key: cord-0046587-chwcgydw
authors: Calvanese, Diego; Ghilardi, Silvio; Gianola, Alessandro; Montali, Marco; Rivkin, Andrey
title: Combined Covers and Beth Definability
date: 2020-05-30
journal: Automated Reasoning
DOI: 10.1007/978-3-030-51074-9_11
sha: 55977712092b4e2ac6c4d152ce67df2ca7870a72
doc_id: 46587
cord_uid: chwcgydw

Uniform interpolants were largely studied in non-classical propositional logics since the nineties, and their connection to model completeness was pointed out in the literature. A successive parallel research line inside the automated reasoning community investigated uniform quantifier-free interpolants (sometimes referred to as “covers”) in first-order theories. In this paper, we investigate cover transfer to theory combinations in the disjoint signatures case. We prove that, for convex theories, cover algorithms can be transferred to theory combinations under the same hypothesis needed to transfer quantifier-free interpolation (i.e., the equality interpolating property, aka strong amalgamation property). The key feature of our algorithm relies on the extensive usage of the Beth definability property for primitive fragments to convert implicitly defined variables into their explicitly defining terms. In the non-convex case, we show by a counterexample that cover may not exist in the combined theories, even in case combined quantifier-free interpolants do exist.

Uniform interpolants were originally studied in the context of non-classical logics, starting from the pioneering work by Pitts [26] . We briefly recall what uniform interpolants are; we fix a logic or a theory T and a suitable fragment (propositional, first-order quantifier-free, etc.) of its language L. Given an L-formula φ(x, y) (here x, y are the variables occurring free in φ), a uniform interpolant of φ (w.r.t. y) is a formula φ (x) where only the x occur free, and that satisfies the following two properties: (i) φ(x, y) T φ (x); (ii) for any further L-formula ψ(x, z) such that φ(x, y) T ψ(x, z), we have φ (x) T ψ(x, z). Whenever uniform interpolants exist, one can compute an interpolant for an entailment like φ(x, y) T ψ(x, z) in a way that is independent of ψ.

The existence of uniform interpolants is an exceptional phenomenon, which is however not so infrequent; it has been extensively studied in non-classical logics starting from the nineties, as witnessed by a large literature (a non-exhaustive list includes [1, 11, [17] [18] [19] 23, 28, 31, 32] ). The main results from the above papers are that uniform interpolants exist for intuitionistic logic and for some modal systems (like the Gödel-Löb system and the S4.Grz system); they do not exist for instance in S4 and K4, whereas for the basic modal system K they exist for the local consequence relation but not for the global consequence relation. The connection between uniform interpolants and model completions (for equational theories axiomatizing the varieties corresponding to propositional logics) was first stated in [20] and further developed in [17, 23, 31] .

In the last decade, also the automated reasoning community developed an increasing interest in uniform interpolants, with particular focus on quantifierfree fragments of first-order theories. This is witnessed by various talks and drafts by D. Kapur presented in many conferences and workshops (FloC 2010, ISCAS 2013-14, SCS 2017 [22] ), as well as by the paper [21] by Gulwani and Musuvathi in ESOP 2008 . In this last paper uniform interpolants were renamed as covers, a terminology we shall adopt in this paper too. In these contributions, examples of cover computations were supplied and also some algorithms were sketched. The first formal proof about existence of covers in EUF was however published by the present authors only in [7] ; such a proof was equipped with powerful semantic tools (the Cover-by-Extensions Lemma 1 below) coming from the connection to model-completeness, as well as with an algorithm relying on a constrained variant of the Superposition Calculus (two simpler algorithms are studied in [15] ). The usefulness of covers in model checking was already stressed in [21] and further motivated by our recent line of research on the verification of data-aware processes [5, 6, 8, 9] . Notably, it is also operationally mirrored in the MCMT [16] implementation since version 2.8. Covers (via quantifier elimination in model completions and hierarchical reasoning) play an important role in symbol elimination problems in theory extensions, as witnessed in the comprehensive paper [29] and in related papers (e.g., [25] ) studying invariant synthesis in model checking applications.

An important question suggested by the applications is the cover transfer problem for combined theories: for instance, when modeling and verifying dataaware processes, it is natural to consider the combination of different theories, such as the theories accounting for the read-write and read-only data storage of the process as well as those for the elements stored therein [6] [7] [8] . Formally, the cover transfer problem can be stated as follows: by supposing that covers exist in theories T 1 , T 2 , under which conditions do they exist also in the combined theory T 1 ∪ T 2 ? In this paper we show that the answer is affirmative in the disjoint signatures convex case, using the same hypothesis (that is, the equality interpolating condition) under which quantifier-free interpolation transfers. Thus, for convex theories we essentially obtain a necessary and sufficient condition, in the precise sense captured by Theorem 6 below. We also prove that if convexity fails, the non-convex equality interpolating property [2] may not be sufficient to ensure the cover transfer property. As a witness for this, we show that EUF combined with integer difference logic or with linear integer arithmetics constitutes a counterexample.

The main tool employed in our combination result is the Beth definability theorem for primitive formulae (this theorem has been shown to be equivalent to the equality interpolating condition in [2] ). In order to design a combined cover algorithm, we exploit the equivalence between implicit and explicit definability that is supplied by the Beth theorem. Implicit definability is reformulated, via covers for input theories, at the quantifier-free level. Thus, the combined cover algorithm guesses the implicitly definable variables, then eliminates them via explicit definability, and finally uses the component-wise input cover algorithms to eliminate the remaining (non implicitly definable) variables. The identification and the elimination of the implicitly defined variables via explicitly defining terms is an essential step towards the correctness of the combined cover algorithm: when computing a cover of a formula φ(x, y) (w.r.t. y), the variables x are (non-eliminable) parameters, and those variables among the y that are implicitly definable need to be discovered and treated in the same way as the parameters x. Only after this preliminary step (Lemma 5 below), the input cover algorithms can be suitably exploited (Proposition 1 below).

The combination result we obtain is quite strong, as it is a typical 'black box' combination result: it applies not only to theories used in verification (like the combination of real arithmetics with EUF), but also in other contexts. For instance, since the theory B of Boolean algebras satisfies our hypotheses (being model completable and strongly amalgamable [14] ), we get that uniform interpolants exist in the combination of B with EUF. The latter is the equational theory algebraizing the basic non-normal classical modal logic system E from [27] (extended to n-ary modalities). Notice that this result must be contrasted with the case of many systems of Boolean algebras with operators where existence of uniform interpolation fails [23] (recall that operators on a Boolean algebra are not just arbitrary functions, but are required to be monotonic and also to preserve either joins or meets in each coordinate).

As a last important comment on related work, it is worth mentioning that Gulwani and Musuvathi in [21] also have a combined cover algorithm for convex, signature disjoint theories. Their algorithm looks quite different from ours; apart from the fact that a full correctness and completeness proof for such an algorithm has never been published, we underline that our algorithm is rooted on different hypotheses. In fact, we only need the equality interpolating condition and we show that this hypothesis is not only sufficient, but also necessary for cover transfer in convex theories; consequently, our result is formally stronger. The equality interpolating condition was known to the authors of [21] (but not even mentioned in their paper [21] ): in fact, it was introduced by one of them some years before [33] . The equality interpolating condition was then extended to the non convex case in [2] , where it was also semantically characterized via the strong amalgamation property.

The paper is organized as follows: after some preliminaries in Sect. 2, the crucial Covers-by-Extensions Lemma and the relationship between covers and model completions from [7] are recalled in Sect. 3. In Sect. 4, we present some preliminary results on interpolation and Beth definability that are instrumental to our machinery. After some useful facts about convex theories in Sect. 5, we introduce the combined cover algorithms for the convex case and we prove its correctness in Sect. 6; we also present a detailed example of application of the combined algorithm in case of the combination of EUF with linear real arithmetic, and we show that the equality interpolating condition is necessary (in some sense) for combining covers. In Sect. 7 we exhibit a counteraxample to the existence of combined covers in the non-convex case. Section 8 is devoted to the conclusions and discussion of future work. The extended version of the current paper with full proofs and details is available online in [4] .

We adopt the usual first-order syntactic notions of signature, term, atom, (ground) formula, and so on; our signatures are always finite or countable and include equality. To avoid considering limit cases, we assume that signatures always contain at least an individual constant. We compactly represent a tuple x 1 , . . . , x n of variables as x. The notation t(x), φ(x) means that the term t, the formula φ has free variables included in the tuple x. This tuple is assumed to be formed by distinct variables, thus we underline that when we write e.g. φ(x, y), we mean that the tuples x, y are made of distinct variables that are also disjoint from each other.

A formula is said to be universal (resp., existential ) if it has the form ∀x(φ(x)) (resp., ∃x(φ(x))), where φ is quantifier-free. Formulae with no free variables are called sentences. On the semantic side, we use the standard notion of Σ-structure M and of truth of a formula in a Σ-structure under a free variables assignment. The support of M is denoted as |M|. The interpretation of a (function, predicate) symbol σ in M is denoted σ M .

A Σ-theory T is a set of Σ-sentences; a model of T is a Σ-structure M where all sentences in T are true. We use the standard notation T |= φ to say that φ is true in all models of T for every assignment to the variables occurring free in φ. We say that φ is T -satisfiable iff there is a model M of T and an assignment to the variables occurring free in φ making φ true in M.

We now focus on the constraint satisfiability problem and quantifier elimination for a theory T . A Σ-formula φ is a Σ-constraint (or just a constraint) iff it is a conjunction of literals. The constraint satisfiability problem for T is the following: we are given a constraint φ(x) and we are asked whether there exist a model M of T and an assignment I to the free variables x such that M, I |= φ(x). A theory T has quantifier elimination iff for every formula φ(x) in the signature of T there is a quantifier-free formula φ (x) such that T |= φ(x) ↔ φ (x). Since we are in a computational logic context, when we speak of quantifier elimination, we assume that it is effective, namely that it comes with an algorithm for computing φ out of φ. It is well-known that quantifier elimination holds in case we can eliminate quantifiers from primitive formulae, i.e., formulae of the kind ∃y φ(x, y), with φ a constraint.

We recall also some further basic notions. Let Σ be a first-order signature. The signature obtained from Σ by adding to it a set a of new constants (i.e., 0-ary function symbols) is denoted by Σ a . Analogously, given a Σ-structure M, the signature Σ can be expanded to a new signature Σ |M| := Σ ∪ {ā | a ∈ |M|} by adding a set of new constantsā (the name for a), one for each element a in the support of M, with the convention that two distinct elements are denoted by different "name" constants. M can be expanded to a Σ |M| -structure M := (M, a) a∈|M| just interpreting the additional constants over the corresponding elements. From now on, when the meaning is clear from the context, we will freely use the notation M and M interchangeably: in particular, given a Σstructure M and a Σ-formula φ(x) with free variables that are all in x, we will write, by abuse of notation,

A Σ-homomorphism (or, simply, a homomorphism) between two Σ-structures M and N is a map μ : |M| −→ |N | among the support sets |M| of M and |N | of N satisfying the condition (M |= ϕ ⇒ N | = ϕ) for all Σ |M| -atoms ϕ (M is regarded as a Σ |M| -structure, by interpreting each additional constant a ∈ |M| into itself and N is regarded as a Σ |M| -structure by interpreting each additional constant a ∈ |M| into μ(a)). In case the last condition holds for all Σ |M| -literals, the homomorphism μ is said to be an embedding and if it holds for all first order formulae, the embedding μ is said to be elementary. If μ : M −→ N is an embedding which is just the identity inclusion |M| ⊆ |N |, we say that M is a substructure of N or that N is an extension of M. Universal theories can be characterized as those theories T having the property that if M |= T and N is a substructure of M, then N |= T (see [10] ). If M is a structure and X ⊆ |M|, then there is the smallest substructure of M including X in its support; this is called the substructure generated by X. If X is the set of elements of a finite tuple a, then the substructure generated by X has in its support precisely the b ∈ |M| such that M |= b = t(a) for some term t.

Let M be a Σ-structure. The diagram of M, written Δ Σ (M) (or just Δ(M)), is the set of ground Σ |M| -literals that are true in M. An easy but important result, called Robinson Diagram Lemma [10] , says that, given any Σ-structure N , the embeddings μ : M −→ N are in bijective correspondence with expansions of N to Σ |M| -structures which are models of Δ Σ (M). The expansions and the embeddings are related in the obvious way:ā is interpreted as μ(a).

We report the notion of cover taken from [21] and also the basic results proved in [7] . Fix a theory T and an existential formula ∃e φ(e, y); call a residue of ∃e φ(e, y) any quantifier-free formula belonging to the set of quantifier-free formulae Res(∃e φ) = {θ(y, z) | T |= φ(e, y) → θ(y, z)}. A quantifier-free formula ψ(y) is said to be a T -cover (or, simply, a cover ) of ∃e φ(e, y) iff ψ(y) ∈ Res(∃e φ) and ψ(y) implies (modulo T ) all the other formulae in Res(∃e φ). The following "cover-by-extensions" Lemma [7] (to be widely used throughout the paper) supplies a semantic counterpart to the notion of a cover:

iff it satisfies the following two conditions:(i) T |= ∀y (∃e φ(e, y) → ψ(y)); (ii) for every model M of T , for every tuple of elements a from the support of M such that M |= ψ(a) it is possible to find another model N of T such that M embeds into N and N |= ∃e φ(e, a).

We underline that, since our language is at most countable, we can assume that the models M, N from (ii) above are at most countable too, by a Löwenheim-Skolem argument.

We say that a theory T has uniform quantifier-free interpolation iff every existential formula ∃e φ(e, y) (equivalently, every primitive formula ∃e φ(e, y)) has a T -cover.

It is clear that if T has uniform quantifier-free interpolation, then it has ordinary quantifier-free interpolation [2] , in the sense that if we have T |= φ(e, y) → φ (y, z) (for quantifier-free formulae φ, φ ), then there is a quantifier-free formula θ(y) such that T |= φ(e, y) → θ(y) and T |= θ(y) → φ (y, z). In fact, if T has uniform quantifier-free interpolation, then the interpolant θ is independent on φ (the same θ(y) can be used as interpolant for all entailments

We say that a universal theory T has a model completion iff there is a stronger theory T * ⊇ T (still within the same signature Σ of T ) such that (i) every Σconstraint that is satisfiable in a model of T is satisfiable in a model of T * ; (ii) T * eliminates quantifiers. Other equivalent definitions are possible [10] : for instance, (i) is equivalent to the fact that T and T * prove the same universal formulae or again to the fact that every model of T can be embedded into a model of T * . We recall that the model completion, if it exists, is unique and that its existence implies the quantifier-free interpolation property for T [10] (the latter can be seen directly or via the correspondence between quantifier-free interpolation and amalgamability, see [2] ).

A close relationship between model completion and uniform interpolation emerged in the area of propositional logic (see the book [17] ) and can be formulated roughly as follows. It is well-known that most propositional calculi, via Lindembaum constructions, can be algebraized: the algebraic analogue of classical logic are Boolean algebras, the algebraic analogue of intuitionistic logic are Heyting algebras, the algebraic analogue of modal calculi are suitable variaties of modal agebras, etc. Under suitable hypotheses, it turns out that a propositional logic has uniform interpolation (for the global consequence relation) iff the equational theory axiomatizing the corresponding variety of algebras has a model completion [17] . In the context of first order theories, we prove an even more direct connection: Theorem 1. Suppose that T is a universal theory. Then T has a model completion T * iff T has uniform quantifier-free interpolation. If this happens, T * is axiomatized by the infinitely many sentences ∀y (ψ(y) → ∃e φ(e, y)), where ∃e φ(e, y) is a primitive formula and ψ is a cover of it.

The proof (via Lemma 1, by iterating a chain construction) is in [9] (see also [3] ).

We report here some definitions and results we need concerning combined quantifier-free interpolation. Most definitions and result come from [2] , but are simplified here because we restrict them to the case of universal convex theories. Further information on the semantic side is supplied in the extended version of this paper [4] .

A theory T is stably infinite iff every T -satisfiable constraint is satisfiable in an infinite model of T . The following Lemma comes from a compactness argument (see [4] for a proof):

A convex theory T is 'almost' stably infinite in the sense that it can be shown that every constraint which is T -satisfiable in a T -model whose support has at least two elements is satisfiable also in an infinite T -model. The one-element model can be used to build counterexamples, though: e.g., the theory of Boolean algebras is convex (like any other universal Horn theory) but the constraint x = 0 ∧ x = 1 is only satisfiable in the degenerate one-element Boolean algebra. Since we take into account these limit cases, we do not assume that convexity implies stable infiniteness.

A convex universal theory T is equality interpolating iff for every pair y 1 , y 2 of variables and for every pair of constraints δ 1 (x, z 1 , y 1 ),

there exists a term t(x) such that

Theorem 2 [2, 33] . Let T 1 and T 2 be two universal, convex, stably infinite theories over disjoint signatures Σ 1 and Σ 2 . If both T 1 and T 2 are equality interpolating and have quantifier-free interpolation property, then so does

There is a converse of the previous result; for a signature Σ, let us call EUF(Σ) the pure equality theory over the signature Σ (this theory is equality interpolating and has the quantifier-free interpolation property).

Theorem 3 [2] . Let T be a stably infinite, universal, convex theory admitting quantifier-free interpolation and let Σ be a signature disjoint from the signature of T containing at least a unary predicate symbol. Then, T ∪ EUF(Σ) has quantifier-free interpolation iff T is equality interpolating.

In [2] the above definitions and results are extended to the non-convex case and a long list of universal quantifier-free interpolating and equality interpolating theories is given. The list includes EUF(Σ), recursive data theories, as well as linear arithmetics. For linear arithmetics (and fragments of its), it is essential to make a very careful choice of the signature, see again [2] (especially Subsection 4.1) for details. All the above theories admit a model completion (which coincides with the theory itself in case the theory admits quantifier elimination).

The equality interpolating property in a theory T can be equivalently characterized using Beth definability as follows. Consider a primitive formula ∃zφ(x, z, y) (here φ is a conjunction of literals); we say that ∃z φ(x, z, y) implicitly defines y in T iff the formula

is T -valid. We say that ∃zφ(x, z, y) explicitly defines y in T iff there is a term t(x) such that the formula

is T -valid.

For future use, we notice that, by trivial logical manipulations, the formulae (3) and (4) are logically equivalent to

and to ∀y∀z(φ(x, z, y) → y = t(x))

respectively (we shall use such equivalences without explicit mention). We say that a theory T has the Beth definability property for primitive formulae iff whenever a primitive formula ∃z φ(x, z, y) implicitly defines the variable y then it also explicitly defines it.

Theorem 4 [2] . A convex theory T having quantifier-free interpolation is equality interpolating iff it has the Beth definability property for primitive formulae.

Proof. We recall the easy proof of the left-to-right side (this is the only side we need in this paper). Suppose that T is equality interpolating and that

Replacing z , y by z, y via a substitution, we get precisely (6).

We now collect some useful facts concerning convex theories. We fix for this section a convex, stably infinite, equality interpolating universal theory T admitting a model completion T * . We let Σ be the signature of T . We fix also a Σ-constraint φ(x, y), where we assume that y = y 1 , . . . , y n (recall that the tuple x is disjoint from the tuple y according to our conventions from Sect. 2).

For i = 1, . . . , n, we let the formula ImplDef T φ,yi (x) be the quantifier-free formula equivalent in T * to the formula

where the y are renamed copies of the y. Notice that the variables occurring free in φ are x, y, whereas only the x occur free in ImplDef T φ,yi (x) (the variable y i is among the y and does not occur free in ImplDef T φ,yi (x)): these facts coming from our notational conventions are crucial and should be kept in mind when reading this and next section. The following semantic technical lemma is proved in the extended version of this paper [4] : N |= φ(a, b) .

The following Lemma supplies terms which will be used as ingredients in our combined covers algorithm:

Proof. We have that ( j L ij ) ↔ ImplDef T φ,yi (x) is a tautology, hence from the definition of ImplDef T φ,yi (x), we have that

however this formula is trivially equivalent to a universal formula (L ij does not depend on y, y ), hence since T and T * prove the same universal formulae, we get

Using Beth definability property (Theorem 4), we get (8), as required, for some terms t ij (x). Finally, the second claim of the lemma follows from (8) by trivial logical manipulations.

In all our concrete examples, the theory T has decidable quantifier-free fragment (namely it is decidable whether a quantifier-free formula is a logical consequence of T or not), thus the terms t ij mentioned in Lemma 4 can be computed just by enumerating all possible Σ(x)-terms: the computation terminates, because the above proof shows that the appropriate terms always exist. However, this is terribly inefficient and, from a practical point of view, one needs to have at disposal dedicated algorithms to find the required equality interpolating terms. For some common theories (EUF, Lisp-structures, linear real arithmetic), such algorithms are designed in [33] ; in [2] [Lemma 4.3 and Theorem 4.4], the algorithms for computing equality interpolating terms are connected to quantifier elimination algorithms in the case of universal theories admitting quantifier elimination. Still, an extensive investigation on te topic seems to be missed in the SMT literature.

Let us now fix two theories T 1 , T 2 over disjoint signatures Σ 1 , Σ 2 . We assume that both of them satisfy the assumptions from the previous section, meaning that they are convex, stably infinite, equality interpolating, universal and admit model completions T * 1 , T * 2 respectively. We shall supply a cover algorithm for T 1 ∪ T 2 (thus proving that T 1 ∪ T 2 has a model completion too).

We need to compute a cover for ∃e φ(x, e), where φ is a conjunction of Σ 1 ∪Σ 2literals. By applying rewriting purification steps like

(where d is a fresh variable and t is a pure term, i.e. it is either a Σ 1 -or a Σ 2 -term), we can assume that our formula φ is of the kind φ 1 ∧ φ 2 , where φ 1 is a Σ 1 -formula and φ 2 is a Σ 2 -formula. Thus we need to compute a cover for a formula of the kind

where φ i is a conjunction of Σ i -literals (i = 1, 2). We also assume that both φ 1 and φ 2 contain the literals e i = e j (for i = j) as a conjunct: this can be achieved by guessing a partition of the e and by replacing each e i with the representative element of its equivalence class.

It is not clear whether this preliminary guessing step can be avoided. In fact, Nelson-Oppen [24] combined satisfiability for convex theories does not need it; however, combining covers algorithms is a more complicated problem than combining mere satisfiability algorithms and for technical reasons related to the correctness and completeness proofs below, we were forced to introduce guessing at this step.

To manipulate formulae, our algorithm employs acyclic explicit definitions as follows. When we write ExplDef(z, x) (where z, x are tuples of distinct variables), we mean any formula of the kind (let z := z 1 

where the term t i is pure (i.e. it is a Σ i -term) and only the variables z 1 , . . . , z i−1 , x can occur in it. When we assert a formula like ∃z (ExplDef(z, x) ∧ ψ(z, x) ), we are in fact in the condition of recursively eliminating the variables z from it via terms containing only the parameters x (the 'explicit definitions' z i = t i are in fact arranged acyclically).

A working formula is a formula of the kind

where ψ 1 is a conjunction of Σ 1 -literals and ψ 2 is a conjunction of Σ 2 -literals.

The variables x are called parameters, the variables z are called defined variables and the variables e (truly) existential variables. The parameters do not change during the execution of the algorithm. We assume that ψ 1 , ψ 2 in a working formula (11) always contain the literals e i = e j (for distinct e i , e j from e) as a conjunct.

In our starting formula (10) , there are no defined variables. However, if via some syntactic check it happens that some of the existential variables can be recognized as defined, then it is useful to display them as such (this observation may avoid redundant cases -leading to inconsistent disjuncts -in the computations below).

A working formula like (11) is said to be terminal iff for every existential variable e i ∈ e we have that

ψ1,ei (x, z) and T 2 ψ 2 → ¬ImplDef T2 ψ2,ei (x, z). (12) Roughly speaking, we can say that in a terminal working formula, all variables which are not parameters are either explicitly definable or recognized as not implicitly definable by both theories; of course, a working formula with no existential variables is terminal.

Proof. We only sketch the proof of this Lemma (see the extended version [4] for full details), by describing the algorithm underlying it. To compute the required terminal working formulae, it is sufficient to apply the following nondeterministic procedure (the output is the disjunction of all possible outcomes). The non-deterministic procedure applies one of the following alternatives.

(1) Update ψ 1 by adding it a disjunct from the DNF of ei∈e ¬ImplDef T1 ψ1,ei (x, z) and ψ 2 by adding to it a disjunct from the DNF of ei∈e ¬ ImplDef T2 ψ1,ei (x, z);

(2.i) Select e i ∈ e and h ∈ {1, 2}; then update ψ h by adding to it a disjunct L ij from the DNF of ImplDef T h ψ h ,ei (x, z); the equality e i = t ij (where t ij is the term mentioned in Lemma 4) 1 is added to ExplDef(z, x); the variable e i becomes in this way part of the defined variables.

If alternative (1) is chosen, the procedure stops, otherwise it is recursively applied again and again (we have one truly existential variable less after applying alternative (2.i), so we eventually terminate).

Thus we are left to the problem of computing a cover of a terminal working formula; this problem is solved in the following proposition: Proposition 1. A cover of a terminal working formula (11) can be obtained just by unravelling the explicit definitions of the variables z from the formula

Proof. In order to show that Formula (13) is the T 1 ∪ T 2 -cover of a terminal working formula (11), we prove, by using the Cover-by-Extensions Lemma 1, that, for every T 1 ∪ T 2 -model M, for every tuple a, c from |M| such that M |= θ 1 (a, c)∧θ 2 (a, c) there is an extension N of M such that N is still a model of T 1 ∪ T 2 and N |= ∃e (ψ 1 (a, c, e)∧ψ 2 (a, c, e) ). By a Löwenheim-Skolem argument, since our languages are countable, we can suppose that M is at most countable and actually that it is countable by stable infiniteness of our theories, see Lemma 2 (the fact that T 1 ∪ T 2 is stably infinite in case both T 1 , T 2 are such, comes from the proof of Nelson-Oppen combination result, see [12, 24, 30] ). According to the conditions (12) and the definition of a cover (notice that the formulae ¬ImplDef T h ψ h ,ei (x, z) do not contain the e and are quantifier-free) we have that

(for every e i ∈ e). Thus, since M |= ImplDef T1 ψ1,ei (a, c) and M |= ImplDef T2 ψ2,ei (a, c) holds for every e i ∈ e, we can apply Lemma 3 and conclude that there exist a T 1 -model N 1 and a T 2 -model N 2 such that N 1 |= ψ 1 (a, c, b 1 ) and N 2 |= ψ 2 (a, c, b 2 ) for tuples b 1 ∈ |N 1 | and b 2 ∈ |N 2 |, both disjoint from |M|. By a Löwenheim-Skolem argument, we can suppose that N 1 , N 2 are countable and by Lemma 2 even that they are both countable extensions of M. The tuples b 1 and b 2 have equal length because the ψ 1 , ψ 2 from our working formulae entail e i = e j , where e i , e j are different existential variables. Thus there is a bijection ι : |N 1 | → |N 2 | fixing all elements in M and mapping componentwise the b 1 onto the b 2 . But this means that, exactly as it happens in the proof of the completeness of the Nelson-Oppen combination procedure, the Σ 2 -structure on N 2 can be moved back via ι −1 to |N 1 | in such a way that the Σ 2 -substructure from M is fixed and in such a way that the tuple b 2 is mapped to the tuple b 1 . In this way, N 1 becomes a Σ 1 ∪ Σ 2 -structure which is a model of T 1 ∪ T 2 and which is such that N 1 |= ψ 1 (a, c, b 1 ) ∧ ψ 2 (a, c, b 1 ) , as required.

From Lemma 5, Proposition 1 and Theorem 1, we immediately get Theorem 5. Let T 1 , T 2 be convex, stably infinite, equality interpolating, universal theories over disjoint signatures admitting a model completion. Then T 1 ∪ T 2 admits a model completion too. Covers in T 1 ∪ T 2 can be effectively computed as shown above.

Notice that the input cover algorithms in the above combined cover computation algorithm are used not only in the final step described in Proposition 1, but also every time we need to compute a formula ImplDef T h ψ h ,ei (x, z): according to its definition, this formula is obtained by eliminating quantifiers in T * i from (7) (this is done via a cover computation, reading ∀ as ¬∃¬). In practice, implicit definability is not very frequent, so that in many concrete cases ImplDef T h ψ h ,ei (x, z) is trivially equivalent to ⊥ (in such cases, Step (2.i) above can obviously be disregarded).

An Example. We now analyze an example in detail. Our results apply for instance to the case where T 1 is EUF(Σ) and T 2 is linear real arithmetic. We recall that covers are computed in real arithmetic by quantifier elimination, whereas for EUF(Σ) one can apply the superposition-based algorithm from [7] . Let us show that the cover of

is the following formula

Formula (14) is already purified. Notice also that the variables e 1 , e 2 are in fact already explicitly defined (only e 3 , e 4 are truly existential variables).

We first make the partition guessing. There is no need to involve defined variables into the partition guessing, hence we need to consider only two partitions; they are described by the following formulae: 4 ) ≡ e 3 = e 4 P 2 (e 3 , e 4 ) ≡ e 3 = e 4 We first analyze the case of P 1 . The formulae ψ 1 and ψ 2 to which we need to apply exhaustively Step (1) and

Step (2.i) of our algorithm are:

We first compute the implicit definability formulae for the truly existential variables with respect to both T 1 and T 2 .

-We first consider ImplDef T1 ψ1,e3 (x, z). Here we show that the cover of the negation of formula (7) is equivalent to (so that ImplDef T1 ψ1,e3 (x, z) is equivalent to ⊥). We must quantify over truly existential variables and their duplications, thus we need to compute the cover of

This is a saturated set according to the superposition based procedure of [7] , hence the result is , as claimed.

-The formula ImplDef T1 ψ1,e4 (x, z) is also equivalent to ⊥, by the same argument as above.

-To compute ImplDef T2 ψ2,e3 (x, z) we use Fourier-Motzkin quantifier elimination. We need to eliminate the variables e 3 , e 3 , e 4 , e 4 (intended as existentially quantified variables) from

This gives x 1 + e 1 = x 2 + e 2 ∧ x 2 = 0, so that ImplDef T2 ψ2,e3 (x, z) is x 1 + e 1 = x 2 + e 2 ∧ x 2 = 0. The corresponding equality interpolating term for e 3 is x 1 + e 1 .

-The formula ImplDef T2 ψ2,e4 (x, z) is also equivalent to x 1 +e 1 = x 2 +e 2 ∧x 2 = 0 and the equality interpolating term for e 4 is x 1 + e 1 + x 2 .

So, if we apply Step 1 we get (16) (notice that the literal x 2 = 0 is entailed by ψ 2 , so we can simplify it to in ImplDef T2 ψ2,e3 (x, z) and ImplDef T2 ψ2,e4 (x, z)). If we apply Step (2.i) (for i = 3), we get (after removing implied equalities)

Step (2.i) (for i = 4) gives a formula logically equivalent to (17) . Notice that (17) is terminal too, because all existential variables are now explicitly defined (this is a lucky side-effect of the fact that e 3 has been moved to the defined variables). Thus the exhaustive application of Steps (1) and (2.i) is concluded.

Applying the final step of Proposition 1 to (17) is quite easy: it is sufficient to unravel the acyclic definitions. The result, after little simplification, is

this can be further simplified to

As to formula (16), we need to apply the final cover computations mentioned in Proposition 1. The formulae ψ 1 and ψ 2 are now

The T 1 -cover of ψ 1 is . For the T 2 -cover of ψ 2 , eliminating with Fourier-Motzkin the variables e 4 and e 3 , we get

after unravelling the explicit definitions of e 1 , e 2 . Thus, the analysis of the case of the partition P 1 gives, as a result, the disjunction of (18) and (19) . We now analyze the case of P 2 . Before proceeding, we replace e 4 with e 3 (since P 2 precisely asserts that these two variables coincide); our formulae ψ 1 and ψ 2 become

From ψ 1 we deduce e 3 = x 1 , thus we can move e 3 to the explicitly defined variables (this avoids useless calculations: the implicit definability condition for variables having an entailed explicit definition is obviously , so making case split on it produces either tautological consequences or inconsistencies). In this way we get the terminal working formula

Unravelling the explicit definitions, we get (after exhaustive simplifications)

Now, the disjunction of (18), (19) and (21) is precisely the final result (15) claimed above. This concludes our detailed analysis of our example.

Notice that the example shows that combined cover computations may introduce terms with arbitrary alternations of symbols from both theories (like f (x 2 +f (x 1 +f (x 1 ))) above). The point is that when a variable becomes explicitly definable via a term in one of the theories, then using such additional variable may in turn cause some other variables to become explicitly definable via terms from the other theory, and so on and so forth; when ultimately the explicit definitions are unraveled, highly nested terms arise with many symbol alternations from both theories.

The Necessity of the Equality Interpolating Condition. The following result shows that equality interpolating is a necessary condition for a transfer result, in the sense that it is already required for minimal combinations with signatures adding uninterpreted symbols: Theorem 6. Let T be a convex, stably infinite, universal theory admitting a model completion and let Σ be a signature disjoint from the signature of T containing at least a unary predicate symbol. Then T ∪ EUF(Σ) admits a model completion iff T is equality interpolating.

Proof. The necessity can be shown by using the following argument. By Theorem 1, T ∪ EUF(Σ) has uniform quantifier-free interpolation, hence also ordinary quantifier-free interpolation. We can now apply Theorem 3 and get that T must be equality interpolating. Conversely, the sufficiency comes from Theorem 5 together with the fact that EUF(Σ) is trivially universal, convex, stably infinite, has a model completion [7] and is equality interpolating [2, 33] .

In this section, we show by giving a suitable counterexample that the convexity hypothesis cannot be dropped from Theorems 5, 6. We make use of basic facts about ultrapowers (see [10] for the essential information we need). We take as T 1 integer difference logic IDL, i.e. the theory of integer numbers under the unary operations of successor and predecessor, the constant 0 and the strict order relation <. This is stably infinite, universal and has quantifier elimination (thus it coincides with its own model completion). It is not convex, but it satisfies the equality interpolating condition, once the latter is suitably adjusted to nonconvex theories, see [2] for the related definition and all the above mentioned facts.

As T 2 , we take EUF(Σ f ), where Σ f has just one unary free function symbol f (this f is supposed not to belong to the signature of T 1 ).

Let T 1 , T 2 be as above; the formula ∃e (0 < e ∧ e < x ∧ f (e) = 0) (22) does not have a cover in T 1 ∪ T 2 .

Proof. Suppose that (22) has a cover φ(x). This means (according to Coverby-Extensions Lemma 1) that for every model M of T 1 ∪ T 2 and for every element a ∈ |M| such that M |= φ(a), there is an extension N of M such that N |= ∃e (0 < e ∧ e < a ∧ f (e) = 0). Consider the model M, so specified: the support of M is the set of the integers, the symbols from the signature of T 1 are interpreted in the standard way and the symbol f is interpreted so that 0 is not in the image of f . Let a k be the number k > 0 (it is an element from the support of M). Clearly it is not possible to extend M so that ∃e (0 < e ∧ e < a k ∧ f (e) = 0) becomes true: indeed, we know that all the elements in the interval (0, k) are definable as iterated successors of 0 and, by using the axioms of IDL, no element can be added between a number and its successor, hence this interval cannot be enlarged in a superstructure. We conclude that M |= ¬φ(a k ) for every k.

Consider now an ultrapower Π D M of M modulo a non-principal ultrafilter D and let a be the equivalence class of the tuple a k k∈N ; by the fundamental Los theorem [10] , Π D M |= ¬φ(a). We claim that it is possible to extend Π D M to a superstructure N such that N |= ∃e (0 < e ∧ e < a ∧ f (e) = 0): this would entail, by definition of cover, that Π D M |= φ(a), contradiction. We now show why the claim is true. Indeed, since a k k∈N has arbitrarily big numbers as its components, we have that, in Π D M, a is bigger than all standard numbers. Thus, if we take a further non-principal ultrapower N of Π D M, it becomes possible to change in it the evaluation of f (b) for some b < a and set it to 0 (in fact, as it can be easily seen, there are elements b ∈ |N | less than a but not in the support of Π D M).

The counterexample still applies when replacing integer difference logic with linear integer arithmetics.

In this paper we showed that covers (aka uniform interpolants) exist in the combination of two convex universal theories over disjoint signatures in case they exist in the component theories and in case the component theories also satisfy the equality interpolating condition -this further condition is nevertheless needed in order to transfer the existence of (ordinary) quantifier-free interpolants. In order to prove that, Beth definability property for primitive fragments turned out to be the crucial ingredient to extensively employ. In case convexity fails, we showed by a counterexample that covers might not exist anymore in the combined theory. The last result raises the following research problem. Even if in general covers do not exist for combination of non-convex theories, it would be interesting to see under what conditions one can decide whether a given cover exists and, in the affirmative case, to compute it.

Applications suggest a different line of investigations. In database-driven verification [5, 6, 9] one uses only 'tame' theory combinations. A tame combination of two multi-sorted theories T 1 , T 2 in their respective signatures Σ 1 , Σ 2 is characterized as follows: the shared sorts can only be the codomain sort (and not a domain sort) of a symbol from Σ 1 other than an equality predicate. In other words, if a relation or a function symbol has among its domain sorts a sort from Σ 1 ∩ Σ 2 , then this symbol is from Σ 2 (and not from Σ 1 , unless it is the equality predicate). The key result for tame combination is that covers existence transfers to a tame combination T 1 ∪ T 2 in case covers exist in the two component theories (the two component theories are only assumed to be stably infinite with respect to all shared sorts). Moreover, the transfer algorithm, in the case relevant for applications to database driven verification (where T 2 is linear arithmetics and T 1 is a multi-sorted version of EUF(Σ) in a signature Σ containing only unary function symbols and relations of any arity), is relatively well-behaved also from the complexity viewpoint because its cost is dominated by the cost of the covers computation in T 2 . These results on tame combinations are included in the larger ArXiv version [4] of the present paper; an implementation in the beta version 2.9 of the model-checker MCMT is already available from the web site http:// users.mat.unimi.it/users/ghilardi/mcmt.

A final future research line could consider cover transfer properties to nondisjoint signatures combinations, analogously to similar results obtained in [13, 14] for the transfer of quantifier-free interpolation.

Uniform interpolation and propositional quantifiers in modal logics

Quantifier-free interpolation in combinations of equality interpolating theories

Quantifier elimination for database driven verification

Combined covers and Beth definability (extended version)

Formal modeling and SMT-based parameterized verification of data-aware BPMN

From model completeness to verification of data aware processes

Model completeness, covers and superposition

Verification of data-aware processes: challenges and opportunities for automated reasoning

SMT-based verification of data-aware processes: a model-theoretic approach

Model Theory

An algebraic theory of normal forms

Model theoretic methods in combined constraint satisfiability

Interpolation, amalgamation and combination (The nondisjoint signatures case)

Modularity results for interpolation, amalgamation and superamalgamation

Compactly representing uniform interpolants for EUF using (conditional) DAGS

MCMT: a model checker modulo theories

Sheaves, Games, and Model Completions: A Categorical Approach to Nonclassical Propositional Logics. Trends in Logic-Studia Logica Library

A sheaf representation and duality for finitely presenting heyting algebras

Undefinability of propositional quantifiers in the modal system S4

Model completions, r-Heyting categories

Cover algorithms and their combination

Nonlinear polynomials, interpolants and invariant generation for system analysis

Uniform interpolation and coherence

Simplification by cooperating decision procedures

On invariant synthesis for parametric systems

On an interpretation of second order quantification in first order intuitionistic propositional logic

An Essay in Classical Modal Logic

Subalgebras of diagonalizable algebras of theories containing arithmetic

On interpolation and symbol elimination in theory extensions

A new correctness proof of the Nelson-Oppen combination procedure

Uniform interpolation and compact congruences

Uniform interpolation and layered bisimulation

A combination method for generating interpolants