A Decidable Fragment of Second Order Logic With Applications to Synthesis

# A Decidable Fragment of Second Order Logic With Applications to Synthesis

P. Madhusudan University of Illinois, Urbana Champaign, USA    Umang Mathur University of Illinois, Urbana Champaign, USA    Shambwaditya Saha University of Illinois, Urbana Champaign, USA    Mahesh Viswanathan University of Illinois, Urbana Champaign, USA
###### Abstract

We propose a fragment of many-sorted second order logic ESMT and show that checking satisfiability of sentences in this fragment is decidable. This logic has an quantifier prefix that is conducive to modeling synthesis problems. Moreover, it allows reasoning using a combination of background theories provided that they have a decidable satisfiability problem for the FO-fragment (e.g., linear arithmetic). Our decision procedure reduces the satisfiability of ESMT formulae to satisfiability queries of the background theories, allowing us to use existing efficient SMT solvers for these theories; hence our procedure can be seen as effectively SMT (ESMT) reasoning.

###### Keywords:
second order logic, synthesis, decidable fragment

## 1 Introduction

The goal of program synthesis is to automatically construct a program that satisfies a given specification. The problem has received a lot of attention from the research community in recent years [3]. Several different approaches have been proposed to address this challenge (see [3] for some of these). One approach to program synthesis is to reduce the problem to the satisfiability problem in a decidable logic by constructing a sentence whose existentially quantified variables identify the program to be synthesized, and the formula expresses the requirements that the program needs to meet.

This paper furthers this research program by identifying a decidable second-order logic that is suitable for encoding problems in program synthesis. To get useful results, one needs to constrain the semantics of functions and relations used in encoding the synthesis problem. Therefore our logic has a set of background theories, where each of the background theories is assumed to be independently axiomatized and equipped with a solver. Finally, to leverage the advances made by logic solvers, our aim is to develop an algorithm for satisfiability for our logic that makes black-box calls to the decision procedures for the background theories.

With the above goal in mind, let us describe our logic. It is a multisorted logic that can be roughly described as an uninterpreted combination of theories (UCT) [9]. A UCT has a many-sorted universe where there is a special sort that is declared to be a foreground sort, while the other sorts () are declared background sorts. We assume that there is some fixed signature of functions, relations, and constants over each individual background sort that is purely over that sort. Furthermore, we assume that each background sort () comes with an associated background theory ; can be arbitrary, even infinite, but is constrained to formulas involving functions, relations and constants that only involve the background sort . Our main result is a decidability result for the satisfiability problem modulo these background theories for boolean combinations of sentences of the form

 (∃x)(∃\mathbfcalR)(∃F)(∀y)(∀\mathbfcalP)(∀G)ψ

where

• [noitemsep]

• is a set of existentially quantified first order variables. These variables can take on values in any of the sorts (background or foreground);

• is a set of existentially quantified relation variables, whose arguments are restricted to be over the foreground sort ;

• is a set of existentially quantified function variables, which take as arguments elements from the foreground sort , and return a value in any of the background sorts ;

• is a set of universally quantified first order variables over any of the sorts;

• is a set of universally quantified relation variables, whose arguments could be of any of the sorts; and

• is a set of universally quantified function variables, whose arguments can be from any sort and could return values of any sort.

Thus our logic has sentences with prefix , allowing for quantification over both first order variables and second-order variables (relational and functional). To obtain decidability, we carefully restrict the types of second-order variables that are existentially and universally quantified, as described above.

Our decidability result proceeds as follows. By crucially exploting the disjointness of the universes of background theories and through a series of simple observations and transformations like Ackermanization, decision procedures similar to the EPR logic (or the Bernays-Schönfinkel-Ramsey class) that exploit the finite model property, we reduce the satisfiability problem for our logic to the satisfiability of pure first-order logic formulas over the individual background theories . Consequently, if the background theories admitted (individually) a decidable satisfiability problem for the fragment, then satisfiability for our logic is decidable. Examples of such background theories include Presburger arithmetic, the theory of real-closed fields, and the theory of linear arithmetic over rationals. Our algorithm for satisfiability, therefore, makes finitely many black-box calls to the engines for the individual background theories.

### Salient aspects of our logic and our decidability result

Expressing Synthesis Problems: The primary design principle of our logic is to express synthesis problems. Synthesis problems typically can be expressed in fragments, where we ask whether there exists an object that we wish to synthesize (using the block of existential quantifiers) such that the object satisfies certain properties (expressed by a universally quantified formula). For instance, if we are synthesizing a program snippet that is required to satisfy a pre/post condition, we can encode this by asking whether there is a program snippet such that for all values of variables (modeling the input to the snippet), the verification condition corresponding to the Hoare triple holds. In this context, the existentially quantified variables (first order and second order) can be used to model program snippets. Furthermore, allowing second-order universal quantification over functions allows us to model aspects of the program state that require uninterpreted functions, and in particular pointer fields to model the heap.

Design for decidability: Our logic is also defined to carefully avoid the undecidability that looms in any logic of such power. First, note that while quantifier-free decidable logics can be combined to get decidable logics using Nelson-Oppen combinations [15], combining quantified logics is notoriously hard. Our design choice forces communication between theories using the foreground sort, and further keeping the universes of the different sorts disjoint allows a decidable combination of theories.

Illustrative Examples for Synthesis: We illustrate the applicability of our logic for two classes of synthesis problems.

The first class involves synthesizing recursive programs that work over inductive data-structures. Given the precise pre/post condition for the program to be synthesized, we show how to model recursive program synthesis by synthesizing only a straight-line program (by having the output of recursive calls provided as inputs to the straightline program). We then show how the correctness condition of the recursive program can be modeled using a (universally quantified) verification condition that can be validated using first-order logic over a theory that combines uninterpreted functions and (Presburger) arithmetic using a technique in the literature called natural proofs [9, 20, 17]. We then show that synthesis of bounded-sized programs (with possibly integers in the program that are unbounded) can be modeled in our logic. In this modeling, the universal quantification over functions plays a crucial role in modeling the pointers in heaps, and modeling uninterpreted predicates that capture inductive data-structure predicates (such as list, lseg, etc.). We illustrate the above class of examples by showing a modeling of synthesis of a recursive program that searches for a key in a singly linked list.

The second class of synthesis involves taking a recursive definition of a function, and synthesizing a non-recursive (and iteration free) function equivalent to it. In our modeling, the existential quantification over the foreground sort as well as the background sort of integers is utilized, as the synthesized function involves integers. We show that we can synthesize a closed-form non-recursive function equivalent to generalizations of the recursively defined McCarthy’s 91 function.

The crux of our contribution, therefore, is providing a decidable logic that can express synthesis problems succinctly. We believe such a logic is very useful for researchers working on practical applications of program/expression synthesis. Implementing the decision procedure effectively can be then engineered efficiently by researchers working on logic engines.

## 2 Motivating Esmt for synthesis applications

Program synthesis problems can be conveniently encode in ESMT, which we define formally in Section 3. ESMT allows existential and universal quantification over variables, relations and functions over many-sorted signatures (with some restrictions on the types of existentially quantified relations and functions, in order to ensure decidability). Sentences in ESMT have an initial block of existential quantifiers (-Block), followed by universal quantifiers (-Block):

 ϕ=(∃x)(∃\mathbfcalR)(∃F)∃-Block(∀y)(∀\mathbfcalP)(∀G)∀-Blockψ (1)

In Section 4, we show that if the constituent background theories admit decision procedures for satisfiability of their respective fragments, then so does the fragment ESMT. Examples of such background theories include Presburger arithmetic, linear arithmetic of rationals, and the theory of real closed fields.

In program synthesis, the goal is to search for programs of bounded size, which satisfy a given specification. The -Block in Equation 1 can be used to express the search for such programs, in terms of existential quantification. If the specification of a candidate program can be expressed as a universally quantified formula, then, we can encode it in the -Block in Equation 1.

One of the salient features of the fragment ESMT is the ability to quantify over functions and relations. Often, specifications for programs, such as those that manipulate heaps, involve a universal quantification over uninterpreted functions. ESMT aptly provides this functionality, while still remaining within the boundaries of decidability.

Let us now throw some light on the many-sorted aspect of ESMT. This aspect is particularly useful in synthesis of programs that manipulate objects with a wide variety of types (such as integers, arrays, lists, strings, sets, heaps, etc.,). Our logic ESMT allows existential quantification over variables of many different sorts, thus allowing for synthesis of a richer class of programs. We believe this and other unique aspects of ESMT will be useful in modeling synthesis of more general models of computation such as reactive and hybrid systems.

We now proceed to give a concrete example of a synthesis problem which will demonstrate the usability of ESMT. Below is the specification of a function , which is a slight variant of the classical McCarthy’s function[14].

 Mthree(n)={n−30 if n>13Mthree(Mthree(Mthree(n+61))) % otherwise

We are interested in synthesizing a straight line program that implements , and can be expressed as a term over the grammar in Fig 1.

Expressions over the above grammar are trees. Let us fix the maximum height of the tree we are looking for, say to be 2. Also, any node in this tree can have at most 3 children (because the maximum arity of any function in the grammar is , corresponding to ite). A skeleton of such a expression tree is show in Fig 2. Every node in the tree is labeled according to its path from the root node.

The synthesis problem can then be encoded as formula in ESMT

 ϕMthree= (∃c1,c2,c3:N)(∃\small ADD% ,\small ITE,\small LT,\small EQ,\small GT,\small INPUT,\small CONST1,\small CONST2,\small CONST3) ∃op0,op00,op01,…op022(φdistinct∧φop∧φspec)

The symbols ADD (addition), ITE (), LT (), EQ (), GT (), INPUT () and (, with ), represent the allowed operations in our programs. By existentially quantifying over variables of sort , we allow our program to have numeric constants, The variables represent the choice of operator at node labeled .

The formula constrains the interpretations for to be pairwise different:

 φdistinct=¬(\small ADD=% \small ITE)∧¬(\small ADD=\small LT)∧⋯∧¬(\small CONST3=\small CONST2)

and imposes the constraint that all the operators on internal nodes are one of , and those on leaf nodes are one of the -arity symbols:

 φop= ⋀ρ(opρ=\small ADD∨opρ=\small ITE∨⋯∨opρ=\small CONST3)

The constraint encodes the specification of the program, which in this case is the definition of the function . universally quantifies over the values returned by the operators , and the value at will be required to satisfy .

For the purpose of evaluating the effectiveness of our logic, we encoded the above ESMT formula in the z3 SMT solver, which synthesized the following expression.

 f(n)=ite(n>13,n−30,−16)

Indeed the above function satisfies the specification of the function , thus implying the effectiveness of our approach. In Section 6, we show that we can synthesize a large class of such programs amongst others.

## 3 Many-sorted Second Order Logic and the Esmt Fragment

We briefly recall the syntax and semantics of general many-sorted second order logic, and then present the ESMT fragment of second order logic.

### Many-sorted second-order logic

A many-sorted signature is a tuple where, is a nonempty finite set of sorts, , , , , are, respectively, sets of function symbols, relation symbols, first order variables, function variables and relation variables. Each variables is associated with a type, which is one of the sorts , represented as . Each function symbol or function variable also has an associated type , and each relation symbol and relation variable has a type . We assume that the set of symbols in and are either finite or countably infinite, and that , , and are all countably infinite. Constants are modeled using -ary functions. We say that is unsorted if is a singleton sort.

Terms over a many-sorted signature have an associated sort and are inductively defined by the grammar

 t::σ:=x:σ|f(t1:σ1,t2:σ2,…,tm:σm)|F(t1:σ1,t2:σ2,…,tn:σn)

where , and .

Formulae over are inductively defined as

 ϕ::= ⊥|ϕ⇒ϕ|t:σ=t′:σ|R(t1:σ1,t2:σ2,…,tm:σm)| R(t1:σ1,t2:σ2,…,tn:σn)|(∃x:σ)ϕ|(∃F:w,σ)ϕ|(∃R′:w)ϕ

where , are relation variables, is a function variable, of appropriate types. Note that equality is allowed only for terms of same sort. A formula is said to be first-order if it does not use any function or relation variables.

The semantics of many sorted logics are described using many-sorted structures. A -structure is a tuple where is a collection of pairwise disjoint indexed universes, and is an interpretation function that maps each each variable to an element in the universe , each function symbol and each function variable to a function of the appropriate type on the underlying universe. Similarly, relation symbols and relation variables are also assigned relations of the appropriate type on the underlying universe. For an interpretation , as is standard, we use to denote the interpretation that maps to , and is otherwise identical to . For function variable and relation variable , and are defined analogously.

Interpretation of terms in a model is the usual one obtained by interpreting variables, functions, and function variables using their underlying interpretation in the model; we skip the details. The satisfaction relation is also defined in the usual sense, and we will skip the details

A first-order theory is a tuple , where is a set of (possibly infinite) first-order sentences. Theory is complete if every sentence or its negation is entailed by , i.e., either every model satisfying satisfies , or every model satisfying satisfies . A theory is consistent if it is not the case that there is a sentence such that both and are entailed.

### The logic Esmt

We now describe ESMT, the fragment of many-sorted second order logic that we prove decidable in this paper and that we show can model synthesis problems.

Let be a many sorted signature. is a pure signature if (a) the type of every function symbol and every relation symbol is over a single sort (however, function variables and relation variables are allowed to mix sorts), (b) there is a special sort (which we call the foreground sort, while other sorts are called background sorts) and there are no function or relation symbols involving .

The fragment ESMT is the set of sentences defined over a pure signature , with foreground sort and background sorts , by the following grammar

 ϕ:=∃(x:σ)ϕ|(∃R:w)ϕ|(∃F:w,σi)ϕ|φ

where, , , , and is defined by the grammar

 φ:=∀(y:σ)φ|(∀R:w′)φ|(∀F:w′,σ)φ|ψ

where, , , and is quantifier free over .

The formulas above consist of an existential quantification block followed by a universal quantification block. The existential block can have first-order variables of any sort, relation variables that are over the foreground sort only, and function variables that map tuples of the foreground sort to a background sort. The inner universal block allows all forms of quantification — first-order variables, function variables, and relation variables of all possible types. The inner formula is quantifier-free. We will retrict our attention to sentences in this logic, i.e., we will assume that all variables (first-order/function/relation) are quantified. We will denote by (resp. ), the set of existentially (resp. universally) quantified first order variables of sort , for every .

### The problem

The problem we consider is that of deciding satisfiability of ESMT with background theories for the background sorts. First we introduce some concepts.

An uninterpreted combination of theories (UCT) over a pure signature with sorts is the union of theories , where each is a theory over signature . A sentence is -satisfiable if there is a multi-sorted structure that satisfies and all the sentences in .

The satisfiability problem for ESMT with background theories is the following. Given a UCT and a sentence , determine if is -satisfiable. We show that this is a decidable problem, and furthermore, there is a decision procedure that uses a finite number of black-box calls to satisfiability solvers of the underlying theories to check satisfiability of ESMT sentences.

For the rest of this paper, for technical convenience, we will assume that the boolean theory is one of the background theories. This means and the constants . The set of sentences in is . Note that checking satisfiability of a sentence over is decidable.

## 4 The Decision Procedure for Esmt

In this section we present our decidability result for sentences over ESMT in presence of background theories. Let us first state the main result of this paper.

###### Theorem 4.1

Let be a pure signature with foreground sort and background sorts . Let be a UCT such that, for each , checking -satisfiability of first-order sentences is decidable. Then the problem of checking -satisfiability of ESMT sentences is decidable.∎

We will prove the above theorem by showing that any given ESMT sentence over a UCT signature can be transformed, using a sequence of three steps of satisfiability preserving transformations, and finally to the satisfiability of first-order formulae over the individual theories.

We give a brief overview of the sequence of transformations (Steps through ). In Step 1, we replace the occurrence of every relation variable (quantified universally or existentially) of sort by a function variable of sort . Note that doing this for the outer existentially quantified relation variables keeps us within the syntactic fragment.

In Step 2, we eliminate function variables that are existentially quantified. This crucially relies on the small model property for the foreground universe, similar to EPR. This process however adds both existential first-order variables and universally quantified function variables.

In Step 3, we eliminate the universally quantified function variables using a standard Ackermann reduction [19], which adds more universally quantified first-order variables.

The above steps result in a first-order sentence over the combined background theories, and the empty theory for the foreground sort. In Step 4, we show that the satisfiability of such a formula can be reduced to a finite number of satisfiability queries of sentences over individual theories. Since

### Step 1 : Eliminating relation variables

The idea is here to introduce, for every relational variable , a function variable that corresponds to the characteristic function of .

Let be ESMT formula over . We will transform to a ESMT formula over the same signature . Every occurrence of an atom of the form in , is replaced by in . Further, every quantification is replaced by , where . The correctness of the above transformation is captured by the following lemma.

###### Lemma 1

is -satisfiable iff is -satisfiable.

### Step 2: Eliminating existentially quantified function variables

We first note a small-model property with respect to the foreground sort for ESMT sentences. This property crucially relies on the fact that existentially quantified function variables do not have their ranges over the foreground sort.

###### Lemma 2 (Small-model property for σ0)

Let be a ESMT sentence with foreground sort and background sorts . Let be the number of existentially quantified variables of sort in . Then, is -satisfiable iff there is a structure , with at most elements in , such that and .

In fact, the proof sketch shows that if there is a model, then there is a model where the foreground universe contains only elements that are interpretations of the first-order variables over the foreground sort (and hence bounded). Consequently, instead of existentially quantifying over a function (of arity ) from the foreground sort to some background sort , we can instead quantify over first-order variables of sort that capture the image of these functions for each -ary combination of .

Let be the ESMT sentence over , with no occurrence of relation variables . Let be the quantifier free part (or matrix) of .

Now, define

 ˜ψ=ψrestrict∧ψStep-1, % where, ψrestrict=⋀y∈y0(⋁x∈x0y=x).

Let the sentence obtained by replacing the matrix in , by . Then, the correctness of this transformation is noted below.

###### Lemma 3

is -satisfiable iff is -satisfiable.

We now eliminate the existentially quantified function variables in , one by one. Let , where is a background sort. For every -tuple over the set , we introduce the variable of sort . Let be the set of all such variables, where is the number of existential first order variables of sort in . Next, we introduce a fresh function variable of sort , and quantify it universally. will be used to emulate the .

Now we define

and is obtained by replacing all occurrences of in by .

Now define to be the sentence

 ϕStep-2=(∃xF:σ)∃∗∀∗(∀GF:σm0,σ)ψStep-2.

The following lemma states the correctness guarantee of this transformation.

###### Lemma 4

is -satisfiable iff is -satisfiable.

### Step 3 : Eliminating universal function variables

The recipe here is to perform Ackermann reduction [2]. For every universally quantified function variable of arity , we will introduce a fresh variable of its range sort for every occurrence of term in . We will then augment the quantifier free part with a formula that ensures consistency of this transformation. Let , where is the quantifier free part of , and let .

For every term of the form in , we introduce a fresh first order variable of sort , and replace every occurrence of the term in with , to get . Let be the collection of all these newly introduced variables.

Let us now define , where

 ψack=⋀yFt,yFt′∈yF(m⋀j=1t[j]=t′[j])⟹(yFt=yFt′)

Then, the transformed formula is correct in the following sense.

###### Lemma 5

is -satisfiable iff is -satisfiable.

### Step-4: Decomposition and black box calls to ∃∗∀∗ Theory solvers

The ESMT sentence obtained after the sequence of steps 1 through 3 is a first order sentence over . This sentence, however, may possibly contain occurrences of variables of the foreground sort . The objective of this step is, roughly, to decompose into sentences over a single sort alone, and then use decision procedures for the respective theories to decide satisfiability of the decomposed (single sorted) sentences. Since such a decomposition can result into sentences over the foreground sort, we must ensure that there is indeed a decision procedure to achieve this. For this purpose, let us define be the empty theory (that is ). Checking satisfiability of sentences over is decidable. Also, satisfiability is preserved in the presence of in the following sense.

###### Lemma 6

is -satisfiable iff is -satisfiable.

We first transform the quantifier free part of into an equivalent CNF formula , let be obtained by replacing by . Let be a conjunction of clauses , . That is,

 ϕCNF=∃∗∀∗ψCNF, where, ψCNF=r⋀j=1ψi

where is a disjunction of atoms.

Since is a first order formula over a pure signature, all atoms are either of the form or (with a possibly leading negation). Now, equality atoms are restricted to terms of the same sort. Also since is pure, the argument terms of all relation applications have the same sort. This means, for every atom , there is a unique associated sort , which we will denote by .

For a clause in , let be the set of atoms in . Let , and let . Then, we have the identity . We now state our decomposition lemma.

###### Lemma 7

is -satisfiable iff there is a mapping such that for each , the formula is -satisfiable.

The contract above identifies for each clause the atomic constraint that makes the clause true. Thus, in order to decide satisfiability of , a straightforward decision procedure involves enumerating all contracts, . For such contract and for each sort , we construct the sentence , and make a black-box call to the theory solver for . If there is a contract for which each of these calls return ‘SATISFIABLE’, then (and thus, the original formula ) is satisfiable. Otherwise, is unsatisfiable.

## 5 Undecidability Results

The logic that we have defined was carefully chosen to avoid undecidability of the satisfiability problem. We now show that natural generalizations or removal of restrictions in our logic renders the satisfiability problem undecidable. We believe our results are hence not simple to generalize any further.

One restriction that we have is that the functions that are existentially quantified cannot have as their range sort. A related restriction is that the universal quantification block quantify all uninterpreted function symbols, as otherwise they must be existentially quantified on the outside block.

Let us now consider the fragment of logic where formulas are of the form where in fact we do not even have any background theory. Since the formula is over a single sort, we have droped the sort annotations on the variables. It is not hard to see that this logic is undecidable.

###### Theorem 5.1

Consider signature with a single sort (and no background sorts). The satisfiability problem for sentences of the following form is undecidable.

 (∃x0)(∃F)(∀y0)ψ

The theorem above has a simple proof, but the theorem is not new; in fact, even more restrictive logics are known to be undecidable (see [6]).

Another important restriction that we have is that the foreground sort and the various background sorts are pariwise disjoint. This requirement is also not negotiable if decidability is desired, as it is easy to show the following

###### Theorem 5.2

Consider a signature with a single sort and let be the theory of Presburger arithmetic. The satisfiability problem for sentences of the form

 (∃x1)(∃R)(∀y1)ψ

is undecidable 111Once again we have dropped sort annotations, since we only have single sort..

Stepping further back, there are very few subclasses of first-order logic with equality that have a decidable satisfiability problem, and the only standard class that admits prefixes is the Bernays-Schönfinkel-Ramsey class (see [4]). Our results can be seen as an extension of this class with background theories, where the background theories admit locally a decidable satisfiability problem for the fragment.

## 6 Applications to Synthesis

### Synthesis: Validity or Satisfiability?

Though we argued in Section 2 that synthesis problems can be modeled using satisfiability of ESMT sentences, there is one subtlety that we would like to highlight. In synthesis problems, we are asked to find an expression such that the expression satisfies a specification expressed in logic. Assuming the specification is modeled as a universally quantified formula over background theories, we would like to know if holds for the synthesized expression . However, in a logical setting, we have to qualify what “holds” means; the most natural way of phrasing this is that is valid over the underlying background theories, i.e., holds in all models that satisfy the background theories. However, the existential block that models the existence of an expression is clearly best seen as a satisfiability problem, as it asks whether there is some foreground model that captures an expression. Requiring that it holds in all foreground models (including those that might have only one element) would be unreasonable.

To summarize, the synthesis problem is most naturally modeled as a logical problem where we ask whether there is some foreground model such that for all background models that satisfy their respective background theories, the inner formula expressing that the synthesized expression captured by the foreground model satisfies the specification. This is, strictly speaking, neither a satisfiability problem nor a validity problem!

We resolve this by considering only complete and consistent background theories. Hence validity of a formula under a background theory is equivalent to -satisfiability. Consequently, synthesis problems using such theories can be seen as asking whether there is a foreground universe modeling the expression to be synthesized and some background models where the specification holds for the expression. We can hence model synthesis as purely a satisfiability problem of ESMT, as described in Section 2.

Many of the background theories used in verification/synthesis and SMT solvers are complete theories (like Presburger arithmetic, FOL over reals, etc.). One incomplete theory often used in verification is the theory of uninterpreted functions. However, in this case, notice that since the functions over this sort are uninterpreted, validity of formulas can be modeled using a universal quantification over functions, which our logic supports! The only other adjustment is to ensure that this background theory has only infinite models (we can choose this background theory to be the theory of , which has a decidable satisfiability problem). In various scenarios such as modeling pointers in heaps, arrays, etc., the formulation of them using uninterpreted functions can be done over this domain naturally.

The second issue in modeling synthesis problems as satisfiability problems for ESMT is that in synthesis, we need to construct the expression, rather than just know one exists. It is easy to see that if the individual background theory solvers support finding concrete values for the existentially quantified variables, then we can pull back these values back across our reductions to give the values of the existentially quantified first-order variables (over all sorts), the existentially quantified function variables as well as the existentially quantified relation variables, from which the expression to be synthesized can be constructed.

### Expressing synthesis problems in Esmt

We illustrate the applicability of our result for solving synthesis problems.

Modeling synthesis of recursive heap-manipulating problems. We want to model the problem of synthesizing recursive programs manipulating data-structures, given their pre/post contract . We seek a program that will meet the contract only assuming that recursive calls on smaller data-structures satisfy the same contract . Though the programs we seek are recursive, we can model certain classes of programs using simply straight-line programs.

Let us take the example of synthesizing a program that finds a particular key in a linked list. We can instead ask whether there is a straight-line program which takes an additional input which models the return value of a possible recursive call made on the tail of the list. The straight-line program must then work on the head of the list and this additional input (which is assumed to satisfy the contract ) to produce an output that meets the same contract .

For this problem, we modeled the program to be synthesized using existential quantification (over a grammar that generates bounded length programs) as described in Section 2. The pointer next and recursive data structures list, lseg in the verification condition were modeled using universal quantification over function variables and relation variables, respectively. Moreover, in order to have a tractable verification condition, we used the technique of natural proofs [9, 17, 20] that soundly formulates the condition in a decidable theory. , Though we do not have an implementation of our decision procedure, we did several of our steps manually, and finally encoded the problem in the SyGuS format [3] and used an off-the-shelf enumerative counter-example guided synthesis (CEGIS) solver. This tool solved the problem within a second and reported a solution which manually verified to be correct.

We are convinced that recursive program synthesis (of bounded size) against separation logics specifications expressed using natural proofs (as in [17]) can be all handled using our logic.

Modeling synthesis of straight-line programs equivalent to given recursive programs. In the second class of examples, we turn to synthesizing straight-line programs given a recursive function as their specification. For example, consider Knuth’s generalization of the recursive McCarthy 91 function:

 M(n)={n−bif n>aMc(n+d))otherwise

for every integer , and where . The usual McCarthy function has , , , and .

Consider the problem of synthesizing an equivalent recursion-free expression. The programs we consider may have if-then-else statements of nesting depth 2, with conditionals over linear expressions having unbounded constants. Existential quantification over the background arithmetic sort allowed us to model synthesizing these unbounded constants. Our specification demanded that the value of the expression for satisfy the recursive equations given above.

Though we do not have an implementation of our logic engine, we modeled the foreground model inside arithmetic, and converted our synthesis problem to a first-order sentence over Presburger arithmetic and Booleans. We experimented with several values for (with ), and interestingly, solutions were synthesized only when . Given Knuth’s result that a closed form expression involves taking remainder modulo this expression (and since we did not have taking remainder in our syntax), it turns out that simple expressions do not exist otherwise. Also, whenever the solution was found, it matched the recursion-free expression given by Knuth (see Theorem 1 in [12]). For instance, when , , , , we found the solution in about 25s. We also verified for the following values of (, , , ): , , , , and , which took , , , , and , respectively, to solve. All the solutions agreed with Knuth’s closed form solution.

We also modeled the Tak function (by Takeuchi) given by the specification

 t(x,y,z)={yif x≤yt(t(x−1,y,z),t(y−1,z,x),t(z−1,x,y))otherwise

We again modeled asking for a recursion-free expression for this function using a grammar generating finitely many programs, and we got the solution in 100s.

## 7 Related Work

There are several logics known in the literature that can express synthesis problems and are decidable. The foremost example is the monadic second-order theory over trees, which can express Church’s synthesis problem [7] and other reactive synthesis problems over finite data domains, and its decidability (Rabin’s theorem [21])is one of the most celebrated theorems in logic that is applicable to computer science. Reactive synthesis has been well studied and applied in computer science (see, for example, [5]) The work reported in [13] is a tad closer to program synthesis as done today, as it synthesizes syntactically restricted programs with recursion that work on finite domains.

Caulfield et al [8] have considered the decidability of syntax-guided synthesis (SyGuS) problems, where the synthesized expressions are constrained to belong to a grammar (with operators that have the usual semantics axiomatized by a standard theory such as arithmetic) that satisfy a universally quantified constraint. They show that the problem is undecidable in many cases, but identify a class that asks for expressions satisfying a regular grammar with uninterpreted function theory constraints to be decidable.

The fragment of pure predicate logic (without function symbols) was shown to be decidable by Bernays and Schönfinkel (without equality) and by Ramsey (with equality) [4], and is often called Effectively Propositional Reasoning (EPR) class. It is one of the few fragments of first-order logic known to be decidable. The EPR class has been used in program verification [11, 16], and efficient SMT solvers supporting EPR have been developed [18].

The work by [1] extends EPR to stratified typed logics, which has some similarity with our restriction that the universes of the foreground and background be disjoint. However, the logic therein does not allow background SMT theories unlike ours. In [10], EPR with simple liner arithmetic (without addition) is shown to be decidable.

A recent paper [9] develops sound and complete reasoning for a so-called safe FO fragment of an uninterpreted combination of theories. However, the logic is undecidable, in general, and also does not support second-order quantification.

The SyGuS format has recently been proposed as a language to express syntax guided synthesis problems, and there have been several synthesis engines developed for various tracks of SyGuS [3]. However, the syntax typically allows unbounded programs, and hence the synthesis problem is not decidable. Furthermore, unlike our logic, the grammar does not allow arbitrarily large constants (like integers) to be synthesized as part of the program.

## 8 Conclusions and Future Work

The logic ESMTdefined herein is meant to be a decidable logic for communication between researchers modeling program synthesis problems and researchers developing efficient logic solvers. Such liaisons have been extremely fruitful in verification, where SMT solvers have served this purpose. We have shown the logic to be decidable and its efficacy in modeling synthesis problems. However, the decision procedure has several costs that should not be paid up front in any practical synthesis tool. Ways to curb such costs are known in the literature of building efficient synthesis tools. In particular, searching for foreground models is similar to EPR where efficient engines have been developed [18], and the search can also be guided by counter-example as in the CEGIS approaches [3]. And the exponential blow-up caused by guessing contracts between solvers (in Step 4 of our procedure) is similar to arrangements agreed upon by theories combined using the Nelson-Oppen method, again for which efficient solvers have been developed. Our hope is that researchers working on logic engines will engineer an efficient decision procedure for ESMTthat can solve synthesis problems.

## References

• [1] Abadi, A., Rabinovich, A., Sagiv, M.: Decidable fragments of many-sorted logic. J. Symb. Comput. (2010)
• [2] Ackermann, W., Ackermann, F.W.: Solvable cases of the decision problem (1954)
• [3] ALUR, R., BODIK, R., DALLAL, E., FISMAN, D., GARG, P., JUNIWAL, G., KRESS-GAZIT, H., MADHUSUDAN, P., MARTIN, M.M., RAGHOTHAMAN, M., et al.: Syntax-guided synthesis
• [4] Bernays, P., Schönfinkel, M.: Zum entscheidungsproblem der mathematischen logik. Mathematische Annalen (1928)
• [5] Bloem, R., Galler, S., Jobstmann, B., Piterman, N., Pnueli, A., Weiglhofer, M.: Interactive presentation: Automatic hardware synthesis from specifications: A case study. In: Proceedings of the Conference on Design, Automation and Test in Europe. DATE ’07 (2007)
• [6] Börger, E., Grädel, E., Gurevich, Y.: The classical decision problem. Springer Science & Business Media (2001)
• [7] Buchi, J.R., Landweber, L.H.: Solving sequential conditions by finite-state strategies. Transactions of the American Mathematical Society (1969)
• [8] Caulfield, B., Rabe, M.N., Seshia, S.A., Tripakis, S.: What’s decidable about syntax-guided synthesis? (2015)
• [9] Christof Loding, P. Madhusudan, L.P.: Foundations for Natural Proofs and Quantifier Instantiation. Tech. rep. (2017), http://madhu.cs.illinois.edu/FoundationsForNaturalProofs.pdf
• [10] Horbach, M., Voigt, M., Weidenbach, C.: On the Combination of the Bernays–Schönfinkel–Ramsey Fragment with Simple Linear Integer Arithmetic (2017)
• [11] Itzhaky, S., Banerjee, A., Immerman, N., Nanevski, A., Sagiv, M.: Effectively-propositional reasoning about reachability in linked data structures. In: International Conference on Computer Aided Verification (2013)
• [12] Knuth, D.E.: Textbook examples of recursion. Artificial Intelligence and Mathematical Theory of Computation: Papers in Honor of John McCarthy (1991)
• [13] Madhusudan, P.: Synthesizing Reactive Programs. In: Computer Science Logic (CSL’11) - 25th International Workshop/20th Annual Conference of the EACSL (2011)
• [14] Manna, Z., McCarthy, J.: Properties of programs and partial function logic. Tech. rep., STANFORD UNIV CALIF DEPT OF COMPUTER SCIENCE (1969)
• [15] Nelson, G., Oppen, D.C.: Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems (TOPLAS) 1(2), 245–257 (1979)
• [16] Padon, O., McMillan, K.L., Panda, A., Sagiv, M., Shoham, S.: Ivy: safety verification by interactive generalization. ACM SIGPLAN Notices (2016)
• [17] Pek, E., Qiu, X., Madhusudan, P.: Natural proofs for data structure manipulation in c using separation logic. In: ACM SIGPLAN Notices (2014)
• [18] Piskac, R., de Moura, L., Bjørner, N.: Deciding effectively propositional logic with equality. Tech. rep., Technical Report MSR-TR-2008-181, Microsoft Research (2008)
• [19] Pnueli, A., Rodeh, Y., Strichman, O., Siegel, M.: The small model property: How small can it be? Information and computation (2002)
• [20] Qiu, X., Garg, P., Ştefănescu, A., Madhusudan, P.: Natural proofs for structure, data, and separation. ACM SIGPLAN Notices (2013)
• [21] Rabin, M.O.: Decidability of second-order theories and automata on infinite trees. Transactions of the american Mathematical Society (1969)

## Appendix 0.A Proofs from Section 4

### 0.a.1 Proof of Lemma 2

###### Proof (Sketch)

We present the more interesting direction here. Consider a model such that and .

Let be the interpretation function that extends so that , where is the inner universally quantified subformula of . Let . be the restriction of the foreground universe to the interpretations of the variables . Clearly, .

Let us first show that .

For this, first see that for every extension of , we must have have

 (U,I∃∀)⊨ψ. (2)

Here is the quantifier free part of (and thus also of ).

Now, clearly Equation 2 must also hold for those extensions which map all universal variables in to the set and maps all universally quantified function variables of range sort to function interpretations whose ranges are limited to the set .

Thus, it must also be the case that when we restrict the universe to the set , we have that . This is because every universal extension of is also a projection of one of these interpretations.

### 0.a.2 Proof of Lemma 7

###### Proof (Sketch)

Let us consider the equi-satisfiable Skolem norm form , where is obtained from by replacing all existential variables by Skolem constants. The propositional (or boolean) structure of , , and we will use the same notation for the clause of . Then, consider a structure such that and . Now, suppose, on the contrary, that there is a clause such that for every sort , we have . This means, for every sort , there is a interpretation (that extends with valuations of ), such that either leads to falsity of or the clause . Let be the values assigned to the universal variables in . Then, construct an interpretation extending with the variables interpreted with ’s . This interpretation can be shown to either violate one of the theory axioms or the formula . In any case, we have a contradiction.

## Appendix 0.B Proofs from Section 5

### 0.b.1 Proof of Lemma 5.1

###### Proof (Sketch)

We can show this as a mild modification of standard proofs of the undecidability of first-order logic. We can existentially quantify over a variable and a function succ, demand that for any element , is not , and for every , if , then . This establishes an infinite model with distinct elements , for every . We can then proceed to encode the problem of non-halting of a 2-counter machine using a relation , which stands for the 2CM is in state at time with counters and , respectively. It is easy to see that all this can be done using only universal quantification (the relation can be modeled as a function easily).

### 0.b.2 Proof of Lemma 5.2

###### Proof (Sketch)

We can use a similar proof as the theorem above, except now that we use the successor function available in Presburger arithmetic. We can again reduce non-halting of Turing machines (or 2-counter machines) to satisfiability of such formulas.

You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters