=Paper=
{{Paper
|id=Vol-259/paper-15
|storemode=property
|title=A Sequent Calculus for Integer Arithmetic with Counterexample Generation
|pdfUrl=https://ceur-ws.org/Vol-259/paper15.pdf
|volume=Vol-259
|dblpUrl=https://dblp.org/rec/conf/cade/Rummer07
}}
==A Sequent Calculus for Integer Arithmetic with Counterexample Generation==
https://ceur-ws.org/Vol-259/paper15.pdf
A Sequent Calculus for Integer Arithmetic with
Counterexample Generation
Philipp Rümmer
Department of Computer Science and Engineering,
Chalmers University of Technology and Göteborg University, Sweden
philipp@chalmers.se
Abstract. We introduce a calculus for handling integer arithmetic in first-order logic.
The method is tailored to Java program verification and meant to be used both as a sup-
porting procedure and simplifier during interactive verification and as an automated tool
for discharging (ground) proof obligations. There are four main components: a complete
procedure for linear equations, a complete procedure for linear inequalities, an incom-
plete procedure for nonlinear (polynomial) equations, and an incomplete procedure for
nonlinear inequalities. The calculus is complete for the generation of counterexamples
for invalid ground formula in integer arithmetic. All parts described here have been
implemented as part of the KeY verification system.
1 Introduction
We introduce a Gentzen-style sequent calculus for integer arithmetic that is
tailored to integrated automated and interactive Java software verification. The
calculus was developed for dynamic logic for the Java language [1, Chapter 3] (a
classical first-order logic) and integrates well-known as well as new algorithms,
with the goal to meet the following features:
– Simplification of arithmetic expressions or formulas with the goal to keep
everything small and readable. A calculus for this purpose should always
terminate and should not cause proof splitting; completeness is a secondary.
– Transparency and the ability to create human-readable proofs and sequences
of simplification steps, otherwise it is difficult for a user to resume interac-
tive proving after a number of automated proof steps. The fastest way to
understand a proof goal is often to look at the history that led to the goal.
– Handling of nonlinear arithmetic guided by the user, which is necessary for
programs that happen to contain multiplication or division operations. The
cost of interactive software verification should be justified by the ability to
also handle more complex programs than automatic tools.
– Generation of counterexamples for invalid formulas, which is useful during
specification and when proving with induction and invariants.
– Handling of the actual modular Java integers, which in our system is modelled
by a mapping to the mathematical integers [1, Chapter 12]. Reasoning in
this setting requires good support for simplifying expressions, for instance by
�180 Philipp Rümmer
(implicitly) proving the absence of overflows. The methods that we developed
to this end are beyond the scope of the paper, but are based on the presented
calculus.
– Most importantly: it should be easy to use!
Only some of these points can be solved using external procedures and the-
orem provers (which are, nevertheless, extremely useful for dealing with simpler
proof obligations). As a complementary approach, we have developed a novel cal-
culus for integer arithmetic that is directly implemented in our theorem prover
KeY [1] in form of derived (i.e., verified) proof rules. The rules are deliberately
kept as elementary as possible and are here presented in sequent calculus nota-
tion. The calculus is driven by a proof strategy that controls the rule application
and realises the following components: (i) a simplification procedure that works
on single terms and formulas and is responsible for normalisation of polynomi-
als (Sect. 2), (ii) a complete procedure for systems of linear equations, based
on Gaussian elimination and the Euclidian algorithm (Sect. 3), (iii) a complete
procedure for systems of linear inequalities, based on Fourier-Motzkin variable
elimination (Sect. 4), (iv) an incomplete procedure for nonlinear (polynomial)
equations, based on Gröbner bases (Sect. 5), (v) an incomplete procedure for
nonlinear inequalities using cross-multiplication of inequalities and systematic
case analysis (Sect. 6).
The development of the method was mostly an engineering process with the
goal of handling cases that practically occur in Java program verification. It was
successful in the sense that many proofs that before only were possible with the
help of external provers can now be handled by KeY alone (e.g., the case study
[2]), and that many proofs that before were impossible have become feasible.
We do not consider quantifiers or uninterpreted functions in this paper. The
calculus is proof confluent (cf. [3]) and can basically be used in two different
modes: (i) for simplification, which disables the handling of nonlinear inequal-
ities, prevents case splits and guarantees termination (Procedure 4 in Sect. 5),
and (ii) for proving and countermodel construction, which enables all parts (Pro-
cedure 5 in Sect. 6).
Introductory example. We start with an example and show how the following
statement can be proven within our calculus (in the “full” mode):1
.
11a + 7b = 1 ⊢ h b=a*c-1; if (c>=a) a=a/b; i true (1)
In Java dynamic logic, this sequent expresses that the program in angle brack-
ets terminates normally, i.e., in particular does not raise exceptions, given the
.
assumption 11a + 7b = 1. A proof is conducted by rewriting the program follow-
ing the symbolic execution paradigm [4], whereby the calculus presented in this
1
On an Intel Pentium M processor with 1.6 GHz, the KeY implementation of the procedure needs
about 460 inference steps and 2 seconds to find this proof.
� A Sequent Calculus for Integer Arithmetic with Counterexample Generation 181
. . . . .
5c ≥ −7e − 8, e ≤ −1, c ≤ −1, c ≥ 7e + 2, 7ce = −2c + 1 ⊢ (13)
. . . . .
ce ≥ −c − e − 1, e ≤ −1, c ≤ −1, c ≥ 7e + 2, 7ce = −2c + 1 ⊢ (12)
. . . .
e ≤ −1, c ≤ −1, c ≥ 7e + 2, 7ce = −2c + 1 ⊢ (11)
. . .
··· c ≤ −1, c ≥ 7e + 2, 7ce = −2c + 1 ⊢ (10)
. .
. . . , c ≥ 7e + 2, 7ce = −2c + 1 ⊢ (9)
. . . .
a = 7e + 2, b = −11e − 3, c ≥ 7e + 2 ⊢ 7ce + 2c − 1 6= 0 (8)
. . .
··· a = 7e + 2, b = −11e − 3, c ≥ 7e + 2 ⊢ {b := 7ce + 2c − 1}h a=a/b; i true (7)
. .
a = 7e + 2, b = −11e − 3 ⊢ {b := 7ce + 2c − 1}h if (c>=a) a=a/b; i true (6)
. .
a = 7e + 2, b = −11e − 3 ⊢ {b := a · c − 1}h if (c>=a) a=a/b; i true (5)
. . .
a = 7e + 2, b = −11e − 3, d = 3e + 1 ⊢ h b=a*c-1; if (c>=a) a=a/b; i true (4)
. .
3a = 7d − 1, b = −2a + d ⊢ h b=a*c-1; if (c>=a) a=a/b; i true (3)
.
7b = −11a + 1 ⊢ h b=a*c-1; if (c>=a) a=a/b; i true (2)
.
11a + 7b = 1 ⊢ h b=a*c-1; if (c>=a) a=a/b; i true (1)
Fig. 1. Proof tree for the introductory example
.
paper is permanently applied on the path condition (in (1), 11a + 7b = 1) and
the symbolic variable assignment (in (1), the identity).
The complete proof is shown in Fig. 1. As first step, all formulas are nor-
malised: we choose an arbitrary well-ordering 0. Furthermore, all inequalities are moved to the
antecedent, and in case αs − t is a constant polynomial an equation or inequality
is directly replaced with true or false.
We always demand that the coefficients of non-constant terms in an equation
or inequality are coprime (do not have non-trivial factors in common), and oth-
erwise divide all coefficients by the greatest common divisor. This also detects
.
that equations like 2y. = 1 − 6c are unsolvable and equivalent to false,
.
and that
an inequality like 2y ≤ 1 − 6c can be simplified and rounded to y ≤ −3c thanks
to the discreteness of the integers.
Finally, we add
.
a simple subsumption check for inequalities that eliminates
an. inequality s ≤ t from the antecedent in. case there is a second inequality
s ≤ t − β with β ≥ 0 (correspondingly for ≥).
3 Equation Handling: Gaussian Variable Elimination
In contrast to many decision procedures or SMT provers, equation and inequality
handling for integers are kept separate in our system. The initial reason for this
was that we believe that a reduction of equations to inequalities is not an option
for interactive proving. Much later we became aware that we also can design
more efficient, elegant and practical calculi for linear integer equations than for
inequalities, which afterwards justifies the decision. We believe that this is also
an important insight when working with the modular Java arithmetic, where
the handling of such equations is essential. The sequent calculus described in
this section is based on Gaussian elimination and the Euclidian algorithm.3 It
is complete, does not involve proof splitting, and is fast for all problems and
benchmarks that we so far have looked at.
3
The calculus is in parts inspired by [5, Chapter 4.5.2], but in contrast to [5] we perform both row
and column operations.
�184 Philipp Rümmer
Row Operations. The primary rule of the calculus reduces an expression with
the help of an equation in the antecedent. The application of the rule is only
.
allowed if s′ is not a subterm of s = t (u is an arbitrary term):4
.
Γ, s = t ⊢ φ[s′ + u · (s − t)], ∆
. red
Γ, s = t ⊢ φ[s′ ], ∆ if s′ + u · (s − t) 1, (s − αu) = min 0, β > 0
.
The resulting inequality βt ≤ αt′ does no longer contain the monomial s and is
therefore 0 && decPart < 0 ) {
intPart--; decPart = (short)( decPart + PRECISION );
} else if ( intPart < 0 && decPart > 0 ) {
intPart++; decPart = (short)( decPart - PRECISION ); }
decPart += f;
if ( intPart > 0 && decPart < 0 ) {
intPart--; decPart = (short)( decPart + PRECISION );
} else if ( intPart < 0 && decPart > 0 ) {
intPart++; decPart = (short)( decPart - PRECISION );
} else {
short retenue = 0; short signe = 1;
if ( decPart < 0 ) {
signe = -1; decPart = (short)( -decPart ); }
retenue = (short)( decPart / PRECISION );
decPart = (short)( decPart % PRECISION );
retenue *= signe; decPart *= signe; intPart += retenue;
} }
Fig. 2. Addition method of class Decimal taken from [15], where it was verified using the Loop tool
and PVS [11]. This method is part of the JavaCard Purse applet by Gemplus [16]. Using the KeY
implementation of our calculus, it takes about 200 seconds and 26000 rule applications to automatically
verify that the method adheres to its specification, reasoning about the modular arithmetic of Java.
Procedure 2. For an invalid sequent, a fair strategy eventually produces goals in
which all inequalities have been replaced with equations and where Procedure 1
can take over and produce a counterexample.
Case distinctions are also necessary to handle equations in the succedent:
. .
Γ ⊢ s ≤ t, ∆ Γ ⊢ s ≥ t, ∆
. split-eq
Γ ⊢ s = t, ∆
Procedure 3. Apply Procedure 2 (the incomplete method) with the highest pri-
ority, the rule split-eq with second highest priority, and the rule strengthen
with lowest priority and in a fair manner.
Lemma 3. This procedure is complete and proof confluent, and it eventually
produces a counterexample for an invalid sequent.
�188 Philipp Rümmer
Example 3. Consider the following example taken from [17]: Because Proce-
.
dure 2 is not able to derive a contraction, we apply strengthen to x ≤ 2
. .
and obtain two cases x = 1, x = 2 (thanks to anti-symm), the second of which
leads to a counterexample:
. .
∗ y = 1, x = 2 ⊢
. . . fm-elim . . . anti-symm
y ≥ 1, y ≤ 0, x = 1 ⊢ y ≥ 1, y ≤ 1, x = 2 ⊢
.. ..
.. ..
. . . . . .
4y ≥ x + 1, 4y ≤ x + 2, x = 1 ⊢ 4y ≥ x + 1, 4y ≤ x + 2, x = 2 ⊢
..
..
. . . . strengthen
4y ≥ x + 1, 4y ≤ x + 2, x ≤ 2, x ≥ 1 ⊢
5 Handling of Nonlinear Polynomial Equations:
Pseudo-Reduction and Gröbner Bases
The validity of equations or inequalities over arbitrary (possibly nonlinear) poly-
nomials over the integers is known to be undecidable [18]. This means that all
rules and procedures that we give from now on can never be complete and have
been employed or developed with the aim of handling the common cases: when
verifying programs, a large amount of the occurring nonlinear proof obligations
can and should be taken care of automatically by incomplete calculi. The most
important step to this end is to normalise nonlinear expressions (Sect. 2). We
describe a comparatively cheap extension—that does not cause any proof split-
ting and is suited for interactive proving—of Procedure 1 to deal with nonlinear
equation.
Pseudo-Reduction. As in Sect. 3, the primary rule for rewriting with (non-
linear) equations is red. Because we do not apply the rule col-red to non-
.
linear equations, however, there are cases where equations αs = t with α > 1
remain
.
in. the antecedent that. cannot be simplified further. In the sequent
.
x ≥ 1, y ≥ 1, 2z 2 = y ⊢ xz 2 ≤ xy, for instance, none of the rules so far can
be applied. In order to handle such cases, we introduce a further reduction rule
that is based on pseudo-division and works by first multiplying the target ex-
.
pression with a constant (cf. [5]). The rule must only be applied if αs = t and
.
u · t = αt′ are different equations:
. .
Γ, αs = t ⊢ φ[u · t = αt′ ], ∆
. . pseudo-red
Γ, αs = t ⊢ φ[s′ = t′ ], ∆ if deg s > 1, α > 1, s′ = u · s
. .
There are similar rules for inequalities s′ ≤ t′ , s′ ≥ t′ . We apply pseudo-red
.
only if the left-hand side of the equation αs = t is nonlinear and α > 1. Other-
wise, the normal reduction rule red can be used, possibly after turning α into
1 with help of col-red.
� A Sequent Calculus for Integer Arithmetic with Counterexample Generation 189
Gröbner Bases. Rewriting with nonlinear equations using the rules red and
pseudo-red is not confluent and is not able to decide ideal membership in a ring
of polynomials. Ideal membership is an approximation of semantic entailment
of (nonlinear) equations that we can practically decide: we complete the set of
antecedent equations by computing a Gröbner basis [6].
The simplest way to generate a Gröbner basis is to saturate the antecedent
with “S-polynomial”-equations by considering all critical pairs of existing integer
equations—the Buchberger algorithm [6]. Our calculus produces a non-reduced
Gröbner basis over the field of rational numbers that only consists of polyno-
mial equations with integer coefficients, which are easier to compute and almost
as useful for reduction as actual Gröbner bases over the integers. Given two
equations with overlapping left-hand sides, S-polynomials are added as follows:
s = gcd(s, s′ ) · sr ,
. . . s′ = gcd(s, s′ ) · s′r ,
Γ, s = t, s′ = t′ , s′r · t = sr · t′ ⊢ ∆ 0 < deg sr < deg s,
. . s-poly
Γ, s = t, s′ = t′ ⊢ ∆ 0 < deg s′r < deg s′
Similarly to the Fourier-Motzkin elimination rule, this rule must not be applied
repeatedly for the same pair of equations to ensure termination. The performance
of this naive implementation of Buchberger’s algorithm is not comparable with
more advanced methods, of course. We have yet to find, however, a verification
problem where this would be a problem.
Procedure 4. Apply Procedure 1 (linear equations) with highest priority, the
rule pseudo-red with second highest priority, the rule s-poly with third highest
priority, and Procedure 2 (linear inequalities) with lowest priority.
Lemma 4. Procedure 4 terminates when applied to a sequent containing arbi-
trary equations and inequalities.
6 Handling of Nonlinear Polynomial Inequalities:
Cross-Multiplication and Case Splits
The handling of nonlinear polynomial inequalities is realised as an extension of
the linear inequality handling (Sect. 4). In order to apply linear reasoning to non-
linear arithmetic, we generate linear approximations of products and incremen-
tally strengthen the precision of the approximations through case distinctions.
Likewise, case splits are used to ensure the existence of linear approximations.
Our method has been developed as a heuristic, and we do not have an exact
description of the fragment of nonlinear arithmetic that it can handle. The main
application areas where the method has proven to be extremely useful are cor-
rectness proofs for lemma rules that can be loaded by the prover KeY [1], and
the verification of programs with the actual modular integer semantics of Java.
�190 Philipp Rümmer
Similarly to the approach in ACL2 [14, 19] (and using their terminology), the
primary rule to handle nonlinear inequalities is cross-multiplication:
. . .
Γ, s ≤ t, s′ ≤ t′ , 0 ≤ (t − s) · (t′ − s′ ) ⊢ ∆
. . cross-mult
Γ, s ≤ t, s′ ≤ t′ ⊢ ∆
.
There are corresponding rules for ≥ and for mixed pairs of inequalities. As usual
in order to ensure termination, cross-mult must not be applied repeatedly to
the same pair of inequalities.
We can give. a geometric
.
interpretation of cross-multiplication: for two linear
inequalities x ≤ α, y ≤ β, cross-multiplication introduces a linear approximation
of the product (the bilinear term) xy. In this particular case, the right-hand side
.
of the new inequality xy ≥ βx + αy − αβ is the greatest.
plane
.
that bounds the
expression xy from below (under the assumptions x ≤ α, y ≤ β). More generally,
the result of cross-multiplication is a bound on the value of a monomial in
terms of 0 ⊢ ∆
sign-cases
Γ ⊢ ∆
.
Ternary splits are motivated by the observation that the case x = 0 usually
is easy to handle (significantly easier than the original problem), while at the
� A Sequent Calculus for Integer Arithmetic with Counterexample Generation 191
.
same time a strict inequality
.
x > 0 appears to be of much greater use in cross-
.
multiplication than x ≥ 0 (and correspondingly for x < 0). In our experience,
the rule sign-cases outperforms binary cuts.
Point (ii) is accommodated by using the rule strengthen from Sect. 4,
which we apply to linear inequalities in order to incrementally restrict the domain
.
of a variable.
.
For the example above, after strengthening the inequality x ≤ α
to x ≤ α − 1, we can also derive a better bound βx + (α − 1)y − αβ + β for the
value of xy.
Procedure 5. Apply Procedure 4 (equations handling and the incomplete proce-
dure for linear inequalities) with the highest priority, the rule split-eq with sec-
ond highest priority, and the rules cross-mult, sign-cases and strengthen
with the lowest priority and in a fair manner.
Example 4. We give three further examples that can be proven using Proce-
dure 5 (the last two ones are taken from [14, 19]). In practice, it can often be
observed that Procedure 5 is able to solve nonlinear equational problems that
cannot be proven using Procedure 4 (only using Gröbner bases).
. . . . . . . .
xy = 0 ⊢ x = 0, y = 0 x2 = 2 ⊢ 0 < ab, 0 < cd, 0 < ac ⊢ 0 < bd
Example 5. A valid sequent that. is not provable
.
due. to the restriction on the
.
application of cross-mult is ac ≤ bd − 1, de
.
≤ a, c ≥. 1, ce = b ⊢ . The prob-
lem can be solved by cross-multiplying de ≤ a and c ≥ 1.
Lemma 5. When applied to an invalid sequent (containing arbitrary equations
and inequalities), Procedure 5 will eventually produce a counterexample.
7 Related Work
Most similar to our approach is the arithmetic handling in ACL2 [13, 14], which
also employs Fourier-Motzkin for linear and cross-multiplication for nonlinear
arithmetic. Concerning differences, ACL2 runs arithmetic handling as a purely
automated procedure, supports also rationals, does not have separate procedures
for equations and does not seem to perform a systematic case analysis.
An method for handling linear equations and inequalities similar to our ap-
proach (but lacking counterexample generation) is described in [17] and imple-
mented in the Tecton tool. Related is also [20] about the extension of linear
reasoning to nonlinear reasoning.
Higher-order proof assistants usually support integer arithmetic and are so
general that arbitrary procedures can be implemented on top of them, often
targeting mathematical proofs. In comparison, we tried to develop a simple cal-
culus/procedure specifically for Java verification that works “out of the box”
�192 Philipp Rümmer
and requires little expertise. The PVS proof assistant [11] can handle linear
integer arithmetic and can simplify nonlinear expressions (involving multiplica-
tion and division) to some degree, but does (apparently) not go as far as our
approach or ACL2. The Coq system [12] implements an incomplete version of
the Omega method for deciding Presburger arithmetic (linear integer arithmetic
with quantifiers) that essentially boils down to Fourier-Motzkin. Coq can also
simplify ring expressions like polynomials. For HOL light [21], a number of tac-
tics and decision procedures for arithmetic have been implemented, including
Cooper’s method for deciding Presburger arithmetic, handling of congruences
and simplification of polynomial expressions.
Linear arithmetic is one of the most important theories supported by SMT
solvers (which generally provide incomparably better performance for linear
arithmetic than our implementation based on a general theorem prover frame-
work), see [22] for a list. To the best of our knowledge, no SMT solver offers
support for nonlinear arithmetic similar to our approach or ACL2. SMT solvers
typically use linear programming techniques like Simplex, combined with meth-
ods like branch-and-bound or Gomory’s cutting planes to realise completeness
on the integers.
8 Conclusions and Future Work
We have presented the main components of a proof procedure for linear and
nonlinear integer arithmetic, represented as sequent calculus rules together with
application strategies. The procedure is completely implemented, and the sound-
ness of the implementation is verified in the prover KeY itself. In addition to
the calculus shown here, KeY also supports division and modulo operations and
provides further methods like polynomial division. Based on this, we have for-
malised the Java semantics of integer operations.
For the future, we are considering a more efficient stand-alone implemen-
tation of the calculus, possibly based on the DPLL(T) framework. As a more
conceptual extension, we plan to combine the calculus with free-variable rea-
soning for handling quantifiers. The general approach for this is described in
[23], but needs to be investigated more carefully. Finally, we would like to add
support for bit-wise operations (as they can be found in Java).
Acknowledgements. I want to thank Wolfgang Ahrendt and Richard Bubel for
many inspiring discussions and comments on this paper. Thanks are also due to
the anonymous referees for helpful comments.
References
1. Beckert, B., Hähnle, R., Schmitt, P.H., eds.: Verification of Object-Oriented Software: The KeY
Approach. LNCS 4334. Springer-Verlag (2007)
� A Sequent Calculus for Integer Arithmetic with Counterexample Generation 193
2. Mostowski, W.: Fully verified JavaCard API reference implementation. In: 4th International
Verification Workshop. (2007) To appear.
3. Fitting, M.C.: First-Order Logic and Automated Theorem Proving. 2nd edn. Springer-Verlag,
New York (1996)
4. King, J.C.: Symbolic execution and program testing. Communications of the ACM 19 (1976)
385–394
5. Knuth, D.E.: The Art of Computer Programming: Seminumerical Algorithms. Addison-Wesley
(1997) Third edition.
6. Buchberger, B.: An algorithmical criterion for the solvability of algebraic systems. Aequationes
Mathematicae 4 (1970) 374–383 (German).
7. Buchberger, B.: A critical-pair/completion algorithm for finitely generated ideals in rings. In: Pro-
ceedings of the Symposium ”Rekursive Kombinatorik” on Logic and Machines: Decision Problems
and Complexity, London, UK, Springer-Verlag (1984) 137–161
8. Dershowitz, N.: Termination of rewriting. J. Symb. Comput. 3 (1987) 69–116
9. Dershowitz, N., Manna, Z.: Proving termination with multiset orderings. Commun. ACM 22
(1979) 465–476
10. Schrijver, A.: Theory of Linear and Integer Programming. Wiley (1986)
11. Owre, S., Rajan, S., Rushby, J., Shankar, N., Srivas, M.: PVS: Combining specification, proof
checking, and model checking. In Alur, R., Henzinger, T.A., eds.: Proceedings, CAV. Volume
1102 of LNCS., Springer (1996) 411–414
12. Dowek, G., Felty, A., Herbelin, H., Huet, G., Murthy, C., Parent, C., Paulin-Mohring, C., Werner,
B.: The Coq proof assistant user’s guide. Rapport Techniques 154, INRIA, Rocquencourt, France
(1993) Version 5.8.
13. Kaufmann, M., Moore, J.S.: ACL2: An industrial strength version of nqthm. In: Compass’96:
Eleventh Annual Conference on Computer Assurance, Gaithersburg, Maryland, National Institute
of Standards and Technology (1996)
14. Warren A. Hunt, J., Krug, R.B., Moore, J.S.: Linear and nonlinear arithmetic in ACL2. In Geist,
D., Tronci, E., eds.: CHARME. Volume 2860 of Lecture Notes in Computer Science., Springer
(2003) 319–333
15. Breunesse, C.B., Jacobs, B., van den Berg, J.: Specifying and verifying a decimal representa-
tion in java for smart cards. In: Proceedings of the 9th International Conference on Algebraic
Methodology and Software Technology, London, UK, Springer-Verlag (2002) 304–318
16. : Gemplus purse applet. (http://www.gemplus.com/smart/r d/publications/case-study/)
17. Kapur, D., Nie, X.: Reasoning about numbers in tecton. In: International Symposium on Method-
ologies for Intelligent Systems, Charlotte, North Carolina. (1994)
18. Matijasevic, Y.: Enumerable sets are diophantine (Russian). Dokl. Akad. Nauk SSSR 191 (1970)
279–282 Translation in Soviet Math Doklady, Vol 11, 1970.
19. Warren A. Hunt, J., Krug, R.B., Moore, J.S.: Integrating nonlinear arithmetic into into ACL2. In:
Fifth International Workshop on the ACL2 Theorem Prover and Its Applications (ACL2-2004).
(2004)
20. Kapur, D., Cyrluk, D.: Reasoning about nonlinear inequality constraints: a multi-level approach.
In: Proceedings of a workshop on Image understanding workshop, San Francisco, CA, USA,
Morgan Kaufmann Publishers Inc. (1989) 904–915
21. Harrison, J.: The HOL light manual (1.1) (2000)
22. Ranise, S., Tinelli, C.: The Satisfiability Modulo Theories Library (SMT-LIB). www.SMT-LIB.org
(2006)
23. Rümmer, P., Shah, M.A.: Proving programs incorrect using a sequent calculus for Java Dynamic
Logic. In: International Conference on Tests And Proofs (TAP). LNCS, Springer (2007) To
appear.
A Proofs (-Sketches)
Proof. (Lem. 1) Termination: the termination of simp and red is immediate.
.
We call the left-hand sides x of equations x = s (x a variable) in the antecedent
�194 Philipp Rümmer
“defined variables,” and all other variables “independent variables.” When ap-
plying red exhaustively, each defined variable will eventually occur in exactly
one place in the sequent (namely, in the defining equation).
For proving termination when col-red is added, we show that the leading
.
coefficients α > 1 of equations αx = s constantly get smaller. We introduce a
well-founded ordering on the set of multisets over N
∪ {∞} by lexicographic
comparison: for a1 ≤ · · · ≤ an , b1 ≤ · · · ≤ bm , we define:
{{a1 , . . . , an }}