On the Convexity of a Fragment of Pure Set Theory with Applications within a Nelson-Oppen Framework

Introduction

In the process of developing reliable and provably correct software, it is often necessary to express and then subsequently verify properties that belong to different logical languages. Thus, the correctness of a software system depends on being able to prove these conditions, expressed in distinct first-order signatures with equality. The search for a satisfying assignment of a given formula with respect to some background first-order theory is known as the SMT (Satisfiability Modulo Theories) problem.

SMT solvers [3]

are particularly useful tools for the automated verification of properties expressed with quantifier-free first-order formulae. Some theories usually integrated with common SMT solvers are the theory of arrays, of bit-vectors, of linear arithmetic, and the theory of uninterpreted functions.

Every background theory used in some SMT solver comes along with its own satisfiability procedure. The problem of modularly combining such special-purpose algorithms is highly non-trivial, since without the appropriate restrictions it is not even decidable [4].

We will now briefly introduce some definitions to understand how to tackle this question and under which assumptions one can do it effectively.

A first-order quantifier-free theory $T$ , identified with the set of its theorems, is stably infinite if every formula $φ$ satisfiable in $T$ is satisfiable in an infinite model of $T$ . Let $Σ_{1}$ and $Σ_{2}$ be signatures for a first-order language. A $(Σ_{1} \cup Σ_{2})$ -formula $φ$ is pure if every literal in $φ$ is a $Σ_{1}$ -literal or a $Σ_{2}$ -literal. It is easy to see that every quantifier-free $(Σ_{1} \cup Σ_{2})$ -formula $φ$ can be purified, yet maintaining satisfiability, by (i) substituting every impure subterm of the form $f (t)$ with $f (x)$ , where $x$ is a new variable, (ii) adding to $φ$ the conjunct $x = t$ , and (iii) recursively purifying the term $t$ , if needed.

We say that two theories $T_{1}$ and $T_{2}$ over the signatures $Σ_{1}$ and $Σ_{2}$ , respectively, are disjoint when $Σ_{1}$ and $Σ_{2}$ do not share any non-logical symbols.¹¹1Besides propositional connectives, logical symbols comprise equality. The Nelson-Oppen [17] procedure provides a method for combining decision procedures for disjoint, stably infinite theories $T_{1}$ and $T_{2}$ into one for $T_{1} \oplus T_{2}$ , namely the $(Σ_{1} \cup Σ_{2})$ -theory defined as the deductive closure of the union of the theories $T_{1}$ and $T_{2}$ .

A theory $T$ is convex if for all conjunctions of literals $φ$ in $T$ and for all nonempty disjunctions $⋁_{i = 1}^{n} x_{i} = y_{i}$ of equalities, $φ$ implies $⋁_{i = 1}^{n} x_{i} = y_{i}$ in $T$ if and only if $φ$ implies $x_{i} = y_{i}$ in $T$ for some $i \in {1, . . ., n}$ .

Examples of convex theories are the theory of Linear Rational Arithmetic $T_{L R A}$ and the theory of list structure $T_{L}$ .

The non-logical symbols of the theory of $T_{L R A}$ are $+$ , $-$ , $⩽$ , $0$ , $1$ ; following [5, Chapter 3.4.2], its axioms (universally quantified) are:

	$x + 0 = x,$	$x + (- x) = 0,$
	$(x + y) + z = x + (y + z),$	$x + y = y + x,$
	$x ⩽ y \land y ⩽ x \to x = y,$	$x ⩽ y \lor y ⩽ x,$
	$x ⩽ y \to x + z ⩽ y + z,$	$x ⩽ y \land y ⩽ z \to x ⩽ z,$
	$n x = 0 \to x = 0,$	$(\exists y) x = n y (for each positive integer n),$

where $n x$ stands for $x + \dots + x      n times$ . After [17], the non-logical symbols of the theory of list structure $T_{L}$ are car, cdr, cons, and atom, and its axioms are:

	$car (cons (x, y)) = x,$
	$cdr (cons (x, y)) = y,$
	$\neg atom (x) \to cons (car (x), cdr (x)) = x,$
	$\neg atom (cons (x, y)),$

where (i) cons is a binary function, with $cons (x, y)$ representing the list constructed by prepending the object $x$ to the list $y$ , (ii) car and cdr are unary functions, the left and right projections, respectively, and (iii) atom is true if and only if $x$ is a single-element list.

Given two disjoint stable infinite theories $T_{1}$ and $T_{2}$ , the Nelson-Oppen combination technique establishes the satisfiability of a conjunction of pure formulae $φ_{1} \land φ_{2}$ (where $φ_{i}$ has signature $Σ_{i}$ ) in $T_{1} \oplus T_{2}$ from the decision procedures for $φ_{1}$ and $φ_{2}$ . The key idea is to propagate equalities $x = y$ to $φ_{2}$ whenever $T_{1} \cup φ_{1}$ implies $x = y$ , and conversely. This iterative process can be performed quickly in polynomial time, when the theories involved are convex. On the other hand, case-splitting would occur when dealing with non-convex theories, since only one of the equalities of the disjunct implied by $φ_{i}$ must be chosen at every step.

In [20, 22, 21], variants of the Nelson-Oppen method were used to combine theories involving sets/multisets of urelements (i.e., objects with no internal structure) with the theory of integers and with the theory of cardinal numbers in presence of a cardinality operator. The SMT problem in the context of the theory of finite sets is considered in [2].

In this paper, we start an investigation for combining decidable fragments of pure Zermelo-Fraenkel set theory (in which sets are recursively built up from other sets) with other theories within the Nelson-Oppen framework. More specifically, our main result is that the theory Multi-Level Syllogistic (the basic language of computable set theory—MLS for short) is convex and therefore its decision procedure (and those of its several polynomial fragments [9, 11]) can be efficiently combined with the decision procedures of other basic decidable theories, such as for instance the theory of lists and the theory of linear rational arithmetic, since set theory is plainly stably infinite.

—————

The paper is organized as follows. Section 1 introduces the syntax and semantics of the theory MLS of our interest. Then, in Section 2, we prove the main result of the paper, namely that the theory MLS is convex. We also review several fragments of MLS endowed with polynomial-time decision procedures, since these inherit convexity from MLS and are therefore particularly interesting for efficient combinations with other convex decidable theories. Subsequently, in Section 3, we prove the non-convexity of various extensions of MLS. Finally, in Section 4, we provide some closing remarks and plans for future research.

1 Syntax and semantics of Mls

Multi-Level Syllogistic (MLS) is the quantifier-free propositional closure of atoms of the types:

x = \emptyset, x = y, x \subseteq y, x \in y, x = y ∖ z, x = y \cup z, x = y \cap z,

(1)

where $x, y, z$ stand for set variables. We denote by $V a r s (φ)$ the collection of the set variables occurring in any MLS-formula $φ$ .

The satisfiability problem for MLS has been first solved in the seminal paper [15]. Its NP-completeness (and that of its extension MLSS with the singleton operator) has been later proved in [12]. Several extensions of MLS have been proved decidable over the years, giving rise to the field of Computable Set Theory (see [10, 13, 19, 14] for an in-depth account).

The semantics of MLS is defined in the most natural way by means of set assignments.

A set assignment $M$ is any map from a finite collection of set variables $V$ , denoted $dom (M)$ , into the von Neumann universe $V$ .

We recall that $V$ is the cumulative hierarchy constructed in stages by transfinite recursion over the class $O n$ of all ordinals. Specifically,

V\coloneqq⋃α∈OnVα,

where, recursively,

Vα\coloneqq⋃β<αP(Vβ),

for every $α \in O n$ , with $P (\cdot)$ denoting the powerset operator.

The notion of rank of a set is strictly connected to the construction steps of the von Neumann hierarchy. Specifically, for any set $s \in$ $V$ , the rank of $s$ (denoted $r k (s)$ ) is defined as the least ordinal $α$ such that $s \subseteq V_{α}$ . The rank function is extended to set assignments $M$ , by putting $rk(M)\coloneqqmax{rk(Mx)∣x∈dom(M)}$ .

The set operators and relators of MLS are interpreted according to their usual semantics. Thus, given a set assignment $M$ , we put:

	$M (x ⋆ y)$	$\coloneqqMx⋆My$
and
	$M (x = y) = true$	$⟺ M x = M y,$
	$M (x \in y) = true$	$⟺ M x \in M y,$
	$M (x = y ⋆ z) = true$	$⟺ M x = M (y ⋆ z),$

where $⋆ \in {\cup, \cap, ∖}$ and $x, y, z \in dom (M)$ .

Finally, for all MLS-formulae $φ$ and $ψ$ , we put by structural recursion:

	$M(¬φ)\coloneqq¬M(φ),$	$M(φ∧ψ)\coloneqqMφ∧Mψ,$
	$M(φ∨ψ)\coloneqqMφ∨Mψ,$	$M(φ→ψ)\coloneqqMφ→Mψ.$

An MLS-formula $φ$ is satisfiable if there exists a set assignment $M$ over $V a r s (φ)$ such that $M φ = true$ , in which case we also write $M ⊨ φ$ and say that $M$ is a model for $φ$ . If $φ$ is satisfied by all set assignments, we say that $φ$ is true and write $⊨ φ$ .

By way of disjunctive normal form, the satisfiability problem for MLS can be reduced to the satisfiability problem for conjunctions of MLS-literals, namely MLS-atoms of types (1) and their negation. In addition, for the purposes of simplifying some proofs, we can further restrict ourselves to MLS-conjunctions involving a minimal number of literal types. As shown in [9], all the atoms in (1) and their negations can be rewritten in terms of atoms of type $x \in y$ and $x = y ∖ z$ only by repeatedly applying the following equivalences much as rewrite rules (the existential quantifiers are then just dropped while the quantified variables are replaced by fresh ones):

$⊨ x = \emptyset ⟷ x = x ∖ x$ ,
$⊨ x \neq \emptyset ⟷ (\exists w) w \in x$ ,
$⊨ x \notin y ⟷ (\exists w) (x \in w \land w = w ∖ y)$ ,
$⊨ x = y ⟷ (\exists e) (x = y ∖ e \land e = e ∖ e)$ ,
$⊨ x = y \cap z ⟷ (\exists w) (w = y ∖ z \land x = y ∖ w)$ ,
$⊨ x = y \cup z ⟷ (\exists e, w) (w = x ∖ y \land w = z ∖ y \land e = y ∖ x \land e = e ∖ e)$ ,
$⊨ x \subseteq y ⟷ x = y \cap x$ ,
$⊨ x \neq y ⟷ (\exists v, w, z) (w = x \cup y \land z = x \cap y \land v \in w \land v \notin z)$ ,
$⊨ x \neq y ⋆ z ⟷ (\exists w) (x \neq w \land w = y ⋆ z)$ ,

where $⋆ \in {\cup, \cap, ∖}$ .

Henceforth, we will restrict ourselves to MLS-formulae that are conjunctions of atoms of the following two types only:

x \in y, x = y ∖ z .

(2)

In the rest of the paper, these will be simply referred to as MLS-conjunctions.

Finally, as a piece of notation, for any given finite set $L$ of literals, we write $⋀ L$ (resp., $⋁ L$ ) to denote the conjunction (resp., disjunction) of all the literals in $L$ .

2 Convexity of Mls

Our main goal is to prove that the theory MLS is convex, namely that, for any MLS-conjunction $φ$ and any given finite nonempty set $E$ of equalities among variables, we have:

⊨φ⟶⋁E⟹⊨φ⟶x=y, \leavevmode\nobreak\ for some equality x=y% in E.

To prove that the theory MLS is convex, we will proceed by way of contradiction.

Thus, let us suppose that there exists an MLS-conjunction $φ$ (namely a conjunction of literals of type (2)) and a finite, nonempty set $E$ of equalities among variables such that:

[label=(C0)]
$⊨ φ ⟶ ⋁ E$ ;
$⊭ φ ⟶ x = y$ , for any $x = y$ in $E$
(that is, for every $x = y$ in $E$ there exists some set assignment $M_{x, y}$ such that $M_{x, y} ⊨ φ \land x \neq y$ ).

It is not restrictive to additionally assume that $V a r s (E) \subseteq V a r s (φ)$ .²²2Indeed, without disrupting conditions 1 and 2, for any variable $x \in V a r s (E)$ one may add to $φ$ the literal $x \in w$ , where $w$ stands for some fresh variable.

In view of condition 2, our conjunction $φ$ is satisfiable. Among all the models for $φ$ , we select one, say $M$ , that satisfies as few as possible equalities in $E$ , namely such that the cardinality of $E+M\coloneqq{ℓ∈E∣M⊨ℓ}$ is minimal. We also set $E−M\coloneqq{¬ℓ∣ℓ∈E∖E+M}$ , so $E_{M}^{-}$ is the collection of the inequalities $x \neq y$ such that $x = y$ is in $E$ and $M ⊭ x = y$ (hence, $M ⊨ x \neq y$ ).

Plainly, we have $M ⊨ φ \land ⋀ E_{M}^{+} \land ⋀ E_{M}^{-}$ . Notice that, while $⋀ E_{M}^{-}$ may be empty, the conjunction $⋀ E_{M}^{+}$ must contain at least one literal, since $M ⊨ ⋁ E$ by condition 1.

Let $¯ ℓ$ be any equality $¯ ¯ ¯ x = ¯ ¯ ¯ y$ in $⋀ E_{M}^{+}$ , which will be referred to in the rest of our proof as the designated equality of $E$ . We will prove that the conjunction

φ∗ \makebox[0.0pt]\tiny Def:= φ ∧ ⋀(E+M∖{¯ℓ}) ∧ ⋀E−M ∧ ¯¯¯x≠¯¯¯y

is satisfiable, thereby contradicting the assumed minimality of $M$ , since for every model $M^{*}$ for $φ^{*}$ we would have $E_{M^{*}}^{+} = E_{M}^{+} ∖ {¯ ℓ}$ , and therefore $| E_{M^{*}}^{+} | < | E_{M}^{+} |$ .

Before diving into the details of the proof, we provide an overview of how the set assignment $M$ can be suitably enlarged into another set assignment $M^{*}$ that satisfies all the conjuncts of $φ \land ⋀ E_{M}^{+} \land ⋀ E_{M}^{-}$ but the designated equality $¯ ℓ$ , thus proving that $φ^{*}$ is satisfiable.

Proof overview

The construction of $M^{*}$ consists in two phases: the first one, the Boolean phase, takes care of the satisfiability of the Boolean literals of $φ^{*}$ , namely the literals in $φ^{*}$ of type $x = y ∖ z$ , $x = y$ , and $x \neq y$ , whereas the second one, the membership phase, takes care of the satisfiability of the membership literals of $φ^{*}$ , namely those of the form $x \in y$ .

In order to model $¯ ¯ ¯ x \neq ¯ ¯ ¯ y$ , we add to exactly one between $M ¯ ¯ ¯ x$ and $M ¯ ¯ ¯ y$ a new member $s$ not already occurring in $⋃_{x \in V a r s (φ)} M x$ . The set $s$ must be chosen with care to prevent that no set produced during the subsequent membership phase is new to the current set assignment. In addition, the set $s$ must be added to the right sets $M x$ in order that the resulting assignment keeps satisfying all of the Boolean literals in $φ \land ⋀ E_{M}^{+} \land ⋀ E_{M}^{-}$ other than the designated equality $¯ ¯ ¯ x = ¯ ¯ ¯ y$ . The first problem is solved by selecting as $s$ any set of rank strictly greater than that of $M$ . As for the second condition, recalling that, by 2, the conjunction $φ \land ¯ ¯ ¯ x \neq ¯ ¯ ¯ y$ is satisfiable, we can select a model $¯ ¯¯¯¯ ¯ M$ for it. Therefore $¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ x \neq ¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ y$ , and so we can pick some element $t$ belonging to exactly one of the sets $¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ x$ and $¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ y$ . By adding our special set $s$ as an element to all and only those sets $M x$ such that $t \in ¯ ¯¯¯¯ ¯ M x$ , for $x \in V a r s (φ)$ , we obtain a new assignment, which will be denoted $M_{0}$ . It turns out that $M_{0}$ correctly models all the conjuncts in $φ^{*}$ , but the membership literals $x \in y$ for which $M_{0} x \neq M x$ . We denote by $V_{0}$ the collection of variables $x$ in $φ$ such that $M_{0} x \neq M x$ .

Example 2.1.

We illustrate the Boolean phase of our enlargement process with the following MLS-conjunction

φ \makebox[0.0pt]\tiny Def:= x=¯¯¯y∖z ∧ x=¯¯¯x∖w ∧ x≠¯¯¯y ∧ ¯¯¯y∈w ∧ w∈v ∧ z∈v

and with the equality $¯ ¯ ¯ x = ¯ ¯ ¯ y$ .

Let $M$ and $¯ ¯¯¯¯ ¯ M$ be the set assignments over $V a r s (φ) = {v, w, x, ¯ ¯ ¯ x, ¯ ¯ ¯ y, z}$ so defined, where to enhance readability we use the shorthand ${∅}2\coloneqq{{∅}}$ —likewise, ${\emptyset}^{4}$ will denote the set ${{{{\emptyset}}}}$ :

	$M x$	$= \emptyset,$	$M ¯ ¯ ¯ x$	$= M ¯ ¯ ¯ y = {\emptyset},$	$M z$	$= M w = {\emptyset, {\emptyset}},$	$M v$	$= {{\emptyset, {\emptyset}}},$
	$¯ ¯¯¯¯ ¯ M x$	$= \emptyset,$	$¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ y$	$= ¯ ¯¯¯¯ ¯ M z = {\emptyset},$	$¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ x$	$= ¯ ¯¯¯¯ ¯ M w = {\emptyset}^{2},$	$¯ ¯¯¯¯ ¯ M v$	$= {{\emptyset}, {\emptyset}^{2}} .$

It can easily be checked that $M ⊨ φ \land ¯ ¯ ¯ x = ¯ ¯ ¯ y$ and $¯ ¯¯¯¯ ¯ M ⊨ φ \land ¯ ¯ ¯ x \neq ¯ ¯ ¯ y$ hold.

Let $s\coloneqq{∅}4$ , so that $r k (s) = 4 > 3 = r k (M v) = r k (M)$ . Since $\emptyset \in ¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ y ∖ ¯ ¯¯¯¯ ¯ M ¯ ¯ ¯ x$ , we can put $t\coloneqq∅$ , and so we have:

M_{0} u = ⎧ ⎨ ⎩ \begin{matrix} {\emptyset, s} & if u = ¯ ¯ ¯ y {\emptyset, {\emptyset}, s} & if u = z M u & otherwise \end{matrix}

and $V_{0} = {¯ ¯ ¯ y, z}$ .

Plainly, $M_{0}$ satisfies all literals in $φ \land ¯ ¯ ¯ x \neq ¯ ¯ ¯ y$ but the literals $¯ ¯ ¯ y \in w$ and $z \in v$ . ∎

The subsequent membership phase performs the following enlargement step, for $k = 0, 1, 2, \dots$ , until needed:

extend the assignment $M_{k}$ by putting, for each $u \in V_{k}$ ,

$Mk+1u \coloneqq Mku ∪ {Mkv∣v∈Vk and Mv∈Mu},$

while setting $Mk+1u\coloneqqMku$ for the remaining variables $u$ in $V a r s (φ)$ , and define $V_{k + 1}$ as the collection of variables $u$ in $V a r s (φ)$ such that $M_{k + 1} u \neq M_{k} u$ .

For $k = 0, 1, 2, \dots$ , it turns out that each $M_{k}$ correctly models all the Boolean literals in $φ^{*}$ and all the membership literals in $φ^{*}$ but those of the form $x \in y$ with $x \in V_{k + 1}$ . Hence, as soon as some $V_{k}$ is empty, the assignment $M_{k}$ is plainly a model for $φ^{*}$ , and so the membership phase can stop. By the well-foundedness of the membership relation, such a situation occurs in at most $¯¯¯n\coloneqq|Vars(φ)|$ steps, and therefore $M_{¯ ¯ ¯ n}$ is a model for $φ^{*}$ , proving that $φ^{*}$ is satisfiable.

Example 2.1 (cont’d).

We continue our example by illustrating the membership phase of our enlargement process. We recall that $V_{0} = {¯ ¯ ¯ y, z}$ . Since $M ¯ ¯ ¯ y \in M w = M z$ and $M z \in M v$ , we have $V_{1} = {z, w, v}$ , $M_{1} z = {\emptyset, {\emptyset}, s, {\emptyset, s}}$ , $M_{1} w = {\emptyset, {\emptyset}, {\emptyset, s}}$ , $M_{1} v = {{\emptyset, {\emptyset}}, {\emptyset, {\emptyset}, s}}$ , and $M_{1} u = M_{0} u$ for all $u \neq z, w, v$ . Next, since $M w \in M v$ and $M z \in M v$ , we have $V_{2} = {v}$ , $M_{2} u = M_{1} u$ for all $u \neq v$ , and

$M_{2} v = {{\emptyset, {\emptyset}}, {\emptyset, {\emptyset}, s}, {\emptyset, {\emptyset}, s, {\emptyset, s}}, {\emptyset, {\emptyset}, {\emptyset, s}}} .$

Finally, since $M v \notin ⋃_{u \in V a r s (φ)} M u$ , we can actually stop. In fact, at this point we have

M_{2} = M_{3} = M_{4} = \dots .

Plainly, $M_{2} ⊨ φ \land ¯ ¯ ¯ x \neq ¯ ¯ ¯ y$ . ∎

Proof details

For any $V \subseteq V a r s (φ)$ , we will use the notation $M V$ to denote the set ${M v ∣ v \in V}$ . Let $s$ be any fixed set whose rank is larger than the rank of $M$ , namely such that $r k (s) > r k (M)$ .

We define by recursion two sequences ${V_{n}}_{n \in N}$ and ${M_{n}}_{n \in N}$ , respectively of subsets of $V a r s (φ)$ and of set assignments over $V a r s (φ)$ , by putting:

	$V_{0}$	$\coloneqq{u∈Vars(φ) \| t∈¯¯¯¯¯¯Mu},$	(3)
	$V_{n}$	$\coloneqq{u∈Vars(φ) \| Mu∩MVn−1≠∅}, for n⩾1,$	(4)
and
	$M_{0} v$	$\coloneqq{Mv∪{s}if v∈V0Mvif v∈Vars(φ)∖V0,$	(5)
	$M_{n} v$	$\coloneqq{Mn−1v∪Mn−1{u∈Vn−1∣Mu∈Mv}if v∈VnMn−1vif v∈Vars(φ)∖Vn,$	(6)
		$\coloneqq for n⩾1 and v∈Vars(φ).$

As a direct consequence of (5) and (6), the following results can be easily proved by induction:

Lemma 2.2.

[label=()]
For every $v \in V a r s (φ)$ , we have

$Mv ⊆ M0v ⊆ ⋯ ⊆ Mnv ⊆ ⋯\/.$
For all $v \in V a r s (φ)$ and $n \in N$ , we have:

$M_{n} v \subseteq M v \cup {s} \cup n - 1 ⋃ k = 0 M_{k} {u \in V_{k} ∣ M u \in M v} .$

Lemma 2.2 1 implies that the sequence of assignments ${M_{n}}_{n \in N}$ is plainly pointwise convergent. As a consequence of the next lemma and corollary, it will follow in fact that ${M_{n}}_{n \in N}$ converges “uniformly”, and it does so in at most $| V a r s (φ) |$ steps.

Lemma 2.3.

Let $k \in N$ . We have:

[label=()]
if $V_{k} = \emptyset$ then, for all $n ⩾ k$ ,
1. [label=(a $_{0}$ )]
2. $V_{n} = \emptyset$ ,
3. $M_{n} = M_{k}$ ;
if $V_{k} \neq \emptyset$ , then

$k ⩽ min (| V a r s (φ) | - 1, r k (M)) .$ (7)

Proof.

If $V_{k} = \emptyset$ , then $V_{k + 1} = \emptyset$ and $M_{k + 1} = M_{k}$ by (4) and (6), respectively. By iterating the same argument, one can easily prove that $V_{n} = \emptyset$ and $M_{n} = M_{k}$ , for all $n \in N$ , proving 1.

As for 2, we preliminarily observe that, by (4), for all $v \in V a r s (φ)$ and $n ⩾ 1$ we have

v \in V_{n} ⟹ (\exists u \in V_{n - 1}) M u \in M v .

(8)

Thus, if $V_{k} \neq \emptyset$ , by picking any $v_{k} \in V_{k}$ and by repeatedly applying (8), it follows that there exist $v_{0}, v_{1}, \dots, v_{k - 1} \in V a r s (φ)$ such that

M v_{0} \in M v_{1} \in \dots \in M v_{k - 1} \in M v_{k} .

(9)

By the well-foundedness of $\in$ , the variables $v_{0}, v_{1}, \dots, v_{k - 1}, v_{k}$ must be pairwise distinct. Hence, $k + 1 ⩽ | V a r s (φ) |$ . In addition, (9) also yields $k ⩽ r k (M v_{k}) ⩽ r k (M)$ . Thus, (7) follows, proving 2. ∎

The preceding lemma yields immediately the following result.

Corollary 2.4.

For all $h, k > min (| V a r s (φ) | - 1, r k (M))$ , we have $M_{h} = M_{k}$ .

Letting $¯¯¯n\coloneqq|Vars(φ)|$ , Corollary 2.4 implies that $M_{n} = M_{¯ ¯ ¯ n}$ , for all $n ⩾ ¯ ¯ ¯ n$ .

Next we prove a number of technical lemmas that will culminate in the proof that

M_{¯ ¯ ¯ n} ⊨ φ \land ⋀ E_{M}^{-} \land ¯ ¯ ¯ x \neq ¯ ¯ ¯ y,

where $¯ ¯ ¯ x = ¯ ¯ ¯ y$ is the designated equality of $E$ . Thus, we will have that

E_{M}^{-} ⊊ E_{M_{¯ n}}^{-} and | E_{M_{¯ n}}^{+} | < | E_{M}^{+} |,

contradicting the minimality of $| E_{M}^{+} |$ . Hence, the convexity of MLS will follow, since our initial assumption on $φ$ and $E$ that conditions 1 and 2 hold will be proved to be untenable.

The following lemma provides some useful bounds on the rank of $M_{n} v$ , for $n \in N$ and $v \in V a r s (φ)$ .

Lemma 2.5.

For all $n \in N$ and $v \in V a r s (φ)$ , we have

[label=-]
$r k (M_{n} v) = r k (s) + n + 1$ , if $v \in V_{n}$ ,
$r k (M_{n} v) ⩽ r k (s) + n$ , if $v \notin V_{n}$ .

Proof.

We proceed by induction on $n$ . For $n = 0$ and $v \in V_{0}$ , from (5) we have $M_{0} v = M v \cup {s}$ . Hence, $r k (M_{0} v) = max {r k (M v), r k ({s})} = r k (s) + 1$ , since $r k (s) > r k (M v)$ . On the other hand, if $v \notin V_{0}$ , then $r k (M_{0} v) = r k (M v) < r k (s)$ .

Next, let $n > 0$ and $v \in V_{n}$ . By (6), we have:

r k (M_{n} v) = max (r k (M_{n - 1} v), r k (M_{n - 1} {z \in V_{n - 1} ∣ M z \in M v})) .

(10)

By inductive hypothesis, we readily have

[label=-]
$r k (M_{n - 1} v) ⩽ r k (s) + n$ , and
$r k (M_{n - 1} {z \in V_{n - 1} ∣ M z \in M v}) ⩽ r k (s) + n + 1$ .

In addition, since $v \in V_{n}$ , then by (4), $M u \in M v$ for some $u \in V_{n - 1}$ . Hence, again by inductive hypothesis, $r k (M u) = r k (s) + n$ , and since $u \in {z \in V_{n - 1} ∣ M z \in M v}$ , we have

r k (M_{n - 1} {z \in V_{n - 1} ∣ M z \in M v}) = r k (s) + n + 1.

Thus, by (10), we get $r k (M_{n} v) = r k (s) + n + 1$ .

On the other hand, if $v \notin V_{n}$ , then by (6) and by the inductive hypothesis we have $r k (M_{n} v) = r k (M_{n - 1} v) ⩽ r k (s) + n$ . ∎

Next we prove that the set $s$ can enter $M_{n}$ only when $n = 0$ .

Lemma 2.6.

For all $n \in N$ and $v \in V a r s (φ)$ , we have:

[label=()]
$M_{n} v \neq s$ ;
$s \in M_{n} x ⟺ s \in M_{0} x$ .

Proof.

Concerning 1, we proceed by induction on $n$ .

For $n = 0$ , by (5) we have:

[label=-]
$r k (M_{0} v) = r k (s) + 1$ , if $v \in V_{0}$ (by Lemma 2.5);
$r k (M_{0} v) = r k (M v) < r k (s)$ , if $v \notin V_{0}$ .

In both cases, it follows that $M_{0} v \neq s$ .

For the inductive step, let $n > 1$ . If $v \in V_{n}$ , then by Lemma 2.5 we have $r k (M_{n} v) = r k (s) + n + 1$ , and therefore $M_{n} v \neq s$ . On the other hand, if $v \notin V_{n}$ , then $M_{n} v = M_{n - 1} v \neq s$ , by (6) and by the inductive hypothesis.

Next we prove 2 by induction on $n$ .

The base case $n = 0$ is trivial.

For the inductive step, let $n > 0$ . If $s \in M_{0} x$ , then Lemma 2.2 1 yields readily $s \in M_{n} x$ . Conversely, let $s \in M_{n} x$ . If $x \notin V_{n}$ , then by (6) we have $s \in M_{n} x = M_{n - 1} x$ , and therefore by inductive hypothesis $s \in M_{0} x$ . On the other hand, if $x \in V_{n}$ , then again by (6) we have

s \in M_{n} x = M_{n - 1} x \cup M_{n - 1} {y \in V_{n - 1} ∣ M y \in M x} .

In view of 1, the latter formula yields $s \in M_{n - 1} x$ , and therefore $s \in M_{0} x$ follows again by inductive hypothesis, completing the proof of 2, and in turn of the lemma. ∎

The following lemma proves that, at each construction step of the assignments $M_{n}$ ’s, only elements of rank at least $r k (s)$ can enter into play.

Lemma 2.7.

For every set $q \in M_{n} x$ , for some $x \in V a r s (φ)$ and $n \in N$ , if $r k (q) < r k (s)$ then $q \in M x$ .

Proof.

Let $x \in V a r s (φ)$ , $n \in N$ , and $q \in M_{n} x$ , with $r k (q) < r k (s)$ . From Lemma 2.2 2, we have

M_{n} x \subseteq M x \cup {s} \cup n - 1 ⋃ k = 0 M_{k} {y \in V_{k} ∣ M y \in M x} .

Since, by Lemma 2.5, the rank of each member of ${s} \cup ⋃_{k = 0}^{n - 1} M_{k} {y \in V_{k} ∣ M y \in M x}$ is greater than or equal to $r k (s)$ , then necessarily $q \in M x$ ∎

All the inequalities $x \neq y$ satisfied by $M$ are satisfied by every $M_{n}$ , as proved in the following corollary.

Corollary 2.8.

If $M x \neq M y$ , for some $x, y \in V a r s (φ)$ , then $M_{n} x \neq M_{n} y$ , for every $n \in N$ .

Proof.

W.l.o.g., let us assume that $M x ⊈ M y$ , and let $q \in M x ∖ M y$ . Also, let $n \in N$ . By Lemma 2.2 1, $q \in M_{n} x$ . Plainly, $r k (q) < r k (M x) < r k (s)$ and $q \notin M y$ . Thus, Lemma 2.7 yields $q \notin M_{n} y$ , proving that $M_{n} x \neq M_{n} y$ . ∎

To show that every membership $x \in y$ satisfied by $M$ is correctly modeled by $M_{¯ ¯ ¯ n}$ , we will need the following result.

Lemma 2.9.

For all $n \in N$ and $x, y \in V a r s (φ)$ , if $x \in V_{n}$ and $M x \in M y$ , then $y \in V_{n + 1}$ and $M_{n} x \in M_{n + 1} y$ .

Proof.

Let $n \in N$ and assume that $M x \in M y$ , for some $x, y \in V a r s (φ)$ , and that $x \in V_{n}$ . Then, by (4), $y \in V_{n + 1}$ . In addition, from (6), the latter membership relation yields immediately that $M_{n} x \in M_{n + 1} y$ . ∎

We are now ready to prove our main lemma.

Lemma 2.10.

The assignment $M_{¯ ¯ ¯ n}$ satisfies $φ$ .

Proof.

We prove the lemma, by showing that $M_{¯ ¯ ¯ n}$ correctly models all the conjuncts in $φ$ . We recall that, in view of the reduction process outlined in Section 1, our formula $φ$ contains conjuncts of two types only, namely $x \in y$ and $x = y ∖ z$ .

Conjuncts of type $x \in y$ .

Let $x \in y$ occur in $φ$ , so that $M x \in M y$ holds. If $x \notin V_{n}$ for all $n \in N$ , then $M_{¯ ¯ ¯ n} x = M x \in M y \subseteq M_{¯ ¯ ¯ n} y$ (by Lemma 2.2 1), from which $M_{¯ ¯ ¯ n} x \in M_{¯ ¯ ¯ n} y$ follows.
Conversely, if $x \in V_{n}$ , for some $n \in N$ , we set $¯¯¯¯¯m\coloneqqmax{n∈N∣x∈Vn}$ . In addition, since $M x \in M y$ and $x \in V_{¯ ¯¯ ¯ m}$ , Lemma 2.9 implies $y \in V_{¯ ¯¯ ¯ m + 1}$ and therefore, by Lemma 2.3 2, $¯ ¯¯¯ ¯ m + 1 ⩽ | V a r s (φ) | - 1 ⩽ ¯ ¯ ¯ n$ . Thus, Lemma 2.9 again together with Lemma 2.2 1 yields $M_{¯ ¯ ¯ n} x = M_{¯ ¯¯ ¯ m} x \in M_{¯ ¯¯ ¯ m + 1} y \subseteq M_{¯ ¯ ¯ n} y$ , from which $M_{¯ ¯ ¯ n} x \in M_{¯ ¯ ¯ n} y$ follows.

Conjuncts of type $x = y ∖ z$ .

Let $x = y ∖ z$ occur in $φ$ , so that $M x = M y ∖ M z$ holds. We will prove that $M_{¯ ¯ ¯ n} ⊨ x = y ∖ z$ , by proving that $M_{¯ ¯ ¯ n} x \subseteq M_{¯ ¯ ¯ n} y ∖ M_{¯ ¯ ¯ n} z$ and $M_{¯ ¯ ¯ n} y ∖ M_{¯ ¯ ¯ n} z \subseteq M_{¯ ¯ ¯ n} x$ hold.
Proof of $M_{¯ ¯ ¯ n} x \subseteq M_{¯ ¯ ¯ n} y ∖ M_{¯ ¯ ¯ n} z$ . From Lemma 2.2 2, we have:

M_{¯ ¯ ¯ n} x \subseteq M x \cup {s} \cup ¯ ¯ ¯ n - 1 ⋃ k = 0 M_{k} {u \in V_{k} ∣ M u \in M x} .

Let $q \in M_{¯ ¯ ¯ n} x$ . We first consider that case in which $q \in M x$ . Then $q \in M y ∖ M z$ . Hence, by Lemma 2.2 1, $q \in M_{¯ ¯ ¯ n} y$ . In addition, since $q \notin M z$ and $r k (q) < r k (s)$ , Lemma 2.7 yields $q \notin M_{¯ ¯ ¯ n} z$ . Thus, $q \in M_{¯ ¯ ¯ n} y ∖ M_{¯ ¯ ¯ n} z$ .
Next, let $q = s$ . Hence, $s \in M_{0} x$ (by Lemma 2.6 2), so that $x \in V_{0}$ (by (5) and (3)), and therefore $t \in ¯ ¯¯¯¯ ¯ M x$ . Since $¯ ¯¯¯¯ ¯ M x = ¯ ¯¯¯¯ ¯ M y ∖ ¯ ¯¯¯¯ ¯$

On the Convexity of a Fragment of Pure Set Theory with Applications within a Nelson-Oppen Framework

A Decidable Fragment of Second Order Logic With Applications to Synthesis

Politeness for the Theory of Algebraic Datatypes

Computing Tropical Prevarieties with Satisfiability Modulo Theories (SMT) Solvers

Proving Program Properties as First-Order Satisfiability

Complexity of Combinations of Qualitative Constraint Satisfaction Problems

Solving bitvectors with MCSAT: explanations from bits and pieces (long version)

A Generic Framework for Implicate Generation Modulo Theories

Introduction

1 Syntax and semantics of Mls

2 Convexity of Mls

Proof overview

Example 2.1.

Example 2.1 (cont’d).

Proof details

Lemma 2.2.

Lemma 2.3.

Proof.

Corollary 2.4.

Lemma 2.5.

Proof.

Lemma 2.6.

Proof.

Lemma 2.7.

Proof.

Corollary 2.8.

Proof.

Lemma 2.9.

Proof.

Lemma 2.10.

Proof.

Conjuncts of type $x \in y$ .

Conjuncts of type $x = y ∖ z$ .

On the Convexity of a Fragment of Pure Set Theory with Applications within a Nelson-Oppen Framework

Related Research

A Decidable Fragment of Second Order Logic With Applications to Synthesis

Politeness for the Theory of Algebraic Datatypes

Computing Tropical Prevarieties with Satisfiability Modulo Theories (SMT) Solvers

Proving Program Properties as First-Order Satisfiability

Complexity of Combinations of Qualitative Constraint Satisfaction Problems

Solving bitvectors with MCSAT: explanations from bits and pieces (long version)

A Generic Framework for Implicate Generation Modulo Theories

Introduction

1 Syntax and semantics of Mls

2 Convexity of Mls

Proof overview

Example 2.1.

Example 2.1 (cont’d).

Proof details

Lemma 2.2.

Lemma 2.3.

Proof.

Corollary 2.4.

Lemma 2.5.

Proof.

Lemma 2.6.

Proof.

Lemma 2.7.

Proof.

Corollary 2.8.

Proof.

Lemma 2.9.

Proof.

Lemma 2.10.

Proof.

Conjuncts of type x∈y.

Conjuncts of type x=y∖z.

Conjuncts of type $x \in y$ .

Conjuncts of type $x = y ∖ z$ .