Quasi-decidability of a Fragment of theFirst-order Theory of Real NumbersThis is an extended and revised version of a paper that appeared in the proceedings of the 36th International Symposium on Mathematical Foundations of Computer Science [18]. The work of Stefan Ratschan and Peter Franek was supported by MŠMT project number OC10048 and the Czech Science Foundation (GACR) grants number P202/12/J060 and 15-14484S with institutional support RVO:67985807.

Quasi-decidability of a Fragment of the First-order Theory of Real Numbers1

Abstract

In this paper we consider a fragment of the first-order theory of the real numbers that includes systems of equations in variables, and for which all functions are computable in the sense that it is possible to compute arbitrarily close interval approximations. Even though this fragment is undecidable, we prove that—under the additional assumption of bounded domains—there is a (possibly non-terminating) algorithm for checking satisfiability such that (1) whenever it terminates, it computes a correct answer, and (2) it always terminates when the input is robust. A formula is robust, if its satisfiability does not change under small continuous perturbations. We also prove that it is not possible to generalize this result to the full first-order language—removing the restriction on the number of equations versus number of variables. As a basic tool for our algorithm we use the notion of degree from the field of topology.

1 Introduction

It is well known that, while the theory of real numbers with addition and multiplication is decidable [42], any periodic function makes the problem undecidable, since it allows encoding of the integers. The root existence problem for uni-variate functions defined by addition, multiplication, the sine function and the constant is also undecidable [43]. This even holds if we consider only functions on bounded domains, because an algorithm deciding it could be used to compute a fixed point of a continuous function from a ball to itself which is known to be non-computable for some computable functions [4, 33].

Recently, several papers [19, 35, 37, 13] have argued, that in continuous domains (where we have notions of neighborhood, perturbation etc.) such undecidability results do not always have much practical relevance. The reason is, that real-world manifestations of abstract mathematical objects in such domains will always be exposed to perturbations (imprecision of production, engineering approximations, unpredictable influences of the environment etc.). Engineers take these perturbations into account by coming up with robust designs, that is, designs that do not change essentially under such perturbations. Hence, in this context, it is sufficient to come up with algorithms that are able to decide such robust problem instances. They are allowed to run forever in non-robust cases, but must not return incorrect results, in whatever case. In a recent paper we called problems possessing such an algorithm quasi-decidable [38].

The main contribution of this paper can be summarized as follows:

  • We show quasi-decidability of a certain fragment of the first-order theory of the reals (Theorem 1). The basic building blocks are existentially quantified disjunctions of systems of equalities over at most variables and arbitrarily many inequalities. Those blocks may be combined using universal quantifiers, conjunctions, and disjunctions. All variables are assumed to range over closed and bounded intervals.

  • We show that the result cannot be extended to the full first-order language. More specifically, in the basic building blocks (systems of equalities and inequalities) it is impossible to remove the restriction that the number of variables has to be at most the number of equalities (Theorem 2). Still, while we show that this restriction cannot be removed completely, this leaves open the possibility to replace the restriction by a weaker constraint on the number of variables and equations.

The allowed function symbols include addition, multiplication, exponentiation, and sine. More specifically, they have to be continuous, and for compact intervals , we need to be able to compute an interval such that the over-approximation of over can be made arbitrarily small.

The main tool we use is the notion of the degree of a continuous function that comes from differential topology. For continuous functions , the degree is iff and have the same sign, otherwise the degree is either or , depending on whether the sign changes from negative to positive or the other way round. If is continuous and the degree is nonzero, then the equation has a solution by the intermediate value theorem. For higher dimensional functions, the degree is a computable [1, 17] integer whose value may be greater than , and a nonzero degree still indicates the existence of a root of . The converse is not true and the existence of a root does not imply nonzero degree in general. We show how, for robustly satisfiable formulas built up from certain blocks of equations in variables, to make the degree test eventually succeed, while at the same time handling inequalities and logical symbols.

The proof of our second contribution—the class of equations and inequalities with no relation between the number of equations and variables is not quasi-decidable—is based on a reduction from a recent undecidability result [16] for a related robust satisfiability problem, cited in Theorem 10.

Even though this work applies results from a quite distant field—topology—to automated reasoning, the paper is largely self-contained. Usage of results from topology that are not explicitly delineated in this paper is concentrated exclusively in Section 6.

The content of the paper is as follows: In Section 2, we define the notions of robustness and quasi-decidability, and state the two main theorems of the paper. In Section 3, we provide the quasi-decision procedure whose existence is claimed by the first main theorem. In Section 4, we present the notion of topological degree and describe its main properties. In Section 5, we show that the quasi-decision procedure always returns a correct result. In Section 6 we show some non-algorithmic properties of the degree that will be the essential for showing termination for robust inputs in Section 7. In Section 8 we prove the second main theorem. In Section 9 we discuss related work. Finally, in Section 10, we conclude the paper.

2 Statement of the Results

We will start this section with informal discussion of a motivating example. Consider the first-order predicate logic formula

with the usual interpretation over the real numbers. This formula is true, and remains true, even if it is perturbed a little bit. On the other hand, the formula

is also true, but does not remain true when perturbing it, for example by increasing the right-most number a little bit. We will later call formulas of the first type robust, and formulas of the second type non-robust. Our first theorem will state that, for a certain class of formulas over the reals that includes function symbols such as , there exists an algorithm (a ”quasi-decision procedure”) that decides whether a given formula is true, but that is only required to terminate for robust inputs while it may run forever for non-robust inputs.

In the rest of the section, after fixing notation, we define the class of functions that we consider (Definition 1). Then we will formalize the notion of perturbing predicate-logical formulas (Definition 2) which results in a precisely defined notion of a formula being robust (Definition 3). Finally, we state Theorem 1 that ensures the existence of such a quasi-decision procedure and the negative Theorem 2 that puts a limit on generalization of the approach.

We define a box in (or also -box) to be the Cartesian product of closed intervals of finite length (i.e., a hyper-rectangle). The width of a box is the maximum of the width of the constituting intervals of . For , will refer to its maximum norm and for a continuous function , we use the supremum norm . If for some , we say that is an -perturbation of in . If is clear from the context then we will simply write , or say that is an -perturbation of , without explicitly mentioning . For a set , is its closure, its interior and its boundary with respect to the Euclidean topology. We will call the closure of an open connected bounded set a closed region.

For defining the class of formulas, we will first fix the class of functions that we handle. Intuitively, we allow functions whose range can be arbitrarly closely approximated by boxes:

Definition 1

Let be a box with rational vertices. We say that a function is interval computable, iff there exists a corresponding algorithm that computes, for any box with rational vertices, an -box with rational vertices such that

  • , and

  • for every there is a such that for every box with , .

Each interval computable function is uniformly continuous. Moreover, a function , with a box with rational vertices, is interval computable iff it is computable in the sense of computable analysis [8] (for seeing this, note especially that a function that is computable in the sense of computable analysis has a computable modulus of continuity [27, Theorem 2.13]).

For common function symbols that can be written in terms of symbolic expressions containing symbols denoting rational constants, the constant , addition, multiplication, exponentiation, trigonometric functions and square root, the algorithm can be implemented from the expression by interval arithmetic [30, 29] with arbitrary precision interval endpoints.

In the rest of the paper, we assume that a set of function and predicate symbols is given, together with structure assigning to each function symbol an interval computable function and to each predicate symbol a corresponding relation over the real numbers. We assume that this symbol set contains at least all rational constants, addition, multiplication, and the predicate symbols and with their usual interpretation. Whenever we will write concrete function or predicate symbols, this structure will assign their standard meaning over the real numbers. From now on, we will restrict ourselves to formulas from the first-order language corresponding to the given symbol set.

We also assume that a map is given that assigns, to each function symbol , an algorithm satisfying the specification in Definition 1. This map is assumed to be algorithmic. Such assignment naturally extends to terms of the language via composition of interval functions: if is a term of the language, then the algorithm represents the corresponding function and satisfies both assumptions of Definition 1. In addition, we will assume that every variable ranges over a closed bounded interval introduced by a corresponding quantifier of the form or . Throughout the paper we will require those bounds to be small enough to avoid any function application outside of the domain of any interval computable function. In a similar way, whenever we introduce bounds on the free variables of a formula, we assume them to be small enough to avoid such function applications.

As usual, a sentence will refer to a formula without free variables. Now we formalize perturbations of formulas by defining some notion of distance on sentences.

Definition 2

Let be two sentences. We say that and have the same structure iff one can be obtained from the other by only exchanging terms (i.e., they have the same Boolean and quantification structure including bounds of quantified variables, and the same predicate symbols).

We define the distance on sentences as follows. If two sentences and do not have the same structure, then . In the case where they do have the same structure, assume that the sentence contains terms denoting functions and the sentence contains in the corresponding places terms denoting the functions . We define the distance

where denotes the respective domain of those functions, that is, the box defined by the quantification of all the variables.

For example, the sentences

and

have the same structure, because the only difference is in the terms involved. The distance , because—with —we have that , , and . As another example, the sentences and do not have the same structure, and hence their distance is .

Definition 3

Let be a sentence and . We say that is -robust iff for every sentence , implies that and have the same truth value. We say that the sentence is robust iff there is an such that is -robust. We say that a sentence is robustly true iff it is both robust and true. We say that a sentence is robustly false iff it is both robust and false.

Note that, since we restricted ourselves to formulas with function symbols denoting interval-computable functions, all functions involved in the above definitions are interval computable, hence uniformly continuous.

Also note that equivalence of two formulas does not necessarily imply the same robustness. For example, the formula is robust, but the formula is not, since both occurrences of the function can be perturbed independently.

Definition 4

A quasi-decision procedure for some class of formulas is an algorithm that takes as inputs a sentence from and an algorithm converting function symbols to algorithms . The algorithm computes the truth value of whenever is robust. If is non-robust, the algorithm may run forever but must not return an incorrect result.

If such a quasi-decision procedure exists for some class , then we say that is quasi-decidable.

Now we are ready to state our first result.

Theorem 1

The following class of formulas , defined recursively below, is quasi-decidable:

  1. contains all formulas of the form

    where are terms denoting interval-computable functions, is an -box (the expression denoting a block of existential quantifiers) with rational vertices and either or . The integer may be arbitrary and we also admit (i.e., the case without inequalities).

  2. Let be a closed bounded interval with rational endpoints. If is in , then

    is also in .

  3. If are in , then

    are also in .

The formulas corresponding to represent systems of equations and inequalities. However, we assume that there are no more existential quantifiers than equations in , corresponding to the condition .

The following sentence is an example of a formula in class :


         
                  .

The following sentence is an example of a sentence not in

because the domain of the particular function is a -dimensional box and there is only one equation, so the assumptions in are violated.

Throughout we will use the convention that logical connectives bind stronger than quantifiers. Moreover, we use brackets to denote Boolean structure of formulas. Sometimes we will use line breaks instead of brackets for this purpose. We will use the symbol to denote equality of first-order formulas.

If and are in the class , then is robust if and only if the formula is robust and they are equi-satisfiable. Hence a quasi-decision procedure for can handle disjunctions within existential quantification, too. In the following, however, we will restrict ourselves to the class .

The following theorem shows a limitation of possible extension of quasi-decidability of the class to the whole first-order theory removing the restriction on the number of equations versus number of variables:

Theorem 2

Assume that the our symbol set is rich enough to contain function symbols for all piecewise linear functions defined on rational triangulations of boxes with rational values in the vertices. Then there is no algorithm with the following specification:

  • Q is quasi-decision procedure for the class of sentences of the form

    where and and are arbitrary.

  • Q can access all functions , in the formula only via the oracle , resp. . That is, can call and arbitrary many times but has no access to the syntactical representation of and .

As will be seen from the proof in Section 8, the second condition in Theorem 2 may be replaced by the alternative condition:

  • Q does not terminate whenever the input is non-robust.

Whether or not the second condition in Theorem 2 can be omitted completely is—up to the best of our knowledge—an open problem.

3 The Quasi-decision Procedure

In this section, we construct an algorithm that decides, whether a robust sentence in is true. The algorithm serves purely for proving Theorem 1. We do not claim it to be practically efficient whatsoever and leave a practically efficient quasi-decision procedure for future work.

For any formula , variable and we denote by the formula derived from by substituting for in every free occurrence of in . We also allow to be an -tuple of variables, and , in which case denotes the parallel substitution of entries of with their corresponding entries of .

In our algorithms, we use an alternative form of the Cartesian product that concatenates tuples from the argument sets, instead of forming pairs. That is, for sets and it produces the set . Especially, for the set containing the -tuple, will be . The width of , viewed as a box, is zero by definition.

We construct an auxiliary algorithm with the following specification:

Input:
  • a formula from in free variables ,

  • an -box bounding the free variables of ,

  • ,

such that the width of is at most .

Output:

a nonempty subset of

with the following two properties:

Correctness:

If the algorithm returns (), then for all , is robustly true (robustly false).

Definiteness:

If for a given -box bounding the free variables of , either for all the sentence is robustly true or for all the sentence is robustly false, then there exists an such that for every and every sub-box with width smaller than , the algorithm returns or (as opposed to ).

CheckSat(S, P, r) terminates always, but may return the indefinite result . The existence of such an algorithm immediately implies Theorem 1, because then the algorithm below is a quasi-decision procedure for . {ntabbing}        ¯0.8cm ¯0.8cm ¯0.8cm ¯0.8cm ¯
loop\+
                                   
if then /̀/ is either or
return s.t.
else
Note that the specification of CheckSat does not only result in a quasi-decision procedure, but also checks robustness of the input.

We will now define the algorithm in detail. We will leave the proof that it fulfills the specification to Sections 5 (correctness) and 7 (definiteness). The algorithm is recursive, following the definition of class . We will now describe the parts corresponding to the individual cases of this definition.

3.1 System of Equations and Inequalities

We first consider the case of class , that is, a formula of the form

where is an -box. In an abuse of notation we also use and for the functions denoted by those terms. They are functions in with , where is the number of free variables of . We assume that the order of the arguments of those functions is the same as the order in which the respective variables are quantified in the overall formula. Finally, we denote by the function defined by the components and by the function defined by the components .

Disproving the formula is straight-forward using the information given by and . However, in order to ensure that the computed over-approximation is not too big, instead of working with and we work with elements of a partition of into small enough pieces, where “small enough” is determined by the parameter (Line 3.1 of the algorithm SoEI below). For this, we will call a set of boxes a grid covering iff and for every and , .

The core of the algorithm for proving the formula is a test whether a system of equations has a solution in a bounded region. The test analyzes the boundary of the region and exploits continuity to deduce existence of a zero in the interior.

In the one-dimensional case, a bounded region is simply a closed interval. If has opposite sign on the two end-points of the interval, the intermediate value theorem tells us, that has a solution in the interior. Here has to be non-zero on both interval endpoints (since is in general non-polynomial, we cannot verify that is zero on an interval endpoint, we can only exclude this). In general, we use the notion of the degree from the field of differential topology [28, 32]. For a continuous function where is a bounded open set and , the degree of with respect to and a point is an integer denoted by . If then the equation has a solution in . Since the degree is a non-trivial mathematical notion, we defer more details on the degree to Section 4 below.

For ensuring that the test eventually succeeds we have to make sure that encloses a robust zero closely enough (the notion “closely enough” will be made precise in Sections 6 and 7). So, also in this case, we work with the partition of , and we compute the degree of the individual pieces. However, for ensuring that is non-zero on the boundary of the pieces, we merge those pieces of the partition for which we cannot prove that (Line 3.1).

Checking the inequalities is straight-forward (Lines 3.1 to 3.1) using . In order to ensure that the used boxes are small enough, we undo the mergings before the check (Line 3.1) and apply to the individual boxes (Line 3.1).

The algorithm looks as follows:

Algorithm // System of equations and inequalities {ntabbing}       ¯0.6cm ¯0.6cm ¯0.6cm ¯0.6cm ¯Let be the -box for the domain of the quantified variables in .
Let be a grid of boxes covering s.t.
each grid element has width at most .
if for every box \+
either or then\+
return
/̀/ has no solution
if then\+
Merge all boxes in containing a common face s.t. .
Remove all grid elements in containing a face s.t. and .
Let be an arbitrary element of
for each grid element do\+
if
then /̀/ equations hold, so check inequalities \+
Let be a grid of boxes covering of width at most
if for all , then\+
return

return /̀/ no test succeeded, or Here we suppose that is present in the formula (i.e., ). The algorithm can be easily adapted to the case, where it is not. In the case , the algorithm can simply return , see Lemma 5 below. An illustration of the algorithm is shown in Figure 1.

Figure 1: Illustration of the SoEI algorithm. Assume that has two zeros and , and assume that is to the right of the thick curve. The algorithm creates a grid of boxes (line 3.1). If each element of the grid provably does not contain a solution (check at line 3.1), it returns . If this is not the case, then it checks whether is non-zero on all boundaries of grid elements (line 3.1). In our example, is close to zero on the common boundary of and and so the algorithm merges them into one grid element . If , then it checks whether for each , on and (line 3.1). If this is true as well, then is robustly satisfiable on and the algorithm terminates with . In case of another box containing a robust zero of , the given partition may not provide enough evidence for the claim that for each (in which case the condition on line 3.1 is not satisfied).

3.2 Universal Quantifiers

The recursive call corresponding to Case (b) of class looks as follows:

Algorithm : Let be a grid of sub-intervals of of width at most return

Here, in the return statement, the symbol denotes the lifting of Boolean conjunction to sets of Boolean values:

3.3 Conjunctions and Disjunctions

Finally, the recursive call corresponding to Case (c) of class looks as follows:

Algorithm return                                     where () is the projection of                                         to the free variables of (, respectively).

Here, in the return statement, the symbol again denotes the lifting of conjunction to sets of Boolean values. The algorithm for disjunction is completely analogous, replacing with (and its lifting to sets of Boolean values).

4 Degree of a Continuous Function

In this section we describe some basic properties of the topological degree. We already mentioned in the introduction that in the one-dimensional case, that is, for continuous functions with and , the degree is iff and have the same sign, otherwise the degree is either or , depending on whether the sign changes from negative to positive or the other way round. Hence, in this case, the degree gives the information given by the intermediate value theorem plus some directional information.

In dimension two, the degree of a continuous function from a disc to is just the number of times winds around the origin counter-clockwise as follows the circle forming the boundary of the disc (i.e., the “winding number”). Again, a non-zero winding number implies that has a zero.

There are several ways of defining the degree in general. We work with an axiomatic definition, that can be shown to be unique [32, Section I.5]. Let be open and bounded, continuous, and . Then is an integer satisfying the following properties [31, Thm. 1.2.6.]:

  1. For the identity function , iff

  2. If then has a solution in

  3. If there is a continuous function (a “homotopy”) such that , and for all , then

  4. If , , , and , then

  5. , as a function of , is constant on any connected component of .

The first axiom says that for the identity function, the degree counts the zeros in precisely. Due to the second axiom one can infer existence of a zero from a non-zero degree. Due to the third axiom, the degree is invariant under continuous deformations of the function that do not cause any essential change of the boundary information. From this it can be immediately seen that the degree depends only on the boundary : for two functions and that agree on , the function is a homotopy between and , as needed by the premise of Axiom 3.

In the SoEI algorithm, we apply the degree to the triple where is not open but the closure of an open set (it is the union of boxes). For completeness, we define where is the interior of , whenever .

Many algorithms for computing the degree have been proposed [15, 25, 7, 1, 17]. More specifically, if is an -box, is interval computable, and an algorithm is given, then the degree can be algorithmically computed. This justifies the use of line 10 of algorithm SoEI in Section 3.1.

The axioms defining the degree only argue about zeros, but not about robustness. Still, a nonzero degree is closely connected with the existence of a robust root:

Lemma 1

Let be a closed region with interior , be continuous, and let .

Then any continuous such that has a zero in .

Proof.  Let . For any such that , we define a homotopy between and . We see that for and ,

so that for . From Properties 2 and 3, we see that has a solution.

In particular, this implies that the sentence is not only true, but also robust, whenever . The upper bound on the distance between and results in an such that this sentence is -robust. This allows extensions of the algorithms of this paper to return such an , which may be useful in applications.

For proving definiteness, we will need a partial converse of this statement which will be given by Theorem 6 in Section 6.

5 Proof of Correctness

We will prove here that the algorithm proposed in Section 3 fulfills the first part of its specification, that is: it always returns a correct result. The proof will again be divided into the cases constituting the definition of class , from which correctness of the overall, recursive algorithm follows by induction.

Before that, we prove some technical results on the relationship between the class and robustness.

Note that, in this section, the assumption that our symbol set contains addition and multiplication, is not used. Hence the algorithm is correct even if we do not have those symbols in the symbol set.

5.1 Robustness and the Class

First we prove a lemma on the effect of substitution of nearby constants on robustness.

Lemma 2

Let be a formula in free variables, an -box bounding the free variables of and be a point in the interior of . If is a robust sentence, then there exists a neighborhood of , such that for all , is robust and has the same truth value as .

Proof.  Assume that is robust. Then there is an such that for all formulas with , and have the same truth value. Since all functions in are interval-computable, they are uniformly continuous. Hence for , there exists a number such that for each function occurring in it holds that whenever and . In other words, there exists a s.t. for all with , , and hence and have equal truth value. We claim that is also robust: this is because if is any sentence with , then and has still the same truth value as . So the neighborhood of satisfies the required properties.

Due to the syntactical structure of formulas in the class we automatically have robustness in the false case:

Lemma 3

Let be a sentence from . If is false, then it is robustly false.

Proof.  We proceed by induction, following the cases of class . Let be the sentence , where , and are the usual short-cuts for conjunctions of equalities, and inequalities, respectively. Let be false. If has no solution in , then for some and for small enough perturbations of . Similarly, if on , then the same is true for small enough perturbations of . Finally, if and are both nonempty, then they are compact and disjoint, which implies that they have a positive distance. For small perturbations of and , and are still disjoint, which implies that is robustly false.

Further, assume that is a compact interval and is a false sentence. Then there exists an such that is false. From the induction hypothesis, it is robustly false. Let be such that is -robust and let be a formula such that . Then and is false. So, is false and it follows that is robustly false.

Finally, let and be sentences in and be false. Then either or is false and the induction hypothesis says that it is robustly false. So, is robustly false. Similarly, if is false, then both and are robustly false and is robustly false.

In the case of this lemma, the proof goes through for any number of equalities, independent of the restriction that class puts on this number. Further, the last lemma remains true even if we leave the set of interval-computable functions and allow arbitrary, small enough continuous perturbations. Moreover, it holds even if all functions in the original formula are only continuous and not interval computable. We only have used continuity of the perturbations and the proof does not use any algorithmic input.

Universal quantification preserves robustness in the following sense:

Lemma 4

Let be a formula containing a free variable and let be a bounded closed interval. Then the sentence is robustly true for all in if and only if the sentence is robustly true.

Proof.  Let be -robust and true, and let be an arbitrary, but fixed element of the interval . Then clearly is true. For showing that it is also robust, we assume an arbitrary, but fixed sentence such that and prove that is true, as well. Let , resp. be the functions that occur in on the places corresponding to ; this is well-defined, because and have the same structure. Consider the formula that is equal to except for the fact that every equality of the form is replaced by and is replaced by . The distance and so, due to -robustness of , is true. In particular, is true and it follows that is -robust and true.

For the converse, assume that for all , is robustly true. Let

Clearly, is a continuous function in and has strict lower bound on the compact interval . So, for each , is -robust. If , then for each , and is true. So, is true and is robustly true.

Again, the last lemma remains true in the stronger formulation where we consider a statement robustly true iff any small enough continuous perturbation of its function symbols is true—that is, perturbation by functions that do not necessarily correspond to terms formed from the given set of function symbols or functions that are not necessarily interval computable.

5.2 System of Equations and Inequalities

For proving correctness of the algorithm we again start with the case of class , that is, a formula of the form

where is an -box. Assuming that the formula has free variables, we again denote by the function defined by the components and the function defined by the components .

Theorem 3

The algorithm fulfills the correctness property of the specification of (defined at the beginning of Section 3).

Proof.

Assume first that the algorithm terminates with a negative result . It follows directly from Definition 1, that the input sentence is false for any . Lemma 3 implies robustness.

Now assume that it terminates with a positive result . Then there exists a point and a connected grid element such that . For any , and can be connected by a curve , and is then a homotopy between and nowhere zero on . So, and it follows from Lemma 1 that has a robust solution in . Moreover, the successful check whether for all , implies that for some small enough , for all , and , . It follows that the input formula is robustly true for all parameter values in .

5.3 Universal Quantifiers

Theorem 4

Let be a formula containing free variables . Let be an -box and a closed interval. Assume that an algorithm fulfilling the correctness property is given. Then also the algorithm fulfills the correctness property.

Proof.  If returns , then returned for some and it follows that for all and , is robustly false. Then is false for each and it follows from Lemma 3 that it is robustly false.

If the algorithm returns , then returned for all and the sentence is robustly true for all and . It follows from Lemma 4 that for each , is robustly true, so the result is correct.

5.4 Conjunction and Disjunction

Theorem 5

Let and be two formulas in and assume that fulfills the correctness property both when applied to , and when applied to . Then also fulfills the correctness property.

Proof.  Let , and , respectively, be the function that projects any -tuple corresponding to the free variables of to those components corresponding to the free variables of , and , respectively.

If returned then the recursive calls for both and returned . Hence, by correctness of the result of the recursive calls, for all , and are robustly true, and hence also .

If returned then the recursive calls for either or returned . Hence, by correctness of the result of the recursive calls, either for all , is robustly false, or for all , is robustly false. Hence, also for all , is robustly false.

For disjunctions the situation is analogous.

6 From Robustness To Non-Zero Degree

For proving that the algorithm CheckSat fulfills the second part of its specification, definiteness, we need to prove that for a robust system of equations, the test provided by a non-zero topological degree eventually succeeds. While the algorithmic aspects of the proof are part of the next section, in this section we prove two properties of the degree necessary for this (Lemma 5 and Theorem 6). The first property, Lemma 5, simply says that in the case overdetermined system of equations in variables, the input cannot be robust, and hence the implication (robust input implies succeeding test for non-zero degree) holds vacuously. The second property, Theorem 6, shows that robustness implies existence of a region for which the degree is non-zero. More precisely, we will show a partial converse to Lemma 1, that is, that a robust solution of on implies the existence of a region s.t. and .

The rest of the paper will only refer to the two mentioned properties, so a reader can safely skip this section after noting Lemma 5 and Theorem 6. The proofs in the section are the only place in the paper that uses results from topology that are not explicitly delineated in this paper.

Lemma 5

Let be a closed region in , and be continuous. Then for each there exists a function , , with no root.

Proof.  We assume that for some , it holds that each closer to than has a root, and derive a contradiction. It follows from the Stone-Weierstrass theorem that the continuous function may be approximated arbitrarily precisely with a smooth function (even with a polynomial), and so we can approximate it by a smooth function closer than to . Moreover, each such with has a root. In particular, has a root for any constant , and so contains a neighborhood of . However, all values in are critical values (that is, for each , the rank of —a matrix —is smaller than ). Due to Sard’s theorem [28, Chapter 2] the set of critical values of a smooth function has zero measure in , and so cannot contain a neighborhood of , a contradiction.

The rest of the section considers the case of equal dimensions . First we show that a zero degree of a function implies that any possible zero of the function can be removed by a change of the function only in the interior. Moreover, the result of the change will be small in a certain sense.

Lemma 6

Let be a closed region in , continuous, and . Then there exists a continuous nowhere zero function such that on and .

Proof.  If , we may take . Otherwise, take a neighborhood of such that is an -manifold (i.e. locally homeomorphic to ). Such a neighborhood might be constructed as a finite union of balls. It follows from the degree axioms that and it is a well-known fact in differential topology that can be extended to a function iff the degree is zero [24, Theorem 8.1.]. Let be an extension of (such extension exists due to Tietze’s Extension Theorem [9, Thm. 4.22]) and let be the inclusion. Then is a nowhere zero extension of . Define by for and for . This function is continuous, nowhere zero and coincides with on . Possibly multiplying by a positive scalar valued function that equals 1 on and is small inside , we achieve that