ARITHMETIC INTEGRATION OF DECISION PROCEDURES

A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

Ting Zhang
June 2006


© Copyright by Ting Zhang 2006. All Rights Reserved.

I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy.

Zohar Manna (Principal Adviser)

I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy.

Henny B. Sipma

I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy.

David L. Dill

Approved for the University Committee on Graduate Studies.


To the Apple of My I


Acknowledgments

I thank Zohar Manna for advising me for six years at Stanford. This dissertation would not have been possible but for his constant support and encouragement. I learnt from him that the essence of a researcher is “to think”, as “for every problem there is a solution”. I would have been lost without his guidance.

Many thanks to Henny Sipma for being my co-advisor. Over the years she has patiently advised me to be a better researcher. I owe her a great debt for her meticulously reading through my writings and correcting errors.

Many thanks to Grigori Mints for his enlightening classes and instructions, and for his constant support, counsel, and enthusiasm. He showed me a wonderland of logic.

Thanks to David Dill for the collaboration over the last five years. I am grateful to him for his helpful guidance and also for being a part of my orals and reading committees. I would like to thank my orals committee member, John Mitchell, for his valuable feedback.

Many thanks to Maggie McLoughlin, Lynda Harris, Kathleen DiTommaso and other helpful staff of the computer science department. Thanks to Miles Davis for keeping the servers running.

Thanks to the members of my research group, past and present: Nikolaj Bjørner, Aaron Bradley, Michael Colon, Bernd Finkbeiner, Cesar Sanchez, Sriram Sankaranarayanan, Matteo Slanina, and Calogero Zarba. I am grateful to Nikolaj Bjørner, whose Ph.D. thesis is a source of inspiring ideas.

Thanks to Gu, Lisha, Parker, Rui, Yan and Yong for being such good pals for years. Thanks to Bill, Carol, Haidong, Hongbin, Honglei, Hui, Jan, Jian, Jianying, Jing, Josh, Jun, Karen, Lei, Linda, Mengqiu, Qiong, Shelley, Steven, Tao, Weilai, Yirong, and Ying for making the years at Stanford very lively. I am so fortunate to have friends like you.

Lastly, and most importantly, I wish to thank my parents, Mr. Zhongsheng Zhang and Mrs. Yanan Yao, and my brother Jian Zhang for their unconditional love and support in the course of my study at Stanford. To them I dedicate this thesis.

This research was supported in part by NSF grants CCR-01-21403, CCR-02-20134, CCR-02-09237, CNS-0411363, and CCF-0430102, by ARO grant DAAD19-01-1-0723, and by NAVY/ONR contract N00014-03-1-0939.


Abstract

Decision procedures are algorithms that determine the validity or satisfiability of first-order formulas in a given decidable theory. They are at the heart of virtually every verification system, reasoning about system behaviors, proving their safety or finding situations that could lead to bugs. They can efficiently discharge a large number of formulas in specific theories without any user guidance, thereby bringing practical program verification closer to reality. Besides their indispensable role in rigorous formal verification, decision procedures are also of great importance in model checking and program analysis, where automatic proof engines can improve the overall efficiency and increase the analysis accuracy.

Decision procedures exist for many specialized logical domains, including integers and reals as well as many data structures frequently appearing in programs such as lists, queues, sets and multisets. Programs, however, often involve multiple data domains, resulting in verification conditions spanning multiple logical theories. To be able to verify high-level programs with rich data types, we need decision procedures that can reason about complex domains.

This thesis offers novel solutions to an important class of decision problems: mixed constraints on data structures and their quantitative properties. It includes three major contributions.

1. Decision Procedures for Term Algebras with Integer Arithmetic. Term algebras can model a variety of tree-like data types such as records, lists, stacks, etc., which are essential constructs in programming languages. We developed the basic reduction technique, namely, extraction of accurate integer constraints from data constraints. From the construction of accurate integer constraints that precisely characterize data constraints, we derive decision procedures for the combined constraints by utilizing decision procedures for data structures and decision procedures for integer arithmetic. We also developed quantifier elimination procedures for the first-order theory of the combined structure. The procedure has optimal complexity; it removes in a single step a block of quantifiers of the same kind, regardless of the size of the block.

2. Decision Procedures for Queues with Integer Arithmetic. A queue is a typical data type of linear structure. It is widely used in programming languages and forms the basis for many concurrent algorithms and communication protocols. As a queue can grow at both ends, it does not fall in the category of recursive data structures, which can be modeled as term algebras. For this reason, we have further improved the reduction technique and developed new normalization procedures to handle the distinguished properties of queues. With these new improvements, we designed decision procedures for the quantifier-free theories as well as quantifier elimination procedures for the first-order theories.

3. Decision Procedures for Knuth-Bendix Order. Using quantifier elimination and the reduction technique developed for solving the combined constraints of recursive data structures and integer arithmetic, we proved the decidability of the first-order theory of Knuth-Bendix order, thereby solving a long-standing open problem in term rewriting (officially listed as RTA open problem 99 since 2000). Knuth-Bendix order is widely used in term rewriting and theorem proving, along with the lexicographic path order. Unfortunately, the first-order theory of lexicographic path order is undecidable. Therefore, our result on the decidability of Knuth-Bendix order may greatly benefit future algorithm design in term rewriting and theorem proving.


Contents

Acknowledgments  vi
Abstract  vii

1 Introduction  1
  1.1 Combination Problem  2
  1.2 Our Contribution  3
  1.3 Preliminaries  5
  1.4 Thesis Organization and Publications  8

2 Term Algebras with Integers  9
  2.1 Introduction  10
  2.2 Term Algebras  13
  2.3 Decision Procedures for Th∀(TA)  16
  2.4 Decision Procedures for Quantifier-free Theories  20
    2.4.1 Term Algebras with Integers  20
    2.4.2 A Generic Decision Procedure for Th∀(TA_Z)  22
    2.4.3 A Decision Procedure for Th∀(TA^ω_Z)  25
    2.4.4 A Decision Procedure for Th∀(TA_Z)  27
    2.4.5 Richer Theories on Constant Domain  30
    2.4.6 Complexity  30
  2.5 Case Study: Verification of Red-Black Tree Algorithm  31
    2.5.1 The Theory of Red-Black Trees  32
    2.5.2 Algorithm and Example  35
    2.5.3 Verification Conditions  36
  2.6 A New Quantifier Elimination Procedure for Th(TA)  48
  2.7 Decision Procedures for Quantified Theories  53
    2.7.1 Term Algebras with Integers and Parameters  54
    2.7.2 A Quantifier Elimination Procedure for Th(TA_Z)  57
    2.7.3 Richer Theories on Constant Domain  63
    2.7.4 Adaptation for Infinite Languages  64
  2.8 Conclusion  66
  2.9 Proofs  67

3 Queues with Integers  82
  3.1 Introduction  83
  3.2 The Theory of Queues  85
  3.3 Decision Procedure for Th∀(Q)  88
  3.4 Decision Procedures for Th∀(Q_Z)  90
    3.4.1 The Theory of Queues with Integers  90
    3.4.2 Decision Procedure for Th∀(Q_Z)  92
  3.5 Decision Procedure for Th∀(Q^+_Z)  96
  3.6 Decision Procedure for Th(Q_Z)  110
    3.6.1 Normalization in Q_Z with Parameters Y  111
  3.7 Conclusion  113
  3.8 Proofs  114

4 Decidability of Knuth-Bendix Order  123
  4.1 Introduction  124
  4.2 Term Algebras with Knuth-Bendix Order  126
    4.2.1 Proof Plan  127
    4.2.2 Decomposition of Knuth-Bendix Order  128
    4.2.3 Gap Orders  128
    4.2.4 Boundary Functions  129
    4.2.5 Extension of Knuth-Bendix Order  129
    4.2.6 Tuples of Terms  130
    4.2.7 Delineated Gap Order Completion  132
    4.2.8 Lemmas  133
  4.3 Quantifier Elimination for Th(TA^kb+_Z)  136
    4.3.1 The Elimination Procedure  136
    4.3.2 An Example  139
  4.4 Presence of a 0-weight Unary Function  141
    4.4.1 Reduction of u ≺^w_n v and u w_n v  141
    4.4.2 Reduction of u ≺^p_n v and u p_n v  142
    4.4.3 Reduction of u ≺^l_n v and u l_n v  144
  4.5 Conclusion  146
  4.6 Proofs  147
  4.7 Definitions  174
  4.8 Reductions  177
    4.8.1 Reduction of Closed Equalities  177
    4.8.2 Reduction of Closed Stretchable Gap Orders  178
    4.8.3 Reduction of Closed Rigid Gap Orders  181
    4.8.4 Reduction of Half Open Stretchable Gap Orders  185
    4.8.5 Reduction of Half Open Rigid Gap Orders  186
    4.8.6 Reductions of Open Stretchable Gap Orders  187
    4.8.7 Reductions of Open Rigid Gap Orders  188
    4.8.8 Reduction of Closed Tuple Equalities  188
    4.8.9 Reduction of Half Open Tuple Equalities  189
    4.8.10 Reductions of Closed Stretchable Tuple Gap Orders  189
    4.8.11 Reductions of Closed Rigid Tuple Gap Orders  193
    4.8.12 Reductions of Half Open Stretchable Tuple Gap Orders  197
    4.8.13 Reductions of Half Open Rigid Tuple Gap Orders  198
    4.8.14 Reductions of Open Stretchable Tuple Gap Orders  199
    4.8.15 Reductions of Open Rigid Tuple Gap Orders  200

5 Conclusion  202

Bibliography  205
List of Definitions  211
List of Algorithms  213
List of Propositions  215
List of Lemmas  216
List of Theorems  217
List of Examples  218
Index  221

Chapter 1

Introduction

00:28:41:100

Morpheus: Unfortunately, no one can be told what the Matrix is. You have to see it for yourself. This is your last chance. After this, there is no turning back. You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to believe. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember, all I’m offering is the truth. Nothing more.

—The Matrix.

This thesis presents a general technique for integrating integer arithmetic with decision procedures of recursively defined data structures.


1.1 Combination Problem

Decision procedures are algorithms that can determine whether a formula in a given logical theory is valid or satisfiable. An important distinction between these algorithms and general-purpose theorem provers is the level of automation. Decision procedures are fully automatic; they always terminate with a definite yes or no answer. In formal program verification, hundreds of thousands of verification conditions are generated. Program verification will never be practical if human effort is needed to prove these formulas, most of which are repetitive, tediously long and mathematically uninteresting. Decision procedures can automatically discharge verification conditions that fall within the scope of certain decidable theories, and hence relieve users of verification systems from tedious interaction with general-purpose theorem provers. Besides their indispensable role in rigorous formal verification, decision procedures are also of great importance in model checking and program analysis, where automatic proof engines can improve the overall efficiency and increase the analysis accuracy.

Decision procedures exist for many specialized logical domains, including integers and reals as well as many data structures frequently appearing in programs such as lists, queues, sets and multisets. These specialized decision procedures can only handle a particular class of formulas in a particular theory. Programs, however, even very simple ones, often involve multiple data domains, resulting in verification conditions spanning multiple logical theories. To be able to verify high-level programs with rich data types, we have to find decision procedures that can reason about complex domains.

Designing a decision procedure not only requires a good understanding of the algebraic properties of the specific domain, but also a lot of effort and often ingenuity to exploit those properties. Decision procedures for simple domains are well studied in this way; by exploiting the specific structure of the domain, efficient algorithms are obtained whose complexity in most cases matches the optimal theoretical bounds. Designing a decision procedure for a combined theory from scratch, however, is not practical because there are potentially many different combinations. Combined structures, on the other hand, are usually constructed in a modular way, by imposing additional constructs on component substructures. Therefore, it is natural to investigate whether decision procedures for such combined structures can be obtained modularly, namely, by utilizing decision procedures for the component theories as black boxes.

This line of investigation goes back to Nelson and Oppen, who discovered a combination procedure for stably infinite quantifier-free theories with disjoint signatures. The procedure combines satisfiability procedures for component theories using equality propagation. The applicability of the Nelson-Oppen method, however, is limited mainly by two conditions: (i) it works only with quantifier-free theories and (ii) it requires that the signatures of the component theories be disjoint. It turns out that these two restrictions are very hard to remove in spite of much research in this direction. There are several recent advances for combining quantified theories or non-disjoint theories. The practical applicability of these general combination methods, however, is limited in that they require additional nontrivial conditions on the component theories or structures. In fact, accumulated evidence shows that the existence of modular combinations like the Nelson-Oppen method should be viewed as an exception. In combining theories with quantifiers or non-disjoint signatures, we should not expect the same level of modularity as in the Nelson-Oppen scheme, but rather rely on close examination of the characteristics of the combining constructs as well as the properties of the individual component theories.

1.2 Our Contribution

This thesis presents another approach to the combination problem; instead of seeking solutions to general-purpose combinations, we study specific combination problems by exploiting algebraic properties of the combined domain. As a result, we offer novel solutions to an important class of decision problems which commonly appear in program verification, namely, mixed constraints on data structures together with constraints on “integral measures” of those data structures. Such constraints can express a wide range of program properties, in particular memory safety properties such as absence of memory overflow and out-of-bound array access, which are crucial for program correctness.

The combination consists of recursively defined data structures and integer arithmetic, integrated by a size function that maps a data object to its size. This kind of combination tightly links data domains with integer domains, yielding a combination that falls under neither the Nelson-Oppen framework nor any other current combination technique.

Our approach is to reduce constraints on data structures to constraints on integers and, in the presence of quantifiers, to reduce quantifiers on data objects to quantifiers on integers. The technical development divides into three parts.

Decision Procedures for Term Algebras with Integer Arithmetic.

Term algebras can model a variety of tree-like data types such as records, lists, stacks, etc., which are essential constructs in programming languages. We developed the basic reduction technique, namely, extraction of accurate integer constraints from term constraints. From the construction of accurate integer constraints that precisely characterize term constraints, we can derive decision procedures for the combined constraints by utilizing decision procedures for term algebras and decision procedures for integer arithmetic.

We showed that for structures with an infinite constant domain such an accurate integer constraint, which is satisfiable if and only if the corresponding term constraint is satisfiable, can be effectively computed and is expressible by a quantifier-free Presburger formula linear in the size of the term constraint. For structures with a finite constant domain we introduce an additional counting constraint to account for the fact that with finitely many constants the number of distinct terms of a particular length is bounded. We showed that this counting constraint, too, is expressible by a quantifier-free Presburger formula. The latter decision procedure directly extends Oppen's decision procedure for infinite data domains to finite domains.
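To make the reduction concrete, here is an added example (not the thesis's code; the encoding and all names are our own) for the simplest term algebra, lists built from nil and cons over infinitely many atoms, with |·| as the size function. Equalities are solved by unification in the free term algebra; every term variable x contributes |cons^k(x)| = |x| + k and |x| ≥ 0; and a disequality becomes the disjunction of length constraints under which its two sides can still differ. The integer side is restricted to difference constraints (|x| - |y| <= c), so a Bellman-Ford negative-cycle check stands in for the Presburger procedure the thesis uses. The disequality rule is only complete for an infinite constant domain; with finitely many atoms it is exactly the counting constraint described above that is missing here.

```python
"""Added example: list constraints with a length function, decided by reduction to
integer difference constraints.  Lists are over infinitely many atoms; this is
illustrative code, not the thesis's algorithm."""
from itertools import product

NIL = ('nil',)

def cons(head, tail):            # head: atom name (treated as a constant), tail: list term
    return ('cons', head, tail)

def var(name):                   # list-sorted variable
    return ('var', name)

def walk(t, subst):
    while t[0] == 'var' and t[1] in subst:
        t = subst[t[1]]
    return t

def occurs(v, t, subst):
    t = walk(t, subst)
    return t == v or (t[0] == 'cons' and occurs(v, t[2], subst))

def unify(s, t, subst):
    """Syntactic unification in the free term algebra; equalities alone are decided here."""
    s, t = walk(s, subst), walk(t, subst)
    if s == t:
        return True
    if s[0] == 'var':
        if occurs(s, t, subst):          # x = cons(a, x) has no finite solution
            return False
        subst[s[1]] = t
        return True
    if t[0] == 'var':
        return unify(t, s, subst)
    if s[0] == 'cons' and t[0] == 'cons' and s[1] == t[1]:
        return unify(s[2], t[2], subst)
    return False                         # nil vs cons, or distinct atoms

def resolve(t, subst):
    t = walk(t, subst)
    return ('cons', t[1], resolve(t[2], subst)) if t[0] == 'cons' else t

def length(t):
    """|cons^k(v)| = |v| + k and |cons^k(nil)| = k, returned as (free variable or None, k)."""
    k = 0
    while t[0] == 'cons':
        k, t = k + 1, t[2]
    return (t[1] if t[0] == 'var' else None, k)

def nil_ground(t):
    """Instantiate every variable with nil: the only instance when all lengths are 0."""
    if t[0] == 'var':
        return NIL
    return ('cons', t[1], nil_ground(t[2])) if t[0] == 'cons' else t

def vars_of(t):
    return {t[1]} if t[0] == 'var' else (vars_of(t[2]) if t[0] == 'cons' else set())

def difference_sat(cs):
    """cs: triples (u, v, c) meaning u - v <= c; node None is the constant 0.
    Bellman-Ford: integer-satisfiable iff the constraint graph has no negative cycle."""
    nodes = {None} | {n for u, v, _ in cs for n in (u, v)}
    dist = {n: 0 for n in nodes}
    for _ in range(len(nodes)):
        changed = False
        for u, v, c in cs:               # edge v -> u with weight c
            if dist[v] + c < dist[u]:
                dist[u], changed = dist[v] + c, True
        if not changed:
            return True
    return False

def decide(equalities, disequalities, int_constraints):
    """equalities/disequalities: pairs of list terms; int_constraints: (x, y, c) meaning
    |x| - |y| <= c over variable names, with None standing for 0.  Returns satisfiability."""
    subst = {}
    for s, t in equalities:
        if not unify(s, t, subst):
            return False
    def lin(x):                          # |x| after substitution, as (free var, offset)
        return (None, 0) if x is None else length(resolve(var(x), subst))
    base = []
    for x, y, c in int_constraints:
        (vx, kx), (vy, ky) = lin(x), lin(y)
        base.append((vx, vy, c - kx + ky))
    # s != t is falsified only when every variable in it is forced to nil and the nil
    # instances coincide; with infinitely many atoms, a variable of length >= 1 can
    # always be given a fresh head.  (With finitely many atoms this is incomplete.)
    splits = []
    for s, t in disequalities:
        s, t = resolve(s, subst), resolve(t, subst)
        if s == t:
            return False
        if nil_ground(s) == nil_ground(t):
            splits.append(sorted(vars_of(s) | vars_of(t)))
    free = {n for u, v, _ in base for n in (u, v) if n is not None} | {v for d in splits for v in d}
    nonneg = [(None, v, 0) for v in free]               # 0 - |v| <= 0
    for choice in product(*splits):                     # case split: some |v| >= 1 per disequality
        if difference_sat(base + nonneg + [(None, v, -1) for v in choice]):
            return True
    return False

if __name__ == '__main__':
    # x = cons(a, y) together with |x| = |y| is unsatisfiable: |x| = |y| + 1 after substitution.
    print(decide([(var('x'), cons('a', var('y')))], [], [('x', 'y', 0), ('y', 'x', 0)]))
```

The integer constraint extracted for x ≠ y with both lengths forced to 0 is the disjunction |x| ≥ 1 ∨ |y| ≥ 1, which is what makes the constraint "accurate": the same two lists with lengths left open are satisfiable, and nothing in the pure integer side would reveal the difference without that extraction.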

For the first-order theory, we first developed a new quantifier elimination procedure for the theory of pure term algebras which can eliminate blocks of quantifiers of the same kind in one step. Then we extended it to a decision procedure for the theory of term algebras with integer constraints by, again, extracting integer constraints from term constraints, combined with a reduction of quantifiers on term variables to quantifiers on integer variables. The complexity of the new decision procedure is k-fold exponential for formulas with k quantifier alternations. This is optimal in the sense that the theory of pure term algebras itself has non-elementary complexity.

Decision Procedures for Queues with Integer Arithmetic.

A queue is a typical data type of linear structure. It is widely used in programming languages and forms the basis for many concurrent algorithms and communication protocols. As a queue can grow at both ends, it does not fall in the category of recursive data structures, which can be modeled as term algebras. For this reason, we have further improved the reduction technique and developed new normalization procedures to handle the distinguished properties of queues. With these new improvements, we designed decision procedures for the quantifier-free theories as well as quantifier elimination procedures for the first-order theories.

Decidability of the First-order Theory of Knuth-Bendix Order.

Using quantifier elimination and the reduction technique developed for solving the decision problem of term algebras augmented with integer arithmetic, we proved the decidability of the first-order theory of Knuth-Bendix order, thereby solving a long-standing open problem in term rewriting (officially listed as RTA open problem 99 since 2000).

This decidability result is obtained by quantifier elimination on a complex structure containing term algebras and integer arithmetic. In this structure, we have a weight function mapping terms to integers as well as various boundary functions mapping integers to terms. In addition, the Knuth-Bendix order is expanded in two directions. First, the order is decomposed into three disjoint suborders depending on which of the three conditions in its definition applies. Secondly, all orders (including the suborders) are extended to gap orders, which assert the least number of distinct objects between two terms. Moreover, as Knuth-Bendix order is recursively defined on a lexicographic extension of itself, gap orders are extended to tuples of terms. Thus we actually established the decidability of a richer theory. In constructing the quantifier elimination procedure, we overcame several technical challenges, including simplification of complex literals, elimination of integer quantifiers, elimination of equality, elimination of negative literals, and proof of termination.
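The three conditions that the decomposition above refers to are easiest to see in code. The following is an added example, not the thesis's code: a Knuth-Bendix order on first-order terms over a small made-up signature (symbols a, b, f, g, s with the weights and precedence fixed in the block) that returns which condition decided the comparison. It also checks the admissibility conditions, including the one for a 0-weight unary symbol (the situation treated in Section 4.4 of the thesis), and enforces the variable condition that the weight case needs.

```python
"""Added example: the Knuth-Bendix order (KBO) on first-order terms, reporting which
case decides a comparison.  Illustrative code; signature, weights and precedence
are made up and not taken from the thesis."""

W0 = 1                                             # weight of every variable (must be > 0)
ARITY = {'a': 0, 'b': 0, 'f': 2, 'g': 1, 's': 1}
WEIGHT = {'a': 1, 'b': 1, 'f': 1, 'g': 2, 's': 0}  # 's' is the 0-weight unary symbol
PREC = ['a', 'b', 'f', 'g', 's']                   # precedence, ascending

# Terms: a variable is a str; an application is a tuple (symbol, arg1, ..., argn);
# constants are 1-tuples such as ('a',).

def is_var(t):
    return isinstance(t, str)

def admissible():
    """KBO admissibility: W0 > 0, constants weigh at least W0, and a unary symbol of
    weight 0 (at most one) must be the greatest in the precedence."""
    zero_unary = [f for f in ARITY if ARITY[f] == 1 and WEIGHT[f] == 0]
    consts_ok = all(WEIGHT[c] >= W0 for c in ARITY if ARITY[c] == 0)
    return W0 > 0 and consts_ok and (
        not zero_unary or (len(zero_unary) == 1 and PREC[-1] == zero_unary[0]))

def weight(t):
    return W0 if is_var(t) else WEIGHT[t[0]] + sum(weight(a) for a in t[1:])

def var_count(t, acc=None):
    acc = {} if acc is None else acc
    if is_var(t):
        acc[t] = acc.get(t, 0) + 1
    else:
        for a in t[1:]:
            var_count(a, acc)
    return acc

def dominates(s, t):
    """Variable condition: each variable occurs in s at least as often as in t."""
    vs = var_count(s)
    return all(vs.get(x, 0) >= n for x, n in var_count(t).items())

def kbo_gt(s, t):
    """s >_kbo t?  Returns the deciding case: 'weight', 'precedence', 'lex', or
    'zero-unary' for s = f^n(x) > x with the 0-weight unary f; None if not greater."""
    if is_var(s) or not dominates(s, t):            # a variable is never greater
        return None
    ws, wt = weight(s), weight(t)
    if ws > wt:
        return 'weight'
    if ws < wt:
        return None
    if is_var(t):                                   # equal weight and s contains t: s = f^n(t)
        u = s
        while not is_var(u) and ARITY[u[0]] == 1 and WEIGHT[u[0]] == 0:
            u = u[1]
        return 'zero-unary' if u == t else None
    f, g = s[0], t[0]
    if PREC.index(f) > PREC.index(g):
        return 'precedence'
    if f != g:
        return None
    for si, ti in zip(s[1:], t[1:]):                # same symbol: first differing argument decides
        if si != ti:
            return 'lex' if kbo_gt(si, ti) else None
    return None                                     # s and t are identical

if __name__ == '__main__':
    print(admissible(), kbo_gt(('f', ('b',), 'x'), ('f', ('a',), 'x')))
```

The comparison g(x) against f(x, x) is the instructive failure: the weights tie and g is greater in the precedence, yet the variable condition blocks the conclusion because x occurs twice on the right and once on the left.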

Knuth-Bendix order has numerous applications in term rewriting and theorem proving, along with lexicographic path order. In ordered term rewriting, a strategy built on ordering constraints can dynamically orient an equation at the time of instantiation, even if the equation is not uniformly orientable. This provides a powerful tool for proving the termination of rewriting systems. In ordered resolution and paramodulation, ordering constraints are used to select the maximal literals on which to perform resolution. Ordering constraints also serve as enabling conditions for inference rules, and such conditions can be inherited from previous inferences at each deduction step. This helps prune redundancy from the search space without compromising refutational completeness. Unfortunately, the first-order theory of lexicographic path order is undecidable. Therefore, our result on the decidability of Knuth-Bendix order may greatly benefit future algorithm design in term rewriting and theorem proving.

It is interesting that the combination of term algebras with integer arithmetic can help solve an open problem in a quite different field. We believe that this demonstrates the effectiveness of our approach to the combination problem: studying concrete combination types where richer algebraic properties can be exploited.

1.3 Preliminaries

We assume the first-order syntactic notions of variables, parameters and quantifiers, and the semantic notions of structures, satisfiability and validity as in [16].

Syntax

A signature Σ is a set of function symbols and predicate symbols, each of which is associated with an arity. The function symbols with arity 0 are also called constants. The set of Σ-terms T(Σ, X) is recursively defined by: (i) every constant c ∈ Σ or variable x ∈ X is a term, and (ii) if f ∈ Σ is an n-place function symbol and t1, . . . , tn are terms, then f(t1, . . . , tn) is a term. We write T(Σ) for T(Σ, ∅). Equality = is always included as a binary predicate symbol. If ϕ is a formula, we use T(ϕ) to denote the set of terms occurring in ϕ, and V(ϕ) to denote the set of variables in ϕ.

An atomic formula is a formula of the form P(t1, . . . , tn) where P is an n-place predicate symbol and t1, . . . , tn are terms. A literal is an atomic formula or its negation. An occurrence of a variable in a formula is free if it is not in the scope of a quantifier binding that variable. A formula without quantifiers is called quantifier-free. A ground formula is a formula with no variables. A sentence is a formula in which no variable occurs free. Every quantifier-free formula can be put into disjunctive normal form, that is, a disjunction of conjunctions of literals.


We use x̄ to denote a sequence of variables, say, x1, . . . , xn, and ∃x̄ (resp. ∀x̄) as an abbreviation of ∃x1, . . . , ∃xn (resp. ∀x1, . . . , ∀xn). We write ϕ(x̄) to indicate that the variables x̄ occur free in ϕ, without excluding other free variables which are of no interest in the context. A formula ψ(x̄) can be put into prenex form Q1y1, . . . , Qnyn ϕ(x̄, y1, . . . , yn), where the Qi are either ∃ or ∀ and ϕ(x̄, y1, . . . , yn) is quantifier-free, called the matrix of ψ. In case x̄ contains all free variables of ϕ(x̄), (∃x̄)ϕ(x̄) and (∀x̄)ϕ(x̄) are called the existential closure and universal closure of ϕ(x̄), respectively. If, in addition, ϕ(x̄) is quantifier-free, then (∃x̄)ϕ(x̄) is called ∃1 and (∀x̄)ϕ(x̄) is called ∀1. The quantifier-free (resp. ∃1, ∀1) fragment of a language is the subclass of quantifier-free (resp. ∃1, ∀1) sentences in the language.

An expression E is either a formula or a term. We use E[e1, . . . , en] to denote that e1, . . . , en are subexpressions of E.

We use ≡ for syntactic equality. We use interval notation for integer sets. For example, the closed interval [m, n] means {i | m ≤ i ≤ n}. Similarly for open intervals (m, n) and half-open intervals [m, n) and (m, n]. We use (si)i∈I to denote a sequence indexed by I. For example, by (ei)i<n we mean e0, . . . , en−1. We use the standard notations for partial orders. Suppose ◁ is a partial order; then by x ⊴ y we mean x = y ∨ x ◁ y. If ◁ is transitive, by x1 ◁ x2 ◁ · · · ◁ xn we mean ∧0<i<n xi ◁ xi+1.

Semantics

A Σ-structure 𝔄 is a tuple 〈A, I〉 where A is a non-empty domain and I is a function that associates each n-place function symbol f (resp. predicate symbol P) with an n-place function f^𝔄 (resp. relation P^𝔄) on A. We use Gothic letters (like 𝔄) for structures and Roman letters (like A) for the underlying domain. We usually denote 𝔄 by 〈A; Σ〉, Σ being the signature of 𝔄. A variable assignment σ (in 𝔄) is a function that assigns each variable an element of A. We use ⟦x⟧σ to denote the assigned value of x under σ and ⟦ϕ⟧σ for the truth value of ϕ under σ. 𝔄 ⊨ ⟦ϕ⟧σ means ϕ is true under σ. A formula ϕ is satisfiable (in 𝔄), denoted by 𝔄 ⊨∃ ϕ, if 𝔄 ⊨ ⟦ϕ⟧σ for some σ; it is unsatisfiable (in 𝔄), denoted by 𝔄 ⊭∃ ϕ, if 𝔄 ⊨ ⟦ϕ⟧σ for no σ; and it is valid (in 𝔄), denoted by 𝔄 ⊨ ϕ, if 𝔄 ⊨ ⟦ϕ⟧σ for every σ. A formula ϕ is valid if and only if ¬ϕ is unsatisfiable.

𝔄 is a model of a set T of sentences if every sentence in T is true in 𝔄. A sentence ϕ is (logically) implied by T (or T-valid), written T ⊨ ϕ, if ϕ is true in every model of T. Similarly, we say that ϕ is T-satisfiable if ϕ is true in some model of T, and T-unsatisfiable otherwise. The notions of (T-)validity and (T-)satisfiability naturally extend to sets of formulas. A theory T is a set of sentences that is closed under logical implication, that is, if T ⊨ ϕ, then ϕ ∈ T. The theory of 𝔄, written Th(𝔄), is the set of all sentences true in 𝔄. By the quantifier-free theory of 𝔄, written Th∀(𝔄), we mean the quantifier-free subclass of Th(𝔄).

By the satisfiability and validity of a quantifier-free formula we actually mean the validity of the corresponding ∃1 and ∀1 formulas, respectively. Similarly, the satisfiability problem and the validity problem of a quantifier-free theory (or, more precisely, of the quantifier-free fragment) refer to the validity problem of the corresponding ∃1 fragment and ∀1 fragment, respectively.


Multisorted Logic

All the above notions naturally generalize to multi-sorted logic. In a multi-sorted logic, we have a non-empty set S of sorts. Variables, constants, equality symbols and quantifiers are indexed by s ∈ S. An n-ary function symbol f is associated with an (n+1)-tuple 〈s1, . . . , sn+1〉, called the type of f. Similarly, the type of an n-ary predicate symbol p is an n-tuple 〈s1, . . . , sn〉. For 0 < i ≤ n, we say that the i-th place of f (or p) has sort si. We require the type of the equality symbol of sort s to be 〈s, s〉. A term t is of sort s if (i) t is a variable or a constant of sort s, or (ii) t is of the form f(t1, . . . , tn) such that the type of f is 〈s1, . . . , sn, s〉 and t1, . . . , tn are of sorts s1, . . . , sn, respectively. A formula is well-formed if in addition it is well-typed, in the sense that (i) a term of sort s only occurs in a place of sort s of a function or predicate symbol, and (ii) variables of sort s are only quantified by ∀s and ∃s.

A multi-sorted structure 𝔄 is a tuple ⟨A_S, S, I⟩ where S is the set of sorts, A_S are mutually disjoint sets (domains) indexed by S, and I is an interpretation such that (i) each n-ary function symbol f with type ⟨s1, …, sn+1⟩ is assigned a function F : As1 × ··· × Asn → Asn+1; (ii) each n-ary predicate symbol p with type ⟨s1, …, sn⟩ is assigned a relation P ⊆ As1 × ··· × Asn. A variable assignment assigns a variable of sort s an element in As. Satisfiability, unsatisfiability and validity are defined as above with ∀s (resp. ∃s) being interpreted as “for all (resp. some) elements in the domain As”.

Refutational Decision Procedure

All decision procedures for quantifier-free theories presented in this thesis are refutation-based; to determine the validity of a formula ϕ, they determine the unsatisfiability of ¬ϕ, which further reduces to determining the unsatisfiability of each disjunct in the disjunctive normal form of ¬ϕ. Henceforth, in discussions related to quantifier-free theories, a quantifier-free formula always refers to a conjunction of literals. We identify a conjunction of literals Φ with the set of all its conjuncts. By A ∈ Φ we mean A is a conjunct of Φ and by A ∪ Φ we mean Φ ∧ A.

Quantifier Elimination

All decision procedures for the first-order theories presented in this thesis are based on quantifier elimination. A theory T is said to admit quantifier elimination if any formula can be equivalently (modulo T) and effectively transformed into a quantifier-free formula. If a theory admits quantifier elimination, then the truth value of any sentence is reducible to the truth value of a ground formula.

It is well-known that eliminating arbitrary quantifiers reduces to eliminating existential quantifiers from formulas in the form

    (∃x)[A1(x, y) ∧ ··· ∧ An(x, y)],    (1.1)


where Ai(x, y) (0 < i ≤ n) are literals [19]. In discussions related to quantifier elimination, a quantified formula always refers to a formula of the form (1.1). We also assume that the literals Ai are not of the form x = t when x does not appear in t, since ∃x(x = t ∧ Φ(x, y)) simplifies to Φ(t, y).

Nondeterminism

We present algorithms in a nondeterministic manner; whenever we say “guess φ”, we mean to add a valid (w.r.t. the context) disjunction ⋁i φi (where φ is one of the disjuncts) to the matrix of (1.1). When we replace φ by ⋁i φi or directly introduce ⋁i φi, it should be understood that an implicit disjunctive splitting is carried out and we work on each resultant disjunct of the form (1.1) “simultaneously”. We call the target formula redex and the resulting formula reduct.

Presburger Arithmetic

Presburger arithmetic is the first-order theory of addition in the arithmetic of integers. The corresponding structure is denoted by PA = ⟨ℤ; 0, +, <⟩. We use Lℤ to denote the formal language of PA.

Presburger arithmetic was first shown to be decidable in 1929 by quantifier elimination [16]. A more efficient algorithm was later discovered by Cooper [12] and further improved by Reddy and Loveland [46].

1.4 Thesis Organization and Publications

Chapter 2 presents decision procedures for the theory of term algebras with integers. It introduces the technique to reduce term constraints to integer constraints, and in the presence of quantifiers, term quantifiers to integer quantifiers. These decision procedures were first published, without proofs, in IJCAR’04 [60] (Best Paper Award) and in TPHOLs’04 [61]; an expanded version, including proofs, has been accepted for publication in Information and Computation [64]. Chapter 3 adapts the reduction technique to construct decision procedures for the theory of queues with integer arithmetic. A part of this work was published in FSTTCS’05 [63]. Chapter 4 presents the proof of decidability of the first-order theory of Knuth-Bendix order using quantifier elimination and the reduction technique developed for the theory of term algebras with integer arithmetic. This result was published in CADE’05 [62]. Chapter 5 concludes the thesis with a discussion of future work.


Chapter 2

Term Algebras with Integers

01:14:08:650

Oracle: You know what that means? It’s Latin. Means, “Know Thyself.” I’ll let you in on a little secret. Being the One is just like being in love. No one can tell you you’re in love. You just know it. Through and through . . .

—The Matrix.

Terms “know themselves” in the sense that they can describe themselves formally in algebraic structures, called term algebras. Term algebras can model a class of recursively defined data structures such as lists, trees and records, which are widely used in programming languages. In this chapter we extend the theory of term algebras with integer functions which map terms to integers, resulting in a combined theory of term algebras and Presburger arithmetic. We present decision procedures for quantifier-free theories in structures with an infinite constant domain and with a finite constant domain. We also present a quantifier elimination procedure for the extended first-order theory that can remove a block of existential quantifiers in one step.


2.1 Introduction

Recursively defined data structures are essential constructs in programming languages. Intuitively, a data structure is recursively defined if it is partially composed of smaller or simpler instances of the same structure. Examples include lists, stacks, counters, trees, records and queues. To verify programs containing recursively defined data structures we must be able to reason about these data structures. Decision procedures for several data structures exist. However, in program verification decision procedures for a single theory are usually not applicable as programming languages often involve multiple data domains, resulting in verification conditions that span multiple theories. Common examples of such mixed constraints are combinations of data structures with integer constraints on the size of those structures. Such constraints can express memory safety properties such as absence of memory overflow and out-of-bound array access, which are crucial to program correctness.

In this chapter we consider the integration of Presburger arithmetic with term algebras which can represent an important class of recursively defined data structures known as recursive data structures. This class of structures satisfies the following two properties of term algebras: (i) the data domain is the set of data objects generated exclusively by applying constructors, and (ii) each data object is uniquely generated. Examples of such structures include lists, stacks, counters, trees and records; queues do not belong to this class as they are not uniquely generated: they can grow at both ends.

Our language of the integrated theory has two sorts; the integer sort ℤ and the term sort T. The language is the set-theoretic union of the language of term algebras and the language of Presburger arithmetic plus the additional length function | · | : T → ℕ. Formulas are formed from term literals and integer literals in the usual way. Term literals are exactly the literals in the theory of term algebras. Integer literals are those that can be built up from primitive integer terms (the length function applied to Σ-terms), addition and the other usual arithmetic functions and relations.

We present decision procedures for the quantifier-free and the first-order theory of term algebras with length function and integer constraints, for structures with both finite and infinite constant domain. In the rest of the chapter we will use the following notation for these theories. Th∀(TA) and Th∀(TAℤ) denote the quantifier-free theory of, respectively, pure term algebras and term algebras with a length function and Presburger arithmetic constraints. Similarly, Th(TA) and Th(TAℤ) denote the full first-order theory of pure term algebras and term algebras with a length function and Presburger arithmetic constraints. When we separately consider decision procedures for structures with infinite constant domain, we add an ω superscript, for example, Th∀(TAωℤ).

The decision procedures for Th∀(TAℤ) are based on Oppen’s algorithm for acyclic recursive data structures with infinite data domain (which, essentially, is Th∀(TAω)) [45]. To decide satisfiability of a term constraint ϕ, Oppen’s procedure constructs a DAG for ϕ, extracts from this DAG all implied equalities between terms, and then checks for inconsistencies with disequalities in ϕ. We extend this procedure to Th∀(TAℤ) by extracting an implied length constraint from the term constraint. We show that for structures with infinite constant domain such a length constraint, which is satisfiable if and only if the term constraint ϕ is satisfiable, can be effectively computed and is expressible by a quantifier-free Presburger formula linear in the size of ϕ. For structures with finite constant domain we introduce an additional counting constraint to account for the fact that with finitely many constants the number of distinct terms of a particular length is bounded. We show that also this counting constraint is expressible by a quantifier-free Presburger formula. The latter decision procedure directly extends Oppen’s decision procedure for infinite data domains to finite domains. As a case study, we analyze the red-black tree algorithm using Th∀(RBℤ), the theory of a term algebra with two integral functions. This serves as an example of how to apply our method to theories of term algebras with more than one integral function.

For the first-order theory, we first present a new quantifier elimination procedure for Th(TA) and then extend it to an elimination procedure for Th(TAℤ). Our elimination procedure for Th(TA) is based on the elimination procedure in [19], but can eliminate blocks of quantifiers of the same kind in one step. We extend it to a decision procedure for Th(TAℤ) by, again, extracting integer constraints from term constraints combined with a reduction of quantifiers on term variables to quantifiers on integer variables.

The decision procedures for Th∀(TAℤ) and Th(TAℤ) were first published, without proofs, in [60]. The improved version that allows elimination of blocks of quantifiers was published in [61]. In that paper we showed that the complexity of our decision procedures was 2k-fold exponential for k quantifier alternations for Th(TAℤ). This chapter provides an extended presentation of the results in both papers, improves the complexity of the decision procedure for Th(TAℤ) to k-fold exponential for k quantifier alternations, and includes all the proofs.

Related Work and Comparison. Our component theories are both decidable. Presburger arithmetic was first shown to be decidable in 1929 by quantifier elimination [16]. A more efficient algorithm was later discovered by Cooper [12] and further improved by Reddy and Loveland [46].

It is well-known that recursive data structures can be modeled as term algebras which were shown to be decidable by Malcev using quantifier elimination [36]. This result was proved again several times in different settings [34, 9, 19, 8, 3, 49, 30, 29, 60].

Quantifier elimination has been used to obtain decidability results for various extensions of term algebras. Maher showed the decidability of the theory of infinite and rational trees [34]. Comon and Delor presented an elimination procedure for term algebras with membership predicate in the regular tree language [8]. Backofen presented an elimination procedure for structures of feature trees with arity constraints [3]. Rybina and Voronkov showed the decidability of term algebras with queues [49]. Kuncak and Rinard showed the decidability of term powers, which are term algebras augmented with coordinate-wise defined predicates [30].


Decision procedures for the quantifier-free theory of recursive data structures were discovered by Nelson, Oppen et al. [40, 45, 15]. Oppen gave a linear algorithm for acyclic structures [45] and (with Nelson) a quadratic algorithm for cyclic structures [40]. If the values of the selector functions on constants are specified, then the problem is NP-complete [45].

A general combination method for decision procedures for quantifier-free theories was developed by Nelson and Oppen in 1979 [39]. The method requires that component theories be loosely coupled, that is, have disjoint signatures, and are stably infinite¹ [53]. Tinelli and Ringeissen presented a general theoretical framework for combining satisfiability procedures of theories with non-disjoint signatures [54]. Tinelli and Zarba generalized Nelson-Oppen’s method to theories in multisorted languages [55]. Armando, Ranise and Rusinowitch presented a uniform framework using superposition for deriving decision procedures for certain combined theories [1]. Ghilardi presented a set of model-theoretical conditions for the existence of Nelson-Oppen combination schema on theories having non-disjoint signatures [18]. But none of these general purpose combination methods are applicable to the combination of our component theories, which is a multisorted theory with a function mapping elements in one sort to another.

Zarba constructed decision procedures for a combined theory of sets and integers and a theory of multisets and integers, respectively [59, 58]. The integration of Presburger arithmetic with recursive data structures was discussed by Bjørner [5] and an incomplete procedure was implemented in STeP (Stanford Temporal Prover) [6].

Integer constraints not only arise in the combination of decision procedures, but they are also useful as an auxiliary extension to encode properties on data structures. This line of investigation goes back to Skolem who showed the decidability of the first-order theory of Boolean algebras by reducing constraints on sets to constraints on the cardinality of sets [51]. It readily follows from the reduction technique that the first-order theory of sets with cardinality constraints in Presburger arithmetic is decidable [17]. Recently, Revesz [47], and Kuncak and Rinard [31] independently presented decision procedures for this theory. A combination of Presburger arithmetic and term algebras was used by Korovin and Voronkov to show that the quantifier-free theory of term algebras with Knuth-Bendix order is NP-complete [26, 27]. Along this line of investigation we proved the decidability of the first-order theory of Knuth-Bendix orders [62] using quantifier elimination (Chapter 4). The elimination procedure makes extensive use of Presburger arithmetic in the reduction of quantifiers on term variables to quantifiers on integer variables.

Chapter Organization. Section 1.3 presents the notation and terminology. Section 2.2 introduces the language and structure of term algebras. Section 2.3 describes Oppen’s algorithm for recursive data structures. Section 2.4 presents our decision procedures for the quantifier-free theory of term algebras augmented with a length function and Presburger arithmetic. In Section 2.4.1 we first describe the theory and then in Section 2.4.2 we outline our approach for constructing the decision procedures by introducing the concepts of implied length constraints and presenting a generic decision procedure. In Section 2.4.3 we specialize this procedure for structures with infinite constant domain, and in Section 2.4.4 we refine it further for structures with finite constant domain. Section 2.4.5 outlines the approach to obtain decision procedures for structures whose constant domain contains relations besides equality. Section 2.4.6 discusses the complexity of the decision procedures for the quantifier-free theories. In Section 2.5 we extend our method to a theory of a term algebra with two integral functions to analyze the red-black tree algorithm.

¹ A theory is stably infinite if a quantifier-free formula in the theory is satisfiable if and only if it is satisfiable in an infinite model.

Section 2.6 presents a new decision procedure for the first-order theory of term algebras. Section 2.7 presents the decision procedures for the first-order theory of term algebras with integer constraints. We first introduce the technical machinery for the construction of a quantifier elimination procedure and then, in Section 2.7.2, we extend the elimination procedure for term algebras presented in Section 2.6 to term algebras with integers. Section 2.7.3 further generalizes the result to structures whose constant domain has an internal structure and admits quantifier elimination. In Section 2.7.4 we discuss how this procedure can be adapted for theories with infinite languages. Section 2.8 concludes with some ideas for future work. Most proofs are provided in Section 2.9.

2.2 Term Algebras

We present a general language and structure of term algebras. For simplicity, we do not distinguish syntactic terms in the language from semantic terms in the corresponding structure. The meaning should be clear from the context.

Definition 2.1 (Term Algebras). A term algebra TA : ⟨T; C, A, S, 𝒯⟩ consists of

1. T: The term domain, which exclusively consists of terms recursively built up from constants by applying non-nullary constructors. Objects in T are called TA-terms. The type of a term t, denoted by type(t), is the outermost constructor symbol of t. We say that t is α-typed (or is an α-term) if type(t) = α.

2. C: A set of constructors: α, β, γ, … The arity of α is denoted by ar(α).

3. A: A set of constants: a, b, c, … We require A ≠ ∅ and A ⊆ C. For a ∈ A, ar(a) = 0 and type(a) = a.

4. S: A set of selectors. For a constructor α with arity k > 0, there are k selectors s^α_1, …, s^α_k in S. We call s^α_i (0 < i ≤ k) the i-th α-selector. For a term x, s^α_i(x) returns the i-th component of x if x is an α-term and x itself otherwise.

5. 𝒯: A set of testers. For each constructor α there is a corresponding tester Isα. For a term x, Isα(x) is true if and only if x is an α-term. For a constant a, Isa(x) is just x = a. In addition there is a special tester IsA such that IsA(x) is true if and only if x is a constant.


We use LT to denote the language of term algebras. We use TAω to denote a term algebra with an infinite constant domain.

A term algebra has two essential properties: (i) the domain T is exclusively generated by recursively applying constructors; (ii) each object in T is uniquely constructed. Note that the term domain T is the ground Herbrand domain T(C) in the language consisting of only constructors (i.e., Σ = C). Selectors and testers are introduced into the formal language for our study. A more general definition of term algebras would include a variable base X. For our purpose of modeling recursive data structures, however, it suffices to assume the term domain only consists of ground terms; i.e., the base X = ∅. Nevertheless, our method can be modified to deal with a non-ground term domain by treating variables as special constants.

For simplicity, in the rest of this chapter we assume that LT is finite except in Section 2.4.3 where we present an algorithm for structures with an infinite constant domain as the basis for algorithms for structures with a finite constant domain. The main techniques used for finite languages, however, can be easily generalized to handle the case of infinite languages. Actually, the decision problems become considerably easier if we allow LT to have infinitely many constants. We defer the detailed discussion to Section 2.7.4.

Example 2.1 (LISP Lists). Consider the LISP list structure

    List = ⟨list; cons, nil, nil, car, cdr, Iscons, Isnil, IsA⟩

where list denotes the domain, nil denotes the empty list, cons is a binary constructor (pairing function) and car and cdr are the corresponding left and right selectors (projectors) respectively. It is not difficult to verify that List is an instance of term algebras.

The theory of term algebras is axiomatizable. Let zα denote z1, …, zar(α). The following formula schemes, in which variables are implicitly universally quantified over T, axiomatize Th(TA).

A1. t(x) ≠ x, if t is built solely by constructors and t properly contains x.

A2. α(x1, …, xar(α)) ≠ β(y1, …, yar(β)), if α, β ∈ C and α ≢ β.

A3. α(x1, …, xar(α)) = α(y1, …, yar(α)) → ⋀1≤i≤ar(α) xi = yi.

A4. Isα(x) ↔ ∃zα (α(zα) = x) for α ∈ C. In particular, Isa(x) ↔ x = a for a ∈ A.

A5. IsA(x) ↔ ⋁a∈A Isa(x).

A6. s^α_i(x) = y ↔ (∃zα (α(zα) = x ∧ y = zi)) ∨ (∀zα (α(zα) ≠ x) ∧ x = y).

This set of axioms is a variant of the axiomatization given in [19]. In general, selectors and testers can be defined by constructors and vice versa. One direction has been shown by (A4), (A5) and (A6), which are purely definitional axioms. The other direction follows from the equivalence of ⋀1≤i≤k s^α_i(x) = xi ∧ Isα(x) and x = α(x1, …, xk).

We write α = (s^α_1, …, s^α_k) to indicate that α is a non-nullary constructor with ar(α) = k and s^α_1, …, s^α_k are the corresponding selectors of α. A term t is called a constructor term if t is a variable or the outermost function symbol of t is a constructor. A constructor term not containing selectors is called pure. For example, constants are pure constructor terms. A term t is called a selector term if either t is a variable or the outermost function symbol of t is a selector. Note that variables are both constructor terms and selector terms. We assume that no constructors appear immediately inside selectors as simplification can always be done. For example, s^α_i(α(x1, …, xk)) simplifies to xi (0 < i ≤ k) and s^β_j(α(x1, …, xk)) simplifies to α(x1, …, xk) for α ≢ β. As a consequence, a selector term has the form s1(···(sn(x))···) for n ≥ 0. We use L, F, G, H, … to denote (possibly empty) selector sequences. So s1(···(sn(x))···) can be abbreviated as Lx for L = s1, …, sn. The depth of x in Lx is |L|, the length of L. The depth of x in a formula ϕ is the maximum depth of x in the selector terms in ϕ, denoted by depthϕ(x). We use Isα(t1, …, tn) as an abbreviation for ⋀0<i≤n Isα(ti). We say a selector term s^α_i(t) is proper in a formula ϕ if Isα(t) is a conjunct of ϕ. We can make selector terms proper with type information.

Definition 2.2 (Type Completeness). A conjunction of literals Φ is type complete if for any selector term t occurring in Φ, exactly one type of tester predicate Isα(t) (α ∈ (C \ A) ∪ {A}) is a conjunct of Φ.

For a type complete Φ containing a term t, we write type(t) = α to indicate that Isα(t) is a conjunct of Φ. A type complete Φ can be simplified so that any selector term is proper.

Example 2.2 (Type Completeness). Let us consider in List the type complete constraint

    y ≠ cons(x, car(x)) ∧ IsA(x, car(x)) ∧ Iscons(y).    (2.1)

Thanks to the type information, it can be simplified to

    y ≠ cons(x, x) ∧ IsA(x) ∧ Iscons(y).    (2.2)

We could have defined the notion of type completeness only for terms that occur inside selectors. In this way, a type complete formula may contain terms of unspecified types; they are either variables or selector terms that are not embedded inside selectors. This will lead to more efficient algorithms in practice. We choose the above definition, however, because it simplifies descriptions of algorithms presented in the following sections, and in addition, it does not affect the worst-case complexity for those algorithms.

Given a quantifier-free formula ϕ, we can obtain a type complete ϕ′ from ϕ by adding exactly one tester predicate Isα(t) (α ∈ C) for each term t occurring in ϕ. We call ϕ′ so obtained a type completion of ϕ.


Example 2.3 (Type Completion). Let us revisit Example 2.2. It is easily seen that (2.1) is a type completion of y ≠ cons(x, car(x)).

Example 2.4 (Type Completion and Simplification). Let α, β ∈ C, α ≢ β and α = (s^α_1). A possible type completion for y = s^α_1(x) is

    y = s^α_1(x) ∧ Isβ(x, s^α_1(x), y),    (2.3)

which, by Axioms (A4) and (A6), simplifies to y = x ∧ Isβ(x, y). Another type completion is

    y = s^α_1(x) ∧ Isα(x) ∧ Isβ(s^α_1(x), y),    (2.4)

in which the selector term s^α_1(x) is proper and no simplification is possible. As a third possibility, we can have the type completion

    y = s^α_1(x) ∧ Isα(x, s^α_1(x)) ∧ Isβ(y),    (2.5)

which simplifies to false because of type conflicts.

As shown by the above example, a type completion of a satisfiable formula may be contradictory due to type conflicts. A type completion ϕ′ of ϕ is compatible with ϕ if the satisfiability of ϕ implies the satisfiability of ϕ′. Obviously, ϕ is satisfiable if and only if it has a satisfiable compatible type completion.

In the following sections, we present nondeterministic algorithms that rely on the successful guess of a satisfiable compatible type completion. Unless stated otherwise, we assume that any quantifier-free formula is type complete, and all occurring selector terms are simplified to proper ones. We assume that equalities (resp. disequalities) between terms with conflicting types are simplified to false (resp. true). For example, in List the appearance of car(x) ≠ y should be read as car(x) ≠ y ∧ Iscons(x). We also assume that formulas do not have conflicting type literals. For example, we never encounter formulas containing subformulas of the form

    x ≠ α(t1, …, tar(α)) ∧ x ≠ β(t′1, …, t′ar(β))

for α ≢ β, because at least one conjunct would have been simplified to true. But to save notation, we omit tester literals and treat them as implicit side conditions.

2.3 Decision Procedures for Th∀(TA)

This section and the next section present decision procedures for quantifier-free theories. All our decision procedures for quantifier-free theories are refutation-based; to determine the validity of a formula ϕ, a procedure determines the unsatisfiability of ¬ϕ, which further reduces to determining the unsatisfiability of each disjunct in the disjunctive normal form of ¬ϕ. Henceforth, in discussions related to quantifier-free theories, a quantifier-free formula (or an input formula) always refers to a conjunction of literals. To emphasize this, we use capital symbols Φ, Ψ, … to denote conjunctions of literals. We identify a conjunction of literals Φ with the set of all its conjuncts. By A ∈ Φ we mean A is a conjunct of Φ and by Φ ∪ A (or more formally Φ ∪ {A}) we mean Φ ∧ A. We present algorithms in a nondeterministic manner; by saying “guess ϕ”, we mean to split on a disjunction that is valid in the context and contains ϕ as one of the disjuncts, and we work on each resultant constraint “simultaneously”.

In [45] Oppen presented a decision procedure for the quantifier-free theory of acyclic recursive data structures which is essentially Th∀(TA). The basic idea of the decision procedure is to generate all equalities implied by the input formula and check for inconsistencies with disequalities given in the input. The decision procedure relies on the fact that Th∀(TA) is convex in a language without selectors. In fact, the convexity was shown implicitly in the correctness proof of Oppen’s algorithm [45].

Definition 2.3 (Convex Theory). A theory is convex if whenever a conjunction of literals implies a disjunction of atomic formulas, it also implies one of the disjuncts.

Let Φ be a conjunction of equalities and Ψ a disjunction of equalities. The convexity of Th∀(TA) can be rephrased as follows: Φ ∧ ¬Ψ is satisfiable if and only if for each of the conjuncts s ≠ t ∈ ¬Ψ, Φ ∧ s ≠ t is satisfiable, i.e., Φ ⊭ s = t. The idea of Oppen’s algorithm is to discover all logically implied equalities (between terms in Φ and Ψ) by constructing a directed acyclic graph (DAG) with terms as vertexes and computing an equivalence relation on the nodes based on equality of children and ancestor nodes (bidirectional closure), formally described below.

Definition 2.4 (DAG Representation). A term t can be naturally represented by an ordered tree Tt such that (i) if t is a constant, then Tt is a leaf vertex labeled by t, and (ii) if t is in the form α(t1, …, tk), then Tt is the tree with root labeled by α and Tt1, …, Ttk as its subtrees. A directed acyclic graph (DAG) Gt of t is obtained from Tt by merging all identical subgraphs of Tt.

The DAG of a formula is the DAG representing all terms in the formula. For example, Figure 2-1 shows the DAG for

    cons(y, z) = cons(x, z) ∧ cons(x, y) ≠ z.    (2.6)

We assume DAGs are sibling complete in the sense that a node and all of its siblings coexist. For example, car(x) appears if and only if cdr(x) does. A sibling completion can be easily obtained by adding trivial equality literals like t = t to the original formula. For a vertex u, let δ(u) denote the outgoing degree and u[i] (1 ≤ i ≤ δ(u)) the i-th successor of u.


[Figure 2-1 (diagram): the cons vertexes v1, v2, v3 with edges to their successors among the leaves v4, v5, v6.]

    v1 : cons(x, y)    v4 : x
    v2 : cons(x, z)    v5 : y
    v3 : cons(y, z)    v6 : z

Figure 2-1: The DAG of cons(y, z) = cons(x, z) ∧ cons(x, y) ≠ z.

Let R be a binary relation on the vertexes of a DAG and let u, v be any two vertexes.

Definition 2.5 (Unification Closure). We say that R′ is the unification closure of R if R′ is the smallest equivalence relation extending R such that (u, v) ∈ R′ and type(u) = type(v) implies (u[i], v[i]) ∈ R′, for every i ∈ [1, δ(u)].

Definition 2.6 (Congruence Closure). We say that R′ is the congruence closure of R if R′ is the smallest equivalence relation extending R such that (u[i], v[i]) ∈ R′ (for every i ∈ [1, δ(u)]) and type(u) = type(v) implies (u, v) ∈ R′.

If R′ is both unification and congruence closed (with respect to R), we call it the bidirectional closure of R.

Let R be the set of all pairs asserted equal in Φ. It was shown that the bidirectional closure R′ of R represents all equalities logically implied by Φ [45]. Therefore, Φ is unsatisfiable if and only if there exist t and s such that t ≠ s ∈ Φ and (t, s) ∈ R′.

Algorithm 2.1 (Oppen’s Decision Procedure for Th∀(TA) [45]).
Input:

    Φ : q1 = r1 ∧ ··· ∧ qk = rk ∧ s1 ≠ t1 ∧ ··· ∧ sl ≠ tl,

where qi, ri, si and ti are pure constructor terms.

1. Construct the DAG G of Φ.

2. Compute on G the bidirectional closure R′ of R = {(qi, ri) | 0 < i ≤ k}.

3. Return FAIL if ∃i (si, ti) ∈ R′, or (∃(u, v) ∈ R′)[type(u) ≠ type(v)]. Return SUCCESS otherwise.

Oppen’s original algorithm is given for the theory of LISP lists, which only has one non-nullary constructor (cons). It is straightforward, however, to generalize it to term algebras with an arbitrary number of non-nullary constructors; in Algorithm 2.1, we added type checking which is not present in Oppen’s original algorithm.

In our setting, the language contains selectors and values of α-selectors on non-α-terms are specified, e.g., s^α_i(x) = x if x is not an α-term. It was shown that for such structures the decision problem is NP-complete [40]. The complication is that it is not known a priori whether s(x) is a proper subterm of x and hence it is not possible to use the DAG representation directly. A solution to this problem is to guess the type information of terms occurring inside selectors before applying Algorithm 2.1.

[Figure 2-2 (diagram): the vertexes v1, v2, v3, v4 with edges to their successors among the leaves v5, v6, v7, v8.]

    v1 : x                  v5 : car(x)
    v2 : cons(car(x), y)    v6 : cdr(x)
    v3 : cons(cdr(x), z)    v7 : y
    v4 : cons(y, z)         v8 : z

Figure 2-2: The DAG of cons(y, z) = cons(cdr(x), z) ∧ cons(car(x), y) ≠ x ∧ Iscons(x).

Algorithm 2.2 (Decision Procedure for Th∀(TA) with Selectors). Input: Φ, a conjunction of equalities and disequalities.

1. Guess a type completion Φc of Φ and simplify selector terms accordingly.

2. Call Algorithm 2.1 on Φc.

Example 2.5 (Oppen's Algorithm). Figure 2-2 shows the DAG representation of the LISP list formula

cons(y, z) = cons(cdr(x), z) ∧ cons(car(x), y) ≠ x (2.7)

assuming that Iscons(x) is present. Initially R = {(v3, v4)} as v3 and v4 are asserted equal in (2.7). (For simplicity reflexive pairs are not listed.) By the unification algorithm (v6, v7) are merged, which gives R = {(v3, v4), (v6, v7)}. Then by the congruence algorithm (v1, v2) are merged, resulting in

R = {(v1, v2), (v3, v4), (v6, v7)} .

(Here we used the property that the bidirectional closure is obtained by alternating unification closure and congruence closure until no new pairs are added; in this example one round suffices.) Obviously this branch fails as v1 ≠ v2 is asserted by (2.7). The remaining branch (in the presence of IsA(x)) simplifies to IsA(x) ∧ x = y, which is clearly satisfiable, and therefore so is (2.7).

Note that the correctness of both Algorithms 2.1 and 2.2 relies on the (implicit) assumption that the constant domain is infinite, since otherwise the theory is not convex. As a counterexample, for the structure TA with domain A = {a, b}, we have IsA(x) |= x = a ∨ x = b, but neither IsA(x) |= x = a nor IsA(x) |= x = b. We shall see (in Section 2.4.4) that our algorithm extends Oppen's algorithm to structures with finite constant domain.
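The following is an added example, not code from the dissertation: Algorithm 2.1 (bidirectional closure plus the type check) run over the DAG of Example 2.5, once under Iscons(x) and once under IsA(x). Vertices are plain integers in a union-find; the encoding of Iscons(x) as a cons-vertex whose children are the selector vertices car(x) and cdr(x), and all function names, are this example's own assumptions.

```python
# Added example (not the dissertation's code): Algorithm 2.1 on a term DAG.
# A constructor vertex carries its type and ordered children; a variable
# asserted Iscons(x) is a cons-vertex with children car(x), cdr(x); selector
# vertices and untyped variables are leaves.  Union-find holds the closure.
from collections import defaultdict


class TermDag:
    def __init__(self):
        self.label, self.kids, self.type, self.parent = [], [], [], []

    def add(self, label, kids=(), typ=None):
        """Add a vertex and return its index."""
        v = len(self.label)
        self.label.append(label); self.kids.append(list(kids))
        self.type.append(typ); self.parent.append(v)
        return v

    def find(self, v):
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]
            v = self.parent[v]
        return v

    def merge(self, u, v):
        """Union two classes; True if they were distinct."""
        ru, rv = self.find(u), self.find(v)
        if ru == rv:
            return False
        self.parent[ru] = rv
        return True


def bidirectional_closure(dag, eqs):
    """Step 2: alternate unification closure (merged same-type constructor
    vertices force their i-th children together) and congruence closure
    (same-type constructor vertices with merged children are merged) to a fixpoint."""
    for u, v in eqs:
        dag.merge(u, v)
    n, changed = len(dag.label), True
    while changed:
        changed = False
        classes = defaultdict(list)
        for v in range(n):
            if dag.kids[v]:
                classes[dag.find(v)].append(v)
        for members in classes.values():          # unification
            u0 = members[0]
            for u in members[1:]:
                if dag.type[u] == dag.type[u0] and len(dag.kids[u]) == len(dag.kids[u0]):
                    for a, b in zip(dag.kids[u0], dag.kids[u]):
                        changed |= dag.merge(a, b)
        signature = {}
        for v in range(n):                        # congruence
            if dag.kids[v]:
                key = (dag.type[v], tuple(dag.find(c) for c in dag.kids[v]))
                if key in signature:
                    changed |= dag.merge(signature[key], v)
                else:
                    signature[key] = v


def decide(dag, eqs, diseqs):
    """Step 3: FAIL on a merged disequality or on a class holding two types."""
    bidirectional_closure(dag, eqs)
    if any(dag.find(s) == dag.find(t) for s, t in diseqs):
        return "FAIL"
    types = defaultdict(set)
    for v in range(len(dag.label)):
        if dag.type[v] is not None:
            types[dag.find(v)].add(dag.type[v])
    return "FAIL" if any(len(ts) > 1 for ts in types.values()) else "SUCCESS"


def example_2_5_cons_branch():
    """Figure 2-2: cons(y,z) = cons(cdr(x),z) ∧ cons(car(x),y) ≠ x ∧ Iscons(x)."""
    d = TermDag()
    x = d.add("x", typ="cons")                         # v1; x = cons(car(x), cdr(x))
    car_x, cdr_x = d.add("car(x)"), d.add("cdr(x)")    # v5, v6
    d.kids[x] = [car_x, cdr_x]
    y, z = d.add("y"), d.add("z")                      # v7, v8
    v2 = d.add("cons", [car_x, y], "cons")
    v3 = d.add("cons", [cdr_x, z], "cons")
    v4 = d.add("cons", [y, z], "cons")
    return decide(d, eqs=[(v4, v3)], diseqs=[(v2, x)])


def example_2_5_atom_branch():
    """Under IsA(x) the selectors return x: cons(y,z) = cons(x,z) ∧ cons(x,y) ≠ x."""
    d = TermDag()
    x = d.add("x", typ="A")
    y, z = d.add("y"), d.add("z")
    v2 = d.add("cons", [x, y], "cons")
    v3 = d.add("cons", [x, z], "cons")
    v4 = d.add("cons", [y, z], "cons")
    return decide(d, eqs=[(v4, v3)], diseqs=[(v2, x)])


def type_clash():
    """cons(y, z) = x ∧ IsA(x): rejected by the type check added in step 3."""
    d = TermDag()
    x, y, z = d.add("x", typ="A"), d.add("y"), d.add("z")
    return decide(d, eqs=[(d.add("cons", [y, z], "cons"), x)], diseqs=[])
```

The Iscons(x) branch fails exactly as in the text (v1 and v2 end up in one class while v1 ≠ v2 is asserted), the IsA(x) branch succeeds with x and y merged, and the last function shows why the type check matters: without it, a constant and a cons-term would be merged silently.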


2.4 Decision Procedures for Quantifier-free Theories

In this section we present decision procedures for Th∀(TAZ), the quantifier-free theory of term algebras augmented with a length function and Presburger arithmetic. First, in Section 2.4.1 we describe the theory, and then, in Section 2.4.2, outline our generic approach for constructing decision procedures for this theory. This approach is refined in Section 2.4.3 into a decision procedure for structures with an infinite constant domain, Th∀(TAωZ), and then further refined for structures with finite constant domain, Th∀(TAZ), in Section 2.4.4. Section 2.4.5 outlines the approach to obtain decision procedures for structures whose constant domain contains relations besides equality. Section 2.4.6 discusses the complexity of the decision procedures for the quantifier-free theories.

2.4.1 Term Algebras with Integers

Definition 2.7 (Term Algebras with Integers). The structure of term algebras with integers is

TAZ = 〈TA; PA; | · | : T → N 〉 ,

where TA is a term algebra, PA is Presburger arithmetic, and | · | is the length function defined recursively by

1. for any constant a, |a| = 1, and

2. for a term α(t1, . . . , tk), $|\alpha(t_1, \ldots, t_k)| = 1 + \sum_{i=1}^{k} |t_i|$.

The extended language is denoted by L^Z_T. We use TAωZ to denote a term algebra with integers and with an infinite constant domain.

The length function given in Definition 2.7 was chosen for ease of presentation. Generalizingit into a weight function that assigns an arbitrary nonnegative integer to each symbol, or a heightfunction that gives the length of the maximum path does not require any essential changes to ourtechniques. In fact we can have more than one length function. An example is given in Section 2.5.

We use subscripts T, Z (or prefixes TA-, PA-) to denote notions related to term sort and integer sort, respectively. For example, ΦT denotes a formula in LT, the language of pure term algebras, ΦZ denotes a formula in LZ, the language of Presburger arithmetic, VT denotes the collection of variables in LT and VZ denotes the collection of variables in LZ. Although L^Z_T contains two equality predicates: term equality =T in LT and integer equality =Z in LZ, we use = in both cases unless there is a chance of confusion. Recall that we do not distinguish syntactic TA-terms in LZ and semantic TA-terms in T. We also use "term" for "TA-" when there is no confusion. For example, by term variables we mean TA-variables and by term quantifiers we mean quantifiers on term variables.

A TA-term can occur inside the length function. Such an occurrence is called an integer occurrence, to be distinguished from the normal term occurrence. From now on, we freely use integer terms |t| to form Presburger formulas. For example, car(x) is a TA-term and |car(x)| is a PA-term. The first occurrence of car(x) is a term occurrence and the second one is an integer occurrence.

To save space, we use an integer term |t(x)| in two ways; one as the length function | · | applied to t(x) (when t(x) is in discussion), and the other as a special integer variable (called pseudo integer variable). In the latter case, if x ∈ VT, then |x| = z denotes the formula of the form

$\bigwedge_i |t_i(x)| = z_i$

where z ∈ VZ and ti(x) enumerates all TA-terms containing x in the context.

Example 2.6 (Notation for Pseudo Integer Variables). In the context of the formula ΦT(x) : x1 = cons(x2, x3), |x| = z denotes

|x1| = z1 ∧ |x2| = z2 ∧ |x3| = z3 ∧ |cons(x2, x3)| = z4 .

In the context of the formula ΦZ(x) : |x1| = |car(cdr(x2))|, |x| = z denotes

|x1| = z1 ∧ |x2| = z2 ∧ |cdr(x2)| = z3 ∧ |car(cdr(x2))| = z4 .

Suppose Φ(x, y) is in a context in which all occurrences of x ∈ VT are integer occurrences. Then by Φ(z, y) we mean the formula obtained by substituting a true integer variable z (z ∈ z) for each pseudo integer variable |t(x)|. (Here we actually overload the symbol Φ, but the risk of confusion is minimal.) We use |x| ← z to denote such a substitution. For example, in Example 2.6, ΦZ(z) denotes z1 = z4. If σT is an assignment for VT, then |σT| denotes the corresponding assignment for pseudo integer variables. For example, if ΦT is x1 = cons(x2, x3) and σT is

x1 := nil, x2 := cons(nil,nil), x3 := nil ,

then |σT| is

|x1| := 1, |x2| := 3, |x3| := 1 .

It is easily seen that the general purpose combination method in [39] is not directly applicableto TAZ due to the presence of the length function.

Example 2.7 (Hidden Length Constraints). The constraints

Φlist : x = cons(car(y), y) , ΦZ : |x| < 2|car(x)|

are clearly satisfiable, respectively, in List and PA. However, since Φlist implies that car(x) = car(y), x contains two copies of car(y) and so its length should be at least two times the length of car(x). Therefore, ΦZ ∧ Φlist is unsatisfiable in ListZ.


A simple but crucial observation is that ΦT induces an implicit length constraint Φ∆, in addition to the explicit constraint ΦZ given in the input. The unsatisfiability is due to the fact that Φ∆ contradicts ΦZ. In Example 2.7, Φlist in fact implies |x| ≥ 2|car(x)|, resulting in a contradiction to ΦZ.

Implicit length constraints are induced not only by the structures of objects, but also by the sizeof the constant domain.

Example 2.8 (More Hidden Length Constraints). Consider the constraint

Φlist : x ≠ cons(cons(nil, nil), nil) ∧ x ≠ cons(nil, cons(nil, nil)) , ΦZ : |x| = 5

in List and in PA, respectively. Clearly, both are satisfiable in the respective structures. In the combined structure ListZ, however, there are exactly two term trees with length 5 and Φlist states that x is not equal to either of them. As a consequence, Φlist implies Φ∆ : |x| ≠ 5, contradicting |x| = 5.

Intuitively, if we can extract from ΦT the implicit Φ∆ that exactly characterizes the solution setof ΦT, then the satisfiability of ΦT ∧ ΦZ reduces to the satisfiability of Φ∆ ∧ ΦZ. As a consequence,we can derive decision procedures for the combined theory by utilizing the decision procedures forPA and TA.

2.4.2 A Generic Decision Procedure for Th∀(TAZ)

Given a term constraint ΦT our objective is to construct a Presburger formula Φ∆, called a LengthConstraint Completion, that is satisfiable if and only if ΦT is satisfiable.

Definition 2.8 (Length Constraint Completion (LCC) in TAZ). An LZ-formula Φ∆(x) is a length constraint completion (LCC) for ΦT(x) if the following formulas are valid:

\[
(\forall x : T)\big[\,\Phi_T(x) \to (\exists z : Z)\big(\Phi_\Delta(z) \wedge |x| = z\big)\,\big], \tag{2.8}
\]

\[
(\forall z : Z)\big[\,\Phi_\Delta(z) \to (\exists x : T)\big(\Phi_T(x) \wedge |x| = z\big)\,\big]. \tag{2.9}
\]

Let Φ∆ be an LCC for ΦT. Condition (2.8) says that for any satisfying assignment σT of ΦT, |σT| is a satisfying assignment for Φ∆. In other words, | · | maps a satisfying assignment for ΦT in TA to a satisfying assignment for Φ∆ in PA. We say that Φ∆ satisfying (2.8) is sound with respect to ΦT. On the other hand, condition (2.9) says that for any satisfying assignment σ∆ of Φ∆ there exists a satisfying assignment σT of ΦT such that |σT| = σ∆. In other words, any satisfying assignment in PA is the image under | · | of a satisfying assignment in TA. We say that Φ∆ satisfying (2.9) is realizable by ΦT. In particular, if ΦT is unsatisfiable, then so is Φ∆.

Let Φ∆ be a formula satisfying both (2.8) and (2.9). Let Φ∆+ and Φ∆−, respectively, be any two formulas satisfying (2.8) and (2.9) (when in place of Φ∆). If we identify these constraints with their corresponding solution sets, we have

Φ∆− ⊆ Φ∆ ⊆ Φ∆+ . (2.10)

Thus Φ∆ is the exact projection of ΦT from TA to PA, while Φ∆+ and Φ∆− are over- and under-approximations of Φ∆ respectively. Let Φ∆ and Φ∆′ both be LCCs for ΦT. By (2.10) we have Φ∆′ ⊆ Φ∆ ⊆ Φ∆′ and hence Φ∆ = Φ∆′ (with respect to the corresponding solution sets). Therefore, for a term constraint there exists a unique LCC up to equivalence.

Example 2.9 (LCC in ListZ). Consider in List the formula Φlist : cons(x, y) = z. The constraint

Φ∆+ : |z| > |x| ∧ |z| > |y| ∧ |x| > 0 ∧ |y| > 0 ∧ 2 ∤ |x| ∧ 2 ∤ |y|

is sound but it is not realizable for Φlist, as the integer assignment

σ∆ : |x| := 3, |y| := 3, |z| := 4

cannot be realized. On the other hand, the constraint

Φ∆− : |x| + |y| + 1 = |z| ∧ |x| > 5 ∧ |y| > 0 ∧ 2 ∤ |x| ∧ 2 ∤ |y|

is realizable for Φlist, but it is not sound because it is not satisfied by the data assignment

σT : x := nil, y := nil, z := cons(nil, nil) .

Finally, the constraint

Φ∆ : |x| + |y| + 1 = |z| ∧ |x| > 0 ∧ |y| > 0 ∧ 2 ∤ |x| ∧ 2 ∤ |y|

is both sound and realizable, and hence is the induced length constraint of Φlist.
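To make the two halves of Definition 2.8 concrete, here is an added example (not the dissertation's code) that checks soundness (2.8) and realizability (2.9) of the three candidates of Example 2.9 by brute force over List terms built from the single constant nil. Terms are encoded as the string 'nil' or a pair (car, cdr); the enumeration bound BOUND and all function names are this example's own, so the checks are exhaustive only for lengths up to that bound.

```python
# Added example (not the dissertation's code): brute-force check of soundness
# (2.8) and realizability (2.9) for the candidate length constraints of
# Example 2.9.  List terms over {nil} are 'nil' or a pair (car, cdr).
from functools import lru_cache
from itertools import product

NIL = "nil"
BOUND = 9   # largest term length enumerated (List lengths are odd)


def length(t):
    """Length function of Definition 2.7: |nil| = 1, |cons(a, b)| = 1 + |a| + |b|."""
    return 1 if t == NIL else 1 + length(t[0]) + length(t[1])


@lru_cache(None)
def terms_of_length(x):
    """All List terms over {nil} of length x; empty unless x is a positive odd number."""
    if x < 1 or x % 2 == 0:
        return ()
    if x == 1:
        return (NIL,)
    return tuple((a, b) for lx in range(1, x - 1, 2)
                 for a in terms_of_length(lx) for b in terms_of_length(x - 1 - lx))


def phi_list(x, y, z):
    """Φ_list : cons(x, y) = z."""
    return z == (x, y)


def odd(n):
    return n % 2 == 1


# The candidates of Example 2.9 as predicates on (|x|, |y|, |z|).
def phi_plus(lx, ly, lz):    # sound, not realizable
    return lz > lx and lz > ly and lx > 0 and ly > 0 and odd(lx) and odd(ly)


def phi_minus(lx, ly, lz):   # realizable, not sound
    return lx + ly + 1 == lz and lx > 5 and ly > 0 and odd(lx) and odd(ly)


def phi_delta(lx, ly, lz):   # the LCC of Φ_list
    return lx + ly + 1 == lz and lx > 0 and ly > 0 and odd(lx) and odd(ly)


def unsound_witness(phi):
    """(2.8) within BOUND: a term assignment satisfying Φ_list whose lengths
    violate phi, or None if phi holds for every enumerated solution."""
    ts = [t for x in range(1, BOUND + 1, 2) for t in terms_of_length(x)]
    for x, y, z in product(ts, repeat=3):
        if phi_list(x, y, z) and not phi(length(x), length(y), length(z)):
            return (x, y, z)
    return None


def realized(lx, ly, lz):
    """Is (lx, ly, lz) the length image of some (x, y, z) satisfying Φ_list?"""
    return any(length((x, y)) == lz
               for x in terms_of_length(lx) for y in terms_of_length(ly))


def unrealizable_witness(phi):
    """(2.9) within BOUND: an integer triple satisfying phi that no term
    assignment realizes, or None if every enumerated solution is realized."""
    for lx, ly, lz in product(range(BOUND + 1), repeat=3):
        if phi(lx, ly, lz) and not realized(lx, ly, lz):
            return (lx, ly, lz)
    return None
```

Running the two checks reproduces the classification in the text: Φ∆+ has no unsound witness but (3, 3, 4) is not realized (no term has even length 4, and cons(x, y) of two length-3 terms has length 7); Φ∆− is realized on every enumerated solution but is falsified by x := nil, y := nil, z := cons(nil, nil); Φ∆ passes both.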

We have a decision procedure for Th∀(TAZ) if Φ∆ can be effectively computed from ΦT.

Theorem 2.1 (Reduction with LCC [60]). Let Φ∆ be an LCC for ΦT. Then TAZ |=∃ ΦT∧ΦZ if and onlyif PA |=∃ Φ∆ ∧ ΦZ.

Proof. Conditions (2.8) and (2.9) give the “⇒” and “⇐” directions, respectively.

By this theorem the decision problem for quantifier-free theories reduces to computing the LCC in Presburger arithmetic. To obtain an LCC, we need a normalization process to transform ΦT to an equivalent disjunction in which each disjunct is of the form Φ′T ∧ θ′Z. We call such a transformation a partitioning and each disjunct a partition. (We do not require partitions to be mutually exclusive.)


In the subsequent sections, we shall show in detail each of the normalization procedures. First, weextend Definition 2.8 to deal with newly generated integer constraints in the normalization.

Definition 2.9 (Relativized LCC (RLCC) in TAZ). A formula Φ∆(x) is a length constraint completion for ΦT(x) relativized to θZ(x) (in short, Φ∆(x) is an RLCC for ΦT(x)/θZ(x)), if the following formulas are valid:

\[
(\forall x : T)\big[\,\Phi_T(x) \wedge \theta_Z(x) \to (\exists z : Z)\big(\Phi_\Delta(z) \wedge |x| = z\big)\,\big], \tag{2.11}
\]

\[
(\forall z : Z)\big[\,\Phi_\Delta(z) \to (\exists x : T)\big(\Phi_T(x) \wedge \theta_Z(x) \wedge |x| = z\big)\,\big]. \tag{2.12}
\]

Example 2.10 (RLCC in List). Consider List. Let

x : x1, x2, x3 , ΦT(x) : cons(x1, x2) = x3 , θZ(x) : |x1| < |x2| .

Consider the following formulas:

Φdiv : |x1| > 0 ∧ |x2| > 0 ∧ 2 ∤ |x1| ∧ 2 ∤ |x2| ,
Φ∆ : |x1| + |x2| + 1 = |x3| ∧ |x1| < |x2| ∧ Φdiv ,
Φ∆+ : |x1| < |x3| ∧ |x2| < |x3| ∧ |x1| < |x2| ∧ Φdiv ,
Φ∆− : |x1| + |x2| + 1 = |x3| ∧ |x1| ≤ 3 ∧ |x2| > 3 ∧ Φdiv .

It is not hard to prove that Φ∆ is an RLCC for ΦT(x)/θZ(x). But neither Φ∆+ nor Φ∆− is such an RLCC. Although Φ∆+ satisfies (2.11), it does not satisfy (2.12), as the assignment

|x1| := 1, |x2| := 3, |x3| := 4

can not be realized by any assignment for x. On the other hand, Φ∆− satisfies (2.12), but not (2.11), as theassignment

x1 := nil, x2 := cons(nil,nil), x3 := cons(nil, cons(nil,nil))

falsifies Φ∆−.

Comparing (2.8) and (2.9) with (2.11) and (2.12), we see that an LCC is an RLCC with θZ ≡ true.Like LCCs, up to equivalence, there exists a unique RLCC with respect to ΦT(x)/θZ(x). In addition,RLCCs have the following easily proved “additive” property.

Proposition 2.1 (Additivity of RLCC). If Φ∆ is an RLCC for ΦT/θZ, then for any θ′Z, Φ∆ ∧ θ′Z is an RLCC for ΦT/(θZ ∧ θ′Z).

In particular, by letting θ′Z := ΦZ and θZ := true, we see that if Φ∆ is an LCC for ΦT, then Φ∆ ∧ ΦZ is an RLCC for ΦT/ΦZ. So Theorem 2.1 is in fact a special case of the following theorem.

Theorem 2.2 (Reduction with RLCC). Let Φ∆ be an RLCC for ΦT/θZ. Then TAZ |=∃ ΦT ∧ θZ if andonly if PA |=∃ Φ∆.

Proof. Conditions (2.11) and (2.12) give the “⇒” and “⇐” directions, respectively.

This theorem motivates the strategy of our decision procedures. In the normalization process, with the introduction of auxiliary integer constraints, we partition the original search space for ΦT such that $\Phi_T \leftrightarrow \bigvee_i \Phi^{(i)}_T \wedge \theta^{(i)}_Z$, until we can easily compute the RLCC $\Phi^{(i)}_\Delta$ for each $\Phi^{(i)}_T/\theta^{(i)}_Z$. By Proposition 2.1, $\Phi^{(i)}_\Delta \wedge \Phi_Z$ is an RLCC for $\Phi^{(i)}_T/(\theta^{(i)}_Z \wedge \Phi_Z)$. Then TAZ |=∃ ΦT ∧ ΦZ if and only if for some i, TAZ |=∃ $\Phi^{(i)}_T \wedge \theta^{(i)}_Z \wedge \Phi_Z$, which, by Theorem 2.2 (set $\Phi_T := \Phi^{(i)}_T$, $\Phi_\Delta := \Phi^{(i)}_\Delta \wedge \Phi_Z$, $\theta_Z := \Phi_Z \wedge \theta^{(i)}_Z$), reduces to determining whether PA |=∃ $\Phi^{(i)}_\Delta \wedge \Phi_Z$. Note that ΦZ is not involved in computing an RLCC. Therefore, we can assume that $\theta^{(i)}_Z$ includes the constraints relevant to the corresponding partitioning and that the other constraints generated during the normalization procedure have been merged into ΦZ.

Algorithm 2.3 (Generic Decision Procedure). Input: ΦT ∧ ΦZ.

1. Return FAIL if TA ⊭∃ ΦT.

2. For each partition $\Phi^{(i)}_T \wedge \theta^{(i)}_Z$ of ΦT:

(a) Compute an RLCC $\Phi^{(i)}_\Delta$ for $\Phi^{(i)}_T/\theta^{(i)}_Z$.

(b) Return SUCCESS if PA |=∃ $\Phi^{(i)}_\Delta \wedge \Phi_Z$.

3. Return FAIL.

2.4.3 A Decision Procedure for Th∀(TAωZ)

The easiest arithmetic extension of term algebras is Th∀(TAωZ), the quantifier-free theory of term algebras with integers and with an infinite constant domain. In TAωZ, an LCC can be derived directly from the DAG for the formula. (We do not need the notion of RLCC in this case.) Before we present the algorithm we define the following integer predicates on lengths of terms in a DAG:

\[
\mathit{Tree}(x) : \exists x_1, \ldots, x_n \ge 0 \Big( x = 1 + \sum_{i=1}^{n} d_i x_i \Big), \tag{2.13}
\]

\[
\mathit{Node}_\alpha(x, \bar{x}_\alpha) : x = 1 + \sum_{i=1}^{ar(\alpha)} x_i, \tag{2.14}
\]

\[
\mathit{Tree}_\alpha(x) : \exists \bar{x}_\alpha \Big( \mathit{Node}_\alpha(x, \bar{x}_\alpha) \wedge \bigwedge_{0 < i \le ar(\alpha)} \mathit{Tree}(x_i) \Big), \tag{2.15}
\]

where $\bar{x}_\alpha$ denotes x1, . . . , x_ar(α) and d1, . . . , dn are the distinct arities of non-nullary constructors. The predicate Tree(x) is true if and only if x is the length of a well-formed tree, since whenever a leaf expands one level with outgoing degree d, the length of the tree increases by d. The second predicate expresses that the length of an α-typed node with known children is the sum of its children's lengths plus 1. The last predicate states the length constraint for an α-typed tree. With these predicates the construction of an LCC is given by the following algorithm.

Figure 2-3: The DAG of x = cons(car(y), y) ∧ |cons(car(y), y)| < 2|car(x)| ∧ Iscons(y). Vertices: v1 : x, v2 : cons(car(y), y), v3 : y, v4 : car(x), v5 : cdr(x), v6 : car(y), v7 : cdr(y). (Only the caption and vertex labels of the drawing are recoverable.)

Algorithm 2.4 (Computation of LCC in TAωZ). Let ΦT be a type-complete term constraint, GT the DAG of ΦT and R the bidirectional closure obtained by Algorithm 2.1. Initially set Φ∆ = ∅. For each term t add the following to Φ∆.

• |t| = 1, if t is a constant or asserted to be a constant (i. e., IsA(t) is in ΦT);

• |t| = |s|, if (t, s) ∈ R;

• Nodeα(|t|, |t1|, . . . , |tar(α)|), if t is an α-typed vertex with children t1, . . . , tar(α);

• Treeα(|t|), if t is an α-typed leaf vertex.

Proposition 2.2 (LCC in TAωZ). Φ∆ obtained by Algorithm 2.4 is expressible as a quantifier-free Presburger formula linear in the size of ΦT.

Theorem 2.3 (LCC in TAωZ). Φ∆ obtained by Algorithm 2.4 is an LCC for ΦT.

Algorithm 2.5 (Decision Procedure for Th∀(TAωZ)). Input: ΦT ∧ΦZ where ΦT is type-complete.

1. Call Algorithm 2.1 on ΦT; return FAIL if TA 6|=∃ ΦT.

2. Construct Φ∆ from the DAG GT using Algorithm 2.4.

• Return SUCCESS if PA |=∃ Φ∆ ∧ ΦZ.

• Return FAIL otherwise.

The correctness of the algorithm follows from Theorem 2.1 and Theorem 2.3.


Example 2.11 (LCC in TAωZ). We here assume that List contains infinitely many constants. Figure 2-3 shows the DAG of

x = cons(car(y), y) ∧ |cons(car(y), y)| < 2|car(x)| ∧ Iscons(y) , (2.16)

where y is asserted not to be a constant. The computed closure is {(v1, v2), (v3, v5), (v4, v6)}. By Algorithm 2.4, Φ∆ is

|x| = |cons(car(y), y)| ∧ |car(x)| = |car(y)| ∧ |cdr(x)| = |y| ∧
|x| = |car(x)| + |cdr(x)| + 1 ∧ |y| = |car(y)| + |cdr(y)| + 1 ∧
|cons(car(y), y)| = |car(y)| + |y| + 1 ∧
2 ∤ |car(x)| ∧ 2 ∤ |cdr(x)| ∧ 2 ∤ |car(y)| ∧ 2 ∤ |cdr(y)| ∧
|car(x)| ≥ 1 ∧ |cdr(x)| ≥ 1 ∧ |car(y)| ≥ 1 ∧ |cdr(y)| ≥ 1 (2.17)

which implies

|cons(car(y), y)| ≥ 2|car(x)| , (2.18)

contradicting |cons(car(y), y)| < 2|car(x)|. If y is asserted to be a constant, then v3, v6, v7 are merged. In this case Φ∆ also implies (2.18), and therefore (2.16) is unsatisfiable.

Note that the last two lines of (2.17) are the result of simplification of constraints of the form Tree(·); according to our definition of the length function, the length of any term (tree) in List is a positive odd number.

2.4.4 A Decision Procedure for Th∀(TAZ)

Algorithm 2.4 can produce an incorrect LCC in Th∀(TAZ), the quantifier-free theory of term algebraswith integers and with a finite constant domain, as illustrated by the following example.

Example 2.12 (Hidden Length Constraints in TAZ). Consider List with A = {nil}. The constraint

|x| = 5 ∧ IsA(y) ∧ x ≠ cons(cons(y, y), y) ∧ x ≠ cons(y, cons(y, y)) (2.19)

is unsatisfiable while Φ∆ obtained by Algorithm 2.4 is

|y| = 1 ∧ |cons(y, y)| = 3 ∧ |cons(cons(y, y), y)| = 5 ∧ |cons(y, cons(y, y))| = 5

which is obviously satisfiable together with |x| = 5.

The reason is that ifA is finite, then there are only finitely many terms of length n for any n > 0.If a term t is forced to be distinct from all of them, then t cannot have length n. Therefore Φ∆ needsto include constraints that count the number of distinct terms of a certain length.

Definition 2.10 (Counting Constraints). A counting constraint is a predicate CNTαk,n(x) (k > 0, n ≥ 0)that is true if and only if there are at least n+1 different α-terms of length x in TA with |A| = k. CNTk,n(x)is similarly defined with α-terms replaced by TA-terms.

Example 2.13 (Counting Constraints). For List with A = {nil}, $\mathit{CNT}^{cons}_{1,n}(x)$ is x ≥ 2m − 1 ∧ 2 ∤ x, where m is the least number such that the m-th Catalan number

\[
C_m = \frac{1}{m}\binom{2m-2}{m-1}
\]

is greater than n. This is not surprising as C_m gives the number of binary trees with m leaves (such a tree has 2m − 1 nodes).

The following two monotonicity properties are easily proven: for any l ≥ k > 0 and m ≥ n > 0,

CNTαk,n(x)→ CNTαl,n(x) , CNTαk,m(x)→ CNTαk,n(x) .

In general we have the following result.

Theorem 2.4 (Counting Constraints in TAZ). CNTαk,n(x) and CNTk,n(x) are expressible by quantifier-free Presburger formulas that can be computed in time O(n).

In order to construct counting constraints, we need equality information between terms.

Definition 2.11 (Equality Completeness). ΦT ∧ θZ is equality complete if for any two terms u and v in ΦT

• either u = v or u ≠ v (but not both) is in ΦT, and

• either |u| = |v| or |u| ≠ |v| (but not both) is in θZ.

Equality completeness is a syntactical notion similar to a variable partition in the Nelson-Oppen combination method. We can make a quantifier-free formula ΦT ∧ θZ (which does not contain contradictory literals) equality complete by adding exactly one of u = v and u ≠ v to ΦT, and exactly one of |u| = |v| and |u| ≠ |v| to θZ. Let us call the resulting formula an equality completion of ΦT ∧ θZ. Similarly, we can define equality completion for sets of terms. Like type completion, Φ′T ∧ θ′Z is a compatible equality completion of ΦT ∧ θZ if the satisfiability of ΦT ∧ θZ implies the satisfiability of Φ′T ∧ θ′Z.


Example 2.14 (Equality Completion). Let Φlist be y ≠ cons(x, z) ∧ Iscons(x, y, z). A possible equality completion of Φlist (θZ = ∅)  is

\[
|y| = |cons(x, z)| \wedge |x| = |z| \wedge |y| \ne |x| \wedge \mathit{Iscons}(x, y, z) \wedge \bigwedge_{t, t' \in S;\ t \not\equiv t'} t \ne t', \tag{2.20}
\]

where S = {x, y, z, cons(x, z)}.

Strictly speaking, the formula (2.20) is not an equality completion of ΦT; to save space, weomitted equalities and disequalities that follow from equality substitution. In general, equalitycompletion could add O(n2) literals. It however can be more succinctly represented as assertionsof the form eq(t1, . . . , tn) or neq(t1, . . . , tn) that state that a set of terms are all equal or all pairwisedistinct, respectively.

We partition the search space for ΦT by computation of equality completion. To save notation,ΦT and θZ always refer to the updated version for one of the partitions. By CLSαn(x0, x1, . . . , xn)we denote the conjunction of literals expressing that x0, . . . , xn are α-typed terms having the samelength but pairwise distinct.

Algorithm 2.6 (Computation of RLCC in TAZ). Input: ΦT ∧ θZ (type and equality complete); k, thecardinality ofA.

1. Call Algorithm 2.4 to obtain Φ∆.

2. Set Φ∆ := Φ∆ ∧ θZ.

3. Add to Φ∆ the constraints CNTαk,n(|t|) if CLSαn(t, t1, . . . , tn) is induced by ΦT ∧ θZ for some t1, . . . , tn.

Note that CNTαk,n(|t|)→ CNTαk,m(|t|) for n ≥ m. In step (3), therefore, it suffices to add CNTαk,n(|t|)only if the set t, t1, . . . , tn is maximal in the sense that CLSαn(t, t1, . . . , tn) occurs in ΦT ∧ θZ, but forno t′1, . . . , t′n+1 does CLSαn+1(t, t′1, . . . , t′n+1) also occur in ΦT ∧ θZ. In addition, due to symmetry, thereis no need to add CNTαk,m(|t1|), . . ., CNTαk,m(|tn|).

Proposition 2.3 (RLCC in TAZ). Φ∆ obtained by Algorithm 2.6 is expressible in a quantifier-free Pres-burger formula of size linear in the size of ΦT ∧ θZ.

Theorem 2.5 (RLCC in TAZ). Φ∆ obtained by Algorithm 2.6 is an RLCC for ΦT/θZ.

Algorithm 2.7 (Decision Procedure for Th∀(TAZ)). Input: ΦT ∧ ΦZ.

1. Guess a type and equality completion of ΦT, denoted by ΦT ∧ θZ.

2. Call Algorithm 2.1 on ΦT. Return FAIL if TA ⊭∃ ΦT.

3. Construct Φ∆ from ΦT ∧ θZ using Algorithm 2.6.

• Return SUCCESS if PA |=∃ Φ∆ ∧ ΦZ.

• Return FAIL otherwise.

The correctness of Algorithm 2.7 follows from Theorems 2.2 and 2.5. Notice that, when ΦZ isempty, the algorithm can be viewed as an extension of Oppen’s original algorithm for structureswith a finite constant domain.

Example 2.15 (RLCC in TAZ). Let us return to Example 2.12. Constraint (2.19) has exactly one compatible completion, namely

CLScons2 (x, cons(cons(y, y), y), cons(y, cons(y, y))) .

This results in an RLCC containing the counting constraint

CNTcons1,2 (|x|) : |x| > 5 ∧ 2 - |x| ,

contradicting |x| = 5 in (2.19).
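The counting constraint of Definition 2.10 can be computed exactly as Example 2.13 describes, and it is worth seeing that the Catalan formula really counts terms. The block below is an added example, not the dissertation's code: it computes $\mathit{CNT}^{cons}_{k,n}(x)$ for List with k constants (the closed form for general k, $C_m \cdot k^m$ cons-terms with m leaves, is this example's generalization of the k = 1 case in the text), cross-checks it against a direct length-indexed count, and reproduces the threshold |x| ≥ 7 used in Example 2.15. All function names are this example's own.

```python
# Added example (not the dissertation's code): CNT^cons_{k,n}(x) for List with
# k constants, from Catalan numbers, cross-checked by a direct count of terms.
from functools import lru_cache
from math import comb


def catalan_trees(m):
    """C_m = (1/m) * binom(2m-2, m-1): binary trees with m leaves (2m-1 nodes)."""
    return comb(2 * m - 2, m - 1) // m


def cons_terms_of_length(k, x):
    """Distinct cons-terms of length x over k constants: a cons-term with m
    leaves has length 2m-1, C_m shapes and k^m choices of leaf constants."""
    if x < 3 or x % 2 == 0:
        return 0
    m = (x + 1) // 2
    return catalan_trees(m) * k ** m


def cnt_cons(k, n, x):
    """CNT^cons_{k,n}(x): at least n+1 different cons-terms of length x."""
    return cons_terms_of_length(k, x) > n


def cnt_cons_threshold(k, n):
    """Least length x0 with more than n cons-terms.  Since the count grows with
    the length, CNT^cons_{k,n}(x) holds exactly when x >= x0 and x is odd,
    which is the quantifier-free Presburger form given in Example 2.13."""
    m = 2
    while catalan_trees(m) * k ** m <= n:
        m += 1
    return 2 * m - 1


@lru_cache(None)
def count_terms(k, x):
    """Independent check: List terms of length x over k constants, by recursion
    on the root (a constant, or cons of two terms whose lengths sum to x-1)."""
    if x == 1:
        return k
    return sum(count_terms(k, l) * count_terms(k, x - 1 - l) for l in range(1, x - 1))


def formula_matches_count(k, max_len=15):
    """The Catalan formula agrees with the direct count for every length up to max_len."""
    return all(cons_terms_of_length(k, x) == count_terms(k, x) for x in range(2, max_len + 1))


def example_2_15():
    """CLS^cons_2(x, ...) with A = {nil} induces CNT^cons_{1,2}(|x|): |x| >= 7 and
    odd, so |x| = 5 is ruled out.  Returns (threshold, CNT^cons_{1,2}(5))."""
    return cnt_cons_threshold(1, 2), cnt_cons(1, 2, 5)
```

The monotonicity properties stated after Example 2.13 can be checked directly on cnt_cons: enlarging the constant domain (k) or lowering n only makes the predicate easier to satisfy.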

2.4.5 Richer Theories on Constant Domain

Up to now we assumed that the constant domain is purely equational, i.e., we can only express equality and disequality between constants. It is fairly easy, however, to relax this assumption and allow a constant domain with richer constructs provided the enriched structure is decidable and the signature of this structure is disjoint from the signature of TAZ except for constants. (In fact, disjointness is trivially satisfied because in L^Z_T we only have the equality predicate on constants.) We outline the approach below.

Let Ac denote the new constant structure and Lc the corresponding language. Let TA+Z denote the extended structure of term algebras with integers and Φ+ a constraint in TA+Z. Without loss of generality, we assume that Φ+ is both equality and type complete with respect to TA-terms. There is a standard way to purify Φ+ to Φ ∧ Φc ∧ Abs where Φ is a constraint in L^Z_T, Φc is a constraint in Lc, and Abs is the set of equalities of the form vi = ti where the vi are fresh variables and the ti are TA-terms in Φ which are of constant type but are not constants directly. Both Φ and Φc contain the same equality completion (up to the isomorphic mapping vi → ti) for terms of constant type. It follows from the Nelson-Oppen combination method that TA+Z |=∃ Φ+ if and only if TAZ |=∃ Φ and Ac |=∃ Φc.

2.4.6 Complexity

The complexity of the decision problems for the quantifier-free theories is NP-complete. Let n be the input size. First, it is not hard to see that the decision problems for both Th∀(TAZ) and Th∀(TAωZ) are NP-hard as they are super-theories of Th∀(TA) and Th∀(PA), both of which are NP-complete [45], [20, pp. 336-340]. Second, Algorithm 2.4 computes Φ∆ in O(n) (see Proposition 2.2) and so does Algorithm 2.6. Third, the size of any type and equality completion of Φ is bounded by O(n²) as there are at most n² pairs of terms. By the nondeterministic nature of our algorithms, we see that each branch of computation (in Algorithms 2.5 and 2.7 respectively) is in P. Therefore both Th∀(TAωZ) and Th∀(TAZ) are NP-complete.

2.5 Case Study: Verification of Red-Black Tree Algorithm

In this section we present formalisms for analyzing the red-black tree algorithm. We also extendour method to a theory of a term algebra with two length functions. Let us first consider a simpleexample of tree manipulation.

Algorithm 2.8 (Left-Rotation of Trees). Input: List x. Require: cdr(x) ≠ nil; Ensure: |y| = |x|.

1: t := x
2: y := cdr(t)
3: cdr(t) := car(y)
4: car(y) := t
5: return y

Algorithm 2.8 is a tree balancing routine used in the red-black tree algorithm. It takes an inputtree x and “shuffles” the root node of x with the root node of the right child of x. Our decisionprocedure can prove that the size of the tree returned by Algorithm 2.8 is equal to the size of x.

We carry out the post-condition computation as follows. Let v denote the variables in thecurrent state and v′ denote the corresponding variables in the next state. The transition relation of astatement q is denoted by ρq(v, v′). The post-condition post(q, ϕ) of ϕ(v) after executing a statementq is

\[
(\exists v_0)\big(\rho_q(v_0, v) \wedge \varphi(v_0)\big).
\]

For example, the state ϕ0 before statement 1 is cdr(x) ≠ nil. The post-condition after executing statement 1 is

\[
(\exists x \exists t \exists y)\big[\, cdr(x) \ne nil \wedge t' = x \wedge x' = x \wedge y' = y \,\big],
\]

which simplifies to cdr(x′) ≠ nil ∧ t′ = x′, and after renaming, to cdr(x) ≠ nil ∧ t = x, called ϕ1. The transition relation of two sequential statements can be computed as follows. Let ρq(v, v1) and ρr(v1, v′) be the transition relations for statements q and r respectively. Then the transition relation of the composite statement 〈q; r〉 is

\[
(\exists v_1)\big(\rho_q(v, v_1) \wedge \rho_r(v_1, v')\big).
\]

The validity checking of a Hoare triple {ϕ} q {ψ} is equivalent to proving that post(q, ϕ) → ψ. Below we list the result of each step of the computation.

ϕ0 : cdr(x) ≠ nil ,
ϕ1 : cdr(x) ≠ nil ∧ t = x ,
ϕ2 : cdr(x) ≠ nil ∧ t = x ∧ y = cdr(t) ,
ϕ3 : cdr(x) ≠ nil ∧ y = cdr(x) ∧ cdr(t) = car(y) ∧ car(t) = car(x) ,
ϕ4 : cdr(x) ≠ nil ∧ cdr(t) = car(cdr(x)) ∧ car(t) = car(x) ∧ car(y) = t ∧ cdr(y) = cdr(cdr(x)) ,

where ϕ4 describes the state after executing statement 4. It is easily seen that ϕ4 → |x| = |y| is valid.

2.5.1 The Theory of Red-Black Trees

In the above example, the integer constraints come from the simple length function. Our method forderiving decision procedures, however, can apply to theories with more than one integer functionon terms. In this section we present a theory of a term algebra with two integer functions to expressthe properties of red-black trees.

Definition 2.12 (Red-black Trees [13]). A red-black tree is a binary tree with the following coloringproperties:

1. Every node is either red or black.

2. Every leaf node is black.

3. The root is black.

4. Every red node has two black children.

5. All paths from the root to leaf nodes contain the same number of black nodes.

Properties (1)-(3) can be modeled in a theory of term algebras as follows:

Definition 2.13 (Colored Trees). The structure of red-black colored trees is

RB = 〈 Trb; red, black,nil, nil, Isred, Isblack, Isnil, IsA 〉 ,

where Trb denotes the domain, nil denotes a leaf, red and black are binary constructors. The correspondinglanguage is denoted by LRB.


We opt not to include selectors in the language for simplicity. As before we use terms and trees,respectively, to refer to syntactic objects and semantic objects. We call terms (trees) of red-type (resp.of black-type) red-terms (-trees) (resp. black-terms (-trees)).

We extend RB with PA to express balancing properties (4)-(5):

Definition 2.14 (Structure of Red-black Trees). The structure of red-black trees is

RBZ = 〈RB; PA; | · |max, | · |min : Trb →N 〉 ,

where | · |max and | · |min are two integer functions defined recursively as

\[
|x|_\star =
\begin{cases}
1 & x = \mathit{nil}, \\
0 & \mathit{Vio}(x), \\
\star(|x_1|_\star, |x_2|_\star) + 1 & \mathit{GB}(x, x_1, x_2), \\
\star(|x_1|_\star, |x_2|_\star) & \mathit{GR}(x, x_1, x_2),
\end{cases}
\]

where ⋆ ∈ {max, min} and GB(x, x1, x2), GR(x, x1, x2) and Vio(x) are

\[
\begin{aligned}
\mathit{Vio}(x) &\stackrel{\mathrm{def}}{=} x \ne \mathit{nil} \wedge \forall x_1 \forall x_2 \big(\neg\mathit{GB}(x, x_1, x_2) \wedge \neg\mathit{GR}(x, x_1, x_2)\big), \\
\mathit{GB}(x, x_1, x_2) &\stackrel{\mathrm{def}}{=} x = \mathit{black}(x_1, x_2) \wedge |x_1|_{max} \ne 0 \wedge |x_2|_{max} \ne 0, \\
\mathit{GR}(x, x_1, x_2) &\stackrel{\mathrm{def}}{=} x = \mathit{red}(x_1, x_2) \wedge |x_1|_{max} \ne 0 \wedge |x_2|_{max} \ne 0 \wedge \neg\mathit{Isred}(x_1) \wedge \neg\mathit{Isred}(x_2).
\end{aligned}
\]

We denote the corresponding language by L^Z_RB.

Vio(x) states that x violates property (4) of red-black trees. GB(x, x1, x2) states x is a black treewith two good subtrees x1 and x2. Similarly for GR(x, x1, x2). |x|max (resp. |x|min) gives the maximal(resp. minimal) number of black nodes that x can have on a maximal path. A maximal path of xthat contains the largest (resp. smallest) number of black nodes is called a maximal black path (resp.minimal black path) of x. We call |x|max the maximal black length of x, |x|min the minimal black length, andthe pair (|x|max, |x|min) the measure of x, denoted by ‖x‖.

In this theory, properties (1) and (2) of Definition 2.12, which state that every node is either black or red, and that a nil node is black, are trivially satisfied by the choice of signature and the integer functions. Therefore x is a red-black tree if x satisfies the following three conditions.

(§1) |x|max = |x|min : any maximal path of x contains the same number of black nodes,
(§2) |x|max > 0 : any red node of x must have two black children,
(§3) Isblack(x) : the root of x is black.

We denote by ϕ−RB(x) the conjunction of (§1) and (§2), and by ϕRB(x) the conjunction of (§1)-(§3). We note that ϕRB(x) defines a subdomain of Trb and the theory of this subdomain can be obtained by relativizing quantifiers to ϕRB(x). Formally, ∀x(ϕRB(x) → Φ(x)) (resp. ∃x(ϕRB(x) ∧ Φ(x))) expresses that Φ is a universal (resp. existential) property of red-black trees.
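To see how the measure of Definition 2.14 encodes the balancing properties, here is an added example, not the dissertation's code: it evaluates |x|max and |x|min on colored-tree terms and checks conditions (§1)-(§3), then cross-validates ϕRB against a direct, path-by-path reading of Definition 2.12 on randomly generated trees. The tuple encoding of terms ('nil' or (color, left, right)), the random generator and all function names are this example's own assumptions.

```python
# Added example (not the dissertation's code): the measure (|x|max, |x|min) of
# Definition 2.14 and the red-black conditions (§1)-(§3) on colored-tree terms
# encoded as 'nil' or (color, left, right); cross-checked against Definition 2.12.
import random

NIL = "nil"


def color(t):
    return NIL if t == NIL else t[0]        # 'red', 'black' or 'nil'


def measure(t):
    """(|t|max, |t|min).  nil is one black node; a red node with a red child, or
    any node over a bad subtree (Vio), gets measure (0, 0), which propagates up."""
    if t == NIL:
        return (1, 1)
    c, t1, t2 = t
    (mx1, mn1), (mx2, mn2) = measure(t1), measure(t2)
    if mx1 == 0 or mx2 == 0:                      # neither GB nor GR can hold
        return (0, 0)
    if c == "black":                              # GB(t, t1, t2)
        return (max(mx1, mx2) + 1, min(mn1, mn2) + 1)
    if color(t1) == "red" or color(t2) == "red":  # red node violating property (4)
        return (0, 0)
    return (max(mx1, mx2), min(mn1, mn2))         # GR(t, t1, t2)


def phi_rb_minus(t):
    """(§1) ∧ (§2): equal black lengths on all paths and no violation of (4)."""
    mx, mn = measure(t)
    return mx == mn and mx > 0


def phi_rb(t):
    """(§1) ∧ (§2) ∧ (§3): t is a red-black tree."""
    return phi_rb_minus(t) and color(t) == "black"


# Cross-check against Definition 2.12, read path by path.
def black_counts(t):
    """Set of black-node counts over all root-to-leaf paths (nil counted as black)."""
    if t == NIL:
        return {1}
    c, t1, t2 = t
    bump = 1 if c == "black" else 0
    return {n + bump for n in black_counts(t1) | black_counts(t2)}


def no_red_red(t):
    if t == NIL:
        return True
    c, t1, t2 = t
    if c == "red" and (color(t1) == "red" or color(t2) == "red"):
        return False
    return no_red_red(t1) and no_red_red(t2)


def definition_2_12(t):
    return color(t) == "black" and no_red_red(t) and len(black_counts(t)) == 1


def random_tree(rng, depth):
    if depth == 0 or rng.random() < 0.3:
        return NIL
    return (rng.choice(["red", "black"]), random_tree(rng, depth - 1), random_tree(rng, depth - 1))


def cross_validate(samples=2000, seed=1):
    """True if phi_rb and the path-based reading of Definition 2.12 agree on all samples."""
    rng = random.Random(seed)
    return all(phi_rb(t) == definition_2_12(t)
               for t in (random_tree(rng, 5) for _ in range(samples)))
```

For instance black(red(nil, nil), nil) has measure (2, 2) and is a red-black tree, black(black(nil, nil), nil) has measure (3, 2) and fails (§1), and black(red(red(nil, nil), nil), nil) has measure (0, 0) because the inner red-red pair is a Vio node whose zero propagates to the root, so (§2) fails.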

We define three counting constraints CNT^rb_n(x1, x2), CNT^r_n(x1, x2) and CNT^b_n(x1, x2) as follows.

$$
\begin{aligned}
CNT^{rb}_n(x_1, x_2) &\text{ iff } \big|\{\, t \in T_{rb} \mid |t|_{\max} = x_1 \wedge |t|_{\min} = x_2 \,\}\big| > n,\\
CNT^{r}_n(x_1, x_2) &\text{ iff } \big|\{\, t \in T_{rb} \mid |t|_{\max} = x_1 \wedge |t|_{\min} = x_2 \wedge Isred(t) \,\}\big| > n,\\
CNT^{b}_n(x_1, x_2) &\text{ iff } \big|\{\, t \in T_{rb} \mid |t|_{\max} = x_1 \wedge |t|_{\min} = x_2 \wedge Isblack(t) \,\}\big| > n.
\end{aligned}
$$

CNT^rb_n(x1, x2) states that there are more than n distinct terms of measure (x1, x2). Similarly for CNT^r_n(x1, x2) and CNT^b_n(x1, x2).

Theorem 2.6 (Counting Constraints in RBZ). CNT^rb_n(x1, x2), CNT^r_n(x1, x2) and CNT^b_n(x1, x2) are expressible by quantifier-free Presburger formulas that can be computed in O(n).

Similar to Definition 2.9 we have the notion of RLCC.

Definition 2.15 (Relativized LCC (RLCC) in RBZ). An L^Z_RB-formula Φ_∆(x) is an LCC for Φ_RB(x) relativized to θ_Z(x) (in short, Φ_∆(x) is an RLCC for Φ_RB(x)/θ_Z(x)), if the following formulas are valid:

$$
(\forall x : T_{rb})\big[\, \Phi_{RB}(x) \wedge \theta_{Z}(x) \to (\exists z : Z)\big(\Phi_\Delta(z) \wedge |x| = z\big)\,\big], \tag{2.21}
$$

$$
(\forall z : Z)\big[\, \Phi_\Delta(z) \to (\exists x : T_{rb})\big(\Phi_{RB}(x) \wedge \theta_{Z}(x) \wedge |x| = z\big)\,\big]. \tag{2.22}
$$

Similar to Definition 2.11 we have the notions of equality completeness and completion. By CLS^r_n(x, x1, . . . , xn) we denote the conjunction of literals expressing that x, x1, . . . , xn are red-terms having the same measure but pairwise distinct. Similar to Algorithms 2.4 and 2.6, we have

Algorithm 2.9 (Computation of RLCC in RBZ). Input: Φ_RB ∧ θ_Z (type and equality complete). Initially set Φ_∆ = θ_Z. For each term t add the following to Φ_∆.

• |t|max = 1 and |t|min = 1, if t ≡ nil;

• |t|max = |s|max and |t|min = |s|min, if t = s is present in Φ_RB;

• |t|max = max(|t1|max, |t2|max) + 1 and |t|min = min(|t1|min, |t2|min) + 1, if t ≡ black(t1, t2);

• |t|max = 0 and |t|min = 0, if t ≡ red(t1, t2) and either Isred(t1) or Isred(t2) is present in Φ_RB;

• |t|max = |t1|max = |t2|max and |t|min = |t1|min = |t2|min, if
  1. t ≡ red(t1, t2),
  2. either Isblack(t1) or Isnil(t1) is present in Φ_RB,
  3. either Isblack(t2) or Isnil(t2) is present in Φ_RB;

• CNT^r_n(|t|max, |t|min), if CLS^r_n(t, t1, . . . , tn) is induced by Φ_RB ∧ θ_Z for some t1, . . . , tn;

• CNT^b_n(|t|max, |t|min), if CLS^b_n(t, t1, . . . , tn) is induced by Φ_RB ∧ θ_Z for some t1, . . . , tn.

Theorem 2.7 (RLCC in RBZ). Φ_∆ obtained by Algorithm 2.9 is an RLCC for Φ_RB/θ_Z and is expressible in a quantifier-free Presburger formula of size linear in the size of Φ_RB ∧ θ_Z.

Finally we have

Theorem 2.8 (Decidability of Th∀(RBZ)). The decision problem for Th∀(RBZ) is NP-complete.

Proof. Similar argument as in Section 2.4.6 with the help of Theorem 2.7.

2.5.2 Algorithm and Example

In this section we consider the insertion operation of red-black trees represented by Algorithm 2.10, a slightly modified version of the algorithm given in [13]. We illustrate the algorithm on the same example as in [13], inserting 4 at the bottom of the tree and showing how the algorithm restores the red-black tree property.

Note that our language does not have an update function to express the relation between the original tree and the updated tree if the update happens at an unbounded depth inside the tree. However, we know that the restoring updates will begin at the newly inserted node and traverse upwards to the root, and that all local updates will happen on this path. We represent the tree as a sequence of subtrees indexed by nodes on the path from the root to the newly inserted node. We treat the path as a doubly linked list (denoted by T in the algorithm) in which each element contains three fields, .color, .dir and .tree. Field .color denotes the type of the node. Field .dir indicates whether the subtree at this node is the left child or the right child. Field .tree denotes the sibling subtree of this node. We have root.dir = ⊥ and root.tree = ⊥. For simplicity, we omit the value field as it has no role in restoring the red-black tree property. We treat root and x as iterators and we use array notation T[x] to denote the element pointed to by x. We use x + 1 and x − 1 to denote the previous iterator and the next iterator of x, respectively. For example, the statement x − 3 + 1 := x − 1 at line 19 means x.pre.pre.pre.next := x.pre.

Algorithm 2.10 (RB-Insertion with Left-Rotation and Right-Rotation Integrated). Input: root, T, x.

 1: while (x ≠ root and T[x−1].color = red) do
 2:   if T[x−1].dir = right then
 3:     if Isred(T[x−1].tree) then                                   (Case 1)
 4:       T[x−1].tree := black(car(T[x−1].tree), cdr(T[x−1].tree))
 5:       T[x−1].color := black
 6:       T[x−2].color := red
 7:       x := x−2
 8:     else
 9:       if (T[x].dir = left) then                                  (Case 2)
10:         swap(T[x].tree, T[x+1].tree)
11:         T[x].dir := right
12:         T[x+1].dir := left
13:       end if
14:       T[x−1].color := black                                      (Case 3)
15:       T[x].tree := red(T[x].tree, T[x−1].tree)
16:       T[x−1].tree := T[x−2].tree
17:       T[x−1].dir := T[x−2].dir
18:       if (x−2 ≠ root) then
19:         x−3+1 := x−1
20:       else
21:         root := x−1
22:       end if
23:     end if
24:   else if (T[x−1].dir = left) then
25:     similar code as the then clause with left and right swapped
26:   end if
27: end while
28: T[root].color := black

Figure 2-4 shows the results of the operations performed to restore the balanced-tree property after inserting 4. Figure 2-5 gives a more detailed picture of the data structures of the nodes on the path from the root to x. Figure 2-4 (b) shows the tree obtained by recoloring. The new violation now corresponds to Case 2 in Algorithm 2.10. Figure 2-4 (c) shows the tree obtained from a left rotation. There is still a violation which corresponds to Case 3 in Algorithm 2.10. Figure 2-4 (d) shows a new red-black tree after a right rotation. Figures 2-5 (b)-(d) show the corresponding changes of the data structure during the run.
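The measure of Section 2.5.1 and Algorithm 2.10 above, as an added worked example in Python (not code from the dissertation): it computes (|x|max, |x|min) recursively from the definitions of Vio, GB and GR, checks ϕ⁻_RB and ϕ_RB on a tree, and runs the path-based fixup of Algorithm 2.10, including the mirrored branch of line 25, on the tree of Figure 2-4 (a). The path elements use the arrow convention of Figure 2-5 (.dir is the side on which the node's sibling lies); the node colours of the input and the key labels, which the page omits, are assumed from the example in [13]; and the handling of Case 2 when x is the freshly inserted leaf, so that no T[x+1] lies on the path, is this example's own addition.

```python
# Added example: the measure (|x|max, |x|min) of Section 2.5.1 and Algorithm 2.10 on the path
# representation. Not the dissertation's code; input colours follow the example of [13] (assumed).
from dataclasses import dataclass

RED, BLACK, LEFT, RIGHT, NIL = "red", "black", "left", "right", "nil"

def is_red(t):
    return t != NIL and t[0] == RED

def measure(t):
    """(|t|max, |t|min); nil has measure (1, 1) and (0, 0) means Vio(t) holds."""
    if t == NIL:
        return (1, 1)
    color, _, l, r = t
    (lmax, lmin), (rmax, rmin) = measure(l), measure(r)
    if lmax == 0 or rmax == 0:                     # a violating child rules out GB and GR
        return (0, 0)
    if color == BLACK:                             # GB: one more black node on every path
        return (max(lmax, rmax) + 1, min(lmin, rmin) + 1)
    if is_red(l) or is_red(r):                     # red node with a red child: Vio
        return (0, 0)
    return (max(lmax, rmax), min(lmin, rmin))      # GR

def phi_rb_minus(t):
    """(§1) and (§2)."""
    mx, mn = measure(t)
    return mx == mn and mx > 0

def phi_rb(t):
    """(§1)-(§3): additionally the root is black (nil counts as black)."""
    return phi_rb_minus(t) and (t == NIL or t[0] == BLACK)

@dataclass
class Elem:
    """Path element with the fields of Algorithm 2.10 plus a key label (not in the page's model)."""
    color: str
    key: int
    dir: object    # side of this node's sibling, the arrow of Figure 2-5; None at the root
    tree: object   # the sibling subtree; None at the root

def rebuild(path, children):
    """Reassemble the whole tree from the path; `children` are the two subtrees under x."""
    sub = (path[-1].color, path[-1].key) + children
    for parent, child in zip(reversed(path[:-1]), reversed(path[1:])):
        sub = (parent.color, parent.key) + ((sub, child.tree) if child.dir == RIGHT else (child.tree, sub))
    return sub

def rb_insert_fixup(path, children):
    """Algorithm 2.10 with both mirror cases; index 0 is root, the last index is x."""
    x, root = len(path) - 1, 0
    while x != root and path[x - 1].color == RED:
        p = path[x - 1]
        uncle_side = p.dir                         # the uncle is the parent's sibling
        if is_red(p.tree):                         # Case 1 (statements 4-7)
            p.tree = (BLACK,) + p.tree[1:]
            p.color = BLACK
            path[x - 2].color = RED
            x -= 2
            continue
        if path[x].dir != uncle_side:              # Case 2 (statements 10-12): rotate at the parent
            if x + 1 < len(path):                  # T[x+1] lies on the path, as in Figure 2-7
                path[x].tree, path[x + 1].tree = path[x + 1].tree, path[x].tree
                path[x + 1].dir = LEFT if uncle_side == RIGHT else RIGHT
            else:                                  # x is the new leaf: its children stand in for T[x+1]
                a, b = children
                path[x].tree, children = (b, (path[x].tree, a)) if uncle_side == RIGHT else (a, (b, path[x].tree))
            path[x].dir = uncle_side
            p.key, path[x].key = path[x].key, p.key   # labels follow the rotation, cf. Figure 2-7 (c-1)
        p.color = BLACK                            # Case 3 (statements 14-21): rotate at the grandparent
        g = path[x - 2]
        path[x].tree = (RED, g.key) + ((path[x].tree, p.tree) if uncle_side == RIGHT else (p.tree, path[x].tree))
        p.tree, p.dir = g.tree, g.dir
        del path[x - 2]                            # statement 19 (x-3+1 := x-1) or 21 (root := x-1)
        x -= 1
    path[root].color = BLACK                       # statement 28
    return path, children

def render(t):
    """key(left,right) notation as used for the tree shapes of Figure 2-4."""
    if t == NIL:
        return NIL
    _, key, l, r = t
    return str(key) if l == NIL and r == NIL else f"{key}({render(l)},{render(r)})"

def run_example():
    """Figure 2-4 (a), 4 just inserted as the left child of 5; returns (tree before, tree after)."""
    path = [Elem(BLACK, 11, None, None),
            Elem(RED, 2, RIGHT, (BLACK, 14, NIL, (RED, 15, NIL, NIL))),
            Elem(BLACK, 7, LEFT, (BLACK, 1, NIL, NIL)),
            Elem(RED, 5, RIGHT, (RED, 8, NIL, NIL)),
            Elem(RED, 4, RIGHT, NIL)]
    children = (NIL, NIL)
    before = rebuild(path, children)
    path, children = rb_insert_fixup(path, children)
    return before, rebuild(path, children)

def run_zigzag_leaf():
    """Constructed input: black root 10, red left child 5 without children, 7 inserted under 5."""
    path = [Elem(BLACK, 10, None, None), Elem(RED, 5, RIGHT, NIL), Elem(RED, 7, LEFT, NIL)]
    return rebuild(*rb_insert_fixup(path, (NIL, NIL)))
```

run_example() rebuilds Figure 2-4 (a) from the path, where the measure is (0, 0) because the red node 5 has the red child 4 (Vio holds), and after the fixup returns the shape 7(2(1,5(4,nil)),11(8,14(nil,15))) of Figure 2-4 (d) with measure (3, 3), so ϕ_RB holds; run_zigzag_leaf() exercises the leaf branch of Case 2 on a constructed three-node input.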

Figure 2-4: A run of RB-Insertion. [Tree diagrams not reproduced; the shapes, written as key(left, right), are: (a) 11(2(1, 7(5(4, nil), 8)), 14(nil, 15)); (b) the same shape as (a), recolored; (c) 11(7(2(1, 5(4, nil)), 8), 14(nil, 15)); (d) 7(2(1, 5(4, nil)), 11(8, 14(nil, 15))).]

2.5.3 Verification Conditions

We now show how to use L^Z_RB to express the verification conditions for statements restoring the red-black tree property in Algorithm 2.10. Recall that in the algorithm x is an iterator and T[x] is a node pointed to by x in a linked list, and it contains three fields, .dir, .color and .tree. At the semantic level, however, we view x as an integer index and T[x] as a subtree indexed by x. If x ≠ root, then T[x].tree denotes the sibling tree of T[x], and T[x−1] represents the immediate super-tree containing T[x]. For example, if T[x].dir is right and T[x−1].color is red, then T[x−1] = red(T[x], T[x].tree). We have three field operators, .dir, .color and .tree. Among them .dir can only take three values, left, right and ⊥, so expressions involving .dir can be removed by disjunctive splitting. Similarly for .color, but it can be directly expressed in L_RB as below.

$$
\begin{aligned}
T[x].color = red &\stackrel{\text{def}}{=} Isred(T[x]),\\
T[x].color = black &\stackrel{\text{def}}{=} x = nil \vee Isblack(T[x]).
\end{aligned}
$$

With the help of .dir, .tree can be expressed in L_RB as follows.

$$
\begin{aligned}
T[x].tree = y \neq \bot &\stackrel{\text{def}}{=} x \neq root \wedge \big((y = car(T[x-1]) \wedge T[x].dir = right) \vee (y = cdr(T[x-1]) \wedge T[x].dir = left)\big),\\
T[x].tree = \bot &\stackrel{\text{def}}{=} x = root.
\end{aligned}
$$

Therefore from now on we treat field access expressions as abbreviations in L_RB. Note that we use array and record notations for clarity. At the formula level terms of index access or field access are simply variables. For example, T[x], T[x].tree, T[x].color and T[x].dir can be represented by variables f_x, g_x, h_x and k_x indexed by x, respectively. Similarly for terms indexed by x − i and x + i.

Figure 2-5: Paths from the root of the tree to x. In each of (a)-(d), the first row shows the sequence of nodes from the root to x; the second row shows whether the node above it is a left (←) or right (→) sibling; the third row shows the sibling tree of the node in the top row. [Diagram rebuilt as a table:]

(a)  node:     11   2                    7   5   4
     dir:      ⊥    →                    ←   →   →
     sibling:  ⊥    14(nil, 15)          1   8   nil

(b)  node:     11   2                    7   5   4
     dir:      ⊥    →                    ←   →   →
     sibling:  ⊥    14(nil, 15)          1   8   nil

(c)  node:     11   7                    2   5   4
     dir:      ⊥    →                    →   ←   →
     sibling:  ⊥    14(nil, 15)          8   1   nil

(d)  node:     7    2                    5   4
     dir:      ⊥    →                    ←   →
     sibling:  ⊥    11(8, 14(nil, 15))   1   nil

The lack of update functions makes it impossible to express the tree operational semantics precisely in a finite formula. For example, when T[x] is changed, not only should T′[x] appear in ρ_q(v, v′), but also all ancestors of T[x]. In fact ρ_q(v, v′) has an unbounded number of conjuncts of the form car(T′[x − i]) = T′[x − i + 1] or cdr(T′[x − i]) = T′[x − i + 1]. We can still, however, prove safety properties about tree operations with the help of an informal induction. As an example, we show that ϕ⁻_RB(T[x]), introduced in Section 2.5.1, is an invariant with respect to each code fragment (corresponding to Case 1, 2 or 3 in Algorithm 2.10). This can be obtained by establishing the Hoare triple {ϕ} Q {ψ} where ϕ is the pre-condition

$$
x \neq root \wedge x - 1 \neq root \to \big(\varphi^-_{RB}(T[x]) \wedge \varphi^-_{RB}(T[x].tree) \wedge \neg\varphi^-_{RB}(T[x-1]) \wedge \varphi^-_{RB}(T[x-1].tree)\big),
$$

ψ is the post-condition ϕ⁻_RB(T[x]), and Q is a code fragment corresponding to Case 1, 2 or 3. Here we need an invariant ∀x(x ≠ root → ϕ⁻_RB(T[x].tree)). This invariant cannot be formally proved in our theory because of the universal quantification on indexes. But it is easy to verify that the parametric Hoare triples

$$
\{\, x \neq root \to \varphi^-_{RB}(T[x \pm i].tree) \,\}\ q\ \{\, x \neq root \to \varphi^-_{RB}(T[x \pm i].tree) \,\}
$$

can be established for each statement q not modifying index x (see below for the transition relations of those statements). In the following we list local transition relations of all statements involving tree update and use guard conditions to simplify those transition relations.

Case 1 is implemented by statements 4-7. The guard conditions are x ≠ root ∧ Isred(T[x − 1]) (line 1), T[x − 1].dir = right (line 2) and Isred(T[x − 1].tree) (line 3). Under these conditions the transition relations for statements 4-7 are, respectively,

$$
\begin{aligned}
&T'[x-1].tree = cdr(T'[x-2]) = black(car(T[x-1].tree), cdr(T[x-1].tree)), &\text{(S-4)}\\
&car(T'[x-2]) = T'[x-1] = black(car(T[x-1]), cdr(T[x-1])), &\text{(S-5)}\\
&T'[x-2] = red(car(T[x-2]), cdr(T[x-2])), &\text{(S-6)}\\
&x' = x - 2. &\text{(S-7)}
\end{aligned}
$$

The composite transition relation for statements 4-7 is

$$
\begin{aligned}
&T'[x-1].tree = black(car(T[x-1].tree), cdr(T[x-1].tree))\\
\wedge\ &T'[x-1] = black(car(T[x-1]), cdr(T[x-1]))\\
\wedge\ &T'[x-2] = red(T'[x-1], T'[x-1].tree)\\
\wedge\ &x' = x - 2.
\end{aligned}
$$

Figure 2-6: A detailed run of RB-Insertion step (b). [Diagrams not reproduced; in each of (b-0)-(b-3) the shape is 11(2(1, 7(5(4, nil), 8)), 14(nil, 15)) with 7 at index x − 2, 5 at x − 1 and 4 at x; the four trees differ only in colors.]

Recall that T[x], T[x].tree, T[x].color and T[x].dir are just more informative aliases of indexed variables f_x, g_x, h_x and k_x, respectively. Similarly for terms indexed by x−1 and x−2. The next-state variable for T[x] should be T′[x′], but by default we write T′[x] when x′ = x. When we do transition relation composition, statement 7 requires us to hard code the integer indexing properties in the formula by adding equalities like T′[x − 1] = T′[x′ + 1], T′[x − 2].tree = T′[x′].tree and so on. To save space, however, we omit them in the above example.

Figure 2-6 illustrates Case 1 by a run on tree (a) in Figure 2-4 (copied as (b-0)). Trees (b-1), (b-2) and (b-3) are the outcomes of statements 4, 5 and 6, respectively.

The code fragment for Case 2 consists of statements 10-12. We take into account the conditions T[x − 1].color = red (line 1), T[x − 1].dir = right (line 2) and T[x].dir = left (line 9). Under these conditions the transition relations for statements 10-12 are, respectively,

$$
\begin{aligned}
&cdr(T'[x-1]) = T'[x] \wedge (T'[x+1].tree = cdr(T'[x]) = T[x].tree)\\
&\quad \wedge\ (T'[x].tree = car(T'[x-1]) = T[x+1].tree), &\text{(S-10)}\\
&T'[x].dir = right \wedge T'[x-1] = red(cdr(T[x-1]), car(T[x-1])), &\text{(S-11)}\\
&T'[x+1].dir = left \wedge car(T'[x-1]) = T'[x] \wedge T'[x] = red(cdr(T[x]), car(T[x])). &\text{(S-12)}
\end{aligned}
$$

The composite transition relation for statements 10-12 is

$$
\begin{aligned}
&T'[x+1].tree = T[x].tree \wedge T'[x].tree = T[x+1].tree\\
\wedge\ &T'[x].dir = right \wedge T'[x-1] = red(T'[x], T[x+1].tree)\\
\wedge\ &T'[x+1].dir = left \wedge T'[x] = red(T[x].tree, car(T[x])).
\end{aligned}
$$

Figure 2-7: A detailed run of RB-Insertion step (c). [Diagrams not reproduced; shapes: (c-0) 11(2(1, 7(5(4, nil), 8)), 14(nil, 15)) with 2 at x − 1 and 7 at x; (c-1) 11(7(8, 2(5(4, nil), 1)), 14(nil, 15)); (c-2) 11(7(2(5(4, nil), 1), 8), 14(nil, 15)); (c-3) 11(7(2(1, 5(4, nil)), 8), 14(nil, 15)), with 7 at x − 1 and 2 at x in (c-1)-(c-3).]

Figure 2-7 illustrates Case 2 by a run on tree (b) in Figure 2-4 (copied as (c-0)). Trees (c-1), (c-2) and (c-3) are the outcomes of statements 10, 11 and 12, respectively. Recall that we ignored value labels at internal nodes as they are irrelevant to the red-black tree properties. But the binary search tree property may be violated without adjusting the value labels. So for the sake of illustration we switched the positions of 2 and 7 in Figure 2-7 (c-1) although statement 10 does not have this effect.

Figure 2-8: A detailed run of RB-Insertion step (d) with x − 2 = root. [Diagrams not reproduced; shapes, with 7 at x − 1 and 2 at x: (d-0), (d-1) 11(7(2(1, 5(4, nil)), 8), 14(nil, 15)); (d-2) 11(7(2(1, 5(4, nil)), 11(8, 14(nil, 15))), 14(nil, 15)); (d-3), (d-4) 11(7(2(1, 5(4, nil)), 11(8, 14(nil, 15))), nil); (d-5) 7(2(1, 5(4, nil)), 11(8, 14(nil, 15))).]

Case 3 consists of statements 14-21. We take into account the conditions T[x − 1].color = red (line 1), T[x − 1].dir = right (line 2) and T[x].dir = right (line 11). Under these conditions the transition relations for statements 14-21 are, respectively,

$$
\begin{aligned}
&car(T'[x-2]) = T'[x-1] = black(car(T[x-1]), cdr(T[x-1])), &\text{(S-14)}\\
&cdr(T'[x-1]) = T'[x].tree = red(T[x].tree, T[x-1].tree), &\text{(S-15)}\\
&T'[x-1].tree = T[x-2].tree \wedge (x-2 \neq root \to cdr(T'[x-2]) = T[x-2].tree), &\text{(S-16)}\\
&T'[x-1].dir = T[x-2].dir \wedge \big(x-2 \neq root \wedge T[x-1].dir \neq T[x-2].dir \to T'[x-2] = black(cdr(T[x-2]), car(T[x-2]))\big), &\text{(S-17)}\\
&x'-2 = x-3 \wedge \big((cdr(T'[x-3]) = T[x-1] \wedge T[x-2].dir = left) \vee (car(T'[x-3]) = T[x-1] \wedge T[x-2].dir = right)\big), &\text{(S-19)}\\
&x'-1 = root. &\text{(S-21)}
\end{aligned}
$$

Assuming x − 2 = root, the composite transition relation for statements 14-21 is

$$
\begin{aligned}
&car(T'[x-2]) = T'[x-1] = black(car(T[x-1]), T'[x].tree)\\
\wedge\ &T'[x].tree = red(T[x].tree, T[x-1].tree)\\
\wedge\ &T'[x-1].tree = T[x-2].tree \wedge T'[x-1].dir = T[x-2].dir\\
\wedge\ &x'-1 = root.
\end{aligned}
$$

Assuming x − 2 ≠ root, the composite transition relation for statements 14-21 is

$$
\begin{aligned}
&car(T'[x-2]) = T'[x-1] = black(car(T[x-1]), T'[x].tree)\\
\wedge\ &T'[x].tree = red(T[x].tree, T[x-1].tree)\\
\wedge\ &T'[x-1].tree = T[x-2].tree \wedge cdr(T'[x-2]) = T[x-2].tree\\
\wedge\ &T'[x-1].dir = T[x-2].dir \wedge \big(T[x-1].dir \neq T[x-2].dir \to T'[x-2] = black(cdr(T[x-2]), car(T[x-2]))\big)\\
\wedge\ &x'-2 = x-3 \wedge \big((cdr(T'[x-3]) = T[x-1] \wedge T[x-2].dir = left) \vee (car(T'[x-3]) = T[x-1] \wedge T[x-2].dir = right)\big).
\end{aligned}
$$

Figure 2-8 illustrates Case 3 by a run on tree (c) in Figure 2-4 (copied as (d-0)). Trees (d-1)-(d-5) are the outcomes of statements 14-17 and 21, respectively, under the assumption that x − 2 = root. Here (d-3) and (d-4) are the same because T[x − 1].dir = T[x − 2].dir and hence statement 17 has no effect. Figures 2-9 and 2-10 illustrate Case 3 under the assumption x − 2 ≠ root ∧ T[x − 2].dir = right. Trees (d'-1)-(d'-5) correspond to the outcomes of statements 14-17 and 19, respectively. As before, (d'-3) and (d'-4) are the same because T[x−1].dir = T[x−2].dir. Figures 2-11 and 2-12 illustrate Case 3 under the assumption x − 2 ≠ root ∧ T[x − 2].dir = left. Trees (d''-1)-(d''-5) correspond to the outcomes of statements 14-17 and 19, respectively. As before we keep the binary search tree property by adjusting value labels 11, 16 and −16.

Figure 2-9: A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = right. [Diagrams not reproduced; shapes, with 11 at x − 2, 7 at x − 1 and 2 at x: (d'-0), (d'-1) 16(11(7(2(1, 5(4, nil)), 8), 14(nil, 15)), 18(19, 20)); (d'-2) 16(11(7(2(1, 5(4, nil)), 11(8, 14(nil, 15))), 14(nil, 15)), 18(19, 20)).]

Figure 2-10: A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = right (continued). [Shapes: (d'-3), (d'-4) 16(11(7(2(1, 5(4, nil)), 11(8, 14(nil, 15))), 18(19, 20)), 18(19, 20)); (d'-5) 16(7(2(1, 5(4, nil)), 11(8, 14(nil, 15))), 18(19, 20)).]

Figure 2-11: A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = left. [Diagrams not reproduced; shapes, with 11 at x − 2, 7 at x − 1 and 2 at x: (d''-0), (d''-1) −16(−18(−20, −19), 11(7(2(1, 5(4, nil)), 8), 14(nil, 15))); (d''-2) −16(−18(−20, −19), 11(7(2(1, 5(4, nil)), 11(8, 14(nil, 15))), 14(nil, 15))).]

Figure 2-12: A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = left (continued). [Shapes: (d''-3) −16(−18(−20, −19), 11(7(2(1, 5(4, nil)), 11(8, 14(nil, 15))), −18(−20, −19))); (d''-4) −16(−18(−20, −19), 11(−18(−20, −19), 7(2(1, 5(4, nil)), 11(8, 14(nil, 15))))); (d''-5) −16(−18(−20, −19), 7(2(1, 5(4, nil)), 11(8, 14(nil, 15)))).]

2.6 A New Quantifier Elimination Procedure for Th(TA)

In this section we present a new quantifier elimination algorithm for Th(TA), the first-order theory of term algebras, and show that the algorithm only needs exponential time to eliminate a block of quantifiers of the same kind. The algorithm works mainly in the constructor language while using selectors as auxiliary tools. It is the basis for the elimination procedure for the extended theory presented in the next section. In this section we assume a finite constant domain. We drop the subscript T in this section.

Primitive Form. Recall that eliminating arbitrary quantifiers reduces to eliminating existential quantifiers from formulas of the form

$$
(\exists x)\big[\, A_1(x, y) \wedge \cdots \wedge A_n(x, y) \,\big], \tag{1.1}
$$

where A_i(x, y) (0 < i ≤ n) are literals [19]. Taking into account the specific properties of term algebras, we can assume that the literals A_i are not of the form x = t when x does not appear inside selectors. For ∃x(x = t ∧ Φ(x, y)) simplifies to Φ(t, y) if x does not occur in t, to ∃xΦ(x, y) if t ≡ x, and to false by Axiom (A1) if t is a term properly containing x. In all algorithms we assume these simplifications are performed at the end of each step to automatically restore the primitive form.

Nondeterminism. Recall that all transformations in quantifier elimination are done on formulas of the form (1.1). Again as in the presentation for quantifier-free theories, whenever we say “guess φ”, we mean to add a valid (with respect to the context) disjunction ∨_i φ_i (where φ is one of the disjuncts) to the matrix of (1.1). When we replace φ by ∨_i φ_i or directly introduce ∨_i φ_i, it should be understood that an implicit disjunctive splitting is carried out and we work on each resultant disjunct of the form (1.1) “simultaneously”.

Simplification. For simplicity, in the description of algorithms, we omit tester literals unless they are needed for the correctness proof. We may also assume that the matrix of (1.1) is type complete and basic simplifications are carried out whenever applicable: for a nonempty selector sequence L, we replace Lx ≠ x by true and Lx = x by false; if t(x) is a term properly containing x and x does not appear in selector terms, we replace t(x) ≠ x by true and t(x) = x by false.

Notation. In the algorithm we use the following notation: x denotes the set of existentially quantified variables; y denotes the set of parameters (implicitly universally quantified variables); s, t, u denote TA-terms; L, F, G, H denote (possibly empty) selector sequences; f, g, h, p, q denote index functions with ranges clear from the context; i, j, k, l denote indexes; numerical superscripts are parenthesized. Index functions are used to differentiate multiple occurrences of the same variables.

In each step of the transformations the algorithm manipulates the formula (∃x)Φ(x, y) to produce a version of the same form (or multiple versions of the same form in case disjunctions are introduced), and thus in each step (∃x)Φ(x, y) refers to the updated version rather than to the original input formula.

Outline. The elimination is performed as follows. A sequence of equivalence-preserving transformations will bring the input formula into a disjunction of formulas in solved form which have solutions under any instantiation of parameters. Therefore, the whole block of existential quantifiers ∃x can be eliminated by removing all literals containing x in the matrix.

Definition 2.16 (Solved Form in TA). We say Φ(x, y) is solved in x, if x do not appear in equalities, are not asserted to be constants and are not inside selector terms. We say (∃x)Φ(x, y) is in solved form if Φ(x, y) is solved in x.

A solved form can be obtained by the following normalization procedure. The normalization can be viewed as an explicit syntactical procedure comparable with the DAG construction and computation of the bidirectional closure.

Algorithm 2.11 (Normalization in TA). Input: (∃x)Φ(x, y).

1. Type Completion. Guess a type completion of Φ(x, y) and simplify every selector term to a proper one.

2. Selector Elimination. Replace all selector terms containing x by the corresponding equivalent constructor terms according to Axiom (A6).

3. Decomposition. Call Algorithm 2.12 to decompose equalities and disequalities between constructor terms and equalities containing x.

4. Constant Elimination. If some x ∈ x is asserted to be a constant (i.e., Is_A(x) appears), we instantiate x to each constant to eliminate ∃x since A is finite.

After step (1) of Algorithm 2.11 terms can have three forms:

$$
\text{(i) } Lx, \qquad \text{(ii) } Ly, \qquad \text{(iii) } \alpha(t_1(x, y), \ldots, t_{ar(\alpha)}(x, y)),
$$

where L may be empty. Terms of the form (iii) are constructor terms built recursively from terms in (i)-(ii) using non-nullary constructors with t_i(x, y) of the form (i), (ii) or (iii). These three forms give rise to the following six types of equality literals:

$$
\begin{aligned}
Lx &= L'x', &\text{(2.23)}\\
Lx &= L'y, &\text{(2.24)}\\
Lx &= \alpha(t_1(x, y), \ldots, t_{ar(\alpha)}(x, y)), &\text{(2.25)}\\
Ly &= L'y', &\text{(2.26)}\\
Ly &= \alpha(t_1(x, y), \ldots, t_{ar(\alpha)}(x, y)), &\text{(2.27)}\\
\alpha(t_1(x, y), \ldots, t_{ar(\alpha)}(x, y)) &= \alpha(t'_1(x, y), \ldots, t'_{ar(\alpha)}(x, y)). &\text{(2.28)}
\end{aligned}
$$

Similarly, we have six types of disequalities, the negations of (2.23)-(2.28). Step (2) transforms equalities of the forms (2.23)-(2.25), and similarly for disequalities of the same form. Thus after application of this step, we can assume that x does not appear inside selector terms, that is, equality literals have the forms

$$
\begin{aligned}
Ly &= L'y', &\text{(2.29)}\\
Ly &= \alpha(t_1(x, y), \ldots, t_{ar(\alpha)}(x, y)), &\text{(2.30)}\\
\alpha(t_1(x, y), \ldots, t_{ar(\alpha)}(x, y)) &= \alpha(t'_1(x, y), \ldots, t'_{ar(\alpha)}(x, y)), &\text{(2.31)}
\end{aligned}
$$

and disequality literals are in the forms of the negations of (2.29)-(2.31) and in the forms of

$$
x \neq x', \qquad x \neq Ly, \qquad x \neq \alpha(t_1(x, y), \ldots, t_{ar(\alpha)}(x, y)).
$$

Step (2) may generate literals like x = t(x, y). The reinstatement of the primitive form, however, does not put any of x inside selector terms. Step (2) may also linearly increase the size of the matrix. In general, elimination of selectors adds more existential quantifiers of sort term. The newly added quantifiers, however, will be removed in one step together with the original ones. The following example illustrates step (2).

Example 2.16 (Elimination of Selectors). Step (2), selector elimination, first converts the formula

$$
(\exists x)\big[\, car(x) = y_2 \wedge cdr(x) \neq y_2 \wedge x \neq y_3 \,\big] \tag{2.32}
$$

into

$$
(\exists x_1 \exists x_2)\big[\, x_1 = y_2 \wedge x_2 \neq y_2 \wedge cons(x_1, x_2) \neq y_3 \,\big], \tag{2.33}
$$

which, by substitution of x1 for y2, simplifies to

$$
(\exists x_2)\big[\, x_2 \neq y_2 \wedge cons(y_2, x_2) \neq y_3 \,\big]. \tag{2.34}
$$

Step (3) converts equalities and disequalities of form (2.31) and equalities of form (2.30). After step (3) the matrix, if it did not simplify to false, contains only literals of the form

$$
x \neq t(x, y), \qquad Ly \neq t(x, y), \qquad Ly = L'y', \tag{2.35}
$$

where t is: (i) existentially quantified variables x, (ii) implicitly universally quantified parameters y, (iii) selector terms of parameters in the form Ly (y ∈ y), (iv) constants in A, or (v) constructor terms built recursively from terms in (i)-(iv) using non-nullary constructors.

Algorithm 2.12 (Decomposition of Constructor Terms). Input: (∃x)Φ(x, y).

1. Decomposition of Equalities between Constructor Terms. Replace

$$
\alpha(t_1, \ldots, t_{ar(\alpha)}) = \alpha(t'_1, \ldots, t'_{ar(\alpha)}) \tag{2.36}
$$

by $\bigwedge_{1 \le i \le ar(\alpha)} t_i = t'_i$. Repeat until no equality of the form (2.36) appears.

2. Decomposition of Disequalities between Constructor Terms. Replace

$$
\alpha(t_1, \ldots, t_{ar(\alpha)}) \neq \alpha(t'_1, \ldots, t'_{ar(\alpha)}) \tag{2.37}
$$

by $\bigvee_{1 \le i \le ar(\alpha)} t_i \neq t'_i$. Repeat until no disequality of the form (2.37) appears.

3. Decomposition of Equalities Containing x. Solve equalities of the form Ly = t(x, y), where t(x, y) is a constructor term containing x, in terms of Ly such that the result is a set of equalities in the selector language.

In step (1) of Algorithm 2.12, recall that literals like x = t(x, y) can always be eliminated together with (∃x) and hence after this step, we can assume no such literals appear in the matrix.

After step (2) we can assume that literals have one of the following forms:

$$
\begin{aligned}
Ly &= L'y', &\text{(2.38)}\\
Ly &\neq L'y', &\text{(2.39)}\\
x &\neq t(x, y), &\text{(2.40)}\\
Ly &\neq \alpha(t_1, \ldots, t_{ar(\alpha)}), &\text{(2.41)}\\
Ly &= \alpha(t_1, \ldots, t_{ar(\alpha)}). &\text{(2.42)}
\end{aligned}
$$

Step (3) solves equalities of form (2.42), and thus we are left only with literals of forms (2.38)-(2.41). Notice that these are the same as those in (2.35), where Ly ≠ t(x, y) represents both (2.39) and (2.41).

The following example illustrates how equalities are solved.

Example 2.17 (Solving Equalities). The literal cdr(y) = cons(cons(x1, y1), y2) is converted to the solution set

$$
x_1 = car(car(cdr(y))), \qquad y_1 = cdr(car(cdr(y))), \qquad y_2 = cdr(cdr(y)).
$$

Given an input formula (∃x)Φ(x, y), the normalization procedure in Algorithm 2.11 lets us effectively eliminate all quantifiers (∃x) in one step. Indeed, after application of Algorithm 2.11 we can assume, according to (2.35), that (∃x)Φ(x, y) is in the form

$$
(\exists x)\Big[ \bigwedge_i x_{p(i)} \neq t_i(x, y) \wedge \bigwedge_j L_j y_{q(j)} \neq s_j(x, y) \Big] \wedge \bigwedge_k F_k y_{f(k)} \neq u_k(y) \wedge \bigwedge_l G_l y_{g(l)} = H_l y_{h(l)}. \tag{2.43}
$$

Here t_i, s_j are:

(i) existentially quantified variables x,

(ii) implicitly universally quantified parameters y,

(iii) selector terms of parameters in the form Ly (y ∈ y),

(iv) constants in A, or

(v) constructor terms built recursively from terms in (i)-(iv) using constructors,

where we require that s_j contain at least one occurrence of a variable in x (otherwise, the corresponding literal should have been moved out of the scope of (∃x)). The term u_k(y) can be one of (ii)-(v) above, where in (v) recursion is limited to (ii)-(v).

We claim that the first part of (2.43),

$$
(\exists x)\Big[ \bigwedge_i x_{p(i)} \neq t_i(x, y) \wedge \bigwedge_j L_j y_{q(j)} \neq s_j(x, y) \Big], \tag{2.44}
$$

is valid, and hence (2.43) is equivalent to

$$
\bigwedge_k F_k y_{f(k)} \neq u_k(y) \wedge \bigwedge_l G_l y_{g(l)} = H_l y_{h(l)}. \tag{2.45}
$$

Thus the algorithm for elimination of quantifiers can be given as

Algorithm 2.13 (Quantifier Elimination in TA). Input: (∃x)Φ(x, y).

1. Call Algorithm 2.11 to normalize (∃x)Φ(x, y).

2. Remove (∃x) and all literals containing x.

Theorem 2.9 (Soundness of Algorithm 2.13). All transformations in Algorithm 2.13 keep equivalence.

Theorem 2.10 (Complexity of Algorithm 2.13). Algorithm 2.13 removes a block of quantifiers in time 2^{O(n)}.

Example 2.18 (Quantifier Elimination in TA). Let us look at an example in List. Consider a type complete formula

$$
(\exists x)\big[\, cons(car(x), y_1) = y_2 \wedge y_2 \neq x \,\big]. \tag{2.46}
$$

(Because of the assumption of type completeness, we know Iscons(y2) and Iscons(x) must be present in the side condition. We omit type information of y1, because it is irrelevant here.) Step (2) of Algorithm 2.11 removes the selectors on x by converting (2.46) into

$$
(\exists x_1 \exists x_2)\big[\, cons(x_1, y_1) = y_2 \wedge y_2 \neq cons(x_1, x_2) \,\big]. \tag{2.47}
$$

Step (3) of Algorithm 2.11 (Algorithm 2.12) solves the equality cons(x1, y1) = y2, with solution set

$$
x_1 = car(y_2), \qquad y_1 = cdr(y_2),
$$

resulting in

$$
(\exists x_1 \exists x_2)\big[\, car(y_2) = x_1 \wedge cdr(y_2) = y_1 \wedge y_2 \neq cons(x_1, x_2) \,\big], \tag{2.48}
$$

which, by standard substitution and quantifier manipulation, reduces to

$$
(\exists x_2)\big[\, y_2 \neq cons(car(y_2), x_2) \,\big] \wedge cdr(y_2) = y_1. \tag{2.49}
$$

As (∃x2)[ y2 ≠ cons(car(y2), x2) ] is in solved form, it is valid, and hence (2.49) reduces to cdr(y2) = y1, or more formally, to cdr(y2) = y1 ∧ Iscons(y2).
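Algorithm 2.12 and Examples 2.17 and 2.18 above, as an added example in Python (not code from the dissertation): terms of List are encoded as nested tuples (constructor cons, selectors car and cdr, constant nil); step (1) and step (2) decompose equalities and disequalities between constructor terms, and step (3) solves Ly = t(x, y) by reading off a selector path for every variable of t. The encoding, the function names and the TRUE marker are this example's own choices; the tester literals returned by solve are the type-completion side condition that Example 2.18 mentions.

```python
# Added example of Algorithm 2.12 on List terms (constructor cons, selectors car/cdr, constant nil).
# Not the dissertation's code; the term encoding and function names are this example's own choices.

SELECTORS = {"cons": ("car", "cdr")}   # constructor -> its selectors, in argument order
CONSTANTS = {"nil"}
TRUE = "true"                          # stands for a literal that became valid

def head(t):
    """Constructor symbol at the root of t, or None for variables and selector terms."""
    if isinstance(t, tuple) and t[0] in SELECTORS:
        return t[0]
    return t if t in CONSTANTS else None

def show(t):
    """Print a term in the page's notation, e.g. cons(car(y),x1)."""
    if isinstance(t, tuple):
        return t[0] + "(" + ",".join(show(a) for a in t[1:]) + ")"
    return t

def decompose_eq(s, t):
    """Step 1: alpha(s1..sn) = alpha(t1..tn) becomes the conjunction of si = ti (a list);
    None means the equality is false (distinct constructors); [] means it is trivially true."""
    if s == t:
        return []
    hs, ht = head(s), head(t)
    if hs is None or ht is None:
        return [(s, t)]
    if hs != ht:
        return None
    out = []
    for si, ti in (zip(s[1:], t[1:]) if hs in SELECTORS else ()):
        sub = decompose_eq(si, ti)
        if sub is None:
            return None
        out += sub
    return out

def decompose_diseq(s, t):
    """Step 2: alpha(s1..sn) != alpha(t1..tn) becomes the disjunction of si != ti (a list);
    TRUE means the disequality holds outright; [] means it is false."""
    if s == t:
        return []
    hs, ht = head(s), head(t)
    if hs is None or ht is None:
        return [(s, t)]
    if hs != ht:
        return TRUE
    out = []
    for si, ti in (zip(s[1:], t[1:]) if hs in SELECTORS else ()):
        sub = decompose_diseq(si, ti)
        if sub == TRUE:
            return TRUE
        out += sub
    return out

def solve(lhs, t):
    """Step 3: solve Ly = t(x, y), t a constructor term, for the variables of t. Returns the
    selector-language equalities v = L'Ly and the tester literals Is_alpha(L'Ly) they rely on."""
    eqs, testers = [], []
    def walk(term, sels):                  # sels: selector path from the root of t down to term
        pos = lhs
        for s in sels:
            pos = (s, pos)
        if head(term) in SELECTORS:
            testers.append(("Is" + term[0], pos))
            for sel, arg in zip(SELECTORS[term[0]], term[1:]):
                walk(arg, sels + [sel])
        else:
            eqs.append((term, pos))
    walk(t, [])
    return eqs, testers

def example_2_17():
    """cdr(y) = cons(cons(x1, y1), y2), as in Example 2.17."""
    eqs, _ = solve(("cdr", "y"), ("cons", ("cons", "x1", "y1"), "y2"))
    return [f"{show(v)} = {show(sel)}" for v, sel in eqs]

def example_2_18_step3():
    """cons(x1, y1) = y2 from (2.47): the constructor is on the left, so solve for y2."""
    eqs, testers = solve("y2", ("cons", "x1", "y1"))
    return [f"{show(v)} = {show(sel)}" for v, sel in eqs], [f"{tst}({show(a)})" for tst, a in testers]
```

example_2_17() yields the three equalities of Example 2.17 in the order x1, y1, y2; example_2_18_step3() yields x1 = car(y2), y1 = cdr(y2) together with the tester Iscons(y2) that Example 2.18 carries into its final answer.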

2.7 Decision Procedures for Quantified Theories

In this section we present decision procedures for the theory Th(TAZ) of term algebras with integers and parameters. In Section 2.7.1 we first refine the notions and techniques from Section 2.4 for the construction of a quantifier elimination procedure for Th(TAZ), and then, in Section 2.7.2, present the quantifier elimination procedure itself. Throughout Sections 2.7.1 and 2.7.2 we assume a finite language. In Section 2.7.3 we further generalize the result to structures whose constant domain has an internal structure and admits quantifier elimination. In Section 2.7.4 we discuss how the procedure can be adapted for infinite languages.


2.7.1 Term Algebras with Integers and Parameters

In this section we refine the notions and techniques from Section 2.4 for the construction of a quantifier elimination procedure for Th(TAZ), which is given in the next section.

We first refine the notion of equality completion. As we have seen, to get an RLCC (LCC) we need to express in Presburger arithmetic the set of legitimate lengths such that a certain number of distinct terms of any length in the set can co-exist. This can be supported by equality completion. Equality completion, however, in general introduces more literals, especially disequalities, which may again destroy the completion because it may cause generation of new terms in the subsequent operation (see disequality splitting in Algorithm 2.16). To avoid compromising convergence, we introduce the notion of clusters, which is weaker than equality completion but contains sufficient information to allow extracting counting constraints. Intuitively, it suffices to have the equality information only between terms of the same length and of the same type.

Definition 2.17 (Clusters). LetΦ be a conjunction of literals in L ZT

. Term equality literals appearing inΦinduce equivalence classes on TA-terms occurring in Φ. Let [t] denote such an equivalence class containingthe term t. We say that C = [t0], . . . , [tn] is an α-cluster (of Φ) if CLSαn(t′0, . . . , t′n) is induced by Φ, i. e., Φexpresses that t0, . . . , tn are pairwise distinct α-terms of the same length.

The notion of clusters is syntactic modulo =_T and =_Z (equality substitution). For example,
$$t = s \wedge s = u \wedge u \neq v \wedge |t| = |v| \wedge Is_\alpha(t, s, u, v), \quad (2.50)$$
induces the α-cluster {[t], [v]} (where [t] = {t, s, u}, [v] = {v}). Formally speaking, a cluster C_Φ is induced by the closure of Φ under equality substitution. We chose this definition to limit the form of disequalities generated in transformations of Algorithm 2.16.

Below we will drop the subscript Φ if Φ is clear from the context. For clarity, we view a cluster as a set consisting of terms that are chosen representatives of their corresponding equivalence classes. The choice of representatives is arbitrary unless stated otherwise. For example, {[t_0], . . . , [t_n]} will also be written simply as {t_0, . . . , t_n}.

A cluster is maximal if no superset of it is a cluster. A cluster C is closed if C is maximal and it is disjoint with any other maximal clusters. Two clusters C and C′ are called connected if there exist t ∈ C and t′ ∈ C′ (or more formally [t] ∈ C and [t′] ∈ C′) such that either (i) t = t′ occurs in the defining formula (i.e., C and C′ intersect), or (ii) t ≠ t′ occurs in the defining formula while |t| ≠ |t′| does not. Two clusters are called mutually independent if they are not connected. The size of a cluster is the number of equivalence classes it contains. The rank of a cluster C, written rk(C), is |t| for an arbitrarily chosen term t occurring in C. Clusters are partially ordered by their ranks; for two clusters C, C′ we write C < C′ if rk(C) = |t|, rk(C′) = |t′| and |t| < |t′| is logically implied by ϕ.


Example 2.19 (Mutually Independent Clusters). Consider again the formula from Example 2.14,
$$|y| = |cons(x, z)| \wedge |x| = |z| \wedge |y| \neq |x| \wedge Is_{cons}(x, y, z) \wedge \bigwedge_{t, t' \in S;\ t \not\equiv t'} t \neq t', \quad (2.51)$$
where S = {x, y, z, cons(x, z)}. This formula induces two mutually independent cons-clusters,
$$C_1 : \{x, z\}, \qquad C_2 : \{y, cons(x, z)\}$$
with rk(C_1) < rk(C_2).

A conjunction of literals Φ is cluster complete if all maximal clusters of Φ are mutually independent. A conjunction of literals Φ′ is a cluster completion of Φ if Φ ⊆ Φ′ and Φ′ is cluster complete. Φ′ is compatible with Φ if satisfiability of Φ implies satisfiability of Φ′. Like equality completion, we are only interested in compatible cluster completions.

Example 2.20 (Cluster Completeness). The List_Z formula
$$x \neq y \wedge x \neq z \wedge x \neq w \wedge |x| = |y| \wedge |x| = |z| \wedge Is_{cons}(x, y, z, w) \quad (2.52)$$
gives three maximal cons-clusters
$$C_1 : \{x, y\}, \qquad C_2 : \{x, z\}, \qquad C_3 : \{w\}.$$
C_3 is closed, but neither C_1 nor C_2 is. If we conjoin (2.52) with y ≠ z, C_1 and C_2 are merged, making the resulting cluster {x, y, z} maximal. If we conjoin (2.52) with y = z, then C_1 and C_2 become identical. Neither strengthening, however, results in a cluster completion of (2.52), because C_3 is unaffected by either change, and in both cases is still connected to other maximal clusters. The first case can be made cluster complete by conjoining it with |w| ≠ |x| or |w| = |x| ∧ w ≠ y ∧ w ≠ z. Similarly for the second case.

As demonstrated in Example 2.19, equality completeness implies cluster completeness. The converse, however, does not hold: it is not necessary to have complete equality and type information on all terms to induce a set of mutually independent clusters. For example,
$$\bigwedge_{0 < i \le n} \big( |x_i| = |y_i| \wedge x_i \neq y_i \wedge Is_\alpha(x_i, y_i) \big)$$
is not equality complete, but induces n maximal and mutually independent α-clusters, namely {{x_i, y_i} | 1 ≤ i ≤ n}. This in fact is what we want: a constraint weaker than an equality and type completion.
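The cluster notions above (Definition 2.17, connectedness, cluster completeness, and Examples 2.19 and 2.20) can be mechanised on small conjunctions. The following Python program is an added illustration and not code from the dissertation. It treats terms as opaque strings, takes literals as tuples of the five kinds listed in its header comment, builds the equivalence classes on terms and on lengths with union-find, and computes the maximal clusters as the maximal cliques of the "pairwise distinct, same length, same type" relation on classes; the literal encoding, the function names and the way (2.51) and (2.52) are spelled out are my own choices.

```python
# Added illustration of Definition 2.17 (not the dissertation's code).
# Literals of a conjunction are tuples:
#   ("eq", t, s)     t = s          ("neq", t, s)   t != s
#   ("leq", t, s)    |t| = |s|      ("lneq", t, s)  |t| != |s|
#   ("is", alpha, t) Is_alpha(t)
# Terms are plain strings; "cons(x, z)" is just a name, its structure is not interpreted.
from itertools import combinations


class UnionFind:
    """Minimal union-find for the term and length equivalence classes."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def maximal_clusters(lits):
    """Return (clusters, complete): the maximal clusters of the conjunction, each a
    frozenset of representative terms, and whether they are mutually independent."""
    eq, leq = UnionFind(), UnionFind()
    typ, neq, lneq, terms = {}, set(), set(), set()
    for lit in lits:
        if lit[0] == "is":
            typ[lit[2]] = lit[1]
            terms.add(lit[2])
            continue
        kind, t, s = lit
        terms.update((t, s))
        if kind == "eq":
            eq.union(t, s)
            leq.union(t, s)          # t = s entails |t| = |s|
        elif kind == "leq":
            leq.union(t, s)
        elif kind == "neq":
            neq.add((t, s))
        elif kind == "lneq":
            lneq.add((t, s))
    members = {}
    for t in terms:
        members.setdefault(eq.find(t), []).append(t)
    rep = {c: min(ms) for c, ms in members.items()}        # alphabetically first member
    ctype = {c: next((typ[m] for m in ms if m in typ), None) for c, ms in members.items()}

    def distinct(c1, c2):            # some t != s literal between the two classes
        return any({eq.find(t), eq.find(s)} == {c1, c2} for t, s in neq)

    def length_distinct(c1, c2):     # some |t| != |s| literal between their length classes
        l1, l2 = leq.find(rep[c1]), leq.find(rep[c2])
        return any({leq.find(t), leq.find(s)} == {l1, l2} for t, s in lneq)

    def cluster_edge(c1, c2):        # may share a cluster: distinct, same length, same type
        return (distinct(c1, c2) and leq.find(rep[c1]) == leq.find(rep[c2])
                and ctype[c1] is not None and ctype[c1] == ctype[c2])

    typed = [c for c in members if ctype[c] is not None]
    maximal = []                     # maximal cliques, largest candidates first
    for size in range(len(typed), 0, -1):
        for cand in combinations(typed, size):
            if (all(cluster_edge(a, b) for a, b in combinations(cand, 2))
                    and not any(set(cand) <= m for m in maximal)):
                maximal.append(set(cand))

    def connected(c, d):             # conditions (i) and (ii) of the definition
        if c & d:
            return True
        return any(distinct(a, b) and not length_distinct(a, b) for a in c for b in d)

    complete = all(not connected(c, d) for c, d in combinations(maximal, 2))
    return [frozenset(rep[c] for c in m) for m in maximal], complete


def pairwise_distinct(terms):
    return [("neq", t, s) for t, s in combinations(terms, 2)]


# Formula (2.51) of Example 2.19, with S = {x, y, z, cons(x, z)}.
S_2_19 = ["x", "y", "z", "cons(x, z)"]
EX_2_19 = ([("leq", "y", "cons(x, z)"), ("leq", "x", "z"), ("lneq", "y", "x")]
           + [("is", "cons", t) for t in S_2_19] + pairwise_distinct(S_2_19))

# Formula (2.52) of Example 2.20.
EX_2_20 = ([("neq", "x", "y"), ("neq", "x", "z"), ("neq", "x", "w"),
            ("leq", "x", "y"), ("leq", "x", "z")] + [("is", "cons", t) for t in "xyzw"])

if __name__ == "__main__":
    cases = [("(2.51)", EX_2_19), ("(2.52)", EX_2_20),
             ("(2.52) + y != z", EX_2_20 + [("neq", "y", "z")]),
             ("(2.52) + y != z + |w| != |x|", EX_2_20 + [("neq", "y", "z"), ("lneq", "w", "x")])]
    for name, phi in cases:
        cl, ok = maximal_clusters(phi)
        print(name, sorted(sorted(c) for c in cl), "cluster complete" if ok else "not complete")
```

Running it reproduces the text: (2.51) yields {x, z} and {y, cons(x, z)} and is cluster complete; (2.52) yields {x, y}, {x, z}, {w} and is not; adding y ≠ z merges the first two, and only the further |w| ≠ |x| (or the alternative |w| = |x| ∧ w ≠ y ∧ w ≠ z) makes the result cluster complete.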

We also need to refine the notion of RLCC to deal with parameters.


Definition 2.18 (RLCC with Parameters in TA_Z). Consider
$$(\exists x : T)\,\big[\Phi_T(x, y) \wedge \theta_Z(x, y)\big],$$
where y are parameters. Let $\Phi^{(2)}_T(y)$ be the maximum subset of $\Phi_T(x, y)$ not containing x and $\Phi^{(1)}_T(x, y) = \Phi_T(x, y) \setminus \Phi^{(2)}_T(y)$. A formula $\Phi_\Delta(x, y)$ is an RLCC in x for $\Phi_T(x, y)$ relativized to $\theta_Z(x, y)$ (in short, $\Phi_\Delta(x, y)$ is an RLCC for $\Phi_T(x, y)/x/\theta_Z(x, y)$), if the following formulas are valid:
$$(\forall x, y : T)\,\big[\Phi_T(x, y) \wedge \theta_Z(x, y) \to (\exists z : Z)\,\big(\Phi_\Delta(z, y) \wedge |x| = z\big)\big], \quad (2.53)$$
$$(\forall y : T)(\forall z : Z)\,\big[\Phi^{(2)}_T(y) \wedge \Phi_\Delta(z, y) \to (\exists x : T)\,\big(\Phi_T(x, y) \wedge \theta_Z(x, y) \wedge |x| = z\big)\big]. \quad (2.54)$$

From the viewpoint of logical equivalence, we can assume $\Phi^{(2)}_T(y)$ is empty as it can be moved out of the scope of (∃x). But we cannot make such an assumption with respect to the computation of the RLCC, as its existence in general affects cluster completeness. For example,
$$(\exists x : T)\,\big[x \neq y_1 \wedge x \neq y_2 \wedge Is_\alpha(x, y_1, y_2) \wedge |x| = |y_1| \wedge |x| = |y_2|\big]$$
is not cluster complete without equality information between y_1 and y_2. For the construction of an RLCC, we require that Φ_T(x, y) ∧ θ_Z(x, y) be cluster complete and in strongly solved form.

Definition 2.19 (Strongly Solved Form). We say that Φ_T(x, y) ∧ θ_Z(x, y) is strongly solved in x if Φ_T(x, y) is solved in x and all literals of the form Ly ≠ t(x, y), where y ∈ y and t(x, y) is a constructor term (properly) containing x, are redundant. We say that (∃x : T)[Φ_T(x, y) ∧ θ_Z(x, y)] is in strongly solved form if Φ_T(x, y) ∧ θ_Z(x, y) is strongly solved in x.

Example 2.21 (Strongly Solved Form). The formula Φ_list ∧ θ_Z
$$Is_{cons}(y) \wedge y \neq cons(x, z) \wedge \bigwedge_{t, t' \in S;\ t \not\equiv t'} t \neq t' \wedge |y| = |cons(x, z)| \wedge |x| = |z| \wedge |y| \neq |x|, \quad (2.55)$$
with S = {x, y, z, cons(x, z)} is not in strongly solved form. It can be made into strongly solved form, however, by adding car(y) ≠ x or cdr(y) ≠ z to Φ_list, or by changing |cons(x, z)| = |y| to |cons(x, z)| ≠ |y| in θ_Z. Either one will make the literal y ≠ cons(x, z) redundant.

Recall that $CLS^\alpha_n(x_0, x_1, \ldots, x_n)$ states that {x_0, . . . , x_n} is an α-cluster of n + 1 elements. We claim that Algorithm 2.6 computes an RLCC (with parameters y being treated as ordinary variables).

Theorem 2.11 (RLCC with Parameters in TA_Z). If Φ_T(x, y) ∧ θ_Z(x, y) is strongly solved in x and cluster complete, then Φ_∆(x, y) computed by Algorithm 2.6 is an RLCC for Φ_T(x, y)/x/θ_Z(x, y).


2.7.2 A Quantifier Elimination Procedure for Th(TAZ)

In this section we expand Algorithm 2.11 to an elimination procedure for Th(TA_Z), the first-order theory of term algebras with integers. Since $L^Z_T$ has two sorts, namely Z and T, we need to show elimination of integer quantifiers as well as term quantifiers.

Elimination of Quantifiers on Integer Variables

We assume that formulas with quantifiers on integer variables are in the form
$$(\exists z : Z)\,\big[\Phi_T(x) \wedge \Phi_Z(x, y, z)\big], \quad (2.56)$$
where y, z are integer variables and x are term variables. Since Φ_T(x) is in L_T, we can move Φ_T(x) out of the scope of ∃z, obtaining
$$\Phi_T(x) \wedge (\exists z : Z)\,\Phi_Z(x, y, z). \quad (2.57)$$
For this reason, neither Φ_T(x) nor Φ_Z(x, y, z) is required to be quantifier-free. Now we can put (∃z : Z)Φ_Z(x, y, z) into a quantifier-free form using Cooper's method [12, 46]. For the sake of efficiency, however, we can defer the actual elimination on (∃z : Z)[ϕ_Z(x, y, z)] until all term quantifiers have been eliminated. The reason, as we shall see soon, is that the elimination of term quantifiers does not require the integer constraint in (2.58) to be quantifier-free.

Elimination of Quantifiers on Term Variables

We assume that formulas with quantifiers on term variables are in the form
$$(\exists x : T)\,\big[\Phi_T(x, y) \wedge \Phi_Z(x, y, z)\big], \quad (2.58)$$
where x, y are term variables, z are integer variables, and Φ_T(x, y) is quantifier-free. The following algorithm is based on Algorithm 2.11.

Algorithm 2.14 (Normalization with Parameters in TA_Z). Input: (2.58). Apply the following sub-procedures successively.

1. Basic Normalization. Apply Algorithm 2.11 to Φ_T(x, y) and update Φ_Z(x, y, z) accordingly.

2. Cluster Completion. Normalize (2.58) to a cluster completion (Algorithm 2.15).

3. Decomposition of Disequalities. Decompose disequalities of the form Ly ≠ t(x, y) (Algorithm 2.16).


The purpose of steps (1)-(3) is to transform (2.58) into a formula which is in strongly solved form and cluster complete, such that we can use Algorithm 2.6 to construct an RLCC. Having the RLCC allows us to reduce term quantifiers to integer quantifiers. Step (1) gives us a formula of the form (omitting integer literals)
$$(\exists x : T)\,\Big[\bigwedge_i x_{p(i)} \neq t_i(x, y) \wedge \bigwedge_j L_j y_{q(j)} \neq s_j(x, y)\Big]. \quad (2.44)$$

Algorithm 2.15 produces cluster completions of the input by merging mutually dependent maximal clusters.

Algorithm 2.15 (Cluster Completion). Input: (2.44). Apply the following sub-procedures repeatedly until cluster completeness is obtained.

1. Select Clusters. Let
$$C_1 = \{t_1, \ldots, t_n\}, \qquad C_2 = \{s_1, \ldots, s_m\}$$
be two connected maximal clusters with witness either t_i = s_j or t_i ≠ s_j.

2. Merge Clusters.

(a) If t_i = s_j occurs. Guess an equality completion for C_1 ∪ C_2.

(b) If t_i ≠ s_j occurs, but not |t_i| ≠ |s_j|. Split on
$$|t_i| = |s_j| \vee |t_i| \neq |s_j|.$$
For the |t_i| = |s_j| branch, guess an equality completion for C_1 ∪ C_2.

3. Renormalization. Apply Algorithm 2.12 to Φ_T(x, y) and update Φ_Z(x, y, z) accordingly.

The termination of Algorithm 2.15 can be seen as follows. Step (2) may increase the number of literals and hence the number of term occurrences, but it does not increase the number of equivalence classes on TA-terms. Step (3) (Algorithm 2.12) is called afterwards to restore the primitive form. Clearly, steps (1)-(2) of Algorithm 2.12 do not introduce new terms. Step (3) of Algorithm 2.12 solves equalities containing existentially quantified variables x in terms of parameters y. It however will only introduce new terms into existing equivalence classes. In particular, it removes at least one variable in x by substitution. So there can be at most n rounds of the run of step (2), where n is the number of distinct terms in (2.44). It is easily seen that the resulting formula is still in the form of (2.44) (omitting integer literals).

Algorithm 2.16 decomposes disequalities in Φ_T that are of the form Ly ≠ t(x, y) such that |Ly| = |t(x, y)| is implied by Φ_T and t(x, y) is a constructor term (properly) containing x. The decomposition consists of a sequence of disjunctive splittings, where in each step the matrix of (2.58) is updated accordingly. It is assumed that when Algorithm 2.16 is called, the matrix Φ_T ∧ Φ_Z of (2.58) is cluster complete. The algorithm preserves this completeness: all resulting branches are cluster complete.

Algorithm 2.16 (Decomposition of Disequalities Containing x). Input: D, a set of disequalities of the form Ly ≠ t(x, y) such that |Ly| = |t(x, y)|, in the context of (2.58).

Repeat until D is empty.

1. Disequality Removal. Select D′ ⊆ D such that for some Ly
$$D' = \big\{\, Ly \neq \alpha\big(t^{(i)}_1(x, y), \ldots, t^{(i)}_k(x, y)\big) \;\big|\; 0 < i \le m \,\big\}.$$

(a) Disequality Splitting. Remove D′ from D and add to Φ_T(x, y)
$$\bigwedge_{i=1}^{m} \Big( s^\alpha_{p(i)} Ly \neq t^{(i)}_{p(i)}(x, y) \wedge \bigwedge_{1 \le j < p(i)} s^\alpha_j Ly = t^{(i)}_j(x, y) \Big), \quad (2.59)$$
where p is an index function with domain [1, m] and range [1, k].

(b) Disequality Rewriting. Let δ ∈ [1, m], I ⊆ [1, m] be such that
$$p(\delta) = \sup\{\, p(i) \mid 0 < i \le m \,\}, \qquad I = \{\, i \in [1, m] \mid p(i) < p(\delta) \,\}.$$
For any i ∈ I, replace
$$s^\alpha_{p(i)} Ly \neq t^{(i)}_{p(i)}(x, y) \quad\text{by}\quad t^{(\delta)}_{p(i)}(x, y) \neq t^{(i)}_{p(i)}(x, y).$$

2. Cluster Completion. Call Algorithm 2.15 to restore cluster completeness.

In step (1a) we rewrite $Ly \neq \alpha(t^{(i)}_1(x, y), \ldots, t^{(i)}_k(x, y))$ to
$$\bigvee_{0 < j \le k} \Big( s^\alpha_j Ly \neq t^{(i)}_j(x, y) \wedge \bigwedge_{0 < l < j} s^\alpha_l Ly = t^{(i)}_l(x, y) \Big)$$
instead of more directly to
$$\bigvee_{1 \le j \le k} \big( s^\alpha_j Ly \neq t^{(i)}_j(x, y) \big).$$
Introduction of equalities helps limit the number of generated terms by consolidating most of them with existing ones. Thus, among newly generated terms, exactly one (namely $s^\alpha_{p(\delta)} Ly$) is asserted unequal to old terms that may contain x, thanks to the rewriting in step (1a) and an additional requirement on clusters explained below. Each run of step (1a) replaces a set of disequalities
$$\big\{\, Ly \neq \alpha\big(t^{(i)}_1(x, y), \ldots, t^{(i)}_k(x, y)\big) \;\big|\; i \in [1, m] \,\big\}$$
with a new set of disequalities
$$\big\{\, s^\alpha_{p(\delta)} Ly \neq t^{(i)}_{p(\delta)}(x, y) \;\big|\; i \in I \,\big\}.$$
Clearly, $s^\alpha_{p(\delta)} Ly$ must reside in a cluster of lower rank than that of Ly. As rank ordering is well-founded, the size of D will eventually decrease, and hence Algorithm 2.16 terminates. In addition, it can be shown that the total number of newly generated terms is bounded quadratically by the input size. As a result, we can obtain a single-exponential upper bound on the complexity of Algorithm 2.16.

Besides the rewriting in step (1a), we also need to prevent step (2) (Algorithm 2.15) from generating unwanted disequalities. This can be done by requiring, upon calling Algorithm 2.15, that newly generated terms are not made representatives of existing equivalence classes.

Example 2.22 (Removal of Disequalities). To illustrate step (1), assume $\alpha = (s^\alpha_1, s^\alpha_2, s^\alpha_3, s^\alpha_4)$, and
$$D' = \big\{\, y \neq \alpha(u_1, u_2, u_3, u_4),\ y \neq \alpha(v_1, v_2, v_3, v_4),\ y \neq \alpha(w_1, w_2, w_3, w_4),\ y \neq \alpha(t_1, t_2, t_3, t_4) \,\big\}.$$
Let us consider below one of the disjuncts obtained by step (1a), written in matrix style with the conjunction connective omitted:
$$\begin{array}{llll}
s^\alpha_1 y = u_1 & s^\alpha_2 y = u_2 & s^\alpha_3 y \neq u_3 & \\
s^\alpha_1 y = v_1 & s^\alpha_2 y = v_2 & s^\alpha_3 y = v_3 & s^\alpha_4 y \neq v_4 \\
s^\alpha_1 y = w_1 & s^\alpha_2 y \neq w_2 & & \\
s^\alpha_1 y \neq t_1 & & &
\end{array}$$
It follows that δ = 2 and p(δ) = 4. In step (1b) we use v_1, v_2, v_3, respectively, to replace $s^\alpha_1 y, s^\alpha_2 y, s^\alpha_3 y$ that occur in newly generated disequalities, obtaining a new matrix of conjuncts
$$\begin{array}{llll}
s^\alpha_1 y = u_1 & s^\alpha_2 y = u_2 & v_3 \neq u_3 & \\
s^\alpha_1 y = v_1 & s^\alpha_2 y = v_2 & s^\alpha_3 y = v_3 & s^\alpha_4 y \neq v_4 \\
s^\alpha_1 y = w_1 & v_2 \neq w_2 & & \\
v_1 \neq t_1 & & &
\end{array}$$
In this case only $s^\alpha_4 y$ (among the newly generated terms), having a lower rank than y, is involved in a disequality that may need to be split further.
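Steps (1a) and (1b) of Algorithm 2.16 on the data of Example 2.22, as an added Python illustration that is not part of the dissertation. The selector terms $s^\alpha_j y$ are represented by the constructed strings "s1(y)" to "s4(y)" and the arguments by the names u_1, ..., t_4 from the example; `split`, `rewrite`, `decompose`, `all_branches` and `selector_terms_in_disequalities` are my own names. Beyond the single disjunct shown above, `all_branches` enumerates every branch of the splitting, one per index function p.

```python
# Added illustration of Algorithm 2.16, steps (1a)/(1b); not the thesis's code.
from itertools import product


def selector_term(y, j):
    """Constructed spelling of the selector term s^alpha_j y (an assumption of this
    illustration; the thesis writes it s^alpha_j L y)."""
    return f"s{j}({y})"


def split(y, args, p):
    """Step (1a) for one index function p (p[i] in 1..k): row i asserts
    s_{p(i)} y != t^(i)_{p(i)} and s_j y = t^(i)_j for every j < p(i).
    args[i] lists t^(i)_1..t^(i)_k; literals are ("eq"|"neq", lhs, rhs)."""
    rows = []
    for t, pi in zip(args, p):
        row = [("eq", selector_term(y, j), t[j - 1]) for j in range(1, pi)]
        row.append(("neq", selector_term(y, pi), t[pi - 1]))
        rows.append(row)
    return rows


def rewrite(y, args, p, rows):
    """Step (1b): with delta maximising p, every row i with p(i) < p(delta) gets
    s_{p(i)} y replaced by t^(delta)_{p(i)}, which row delta already asserts equal
    to that selector term; only s_{p(delta)} y survives in a disequality."""
    delta = max(range(len(p)), key=lambda i: p[i])
    out = []
    for i, row in enumerate(rows):
        if p[i] < p[delta]:
            _, _, rhs = row[-1]
            row = row[:-1] + [("neq", args[delta][p[i] - 1], rhs)]
        out.append(row)
    return out


def decompose(y, args, p):
    """Steps (1a) then (1b) for the branch selected by p."""
    return rewrite(y, args, p, split(y, args, p))


def all_branches(y, args, k):
    """Every disjunct of the splitting: one branch per index function p in [1,k]^m."""
    for p in product(range(1, k + 1), repeat=len(args)):
        yield list(p), decompose(y, args, list(p))


def selector_terms_in_disequalities(y, rows):
    """Selector terms still on the left of a disequality after (1b), i.e. the
    candidates for further splitting."""
    return {lhs for row in rows for kind, lhs, _ in row
            if kind == "neq" and lhs.startswith("s") and lhs.endswith(f"({y})")}


# Example 2.22: D' = { y != alpha(u1..u4), y != alpha(v1..v4), y != alpha(w1..w4), y != alpha(t1..t4) }
D_PRIME = [["u1", "u2", "u3", "u4"], ["v1", "v2", "v3", "v4"],
           ["w1", "w2", "w3", "w4"], ["t1", "t2", "t3", "t4"]]
P_EXAMPLE = [3, 4, 2, 1]       # the disjunct shown in the example: delta = 2, p(delta) = 4

if __name__ == "__main__":
    rows = decompose("y", D_PRIME, P_EXAMPLE)
    for row in rows:
        print("   ".join(f"{l} {'=' if k == 'eq' else '!='} {r}" for k, l, r in row))
    print("still to split:", selector_terms_in_disequalities("y", rows))
    print("branches in total:", sum(1 for _ in all_branches("y", D_PRIME, 4)))
```

For p = (3, 4, 2, 1) the printed matrix is exactly the second matrix of Example 2.22, and the only selector term left in a disequality is s4(y).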

Proposition 2.4 (Strongly Solved Form). Algorithm 2.14 produces a formula which is in strongly solved form and cluster complete.

After normalization (Algorithm 2.14) and removal of redundant disequalities, the resulting formula is in the form
$$(\exists x : T)\,\big[\Phi^{(1)}_T(x, y) \wedge \Phi^{(2)}_T(y) \wedge \theta_Z(x, y) \wedge \Phi_Z(x, y, z)\big], \quad (2.60)$$
where $\Phi^{(1)}_T(x, y)$ is of the form $\bigwedge_i x_{f(i)} \neq t_i(x, y)$ and $\Phi^{(2)}_T(y)$ does not contain x. θ_Z(x, y) is the integer constraint obtained from runs of Algorithm 2.15 (step (2) of Algorithm 2.14 and step (2) of Algorithm 2.16). The resulting formula is guaranteed to be in strongly solved form and cluster complete, and hence by Theorem 2.11 we can compute an RLCC Φ_∆(x, y) for $(\Phi^{(1)}_T(x, y) \wedge \Phi^{(2)}_T(y))/x/\theta_Z(x, y)$, producing the equivalent
$$(\exists x : T)\,\big[\Phi^{(1)}_T(x, y) \wedge \Phi^{(2)}_T(y) \wedge \Phi_\Delta(x, y) \wedge \Phi_Z(x, y, z)\big], \quad (2.61)$$
which reduces to
$$\Phi^{(2)}_T(y) \wedge (\exists u : Z)\,\big[\Phi_\Delta(u, y) \wedge \Phi_Z(u, y, z)\big], \quad (2.62)$$
because $\Phi^{(1)}_T(x, y)$ has been completely characterized by Φ_∆, and all occurrences of x in Φ_∆ are integer occurrences and hence integer variables.

Thus, the final algorithm for elimination of term quantifiers can be given as follows.

Algorithm 2.17 (Elimination of Term Quantifiers in TA_Z). Input: (2.58).

1. Call Algorithm 2.14 to normalize the input, obtaining (2.60).

2. Call Algorithm 2.6 to get the RLCC Φ_∆(x, y) for Φ_T(x, y)/x/θ_Z(x, y) and add it to the matrix of (2.60), obtaining (2.61).

3. Remove $\Phi^{(1)}_T(x, y)$ from the matrix of (2.61), pull $\Phi^{(2)}_T(y)$ out of (∃x : T) and then reduce (∃x : T) to (∃z : Z), obtaining (2.62).

Theorem 2.12 (Soundness of Algorithm 2.17). All transformations in Algorithm 2.17 keep equivalence.

Theorem 2.13 (Complexity of Algorithm 2.17). Algorithm 2.17 eliminates a block of quantifiers in time $2^{O(n^2 \lg n)}$.


Example 2.23 (Quantifier Elimination in TA_Z). Let us modify Example 2.18 by conjoining the matrix of (2.46) with an integer constraint ϕ_Z(x). (The concrete form of ϕ_Z(x) is irrelevant.) Now we have
$$(\exists x : list)\,\big[cons(car(x), y_1) = y_2 \wedge y_2 \neq x \wedge \varphi_Z(x)\big]. \quad (2.63)$$
Running Algorithm 2.11 on (2.63) and updating integer constraints accordingly, we arrive at
$$cdr(y_2) = y_1 \wedge (\exists x_2 : list)\,\big[y_2 \neq cons(car(y_2), x_2) \wedge \varphi_Z(|car(y_2)| + |x_2| + 1)\big] \quad (2.64)$$
(cf. (2.49)). Below we will follow a single branch produced in the disjunctive splittings.

We run Algorithm 2.15 to obtain a compatible cluster completion of (2.64), producing
$$cdr(y_2) = y_1 \wedge (\exists x_2 : list)\,\big[y_2 \neq cons(car(y_2), x_2) \wedge |y_2| = |car(y_2)| + |x_2| + 1 \wedge \varphi_Z(|car(y_2)| + |x_2| + 1)\big]. \quad (2.65)$$
Here we omitted obvious disequalities implied by the literals listed. The matrix of (2.65) induces three mutually independent clusters:
$$\{x_2\}, \qquad \{car(y_2)\}, \qquad \{y_2, cons(car(y_2), x_2)\}.$$
The formula (2.65), however, is not in strongly solved form as x_2 appears in the disequality y_2 ≠ cons(car(y_2), x_2), and hence we need to run Algorithm 2.16. Choosing cdr(y_2) ≠ x_2 in step (1a), we obtain
$$cdr(y_2) = y_1 \wedge (\exists x_2 : list)\,\big[cdr(y_2) \neq x_2 \wedge |y_2| = |car(y_2)| + |x_2| + 1 \wedge \varphi_Z(|car(y_2)| + |x_2| + 1)\big], \quad (2.66)$$
which induces four clusters:
$$\{car(y_2)\}, \qquad \{x_2\}, \qquad \{cdr(y_2)\}, \qquad \{y_2\}$$
that are not mutually independent, as neither {x_2} nor {cdr(y_2)} is closed. Then step (2) of Algorithm 2.16 (Algorithm 2.15) is called upon to fix the problem of mutual independence. Choosing |cdr(y_2)| = |x_2| we have
$$cdr(y_2) = y_1 \wedge (\exists x_2 : list)\,\big[cdr(y_2) \neq x_2 \wedge |y_2| = |car(y_2)| + |x_2| + 1 \wedge |cdr(y_2)| = |x_2| \wedge \varphi_Z(|car(y_2)| + |x_2| + 1)\big], \quad (2.67)$$
which is in strongly solved form and induces three mutually independent clusters:
$$\{car(y_2)\}, \qquad \{x_2, cdr(y_2)\}, \qquad \{y_2\}.$$


Identifying (2.67) with (2.60), we have
$$\begin{array}{ll}
\Phi_T(x, y) : & \Phi^{(1)}_T(x, y) \wedge \Phi^{(2)}_T(y), \\
\Phi^{(1)}_T(x, y) : & cdr(y_2) \neq x_2, \\
\Phi^{(2)}_T(y) : & cdr(y_2) = y_1, \\
\theta_Z(x, y) : & |y_2| = |car(y_2)| + |x_2| + 1 \wedge |cdr(y_2)| = |x_2|, \\
\Phi_Z(x, y, z) : & \varphi_Z(|car(y_2)| + |x_2| + 1).
\end{array}$$
We can now call Algorithm 2.6 to get the RLCC Φ_∆(x, y) for Φ_T(x, y)/x/θ_Z(x, y), which simplifies to
$$\theta_Z(x, y) \wedge |x_2| > 3 \wedge 2 \nmid |x_2|.$$
By step (2) of Algorithm 2.17, (2.67) is equivalent to
$$cdr(y_2) = y_1 \wedge (\exists x_2 : list)\,\big[cdr(y_2) \neq x_2 \wedge |y_2| = |car(y_2)| + |x_2| + 1 \wedge |cdr(y_2)| = |x_2| \wedge |x_2| > 3 \wedge 2 \nmid |x_2| \wedge \varphi_Z(|car(y_2)| + |x_2| + 1)\big], \quad (2.68)$$
which, by the reduction of term quantifiers to integer quantifiers, transforms to
$$cdr(y_2) = y_1 \wedge (\exists z : Z)\,\big[|y_2| = |car(y_2)| + z + 1 \wedge |cdr(y_2)| = z \wedge z > 3 \wedge 2 \nmid z \wedge \varphi_Z(|car(y_2)| + z + 1)\big]. \quad (2.69)$$
By substituting |cdr(y_2)| for z we can remove (∃z : Z). Using the fact that |y_2| = |car(y_2)| + |cdr(y_2)| + 1, we finally obtain
$$cdr(y_2) = y_1 \wedge |cdr(y_2)| > 3 \wedge 2 \nmid |cdr(y_2)| \wedge \varphi_Z(|car(y_2)| + |cdr(y_2)| + 1). \quad (2.70)$$
It is easy to verify that (2.70) implies (2.63). The reverse direction, however, does not hold because we only showed one branch of the reduction.

2.7.3 Richer Theories on Constant Domain

Similar to Section 2.4.5, we can have quantifier elimination for $TA^+_Z$ provided A_c also admits quantifier elimination. It is easily seen that no change is needed for the elimination of quantifiers on integer variables. For the elimination of term quantifiers, we assume formulas are of the form
$$(\exists x : T)\,\big[\Phi_c(x, y) \wedge \Phi_T(x, y) \wedge \Phi_Z(x, y, z)\big], \quad (2.71)$$
where Φ_c(x, y) is a formula in L_c. Thanks to step (2) in Algorithm 2.11, we can assume that none of x appears inside selectors. Without loss of generality, we also assume x are either all asserted to be non-nullary constructor terms or all asserted to be constants. In the former case, we can assume Φ_c(x, y) is just Φ_c(y) because x do not properly appear inside selectors and hence they have no place in Φ_c. So we can simply move Φ_c(y) out of ∃x, obtaining a quantified formula in the same form as (2.58). In the latter case, we can assume that x do not properly occur inside constructor terms either, because we can decompose constructor terms properly containing x in the same way as in Algorithms 2.12 and 2.16. So literals containing x in Φ_T(x, y) are equalities or disequalities on terms of constant type, and hence we can rewrite Φ_T(x, y) as $\Phi^{(a)}_T(x, y) \wedge \Phi^{(b)}_T(y)$ with $\Phi^{(a)}_T(x, y)$ being a constraint in L_c. We can then assume that $\Phi^{(a)}_T(x, y)$ is a part of Φ_c(x, y). We also simplify Φ_Z(x, y, z) to Φ′_Z(y, z) by instantiating all |x_i| to 1. Now it is clear that (2.71) is equivalent to
$$\Phi^{(b)}_T(y) \wedge \Phi'_Z(y, z) \wedge (\exists x : T)\,\Phi_c(x, y), \quad (2.72)$$
where the quantifiers can be handled by the quantifier elimination procedure for Th(A_c).

2.7.4 Adaptation for Infinite Languages

In this section we describe the adaptations to the aforementioned algorithms needed to deal with theories in a (countably) infinite language. We require the number of distinct arities of the language to be finite, which is not a real restriction for practically interesting theories. We distinguish three types of infinite languages according to the cardinalities of the constant domain and the non-nullary constructor domain:

1. infinitely many constants, finitely many non-nullary constructors;

2. finitely many constants, infinitely many non-nullary constructors;

3. infinitely many constants, infinitely many non-nullary constructors.

A finite language is called type 0. Below we discuss the three aspects of our algorithms that are affected by an infinite signature: type completion, counting constraints, and constant instantiation.

Type Completion

Type completion is affected only by the cardinality of the domain of non-nullary constructors, since for type completion the identity of constants is not important; only the fact that a term is a constant is relevant, which is provided by IsA. Thus, no adaptation is necessary for languages of type 1. For languages of type 2 and 3, note that a given formula ϕ can only contain finitely many non-nullary constructors. For type completion we can collect all non-nullary constructors not occurring in ϕ into one pseudo-constructor type U, thus reducing a type 2 (resp. type 3) language to a type 0 (resp. type 1) language. Below, we show how to define the counting constraints for the new constructor type U.


Counting Constraints

Both an infinite constant domain and an infinite number of non-nullary constructors allow counting constraints to be relaxed. For languages with an infinite constant domain (types 1 and 3), $CNT^\alpha_{\omega,n}(x)$ (resp. $CNT_{\omega,n}(x)$) is equivalent to Tree_α(x) (resp. Tree(x)), as there are infinitely many trees of any legitimate tree length.

For languages with only an infinite number of non-nullary constructors (type 2), the situation is slightly more complicated, because, depending on the arities of those non-nullary constructors, an infinite subset of those non-nullary constructors may or may not be useful in forming terms of a particular length. First consider the simplest case in which the language has an infinite number of non-nullary constructors of arity i only. Then the number of distinct terms of length x is infinite if and only if x − i is a legitimate tree length (and thus x is also a legitimate tree length). If x − i is not a legitimate tree length, the counting constraint reduces to that of a finite language. Thus in this case the counting constraint $CNT_{k,n,i}(x)$, where the additional subscript i denotes the arity with an infinite number of non-nullary constructors, can be defined as
$$CNT_{k,n,i}(x) : Tree(x - i) \vee CNT_{k,n}(x).$$
In general there can be a finite number of arities for which the number of non-nullary constructors is infinite. Let I be the set of these arities. Then the counting constraint $CNT_{k,n,I}(x)$ can be expressed as
$$CNT_{k,n,I}(x) : \bigvee_{i \in I} Tree(x - i) \vee CNT_{k,n}(x),$$
and the counting constraint $CNT^\alpha_{k,n,I}(x)$ can be expressed as
$$CNT^\alpha_{k,n,I}(x) : \bigvee_{i \in I} Tree_\alpha(x - i) \vee CNT^\alpha_{k,n}(x).$$
Note that $CNT_{k,n}(x)$ and $CNT^\alpha_{k,n}(x)$ above are defined with respect to a finite sub-language containing all constants and all non-nullary constructors not having arities in I. It does not matter if the sub-language contains any non-nullary constructors having arities in I, because the presence of those constructors does not affect the truth value of $CNT_{k,n}(x)$ (resp. $CNT^\alpha_{k,n}(x)$) when $\bigvee_{i \in I} Tree(x - i)$ (resp. $\bigvee_{i \in I} Tree_\alpha(x - i)$) is false. Let S denote the signature of such a sub-language. For the pseudo-constructor type U introduced above we have
$$CNT^U_{k,n,I}(x) : \bigvee_{i \in I} Tree(x - i) \vee \bigvee_{\alpha \in S} CNT^\alpha_{k,n}(x),$$
since U must necessarily include all non-nullary constructors of arities in I.


Constant Instantiation

Having an infinite number of constants prohibits the application of the constant elimination (step (4) of Algorithm 2.11). In that step all variables x that are asserted to be constants are nondeterministically instantiated with constants, thereby allowing the elimination of the corresponding ∃x. With an infinite number of constants, direct instantiation obviously is not possible. These variables, however, can still be eliminated as follows. At step (4) of Algorithm 2.11 all existentially quantified variables appear in disequalities only (cf. (2.35)). Let x_c ⊆ x be the set of existentially quantified variables that are asserted to be constants. Then for any given assignment σ of the parameters y and the remaining variables x \ x_c, all disequalities containing variables in x_c can be simultaneously satisfied by assigning them distinct constants occurring neither in $\vec{y}\sigma$ nor in the formula. Therefore all variables in x_c can be removed from the formula (2.44), as desired.

2.8 Conclusion

We presented decision procedures for term algebras augmented with Presburger arithmetic, for quantifier-free theories and quantified theories. Our technique is based on the extraction of exact integer constraints from term constraints, and in the case of quantified theories, combined with the reduction of term quantifiers to integer quantifiers.

In Chapter 3 we extend our results to queues, a type of non-recursive data structure in which an object can be constructed in more than one way [63]. In Chapter 4 we extend our results to prove the decidability of the first-order theory of Knuth-Bendix order.

We also plan to extend this work to reason about the combination of data structures with integers in richer languages such as the theory of term algebras with subterm relation [57].


2.9 Proofs

In the following proofs we need to express legitimate lengths of trees. To support those expressions we use the following proposition, which is a well-known result following from the Euclidean algorithm for computing greatest common divisors.

Proposition 2.5 (Linear Combination). Let d_1, . . . , d_n be positive integers and gcd their greatest common divisor. Then
$$\text{if } \exists x_1, \ldots, x_n \ge 0 \Big( x = \sum_{i=1}^{n} x_i d_i \Big) \text{ then } \gcd \mid x. \quad (2.73)$$
In addition, there exists N_d such that for any x ≥ N_d the reverse also holds, that is,
$$\text{if } \gcd \mid x \text{ then } \exists x_1, \ldots, x_n \ge 0 \Big( x = \sum_{i=1}^{n} x_i d_i \Big). \quad (2.74)$$
For 1 ≤ x < N_d, however, there is no closed formula to decide if x is a non-negative linear combination of d_1, . . . , d_n. Finding the smallest N_d for gcd = 1 is known as the Frobenius Coin Problem, and has been shown to be NP-hard.

Below we present the proofs not included in the main text of this chapter. For ease of reference we restate the propositions and theorems.

Proposition 2.2 (LCC in $TA^\omega_Z$). Φ_∆ obtained by Algorithm 2.4 is expressible in a quantifier-free Presburger formula linear in the size of Φ_T.

Proof. Let n be the size of Φ_T. Then the size of G_T is O(n). For each node in G_T we add (on average) at most four integer constraints. For an equivalence class {t_1, . . . , t_n}, we only need to add n − 1 equalities, namely |t_1| = |t_2| = · · · = |t_n|. So it suffices to show that the integer constraints Tree(|t|) and Tree_α(|t|) can be expressed in quantifier-free Presburger formulas linear in the size of Φ_T.

Let d_1, . . . , d_n be the distinct arities of the non-nullary constructors in the given language. Since n and d_i (1 ≤ i ≤ n) are constant values (in the given language), the predicates Tree(x) and Tree_α(x) are of constant length (with quantifiers). By Cooper's method, there exist equivalent quantifier-free formulas with length at most triple exponential in the length of Tree(x) (or Tree_α(x)) [44]. Of course, these equivalent quantifier-free formulas are still of constant length.

In fact Tree(x) can be expressed directly by a quantifier-free formula. Indeed, Tree(x) states that x − 1 is a non-negative linear combination of d_1, . . . , d_n. By Proposition 2.5 this condition is equivalent to gcd | x − 1 provided x − 1 ≥ N_d, where gcd and N_d are as stated in the proposition. Therefore Tree(x) is equivalent to
$$\bigvee_{s \in S} (x - 1 = s) \ \vee\ \big( x - 1 \ge N_d \wedge \gcd \mid x - 1 \big),$$
where S ⊆ {1, . . . , N_d − 1} can be precomputed for the given language to contain exactly those values 1 ≤ s < N_d such that
$$\exists x_1, \ldots, x_n \ge 0 \Big( s = \sum_{i=1}^{n} x_i d_i \Big).$$
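The quantifier-free form of Tree(x) just derived can be computed for a concrete language and cross-checked against the definition. The Python below is an added example, not code from the dissertation. It derives gcd, N_d and S from the arities; N_d is found by table lookup rather than a closed formula, using the observation that once min(d_i)/gcd consecutive multiples are non-negative combinations every larger one is too, so the largest gap is bounded by the first such run. It then compares the quantifier-free predicate with the direct definition of Tree(x) over a range of lengths. One deliberate deviation from the text: S here includes 0, so that a lone constant (length 1) counts as a tree. The function names are mine.

```python
# Added example for Proposition 2.5 and the quantifier-free Tree(x); not the thesis's code.
from functools import reduce
from math import gcd


def representable(arities, limit):
    """rep[s] is True iff s is a non-negative integer combination of the arities,
    for 0 <= s <= limit (the empty combination gives s = 0)."""
    rep = [False] * (limit + 1)
    rep[0] = True
    for s in range(1, limit + 1):
        rep[s] = any(s >= d and rep[s - d] for d in arities)
    return rep


def threshold_coprime(scaled):
    """Least N such that every s >= N is a combination of `scaled` (gcd must be 1).
    Once a1 = min(scaled) consecutive values are representable, every larger value
    is too (keep adding a1), so the table is grown until such a run appears;
    N is then one above the largest gap below that run."""
    a1 = min(scaled)
    limit = a1
    while True:
        rep = representable(scaled, limit)
        for start in range(limit - a1 + 2):
            if all(rep[start:start + a1]):
                gaps = [s for s in range(start) if not rep[s]]
                return gaps[-1] + 1 if gaps else 0
        limit *= 2


def linear_combination_data(arities):
    """(gcd, N_d, S) as in Proposition 2.5 and the proof of Proposition 2.2:
    every multiple of gcd that is >= N_d is a combination, S holds the
    combinations below N_d (0 included here, my choice, so length 1 is a tree)."""
    g = reduce(gcd, arities)
    n_d = g * threshold_coprime([d // g for d in arities])   # scale to gcd 1 and back
    below = representable(arities, max(n_d - 1, 0))
    S = frozenset(s for s in range(n_d) if below[s])
    return g, n_d, S


def tree_qf(arities):
    """Quantifier-free Tree(x): \/_{s in S} (x - 1 = s) \/ (x - 1 >= N_d /\ gcd | x - 1)."""
    g, n_d, S = linear_combination_data(arities)
    return lambda x: (x - 1) in S or (x - 1 >= n_d and (x - 1) % g == 0)


def tree_by_definition(arities, x):
    """Tree(x) read off its definition: x - 1 is a non-negative combination of the arities."""
    return x >= 1 and representable(arities, x - 1)[x - 1]


def agree(arities, upto=200):
    """Cross-check the quantifier-free form against the definition for x = 1..upto."""
    qf = tree_qf(arities)
    return all(qf(x) == tree_by_definition(arities, x) for x in range(1, upto + 1))


if __name__ == "__main__":
    # constructed sample languages: lists (arity 2 only), arities {2,3}, {4,6}, {6,10,15}
    for arities in ([2], [2, 3], [4, 6], [6, 10, 15]):
        g, n_d, S = linear_combination_data(arities)
        print(f"arities {arities}: gcd {g}, N_d {n_d}, S {sorted(S)}, agrees {agree(arities)}")
```

For lists (a single binary constructor) the computed predicate is "x odd", for arities {2, 3} it is "x = 1 or x ≥ 3", and for arities {6, 10, 15} the threshold N_d is 30, one above the Frobenius number 29 of that set.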

Theorem 2.3 (LCC in $TA^\omega_Z$). Φ_∆ obtained by Algorithm 2.4 is an LCC for Φ_T.

Proof. To show that Φ_∆ computed by Algorithm 2.4 is an LCC for Φ_T, we need to show, by Definition 2.8, the validity of
$$(\forall x : T)\,\big[\Phi_T(x) \to (\exists z : Z)\,\big(\Phi_\Delta(z) \wedge |x| = z\big)\big], \quad (2.8)$$
$$(\forall z : Z)\,\big[\Phi_\Delta(z) \to (\exists x : T)\,\big(\Phi_T(x) \wedge |x| = z\big)\big]. \quad (2.9)$$
Clearly, from the description of Algorithm 2.4, for any variable assignment σ satisfying Φ_T, |σ| satisfies Φ_∆ and thus (2.8) holds.

To demonstrate the validity of (2.9), let σ_∆ be a satisfying assignment of Φ_∆. We have to show that there exists a variable assignment σ_T such that |σ_T| = σ_∆ and σ_T satisfies Φ_T. Let σ be an arbitrary variable assignment such that |σ| = σ_∆. Clearly such an assignment exists; it may not, however, satisfy Φ_T. We show how σ can be transformed into an assignment σ_T that is guaranteed to satisfy Φ_T. Let G_T be the DAG of Φ_T and R be the bidirectional closure induced by Φ_T. Let G′_T be the extension of G_T that represents the variable assignment σ, that is, G′_T is obtained from G_T by replacing each leaf labeled by a variable v by the ground tree representing σ(v). Without loss of generality we assume that all leaf vertexes in G_T are labeled by either constants or variables; this can be achieved by variable abstraction of selector terms, as illustrated in Example 2.24 below.

To obtain σ_T from σ, apply the following two steps:

1. substitute each variable asserted to be a constant in Φ_T by a fresh constant. This is possible, since $TA^\omega_Z$ has infinitely many constants.

2. for each equivalence class {v_1, . . . , v_k} set σ_T(v_k) = · · · = σ_T(v_2) = σ(v_1).

We claim that σ_T is a satisfying assignment for Φ_T. Clearly |σ_T| = |σ| = σ_∆ since the transformation does not affect the lengths of the terms. Moreover, σ_T respects R, that is, for any terms t and s, (t, s) ∈ R implies σ_T(t) = σ_T(s) (or G′_t = G′_s). It remains to show that for any two nonequivalent vertexes s and t in G_T, G′_s ≠ G′_t.

Let s and t be two vertexes such that s ≠ t in Φ_T, but suppose, for a proof by contradiction, that G′_s = G′_t. Let ht(s) denote the height of G′_s and similarly for ht(t). Without loss of generality, assume that among all pairs of vertices t_1, t_2 such that t_1 ≠ t_2 in Φ_T but G′_{t_1} = G′_{t_2}, h = ht(t_1) = ht(t_2) is minimal. If h = 1, then both s and t are variables in distinct equivalence classes, and thus they were assigned distinct constants in step (1), a contradiction. If h > 1, then σ_T(t) = σ_T(s) implies that σ_T(t[1]) = σ_T(s[1]). But ht(t[1]) = ht(s[1]) = h − 1 < h, contradicting the minimality of h.

[Figure 2-13: The DAG of Is_cons(x) ∧ cons(y, z) = cons(cdr(x), z) ∧ car(x) ≠ z. Vertex labels: v_1 : x, v_2 : − − −, v_3 : cons(cdr(x), z), v_4 : cons(y, z), v_5 : car(x), v_6 : cdr(x), v_7 : y, v_8 : z. The drawing itself is not reproduced here.]

Example 2.24 (Assignment in $\mathrm{TA}^{\omega}_{Z}$). To illustrate the variable abstraction and the construction of a satisfying variable assignment, consider the following constraint

$$\mathit{Iscons}(x) \;\wedge\; \mathit{cons}(y, z) = \mathit{cons}(\mathit{cdr}(x), z) \;\wedge\; \mathit{car}(x) \ne z . \qquad (2.75)$$

The DAG of (2.75), shown in Figure 2-13, is almost the same as that of Example 2.5 except that v2 is not included here, and, similar to that example, R (without v2) is

$$\{(v_3, v_4),\ (v_6, v_7)\} .$$

To eliminate the selector terms labeling the leaf nodes v5 and v6, we introduce two new variables, x1 and x2, and let x1 = car(x) and x2 = cdr(x). Now x can be replaced by cons(x1, x2) and thus is not part of the variable assignment.

A satisfying integer assignment for Φ∆ is

σ∆ : |x1| := 1, |x2| := 5, |y| := 5, |z| := 1 .

A corresponding term assignment σ such that |σ| = σ∆ is

σ : x1 := a, x2 := cons(cons(a, a), a), y := cons(a, cons(a, a)), z := a .

The first step of the transformation produces

x1 := a1, x2 := cons(cons(a2, b2), c2), y := cons(a3, cons(b3, c3)), z := a4 .

Since x2 and y are in the same equivalence class, the second step of the transformation produces

σT : x1 := a1, x2 := cons(cons(a2, b2), c2), y := cons(cons(a2, b2), c2), z := a4 .


which satisfies (2.75).
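The two-step transformation of the proof, run on the data of Example 2.24. This is an added illustration and not code from the dissertation: terms are nested Python tuples, the helper names (`fresh_constants`, `merge_classes`, `satisfies_2_75`) are ours, and the check encodes (2.75) after the variable abstraction x = cons(x1, x2), under which Iscons(x) holds trivially, cons(y, z) = cons(cdr(x), z) becomes y = x2, and car(x) ≠ z becomes x1 ≠ z.

```python
"""Added example: the sigma -> sigma_T transformation from the proof of (2.9),
applied to Example 2.24.  Not the dissertation's code; helper names are ours.
A term is a constant (str) or a constructor application ('cons', left, right)."""

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def length(t):
    """|t|: number of vertices of the term tree t."""
    if isinstance(t, str):
        return 1
    return 1 + sum(length(c) for c in t[1:])


def fresh_constants(sigma):
    """Step (1): give every constant occurrence a fresh constant, numbered by the
    variable it belongs to (a1 for x1; a2, b2, c2 for x2; ...).  Lengths are
    unchanged; an infinite constant domain (TA^omega_Z) is assumed."""
    out = {}
    for index, (v, t) in enumerate(sigma.items(), start=1):
        letters = iter(LETTERS)

        def walk(u):
            if isinstance(u, str):
                return f"{next(letters)}{index}"
            return (u[0],) + tuple(walk(c) for c in u[1:])

        out[v] = walk(t)
    return out


def merge_classes(sigma, classes):
    """Step (2): for each equivalence class [v1, ..., vk] of R, copy the value of v1
    to v2, ..., vk, so that sigma_T respects R."""
    out = dict(sigma)
    for cls in classes:
        for v in cls[1:]:
            out[v] = out[cls[0]]
    return out


def build_sigma_T(sigma, classes):
    """The full transformation: fresh constants first, then class merging."""
    return merge_classes(fresh_constants(sigma), classes)


def lengths(sigma):
    """|sigma|: the integer assignment induced by a term assignment."""
    return {v: length(t) for v, t in sigma.items()}


def satisfies_2_75(s):
    """(2.75) after abstracting x = cons(x1, x2): y = x2 (from cons(y, z) = cons(cdr(x), z))
    and x1 != z (from car(x) != z); Iscons(x) holds by construction."""
    return s["y"] == s["x2"] and s["x1"] != s["z"]


# Constructed input: the term assignment sigma of Example 2.24, with |sigma| = sigma_Delta.
SIGMA = {
    "x1": "a",
    "x2": ("cons", ("cons", "a", "a"), "a"),
    "y": ("cons", "a", ("cons", "a", "a")),
    "z": "a",
}
# R = {(v3, v4), (v6, v7)}: after abstraction cdr(x) is x2, so x2 and y are equivalent.
CLASSES = [["x2", "y"]]

SIGMA_T = build_sigma_T(SIGMA, CLASSES)

if __name__ == "__main__":
    print("sigma   satisfies (2.75):", satisfies_2_75(SIGMA))
    print("sigma_T satisfies (2.75):", satisfies_2_75(SIGMA_T))
    print("lengths preserved:", lengths(SIGMA) == lengths(SIGMA_T))
```

The original σ fails (2.75) twice over (y and x2 are structurally different, and x1 = z = a); step (1) separates x1 from z and step (2) identifies y with x2, while every length stays as σ∆ prescribes.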

Theorem 2.4 (Counting Constraints in $\mathrm{TA}_Z$). $\mathrm{CNT}^{\alpha}_{k,n}(x)$ and $\mathrm{CNT}_{k,n}(x)$ are expressible by quantifier-free Presburger formulas that can be computed in time O(n).

Proof. Let the language LT have m non-nullary constructors α1, . . . , αm with arities d1, . . . , dm. Let N(x) denote the number of distinct term trees of length x. Recall that $\mathrm{CNT}_{k,n}(x)$ holds if and only if N(x) > n for a constant domain of size k. Thus it suffices to express N(x) > n as a quantifier-free Presburger formula of size O(n).

It is easily seen that N(0) = 0 and N(1) = k. For x > 1, N(x) can be expressed by the recurrence relation

$$N(x) \;=\; \sum_{i=1}^{m} \;\sum_{\substack{\langle x_1,\dots,x_{d_i}\rangle \\ x_1+\cdots+x_{d_i} = x-1}} \;\prod_{j=1}^{d_i} N(x_j) . \qquad (2.76)$$

The relation can be explained as follows: there are m ways to label the root of a tree; for a root with d children of lengths x1, . . . , xd, respectively, there are $\prod_{j=1}^{d} N(x_j)$ combinations. Using dynamic programming we can compute N(1), N(2), . . . , until we reach the first xmin such that N(xmin) > n.

We first consider the special case that d1 = · · · = dm, where we have for any x1, x2 > 0 the following monotonicity property:

$$\mathit{Tree}(x_1) \wedge \mathit{Tree}(x_2) \wedge x_1 > x_2 \;\to\; N(x_1) > N(x_2) . \qquad (2.77)$$

The reason is that in this case term trees always “grow continuously”, that is, the next larger tree is always obtained by expanding one of the vertexes of the previous tree.

For this special case N(x) > n reduces to Tree(x) ∧ x ≥ xmin. To show that Tree(x) ∧ x ≥ xmin can be computed in O(n) time, let d be the maximum arity. There are O(x^{d−1}) different sequences of positive numbers with sum x − 1, and thus N(x) can be obtained by O(x^d) arithmetic operations. As N(x) grows exponentially in x, xmin is at the scale of O(lg n). Moreover, as all integers in the computation are less than n, any arithmetic operation costs time O(lg n). Therefore the search for such an xmin can be done in O(n) time.

Unfortunately, (2.77) does not hold in general when arities are different. For example, for d1 = 3, d2 = 10 and k = 1, N(10) = 12, while N(11) = 1. The problem is that in this case term trees do not necessarily grow continuously. Indeed, a tree of length 10 must consist of a root with three children, with lengths either 4, 4, and 1, or 7, 1, and 1. A tree of length 11, on the other hand, can only consist of a root with 10 children, each of size 1. Consequently, a tree of length 10 cannot “grow” into a tree of length 11, and therefore N(10) and N(11) are completely unrelated.

However, there exists Nd such that for any x ≥ xmin + Nd,

$$N(x) > n \quad\text{iff}\quad \mathit{Tree}(x) .$$

Let Nd be as in Proposition 2.5 and let gcd be the greatest common divisor of d1, . . . , dm. The “only if” direction is trivial. For the “if” direction, suppose Tree(x) holds, that is, x − 1 can be expressed as a non-negative linear combination of d1, . . . , dm. By Proposition 2.5, (2.73), gcd | x − 1. For the same reason we have gcd | xmin − 1, and since x − xmin = (x − 1) − (xmin − 1), we have gcd | x − xmin. By assumption, x − xmin ≥ Nd, and therefore, by Proposition 2.5, (2.74), x − xmin can be expressed as a non-negative linear combination of d1, . . . , dm, and thus a tree of length xmin can grow into a tree of length x by replacing one of its leaf vertexes with a tree of length x − xmin + 1. Therefore N(x) > n, and thus $\mathrm{CNT}_{k,n}(x)$ can be expressed by

$$\bigvee_{s \in S_n} (x = s) \;\vee\; \bigl( x \ge x_{\min} + N_d \;\wedge\; \mathit{Tree}(x) \bigr),$$

where

$$S_n = \{\, s \mid x_{\min} \le s < x_{\min} + N_d \ \wedge\ N(s) > n \,\} .$$

Since Nd and the size of Sn are constants, $\mathrm{CNT}_{k,n}(x)$ can be computed in O(n) time as desired. The proof for $\mathrm{CNT}^{\alpha}_{k,n}(x)$ is similar.
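Here is the dynamic-programming computation of N(x) from (2.76), the Tree(x) test and the search for xmin, as an added example that is not part of the dissertation. It reproduces the non-monotonic case d1 = 3, d2 = 10, k = 1 (N(10) = 12, N(11) = 1) from the proof and, for a single arity, the reduction of CNT_{k,n}(x) to Tree(x) ∧ x ≥ xmin. Function names are ours; `arities` and `k` stand for d1, . . . , dm and the size of the constant domain.

```python
"""Added example: counting term trees by length as in the proof of Theorem 2.4.
Not the dissertation's code.  `arities` lists d_1, ..., d_m (arities of the
non-nullary constructors) and `k` is the size of the constant domain."""


def count_trees(arities, k, max_len):
    """N[x] for 0 <= x <= max_len, by the recurrence (2.76): N(0) = 0, N(1) = k, and for
    x > 1 the number of ordered d-tuples of subtrees with lengths summing to x - 1,
    summed over the constructors.  The inner loop is a knapsack over the children."""
    N = [0] * (max_len + 1)
    if max_len >= 1:
        N[1] = k
    for x in range(2, max_len + 1):
        total = 0
        for d in arities:
            # ways[s] = number of ordered sequences of the children placed so far whose
            # lengths sum to s; every child has length < x, so N[l] is already known.
            ways = [0] * x
            ways[0] = 1
            for _ in range(d):
                nxt = [0] * x
                for s, w in enumerate(ways):
                    if w:
                        for l in range(1, x - s):
                            nxt[s + l] += w * N[l]
                ways = nxt
            total += ways[x - 1]
        N[x] = total
    return N


def tree(arities, x):
    """Tree(x): a term tree of length x exists, i.e. x - 1 is a non-negative integer
    combination of the arities (a constant alone has length 1)."""
    target = x - 1
    if target < 0:
        return False
    reach = [False] * (target + 1)
    reach[0] = True
    for s in range(1, target + 1):
        reach[s] = any(s >= d and reach[s - d] for d in arities)
    return reach[target]


def x_min(arities, k, n, limit=40):
    """The first length with N(x) > n, found by the dynamic-programming search."""
    N = count_trees(arities, k, limit)
    for x in range(1, limit + 1):
        if N[x] > n:
            return x
    raise ValueError(f"no length up to {limit} has more than {n} trees")


def cnt_single_arity(arities, k, n, x):
    """CNT_{k,n}(x) when all constructors share one arity, where (2.77) applies:
    N(x) > n  iff  Tree(x) and x >= x_min."""
    if len(set(arities)) != 1:
        raise ValueError("reduction to Tree(x) and x >= x_min needs a single arity")
    return tree(arities, x) and x >= x_min(arities, k, n)


def is_monotone(arities, k, max_len):
    """Does (2.77) hold on lengths up to max_len, i.e. is N strictly increasing over
    the lengths x with Tree(x)?"""
    N = count_trees(arities, k, max_len)
    lens = [x for x in range(1, max_len + 1) if tree(arities, x)]
    return all(N[a] < N[b] for a, b in zip(lens, lens[1:]))


if __name__ == "__main__":
    N = count_trees([3, 10], 1, 13)
    print("d = (3, 10), k = 1:", {x: N[x] for x in range(1, 14) if N[x]})
    print("monotone:", is_monotone([3, 10], 1, 13), "| binary, k = 2:", is_monotone([2], 2, 15))
    print("x_min for n = 3, binary trees over one constant:", x_min([2], 1, 3))
```

One caveat on (2.77) as stated: it is strict, and with a single binary constructor over one constant N(1) = N(3) = 1 (the constant a and α(a, a)), so `is_monotone([2], 1, 15)` reports False even though these trees grow continuously; from length 3 on, and for k ≥ 2 from length 1 on, the strict inequality holds.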

Proposition 2.3 (RLCC in $\mathrm{TA}_Z$). Φ∆ obtained by Algorithm 2.6 is expressible in a quantifier-free Presburger formula of size linear in the size of ΦT ∧ θZ.

Proof. By Proposition 2.2, the call to Algorithm 2.4 to obtain Φ∆ takes time O(n), where n is the size of the input ΦT ∧ θZ. Next, for each α-cluster of size m, Algorithm 2.6 adds $\mathrm{CNT}^{\alpha}_{k,m}(x)$ to Φ∆. By Theorem 2.4, $\mathrm{CNT}^{\alpha}_{k,m}(x)$ can be computed in time O(m). Since the sum of the sizes of all clusters is O(n), it follows that Φ∆ can be computed in O(n), and hence the size of Φ∆ is O(n).

Theorem 2.5 (RLCC in $\mathrm{TA}_Z$). Φ∆ obtained by Algorithm 2.6 is an RLCC for ΦT/θZ.

Proof. Let ΦT(x) be a type- and equality-complete term constraint and θZ(|x|) be a Presburger formula. To show that Φ∆ computed by Algorithm 2.6 is an RLCC for ΦT/θZ, we need to show, by Definition 2.9, the validity of

$$(\forall \bar x : T)\bigl[\, \Phi_T(\bar x) \wedge \theta_Z(\bar x) \;\to\; (\exists \bar z : Z)\bigl(\Phi_\Delta(\bar z) \wedge |\bar x| = \bar z\bigr) \bigr], \qquad (2.11)$$

$$(\forall \bar z : Z)\bigl[\, \Phi_\Delta(\bar z) \;\to\; (\exists \bar x : T)\bigl(\Phi_T(\bar x) \wedge \theta_Z(\bar x) \wedge |\bar x| = \bar z\bigr) \bigr]. \qquad (2.12)$$

For (2.11) consider an arbitrary variable assignment σ such that ΦT ∧ θZ is true. By Algorithm 2.6, Φ∆ consists of Φ∆,4 ∧ θZ ∧ $\bigwedge_i (\mathrm{CNT}^{\alpha}_{k,n})_i$, where Φ∆,4 is the constraint computed by Algorithm 2.4 and the $(\mathrm{CNT}^{\alpha}_{k,n})_i$ are the counting constraints added in step (3). By Theorem 2.3, there exists an integer assignment σ∆ with σ∆ = |σ| such that Φ∆,4 is true, and obviously this assignment also makes θZ true. Finally, the counting constraints impose a restriction on the length of terms. By Algorithm 2.6, for any term t such that $\mathrm{CLS}^{\alpha}_{n}(t, t_1, \dots, t_n)$ is implied by ΦT ∧ θZ, Φ∆ includes the counting constraint $\mathrm{CNT}^{\alpha}_{k,n}(t, t_1, \dots, t_n)$, or equivalently N(|t|) > n, with N(|t|) as before. Since σ satisfies ΦT ∧ θZ, it must have assigned different terms to t, t1, . . . , tn, and thus their length necessarily satisfies N(|t|) > n.

For (2.12) consider an arbitrary integer assignment σ∆, assigning z := d, such that Φ∆(d) holds. We have to show that there exists a term assignment σT, assigning x := t, such that |t| = d and ΦT(t) and θZ(t) hold. In contrast with the proof of Theorem 2.3, it is not immediately obvious that such an assignment exists, because we no longer assume an infinite constant domain. Therefore we incrementally construct σT, starting with terms of smallest length.

Let GT be the DAG and R the bidirectional closure for ΦT as constructed in Algorithm 2.1. We assume, as in the proof of Theorem 2.3, that all selectors have been eliminated and thus the leaf nodes of GT are labeled by either constants or variables. Let G′T be identical to GT except that all nodes corresponding to equivalence classes in R have been merged. Since ΦT is equality-complete, any two distinct vertices in G′T must correspond to distinct terms.

To construct σT, we order all term lengths according to the values assigned by σ∆:

$$\underbrace{|t^{(1)}_0| = \cdots = |t^{(1)}_{n_1}|}_{\text{block } 1} \;<\; \underbrace{|t^{(2)}_0| = \cdots = |t^{(2)}_{n_2}|}_{\text{block } 2} \;<\; \cdots \;<\; \underbrace{|t^{(k)}_0| = \cdots = |t^{(k)}_{n_k}|}_{\text{block } k}$$

Note that any term t in ΦT appears in Φ∆, and hence |t| is assigned a length by σ∆ and appears in the above sequence. Let li be the length of the terms in block i. For simplicity, we assume all terms in block i are of type αi. Starting with the terms in the first block, that is, $t^{(1)}_0, \dots, t^{(1)}_{n_1}$, we incrementally construct a satisfying assignment σT for ΦT such that |σT| = σ∆.

Obviously $t^{(1)}_i$ (i ≤ n1) is either a constant or a term variable, as its length is the smallest, and we only need to consider those $t^{(1)}_i$ which are term variables. By Algorithm 2.7 we know that $\mathrm{CNT}^{\alpha_1}_{k,n_1}(l_1)$ is in Φ∆. As σ∆ satisfies Φ∆, there are at least n1 + 1 different α1-terms of length l1. Therefore we can simply assign each $t^{(1)}_i$ (if it is a variable) a distinct term. Now we proceed to the (i + 1)th block, assuming that the terms in the ith block have been assigned. At this time the values of all non-variable terms in the (i + 1)th block have been fixed, because the variables (if any) in those terms are proper subterms and thus have length less than li+1; hence they have been assigned by the ith round. By the same argument as before, due to the presence of $\mathrm{CNT}^{\alpha_{i+1}}_{k,n_{i+1}}(l_{i+1})$ in Φ∆, we are able to assign each variable in the (i + 1)th block a different tree of length li+1. The assignment in each round will not create any equality between terms in G′T, simply because terms of the same type and the same length are assigned different values. By induction we can eventually construct a satisfying assignment σT for ΦT such that |σT| = σ∆.

Since Φ∆ includes θZ, θZ(d) holds, and therefore σT also satisfies θZ, as required.

Theorem 2.6 (Counting Constraints in $\mathrm{RB}_Z$). $\mathrm{CNT}^{rb}_{n}(x_1, x_2)$, $\mathrm{CNT}^{r}_{n}(x_1, x_2)$ and $\mathrm{CNT}^{b}_{n}(x_1, x_2)$ are expressible by quantifier-free Presburger formulas that can be computed in O(n).

Proof. The proof follows closely the one for Theorem 2.4. We first consider three counting functions:

$$\begin{aligned}
f(n_1, n_2) &= |S| \text{ where } S = \{\, t \mid |t|_{\max} = n_1 \wedge |t|_{\min} = n_2 \,\}, \\
f^{r}(n_1, n_2) &= |S| \text{ where } S = \{\, t \mid |t|_{\max} = n_1 \wedge |t|_{\min} = n_2 \wedge \mathit{Isred}(t) \,\}, \\
f^{b}(n_1, n_2) &= |S| \text{ where } S = \{\, t \mid |t|_{\max} = n_1 \wedge |t|_{\min} = n_2 \wedge \mathit{Isblack}(t) \,\},
\end{aligned}$$

where f(n1, n2) (n1, n2 > 0) gives the number of distinct trees whose maximal black path has length n1 and whose minimal black path has length n2. Similarly, $f^{r}(n_1, n_2)$ (resp. $f^{b}(n_1, n_2)$) gives the corresponding number for trees with red (resp. black) root.

These three functions are computable, as they can be defined recursively as follows.

$$\begin{aligned}
f(1,1) &= 2, &(2.78)\\
f(n_1, n_2) &= f^{r}(n_1, n_2) + f^{b}(n_1, n_2) \quad\text{for } n_1 \ne 1 \vee n_2 \ne 1, &(2.79)\\
f^{r}(0, n_2) &= f^{r}(n_1, 0) = 0, &(2.80)\\
f^{r}(1,1) &= 1, &(2.81)\\
f^{r}(n_1, 1) &= 2 \sum_{i \le n_1} f^{b}(n_1, i) \quad\text{for } n_1 > 1, &(2.82)\\
f^{r}(n_1, n_2) &= \Bigl(\sum_{n_2 < j \le i < n_1} f^{b}(i, j)\Bigr) \cdot f^{b}(n_1, n_2) \;+ &(2.83)\\
&\quad \sum_{n_2 \le i < n_1} f^{b}(i, n_2) \cdot \sum_{n_2 \le j \le n_1} f^{b}(n_1, j) \;+ &(2.84)\\
&\quad \sum_{n_2 < j \le n_1} f^{b}(n_1, j) \cdot \sum_{n_2 \le i \le n_1} f^{b}(i, n_2) \;+ &(2.85)\\
&\quad f^{b}(n_1, n_2) \cdot \sum_{n_2 \le j \le i \le n_1} f^{b}(i, j) \quad\text{for } n_2 > 1, &(2.86)\\
f^{b}(0, n_2) &= f^{b}(n_1, 0) = 0, &(2.87)\\
f^{b}(n_1, 1) &= 0, &(2.88)\\
f^{b}(n_1 + 1, 2) &= 2 \sum_{i \le n_1} f^{b}(n_1, i) + 2 \sum_{i \le n_1} f^{r}(n_1, i), &(2.89)\\
f^{b}(n_1 + 1, n_2 + 1) &= \sum_{(\natural,\sharp) \in \{(r,b),(r,r),(b,b),(b,r)\}} \Bigl[ \Bigl(\sum_{n_2 < j \le i < n_1} f^{\natural}(i, j)\Bigr) \cdot f^{\sharp}(n_1, n_2) \;+ &(2.90)\\
&\quad \sum_{n_2 \le i < n_1} f^{\natural}(i, n_2) \cdot \sum_{n_2 \le j \le n_1} f^{\sharp}(n_1, j) \;+ &(2.91)\\
&\quad \sum_{n_2 < j \le n_1} f^{\natural}(n_1, j) \cdot \sum_{n_2 \le i \le n_1} f^{\sharp}(i, n_2) \;+ &(2.92)\\
&\quad f^{\natural}(n_1, n_2) \cdot \sum_{n_2 \le j \le i \le n_1} f^{\sharp}(i, j) \Bigr] \quad\text{for } n_2 > 1. &(2.93)
\end{aligned}$$

Note that f(n1, n2) is defined to be the sum of $f^{r}(n_1, n_2)$ and $f^{b}(n_1, n_2)$ except when n1 = n2 = 1. The reason is that in this case nil counts as a tree having both a maximal black path and a minimal black path of length 1. The recurrence relation for $f^{r}(n_1, n_2)$ is defined by (2.80)-(2.86). Formulas (2.80)-(2.82) take care of irregular basic cases. In particular, $f^{r}(n_1, 1)$ (n1 > 1) is so defined because a tree with a minimal black path of length 1 must have nil as one child and a tree with black root as the other child. For n2 > 1, $f^{r}(n_1, n_2)$ is defined as a sum of four terms (2.83)-(2.86). Term (2.83) corresponds to the cases where the left child contains neither a maximal black path nor a minimal black path. Term (2.84) corresponds to the cases where the left child contains a minimal black path but no maximal black path. Term (2.85) corresponds to the cases where the left child contains a maximal black path but no minimal black path. Term (2.86) corresponds to the cases where the left child contains both a maximal black path and a minimal black path. The recurrence relation for $f^{b}(n_1 + 1, n_2 + 1)$ is defined by (2.87)-(2.93). As before, formulas (2.87)-(2.89) take care of basic but irregular cases. For n2 > 1, $f^{b}(n_1 + 1, n_2 + 1)$ is obtained in a similar way as $f^{r}(n_1, n_2)$ (when n2 > 1), but taking into account that each aforementioned term splits into four terms, because there are four ways to color the root of the left child and the root of the right child. As a result, $f^{b}(n_1 + 1, n_2 + 1)$ (n2 > 1) contains 16 terms.

In the following we show that $\mathrm{CNT}_n(x_1, x_2)$ is expressible in PA. The expressibility of $\mathrm{CNT}^{r}_n(x_1, x_2)$ and $\mathrm{CNT}^{b}_n(x_1, x_2)$ can be obtained similarly. Since $\mathrm{CNT}_n(x_1, x_2)$ defines the set U = {(x, y) ∈ ℕ² | f(x, y) > n}, we can express $\mathrm{CNT}_n(x_1, x_2)$ in PA if and only if we can finitely represent U in PA. First we note that f is non-decreasing. If f(x, y) > n then f(x + 1, y) > n, because every tree with at least two paths and measure (x, y) can grow into a tree of measure (x + 1, y) by appending black(nil, nil) to a leaf node on a maximal black path. The exception is nil, which only has one path. However, we still have f(2, 1) = f(1, 1) = 2 > 1. Also if f(x, y) > n and y < x, then f(x, y + 1) > n, because every tree with measure (x, y) can grow into a tree of measure (x, y + 1) by appending black(nil, nil) to the leaf nodes on all minimal black paths. It follows that if f(x, y) > n, x′ ≥ x, y′ ≥ y, and x′ ≥ y′, then we have f(x′, y′) > n. Next we exploit this property to finitely represent U in PA.

Let D = {(x, y) ∈ ℕ² | x ≥ y} be the domain of legitimate pairs, as the length of a maximal black path must be greater than or equal to the length of a minimal black path. Let $<_c, \le_c \subseteq D^2$ be the partial covering orderings such that

$$\begin{aligned}
(x, y) <_c (x', y') &\quad\text{iff}\quad x \le x' \wedge y \le y' \wedge x + y < x' + y', \\
(x, y) \le_c (x', y') &\quad\text{iff}\quad (x, y) = (x', y') \vee (x, y) <_c (x', y').
\end{aligned}$$

We say that (x, y) is covered (resp. strictly covered) by (x′, y′) if $(x, y) \le_c (x', y')$ (resp. $(x, y) <_c (x', y')$).

The non-decreasing property implies that if f(x, y) > n and $(x, y) \le_c (x', y')$, then f(x′, y′) > n. It follows that for a fixed n, U is upward closed under $\le_c$, or equivalently U is a filter of $\langle D, \le_c \rangle$. We can represent U in PA if we can find a finite base set B ⊂ D generating U in the sense that

(a) ∀(x, y) ∈ B. f(x, y) > n, and

(b) ∀(x, y) ∈ U ∃(x′, y′) ∈ B. $(x', y') \le_c (x, y)$.

In other words, U is the upward closure of B in $\langle D, \le_c \rangle$. Below we construct such a B. Let (x, y) = (x′, y′) denote x = x′ ∧ y = y′. Let $<_l, \le_l \subseteq D^2$ be the contra-variant lexicographical linear orderings such that

$$\begin{aligned}
(x_1, y_1) <_l (x_2, y_2) &\quad\text{iff}\quad x_1 < x_2 \vee (x_1 = x_2 \wedge y_2 < y_1), \\
(x_1, y_1) \le_l (x_2, y_2) &\quad\text{iff}\quad (x_1, y_1) = (x_2, y_2) \vee (x_1, y_1) <_l (x_2, y_2).
\end{aligned}$$

It follows from (2.80)-(2.93) that the computation of $f^{r}(x, y)$ relies on the values of $f^{b}(x', y')$ where $(x', y') \le_l (x, y)$, and the computation of $f^{b}(x, y)$ relies on the values of $f^{b}(x', y')$ and of $f^{r}(x', y')$ where $(x', y') <_l (x, y)$. Therefore we can use dynamic programming to compute $f^{b}$ and $f^{r}$ inductively with respect to $<_l$, and f is then obtained by (2.78) and (2.79). Eventually we will find the first pair (xmin, ymax) (with respect to $<_l$) such that f(xmin, ymax) > n. In a similar way, for each positive i < ymax, we can find the smallest $x^{(i)}_{\min}$ such that $f(x^{(i)}_{\min}, i) > n$. We claim that B is

$$\{(x_{\min}, y_{\max})\} \;\cup\; \{\, (x^{(i)}_{\min}, i) \mid 0 < i < y_{\max} \,\} .$$

It suffices to show that for any (x, y), if f(x, y) > n then there exists (x′, y′) ∈ B such that $(x', y') \le_c (x, y)$. By the definition of $<_l$ and the fact that (xmin, ymax) is the first pair (with respect to $<_l$) such that f(xmin, ymax) > n, we have x ≥ xmin. If y ≥ ymax, then $(x_{\min}, y_{\max}) \le_c (x, y)$. So without loss of generality assume 0 < y < ymax. Since $x^{(y)}_{\min}$ is the smallest number such that $f(x^{(y)}_{\min}, y) > n$, we have $x \ge x^{(y)}_{\min}$ and hence $(x^{(y)}_{\min}, y) \le_c (x, y)$. So if f(x, y) > n then (x, y) covers some pair in B, and hence B is a finite base for U.

Therefore we define $\mathrm{CNT}_n(x_1, x_2)$ as

$$x_1 \ge x_2 > 0 \;\wedge\; \Bigl( \bigvee_{(i, j) \in B} (x_1, x_2) \ge_c (i, j) \Bigr) .$$

Clearly, f(x1, x2) grows exponentially in terms of x1 or x2. Hence the size of B is O(n), and so is the size of $\mathrm{CNT}_n(x_1, x_2)$. Similarly, we can obtain $\mathrm{CNT}^{r}_n(x_1, x_2)$ and $\mathrm{CNT}^{b}_n(x_1, x_2)$ of size O(n).

Theorem 2.7 (RLCC in $\mathrm{RB}_Z$). Φ∆ obtained by Algorithm 2.9 is an RLCC for ΦRB/θZ and is expressible in a quantifier-free Presburger formula of size linear in the size of ΦRB ∧ θZ.

Proof. It follows immediately from Algorithm 2.9 that Φ∆ is expressible in a quantifier-free Presburger formula of size linear in the size of ΦRB ∧ θZ. We are left to show the validity of (2.21) and (2.22). The validity of (2.21) is obvious, as every rule in Algorithm 2.9 is sound. We establish (2.22) by showing that given a satisfying assignment σ∆ for Φ∆(z), there is a satisfying assignment σRB for ΦRB(x) such that |σRB| = σ∆, that is, |⟦t(x)⟧| = ⟦z⟧ for each corresponding t(x) and z ∈ z. We assume that ΦRB(x) is consistent; otherwise (2.22) is trivially true. Note that for simplicity we already assumed that $L^{Z}_{RB}$ does not have selectors.

It is easily seen that the contra-variant lexicographical order $<_l$ has the subterm property (with respect to ‖ · ‖), that is, for t1, t2 ∈ Trb, we have

$$\begin{aligned}
\|t_1\| <_l \|\mathit{black}(t_1, t_2)\|, \quad \|t_2\| <_l \|\mathit{black}(t_1, t_2)\|, &\quad\text{if } \|\mathit{black}(t_1, t_2)\| > 0 ; \\
\|t_1\| \le_l \|\mathit{red}(t_1, t_2)\|, \quad \|t_2\| \le_l \|\mathit{red}(t_1, t_2)\|, &\quad\text{if } \|\mathit{red}(t_1, t_2)\| > 0 .
\end{aligned}$$

Let σ∆ be a satisfying assignment of Φ∆. We order all integer terms according to the measure induced by σ∆ as follows.

$$\underbrace{\|t^{(1)}_0\| = \cdots = \|t^{(1)}_{n_1}\|}_{\text{block } 1} \;<_l\; \underbrace{\|t^{(2)}_0\| = \cdots = \|t^{(2)}_{n_2}\|}_{\text{block } 2} \;<_l\; \cdots \;<_l\; \underbrace{\|t^{(k)}_0\| = \cdots = \|t^{(k)}_{n_k}\|}_{\text{block } k}$$

We assume that no variable is asserted to be nil, as such a variable can be removed by instantiation. Let Mi denote the measure of the terms in the i-th block. For each i > 0, the i-th block contains ni terms, among which there are $n^{(b)}_i$ black-terms and $n^{(r)}_i$ red-terms. In general, $n_i = n^{(b)}_i + n^{(r)}_i$, except for the block containing nil. Without loss of generality we assume that the first block contains terms of measure (0, 0), that is, terms violating red-black tree property (4) (Definition 2.12). Let us begin to build a partial assignment σRB from the second block, which has measure (1, 1). Only two distinct trees, namely nil and red(nil, nil), have measure (1, 1), and hence $\mathrm{CNT}^{r}_n(1, 1)$ will be false for any n > 0. Since Φ∆ is satisfiable and contains $\mathrm{CNT}^{r}_n(1, 1)$, we have n = 0, i.e., there is at most one red-term in this block. If it is a variable, then it can be assigned red(nil, nil). Let us assume we have partially assigned all terms up to the i-th block. For the (i + 1)-th block, we first consider all black-terms, i.e., constructor terms of the form black(t1, t2) and variables of black-type. Since both $\|t_1\| <_l \|\mathit{black}(t_1, t_2)\|$ and $\|t_2\| <_l \|\mathit{black}(t_1, t_2)\|$, t1 and t2 must have been assigned, and so has black(t1, t2). Due to the presence of $\mathrm{CNT}^{b}_{n^{(b)}_{i+1}}(M_{i+1})$ in Φ∆, we are able to assign each such variable a black-tree of measure Mi+1. Now let us consider the remaining red-terms. For all constructor terms of the form red(t1, t2), we know that t1 and t2 must be black-terms or nil (because otherwise Mi+1 = (0, 0)). As before we also have $\|t_1\| \le_l \|\mathit{red}(t_1, t_2)\|$ and $\|t_2\| \le_l \|\mathit{red}(t_1, t_2)\|$. So t1 and t2 can only appear in the first i blocks or in this block. In the former case, they have been assigned. In the latter case, they have been assigned too, because they are black-trees. So the unassigned terms are only variables of red-type. As $\mathrm{CNT}^{r}_{n^{(r)}_{i+1}}(M_{i+1})$ is present in Φ∆, we are able to assign each variable a distinct red-tree of measure Mi+1. By induction we can build a partial assignment up to the k-th block.

Now let us go back to the first block, which contains terms violating property (4). Terms appearing in this block are constructor terms that may be variables or may contain variables appearing in other blocks of higher order. Let us denote by y those variables appearing in other blocks and by x the rest of the variables. The variables y have been assigned values, which have measure greater than (0, 0) (with respect to $<_l$). We assign x distinct trees having only red internal nodes and make sure that for any x1, x2 ∈ x, the difference between the heights (the longest paths) of ⟦x1⟧ and ⟦x2⟧ is greater than the number of terms appearing so far, including those in the assignment. Since there are infinitely many trees violating property (4), this is obviously feasible. This completes the construction of σRB.

It is clear that σRB satisfies all disequalities between terms from the 2nd to the k-th block. Let us consider disequalities of the form x ≠ t(x, y) where x ∈ x is in the first block. t(x, y) cannot be some y ∈ y, since it would then have measure (0, 0), contradicting the fact that it appears in other blocks. For the same reason we will not have disequalities y ≠ t(x, y) for y ∈ y. Now if t(x, y) is some x′ ∈ x, then obviously ⟦x⟧ ≠ ⟦x′⟧, as they are assigned distinct trees. If t(x, y) is a proper constructor term containing some of x, then we still have ⟦x⟧ ≠ ⟦t(x, y)⟧ as, by the choice of values of x, ⟦x⟧ and ⟦t(x, y)⟧ are trees of different height. All in all, σRB respects all disequalities in the first block, and hence σRB is a satisfying assignment such that |σRB| = σ∆.

Theorem 2.9 (Soundness of Algorithm 2.13). All transformations in Algorithm 2.13 preserve equivalence.

Proof. Recall that Algorithm 2.13 first calls Algorithm 2.11 to transform a formula into one in solved form, that is, in the form

$$(\exists \bar x)\Bigl[\, \bigwedge_{i} x_{p(i)} \ne t_i(\bar x, \bar y) \;\wedge\; \bigwedge_{j} L_j\, y_{q(j)} \ne s_j(\bar x, \bar y) \Bigr] \;\wedge\; \bigwedge_{k} F_k\, y_{f(k)} \ne u_k(\bar y) \;\wedge\; \bigwedge_{l} G_l\, y_{g(l)} = H_l\, y_{h(l)} . \qquad (2.43)$$

It then eliminates the quantifiers by removing all literals containing x. It is straightforward to show that all transformations in Algorithm 2.11 preserve equivalence, and we omit the proof. It remains to show that (2.43) is equivalent to

$$\bigwedge_{k} F_k\, y_{f(k)} \ne u_k(\bar y) \;\wedge\; \bigwedge_{l} G_l\, y_{g(l)} = H_l\, y_{h(l)} ,$$

that is, that

$$(\forall \bar y : T)(\exists \bar x : T)\Bigl[\, \bigwedge_{i} x_{p(i)} \ne t_i(\bar x, \bar y) \;\wedge\; \bigwedge_{j} L_j\, y_{q(j)} \ne s_j(\bar x, \bar y) \Bigr] \qquad (2.44)$$

is valid, or that

$$\bigwedge_{i} x_{p(i)} \ne t_i(\bar x, \bar b) \;\wedge\; \bigwedge_{j} L_j\, b_{q(j)} \ne s_j(\bar x, \bar b) \qquad (2.94)$$

is satisfiable for an arbitrary sequence b of fixed TA-terms. For simplicity, we assume that all non-nullary constructors have the same arity. The general case can be proved via a minor modification.

Let x be x1, . . . , xn. Let ξ be the maximal length of terms not containing x in (2.94), and let ρ > ξ be such that there exist at least n distinct nonconstant terms d = d1, . . . , dn of length ρ. We claim that d satisfies (2.94). Observe that, due to step (4) of Algorithm 2.11, none of the xi are constrained to be constants, and thus all variables can be assigned nonconstant terms.

To show that $L_j\, b_{q(j)} \ne s_j(\bar d, \bar b)$ holds, we assume that the constructor term sj actually contains x. If not, the literal $L_j\, y_{q(j)} \ne s_j(\bar x, \bar y)$ can be moved out of the scope of ∃x. Since sj is a constructor term, |sj(d, b)| ≥ ρ > ξ. On the other hand, Lj is a selector sequence and thus $|L_j\, b_{q(j)}| \le \xi$. Therefore, for all j, $L_j\, b_{q(j)} \ne s_j(\bar d, \bar b)$.

To show that $d_{p(i)} \ne t_i(\bar d, \bar b)$, consider the following four cases, depending on the structure of ti.

1. ti does not contain any variable in x. Then |ti(b)| ≤ ξ while |dp(i)| = ρ > ξ, and hence $d_{p(i)} \ne t_i(\bar b)$.

2. ti properly contains a variable in x. Then |dp(i)| = ρ but |ti(d, b)| > ρ, and hence $d_{p(i)} \ne t_i(\bar d, \bar b)$.

3. ti is a constant ci. Then $d_{p(i)} \ne c_i$ holds, since none of the terms in d is a constant.

4. ti is a variable in x. Then $t_i \equiv x_{p(i')}$ where p(i′) ≠ p(i) (as $x_{p(i)} \ne x_{p(i)}$ simplifies to false). Since p(i) ≠ p(i′), $d_{p(i)} \ne d_{p(i')}$ holds by the selection of d.

Theorem 2.10 (Complexity of Algorithm 2.13). Algorithm 2.13 removes a block of quantifiers in time $2^{O(n)}$.

Proof. First note that we need not be concerned with the increase of the matrix size by the substitution, since we can represent a conjunction of literals efficiently using the DAG representation (Definition 2.4), in which substitution can simply be done by rearranging edges in the graph. For example, consider the following sequence of formulas

$$x_1 = \alpha(x_2, x_2),\quad x_2 = \alpha(x_3, x_3),\quad \dots,\quad x_m = \alpha(x_{m+1}, x_{m+1}) .$$

Instead of generating a formula of size $2^{O(m)}$, the substitution only gives a linear “double-edged” path from x1 to xm+1. For details see [45].
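A hash-consed term DAG that exhibits this point, as an added example and not the dissertation's implementation (the dissertation refers to [45] for its representation): nodes are shared by structure, so solving the chain x1 = α(x2, x2), . . . , xm = α(xm+1, xm+1) from the innermost equation outward adds one node per substitution, while the expanded tree has 2^{m+1} − 1 vertices. The class and function names are ours.

```python
"""Added example: a hash-consed term DAG, illustrating the substitution remark in the
proof of Theorem 2.10.  Not the dissertation's code; names are ours."""


class TermDag:
    """Terms stored as a DAG with maximal sharing: structurally equal terms get one node."""

    def __init__(self):
        self._ids = {}     # (label, child ids...) -> node id
        self._nodes = []   # node id -> (label, child ids...)

    def mk(self, label, *children):
        """Return the node for label(children), creating it only if it does not exist."""
        key = (label,) + tuple(children)
        if key not in self._ids:
            self._ids[key] = len(self._nodes)
            self._nodes.append(key)
        return self._ids[key]

    def var(self, name):
        """A variable is a leaf labeled with its name."""
        return self.mk(name)

    def size(self):
        """Number of distinct vertices in the DAG (the representation size)."""
        return len(self._nodes)

    def tree_size(self, node):
        """|t|: number of vertices of the fully expanded term tree rooted at node."""
        memo = {}

        def go(n):
            if n not in memo:
                _, *kids = self._nodes[n]
                memo[n] = 1 + sum(go(c) for c in kids)
            return memo[n]

        return go(node)

    def substitute(self, node, sub):
        """Apply sub (variable name -> node id) below node.  Shared subterms are
        rewritten once, so the DAG grows by at most one node per distinct subterm."""
        memo = {}

        def go(n):
            if n in memo:
                return memo[n]
            label, *kids = self._nodes[n]
            if not kids and label in sub:
                result = sub[label]
            else:
                result = self.mk(label, *(go(c) for c in kids))
            memo[n] = result
            return result

        return go(node)


def chain_substitution(m):
    """Solve x_1 = alpha(x_2, x_2), ..., x_m = alpha(x_{m+1}, x_{m+1}) for x_1 by
    substituting from the innermost equation outward.  Returns (DAG size, tree size):
    the DAG stays linear in m (3m - 1 nodes) while the tree has 2^(m+1) - 1 vertices."""
    dag = TermDag()
    rhs = {
        f"x{i}": dag.mk("alpha", dag.var(f"x{i + 1}"), dag.var(f"x{i + 1}"))
        for i in range(1, m + 1)
    }
    solved = rhs[f"x{m}"]                      # x_m in terms of x_{m+1}
    for i in range(m - 1, 0, -1):              # x_{m-1}, ..., x_1: one new node each
        solved = dag.substitute(rhs[f"x{i}"], {f"x{i + 1}": solved})
    return dag.size(), dag.tree_size(solved)


if __name__ == "__main__":
    for m in (1, 5, 20):
        dag_nodes, tree_nodes = chain_substitution(m)
        print(f"m = {m}: DAG vertices = {dag_nodes}, tree vertices = {tree_nodes}")
```

The order of substitution matters for the bound: eliminating x2 first and x_m last would rebuild the outer term at every round and leave O(m²) dead nodes behind, whereas the innermost-first order used here (the order in which a solved form is produced) touches each right-hand side once.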

It suffices to analyze each step of Algorithm 2.11. Let n be the size of the matrix. Step (1) (type completion) generates at most $2^{O(n)}$ disjuncts, as for a formula containing n selector terms there are at most $2^{O(n)}$ combinations of tester literals. Step (2) (selector elimination) can be done in O(n), as a selector term can be transformed to a formula in the constructor language of linear size. Step (3) (decomposition, Algorithm 2.12) generates at most $2^{O(n)}$ disjuncts. In addition, it can increase the matrix size to O(n²), due to solving x in terms of y (step (3) of Algorithm 2.12); the total length of all paths in a tree of size n is bounded by n². Note that the size increase comes from the increase of term occurrences, and the number of distinct terms is still O(n). Step (4) (constant elimination) produces at most $2^{O(n)}$ disjuncts. All put together, steps (1)-(4) generate $2^{O(n)}$ disjuncts, each of which has size O(n²) and contains O(n) distinct terms.

Theorem 2.11 (RLCC with Parameters in $\mathrm{TA}_Z$). If ΦT(x, y) ∧ θZ(x, y) is strongly solved in x and cluster complete, then Φ∆(x, y) computed by Algorithm 2.6 is an RLCC for ΦT(x, y)/x/θZ(x, y).

Proof. To show that Φ∆ computed by Algorithm 2.6 is an RLCC for ΦT(x, y)/x/θZ(x, y), we need to show, by Definition 2.18, the validity of

$$(\forall \bar x, \bar y : T)\bigl[\, \Phi_T(\bar x, \bar y) \wedge \theta_Z(\bar x, \bar y) \;\to\; (\exists \bar z : Z)\bigl(\Phi_\Delta(\bar z, \bar y) \wedge |\bar x| = \bar z\bigr) \bigr], \qquad (2.53)$$

$$(\forall \bar y : T)(\forall \bar z : Z)\bigl[\, \Phi^{(2)}_T(\bar y) \wedge \Phi_\Delta(\bar z, \bar y) \;\to\; (\exists \bar x : T)\bigl(\Phi_T(\bar x, \bar y) \wedge \theta_Z(\bar x, \bar y) \wedge |\bar x| = \bar z\bigr) \bigr]. \qquad (2.54)$$

The validity of (2.53) can be shown by an argument similar to the one given for (2.11) in the proof of Theorem 2.5.

To prove (2.54), consider arbitrary assignments σ∆ and $\sigma^{(y)}_T$, assigning z := p and y := s respectively, such that Φ∆(p, s) and $\Phi^{(2)}_T(s)$ hold. We have to show that there exists a term assignment $\sigma^{(x)}_T$, assigning x := t, such that |t| = p and ΦT(t, s) and θZ(t, s) hold. As in the proof of Theorem 2.5, we incrementally construct $\sigma^{(x)}_T$, starting with terms of smallest length.

To construct $\sigma^{(x)}_T$, we order all term lengths according to the values assigned by σ∆:

$$\underbrace{|u^{(1)}_0| = \cdots = |u^{(1)}_{n_1}|}_{\text{block } 1} \;<\; \underbrace{|u^{(2)}_0| = \cdots = |u^{(2)}_{n_2}|}_{\text{block } 2} \;<\; \cdots \;<\; \underbrace{|u^{(j)}_0| = \cdots = |u^{(j)}_{n_j}|}_{\text{block } j}$$

Let li be the length of the terms in the ith block. For any TA-term t occurring in ΦT(x, y), |t| appears in Φ∆(x, y) and hence in the above sequence. In general a block can contain more than one cluster for each type. By Proposition 2.4, however, maximal clusters are mutually independent, and therefore, without loss of generality, we can assume that each block i consists of only one maximal αi-cluster.

Beginning with the terms in the first block, namely $u^{(1)}_0, \dots, u^{(1)}_{n_1}$, we incrementally construct a satisfying assignment for ΦT(x, s). We only need to consider those $u^{(j)}_i$ which contain x. Obviously $u^{(1)}_i$ (i ≤ n1) is either a constant or a variable in x, as its length is the smallest. By Algorithm 2.6 we know that $\mathrm{CNT}^{\alpha_1}_{k,n_1}(l_1)$ is in Φ∆(x, y). As Φ∆(p, s) holds, there are at least n1 + 1 different terms of length l1. Therefore we can simply assign each $u^{(1)}_i$ (if it is a variable) a distinct α1-term.

Now suppose that all variables in the ith block have been assigned. Consider the (i + 1)th block. At this time the values of all non-variable terms in the (i + 1)th block have been determined, because variables from x only appear inside constructor terms and hence have been assigned values by the ith round. For example, suppose that t(x) is a constructor term in the (i + 1)th block. Since |x| < |t(x)|, x was assigned by the ith round, and so is the value of t(x). Due to the presence of $\mathrm{CNT}^{\alpha_{i+1}}_{k,n_{i+1}}(l_{i+1})$ in Φ∆(x, y), we are able to assign each variable in the (i + 1)th block a different term of length li+1. The variable assignment in each round does not create any equality between terms in a block, i.e., it does not violate any disequalities.

Up to now the proof is essentially the same as the one for Theorem 2.5. The only problematic case is that a cluster may have selector terms containing y as well as constructor terms containing x. For example, suppose that a cluster C in the ith block contains both Ly and αi(t1(x, y), . . . , tk(x, y)) for ar(αi) = k. ⟦Ly⟧ is fixed by $\sigma^{(y)}_T$, and ⟦t1(x, y)⟧, . . . , ⟦tk(x, y)⟧ have been determined before the ith round, and hence ⟦αi(t1(x, y), . . . , tk(x, y))⟧ is determined too. By Definition 2.19, however, the disequality Ly ≠ αi(t1(x, y), . . . , tk(x, y)) is redundant, which can only be the case if for some j (1 ≤ j ≤ k), $s^{\alpha_i}_j\, L y \ne t_j(\bar x, \bar y)$ is implied by ΦT. Since |tj(x, y)| < |αi(t1(x, y), . . . , tk(x, y))|, tj(x, y) has been assigned before the ith round such that $[\![ s^{\alpha_i}_j\, L y ]\!] \ne [\![ t_j(\bar x, \bar y) ]\!]$. As a consequence we have ⟦Ly⟧ ≠ ⟦αi(t1(x, y), . . . , tk(x, y))⟧. Since at each step we can build a satisfying partial assignment for x, by induction we can eventually construct a satisfying assignment t such that ΦT(t, s) and |t| = p. It is clear that θZ(t, s) also holds, as Φ∆ implies θZ (thanks to step (2) of Algorithm 2.6).

Proposition 2.4 (Strongly Solved Form). Algorithm 2.14 produces a formula which is in strongly solved form and cluster complete.

Proof. The production of the strongly solved form is guaranteed by Algorithm 2.16. It suffices to show that Algorithm 2.16 preserves cluster completeness. Step (1a) of Algorithm 2.16 may generate new equalities as well as new disequality literals of the form Ly ≠ t′(x, y), which in general destroys the mutual independence of clusters. Step (2) (Algorithm 2.15), however, is called after each run of step (1a) to restore cluster completeness. The termination argument has been given in the description of the algorithm.

Theorem 2.12 (Soundness of Algorithm 2.17). All transformations in Algorithm 2.17 preserve equivalence.

Proof. Clearly, Algorithm 2.14 preserves equivalence. So it suffices to show the equivalence between (2.60) and (2.62), copied below:

$$(\exists \bar x : T)\bigl[\, \Phi^{(1)}_T(\bar x, \bar y) \wedge \Phi^{(2)}_T(\bar y) \wedge \theta_Z(\bar x, \bar y) \wedge \Phi_Z(\bar x, \bar y, \bar z) \bigr], \qquad (2.60)$$

$$\Phi^{(2)}_T(\bar y) \wedge (\exists \bar u : Z)\bigl[\, \Phi_\Delta(\bar u, \bar y) \wedge \Phi_Z(\bar u, \bar y, \bar z) \bigr]. \qquad (2.62)$$

By Proposition 2.4, ΦT(x, y) ∧ θZ(x, y) is in strongly solved form and cluster complete, and hence, by Theorem 2.11, Φ∆(x, y) is an RLCC for ΦT(x, y)/x/θZ(x, y). By Proposition 2.1, Φ∆(x, y) ∧ ΦZ(x, y, z) is an RLCC for ΦT(x, y)/x/(θZ(x, y) ∧ ΦZ(x, y, z)).

To show that (2.60) implies (2.62), fix arbitrary y and z and assume that there exists x such that $\Phi^{(1)}_T(\bar x, \bar y) \wedge \Phi^{(2)}_T(\bar y) \wedge \theta_Z(\bar x, \bar y) \wedge \Phi_Z(\bar x, \bar y, \bar z)$ holds. Then by Definition 2.18, (2.53), there exists u = |x| such that Φ∆(u, y) ∧ ΦZ(u, y, z) holds, and hence (2.62) holds.

To show that (2.62) implies (2.60), fix arbitrary y and z and assume that there exists u such that $\Phi^{(2)}_T(\bar y) \wedge \Phi_\Delta(\bar u, \bar y) \wedge \Phi_Z(\bar u, \bar y, \bar z)$ holds. Then by Definition 2.18, (2.54), there exists x such that |x| = u and ΦT(x, y) ∧ θZ(x, y) ∧ ΦZ(x, y, z) holds, and hence, noting that $\Phi_T(\bar x, \bar y) \equiv \Phi^{(1)}_T(\bar x, \bar y) \wedge \Phi^{(2)}_T(\bar y)$, (2.60) holds, as required.

Theorem 2.13 (Complexity of Algorithm 2.17). Algorithm 2.17 eliminates a block of quantifiers in time $2^{O(n^2 \lg n)}$.

Proof. We only need to analyze each step of Algorithm 2.14. As shown in the proof of Theorem 2.10, step (1) (basic normalization, Algorithm 2.11) generates $2^{O(n)}$ disjuncts, each of which contains O(n) distinct terms.

Step (2) (cluster completion, Algorithm 2.15) takes time $2^{O(n \lg n)}$. This follows from the fact that an equality completion corresponds to a valid product of a partition of terms on syntactic equality and a partition of terms on length equality. For a set of size n the number of distinct partitions is the Bell number B(n), which has the asymptotic expression

\[
B(n) \sim \frac{1}{\sqrt{n}}\,\rho(n)^{\,n+\frac{1}{2}}\,e^{\rho(n)-n-1},
\]

where ρ(n) is implicitly defined by ρ(n) lg ρ(n) = n [33]. Clearly B(n) is bounded by $2^{O(n \lg n)}$, and so is the number of cluster completions.

Step (3) (Algorithm 2.16) is more costly. At the beginning of Algorithm 2.16, the matrix of (2.44) induces at most n clusters containing variables in x. Assume that each rank r is assigned a number n(r) in [1, n] such that r1 < r2 implies n(r1) < n(r2). The sum of all rank numbers is bounded by n². Each run of steps (1)-(2) reduces this sum by at least 1 and generates at most one new term appearing in disequalities. The total number of distinct terms after Algorithm 2.16 is therefore bounded by O(n²), and the number of cluster completions by $2^{O(n^2 \lg n^2)} = 2^{O(n^2 \lg n)}$. This calculation includes the cost of Algorithm 2.15 and Algorithm 2.12, each of which may be called O(n²) times in a run of Algorithm 2.16.


Chapter 3

Queues with Integers

01:38:44:460

Tank: Okay, so what do you need? Besides a miracle.
Neo: Guns. Lots of guns.

—The Matrix.

Queues provide an important synchronization mechanism in modeling distributed protocols; they are the basis of many concurrent algorithms. In this chapter we extend the theory of queues with a length function that maps a queue to its size, resulting in a combined theory of queues and Presburger arithmetic. In order to handle the special properties of queue structure, we adapt the reduction technique presented in the previous chapter with new normalization procedures. We present decision procedures for quantifier-free theories and a quantifier elimination procedure for the first-order theory that can remove a block of existential quantifiers in one step.


3.1 Introduction.

Queues are widely used in many fields of computer science such as communication networks, job scheduling and simulation. They also provide an important synchronization mechanism in modeling distributed protocols and hence form the basis of many concurrent algorithms. In this chapter we extend the theory of queues with a length function which maps a queue to its size. The extended language has three sorts: atoms (A), integers (Z), and queues (Q). As in the case of term algebras, the language is the set-theoretic union of the language of queues and the language of Presburger arithmetic. Formulas are formed from atom, queue, and integer literals using logical connectives and quantification. The two theories are connected by the length function | · | : Q → N. It allows us to express the semantics of string operations in the C language. For example, strncmp can be expressed in the existential theory of queues with prefix relation and integer arithmetic as follows (⪯ denotes the prefix relation, and c < c′ ranges over pairs of atoms in the character order):

\[
\begin{aligned}
&\mathit{strncmp}(\texttt{const char *s1, const char *s2, size\_t n}) : \\
&\quad \mathit{res} = 0 \;\wedge\; \exists q\,\big(|q| = n \wedge q \preceq s_1 \wedge q \preceq s_2\big) \\
&\;\vee\; \mathit{res} > 0 \;\wedge\; \Big[\big(s_1 \neq s_2 \wedge s_2 \preceq s_1 \wedge |s_2| \le n\big) \;\vee\; \exists q\,\Big(\bigvee_{c < c'} \big(q\,c' \preceq s_1 \wedge q\,c \preceq s_2 \wedge |q| < n\big)\Big)\Big] \\
&\;\vee\; \mathit{res} < 0 \;\wedge\; \Big[\big(s_1 \neq s_2 \wedge s_1 \preceq s_2 \wedge |s_1| \le n\big) \;\vee\; \exists q\,\Big(\bigvee_{c < c'} \big(q\,c' \preceq s_2 \wedge q\,c \preceq s_1 \wedge |q| < n\big)\Big)\Big].
\end{aligned}
\]
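The encoding above, evaluated by finite search, as an added example that is not part of the dissertation. Both functions are mine: `c_strncmp_sign` is a reference for the C semantics of `strncmp` (at most n characters compared, the terminating NUL compares as 0), and `spec_strncmp_signs` evaluates the three disjuncts as printed, reading ⪯ as the non-strict prefix relation (the explicit s1 ≠ s2 conjunct would otherwise be redundant). Every existential witness q must be a prefix of s1 or of s2, so the quantifier becomes a finite search. The inputs in `disagreements` are constructed. Running it exposes two boundary cases a practitioner should know before relying on such a specification: two equal strings shorter than n satisfy no disjunct at all, and when the shorter string is a proper prefix of the other and exactly n characters long, the |s| ≤ n conjunct lets res < 0 and res = 0 both hold, whereas C returns 0.

```python
from itertools import product

def c_strncmp_sign(s1: str, s2: str, n: int) -> int:
    """Reference C semantics on NUL-free strings: compare at most n characters;
    a string that ends first contributes its terminating NUL (value 0)."""
    for i in range(n):
        c1 = ord(s1[i]) if i < len(s1) else 0
        c2 = ord(s2[i]) if i < len(s2) else 0
        if c1 != c2:
            return -1 if c1 < c2 else 1
        if c1 == 0:                      # both strings ended at the same position
            return 0
    return 0

def prefixes(s: str):
    """All words q with q ⪯ s (non-strict prefix relation)."""
    return [s[:i] for i in range(len(s) + 1)]

def spec_strncmp_signs(s1: str, s2: str, n: int) -> set:
    """Signs of res for which the page's three-way disjunction is satisfiable.
    Every witness q is a prefix of one of the inputs, so ∃q is a finite search."""
    signs = set()
    # res = 0:  ∃q (|q| = n ∧ q ⪯ s1 ∧ q ⪯ s2)
    if any(len(q) == n and s2.startswith(q) for q in prefixes(s1)):
        signs.add(0)
    for sign, big, small in ((1, s1, s2), (-1, s2, s1)):
        # first disjunct: small ≠ big ∧ small ⪯ big ∧ |small| ≤ n
        if big != small and big.startswith(small) and len(small) <= n:
            signs.add(sign)
        # second disjunct: ∃q ∨_{c<c'} (q c' ⪯ big ∧ q c ⪯ small ∧ |q| < n)
        for q in prefixes(big):
            i = len(q)
            if (i < n and i < len(big) and i < len(small)
                    and small.startswith(q) and small[i] < big[i]):
                signs.add(sign)
    return signs

def disagreements(alphabet: str = "ab", max_len: int = 3, n: int = 2):
    """Constructed inputs on which the specification does not pin res to the C result."""
    words = ["".join(p) for k in range(max_len + 1) for p in product(alphabet, repeat=k)]
    return [(s1, s2) for s1 in words for s2 in words
            if spec_strncmp_signs(s1, s2, n) != {c_strncmp_sign(s1, s2, n)}]
```

The search over q is exhaustive because the encoding only ever asks for q to be a prefix of s1 or s2; `disagreements` is the check one would run before trusting the encoding as a specification of the C function.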

With the full expressive power of Presburger arithmetic, we are able to express linear relations between the sizes of queues. For example, in a queuing network with n input queues denoted by qi (i < n), the property that the influx is bounded by B can be expressed as

\[
\sum_{i=0}^{n-1} |q_i| < B .
\]

We present decision procedures for quantifier-free theories of queues with integer arithmetic. We consider two kinds of quantifier-free theories, based on whether or not they include the prefix relation. We also present a quantifier elimination procedure for the first-order theory of queues with integers. The elimination procedure removes a block of existential quantifiers in one step. In all developments we assume that the atom domain is finite; the decision problems for an infinite domain are considerably easier.

Related Work and Comparison. Bjørner gave a decision procedure for the quantifier-free theory of queues with subsequence relations, which consist of the prefix, suffix and sub-queue relations [5]. Bjørner also discussed the integer combination for the case of an infinite atom domain without the subsequence relations. The quantifier elimination and the complexity of the first-order theory of queues were given by [48] and [50], respectively. By a standard encoding (in which a queue is represented as sets of natural numbers), the first-order theory of queues with prefix relation can be interpreted in WS1S, and hence it is decidable. This theory also admits quantifier elimination [4]. Thomas studied theories of words with an “equal length” predicate, which can be viewed as special integer constraints [52].

Recently Klaedtke and Ruess showed the decidability of a fragment of WS1S with cardinality constraints (WS1Scard) and the undecidability of WS1Scard for certain fragments with second-order quantifier alternation [24]. By the standard encoding, the first-order theory of queues with prefix relation and integers can be interpreted in WS1Scard. In particular, the quantifier-free fragment can be interpreted in the decidable fragment of WS1Scard, which does not contain alternation of second-order quantifiers on variables occurring in cardinality constraints. Though interpretation in general renders elegant decidability results, it produces less efficient decision procedures in practice, especially if the host theory has high complexity (in this case even existential WS1S is non-elementary). Moreover, it is unlikely that any interpretation can put the full first-order theory of queues with integer arithmetic into a decidable fragment of WS1Scard.

In Chapter 2 we gave decision procedures for the theory of term algebras with integer constraints. The method relies on a key normalization process to extract integer constraints from term constraints. The normalization partitions terms into stratified clusters such that

1. each cluster consists of pairwise unequal terms (trees) of the same length, and

2. disequalities between composite terms (proper trees) in a cluster are implied by disequalities in the clusters of lower ranks.

Property (2) allows the construction of a satisfying assignment in a bottom-up fashion, while providing integer constraints that precisely characterize the satisfiability of the clusters. Thus, (1) and (2) allow us to reduce the satisfiability of the original formula to the satisfiability of computable integer constraints. The decision procedures presented in this chapter rely on the same idea. But for queues, disequalities cannot be normalized into stratified clusters, because queues are not uniquely generated (they can grow at both ends). Consider, for example, the constraint

\[
X \neq Y \;\wedge\; aX \neq Yb \;\wedge\; Xa \neq bY \;\wedge\; |X| = |Y| .
\]

Clearly infinitely many assignments of the form X = (ba)ⁿb, Y = a(ba)ⁿ satisfy X ≠ Y, but neither aX ≠ Yb nor Xa ≠ bY (both aX and Yb equal a(ba)ⁿb, and both Xa and bY equal (ba)ⁿ⁺¹). As a consequence, we cannot construct a satisfying assignment inductively. In this chapter we present new normalization procedures that allow the computation of a cut length Lt for all queue variables: below Lt all satisfying assignments can be enumerated; above Lt integer constraints can be computed that are equisatisfiable with the original formula.


Chapter Organization. Section 3.2 defines the language and structure of queues and presents some word properties. Section 3.3 describes a decision procedure for the quantifier-free theory of queues [5], the basis for our decision procedures. Section 3.4.1 introduces the theory of queues augmented with Presburger arithmetic and presents the technical machinery for the decision procedures. Section 3.4 presents the main contribution of this chapter: it adapts the technique presented in Section 2.4.2 to derive a decision procedure for the extended theory of queues. Section 3.5 refines the results of Section 3.4 for the extended theory of queues with prefix relation and integer arithmetic. Section 3.6 applies the technique to give a quantifier elimination procedure for the extended first-order theory of queues (without the prefix relation). Section 3.7 concludes with some ideas for future work. Most proofs are given in Section 3.8.

3.2 The Theory of Queues

Definition 3.1 (Queues). The structure of queues Q : 〈Q; A, C, S〉 consists of

1. A: a finite set of atoms a, b, c, …. We use εA to denote the “phantom atom”, whose only purpose is to keep functions on queues total.

2. Q: the domain of queues, which consists of sequences of atoms. We use εQ to denote the empty queue.

3. C: two constructors, the left insertion la : A × Q → Q and the right insertion ra : A × Q → Q, such that for α ∈ Q,

   la(εA, α) = α ,   ra(εA, α) = α ,

   and for a ∈ A \ {εA}, 〈s1, …, sn〉 ∈ Q,

   la(a, εQ) = 〈a〉 ,   ra(a, εQ) = 〈a〉 ,
   la(a, 〈s1, …, sn〉) = 〈a, s1, …, sn〉 ,   ra(a, 〈s1, …, sn〉) = 〈s1, …, sn, a〉 .

4. S: four selectors, the left head lh : Q → A, the left tail lt : Q → Q, the right head rh : Q → A, and the right tail rt : Q → Q, such that

   lh(εQ) = εA ,   lt(εQ) = εQ ,
   rh(εQ) = εA ,   rt(εQ) = εQ ,
   lh(〈s1〉) = s1 ,   lt(〈s1〉) = εQ ,
   rh(〈s1〉) = s1 ,   rt(〈s1〉) = εQ ,

   and for 〈s1, …, sn〉 ∈ Q (n > 1),

   lh(〈s1, …, sn〉) = s1 ,   lt(〈s1, …, sn〉) = 〈s2, …, sn〉 ,
   rh(〈s1, …, sn〉) = sn ,   rt(〈s1, …, sn〉) = 〈s1, …, sn−1〉 .

We use LQ to denote the language of queues and LA the equational sub-language of LQ on A.

Queues are finite words constructed from letters in A, i.e., Q = A*. We assume |A| > 1, as queue constraints trivially reduce to integer constraints if A is a singleton. Because of the finiteness of A, we assume that only constant atoms appear in formulas (i.e., there are no occurrences of atom variables). For clarity, X, Y, Z, … are reserved for queue variables, a, b, c, … for constant atoms and α, β, γ, … for constant queues. We use concatenation (·) to express constructor operations. For example, a·X·b stands for either ra(b, la(a, X)) or la(a, ra(b, X)). Often we omit · unless it is necessary for clarity.

The expressive power of the constructor language (the language without selectors) is the same as that of LQ.

Proposition 3.1 (Elimination of Selectors). For any ϕ in LQ, one can effectively compute an equivalent ϕ′ such that

1. ϕ′ contains no selectors, and

2. if ϕ is quantifier-free, then ϕ′ can be put into either ∃1 or ∀1 form.

So in terms of satisfiability or validity, even in the quantifier-free fragment of LQ, selectors are dispensable without compromising expressiveness. From now on we assume that LQ is the constructor language, except in Section 3.6, where selectors are used in quantifier elimination. In a constructor language a queue variable can occur at most once in a term, and hence we can assume that all terms of sort Q are of the form αXβ, where α, β are constant words and X is a queue variable.

We use “word” and “letter” in semantic discussions, and “queue” and “atom” to refer to their respective counterparts in the formal language. For a word α, |α| denotes the length of α; α[i] (0 < i ≤ |α|) denotes the letter at position i; α[m..n] (0 < m, n ≤ |α|) denotes the consecutive fragment from position m to position n; αᵐ denotes the word obtained by concatenating m copies of α. For k < |α| we define

\[
\begin{aligned}
\alpha^* &= \{\alpha^m \mid m \ge 0\}, \qquad \alpha^+ = \{\alpha^m \mid m > 0\}, \\
\mathrm{ext}(\alpha, m, k) &= \alpha^m\,\alpha[1..k], \\
\mathrm{orb}(\alpha, k) &= \bigcup_{m \ge 0} \mathrm{ext}(\alpha, m, k), \\
\mathrm{orb}(\alpha) &= \bigcup_{0 \le k < |\alpha|} \mathrm{orb}(\alpha, k).
\end{aligned}
\]

[Figure 3-1: the four words aaba, abaa, aaab and baaa arranged in a cycle, each obtained from the previous one by a circular shift.]

Figure 3-1: aaba, abaa, aaab and baaa are pairwise conjugate.

Here orb(α), called the orbit of α, is the set of all words of the form α*α[1..i] (i < |α|), and orb(α, k) is the subset of orb(α) consisting of the words ending with α[1..k].

Example 3.1 (Orbits). Let β = aba. Then ext(β, 1, 2) = abaab, and orb(β) consists of the words of the forms (aba)*, (aba)*a and (aba)*ab, which are orb(β, 0), orb(β, 1) and orb(β, 2), respectively.

The equations in LQ can express certain “circular properties” on words.

Definition 3.2 (Conjugacy [32]). Two words α, β are conjugate if there exist words u, v (v ≠ εQ) such that α = uv and β = vu. In other words, α is obtained from β by a circular shift, and vice versa. We say that α is k-conjugate with β if |u| = k.

Example 3.2 (Conjugacy). Figure 3-1 shows four words, aaba, abaa, aaab and baaa, which are pairwiseconjugate.

Proposition 3.2 (Conjugacy [32]). Two words α and β are conjugate if and only if there exists γ such that αγ = γβ. Moreover, α and β are k-conjugate if and only if, for all γ, αγ = γβ holds exactly when γ ∈ orb(α, k).

This proposition says that if α = u1u2 and β = u2u1, then the solution set of αX = Xβ is (u1u2)*u1. As a consequence, we define X ∈ orb(α, k) as “syntactic sugar” for αX = Xα[k + 1..|α|]α[1..k]; similarly, X ∉ orb(α, k) stands for αX ≠ Xα[k + 1..|α|]α[1..k].

Definition 3.3 (Primitive Words). A word β is primitive if β ≠ αⁿ (n ≥ 1) for any proper prefix α of β, and strongly primitive if in addition β ∉ orb(α) for any proper prefix α of β.

Example 3.3 (Primitive Words). Consider α ≡ aba, β ≡ abab and γ ≡ abb. It is clear that β is non-primitive, α is primitive but not strongly primitive (aba ∈ orb(ab)), and γ is strongly primitive.

If β is non-primitive, then there exists α such that β ∈ α*. We call the shortest such α the generator of β, denoted by gen(β). It is easily seen that orb(β) = orb(gen(β)), i.e., every orbit is uniquely generated. Thus, without loss of generality, we always assume the occurrences of β in orb(β, k) to be primitive.


Proposition 3.3 (Exclusiveness of Orbit Literals [5, 48]). Let α, β be two distinct primitive words and γ a word of length n. Then γ ∈ orb(α) ∩ orb(β) implies n < |α| + |β| − 1.

This proposition says that X ∈ orb(α) and X ∈ orb(β) (where α ≢ β) are mutually exclusive except for a finite number of cases, which can be enumerated by comparing the two orbits of α and β coordinate-wise up to length |α| + |β| − 2. We have

Theorem 3.1 (Exclusiveness of Orbit Literals [5, 48]). A conjunction of literals of the form

\[
\bigwedge_{0 < i \le n} X \in \mathrm{orb}(\alpha_i) \;\wedge\; \bigwedge_{0 < j \le m} X \notin \mathrm{orb}(\beta_j) \tag{3.1}
\]

can be simplified to a formula in which at most one of the literals X ∈ orb(αi) appears, and if this happens, no X ∉ orb(βj) occurs. In addition, if n > 1, (3.1) simplifies to either false or a finite set of solutions.

Example 3.4 (Exclusiveness of Orbit Literals). X ∈ orb(ab) ∧ X ∈ orb(aba) simplifies to X ∈ {εQ, a, ab, aba} (the only words of length below |ab| + |aba| − 1 = 4 that lie in both orbits), and X ∈ orb(ab) ∧ X ∉ orb(aba) simplifies to X ∈ orb(ab) ∧ X ∉ {εQ, a, ab, aba}.

3.3 Decision Procedure for Th∀(Q)

The basis of the decision procedures for the combined theory is the decision procedure for the quantifier-free theory of queues, Th∀(Q) [5].

The key component of all decision procedures presented in this chapter is normalization, which includes the elimination of certain forms of equalities, disequalities and prefix relations (when present). The common constituent of all normalization procedures is equality elimination.

Definition 3.4 (Solved Form in Q). A set of equalities E is in solved form if every E ∈ E has the form X = t(Y1, …, Yn), where X occurs neither among Y1, …, Yn nor in any other equation in E.

A set of solved equalities can be obtained by substitution: when a solution X = t is obtained, the other occurrences of X are replaced by t. Such substitution can detect certain inconsistencies, e.g., when X = αXβ is generated with α ≢ εQ or β ≢ εQ. Obviously a set of equalities in solved form poses no restriction on the solution, and hence those equalities can be considered “virtually eliminated”.

Definition 3.5 (Normal Form in Q). A queue constraint ΦQ is in normal form if

1. all equalities are in solved form,

2. for each queue variable X there exists at most one literal X ∈ orb(α, k), and

3. disequalities are of the form X ≠ α or αX ≠ Yβ, for X ≢ Y.

The following algorithm, a simplified version of [5], reduces a set of equalities and disequalities to normal form.


Algorithm 3.1 (Normalization in Q, cf. [5]). Input ΦQ : E ∪ D, where E, D are sets of equalities and disequalities, respectively.

1. Reduce literals of the forms

   αXβ = β′ ,   αXβ ≠ β′ ,   αXβ = α′Yβ′ ,   αXβ ≠ α′Yβ′ ,

   where α, β, α′, β′ are constant queues and X, Y are queue variables, to

   X = β ,   X ≠ β ,   αX = Yβ ,   αX ≠ Yβ ,

   by position-wise removal of prefixes and suffixes. For example, abXcd = abcYdd reduces to false and abXcd ≠ abcYd to Xc ≠ cY.

2. Eliminate equalities of the form αX = Yβ where X ≢ Y, and either α ≢ εQ or β ≢ εQ.

   (a) For |X| < |β|, αX = Yβ reduces to

       X = β[|β| − |X| + 1..|β|] ∧ Y = αβ[1..|β| − |X|] .

   (b) For |X| ≥ |β|, αX = Yβ reduces to

       X = X′β ∧ Y = αX′ ,

       where X′ is a fresh queue variable.

3. Eliminate equalities of the form αX = Xβ. By Proposition 3.2, if α, β are not conjugate, then αX = Xβ simplifies to false. If α, β are k-conjugate, αX = Xβ is replaced by X ∈ orb(α, k).

4. Eliminate disequalities of the form αX ≠ Xβ. Again by Proposition 3.2, if α, β are not conjugate, αX ≠ Xβ simplifies to true. If α, β are k-conjugate, αX ≠ Xβ is replaced by X ∉ orb(α, k).
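Steps (1), (3) and (4) of Algorithm 3.1, together with Proposition 3.2 and Proposition 3.3, as an added worked example; the code is mine, not the dissertation's. A term αXβ is represented as the tuple (α, X, β) and a constant word γ as (γ, None, ""). `reduce_literal` performs the position-wise stripping of step (1); `self_literal` turns αX = Xβ and αX ≠ Xβ into orbit literals via the conjugacy shift of Definition 3.2, taking the orbit over gen(α) because the page assumes the word in an orbit literal to be primitive; `orbit_intersection` enumerates orb(α) ∩ orb(β) below the bound of Proposition 3.3, which is how the finite set in Example 3.4 is obtained.

```python
from typing import Optional, Tuple

# alpha·X·beta is written (alpha, X, beta); a constant word gamma is (gamma, None, "").
Term = Tuple[str, Optional[str], str]

def reduce_literal(lhs: Term, rhs: Term, equality: bool):
    """Algorithm 3.1 step (1): remove constant prefixes and suffixes position-wise.
    Returns True/False when a constant clash decides the literal, else the reduced pair."""
    if lhs[1] is None and rhs[1] is not None:      # keep the variable term on the left
        lhs, rhs = rhs, lhs
    a1, x, b1 = lhs
    a2, y, b2 = rhs
    if x is None:                                  # two constant words
        return (a1 == a2) == equality
    k = min(len(a1), len(a2))
    if a1[:k] != a2[:k]:                           # clash inside the constant prefixes
        return not equality
    a1, a2 = a1[k:], a2[k:]
    k = min(len(b1), len(b2))
    if k and b1[-k:] != b2[-k:]:                   # abXcd = abcYdd: c vs d at the second-last position
        return not equality
    b1, b2 = b1[:len(b1) - k], b2[:len(b2) - k]
    if y is None:                                  # alpha·X·beta ~ gamma: X is the middle of gamma, or clash
        g = a2
        if not (g.startswith(a1) and g.endswith(b1) and len(g) >= len(a1) + len(b1)):
            return not equality
        return ("", x, ""), (g[len(a1):len(g) - len(b1)], None, "")
    return (a1, x, b1), (a2, y, b2)

def in_orbit(w: str, alpha: str, k: Optional[int] = None) -> bool:
    """w ∈ orb(alpha, k): w is a prefix of alpha^ω and, if k is given, |w| ≡ k (mod |alpha|)."""
    if any(w[i] != alpha[i % len(alpha)] for i in range(len(w))):
        return False
    return k is None or len(w) % len(alpha) == k

def gen(w: str) -> str:
    """Generator of w: the shortest rho with w ∈ rho^+ (w itself when w is primitive)."""
    for p in range(1, len(w) + 1):
        if len(w) % p == 0 and w[:p] * (len(w) // p) == w:
            return w[:p]
    return w

def conjugate_shift(alpha: str, beta: str) -> Optional[int]:
    """Smallest k with alpha = uv, beta = vu, |u| = k (Definition 3.2); None if not conjugate."""
    if len(alpha) != len(beta):
        return None
    for k in range(len(alpha)):
        if alpha[k:] + alpha[:k] == beta:
            return k
    return None

def self_literal(alpha: str, beta: str, equality: bool):
    """Algorithm 3.1 steps (3)/(4) for alpha·X = X·beta (equality=True) or alpha·X ≠ X·beta.
    Decided literals return True/False; otherwise ('in' | 'notin', rho, k) stands for
    X ∈ orb(rho, k) / X ∉ orb(rho, k) with rho = gen(alpha), so the orbit word is primitive."""
    k = conjugate_shift(alpha, beta)
    if k is None:
        return not equality
    rho = gen(alpha)
    return ("in" if equality else "notin", rho, k % len(rho))

def orbit_words(alpha: str, k: int, count: int):
    """The first `count` elements ext(alpha, m, k) of orb(alpha, k)."""
    return [alpha * m + alpha[:k] for m in range(count)]

def orbit_intersection(alpha: str, beta: str) -> set:
    """orb(alpha) ∩ orb(beta) for distinct primitive words: by Proposition 3.3 every common
    word is shorter than |alpha| + |beta| - 1, so a bounded enumeration is exhaustive."""
    bound = len(alpha) + len(beta) - 1
    return {(alpha * bound)[:n] for n in range(bound) if in_orbit((alpha * bound)[:n], beta)}
```

`orbit_words` is only there to let one confirm Proposition 3.2 concretely: every word it produces for the shift returned by `self_literal` satisfies αX = Xβ.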

Note that equalities are only syntactically eliminated in the normalization. Literals like X ∈ orb(α, k) introduced in step (3) are implicit equalities, and they are the only kind of equalities that can occur in a normal form. Theorem 3.1, however, ensures that a conjunction of more than one such equality is either inconsistent or has a computable finite set of solutions, and that in the presence of X ∈ orb(α, k), all occurrences of X ∉ orb(α′, k′) (the implicit disequalities introduced in step (4)) can be eliminated.

We claim that a constraint in normal form is satisfiable: a satisfying assignment can be constructed incrementally by assigning each queue variable a queue whose length is distinct from the lengths of all previously assigned terms.

Proposition 3.4 (Normal Form in Q). A constraint in normal form is satisfiable.


This proposition justifies the following algorithm.

Algorithm 3.2 (Decision Procedure for Queues [5]). Input: Φ ≡ E ∪ D.

1. Transform Φ to Φ′ : E′ ∪ D′ in normal form.

2. If an inconsistency is discovered, return FAIL; otherwise, return SUCCESS.

Note that an inconsistency may be due to a conflict in the atom domain. For example, a contradiction arises if ΦQ requires at least n + 1 distinct atoms in a domain of cardinality n. However, because of finiteness, any formula in LA is essentially ground by instantiation, and hence the validity problem is readily decidable. Thus, for simplicity, we omit discussions related to the atom domain in the above and the subsequent algorithms. Also note that in the case of an infinite atom domain, a variable partition [22] serves the same purpose as instantiation, and of course the partition method is also applicable in the finite case.

3.4 Decision Procedures for Th∀(QZ)

In this section we present decision procedures for Th∀(QZ), the quantifier-free theory of queues augmented with a length function and Presburger arithmetic. First, in Section 3.4.1 we describe the theory and outline the adaptation of the approach introduced in Section 2.4.2 for constructing decision procedures for this theory.

3.4.1 The Theory of Queues with Integers

Definition 3.6 (Queues with Integers). The structure of queues with integers is QZ : 〈Q, PA; | · |〉, where Q is the structure of queues, PA is Presburger arithmetic, and | · | : Q → N is the length function such that |X| denotes the number of atoms in the queue X.

We use subscripts A, Q, Z (or prefixes A-, Q-, PA-) to denote notions related to the atom sort, queue sort and integer sort, respectively. For example, ΦQ denotes a queue formula and VQ denotes the collection of queue variables. As in Chapter 2, we use an integer term |t(X)| in two ways: as the function value of t(X) when t(X) is under discussion, and as a purely syntactic integer variable (called a pseudo integer variable). In the latter case, given ΦZ(X), ΦZ(z) is the formula obtained by replacing each pseudo integer variable |X| (X ∈ X) by a genuine integer variable z (z ∈ z); |X| = z denotes ⋀ᵢ |Xi| = zi. If σ is an assignment for VQ, then |σ| denotes the corresponding assignment for the pseudo integer variables.

As for term algebras, in a combined constraint ΦQ ∧ ΦZ, ΦZ restricts the solutions of ΦQ.


Example 3.5 (Hidden Length Constraints in QZ). The constraint

\[
\Phi_Q :\; Xba \neq abY \;\wedge\; Xab \neq baY \;\wedge\; Xaa \neq baY \;\wedge\; Xab \neq aaY
\]

is not satisfiable together with ΦZ : |X| = |Y| = 1 in QZ with A = {a, b}. This can easily be verified by enumerating all four combinations. On the other hand, both ΦQ and ΦZ are obviously satisfiable in their respective domains.

Our combination strategy is exactly the same as that introduced in Section 2.4. We have the same notions of LCC and RLCC and the same high-level generic structure for combining decision procedures. For clarity, however, we restate the definitions and algorithms using the notation of queues.

Definition 3.7 (Length Constraint Completion (LCC) in QZ). A formula Φ∆(X) in LZ is a length constraint completion (LCC) for ΦQ(X) if the following formulae are valid:

\[
(\forall X : Q)\big[\Phi_Q(X) \to (\exists z : Z)\big(\Phi_\Delta(z) \wedge |X| = z\big)\big], \tag{3.2}
\]

\[
(\forall z : Z)\big[\Phi_\Delta(z) \to (\exists X : Q)\big(\Phi_Q(X) \wedge |X| = z\big)\big], \tag{3.3}
\]

where Φ∆(z) is obtained from Φ∆(X) by substituting a fresh z for each pseudo integer variable of the form |t(X)|.

Example 3.6 (LCC in QZ). Consider ΦQ in Example 3.5 and

\[
\Phi_{\Delta+} : \mathit{true}, \qquad \Phi_{\Delta-} : |X| = |Y| = 2, \qquad \Phi_\Delta : |X| = |Y| \wedge |X| \neq 1 .
\]

Φ∆+ is not realizable by ΦQ because the integer assignment σ∆ : |X| = |Y| = 1 cannot be realized. On the other hand, Φ∆− is not sound because it excludes the queue assignment σQ : X = εQ, Y = εQ. Finally, Φ∆ is both sound and realizable w.r.t. ΦQ and hence is an LCC for ΦQ.

Definition 3.8 (Relativized LCC (RLCC) in QZ). A formula Φ∆(X) is a length constraint completion for ΦQ(X) relativized to θZ(X) (in short, Φ∆(X) is an RLCC for ΦQ(X)/θZ(X)) if the following formulae are valid:

\[
(\forall X : Q)\big[\Phi_Q(X) \wedge \theta_Z(X) \to (\exists z : Z)\big(\Phi_\Delta(z) \wedge |X| = z\big)\big], \tag{3.4}
\]

\[
(\forall z : Z)\big[\Phi_\Delta(z) \to (\exists X : Q)\big(\Phi_Q(X) \wedge \theta_Z(X) \wedge |X| = z\big)\big]. \tag{3.5}
\]

Example 3.7 (RLCC in QZ). Revisiting Example 3.6, we partition ΦQ into

\[
(\Phi_Q \wedge |X| \neq |Y|) \;\vee\; (\Phi_Q \wedge |X| = |Y|) .
\]

The first disjunct simplifies to |X| ≠ |Y|, as |X| ≠ |Y| implies ΦQ. Now consider the second disjunct. It is clear that the RLCC for ΦQ/(|X| = |Y|) is |X| = |Y| ∧ |X| ≠ 1.


Similar to Algorithm 2.3, we have

Algorithm 3.3 (Generic Decision Procedure). Input: ΦQ ∧ ΦZ.

1. Return FAIL if Q ⊭∃ ΦQ.

2. For each partition $\Phi_Q^{(i)} \wedge \theta_Z^{(i)}$ of ΦQ:

   (a) Compute an RLCC $\Phi_\Delta^{(i)}$ for $\Phi_Q^{(i)} / \theta_Z^{(i)}$.

   (b) Return SUCCESS if PA ⊨∃ $\Phi_\Delta^{(i)} \wedge \Phi_Z$.

3. Return FAIL.

3.4.2 Decision Procedure for Th∀(QZ)

Recall that our strategy is to partition the search space for ΦQ until the RLCC is easily obtained. The partition divides into a series of steps. When |X| is known to be bounded by a constant l, we can instantiate X with a constant queue of length l. As A is finite, there are only finitely many such queues. When we make changes to ΦQ by introducing new variables or by instantiation, θZ and ΦZ are updated accordingly. For example, when X is replaced by X′α, |X| is replaced by |X′| + |α|. To save notation, ΦQ and θZ always refer to the updated version for one of the partitions.

First we assume ΦQ ∧ θZ satisfies the following condition.

Definition 3.9 (Equality Completeness). ΦQ ∧ θZ is equality complete if, whenever t1 ≠ t2 ∈ ΦQ, then |t1| = |t2| ∈ θZ.

This condition can be realized by the following algorithm.

Algorithm 3.4 (Equality Completion). Input: ΦQ ∧ θZ. For each t1 ≠ t2,

1. Add exactly one of |t1| = |t2| and |t1| ≠ |t2| to θZ.

2. Remove t1 ≠ t2 from ΦQ if |t1| ≠ |t2| is in θZ.

Definition 3.10 (Normal Form in QZ). ΦQ is in normal form in QZ if ΦQ satisfies Definition 3.5 and

1. no disequality of the form X ≠ α occurs;

2. if αX ≠ Yβ occurs with either X ∈ orb(α′, k) or Y ∈ orb(β′, l), then α ≡ εQ;

3. αX ≠ Yβ does not occur together with both X ∈ orb(α′, k) and Y ∈ orb(β′, l).

Algorithm 3.5 (Normalization inQZ). Repeatedly execute the following sub-procedures until no updatecan be made.


1. Call Algorithm 3.1 to normalize ΦQ.

2. For disequalities X ≠ α we must have |X| = |α| by equality completeness, and hence X can be removed by instantiation. For disequalities αX ≠ Yβ with |X| < |β| or |Y| < |α|, replace X and Y by instantiations. In the remaining steps we assume that |X| ≥ |β| and |Y| ≥ |α| are in θZ.

3. Consider each subconstraint of the form

\[
\alpha X \neq Y\beta \;\wedge\; X \in \mathrm{orb}(\alpha', k) \;\wedge\; Y \in \mathrm{orb}(\beta', l), \tag{3.6}
\]

which asserts that X is of the form (α′)*α′[1..k], and similarly for Y. If β is not a suffix of X or α is not a prefix of Y (both are determined by the orbit literals once |X| ≥ |β| and |Y| ≥ |α|), then αX ≠ Yβ simplifies to true. Otherwise (3.6) can be replaced by

\[
X' \neq Y' \wedge X \in \mathrm{orb}(\alpha', k) \wedge Y \in \mathrm{orb}(\beta', l) \wedge X = X'\beta \wedge Y = \alpha Y',
\]

which can be further reduced to

\[
\begin{aligned}
& X' \neq Y' \wedge X \in \mathrm{orb}(\alpha', k) \wedge Y \in \mathrm{orb}(\beta', l) \\
& \wedge\; X' \in \mathrm{orb}(\alpha', k') \wedge Y' \in \mathrm{orb}(\beta'', l') \wedge |X| = |\beta| + |X'| \wedge |Y| = |\alpha| + |Y'|,
\end{aligned} \tag{3.7}
\]

where

\[
\begin{aligned}
k' &= \big(k + |\alpha'| - (|\beta| \bmod |\alpha'|)\big) \bmod |\alpha'|, & (3.8) \\
\beta'' &= \beta'[(|\alpha| \bmod |\beta'|) + 1 .. |\beta'|]\;\beta'[1 .. (|\alpha| \bmod |\beta'|)], & (3.9) \\
l' &= \big(l + |\beta'| - (|\alpha| \bmod |\beta'|)\big) \bmod |\beta'|. & (3.10)
\end{aligned}
\]

If α′ = β″, then k′ = l′ because |X′| = |Y′|, so X′ = Y′; thus (3.7) is false and so is (3.6). If α′ ≠ β″, then by Proposition 3.3 there are only finitely many cases in which X′ = Y′, which can be computed and excluded.

4. Consider each subconstraint of the form

\[
\alpha X \neq Y\beta \;\wedge\; X \in \mathrm{orb}(\alpha', k). \tag{3.11}
\]

Guess a word α″ such that |α″| = |α| and set Y = α″Y′. For α ≢ α″, replace αX ≠ Yβ by Y = α″Y′; otherwise, replace αX ≠ Yβ by Y = αY′ ∧ X ≠ Y′β.

5. Consider each subconstraint of the form

\[
\alpha X \neq Y\beta \;\wedge\; Y \in \mathrm{orb}(\beta', l). \tag{3.12}
\]

If α is not a prefix of Y (which has the form (β′)*β′[1..l]), then (3.12) simplifies to true. Otherwise


(3.12) can be replaced by

\[
X \neq Y'\beta \wedge Y \in \mathrm{orb}(\beta', l) \wedge Y = \alpha Y',
\]

which can be further simplified to

\[
X \neq Y'\beta \wedge Y \in \mathrm{orb}(\beta', l) \wedge Y' \in \mathrm{orb}(\beta'', l') \wedge |Y| = |\alpha| + |Y'| \tag{3.13}
\]

with β″ and l′ as in (3.9) and (3.10), respectively.
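A check of the rotation rules (3.8) to (3.10), which steps (3) and (5) rely on, as an added example that is not part of the dissertation. Given X ∈ orb(α′, k) with X = X′β, `shift_after_suffix` computes k′ by (3.8); given Y ∈ orb(β′, l) with Y = αY′, `rotate_after_prefix` computes β″ and l′ by (3.9) and (3.10). `check_rules` then verifies by brute force over the first orbit words that the stripped words lie in the predicted orbits, skipping the words that are too short to strip or that fail the suffix/prefix test (the case in which the page says the disequality simplifies to true). The concrete words in the test are mine.

```python
def in_orbit(w: str, alpha: str, k=None) -> bool:
    """w ∈ orb(alpha, k): w is a prefix of alpha^ω with |w| ≡ k (mod |alpha|) when k is given."""
    periodic = all(w[i] == alpha[i % len(alpha)] for i in range(len(w)))
    return periodic and (k is None or len(w) % len(alpha) == k)

def ext(alpha: str, m: int, k: int) -> str:
    """ext(alpha, m, k) = alpha^m alpha[1..k]."""
    return alpha * m + alpha[:k]

def shift_after_suffix(alpha_p: str, k: int, beta: str) -> int:
    """(3.8): X ∈ orb(alpha', k) and X = X'·beta imply X' ∈ orb(alpha', k')."""
    n = len(alpha_p)
    return (k + n - len(beta) % n) % n

def rotate_after_prefix(beta_p: str, l: int, alpha: str):
    """(3.9)-(3.10): Y ∈ orb(beta', l) and Y = alpha·Y' imply Y' ∈ orb(beta'', l'),
    where beta'' is beta' rotated left by |alpha| mod |beta'|."""
    n = len(beta_p)
    r = len(alpha) % n
    return beta_p[r:] + beta_p[:r], (l + n - r) % n

def check_rules(alpha_p: str, k: int, beta: str, beta_p: str, l: int, alpha: str, max_m: int = 6) -> bool:
    """Brute-force confirmation of both rules on ext(·, m, ·) for m < max_m."""
    k2 = shift_after_suffix(alpha_p, k, beta)
    beta2, l2 = rotate_after_prefix(beta_p, l, alpha)
    ok = True
    for m in range(max_m):
        X = ext(alpha_p, m, k)
        if len(X) >= len(beta) and X.endswith(beta):          # X = X'·beta is possible
            ok = ok and in_orbit(X[:len(X) - len(beta)], alpha_p, k2)
        Y = ext(beta_p, m, l)
        if len(Y) >= len(alpha) and Y.startswith(alpha):      # Y = alpha·Y' is possible
            ok = ok and in_orbit(Y[len(alpha):], beta2, l2)
    return ok
```

For α′ = aba, k = 1 and β = a the rule gives k′ = 0, i.e. stripping the trailing a from (aba)ᵐa leaves (aba)ᵐ; for β′ = aba, l = 2 and α = ab it gives β″ = aab and l′ = 0, i.e. stripping ab from (aba)ᵐab leaves (aab)ᵐ.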

Proposition 3.5 (Normal Form in QZ). Algorithm 3.5 preserves equivalence and terminates with ΦQ in the normal form given by Definition 3.10.

Algorithm 3.6 (Computation of Φ∆+ in QZ). Input: ΦQ ∧ θZ. Initially set Φ∆+ = ∅. Add to Φ∆+:

1. |t1| = |t2|, if t1 ≠ t2 or t1 = t2 occurs;

2. |X| + |α| = |αX| = |Xα|, if αX or Xα occurs;

3. |X| ≡ k (mod |α|), if X ∈ orb(α, k).

ΦQ can be satisfied by sufficiently long queues: there exists a cut length δ such that if Q ⊨∃ ΦQ, then for any solution (li)n (i.e., l0, …, ln) of Φ∆+ with all li ≥ δ, there exists a solution (αi)n of ΦQ with |αi| = li. Let CΦ(δ) denote

\[
\bigwedge_{X \in V_Q(\Phi_Q)} |X| \ge \delta .
\]

It is clear that Φ∆+ ∧ CΦ(δ) ∧ θZ is an RLCC for ΦQ/(θZ ∧ CΦ(δ)). It is not true, however, that δ is the smallest max(µi)n such that

\[
Q_Z \models_\exists \Phi_Q \wedge \bigwedge_{0 < i \le n} |X_i| = \mu_i ,
\]

where (Xi)n enumerates VQ(ΦQ).

Example 3.8 (Anomaly). Revisiting Example 3.5 we see an anomaly: X := εQ, Y := εQ is a solution of ΦQ (with |X| = |Y| = 0), while there is no solution of ΦQ with |X| = |Y| = 1.

To avoid such anomalies we separate the search for a satisfying assignment into two cases. We compute a cut length Lt ≥ δ and enumerate all assignments σ with |⟦X⟧σ| < Lt, while for |⟦X⟧σ| ≥ Lt the satisfiability of the queue constraints is reduced to the satisfiability of integer constraints in the same way as in Chapter 2.


The computation of Lt is based on the observation that an assignment σ is satisfying if every ⟦X⟧σ includes a unique “marker” at the same fixed position. Such a marker can be constructed by concatenating a “shortest unused prefix” with a unique identifier for each queue variable and proper constant queue.

Let PREΦ denote the set of all words α such that αX is a proper term in ΦQ. Let |PREΦ| be the cardinality of PREΦ and let

\[
\sup(\mathrm{PRE}_\Phi) = \max\{\,|\alpha| \mid \alpha \in \mathrm{PRE}_\Phi\,\} .
\]

Definition 3.11 (Delimiters in Q). A word q is called a delimiter of ΦQ in LQ if q is strongly primitive and q ∉ orb(α) for every α ∈ PREΦ.

A delimiter always exists for finite PREΦ. In particular, any strongly primitive word longer than sup(PREΦ) is a delimiter. In general a delimiter can be much shorter, because for a fixed k the orbits of the words in PREΦ contain at most |PREΦ| distinct words of length k (an orbit has exactly one word of each length), while there are 2^{O(k)} strongly primitive words of length k provided LQ has more than two atoms.

Now let dp denote an arbitrary shortest delimiter (there can be more than one) and let Lp = |dp|. Let Lc be the smallest number of letters necessary to create a unique identifying word dc, called a color, for each queue variable and constant queue properly occurring in ΦQ. We define a tag as the concatenation of dp and a color dc. We say that a word α is tagged by q if q is a tag and a prefix of α. We claim that Lt = Lc + Lp ≥ δ.

Example 3.9 (Computation of Lt). Consider again ΦQ in Example 3.5. Here PREΦ = {ab, ba, aa}; a shortest delimiter is aab, and thus Lp = 3. ΦQ includes two queue variables, which require one letter to identify them with two letters in the alphabet. Thus we need four letters to construct a unique identifying word, resulting in Lt = 4.
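A worked computation of Lt for Example 3.5, as an added example (my code, not the dissertation's). It implements primitivity, strong primitivity and the delimiter test of Definition 3.11, searches for a shortest delimiter over PREΦ by increasing length (the page guarantees one of length at most sup(PREΦ) + 1), and brute-forces QZ ⊨∃ ΦQ ∧ |X| = lx ∧ |Y| = ly to reproduce the anomaly of Example 3.8. Lc is computed as the least c with |A|ᶜ ≥ number of items; this is my reading of the page's "smallest number of letters", and, as the page does here, it counts only the two queue variables. ΦQ and the alphabet {a, b} are those of the example.

```python
from itertools import product

def in_orbit(w: str, alpha: str) -> bool:
    """w ∈ orb(alpha): w is a prefix of alpha^ω (Section 3.2)."""
    return all(w[i] == alpha[i % len(alpha)] for i in range(len(w)))

def is_primitive(beta: str) -> bool:
    """Definition 3.3: beta is not alpha^n for any proper prefix alpha."""
    return not any(len(beta) % i == 0 and beta[:i] * (len(beta) // i) == beta
                   for i in range(1, len(beta)))

def is_strongly_primitive(beta: str) -> bool:
    """Definition 3.3: primitive and beta ∉ orb(alpha) for every proper prefix alpha."""
    return (bool(beta) and is_primitive(beta)
            and not any(in_orbit(beta, beta[:i]) for i in range(1, len(beta))))

def is_delimiter(q: str, pre) -> bool:
    """Definition 3.11: strongly primitive and outside orb(alpha) for every alpha ∈ PRE."""
    return is_strongly_primitive(q) and not any(in_orbit(q, a) for a in pre)

def shortest_delimiter(pre, alphabet: str) -> str:
    """Search by increasing length; a strongly primitive word longer than sup(PRE) always qualifies."""
    sup = max((len(a) for a in pre), default=0)
    for n in range(1, sup + 2):
        for letters in product(sorted(alphabet), repeat=n):
            q = "".join(letters)
            if is_delimiter(q, pre):
                return q
    raise AssertionError("unreachable: a delimiter of length sup(PRE)+1 exists")

def cut_length(pre, alphabet: str, n_items: int) -> int:
    """Lt = Lp + Lc with Lc the least c such that |A|^c distinct colours cover n_items."""
    lp = len(shortest_delimiter(pre, alphabet))
    lc = 0
    while len(alphabet) ** lc < n_items:
        lc += 1
    return lp + lc

# Example 3.5: each tuple (alpha, beta, alpha', beta') encodes alpha·X·beta ≠ alpha'·Y·beta'.
PHI_Q = [("", "ba", "ab", ""), ("", "ab", "ba", ""), ("", "aa", "ba", ""), ("", "ab", "aa", "")]

def holds(X: str, Y: str) -> bool:
    return all(a + X + b != a2 + Y + b2 for a, b, a2, b2 in PHI_Q)

def pre_of(phi) -> set:
    """PRE_Φ: the constant words alpha such that alpha·X is a proper term of ΦQ."""
    pre = set()
    for a, _b, a2, _b2 in phi:
        pre.update(w for w in (a, a2) if w)
    return pre

def satisfiable_at(lx: int, ly: int, alphabet: str = "ab") -> bool:
    """Brute force for QZ |=∃ ΦQ ∧ |X| = lx ∧ |Y| = ly (Examples 3.5 and 3.8)."""
    return any(holds("".join(x), "".join(y))
               for x in product(alphabet, repeat=lx) for y in product(alphabet, repeat=ly))
```

`satisfiable_at(0, 0)` and `satisfiable_at(2, 2)` hold while `satisfiable_at(1, 1)` does not, which is the anomaly that forces the enumeration below Lt; `shortest_delimiter` returns aab and `cut_length` returns 4, matching the example.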

Theorem 3.2 (RLCC in QZ). Φ∆+ ∧ θZ ∧ CΦ(Lt) is an RLCC for ΦQ/(θZ ∧ CΦ(Lt)).

Definition 3.12 (Length Configurations in QZ). A length configuration for ΦQ (in QZ) is a conjunction

\[
\bigwedge_{X \in V_Q(\Phi_Q)} A_X , \tag{3.14}
\]

where AX is either |X| = i (for some i < Lt) or |X| ≥ Lt.

Let C be the set of all configurations. Clearly C creates a finite partition of the search space that includes CΦ(Lt). A partial assignment ∂ is compatible with a configuration C if for any variable X, ⟦X⟧∂ is defined if and only if |X| = i (for some i < Lt) occurs in C. The empty assignment is vacuously a satisfying partial assignment, the only one compatible with CΦ(Lt). It can be shown that a C-compatible substitution can only reduce PREΦ and hence Lt. So Φ∆+ ∧ C ∧ θZ (all updated by variable instantiation) is an RLCC for ΦQ/(θZ ∧ C) (likewise updated by variable instantiation). As a consequence of Theorem 3.2, we have

Algorithm 3.7 (Decision Procedure for QZ). Input: ΦQ ∧ θZ ∧ ΦZ, where ΦQ ∧ θZ denotes one of the partitions.

1. For each C ∈ C,

   (a) Guess a satisfying ∂ compatible with C and update C, Φ∆+, θZ and ΦZ accordingly.

   (b) If this succeeds, return SUCCESS if PA ⊨∃ C ∧ Φ∆+ ∧ θZ ∧ ΦZ.

2. Return FAIL.

In fact we can encode configurations more efficiently, because Φ∆+ induces a partition on queue variables. Let ΦQ and Φ∆+ be as in Algorithm 3.6. We say that two queue variables X, Y in V(ΦQ) are connected, written X ∼Z Y, if |Y| = |X| + m is implied by Φ∆+ for some integer m, and we write X ≤Z Y if moreover m ≥ 0. It is easily seen that the connectedness relation ∼Z is an equivalence relation. A block (w.r.t. ΦQ) is an equivalence class induced by ∼Z. Variables in a block B can be linearly ordered by ≤Z; we call a minimum of B with respect to ≤Z the base variable of B, written XB. Let X0, …, Xn be an increasing enumeration of the variables in B. Then X0 ≡ XB and |Xi| = |XB| + li, where i ≤ n and li ≤ lj for i ≤ j ≤ n. It is obvious that we only need to consider configurations on base variables.

Example 3.10 (Blocks). Let ΦQ be

Xab ≠ bY ∧ abaX ≠ Zb ∧ W ∈ orb(aba, 1) .

Then Φ∆+ implies |Y| = |X| + 1 and |Z| = |X| + 2, which induces two blocks, B1 : X, Y, Z and B2 : W. We have XB1 = X, XB2 = W, and X, Y, Z are in increasing order with respect to ≤Z. It suffices to consider configurations on X and W only.
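To make the block construction concrete, here is an added Python example (not code from the dissertation) that parses the =/≠ literals of ΦQ, derives the length equalities |X| = |Y| + m that Φ∆+ implies, computes the blocks of ∼Z with a union-find that carries offsets, and reports the base variable and the offsets li of each block. The literal syntax and every class and function name in it are the example's own.

```python
import re
from collections import defaultdict

# Added example, not code from the dissertation.  The literal syntax below
# (constants in lower case, variables in upper case, "=" / "≠" and "∈ orb(")
# and every class and function name are this example's own.

TERM = re.compile(r"^([a-z]*)([A-Z][A-Z0-9′']*)([a-z]*)$")   # a term α X β


def parse_term(t):
    """Split a term αXβ such as 'abaX' into ('aba', 'X', '')."""
    m = TERM.match(t.strip())
    if m is None:
        raise ValueError(f"not a term of the form αXβ: {t!r}")
    return m.group(1), m.group(2), m.group(3)


class LengthBlocks:
    """Union-find with offsets.  For every variable X it keeps parent[X] and
    offset[X] = |X| - |parent[X]|, so each tree is one block of ~Z."""

    def __init__(self):
        self.parent, self.offset = {}, {}

    def add(self, x):
        if x not in self.parent:
            self.parent[x], self.offset[x] = x, 0

    def find(self, x):
        """Return (root, d) with |x| = |root| + d; compresses the path."""
        self.add(x)
        path, node = [], x
        while self.parent[node] != node:
            path.append(node)
            node = self.parent[node]
        acc = 0
        for n in reversed(path):        # rewire each node directly to the root
            acc += self.offset[n]
            self.parent[n], self.offset[n] = node, acc
        return node, self.offset[x]

    def equate(self, x, y, m):
        """Record |x| = |y| + m.  Returns False if that contradicts what is
        already implied (a cycle whose offsets do not add up)."""
        rx, dx = self.find(x)
        ry, dy = self.find(y)
        if rx == ry:
            return dx == dy + m
        # |rx| = |x| - dx = |y| + m - dx = |ry| + (dy + m - dx)
        self.parent[rx], self.offset[rx] = ry, dy + m - dx
        return True

    def blocks(self):
        """Map each base variable XB to [(X0, l0), (X1, l1), ...] with
        X0 ≡ XB, |Xi| = |XB| + li and the Xi in increasing ≤Z order."""
        groups = defaultdict(list)
        for v in list(self.parent):
            root, d = self.find(v)
            groups[root].append((v, d))
        result = {}
        for members in groups.values():
            members.sort(key=lambda p: (p[1], p[0]))   # minimum w.r.t. ≤Z first
            base, lb = members[0]
            result[base] = [(v, d - lb) for v, d in members]
        return result


def blocks_of(phi):
    """phi: list of literals such as 'Xab ≠ bY', 'aX = Yb', 'W ∈ orb(aba, 1)'.
    Only =/≠ literals between two terms contribute length equalities to Φ∆+;
    an orbit literal just registers its variable (its block may be a singleton)."""
    lb = LengthBlocks()
    for lit in phi:
        if "∈ orb(" in lit:
            lb.add(parse_term(lit.split("∈", 1)[0])[1])
            continue
        lhs, rhs = re.split(r"\s*[=≠]\s*", lit, maxsplit=1)
        a, x, b = parse_term(lhs)
        a2, y, b2 = parse_term(rhs)
        # |αXβ| = |α'Yβ'|  gives  |X| = |Y| + (|α'| + |β'| - |α| - |β|)
        if not lb.equate(x, y, len(a2) + len(b2) - len(a) - len(b)):
            raise ValueError(f"length constraints inconsistent at {lit!r}")
    return lb.blocks()


# Constructed input: the ΦQ of Example 3.10.
EXAMPLE_3_10 = ["Xab ≠ bY", "abaX ≠ Zb", "W ∈ orb(aba, 1)"]

if __name__ == "__main__":
    for base, members in blocks_of(EXAMPLE_3_10).items():
        print(f"block with base {base}: {members}")   # X: [(X,0),(Y,1),(Z,2)]; W: [(W,0)]
```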

Theorem 3.3 (Complexity of Th∀(QZ)). The decision problem for Th∀(QZ) is NP-complete.

Proof. Clearly Th∀(QZ) is NP-hard as it is a supertheory of Th∀(Q) and Th∀(Z), which are both NP-complete. Algorithm 3.6 computes Φ∆+ in O(n). As |PREΦ| is bounded by O(n), Lt can be computed in O(n) too. By the nondeterministic nature of our algorithms, we can show that each branch of computation in the normalization procedures and in Algorithm 3.7 is in P. Therefore Th∀(QZ) is NP-complete.

3.5 Decision Procedure for Th∀(Q+Z)

In this section we add the prefix relation to the theory of queues, and construct a decision procedure for this theory of queues with integers.

Definition 3.13 (Queues with Prefix). The structure of queues with prefix relation is Q+ : 〈Q; ≺〉 where Q is as in Definition 3.1 and ≺ : Q × Q → B such that 〈s0, . . . , sn〉 ≺ 〈t1, . . . , tm〉 if and only if m < n and si = ti for any i ≤ m. Let LQ+ denote the language of Q+.

Definition 3.14 (Queues with Prefix and Integers). The structure of queues with prefix relation and integers is Q+Z : 〈Q+, PA; | · |〉. Let LQ+Z denote the language of Q+Z.

The basic idea is simple: finite words are partially ordered by the prefix relation into a tree structure. Intuitively we want to order all queue variables in a given formula into a tree (assuming εQ to be the common root) where each path is induced by a chain of positive ≺-literals in the form

X0β0 ≺ X1 , X1β1 ≺ X2 , . . . , Xnβn ≺ Xn+1 . (3.15)

In this way we are able to build a solution inductively from the root. However, the normalization procedure needs considerable modification to deal with combinations of literals. Eventually we are looking for a normal form satisfying the following conditions.

Definition 3.15 (Normal Form in Q+Z). ΦQ is in normal form (in Q+Z) if ΦQ satisfies Definition 3.5 and the following conditions:

1. All literals contain two variables.

2. Negative ≺-literals are either in the form αX ⊀ Y or in the form X ⊀ αY (for X ≢ Y).

3. Positive ≺-literals in ΦQ are in the form Xβ ≺ Y (for X ≢ Y) and they partially order queue variables into a tree structure in which each path is induced by a chain of the form (3.15).

4. For a chain like (3.15)

(a) if Xi ∈ orb(α, k) occurs, then i = 0, and

(b) no literal of the form Xi ⊀ Xj (i < j ≤ n + 1) occurs.

5. For each of the following combinations, α must be εQ.

(a) αX ≠ Yβ occurs with Y ∈ orb(β′, l).

(b) αX ⊀ Y occurs with Y ∈ orb(β′, l).

(c) X ⊀ αY occurs with X ∈ orb(β′, l).

6. None of αX ≠ Yβ, αX ⊀ Y and X ⊀ αY occurs with both X ∈ orb(α′, k) and Y ∈ orb(β′, l).

7. If αX ≠ Yβ appears, then X and Y do not occur in the same chain.

8. X ⊀ αY does not occur with Yβ ≺ X.

9. There does not exist a literal αX ⊀ Y such that

(a) X appears in a positive orbit literal while Y does not appear in any positive orbit literal.

(b) Y appears in a chain whose head X′ appears in a positive orbit literal, and X′β ≺ Y is induced bythe chain.

(c) θZ does not contain |α| + |X| ≥ |X′| + |β| + |dp|, where dp is the delimiter in LQ+ defined in the sequel.

For a chain of the form (3.15), we call X0 the head of the chain. We say that the chain is pure if X0 does not appear in positive orbit literals. Note that with respect to =-literals only, condition (2) in the above definition is in fact weaker than condition (2) in Definition 3.10, as the former requires α to be εQ only when Y appears in an orbit literal, while the latter in addition requires α to be εQ when X appears in an orbit literal. This is a technical choice to avoid generating literals of the form Y = αY′ as in step (3.11) in Algorithm 3.5. We divide this normalization into several steps. First we define prefix completeness.

Definition 3.16 (Prefix Completeness). ΦQ ∧ θZ is prefix complete if the following two conditions are satisfied.

1. If t1 ⊀ t2 ∈ ΦQ, then |t1| < |t2| ∈ θZ.

2. If t1 ≺ t ∈ ΦQ and t2 ≺ t ∈ ΦQ, then exactly one of t1 = t2, t1 ≺ t2 and t2 ≺ t1 is in ΦQ.

ΦQ ∧ θZ can be made prefix complete by the following algorithm.

Algorithm 3.8 (Prefix Completion). Input: ΦQ ∧ θZ.

1. For each t1 ≺ t and t2 ≺ t in ΦQ, add exactly one of t1 = t2, t1 ≺ t2 and t2 ≺ t1 to ΦQ.

2. For each t1 ⊀ t2,

(a) Add exactly one of |t1| = |t2|, |t1| > |t2| and |t1| < |t2| to θZ.

(b) Remove t1 ⊀ t2 from ΦQ if |t1| > |t2| or |t1| = |t2| is in θZ.

Step (2) is justified by the fact that prefixes of a term are linearly ordered by ≺. In general, suppose we have $\bigwedge_{0 < i \le n} t_i \prec t$; we guess an order completion of the ti:

$$t_{p(1)} \lhd t_{p(2)} \lhd \cdots \lhd t_{p(n)} \prec t ,$$

where p is a permutation function on [1, n] and ◁ stands for either = or ≺. We define a partial order with respect to a given constraint Φ : ΦQ ∧ θZ as follows.

X <Φ Y iff (∃α, α′, β, β′ ∈ Q) αXβ ≺ α′Yβ′ ∈ ΦQ .

Obviously, <Φ is a transitive relation, and for simplicity, we also use <Φ to denote the corresponding transitive closure.

Condition (1) of Definition 3.15 can be satisfied with the following algorithm.

Algorithm 3.9 (Elimination of Single Variable Literals).

1. For literals of the forms X ≠ α, Xβ ≺ α, Xβ ⊀ α, we instantiate X because, by equality completeness or prefix completeness, |X| is bounded.

2. α ≺ Xβ. Instantiate X if we guess |X| ≤ |α|. Otherwise rewrite α ≺ Xβ to X = αX′ ∧ |X′| > 0.

3. α ⊀ Xβ. Instantiate X if we guess |X| < |α|. Otherwise guess an α′ ≢ α such that |α′| = |α|, and rewrite α ⊀ Xβ to X = α′X′.

Condition (2) of Definition 3.15 can be satisfied with the following algorithm.

Algorithm 3.10 (Simplification of Negative ≺ Literals).

1. β-Elimination. By peeling off constant prefixes or suffixes coordinate-wise, we can assume negative ≺-literals are of the form

αXβ ⊀ Yβ′ , (3.16)

Xβ ⊀ α′Yβ′ . (3.17)

Rewrite (3.16)-(3.17), respectively, to

$$\alpha X\beta \not\prec Y \;\vee\; \bigvee_{\beta'' \not\prec \beta' \,\wedge\, |\beta''| < |\beta'|} \alpha X\beta = Y\beta'' , \qquad (3.18)$$

$$X\beta \not\prec \alpha' Y \;\vee\; \bigvee_{\beta'' \not\prec \beta' \,\wedge\, |\beta''| < |\beta'|} X\beta = \alpha' Y\beta'' . \qquad (3.19)$$

Now we can assume that negative ≺-literals are in the forms

αXβ ⊀ Y , (3.20)

Xβ ⊀ α′Y . (3.21)

Continue to rewrite (3.20)-(3.21), respectively, to

$$(\alpha X \not\prec Y \wedge |\alpha X| < |Y|) \;\vee\; \bigvee_{\beta' \not\equiv \beta \,\wedge\, |\beta'| \le |\beta|} \alpha X\beta' \prec Y , \qquad (3.22)$$

$$(X \not\prec Y \wedge |X| < |Y|) \;\vee\; \bigvee_{\beta' \not\equiv \beta \,\wedge\, |\beta'| \le |\beta|} X\beta' \prec Y . \qquad (3.23)$$

2. Self-loop Elimination.

(a) Rewrite αX ⊀ X to true.

(b) Rewrite X ⊀ αX to

$$\bigwedge_{k < |\alpha|} X \notin \mathrm{orb}(\alpha, k) .$$

In order to satisfy condition (3) of Definition 3.15, we first need to put positive ≺-literals into the form Xβ ≺ Y. Intuitively this can be achieved by the following two simple algorithms.

Algorithm 3.11 (Upward Alignment). Input: αXβ ≺ Y.

Case |Y| < |α|. Instantiate Y.

Case |Y| ≥ |α|. Rewrite αXβ ≺ Y to Xβ ≺ Y′ ∧ Y = αY′.

Algorithm 3.12 (Downward Alignment). Input: Xβ ≺ αY.

Case |X| < |α|. Instantiate X.

Case |X| ≥ |α|. Rewrite Xβ ≺ αY to X′β ≺ Y ∧ X = αX′.

However, we cannot simply call Algorithms 3.11 and 3.12 to get all positive ≺-literals into the form Xα ≺ Y. For example, consider the formula

aX ≺ Y ∧ X ≺ Y . (3.24)

Applying Algorithm 3.11 to (3.24) we will obtain (one of the choices)

X ≺ Y′ ∧ X ≺ aY′ . (3.25)

Then applying Algorithm 3.12 to (3.25) we will obtain (one of the choices)

aX′ ≺ Y′ ∧ X′ ≺ Y′ , (3.26)

which is equivalent to (3.24) up to variable renaming. To guarantee progress, we need the following sub-conditions.

1. Positive ≺-literals are of the form

αXβ ≺ Y (X ≢ Y) , (3.27)

Xβ ≺ α′Y (X ≢ Y) . (3.28)

2. There exists no variable X such that X <Φ X.

3. For any X, Y, if X <Φ Y, there exists at most one path from X to Y. More precisely, if

α0Xβ0 ≺ α′1X1β′1 , α1X1β1 ≺ α′2X2β′2 , . . . , αn−1Xn−1βn−1 ≺ α′nYβ′n ,

γ0Xη0 ≺ γ′1X′1η′1 , γ1X′1η1 ≺ γ′2X′2η′2 , . . . , γm−1X′m−1ηm−1 ≺ γ′mYη′m ,

then we have m = n, αi ≡ γi, α′i ≡ γ′i , βi ≡ ηi, β′i ≡ η′i and Xi ≡ X′i for 0 < i ≤ m − 1.

Subcondition (1) can be satisfied with the following algorithm.

Algorithm 3.13 (Simplification of Positive ≺ Literals).

1. By peeling off constant prefixes or suffixes coordinate-wise, we can assume ≺-literals are of the form

αXβ ≺ Yβ′ , (3.29)

Xβ ≺ α′Yβ′ . (3.30)

Rewrite (3.29)-(3.30), respectively, to

$$\alpha X\beta \prec Y \;\vee\; \bigvee_{i < |\beta'|} \alpha X\beta = Y\beta'[1..i] , \qquad (3.31)$$

$$X\beta \prec \alpha' Y \;\vee\; \bigvee_{i < |\beta'|} X\beta = \alpha' Y\beta'[1..i] . \qquad (3.32)$$

2. Self-loop Elimination.

(a) Case αXβ ≺ X. Simplify αXβ ≺ X to false.

(b) Case Xβ ≺ αX.

i. If |α| ≤ |β|, then Xβ ≺ αX simplifies to false.

ii. Otherwise, it simplifies to

$$\bigvee_{\bar\beta \,:\, |\bar\beta| = |\alpha| - |\beta|} X\beta\bar\beta = \alpha X .$$

Sub-condition (2) can be satisfied by the following algorithm.

Algorithm 3.14 (Loop Elimination). Repeat until there is no chain of the form

α0Xβ0 ≺ α′1X1β′1 , α1X1β1 ≺ α′2X2β′2 , . . . , αn−1Xn−1βn−1 ≺ α′nXβ′n .

Choose a minimal chain of the above form (i.e., no subchain of it has this form). Consider two cases.

1. The length of the chain is 1. It must be the case that Xβ ≺ αX, which is rewritten by step (2) in Algorithm 3.13 to a disjunction of equalities accordingly.

2. The length of the chain is greater than 1. There are four combinations for the first two positive ≺-literals.

(1) α1Xβ1 ≺ Y , α2Yβ2 ≺ Z ;
(2) α1Xβ1 ≺ Y , Yβ2 ≺ α′2Z ;
(3) Xβ1 ≺ α′1Y , α2Yβ2 ≺ Z ;
(4) Xβ1 ≺ α′1Y , Yβ2 ≺ α′2Z .

By Algorithm 3.11 we can rewrite them respectively to

(1) Xβ1 ≺ Y′ , α2α1Y′β2 ≺ Z ;
(2) Xβ1 ≺ Y′ , α1Y′β2 ≺ α′2Z ;
(3) Xβ1 ≺ α′1Y , α2Yβ2 ≺ Z ;
(4) Xβ1 ≺ α′1Y , Yβ2 ≺ α′2Z .

Continue with Y or Y′ in the chain. Eventually we have a left-aligned tower of words sandwiched between Xβ and αX. By step (2) in Algorithm 3.13, Xβ ≺ αX either is false or is equivalent to X ∈ orb(α, k) for some k < |α|. All other variables appearing in the chain must be in orb(α). Literals of the form t1 ≺ t2 in the chain can then be replaced by

|t1| < |t2| ∧ t1 ∈ orb(α) ∧ t2 ∈ orb(α) .

The chain is so eliminated.

Sub-condition (3) can be satisfied by the following algorithm.

Algorithm 3.15 (Multi-path Elimination). Repeat until there is no variable Y such that there is more than one literal of the form Xβ ≺ αY or of the form αX ≺ Y. Pick such a Y (maximal with respect to <Φ).

1. For all literals of the form Xβ ≺ αY, consider two cases:

(a) X ≢ Y.

i. |X| < |α|. Then X is replaced by instantiation.

ii. |X| ≥ |α|. Then Xβ ≺ αY is replaced by

X′β ≺ Y ∧ X = αX′ .

(b) X ≡ Y. It must be the case that |β| < |α|. So Xβ ≺ αY becomes

$$\bigvee_{\bar\beta \,:\, |\bar\beta| = |\alpha| - |\beta|} X\beta\bar\beta = \alpha' X .$$

2. Now we can assume that Y only occurs in ≺-literals of the form t ≺ Y. Consider all chains of the following forms

$$t^{(1)}_1 \prec t^{(1)}_2 \prec \cdots \prec t^{(1)}_{n_1} \prec Y ,$$

$$\cdots\cdots\cdots$$

$$t^{(m)}_1 \prec t^{(m)}_2 \prec \cdots \prec t^{(m)}_{n_m} \prec Y .$$

We replace these chains by (guessing) an order completion for the terms $t^{(i)}_{n_i}$ and Y.

Now condition (3) of Definition 3.15 can be satisfied by the following algorithm under the assumption that all sub-conditions hold.

Algorithm 3.16 (Alignment of Positive ≺ Literals). Repeat until there are no positive ≺-literals of the form αXβ ≺ Y (α ≢ εQ) or of the form Xβ ≺ αY (α ≢ εQ).

Case αXβ ≺ Y. Call Algorithm 3.11.

Case Xβ ≺ αY. Call Algorithm 3.12.

Condition (4) of Definition 3.15 can be satisfied by the following algorithm.

Algorithm 3.17 (Chain Normalization). Repeat for each chain of the form (3.15).

1. Simplify Xi ⊀ Xj (j > i) to false.

2. If Xi ∈ orb(α, k) (i > 0) occurs in (3.15), then for each j < i, guess Xj ∈ orb(α, kj) for some kj < |α| such that Xjαj ∈ orb(α). If there is no such arrangement, return false. Otherwise, replace Xjβj ≺ Xj+1 by |Xj| + |βj| < |Xj+1| for j < i.

Conditions (5) and (6) of Definition 3.15 can be realized by the following algorithm.

Algorithm 3.18 (Alignment with Presence of Orbit Literals). In the following we assume |Y| ≥ |α| and |X| ≥ max(|α|, |β|). Otherwise, variables can be removed by instantiation.

1. For each subconstraint of the form

αX ≠ Yβ ∧ X ∈ orb(α′, k) ∧ Y ∈ orb(β′, l) , (3.6)

do the same transformation as in step (3) in Algorithm 3.5.

2. Consider each subconstraint of the form

αX ⊀ Y ∧ X ∈ orb(α′, k) ∧ Y ∈ orb(β′, l) , (3.33)

which asserts that X is of the form (α′)∗α′[1..k] and similarly for Y. If α is not a prefix of Y, then αX ⊀ Y simplifies to true. Otherwise (3.33) can be replaced by

X ⊀ Y′ ∧ X ∈ orb(α′, k) ∧ Y ∈ orb(β′, l) ∧ Y = αY′ ,

which can be further reduced to

X ⊀ Y′ ∧ X ∈ orb(α′, k) ∧ Y ∈ orb(β′, l) ∧ Y′ ∈ orb(β′′, l′) ∧ |Y| = |α| + |Y′| (3.34)

with β′′ and l′ the same as in (3.9) and (3.10), respectively. If α′ = β′′, then (3.34) is false (because |X′| < |Y′|) and so is (3.33). If α′ ≠ β′′, then there are only finitely many cases in which X′ ≺ Y′, which can be computed and excluded.

3. Consider each subconstraint of the form

X ⊀ αY ∧ X ∈ orb(α′, k) ∧ Y ∈ orb(β′, l) , (3.35)

which asserts that X is of the form (α′)∗α′[1..k] and similarly for Y. If α is not a prefix of X, then X ⊀ αY simplifies to true. Otherwise (3.35) can be replaced by

X′ ⊀ Y ∧ X ∈ orb(α′, k) ∧ Y ∈ orb(β′, l) ∧ X = αX′ ,

which can be further reduced to

X′ ⊀ Y ∧ X ∈ orb(α′, k) ∧ Y ∈ orb(β′, l) ∧ X′ ∈ orb(α′′, k′) ∧ |X| = |α| + |X′| , (3.36)

where

$$k' = \bigl(l + |\alpha'| - (|\alpha| \bmod |\alpha'|)\bigr) \bmod |\alpha'| , \qquad (3.37)$$

$$\alpha'' = \alpha'[(|\alpha| \bmod |\alpha'|) + 1 .. |\alpha'|]\; \alpha'[1 .. (|\alpha| \bmod |\alpha'|)] . \qquad (3.38)$$

If α′′ = β′, then (3.36) is false (because |X′| < |Y|) and so is (3.35). If α′′ ≠ β′, then there are only finitely many cases in which X′ ≺ Y, which can be computed and excluded.

4. For each subconstraint of the form

αX ≠ Yβ ∧ Y ∈ orb(β′, l) , (3.12)

do the same transformation as in step (5) in Algorithm 3.5.

5. Consider each subconstraint of the form

αX ⊀ Y ∧ Y ∈ orb(β′, l) , (3.39)

which asserts that Y is of the form (β′)∗β′[1..l]. If α is not a prefix of Y, then αX ⊀ Y simplifies to true. Otherwise (3.39) can be replaced by

X ⊀ Y′ ∧ Y ∈ orb(β′, l) ∧ Y = αY′ ,

which can be further reduced to

X ⊀ Y′ ∧ Y ∈ orb(β′, l) ∧ Y′ ∈ orb(β′′, l′) ∧ |Y| = |α| + |Y′| (3.40)

with β′′ and l′ the same as in (3.9) and (3.10), respectively.

6. Consider each subconstraint of the form

X ⊀ αY ∧ X ∈ orb(α′, k) , (3.41)

which asserts that X is of the form (α′)∗α′[1..k]. If α is not a prefix of X, then X ⊀ αY simplifies to true. Otherwise (3.41) can be replaced by

X′ ⊀ Y ∧ X ∈ orb(α′, k) ∧ X = αX′ ,

which can be further reduced to

X′ ⊀ Y ∧ X ∈ orb(α′, k) ∧ X′ ∈ orb(α′′, k′) ∧ |X| = |α| + |X′| (3.42)

with k′ and α′′ the same as in (3.37) and (3.38), respectively.

Condition (7) of Definition 3.15 is obtained by the following algorithm.

Algorithm 3.19 (Elimination of Chains with Disequalities). Repeat until there exist no literals αX ≠ Yβ such that X and Y appear in the same chain.

1. Xβ′ ≺ Y is induced by a chain of the form

Xβ ≺ X0 , X0β0 ≺ X1 , . . . , Xnβn ≺ Y . (3.43)

(a) If |α| − |β| − |β′| ≤ 0, then return false.

(b) Guess a sequence β′′, β′0, . . . , β′n such that |β′′| > 0, |β′i | > 0 (i ≤ n), and

|β′′| + |β0| + |β′0| + · · · + |βn| + |β′n| = |α| − |β| − |β′| .

(c) Remove (3.43) and add

X0 = Xβ′β′′ ,

Xi+1 = Xiβiβ′i , (i < n)

Y = Xnβnβ′n .

2. Yβ′ ≺ X is induced by a chain. Similar to the previous case.

Condition (8) of Definition 3.15 is obtained by the following algorithm.

Algorithm 3.20 (Elimination of Chains with Negative ≺-Literals). Repeat until X ⊀ αY does not occur when Yβ ≺ X is induced by a chain

Yβ ≺ X0, X0β0 ≺ X1, . . . , Xnβn ≺ X . (3.44)

1. If |α| − |β| − 1 ≤ 0, return false.

2. Guess a sequence β′, β′0, . . . , β′n such that |β′| > 0, |β′i | > 0 (i ≤ n), and

|β′| + |β0| + |β′0| + · · · + |βn| + |β′n| = |α| − |β| − 1 .

3. Remove (3.44) and add

X0 = Yββ′ ,

Xi+1 = Xiβiβ′i , (i < n)

X = Xnβnβ′n .

To obtain condition (9) of Definition 3.15, we need to redefine the notions of delimiter and tag. Let SUFΦ denote the set of all words β such that Xβ is a proper term in ΦQ. Let |SUFΦ| be the cardinality of SUFΦ and let

$$\sup(\mathrm{SUF}_\Phi) = \max\{\, |\alpha| \;:\; \alpha \in \mathrm{SUF}_\Phi \,\} .$$

Definition 3.17 (Delimiters in Q+). A word q is called a delimiter of ΦQ in LQ+ if neither q is a subsequence in orb(α) for any α ∈ PREΦ nor q is a subsequence of any β ∈ SUFΦ.

A delimiter always exists for finite SUFΦ and PREΦ. In particular, any strongly primitive word longer than sup(PREΦ) and sup(SUFΦ) is a delimiter. In general, the length of a delimiter can be much shorter. Let n = max{|PREΦ|, |SUFΦ|} and m = max{sup(PREΦ), sup(SUFΦ)}. For a fixed k, there are at most O(mn) words of length k that cannot be delimiters, while there are 2^O(k) strongly primitive words of length k in a language having more than two atoms.
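As an added example (not code from the dissertation), the following Python implements Definition 3.17 and the two facts stated above: it searches for a shortest delimiter dp over a constructed PREΦ and SUFΦ, and checks that every strongly primitive word longer than sup(PREΦ) and sup(SUFΦ) is a delimiter. It assumes that "subsequence" means a contiguous subword and that "strongly primitive" means unbordered, the property the proof of Proposition 3.7 relies on; all function names are the example's own.

```python
from itertools import product

# Added example, not code from the dissertation.  Assumptions: "subsequence"
# is read as a contiguous subword, and "strongly primitive" as unbordered.


def is_strongly_primitive(w):
    """True iff w has no border, i.e. no non-empty proper prefix of w is also
    a suffix of w (the property used in the proof of Proposition 3.7)."""
    return all(w[:i] != w[-i:] for i in range(1, len(w)))


def occurs_in_orbit(q, alpha):
    """True iff q is a subword of some word in orb(α), i.e. of the periodic
    word α^ω.  Unrolling α enough times covers every subword of length |q|."""
    if not alpha:
        return q == ""
    return q in alpha * (len(q) // len(alpha) + 2)


def is_delimiter(q, pre, suf):
    """Definition 3.17: q is a delimiter of ΦQ if it is a subword neither of
    orb(α) for any α ∈ PREΦ nor of any β ∈ SUFΦ."""
    if any(occurs_in_orbit(q, alpha) for alpha in pre):
        return False
    return not any(q in beta for beta in suf)


def shortest_delimiter(alphabet, pre, suf, strongly_primitive=True):
    """Enumerate words by increasing length and return the first delimiter.
    By default only strongly primitive candidates are considered, since the
    proof of Proposition 3.7 relies on dp being strongly primitive."""
    if len(set(alphabet)) < 2:
        raise ValueError("a delimiter needs at least two atoms")
    k = 1
    while True:
        for letters in product(alphabet, repeat=k):
            q = "".join(letters)
            if strongly_primitive and not is_strongly_primitive(q):
                continue
            if is_delimiter(q, pre, suf):
                return q
        k += 1


def sup(words):
    """sup(S) = max{|w| : w ∈ S}, with sup(∅) = 0."""
    return max((len(w) for w in words), default=0)


def primitive_words_are_delimiters(alphabet, pre, suf, length):
    """Check the claim that every strongly primitive word of the given length,
    longer than sup(PREΦ) and sup(SUFΦ), is a delimiter.  Returns True when
    no counterexample of that length exists."""
    if length <= max(sup(pre), sup(suf)):
        raise ValueError("length must exceed sup(PREΦ) and sup(SUFΦ)")
    return all(
        is_delimiter(q, pre, suf)
        for q in ("".join(ls) for ls in product(alphabet, repeat=length))
        if is_strongly_primitive(q)
    )


# Constructed sample: alphabet {a, b} and the constant words of a small ΦQ.
ALPHABET = "ab"
PRE = {"a", "ab", "aba"}   # PREΦ: the α of terms αX and of orbit literals
SUF = {"b", "ab", "ba"}    # SUFΦ: the β of proper terms Xβ

if __name__ == "__main__":
    print("shortest strongly primitive delimiter:",
          shortest_delimiter(ALPHABET, PRE, SUF))          # abb
    print("shortest delimiter of any kind:",
          shortest_delimiter(ALPHABET, PRE, SUF, False))   # bb
    print("bound from the text holds for length 4:",
          primitive_words_are_delimiters(ALPHABET, PRE, SUF, 4))
```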

Recall that dp is a shortest delimiter. In the following, dp always refers to the delimiter for the current ΦQ. Condition (9) of Definition 3.15 is obtained by the following algorithm.

Algorithm 3.21 (Elimination of Negative ≺-Literals with Chains). Choose one of the following two branches.

1. For each instance αX ⊀ Y ∧ X′β ≺ Y that violates condition (9) in Definition 3.15, add to θZ

|α| + |X| ≥ |X′| + |β| + |dp| .

Then return.

2. Split on an instance αX ⊀ Y ∧ X′β ≺ Y which violates condition (9) and choose one of the following three choices.

(a) Add |α| + |X| = |X′| + |β| to θZ and replace αX ⊀ Y by αX , X′β.

(b) Add |α| + |X| < |X′| + |β| to θZ and replace αX ⊀ Y by αX ⊀ X′β.

(c) Guess β′ of length less than |dp| and replace αX ⊀ Y by X′ββ′ ≺ Y ∧ αX , X′ββ′.

Putting it all together we have

Algorithm 3.22 (Normalization in Q+Z). Input: ΦQ ∧ θZ. Repeatedly call the following algorithms in order until no update to ΦQ ∧ θZ can be made.

1. Algorithm 3.1 (Normalization in Q).

2. Algorithm 3.4 (Equality Completion).

3. Algorithm 3.8 (Prefix Completion).

4. Algorithm 3.9 (Elimination of Single Variable Literals).

5. Algorithm 3.10 (Simplification of Negative ≺-Literals).

6. Algorithm 3.13 (Simplification of Positive ≺-Literals).

7. Algorithm 3.14 (≺-Loop Elimination).

8. Algorithm 3.15 (≺-Multipath Elimination).

9. Algorithm 3.16 (Alignment of Positive ≺-Literals).

10. Algorithm 3.17 (Basic Chain Normalization).

11. Algorithm 3.18 (Alignment of Negative ≺-Literals).

12. Algorithm 3.19 (Elimination of Chains with Disequalities).

13. Algorithm 3.20 (Elimination of Chains with Negative ≺-Literals).

14. Algorithm 3.21 (Elimination of Negative ≺-Literals with Chains).

Proposition 3.6 (Normalization in Q+Z). Algorithm 3.22 preserves equivalence and terminates with ΦQ in the normal form as given by Definition 3.15.

Proof. It is easily seen that all transformations in Algorithm 3.22 are sound. We are left to show the termination of Algorithm 3.22. Examining all branches in the algorithm, we see that no branch ever generates more ≺-literals. Only newly generated equalities and disequalities can destroy properties established by the previous round. Equalities and disequalities are generated at the expense of ≺-literals. So each branch eventually stops generating equalities and disequalities. After that each sub-procedure needs to run at most once to obtain the normal form.

From now on, let us assume ΦQ ∧ θZ is in the normal form as in Definition 3.15.

Algorithm 3.23 (Computation of Φ∆+ in Q+Z). Input: ΦQ ∧ θZ in normal form. Initially set Φ∆+ := ∅. Add to Φ∆+:

1. |t1| = |t2|, if t1 ≠ t2 or t1 = t2;

2. |t1| < |t2|, if t1 ⊀ t2 or t1 ≺ t2;

3. |X| + |α| = |αX| = |Xα|, if αX or Xα occurs;

4. |X| ≡ k (mod |α|), if X ∈ orb(α, k).

For any variable X, let inf(X) denote the term t such that t ≺ X occurs in ΦQ. Since ΦQ is in normal form, there exists at most one such t. If there is no such t in (3.15), let inf(X) be εQ. We redefine a tag as a concatenation of dp, a color dc and again dp. For technical reasons, we require

1. |dp| > |dc|,

2. dc[1] = dp[1] and dc[1] is not a part of the encoding, and

3. no dc is equal to any word in SUFΦ.

The latter two conditions mean |dc| may be greater than the shortest length for an encoding. Let L+t = 2|dp| + |dc|, the length of a tag. Define C+Φ(δ) as

$$\bigwedge_{X \in V_Q(\Phi_Q)} |X| \ge |\inf(X)| + \delta .$$

Similar to Theorem 3.2, we show that |inf(X)| + L+t is greater than or equal to the relative cut length of X.

Theorem 3.4 (RLCC in Q+Z). Φ∆+ ∧ θZ ∧ CΦ(L+t) is an RLCC for ΦQ/(θZ ∧ CΦ(L+t)).

Definition 3.18 (Length Configurations in Q+Z). A length configuration (in Q+Z) is either CΦ(L+t) or |X| = |inf(X)| + i (i < L+t) for some X ∈ VQ.

The set of all configurations, C, covers the search space, but does not partition the search space as before. If we take CΦ(L+t), then by Theorem 3.4 we are done. However, there exists one complication. In the case of QZ, for a length configuration C, the updated version of Φ∆+ ∧ C ∧ θZ (after instantiating variables) is an RLCC for the updated version of ΦQ/(θZ ∧ C), because instantiation can only reduce PREΦ and hence Lt. The case of Q+Z is complicated, as an instantiation in general destroys the normal form by introducing longer β which occur in terms Yβ. It may also enlarge SUFΦ and hence L+t. Nevertheless, progress can still be made. Suppose θZ contains another

C : |X| = |inf(X)| + i (i < L+t) .

By substitution, we can remove X. If inf(X) ≡ εQ, such a substitution is just an instantiation. For example, consider Q+Z with A = {a, b}. Xa ≺ Y ∧ |Y| = |Xa| + 1 is replaced by either Y = Xaa or Y = Xab. Thus we obtain a constraint which has fewer variables than the original. However, a rerun of the normalization is needed for the updated constraints. We summarize the procedure as follows.

Algorithm 3.24 (Decision Procedure for Q+Z). Input: ΦQ ∧ θZ ∧ ΦZ where θZ ≡ ∅.

1. If ΦQ ∧ θZ ∧ΦZ contains no variables, then

(a) return SUCCESS if it is satisfiable;

(b) return FAIL otherwise.

2. Normalize ΦQ ∧ θZ by Algorithm 3.22.

3. Return SUCCESS if PA |=∃ CΦ(L+t ) ∧ Φ∆+ ∧ θZ ∧ ΦZ.

4. Guess a C ∈ C \ {CΦ(L+t)} and a substitution compatible with C, and update ΦQ, θZ and ΦZ accordingly.

5. Call itself using updated ΦQ, θZ and ΦZ.

Theorem 3.5 (Complexity of Th∀(Q+Z)). The decision problem for Th∀(Q+Z) is NP-complete.

Proof. Clearly Th∀(Q+Z) is NP-hard. Algorithm 3.23 computes Φ∆+ in O(n). The number of subsequences in PREΦ or SUFΦ is bounded by O(n²). So L+t can be computed in O(n²). By the nondeterministic nature of our algorithms, we can show that each branch of computation in the normalization procedures and in Algorithm 3.24 is in P. Therefore Th∀(Q+Z) is NP-complete.

By symmetry, with minor modifications, this algorithm also applies to the theory of queues with suffix relation.

3.6 Decision Procedure for Th(QZ)

In this section we present a quantifier elimination for the first-order theory of queues with integers, Th(QZ). The procedure removes a block of quantifiers of the same type in a single step.

Since the extended theory has three sorts, namely atoms, integers, and queues, we need to show elimination of quantifiers of all three sorts. The elimination procedure consists of the following three sub-procedures.

Elimination of Quantifiers on Atom Variables. We assume formulae with quantifiers on atom variables are in the form

(∃x : A)[ΦA(x, y, X) ∧ ΦQ(x, y, X) ∧ ΦZ(u, X)] , (3.45)

where X ⊆ VQ, x, y ⊆ VA and u ⊆ VZ. Note that X occur in ΦA(x, y, X) by selector functions and occur in ΦZ(u, X) by the length function. As the atom domain is finite, all such quantifiers can be eliminated by instantiation, i.e., (3.45) is equivalent to

$$\bigvee_{a \in A^{*}} \Phi_A(a, y, X) \wedge \Phi_Q(a, y, X) \wedge \Phi_Z(u, X) .$$

Elimination of Quantifiers on Integer Variables. We assume formulas with quantifiers on integer variables are in the form

(∃u : Z)[ΦQ(X) ∧ ΦZ(u, v, X)] , (3.46)

where X ⊆ VQ and v, u ⊆ VZ. Since ΦQ(X) does not contain u, we can move it out of the scope of (∃u), and then obtain

ΦQ(X) ∧ (∃u : Z)ΦZ(u, v, X) . (3.47)

Since in ΦZ(u, v, X) the X occur as pseudo integer variables, (∃u : Z)ΦZ(u, v, X) is essentially a Presburger formula and we can proceed to remove the quantifier using Cooper's method [12]. In fact we can defer the elimination until all other types of quantifiers are removed.

Elimination of Quantifiers on Queue Variables. We assume formulas with quantifiers on queue variables are in the form

(∃X : Q)[ΦQ(X, Y) ∧ ΦZ(u, X, Y)] , (3.48)

where X, Y ⊆ VQ, u ⊆ VZ, and ΦZ(u, X, Y) can be an arbitrary Presburger formula (not necessarily quantifier-free). By Proposition 3.1, we can assume X does not occur in selectors. Though elimination of selectors in general adds more existential quantifiers of sort queue or atom, the newly added quantifiers will be removed together with the original ones.

We can assume s0(s1(. . . (sn(Y) . . .)) is proper, i.e., |Y| > n is in ΦZ. We need to extend the notion of RLCC to deal with parameters.

Definition 3.19 (RLCC with Parameters in QZ). Consider (∃X : Q)[ΦQ(X, Y) ∧ θZ(X, Y)], where Y are parameters. Let Φ(2)Q(Y) be the maximum subset of ΦQ(X, Y) not containing X and Φ(1)Q(X, Y) := ΦQ(X, Y) \ Φ(2)Q(Y). A formula Φ∆(X, Y) is an RLCC in X for ΦQ(X, Y) relativized to θZ(X, Y) (in short, Φ∆(X, Y) is an RLCC for ΦQ(X, Y)/X/θZ(X, Y)), if the following hold:

(∀X, Y : Q)[ΦQ(X, Y) ∧ θZ(X, Y) → (∃z : Z)(Φ∆(z, Y) ∧ |X| = z)] , (3.49)

(∀Y : Q)(∀z : Z)[Φ(2)Q(Y) ∧ Φ∆(z, Y) → (∃X : Q)(ΦQ(X, Y) ∧ θZ(X, Y) ∧ |X| = z)] . (3.50)

We also need to update the notion of normal form for parameters.

Definition 3.20 (Normal Form with Parameters in QZ). ΦQ is in normal form in QZ (with parameters) if ΦQ satisfies Definition 3.10 and the following condition: if αXβ ≠ t(Y) (where Y is a parameter) appears in ΦQ, then α ≡ β ≡ εQ and X does not occur in literals of the form X ∈ orb(α, k).

3.6.1 Normalization in QZ with Parameters Y

Algorithm 3.5 has taken care of literals without parameters, and we do not need to touch literals built up only from parameters. Thus, we are left with literals of the form t(X) = t′(Y) or t(X) ≠ t′(Y).

Algorithm 3.25 (Normalization with Parameters in QZ).

1. Call Algorithm 3.5 to process literals without parameters.

2. Pick a literal and consider four cases:

(a) αX = Yβ: if |X| < |β| we remove X by an instantiation; otherwise we replace αX = Yβ by

$$X = \mathrm{lt}^{|\alpha|}(Y)\,\beta \;\wedge\; \bigwedge_{i=1}^{|\alpha|} \alpha[i] = \mathrm{lh}(\mathrm{lt}^{i-1}(Y)) ,$$

where lt^n denotes n applications of lt.

(b) Xα = βY: similar to (a), if |X| < |β| we remove X by an instantiation; otherwise we replace Xα = βY by

$$X = \beta\,\mathrm{rt}^{|\alpha|}(Y) \;\wedge\; \bigwedge_{i=1}^{|\alpha|} \alpha[i] = \mathrm{rh}(\mathrm{rt}^{i-1}(Y)) ,$$

where rt^n denotes n applications of rt.

(c) αX ≠ Yβ: negation of (a).

(d) Xα ≠ βY: negation of (b).

In all cases, if Y has been decomposed, i.e., newly generated selector terms contain Y, we express Y in concatenation notation and use it to replace other occurrences. For example, if lh(lt^{i−1}(Y)) occurs, we rewrite other occurrences of Y by

$$\mathrm{lh}(Y) \cdots \mathrm{lh}(\mathrm{lt}^{j}(Y)) \cdots \mathrm{lh}(\mathrm{lt}^{i-1}(Y))\; \mathrm{lt}^{i}(Y) . \qquad (3.51)$$

3. Replace conjunctions of the form

$$X \in \mathrm{orb}(\alpha, k) \;\wedge\; \bigwedge_{i} X \ne t_i(Y_i) ,$$

where the ti(Yi) are terms containing parameters, by

$$X \in \mathrm{orb}(\alpha, k) \;\wedge\; \bigwedge_{i} t_i(Y_i) \notin \mathrm{orb}(\alpha, k) .$$

The equivalence of this transformation is easily seen under the side condition |X| = |ti(Yi)|.

We treat Q-terms of the form t(Y) as distinct variables. Let Lc, Lp and Lt be as defined in Section 3.4, and we obtain CΦ(Lt) and Φ∆+(X, Y) accordingly.

Theorem 3.6 (RLCC with Parameters in QZ). Φ∆+(X, Y) ∧ θZ(X, Y) ∧ CΦ(Lt) is an RLCC for ΦQ(X, Y)/X/(θZ(X, Y) ∧ CΦ(Lt)).

Algorithm 3.26 (Elimination of Queue Quantifiers).

1. Guess and add a C ∈ C to (3.48).

2. Instantiate each X such that |X| = i (i < Lt) occurs in C, and update C, ΦQ, θZ and ΦZ accordingly.

3. Rewrite (3.48) to

(∃X : Q)[ΦQ(X, Y) ∧ C ∧ θZ(X, Y) ∧ ΦZ(u, X, Y)] , (3.52)

which is equivalent to

Φ(2)Q(Y) ∧ (∃v : Z)[Φ∆+(v, Y) ∧ C ∧ θZ(v, Y) ∧ ΦZ(u, v, Y)] . (3.53)

Theorem 3.7 (Soundness of Algorithm 3.26). Algorithm 3.26 terminates and preserves equivalence.

3.7 Conclusion

We presented decision procedures for the theory of queues with integer constraints. Our method combines the extraction of integer constraints from queue constraints with, in the case of the quantified theory, a reduction of quantifiers on queue variables to quantifiers on integer variables.

We plan to extend our results to theories with more expressive power, e.g., the theory of concatenation [35] and the theory of queues with subsequence relations (including subqueue, prefix and suffix relation) [5]. We also plan to investigate decidability of the first-order theory of queues with integers and prefix or suffix relation. Note that for the first-order theory we cannot obtain decidability in a language with both prefix and suffix relations, nor in a language with prefix relation (resp. suffix relation) and the right insertion constructor (resp. the left insertion constructor), because all these extensions are sufficiently expressive to interpret the first-order theory of arrays, which is well known to be undecidable.

3.8 Proofs

In this section we present the proofs not included in the main text of this chapter. For ease of reference we restate the propositions and theorems.

Proposition 3.1 (Elimination of Selectors). For any ϕ in LQ, one can effectively compute an equivalent ϕ′ such that

1. ϕ′ contains no selectors, and

2. if ϕ is quantifier-free, then ϕ′ can be put into either ∃1 or ∀1 form.

Proof. Below we use constructors to define the selectors lh and lt in the ∃1-fragment.

lh(X) = y ↔ (∃Y ∈ Q)(X = yY) ,

lt(X) = Y ↔ (∃x ∈ A)(X = xY) ,

lh(X) ≠ y ↔ (∃Y ∈ Q)(∃y′ ∈ A)(X = y′Y ∧ y′ ≠ y) ,

lt(X) ≠ Y ↔ (∃Y′ ∈ Q)(∃y ∈ A)(X = yY′ ∧ Y′ ≠ Y) .

We can also define them in the ∀1-fragment as follows.

lh(X) = y ↔ (∀Y ∈ Q)(∀y′ ∈ A)(y′ ≠ y → X ≠ y′Y) ,

lt(X) = Y ↔ (∀Y′ ∈ Q)(∀y ∈ A)(Y ≠ Y′ → X ≠ yY′) ,

lh(X) ≠ y ↔ (∀Y ∈ Q)(X ≠ yY) ,

lt(X) ≠ Y ↔ (∀x ∈ A)(X ≠ xY) .

Similar definitions hold for rh and rt.

Proposition 3.4 (Normal Form in Q). A constraint in normal form is satisfiable.

Proof. Let ΦQ be a constraint in normal form and VQ(ΦQ) = {X0, . . . , Xn}. We build a satisfying assignment for ΦQ as follows. Beginning with X0, set ⟦X0⟧ to an arbitrary word if neither X0 ∈ orb(α, k) nor X0 ∉ orb(α′, k′) occurs. If X0 ∈ orb(α, k) is present, set ⟦X0⟧ to a word in orb(α, k). If $\bigwedge_{0 < i \le n} X_0 \notin \mathrm{orb}(\alpha_i, k_i)$ is present, set ⟦X0⟧ to a word in $\bigcap_{0 < i \le n} (\sim\mathrm{orb}(\alpha_i, k_i))$, which is infinite. The partial assignment ⟦X0⟧ is obviously satisfiable. Assume X0, . . . , Xi have been assigned such that ⟦X0, . . . , Xi⟧ is a satisfying partial assignment. Let T(X0, . . . , Xi) denote the set of all terms in ΦQ built up using X0, . . . , Xi and ⟦T(X0, . . . , Xi)⟧ the corresponding set of assigned values. Obviously, ⟦T(X0, . . . , Xi)⟧ is finite. Choose ⟦Xi+1⟧ to be a word which is longer than any word in ⟦T(X0, . . . , Xi)⟧. This can always be done even if Xi+1 ∈ orb(α, k) or Xi+1 ∉ orb(α′, k′) occurs, because both orb(α, k) and $\bigcap_{0 < i \le n} (\sim\mathrm{orb}(\alpha_i, k_i))$ are infinite. It follows that any word in ⟦T(Xi+1)⟧ is longer than the words in ⟦T(X0, . . . , Xi)⟧, and so disequalities between terms in T(X0, . . . , Xi, Xi+1) are respected, that is, ⟦X0, . . . , Xi+1⟧ is a satisfying partial assignment of ΦQ. By induction, ΦQ is satisfiable.

Proposition 3.5 (Normal Form in $Q_Z$). Algorithm 3.5 preserves equivalence and terminates with $\Phi_Q$ in the normal form given by Definition 3.10.

Proof. Soundness is clear from the description of the algorithm. We now show termination. The only problematic case is step (4), where we generate $Y = \alpha'' Y'$. If there exists a disequality $Y \neq Z\gamma$, then the substitution produces $\alpha'' Y' \neq Z\gamma$. However, there are no literals of the form $Y' \in \mathrm{orb}(\beta', l')$: otherwise, since $Y'$ is fresh, there must be literals of the form $Y \in \mathrm{orb}(\beta, l)$, and then we would have been in the first case (step (3)), as $X$ already appears in $X \in \mathrm{orb}(\alpha', k)$. Therefore $\alpha'' Y' \neq Z\gamma$ can only trigger the third case (step (5)), when there exists a literal of the form $Z \in \mathrm{orb}(\gamma', m)$. To be in line with the notation of the algorithm description, let us rename $\alpha'', Y', Z, \gamma, \gamma'$ and $m$ to $\alpha, X, Y, \beta, \beta'$ and $l$ respectively. Step (5) transforms $\alpha X \neq Y\beta \wedge Y \in \mathrm{orb}(\beta', l)$ to

$$X \neq Y'\beta \;\wedge\; Y' \in \mathrm{orb}(\beta'', l') \;\wedge\; Y \in \mathrm{orb}(\beta', l) \;\wedge\; |Y| = |\alpha| + |Y'|, \qquad (3.13)$$

where $\beta''$ and $l'$ are as in (3.9) and (3.10) respectively. Here we introduce a new variable $Y'$ but no new term with a non-empty prefix. Termination follows.

Proposition 3.7 (Tags in $\alpha\beta$). If $\beta$ is tagged by $q$, then $\alpha\beta$ is not, where $\alpha \in PRE_\Phi$.

Proof. Let $q = d_p d_c$, where $d_p$ is the delimiter and $d_c$ is a color. If $\alpha\beta$ is tagged by $q$, then $|d_p| > |\alpha|$, since $d_p$ cannot be a prefix of $\alpha$ by definition. This implies $d_p = \alpha\,\beta[1..|d_p| - |\alpha|]$. On the other hand, $d_p = \beta[1..|d_p|]$ as $\beta$ is tagged by $q$. Put together, $\alpha\,\beta[1..|d_p| - |\alpha|] = \beta[1..|d_p|]$ implies

$$d_p[1..|d_p| - |\alpha|] = d_p[|\alpha| + 1..|d_p|],$$

which means that $d_p$ is not strongly primitive, contradicting the definition of delimiter.

Theorem 3.2 (RLCC in $Q_Z$). $\Phi_{\Delta+} \wedge \theta_Z \wedge C_\Phi(L_t)$ is an RLCC for $\Phi_Q/(\theta_Z \wedge C_\Phi(L_t))$.

Proof. We need to show the validity of (3.4) and (3.5) with

$$\theta_Z(X) := \theta_Z(X) \wedge C_\Phi(L_t),$$
$$\Phi_\Delta := \Phi_{\Delta+} \wedge \theta_Z(X) \wedge C_\Phi(L_t).$$

Soundness is immediate. Now let $\sigma_Z = \{|X_i| := l_i \mid i < n\}$ be a satisfying assignment for $\Phi_{\Delta+} \wedge \theta_Z(X) \wedge C_\Phi(L_t)$. We need to find a solution $\sigma_Q$ for $\Phi_Q$ such that $|\llbracket X_i \rrbracket \sigma_Q| = l_i$ for $i < n$. Since


$\Phi_Q$ contains no equalities, it suffices to show that $\sigma_Q$ satisfies literals of the following forms:

$$\alpha X \neq Y\beta, \qquad (3.54)$$
$$X \in \mathrm{orb}(\alpha, k), \qquad (3.55)$$
$$X \notin \mathrm{orb}(\alpha, k). \qquad (3.56)$$

Let us assign each distinct queue variable or proper constant queue a unique color. Let $c_X$ denote the color assigned to variable $X$ and $c_\alpha$ the color assigned to $\alpha$. For each variable $X$, we define $\llbracket X \rrbracket \sigma_Q$ as follows.

1. If $X \in \mathrm{orb}(\alpha, k)$ occurs in $\Phi_Q$, then

$$\llbracket X \rrbracket \sigma_Q := \mathrm{ext}(\alpha, m, k), \qquad (3.57)$$

where $m \cdot |\alpha| + k = \llbracket |X| \rrbracket \sigma_Z$. This definition is sound as

(a) $\Phi_{\Delta+}$ contains $|X| \equiv k \pmod{|\alpha|}$ (Algorithm 3.6), and

(b) $X$ appears in at most one literal of the form $X \in \mathrm{orb}(\alpha, k)$ (Algorithm 3.1).

2. If $X \in \mathrm{orb}(\alpha, k)$ does not occur in $\Phi_Q$, then

$$\llbracket X \rrbracket \sigma_Q := d_p\, c_X\, p_X, \qquad (3.58)$$

where $p_X$ denotes an arbitrary padding that makes $\llbracket X \rrbracket \sigma_Q$ have length $\llbracket |X| \rrbracket \sigma_Z$.

Clearly, by definition $|\llbracket X \rrbracket \sigma_Q| = \llbracket |X| \rrbracket \sigma_Z$. So we are left to show that $\sigma_Q$ is satisfying. For notational simplicity, we drop $\sigma_Q$ and use $\llbracket t \rrbracket$ to denote the value assigned to the term $t$ under $\sigma_Q$. We first analyze four cases to show that literals of the form $\alpha X \neq Y\beta$ are satisfied.

1. $\alpha X \neq Y\beta$ occurs with both $X \in \mathrm{orb}(\alpha', k)$ and $Y \in \mathrm{orb}(\beta', l)$. This cannot happen, as step (3) of Algorithm 3.5 would have replaced $X, Y$ by instantiation.

2. $\alpha X \neq Y\beta$ occurs with $X \in \mathrm{orb}(\alpha', k)$ but not with $Y \in \mathrm{orb}(\beta', l)$. Then $\alpha \equiv \varepsilon_Q$ (thanks to Algorithm 3.5) and $Y$ is assigned a tag as in (3.58). Thus $\llbracket X \rrbracket \neq \llbracket Y\beta \rrbracket$, as $|d_p| \le |\llbracket X \rrbracket|$ and $d_p \notin \mathrm{orb}(\alpha')$.

3. $\alpha X \neq Y\beta$ occurs with $Y \in \mathrm{orb}(\beta', l)$ but not with $X \in \mathrm{orb}(\alpha', k)$. Then $\alpha \equiv \varepsilon_Q$ (again thanks to Algorithm 3.5) and $X$ is assigned a tag as in (3.58). Thus $\llbracket X \rrbracket \neq \llbracket Y\beta \rrbracket$, as $|d_p| \le |\llbracket Y \rrbracket|$ and $d_p \notin \mathrm{orb}(\beta')$.

4. $\alpha X \neq Y\beta$ occurs with neither $X \in \mathrm{orb}(\alpha', k)$ nor $Y \in \mathrm{orb}(\beta', l)$. Then both $\llbracket X \rrbracket$ and $\llbracket Y \rrbracket$ begin with a tag. If $\alpha \equiv \varepsilon_Q$, then $\llbracket X \rrbracket \neq \llbracket Y\beta \rrbracket$ because $c_X \neq c_Y$. If $\alpha \not\equiv \varepsilon_Q$, then by Proposition 3.7 $\llbracket \alpha X \rrbracket$ is not tagged while $\llbracket Y\beta \rrbracket$ is tagged by $d_p c_Y$. Hence $\llbracket \alpha X \rrbracket \neq \llbracket Y\beta \rrbracket$.

For literals of the form $X \in \mathrm{orb}(\alpha, k)$, $\llbracket X \rrbracket$ must be defined according to (3.57), and hence $X \in \mathrm{orb}(\alpha, k)$ is clearly satisfied. For literals of the form $X \notin \mathrm{orb}(\alpha, k)$, $\llbracket X \rrbracket$ must be defined according to (3.58), as by Algorithm 3.1 $X$ does not appear in literals of the form $X \in \mathrm{orb}(\alpha, k)$. Since $d_p \notin \mathrm{orb}(\alpha)$, we have $\llbracket X \rrbracket \notin \mathrm{orb}(\alpha, k)$.

Thus we can find a solution $\sigma_Q$ for $\Phi_Q$ such that $|\llbracket X_i \rrbracket| = l_i$ for $i < n$, provided that $\sigma_Z = \{|X_i| := l_i \mid i < n\}$ satisfies $\Phi_{\Delta+} \wedge \theta_Z \wedge C_\Phi(L_t)$. Therefore $\Phi_{\Delta+} \wedge \theta_Z \wedge C_\Phi(L_t)$ is realizable, and hence it is an RLCC for $\Phi_Q/(\theta_Z \wedge C_\Phi(L_t))$.

Theorem 3.4 (RLCC in $Q_Z^+$). $\Phi_{\Delta+} \wedge \theta_Z \wedge C_\Phi(L_t^+)$ is an RLCC for $\Phi_Q/(\theta_Z \wedge C_\Phi(L_t^+))$.

Proof. As in the proof of Theorem 3.2, soundness is immediate. Now let $\sigma_Z = \{|X_i| := l_i \mid i < n\}$ be a satisfying assignment for $\Phi_{\Delta+} \wedge \theta_Z(X) \wedge C_\Phi(L_t^+)$. We need to find a solution $\sigma_Q$ for $\Phi_Q$ such that $|\llbracket X_i \rrbracket \sigma_Q| = l_i$ for $i < n$. It suffices to show that $\sigma_Q$ satisfies literals of the forms (3.54)–(3.56) and literals of the forms

$$X\beta \prec Y, \qquad (3.59)$$
$$\alpha X \not\prec Y, \qquad (3.60)$$
$$X \not\prec \alpha Y. \qquad (3.61)$$

Recall that $\Phi_Q$ is in normal form and literals of the form $X\alpha \prec Y$ are arranged in a tree structure (with $\varepsilon_Q$ as the common root). We build a satisfying assignment incrementally. For a variable $X$, if $\mathrm{inf}(X) \equiv \varepsilon_Q$, i.e. $X$ is the head of a chain (ignoring the root $\varepsilon_Q$), then we assign $X$ as in the proof of Theorem 3.2, except that here we require the padding $p_X$ to be of the form $a^*$ with $a \neq d_p[1]$. If $\mathrm{inf}(X) \not\equiv \varepsilon_Q$ and $\llbracket \mathrm{inf}(X) \rrbracket$ is determined, we assign

$$\llbracket X \rrbracket := \llbracket \mathrm{inf}(X) \rrbracket\; d_p\; c_X\; d_p\; p_X.$$

Let us denote this assignment by σ. We need the following propositions for the rest of the proof.

Proposition 3.8 (Tags in Chains). Given a chain of the form

$$X_0\beta_0 \prec X_1,\; X_1\beta_1 \prec X_2,\; \ldots,\; X_n\beta_n \prec X_{n+1}. \qquad (3.15)$$

1. If $X_0$ does not occur in any positive orbit literal, then $\llbracket X_i \rrbracket$ ($i \le n+1$) contains exactly $i+1$ non-overlapping tags, namely $t_{X_0}, \ldots, t_{X_i}$, where for $j \le i$, $t_{X_j}$ is the tag for $X_j$ beginning right after $\llbracket \mathrm{inf}(X_j) \rrbracket$.

2. If $X_0$ occurs in a positive orbit literal, then $\llbracket X_i \rrbracket$ contains exactly $i$ unique and non-overlapping tags, namely $t_{X_1}, \ldots, t_{X_i}$.

Proof. Let us first assume that $X_0$ does not occur in any positive orbit literal. Suppose there exists a tag $t_X$ in $\llbracket X_i \rrbracket$ that does not coincide with any of $t_{X_0}, \ldots, t_{X_i}$. Let $t_X$ be $d_p^1\, c_X\, d_p^2$, where $d_p^1 \equiv d_p^2 \equiv d_p$, the superscripts denoting the different occurrences. It is clear that $d_p^1$ must appear in a fragment of the form

$$d_p^{(1)}\; c_{X_j}\; d_p^{(2)}\; p_{X_j}\; \beta_j \qquad (3.62)$$

for some $j < i$, or in the fragment

$$d_p^{(1)}\; c_{X_i}\; d_p^{(2)}\; p_{X_i}, \qquad (3.63)$$

where $d_p^{(1)}\, c_{X_j}\, d_p^{(2)}$ is $t_{X_j}$ and $d_p^{(1)} \equiv d_p^{(2)} \equiv d_p$ (again with the superscripts denoting the different occurrences). Let us first consider overlapping of the form (3.62) for $j < i$.

1. $d_p^1$ cannot begin properly inside $d_p^{(1)}$, i.e. $d_p^1[1] = d_p^{(1)}[m]$ for some position $m > 1$, as otherwise $d_p$ is not strongly primitive.

2. Similarly, $d_p^1$ cannot begin properly inside $d_p^{(2)}$.

3. $d_p^1$ cannot begin in $c_{X_j}$, because $|d_p| > |c_{X_j}|$ and hence $d_p^1$ overlaps with $d_p^{(2)}$, again implying that $d_p$ is not strongly primitive.

4. $d_p^1$ cannot begin in $\beta_j$. Suppose otherwise; then either $d_p^1$ overlaps with the beginning delimiter of $\llbracket X_{j+1} \rrbracket$ or $d_p^1$ is a subsequence of $\beta_j$. Both lead to contradictions.

5. $d_p^1$ cannot begin in $p_{X_j}$, as by definition $p_{X_j}$ only contains the letter $a$ and $a \neq d_p[1]$.

6. $d_p^1$ cannot be in the same position as $d_p^{(1)}$, because then $t_X$ coincides with $t_{X_j}$.

7. The only possibility left is that $d_p^1$ occurs in the same position as $d_p^{(2)}$. Consider two cases.

(a) If $p_{X_j} \not\equiv \varepsilon_Q$, then $p_{X_j}$ is not a prefix of any color $d_c$, because $p_{X_j}[1] \neq d_c[1]$. Therefore $t_X$ is an invalid tag.

(b) Suppose $p_{X_j} \equiv \varepsilon_Q$. If $|c_X| = |\beta_j|$, then the overlapping cannot happen because $c_X \neq \beta_j$. If $|c_X| < |\beta_j|$, then $d_p^2$ overlaps with the beginning delimiter of $X_{j+1}$, a contradiction. If $|c_X| > |\beta_j|$, then $d_p^2$ still overlaps with the beginning delimiter of $X_{j+1}$, because for any color $d_c$ we have $|d_p| > |d_c|$ and hence $|c_X| < |\beta_j| + |d_p|$.

The argument for overlapping of the form (3.63) is similar, except that we do not need to worry about the cases involving $\beta_j$.

Now suppose that $X_0$ does appear in a positive orbit literal. We only need to show that $d_p^1$ does not appear in $\llbracket X_0\beta_0 \rrbracket$.

1. Suppose $d_p^1$ begins in $\beta_0$. Then either $d_p^1$ overlaps with the beginning delimiter of $\llbracket X_1 \rrbracket$ or $d_p^1$ is a subsequence of $\beta_0$. Both lead to contradictions. For the same reason $d_p^2$ cannot begin in $\beta_0$ either.

2. Suppose $d_p^1$ begins in $\llbracket X_0 \rrbracket \in \mathrm{orb}(\alpha, k)$. Then $d_p^1$ cannot end in $\llbracket X_0 \rrbracket \in \mathrm{orb}(\alpha, k)$, since otherwise $d_p^1$ is a subsequence in $\mathrm{orb}(\alpha, k)$. So $d_p^1$ must end in $\beta_0$, or otherwise it overlaps with the beginning delimiter of $\llbracket X_1 \rrbracket$. Because $|c_X| < |d_p|$, $d_p^2$ then has to begin in the beginning delimiter of $\llbracket X_1 \rrbracket$, a contradiction.

Note that we have in fact shown that $\llbracket X_i\beta_i \rrbracket$ ($i < n+1$) contains $i$ non-overlapping tags (in case $X_0 \in \mathrm{orb}(\alpha, k)$ occurs) and $i+1$ non-overlapping tags otherwise.

Proposition 3.9 (Tags in $\alpha X$). For any variable $X$ occurring in $X \in \mathrm{orb}(\alpha', k')$, $\llbracket \alpha X \rrbracket$ does not contain any tags.

Proof. Suppose there is a tag $d_p^1\, c_X\, d_p^2$ occurring in $\llbracket \alpha X \rrbracket$. $d_p^1$ cannot be a subsequence of $\alpha$, because otherwise $d_p^1$ is a subsequence in $\mathrm{orb}(\alpha)$. This forces $d_p^2$ to be a subsequence of $\llbracket X \rrbracket$, a contradiction, because $d_p^2$ would then be a subsequence in $\mathrm{orb}(\alpha')$.

Let us resume the proof. We consider all combinations for literals of the forms (3.54)–(3.56) and (3.59)–(3.61).

1. $X\beta \prec Y$. Literals of this type form a tree structure. In addition, if $X$ appears in a positive orbit literal, then $X$ must be the head of a chain (ignoring the root $\varepsilon_Q$). That also means $Y$ cannot appear in a positive orbit literal. So by the inductive definition we have $\llbracket X\beta \rrbracket \prec \llbracket Y \rrbracket$.

2. $X \in \mathrm{orb}(\alpha, k)$. Then $X$ must be the head of a chain (which may consist of $X$ alone). In addition, there is neither an occurrence of $X \in \mathrm{orb}(\alpha', k')$ ($k \not\equiv k'$ or $\alpha \not\equiv \alpha'$) nor an occurrence of $X \notin \mathrm{orb}(\alpha'', k'')$. So by definition we have $\llbracket X \rrbracket \in \mathrm{orb}(\alpha, k)$.

3. $X \notin \mathrm{orb}(\alpha, k)$. Then there is no occurrence of $X \in \mathrm{orb}(\alpha', k')$. So $\llbracket X \rrbracket$ begins with $d_p\, c_X\, d_p$. As $d_p$ cannot be a subsequence in $\mathrm{orb}(\alpha)$, we have $\llbracket X \rrbracket \notin \mathrm{orb}(\alpha, k)$.

4. $\alpha X \neq Y\beta$. There are four cases.

(a) $\alpha X \neq Y\beta$ occurs with both $X \in \mathrm{orb}(\alpha', k)$ and $Y \in \mathrm{orb}(\beta', l)$. This cannot happen, as step (1) of Algorithm 3.18 would have replaced $X, Y$ by instantiation.

(b) $\alpha X \neq Y\beta$ occurs with $X \in \mathrm{orb}(\alpha', k)$ but not with $Y \in \mathrm{orb}(\beta', l)$. Then $Y$ must be in a chain whose head variable is not $Y$ itself. By Proposition 3.8, $\llbracket Y\beta \rrbracket$ contains the tag $t_Y$, while by Proposition 3.9 $\llbracket \alpha X \rrbracket$ does not contain any tag. So $\llbracket \alpha X \rrbracket \neq \llbracket Y\beta \rrbracket$.

(c) $\alpha X \neq Y\beta$ occurs with $Y \in \mathrm{orb}(\beta', l)$ but not with $X \in \mathrm{orb}(\alpha', k)$. Then by the second part of Proposition 3.8, $\llbracket Y\beta \rrbracket$ does not contain any tag while $\llbracket \alpha X \rrbracket$ contains the tag $t_X$, and so $\llbracket \alpha X \rrbracket \neq \llbracket Y\beta \rrbracket$.

(d) $\alpha X \neq Y\beta$ occurs with neither $X \in \mathrm{orb}(\alpha', k)$ nor $Y \in \mathrm{orb}(\beta', l)$. Then by condition 7 in Definition 3.15, $X$ and $Y$ are not in the same chain. Therefore $\llbracket \alpha X \rrbracket$ contains the tag $t_X$ while $\llbracket Y\beta \rrbracket$ does not. So $\llbracket \alpha X \rrbracket \neq \llbracket Y\beta \rrbracket$.

5. $X \not\prec \alpha Y$.

(a) $X \not\prec \alpha Y$ occurs with both $X \in \mathrm{orb}(\alpha', k)$ and $Y \in \mathrm{orb}(\beta', l)$. This cannot happen, as step (3) of Algorithm 3.18 would have replaced $X, Y$ by instantiation.

(b) $X \not\prec \alpha Y$ occurs with $X \in \mathrm{orb}(\alpha', k)$ but not with $Y \in \mathrm{orb}(\beta', l)$. Then by condition (5c) in Definition 3.15, $\alpha \equiv \varepsilon_Q$. By condition (4b) in Definition 3.15, $X\beta \prec Y$ is not implied by any chain. Neither is $Y\beta \prec X$, due to prefix completeness. Hence $X$ and $Y$ are not in the same chain. If $Y$ is in a pure chain, then $\llbracket Y \rrbracket$ begins with $d_p$, which would then be a prefix of $\llbracket X \rrbracket \in \mathrm{orb}(\alpha', k)$, a contradiction. Suppose $Y$ appears in an impure chain with head $X'$ such that $X'\beta \prec Y$ is induced by the chain. Let $X'\beta \prec X''$ be the first literal in the chain. By condition (9) in Definition 3.15, we have $|X| \ge |X'| + |\beta| + |d_p|$ in $\theta_Z$. So if $\llbracket X \rrbracket \prec \llbracket Y \rrbracket$, then $\llbracket X \rrbracket$ has to contain $d_p$, because $t_{X''} \equiv d_p\, c_{X''}\, d_p$ and $\llbracket X'\beta \rrbracket\, t_{X''}$ is a prefix of $\llbracket Y \rrbracket$. We have a contradiction, as $\llbracket X \rrbracket \in \mathrm{orb}(\alpha', k)$. Therefore $\llbracket X \rrbracket \not\prec \llbracket Y \rrbracket$.

(c) $X \not\prec \alpha Y$ occurs with $Y \in \mathrm{orb}(\beta', l)$ but not with $X \in \mathrm{orb}(\alpha', k)$. Then $\llbracket X \rrbracket$ contains the tag $t_X$ while by Proposition 3.9 $\llbracket \alpha Y \rrbracket$ does not. So $\llbracket X \rrbracket \not\prec \llbracket \alpha Y \rrbracket$.

(d) $X \not\prec \alpha Y$ occurs with neither $X \in \mathrm{orb}(\alpha', k)$ nor $Y \in \mathrm{orb}(\beta', l)$. Suppose that $X$ and $Y$ are not in the same chain. Then $\llbracket X \rrbracket$ contains the tag $t_X$ while $\llbracket \alpha Y \rrbracket$ does not. So $\llbracket X \rrbracket \not\prec \llbracket \alpha Y \rrbracket$. Suppose that $X$ and $Y$ are in the same chain. $Y\beta \prec X$ cannot be implied by the chain, due to condition (8) in Definition 3.15. Then it must be the case that $X\beta \prec Y$ is implied and $\alpha \not\equiv \varepsilon_Q$. It follows that $\llbracket \alpha X\beta \rrbracket \prec \llbracket \alpha Y \rrbracket$ and hence $\llbracket X \rrbracket \prec \llbracket \alpha X\beta \rrbracket$. Then $\llbracket X \rrbracket \in \mathrm{orb}(\alpha, k)$, which cannot have $d_p$ as a prefix. But $\llbracket Y \rrbracket$ begins with $d_p$, a contradiction.

6. $\alpha X \not\prec Y$.

(a) $\alpha X \not\prec Y$ occurs with both $X \in \mathrm{orb}(\alpha', k)$ and $Y \in \mathrm{orb}(\beta', l)$. This cannot happen, as step (2) of Algorithm 3.18 would have replaced $X, Y$ by instantiation.

(b) $\alpha X \not\prec Y$ occurs with $X \in \mathrm{orb}(\alpha', k)$ but not with $Y \in \mathrm{orb}(\beta', l)$. Suppose $\llbracket \alpha X \rrbracket \prec \llbracket Y \rrbracket$. If $Y$ is in a pure chain with head $X'$, then $\llbracket Y \rrbracket$ begins with $d_p\, c_{X'}\, d_p$. If $|d_p| \le |\alpha|$, then $d_p$ is a prefix of $\alpha$, a contradiction. If $|d_p| > |\alpha|$, then the second occurrence of $d_p$ must be a subsequence of $\llbracket X \rrbracket \in \mathrm{orb}(\alpha', k)$, contradicting the choice of $d_p$. So $Y$ must appear in an impure chain with head $X'$ such that $X'\beta \prec Y$ is induced by the chain. Let $X'\beta \prec X''$ be the first literal in the chain. By condition (9) in Definition 3.15, we have $|X| + |\alpha| \ge |X'| + |\beta| + |d_p|$ in $\theta_Z$. Since $\llbracket \alpha X \rrbracket \prec \llbracket Y \rrbracket$, $\llbracket X \rrbracket$ has to contain $d_p$, because $|\llbracket X \rrbracket| > |d_p|$, $t_{X''} \equiv d_p\, c_{X''}\, d_p$ and $\llbracket X'\beta \rrbracket\, t_{X''}$ is a prefix of $\llbracket Y \rrbracket$. We have a contradiction, as $\llbracket X \rrbracket \in \mathrm{orb}(\alpha', k)$. Therefore $\llbracket \alpha X \rrbracket \not\prec \llbracket Y \rrbracket$.

(c) $\alpha X \not\prec Y$ occurs with $Y \in \mathrm{orb}(\beta', l)$ but not with $X \in \mathrm{orb}(\alpha', k)$. Then $\llbracket \alpha X \rrbracket$ contains the tag $t_X$ while $\llbracket Y \rrbracket$ does not. Hence $\llbracket \alpha X \rrbracket \not\prec \llbracket Y \rrbracket$.

(d) $\alpha X \not\prec Y$ occurs with neither $X \in \mathrm{orb}(\alpha', k)$ nor $Y \in \mathrm{orb}(\beta', l)$. Suppose that $X$ and $Y$ are not in the same chain. Then $\llbracket \alpha X \rrbracket$ contains the tag $t_X$ while $\llbracket Y \rrbracket$ does not. Hence $\llbracket \alpha X \rrbracket \not\prec \llbracket Y \rrbracket$. Suppose that $X$ and $Y$ are in the same chain. The chain cannot imply $Y\beta \prec X$, due to order completeness. Then it must be the case that $X\beta \prec Y$ is implied and $\alpha \not\equiv \varepsilon_Q$. Suppose that $\llbracket \alpha X \rrbracket \prec \llbracket Y \rrbracket$. Then we have three cases: (i) $\llbracket \alpha X \rrbracket = \llbracket X\beta \rrbracket$, (ii) $\llbracket \alpha X \rrbracket \prec \llbracket X\beta \rrbracket$, or (iii) $\llbracket X\beta \rrbracket \prec \llbracket \alpha X \rrbracket$. In all cases we have $\llbracket X \rrbracket \in \mathrm{orb}(\alpha, k)$. But the assignment requires $\llbracket X \rrbracket$ to contain the tag $t_X$ and hence $d_p$, a contradiction.

Thus we can find a solution $(X_i)_n$ for $\Phi_Q$ for each corresponding integer solution of $\Phi_{\Delta+} \wedge \theta_Z \wedge C_\Phi(L_t^+)$. That means $\Phi_{\Delta+} \wedge \theta_Z \wedge C_\Phi(L_t^+)$ is an RLCC for $\Phi_Q/(\theta_Z \wedge C_\Phi(L_t^+))$.

Theorem 3.6 (RLCC with Parameters in $Q_Z$). $\Phi_{\Delta+}(X, Y) \wedge \theta_Z(X, Y) \wedge C_\Phi(L_t)$ is an RLCC for $\Phi_Q(X, Y)/X/(\theta_Z(X, Y) \wedge C_\Phi(L_t))$.

Proof. Similar to the proof of Theorem 3.2. Now we view the parameters $Y$ as arbitrary but fixed constant queues, so $Q$-terms like $t(Y)$ are fixed too. For every variable $X$ we can assign a unique color $c_X$ such that for any $t(Y)$,

$$c_X \neq t(Y)[L_p + 1 .. L_p + L_c]. \qquad (3.64)$$

This can be done because we treat syntactically different $t(Y)$ as distinct variables, and $L_c$ is long enough to encode all $Q$-variables and proper constant queues. We are left to show the satisfiability of

$$X \neq t(Y).$$

By Algorithm 3.25, literals of the form $X \in \mathrm{orb}(\alpha, k)$ do not occur, so $\llbracket X \rrbracket$ is defined by (3.58). It then follows directly from (3.64) that $\llbracket X \rrbracket \neq t(Y)$ holds.

Theorem 3.7 (Soundness of Algorithm 3.26). Algorithm 3.26 terminates and preserves equivalence.

Proof. The termination of Algorithm 3.26 is straightforward. Steps (1)–(2) are obviously sound. The correctness then reduces to the equivalence between (3.52) and (3.53):

$$(\exists X : Q)\,[\,\Phi_Q(X, Y) \wedge C \wedge \theta_Z(X, Y) \wedge \Phi_Z(u, X, Y)\,], \qquad (3.52)$$
$$\Phi^{(2)}_Q(Y) \wedge (\exists v : Z)\,[\,\Phi_{\Delta+}(v, Y) \wedge C \wedge \theta_Z(v, Y) \wedge \Phi_Z(u, v, Y)\,]. \qquad (3.53)$$

Note that after step (2), for the variables left in $X$ we have $|X| \ge L_t$ in $C$, and so we can assume that $C$ is $C_\Phi(L_t)$. By Theorem 3.6, $\Phi_{\Delta+}(v, Y) \wedge \theta_Z(v, Y) \wedge C_\Phi(L_t)$ is an RLCC for $\Phi_Q(X, Y)/X/(\theta_Z(v, Y) \wedge C_\Phi(L_t))$. Then "(3.52) $\Rightarrow$ (3.53)" follows from (3.49) and "(3.53) $\Rightarrow$ (3.52)" follows from (3.50), noting that $\Phi_Q(X, Y) \equiv \Phi^{(1)}_Q(X, Y) \wedge \Phi^{(2)}_Q(Y)$ and that (by the additive property of RLCC)

$$\Phi_{\Delta+}(v, Y) \wedge \theta_Z(v, Y) \wedge C_\Phi(L_t) \wedge \Phi_Z(u, v, Y)$$

is an RLCC for

$$\Phi_Q(X, Y)/X/(\theta_Z(v, Y) \wedge C_\Phi(L_t) \wedge \Phi_Z(u, v, Y)).$$

Chapter 4

Decidability of Knuth-Bendix Order

01:39:04:310
Trinity: No one has ever done anything like this.
Neo: That's why it's going to work.

—The Matrix.

Two kinds of orderings are widely used in term rewriting and theorem proving, namely recursive path ordering (RPO) and Knuth-Bendix ordering (KBO). They provide powerful tools to prove the termination of rewriting systems. They are also applied in ordered resolution to prune the search space without compromising refutational completeness. Solving ordering constraints is therefore essential to the successful application of ordered rewriting and ordered resolution. Besides the need for decision procedures for quantifier-free theories, situations arise in constrained deduction where the truth value of quantified formulas must be decided. Unfortunately, the full first-order theory of lexicographic path ordering (LPO), the most popular form of RPO, is undecidable. This leaves open the question whether the first-order theory of KBO is decidable. In this chapter, we give a positive answer to this question using the very reduction technique presented in the previous chapters.


4.1 Introduction

Two kinds of orderings are widely used in term rewriting and theorem proving. One is recursive path ordering (RPO), which is based on syntactic precedence [14]. The other is Knuth-Bendix ordering (KBO), which is of hybrid nature: it relies on numerical values assigned to symbols as well as syntactic precedence [25]. In ordered term rewriting, a strategy built on ordering constraints can dynamically orient an equation at the time of instantiation, even if the equation is not uniformly orientable. This provides a powerful tool to prove the termination of rewriting systems [10]. In ordered resolution and paramodulation, ordering constraints are used to select the maximal literals on which to perform resolution. They also serve as enabling conditions for inference rules, and such conditions can be inherited from previous inferences at each deduction step. This helps to prune redundancy from the search space without compromising refutational completeness [43].

Solving ordering constraints is therefore essential to the successful application of ordered rewriting and ordered resolution. The decision procedures for quantifier-free constraints of both types of orderings have been well studied [7, 21, 41, 38, 42, 26, 27]. However, situations arise where we need to decide the truth values of quantified formulas on those orderings, especially in the $\forall^*\exists^*$ fragment. Examples include checking the soundness of simplification rules in constrained deduction. Consider the "total simplification scheme" given in [23, 11]:

$$s \to t \mid c \;\Longrightarrow\; s[v]_p \to t \mid (c \wedge c' \wedge s|_p = u) \qquad (u \to v \mid c'),$$

where $s|_p$ denotes the subterm occurring at position $p$ in $s$ and $s[v]_p$ denotes the term obtained from $s$ by substituting $v$ for $s|_p$. The scheme states that $s \to t \mid c$ is simplified to $s[v]_p \to t \mid (c \wedge c' \wedge s|_p = u)$ by $u \to v \mid c'$, provided that for every assignment to the variables of $s$ that satisfies $c$ there exists an assignment to the variables of $u$ that satisfies $c'$ and $s|_p = u$. The soundness of this rule is formally expressed as

$$TA \models \forall V(s)\,\exists V(u)\,[\,c \to (c' \wedge s|_p = u)\,],$$

which necessarily involves quantifier alternation. To determine the soundness of such simplification rules, we need to be able to reason in the $\forall^*\exists^*$ fragment.

Unfortunately, the full first-order theory of lexicographic path ordering (LPO), the most popular form of RPO, is undecidable [56, 11], except for the special case where the language only has unary functions and the precedence order is total [37]. Until now it has been an open question whether the first-order theory of Knuth-Bendix order is decidable (RTA open problem 99). Here we answer this question affirmatively by showing that an extended theory of term algebras with Knuth-Bendix order admits quantifier elimination.

The basic framework is the combination of term algebras with Presburger arithmetic. The combination is more tightly coupled than $TA_Z$ presented in Chapter 2: not only do we have a weight function mapping terms to integers, but we also have various boundary functions mapping integers to terms. In addition, the Knuth-Bendix order is expanded in two directions. First, the order is decomposed into three disjoint suborders, depending on which of the three conditions in its definition applies. Secondly, all orders (including the suborders) are extended to gap orders, which assert the least number of distinct objects between two terms. Moreover, as the Knuth-Bendix order is recursively defined on a lexicographic extension of itself, gap orders are extended to tuples of terms. Thus we actually establish the decidability of a richer theory.

Related Work and Comparison. The decidability of the theory of RPO has been well studied. Comon proves the decidability of the quantifier-free theory of total lexicographic path ordering (LPO, a variant of RPO) [7]. A similar result holds for RPO [21]. Nieuwenhuis establishes the NP-completeness of the quantifier-free theory of LPO [41]. Narendran, Rusinowitch and Verma obtain a similar result for RPO [38]. A more efficient algorithm for the quantifier-free theory of RPO is given by Nieuwenhuis and Rivero [42]. Comon and Treinen show the undecidability of the first-order theory of LPO, and the undecidability of the first-order theory of RPO in the case of partial precedence [56, 11]. The decidability of the first-order theory of RPO (LPO) in the case of a unary signature and total precedence is due to Narendran and Rusinowitch [37]. The decidability of the first-order theory of RPO in the case of total precedence remains open.

Recently some partial decidability results for the theory of KBO have been obtained. Korovin and Voronkov show the decidability of the quantifier-free theory of term algebras with KBO [26]. They later improve the algorithm and show that the quantifier-free theory of KBO is NP-complete [27]. Analogously to [37], they also show the decidability of the first-order theory of KBO in the case where all functions are unary [28].

In this chapter, we show the general decidability result for an extended theory of KBO with arbitrary function symbols and weight functions.

Chapter Organization. Section 4.2 introduces the theory of term algebras with Knuth-Bendix ordering and presents the technical machinery for eliminating quantifiers. Section 4.3 presents the main contribution of this chapter: it expands the elimination procedure in [60] to the extended theory of KBO and proves its correctness. Section 4.4 explains how to adapt the elimination procedure to the special case where the language contains a unary function of weight 0. Section 4.5 concludes with some ideas for future work. Most proofs are given in Section 4.6. They are supported by integer predicates and functions defined in Section 4.7 and by the reductions of gap order literals listed in Section 4.8.


4.2 Term Algebras with Knuth-Bendix Order

In this section we introduce the theory of term algebras with KBO and present the technical machinery needed in the quantifier elimination procedure.

Let $\Sigma$ be a finite signature in the constructor language (i.e., $\Sigma = C$ in Definition 2.1) and $w : \Sigma \to \mathbb{N}$ a weight function. We expand $\mathrm{dom}(w)$ to the ground term domain $T$ by recursively defining

$$w(\alpha(t_1, \ldots, t_k)) = w(\alpha) + \sum_{i=1}^{k} w(t_i).$$

Let $\prec_\Sigma$ be a linear precedence order on the symbols in $\Sigma$. We enumerate all symbols in decreasing $\prec_\Sigma$-order, so that $\alpha_1 \succ_\Sigma \alpha_2 \succ_\Sigma \cdots \succ_\Sigma \alpha_{|\Sigma|}$.

Definition 4.1 (Knuth-Bendix Order [25]). A Knuth-Bendix order (KBO) $\prec_{kb}$ (parameterized by a weight function $w$ and a precedence order $\prec_\Sigma$) is defined recursively on $T$ such that for $u, v \in T$, $u \prec_{kb} v$ if and only if one of the following conditions holds:

1. $w(u) < w(v)$;

2. $w(u) = w(v)$ and $\mathrm{type}(u) \prec_\Sigma \mathrm{type}(v)$;

3. $w(u) = w(v)$, $u \equiv \alpha(u_1, \ldots, u_k)$, $v \equiv \alpha(v_1, \ldots, v_k)$ and

$$(\exists i)\,[\,0 < i \le k \;\wedge\; u_i \prec_{kb} v_i \;\wedge\; \forall j\,(0 < j < i \to u_j = v_j)\,]. \qquad (4.1)$$

The KBO $\prec_{kb}$ is a well-founded total order on $T$ [25, 2]. To guarantee well-foundedness, two compatibility conditions on $w$ and $\prec_\Sigma$ are required:

(i) $w(a) > 0$ for any constant $a$, and

(ii) a unary function of weight 0, if present, must be the maximum in $\prec_\Sigma$.

Let us denote by $\bot$ the smallest term with respect to $\prec_{kb}$. It follows from (i) and (ii) that $\bot$ must be a constant, and so it can be determined once $w$ and $\prec_\Sigma$ are given. By (ii), if a unary function of weight 0 exists, it must be unique. For simplicity of presentation we assume that $w(\alpha_1) > 0$. The existence of such a function in fact considerably simplifies our decision procedure; we defer the discussion to Section 4.4.

Definition 4.2 (Term Algebras with Knuth-Bendix Order). The structure of term algebras with KBO is $TA_{kb} = \langle TA; \prec_{kb} \rangle$. Let $L_{kb}$ denote the language of $TA_{kb}$.

In the rest of this chapter, we assume that our formal language does not have constructors (except constants). This does not compromise expressiveness, as constructors can be defined by selectors and testers. Moreover, this simplification reduces the chance of confusion by separating semantic objects (ground constructor terms) in $T$ from syntactic objects (selector terms) in $L_{kb}$.


4.2.1 Proof Plan

We shall show the decidability of $\mathrm{Th}(TA_{kb})$ by quantifier elimination. The procedure relies on the following two ideas: solved form and depth reduction.

1. Solved Form. A quantifier-free formula $\varphi(x, y)$ is solved in $x$ if it is of the form

$$\bigwedge_{i \le m} u_i \prec_{kb} x \;\wedge\; \bigwedge_{j \le n} x \prec_{kb} v_j \;\wedge\; \varphi'(y), \qquad (4.2)$$

where $x$ does not appear in $u_i$, $v_j$ or $\varphi'$. It is not hard to argue that $(\exists x)\,\varphi(x, y)$ simplifies to

$$\bigwedge_{i \le m,\; j \le n} u_i \prec^{2}_{kb} v_j \;\wedge\; \varphi'(y), \qquad (4.3)$$

where $\prec^{n}_{kb}$, called a gap order, is an extension of $\prec_{kb}$ such that $x \prec^{n}_{kb} y$ states that there is an increasing chain from $x$ to $y$ with at least $n - 1$ elements in between [16, page 196]. It is clear that the elimination of $\exists x$, the transformation from (4.2) to (4.3), becomes straightforward once the matrix $\varphi(x, y)$ is solved in $x$, or equivalently, $\mathrm{depth}_\varphi(x) = 0$. That leads us to the notion of depth reduction.

2. Depth Reduction. Let us first consider the simple case where $x$ is $\alpha$-typed for a proper constructor $\alpha$ and all occurrences of $x$ have depth greater than 0. By introducing new variables $x_1, \ldots, x_{ar(\alpha)}$ (called the descendants of $x$) to represent $x$, we can rewrite $\exists x\,\varphi(x, y)$ to

$$\exists x_1, \ldots, \exists x_{ar(\alpha)}\;\varphi'(x_1, \ldots, x_{ar(\alpha)}, y), \qquad (4.4)$$

where $\varphi'(x_1, \ldots, x_{ar(\alpha)}, y)$ is obtained from $\varphi(x, y)$ by substituting $x_i$ for $s^{\alpha}_i x$ ($0 < i \le ar(\alpha)$). It is clear that $\mathrm{depth}_{\varphi'}(x_i) < \mathrm{depth}_\varphi(x)$. If all occurrences of $x$ have the same depth, then by repeating the process we can generate a formula solved in $x^*$, where $x^*$ are the descendants of $x$. A difficulty arises when not all occurrences of $x$ have equal depth: eventually we meet the situation where some occurrences of $x$ have depth 0 and some do not. Here we have to represent all occurrences of $x$ of depth 0 in terms of $s^{\alpha}_1(x), \ldots, s^{\alpha}_{ar(\alpha)}(x)$. This amounts to reducing literals of the form $x \prec^{n}_{kb} t$ and literals of the form $t \prec^{n}_{kb} x$ to quantifier-free formulas using $s^{\alpha}_1(x), \ldots, s^{\alpha}_{ar(\alpha)}(x)$. After that we can introduce new variables and do quantifier manipulation just as in the simple case, to bring $\exists x\,\varphi(x, y)$ into the form of (4.4). Therefore by the depth reduction of $x$ we actually mean reducing the depths of the descendants of $x$, and this essentially depends on the reduction of $x \prec^{n}_{kb} t$ and $t \prec^{n}_{kb} x$. In order to carry out the reduction we need to extend the language extensively, as follows.

(a) We decompose $\prec_{kb}$ into three disjoint suborders $\prec_w$, $\prec_p$ and $\prec_l$, each of which is also extended to gap orders.


(b) We introduce Presburger arithmetic explicitly in order to define counting constraints, which count how many distinct terms there are at a certain weight, and boundary functions, which delineate gap orders.

(c) The reduction of literals like $x \prec^{n}_{kb} t$ or $t \prec^{n}_{kb} x$ eventually comes down to resolving relations between two terms of the same weight and of the same type. So we need to extend all the aforementioned notions to tuples of terms of the same total weight.

In the rest of this section we define these extensions.

4.2.2 Decomposition of Knuth-Bendix Order

Definition 4.3 (Decomposition of KBO). A Knuth-Bendix order $\prec_{kb}$ can be decomposed into three disjoint orders, a weight order $\prec_w$, a precedence order $\prec_p$ and a lexicographic order $\prec_l$, as follows:

$$u \prec_w v \leftrightarrow w(u) < w(v),$$
$$u \prec_p v \leftrightarrow w(u) = w(v) \wedge \mathrm{type}(u) \prec_\Sigma \mathrm{type}(v),$$
$$u \prec_l v \leftrightarrow w(u) = w(v) \wedge \mathrm{type}(u) = \mathrm{type}(v) \wedge u \prec_{kb} v.$$

It is clear that $u \prec_{kb} v$ is equivalent to $u \prec_w v \vee u \prec_p v \vee u \prec_l v$. We write $u \prec_{pl} v$ for $u \prec_p v \vee u \prec_l v$, and $u \preceq_\sharp v$ for $u \prec_\sharp v \vee u = v$ ($\sharp \in \{kb, w, p, l, pl\}$). We say that $w$ has the highest priority, followed by $p$ and then $l$, and define the maximum and minimum of a set of suborders accordingly. For example, $\max\{w, p, l\} = w$ and $\min\{w, p, l\} = l$.

4.2.3 Gap Orders

To express formulas of the form $\exists x\,(u \prec_\sharp x \prec_\sharp v)$ ($\sharp \in \{kb, w, p, l, pl\}$) in a quantifier-free language, we need to extend all the aforementioned orders to gap orders.

Definition 4.4 (Gap Orders). Define $\prec^{n}_{kb}$ ($n \ge 0$) such that $\prec^{0}_{kb}$ is $=$ and, for $n > 0$,

$$u \prec^{n}_{kb} v \leftrightarrow (\exists u_1, \ldots, \exists u_n)\,[\,u \prec_{kb} u_1 \prec_{kb} \cdots \prec_{kb} u_n \preceq_{kb} v\,].$$

Let $\sharp \in \{w, p, l, pl\}$. Define two orders $\prec^{n}_\sharp$ and $\lessdot^{n}_\sharp$ ($n \ge 0$) such that $\prec^{0}_\sharp$ is $\preceq_\sharp$ and $\lessdot^{0}_\sharp$ is $=$, and for $n > 0$

$$u \prec^{n}_\sharp v \leftrightarrow u \prec^{n}_{kb} v \wedge u \prec_\sharp v,$$
$$u \lessdot^{n}_\sharp v \leftrightarrow u \prec^{n}_\sharp v \wedge \neg(u \prec^{n+1}_\sharp v).$$

Note that $\prec^{1}_\sharp$ is just $\prec_\sharp$, and for $n \ge 0$ we have

$$u \prec^{n}_\sharp v \leftrightarrow u \prec^{n+1}_\sharp v \vee u \lessdot^{n}_\sharp v.$$


A gap order $u \prec^{n}_\sharp v$ ($n > 0$) states that "$u$ is less than $v$ w.r.t. $\prec_\sharp$, and there are at least $n - 1$ elements in between". Similarly, $u \lessdot^{n}_\sharp v$ ($n > 0$) states that "$u$ is less than $v$ w.r.t. $\prec_\sharp$, and there are exactly $n - 1$ elements in between". We call $\prec^{n}_\sharp$ and $\lessdot^{n}_\sharp$ stretchable gap orders and rigid gap orders, respectively. Accordingly, $u \prec^{n}_\sharp v$ is a stretchable gap order literal and $u \lessdot^{n}_\sharp v$ a rigid gap order literal.

Example 4.1 (Elimination in Linear Order). The formula $\exists x\,(u \prec_l x \prec_l v)$ reduces to $u \prec^{2}_l v$ if $u, v$ do not contain $x$.

4.2.4 Boundary Functions

Consider the formula $u \lessdot^{1}_w v$. Intuitively it states "$w(u) < w(v)$ and there is no term $z$ such that $u \prec_{kb} z \prec_{kb} v$", that is, $u$ is the largest term of weight $w(u)$ and $v$ is the smallest term of weight $w(v)$. To express this we introduce boundary functions.

Definition 4.5 (Boundary Functions). Let $n, p > 0$. The following functions are called boundary functions:

1. $0_w : \mathbb{N} \to T$ such that $0_w(n)$ is the smallest term (w.r.t. $\prec_{kb}$) of weight $n$,

2. $0_p : \mathbb{N}^2 \to T$ such that $0_p(n, p)$ is the smallest term (w.r.t. $\prec_{kb}$) of weight $n$ and type $\alpha_p$,

3. $1_w : \mathbb{N} \to T$ such that $1_w(n)$ is the largest term (w.r.t. $\prec_{kb}$) of weight $n$,

4. $1_p : \mathbb{N}^2 \to T$ such that $1_p(n, p)$ is the largest term (w.r.t. $\prec_{kb}$) of weight $n$ and type $\alpha_p$,

where, for all of the above, $f(n) = \bot$ and $f(n, p) = \bot$ if no such term exists.

We call $0_\sharp(\ldots)$ lower boundary functions and $1_\sharp(\ldots)$ upper boundary functions. TA-terms having one of these functions as root symbol are called boundary terms, to distinguish them from ordinary TA-terms. Correspondingly, we have lower boundary terms and upper boundary terms. A literal of the form $u \mathrel{?} v$, where $?$ is either term equality or a gap order, is open if both $u$ and $v$ are ordinary TA-terms, closed if both $u$ and $v$ are boundary terms, and half-open otherwise. Although by definition boundary terms are syntactic objects, with little chance of confusion we also call the corresponding semantic terms in $T$ (ground) boundary terms.

4.2.5 Extension of Knuth-Bendix Order

We build the extension on $TA^{\mathbb{Z}}$ with the length function $|\cdot|$ replaced by the weight function $(\,\cdot\,)^{w}$. As before we use integer occurrence for a TA-term appearing inside the weight function, to distinguish it from the normal term occurrence. We use $\mathrm{depth}_{\varphi}(x)$ to denote the maximum depth of term occurrences of $x$ in $\varphi$.


Example 4.2 (Extension of Knuth-Bendix Order). The formula
$$(\exists x : T)\,[\,0^{w}(x^{w}) \prec^{pl} x \;\wedge\; x \prec^{pl} 1^{w}(x^{w})\,]$$
states that there exists a term $x \in T$ such that there are at least three elements with the same weight as $x$ (including $x$ itself). Note that the first and the third occurrences of $x$ are integral while the second one is an ordinary term.

Definition 4.6 (Term Algebras with KBO and Its Extensions). The structure of term algebras with KBO, extended with gap orders, boundary functions and Presburger arithmetic, is
$$TA^{\mathbb{Z}}_{kb+} = \langle\, TA_{kb};\; TA^{\mathbb{Z}};\; \prec^{\sharp}_{n}, \prec^{\sharp}_{=n},\ \sharp \in \{kb, w, p, l, pl\},\ n \ge 0;\; 0^{*}(...), 1^{*}(...),\ * \in \{w, p\}\,\rangle .$$
We denote by $\mathcal{L}_{kb+}$ the language extending $\mathcal{L}_{kb}$ with gap orders and boundary terms and by $\mathcal{L}_{\mathbb{Z}}$ the language of Presburger arithmetic (including weight functions on terms). The complete language is denoted by $\mathcal{L}^{\mathbb{Z}}_{kb+}$.
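As an added example that is not part of the dissertation, the following Python implements, for a small constructed signature with only positive weights, the $\prec^{w}$/$\prec^{p}$/$\prec^{l}$ decomposition of $\prec^{kb}$, the stretchable and rigid gap orders of Section 4.2.3, and the boundary functions $0^{w}$, $1^{w}$, $0^{p}$ of Definition 4.5 by enumerating each (finite) weight class; `exists_l_between` and `example_4_2` check Examples 4.1 and 4.2 against that enumeration. The signature, the tuple encoding of terms and all function names are assumptions of the example, and `None` stands for the sink value $\bot$.

```python
from functools import cmp_to_key, lru_cache
from itertools import product

# Constructed signature (an assumption of this example): symbol -> (arity, weight, precedence).
# All weights are positive, so there is no 0-weight unary function and every weight class is finite.
SIG = {"a": (0, 1, 0), "b": (0, 1, 1), "g": (1, 1, 2), "h": (2, 1, 3)}

def weight(t):             # w(t): weight of the root symbol plus the weights of all arguments
    return SIG[t[0]][1] + sum(weight(s) for s in t[1:])

def lt_w(u, v):            # u <_w v : u is strictly lighter than v
    return weight(u) < weight(v)

def lt_p(u, v):            # u <_p v : same weight, root symbol of lower precedence
    return weight(u) == weight(v) and SIG[u[0]][2] < SIG[v[0]][2]

def lt_l(u, v):            # u <_l v : same weight and root, arguments lexicographically smaller
    if weight(u) != weight(v) or u[0] != v[0]:
        return False
    for su, sv in zip(u[1:], v[1:]):
        if su != sv:
            return lt_kb(su, sv)
    return False

def lt_kb(u, v):           # u <_kb v  <->  u <_w v  or  u <_p v  or  u <_l v
    return lt_w(u, v) or lt_p(u, v) or lt_l(u, v)

def lt_pl(u, v):           # u <_pl v  <->  u <_p v  or  u <_l v
    return lt_p(u, v) or lt_l(u, v)

SUBORDERS = {"kb": lt_kb, "w": lt_w, "p": lt_p, "l": lt_l, "pl": lt_pl}

def compositions(total, parts):
    """Split `total` into `parts` positive integers (candidate argument weights)."""
    if parts == 0:
        if total == 0:
            yield ()
        return
    for first in range(1, total - parts + 2):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest

@lru_cache(maxsize=None)
def terms_of_weight(n):
    """All ground terms of weight n, sorted ascending by <_kb (finite for this signature)."""
    found = []
    for f, (arity, wf, _) in SIG.items():
        if arity == 0:
            if wf == n:
                found.append((f,))
            continue
        for ws in compositions(n - wf, arity):
            for args in product(*(terms_of_weight(k) for k in ws)):
                found.append((f,) + args)
    return sorted(found, key=cmp_to_key(lambda u, v: -1 if lt_kb(u, v) else (1 if lt_kb(v, u) else 0)))

# Boundary functions of Definition 4.5; None plays the role of the sink value.
def lower_w(n):            # 0^w(n): smallest term of weight n
    return (terms_of_weight(n) or [None])[0]

def upper_w(n):            # 1^w(n): largest term of weight n
    return (terms_of_weight(n) or [None])[-1]

def lower_p(n, f):         # 0^p(n, f): smallest term of weight n whose root (type) is f
    return ([t for t in terms_of_weight(n) if t[0] == f] or [None])[0]

def count_between(u, v):
    """Number of ground terms strictly between u and v w.r.t. <_kb; assumes u <_kb v."""
    wu, wv = weight(u), weight(v)
    if wu == wv:
        ts = terms_of_weight(wu)
        return ts.index(v) - ts.index(u) - 1
    above_u = len(terms_of_weight(wu)) - terms_of_weight(wu).index(u) - 1
    below_v = terms_of_weight(wv).index(v)
    middle = sum(len(terms_of_weight(k)) for k in range(wu + 1, wv))
    return above_u + middle + below_v

def rigid_gap(u, v, kind):
    """The n with u <_{#,=n} v (exactly n-1 terms in between), or 0 if not u <_# v at all."""
    if not SUBORDERS[kind](u, v):
        return 0
    return count_between(u, v) + 1

def stretchable_gap(u, v, kind, n):
    """u <_{#,n} v: u <_# v with at least n-1 terms in between."""
    return rigid_gap(u, v, kind) >= n

def exists_l_between(u, v):
    """(exists x)(u <_l x <_l v) by enumeration; Example 4.1 says this is u <_{l,2} v."""
    return any(lt_l(u, x) and lt_l(x, v) for x in terms_of_weight(weight(u)))

def example_4_2(n):
    """(exists x : T)[0^w(x^w) <_pl x <_pl 1^w(x^w)] restricted to weight n."""
    lo, hi = lower_w(n), upper_w(n)
    return any(lt_pl(lo, x) and lt_pl(x, hi) for x in terms_of_weight(n))

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, terms_of_weight(n), "Example 4.2 holds:", example_4_2(n))
```

For this signature the weight-1 and weight-2 classes have two terms each, so Example 4.2 first holds at weight 3.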

4.2.6 Tuples of Terms

The extensions for tuples of terms are defined as follows:

Definition 4.7 (KBO on Tuples). Let $\bar u = \langle u_1, \ldots, u_k\rangle$, $\bar v = \langle v_1, \ldots, v_k\rangle$ such that $\sum_{i=1}^{k} w(u_i) = \sum_{i=1}^{k} w(v_i)$. The lexicographic extension $\prec^{k;kb}$ ($k \ge 1$) of $\prec^{kb}$ on $k$-tuples of the same weight is defined such that $\bar u \prec^{k;kb} \bar v$ if and only if (4.1) holds.

Definition 4.8 (Suborders on Tuples). Let $\bar u = \langle u_1, \ldots, u_k\rangle$, $\bar v = \langle v_1, \ldots, v_k\rangle \in T^k$, $\sharp \in \{w, p, l, pl\}$. We define the composite orders on tuples as follows.
$$\bar u \prec^{k;\sharp} \bar v \;\leftrightarrow\; u_1 \prec^{\sharp} v_1 \;\vee\; \big(u_1 = v_1 \wedge \langle u_2, \ldots, u_k\rangle \prec^{k-1;kb} \langle v_2, \ldots, v_k\rangle\big) .$$
We say that $\prec^{k;\sharp}$ is a tuple order of length $k$. We identify tuple orders of length 1 with term orders. We say that $\bar u \prec^{k;\sharp} \bar v$ is proper if $u_1 \prec^{\sharp} v_1$. We have
$$\bar u \prec^{k;kb} \bar v \;\leftrightarrow\; \bar u \prec^{k;w} \bar v \;\vee\; \bar u \prec^{k;p} \bar v \;\vee\; \bar u \prec^{k;l} \bar v .$$
We write $\bar u \prec^{k;pl} \bar v$ for $\bar u \prec^{k;p} \bar v \vee \bar u \prec^{k;l} \bar v$ and $\bar u \preceq^{k;\sharp} \bar v$ for $\bar u = \bar v \vee \bar u \prec^{k;\sharp} \bar v$ ($\sharp \in \{kb, w, p, l, pl\}$).

Definition 4.9 (Tuple Gap Orders). We define $\prec^{k;kb}_{n}$ ($k > 0$; $n \ge 0$) such that $\prec^{k;kb}_{0}$ is $=$ and for $n > 0$
$$\bar u \prec^{k;kb}_{n} \bar v \;\leftrightarrow\; (\exists \bar u_1, \ldots, \exists \bar u_n : T^k)\,\big[\, \bar u \prec^{k;kb} \bar u_1 \prec^{k;kb} \cdots \prec^{k;kb} \bar u_n \preceq^{k;kb} \bar v \,\big] .$$


Let $\sharp \in \{w, p, l, pl\}$. Define two orders $\prec^{k;\sharp}_{n}$ and $\prec^{k;\sharp}_{=n}$ ($k \ge 1$; $n \ge 0$) such that $\prec^{k;\sharp}_{0}$ is $\preceq^{k;\sharp}$, $\prec^{k;\sharp}_{=0}$ is $=$, and for $n > 0$
$$\bar u \prec^{k;\sharp}_{n} \bar v \;\leftrightarrow\; \bar u \prec^{k;kb}_{n} \bar v \;\wedge\; \bar u \prec^{k;\sharp} \bar v ,$$
$$\bar u \prec^{k;\sharp}_{=n} \bar v \;\leftrightarrow\; \bar u \prec^{k;\sharp}_{n} \bar v \;\wedge\; \neg\,(\bar u \prec^{k;\sharp}_{n+1} \bar v) .$$
As with term gap orders, $\prec^{k;\sharp}_{1}$ is just $\prec^{k;\sharp}$, and we have
$$\bar u \prec^{k;\sharp}_{n} \bar v \;\leftrightarrow\; \bar u \prec^{k;\sharp}_{n+1} \bar v \;\vee\; \bar u \prec^{k;\sharp}_{=n} \bar v .$$
As before we call $\prec^{k;\sharp}_{n}$ and $\prec^{k;\sharp}_{=n}$ stretchable tuple gap orders and rigid tuple gap orders, respectively. Accordingly, $\bar u \prec^{k;\sharp}_{n} \bar v$ are stretchable tuple gap order literals and $\bar u \prec^{k;\sharp}_{=n} \bar v$ are rigid tuple gap order literals.

Definition 4.10 (Tuple Boundary Functions). Let $k, n, m, p > 0$. Define partial functions:

1. $0^{k;kb} : \mathbb{N} \to T^k$ ($k \ge 1$) such that $0^{k;kb}(n)$ is the smallest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$.

2. $0^{k;w} : \mathbb{N}^2 \to T^k$ ($k \ge 1$) such that $0^{k;w}(n, m)$ is the smallest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$ whose first component has weight $m$.

3. $0^{k;p} : \mathbb{N}^3 \to T^k$ ($k \ge 1$) such that $0^{k;p}(n, m, p)$ is the smallest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$ whose first component has weight $m$ and type $\alpha_p$.

4. $1^{k;kb} : \mathbb{N} \to T^k$ ($k \ge 1$) such that $1^{k;kb}(n)$ is the largest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$.

5. $1^{k;w} : \mathbb{N}^2 \to T^k$ ($k \ge 1$) such that $1^{k;w}(n, m)$ is the largest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$ whose first component has weight $m$.

6. $1^{k;p} : \mathbb{N}^3 \to T^k$ ($k \ge 1$) such that $1^{k;p}(n, m, p)$ is the largest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$ whose first component has weight $m$ and type $\alpha_p$.

As before these functions are made total by assigning $\langle \bot, \ldots, \bot\rangle$ to undefined values. We write $0^{k;\sharp}(...)$ for $0^{k;\sharp}(\ldots)$ and $1^{k;\sharp}(...)$ for $1^{k;\sharp}(\ldots)$. We call $0^{k;\sharp}(...)$ lower tuple boundary functions and $1^{k;\sharp}(...)$ upper tuple boundary functions. Terms having one of these functions as root symbol are called boundary tuples. Correspondingly, we have lower boundary tuples and upper boundary tuples. As before we call a tuple literal $\bar u \mathbin{?} \bar v$ open if both $\bar u$ and $\bar v$ are ordinary tuples, closed if both $\bar u$ and $\bar v$ are boundary tuples, and half-open otherwise.

To avoid unnecessary complications, we choose to treat tuples (including boundary tuples) as "syntactic sugar"; they are only used in the intermediate steps of the reduction. Lemma 4.7 shows that literals containing tuples can be reduced to formulas in $\math

cal{L}^{\mathbb{Z}}_{kb+}$.


Figure 4-1: An order arrangement of $x_1 \prec^{w}_{n_1} x_2 \prec^{p}_{n_2} x_3 \prec^{l}_{n_3} x_4$. (The diagram places $\bot, x_1, x_2, x_3, x_4$ on a line and marks the enclosing w-intervals and p-intervals.)

4.2.7 Delineated Gap Order Completion

Revisiting the transformation from (4.2) to (4.3), we see that the number of gap orders in (4.3) is quadratic in the number of gap orders in (4.2). This complicates the termination proof for the elimination procedure. Nevertheless, we can avoid this difficulty by postulating the relative positions of parameters. This leads to the notion of order completion.

Definition 4.11 (Gap Order Completion). A gap order completion (GOC) of a set of terms $t_1, \ldots, t_n$ is the chain
$$t_{f(1)} \mathrel{E_1} t_{f(2)} \mathrel{E_2} \cdots \mathrel{E_{n-1}} t_{f(n)} ,$$
where $f$ is a permutation function on $\{1, \ldots, n\}$ and $E_i$ ($0 < i \le n$) stands for $=$, $\prec^{\sharp}_{=m}$ or $\prec^{\sharp}_{m}$ ($\sharp \in \{w, p, l, pl\}$, $m > 0$). By a GOC of a formula $\varphi$, we mean a GOC of $T(\varphi)$, the set of terms in $\varphi$.

Example 4.3 (Gap Order Completion). A possible GOC of $\varphi(x, y, z) : x \prec^{w}_{9} y \wedge x \prec^{pl} z \wedge z \prec^{w} y$ is $x \prec^{pl}_{5} z \prec^{w}_{4} y$.

However, gap order completions are not sufficient. It is easy to see that $(\exists x : T)[u \prec^{w} x \prec^{p} v]$ implies $u \prec^{w}_{2} v$. But for the converse to hold, $v \ne 0^{w}(v^{w})$ is required. As another example, $(\exists x : T)[u \prec^{p} x \prec^{p} v]$ implies $u \prec^{p}_{2} v$, but not vice versa, because there may exist only two p-intervals at weight $w(u)$ while $(\exists x : T)[u \prec^{p} x \prec^{p} v]$ requires that $u$, $x$ and $v$ all be in different p-intervals. In order to preserve equivalence, intuitively, we need to "delineate" a GOC to make sure that ordinary terms in different intervals (a notion to be defined precisely soon) are not related in any gap orders.

Example 4.4 (Order Arrangement). Figure 4-1 shows an order arrangement of the linear order
$$x_1 \prec^{w}_{n_1} x_2 \prec^{p}_{n_2} x_3 \prec^{l}_{n_3} x_4 .$$
The weight of $x_1$ is strictly lower than that of $x_2$, $x_3$, and $x_4$. The weight of $x_2$, $x_3$, and $x_4$ is the same, but the precedence of $x_2$ is lower than that of $x_3$ and $x_4$. Finally, $x_3$ is smaller than $x_4$ in the lexicographic order. We call a maximal list of elements with the same weight a w-interval, and similarly a maximal list of elements with the same weight and precedence order a p-interval. Thus, the second w-interval above has two inner p-intervals.


We want to avoid relating ordinary elements at different levels in different intervals. Therefore we augment the gap order completion with boundary terms, called a delineated gap order completion.

Definition 4.12 (Delineated Gap Order Completion). A delineated gap order completion (DGOC) of a set of terms $S$ is a GOC of $S$ in which, whenever the pattern $v_1 \mathrel{E^{\sharp}_{n_1}} u \mathrel{E^{\natural}_{n_2}} v_2$ occurs, where $n_1, n_2 > 0$, $E^{\sharp}_{n}$ stands for either $\prec^{\sharp}_{n}$ or $\prec^{\sharp}_{=n}$, $\sharp, \natural \in \{w, p, l, pl\}$, and $u$ is an ordinary term in $\mathcal{L}_{kb}$, then either $\sharp \equiv \natural \equiv pl$ or $\sharp \equiv \natural \equiv l$. I.e., ordinary terms do not delineate two intervals unless they are asserted equal to boundary terms. By a DGOC of a formula $\varphi$, we mean a DGOC of $T(\varphi)$, the set of terms in $\varphi$.

We assume in a DGOC that both the smallest element and the largest element are boundary terms.

Example 4.5 (Delineated Gap Order Completion). Revisit Example 4.3. A possible DGOC of $\varphi(x, y, z)$ is
$$\varphi'(x, y, z) :\quad \underbrace{0^{w}(x^{w}) \prec^{pl}_{1} x \prec^{pl}_{5} z \prec^{pl}_{2} 1^{w}(x^{w})}_{\text{w-interval}} \;\prec^{w}_{1}\; \underbrace{0^{w}(y^{w}) \prec^{pl}_{1} y \prec^{pl}_{1} 1^{w}(y^{w})}_{\text{w-interval}} .$$
We have
$$(\exists z : T)\,\varphi'(x, y, z) \;\leftrightarrow\; 0^{w}(x^{w}) \prec^{pl}_{1} x \prec^{pl}_{7} 1^{w}(x^{w}) \prec^{w}_{1} 0^{w}(y^{w}) \prec^{pl}_{1} y \prec^{pl}_{1} 1^{w}(y^{w}) .$$

4.2.8 Lemmas

In this section we state a sequence of lemmas which will justify the elimination procedure given in the next section. These lemmas share the following common features.

1. They state the soundness of symbolic transformations for formulas in primitive form, a special prenex form where the prefix only consists of existential quantifiers and the matrix is a conjunction of literals;

2. A formula $\varphi$ is transformed to a finite disjunction $\bigvee_i \varphi_i$ where for any $i$, $\varphi_i$ is in primitive form and the matrix of $\varphi_i$, a conjunction of literals, contains no more open gap order literals than that of $\varphi$ does. In the following whenever we say that a reduction does not introduce more open gap order literals, we always mean that it does not introduce more in each resulting conjunction of literals.

To save space, however, we omit these conditions in the description of each lemma. The following lemma allows us to assume that a formula in $\mathcal{L}_{kb+}$ only contains positive order literals, positive tester literals and term equality literals.

Lemma 4.1 (Elimination of Negative Literals). Assume formulas are type complete.

1. Any negative tester literal is equivalent to a disjunction of positive tester literals.


2. Any negative term equality literal (i.e., disequality between TA-terms) is equivalent to a disjunction of positive order literals.

3. Any negative order literal is equivalent to a disjunction of integer literals, tester literals and positive order literals.

The following lemma allows us to assume that the matrix in a primitive formula is a delineated gap order completion.

Lemma 4.2 (Delineated Gap Order Completion). Any conjunction of positive order literals in $\mathcal{L}_{kb+}$ can be effectively transformed to an equivalent finite disjunction of delineated gap order completions.

In principle, boundary terms can appear in the weight function or in selectors, selector terms can occur in the weight function, and the weight function can be used to construct boundary terms. Repeating this process we can build more and more complex terms. The following lemma eliminates this superficial complication.

Lemma 4.3 (No Embedding of Boundary Terms). Any formula in $\mathcal{L}^{\mathbb{Z}}_{kb+}$ can be effectively reduced to an equivalent formula in which no boundary terms appear inside selectors or the weight function.

From now on, we assume that boundary terms are not properly embedded in other terms. The following lemma states that term gap order literals between a variable $x$ of non-constant type $\alpha_p$ and another TA-term can be expressed using $x$'s immediate descendants $s^{\alpha_p}_i x$.

Lemma 4.4 (Reduction of Term Gap Order Literals). Let
$$\mathord{?} \in \{\prec^{kb}_{n}, \prec^{w}_{n}, \prec^{p}_{n}, \prec^{l}_{n}, \prec^{pl}_{n}, \prec^{kb}_{=n}, \prec^{w}_{=n}, \prec^{p}_{=n}, \prec^{l}_{=n}, \prec^{pl}_{=n}\} \quad (n > 0) .$$
If $x$ is a TA-variable of type $\alpha_p$ with $\alpha_p = (s^{\alpha_p}_1, \ldots, s^{\alpha_p}_k)$ and $t$ is an arbitrary TA-term, then $x \mathbin{?} t$ ($t \mathbin{?} x$) can be effectively reduced to an equivalent quantifier-free formula $\varphi(s^{\alpha_p}_1 x, \ldots, s^{\alpha_p}_k x)$ (in $\mathcal{L}^{\mathbb{Z}}_{kb+}$) where $x$ only occurs in $s^{\alpha_p}_i x$ ($0 < i \le k$).

By this lemma we can always assume that all term occurrences of a TA-variable have the same depth, and hence we are able to reduce them all together to depth 0. As we mentioned before, this is the main battlefield of quantifier elimination. To streamline the proof, we introduce the following three lemmas. The first one takes care of closed term literals generated during the reduction.

Lemma 4.5 (Reduction of Closed Term Literals). Let
$$\mathord{?} \in \{=, \prec^{kb}_{n}, \prec^{w}_{n}, \prec^{p}_{n}, \prec^{l}_{n}, \prec^{pl}_{n}, \prec^{kb}_{=n}, \prec^{w}_{=n}, \prec^{p}_{=n}, \prec^{l}_{=n}, \prec^{pl}_{=n}\} \quad (n > 0) .$$
If $u \mathbin{?} v$ is closed, i.e., both $u$ and $v$ are boundary terms, then it can be effectively reduced to an equivalent Presburger formula.


The second one solves the case where no term occurrence of $x$ appears on the other side of the gap order literal.

Lemma 4.6 (Reduction of Non-closed Term Gap Order Literals). Let
$$\mathord{?} \in \{\prec^{kb}_{n}, \prec^{w}_{n}, \prec^{p}_{n}, \prec^{l}_{n}, \prec^{pl}_{n}, \prec^{kb}_{=n}, \prec^{w}_{=n}, \prec^{p}_{=n}, \prec^{l}_{=n}, \prec^{pl}_{=n}\} \quad (n > 0) .$$
If $x$ is a TA-variable of type $\alpha_p$ with $\alpha_p = (s^{\alpha_p}_1, \ldots, s^{\alpha_p}_k)$ and $t$ is either a boundary term or an ordinary TA-term not containing $x$, then $x \mathbin{?} t$ ($t \mathbin{?} x$) can be effectively reduced to an equivalent quantifier-free formula $\varphi(s^{\alpha_p}_1 x, \ldots, s^{\alpha_p}_k x)$ where $x$ only occurs in $s^{\alpha_p}_i x$ ($0 < i \le k$).

This lemma in fact deals with the most sophisticated part of the reduction, which eventually comes down to the success of reducing relations between tuples of the same weight, as is stated by the third lemma.

Lemma 4.7 (Reduction of Tuple Literals). Let $U, V$ be $k$-tuples of the same weight, and
$$\mathord{?} \in \{=, \prec^{k;kb}_{n}, \prec^{k;w}_{n}, \prec^{k;p}_{n}, \prec^{k;l}_{n}, \prec^{k;pl}_{n}, \prec^{k;kb}_{=n}, \prec^{k;w}_{=n}, \prec^{k;p}_{=n}, \prec^{k;l}_{=n}, \prec^{k;pl}_{=n}\} \quad (k > 0,\ n > 0) .$$

1. If $U = \langle u_1, \ldots, u_k\rangle$ is an ordinary tuple, then $U \mathbin{?} V$ ($V \mathbin{?} U$) can be effectively reduced to an equivalent quantifier-free formula $\varphi(u_1, \ldots, u_k)$ (in $\mathcal{L}^{\mathbb{Z}}_{kb+}$) in which $u_i$ ($0 < i \le k$) does not occur inside selectors.

2. If $U \mathbin{?} V$ ($V \mathbin{?} U$) is a closed tuple literal, i.e., both $U$ and $V$ are boundary tuples, then it can be effectively reduced to an equivalent Presburger formula.

We never need to reduce open or half-open term equality literals, because, as shown below, we can carry out elimination on $(\exists x)[x = t \wedge \varphi(x)]$ even if $t$ contains $x$.

Lemma 4.8 (Elimination of Term Quantifiers). Let $x$ be a term variable, $\varphi_{kb+}(x)$ a conjunction of literals in $\mathcal{L}_{kb+}$ with $\mathrm{depth}_{\varphi_{kb+}}(x) = 0$, and $\varphi_{\mathbb{Z}}(x)$ a Presburger formula in which $x$ occurs inside the weight function. Then
$$(\exists x : T)\,[\,\varphi_{kb+}(x) \wedge \varphi_{\mathbb{Z}}(x)\,]$$
can be effectively reduced to $\varphi'_{kb+} \wedge \varphi'_{\mathbb{Z}}$ in which $x$ does not occur and $\varphi'_{kb+}$ is quantifier-free.

In fact term quantifiers are reduced to integer quantifiers that can be eliminated according to the following lemma.

Lemma 4.9 (Elimination of Integer Quantifiers). Let $z$ be an integer variable, $\varphi_{kb+}(z)$ a conjunction of literals in $\mathcal{L}_{kb+}$ where $z$ occurs inside boundary terms, and $\varphi_{\mathbb{Z}}(z)$ a Presburger formula. Then
$$(\exists z : \mathbb{Z})\,[\,\varphi_{kb+}(z) \wedge \varphi_{\mathbb{Z}}(z)\,]$$
can be effectively reduced to $\varphi'_{kb+} \wedge \varphi'_{\mathbb{Z}}$ where no $z$ occurs and $\varphi'_{kb+}$ is quantifier-free.

4.3 Quantifier Elimination for $\mathrm{Th}(TA^{\mathbb{Z}}_{kb+})$

In this section we present a quantifier elimination procedure for $\mathrm{Th}(TA^{\mathbb{Z}}_{kb+})$ by extending the elimination procedure for $\mathrm{Th}(TA^{\mathbb{Z}})$ ([64]), which is in turn based on the elimination procedure for $\mathrm{Th}(TA)$ [19]. We first recall the following notation conventions.

1. Primitive Form. All transformations are carried out on formulas of the form (1.1). Each step of the transformations manipulates (1.1) to produce a version of the same form (or multiple versions of the same form in case disjunctions are introduced).

2. Positive Literals. All order literals have positive occurrence. This is guaranteed by Lemma 4.1.

3. Nondeterminism. Whenever we say "guess $\psi$", we mean split on a finite disjunction $\bigvee_i \varphi_i$, which is valid in the context and contains $\psi$ as a disjunct.

4. Type Completeness. All formulas are type-complete. But we omit listing tester literals unless they are needed for the correctness proof.

4.3.1 The Elimination Procedure

The elimination procedure consists of the following two algorithms:

Algorithm 4.1 (Elimination of Integer Quantifiers in $TA^{\mathbb{Z}}_{kb+}$). We assume that formulas with quantifiers on integer variables are in the form
$$(\exists \bar z : \mathbb{Z})\,[\,\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z) \wedge \varphi_{kb+}(\bar x, \bar y, \bar z)\,] , \qquad (4.5)$$
where $\bar y, \bar z$ are integer variables and $\bar x$ are term variables. Note that $\bar x$ may occur inside the weight function in $\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)$ and $\bar y, \bar z$ may appear inside boundary terms in $\varphi_{kb+}(\bar x, \bar y, \bar z)$.

Repeatedly apply the following steps (1) and (2) to (4.5) until $\bar z = \emptyset$.

1. If none of $\bar z$ appears inside any boundary terms, then $\varphi_{kb+}(\bar x, \bar y, \bar z)$ is just $\varphi_{kb+}(\bar x, \bar y)$, which can be moved out of $\exists \bar z$. We then obtain
$$(\exists \bar z : \mathbb{Z})\,[\,\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)\,] \;\wedge\; \varphi_{kb+}(\bar x, \bar y) .$$

Since $(\exists \bar z : \mathbb{Z})[\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)]$ is in $\mathcal{L}_{\mathbb{Z}}$, we can proceed to remove the block of existential quantifiers using Cooper's method [12, 46]. As in the elimination of integer quantifiers in $TA^{\mathbb{Z}}$, we can defer the actual elimination on $(\exists \bar z : \mathbb{Z})[\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)]$ until all term quantifiers have been eliminated. The reason is the same: the elimination of term quantifiers does not require the integer constraint in (4.6) to be quantifier-free.

2. If for some $z \in \bar z$, $z$ occurs inside some boundary terms, we set
$$\varphi'_{\mathbb{Z}}(\bar x, \bar y, \bar z \setminus z) \wedge \varphi'_{kb+}(\bar x, \bar y, \bar z \setminus z) \;:=\; \text{the reduct of}\ (\exists z : \mathbb{Z})\,[\,\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z) \wedge \varphi_{kb+}(\bar x, \bar y, \bar z)\,] ,$$
$$(\exists \bar z : \mathbb{Z})\,[\,\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z) \wedge \varphi_{kb+}(\bar x, \bar y, \bar z)\,] \;:=\; (\exists (\bar z \setminus z) : \mathbb{Z})\,[\,\varphi'_{\mathbb{Z}}(\bar x, \bar y, \bar z \setminus z) \wedge \varphi'_{kb+}(\bar x, \bar y, \bar z \setminus z)\,] .$$
The existence of the reduct is guaranteed by Lemma 4.9.

Algorithm 4.2 (Elimination of Term Quantifiers in $TA^{\mathbb{Z}}_{kb+}$). We assume that formulas with quantifiers on term variables are in the form
$$(\exists \bar x : T)\,[\,\varphi_{kb+}(\bar x, \bar y, \bar z) \wedge \varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)\,] , \qquad (4.6)$$
where $\bar x, \bar y$ are term variables and $\bar z$ are integer variables. Note that $\bar z$ may occur inside boundary terms in $\varphi_{kb+}(\bar x, \bar y, \bar z)$, and $\bar x, \bar y$ may occur inside the weight function in $\varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)$.

Repeatedly apply the following steps (1) and (2) to (4.6) until $\bar x = \emptyset$.

1. Depth Reduction. If $(\forall x \in \bar x)\ \mathrm{depth}_{\varphi_{kb+}}(x) > 0$.

(a) Variable Selection. Select an $\alpha$-typed variable $x \in \bar x$ for some $\alpha = (s^{\alpha}_1, \ldots, s^{\alpha}_{ar(\alpha)})$. This selection is always possible as $\mathrm{depth}_{\varphi_{kb+}}(x) > 0$. We require that in the next run of (1a) we choose one of the variables generated by this run of (1b). I.e., the variable selection is done in depth-first manner. This is crucial to guarantee that a run eventually leaves (1). Let $\bar x' \equiv \bar x \setminus x$.

(b) Decomposition. We rewrite (4.6) to:
$$(\exists\, \bar x', x_1, \ldots, x_{ar(\alpha)}, x : T)\,\Big[\, Is_{\alpha}(x) \;\wedge\; \bigwedge_{0 < i \le ar(\alpha)} s^{\alpha}_i(x) = x_i \;\wedge\; \varphi_{kb+}(\bar x, \bar y, \bar z) \wedge \varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)\,\Big] . \qquad (4.7)$$

(c) Simplification. Exhaustively apply the following simplification rules to $\varphi_{kb+}$ and $\varphi_{\mathbb{Z}}$ in (4.7):

i. replace $s^{\alpha}_i(x)$ by $x_i$ ($0 < i \le ar(\alpha)$);
ii. replace $x^{w}$ by $w(\alpha) + \sum_{i=1}^{ar(\alpha)} x_i^{w}$;
iii. replace $x \prec^{\sharp}_{n} t$ by its reduct; similarly for $t \prec^{\sharp}_{n} x$, $x \prec^{\sharp}_{=n} t$ and $t \prec^{\sharp}_{=n} x$.

The existence of the reduct follows from Lemma 4.4. Let the resulting formula be
$$(\exists\, \bar x', x_1, \ldots, x_{ar(\alpha)}, x : T)\,\Big[\, Is_{\alpha}(x) \;\wedge\; \bigwedge_{0 < i \le ar(\alpha)} s^{\alpha}_i(x) = x_i \;\wedge\; \varphi'_{kb+}(\bar x', s^{\alpha}_1(x), \ldots, s^{\alpha}_{ar(\alpha)}(x), \bar y, \bar z) \wedge \varphi'_{\mathbb{Z}}(\bar x', s^{\alpha}_1(x), \ldots, s^{\alpha}_{ar(\alpha)}(x), \bar y, \bar z)\,\Big] . \qquad (4.8)$$


Input: $(\exists \bar x : T)\,[\,\varphi_{kb+}(\bar x, \bar y, \bar z) \wedge \varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)\,]$.
while $\bar x \ne \emptyset$ do
    if $(\forall x \in \bar x)\ \mathrm{depth}_{\varphi_{kb+}}(x) > 0$ then
        (1) Depth Reduction
            (1a) Variable Selection
            (1b) Decomposition
            (1c) Simplification
    else $(\exists x \in \bar x)\ \mathrm{depth}_{\varphi_{kb+}}(x) = 0$
        (2) Elimination
    end if
end while

Figure 4-2: Quantifier Elimination in $TA^{\mathbb{Z}}_{kb+}$.

It is now clear that if $x$ occurs in $\varphi'_{kb+}$ and $\varphi'_{\mathbb{Z}}$, it occurs inside some of $s^{\alpha}_1(x), \ldots, s^{\alpha}_{ar(\alpha)}(x)$. Since
$$(\forall x_1, \ldots, x_{ar(\alpha)} : T)\,(\exists x : T)\,\Big[\, Is_{\alpha}(x) \;\wedge\; \bigwedge_{0 < i \le ar(\alpha)} s^{\alpha}_i(x) = x_i \,\Big]$$
is valid in TA, we can replace in (4.8) $s^{\alpha}_1(x), \ldots, s^{\alpha}_{ar(\alpha)}(x)$, respectively, by $x_1, \ldots, x_{ar(\alpha)}$, and hence remove $\bigwedge_{0 < i \le ar(\alpha)} s^{\alpha}_i(x) = x_i$ and $Is_{\alpha}(x)$ together with $\exists x$, obtaining
$$(\exists\, \bar x', x_1, \ldots, x_{ar(\alpha)} : T)\,\Big[\, \varphi'_{kb+}(\bar x', x_1, \ldots, x_{ar(\alpha)}, \bar y, \bar z) \wedge \varphi'_{\mathbb{Z}}(\bar x', x_1, \ldots, x_{ar(\alpha)}, \bar y, \bar z) \,\Big] . \qquad (4.9)$$

2. Elimination. If $(\exists x \in \bar x)\ \mathrm{depth}_{\varphi_{kb+}}(x) = 0$. Take the $x$ as in the guard condition, guess a DGOC for all terms related with $x$ in gap order literals (by Lemma 4.2) and then eliminate $x$ by Lemma 4.8. Formally we set
$$\varphi'_{kb+}(\bar x \setminus x, \bar y, \bar z) \wedge \varphi'_{\mathbb{Z}}(\bar x \setminus x, \bar y, \bar z) \;:=\; \text{the reduct of}\ (\exists x : T)\,[\,\varphi_{kb+}(\bar x, \bar y, \bar z) \wedge \varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)\,] ,$$
$$(\exists \bar x : T)\,[\,\varphi_{kb+}(\bar x, \bar y, \bar z) \wedge \varphi_{\mathbb{Z}}(\bar x, \bar y, \bar z)\,] \;:=\; (\exists (\bar x \setminus x) : T)\,[\,\varphi'_{kb+}(\bar x \setminus x, \bar y, \bar z) \wedge \varphi'_{\mathbb{Z}}(\bar x \setminus x, \bar y, \bar z)\,] .$$

For ease of understanding Algorithm 4.2, we show its high-level control flow in Figure 4-2. It is now easily seen that Algorithm 4.2 is a greedy algorithm in the sense that it tries to do Elimination (step (2)) as soon as the elimination condition holds, that is, all term occurrences of this variable are of depth 0. Otherwise, the algorithm tries to create the elimination condition using Depth Reduction (step (1)), which consists of three sequential sub-procedures: Variable Selection (step (1a)), Decomposition (step (1b)) and Simplification (step (1c)). We require that Variable Selection be done in depth-first manner. As all depths are finite, this guarantees that a run eventually leaves Depth Reduction and enters Elimination.

Lemma 4.10 (Soundness of Algorithms 4.1 and 4.2). Each transformation step in Algorithms 4.1 and 4.2 preserves equivalence.


Figure 4-3 (diagram): the DAG of (4.10) has root $x$ with children $x_1$ and $x_2$, $x_1$ with children $x_{11}$ and $x_{12}$, $x_2$ with children $x_{21}$ and $x_{22}$, $x_{12}$ with children $x_{121}$ and $x_{122}$, and the parameter $y$ as a separate node. The node labels are
$$x : x,\quad y : y,\quad x_1 : car(x),\quad x_2 : cdr(x),\quad x_{11} : car(car(x)),\quad x_{12} : cdr(car(x)),\quad x_{21} : car(cdr(x)),\quad x_{22} : cdr(cdr(x)),\quad x_{121} : car(cdr(car(x))),\quad x_{122} : cdr(cdr(car(x))) .$$

Figure 4-3: Quantifier Elimination on $(\exists x)\,[\,car(x) \prec^{l}_{2} cdr(cdr(x)) \wedge cdr(cdr(car(x))) \prec^{l}_{3} y\,]$.

Proof. Equivalence preservation has been assured by the lemmas in Section 4.2.8. More precisely, Lemma 4.9 justifies the soundness of Algorithm 4.1. For Algorithm 4.2, Axioms (1)-(6) in Section 2.2 justify step (1b); Lemma 4.4, with the help of Lemmas 4.5, 4.6 and 4.7, justifies step (1c); Lemma 4.8 justifies step (2).

Lemma 4.11 (Termination). Both Algorithm 4.1 and Algorithm 4.2 terminate.

Theorem 4.1 (Decidability). $\mathrm{Th}(TA^{\mathbb{Z}}_{kb+})$ is decidable, and hence so is $\mathrm{Th}(TA_{kb})$.

Proof. By Lemmas 4.10 and 4.11.

4.3.2 An Example

Example 4.6 (Quantifier Elimination in $List^{\mathbb{Z}}_{kb+}$). Let us go through an example with emphasis on the depth reduction. We only show one simple trace of the reduction. Consider in $List^{\mathbb{Z}}_{kb+}$ the following formula
$$(\exists x)\,[\, car(x) \prec^{l}_{2} cdr(cdr(x)) \;\wedge\; cdr(cdr(car(x))) \prec^{l}_{3} y \,] , \qquad (4.10)$$
where $\mathrm{depth}_{(4.10)}(x) = 3$. Figure 4-3 shows the DAG of (4.10), which is sibling complete. Formula (4.10) states that there exists a tree $x$ whose descendants $x_1$, $x_{22}$, $x_{122}$ and a parameter $y$ satisfy certain order relations.

At the first run of step (1), we introduce fresh variables $x_1$ and $x_2$ to replace $car(x)$ and $cdr(x)$, respectively. By a standard quantifier manipulation we obtain
$$(\exists x_1 \exists x_2)\,[\, x_1 \prec^{l}_{2} cdr(x_2) \;\wedge\; cdr(cdr(x_1)) \prec^{l}_{3} y \,] , \qquad (4.11)$$
where $\mathrm{depth}_{(4.11)}(x_1) = 2$ and $\mathrm{depth}_{(4.11)}(x_2) = 1$, both less than $\mathrm{depth}_{(4.10)}(x)$. In the second run of step (1), we pick $x_1$ and replace $x_1 \prec^{l}_{2} cdr(x_2)$ by $car(x_1) = car(cdr(x_2)) \wedge cdr(x_1) \prec^{l}_{2} cdr(cdr(x_2))$ (which is one of several choices). We obtain
$$(\exists x_2 \exists x_{11} \exists x_{12})\,[\, x_{11} = car(cdr(x_2)) \;\wedge\; x_{12} \prec^{l}_{2} cdr(cdr(x_2)) \;\wedge\; cdr(x_{12}) \prec^{l}_{3} y \,] . \qquad (4.12)$$


At this point we have $\mathrm{depth}_{(4.12)}(x_{11}) = 0$ and the run enters step (2). In this case we can immediately remove $\exists x_{11}$, obtaining
$$(\exists x_2 \exists x_{12})\,[\, x_{12} \prec^{l}_{2} cdr(cdr(x_2)) \;\wedge\; cdr(x_{12}) \prec^{l}_{3} y \,] , \qquad (4.13)$$
where $\mathrm{depth}_{(4.13)}(x_{12}) = 1$ and $\mathrm{depth}_{(4.13)}(x_2) = 2$. At the third run of step (1), we select $x_{12}$. The run could give us
$$(\exists x_2 \exists x_{121} \exists x_{122})\,[\, x_{121} = car(cdr(cdr(x_2))) \;\wedge\; x_{122} \prec^{l}_{2} cdr(cdr(x_2)) \;\wedge\; x_{122} \prec^{l}_{3} y \,] , \qquad (4.14)$$
which as before by step (2) simplifies to
$$(\exists x_2 \exists x_{122})\,[\, x_{122} \prec^{l}_{2} cdr(cdr(x_2)) \;\wedge\; x_{122} \prec^{l}_{3} y \,] . \qquad (4.15)$$
Still we have $\mathrm{depth}_{(4.15)}(x_{122}) = 0$, which justifies another run of step (2). Let us take a gap order completion $x_{122} \prec^{l}_{2} cdr(cdr(x_2)) \prec^{l}_{1} y$ (which again is just one of many choices) and rewrite (4.15) to
$$(\exists x_2 \exists x_{122})\,[\, x_{122} \prec^{l}_{2} cdr(cdr(x_2)) \prec^{l}_{1} y \,] . \qquad (4.16)$$
With the help of boundary functions, (4.16) reduces to
$$(\exists x_2)\,[\, 0^{w}((cdr(cdr(x_2)))^{w}) \prec^{l}_{2} cdr(cdr(x_2)) \prec^{l}_{1} y \,] . \qquad (4.17)$$
The fourth and the fifth runs of step (1) (with the same trick of quantifier manipulation) give us
$$(\exists x_{222})\,[\, 0^{w}(x_{222}^{w}) \prec^{l}_{2} x_{222} \prec^{l}_{1} y \,] . \qquad (4.18)$$
After that the run comes back again to step (2) as $\mathrm{depth}_{(4.18)}(x_{222}) = 0$. Here we have to reduce term quantifiers to integer quantifiers, in that $x_{222}$ also appears in boundary terms. By Lemma 4.8, (4.18) is equivalent to
$$(\exists z)\,[\, 0^{w}(z) \prec^{l}_{3} y \;\wedge\; Tree_{cons}(z) \,] , \qquad (4.19)$$
which simplifies to $0^{w}(y^{w}) \prec^{l}_{3} y \wedge Tree_{cons}(y^{w})$, and in turn to
$$0^{w}(y^{w}) \prec^{l}_{3} y , \qquad (4.20)$$
as $0^{w}(y^{w}) \prec^{l}_{3} y$ implies $Tree_{cons}(y^{w})$. It is not hard to verify that (4.20) implies (4.10) as desired. (We do not have equivalence because this is just one trace of the reduction.) In fact, the above elimination procedure tells us how to obtain a solution to (4.10) provided (4.20) holds. Let us show the construction in bottom-up fashion. By $x_{\sharp}$, we refer to labels in Figure 4-3. First, we set $x_{122}$ to $0^{w}(y^{w})$ to take care of $x_{122} \prec^{l}_{3} y$. Second, we find $x_{11}$, $x_{121}$ and $x_{22}$ to satisfy $x_1 \prec^{l}_{2} x_{22}$. This can always be done as there are no constraints on $x_{11}$, $x_{121}$ and $x_{22}$. Third, we set $x_{21}$ to an arbitrary value. In this way we obtain an $x$ which is the solution to (4.10).

We note that the depth reduction of a variable is at the expense of increasing the depth of a term on the other side of a gap order predicate. This happens when $\varphi_{kb+}$ contains $x \mathbin{?} t$ (or $t \mathbin{?} x$) and $\mathrm{depth}_{\varphi_{kb+}}(x) > 0$. For example, from (4.11) to (4.12), the depth of $x_2$ increases by 1. Moreover, the depth reduction in general introduces more existential quantifiers and more equalities in at least one resulting formula (e.g., this also happens in the reduction from (4.11) to (4.12)). In every step of the transformation, however, the number of open gap order literals in each resulting primitive formula is no more than that in the original formula. Moreover, the final elimination procedure removes at least one open gap order literal if the eliminated variable occurs in such literals (e.g., from (4.16) to (4.17) and from (4.18) to (4.19)). When all open gap order literals are gone, the depths of terms will be strictly decreasing. This forces the run of Algorithm 4.2 to eventually leave step (1) and from then on to stay in step (2) until all existential quantifiers are removed.

4.4 Presence of a 0-weight Unary Function

Up to now we have assumed that the language does not contain a unary function $f$ of weight 0. However, the presence of such a function considerably simplifies the reduction procedure. First we note that there exists no maximum ground TA-term $1^{w}(m)$ of weight $m$ for any $m > 0$ (when we do not consider the artificial fix using the sink value $\bot$), because otherwise we would have a contradiction, as $1^{w}(m) \prec^{kb} f(1^{w}(m))$ and $w(1^{w}(m)) = w(f(1^{w}(m)))$. As a consequence, $\prec^{w}_{n}$ is dense in the sense that if $u \prec^{w}_{n} v$ ($n > 0$), there are infinitely many ground TA-terms in between $u$ and $v$ with respect to $\prec^{kb}$. Similarly, there exists no maximum ground TA-term $1^{p}(m, p)$ of weight $m$ and type $\alpha_p$ except when $\alpha_p$ is a constant and $m = w(\alpha_p)$, and hence $\prec^{p}_{n}$ is dense except when the left operand is a constant. Moreover, $\prec^{l}_{n}$ is dense except when the order is resolved between the corresponding rightmost immediate subterms of its operands. To make the above statements precise, we present reductions for open gap order literals involving $\prec^{w}_{n}$, $\prec^{p}_{n}$, $\prec^{l}_{n}$, $\prec^{w}_{=n}$, $\prec^{p}_{=n}$, and $\prec^{l}_{=n}$ ($n > 0$).

4.4.1 Reduction of $u \prec^{w}_{n} v$ and $u \prec^{w}_{=n} v$

Clearly, $u \prec^{w}_{n} v$ implies $u \prec^{w} v$ and, assuming $u \prec^{w} v$, we have an infinite chain
$$u \prec^{pl} f(u) \prec^{pl} f^2(u) \prec^{pl} \cdots \prec^{pl} f^n(u) \prec^{pl} \cdots \prec^{w} v .$$
Therefore $u \prec^{w}_{n} v$ simplifies to $u \prec^{w} v$, which further simplifies to the integer literal $w(u) < w(v)$. Due to the existence of the infinite chain from $u$ to $v$, $u \prec^{w}_{=n} v$ simplifies to false.


4.4.2 Reduction of $u \prec^{p}_{n} v$ and $u \prec^{p}_{=n} v$

Reduction of $u \prec^{p}_{n} v$ and $u \prec^{p}_{=n} v$ when $u$ is not a constant. Let $t$ be a proper subterm of $u$ and denote $u$ by $u[t]$ to emphasize this occurrence of $t$. Let $u[t']$ be the term obtained from $u$ by substituting $t'$ for $t$. Assuming $u \prec^{p} v$, we have an infinite increasing chain
$$u[t] \prec^{l} u[f(t)] \prec^{l} u[f^2(t)] \prec^{l} \cdots \prec^{l} u[f^n(t)] \prec^{l} \cdots \prec^{p} v .$$
Therefore, $u \prec^{p}_{n} v$ simplifies to $u \prec^{p} v$, which is just $q < p$ assuming $\alpha_p = type(u)$ and $\alpha_q = type(v)$. For the same reason as before, $u \prec^{p}_{=n} v$ simplifies to false.

Reduction of $u \prec^{p}_{n} v$ and $u \prec^{p}_{=n} v$ when $u$ is a constant. Let $type(v) = \alpha_q$. We first check whether there exists a non-constant ground TA-term $t[s]$ (where $s$ is a proper subterm) such that $w(t[s]) = w(u)$, $type(t[s]) = \alpha_p$, and $u \prec_{\Sigma} \alpha_p \prec_{\Sigma} \alpha_q$. This condition can be formally expressed as
$$\bigvee_{q < p < u,\ \alpha_p \notin \mathcal{A}} Tree_{\alpha_p}(u^{w}) , \qquad (4.21)$$
whose truth value can be determined statically given a fixed signature. If (4.21) holds, we have an infinite chain
$$u \prec^{p} t[s] \prec^{l} t[f(s)] \prec^{l} t[f^2(s)] \prec^{l} \cdots \prec^{l} t[f^n(s)] \prec^{l} \cdots \prec^{p} v . \qquad (4.22)$$
Therefore $u \prec^{p}_{n} v$ simplifies to true and $u \prec^{p}_{=n} v$ simplifies to false. If (4.21) does not hold, then all ground TA-terms in between $u$ and $0^{p}(v^{w}, q)$ must be constants. Let us assume there are $m - 1$ constants in between $u$ and $0^{p}(v^{w}, q)$. If $m > n$, then $u \prec^{p}_{n} v$ simplifies to true while $u \prec^{p}_{=n} v$ simplifies to false. If $m = n$, then both $u \prec^{p}_{n} v$ and $u \prec^{p}_{=n} v$ simplify to true. If $m < n$, then $u \prec^{p}_{n} v$ simplifies to $0^{p}(v^{w}, q) \prec^{l}_{n-m} v$ while $u \prec^{p}_{=n} v$ simplifies to $0^{p}(v^{w}, q) \prec^{l}_{=n-m} v$. We need to further consider three subcases under the assumption that $m < n$.

1. $v$ is a constant. Then $0^{p}(v^{w}, q) = v$, and so both $u \prec^{p}_{n} v$ and $u \prec^{p}_{=n} v$ simplify to false.

2. $v$ is of type $f$. Since (4.21) does not hold, $0^{p}(v^{w}, q)$ must be $f(c_1)$ where $c_1$ is the smallest constant of weight $w(v)$. Suppose that there are $r$ constants of weight $w(v)$ and they are ordered as
$$c_1 \prec^{kb} c_2 \prec^{kb} \cdots \prec^{kb} c_r .$$
Then $v$ must be of the form $f^{l}(c_{r'})$ ($0 < r' \le r$), where $f^{l}$ denotes $l$ applications of $f$. We have


the following tight chain
$$f(c_1) \prec^{kb} \cdots \prec^{kb} f(c_{r-1}) \prec^{kb} f(c_r) \prec^{kb} f^2(c_1) \prec^{kb} \cdots \prec^{kb} f^2(c_{r-1}) \prec^{kb} f^2(c_r) \prec^{kb} \cdots \prec^{kb} f^{l}(c_1) \prec^{kb} \cdots \prec^{kb} f^{l}(c_{r'-1}) \prec^{kb} f^{l}(c_{r'}) .$$
So $0^{p}(v^{w}, q) \prec^{l}_{n-m} v$ is true if and only if $(l - 1)r + (r' - 1) \ge n - m$. The reduct can be formally expressed as
$$\bigvee_{1 \le r' \le r} Is_f(v) \wedge Is_f(s^{f} v) \wedge \cdots \wedge Is_f((s^{f})^{l(r')-1} v) \wedge c_{r'} = (s^{f})^{l(r')} v , \qquad (4.23)$$
where $l(r')$ is the minimum integer such that $(l(r') - 1)r + (r' - 1) \ge n - m$. A similar simplification holds for $0^{p}(v^{w}, q) \prec^{l}_{=n-m} v$ except that we require that $(l(r') - 1)r + (r' - 1) = n - m$.

3. $v$ is not a constant and not of type $f$. Let us assume $ar(\alpha_q) = k > 0$. Let $\langle l_1, \ldots, l_k\rangle$ be the smallest $k$-integer tuple of weight $w(v) - w(\alpha_q)$ (with respect to the lexicographic extension of the integer ordering) such that $Tree(l_i)$ holds for all $i \in [1, k]$. We first assume that for some $k' \in [1, k]$,
$$\bigwedge_{1 \le i \le k'-1} (s^{\alpha_q}_i v)^{w} = l_i \;\wedge\; (s^{\alpha_q}_{k'} v)^{w} \ne l_{k'} . \qquad (4.24)$$
In fact we must have $(s^{\alpha_q}_{k'} v)^{w} > l_{k'}$ because $\langle l_1, \ldots, l_k\rangle$ is the smallest such $k$-tuple. Then we have $0^{w}(l_{k'}) \prec^{w} s^{\alpha_q}_{k'} v$, and hence $f^n(0^{w}(l_{k'})) \prec^{w} s^{\alpha_q}_{k'} v$ for any $n > 0$. Therefore we have an infinite chain
$$0^{p}(v^{w}, q) \;\preceq^{l}\; \alpha_q(0^{w}(l_1), \ldots, 0^{w}(l_{k'}), \ldots, 0^{w}(l_k)) \;\prec^{l}\; \alpha_q(0^{w}(l_1), \ldots, f(0^{w}(l_{k'})), \ldots, 0^{w}(l_k)) \;\prec^{l}\; \alpha_q(0^{w}(l_1), \ldots, f^2(0^{w}(l_{k'})), \ldots, 0^{w}(l_k)) \;\prec^{l}\; \cdots \;\prec^{l}\; \alpha_q(s^{\alpha_q}_1 v, \ldots, s^{\alpha_q}_{k'} v, \ldots, s^{\alpha_q}_k v) = v .$$
Hence under condition (4.24), $0^{p}(v^{w}, q) \prec^{l}_{n-m} v$ simplifies to true and $0^{p}(v^{w}, q) \prec^{l}_{=n-m} v$ simplifies to false. Next we assume
$$\bigwedge_{0 < i \le k} (s^{\alpha_q}_i v)^{w} = l_i \;\wedge\; \bigwedge_{0 < i \le k} s^{\alpha_q}_i v = 0^{w}(l_i) . \qquad (4.25)$$


Under this condition, $0^{p}(v^{w}, q) = v$, and hence both $0^{p}(v^{w}, q) \prec^{l}_{n-m} v$ and $0^{p}(v^{w}, q) \prec^{l}_{=n-m} v$ simplify to false. If we assume that for some $k' \in [1, k-1]$,
$$\bigwedge_{0 < i \le k} (s^{\alpha_q}_i v)^{w} = l_i \;\wedge\; s^{\alpha_q}_{k'} v \ne 0^{w}(l_{k'}) , \qquad (4.26)$$
then we must have $0^{w}(l_{k'}) \prec^{pl} s^{\alpha_q}_{k'} v$. So we still have an infinite chain
$$0^{p}(v^{w}, q) \;\preceq^{l}\; \alpha_q(0^{w}(l_1), \ldots, 0^{w}(l_{k'}), \ldots, 0^{w}(l_k)) \;\prec^{l}\; \alpha_q(0^{w}(l_1), \ldots, 0^{w}(l_{k'}), \ldots, f(0^{w}(l_k))) \;\prec^{l}\; \alpha_q(0^{w}(l_1), \ldots, 0^{w}(l_{k'}), \ldots, f^2(0^{w}(l_k))) \;\prec^{l}\; \cdots \;\prec^{l}\; \alpha_q(s^{\alpha_q}_1 v, \ldots, s^{\alpha_q}_{k'} v, \ldots, s^{\alpha_q}_k v) = v .$$
Therefore under condition (4.26), $0^{p}(v^{w}, q) \prec^{l}_{n-m} v$ simplifies to true and $0^{p}(v^{w}, q) \prec^{l}_{=n-m} v$ simplifies to false. The last case is that
$$\bigwedge_{0 < i \le k} (s^{\alpha_q}_i v)^{w} = l_i \;\wedge\; \bigwedge_{1 \le i \le k-1} s^{\alpha_q}_i v = 0^{w}(l_i) \;\wedge\; s^{\alpha_q}_k v \ne 0^{w}(l_k) . \qquad (4.27)$$
Then $0^{p}(v^{w}, q) \prec^{l}_{n-m} v$ reduces to $0^{w}(l_k) \prec^{pl}_{n-m} s^{\alpha_q}_k v$ and $0^{p}(v^{w}, q) \prec^{l}_{=n-m} v$ reduces to $0^{w}(l_k) \prec^{pl}_{=n-m} s^{\alpha_q}_k v$. Now we have to reapply the above reduction to $0^{w}(l_k) \prec^{pl}_{n-m} s^{\alpha_q}_k v$ and to $0^{w}(l_k) \prec^{pl}_{=n-m} s^{\alpha_q}_k v$. But since $l_k < w(v)$, this process eventually terminates.

Note that the lower boundary terms we used in the reduction are all defined on known constantweights, and hence they are fixed ground TA-terms which can be expressed using selector termsand constants.

4.4.3 Reduction of $u\prec^l_n v$ and $u\dot{\prec}^l_n v$

If either $u$ or $v$ is a constant, then both $u\prec^l_n v$ and $u\dot{\prec}^l_n v$ simplify to false. Now assume $type(u)=type(v)=\alpha_q$ and $ar(\alpha_q)=k>0$. So

$$u=\alpha_q(s^{\alpha_q}_1 u,\ldots,s^{\alpha_q}_k u)\,,\qquad v=\alpha_q(s^{\alpha_q}_1 v,\ldots,s^{\alpha_q}_k v)\,.$$

If we assume that

$$\bigwedge_{1\le i\le k'-1}s^{\alpha_q}_i u=s^{\alpha_q}_i v\ \wedge\ s^{\alpha_q}_{k'}u\prec^{kb}s^{\alpha_q}_{k'}v \qquad (4.28)$$


for some $k'\in[1,k-1]$, then we have an infinite chain

$$\begin{aligned}
u=\alpha_q\big(s^{\alpha_q}_1 u,\ldots,s^{\alpha_q}_{k'}u,\ldots,s^{\alpha_q}_k u\big)\ &\prec^l\ \alpha_q\big(s^{\alpha_q}_1 u,\ldots,s^{\alpha_q}_{k'}u,\ldots,f(s^{\alpha_q}_k u)\big)\\
&\prec^l\ \alpha_q\big(s^{\alpha_q}_1 u,\ldots,s^{\alpha_q}_{k'}u,\ldots,f^2(s^{\alpha_q}_k u)\big)\\
&\prec^l\ \cdots\ \prec^l\ \alpha_q\big(s^{\alpha_q}_1 v,\ldots,s^{\alpha_q}_{k'}v,\ldots,s^{\alpha_q}_k v\big)=v\,.
\end{aligned}$$

Therefore under condition (4.28), $u\prec^l_n v$ simplifies to true and $u\dot{\prec}^l_n v$ simplifies to false. The only possibility left is

$$\bigwedge_{1\le i\le k-1}s^{\alpha_q}_i u=s^{\alpha_q}_i v\ \wedge\ s^{\alpha_q}_k u\prec^{kb}s^{\alpha_q}_k v\,. \qquad (4.29)$$

Under this condition, $u\prec^l_n v$ simplifies to $s^{\alpha_q}_k u\prec^{kb}_n s^{\alpha_q}_k v$, and $u\dot{\prec}^l_n v$ simplifies to $s^{\alpha_q}_k u\dot{\prec}^{kb}_n s^{\alpha_q}_k v$.

This concludes all the reductions we need to consider. Although we carried out the reductions at the semantic level by case distinction, all preconditions and the corresponding reducts are expressible in our formal language, and hence so are the reductions themselves. For example, the reductions of $u\prec^l_n v$ and $u\dot{\prec}^l_n v$, respectively, are

$$u\prec^l_n v\ \to\ s^{\alpha_q}_k u\prec^{kb}_n s^{\alpha_q}_k v\ \vee\ \bigvee_{0<i<k}s^{\alpha_q}_i u\prec^{kb}s^{\alpha_q}_i v\,,$$

$$u\dot{\prec}^l_n v\ \to\ s^{\alpha_q}_k u\dot{\prec}^{kb}_n s^{\alpha_q}_k v\ \wedge\ \bigwedge_{0<i<k}s^{\alpha_q}_i u=s^{\alpha_q}_i v\,.$$

Note that it was to delineate $\prec^w_n$, $\prec^p_n$, $\dot{\prec}^w_n$ and $\dot{\prec}^p_n$, and to decompose $\prec^l_n$ and $\dot{\prec}^l_n$, that we introduced boundary functions. In the above reductions, however, not only are the upper boundary functions undefined, but the lower boundary functions are also of no use (except in the intermediate steps). As a result, we do not need to introduce any boundary functions into $\mathcal{L}^{\mathbb{Z}}_{kb^+}$ at all. Also note that it was to decompose $\prec^l_n$ and $\dot{\prec}^l_n$ that we introduced tuple gap orders and tuple boundary functions, which are likewise of no use in the above reductions. Hence we do not need to introduce tuple gap orders and tuple boundary functions into $\mathcal{L}^{\mathbb{Z}}_{kb^+}$ either. All in all, the presence of a 0-weight unary function significantly simplifies the depth reduction procedure. In fact, we have already presented the proof of Lemma 4.4. All other lemmas related to tuples and boundary functions in Section 4.2.8, and the corresponding proofs in Section 4.6, are no longer needed; neither are Sections 4.7 and 4.8.


4.5 Conclusion

We showed the decidability of the first-order theory of term algebras with Knuth-Bendix order by quantifier elimination. Our method combines the extraction of integer constraints from term constraints with the reduction of quantifiers on term variables to quantifiers on integer variables. In fact, we established the decidability of a much more expressive theory.

Two problems related to practical complexity need further investigation. First, as a rule of thumb, more expressive power means higher complexity. Even if the theoretical complexity bound is the same, in practice efficiency will be compromised. It is worthwhile to search for the smallest extension of KBO that admits quantifier elimination. Second, the elimination is intrinsically limited to processing quantified variables one at a time. We plan to extend the method of Chapter 2 to eliminate a block of quantifiers of the same kind in one step. We believe this will be a significant improvement in pragmatic terms, since in most applications the quantifier alternation depth is small.

We also plan to investigate the decidability of the first-order theory of KBO in a non-ground term domain [25], or with a partial precedence order on the signature [2].


4.6 Proofs

In this section we present the proofs not included in the main text of this chapter. These proofs rely on the definitions of integer predicates and functions given in Section 4.7 and on the reductions of equalities and gap order literals presented in Section 4.8. In this and the following sections we still assume that our language does not contain a 0-weight unary function. For ease of reference we restate the lemmas and theorems.

Lemma 4.1 (Elimination of Negative Literals). Assume formulas are type complete.

1. Any negative tester literal is equivalent to a disjunction of positive tester literals.

2. Any negative term equality literal (i.e., a disequality between TA-terms) is equivalent to a disjunction of positive order literals.

3. Any negative order literal is equivalent to a disjunction of integer literals, tester literals and positive order literals.

Proof. Negative tester literals can be eliminated using the following two equivalences:

$$\neg\,\mathrm{Is}_{\alpha_p}(x)\ \leftrightarrow\ \bigvee_{\alpha_q\in C,\ \alpha_p\ne\alpha_q}\mathrm{Is}_{\alpha_q}(x)\,,\qquad \neg\,\mathrm{Is}_A(x)\ \leftrightarrow\ \bigvee_{\alpha_p\in C\setminus A}\mathrm{Is}_{\alpha_p}(x)\,.$$

Term disequalities can be eliminated according to

$$u\ne v\ \leftrightarrow\ u\prec^w v\vee u\prec^p v\vee u\prec^l v\vee v\prec^w u\vee v\prec^p u\vee v\prec^l u\,.$$

Now let $\sharp\in\{w,p,l\}$ and $n>0$. It is easily seen that the following equivalences hold:

$$\begin{aligned}
u\prec^\sharp_n v\ &\leftrightarrow\ u\prec^\sharp_{n+1}v\ \vee\ u\dot{\prec}^\sharp_n v\,,\\
\neg(u\prec^\sharp_n v)\ &\leftrightarrow\ \neg(u\prec^\sharp_{n+1}v)\ \wedge\ \neg(u\dot{\prec}^\sharp_n v)\,,\\
u\dot{\prec}^\sharp_n v\ &\leftrightarrow\ u\prec^\sharp_n v\ \wedge\ \neg(u\prec^\sharp_{n+1}v)\,,\\
\neg(u\dot{\prec}^\sharp_n v)\ &\leftrightarrow\ \neg(u\prec^\sharp_n v)\ \vee\ u\prec^\sharp_{n+1}v\,.
\end{aligned}$$

Therefore, for $n>0$, we have the following equivalences:

$$\begin{aligned}
\neg(u\prec^w_n v)\ &\leftrightarrow\ v^w\le u^w\ \vee\ \bigvee_{i<n}u\dot{\prec}^w_i v\,,\\
\neg(u\dot{\prec}^w_n v)\ &\leftrightarrow\ v^w\le u^w\ \vee\ \bigvee_{i<n}u\dot{\prec}^w_i v\ \vee\ u\prec^w_{n+1}v\,,\\
\neg(u\prec^p_n v)\ &\leftrightarrow\ u^w\ne v^w\ \vee\ \Big(\bigvee_{0<p\le|\Sigma|}\big(\mathrm{Is}_{\alpha_p}(u)\leftrightarrow\mathrm{Is}_{\alpha_p}(v)\big)\Big)\ \vee\ v\prec^p u\ \vee\ \bigvee_{i<n}u\dot{\prec}^p_i v\,,\\
\neg(u\dot{\prec}^p_n v)\ &\leftrightarrow\ u^w\ne v^w\ \vee\ \Big(\bigvee_{0<p\le|\Sigma|}\big(\mathrm{Is}_{\alpha_p}(u)\leftrightarrow\mathrm{Is}_{\alpha_p}(v)\big)\Big)\ \vee\ v\prec^p u\ \vee\ \bigvee_{i<n}u\dot{\prec}^p_i v\ \vee\ u\prec^p_{n+1}v\,,\\
\neg(u\prec^l_n v)\ &\leftrightarrow\ u^w\ne v^w\ \vee\ \Big(\bigwedge_{0<p\le|\Sigma|}\big(\mathrm{Is}_{\alpha_p}(u)\leftrightarrow\neg\,\mathrm{Is}_{\alpha_p}(v)\big)\Big)\ \vee\ v\prec^l u\ \vee\ \bigvee_{i<n}u\dot{\prec}^l_i v\,,\\
\neg(u\dot{\prec}^l_n v)\ &\leftrightarrow\ u^w\ne v^w\ \vee\ \Big(\bigwedge_{0<p\le|\Sigma|}\big(\mathrm{Is}_{\alpha_p}(u)\leftrightarrow\neg\,\mathrm{Is}_{\alpha_p}(v)\big)\Big)\ \vee\ v\prec^l u\ \vee\ \bigvee_{i<n}u\dot{\prec}^l_i v\ \vee\ u\prec^l_{n+1}v\,.
\end{aligned}$$

Note that $\neg(u\prec^\sharp_0 v)$ is $u\ne v\wedge\neg(u\prec^\sharp v)$ and $\neg(u\dot{\prec}^\sharp_0 v)$ is just $u\ne v$. Under the assumption of type completeness, the truth values of tester literals are predetermined, and hence no conjunction is introduced by the above reductions. And obviously, none of the above reductions introduces more open gap order literals in any of the reducts.

Lemma 4.2 (Delineated Gap Order Completion). Any conjunction of positive order literals in $\mathcal{L}_{kb^+}$ can be effectively transformed into an equivalent finite disjunction of delineated gap order completions.

Proof. Let $\varphi_{kb^+}$ be a conjunction of positive order literals in $\mathcal{L}_{kb^+}$. Without loss of generality we assume that $\varphi_{kb^+}$ only contains literals of the forms $u\dot{\prec}^\sharp_n v$ and $u\prec^\sharp_n v$ ($\sharp\in\{w,p,l\}$) for $n>0$. Let $T(\varphi_{kb^+})$ be the set of all TA-terms in $\varphi_{kb^+}$. In the following we describe a nondeterministic algorithm to compute a disjunction of DGOCs equivalent to $\varphi_{kb^+}$.

We view $\varphi_{kb^+}$ as a labeled directed graph $G_{kb^+}$ in which the TA-terms in $T(\varphi_{kb^+})$ are vertex labels and $u\dot{\prec}^\sharp_n v$ (or $u\prec^\sharp_n v$) represents a directed edge from $u$ to $v$ with number label $n$ and color label $\sharp$. An edge corresponding to a stretchable gap order literal $u\prec^\sharp_n v$ (resp. a rigid gap order literal $u\dot{\prec}^\sharp_n v$) is called stretchable (resp. rigid). A path is rigid if every edge on the path is rigid; it is stretchable otherwise. The length of a path is the sum of all number labels on the path.

First we guess an equality partition of $T(\varphi_{kb^+})$. All vertices in the same equivalence class are merged by consolidating the corresponding outgoing and incoming edges. We choose an arbitrary representative of each equivalence class as the vertex label.

Second we guess a linear order with respect to $\dot{\prec}^\sharp_1$ and $\prec^\sharp_1$ on $T(\varphi_{kb^+})$. This amounts to adding to $G_{kb^+}$ a Hamiltonian path, a path between two distinct vertices of $G_{kb^+}$ that visits each vertex exactly once. We call this path the primary path and its edges primary edges. The primary path corresponds to a gap order completion and is the prototype of the delineated gap order completion we are about to construct. At this stage a primary edge may be labeled by any color in $\{w,p,l\}$, but all number labels are 1.

Third we insert boundary terms to delineate the primary path if necessary.

Up to now there may exist two types of inconsistency.

1. $G_{kb^+}$ contains a cycle.

2. The color of a non-primary edge is incompatible with the colors on the corresponding primary path. Order $\{w,p,l\}$ as $l\prec_c p\prec_c w$. We say that the color $c$ of a non-primary edge is incompatible with the colors $\{c_i\mid 0<i\le k\}$ on the corresponding primary path if $c\ne\max\{c_i\mid 0<i\le k\}$ with respect to $\prec_c$. For example, $u\prec^l_{n_1}v\prec^p_{n_2}w$ is compatible with neither $u\prec^w_{n_3}w$ nor $u\prec^l_{n_4}w$, while it is compatible with $u\prec^p_{n_5}w$.

If an inconsistency is detected, the constraint simplifies to false. To reduce $\varphi_{kb^+}$ to a DGOC, we need to remove all non-primary edges. A non-primary edge from $u$ to $v$ is called an over-edge (resp. under-edge, para-edge) if its length is greater than (resp. less than, equal to) the length of the primary path from $u$ to $v$. We say that a non-primary edge from $u$ to $v$ covers all primary edges on the path from $u$ to $v$.

We remove all redundant edges, namely para-edges and stretchable under-edges. If there exists a rigid under-edge, then the constraint simplifies to false. Now we assume that all under-edges have been removed.

The existence of an over-edge means that the current gap order completion "over-approximates" $\varphi_{kb^+}$. To discharge an over-edge, we distribute the extra length over the number labels of the stretchable primary edges covered by this over-edge. For example, consider the following primary path from $u$ to $v$ to $w$,

$$u\ \xrightarrow{\ p_1\ }\ v\ \xrightarrow{\ p_2\ }\ w\,, \qquad (4.30)$$

where both edges are stretchable. Suppose that there exists an over-edge from $u$ to $w$ with number label $p>p_1+p_2$. We replace the subgraph (4.30) by one of the following graphs,

$$u\ \xrightarrow{\ p_1+n_1\ }\ v\ \xrightarrow{\ p_2+n_2\ }\ w\,, \qquad (4.31)$$

where $n_1,n_2\ge 0$ and $n_1+n_2=p-p_1-p_2$. Note that we do not add extra length to rigid primary edges, and if the corresponding primary path is not stretchable, then $\varphi_{kb^+}$ simplifies to false. After the distribution, we make each stretchable primary edge rigid if the over-edge that covers it is rigid. Now the original over-edge has become redundant and we remove it. One by one, we can remove all over-edges and obtain a graph which has only primary edges (false can be viewed as $x\prec^w x$).
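The following Python, added here as an illustration and not part of the dissertation, carries out the edge-discharging step of the above proof on a primary path: it classifies a non-primary edge as an under-, para- or over-edge against the primary segment it covers, applies the colour-compatibility test with $l\prec_c p\prec_c w$, and for an over-edge enumerates the distributions (4.31) of the extra length over the covered stretchable edges, making them rigid when the over-edge is rigid. The names `PrimaryPath`, `Edge`, `discharge_edge` and `compositions` are my own, and the three-vertex path in the usage block is a constructed instance of (4.30).

```python
"""Discharging non-primary edges against a primary path (proof of Lemma 4.2).

Added example; PrimaryPath, Edge, compositions and discharge_edge are names
chosen here, not notation from the dissertation."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Colour order l <_c p <_c w, used for the compatibility test.
COLOR_RANK = {"l": 0, "p": 1, "w": 2}


@dataclass(frozen=True)
class Edge:
    n: int         # number label: the gap count of the literal
    color: str     # 'w', 'p' or 'l'
    rigid: bool    # True for a rigid literal, False for a stretchable one


@dataclass(frozen=True)
class PrimaryPath:
    vertices: Tuple[str, ...]  # class representatives in the guessed linear order
    edges: Tuple[Edge, ...]    # edges[i] joins vertices[i] to vertices[i + 1]

    def covered(self, u: str, v: str) -> Tuple[int, int]:
        """Index range [i, j) of the primary edges covered by an edge u -> v."""
        i, j = self.vertices.index(u), self.vertices.index(v)
        if i >= j:
            raise ValueError("edge runs against the primary path: the graph has a cycle")
        return i, j


def compositions(total: int, parts: int) -> Iterator[Tuple[int, ...]]:
    """All tuples of `parts` non-negative integers summing to `total`."""
    if parts == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest


def discharge_edge(path: PrimaryPath, u: str, v: str,
                   edge: Edge) -> Optional[List[PrimaryPath]]:
    """Remove the non-primary edge u -> v with label `edge`.

    Returns the list of primary paths whose disjunction replaces the graph,
    or None when the constraint has been shown inconsistent (false)."""
    i, j = path.covered(u, v)
    covered = path.edges[i:j]
    # Inconsistency of type 2: the edge's colour must equal the maximal
    # colour on the primary segment it covers.
    top = max((e.color for e in covered), key=COLOR_RANK.__getitem__)
    if edge.color != top:
        return None
    primary_len = sum(e.n for e in covered)
    if edge.n < primary_len:                   # under-edge
        return None if edge.rigid else [path]  # rigid: false; stretchable: redundant
    if edge.n == primary_len:                  # para-edge: redundant
        return [path]
    # Over-edge: spread the extra length over the covered stretchable edges,
    # as in the step from (4.30) to (4.31).  Rigid primary edges get nothing.
    extra = edge.n - primary_len
    stretchable = [k for k in range(i, j) if not path.edges[k].rigid]
    if not stretchable:                        # covered segment is rigid, cannot absorb
        return None
    results: List[PrimaryPath] = []
    for dist in compositions(extra, len(stretchable)):
        new_edges = list(path.edges)
        for k, d in zip(stretchable, dist):
            e = new_edges[k]
            # A covered stretchable edge becomes rigid if the over-edge is rigid.
            new_edges[k] = Edge(e.n + d, e.color, e.rigid or edge.rigid)
        results.append(PrimaryPath(path.vertices, tuple(new_edges)))
    return results


if __name__ == "__main__":
    # Constructed instance of (4.30): u -p1-> v -p2-> w with p1 = p2 = 1,
    # and a stretchable over-edge u -> w labelled 3.
    path = PrimaryPath(("u", "v", "w"), (Edge(1, "p", False), Edge(1, "p", False)))
    for alt in discharge_edge(path, "u", "w", Edge(3, "p", False)):
        print([(e.n, e.color, e.rigid) for e in alt.edges])
```

With $p_1=p_2=1$ and $p=3$ the extra length is 1, so the two alternatives of (4.31) are $(2,1)$ and $(1,2)$; a rigid under-edge yields `None` (false), and an over-edge whose colour is below the maximal colour on its segment is rejected before any distribution.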

Lemma 4.12 (Open Gap Order Literals in DGOCs). Formulas of the form

$$\bigwedge_{i=1}^{m}u_i\mathrel{E}^{\sharp_i}_{p_i}x\ \wedge\ \bigwedge_{j=1}^{n}x\mathrel{E}^{\flat_j}_{q_j}v_j\,, \qquad (4.32)$$

where $x$ is an ordinary TA-term, $E$ stands for $\prec$ or $\dot{\prec}$, $\sharp_i,\flat_j\in\{w,p,l\}$, and $p_i,q_j>0$, can be effectively transformed into an equivalent finite disjunction of DGOCs, and the number of open gap order literals in each DGOC is no more than that in the original formula. Moreover, if both the predecessor and the successor of $x$ in a DGOC are boundary terms, then the DGOC has one fewer open gap order literal than the original formula, provided the original formula contains at least one open gap order literal.

Proof. By Lemma 4.2 it suffices to show that in each DGOC the number of open gap order literals is no more than that in the original formula. Let us assume there are $m_1\le m$ ordinary TA-terms which are less than $x$ and $n_1\le n$ ordinary TA-terms which are greater than $x$. So in the original formula there are $m_1+n_1+1$ ordinary terms and $m_1+n_1$ open gap order literals. In each obtained DGOC, the number of ordinary TA-terms cannot exceed $m_1+n_1+1$, as no new ordinary TA-terms are introduced. It is easily seen that in a linear order containing $k>0$ ordinary TA-terms, the number of open gap order literals is at most $k-1$. So there are at most $m_1+n_1$ open gap order literals in each resulting DGOC. The introduction of boundary terms (to delineate a gap order) and the merging of two vertices (to equalize two terms) can only decrease the number of open gap order literals. Moreover, suppose the original formula contains at least one open gap order literal. Without loss of generality, let us assume it is $u_1\mathrel{E}^{\sharp_1}_{p_1}x$, and so $m_1>0$. Since both the predecessor and the successor of $x$ in the DGOC are boundary terms, $x$ is separated from the other ordinary TA-terms, and so there are at most $m_1-1$ open gap order literals to the left of $x$ in the DGOC. Also there are at most $n_1$ open gap order literals to the right of $x$. Therefore, the total number of open gap order literals is at most $m_1+n_1-1$, one less than that in the original formula.

Lemma 4.3 (No Embedding of Boundary Terms). Any formula in $\mathcal{L}^{\mathbb{Z}}_{kb^+}$ can be effectively reduced to an equivalent formula in which no boundary terms appear inside selectors or the weight function.

Proof. By the following equivalences we can eliminate all integer terms formed by applying the weight function to boundary terms (read each as: the weight is $m$ when the boundary term is well-defined, and $w(\bot)$ otherwise):

$$\begin{aligned}
(0^w_{(m)})^w\ &\leftrightarrow\ (\mathrm{WD}_{0^w}(m)\wedge m)\ \vee\ (\neg\mathrm{WD}_{0^w}(m)\wedge w(\bot))\,,\\
(0^p_{(m,p)})^w\ &\leftrightarrow\ (\mathrm{WD}_{0^p}(m,p)\wedge m)\ \vee\ (\neg\mathrm{WD}_{0^p}(m,p)\wedge w(\bot))\,,\\
(1^w_{(m)})^w\ &\leftrightarrow\ (\mathrm{WD}_{1^w}(m)\wedge m)\ \vee\ (\neg\mathrm{WD}_{1^w}(m)\wedge w(\bot))\,,\\
(1^p_{(m,p)})^w\ &\leftrightarrow\ (\mathrm{WD}_{1^p}(m,p)\wedge m)\ \vee\ (\neg\mathrm{WD}_{1^p}(m,p)\wedge w(\bot))\,.
\end{aligned}$$

Next we show how to eliminate selectors in front of boundary terms. For a selector term $s^{\alpha_p}_i 0^w_{(m)}$ (where $ar(\alpha_p)=k$), we consider four cases.

1. $0^w_{(m)}$ is not well-defined. In this case $0^w_{(m)}=\bot$, and hence $s^{\alpha_p}_i 0^w_{(m)}$ simplifies to $\bot$.

2. $0^w_{(m)}$ is well-defined, but $\mathrm{Tree}_{\alpha_p}(m)$ is false. Since $\mathrm{Tree}_{\alpha_p}(m)$ does not hold, $0^w_{(m)}$ cannot be of type $\alpha_p$, and so $s^{\alpha_p}_i 0^w_{(m)}$ simplifies to $0^w_{(m)}$.

3. $\mathrm{Tree}_{\alpha_p}(m)$ holds but there exists $p'$ with $p<p'\le|\Sigma|$ such that $\mathrm{Tree}_{\alpha_{p'}}(m)$ holds. Since $\alpha_{p'}\prec_\Sigma\alpha_p$, $0^w_{(m)}$ cannot be of type $\alpha_p$, and hence $s^{\alpha_p}_i 0^w_{(m)}$ simplifies to $0^w_{(m)}$.

4. $\mathrm{Tree}_{\alpha_p}(m)$ holds and for every $p'$ with $p<p'\le|\Sigma|$, $\mathrm{Tree}_{\alpha_{p'}}(m)$ does not hold. The condition says that $0^w_{(m)}$ is of type $\alpha_p$, i.e., $0^w_{(m)}=\alpha_p(t_1,\ldots,t_{ar(\alpha_p)})$. It is not hard to argue that $\langle t_1,\ldots,t_{ar(\alpha_p)}\rangle$ must be the smallest $k$-tuple of weight $m-w(\alpha_p)$. Therefore $s^{\alpha_p}_i 0^w_{(m)}$ simplifies to $0^w_{(\mathrm{CWS}^k_i(m-w(\alpha_p)))}$, where $\mathrm{CWS}^k_i(n)$ returns the weight of the $i$th component of the smallest (with respect to $\prec^{k;kb}$) $k$-tuple of weight $n$. Here $\mathrm{CWS}^k_i(n)$ is defined in Presburger arithmetic (Section 4.7).

The above four preconditions can be respectively expressed as

$$\begin{aligned}
&\neg\mathrm{WD}_{0^w}(m)\,,\\
&\mathrm{WD}_{0^w}(m)\wedge\neg\mathrm{Tree}_{\alpha_p}(m)\,,\\
&\mathrm{Tree}_{\alpha_p}(m)\wedge\bigvee_{p<p'\le|\Sigma|}\mathrm{Tree}_{\alpha_{p'}}(m)\,,\\
&\mathrm{Tree}_{\alpha_p}(m)\wedge\bigwedge_{p<p'\le|\Sigma|}\neg\mathrm{Tree}_{\alpha_{p'}}(m)\,.
\end{aligned}$$

Similarly we can handle terms of the form $s^{\alpha_p}_j 1^w_{(m)}$. For a selector term $s^{\alpha_p}_j 0^p_{(m,p')}$ (where $ar(\alpha_p)=k$), we consider three cases.

1. $0^p_{(m,p')}$ is not well-defined. Then $s^{\alpha_p}_j 0^p_{(m,p')}$ simplifies to $\bot$.

2. $0^p_{(m,p')}$ is well-defined, but $p\ne p'$. Then $s^{\alpha_p}_j 0^p_{(m,p')}$ simplifies to $0^p_{(m,p')}$.

3. $0^p_{(m,p')}$ is well-defined, and $p=p'$. The condition says that $0^p_{(m,p)}=\alpha_p(t_1,\ldots,t_{ar(\alpha_p)})$ and $\langle t_1,\ldots,t_{ar(\alpha_p)}\rangle$ is the smallest $k$-tuple of weight $m-w(\alpha_p)$. As in case (4) of the reduction of $s^{\alpha_p}_i 0^w_{(m)}$, $s^{\alpha_p}_j 0^p_{(m,p')}$ simplifies to $0^w_{(\mathrm{CWS}^k_j(m-w(\alpha_p)))}$.

The above three preconditions can be respectively expressed as

$$\neg\mathrm{WD}_{0^p}(m,p')\,,\qquad \mathrm{WD}_{0^p}(m,p')\wedge p\ne p'\,,\qquad \mathrm{WD}_{0^p}(m,p')\wedge p=p'\,.$$

Similarly we can handle terms of the form $s^{\alpha_p}_j 1^p_{(m,p')}$. Repeating this transformation, eventually all selectors in front of boundary terms are removed and we obtain a formula in which no boundary terms occur inside selectors.

We note that the above reduction is purely syntactic, as for each case both the precondition and the corresponding reduct are expressible in our formal language. In general, let $\varphi[t]$ be a formula in which the term $t$ occurs. Suppose there are $n$ disjoint cases in total for the reduction of $t$, and for each case $i$ ($0<i\le n$), $t$ is reduced to $t_i$ under the precondition $\theta_i$. Then $\varphi[t]$ can be equivalently rewritten as

$$\bigvee_{0<i\le n}\big(\theta_i\wedge\varphi[t_i]\big)\,. \qquad (4.33)$$

It is easily seen from (4.33) that the transformation involves disjunctive splittings, and since the $\theta_i$ are Presburger formulas, the transformation does not increase the number of open gap order literals in any of the resulting conjunctions of literals.

Lemma 4.4 (Reduction of Term Gap Order Literals). Let

$$\star\in\big\{\prec^{kb}_n,\prec^w_n,\prec^p_n,\prec^l_n,\prec^{pl}_n,\dot{\prec}^{kb}_n,\dot{\prec}^w_n,\dot{\prec}^p_n,\dot{\prec}^l_n,\dot{\prec}^{pl}_n\big\}\quad(n>0)\,.$$

If $x$ is a TA-variable of type $\alpha_p$ with $\alpha_p=(s^{\alpha_p}_1,\ldots,s^{\alpha_p}_k)$ and $t$ is an arbitrary TA-term, then $x\star t$ ($t\star x$) can be effectively reduced to an equivalent quantifier-free formula $\varphi(s^{\alpha_p}_1 x,\ldots,s^{\alpha_p}_k x)$ (in $\mathcal{L}^{\mathbb{Z}}_{kb^+}$) in which $x$ occurs only in $s^{\alpha_p}_i x$ ($0<i\le k$).

Proof. It suffices to consider $\star\in\{\prec^w_n,\prec^p_n,\prec^l_n,\dot{\prec}^w_n,\dot{\prec}^p_n,\dot{\prec}^l_n\}$ for $n>0$. If $t$ is a TA-term not containing $x$, then the result follows directly from Lemma 4.6. Suppose otherwise. Then $t$ must be of the form $Lx$, where $L$ is a non-empty block of selectors. We have two cases depending on whether $Lx$ is on the left-hand side or the right-hand side of $\star$.

Case 1. $x\star Lx$. Since $L$ is non-empty and constraints are type-complete, $Lx$ is a proper subterm of $x$. If $x\star Lx$, then $x\prec^{kb}Lx$, violating the subterm property of KBO [2]. Therefore $x\star Lx$ simplifies to false.

Case 2. $Lx\star x$. If $\star$ is $\prec^w_n$ (resp. $\prec^p_n$), reduction 4.197 (resp. 4.198) puts $x$ and $Lx$ in separate literals, and hence the problem goes away. Similarly if $\star$ is $\dot{\prec}^w_n$ or $\dot{\prec}^p_n$. The last two cases are $Lx\prec^l_n x$ and $Lx\dot{\prec}^l_n x$, which are only possible when the language contains the unary function $f$ of weight 0. To save notation, we write $s_f$ for the selector corresponding to $f$. Now $Lx\prec^l_n x$ and $Lx\dot{\prec}^l_n x$, respectively, are of the forms

$$s^i_f(x)\prec^l_n x\qquad\text{and}\qquad s^i_f(x)\dot{\prec}^l_n x\,,$$

where $i>0$ and $s^i_f$ denotes $i$ applications of $s_f$. Note that both $s^i_f(x)\prec^l_n x$ and $s^i_f(x)\dot{\prec}^l_n x$ imply $\mathrm{Is}_f(s^i_f(x))$. In the rest of the proof, we view $x$ as a fixed ground TA-term unless it appears in a formula of the formal language. Let us consider two subcases.

A. There is a non-constant ground TA-term whose weight is $w(x)$ and whose type is not $f$. Let $g(t_1,\ldots,t_j)$ be such a term; i.e., $g\ne f$ and $w(g(t_1,\ldots,t_j))=w(x)$.


(a) If $s^i_f(x)$ is $f^k(a)$ (where $k>0$ and $a$ is a constant), then $x$ is $f^{i+k}(a)$. We have either $a\prec^p g(t_1,\ldots,t_j)$ or $g(t_1,\ldots,t_j)\prec^p a$, as $w(g(t_1,\ldots,t_j))=w(x)=w(a)$.

i. $a\prec^p g(t_1,\ldots,t_j)$. Then we have

$$f^k(a)\prec^l f^k(g(t_1,\ldots,t_j))\prec^l\cdots\prec^l f^k(g(f^l(t_1),\ldots,t_j))\prec^l\cdots\prec^l f^{i+k}(a)\,.$$

ii. $g(t_1,\ldots,t_j)\prec^p a$. Then we have

$$f^k(a)\prec^l f^{i+k}(g(t_1,\ldots,t_j))\prec^l\cdots\prec^l f^{i+k}(g(f^l(t_1),\ldots,t_j))\prec^l\cdots\prec^l f^{i+k}(a)\,.$$

(b) If $s^i_f(x)$ is $f^k(h(t_1,\ldots,t_j))$ (where $k>0$ and $h\ne f$), then $x$ is $f^{k+i}(h(t_1,\ldots,t_j))$. Then we have

$$f^k(h(t_1,\ldots,t_j))\prec^l\cdots\prec^l f^k(h(f^l(t_1),\ldots,t_j))\prec^l\cdots\prec^l f^{i+k}(h(t_1,\ldots,t_j))\,.$$

In all cases there are infinitely many terms between $s^i_f(x)$ and $x$. Hence $s^i_f(x)\prec^l_n x$ simplifies to $\mathrm{Is}_f(s^i_f(x))$ and $s^i_f(x)\dot{\prec}^l_n x$ simplifies to false.

B. Every term of weight $w(x)$ is either an $f$-term (a term of type $f$) or a constant. The condition says that $s^i_f(x)$ must be of the form $f^k(c)$ (for some constant $c$ and $k>0$), and then $x$ is of the form $f^{k+i}(c)$. In this case $f^k(c)\dot{\prec}^l_r f^{k+i}(c)$, where $r$ is $i$ times the number of constants of weight $w(x)$. More precisely, let us assume that there are $m$ constants of weight $w(x)$, ordered as

$$c_1\prec^{kb}\cdots\prec^{kb}c_j\prec^{kb}\cdots\prec^{kb}c_m\,,$$

where $c\equiv c_j$. Then we have $i$ tight chains, each of length $m$:

$$\begin{aligned}
f^k(c_j)&\prec^{kb}\cdots\prec^{kb}f^k(c_m)\prec^{kb}f^{k+1}(c_1)\prec^{kb}\cdots\prec^{kb}f^{k+1}(c_j)\,,\\
&\cdots\cdots\\
f^{k+i-1}(c_j)&\prec^{kb}\cdots\prec^{kb}f^{k+i-1}(c_m)\prec^{kb}f^{k+i}(c_1)\prec^{kb}\cdots\prec^{kb}f^{k+i}(c_j)\,.
\end{aligned}$$

Therefore $s^i_f(x)\prec^l_n x$ simplifies to

$$\mathrm{Is}_f(s^i_f(x))\wedge\mathrm{CNT}_m(x^w)\,,$$

where now $m=\lceil n/i\rceil-1$ and $\mathrm{CNT}_m(x^w)$ is defined in the language with $f$ removed, and $s^i_f(x)\dot{\prec}^l_n x$ simplifies to

$$\mathrm{Is}_f(s^i_f(x))\wedge\mathrm{CNT}_m(x^w)\wedge\neg\mathrm{CNT}_{m+1}(x^w)\wedge i\mid n\,,$$

where again $m=\lceil n/i\rceil-1$ and $\mathrm{CNT}_m(x^w)$ is defined in the same way.

Finally we note that each precondition can be expressed in Presburger arithmetic. Condition (A) is

$$\bigvee_{\alpha\in C\setminus A\setminus\{f\}}\mathrm{Tree}_\alpha(x^w)\,, \qquad (4.34)$$

and condition (B) is just the negation of (4.34).

Lemma 4.5 (Reduction of Closed Term Literals). Let

$$\star\in\big\{=,\prec^{kb}_n,\prec^w_n,\prec^p_n,\prec^l_n,\prec^{pl}_n,\dot{\prec}^{kb}_n,\dot{\prec}^w_n,\dot{\prec}^p_n,\dot{\prec}^l_n,\dot{\prec}^{pl}_n\big\}\quad(n>0)\,.$$

If $u\star v$ is closed, i.e., both $u$ and $v$ are boundary terms, then it can be effectively reduced to an equivalent Presburger formula.

Proof. There are many combinations of closed term literals. Here we only highlight the key components of the proof and leave the details to Sections 4.8.1, 4.8.2 and 4.8.3.

Counting Constraints. A closed term literal states that a certain number of ground TA-terms exist in a contiguous segment formed by concatenating adjacent $w$-intervals or $p$-intervals. The idea of the reduction is to count how many ground TA-terms lie in each interval. For example, $1^w_{(m)}=0^w_{(m')}$ means that $m=m'$ and there is exactly one ground TA-term of weight $m$, which can be formally expressed as

$$m=m'\wedge\mathrm{Tree}(m)\wedge\neg\mathrm{CNT}_1(m)\,.$$

As another example, $1^w_{(m)}\prec^w_n 0^w_{(m')}$ ($n>0$) reduces to (reduction (4.93), copied below)

$$\big(n=1\to m<m'\big)\ \wedge\ \Big(n>1\to\bigvee_{0<r<n}(\exists z_1\ldots\exists z_r)\Big(m<z_1<\cdots<z_r<m'\ \wedge\ \bigvee_{\substack{\sum_{i=1}^r n_i=n-1\\ n_1,\ldots,n_r>0}}\ \bigwedge_{0<i\le r}\mathrm{CNT}_{n_i-1}(z_i)\Big)\Big)\,. \qquad (4.93)$$

We briefly explain the meaning of (4.93). Since $1^w_{(m)}$ is the largest TA-term of weight $m$ and $0^w_{(m')}$ is the smallest TA-term of weight $m'$, $1^w_{(m)}\prec^w_n 0^w_{(m')}$ means that there are at least $n-1$ TA-terms whose weights lie in $(m,m')$. If $n=1$, then $1^w_{(m)}\prec^w_n 0^w_{(m')}$ obviously reduces to $m<m'$. In case $n>1$, we assume the $n-1$ TA-terms between $1^w_{(m)}$ and $0^w_{(m')}$ are distributed over $r$ ($0<r<n$) different levels measured by weight, which is formally represented by

$$\bigvee_{\substack{\sum_{i=1}^r n_i=n-1\\ n_1,\ldots,n_r>0}}\ \bigwedge_{0<i\le r}\mathrm{CNT}_{n_i-1}(z_i)\,.$$

Since $r$ ranges from 1 to $n-1$, which is a constant, (4.93) is an abbreviation of a first-order formula.
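As an added check, not part of the dissertation, the Python below evaluates (4.93) literally, enumerating $r$, the weight levels $m<z_1<\cdots<z_r<m'$ and the positive compositions $n_1+\cdots+n_r=n-1$, and compares the outcome with the direct meaning stated above, that at least $n-1$ ground terms have weights in $(m,m')$. It assumes that $\mathrm{CNT}_k(z)$ holds iff more than $k$ ground terms have weight $z$, the reading under which $\mathrm{Tree}(m)\wedge\neg\mathrm{CNT}_1(m)$ says "exactly one term of weight $m$" as in the text; the table of term counts per weight is constructed for the example, and all function names are my own.

```python
"""Literal evaluation of reduction (4.93) for 1^w_(m) <^w_n 0^w_(m') against a
constructed table of ground-term counts per weight.

Added example, not from the dissertation.  Assumption: CNT_k(z) holds iff
more than k ground TA-terms have weight z (so Tree(m) and not CNT_1(m) reads
'exactly one term of weight m', as in the text)."""
from itertools import combinations
from typing import Dict, Iterator, Tuple

# Constructed sample: weight -> number of ground TA-terms of that weight.
# Weights missing from the table carry no terms (Tree is false there).
SAMPLE_COUNTS: Dict[int, int] = {1: 2, 2: 0, 3: 1, 4: 3, 6: 1}


def cnt(counts: Dict[int, int], k: int, z: int) -> bool:
    """CNT_k(z): more than k ground terms of weight z (assumed reading)."""
    return counts.get(z, 0) > k


def positive_compositions(total: int, parts: int) -> Iterator[Tuple[int, ...]]:
    """All (n_1, ..., n_parts) with every n_i > 0 and sum n_i = total."""
    if parts == 1:
        if total >= 1:
            yield (total,)
        return
    for first in range(1, total - parts + 2):
        for rest in positive_compositions(total - first, parts - 1):
            yield (first,) + rest


def formula_4_93(counts: Dict[int, int], m: int, m2: int, n: int) -> bool:
    """Evaluate (4.93) by enumeration: n = 1 -> m < m';
    n > 1 -> OR over 0 < r < n, weights m < z_1 < ... < z_r < m' and
    positive n_1 + ... + n_r = n - 1 of AND_i CNT_{n_i - 1}(z_i)."""
    if n == 1:
        return m < m2
    levels = list(range(m + 1, m2))            # candidate weights in (m, m')
    for r in range(1, n):
        for zs in combinations(levels, r):     # z_1 < ... < z_r
            for ns in positive_compositions(n - 1, r):
                if all(cnt(counts, ni - 1, zi) for ni, zi in zip(ns, zs)):
                    return True
    return False


def direct_meaning(counts: Dict[int, int], m: int, m2: int, n: int) -> bool:
    """1^w_(m) is the largest term of weight m and 0^w_(m') the smallest of
    weight m', so a chain of length n between them needs at least n - 1
    terms with weight strictly between m and m'."""
    if m >= m2:
        return False
    between = sum(c for z, c in counts.items() if m < z < m2)
    return between >= n - 1


def agrees_on_sample(counts: Dict[int, int] = SAMPLE_COUNTS,
                     max_weight: int = 7, max_n: int = 6) -> bool:
    """Check (4.93) against the direct meaning for all m, m' <= max_weight, n <= max_n."""
    return all(formula_4_93(counts, m, m2, n) == direct_meaning(counts, m, m2, n)
               for m in range(max_weight + 1)
               for m2 in range(max_weight + 1)
               for n in range(1, max_n + 1))


if __name__ == "__main__":
    print(agrees_on_sample())   # True on the constructed table
```

On the constructed table the weights in $(0,5)$ carry $2+0+1+3=6$ terms, so $1^w_{(0)}\prec^w_7 0^w_{(5)}$ holds and $1^w_{(0)}\prec^w_8 0^w_{(5)}$ does not; the enumeration reproduces exactly that, which is what the finite disjunction over $r$ and the compositions is for.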

The reduction of $1^w_{(m)}\dot{\prec}^w_n 0^w_{(m')}$ is obtained similarly (reduction (4.141), copied below):

$$\begin{aligned}
&\Big(n=1\to\big(m<m'\wedge\forall z\,(m<z<m'\to\neg\mathrm{Tree}(z))\big)\Big)\\
\wedge\ &\Big(n>1\to\bigvee_{0<r<n}(\exists z_1\ldots\exists z_r)\Big(m<z_1<\cdots<z_r<m'\ \wedge\ \neg(\exists z_1\ldots\exists z_{r+1})\big(m<z_1<\cdots<z_{r+1}<m'\big)\ \wedge\ \bigvee_{\substack{\sum_{i=1}^r n_i=n-1\\ n_1,\ldots,n_r>0}}\ \bigwedge_{0<i\le r}\mathrm{CNT}_{n_i-1}(z_i)\Big)\Big)\,.
\end{aligned} \qquad (4.141)$$

Here we need to add two more conjuncts. When $n=1$ we need

$$\forall z\,\big(m<z<m'\to\neg\mathrm{Tree}(z)\big)$$

to make sure that there exists no term whose weight lies in $(m,m')$. When $n>1$, we need

$$\neg(\exists z_1\ldots\exists z_{r+1})\big(m<z_1<\cdots<z_{r+1}<m'\big)$$

to guarantee that for a fixed $r\in(0,n)$ there are exactly $r$ legitimate weights in $(m,m')$.

Well-definedness of Boundary Terms. The reductions listed in Sections 4.8.1-4.8.5 implicitly assume well-definedness of boundary terms. The final reduction results should incorporate well-definedness predicates (in short, WD predicates, see Section 4.7). For example, for $n>1$, $1^w_{(m)}\prec^w_n 0^w_{(m')}$ is equivalent to

$$\begin{aligned}
&\big(\mathrm{WD}_{1^w}(m)\wedge\mathrm{WD}_{0^w}(m')\wedge(4.93)\big)\\
\vee\ &\big(\neg\mathrm{WD}_{1^w}(m)\wedge\mathrm{WD}_{0^w}(m')\wedge\bot\prec^w_n 0^w_{(m')}\big)\\
\vee\ &\big(\mathrm{WD}_{1^w}(m)\wedge\neg\mathrm{WD}_{0^w}(m')\wedge 1^w_{(m)}\prec^w_n\bot\big)\\
\vee\ &\big(\neg\mathrm{WD}_{1^w}(m)\wedge\neg\mathrm{WD}_{0^w}(m')\wedge\bot\prec^w_n\bot\big)\,.
\end{aligned}$$


However, we do not need to go through this detour if the parameters of the boundary terms come from weights of TA-terms, because then the WD predicates are valid. For example, for $n>1$, the final reduction result of $1^w_{(x^w)}\prec^w_n 0^w_{(y^w)}$ is just

$$\big(n=1\to x^w<y^w\big)\ \wedge\ \Big(n>1\to\bigvee_{0<r<n}(\exists z_1\ldots\exists z_r)\Big(x^w<z_1<\cdots<z_r<y^w\ \wedge\ \bigvee_{\substack{\sum_{i=1}^r n_i=n-1\\ n_1,\ldots,n_r>0}}\ \bigwedge_{0<i\le r}\mathrm{CNT}_{n_i-1}(z_i)\Big)\Big)\,.$$

Note that we use $\bot$ as the "sink value" to make boundary functions total. In general, the choice of a sink value affects the truth values of formulas in $\mathcal{L}^{\mathbb{Z}}_{kb^+}$; i.e., $\mathrm{Th}(\mathrm{TA}^{\mathbb{Z}}_{kb^+})$ varies with the sink value. However, $\mathrm{Th}(\mathrm{TA}_{kb})$ remains the same thanks to the incorporation of WD predicates.

Reduction of Relations Involving Constants. There is no separate list of reductions involving constants, as constants are just boundary terms. For example, $0^p_{(w(\alpha_p),p)}$ is another name for the constant $\alpha_p$. So is $1^p_{(w(\alpha_p),p)}$.

Summary

1. Section 4.8.1 lists reductions of closed term equalities.

2. Section 4.8.2 lists reductions of closed stretchable term gap order literals.

3. Section 4.8.3 lists reductions of closed rigid term gap order literals.

Lemma 4.6 (Reduction of Non-closed Term Gap Order Literals). Let

$$\star\in\big\{\prec^{kb}_n,\prec^w_n,\prec^p_n,\prec^l_n,\prec^{pl}_n,\dot{\prec}^{kb}_n,\dot{\prec}^w_n,\dot{\prec}^p_n,\dot{\prec}^l_n,\dot{\prec}^{pl}_n\big\}\quad(n>0)\,.$$

If $x$ is a TA-variable of type $\alpha_p$ with $\alpha_p=(s^{\alpha_p}_1,\ldots,s^{\alpha_p}_k)$ and $t$ is either a boundary term or an ordinary TA-term not containing $x$, then $x\star t$ ($t\star x$) can be effectively reduced to an equivalent quantifier-free formula $\varphi(s^{\alpha_p}_1 x,\ldots,s^{\alpha_p}_k x)$ in which $x$ occurs only in $s^{\alpha_p}_i x$ ($0<i\le k$).

Proof. It suffices to consider $\star\in\{\prec^w_n,\prec^p_n,\prec^l_n,\dot{\prec}^w_n,\dot{\prec}^p_n,\dot{\prec}^l_n\}$ for $n>0$. As before, we leave the detailed reductions to Sections 4.8.4-4.8.7, and only highlight the key components that differ from those in the proof of Lemma 4.5.


Gap Order Delineation. The general reduction rule is to delineate a gap order into "indecomposable" intervals by inserting boundary terms. Let us first consider open gap order literals. Suppose both $u$ and $v$ are ordinary TA-terms; then $u\prec^w_n v$ ($n>1$) reduces to

$$\bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}}u\prec^{pl}_{n_1}1^w_{(u^w)}\prec^w_{n_2}0^w_{(v^w)}\prec^{pl}_{n_3}v\,. \qquad (4.35)$$

Here is the intuition behind this reduction. $u\prec^w_n v$ states that $u\prec^w v$ and there is an increasing chain of length $n$ from $u$ to $v$. On this chain from $u$ to $v$ we have to cross two boundaries, $1^w_{(u^w)}$ first and $0^w_{(v^w)}$ second. The two boundaries delineate the chain into three segments, and the sum of the lengths of the three segments should be greater than or equal to $n$. Since there are infinitely many such combinations, a naive representation would require infinitely many disjunctions of conjunctions of literals. However, we can find a finite cover (an equivalent finite subset) by requiring that the sum of the lengths of the three segments be exactly $n$, because for any $k>0$,

$$\forall n_1,\ldots,\forall n_k\Big(\sum_{i=1}^k n_i\ge n\ \to\ (\exists n'_1\le n_1),\ldots,(\exists n'_k\le n_k)\ \sum_{i=1}^k n'_i=n\Big)$$

is valid in $\mathbb{N}$, and because for any $n,n'\in\mathbb{N}$, $n<n'$ implies that

$$\forall x,y\,\big(x\prec^\sharp_n y\ \leftrightarrow\ (x\prec^\sharp_n y\vee x\prec^\sharp_{n'}y)\big)\,,$$

where $\sharp\in\{w,p,l\}$, is valid in $\mathcal{L}^{\mathbb{Z}}_{kb^+}$.

The reduction for rigid gap order literals is similar. For example, $u\dot{\prec}^w_n v$ ($n>1$) reduces to

$$\bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}}u\dot{\prec}^{pl}_{n_1}1^w_{(u^w)}\dot{\prec}^w_{n_2}0^w_{(v^w)}\dot{\prec}^{pl}_{n_3}v\,.$$

Recall that $x\prec^{pl}y\equiv x\prec^p y\vee x\prec^l y$. Suppose we choose the branch

$$u\prec^p_{n_1}1^w_{(u^w)}\prec^w_{n_2}0^w_{(v^w)}\prec^p_{n_3}v\,. \qquad (4.36)$$

Assuming $u$ is of type $\alpha_p$ and $v$ of type $\alpha_q$, we can further delineate (4.36) to

$$\bigvee_{\substack{n_1=n_{11}+n_{12}\\ n_3=n_{31}+n_{32}}}u\prec^l_{n_{11}}1^p_{(u^w,p)}\prec^p_{n_{12}}1^w_{(u^w)}\prec^w_{n_2}0^w_{(v^w)}\prec^p_{n_{31}}0^p_{(v^w,q)}\prec^{pl}_{n_{32}}v\,. \qquad (4.37)$$

In general we delineate $u\prec^\sharp_n v$ by inserting $m$ boundary terms $t_1,\ldots,t_m$ between $u$ and $v$ satisfying

$$u\prec^{\sharp_0}t_1\prec^{\sharp_1}t_2\prec^{\sharp_2}\cdots\prec^{\sharp_{m-1}}t_m\prec^{\sharp_m}v\,, \qquad (4.38)$$

where $\sharp_i\in\{w,p,l\}$ ($i\le m$) and $\max\{\sharp_i\mid i\le m\}=\sharp$. Recall that $l\prec_c p\prec_c w$. For example, $\max\{w,p\}=w$ and $\min\{p,l\}=l$. It is not hard to argue that $u\prec^\sharp_n v$ is equivalent to

$$\bigvee_{n_0+\cdots+n_m=n}u\prec^{\sharp_0}_{n_0}t_1\prec^{\sharp_1}_{n_1}t_2\prec^{\sharp_2}_{n_2}\cdots\prec^{\sharp_{m-1}}_{n_{m-1}}t_m\prec^{\sharp_m}_{n_m}v\,. \qquad (4.39)$$

In such a delineation, $\prec^{\sharp_0}$ can be read as $=$. This saves unnecessary splittings on $\sharp$. However, it is not essential, as the termination of our reductions does not rely on the decrease of gap counts.

Similarly, $u\dot{\prec}^\sharp_n v$ can be delineated as

$$\bigvee_{n_0+\cdots+n_m=n}u\dot{\prec}^{\sharp_0}_{n_0}t_1\dot{\prec}^{\sharp_1}_{n_1}t_2\dot{\prec}^{\sharp_2}_{n_2}\cdots\dot{\prec}^{\sharp_{m-1}}_{n_{m-1}}t_m\dot{\prec}^{\sharp_m}_{n_m}v\,. \qquad (4.40)$$

The delineation of half-open gap order literals is similar.

Termination. The termination of these reductions does not rely on the decrease of gap counts. Rather, it relies on the fact that a gap order is eventually delineated into "indecomposable" $p$-intervals. A closed equality literal or a closed gap order literal can be reduced to a Presburger formula (Sections 4.8.1-4.8.3). So eventually half-open gap order literals and open gap order literals only involve TA-terms in the same $p$-interval; i.e., they are of the forms $x\prec^l_n t$, $t\prec^l_n x$, $x\dot{\prec}^l_n t$ and $t\dot{\prec}^l_n x$ ($n>0$), where $x$ and $t$ are of type $\alpha_p$ for some $\alpha_p=(s^{\alpha_p}_1,\ldots,s^{\alpha_p}_k)$.

Let us first consider literals like $x\prec^l_n t$. Suppose that $t$ is an ordinary term. Then $x=\alpha_p(s^{\alpha_p}_1 x,\ldots,s^{\alpha_p}_k x)$, $t=\alpha_p(s^{\alpha_p}_1 t,\ldots,s^{\alpha_p}_k t)$, and $x\prec^l_n t$ is equivalent to

$$\langle s^{\alpha_p}_1 x,\ldots,s^{\alpha_p}_k x\rangle\prec^{k;kb}_n\langle s^{\alpha_p}_1 t,\ldots,s^{\alpha_p}_k t\rangle\,,$$

which, by Lemma 4.7, further reduces to a formula in $\mathcal{L}^{\mathbb{Z}}_{kb^+}$ in terms of $s^{\alpha_p}_i x$ and $s^{\alpha_p}_i t$ ($0<i\le k$).

Now suppose that $t$ is a boundary term, say $t\equiv 0^w_{(m)}$. We can rewrite $t$ as $\alpha_p(s^{\alpha_p}_1 0^w_{(m)},\ldots,s^{\alpha_p}_k 0^w_{(m)})$. So $x\prec^l_n t$ is equivalent to

$$\langle s^{\alpha_p}_1 x,\ldots,s^{\alpha_p}_k x\rangle\prec^{k;kb}_n\langle s^{\alpha_p}_1 0^w_{(m)},\ldots,s^{\alpha_p}_k 0^w_{(m)}\rangle\,,$$

which, by Lemma 4.7, further reduces to a formula in $\mathcal{L}^{\mathbb{Z}}_{kb^+}$ in terms of $s^{\alpha_p}_i x$ and $s^{\alpha_p}_i 0^w_{(m)}$ ($0<i\le k$). Each $s^{\alpha_p}_i 0^w_{(m)}$ must be the smallest term (w.r.t. $\prec^{kb}$) of weight $(s^{\alpha_p}_i 0^w_{(m)})^w$. By Lemma 4.3, $s^{\alpha_p}_1 0^w_{(m)},\ldots,s^{\alpha_p}_k 0^w_{(m)}$ are simplified to boundary terms not occurring inside selectors, say $0^w_{(f_1(m))},\ldots,0^w_{(f_k(m))}$, where $f_1,\ldots,f_k$ are integer functions definable in Presburger arithmetic (Section 4.7).

We have similar results for $t\prec^l_n x$, $x\dot{\prec}^l_n t$ and $t\dot{\prec}^l_n x$.

Summary

1. Section 4.8.4 lists reductions of half-open stretchable gap order literals.

2. Section 4.8.5 lists reductions of half-open rigid gap order literals.

3. Section 4.8.6 lists reductions of open stretchable gap literals.

4. Section 4.8.7 lists reductions of open rigid gap literals.

Lemma 4.7 (Reduction of Tuple Literals). Let $U,V$ be $k$-tuples of the same weight, and

$$\star\in\big\{=,\prec^{k;kb}_n,\prec^{k;w}_n,\prec^{k;p}_n,\prec^{k;l}_n,\prec^{k;pl}_n,\dot{\prec}^{k;kb}_n,\dot{\prec}^{k;w}_n,\dot{\prec}^{k;p}_n,\dot{\prec}^{k;l}_n,\dot{\prec}^{k;pl}_n\big\}\quad(k>0,\ n>0)\,.$$

1. If $U=\langle u_1,\ldots,u_k\rangle$ is an ordinary tuple, then $U\star V$ ($V\star U$) can be effectively reduced to an equivalent quantifier-free formula $\varphi(u_1,\ldots,u_k)$ (in $\mathcal{L}^{\mathbb{Z}}_{kb^+}$) in which $u_i$ ($0<i\le k$) does not occur inside selectors.

2. If $U\star V$ ($V\star U$) is closed, i.e., both $U$ and $V$ are boundary tuples, then it can be effectively reduced to an equivalent Presburger formula.

Proof. There are many types of tuple literals, especially closed tuple literals. However, as tuples are only used in intermediate steps of the reduction, we only encounter a small portion of the combinations. The detailed reductions are given in Sections 4.8.8-4.8.15. Here we only highlight the key components of the proof.

Notation. First recall that we define tuple relations between tuples of the same weight. So tuple relations are parameterized not only by $k$, the tuple length, but also by $m$, the total weight.

Second, recall that we define the suborders on tuples $\langle u_1,\ldots,u_k\rangle\prec^{k;\sharp}\langle v_1,\ldots,v_k\rangle$ ($\sharp\in\{w,p,l\}$) as

$$u_1\prec^\sharp v_1\ \vee\ \big(u_1=v_1\wedge\langle u_2,\ldots,u_k\rangle\prec^{k-1;kb}\langle v_2,\ldots,v_k\rangle\big)\,, \qquad (4.41)$$

instead of as

$$\exists i\,(0<i\le k)\big[\,u_i\prec^\sharp v_i\wedge\forall j\,(1\le j<i)\ u_j=v_j\,\big]\,. \qquad (4.42)$$

As we shall see shortly, this technical choice gives the reducts (reduced formulas) a uniform appearance.


Third recall that $\langle u_1,\dots,u_k\rangle \prec^{k;\sharp}_{n} \langle v_1,\dots,v_k\rangle$ is proper if $u_1 \prec^{\sharp} v_1$. We claim that improper orders can be decomposed into a Boolean combination of proper orders between $k$-tuples and proper orders between tuples of shorter length. We first show that we can always write $U \prec^{k;\sharp}_{n} V$ in the form
$$\langle u_1,\dots,u_k\rangle \prec^{k;\sharp}_{n} \langle v_1,\dots,v_k\rangle.$$
This trivially holds if both $U$ and $V$ are ordinary tuples. Now suppose $U$ is a boundary tuple. We claim that $U = \langle u_1,\dots,u_k\rangle$ where $u_1,\dots,u_k$ are boundary terms. In fact we have
$$\begin{aligned}
\mathbf{1}^{k;kb}_{(sum)} &= \big\langle\, \mathbf{1}^{w}_{(CWL^{k}_{1}(sum))},\ \mathbf{1}^{w}_{(CWL^{k}_{2}(sum))},\ \dots,\ \mathbf{1}^{w}_{(CWL^{k}_{k}(sum))}\,\big\rangle,\\
\mathbf{1}^{k;w}_{(sum,m)} &= \big\langle\, \mathbf{1}^{w}_{(m)},\ \mathbf{1}^{w}_{(CWL^{k-1}_{1}(sum-m))},\ \dots,\ \mathbf{1}^{w}_{(CWL^{k-1}_{k-1}(sum-m))}\,\big\rangle,\\
\mathbf{1}^{k;p}_{(sum,m,p)} &= \big\langle\, \mathbf{1}^{p}_{(m,p)},\ \mathbf{1}^{w}_{(CWL^{k-1}_{1}(sum-m))},\ \dots,\ \mathbf{1}^{w}_{(CWL^{k-1}_{k-1}(sum-m))}\,\big\rangle,\\
\mathbf{0}^{k;kb}_{(sum)} &= \big\langle\, \mathbf{0}^{w}_{(CWS^{k}_{1}(sum))},\ \mathbf{0}^{w}_{(CWS^{k}_{2}(sum))},\ \dots,\ \mathbf{0}^{w}_{(CWS^{k}_{k}(sum))}\,\big\rangle,\\
\mathbf{0}^{k;w}_{(sum,m)} &= \big\langle\, \mathbf{0}^{w}_{(m)},\ \mathbf{0}^{w}_{(CWS^{k-1}_{1}(sum-m))},\ \dots,\ \mathbf{0}^{w}_{(CWS^{k-1}_{k-1}(sum-m))}\,\big\rangle,\\
\mathbf{0}^{k;p}_{(sum,m,p)} &= \big\langle\, \mathbf{0}^{p}_{(m,p)},\ \mathbf{0}^{w}_{(CWS^{k-1}_{1}(sum-m))},\ \dots,\ \mathbf{0}^{w}_{(CWS^{k-1}_{k-1}(sum-m))}\,\big\rangle,
\end{aligned}$$
where $CWL^{k}_{i}(n)$ (resp. $CWS^{k}_{i}(n)$) gives the weight of the $i$th component of the largest (resp. the smallest) $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$ (Section 4.7). The case that $V$ is a boundary tuple is similar.

Therefore, $U \prec^{k;\sharp}_{n} V$ reduces to
$$\big((u_1 = v_1) \wedge \langle u_2,\dots,u_k\rangle \prec^{k;kb}_{n} \langle v_2,\dots,v_k\rangle\big)\ \vee\ \big((u_1 \prec^{\sharp} v_1) \wedge \langle u_1,\dots,u_k\rangle \prec^{k;\sharp}_{n} \langle v_1,\dots,v_k\rangle\big),$$
which contains two disjuncts; the first is a tuple order on tuples of a shorter length and the second is a proper tuple order on tuples of the same length. Iteratively applying the process, an improper $k$-tuple order can be decomposed into a Boolean combination of proper $k'$-tuple orders for $k'\le k$. Therefore, it suffices to show proper reductions, the reductions of proper orders on tuples of the same weight, which are given in Sections 4.8.8-4.8.15. All reduction rules therefore contain an implicit side condition $u_1 \prec^{\sharp} v_1$ or $u_1 \lhd^{\sharp} v_1$ in the redex (target formula).

Gap Order Delineation and Tuple Length Reduction. The general reduction rule is the same as in the proof of Lemma 4.6, namely, using boundary tuples to delineate a tuple order into "indecomposable" intervals. For example, let $U = \langle u_1,\dots,u_k\rangle$, $V = \langle v_1,\dots,v_k\rangle$ be ordinary tuples, and $sum = \sum_{i=1}^{k} u^{w}_{i} = \sum_{i=1}^{k} v^{w}_{i}$. Then $U \prec^{k;w}_{n} V$ ($n>0$) reduces to (reduction (4.339), copied below)
$$\bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} \langle u_1,\dots,u_k\rangle \prec^{k;pl}_{n_1} \mathbf{1}^{k;w}_{(sum,u^{w}_{1})} \prec^{k;w}_{n_2} \mathbf{0}^{k;w}_{(sum,v^{w}_{1})} \prec^{k;pl}_{n_3} \langle v_1,\dots,v_k\rangle. \tag{4.339}$$

Now it is clear why we define $\langle u_1,\dots,u_k\rangle \prec^{k;\sharp}_{n} \langle v_1,\dots,v_k\rangle$ by (4.41) rather than by (4.42). Suppose we did it the other way. Then in the reduction (4.339) we could not have $\langle u_1,\dots,u_k\rangle \prec^{k;pl}_{n_1} \mathbf{1}^{k;w}_{(sum,u^{w}_{1})}$, because the order between $\langle u_1,\dots,u_k\rangle$ and $\mathbf{1}^{k;w}_{(sum,u^{w}_{1})}$ may be determined by the weight of the $i$th components for some $i>1$.

Besides gap order delineation, we also need to decompose a tuple gap order using tuple gap orders of shorter lengths and term gap orders. For example, $\langle u_1,\dots,u_k\rangle \prec^{k;p}_{n_1} \mathbf{1}^{k;w}_{(sum,u^{w}_{1})}$, which is a conjunct in a disjunct of (4.339), reduces to (reduction (4.322), copied below)
$$\bigvee_{\substack{n_{11}(n_{12}+1)+n_{13}\ \ge\ n_1\\ n_{11},\,n_{12},\,n_{13}\ \le\ n_1}} \Big(u_1 \prec^{p}_{n_{11}} \mathbf{1}^{w}_{(u^{w}_{1})} \ \wedge\ \mathbf{0}^{k-1;kb}_{(sum-u^{w}_{1})} \prec^{k-1;kb}_{n_{12}} \mathbf{1}^{k-1;kb}_{(sum-u^{w}_{1})} \ \wedge\ \langle u_2,\dots,u_k\rangle \prec^{k-1;kb}_{n_{13}} \mathbf{1}^{k-1;kb}_{(sum-u^{w}_{1})}\Big). \tag{4.322}$$

We briefly explain the reason behind (4.322). The tuples in between $\langle u_1,\dots,u_k\rangle$ and $\mathbf{1}^{k;w}_{(sum,u^{w}_{1})}$ can be divided into $n_{11}+1$ segments, where $n_{11}+1$ is the number of ground $\mathcal{T}_A$-terms in between $u_1$ and $\mathbf{1}^{w}_{(u^{w}_{1})}$ (including $u_1$ and $\mathbf{1}^{w}_{(u^{w}_{1})}$). Each of the first $n_{11}$ segments contains $n_{12}+1$ $k$-tuples, where $n_{12}+1$ is the number of $(k-1)$-tuples of weight $sum-u^{w}_{1}$. The last segment contains $n_{13}$ $k$-tuples, because $n_{13}$ is the number of $(k-1)$-tuples greater than or equal to $\langle u_2,\dots,u_k\rangle$ but less than $\mathbf{1}^{k-1;kb}_{(sum-u^{w}_{1})}$. We require $n_{11}(n_{12}+1)+n_{13}\ge n_1$ and $n_{11},n_{12},n_{13}\le n_1$ to have finitely many disjuncts. It suffices because for any $k>0$ and for any polynomial $P(x_1,\dots,x_k)$ containing only positive coefficients, the following formula is valid in $\mathbb{N}$:
$$\forall m_1,\dots,\forall m_k\Big[\,P(m_1,\dots,m_k)\ge m \ \to\ \exists m'_1\le m,\dots,\exists m'_k\le m\,\Big(\bigwedge_{i=1}^{k} m'_i\le m_i \ \wedge\ P(m'_1,\dots,m'_k)\ge m\Big)\Big].$$

The reduction of $U \lhd^{k;\sharp}_{n} V$ is defined similarly, with stretchable gap orders replaced by the corresponding rigid gap orders. For example, $\langle u_1,\dots,u_k\rangle \lhd^{k;p}_{n_1} \mathbf{1}^{k;w}_{(sum,u^{w}_{1})}$ reduces to (reduction (4.334), copied below)
$$\bigvee_{\substack{n_{11}(n_{12}+1)+n_{13}\ =\ n_1\\ n_{11},\,n_{12},\,n_{13}\ \le\ n_1}} \Big(u_1 \lhd^{p}_{n_{11}} \mathbf{1}^{w}_{(u^{w}_{1})} \ \wedge\ \mathbf{0}^{k-1;kb}_{(sum-u^{w}_{1})} \lhd^{k-1;kb}_{n_{12}} \mathbf{1}^{k-1;kb}_{(sum-u^{w}_{1})} \ \wedge\ \langle u_2,\dots,u_k\rangle \lhd^{k-1;kb}_{n_{13}} \mathbf{1}^{k-1;kb}_{(sum-u^{w}_{1})}\Big). \tag{4.334}$$
Here we require $n_{11}(n_{12}+1)+n_{13} = n_1$ instead of $n_{11}(n_{12}+1)+n_{13}\ge n_1$.

As an example of closed relations, we consider $\mathbf{1}^{k;w}_{(sum,m)} \prec^{k;w}_{n} \mathbf{0}^{k;w}_{(sum,m')}$, which reduces to (reduction (4.243), copied below)
$$\begin{aligned}
&(n=1 \ \to\ m<m')\\
\wedge\ &\Big(n>1 \ \to\ \bigvee_{0<r<n}\Big[\, m < CW^{k}_{1}(sum,m,m') < \cdots < CW^{k}_{r}(sum,m,m') < m' \\
&\qquad\qquad \wedge \bigvee_{\substack{\sum_{i=1}^{r} n_i = n-1\\ n_i>0}}\ \bigwedge_{0<i\le r} \mathbf{0}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))} \prec^{k;w}_{n_i-1} \mathbf{1}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))}\Big]\Big).
\end{aligned} \tag{4.243}$$

We explain the meaning of (4.243). Since $\mathbf{1}^{k;w}_{(sum,m)}$ is the largest $k$-tuple of weight $sum$ with the first component having weight $m$, and $\mathbf{0}^{k;w}_{(sum,m')}$ is the smallest $k$-tuple of weight $sum$ with the first component having weight $m'$, $\mathbf{1}^{k;w}_{(sum,m)} \prec^{k;w}_{n} \mathbf{0}^{k;w}_{(sum,m')}$ means that there are at least $n-1$ $k$-tuples of weight $sum$ in between $\mathbf{1}^{k;w}_{(sum,m)}$ and $\mathbf{0}^{k;w}_{(sum,m')}$ (including neither $\mathbf{1}^{k;w}_{(sum,m)}$ nor $\mathbf{0}^{k;w}_{(sum,m')}$), and in each of these $k$-tuples the weight of the first component is greater than $m$ but smaller than $m'$. If $n=1$, then obviously $\mathbf{1}^{k;w}_{(sum,m)} \prec^{k;w}_{n} \mathbf{0}^{k;w}_{(sum,m')}$ reduces to $m<m'$. If $n>1$, then for some $r$ ($0<r<n$) the $n-1$ $k$-tuples distribute into $r$ different levels according to the weights of their first components, which is formally represented as
$$\bigvee_{\substack{\sum_{i=1}^{r} n_i = n-1\\ n_i\ge 1}}\ \bigwedge_{0<i\le r} \mathbf{0}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))} \prec^{k;w}_{n_i-1} \mathbf{1}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))},$$
where $CW^{k}_{i}(n,m,m')$ gives the $i$th smallest integer in $(m,m')$ which is the weight of a component in a $k$-tuple of weight $n$ (Section 4.7), and
$$\mathbf{0}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))} \prec^{k;w}_{n_i-1} \mathbf{1}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))}$$
states that there are $n_i$ $k$-tuples of weight $sum$ with the first component of weight $CW^{k}_{i}(sum,m,m')$. We require $\sum_{i=1}^{r} n_i = n-1$ and $n_i\ge 1$ for $1\le i\le r$.

The reduction of $\mathbf{1}^{k;w}_{(sum,m)} \lhd^{k;w}_{n} \mathbf{0}^{k;w}_{(sum,m')}$ is obtained similarly as (reduction (4.291), copied below)
$$\begin{aligned}
&\Big(n=1 \ \to\ \big(m<m' \wedge \forall z\,(m<z<m' \to \neg\,IsTW^{k}(z))\big)\Big)\\
\wedge\ &\Big(n>1 \ \to\ \bigvee_{0<r<n}\Big[\, m < CW^{k}_{1}(sum,m,m') < \cdots < CW^{k}_{r}(sum,m,m') < m' \\
&\qquad\qquad \wedge\ \neg\big(m < CW^{k}_{1}(sum,m,m') < \cdots < CW^{k}_{r+1}(sum,m,m') < m'\big)\\
&\qquad\qquad \wedge \bigvee_{\substack{\sum_{i=1}^{r} n_i = n-1\\ n_i>0}}\ \bigwedge_{0<i\le r} \mathbf{0}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))} \lhd^{k;w}_{n_i-1} \mathbf{1}^{k;w}_{(sum,\,CW^{k}_{i}(sum,m,m'))}\Big]\Big).
\end{aligned} \tag{4.291}$$

Here we need to add two more conjuncts. When $n=1$ we need
$$\forall z\,\big(m<z<m' \to \neg\,IsTW^{k}(z)\big)$$
to make sure that there exists no $k$-tuple whose weight is in $(m,m')$. When $n>1$, we need
$$\neg\big(m < CW^{k}_{1}(sum,m,m') < \cdots < CW^{k}_{r+1}(sum,m,m') < m'\big)$$
to guarantee that for a fixed $r\in(0,n)$ there are exactly $r$ legitimate (tuple) weights in $(m,m')$.

Termination. As in Lemma 4.6, the termination of these reductions does not rely on the decrease of gap counts. Rather, a tuple gap order is first delineated into "indecomposable" intervals, which are in turn reduced to tuple gap orders of shorter lengths. Recall that tuple gap orders of length 1 are essentially term gap orders. Repeatedly applying the reduction, eventually only term gap orders $\prec^{\sharp}_{n}$ and $\lhd^{\sharp}_{n}$ ($\sharp\in\{w,p,l\}$) appear, i.e., a tuple gap order reduces to a formula in $\mathcal{L}^{\mathbb{Z}}_{kb+}$, and hence the reduction terminates. In particular, a closed tuple gap order or a closed tuple equality literal reduces to a Presburger formula.

Well-definedness of Boundary Tuples. The reductions listed in Sections 4.8.8-4.8.15 implicitly rely on the assumption that boundary tuples are well-defined. This assumption holds because the parameters of boundary tuples come from weights of well-defined $\mathcal{T}_A$-terms.

Reduction of Literals Involving $\mathbf{0}^{k;kb}_{(sum)}$ or $\mathbf{1}^{k;kb}_{(sum)}$. There is no separate list of reductions for tuple gap orders involving $\mathbf{0}^{k;kb}_{(sum)}$ or $\mathbf{1}^{k;kb}_{(sum)}$, as they can be expressed, respectively, by
$$\mathbf{0}^{k;kb}_{(sum)} = \mathbf{0}^{k;w}_{(sum,\,MinCW^{k}(sum))},\qquad \mathbf{1}^{k;kb}_{(sum)} = \mathbf{1}^{k;w}_{(sum,\,MaxCW^{k}(sum))},$$
where $MinCW^{k}(sum)$ (resp. $MaxCW^{k}(sum)$) gives the smallest (resp. the largest) integer in $(0,sum+1)$ that is the weight of a component in a $k$-tuple having weight $sum$ (Section 4.7).

The Number of Open Gap Order Literals. As we mentioned before, tuple gap orders reduce to term gap orders. The reduction does not increase the number of open term gap order literals. The only places generating new open term gap order literals are the reduction of $\langle u_1,\dots,u_k\rangle \prec^{k;l}_{n} \langle v_1,\dots,v_k\rangle$ (reduction (4.341)) and the reduction of $\langle u_1,\dots,u_k\rangle \lhd^{k;l}_{n} \langle v_1,\dots,v_k\rangle$ (reduction (4.344)).

Consider reduction (4.341) (copied below):
$$\bigvee_{\substack{n_1+n_2+n_3=n\\ n_3>0}}\Big[\langle u_2,\dots,u_k\rangle \prec^{k-1;kb}_{n_1} \mathbf{1}^{k-1;kb}_{(rem)}\ \wedge\ \mathbf{0}^{k-1;kb}_{(rem)} \prec^{k-1;kb}_{n_2} \langle v_2,\dots,v_k\rangle\ \wedge \bigvee_{\substack{(m_1+1)(m_2-1)\ \ge\ n_3-1\\ m_2>0,\ m_1,m_2<n_3}}\Big(\mathbf{0}^{k-1;kb}_{(rem)} \prec^{k-1;kb}_{m_1} \mathbf{1}^{k-1;kb}_{(rem)}\ \wedge\ u_1 \prec^{l}_{m_2} v_1\Big)\Big], \tag{4.341}$$
where $rem = \sum_{i=2}^{k} u^{w}_{i} = \sum_{i=2}^{k} v^{w}_{i}$. It is clear that in (4.341) each disjunct (a conjunction of literals) contains only one open gap order literal, namely $u_1 \prec^{l}_{m_2} v_1$. Since the reduction is triggered by an open gap order literal, there is no increase in the number of open gap order literals. Though $u_1 \prec^{l} v_1$ is an implicit open gap order literal in the redex, it is not included in any reduct, as it has been replaced by the more precise relation $u_1 \prec^{l}_{m_2} v_1$.

The case for reduction (4.344) is similar.

Summary

1. Section 4.8.8 lists reductions of closed tuple equality literals.

2. Section 4.8.9 lists reductions of half-open tuple equality literals.

3. Section 4.8.10 lists reductions of closed stretchable tuple gap order literals.

4. Section 4.8.11 lists reductions of closed rigid tuple gap order literals.

5. Section 4.8.12 lists reductions of half-open stretchable tuple gap order literals.

6. Section 4.8.13 lists reductions of half-open rigid tuple gap order literals.

7. Section 4.8.14 lists reductions of open stretchable tuple gap order literals.

8. Section 4.8.15 lists reductions of open rigid tuple gap order literals.

Lemma 4.8 (Elimination of Term Quantifiers). Let $x$ be a term variable, $\varphi_{kb+}(x)$ a conjunction of literals in $\mathcal{L}_{kb+}$ with $depth_{\varphi_{kb+}}(x)=0$, and $\varphi_{\mathbb{Z}}(x)$ a Presburger formula in which $x$ occurs inside the weight function. Then
$$(\exists x:\mathcal{T})\big[\,\varphi_{kb+}(x)\wedge\varphi_{\mathbb{Z}}(x)\,\big]$$
can be effectively reduced to $\varphi'_{kb+}\wedge\varphi'_{\mathbb{Z}}$ in which $x$ does not occur and $\varphi'_{kb+}$ is quantifier-free.

Proof. The antecedent of the lemma only requires that all term occurrences of $x$ have depth 0, so $x$ may have arbitrarily many integer occurrences of the form $(Lx)^{w}$ where $L$ is a (possibly empty) selector sequence. We divide the proof into two parts.

Part 1. $\varphi_{kb+}(x)$ contains $x=t$ where $t$ may contain $x$. We rewrite $(\exists x:\mathcal{T})[\varphi_{kb+}(x)\wedge\varphi_{\mathbb{Z}}(x)]$ as
$$(\exists x:\mathcal{T})\big[\,x=t\wedge\varphi(x)\,\big], \tag{4.43}$$
where $\varphi(x)$ is a conjunction of literals in $\mathcal{L}^{\mathbb{Z}}_{kb+}$. We consider four cases.

1. $t$ does not contain $x$. Then (4.43) simplifies to $\varphi(t)$.

2. $t\equiv x$. Then (4.43) simplifies to $(\exists x)\varphi(x)$.

3. $t\equiv Lx$ where $L$ is a non-empty selector block. Then (4.43) simplifies to $\mathit{false}$, since we assume that terms like $Lx$ are proper (Definition 2.2).

4. $t$ is a boundary term in which $(L_ix)^{w}$ ($i\le n$) occur in an integer function. In this case we assume that (4.43) has the form
$$(\exists x:\mathcal{T})\big[\,x = t[f((L_0x)^{w},\dots,(L_nx)^{w})]\wedge\varphi(x)\,\big], \tag{4.44}$$
where $L_0x\equiv x$ (i.e., $L_0\equiv\emptyset$), $L_0x,\dots,L_nx$ enumerate all selector terms containing $x$ (including improper selector terms inside selectors), and $f((L_0x)^{w},\dots,(L_nx)^{w})$ denotes the maximum integer term in $t$. We assume $t[f((L_0x)^{w},\dots,(L_nx)^{w})]$ is a well-defined boundary term (Section 4.7). Otherwise $t=\bot$ and hence (4.43) reduces to $\varphi(\bot)$. The set of terms $\{L_ix\mid i\le n\}$ corresponds to a tree with root $x$. We assume that this tree is sibling complete, that is, sibling nodes coexist. For example, a formula in $\mathit{List}$ is sibling complete if for any term $t$ it either contains both $car(t)$ and $cdr(t)$ or contains neither. In general, if we need $L'x$ to appear, we can just set
$$f((L_0x)^{w},\dots,(L_nx)^{w},(L'x)^{w}) := f((L_0x)^{w},\dots,(L_nx)^{w}) + (L'x)^{w} - (L'x)^{w}.$$

It is easily seen that (4.44) is equivalent to
$$(\exists x:\mathcal{T})\big[\,x = t[f((L_0x)^{w},\dots,(L_nx)^{w})]\ \wedge\ \varphi\big(t[f((L_0x)^{w},\dots,(L_nx)^{w})]\big)\,\big], \tag{4.45}$$
where $x$ has only one term occurrence, namely as the left-hand side of
$$x = t[f((L_0x)^{w},\dots,(L_nx)^{w})]. \tag{4.46}$$

Note that the substitution used to transform (4.44) into (4.45) may put a boundary term inside a selector term. In fact, it is only this type of substitution that makes a boundary term appear inside a selector. However, Lemma 4.3 eliminates this superficial complication. We claim that (4.45) is equivalent to
$$(\exists (L_0x)^{w},\dots,(L_nx)^{w}:\mathbb{Z})\big[\,\varphi\big(t[f((L_0x)^{w},\dots,(L_nx)^{w})]\big)\ \wedge\ \varphi_{\Delta}((L_0x)^{w},\dots,(L_nx)^{w})\,\big], \tag{4.47}$$
where the $(L_ix)^{w}$ are pseudo integer variables, and $\varphi_{\Delta}$ is the integer constraint on the weights of subterms of $x$ satisfying the following conditions.

(a) $\varphi_{\Delta}$ requires that $x$ be a legitimate term.

 i. For each leaf node $L_ix$, $\varphi_{\Delta}$ includes $Tree_{\alpha_p}((L_ix)^{w})$, where $type(L_ix)=\alpha_p$. This states that each leaf has a well-defined weight.

 ii. For each non-leaf node $L_ix$, $\varphi_{\Delta}$ includes
$$(L_ix)^{w} = w(\alpha_p) + \sum_{j=1}^{k}\big(s^{\alpha_p}_{j}L_ix\big)^{w},$$
 where $type(L_ix)=\alpha_p=(s^{\alpha_p}_{1},\dots,s^{\alpha_p}_{k})$ and $s^{\alpha_p}_{1}L_ix,\dots,s^{\alpha_p}_{k}L_ix$ are the immediate children of $L_ix$. This states that the weight of a tree is the sum of the weight of the root and the weights of the immediate children of the root.

(b) $\varphi_{\Delta}$ requires that $x$ be a legitimate boundary term. For example, suppose
$$t \equiv \mathbf{0}^{w}_{(f((L_0x)^{w},\dots,(L_nx)^{w}))}. \tag{4.48}$$

 i. $\varphi_{\Delta}$ includes $x^{w} = f((L_0x)^{w},\dots,(L_nx)^{w})$.

 ii. Each node $L_ix$ must be the smallest (w.r.t. $\prec^{kb}$) of weight $(L_ix)^{w}$. If $type(L_ix)=\alpha_p$, then there exists no $p'$ such that $p<p'\le|\Sigma|$ and $Tree_{\alpha_{p'}}((L_ix)^{w})$ holds. This constraint is formally expressed as
$$\bigwedge_{p<p'\le|\Sigma|}\neg\,Tree_{\alpha_{p'}}((L_ix)^{w}).$$

 iii. Each non-leaf node must have the smallest tuple of children (w.r.t. $\prec^{k;kb}$). If $L_ix$ has $k$ immediate children $s^{\alpha_p}_{1}L_ix,\dots,s^{\alpha_p}_{k}L_ix$ (in order from left to right), we require that $\langle s^{\alpha_p}_{1}L_ix,\dots,s^{\alpha_p}_{k}L_ix\rangle$ be the smallest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n=\sum_{j=1}^{k}(s^{\alpha_p}_{j}L_ix)^{w}$. This constraint is formally expressed as
$$\bigwedge_{0<j\le k}\big(s^{\alpha_p}_{j}L_ix\big)^{w} = CWS^{k}_{j}(n),$$
 where $CWS^{k}_{j}(n)$ gives the weight of the $j$th component of the smallest $k$-tuple (w.r.t. $\prec^{k;kb}$) of weight $n$ (Section 4.7).

Similarly we can obtain constraints for
$$t\equiv\mathbf{0}^{p}_{(f((L_0x)^{w},\dots,(L_nx)^{w}),\,p)},\qquad t\equiv\mathbf{1}^{w}_{(f((L_0x)^{w},\dots,(L_nx)^{w}))},\qquad t\equiv\mathbf{1}^{p}_{(f((L_0x)^{w},\dots,(L_nx)^{w}),\,p)}.$$

The intuition behind this reduction is that when a term $x$ occurs inside the weight function, all its term properties (that are expressible in the formal language) can be fully characterized by integer properties that are expressible in $\mathcal{L}_{\mathbb{Z}}$. We therefore view $(L_ix)^{w}$ as syntactical integer variables. By variable renaming we transform (4.47) to
$$(\exists z_0,\dots,z_n:\mathbb{Z})\big[\,\varphi(t[f(z_0,\dots,z_n)])\ \wedge\ \varphi_{\Delta}(z_0,\dots,z_n)\,\big]. \tag{4.49}$$

We show the equivalence of (4.45) and (4.49). Suppose $x$ is a ground boundary term satisfying (4.45); then $w(L_0x),\dots,w(L_nx)$ clearly satisfy $\varphi_{\Delta}((L_0x)^{w},\dots,(L_nx)^{w})$, which describes integer constraints on $L_0x,\dots,L_nx$. Therefore, (4.45) implies (4.49). For the reverse direction, let $z_0,\dots,z_n$ be integers satisfying (4.49). Without loss of generality we assume $t$ to be as in (4.48). We obtain an $x$ by setting $L_ix := \mathbf{0}^{p}_{(z_i,\,p)}$ for each leaf node $L_ix$ with type $\alpha_p$. Such an $x$ is clearly the well-defined ground boundary term $\mathbf{0}^{w}_{(f(z_0,\dots,z_n))}$, due to the fact that $\varphi_{\Delta}(z_0,\dots,z_n)$ is a complete integer constraint on the weights of all subterms of $\mathbf{0}^{w}_{(f(z_0,\dots,z_n))}$. Therefore, (4.45) is satisfied.

Part 2. $\varphi_{kb+}(x)$ does not contain equalities like $x=t$. Since $x$ is the only term occurrence of $x$ in $\varphi_{kb+}$, we can move the literals not containing $x$ out of $(\exists x:\mathcal{T})$, and hence we assume that $\varphi_{kb+}$ is of the form
$$\bigwedge_{0<i\le l} u_i\ E_i\ x\ \ \wedge\ \bigwedge_{0<j\le m} x\ E_{l+j}\ v_j, \tag{4.50}$$
where the $E_i$ ($0<i\le l+m$) are gap orders. By Lemma 4.12, $\varphi_{kb+}$ is equivalent to a disjunction of delineated gap order completions, each of which contains no more open gap order literals than $\varphi_{kb+}(x)$ does. Now we assume $\varphi_{kb+}(x)$ is a DGOC, denoted by
$$DGOC(x,(L_0x)^{w},\dots,(L_nx)^{w}),$$
where (as in Part 1) $L_0x\equiv x$, $L_0x,\dots,L_nx$ enumerate all selector terms containing $x$ and form a sibling-complete tree with $x$ as the root, and $(L_0x)^{w},\dots,(L_nx)^{w}$ enumerate all integer occurrences of $x$ that may occur in $\varphi_{\mathbb{Z}}(x)$ as well as inside boundary terms in $\varphi_{kb+}(x)$. Let $\bar{x}^{w}$ abbreviate $(L_0x)^{w},\dots,(L_nx)^{w}$. Since $DGOC(x,\bar{x}^{w})$ is delineated, we assume that $DGOC(x,\bar{x}^{w})$ has the form
$$\underbrace{t_1\ E_1\ \cdots\ E_{i-2}\ t_{i-1}}_{Head(\bar{x}^{w})}\ \ E_{i-1}\ \ x\ \ E_i\ \ \underbrace{t_{i+1}\ E_{i+1}\ \cdots\ E_{n-1}\ t_n}_{Tail(\bar{x}^{w})},$$
where $E_{i-1}\in\{\prec^{\sharp}_{n_1},\lhd^{\sharp}_{n_1}\}$, $E_i\in\{\prec^{\natural}_{n_2},\lhd^{\natural}_{n_2}\}$, $\sharp\equiv\natural\in\{l,pl\}$, and $Head(\bar{x}^{w})$ (resp. $Tail(\bar{x}^{w})$) denotes the linear order before $x$ (resp. after $x$) in the above sequence. Without loss of generality, we further assume $E_{i-1}$ is $\prec^{l}_{n_1}$ and $E_i$ is $\prec^{l}_{n_2}$ for $n_1,n_2>0$. Accordingly, $DGOC(x,\bar{x}^{w})$ has the form
$$Head(\bar{x}^{w}) \prec^{l}_{n_1} x \prec^{l}_{n_2} Tail(\bar{x}^{w}).$$
We write $Head(\bar{x}^{w}) \prec^{l}_{n_1+n_2} Tail(\bar{x}^{w})$ to denote
$$\underbrace{t_1\ E_1\ \cdots\ E_{i-2}\ t_{i-1}}_{Head(\bar{x}^{w})}\ \ \prec^{l}_{n_1+n_2}\ \ \underbrace{t_{i+1}\ E_{i+1}\ \cdots\ E_{n-1}\ t_n}_{Tail(\bar{x}^{w})},$$
the ordering obtained from $DGOC(x,\bar{x}^{w})$ by removing the term occurrence of $x$ and accordingly joining the two gap orders before and after that occurrence. We claim that
$$(\exists x:\mathcal{T})\big[\,Head(\bar{x}^{w}) \prec^{l}_{n_1} x \prec^{l}_{n_2} Tail(\bar{x}^{w})\ \wedge\ \varphi_{\mathbb{Z}}(\bar{x}^{w})\,\big] \tag{4.51}$$
is equivalent to
$$(\exists \bar{x}^{w}:\mathbb{Z})\big[\,Head(\bar{x}^{w}) \prec^{l}_{n_1+n_2} Tail(\bar{x}^{w})\ \wedge\ \varphi_{\Delta}(\bar{x}^{w})\ \wedge\ \varphi_{\mathbb{Z}}(\bar{x}^{w})\,\big], \tag{4.52}$$

where $\bar{x}^{w}$ are pseudo integer variables as in Part 1, and $\varphi_{\Delta}(\bar{x}^{w})$ consists of $x^{w}=(t_{i-1})^{w}$ and the integer constraints requiring that $L_0x,\dots,L_nx$ form a legitimate tree (condition (4a) for $\varphi_{\Delta}(\bar{x}^{w})$ in Part 1). By variable renaming we rewrite (4.52) as
$$(\exists \bar{z}:\mathbb{Z})\big[\,Head(\bar{z}) \prec^{l}_{n_1+n_2} Tail(\bar{z})\ \wedge\ \varphi_{\Delta}(\bar{z})\ \wedge\ \varphi_{\mathbb{Z}}(\bar{z})\,\big], \tag{4.53}$$
where $\bar{z}=z_0,\dots,z_n$. We show the equivalence of (4.51) and (4.53). It is clear that (4.51) is equivalent to
$$(\exists x:\mathcal{T})(\exists \bar{z}:\mathbb{Z})\big[\,\varphi_{\Delta}(\bar{x}^{w})\wedge\varphi_{\mathbb{Z}}(\bar{x}^{w})\wedge Head(\bar{x}^{w}) \prec^{l}_{n_1} x \prec^{l}_{n_2} Tail(\bar{x}^{w})\wedge \bar{z}=\bar{x}^{w}\,\big], \tag{4.54}$$
where $\bar{z}=\bar{x}^{w}$ stands for $\bigwedge_{i=0}^{n} z_i = (L_ix)^{w}$. We can rewrite (4.54) to
$$(\exists \bar{z}:\mathbb{Z})(\exists x:\mathcal{T})\big[\,\varphi_{\Delta}(\bar{z})\wedge\varphi_{\mathbb{Z}}(\bar{z})\wedge Head(\bar{z}) \prec^{l}_{n_1} x \prec^{l}_{n_2} Tail(\bar{z})\wedge \bar{z}=\bar{x}^{w}\,\big], \tag{4.55}$$
which is equivalent to (4.53) after eliminating $x$, using the fact that the weight properties of $x$ and its subterms are completely characterized by $\varphi_{\Delta}(\bar{z})$. Now by Lemma 4.9 we eliminate $\exists\bar{z}$ from (4.53), obtaining $\varphi'_{kb+}\wedge\varphi'_{\mathbb{Z}}$ in which $x$ does not occur and $\varphi'_{kb+}$ is quantifier-free, as desired.

The elimination procedure needs no essential change for other choices of $E_{i-1}$ and $E_i$. We only note that if both $E_{i-1}$ and $E_i$ are rigid gap orders, then the order between $Head(\bar{x}^{w})$ and $Tail(\bar{x}^{w})$ should be rigid too. For example, let $E_{i-1}$ be $\lhd^{l}_{n_1}$ and $E_i$ be $\lhd^{l}_{n_2}$. We have
$$(\exists x:\mathcal{T})\big[\,Head(\bar{x}^{w}) \lhd^{l}_{n_1} x \lhd^{l}_{n_2} Tail(\bar{x}^{w})\ \wedge\ \varphi_{\mathbb{Z}}(\bar{x}^{w})\,\big],$$
which reduces to
$$(\exists \bar{z}:\mathbb{Z})\big[\,Head(\bar{z}) \lhd^{l}_{n_1+n_2} Tail(\bar{z})\ \wedge\ \varphi_{\Delta}(\bar{z})\ \wedge\ \varphi_{\mathbb{Z}}(\bar{z})\,\big].$$

Finally note that we carry out the elimination even if $x$ has other integer occurrences with depths greater than 0. We could have strengthened the precondition to require that all occurrences of $x$ have depth 0. To satisfy this precondition, however, the simplification procedure, step (1c) in Algorithm 4.2, would have to include a sub-procedure for decomposing literals like $x=t$ using proper selector terms containing $x$. We choose to hide this complexity in the proof rather than exposing it in the algorithm.

Lemma 4.9 (Elimination of Integer Quantifiers). Let $z$ be an integer variable, $\varphi_{kb+}(z)$ a conjunction of literals in $\mathcal{L}_{kb+}$ where $z$ occurs inside boundary terms, and $\varphi_{\mathbb{Z}}(z)$ a Presburger formula. Then
$$(\exists z:\mathbb{Z})\big[\,\varphi_{kb+}(z)\wedge\varphi_{\mathbb{Z}}(z)\,\big]$$
can be effectively reduced to $\varphi'_{kb+}\wedge\varphi'_{\mathbb{Z}}$ where no $z$ occurs and $\varphi'_{kb+}$ is quantifier-free.

Proof. Let $z$, $\varphi_{kb+}(z)$ and $\varphi_{\mathbb{Z}}(z)$ be as stated above. Let us assume $z$ has $n$ occurrences in $\varphi_{kb+}(z)$, namely in the $n$ maximum integer functions enumerated below,
$$f_1(z),\ \dots,\ f_n(z),$$
where the $f_i$ ($0<i\le n$) are arbitrary integer functions definable in Presburger arithmetic, and the $f_i(z)$ ($0<i\le n$) occur inside boundary terms. Note that the $f_i$'s are introduced during the reductions in Section 4.8, and they are constructed using the integer functions defined in Section 4.7.

For each $0<i\le n$, we proceed as follows. Without loss of generality, we assume $f_i(z)$ properly occurs inside a boundary term $t$, that is, $t$ has one of the following forms:
$$\mathbf{0}^{w}_{(f_i(z))},\qquad \mathbf{0}^{p}_{(f_i(z),\,p)},\qquad \mathbf{1}^{w}_{(f_i(z))},\qquad \mathbf{1}^{p}_{(f_i(z),\,p)}.$$
We do a case analysis according to the occurrences of $t$ in $\varphi_{kb+}(z)$.

1. $t$ occurs in literals of the forms
$$t \prec^{\sharp}_{n} t',\qquad t \lhd^{\sharp}_{n} t',\qquad t' \prec^{\sharp}_{n} t,\qquad t' \lhd^{\sharp}_{n} t,\qquad t=t',$$
where $n>0$, $\sharp\in\{w,p,l\}$ and $t'$ is also a boundary term. By Lemma 4.6, we can remove all such closed literals from $\varphi_{kb+}(z)$ and add the corresponding equivalent Presburger formulas to $\varphi_{\mathbb{Z}}(z)$.

2. $t$ occurs in literals of the forms
$$t \prec^{\ast}_{n} t',\qquad t \lhd^{\ast}_{n} t',\qquad t' \prec^{\ast}_{n} t,\qquad t' \lhd^{\ast}_{n} t,\qquad t=t',$$
where $n>0$, $\ast\in\{p,l\}$ and $t'$ is an ordinary term. Then we replace every occurrence of $f_i(z)$ in $\varphi_{kb+}(z)$ by $(t')^{w}$ and add $f_i(z)=(t')^{w}$ to $\varphi_{\mathbb{Z}}(z)$. Formally, we set
$$\varphi_{kb+}(z) := \varphi_{kb+}(z)\big[\,f_i(z)/(t')^{w}\,\big],\qquad \varphi_{\mathbb{Z}}(z) := \varphi_{\mathbb{Z}}(z)\wedge f_i(z)=(t')^{w}.$$

3. $t$ occurs in literals of the forms
$$t \prec^{w}_{n} t',\qquad t \lhd^{w}_{n} t',\qquad t' \prec^{w}_{n} t,\qquad t' \lhd^{w}_{n} t,$$
where $n>0$ and $t'$ is an ordinary term. In this case, we introduce new boundary terms to delineate those gap orders. For example, $t \prec^{w}_{n} t'$ is replaced by
$$\bigvee_{n_1+n_2=n} t \prec^{w}_{n_1} \mathbf{0}^{w}_{((t')^{w})} \prec^{pl}_{n_2} t'.$$
Similar transformations apply to $t \lhd^{w}_{n} t'$, $t' \prec^{w}_{n} t$ and $t' \lhd^{w}_{n} t$. Then we reduce this case to case 1 and to case 2.

In this way we can remove all $f_i(z)$ from $\varphi_{kb+}$, obtaining
$$(\exists z:\mathbb{Z})\big[\,\varphi'_{kb+}\wedge\varphi'_{\mathbb{Z}}(z)\,\big],$$
where $\varphi'_{kb+}$ does not contain $z$. So we can move $\varphi'_{kb+}$ out of $\exists z$, obtaining
$$\varphi'_{kb+}\wedge(\exists z:\mathbb{Z})\,\varphi'_{\mathbb{Z}}(z),$$
as desired.

Lemma 4.11 (Termination). Both Algorithm 4.1 and Algorithm 4.2 terminate.

Proof. The termination of Algorithm 4.1 is straightforward. The termination of Algorithm 4.2 needs a careful examination. The subtlety comes from step (1). It is clear that each run of step (1) terminates, as the decomposition (step (1b)) is done in a depth-first manner, which eventually produces a variable whose term occurrences are all of depth 0. However, this step may introduce more existentially quantified variables, gap order literals and equality literals, and it may also increase the depth of variables that are not the target of the reduction. Consider, in $\mathit{List}^{\mathbb{Z}}_{kb+}$, the formula
$$(\exists x)\big[\,x \prec^{l}_{n_1} t\ \wedge\ car(x) \prec^{l}_{n_2} t\,\big],$$
where $depth(x)=1$ and $depth(t)=0$, which reduces to (one of the choices)
$$(\exists x_1)(\exists x_2)\big[\,x_1 = car(t)\ \wedge\ x_2 \prec^{l}_{n_1} cdr(t)\ \wedge\ x_1 \prec^{l}_{n_2} t\,\big],$$
where $depth(x_1)=depth(x_2)=0$ but $depth(t)=1$. Here we have one more existentially quantified variable and a new equality literal, and the depth of $t$ is increased by 1. Reduction (4.197) shows a case where the number of gap order literals increases.

A careful examination of the reductions in Section 4.8 reveals that in all transformations thenumber of open gap order literals is never increasing, which is crucial in this termination proof. Weproceed by first establishing five claims.

1. The number of open gap order literals in each reduct is no more than that in the correspondingredex.

2. The total number of occurrences of newly introduced variables in the reduct is no more thanthe number of occurrences of the decomposed variable in the redex.

3. Without reductions (4.199) and (4.202), the sum of the depths of variables strictly decreases ineach run of step (1).

4. Reductions (4.199) and (4.202) are only triggered by step (1) targeting variables occurring inopen gap order literals.

5. A run of step (1) targeting a variable $x$ that occurs in an open gap order literal produces four types of outcomes.

 (a) The sum of the depths of variables in the reduct decreases.
 (b) The reduct contains fewer open gap order literals than the redex.
 (c) The reduct contains a newly introduced variable $x'$ that occurs in an open gap order literal and is the target for the next run of step (1).
 (d) The reduct contains a newly introduced variable $x'$ that occurs in an open gap order literal and is the target for the next run of step (2).

Proof of Claim (1). Recall that this statement is included in every lemma regarding equivalent transformation. Here we list the transformation steps and their corresponding justifications.

Depth Reduction: Lemma 4.6
Elimination of Negative Literals: Lemma 4.1
Equality Elimination: Lemma 4.8, Part 1
Term Elimination: Lemma 4.8, Part 2
Delineated Gap Order Completion: Lemma 4.12

Proof of Claim (2). In all tuple reductions in Sections 4.8.8-4.8.15, if $\langle u_1,\dots,u_k\rangle$ appears in a redex, then each $u_i$ appears at most once in each corresponding reduct. The claim is then proved by induction.

Proof of Claim (3). It can be shown by checking reductions in Sections 4.8.6, 4.8.7, 4.8.14 and 4.8.15that (i) the depth of a term can only increase in reductions (4.341) and (4.344) which are triggeredby reductions (4.199) and (4.202), respectively, or in a substitution due to eliminating x appearingin an open equality literal of the form x = t (Part 1 of the proof of Lemma 4.8); (ii) an open equalityliteral is only generated in reductions (4.341) and (4.344). As a consequence, reductions (4.199)and (4.202) are the only sources of increasing depths of variables. In each run of step (1), the depthsof newly introduced variables are less than the depth of the decomposed variable in the redex. Byclaim (2), without reductions (4.199) and (4.202), the sum of the depths of variables must be strictlydecreasing in each run of step (1).

Proof of Claim (4). A check of the reductions in Section 4.8 justifies this claim.

Proof of Claim (5). There are two main cases.

1. All occurrences of the targeted variable $x$ have depth greater than 0. Then step (1) only involves simplification of selector terms (step (1(c)i)) and simplification of integer terms (step (1(c)ii)). The simplification of integer terms clearly does not affect the depths of variables. For the simplification of selector terms, let us consider $L s^{\alpha}_{i} x \star L' s^{\alpha'}_{i'} x'$ where $type(x)=\alpha$ and $type(x')=\alpha'$. If $x\equiv x'$, then $\alpha\equiv\alpha'$, and this literal simplifies to $L x_i \star L' x_{i'}$. If $x\not\equiv x'$, then this literal simplifies to $L x_i \star L' s^{\alpha'}_{i'} x'$. In both cases $depth(x_i)$ is less than $depth(x)$, and the depths of other variables do not increase. Therefore, the sum of the depths of variables decreases. The case for $L' s^{\alpha'}_{i'} x' \star L s^{\alpha}_{i} x$ is similar.

2. $depth(x)>0$ and $x\star t$ (or $t\star x$) occurs. Then step (1) also involves reductions of gap order literals (step (1(c)iii)). If neither reduction (4.199) nor reduction (4.202) is used, then $x$ and $t$ are separated by boundary terms, and hence at least one open gap order literal is removed with no new one generated. If either reduction (4.199) or reduction (4.202) is used, then $\star$ must be $\prec^{l}_{n}$ or $\lhd^{l}_{n}$. Let us consider $x \prec^{l}_{n} t$ (the cases for $t \prec^{l}_{n} x$, $x \lhd^{l}_{n} t$ and $t \lhd^{l}_{n} x$ are similar). Reduction (4.199) triggers reduction (4.341), which produces a reduct containing the following conjuncts
$$x_1 = s^{\alpha}_{1}t,\ \dots,\ x_{i-1} = s^{\alpha}_{i-1}t,\ \ x_i \prec^{\sharp}_{n'} s^{\alpha}_{i}t,$$
where $\sharp\in\{w,p,l\}$ and $n'\le n$. All newly introduced variables $x_1,\dots,x_{i-1}$ will be removed directly by substitution. If $depth(x_i)>0$ in the reduct, then $x_i$ becomes the target in the next run of step (1). Otherwise, step (2) is activated with $x_i$ being the elimination target.

Now suppose that Algorithm 4.2 does not terminate. The run must visit step (1) infinitely manytimes, because only step (1) can generate more existentially quantified variables. We claim thateither reduction (4.199) or reduction (4.202) runs infinitely often. Suppose otherwise, then fromsome point on, there are no runs of reductions (4.199) and (4.202). Then by claim (3), a run of step (1)always reduces the sum of the depths of variables. Eventually the depths of all variables are 0 andstep (1) is disabled and the run of Algorithm 4.2 stays in step (2) forever, a contradiction.

Now we assume that either reduction (4.199) or reduction (4.202) occurs infinitely often. It follows that there must be infinitely many runs of step (1) targeting variables occurring in open gap order literals, because by claim (4) only such runs can trigger reduction (4.199) or reduction (4.202). However, this cannot be the case even if there are infinitely many such runs of step (1). We analyze all types of outcomes of step (1) targeting variables occurring in open gap order literals. Outcome (5b) clearly does not happen infinitely many times, because at least one open gap order literal is removed each time. Outcome (5d) cannot happen infinitely often either, because (thanks to Lemma 4.12) each occurrence triggers step (2), which reduces the number of open gap order literals by at least one. Thanks to variable selection (step (1a)) in a depth-first manner, outcome (5c) cannot happen continuously infinitely many times, as the depths of variables are finite. If outcome (5c) happens, then the next outcome is either (5c) again or (5d). So if outcome (5c) happens infinitely many times, then so does outcome (5d), a contradiction. The only possibility left is that outcome (5a) happens infinitely often, and in fact it will happen continuously from some point on. This means that from that point on the sum of the depths of variables strictly decreases, and hence eventually step (1) is disabled forever, contradicting our initial assumption.

We have exhausted all cases and all of them lead to contradictions. Hence Algorithm 4.2terminates.

4.7 Definitions

In this section, we show that the integer functions and predicates used in the proofs in Section 4.6and in the reductions in Section 4.8 can be defined in Presburger arithmetic.

Definition of Integer Predicates

1. $\overline{CNT}^{\alpha}_{k,n}(x)$ ($k>0$, $n\ge 0$): there are exactly $n+1$ different $\alpha$-terms of length $x$ in $\mathcal{T}_A$ with $|A|=k$.
$$\overline{CNT}^{\alpha}_{k,n}(x)\ \stackrel{def}{=}\ CNT^{\alpha}_{k,n}(x)\ \wedge\ \neg\,CNT^{\alpha}_{k,n+1}(x),$$
where $CNT^{\alpha}_{k,n}(x)$ states that there are at least $n+1$ such terms. $\overline{CNT}_{k,n}(x)$ is defined similarly with $\alpha$-terms replaced by $\mathcal{T}_A$-terms.
$$\overline{CNT}_{k,n}(x)\ \stackrel{def}{=}\ CNT_{k,n}(x)\ \wedge\ \neg\,CNT_{k,n+1}(x).$$

2. $IsTW^{k}(n)$: $n$ is the weight of a $k$-tuple.
$$IsTW^{k}(n)\ \stackrel{def}{=}\ (\exists z_1,\dots,\exists z_k>0)\Big(\sum_{i=1}^{k} z_i = n\ \wedge\ \bigwedge_{0<i\le k} Tree(z_i)\Big).$$

3. $IsCW^{k}(n,m)$: $m$ is the weight of a component in a $k$-tuple of weight $n$.
$$IsCW^{k}(n,m)\ \stackrel{def}{=}\ IsTW^{k}(n)\ \wedge\ \big((k>1\wedge IsTW^{k-1}(n-m))\ \vee\ (k=1\wedge m=n)\big).$$

4. $IsTW^{k}(n,p)$: $n$ is the weight of a $k$-tuple whose first component is of type $\alpha_p$.
$$IsTW^{k}(n,p)\ \stackrel{def}{=}\ (\exists z_1,\dots,\exists z_k>0)\Big(\sum_{i=1}^{k} z_i = n\ \wedge\ \bigwedge_{0<i\le k} Tree(z_i)\ \wedge\ Tree_{\alpha_p}(z_1)\Big).$$

5. $IsCW^{k}(n,m,p)$: $n$ is the weight of a $k$-tuple whose first component has weight $m$ and type $\alpha_p$.
$$IsCW^{k}(n,m,p)\ \stackrel{def}{=}\ IsCW^{k}(n,m)\ \wedge\ Tree_{\alpha_p}(m).$$

6. $WD_{\Omega(\Delta)}$: $\Omega(\Delta)$ is a well-defined boundary term or boundary tuple.
$$\begin{aligned}
WD_{\mathbf{0}^{w}}(m) &\stackrel{def}{=} Tree(m), & WD_{\mathbf{1}^{w}}(m) &\stackrel{def}{=} Tree(m),\\
WD_{\mathbf{0}^{p}}(m,p) &\stackrel{def}{=} Tree_{\alpha_p}(m), & WD_{\mathbf{1}^{p}}(m,p) &\stackrel{def}{=} Tree_{\alpha_p}(m),\\
WD_{\mathbf{0}^{k;kb}}(n) &\stackrel{def}{=} IsTW^{k}(n), & WD_{\mathbf{1}^{k;kb}}(n) &\stackrel{def}{=} IsTW^{k}(n),\\
WD_{\mathbf{0}^{k;w}}(n,m) &\stackrel{def}{=} IsCW^{k}(n,m), & WD_{\mathbf{1}^{k;w}}(n,m) &\stackrel{def}{=} IsCW^{k}(n,m),\\
WD_{\mathbf{0}^{k;p}}(n,m,p) &\stackrel{def}{=} IsCW^{k}(n,m,p), & WD_{\mathbf{1}^{k;p}}(n,m,p) &\stackrel{def}{=} IsCW^{k}(n,m,p).
\end{aligned}$$

Definition of Integer Functions

1. $x = \mathit{MinCW}_k(n,r,r')$: $x$ is the smallest integer in $(r,r')$ which is the weight of a component in a $k$-tuple of weight $n$; $x = r$ if there is no such integer.

$$\Bigl[\bigl(\neg\,\mathit{IsTW}_k(n) \lor \forall z\,(r < z < r' \to \neg\,\mathit{IsCW}_k(n,z))\bigr) \land x = r\Bigr] \lor \Bigl[\mathit{IsCW}_k(n,x) \land r < x < r' \land \forall z\,(r < z < x \to \neg\,\mathit{IsCW}_k(n,z))\Bigr]. \tag{4.56}$$

2. $x = \mathit{MaxCW}_k(n,r,r')$: $x$ is the largest integer in $(r,r')$ which is the weight of a component in a $k$-tuple of weight $n$; $x = r$ if there is no such integer.

$$\Bigl[\bigl(\neg\,\mathit{IsTW}_k(n) \lor \forall z\,(r < z < r' \to \neg\,\mathit{IsCW}_k(n,z))\bigr) \land x = r\Bigr] \lor \Bigl[\mathit{IsCW}_k(n,x) \land r < x < r' \land \forall z\,(x < z < r' \to \neg\,\mathit{IsCW}_k(n,z))\Bigr]. \tag{4.57}$$

3. $x = \mathit{CW}^k_i(n,r,r')$ ($i > 0$): $x$ is the $i$th smallest integer in $(r,r')$ which is the weight of a component in a $k$-tuple of weight $n$; $x = \mathit{MaxCW}_k(n,r,r')$ if no such integer exists. We give the definition by induction on $i$.

Case $i = 1$.

$$x = \mathit{MinCW}_k(n,r,r').$$

Case $i > 1$.

$$\Bigl[x > \mathit{CW}^k_{i-1}(n,r,r') \land r < x < r' \land \mathit{IsCW}_k(n,x) \land \forall z\,\bigl(\mathit{CW}^k_{i-1}(n,r,r') < z < x \to \neg\,\mathit{IsCW}_k(n,z)\bigr)\Bigr] \lor \Bigl[x = \mathit{CW}^k_{i-1}(n,r,r') \land \forall z\,\bigl((z > \mathit{CW}^k_{i-1}(n,r,r') \land r < z < r') \to \neg\,\mathit{IsCW}_k(n,z)\bigr)\Bigr]. \tag{4.58}$$

With no risk of confusion, we make the following abbreviations.

$$\mathit{MinCW}_k(n) \text{ abbr. } \mathit{MinCW}_k(n,0,n+1), \qquad \mathit{MaxCW}_k(n) \text{ abbr. } \mathit{MaxCW}_k(n,0,n+1), \qquad \mathit{CW}^k_i(n) \text{ abbr. } \mathit{CW}^k_i(n,0,n+1).$$

4. $x = \mathit{CWS}^k_i(n)$ ($0 < i \le k$): $x$ is the weight of the $i$th component of the smallest $k$-tuple (w.r.t. $\prec_{k;kb}$) of weight $n$; $x = 0$ if no such weight exists. We define it inductively as follows.

Case $i = 1$.

$$x = \mathit{MinCW}_k(n).$$

Case $1 < i \le k$.

$$\bigl(\neg\,\mathit{IsTW}_k(n) \to x = 0\bigr) \land \Bigl(\mathit{IsTW}_k(n) \to x = \mathit{MinCW}_{k-i+1}\bigl(n - \sum_{j=1}^{i-1} \mathit{CWS}^k_j(n)\bigr)\Bigr).$$

5. $x = \mathit{CWL}^k_i(n)$ ($0 < i \le k$): $x$ is the weight of the $i$th component of the largest $k$-tuple (w.r.t. $\prec_{k;kb}$) of weight $n$; $x = 0$ if no such weight exists. We define it inductively as follows.

Case $i = 1$.

$$x = \mathit{MaxCW}_k(n).$$

Case $1 < i \le k$.

$$\bigl(\neg\,\mathit{IsTW}_k(n) \to x = 0\bigr) \land \Bigl(\mathit{IsTW}_k(n) \to x = \mathit{MaxCW}_{k-i+1}\bigl(n - \sum_{j=1}^{i-1} \mathit{CWS}^k_j(n)\bigr)\Bigr).$$
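As an added example (not code from the dissertation), the following Python models the predicates and functions of this section over a small constructed signature, so that MinCW, MaxCW, CW^k_i, CWS^k_i and CWL^k_i can be computed and checked; the signature, the bound LIMIT and the function names are assumptions. For CWL it subtracts the previously computed CWL components from the remaining weight, mirroring CWS, which is also an assumption about how the case 1 < i ≤ k is meant to be read.

```python
"""Finite model of the Section 4.7 integer predicates and functions.

Added example, not code from the dissertation.  Constructed assumption: a
signature with a constant a of weight 2, a unary f of weight 3 and a binary g
of weight 1, where the Knuth-Bendix weight of a term is the weight of its root
symbol plus the weights of its arguments.  Tree(z) then holds exactly for
z >= 2 with z = 2 (mod 3); only weights up to LIMIT are modelled.
"""
from typing import Dict, List, Tuple

# symbol name -> (arity, weight); constructed signature, not from the page
SYMBOLS: Dict[str, Tuple[int, int]] = {"a": (0, 2), "f": (1, 3), "g": (2, 1)}
LIMIT = 60

_TREE: List[bool] = [False] * (LIMIT + 1)        # _TREE[z] == Tree(z)
_TW_MEMO: Dict[Tuple[int, int], bool] = {}


def is_tw(k: int, n: int) -> bool:
    """IsTW_k(n): n is the weight of a k-tuple, i.e. a sum of k tree weights z_i > 0."""
    if n > LIMIT:
        raise ValueError("weight %d exceeds the modelled bound LIMIT" % n)
    if k == 0:
        return n == 0
    key = (k, n)
    if key not in _TW_MEMO:
        _TW_MEMO[key] = any(_TREE[m] and is_tw(k - 1, n - m) for m in range(1, n + 1))
    return _TW_MEMO[key]


# Tree(z) by dynamic programming over z: a term of weight z is a symbol of arity ar
# and weight w applied to an ar-tuple of weight z - w, which only consults smaller z.
for _z in range(1, LIMIT + 1):
    _TREE[_z] = any(_z >= w and is_tw(ar, _z - w) for ar, w in SYMBOLS.values())


def tree(z: int) -> bool:
    """Tree(z): some ground term of the signature has weight z (0 <= z <= LIMIT)."""
    return _TREE[z]


def is_cw(k: int, n: int, m: int) -> bool:
    """IsCW_k(n, m): m is the weight of a component in a k-tuple of weight n (m >= 0)."""
    if not is_tw(k, n):
        return False
    if k == 1:
        return m == n
    return is_tw(k - 1, n - m)


def min_cw(k: int, n: int, r: int, r2: int) -> int:
    """x = MinCW_k(n, r, r'), equation (4.56): smallest component weight of a
    k-tuple of weight n inside the open interval (r, r'); r if there is none."""
    if is_tw(k, n):
        for x in range(r + 1, r2):
            if is_cw(k, n, x):
                return x
    return r


def max_cw(k: int, n: int, r: int, r2: int) -> int:
    """x = MaxCW_k(n, r, r'), equation (4.57): largest such weight in (r, r'); r if none."""
    if is_tw(k, n):
        for x in range(r2 - 1, r, -1):
            if is_cw(k, n, x):
                return x
    return r


def cw(k: int, i: int, n: int, r: int, r2: int) -> int:
    """x = CW^k_i(n, r, r'), equation (4.58): the i-th smallest component weight in
    (r, r'); once the weights are exhausted the value stays at the largest one."""
    x = min_cw(k, n, r, r2)
    for _ in range(i - 1):
        # first disjunct of the case i > 1: the next weight above CW^k_{i-1};
        # min_cw returns CW^k_{i-1} itself when there is none (second disjunct)
        x = min_cw(k, n, x, r2)
    return x


def cws(k: int, n: int) -> List[int]:
    """[CWS^k_1(n), ..., CWS^k_k(n)]: components of the smallest k-tuple of weight n."""
    if not is_tw(k, n):
        return [0] * k
    comps, rest = [], n
    for i in range(1, k + 1):
        # MinCW_{k-i+1}(n - earlier components), with MinCW_k(n) = MinCW_k(n, 0, n+1)
        x = min_cw(k - i + 1, rest, 0, rest + 1)
        comps.append(x)
        rest -= x
    return comps


def cwl(k: int, n: int) -> List[int]:
    """[CWL^k_1(n), ..., CWL^k_k(n)]: components of the largest k-tuple of weight n.
    Assumption: the remaining weight subtracts the earlier CWL components (as in cws)."""
    if not is_tw(k, n):
        return [0] * k
    comps, rest = [], n
    for i in range(1, k + 1):
        x = max_cw(k - i + 1, rest, 0, rest + 1)
        comps.append(x)
        rest -= x
    return comps


if __name__ == "__main__":
    # Worked case: 2-tuples of weight 10 have component weights {2, 5, 8}.
    print([m for m in range(11) if is_cw(2, 10, m)])      # [2, 5, 8]
    print(cws(2, 10), cwl(2, 10), cws(3, 9), cwl(3, 9))  # [2, 8] [8, 2] [2, 2, 5] [5, 2, 2]
```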


4.8 Reductions

In this section we present all reductions that can occur in Algorithm 4.2. The following outlines the contents of each subsection.

4.8.1 Closed Term Equalities (there are no half-open term equalities)
4.8.2 Closed Stretchable Gap Orders
4.8.3 Closed Rigid Gap Orders
4.8.4 Half-open Stretchable Gap Orders
4.8.5 Half-open Rigid Gap Orders
4.8.6 Open Stretchable Gap Orders
4.8.7 Open Rigid Gap Orders
4.8.8 Closed Tuple Equalities
4.8.9 Half-open Tuple Equalities
4.8.10 Closed Stretchable Tuple Gap Orders
4.8.11 Closed Rigid Tuple Gap Orders
4.8.12 Half-open Stretchable Tuple Gap Orders
4.8.13 Half-open Rigid Tuple Gap Orders
4.8.14 Open Stretchable Tuple Gap Orders
4.8.15 Open Rigid Tuple Gap Orders

We assume that all gap order counts in redexes are positive numbers.

4.8.1 Reduction of Closed Equalities

$$0_w(m) = 0_w(m') \;\mapsto\; m = m' \tag{4.59}$$

$$0_w(m) = 0_p(m',p') \;\mapsto\; m = m' \land \bigwedge_{p'<i\le|\Sigma|} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \tag{4.60}$$

$$0_w(m) = 1_w(m') \;\mapsto\; m = m' \land \neg\,\mathit{CNT}_1(m) \tag{4.61}$$

$$0_w(m) = 1_p(m',p') \;\mapsto\; m = m' \land \bigwedge_{p'<i\le|\Sigma|} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \land \neg\,\mathit{CNT}^{(\alpha_{p'})}_1(m) \tag{4.62}$$

$$0_p(m,p) = 0_p(m',p') \;\mapsto\; m = m' \land p = p' \tag{4.63}$$

$$0_p(m,p) = 1_w(m') \;\mapsto\; m = m' \land \bigwedge_{0<i<p} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \land \neg\,\mathit{CNT}^{(\alpha_p)}_1(m) \tag{4.64}$$

$$0_p(m,p) = 1_p(m',p') \;\mapsto\; m = m' \land p = p' \land \neg\,\mathit{CNT}^{(\alpha_p)}_1(m) \tag{4.65}$$

$$1_w(m) = 1_w(m') \;\mapsto\; m = m' \tag{4.66}$$

$$1_w(m) = 1_p(m',p') \;\mapsto\; m = m' \land \bigwedge_{0<i<p'} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \tag{4.67}$$

$$1_p(m,p) = 1_p(m',p') \;\mapsto\; m = m' \land p = p' \tag{4.68}$$


4.8.2 Reduction of Closed Stretchable Gap Orders

$$0_w(m) \prec^{w}_{n} 0_w(m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} 0_w(m) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \tag{4.69}$$

$$0_w(m) \prec^{p}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.70}$$

$$0_w(m) \prec^{l}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.71}$$

$$0_w(m) \prec^{w}_{n} 0_p(m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} 0_w(m) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \prec^{w}_{n_3} 0_p(m',p') \tag{4.72}$$

$$0_w(m) \prec^{p}_{n} 0_p(m',p') \;\mapsto\; m = m' \land \bigvee_{n_{p'+1}+\cdots+n_{|\Sigma|}=n}\ \bigwedge_{p'<i\le|\Sigma|} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.73}$$

$$0_w(m) \prec^{l}_{n} 0_p(m',p') \;\mapsto\; \mathit{false} \tag{4.74}$$

$$0_w(m) \prec^{w}_{n} 1_w(m') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} 0_w(m) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \prec^{pl}_{n_3} 1_w(m') \tag{4.75}$$

$$0_w(m) \prec^{p}_{n} 1_w(m') \;\mapsto\; m = m' \land \bigvee_{\substack{p,p'\in\{1,\ldots,|\Sigma|\}\\ p \ne p'}} \bigl(\mathit{Tree}^{(\alpha_p)}(m) \land \mathit{Tree}^{(\alpha_{p'})}(m)\bigr) \land \bigvee_{n_1+\cdots+n_{|\Sigma|}=n+1}\ \bigwedge_{0<i\le|\Sigma|} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.76}$$

$$0_w(m) \prec^{l}_{n} 1_w(m') \;\mapsto\; m = m' \land \bigwedge_{\substack{p,p'\in\{1,\ldots,|\Sigma|\}\\ p \ne p'}} \bigl(\mathit{Tree}^{(\alpha_p)}(m) \to \neg\,\mathit{Tree}^{(\alpha_{p'})}(m)\bigr) \land \bigvee_{0<i\le|\Sigma|} \mathit{CNT}^{(\alpha_i)}_{n}(m) \tag{4.77}$$

$$0_w(m) \prec^{w}_{n} 1_p(m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_2>0}} 0_w(m) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \prec^{pl}_{n_3} 0_w(m',p') \prec^{pl}_{n_4} 1_w(m',p') \tag{4.78}$$

$$0_w(m) \prec^{p}_{n} 1_p(m',p') \;\mapsto\; m = m' \land \bigvee_{p'<p\le|\Sigma|} \mathit{Tree}^{(\alpha_p)}(m) \land \bigvee_{n_{p'}+\cdots+n_{|\Sigma|}=n+1}\ \bigwedge_{p'\le i\le|\Sigma|} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.79}$$

$$0_w(m) \prec^{l}_{n} 1_p(m',p') \;\mapsto\; m = m' \land \bigwedge_{p'<p\le|\Sigma|} \neg\,\mathit{Tree}^{(\alpha_p)}(m) \land \mathit{CNT}^{(\alpha_{p'})}_{n}(m) \tag{4.80}$$

$$0_p(m,p) \prec^{w}_{n} 0_w(m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} 0_p(m,p) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \tag{4.81}$$

$$0_p(m,p) \prec^{p}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.82}$$

$$0_p(m,p) \prec^{l}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.83}$$

$$0_p(m,p) \prec^{w}_{n} 0_p(m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_3>0}} 0_p(m,p) \prec^{pl}_{n_1} 1_p(m,p) \prec^{pl}_{n_2} 1_w(m) \prec^{w}_{n_3} 0_w(m') \prec^{pl}_{n_4} 0_p(m',p') \tag{4.84}$$

$$0_p(m,p) \prec^{p}_{n} 0_p(m',p') \;\mapsto\; m = m' \land p' < p \land \bigvee_{n_{p'}+\cdots+n_{p-1}=n}\ \bigwedge_{p'\le i<p} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.85}$$

$$0_p(m,p) \prec^{l}_{n} 0_p(m',p') \;\mapsto\; \mathit{false} \tag{4.86}$$

$$0_p(m,p) \prec^{w}_{n} 1_w(m') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_3>0}} 0_p(m,p) \prec^{pl}_{n_1} 1_p(m,p) \prec^{pl}_{n_2} 1_w(m) \prec^{w}_{n_3} 0_w(m') \prec^{pl}_{n_4} 1_w(m') \tag{4.87}$$

$$0_p(m,p) \prec^{p}_{n} 1_w(m') \;\mapsto\; m = m' \land \bigvee_{0<i<p} \mathit{Tree}^{(\alpha_i)}(m) \land \bigvee_{n_1+\cdots+n_p=n+1}\ \bigwedge_{0<i\le p} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.88}$$

$$0_p(m,p) \prec^{l}_{n} 1_w(m') \;\mapsto\; m = m' \land \bigwedge_{0<i<p} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \land \mathit{CNT}^{(\alpha_p)}_{n}(m) \tag{4.89}$$

$$0_p(m,p) \prec^{w}_{n} 1_p(m',p') \;\mapsto\; \bigvee_{\substack{\sum_{i=1}^{5} n_i=n\\ n_3>0}} 0_p(m,p) \prec^{l}_{n_1} 1_p(m,p) \prec^{pl}_{n_2} 1_w(m) \prec^{w}_{n_3} 0_w(m') \prec^{pl}_{n_4} 0_p(m',p') \prec^{l}_{n_5} 1_p(m',p') \tag{4.90}$$

$$0_p(m,p) \prec^{p}_{n} 1_p(m',p') \;\mapsto\; m = m' \land p' < p \land \bigvee_{n_{p'}+\cdots+n_p=n+1}\ \bigwedge_{p'\le i\le p} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.91}$$

$$0_p(m,p) \prec^{l}_{n} 1_p(m',p') \;\mapsto\; m = m' \land p = p' \land \mathit{CNT}^{(\alpha_p)}_{n}(m) \tag{4.92}$$

$$1_w(m) \prec^{w}_{n} 0_w(m') \;\mapsto\; (n = 1 \to m < m') \land \Bigl(n > 1 \to \bigvee_{0<r<n} (\exists z_1 \ldots \exists z_r)\Bigl(m < z_1 < \cdots < z_r < m' \land \bigvee_{\substack{\sum_{i=1}^{r} n_i=n-1\\ n_1,\ldots,n_r>0}}\ \bigwedge_{0<i\le r} \mathit{CNT}_{n_i-1}(z_i)\Bigr)\Bigr) \tag{4.93}$$

$$1_w(m) \prec^{p}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.94}$$

$$1_w(m) \prec^{l}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.95}$$

$$1_w(m) \prec^{w}_{n} 0_p(m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 1_w(m) \prec^{w}_{n_1} 0_w(m') \prec^{pl}_{n_2} 0_p(m',p') \tag{4.96}$$

$$1_w(m) \prec^{p}_{n} 0_p(m',p') \;\mapsto\; \mathit{false} \tag{4.97}$$

$$1_w(m) \prec^{l}_{n} 0_p(m',p') \;\mapsto\; \mathit{false} \tag{4.98}$$

$$1_w(m) \prec^{w}_{n} 1_w(m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 1_w(m) \prec^{w}_{n_1} 0_w(m') \prec^{pl}_{n_2} 1_w(m') \tag{4.99}$$

$$1_w(m) \prec^{p}_{n} 1_w(m') \;\mapsto\; \mathit{false} \tag{4.100}$$

$$1_w(m) \prec^{l}_{n} 1_w(m') \;\mapsto\; \mathit{false} \tag{4.101}$$

$$1_w(m) \prec^{w}_{n} 1_p(m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_1>0}} 1_w(m) \prec^{w}_{n_1} 0_w(m') \prec^{pl}_{n_2} 0_w(m',p') \prec^{pl}_{n_3} 1_w(m',p') \tag{4.102}$$

$$1_w(m) \prec^{p}_{n} 1_p(m',p') \;\mapsto\; \mathit{false} \tag{4.103}$$

$$1_w(m) \prec^{l}_{n} 1_p(m',p') \;\mapsto\; \mathit{false} \tag{4.104}$$

$$1_p(m,p) \prec^{w}_{n} 0_w(m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} 1_p(m,p) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \tag{4.105}$$

$$1_p(m,p) \prec^{p}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.106}$$

$$1_p(m,p) \prec^{l}_{n} 0_w(m') \;\mapsto\; \mathit{false} \tag{4.107}$$

$$1_p(m,p) \prec^{w}_{n} 0_p(m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} 1_p(m,p) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \prec^{w}_{n_3} 0_p(m',p') \tag{4.108}$$

$$1_p(m,p) \prec^{p}_{n} 0_p(m',p') \;\mapsto\; \bigl(n = 1 \to (m = m' \land p' < p)\bigr) \land \Bigl(n > 1 \to \Bigl(m = m' \land p' < p-1 \land \bigvee_{n_{p'+1}+\cdots+n_{p-1}=n-1}\ \bigwedge_{p'<i<p} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr)\Bigr)\Bigr) \tag{4.109}$$

$$1_p(m,p) \prec^{l}_{n} 0_p(m',p') \;\mapsto\; \mathit{false} \tag{4.110}$$

$$1_p(m,p) \prec^{w}_{n} 1_w(m') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} 1_p(m,p) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \prec^{pl}_{n_3} 1_w(m') \tag{4.111}$$

$$1_p(m,p) \prec^{p}_{n} 1_w(m') \;\mapsto\; m = m' \land \bigvee_{n_1+\cdots+n_{p-1}=n}\ \bigwedge_{0<i<p} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.112}$$

$$1_p(m,p) \prec^{l}_{n} 1_w(m') \;\mapsto\; \mathit{false} \tag{4.113}$$

$$1_p(m,p) \prec^{w}_{n} 1_p(m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_2>0}} 1_p(m,p) \prec^{pl}_{n_1} 1_w(m) \prec^{w}_{n_2} 0_w(m') \prec^{pl}_{n_3} 0_w(m',p') \prec^{pl}_{n_4} 1_w(m',p') \tag{4.114}$$

$$1_p(m,p) \prec^{p}_{n} 1_p(m',p') \;\mapsto\; m = m' \land p' < p \land \bigvee_{n_{p'}+\cdots+n_{p-1}=n}\ \bigwedge_{p'\le i<p} \bigl(n_i > 0 \to \mathit{CNT}^{(\alpha_i)}_{n_i-1}(m)\bigr) \tag{4.115}$$

$$1_p(m,p) \prec^{l}_{n} 1_p(m',p') \;\mapsto\; \mathit{false} \tag{4.116}$$

4.8.3 Reduction of Closed Rigid Gap Orders

0w(m)

wn 0w

(m′) 7→∨

n1+n2=nn2>0

0w(m)

pln1 1w

(m) wn2 0w

(m′) (4.117)

0w(m)

pn 0w

(m′) 7→ false (4.118)

0w(m)

ln 0w

(m′) 7→ false (4.119)

0w(m)

wn 0p

(m′ ,p′) 7→∨

n1+n2+n3=nn2>0

0w(m)

pln1 1w

(m) wn2 0w

(m′) wn3 0p

(m′ ,p′) (4.120)


0w(m)

pn 0p

(m′ ,p′) 7→ m = m′ ∧∨

np′+1+···+n|Σ|=n

p′<i≤|Σ|

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.121)

0w(m)

ln 0p

(m′ ,p′) 7→ false (4.122)

0w(m)

wn 1w

(m′) 7→∨

n1+n2+n3=nn2>0

0w(m)

pln1 1w

(m) wn2 0w

(m′) pln3 1w

(m′) (4.123)

0w(m)

pn 1w

(m′) 7→

m = m′ ∧∨

p,p′∈1,...,|Σ|p,p′

(

Tree(αp)(m) ∧ Tree(αp′ )(m))

∧∨

n1+···+n|Σ|=n+1

0<i≤|Σ|

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.124)

0w(m)

ln 1w

(m′) 7→

m = m′ ∧∧

p,p′∈1,...,|Σ|p,p′

(

Tree(αp)(m) → ¬ Tree(αp′ )(m))

∧∨

0<i≤|Σ|CNT

(αi)n (m)

(4.125)

0w(m)

wn 1p

(m′ ,p′) 7→∨

n1+n2+n3+n4=nn2>0

0w(m)

pln1 1w

(m) wn2

0w(m′)

pln3 0w

(m′ ,p′) pln4 1w

(m′ ,p′) (4.126)

0w(m)

pn 1p

(m′ ,p′) 7→

m = m′ ∧∨

p′<p≤|Σ|Tree(αp)(m)

∧∨

np′+···+n|Σ|=n+1

p′≤i≤|Σ|

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.127)

0w(m)

ln 1p

(m′ ,p′) 7→ m = m′ ∧∧

p′<p≤|Σ|¬ Tree(αp)(m) ∧ CNT

(αp′ )n (m) (4.128)

0p(m,p)

wn 0w

(m′) 7→∨

n1+n2=nn2>0

0p(m,p)

pln1 1w

(m) wn2 0w

(m′) (4.129)

0p(m,p)

pn 0w

(m′) 7→ false (4.130)

0p(m,p)

ln 0w

(m′) 7→ false (4.131)

0p(m,p)

wn 0p

(m′ ,p′) 7→∨

n1+n2+n3+n4=nn3>0

0p(m,p)

pln1 1p

(m,p) pln2 1w

(m) wn3 0w

(m′) pln4 0p

(m′ ,p′) (4.132)


0p(m,p)

pn 0p

(m′ ,p′) 7→

m = m′ ∧ p′ < p

∧∨

np′+···+np−1=n

p′≤i<p

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.133)

0p(m,p)

ln 0p

(m′ ,p′) 7→ false (4.134)

0p(m,p)

wn 1w

(m′) 7→∨

n1+n2+n3+n4=nn3>0

0p(m,p)

pln1 1p

(m,p) pln2 1w

(m) wn3

0w(m′)

pln4 1w

(m′) (4.135)

0p(m,p)

pn 1w

(m′) 7→

m = m′ ∧∨

0<i<pTree(αi)(m)

∧∨

n1+···+np=n+1

0<i≤p

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.136)

0p(m,p)

ln 1w

(m′) 7→ m = m′ ∧∧

0<i<p¬ Tree(αi)(m) ∧ CNT

(αp)n (m). (4.137)

0p(m,p)

wn 1p

(m′ ,p′) 7→∨

∑5i=1 ni=nn3>0

0p(m,p)

ln1 1p

(m,p) pln2 1w

(m) wn3 0w

(m′) pln4 0p

(m′ ,p′) ln5 1p

(m′ ,p′) (4.138)

0p(m,p)

pn 1p

(m′ ,p′) 7→

m = m′ ∧ p′ < p

∧∨

np′+···+np=n+1

p′≤i≤p

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.139)

0p(m,p)

ln 1p

(m′ ,p′) 7→ m = m′ ∧ p = p′ ∧ CNT(αp)n (m) (4.140)

1w(m)

wn 0w

(m′) 7→

n = 1 →(

m < m′ ∧ ∀z(

m < z < m′ → ¬ Tree(z)))

n > 1 →∨

0<r<n(∃z1 . . .∃zr)

m < z1 < · · · < zr < m′

¬ (∃z1 . . .∃zr+1)(

m < z1 < · · · < zr+1 < m′)

∧∨

∑ri=1 ni=n−1

n1 ,...,nr>0

0<i≤rCNTni−1(zi)

(4.141)


1w(m)

pn 0w

(m′) 7→ false (4.142)

1w(m)

ln 0w

(m′) 7→ false (4.143)

1w(m)

wn 0p

(m′ ,p′) 7→∨

n1+n2=nn1>0

1w(m)

wn1

0w(m′)

pln2 0p

(m′ ,p′) (4.144)

1w(m)

pn 0p

(m′ ,p′) 7→ false (4.145)

1w(m)

ln 0p

(m′ ,p′) 7→ false (4.146)

1w(m)

wn 1w

(m′) 7→∨

n1+n2=nn1>0

1w(m)

wn1

0w(m′)

pln2 1w

(m′) (4.147)

1w(m)

pn 1w

(m′) 7→ false (4.148)

1w(m)

ln 1w

(m′) 7→ false (4.149)

1w(m)

wn 1p

(m′ ,p′) 7→∨

n1+n2+n3=nn1>0

1w(m)

wn1 0w

(m′) pln2 0w

(m′ ,p′) pln3 1w

(m′ ,p′) (4.150)

1w(m)

pn 1p

(m′ ,p′) 7→ false (4.151)

1w(m)

ln 1p

(m′ ,p′) 7→ false (4.152)

1p(m,p)

wn 0w

(m′) 7→∨

n1+n2=nn2>0

1p(m,p)

pln1 1w

(m) wn2

0w(m′) (4.153)

1p(m,p)

pn 0w

(m′) 7→ false (4.154)

1p(m,p)

ln 0w

(m′) 7→ false (4.155)

1p(m,p)

wn 0p

(m′ ,p′) 7→∨

n1+n2+n3=nn2>0

1p(m,p)

pln1 1w

(m) wn2 0w

(m′) wn3 0p

(m′ ,p′) (4.156)

1p(m,p)

pn 0p

(m′ ,p′) 7→

n = 1 →(

m = m′ ∧ p′ < p ∧∧

p′<i<p¬ Treeαi(m)

)

n > 1 →

m = m′ ∧ p′ < p − 1 ∧∨

np′+1+···+np−1=n−1

p′<i<p

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.157)

1p(m,p)

ln 0p

(m′ ,p′) 7→ false (4.158)


1p(m,p)

wn 1w

(m′) 7→∨

n1+n2+n3=nn2>0

1p(m,p)

pln1 1w

(m) wn2

0w(m′)

pln3 1w

(m′) (4.159)

1p(m,p)

pn 1w

(m′) 7→ m = m′ ∧∨

n1+···+np−1=n

0<i<p

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.160)

1p(m,p)

ln 1w

(m′) 7→ false (4.161)

1p(m,p)

wn 1p

(m′ ,p′) 7→∨

n1+n2+n3+n4=nn2>0

1p(m,p)

pln1 1w

(m) wn2

0w(m′)

pln3 0w

(m′ ,p′) pln4 1w

(m′ ,p′) (4.162)

1p(m,p)

pn 1p

(m′ ,p′) 7→

m = m′ ∧ p′ < p

∧∨

np′+···+np−1=n

p′≤i<p

(

ni > 0 → CNT(αi)ni−1(m)

)

(4.163)

1p(m,p)

ln 1p

(m′ ,p′) 7→ false (4.164)

4.8.4 Reduction of Half Open Stretchable Gap Orders

Let $u = \alpha_q(u_1, \ldots, u_k)$.

$$0_w(m) \prec^{w}_{n} u \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0_w(m) \prec^{w}_{n_1} 0_w(u^w) \prec^{pl}_{n_2} u \tag{4.165}$$

$$0_w(m) \prec^{p}_{n} u \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0_w(m) \prec^{p}_{n_1} 0_p(m,q) \prec^{l}_{n_2} u \tag{4.166}$$

$$0_w(m) \prec^{l}_{n} u \;\mapsto\; \mathit{Is}_{\alpha_q}(u) \land m = u^w \land \bigwedge_{q<i\le|\Sigma|} \neg\,\mathit{Tree}^{(\alpha_i)}(u^w) \land 0_{k;kb}(m - w(\alpha_q)) \prec^{k;kb}_{n} \langle u_1, \ldots, u_k\rangle \tag{4.167}$$

$$0_p(m,p) \prec^{w}_{n} u \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0_p(m,p) \prec^{w}_{n_1} 0_w(u^w) \prec^{pl}_{n_2} u \tag{4.168}$$

$$0_p(m,p) \prec^{p}_{n} u \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0_p(m,p) \prec^{p}_{n_1} 0_p(m,q) \prec^{l}_{n_2} u \tag{4.169}$$

$$0_p(m,p) \prec^{l}_{n} u \;\mapsto\; p = q \land \mathit{Is}_{\alpha_q}(u) \land m = u^w \land 0_{k;kb}(m - w(\alpha_q)) \prec^{k;kb}_{n} \langle u_1, \ldots, u_k\rangle \tag{4.170}$$

$$1_w(m) \prec^{w}_{n} u \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 1_w(m) \prec^{w}_{n_1} 0_w(u^w) \prec^{pl}_{n_2} u \tag{4.171}$$

$$1_p(m,p) \prec^{w}_{n} u \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 1_p(m,p) \prec^{w}_{n_1} 0_w(u^w) \prec^{pl}_{n_2} u \tag{4.172}$$

$$u \prec^{w}_{n} 1_w(m) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} u \prec^{pl}_{n_1} 1_w(u^w) \prec^{w}_{n_2} 1_w(m) \tag{4.173}$$

$$u \prec^{p}_{n} 1_w(m) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} u \prec^{l}_{n_1} 1_p(m,q) \prec^{p}_{n_2} 1_w(m) \tag{4.174}$$

$$u \prec^{l}_{n} 1_w(m) \;\mapsto\; \mathit{Is}_{\alpha_q}(u) \land m = u^w \land \bigwedge_{0<i<q} \neg\,\mathit{Tree}^{(\alpha_i)}(u^w) \land \langle u_1, \ldots, u_k\rangle \prec^{k;kb}_{n} 1_{k;kb}(m - w(\alpha_q)) \tag{4.175}$$

$$u \prec^{w}_{n} 1_p(m,p) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} u \prec^{pl}_{n_1} 1_w(u^w) \prec^{w}_{n_2} 1_p(m,p) \tag{4.176}$$

$$u \prec^{p}_{n} 1_p(m,p) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} u \prec^{l}_{n_1} 1_p(m,q) \prec^{p}_{n_2} 1_p(m,p) \tag{4.177}$$

$$u \prec^{l}_{n} 1_p(m,p) \;\mapsto\; p = q \land \mathit{Is}_{\alpha_q}(u) \land m = u^w \land \langle u_1, \ldots, u_k\rangle \prec^{k;kb}_{n} 1_{k;kb}(m - w(\alpha_q)) \tag{4.178}$$

$$u \prec^{w}_{n} 0_w(m) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} u \prec^{pl}_{n_1} 1_w(u^w) \prec^{w}_{n_2} 0_w(m) \tag{4.179}$$

$$u \prec^{w}_{n} 0_p(m,p) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} u \prec^{pl}_{n_1} 1_w(u^w) \prec^{w}_{n_2} 0_p(m,p) \tag{4.180}$$

4.8.5 Reduction of Half Open Rigid Gap Orders

Let u = αq(u1, . . . , uk).

0w(m)

wn u 7→

n1+n2=nn1>0

0w(m)

wn1 0w

(uw) pln2 u (4.181)

0w(m)

pn u 7→

n1+n2=nn1>0

0w(m)

pn1 0p

(m,q) ln2

u (4.182)

0w(m)

ln u 7→ Isαq (u) ∧ m = uw ∧

q<i≤|Σ|¬ Tree(αi)(uw) ∧ 0k;kb

(m−w(αq)) k;kbn 〈u1, . . . , uk〉 (4.183)

0p(m,p)

wn u 7→

n1+n2=nn1>0

0p(m,p)

wn1

0w(uw)

pln2 u (4.184)


0p(m,p)

pn u 7→

n1+n2=nn1>0

0p(m,p)

pn1 0p

(m,q) ln2

u (4.185)

0p(m,p)

ln u 7→ p = q ∧ Isαq (u) ∧ m = uw ∧ 0k;kb

(m−w(αq)) k;kbn 〈u1, . . . , uk〉 (4.186)

1w(m)

wn u 7→

n1+n2=nn1>0

1w(m)

wn1

0w(uw)

pln2 u (4.187)

1p(m,p)

wn u 7→

n1+n2=nn1>0

1p(m,p)

wn1 0w

(uw) pln2 u (4.188)

u wn 1w

(m) 7→∨

n1+n2=nn2>0

u pln1 1w

(uw) wn2 1w

(m) (4.189)

u pn 1w

(m) 7→∨

n1+n2=nn2>0

u ln1

1p(m,q)

pn2 1w

(m) (4.190)

u ln 1w

(m) 7→ Isαq (u) ∧ m = uw ∧∧

0<i<q¬ Tree(αi)(uw) ∧ 〈u1, . . . , uk〉 k;kb

n 1k;kb(m−w(αq)) (4.191)

u wn 1p

(m,p) 7→∨

n1+n2=nn2>0

u pln1 1w

(uw) wn2

1p(m,p) (4.192)

u pn 1p

(m,p) 7→∨

n1+n2=nn2>0

u ln1

1p(m,q)

pn2 1p

(m,p) (4.193)

u ln 1p

(m,p) 7→ p = q ∧ Isαq (u) ∧ m = uw ∧ 〈u1, . . . , uk〉 k;kbn 1k;kb

(m−w(αq)) (4.194)

u wn 0w

(m) 7→∨

n1+n2=nn2>0

u pln1 1w

(uw) wn2 0w

(m) (4.195)

u wn 0p

(m,p) 7→∨

n1+n2=nn2>0

u pln1 1w

(uw) wn2 0p

(m,p) (4.196)

4.8.6 Reductions of Open Stretchable Gap Orders

$$u \prec^{w}_{n} v \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} u \prec^{pl}_{n_1} 1_w(u^w) \prec^{w}_{n_2} 0_w(v^w) \prec^{pl}_{n_3} v \tag{4.197}$$

$$u \prec^{p}_{n} v \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} u \prec^{l}_{n_1} 1_p(u^w, p) \prec^{p}_{n_2} 0_p(v^w, q) \prec^{l}_{n_3} v \tag{4.198}$$

where $\mathit{type}(u) = \alpha_p$ and $\mathit{type}(v) = \alpha_q$.

$$u \prec^{l}_{n} v \;\mapsto\; \langle u_1, \ldots, u_k\rangle \prec^{k;kb}_{n} \langle v_1, \ldots, v_k\rangle \tag{4.199}$$

where $u = \alpha(u_1, \ldots, u_k)$ and $v = \alpha(v_1, \ldots, v_k)$.

4.8.7 Reductions of Open Rigid Gap Orders

u wn v 7→

n1+n2+n3=nn2>0

u pln1 1w

(uw) wn2

0w(vw)

pln3 v (4.200)

u pn v 7→

n1+n2+n3=nn2>0

u ln1 1p

(uw , p) pn2 0p

(vw , q) ln3 v (4.201)

where type(u) = αp and type(v) = αq

u ln v 7→ 〈u1, . . . , uk〉 k;kb

n 〈v1, . . . , vk〉 (4.202)

where u = α(u1, . . . , uk) and v = α(v1, . . . , vk)

4.8.8 Reduction of Closed Tuple Equalities

$$0_{k;w}(\mathit{sum},m) = 0_{k;w}(\mathit{sum}',m') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \tag{4.203}$$

$$0_{k;w}(\mathit{sum},m) = 0_{k;p}(\mathit{sum}',m',p') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land \bigwedge_{p'<i\le|\Sigma|} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \tag{4.204}$$

$$0_{k;w}(\mathit{sum},m) = 1_{k;w}(\mathit{sum}',m') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land \neg\,\mathit{CNT}_1(m) \land 0_{k-1;kb}(\mathit{sum}-m) = 1_{k-1;kb}(\mathit{sum}'-m') \tag{4.205}$$

$$0_{k;w}(\mathit{sum},m) = 1_{k;p}(\mathit{sum}',m',p') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land \bigwedge_{p'<i\le|\Sigma|} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \land \neg\,\mathit{CNT}^{(\alpha_{p'})}_1(m) \land 0_{k-1;kb}(\mathit{sum}-m) = 1_{k-1;kb}(\mathit{sum}'-m') \tag{4.206}$$

$$0_{k;p}(\mathit{sum},m,p) = 0_{k;p}(\mathit{sum}',m',p') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land p = p' \tag{4.207}$$

$$0_{k;p}(\mathit{sum},m,p) = 1_{k;w}(\mathit{sum}',m') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land \bigwedge_{0<i<p} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \land \neg\,\mathit{CNT}^{(\alpha_p)}_1(m) \land 0_{k-1;kb}(\mathit{sum}-m) = 1_{k-1;kb}(\mathit{sum}'-m') \tag{4.208}$$

$$0_{k;p}(\mathit{sum},m,p) = 1_{k;p}(\mathit{sum}',m',p') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land p = p' \land \neg\,\mathit{CNT}^{(\alpha_p)}_1(m) \land 0_{k-1;kb}(\mathit{sum}-m) = 1_{k-1;kb}(\mathit{sum}'-m') \tag{4.209}$$

$$1_{k;w}(\mathit{sum},m) = 1_{k;w}(\mathit{sum}',m') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \tag{4.210}$$

$$1_{k;w}(\mathit{sum},m) = 1_{k;p}(\mathit{sum}',m',p') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land \bigwedge_{0<i<p'} \neg\,\mathit{Tree}^{(\alpha_i)}(m) \tag{4.211}$$

$$1_{k;p}(\mathit{sum},m,p) = 1_{k;p}(\mathit{sum}',m',p') \;\mapsto\; \mathit{sum} = \mathit{sum}' \land m = m' \land p = p' \tag{4.212}$$

4.8.9 Reduction of Half Open Tuple Equalities

$$0_{k;kb}(\mathit{sum}) = \langle u_1, \ldots, u_k\rangle \;\mapsto\; 0_{k;w}(\mathit{sum}, \mathit{MinCW}_k(\mathit{sum})) = \langle u_1, \ldots, u_k\rangle \tag{4.213}$$

$$0_{k;w}(\mathit{sum},m) = \langle u_1, \ldots, u_k\rangle \;\mapsto\; 0_w(m) = u_1 \land 0_{k-1;kb}(\mathit{sum}-m) = \langle u_2, \ldots, u_k\rangle \tag{4.214}$$

$$0_{k;p}(\mathit{sum},m,p) = \langle u_1, \ldots, u_k\rangle \;\mapsto\; 0_p(m,p) = u_1 \land 0_{k-1;kb}(\mathit{sum}-m) = \langle u_2, \ldots, u_k\rangle \tag{4.215}$$

$$1_{k;kb}(\mathit{sum}) = \langle u_1, \ldots, u_k\rangle \;\mapsto\; 1_{k;w}(\mathit{sum}, \mathit{MaxCW}_k(\mathit{sum})) = \langle u_1, \ldots, u_k\rangle \tag{4.216}$$

$$1_{k;w}(\mathit{sum},m) = \langle u_1, \ldots, u_k\rangle \;\mapsto\; 1_w(m) = u_1 \land 1_{k-1;kb}(\mathit{sum}-m) = \langle u_2, \ldots, u_k\rangle \tag{4.217}$$

$$1_{k;p}(\mathit{sum},m,p) = \langle u_1, \ldots, u_k\rangle \;\mapsto\; 1_w(m,p) = u_1 \land 1_{k-1;kb}(\mathit{sum}-m) = \langle u_2, \ldots, u_k\rangle \tag{4.218}$$

4.8.10 Reductions of Closed Stretchable Tuple Gap Orders

All reductions shown from this section to Section 4.8.15 are reductions of proper gap orders between tuples of the same weight. This amounts to assuming that in each redex (reduction target) we have an implicit side condition $u_1 \prec^{\sharp} v_1$, or its rigid counterpart, where $u_1$ (resp. $v_1$) is the leftmost immediate subterm of the left (resp. the right) operand.

$$0_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} 0_{k;w}(\mathit{sum},m) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \tag{4.219}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.220}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.221}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} 0_{k;w}(\mathit{sum},m) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_3} 0_{k;p}(\mathit{sum},m',p') \tag{4.222}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)\ge n\\ n_1>0,\ n_1,n_2\le n}} 0_w(m) \prec^{p}_{n_1} 0_p(m',p') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.223}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.224}$$

$$\begin{aligned}
0_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\;
& \Bigl(m = m' \to \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1,n_2\le n+1}} 0_w(m) \prec^{w}_{n_1} 1_w(m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m)\Bigr) \\
& \land \Bigl(m < m' \to \bigvee_{1<r\le n+1} \Bigl( l < \mathit{CW}^k_1(\mathit{sum},l,l') < \cdots < \mathit{CW}^k_r(\mathit{sum},l,l') < l' \\
& \qquad \land \bigvee_{\substack{\sum_{i=1}^{r} n_i=n+1\\ n_i>0}}\ \bigwedge_{0<i\le r} 0_{k;w}(\mathit{sum},\mathit{CW}^k_i(\mathit{sum},l,l')) \prec^{k;w}_{n_i-1} 1_{k;w}(\mathit{sum},\mathit{CW}^k_i(\mathit{sum},l,l'))\Bigr)\Bigr)
\end{aligned} \tag{4.225}$$

where $l \equiv m - 1$ and $l' \equiv m' + 1$.

$$0_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_w(m) \prec^{p}_{n_1} 1_w(m') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.226}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_w(m) \prec^{l}_{n_1} 1_w(m') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.227}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_2>0}} 0_{k;w}(\mathit{sum},m) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_3} 0_{k;p}(\mathit{sum},m',p') \prec^{k;pl}_{n_4} 1_{k;p}(\mathit{sum},m',p') \tag{4.228}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_w(m) \prec^{p}_{n_1} 1_p(m',p') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.229}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_w(m) \prec^{l}_{n_1} 1_p(m',p') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.230}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} 0_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \tag{4.231}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.232}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.233}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_3>0}} 0_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_2} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_3} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_4} 0_{k;p}(\mathit{sum},m',p') \tag{4.234}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)\ge n\\ n_1>0,\ n_1,n_2\le n}} 0_p(m,p) \prec^{p}_{n_1} 0_p(m',p') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.235}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.236}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_3>0}} 0_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n_2} 1_{k;w}(\mathit{sum},m) \prec^{k;pl}_{n_3} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_4} 1_{k;w}(\mathit{sum},m') \tag{4.237}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_p(m,p) \prec^{p}_{n_1} 1_w(m') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.238}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_p(m,p) \prec^{l}_{n_1} 1_w(m') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.239}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4+n_5=n\\ n_3>0}} 0_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_2} 1_{k;w}(\mathit{sum},m,p) \prec^{k;w}_{n_3} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_4} 0_{k;p}(\mathit{sum},m',p') \prec^{k;pl}_{n_5} 1_{k;p}(\mathit{sum},m',p') \tag{4.240}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_p(m,p) \prec^{p}_{n_1} 1_p(m',p') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.241}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{(n_1+1)(n_2+1)\ge n+1\\ n_1>0,\ n_1,n_2\le n+1}} 0_p(m,p) \prec^{l}_{n_1} 1_p(m',p') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.242}$$

$$\begin{aligned}
1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\;
& (n = 1 \to m < m') \\
& \land \Bigl(n > 1 \to \bigvee_{0<r<n} \Bigl( m < \mathit{CW}^k_1(\mathit{sum},m,m') < \cdots < \mathit{CW}^k_r(\mathit{sum},m,m') < m' \\
& \qquad \land \bigvee_{\substack{\sum_{i=1}^{r} n_i=n-1\\ n_i>0}}\ \bigwedge_{0<i\le r} 0_{k;w}(\mathit{sum},\mathit{CW}^k_i(\mathit{sum},m,m')) \prec^{k;w}_{n_i-1} 1_{k;w}(\mathit{sum},\mathit{CW}^k_i(\mathit{sum},m,m'))\Bigr)\Bigr)
\end{aligned} \tag{4.243}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.244}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.245}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_1>0}} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_1} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_2} 0_{k;p}(\mathit{sum},m',p') \tag{4.246}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.247}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.248}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_1} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_2} 1_{k;w}(\mathit{sum},m') \tag{4.249}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.250}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.251}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_1>0}} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_1} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_2} 0_{k;p}(\mathit{sum},m',p') \prec^{k;pl}_{n_3} 1_{k;p}(\mathit{sum},m',p') \tag{4.252}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.253}$$

$$1_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.254}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} 1_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \tag{4.255}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.256}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 0_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.257}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} 1_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_3} 0_{k;p}(\mathit{sum},m',p') \tag{4.258}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{(n_1-1)(n_2+1)\ge n-1\\ n_1>0,\ n_1,n_2<n}} 0_p(m) \prec^{p}_{n_1} 1_p(m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.259}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 0_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.260}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_2>0}} 1_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_3} 1_{k;w}(\mathit{sum},m') \tag{4.261}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)\ge n\\ n_1>0,\ n_1,n_2\le n}} 1_p(m,p) \prec^{p}_{n_1} 1_w(m') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.262}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 1_{k;w}(\mathit{sum},m') \;\mapsto\; \mathit{false} \tag{4.263}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3+n_4=n\\ n_2>0}} 1_{k;p}(\mathit{sum},m,p) \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_2} 0_{k;w}(\mathit{sum},m') \prec^{k;pl}_{n_3} 0_{k;p}(\mathit{sum},m',p') \prec^{k;pl}_{n_4} 1_{k;p}(\mathit{sum},m',p') \tag{4.264}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)\ge n\\ n_1>0,\ n_1,n_2\le n}} 1_p(m,p) \prec^{p}_{n_1} 1_p(m',p') \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.265}$$

$$1_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} 1_{k;p}(\mathit{sum},m',p') \;\mapsto\; \mathit{false} \tag{4.266}$$

4.8.11 Reductions of Closed Rigid Tuple Gap Orders

0k;w(sum,m)

k;wn 0k;w

(sum,m′) 7→∨

n1+n2=nn2>0

0k;w(sum,m)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′) (4.267)

0k;w(sum,m)

k;pn 0k;w

(sum,m′) 7→ false (4.268)

0k;w(sum,m)

k;ln 0k;w

(sum,m′) 7→ false (4.269)

0k;w(sum,m)

k;wn 0k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3=nn2>0

0k;w(sum,m)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′) k;pln3 0k;p

(sum,m′ ,p′) (4.270)

0k;w(sum,m)

k;pn 0k;p

(sum,m′ ,p′) 7→∨

n1(n2+1)=nn1>0,n1,n2≤n

0w(m)

pn1 0p

(m′ ,p′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.271)

0k;w(sum,m)

k;ln 0k;p

(sum,m′ ,p′) 7→ false (4.272)


0k;w(sum,m)

k;wn 1k;w

(sum,m′) 7→

m = m′ →∨

(n1+1)(n2+1)=n+1n1,n2≤(n+1)

0w(m)

wn1

1w(m)

∧ 0k−1;kbsum−m

k−1;kbn2 1k−1;kb

sum−m

m < m′ →

1<r≤n+1

l < CWk1(sum, l, l′) < · · · < CWk

r(sum, l, l′) < l′

∧¬

(

l ≤ CWk1(sum, l, l′) < · · · < CWk

r+1(sum, l, l′) < l′)

∧∨

∑ri=1 ni=n+1

ni>0

0<i≤r0k;w

(sum,CWki (sum,l,l′))

k;wni−1 1k;w

(sum,CWki (sum,l,l′))

where l ≡ m − 1 and l′ ≡ m′ + 1. (4.273)

0k;w(sum,m)

k;pn 1k;w

(sum,m′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0w(m)

pn1 1w

(m′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.274)

0k;w(sum,m)

k;ln 1k;w

(sum,m′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0w(m)

ln1

1w(m′) ∧ 0k−1;kb

(sum−m) k−1;kbn2 1k−1;kb

(sum−m) (4.275)

0k;w(sum,m)

k;wn 1k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3+n4=nn2>0

0k;w(sum,m)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′)

k;pln3 0k;p

(sum,m′ ,p′) k;pln4 1k;p

(sum,m′ ,p′)

(4.276)

0k;w(sum,m)

k;pn 1k;p

(sum,m′ ,p′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0w(m)

pn1 1p

(m′ ,p′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.277)

0k;w(sum,m)

k;ln 1k;p

(sum,m′ ,p′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0w(m)

ln1

1p(m′ ,p′) ∧ 0k−1;kb

(sum−m) k−1;kbn2 1k−1;kb

(sum−m) (4.278)

0k;p(sum,m,p)

k;wn 0k;w

(sum,m′) 7→∨

n1+n2=nn2>0

0k;p(sum,m,p)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′) (4.279)

0k;p(sum,m,p)

k;pn 0k;w

(sum,m′) 7→ false (4.280)

0k;p(sum,m,p)

k;ln 0k;w

(sum,m′) 7→ false (4.281)

0k;p(sum,m,p)

k;wn 0k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3+n4=nn3>0

0k;p(sum,m,p)

k;pln1 1k;p

(sum,m,p) k;pln2 1k;w

(sum,m)

k;wn3 0k;w

(sum,m′) k;pln4 0k;p

(sum,m′ ,p′)

(4.282)


0k;p(sum,m,p)

k;pn 0k;p

(sum,m′ ,p′) 7→

n1(n2+1)=nn1>0,n1,n2≤n

0p(m,p)

pn1 0p

(m′ ,p′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.283)

0k;p(sum,m,p)

k;ln 0k;p

(sum,m′ ,p′) 7→ false (4.284)

0k;p(sum,m,p)

k;wn 1k;w

(sum,m′) 7→∨

n1+n2+n3+n4=nn3>0

0k;p(sum,m,p)

k;pln1 1k;p

(sum,m,p) k;wn2 1k;w

(sum,m)

k;pln3 0k;w

(sum,m′) k;pln4 1k;w

(sum,m′)

(4.285)

0k;p(sum,m,p)

k;pn 1k;w

(sum,m′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0p(m,p)

pn1 1w

(m′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.286)

0k;p(sum,m,p)

k;ln 1k;w

(sum,m′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0p(m,p)

ln1

1w(m′) ∧ 0k−1;kb

(sum−m) k−1;kbn2 1k−1;kb

(sum−m) (4.287)

0k;p(sum,m,p)

k;wn 1k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3+n4+n+5=nn3>0

0k;p(sum,m,p)

k;pln1 1k;p

(sum,m,p) k;pln2 1k;w

(sum,m,p)

k;wn3 0k;w

(sum,m′) k;pln4 0k;p

(sum,m′ ,p′)

k;pln5 1k;p

(sum,m′,p′)

(4.288)

0k;p(sum,m,p)

k;pn 1k;p

(sum,m′ ,p′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0p(m,p)

pn1 1p

(m′ ,p′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.289)

0k;p(sum,m,p)

k;ln 1k;p

(sum,m′ ,p′) 7→

(n1+1)(n2+1)=n+1n1>0,n1,n2≤n+1

0p(m,p)

ln1

1p(m′ ,p′) ∧ 0k−1;kb

(sum−m) k−1;kbn2 1k−1;kb

(sum−m) (4.290)

1k;w(sum,m)

k;wn 0k;w

(sum,m′) 7→

n = 1 →(

m < m′ ∧ ∀z(

m < z < m′ → ¬ IsTWk(m)))

n > 1 →

0<r<n

m < CWk1(sum,m,m′) < · · · < CWk

r(sum,m,m′) < m′

∧¬

(

m < CWk1(sum,m,m′) < · · · < CWk

r+1(sum,m,m′) < m′)

∧∨

∑ri=1 ni=n−1

ni>0

0<i≤r0k;w

(sum,CWki (sum,m,m′))

k;wni−1 1k;w

(sum,CWki (sum,m,m′))

(4.291)

1k;w(sum,m)

k;pn 0k;w

(sum,m′) 7→ false (4.292)

1k;w(sum,m)

k;ln 0k;w

(sum,m′) 7→ false (4.293)


1k;w(sum,m)

k;wn 0k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3=nn1>0

1k;w(sum,m)

k;wn1 0k;w

(sum,m′) k;pln2 0k;p

(sum,m′ ,p′) (4.294)

1k;w(sum,m)

k;pn 0k;p

(sum,m′ ,p′) 7→ false (4.295)

1k;w(sum,m)

k;ln 0k;p

(sum,m′ ,p′) 7→ false (4.296)

1k;w(sum,m)

k;wn 1k;w

(sum,m′) 7→∨

n1+n2=nn1>0

1k;w(sum,m)

k;wn1 0k;w

(sum,m′) k;pln2 1k;w

(sum,m′) (4.297)

1k;w(sum,m)

k;pn 1k;w

(sum,m′) 7→ false (4.298)

1k;w(sum,m)

k;ln 1k;w

(sum,m′) 7→ false (4.299)

1k;w(sum,m)

k;wn 1k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3=nn1>0

1k;w(sum,m)

k;wn1 0k;w

(sum,m′) k;pln2 0k;p

(sum,m′ ,p′) k;pln3 1k;p

(sum,m′ ,p′) (4.300)

1k;w(sum,m)

k;pn 1k;p

(sum,m′ ,p′) 7→ false (4.301)

1k;w(sum,m)

k;ln 1k;p

(sum,m′ ,p′) 7→ false (4.302)

1k;p(sum,m,p)

k;wn 0k;w

(sum,m′) 7→∨

n1+n2=nn2>0

1k;p(sum,m,p)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′) (4.303)

1k;p(sum,m,p)

k;pn 0k;w

(sum,m′) 7→ false (4.304)

1k;p(sum,m,p)

k;ln 0k;w

(sum,m′) 7→ false (4.305)

1k;p(sum,m,p)

k;wn 0k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3=nn2>0

1k;p(sum,m,p)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′) k;pln3 0k;p

(sum,m′,p′) (4.306)

1k;p(sum,m,p)

k;pn 0k;p

(sum,m′ ,p′) 7→

(n1−1)(n2+1)=n−1n1>0,n1,n2<n

0p(m)

pn1 1p

(m) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.307)

1k;p(sum,m,p)

k;ln 0k;p

(sum,m′ ,p′) 7→ false (4.308)

1k;p(sum,m,p)

k;wn 1k;w

(sum,m′) 7→∨

n1+n2+n3+n4=nn2>0

1k;p(sum,m,p)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′) k;pln3 1k;w

(sum,m′) (4.309)

1k;p(sum,m,p)

k;pn 1k;w

(sum,m′) 7→

(n1)(n2+1)=nn1>0,n1,n2≤n

1p(m,p)

pn1 1w

(m′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.310)

1k;p(sum,m,p)

k;ln 1k;w

(sum,m′) 7→ false (4.311)


1k;p(sum,m,p)

k;wn 1k;p

(sum,m′ ,p′) 7→∨

n1+n2+n3+n4=nn2>0

1k;p(sum,m,p)

k;pln1 1k;w

(sum,m) k;wn2 0k;w

(sum,m′)

k;pln3 0k;p

(sum,m′ ,p′) k;pln4 1k;p

(sum,m′,p′)

(4.312)

1k;p(sum,m,p)

k;pn 1k;p

(sum,m′ ,p′) 7→

n1(n2+1)=nn1>0,n1,n2≤n

1p(m,p)

pn1 1p

(m′ ,p′) ∧ 0k−1;kb(sum−m)

k−1;kbn2 1k−1;kb

(sum−m) (4.313)

1k;p(sum,m,p)

k;ln 1k;p

(sum,m′ ,p′) 7→ false (4.314)

4.8.12 Reductions of Half Open Stretchable Tuple Gap Orders

$$0_{k;w}(\mathit{sum},m) \prec^{k;w}_{n} \langle u_1, \ldots, u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0_{k;w}(\mathit{sum},m) \prec^{k;w}_{n_1} 0_{k;w}(\mathit{sum},u_1^w) \prec^{k;pl}_{n_2} \langle u_1, \ldots, u_k\rangle \tag{4.315}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;p}_{n} \langle u_1, \ldots, u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} 0_w(m) \prec^{p}_{n_1} u_1 \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_3} \langle u_2, \ldots, u_k\rangle \tag{4.316}$$

$$0_{k;w}(\mathit{sum},m) \prec^{k;l}_{n} \langle u_1, \ldots, u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} 0_w(m) \prec^{l}_{n_1} u_1 \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_3} \langle u_2, \ldots, u_k\rangle \tag{4.317}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n} \langle u_1, \ldots, u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0_{k;p}(\mathit{sum},m,p) \prec^{k;w}_{n_1} 0_{k;w}(\mathit{sum},u_1^w) \prec^{k;pl}_{n_2} \langle u_1, \ldots, u_k\rangle \tag{4.318}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;p}_{n} \langle u_1, \ldots, u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} 0_p(m,p) \prec^{p}_{n_1} u_1 \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_3} \langle u_2, \ldots, u_k\rangle \tag{4.319}$$

$$0_{k;p}(\mathit{sum},m,p) \prec^{k;l}_{n} \langle u_1, \ldots, u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} 0_p(m,p) \prec^{l}_{n_1} u_1 \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_3} \langle u_2, \ldots, u_k\rangle \tag{4.320}$$

$$\langle u_1, \ldots, u_k\rangle \prec^{k;w}_{n} 1_{k;w}(\mathit{sum},m) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} \langle u_1, \ldots, u_k\rangle \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},u_1^w) \prec^{k;w}_{n_2} 1_{k;w}(\mathit{sum},m) \tag{4.321}$$

$$\langle u_1, \ldots, u_k\rangle \prec^{k;p}_{n} 1_{k;w}(\mathit{sum},m) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} u_1 \prec^{p}_{n_1} 1_w(m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land \langle u_2, \ldots, u_k\rangle \prec^{k-1;kb}_{n_3} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.322}$$

$$\langle u_1, \ldots, u_k\rangle \prec^{k;l}_{n} 1_{k;w}(\mathit{sum},m) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} u_1 \prec^{l}_{n_1} 1_w(m) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land \langle u_2, \ldots, u_k\rangle \prec^{k-1;kb}_{n_3} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.323}$$

$$\langle u_1, \ldots, u_k\rangle \prec^{k;w}_{n} 1_{k;p}(\mathit{sum},m,p) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} \langle u_1, \ldots, u_k\rangle \prec^{k;pl}_{n_1} 1_{k;w}(\mathit{sum},u_1^w) \prec^{k;w}_{n_2} 1_{k;p}(\mathit{sum},m,p) \tag{4.324}$$

$$\langle u_1, \ldots, u_k\rangle \prec^{k;p}_{n} 1_{k;p}(\mathit{sum},m,p) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} u_1 \prec^{p}_{n_1} 1_p(m,p) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land \langle u_2, \ldots, u_k\rangle \prec^{k-1;kb}_{n_3} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.325}$$

$$\langle u_1, \ldots, u_k\rangle \prec^{k;l}_{n} 1_{k;p}(\mathit{sum},m,p) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3\ge n\\ n_1,n_2,n_3\le n}} u_1 \prec^{l}_{n_1} 1_p(m,p) \land 0_{k-1;kb}(\mathit{sum}-m) \prec^{k-1;kb}_{n_2} 1_{k-1;kb}(\mathit{sum}-m) \land \langle u_2, \ldots, u_k\rangle \prec^{k-1;kb}_{n_3} 1_{k-1;kb}(\mathit{sum}-m) \tag{4.326}$$

4.8.13 Reductions of Half Open Rigid Tuple Gap Orders

\[
0^{k;w}(sum,m) \mathrel{{}^{k;w}_{n}} \langle u_1,\dots,u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0^{k;w}(sum,m) \mathrel{{}^{k;w}_{n_1}} 0^{k;w}(sum,u_1^w) \mathrel{{}^{k;pl}_{n_2}} \langle u_1,\dots,u_k\rangle \tag{4.327}
\]

\[
\begin{aligned}
0^{k;w}(sum,m) \mathrel{{}^{k;p}_{n}} \langle u_1,\dots,u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; 0^{w}(m) \mathrel{{}^{p}_{n_1}} u_1 \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_3}} \langle u_2,\dots,u_k\rangle
\end{aligned} \tag{4.328}
\]

\[
\begin{aligned}
0^{k;w}(sum,m) \mathrel{{}^{k;l}_{n}} \langle u_1,\dots,u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; 0^{w}(m) \mathrel{{}^{l}_{n_1}} u_1 \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_3}} \langle u_2,\dots,u_k\rangle
\end{aligned} \tag{4.329}
\]

\[
0^{k;p}(sum,m,p) \mathrel{{}^{k;w}_{n}} \langle u_1,\dots,u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_1>0}} 0^{k;p}(sum,m,p) \mathrel{{}^{k;w}_{n_1}} 0^{k;w}(sum,u_1^w) \mathrel{{}^{k;pl}_{n_2}} \langle u_1,\dots,u_k\rangle \tag{4.330}
\]

\[
\begin{aligned}
0^{k;p}(sum,m,p) \mathrel{{}^{k;p}_{n}} \langle u_1,\dots,u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; 0^{p}(m,p) \mathrel{{}^{p}_{n_1}} u_1 \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_3}} \langle u_2,\dots,u_k\rangle
\end{aligned} \tag{4.331}
\]

\[
\begin{aligned}
0^{k;p}(sum,m,p) \mathrel{{}^{k;l}_{n}} \langle u_1,\dots,u_k\rangle \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; 0^{p}(m,p) \mathrel{{}^{l}_{n_1}} u_1 \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_3}} \langle u_2,\dots,u_k\rangle
\end{aligned} \tag{4.332}
\]

\[
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;w}_{n}} 1^{k;w}(sum,m) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} \langle u_1,\dots,u_k\rangle \mathrel{{}^{k;pl}_{n_1}} 1^{k;w}(sum,u_1^w) \mathrel{{}^{k;w}_{n_2}} 1^{k;w}(sum,m) \tag{4.333}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;p}_{n}} 1^{k;w}(sum,m) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; u_1 \mathrel{{}^{p}_{n_1}} 1^{w}(m) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; \langle u_2,\dots,u_k\rangle \mathrel{{}^{k-1;kb}_{n_3}} 1^{k-1;kb}(sum-m)
\end{aligned} \tag{4.334}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;l}_{n}} 1^{k;w}(sum,m) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; u_1 \mathrel{{}^{l}_{n_1}} 1^{w}(m) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; \langle u_2,\dots,u_k\rangle \mathrel{{}^{k-1;kb}_{n_3}} 1^{k-1;kb}(sum-m)
\end{aligned} \tag{4.335}
\]

\[
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;w}_{n}} 1^{k;p}(sum,m,p) \;\mapsto\; \bigvee_{\substack{n_1+n_2=n\\ n_2>0}} \langle u_1,\dots,u_k\rangle \mathrel{{}^{k;pl}_{n_1}} 1^{k;w}(sum,u_1^w) \mathrel{{}^{k;w}_{n_2}} 1^{k;p}(sum,m,p) \tag{4.336}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;p}_{n}} 1^{k;p}(sum,m,p) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; u_1 \mathrel{{}^{p}_{n_1}} 1^{p}(m,p) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; \langle u_2,\dots,u_k\rangle \mathrel{{}^{k-1;kb}_{n_3}} 1^{k-1;kb}(sum-m)
\end{aligned} \tag{4.337}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;l}_{n}} 1^{k;p}(sum,m,p) \;\mapsto\; \bigvee_{\substack{n_1(n_2+1)+n_3=n\\ n_1,n_2,n_3\le n}} &\; u_1 \mathrel{{}^{l}_{n_1}} 1^{p}(m,p) \\
&\wedge\; 0^{k-1;kb}(sum-m) \mathrel{{}^{k-1;kb}_{n_2}} 1^{k-1;kb}(sum-m) \\
&\wedge\; \langle u_2,\dots,u_k\rangle \mathrel{{}^{k-1;kb}_{n_3}} 1^{k-1;kb}(sum-m)
\end{aligned} \tag{4.338}
\]

4.8.14 Reductions of Open Stretchable Tuple Gap Orders

Let $sum = \sum_{i=1}^{k} u_i^w = \sum_{i=1}^{k} v_i^w$ and $rem = \sum_{i=2}^{k} u_i^w = \sum_{i=2}^{k} v_i^w$. Let $type(u_1) = \alpha_p$ and $type(v_1) = \alpha_{p'}$.

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \prec^{k;w}_{n} \langle v_1,\dots,v_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} &\; \langle u_1,\dots,u_k\rangle \prec^{k;pl}_{n_1} 1^{k;w}(sum,u_1^w) \\
&\prec^{k;w}_{n_2} 0^{k;w}(sum,v_1^w) \prec^{k;pl}_{n_3} \langle v_1,\dots,v_k\rangle
\end{aligned} \tag{4.339}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \prec^{k;p}_{n} \langle v_1,\dots,v_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} &\; \langle u_1,\dots,u_k\rangle \prec^{k;l}_{n_1} 1^{k;p}(sum,u_1^w,p) \\
&\prec^{k;p}_{n_2} 0^{k;p}(sum,v_1^w,p') \prec^{k;l}_{n_3} \langle v_1,\dots,v_k\rangle
\end{aligned} \tag{4.340}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \prec^{k;l}_{n} \langle v_1,\dots,v_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_3>0}} &\; \langle u_2,\dots,u_k\rangle \prec^{k-1;kb}_{n_1} 1^{k-1;kb}(rem) \\
&\wedge\; 0^{k-1;kb}(rem) \prec^{k-1;kb}_{n_2} \langle v_2,\dots,v_k\rangle \\
&\wedge\; \bigvee_{\substack{(m_1+1)(m_2-1)\ge(n_3-1)\\ m_2>0,\; m_1,m_2<n_3}} 0^{k-1;kb}(rem) \prec^{k-1;kb}_{m_1} 1^{k-1;kb}(rem) \;\wedge\; u_1 \prec^{l}_{m_2} v_1
\end{aligned} \tag{4.341}
\]

4.8.15 Reductions of Open Rigid Tuple Gap Orders

Let $sum = \sum_{i=1}^{k} u_i^w = \sum_{i=1}^{k} v_i^w$ and $rem = \sum_{i=2}^{k} u_i^w = \sum_{i=2}^{k} v_i^w$. Let $type(u_1) = \alpha_p$ and $type(v_1) = \alpha_{p'}$.

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;w}_{n}} \langle v_1,\dots,v_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} &\; \langle u_1,\dots,u_k\rangle \mathrel{{}^{k;pl}_{n_1}} 1^{k;w}(sum,u_1^w) \\
&\mathrel{{}^{k;w}_{n_2}} 0^{k;w}(sum,v_1^w) \mathrel{{}^{k;pl}_{n_3}} \langle v_1,\dots,v_k\rangle
\end{aligned} \tag{4.342}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;p}_{n}} \langle v_1,\dots,v_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_2>0}} &\; \langle u_1,\dots,u_k\rangle \mathrel{{}^{k;l}_{n_1}} 1^{k;p}(sum,u_1^w,p) \\
&\mathrel{{}^{k;p}_{n_2}} 0^{k;p}(sum,v_1^w,p') \mathrel{{}^{k;l}_{n_3}} \langle v_1,\dots,v_k\rangle
\end{aligned} \tag{4.343}
\]

\[
\begin{aligned}
\langle u_1,\dots,u_k\rangle \mathrel{{}^{k;l}_{n}} \langle v_1,\dots,v_k\rangle \;\mapsto\; \bigvee_{\substack{n_1+n_2+n_3=n\\ n_3>0}} &\; \langle u_2,\dots,u_k\rangle \mathrel{{}^{k-1;kb}_{n_1}} 1^{k-1;kb}(rem) \\
&\wedge\; 0^{k-1;kb}(rem) \mathrel{{}^{k-1;kb}_{n_2}} \langle v_2,\dots,v_k\rangle \\
&\wedge\; \bigvee_{\substack{(m_1+1)(m_2-1)=(n_3-1)\\ m_2>0,\; m_1,m_2<n_3}} 0^{k-1;kb}(rem) \mathrel{{}^{k-1;kb}_{m_1}} 1^{k-1;kb}(rem) \;\wedge\; u_1 \mathrel{{}^{l}_{m_2}} v_1
\end{aligned} \tag{4.344}
\]

Chapter 5

Conclusion

02:07:59:900

Neo: I know you’re out there. I can feel you now. I know that you’re afraid. You’re afraid of us. You’re afraid of change. I don’t know the future. I didn’t come here to tell you how this is going to end. I came here to tell you how it’s going to begin. I’ll hang up this phone. And then I’ll show these people what you don’t want them to see. I’m going to show them a world without you. A world without rules and controls, without borders or boundaries. A world where anything is possible. Where we go from there is a choice I leave to you.

—The Matrix.

In the previous chapters we presented techniques for constructing decision procedures for theories of data structures with integer arithmetic. In this chapter we conclude the thesis with a discussion of future research.


This thesis offers novel solutions to an important class of decision problems: mixed constraints on data structures with quantitative properties. We developed the reduction technique, namely the extraction of accurate integer constraints from data constraints and, for quantified theories, the reduction of quantifiers over data objects to quantifiers over integers. From the construction of accurate integer constraints that precisely characterize the data constraints, we can derive decision procedures for the combined constraints by utilizing decision procedures for data structures together with decision procedures for integer arithmetic. We presented decision procedures for term algebras with integers and decision procedures for queues with integers. Using our reduction technique and quantifier elimination, we proved the decidability of the first-order theory of the Knuth-Bendix order, thereby solving a long-standing open problem in term rewriting (officially listed as RTA open problem 99 since 2000).

We envisage that decision procedures will play a bigger role in formal methods, model checking and program analysis. They will yield more valuable tools for specifying and analyzing security applications and embedded and reactive systems. We plan to expand the thesis work in the following directions.

Security Verification. The vast majority of security problems in software systems are caused by memory access violations such as stack or heap overflow and out-of-bound array access. This creates an unprecedented demand for reasoning about memory safety properties, that is, that memory accesses, in terms of various data manipulations, always stay within designated boundaries. In fact, memory safety properties are a subclass of the more general quantitative properties of resource reallocation, which can be expressed in the language of data structures with integer constraints. We believe the work in this thesis can be used as the basis for specifying and verifying such quantitative properties.

High-level Static Analysis. Many advanced data structures are widely used in industry-sized applications such as the Java Runtime Library and the C++ Standard Template Library. They include linked lists, heaps, priority queues, hash tables, skip lists, splay trees, etc. Program reliability and efficiency rely on high-level properties of these data structures. The traditional low-level logical representation of these structures easily leads to undecidability. Here the challenge is to strike the right balance between expressive power and complexity. A specification language should be designed so that it can model the core properties of a data structure while retaining decidability or even low complexity. We believe that new decision procedures for advanced data structures will make important contributions to high-level static analysis.

Verification of Embedded and Reactive Systems. It is of essential importance to develop techniques for designing and analyzing embedded and reactive systems, as they are ubiquitous in our daily lives, particularly in many of the safety-critical devices that we use. One of the challenges that we would like to focus on is carrying out symbolic exploration of the state space efficiently. Such symbolic computation unavoidably involves quantified formulas, while many first-order theories are either undecidable or intractable due to their high complexity. As many have observed, however, we hardly ever deal with formulas of large quantifier alternation depth, and hence it is worthwhile to investigate the class of formulas that may have arbitrarily long sequences of quantifiers of the same kind while the total number of quantifier alternations is bounded by a constant. In the search for quantifier elimination procedures for the theory of term algebras with integers and for the theory of queues with integers, we already aimed at, and successfully obtained, block-wise quantifier eliminations, which are practically more efficient than single-variable quantifier eliminations. We propose to continue the development of more efficient quantifier eliminations, in particular elimination procedures for the combined theory of integer and real arithmetic, which finds applications in the verification of hybrid systems and real-time systems.

More Powerful Decision Theories. On the theoretical front, we plan to search for new, powerful tools for proving decision problems. Currently we are investigating the decidability of the theory of queues with integers and with subsequence relations, including the subqueue, prefix and suffix relations. This theory has very strong expressive power: it can interpret the theory of word concatenation with length function, the theory of Presburger arithmetic with divisibility predicate, the theory of arrays, etc. Determining the decidability of this theory will have far-reaching consequences for solving other decision problems. In particular, it could give us a better understanding and classification of solutions to word equations. Besides its theoretical importance, the decidability of this theory may give us more powerful algorithms in pattern matching, which has numerous applications in computer science. It can precisely characterize the semantics of common string operations in the C language, and hence would be a powerful tool for reasoning about memory safety properties. It may also lead to a decision procedure for the theory of unbounded bit-vectors, which potentially has many applications in hardware verification.

00:44:07:932

Oracle: . . . Because you didn’t come here to make the choice. You’ve already made it. You’re here to try to understand why you made it.

—The Matrix Reloaded.


Bibliography

[1] Alessandro Armando, Silvio Ranise, and Michael Rusinowitch. Uniform derivation of decision procedures by superposition. In Proceedings of the 15th International Workshop on Computer Science Logic (CSL’01), volume 2142 of Lecture Notes in Computer Science, pages 513–527. Springer-Verlag, 2001.

[2] Franz Baader and Tobias Nipkow. Term Rewriting and All That. Cambridge University Press, Cambridge, UK, 1999.

[3] Rolf Backofen. A complete axiomatization of a theory with feature and arity constraints. Journal of Logic Programming, 24(1&2):37–71, 1995.

[4] Michael Benedikt, Leonid Libkin, Thomas Schwentick, and Luc Segoufin. A model-theoretic approach to regular string relations. In Proceedings of the 16th IEEE Symposium on Logic in Computer Science, pages 431–440. IEEE Computer Society Press, 2001.

[5] Nikolaj S. Bjørner. Integrating Decision Procedures for Temporal Verification. PhD thesis, Computer Science Department, Stanford University, November 1998.

[6] Nikolaj S. Bjørner, Anca Browne, Michael Colón, Bernd Finkbeiner, Zohar Manna, Henny B. Sipma, and Tomás E. Uribe. Verifying temporal properties of reactive systems: A STeP tutorial. Formal Methods in System Design, 16(3):227–270, June 2000.

[7] Hubert Comon. Solving symbolic ordering constraints. International Journal of Foundations of Computer Science, 1(4):387–411, 1990.

[8] Hubert Comon and Catherine Delor. Equational formulae with membership constraints. Information and Computation, 112(2):167–216, 1994.

[9] Hubert Comon and Pierre Lescanne. Equational problems and disunification. Journal of Symbolic Computation, 7:371–425, 1989.

[10] Hubert Comon and Ralf Treinen. Ordering constraints on trees. In Sophie Tison, editor, Proceedings of the 19th International Colloquium on Trees in Algebra and Programming (CAAP’94), volume 787 of Lecture Notes in Computer Science, pages 1–14. Springer-Verlag, 1994.

[11] Hubert Comon and Ralf Treinen. The first-order theory of lexicographic path orderings is undecidable. Theoretical Computer Science, 176(1-2):67–87, 1997.

[12] David C. Cooper. Theorem proving in arithmetic without multiplication. In Machine Intelligence, volume 7, pages 91–99. American Elsevier, 1972.

[13] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction to Algorithms. The MIT Press, Cambridge, Massachusetts, 2001.

[14] Nachum Dershowitz. Orderings for term-rewriting systems. Theoretical Computer Science, 7:279–301, 1982.

[15] Peter J. Downey, Ravi Sethi, and Robert E. Tarjan. Variations of the common subexpression problem. Journal of the ACM, 27:758–771, 1980.

[16] Herbert B. Enderton. A Mathematical Introduction to Logic. Academic Press, 2001.

[17] Solomon Feferman and Robert L. Vaught. The first order properties of products of algebraic systems. Fundamenta Mathematicae, 47:57–103, 1959.

[18] Silvio Ghilardi. Model-theoretic methods in combined constraint satisfiability. Journal of Automated Reasoning, 33(3-4):221–249, 2005.

[19] Wilfrid Hodges. Model Theory. Cambridge University Press, Cambridge, UK, 1993.

[20] John E. Hopcroft and Jeffrey D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley Publishing Company, 1979.

[21] Jean-Pierre Jouannaud and Mitsuhiro Okada. Satisfiability of systems of ordinal notation with the subterm property is decidable. In Proceedings of the 18th International Colloquium on Automata, Languages and Programming, volume 510 of Lecture Notes in Computer Science, pages 455–468. Springer-Verlag, 1991.

[22] H. Jerome Keisler and Chen C. Chang. Model Theory. Elsevier Science, Netherlands, 1990.

[23] Claude Kirchner, Hélène Kirchner, and Michael Rusinowitch. Deduction with symbolic constraints. Revue Française d’Intelligence Artificielle, 4(3):9–52, 1990. Special issue on automated deduction.

[24] Felix Klaedtke and Harald Rueß. Monadic second-order logics with cardinalities. In Jos C. M. Baeten, Jan Karel Lenstra, Joachim Parrow, and Gerhard J. Woeginger, editors, Proceedings of the 30th International Colloquium on Automata, Languages and Programming (ICALP’2003), volume 2719 of Lecture Notes in Computer Science. Springer-Verlag, 2003.

[25] Donald E. Knuth and Peter Bendix. Simple word problems in universal algebras. In Computational Problems in Abstract Algebra, pages 263–297. Pergamon Press, 1970. Reprinted in Automation of Reasoning, Vol. 2, Jürgen Siekmann and G. Wrightson, editors, pages 342–376, Springer-Verlag, 1983.

[26] Konstantin Korovin and Andrei Voronkov. A decision procedure for the existential theory of term algebras with the Knuth-Bendix ordering. In Proceedings of the 15th IEEE Symposium on Logic in Computer Science, pages 291–302. IEEE Computer Society Press, 2000.

[27] Konstantin Korovin and Andrei Voronkov. Knuth-Bendix constraint solving is NP-complete. In Proceedings of the 28th International Colloquium on Automata, Languages and Programming (ICALP’01), volume 2076 of Lecture Notes in Computer Science, pages 979–992. Springer-Verlag, 2001.

[28] Konstantin Korovin and Andrei Voronkov. The decidability of the first-order theory of the Knuth-Bendix order in the case of unary signatures. In Proceedings of the 22nd Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’02), volume 2556 of Lecture Notes in Computer Science, pages 230–240. Springer-Verlag, 2002.

[29] Viktor Kuncak and Martin Rinard. On the theory of structural subtyping. Technical Report MIT-LCS-TR-879, Massachusetts Institute of Technology, January 2003.

[30] Viktor Kuncak and Martin Rinard. The structural subtyping of non-recursive types is decidable. In Proceedings of the 18th IEEE Symposium on Logic in Computer Science, pages 96–107. IEEE Computer Society Press, 2003.

[31] Viktor Kuncak and Martin Rinard. An algorithm for deciding BAPA: Boolean algebra with Presburger arithmetic. In Proceedings of the 20th International Conference on Automated Deduction (CADE’05), volume 3632 of Lecture Notes in Computer Science, pages 260–277. Springer-Verlag, 2005.

[32] M. Lothaire. Combinatorics on Words. Addison-Wesley, Massachusetts, USA, 1983. M. Lothaire is a joint pseudonym for the following: Robert Cori, Dominique Perrin, Jean Berstel, Christian Choffrut, Dominique Foata, Jean-Éric Pin, Giuseppe Pirillo, Christophe Reutenauer, Marcel P. Schützenberger, Jacques Sakarovitch, and Imre Simon.

[33] László Lovász. Combinatorial Problems and Exercises. Elsevier, North-Holland, 1993.

[34] Michael J. Maher. Complete axiomatizations of the algebras of finite, rational and infinite trees. In Proceedings of the 3rd Annual Symposium on Logic in Computer Science, pages 348–357. IEEE Computer Society Press, 1988.

[35] Gennady S. Makanin. The problem of solvability of equations in a free semigroup. Math. Sbornik, 103:147–236, 1977.

[36] Anatoly I. Malcev. Axiomatizable classes of locally free algebras of various types. In The Metamathematics of Algebraic Systems, Collected Papers, chapter 23, pages 262–281. North-Holland, 1971.

[37] Paliath Narendran and Michael Rusinowitch. The theory of total unary RPO is decidable. In Proceedings of the 1st International Conference on Computational Logic (CL 2000), volume 1861 of Lecture Notes in Artificial Intelligence, pages 660–672. Springer-Verlag, 2000.

[38] Paliath Narendran, Michael Rusinowitch, and Rakesh M. Verma. RPO constraint solving is in NP. In Proceedings of the 12th International Workshop on Computer Science Logic (CSL 98), volume 1584 of Lecture Notes in Computer Science, pages 385–398. Springer-Verlag, 1999.

[39] Greg Nelson and Derek C. Oppen. Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems, 1(2):245–257, October 1979.

[40] Greg Nelson and Derek C. Oppen. Fast decision procedures based on congruence closure. Journal of the ACM, 27(2):356–364, April 1980.

[41] Robert Nieuwenhuis. Simple LPO constraint solving methods. Information Processing Letters, 47(2):65–69, 1993.

[42] Robert Nieuwenhuis and José M. Rivero. Solved forms for path ordering constraints. In Proceedings of the 10th International Conference on Rewriting Techniques and Applications (RTA), volume 1631 of Lecture Notes in Computer Science, pages 1–15. Springer-Verlag, 1999.

[43] Robert Nieuwenhuis and Albert Rubio. Theorem proving with ordering and equality constrained clauses. Journal of Symbolic Computation, 19(4):321–351, 1995.

[44] Derek C. Oppen. Elementary bounds for Presburger arithmetic. In Proceedings of the 5th Annual ACM Symposium on Theory of Computing, pages 34–37. ACM Press, 1973.

[45] Derek C. Oppen. Reasoning about recursively defined data structures. Journal of the ACM, 27(3), July 1980.

[46] Cattamanchi R. Reddy and Donald W. Loveland. Presburger arithmetic with bounded quantifier alternation. In Proceedings of the 10th Annual ACM Symposium on Theory of Computing, pages 320–325. ACM Press, 1978.

[47] Peter Revesz. Quantifier-elimination for the first-order theory of boolean algebras with linear cardinality constraints. In Proceedings of the 18th Conference on Advances in Databases and Information Systems (ADBIS’04), volume 3255 of Lecture Notes in Computer Science, pages 1–21. Springer-Verlag, 2004.

[48] Tatiana Rybina and Andrei Voronkov. A decision procedure for term algebras with queues. In Proceedings of the 15th IEEE Symposium on Logic in Computer Science, pages 279–290. IEEE Computer Society Press, 2000.

[49] Tatiana Rybina and Andrei Voronkov. A decision procedure for term algebras with queues. ACM Transactions on Computational Logic, 2(2):155–181, 2001.

[50] Tatiana Rybina and Andrei Voronkov. Upper bounds for a theory of queues. In Proceedings of the 30th International Colloquium on Automata, Languages and Programming (ICALP’03), volume 2719 of Lecture Notes in Computer Science, pages 714–724. Springer-Verlag, 2003.

[51] Thoralf A. Skolem. Untersuchungen über die Axiome des Klassenkalküls und über Produktations- und Summationsprobleme, welche gewisse Klassen von Aussagen betreffen. In Jens Erik Fenstad, editor, Selected Works in Logic, pages 67–101. Universitetsforlaget, 1970.

[52] Wolfgang Thomas. Infinite trees and automaton-definable relations over ω-words. Theoretical Computer Science, 103:143–159, 1992.

[53] Cesare Tinelli and Mehdi T. Harandi. A new correctness proof of the Nelson–Oppen combination procedure. In F. Baader and Klaus U. Schulz, editors, Proceedings of the 1st International Workshop on Frontiers of Combining Systems (FroCoS’96), Applied Logic Series, Vol. 3, pages 103–120. Kluwer Academic Publishers, 1996.

[54] Cesare Tinelli and Christophe Ringeissen. Unions of non-disjoint theories and combinations of satisfiability procedures. Theoretical Computer Science, 290(1):291–353, January 2003.

[55] Cesare Tinelli and Calogero G. Zarba. Combining decision procedures for sorted theories. In José Júlio Alferes and João Alexandre Leite, editors, Proceedings of the 9th European Conference on Logics in Artificial Intelligence (JELIA’04), volume 3229 of Lecture Notes in Computer Science, pages 641–653. Springer-Verlag, 2004.

[56] Ralf Treinen. A new method for undecidability proofs of first order theories. Journal of Symbolic Computation, 14:437–457, 1992.

[57] K. N. Venkataraman. Decidability of the purely existential fragment of the theory of term algebras. Journal of the ACM, 34(2):492–510, 1987.

[58] Calogero G. Zarba. Combining multisets with integers. In Andrei Voronkov, editor, Proceedings of the 18th International Conference on Automated Deduction, volume 2392 of Lecture Notes in Artificial Intelligence, pages 363–376. Springer-Verlag, 2002.

[59] Calogero G. Zarba. Combining sets with integers. In Alessandro Armando, editor, Proceedings of the 4th International Workshop on Frontiers of Combining Systems (FroCoS’02), volume 2309 of Lecture Notes in Artificial Intelligence, pages 103–116. Springer-Verlag, 2002.

[60] Ting Zhang, Henny B. Sipma, and Zohar Manna. Decision procedures for recursive data structures with integer constraints. In Proceedings of the 2nd International Joint Conference on Automated Reasoning (IJCAR’04), volume 3097 of Lecture Notes in Computer Science, pages 152–167. Springer-Verlag, 2004.

[61] Ting Zhang, Henny B. Sipma, and Zohar Manna. Term algebras with length function and bounded quantifier alternation. In Proceedings of the 17th International Conference on Theorem Proving in Higher Order Logics (TPHOLs’04), volume 3223 of Lecture Notes in Computer Science, pages 321–336. Springer-Verlag, 2004.

[62] Ting Zhang, Henny B. Sipma, and Zohar Manna. The decidability of the first-order theory of term algebras with Knuth-Bendix order. In Robert Nieuwenhuis, editor, Proceedings of the 20th International Conference on Automated Deduction (CADE’05), volume 3632 of Lecture Notes in Computer Science, pages 131–148. Springer-Verlag, 2005.

[63] Ting Zhang, Henny B. Sipma, and Zohar Manna. Decision procedures for queues with integer constraints. In R. Ramanujam and Sandeep Sen, editors, Proceedings of the 25th International Conference on the Foundations of Software Technology and Theoretical Computer Science (FSTTCS’05), volume 3821 of Lecture Notes in Computer Science, pages 225–237. Springer-Verlag, 2005.

[64] Ting Zhang, Henny B. Sipma, and Zohar Manna. Decision procedures for term algebras with integer constraints. Information and Computation, 204(10):1526–1574, October 2006.

[65] Zohar Manna, Henny B. Sipma, and Ting Zhang. Verifying balanced trees. Symposium on Logical Foundations of Computer Science, 2007. To appear.


List of Definitions

Definition 2.1 Term Algebras (page 13)
Definition 2.2 Type Completeness (page 15)
Definition 2.3 Convexity Theory (page 17)
Definition 2.4 DAG Representation (page 17)
Definition 2.5 Unification Closure (page 18)
Definition 2.6 Congruence Closure (page 18)
Definition 2.7 Term Algebras with Integers (page 20)
Definition 2.8 Length Constraint Completion (LCC) in TAZ (page 22)
Definition 2.9 Relativized LCC (RLCC) in TAZ (page 24)
Definition 2.10 Counting Constraints (page 28)
Definition 2.11 Equality Completeness (page 28)
Definition 2.12 Red-black Trees [13] (page 32)
Definition 2.13 Colored Trees (page 32)
Definition 2.14 Structure of Red-black Trees (page 33)
Definition 2.15 Relativized LCC (RLCC) in RBZ (page 34)
Definition 2.16 Solved Form in TA (page 49)
Definition 2.17 Clusters (page 54)
Definition 2.18 RLCC with Parameters in TAZ (page 55)
Definition 2.19 Strongly Solved Form (page 56)
Definition 3.1 Queues (page 85)
Definition 3.2 Conjugacy [32] (page 87)
Definition 3.3 Primitive Words (page 87)
Definition 3.4 Solved Form in Q (page 88)
Definition 3.5 Normal Form in Q (page 88)
Definition 3.6 Queues with Integers (page 90)
Definition 3.7 Length Constraint Completion (LCC) in QZ (page 91)
Definition 3.8 Relativized LCC (RLCC) in QZ (page 91)
Definition 3.9 Equality Completeness (page 92)
Definition 3.10 Normal Form in QZ (page 92)
Definition 3.11 Delimiters in Q (page 95)
Definition 3.12 Length Configurations in QZ (page 95)
Definition 3.13 Queues with Prefix (page 97)
Definition 3.14 Queues with Prefix and Integers (page 97)
Definition 3.15 Normal Form in Q+Z (page 97)
Definition 3.16 Prefix Completeness (page 98)
Definition 3.17 Delimiters in Q+ (page 106)
Definition 3.18 Length Configurations in Q+Z (page 109)
Definition 3.19 RLCC with Parameters in QZ (page 111)
Definition 3.20 Normal Form with Parameters in QZ (page 111)
Definition 4.1 Knuth-Bendix Order [25] (page 126)
Definition 4.2 Term Algebras with Knuth-Bendix Order (page 126)
Definition 4.3 Decomposition of KBO (page 128)
Definition 4.4 Gap Orders (page 128)
Definition 4.5 Boundary Functions (page 129)
Definition 4.6 Term Algebras with KBO and Its Extensions (page 130)
Definition 4.7 KBO on Tuples (page 130)
Definition 4.8 Suborders on Tuples (page 130)
Definition 4.9 Tuple Gap Orders (page 130)
Definition 4.10 Tuple Boundary Functions (page 131)
Definition 4.11 Gap Order Completion (page 132)
Definition 4.12 Delineated Gap Order Completion (page 133)


List of Algorithms

Algorithm 2.1 Oppen’s Decision Procedure for Th∀(TA) [45] . . . . . . . . . . . . . . . . . . 18Algorithm 2.2 Decision Procedure for Th∀(TA) with Selectors . . . . . . . . . . . . . . . . . 19Algorithm 2.3 Generic Decision Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Algorithm 2.4 Computation of LCC in TAω

Z . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Algorithm 2.5 Decision Procedure for Th∀(TAω

Z) . . . 26
Algorithm 2.6 Computation of RLCC in TAZ . . . 29
Algorithm 2.7 Decision Procedure for Th∀(TAZ) . . . 29
Algorithm 2.8 Left-Rotation of Trees . . . 31
Algorithm 2.9 Computation of RLCC in RBZ . . . 34
Algorithm 2.10 RB-Insertion with Left-Rotation and Right-Rotation Integrated . . . 36
Algorithm 2.11 Normalization in TA . . . 49
Algorithm 2.12 Decomposition of Constructor Terms . . . 51
Algorithm 2.13 Quantifier Elimination in TA . . . 52
Algorithm 2.14 Normalization with Parameters TAZ . . . 57
Algorithm 2.15 Cluster Completion . . . 58
Algorithm 2.16 Decomposition of Disequalities Containing x . . . 59
Algorithm 2.17 Elimination of Term Quantifiers in TAZ . . . 61
Algorithm 3.1 Normalization in Q, cf. [5] . . . 89
Algorithm 3.2 Decision Procedure for Queues [5] . . . 90
Algorithm 3.3 Generic Decision Procedure . . . 92
Algorithm 3.4 Equality Completion . . . 92
Algorithm 3.5 Normalization in QZ . . . 92
Algorithm 3.6 Computation of Φ∆+ in QZ . . . 94
Algorithm 3.7 Decision Procedures for QZ . . . 96
Algorithm 3.8 Prefix Completion . . . 98
Algorithm 3.9 Elimination of Single Variable Literals . . . 99
Algorithm 3.10 Simplification of Negative ≺ Literals . . . 99
Algorithm 3.11 Upward Alignment . . . 100

Algorithm 3.12 Downward Alignment . . . 100
Algorithm 3.13 Simplification of Positive ≺ Literals . . . 101
Algorithm 3.14 Loop Elimination . . . 101
Algorithm 3.15 Multi-path Elimination . . . 102
Algorithm 3.16 Alignment of Positive ≺ Literals . . . 103
Algorithm 3.17 Chain Normalization . . . 103
Algorithm 3.18 Alignment with Presence of Orbit Literals . . . 103
Algorithm 3.19 Elimination of Chains with Disequalities . . . 105
Algorithm 3.20 Elimination of Chains with Negative ≺-Literals . . . 106
Algorithm 3.21 Elimination of Negative ≺-Literals with Chains . . . 107
Algorithm 3.22 Normalization in Q+Z . . . 107
Algorithm 3.23 Computation of Φ∆+ in Q+Z . . . 108
Algorithm 3.24 Decision Procedure for Q+Z . . . 109
Algorithm 3.25 Normalization with Parameters in QZ . . . 111
Algorithm 3.26 Elimination of Queue Quantifiers . . . 112
Algorithm 4.1 Elimination of Integer Quantifiers in TAZkb+ . . . 136
Algorithm 4.2 Elimination of Term Quantifiers in TAZkb+ . . . 137

List of Propositions

Proposition 2.1 Additivity of RLCC . . . 24
Proposition 2.2 LCC in TAωZ . . . 26
Proposition 2.3 RLCC in TAZ . . . 29
Proposition 2.4 Strongly Solved Form . . . 61
Proposition 2.5 Linear Combination . . . 67
Proposition 3.1 Elimination of Selectors . . . 86
Proposition 3.2 Conjugacy [32] . . . 87
Proposition 3.3 Exclusiveness of Orbit Literals [5, 48] . . . 88
Proposition 3.4 Normal Form in Q . . . 89
Proposition 3.5 Normal Form in QZ . . . 94
Proposition 3.6 Normalization in Q+Z . . . 108
Proposition 3.7 Tags in αβ . . . 115
Proposition 3.8 Tags in Chains . . . 117
Proposition 3.9 Tags in αX . . . 119

List of Lemmas

Lemma 4.1 Elimination of Negative Literals . . . 133
Lemma 4.2 Delineated Gap Order Completion . . . 134
Lemma 4.3 No Embedding of Boundary Terms . . . 134
Lemma 4.4 Reduction of Term Gap Order Literals . . . 134
Lemma 4.5 Reduction of Closed Term Literals . . . 134
Lemma 4.6 Reduction of Non-closed Term Gap Order Literals . . . 135
Lemma 4.7 Reduction of Tuple Literals . . . 135
Lemma 4.8 Elimination of Term Quantifiers . . . 135
Lemma 4.9 Elimination of Integer Quantifiers . . . 135
Lemma 4.10 Soundness of Algorithm 4.1 . . . 138
Lemma 4.11 Termination . . . 139
Lemma 4.12 Open Gap Order Literals in DGOCs . . . 149

List of Theorems

Theorem 2.1 Reduction with LCC [60] . . . 23
Theorem 2.2 Reduction with RLCC . . . 25
Theorem 2.3 LCC in TAωZ . . . 26
Theorem 2.4 Counting Constraints in TAZ . . . 28
Theorem 2.5 RLCC in TAZ . . . 29
Theorem 2.6 Counting Constraints in RBZ . . . 34
Theorem 2.7 RLCC in RBZ . . . 35
Theorem 2.8 Decidability of Th∀(RBZ) . . . 35
Theorem 2.9 Soundness of Algorithm 2.13 . . . 52
Theorem 2.10 Complexity of Algorithm 2.13 . . . 52
Theorem 2.11 RLCC with Parameters in TAZ . . . 56
Theorem 2.12 Soundness of Algorithm 2.17 . . . 61
Theorem 2.13 Complexity of Algorithm 2.17 . . . 61
Theorem 3.1 Exclusiveness of Orbit Literals [5, 48] . . . 88
Theorem 3.2 RLCC in QZ . . . 95
Theorem 3.3 Complexity of Th∀(QZ) . . . 96
Theorem 3.4 RLCC in Q+Z . . . 109
Theorem 3.5 Complexity of Th∀(Q+Z) . . . 110
Theorem 3.6 RLCC with Parameters in QZ . . . 112
Theorem 3.7 Soundness of Algorithm 3.26 . . . 113
Theorem 4.1 Decidability . . . 139

List of Examples

Example 2.1 LISP Lists . . . 14
Example 2.2 Type Completeness . . . 15
Example 2.3 Type Completion . . . 16
Example 2.4 Type Completion and Simplification . . . 16
Example 2.5 Oppen’s Algorithm . . . 19
Example 2.6 Notation for Pseudo Integer Variables . . . 21
Example 2.7 Hidden Length Constraints . . . 21
Example 2.8 More Hidden Length Constraints . . . 22
Example 2.9 LCC in ListZ . . . 23
Example 2.10 RLCC in List . . . 24
Example 2.11 LCC in TAωZ . . . 27
Example 2.12 Hidden Length Constraints in TAZ . . . 27
Example 2.13 Counting Constraints . . . 28
Example 2.14 Equality Completion . . . 29
Example 2.15 RLCC in TAZ . . . 30
Example 2.16 Elimination of Selectors . . . 50
Example 2.17 Solving Equalities . . . 51
Example 2.18 Quantifier Elimination in TA . . . 53
Example 2.19 Mutually Independent Clusters . . . 54
Example 2.20 Cluster Completeness . . . 55
Example 2.21 Strongly Solved Form . . . 56
Example 2.22 Removal of Disequalities . . . 60
Example 2.23 Quantifier Elimination in TAZ . . . 61
Example 2.24 Assignment in TAωZ . . . 69
Example 3.1 Orbits . . . 87
Example 3.2 Conjugacy . . . 87
Example 3.3 Primitive Words . . . 87
Example 3.4 Exclusiveness of Orbit Literals . . . 88

Example 3.5 Hidden Length Constraints in QZ . . . 90
Example 3.6 LCC in QZ . . . 91
Example 3.7 RLCC in QZ . . . 91
Example 3.8 Anomaly . . . 94
Example 3.9 Computation of Lt . . . 95
Example 3.10 Blocks . . . 96
Example 4.1 Elimination in Linear Order . . . 129
Example 4.2 Extension of Knuth-Bendix Order . . . 130
Example 4.3 Gap Order Completion . . . 132
Example 4.4 Order Arrangement . . . 132
Example 4.5 Delineated Gap Order Completion . . . 133
Example 4.6 Quantifier Elimination in ListZkb+ . . . 139

List of Figures

2-1 The DAG of cons(y, z) = cons(x, z) ∧ cons(x, y) ≠ z. . . . 18
2-2 The DAG of cons(y, z) = cons(cdr(x), z) ∧ cons(car(x), y) ≠ x ∧ Iscons(x). . . . 19
2-3 The DAG of x = cons(car(y), y) ∧ |cons(car(y), y)| < 2|car(x)| ∧ Iscons(y). . . . 26
2-4 A run of RB-Insertion. . . . 37
2-5 Paths from the root of the tree to x. In each of (a)-(d), the first row shows the sequence of nodes from the root to x; the second row shows whether the node above it is a left (←) or right (→) sibling; the third row shows the sibling tree of the node in the top row. . . . 38
2-6 A detailed run of RB-Insertion step (b). . . . 40
2-7 A detailed run of RB-Insertion step (c). . . . 41
2-8 A detailed run of RB-Insertion step (d) with x − 2 = root. . . . 42
2-9 A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = right. . . . 44
2-10 A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = right (continued). . . . 45
2-11 A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = left. . . . 46
2-12 A detailed run of RB-Insertion step (d) with x − 2 ≠ root ∧ T[x − 2].dir = left (continued). . . . 47
2-13 The DAG of Iscons(x) ∧ cons(y, z) = cons(cdr(x), z) ∧ car(x) ≠ z. . . . 69

3-1 aaba, abaa, aaab and baaa are pairwise conjugate. . . . 87

4-1 An order arrangement of x1 ≺wn1 x2 ≺pn2 x3 ≺ln3 x4. . . . 132
4-2 Quantifier Elimination in TAZkb+ . . . 138
4-3 Quantifier Elimination on (∃x) [car(x) ≺l2 cdr(cdr(x)) ∧ cdr(cdr(car(x))) ≺l3 y]. . . . 139

Index

A, see Tester
A, see Constant
black, see Red-black tree
C, see Constructor
CLS, see Cluster
CNT]\, see Counting constraint, Integer function
CNT]\, see Counting constraint, Integer function
CWL]\, see Integer function
CWS]\, see Integer function
CW]\, see Integer function
DGOC, see Delineated gap order completion
Is, see Tester
IsCW], see Integer function
IsTW], see Integer function
LA, see Queue
Lkb, see Term algebra with KBO
LZkb+, see Term algebra with KBO and integers
LQ, see Queue
LZQ, see Queue with integers
LQ+, see Queue with prefix
LZQ+, see Queue with prefix and integers
LRB, see Colored tree
LZRB, see Red-black tree
LT, see Term algebra
LZT, see Term algebra with integers
LZ, see Presburger arithmetic
List, see LISP list
MaxCW], see Integer function
MinCW], see Integer function
Node], 25
PA, see Presburger arithmetic
PRE, see Delimiter
Q, see Queue
QZ, see Queue with integers
Q+Z, see Queue with prefix and integers
Q+, see Queue with prefix
Q, see Queue
RB, see Colored tree
RBZ, see Red-black tree
R, see Unification closure
R, see Bidirectional closure
red, see Red-black tree
R, see Congruence closure
SUF, see Delimiter
TA, see Term algebra
TAkb, see Term algebra with KBO
TAZkb+, see Term algebra with KBO and integers
TAZ, see Term algebra with integers
TAωZ, see Term algebra with integers
TAω, see Term algebra
T, see Term domain
Trb, see Colored tree
Th, see Theory
Th∀, see Quantifier-free theory
Tree], 25
WD, see Well-definedness
Z, see Presburger arithmetic
εA, see Queue
ar, see Arity, see Constructor
T, 5

V, 5
car, see LISP list
cdr, see LISP list
cons, see LISP list
depth, see Depth
εQ, see Queue
ext, see Orbit
A, see Σ-structure
gen, see Orbit
la, see Queue
lh, see Queue
]n, see Gap order
≺]n, see Gap order
list, see LISP list
lt, see Queue
nil, see LISP list
⊭∃, see Unsatisfiability
1(...), see Upper boundary function
orb, see Orbit
ra, see Queue
rcons, see Queue
rh, see Queue
rt, see Queue
s, see Selector
|=∃, see Satisfiability
type, see Term algebra
k;]n, see Tuple gap order
≺k;]n, see Tuple gap order
1(...), see Upper tuple boundary function
0(...), see Lower tuple boundary function
(·)w, see Weight function
0(...), see Lower boundary function

∀1-formula, 6
∀1-fragment, 6
Arity, 5
Atom, 85
Atomic formula, 5

Bidirectional closure, 18
Block, 96
Boundary function, 129
  lower, 129
  on tuples, 131
    lower, 131
    upper, 131
  upper, 129
Boundary term, 129
  lower, 129
  upper, 129
Boundary tuple, 131
  lower, 131
  upper, 131

Closed term literal, 129
Closed tuple literal, 131
Cluster, 54
Cluster completeness, 55
Cluster completion, 55
Color, 95
Colored Tree, 32
Completeness
  of clusters, 55
  of equality
    of queues with integers, 92
    of term algebras with integers, 28
  of prefix, 98
  of sibling, 17
  of type, 15
Completion
  of clusters, 55
  of delineated gap order, 133
  of equality
    of queues with integers, 92
    of term algebras with integers, 28
  of gap order, 132
  of prefix, 98

  of sibling, 17
  of type, 15
Congruence closure, 18
Conjugacy, 87
Connected variable, 96
Constant, 5
  of term algebras, 13
Constructor
  of queue, 85
  of term algebras, 13
Constructor term, 15
Convexity theory, 17
Counting constraint, 28
Cut length, 94

dp, see Delimiter
DAG, see Directed acyclic graph
Delimiter
  of queues with integers, 95
  of queues with prefix and integers, 106
Delineated gap order completion, 133
Depth, 15
DGOC, see Delineated gap order completion
Directed acyclic graph, 17
  of a formula, 17
Disjunctive normal form, 5
Domain, 6
  of queue, 85
  of term algebras, 13

∃1-formula, 6
∃1-fragment, 6
Equality completeness
  of queues with integers, 92
  of term algebras with integers, 28
Equality completion
  of queues with integers, 92
  of term algebras with integers, 28
Existential closure, 6
Expression, 6

Free occurrence, 5
Function symbol, 5

Gap order, 128
  rigid, 129
  stretchable, 129
  tuple, 130
Gap order completion, 132
GOC, see Gap order completion
Ground formula, 5

Half-open term literal, 129
Half-open tuple literal, 131

Integer function, 175
Integer predicate, 174

KBO, see Knuth-Bendix order
Knuth-Bendix order, 126
  on tuples, 130
    suborders, 130
  suborders, 128
    lexicographic order, 128
    precedence order, 128
    weight order, 128

LCC, see Length constraint completion
Length configuration, 95
Length constraint completion
  of queues with integers, 91
  of term algebras with integers, 22
LISP list, 14
Literal, 5
  closed, 129
  half-open, 129
  open, 129
  tuple, 131

    closed, 131
    half-open, 131
    open, 131
Lower boundary function, 129
Lower boundary term, 129
Lower boundary tuple, 131
Lower tuple boundary function, 131

Matrix, 6
Model, 6
Multi-sorted logic, 7

Nondeterminism, 8
Normal form
  of queues, 88
  of queues with integers, 92
    with parameters, 111
  of queues with prefix and integers, 97

Open term literal, 129
Open tuple literal, 131
Orbit, 87

Precedence, 126
Predicate symbol, 5
Prefix completeness, 98
Prefix completion, 98
Prenex form, 6
Presburger arithmetic, 8
Primitive form, 7
Primitive formula, see Primitive form
Primitive word, 87

Quantifier elimination, 7
Quantifier-free formula, 5
Quantifier-free fragment, 6
Quantifier-free theory, 6
Queue, 85
Queue with prefix, 97
Queue with prefix and integers, 97
Queues with integers, 90

Red-black tree, 33
Red-black trees, 32
Redex, 8
Reduct, 8
Refutational decision procedure, 7
Relativized length constraint completion
  of queues with integers, 91
    with parameters, 111
  of red-black trees, 34
  of term algebras with integers, 24
    with parameters, 55
Rigid gap order, 129
Rigid tuple gap order, 131
RLCC, see Relativized length constraint completion

Satisfiability, 6
Satisfiable formula, 6
Selector
  of queue, 85
  of term algebras, 13
Selector term, 15
  proper, 15
Sentence, 5
Sibling completeness, 17
Sibling completion, 17
Σ-structure, 6
Σ-term, 5
Solved form
  KBO, 127
  of queues, 88
  of term algebras, 49
Sort, see Multi-sorted logic
Stretchable gap order, 129
Stretchable tuple gap order, 131

Strongly primitive word, 87
Strongly solved form
  of term algebras with integers, 56
Structure, see Σ-structure
  multi-sorted, 7
  of colored trees, 32
  of queues, 85
  of queues with integers, 90
  of queues with prefix, 97
  of queues with prefix and integers, 97
  of red-black trees, 33
  of term algebras, 13
  of term algebras with integers, 20
  of term algebras with KBO, 126
  of term algebras with KBO and integers, 130

Tag
  of queues with integers, 95
  of queues with prefix and integers, 108
Term, see Σ-term
  constructor, 15
  depth of, 15
  selector, 15
Term algebra, 13
Term algebra with integers, 20
Term algebra with KBO, 126
Term algebra with KBO and integers, 130
Tester, 13
Theory, 6
Tuple gap order
  rigid, 131
  stretchable, 131
Type completeness, 15
Type completion, 15

Unification closure, 18
Universal closure, 6
Unsatisfiability, 6
Unsatisfiable formula, 6
Upper boundary function, 129
Upper boundary term, 129
Upper boundary tuple, 131
Upper tuple boundary function, 131

Valid formula, 6
Validity, 6

Weight function, 126