
Bradley, Manna. The Calculus of Computation, Springer, 2007
200 7 Quantified Linear Arithmetic
with free variables or some quantifier alternation? For example, consider the formula
G : ∀y1. · · · ∀ym. ∃x1. · · · ∃xn. F[x1, . . . , xn, y1, . . . , ym] .
Eliminating the inner block produces the T̂Z-equivalent formula
$G' : \forall y_1.\ \cdots\ \forall y_m.\ \bigvee_{j_1=1}^{\delta_1} \cdots \bigvee_{j_n=1}^{\delta_n} F'[j_1, \ldots, j_n, y_1, \ldots, y_m]\ .$
Order the free variables free(F ′) = {j1, . . . , jn, y1, . . . , ym} so that the yi’s precede the ji’s. In the resulting triangulated system, as few constraints as possible contain yi variables. Drop all resulting constraints that contain a yi variable, and solve the remaining constraints. A variable ji that does not appear in the final set of constraints must be instantiated to all values in its range [1, δi].
7.3 Quantifier Elimination over Rationals
QE for the theory of rationals TQ is simpler than for T̂Z. Recall that TQ has the following signature:
ΣQ : {0, 1, +, −, =, ≥} ,
where
• 0 and 1 are constants;
• + is a binary function;
• − is a unary function;
• and = and ≥ are binary predicates.
To be consistent with our presentation of Cooper’s method, we switch from weak inequality ≥ to strict inequality >. Of course, they are interchangeable:
x ≥ y ⇔ x > y ∨ x = y and x > y ⇔ x ≥ y ∧ ¬(x = y) .
7.3.1 Ferrante and Rackoff’s Method
Given a ΣQ-formula ∃x. F[x] as input, where F is quantifier-free, the algorithm proceeds according to the following steps.
Step 1
Put F[x] in NNF. The output ∃x. F1[x] is TQ-equivalent to ∃x. F[x] and is such that F1 is a positive Boolean combination (only ∧ and ∨) of literals.

Step 2
Replace literals according to the following TQ-equivalences, applied from left to right:
¬(s < t) ⇔ t < s ∨ t = s
¬(s = t) ⇔ t < s ∨ t > s
The output ∃x. F2[x] is TQ-equivalent to ∃x. F[x] and does not contain any negations.
Step 3
Solve for x in each atom of F2[x]: for example, replace the atom
t < cx ,
where c ∈ Z \ {0} and t is a term not containing x, with
t/c < x
when c > 0 (for c < 0, dividing by c reverses the inequality, giving x < t/c). Atoms in the output ∃x. F3[x] now have the form
(A) x < a
(B) b < x
(C) x = c
where a, b, c are terms that do not contain x. ∃x. F3[x] is TQ-equivalent to ∃x. F[x].
Step 4
Construct the left infinite projection F−∞ from F3[x] by replacing
(A) atoms x < a by ⊤, (B) atoms b < x by ⊥,
and
(C) atoms x = c by ⊥.
Construct the right infinite projection F+∞ from F3[x] by replacing
(A) atoms x < a by ⊥, (B) atoms b < x by ⊤,
and
(C) atoms x = c by ⊥.

[Fig. 7.2 (figure not reproduced). Satisfying points: (a) (b+a)/2 (b) (c+c)/2]
The left (right) infinite projection captures the case when small (large) n ∈ Q satisfy F3[n].
Let S be the set of a, b, and c terms from the (A), (B), and (C) atoms. Construct the final output
$F_4 : F_{-\infty} \;\lor\; F_{+\infty} \;\lor\; \bigvee_{s,t \in S} F_3\!\left[\frac{s+t}{2}\right]$
which is TQ-equivalent to ∃x. F[x].
The disjunct F−∞ captures the possibility that all rationals n less than some value a satisfy F4[n]. The disjunct F+∞ captures the symmetric case for large n. Finally, the last disjunct can be seen as capturing two possibilities. First, disjuncts in which s and t are the same terms check whether any term s ∈ S satisfies F4[s]. Second, consider the remaining O(|S|²) disjuncts in which s and t are different terms. In any TQ-interpretation, |S| − 1 pairs s, t ∈ S are adjacent; for such a pair, (s, t) is an interval in which no other s′ ∈ S lies. If F4[(s+t)/2], then it can be shown that every other point n ∈ (s, t) also satisfies F4[n]. In other words, (s+t)/2 represents the whole interval (s, t). Since no single TQ-interpretation is fixed in advance, all O(|S|²) pairs are considered (but see Exercise 7.8 for an optimization).
Figure 7.2 illustrates two cases in which a, b, and c terms are constant. Figure 7.2(a) visualizes the formula b < x ∧ x < a, for which (b+a)/2 is a satisfying point. Triangles represent inequalities; the solid circle represents (b+a)/2. All points in the interval (b, a) are satisfying, but (b+a)/2 is the representative of this interval. Figure 7.2(b) includes an additional literal, x = c (the solid circle); now, (b+a)/2 (the open circle) is not a satisfying point, but (c+c)/2 = c is.
Example 7.17. Consider the ΣQ-formula
∃x. 2x = y ,
whose subformula 2x = y is F[x]. In Step 3, solving for x produces
F′ : ∃x. x = y/2
so that S = {y/2}. The left F−∞ and right F+∞ infinite projections are both ⊥, as F′ contains a single (C) atom. Hence, simplifying
$F_4 : \bigvee_{s,t \in S} \frac{s+t}{2} = \frac{y}{2}$
reveals the TQ-equivalent quantifier-free formula y/2 = y/2, or ⊤. Therefore, ∃x. F[x] is TQ-valid.
Example 7.18. Consider the ΣQ-formula
∃x. 3x + 1 < 10 ∧ 7x − 6 > 7 ,
whose subformula 3x + 1 < 10 ∧ 7x − 6 > 7 is F[x]. Solving for x gives
F′ : ∃x. x < 3 ∧ x > 13/7 ,
whose subformula x < 3 ∧ x > 13/7 is F3[x], and S = {3, 13/7}. Since x < 3 is an (A) atom and x > 13/7 is a (B) atom, both F−∞ and F+∞ simplify to ⊥, leaving
$F_4 : \bigvee_{s,t \in S} \left( \frac{s+t}{2} < 3 \;\land\; \frac{s+t}{2} > \frac{13}{7} \right) .$
(s+t)/2 takes on three expressions: 3, 13/7, and (13/7 + 3)/2. The first two expressions arise when s and t are the same terms. F3[3] and F3[13/7] both simplify to ⊥ since the inequalities are strict; however,
$F_3\!\left[\frac{\frac{13}{7} + 3}{2}\right] : \frac{\frac{13}{7} + 3}{2} < 3 \;\land\; \frac{\frac{13}{7} + 3}{2} > \frac{13}{7}$
simplifies to ⊤. Thus, F4 : ⊤ is TQ-equivalent to ∃x. F[x], so ∃x. F[x] is TQ-valid.
||
Example 7.19. Consider the ΣQ-formula
G : ∀x. x < y .
To eliminate x, consider the subformula F of
G′ : ¬(∃x. ¬(x < y)) ,
where F[x] is ¬(x < y). Step 2 rewrites F as
∃x. y < x ∨ y = x .
The literals are already in solved form for x in Step 3. Then
F−∞ : ⊥ ∨ ⊥ and F+∞ : ⊤ ∨ ⊥
simplify to ⊥ and ⊤, respectively. Since F+∞ is ⊤, we need not consider the rest of Step 4, but instead declare that ∃x. F[x] is TQ-equivalent to F4 : ⊤. Then G′ is ¬⊤, so that G is TQ-equivalent to ⊥.
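The four steps above, carried out mechanically on ground ΣQ-formulae (no free variables besides x, so the eliminated formula is a truth value), as an added Python example that is not part of the book. The tuple encoding of formulae and atoms, the function names, and the sample formulae (Examples 7.18 and 7.19 with y fixed at 5, and Figure 7.2(b) with constants b = 0, a = 4, c = 1) are this example's own conventions:

```python
from fractions import Fraction
from itertools import product

# An atom (p, q, op, r, s) encodes  p*x + q  op  r*x + s  with op in {'<', '=', '>'}
# and rational constants p, q, r, s.  Formulae are nested tuples:
# ('atom', A), ('not', F), ('and', F, G), ('or', F, G).   (assumed encoding)

FLIP = {'<': '>', '>': '<', '=': '='}


def negate_atom(p, q, op, r, s):
    """Step 2: ¬(s<t) ⇒ t<s ∨ t=s and ¬(s=t) ⇒ t<s ∨ t>s, so no negation remains."""
    if op == '<':                      # ¬(l < r)  ⇒  r < l ∨ r = l
        return ('or', ('atom', (r, s, '<', p, q)), ('atom', (r, s, '=', p, q)))
    if op == '>':                      # l > r is r < l, so ¬(l > r) ⇒ l < r ∨ l = r
        return ('or', ('atom', (p, q, '<', r, s)), ('atom', (p, q, '=', r, s)))
    return ('or', ('atom', (r, s, '<', p, q)), ('atom', (r, s, '>', p, q)))


def nnf(f, neg=False):
    """Steps 1-2: push negations to the atoms (NNF) and eliminate them there."""
    tag = f[0]
    if tag == 'atom':
        return negate_atom(*f[1]) if neg else f
    if tag == 'not':
        return nnf(f[1], not neg)
    g, h = nnf(f[1], neg), nnf(f[2], neg)
    if neg:                            # De Morgan
        return ('or', g, h) if tag == 'and' else ('and', g, h)
    return (tag, g, h)


def solve(f):
    """Step 3: rewrite each atom as (A) x < a, (B) b < x, (C) x = c, or a constant."""
    if f[0] == 'atom':
        p, q, op, r, s = f[1]
        c, t = Fraction(p - r), Fraction(s - q)      # c*x  op  t
        if c == 0:                                   # x cancels: ground comparison
            return ('const', {'<': 0 < t, '=': 0 == t, '>': 0 > t}[op])
        if c < 0:
            op = FLIP[op]                            # dividing by c < 0 flips < and >
        return ({'<': 'A', '>': 'B', '=': 'C'}[op], t / c)
    return (f[0], solve(f[1]), solve(f[2]))


def evaluate(f, at):
    """Evaluate F3 at a Fraction, or at '-inf' / '+inf' for the Step 4 projections."""
    tag = f[0]
    if tag == 'const':
        return f[1]
    if tag in ('A', 'B', 'C'):
        if at == '-inf':               # F−∞: (A) ↦ ⊤, (B) ↦ ⊥, (C) ↦ ⊥
            return tag == 'A'
        if at == '+inf':               # F+∞: (A) ↦ ⊥, (B) ↦ ⊤, (C) ↦ ⊥
            return tag == 'B'
        bound = f[1]
        return {'A': at < bound, 'B': bound < at, 'C': at == bound}[tag]
    g, h = evaluate(f[1], at), evaluate(f[2], at)
    return (g and h) if tag == 'and' else (g or h)


def terms(f, acc=None):
    """The set S of a, b, and c terms of the solved formula."""
    acc = set() if acc is None else acc
    if f[0] in ('A', 'B', 'C'):
        acc.add(f[1])
    elif f[0] in ('and', 'or'):
        terms(f[1], acc)
        terms(f[2], acc)
    return acc


def exists_x(f):
    """Decide ∃x. F[x] for a ground ΣQ-formula F by Ferrante and Rackoff's method."""
    f3 = solve(nnf(f))
    S = terms(f3)
    # F4 : F−∞ ∨ F+∞ ∨ ⋁_{s,t∈S} F3[(s+t)/2]; pairs with s = t test the terms themselves
    return (evaluate(f3, '-inf') or evaluate(f3, '+inf')
            or any(evaluate(f3, (s + t) / 2) for s, t in product(S, repeat=2)))


def forall_x(f):
    """∀x. F[x] is ¬(∃x. ¬F[x]), as in Example 7.19."""
    return not exists_x(('not', f))


# Example 7.18:  ∃x. 3x + 1 < 10 ∧ 7x − 6 > 7
EX_718 = ('and', ('atom', (3, 1, '<', 0, 10)), ('atom', (7, -6, '>', 0, 7)))
# Example 7.19 with y := 5 (constructed):  ∀x. x < 5
EX_719 = ('atom', (1, 0, '<', 0, 5))
# Figure 7.2(b) with b = 0, a = 4, c = 1 (constructed):  0 < x ∧ x < 4 ∧ x = 1
FIG_72B = ('and', ('and', ('atom', (0, 0, '<', 1, 0)), ('atom', (1, 0, '<', 0, 4))),
           ('atom', (1, 0, '=', 0, 1)))
```

Because the inequalities are strict, `exists_x` on `x < 1 ∧ x > 1` returns False even though 1 is in S: only the midpoint of two different adjacent terms can witness an open interval, which is exactly the point the text makes about F3[3] and F3[13/7] in Example 7.18.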
Theorem 7.20 (Correct). Given ΣQ-formula ∃x. F[x] in which F is quantifier-free, Ferrante and Rackoff’s method returns a TQ-equivalent quantifier-free formula.
Exercise 7.9 asks the reader to prove the theorem.
A limited form of the block elimination optimization discussed in Section 7.2.4 can be adapted to this QE procedure: commute disjunction and existential quantification. This step reduces the size of the term set S in each subproblem.
7.4 Complexity
Fischer and Rabin proved the following lower bounds. The length n of a formula is the number of symbols.
Theorem 7.21 (T̂Z Lower Bound). There is a fixed constant c > 0 such that for all sufficiently large n, there is a Σ̂Z-formula of length n that requires at least $2^{2^{cn}}$ steps to decide its validity.
Theorem 7.22 (TQ Lower Bound). There is a fixed constant c > 0 such that for all sufficiently large n, there is a ΣQ-formula of length n that requires at least $2^{cn}$ steps to decide its validity.
Oppen analyzed Cooper’s method to prove the following upper bound.
Theorem 7.23 (T̂Z Upper Bound). On a Σ̂Z-formula of length n, Cooper’s method requires deterministic time $2^{2^{2^{pn}}}$ for some fixed constant p > 0.
Ferrante and Rackoff proved the following upper bound.
Theorem 7.24 (TQ Upper Bound). On a ΣQ-formula of length n, Ferrante and Rackoff’s method requires deterministic time $2^{2^{pn}}$ for some fixed constant p > 0.
Closing the gap between the lower and upper bounds would require answering long-standing open questions in complexity theory.
7.5 Summary
Quantifier elimination is a standard technique for reasoning about theories in which satisfiability is decidable even with arbitrary quantification. This chapter presents the technique in the context of arithmetic over integers and over rationals or reals. It covers:
• Quantifier elimination in general. Based on structural induction, one only needs to consider the special case of formulae of the form ∃x. F[x], in which F is quantifier-free but may contain free variables in addition to x; arbitrary formulae may then be treated compositionally.
• Elimination over integers, TZ. The basic theory of integers does not admit quantifier elimination; it must be augmented with divisibility predicates. This situation, in which additional predicates are required to develop a quantifier elimination procedure, is common. The main idea of the procedure is to identify intervals with periodic behavior induced by the divisibility predicates.
• Elimination over rationals, TQ. The main idea of the procedure is to partition the rationals into a finite number of points and intervals.
The optimizations of Cooper’s method, particularly solving divides constraints, make the procedure acceptably fast in practice on quantifier-free ΣZ-formulae. However, faster decision procedures exist for deciding ΣQ-satisfiability of quantifier-free ΣQ-formulae; we study one in Chapter 8.
In addition to handling quantifiers, the algorithms of this chapter treat arbitrary Boolean combinations of literals. The decision procedures of subsequent chapters require the Boolean structure to be simple: formulae are just conjunctions of literals. Treating formulae with arbitrary Boolean structure directly avoids the potential exponential increase in size associated with converting to DNF.
Bibliographic Remarks
Presburger proves that arithmetic over the natural numbers without multiplication TN is decidable [73]. Cooper presents the version of the quantifier-elimination procedure for TZ that we describe [19]. Fischer and Rabin provide the lower bound on the complexity of the decision problem for TZ [33], while Oppen analyzes Cooper’s procedure to obtain an upper bound [68].
Ferrante and Rackoff describe the quantifier-elimination procedure that we present and the lower and upper complexity bounds on the problem [32].
Exercises
7.1 (TZ does not admit QE). Prove Lemma 7.4. Hint: Apply structural induction; the base cases involve comparisons between ay and c, for constants a and c.
7.2 (QE for T̂Z). Apply quantifier-elimination to the following ΣZ-formulae.
(a) y. 3 < x + 2y 2x + y < 3
(b) y. 3 < x + 2y 2x + y < 3

(c) y. x = 2y y < x
(d) x. ( y. x = 2y) → ( y. 3x = 2y)
7.3 (QE for T̂Z). Construct new ΣZ-formulae such that
(a) the F−∞ component of the elimination simplifies to ;
(b) the F−∞ component of the elimination simplifies to ;
(c) using the right infinite projection is better than using the left infinite projection.
In each case, describe the elimination.
7.4 (Block elimination in TZ ). Apply quantifier-elimination to the following ΣZ -formulae. Use block elimination.
(a) x. y. 2x + 3y = 7 x < y (b) x. y. 2x + 3y = 7 y < x
(c) x. y. 2x + 3y = 7 x < y 0 < x 0 < y
(d) x. y. 3x + 3y < 8 8 < 3x + 2y
(e) x. y. x = 2y z. x = 3z
7.5 (Divides constraints). Apply the divides-constraints elimination to the ΣZ-formulae of Exercise 7.4.
7.6 (QE for TQ). Apply quantifier-elimination to the formulae of Exercise 7.2, but treat them as ΣQ-formulae.
7.7 (QE for TQ). Construct new ΣQ-formulae such that
(a) the F−∞ and F+∞ components of the elimination simplify to and , respectively;
(b) the F−∞ and F+∞ components of the elimination simplify to and , respectively.
In each case, describe the elimination.
7.8 (Sufficient set). Step 4 of Ferrante and Rackoff’s method examines terms (s+t)/2 for all s, t ∈ S, where S is the set of all a, b, and c terms. Describe a smaller set of terms that is still sufficient. According to this new definition, which terms should be examined in Example 7.18 and Exercise 7.6?
7.9 (Theorem 7.20). Prove Theorem 7.20. Hint: Apply the strategy employed in the proof of Theorem 7.10.
7.10 (Optimization problem). Consider the optimization problem max{f(x) : F[x]} in which the objective function f(x) is a linear expression over the problem variables x, and the constraint F[x] is a ΣZ-formula such that free(F[x]) = x. The solution to the problem is the largest number n such that there exists some evaluation v of x for which f(v) = n and F[v] is true. Show how to use QE for TZ to solve this optimization problem.

8
Quantifier-Free Linear Arithmetic
Because my mathematics has its origin in a real problem doesn’t make it less interesting to me — just the other way around, I find it makes the puzzle I am working on all the more exciting. I get satisfaction out of knowing that I’m working on a relevant problem.
— George Dantzig
An Interview with George B. Dantzig: The Father of Linear Programming, 1986
This chapter considers satisfiability in the quantifier-free fragment of the theory of rationals TQ. Addressing this fragment is motivated by two observations. First, program verification typically requires just considering formulae from the quantifier-free fragments of theories such as TQ. Second, deciding satisfiability in the full theory of TQ is computationally expensive, while deciding satisfiability in just the quantifier-free fragment of TQ is fast in practice when using, for example, the simplex method for linear programming.
A linear program is an optimization problem in which the goal is to find a point satisfying a set of linear constraints that maximizes a linear objective function. The linear constraints are a quantifier-free conjunctive ΣQ-formula in which each atom is a weak inequality. The objective function is a linear function. Deciding TQ-satisfiability can be cast as solving a linear program, so we benefit from existing algorithms for solving them.
Section 8.1 motivates studying the quantifier-free fragments of theories in general. Section 8.2 reviews concepts from linear algebra. Then Section 8.3 introduces linear programs and shows how to decide TQ-satisfiability by solving a linear program. Finally, Section 8.4 presents the simplex method for solving linear programs.
8.1 Decision Procedures for Quantifier-Free Fragments
The time complexities of the algorithms of Chapter 7 limit their practical impact. Additionally, Ferrante and Rackoff’s method is not optimal for the quantifier-free fragment of TQ. For other theories, the situation is worse: satisfiability in the full theories such as equality TE, lists Tcons, and arrays TA is undecidable. Fortunately, for verification and other applications, we typically need to decide satisfiability of quantifier-free formulae rather than of arbitrarily quantified formulae.
Recall that the quantifier-free fragment of a theory T with signature Σ consists of the axioms of T and valid Σ-formulae of the form
G : ∀x1, . . . , xn. F[x1, . . . , xn] ,
where F is quantifier-free and free(F) = {x1, . . . , xn}. While such formulae have quantifiers, the point is that they do not have quantifier alternations: all quantifiers are universal. Using our conventions, we would ordinarily ask whether the formula F is T-valid — whether its universal closure ∀∗. F is T-valid. F is indeed quantifier-free.
T-validity of G corresponds to T-unsatisfiability of
¬G : ∃x1, . . . , xn. ¬F[x1, . . . , xn] ,
or, using our conventions, simply T-unsatisfiability of ¬F. Hence, the quantifiers are “natural” for satisfiability checking: ¬G is T-satisfiable iff there exists a T-interpretation I and an assignment to x1, . . . , xn under which ¬F evaluates to true.
Fortunately, the quantifier-free fragments of many theories are decidable, often efficiently so. In Chapters 8–10, we focus on decision procedures for the quantifier-free fragments of theories.
For ease of exposition, we consider only conjunctive quantifier-free Σ-formulae in each theory T that we examine. Conjunctive Σ-formulae are conjunctions of Σ-literals. This restriction does not limit the scope of the decision procedures. For given arbitrary quantifier-free Σ-formula F, we can convert it into DNF Σ-formula
F1 ∨ · · · ∨ Fk
in which each Fi is conjunctive. F is T-satisfiable iff at least one Fi is T-satisfiable. Decide the T-satisfiability of F by considering each Fi.
Remark 8.1 (Complexity). This restriction does, however, affect complexity. Because satisfiability in PL is NP-complete, any decision procedure that considers arbitrary quantifier-free formulae must be at least NP-hard, as it must handle not only the theory-specific aspects of the formulae but also the combinatorial (PL) aspects. However, considering only conjunctive formulae allows us to give more insightful complexity bounds. For example, satisfiability in the conjunctive quantifier-free fragments of TQ, TE, Tcons, and their union theory is in PTIME. Thus, the “hard” part of deciding satisfiability of arbitrary quantifier-free formulae in these theories is handling the underlying PL structure. Analyzing the theory-specific aspects is comparatively easy.
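The reduction just described (convert to DNF F1 ∨ · · · ∨ Fk, then decide each conjunctive Fi separately) together with the exponential growth Remark 8.1 alludes to, as an added Python example that is not from the book. The tuple encoding of formulae is this example's own; `consistent` is a stand-in for a theory-specific conjunctive decision procedure and only checks propositional consistency (p together with ¬p), which is an assumption made here to keep the example self-contained:

```python
from itertools import product

# Formulae over opaque literals: ('lit', 'p'), ('not', F), ('and', F, G), ('or', F, G).
# (assumed encoding)


def nnf(f, neg=False):
    """Negation normal form: negations remain only directly in front of literals."""
    tag = f[0]
    if tag == 'lit':
        return ('not', f) if neg else f
    if tag == 'not':
        return nnf(f[1], not neg)
    g, h = nnf(f[1], neg), nnf(f[2], neg)
    if neg:                                   # De Morgan
        tag = 'or' if tag == 'and' else 'and'
    return (tag, g, h)


def dnf(f):
    """DNF of an NNF formula as a list of conjuncts F1, ..., Fk (frozensets of literals)."""
    tag = f[0]
    if tag in ('lit', 'not'):
        return [frozenset([f])]
    left, right = dnf(f[1]), dnf(f[2])
    if tag == 'or':
        return left + right
    # ∧ distributes over ∨: every pair of disjuncts merges into one conjunct,
    # which is where the size can blow up multiplicatively
    return [l | r for l, r in product(left, right)]


def consistent(conj):
    """Stand-in for the conjunctive decision procedure: reject p ∧ ¬p (assumption)."""
    return not any(('not', lit) in conj for lit in conj if lit[0] == 'lit')


def satisfiable_by_dnf(f, decide_conjunct=consistent):
    """F is satisfiable iff at least one disjunct Fi of its DNF is."""
    return any(decide_conjunct(fi) for fi in dnf(nnf(f)))


def clause_chain(n):
    """(p1 ∨ q1) ∧ ... ∧ (pn ∨ qn): size linear in n, DNF has 2^n disjuncts (constructed)."""
    f = ('or', ('lit', 'p1'), ('lit', 'q1'))
    for i in range(2, n + 1):
        f = ('and', f, ('or', ('lit', f'p{i}'), ('lit', f'q{i}')))
    return f
```

`len(dnf(nnf(clause_chain(n))))` doubles with every added clause, which is the exponential increase the chapter's summary warns about and the reason later chapters keep the conjunctive fragment separate from the Boolean structure.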

8.2 Preliminary Concepts and Notation
We define basic concepts and notation of linear algebra, covering only what is required for understanding the remainder of the chapter. We refer the reader interested in learning more about linear algebra to relevant texts in Bibliographic Remarks.
Basic Concepts and Notation
A variable n-vector x is a column of n variables x1, . . . , xn. An n-vector is a column a ∈ Qⁿ of n rationals, and its transpose aᵀ is a row with elements listed in the same order:
$a = \begin{bmatrix} a_1 \\ \vdots \\ a_n \end{bmatrix} \quad\text{and}\quad a^T = \begin{bmatrix} a_1 & \cdots & a_n \end{bmatrix} .$
|
An m × n-matrix A ∈ Q^{m×n} consists of n columns of m rationals each (alternatively, m rows of n rationals each), and its transpose Aᵀ is an n × m-matrix in which element aij is swapped with element aji:
$A = \begin{bmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & & \vdots \\ a_{m1} & \cdots & a_{mn} \end{bmatrix} \quad\text{and}\quad A^T = \begin{bmatrix} a_{11} & \cdots & a_{m1} \\ \vdots & & \vdots \\ a_{1n} & \cdots & a_{mn} \end{bmatrix} .$
When we refer to a row $a_i$ of A, we mean the row vector $\begin{bmatrix} a_{i1} & \cdots & a_{in} \end{bmatrix}$, and when we refer to a column $a^j$ of A, we mean the column vector $\begin{bmatrix} a_{1j} & \cdots & a_{mj} \end{bmatrix}^T$. We use this compact notation of transposed row vectors for column vectors to save vertical space.
Vector-vector multiplication works as follows:
$a^T b = \begin{bmatrix} a_1 & \cdots & a_n \end{bmatrix} \begin{bmatrix} b_1 \\ \vdots \\ b_n \end{bmatrix} = \sum_{i=1}^{n} a_i b_i .$
Matrix-vector multiplication works as follows:
$Ax = \begin{bmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & & \vdots \\ a_{m1} & \cdots & a_{mn} \end{bmatrix} \begin{bmatrix} x_1 \\ \vdots \\ x_n \end{bmatrix} = \begin{bmatrix} \sum_{i=1}^{n} a_{1i} x_i \\ \vdots \\ \sum_{i=1}^{n} a_{mi} x_i \end{bmatrix} .$
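The definitions above (transpose, aᵀb, Ax, and the row/column notation) computed exactly over Q with Python's `fractions`, as an added example that is not from the book; it also shows the column view of Ax as the combination x1·a¹ + · · · + xn·aⁿ of A's columns, which the text does not state but which the simplex method of Section 8.4 relies on. The matrix A and vector x are constructed sample data:

```python
from fractions import Fraction

# A vector is a list of Fractions (a column a ∈ Q^n); a matrix is a list of its rows.


def transpose(A):
    """A^T: element a_ij moves to position (j, i)."""
    return [list(col) for col in zip(*A)]


def dot(a, b):
    """a^T b = Σ_{i=1}^{n} a_i b_i ; dimensions must agree."""
    if len(a) != len(b):
        raise ValueError("dimension mismatch: %d vs %d" % (len(a), len(b)))
    return sum((ai * bi for ai, bi in zip(a, b)), Fraction(0))


def row(A, i):
    """The row a_i of A (0-based index here) as a row vector."""
    return list(A[i])


def column(A, j):
    """The column a^j of A (0-based index here) as a column vector."""
    return [r[j] for r in A]


def matvec(A, x):
    """Ax by rows: the i-th entry is a_i x = Σ_i a_ij x_j."""
    return [dot(row(A, i), x) for i in range(len(A))]


def matvec_by_columns(A, x):
    """Ax by columns: x_1 a^1 + ... + x_n a^n, the same vector as matvec(A, x)."""
    m, n = len(A), len(A[0])
    acc = [Fraction(0)] * m
    for j in range(n):
        aj = column(A, j)
        acc = [acc[i] + x[j] * aj[i] for i in range(m)]
    return acc


F = Fraction
A = [[F(1), F(2), F(0)],
     [F(1, 2), F(-1), F(3)]]       # a 2 × 3 matrix over Q (constructed sample)
x = [F(2), F(1, 3), F(-1)]         # a 3-vector of sample values (constructed)

if __name__ == "__main__":
    print("Ax =", matvec(A, x), "  by columns:", matvec_by_columns(A, x))
    print("A^T =", transpose(A))
```

Working in `Fraction` rather than `float` matters once these operations feed a decision procedure: a pivot that is "almost zero" in floating point is either zero or not over Q, and the simplex steps of Section 8.4 depend on that distinction.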