Conflict-Driven Satisfiability for Theory Combination: Lemmas, Modules, and Proofs

Search-based satisfiability procedures try to build a model of the input formula by simultaneously proposing candidate models and deriving new formulae implied by the input. Conflict-driven procedures perform non-trivial inferences only when resolving conflicts between formulæ and assignments representing the candidate model. CDSAT (Conflict-Driven SATisfiability) is a method for conflict-driven reasoning in unions of theories. It combines inference systems for individual theories as theory modules within a solver for the union of the theories. This article augments CDSAT with a more general lemma learning capability and with proof generation. Furthermore, theory modules for several theories of practical interest are shown to fulfill the requirements for completeness and termination of CDSAT. Proof generation is accomplished by a proof-carrying version of the CDSAT transition system that produces proof objects in memory accommodating multiple proof formats. Alternatively, one can apply to CDSAT the LCF approach to proofs from interactive theorem proving, by defining a kernel of reasoning primitives that guarantees the correctness by construction of CDSAT proofs.


Introduction
The satisfiability problem is one of checking if a given formula has a model. In the propositional case (SAT) the input is usually a formula in conjunctive normal form (a set of clauses), and a model is an assignment of truth values to propositional variables that satisfies all the clauses. Many SAT solvers employ a conflict-driven search strategy, known as Conflict-Driven Clause Learning (CDCL), in which the solver extends a partial assignment until it satisfies all clauses, or a conflict arises as the assignment falsifies a clause. Non-trivial inference steps are performed in response to a conflict to roll back the partial assignment and direct the search elsewhere [44,45]. This conflict-driven style inspired the design of several solvers for quantifier-free fragments of arithmetic (e.g., [8,16,17,21,36,37,40,46] for more references). These conflict-driven theory solvers decide the satisfiability of sets of literals in the theory.
The problem of deciding the satisfiability of a quantifier-free formula in a theory is known as Satisfiability Modulo a Theory (SMT). MCSAT, for Model Constructing SATisfiability, integrates a CDCL-based SAT solver and a conflict-driven model-constructing theory solver [6,24,31,34,35,56]. CDSAT, for Conflict-Driven SATisfiability, generalizes MCSAT to a generic union of disjoint theories whose solvers may or may not be model-constructing [11].
In CDSAT, both Boolean and first-order terms are given assignments in a trail representing the candidate model as a partial assignment. First-order terms are assigned constant symbols representing individuals of the corresponding sort in a model's domain (e.g., integer terms are assigned integer constants). Since CDSAT accepts such first-order assignments also as part of the input, CDSAT is an engine to determine the satisfiability of a quantifier-free formula modulo a union of theories (SMT) and possibly modulo an initial assignment of values to terms appearing in the input formula. We call this generalization of SMT satisfiability modulo assignment (SMA).
CDSAT is presented as a transition system that combines multiple theory solvers, all or some of which are conflict-driven, into a conflict-driven solver for the union of the theories. More precisely, CDSAT combines theory inference systems, called theory modules, and performs the conflict-driven search for all theories. A theory module is an abstraction of a theory solver. Propositional logic is regarded as one of the theories. Every theory module can expand the trail in two ways: either by deciding the value of a term or by performing an inference. Theory inferences are applied to propagate consequences of the assignments on the trail, to detect conflicts, and to explain such conflicts, all in the respective theory. A conflict in CDSAT is a set of assignments from the trail that is unsatisfiable. The inferences can be used to transform the conflict into a Boolean one, susceptible of conflict analysis. The analysis solves the conflict, producing a lemma and undoing some assignments on the trail.
In conflict-driven reasoning, it is essential that the system learns a lemma from a solved conflict, because the lemma immediately thwarts any attempt to repeat a failed search path. In CDSAT [11], lemma learning is limited to the case of backjumping that simply flips the truth assignment of a Boolean term that was involved in the conflict. The first contribution of the present article is a CDSAT transition system with a more general and more flexible lemma learning capability. The new lemma learning mechanism subsumes the old one, allows both learn-and-backjump and learn-and-restart, and it enables CDSAT to form and learn new clauses. With this addition, CDSAT reduces to CDCL, if propositional logic is the only theory, and to MCSAT, if propositional logic and another theory with a conflict-driven solver are the only theories.
The theory modules need to satisfy a completeness property that is strong enough to ensure that CDSAT determines whether the input problem has a model in the union of the theories. For such a model to exist, the theories need to agree on what they have in common. As disjoint theories only share equality and sorts, the theories need to agree on which shared terms are equal and on the cardinalities of shared sorts. The standard approach to this problem in the literature is the equality-sharing (Nelson-Oppen) scheme (e.g., [9,23,42,48,49] for a survey covering also several extensions). In order to reach an agreement on which shared terms are equal, each theory solver propagates the (disjunctions of) equalities between shared variables that are entailed by its part of the problem. For cardinalities, the equality-sharing method requires the theories to be stably infinite (every satisfiable formula has a model with countably infinite domain), so that the shared sorts can be interpreted as countably infinite domains.
For model-constructing theory solvers the equality-sharing scheme can be implemented by model-based theory combination (MBTC) [23]. In MBTC a theory solver may decide an equality, between terms occurring in the problem, that is true in its candidate model, even if it is not entailed by its part of the problem. If it turns out later that such an equality is not entailed, it will cause a conflict, so that the responsible solver will retract it and amend its model. MBTC was born out of the observation that, especially when the input is found satisfiable, it is generally less expensive for a theory solver to enumerate the equalities satisfied in a candidate theory model than those entailed.
In the equality-sharing method, including MBTC, solvers are combined as black-boxes. If a conflict-driven model-constructing theory solver is included, as in MBTC, its modelconstructing and conflict-driven operations remain hidden inside the black-box. When combination of theories by equality sharing or MBTC is integrated with the CDCL procedure in the DPLL(T ) or CDCL(T ) paradigm (e.g., [13,23,42,50]), the candidate model on the trail and the public conflict-driven reasoning is propositional. The CDCL procedure plays a central role, while the theory solvers are satellites that signal theory conflicts or submits theory lemmas to CDCL.
In CDSAT all theory modules, including a CDCL module for propositional logic, cooperate as peers to build a model for the union of the theories on the shared trail, and the conflict-driven reasoning happens in the union of the theories. Each theory module has a view of the shared trail, comprising its theory assignments as well as equalities or disequalities implied by assignments of other theories. The idea of MBTC is subsumed, since in CDSAT any theory module can decide an equality that is true in its view of the shared trail. Furthermore, CDSAT does not require stable infiniteness, provided there is a leading theory, its module is complete, and the other modules are leading-theory-complete. The leading theory knows all the sorts in the union of theories, and it aggregates any constraints that the theories may impose on the cardinality of shared sorts. The aggregated constraints are enforced as axioms or theorems of the leading theory and as inference rules of its module. A theory module is complete if it can expand any assignment that is not satisfied by a model of its theory. Leading-theory-completeness also requires that the module can expand an assignment, if its theory model does not agree on cardinalities of shared sorts and equality of shared terms with a model of the leading theory.
In previous work [11] we showed that if the theory modules are sound and leadingtheory-complete, CDSAT is sound and complete. Furthermore, we exemplified the notion of theory module by listing theory modules for propositional logic, also known as the Boolean theory (Bool), the theory of equality with uninterpreted function symbols (EUF), the theory of arrays (Arr), and linear rational arithmetic (LRA). A non-conflict-driven solver can be abstracted into a black-box theory module, whose only inference rule invokes the solver to detect a theory conflict on the trail. However, it was not shown that these modules are leading-theory-complete. The second contribution of the present article is a collection of completeness theorems showing that the above theory modules are leading-theory-complete for all suitable leading theories. Moreover, we prove that if all modules are black-boxes, CDSAT emulates the equality-sharing method (covering also MBTC), and we demonstrate the role of the leading theory by considering the case where at-most cardinality constraints need to be enforced.
A key difference between conflict-driven theory reasoning and conflict-driven propositional reasoning is that theory inference rules may explain conflicts by inferences that generate new (i.e., non-input) terms. If the transition system allows this kind of expansion, termination requires that all new terms come from a finite basis (e.g., [24]). For conflict-driven reasoning in a union of theories, this issue must be approached locally, because no inference system should be authorized to generate infinitely many terms, and globally, because the interaction of multiple inference systems should preserve finiteness. In previous work [11] we showed that if every theory module is equipped with a finite local basis for its theory, and a finite global basis for the union of the theories does exist, CDSAT is guaranteed to halt. However, finite local bases for the above modules were not exhibited. The third contribution of the present article is a collection of finite local bases for those modules, with a technique for the generic construction of a finite global basis from given finite local bases.
Proofs are important in SMT/SMA, because many applications require the solver to generate either a satisfying assignment or a proof of unsatisfiability. CDCL-based SAT solvers generate proofs by resolution [57]. Since such proofs are huge, more sophisticated and compact proof formats have been investigated (e.g., [22,29,32,33]). The DPLL(T ) or CDCL(T ) paradigm naturally supports the generation of proofs by resolution, where the theory lemmas are plugged in as leaves with black-box subproofs [3,12,27,38]. This style has been implemented in solvers such as Z3 [3], veriT [2,27], and CVC4 [38] and extended in several ways (e.g., [2,38]). In CDSAT, the CDCL-based SAT solver loses its centrality as the only conflict-driven component, and all theory modules contribute directly to the proof, including new terms. Even if propositional resolution with theory subproofs is chosen as the final proof format, CDSAT proofs cannot be reconstructed in the same way as CDCL(T ) proofs, because the structure and the operations of CDSAT differ from those of CDCL(T ). The fourth contribution of the present article comprises two approaches to generate CDSAT proofs.
The first approach is a proof-carrying CDSAT transition system, where proof terms record the information needed to generate proofs. We describe different ways to turn proof terms into proofs, including producing resolution proofs with theory lemmas. These proof objects can then be checked directly by a verified checker [53] or exported to a proof format verifiable by proof checkers. Thus, proof-carrying CDSAT can slot into pipelines from proof-search to proof-checking [1,5,7], where a minimal amount of proof information (e.g., an unsatisfiable core) may be sufficient for a theorem prover to regenerate a proof in its own format. The second approach works by specifying a small kernel of primitives in LCF style [30,47], so that building proof objects in memory can be avoided. If CDSAT is implemented on top of this kernel, the LCF-type abstraction ensures that an unsat answer is correct by construction, and CDSAT can be used as a trusted external oracle for interactive proof tools.
In summary, the original contributions of the present article include: 1. An extension of the CDSAT transition system with a more general and more flexible lemma learning capability; 2. Definitions of finite local bases and proofs of leading-theory-completeness of the modules for Bool, EUF, Arr, and LRA, as well as for a generic black-box module, and a generic module for at-most cardinality constraints; 3. A general technique to construct a finite global basis for a union of theories from finite local bases of the theories; and 4. Approaches to endow CDSAT with proof generation either by producing proof objects in memory or in LCF style.
This article is organized as follows. Section 2 contains basic definitions for CDSAT. Section 3 is subdivided in three parts: Sect. 3.1 describes the CDSAT transition system with enhanced lemma learning; Sect. 3.2 illustrates via examples the novel lemma learning capabilities; and Sect. 3.3 presents other definitions, including that of leadingtheory-completeness, discussing how the soundness, completeness, and termination results for CDSAT [11] extend to the transition system in Sect. 3.1. Section 4 presents theory modules, local finite bases, and leading-theory-completeness theorems for Bool, LRA, EUF, Arr, a generic stably infinite theory, and a generic theory with at-most cardinality constraints. Section 5 portrays the technique to get a global basis from local ones. Sections 6 and 7 cover the two approaches to proof generation in CDSAT.
Lemma learning and proof generation for CDSAT appeared in a conference version [10] of the present article.

Basic Definitions
Let T 1 , . . . , T n be disjoint theories, each defined by its signature Σ k =(S k , F k ) and axiomatization A k , where S k is the set of sorts and F k is the set of symbols, for all k, 1 ≤ k ≤ n. Every theory has the sort prop of the Boolean values and sorted equality symbols: S = { s : s×s→prop | s ∈ S k } ⊆ F k . The sorts of equalities may be omitted. Disjointness means that the theories do not share symbols except equality on shared sorts. Often one of the theories is the Boolean theory Bool, with the logical connectives ¬, ∧, and ∨ as symbols. Formulae are terms of sort prop. The union of T 1 , . . . , T n is denoted T ∞ , with signature Σ ∞ =(S ∞ , F ∞ ), where S ∞ = n k=1 S k and F ∞ = n k=1 F k , and axiomatization n k=1 A k . Let T, Σ, and S stand for T k , Σ k , and S k (1 ≤ k ≤ n), or for T ∞ , Σ ∞ , and S ∞ . We assume a collection V = (V s ) s∈S of disjoint sets of variables, where V s is the set of variables of sort s. We use x, y, and z for variables, t and u for terms of any sort, l and p for formulae, and for the subterm ordering. If Σ = (S, F) is a signature with F ⊆ F ∞ , the Σ-foreign subterms of a term t are those subterms whose root symbol is not in F, including variables. Non-variable Σ-foreign subterms can be regarded as variables, without replacing them explicitly with new variables. This is accomplished by defining the free Σ-variables of t as its Σ-foreign subterms with a -maximal occurrence. For a term t, the set of its free Σ-variables is denoted fv Σ (t), and the set of its free Σ-variables of sort s is denoted fv s Σ (t). For a set X of terms, CDSAT works with assignments that assign to terms values of the appropriate sort. For example, assuming theories Bool, Arr, and a fragment of arithmetic, ((x > 1) ∨ (y < 0))←true, y←−1, z← √ 2, (store(a, i, v) b)←true, select(a, j)←3, and (select(a, j) v)←true are assignments. The standard approach to define what the values are is to extend the signature with sorted constant symbols to name all individuals in the domains used to interpret the sorts (e.g., the appropriate set of numerals for a fragment of arithmetic).
For each T k , 1 ≤ k ≤ n, a conservative theory extension T + k is a theory with signature where F + k adds to F k a possibly empty set of new constant symbols, called T k -values, accompanied by new axioms as needed (e.g., √ 2 with √ 2 · √ 2 2). For numerals, as for true and false, a T k -value is both the domain element and the constant symbol that names it. F + k may be infinite, but it is countable (e.g., using the algebraic reals as real numbers). The trivial extension only adds {true, false} as T k -values. We assume that the extended theories are still disjoint except for true and false. The The symbols c and q, possibly with subscripts, are used for values, reserving b for true or false.
Recalling that T stands for either is the subset of the terms of sort s in G(J ). The set of free variables of J is fv Σ (J ) = {u | u ∈ fv Σ (t), (t←c) ∈ J }. We use J for generic T -assignments, A for generic singleton assignments, L or K for Boolean singleton assignments, H and E for T ∞ -assignments.
The flip L of L assigns to the same formula the opposite Boolean value. Since ¬ is a function symbol in the signature of Bool, one can write l←true and l←false, that are one the flip of the other, and also ¬l←true and ¬l←false, that are also one the flip of the other. Clearly, l←true and ¬l←false are equivalent and so are l←false and ¬l←true. The simplest form is preferred when writing assignments: for example, if l is ¬a, where a is a propositional variable, it is preferable to use a←true and a←false. Furthermore, l←true is abbreviated as l, l←false as l, and (t u)←false as t u.
An assignment is plausible if for no L it contains both L and L. A Boolean assignment only assigns Boolean values, while a first-order assignment only assigns non-Boolean values. An SMT problem is presented as a plausible Boolean assignment {l 1 ←true, . . . , l m ←true}, abbreviated {l 1 , . . . , l m }, while an SMA problem also includes first-order assignments.
The theory view, or T-view, H T of a T ∞ -assignment H comprises the T-assignments in H and all equalities or disequalities between terms of a sort in S that are entailed by first-order assignments in H . If {x←3, y←3, z←4} ⊆ H , the T-view H T also includes x y, x z, and y z, for every T having the sort of x, y, and z. If H is Boolean, H T = H . As a T iassignment (1 ≤ i ≤ n) is a special case of T ∞ -assignment, the T-view of a T i -assignment is also defined.
A T + -model M endorses a T-assignment J , written M | J , if M satisfies u c for all pairs (u←c) ∈ J . It follows that if {u←c, t←c} ⊆ J , then M also satisfies u t. If M | J T , that is, M endorses the T-view of J , then M also satisfies u t, for all pairs u←c 1 and t←c 2 in J with c 1 = c 2 . Thus, M | J T is generally stronger than M | J .
A T-assignment J is satisfiable, if there is a T + -model M such that M | J T , and it is unsatisfiable otherwise, written J | ⊥. We write J | L if M | L for all T + -models M such that M | J T . All this applies to a T ∞ -assignment H , for which we say that M globally endorses H if M | H T ∞ , also written M | G H to emphasize "globally." A theory module I k for theory T k (1 ≤ k ≤ n) is an inference system with inferences of the form J I k L, or J k L for short, where J is a T k -assignment and L is a Boolean assignment. Theory modules are required to be sound: if J k L then J | L. In the sequel, assignment stands for T ∞ -assignment.

CDSAT with Lemma Learning
In this section we present the CDSAT transition system with lemma learning. Section 3.1 presents the CDSAT transition system as in [11], except that the Backjump rule of [11] is replaced by a new LearnBackjump rule that introduces a more general and more flexible lemma learning mechanism. Section 3.2 analyzes in detail the working of LearnBackjump: it is more general because it enables CDSAT to learn new clauses, whereas Backjump only flips a Boolean term; it is more flexible because it enables a CDSAT search plan to choose the destination level upon backjumping; and it can simulate the Backjump rule. Section 3.3 includes the definitions of basis and leading-theory-completeness (from [11]), and discusses how the arguments of the proofs of soundness, termination, and completeness of CDSAT in [11] are modified to have LearnBackjump in place of Backjump.

The CDSAT Transition System with Lemma Learning
CDSAT works with a trail Γ , defined as a sequence of distinct singleton assignments that are either decisions or justified assignments. A decision is written ? A to convey guessing, and it can be either a Boolean or a first-order assignment. A justified assignment is written H A, where H , the justification of A, is a set of singleton assignments that appear before A in Γ . The elements of the input assignment H 0 are listed in Γ as justified assignments with empty justification. The only justified assignments that are first-order assignments are the input first-order assignments of an SMA problem; all non-input justified assignments are Boolean. A non-input justified assignment J L is due to either an inference J k L for some theory T k , 1 ≤ k ≤ n, or a conflict-solving transition.
A trail can be seen as an assignment by ignoring order and justifications.
Given a trail Γ with assignments A 0 , . . . , A m , the level of a singleton assignment The level of a set of singleton assignments H ⊆ Γ is given by level Γ (H ) = 0, if H = ∅, and level Γ (H ) = max{level Γ (A) | A ∈ H }, otherwise. As the level of H A depends on its justification, not on its position on the trail, the trail is not organized as a stack, and H A can be added to the trail after assignments of greater level. This behavior and assignment A are called late propagation. Γ ≤m denotes the restriction of Γ to its elements of level at most m.
The state of a CDSAT-derivation is either a trail Γ or a conflict state Γ ; E , where Γ is a trail, and E is a conflict, that is, an assignment such that E ⊆ Γ and H 0 ∪ E | ⊥. The CDSAT transition system features trail rules, denoted −→, and conflict-state rules, denoted ⇒, with transitive closure ⇒ * and for disjoint union (see Fig. 1). As CDSAT may place on the trail assignments for new (i.e., non-input) terms, for termination all terms must come from a finite set B, called global basis, which is determined based on the input and does not change during the derivation. While terms come from B, values come from F + ∞ , which may be infinite: a derivation will use a finite subset of F + ∞ that is not fixed beforehand. An assignment H is in B if t ∈ B for all (t←c) ∈ H .
Rule Decide adds a decision u←c if it is acceptable for a theory module I k in its view Γ T k of trail Γ . Acceptability comprises three requirements: (1) Γ does not assign a T k -value to u; (2) if u←c is first-order, there is no inference J ∪ {u←c} I k L such that L ∈ Γ T k for J ⊆ Γ T k ; and (3) u is relevant to T k in Γ T k . The latter means that either (i) u ∈ G(Γ T k ), T k has its sort and values for it, so that I k can decide an assignment to u; or (ii) u is an equality u 1 u 2 such that u 1 , u 2 ∈ G(Γ T k ), T k has their sort, but does not have values for their sort, so that I k can decide the truth value of u 1 u 2 .
By Condition (1), if L ∈ Γ , both L and L are unacceptable for all theories.
where f is a function from colors to colors, u 1 ←yellow is relevant to a theory of colors by (i), while u 1 u 2 is relevant to EUF by (ii), provided EUF has the sort of colors. A decision u←c is forced when c is the only acceptable value for u, such as if {u t, t←c} ⊆ Γ for EUF, or {u ≤ t, t ≤ u, t←c} ⊆ Γ for LRA.
Rule Deduce expands Γ with a Boolean singleton assignment justified by a theory inference J k L from assignments J already in Γ . Sound theory inferences yield sound justified assignments. The system proceeds with decisions and deductions until a conflict arises: if J k L and L ∈ Γ , the assignment J ∪ {L} is a conflict. Deduce encompasses propagation, by deducing an assignment entailed in the theory by assignments in Γ , and conflict explanation, by performing theory inferences that allow a theory conflict to surface in Γ as a Boolean conflict. For example, given a series of decisions u 2 ←yellow, f (u 1 )←red, u 1 ←yellow, f (u 2 )←blue, a module for the theory of colors can deduce (propagate) f (u 1 ) f (u 2 ) and u 1 u 2 by equality inferences (cf. Fig. 3 in Sect. 3.3), and a module for EUF can detect the conflict by deducing Sect. 4.2). If the conflict is at level 0, rule Fail returns unsat. Otherwise, rule ConflictSolve returns the trail Γ produced by the conflict-state rules, so that the search can resume.
The conflict-state rules handle both first-order and Boolean assignments and their interplay. Conflict-solving as in CDCL involves flipping a Boolean assignment L into L, recording that L was tried and failed. A first-order assignment u←c cannot be flipped: its complement would be the set of all other values for u, which is not a singleton and not even a finite set in general. Thus, u←c is undone, not flipped. Since u←c may appear in justifications, undoing it requires the removal of all its consequences (i.e., justified assignments with u←c in the justification). A Boolean decision L is then forced (for a consequence L of u←c in the conflict) to prevent repeating the same first-order decision u←c that caused a conflict. Another remark is that since each assignment has a level, conflict solving can proceed by considering an assignment that stands out, because its level is the greatest level in the conflict. Clearly, such an assignment is not unique in general.
The main workhorse of conflict solving is the Resolve rule. Resolve explains a conflict E {A} by replacing a justified assignment A with its justification H (see Fig. 1). Since If A is first-order, it is an input assignment (H = ∅), and Resolve removes A from the conflict, not from the trail. For example, Resolve turns a conflict is on the trail. Intuitively, one can think of Resolve continuing to unfold the conflict, until it contains an assignment A that stands out in the above sense. This outstanding assignment A is either a first-order or a Boolean assignment.
If A is a first-order assignment with level Γ (A) = m, rule UndoClear applies by going back to Γ ≤m−1 (see Fig. 1), which means that it undoes A and clears the trail of all its consequences. Note that m−1 ≥ 0 implies m > 0, that is, A is a decision. UndoClear solves the above conflict produced by Resolve by removing f (u 2 )←blue, whose level is m = 4, and . Going back to Γ ≤ m−1 does not represent a loop, because Γ ≤m−1 is new, as it must contain some late propagation. Indeed, A was acceptable when it was decided, which means it did not cause a conflict. If A became later part of a conflict, it must be that some late propagation L with level Γ (L) < m was added to the trail after A, so that L is in Γ ≤m−1 . In the example, the late propagation is u 1 u 2 on level 3. A Deduce step based on If A is a Boolean assignment L in a conflict E {L} such that level Γ (E) = m and level Γ (L) > m, CDSAT [11] applies the Backjump rule, which solves the conflict by producing the trail Γ ≤m , E L. In other words, it jumps back to level m and adds to the trail the justified assignment E L, which is sound because Here the Backjump rule is replaced with the more general LearnBackjump, which behaves like Backjump when H and L in its definition in Fig. 1 are {L} and L, respectively. LearnBackjump and the notion of clausal form mentioned in Fig. 1  If an assignment other than L in the conflict has level m (see the condition of UndoDecide in Fig. 1), UndoDecide undoes A and its consequences by going back to Γ ≤m−1 and decides L. If L is the only assignment of level m in the conflict, LearnBackjump applies like Backjump.
The CDSAT transition system is non-deterministic, as it leaves room for heuristic choices. Thus, multiple CDSAT-derivations from a given input exist. The addition of a search plan that controls the application of the transition rules yields a CDSAT procedure, whose derivation from a given input is unique.

Lemma Learning in CDSAT
The CDCL procedure can learn a propositional resolvent that was generated to explain a conflict. For example, consider a CDSAT trail containing where ∅ a ∨ b and ∅ ¬a ∨ d belong to the input assignment H 0 and have level 0; ? d has level 1, ? b has level 2, and {d, ¬a ∨ d} a is a late propagation and has level 1. Clause a ∨ b is a conflict clause for CDCL, and {a ∨ b, a, b} is a conflict for CDSAT. The CDCL procedure can learn b ∨ d, resolvent of a ∨ b and the CDCL justification ¬a ∨ d of a.
CDSAT [11] can apply the Backjump rule, which fires when CDSAT reaches a con- Alternatively, CDSAT [11] can Resolve the conflict into {a ∨ b, d, ¬a ∨ d, b} and then apply Backjump to yield the trail Either way, CDSAT [11]  In general, LearnBackjump empowers CDSAT to turn any Boolean subset of a conflict into a disjunction of Boolean terms, that the system can learn, and that we call clause, slightly abusing the terminology because Boolean terms are formulae. This requires ∨ ∈ F ∞ , which is the case whenever T ∞ includes propositional logic. If ∨ / ∈ F ∞ , only unit clauses will be learned.   The new rule LearnBackjump allows CDSAT to perform learning and backjumping, or learning and restart, and it subsumes the Backjump rule [11], adding the capability of learning clauses. We examine these features in this order. Learning and backjumping is the generic behavior of LearnBackjump. This rule singles out a Boolean subset H of the conflict E H , such that level Γ (H ) > level Γ (E). Then, it solves the conflict by jumping back to a level m, such that level Γ (E) ≤ m < level Γ (H ), and learning a clausal form L of H . The system learns L by adding to the trail the justified assignment E L, which is sound, The derivation continues from level 2 with ¬l 2 ∨¬l 4 added to level 0.
We consider next learning and restart. It is common to restart after learning a clause, and search plans with aggressive restart proved successful in SAT solving. LearnBackjump makes this kind of search plan possible in CDSAT. Assume that the destination level m is chosen to be the smallest, that is, m = level Γ (E). If level Γ (E) is 0, LearnBackjump produces a trail of the form Γ ≤0 , E L, performing a restart and adding E L to level 0. We analyze next how LearnBackjump subsumes the Backjump rule [11] recalled in Sect. 3.1 and at the beginning of this section. LearnBackjump behaves in the same way as Backjump, if it picks as H a singleton L, as L is a clausal form of a singleton Boolean assignment L in a conflict. However, while Backjump goes back to level m = level Γ (E), LearnBackjump allows to choose any destination level m such that level Γ (E) ≤ m < level Γ (L).

Example 3
In the conflict on the last line of Fig. 2, the level of l 4 is greater than that of the rest of the conflict Thus, Backjump could apply; LearnBackjump mimics it with H = {l 4 } and m = 2 to yield The side-conditions L / ∈ Γ and L / ∈ Γ prevent LearnBackjump from breaking plausibility or adding to the trail a clause that is already there.
We inspect last the learning of clauses. In CDCL, the last conflict clause generated prior to backjumping is called backjump clause: the procedure learns this clause and jumps back to a prior level, undoing at least one decision and satisfying the learned clause by placing one of its literals on the trail. An assertion clause is a conflict clause such that only one of its literals, termed assertion literal, is falsified on the current, or greatest, level of the trail. The First Unique Implication Point (1UIP) heuristic [45] picks as backjump clause the first generated assertion clause, as destination level the smallest where the assertion literal is undefined and all other literals of the assertion clause are false, and places the assertion literal on the trail.
The Backjump rule of CDSAT [11] generalizes this behavior, taking into account that, unlike in CDCL, a CDSAT trail is not a stack. Backjump applies to a conflict E {L} such that level Γ (L)>level Γ (E), but level Γ (L) is not necessarily the current one, and Backjump puts E L on the trail without learning an assertion clause. However, if a CDSAT conflict has the form E {L} with level Γ (L)>level Γ (E), it is possible to extract from the conflict an assertion clause, and LearnBackjump does it.
Let κ = l 1 ∨· · ·∨l q be an assertion clause and l q its literal such that L = (l q ←false) is on the current level. Assume that κ ∈ B. In order to learn κ, it suffices to take the Boolean {L} of the conflict that makes κ false: for all i, 1≤i≤q, (l i ←false) ∈ H if and only if l i ∈ κ and (l i ←true) ∈ H if and only if ¬l i ∈ κ. By Definition 1, the assignment K = (κ←true) is a clausal form of H . Let E be the rest of the conflict. Then the system applies LearnBackjump with destination level m = level Γ (E H ), which means that m ≥ level Γ (H ). This choice satisfies the condition level and κ is learned. The theory module for Bool features inference rules for unit propagation (see Sect. 4.1) that allow the inference: (1) and H makes l 1 , . . . , l q−1 false, so that unit propagation infers l q . Since L makes l q false, L makes l q true. Because the destination level m of the LearnBackjump step was chosen in such a way that m ≥ level Γ (H ), the premises K , H of inference (1) are all on the trail Γ ≤m , E K . Furthermore, literal l q is in B, since L was on the trail. Thus, all conditions for a Deduce step with inference (1) are met. The resulting trail is which is similar to the Γ ≤m , E H L produced by Backjump, except for the learned clause K . The advantage is that K can be reused in future branches of the search. The smaller the level of E K , which is level Γ (E), the longer K may remain on the trail and be used for inferences.

Example 6 Continuing Example 1 from
rule Deduce with inference (1) generates A comparison between Examples 3 and 6 shows the difference between LearnBackjump imitating Backjump, and a LearnBackjump Deduce sequence that backjumps, learns the assertion clause, and asserts the assertion literal by Deduce. A CDSAT search plan may restrict the application of LearnBackjump to 1UIP assertion clauses and couple it with Deduce systematically.

Soundness, Completeness, and Termination with Lemma Learning
In this section we present definitions about theory modules that appeared in [11], but must be reproduced because they are indispensable for what follows in Sects. 4 and 5, and we discuss how replacing Backjump with LearnBackjump is harmless for the soundness, termination, and completeness of CDSAT. Every theory module includes the equality inference rules of Fig. 3. The first two rules allow any module to infer an assignment to an equality from assignments to its sides. Indeed, in the presence of first-order assignments, there are two ways to make an equality t 1 s t 2

Fig. 3
Equality inference rules, where t 1 , t 2 , and t 3 are terms of sort s true: either assign the same value to t 1 and t 2 or assign true to t 1 s t 2 . Dually, there are two ways to make t 1 s t 2 false: either assign distinct values to t 1 and t 2 or assign false to t 1 s t 2 . The first two equality rules provide a bridge between these two ways (cf. the two ways for a term to be relevant to a theory in Sect. 3.1). The remaining equality rules are standard rules for reflexivity, symmetry, and transitivity.
In order to explain theory conflicts, theory inferences may introduce new (i.e., non-input) terms. For termination, all new terms must come from a finite local basis associated with the module and dependent on the input problem. We say that a set X of terms is closed if (i) it is closed with respect to the subterm ordering, or -closed for short: for all u ∈ X , t u implies t ∈ X , and (ii) it is closed with respect to equality: for all t, u ∈ X of sort s, s = prop, (t s u) ∈ X . The second condition excludes prop, because otherwise a non-empty closed set is necessarily infinite, as it would contain, for all terms t of sort s, the infinite series

Definition 2 (Basis)
A basis for theory T with signature Σ is a function basis from sets of terms to sets of terms, such that for all sets X of terms:

no introduction of foreign terms).
For each theory T k in the union, 1 ≤ k ≤ n, the theory module I k has a basis, called local basis and denoted basis I k or basis k , such that for all sets X of terms (e.g., X = G(H 0 ) for input assignment H 0 in a CDSAT-derivation), basis k (X ) contains all terms that I k can generate starting from those in X . Given a T -assignment J , we abbreviate basis(G(J )) as

Definition 3 (Assignment expansion)
A T -module I with local basis basis expands a Tassignment J by adding either (1) a T -assignment A that is acceptable for I in J , or (2) a Boolean assignment l←b derived by an I-inference J I (l←b) such that J ⊆ J , (l←b) / ∈ J , and l ∈ basis(J ).

Definition 4 (One-theory-completeness) Given theory T , a T-module I is complete for
For completeness in a union T ∞ of theories, the theories need to agree on cardinalities of shared sorts and equalities between shared terms. CDSAT achieves this by requiring that every theory agrees on both counts with a leading theory, say T 1 , which has all the sorts, that is, such that S 1 = S ∞ .

Definition 5 (Leading-theory-compatibility)
Let T 1 be the leading theory, T , Σ, and S stand for T k , Σ k , and S k , 2 ≤ k ≤ n, and N be a set of terms.
Since in a worst-case scenario all terms are shared, the next definition picks as set of shared terms the set of all terms occurring in the assignment.

Definition 6 (Leading-theory-completeness) For a non-leading theory
Note that if I cannot expand J , all applicable equality inference steps (see Fig. 3) have been applied, and therefore J = J T .
The next theorem summarizes the requirements for soundness, termination, and completeness of CDSAT: Sects. 4 and 5 will show how to fulfill those for completeness and termination, respectively.

Theorem 1 CDSAT with lemma learning and global basis B is
-Sound: if the theory modules are sound, whenever a CDSAT-derivation reaches state unsat, the input problem is unsatisfiable; -Terminating: if B is finite and closed, every CDSAT-derivation from an input problem in B is guaranteed to terminate; and -Complete: if there is a leading theory T 1 , module I 1 is complete for T 1 , modules I k 's, 2 ≤ k ≤ n, are leading-theory-complete, and B is stable, whenever a CDSAT-derivation from an input problem in B reaches a state other than unsat such that no transition rule applies, there exists a T + ∞ -model that globally endorses the assignment on the trail, hence the input problem.
We conclude this section with a discussion of how the soundness, termination, and completeness arguments for CDSAT [11] carry over to CDSAT with LearnBackjump. The proof of soundness rests on soundness of the theory modules and on showing that CDSAT transitions transform sound states into sound states, meaning that justified assignments are sound and conflicts are indeed conflicts: LearnBackjump does not change this, because it adds sound justified assignments.
The proof of termination begins by using acceptability of decisions to show that a CDSAT trail does not contain distinct assignments to the same term, unless they are input assignments. For Boolean assignments, this means that CDSAT rules preserve plausibility, and so does LearnBackjump, since in essence it flips a Boolean assignment. Next, the closedness of B and the relevance of decided terms 1 are employed to show that if the input assignment H 0 is in B, so are all derived trails: this holds also with LearnBackjump, because the learned clause is required to be in B. Then, one uses the finiteness of B to get an upper bound on trail length, hence a trail measure, and shows that CDSAT transitions reduce the trail measure with respect to a well-founded ordering: LearnBackjump does it like Backjump.
For completeness, one preliminarily observes that if B is stable, then it is closed (by extensiveness and closedness of all basis k 's, see Definition 2). Then, one uses the closedness of B and the completeness of the theory modules to show that, whenever a CDSAT-derivation reaches a state other than unsat such that no transition rule applies, its trail Γ is modeldescribing. Replacing Backjump with LearnBackjump preserves this result, because if LearnBackjump does not apply, Backjump does not apply either, as LearnBackjump subsumes Backjump. Γ is model-describing if Γ T 1 is endorsed by a T + 1 -model, and for all k, 2 ≤ k ≤ n, Γ T k is leading-theory-compatible with T k sharing the set of shared terms of the problem. The generic assignment J of the definitions of leading-theory-compatibility and leading-theory-completeness (see Definitions 5 and 6) is instantiated to Γ T k , and a theory module I k , 2 ≤ k ≤ n, is leading-theory-complete sharing G(Γ T k ), hence sharing the set of shared terms of the problem, since the latter is a subset of G(Γ T k ) for all problems. The proof of completeness is achieved by showing that a model-describing trail is globally endorsed by a T + ∞ -model, which is independent of transition rules.

Completeness of Theory Modules
In previous work we defined theory modules for Bool, EUF, Arr, LRA, and generic Nelson-Oppen theories [11]. In this section we add a theory module for a generic non-stably infinite theory, we specify local bases for all these theory modules, and we prove that all these theory modules are leading-theory-complete for all suitable leading theories, fulfilling a key requirement for the completeness of CDSAT (see Theorem 1). A theory module is an inference system, that is, a set of inference rules, and it represents an abstraction with respect to a theory satisfiability procedure. A theory satisfiability procedure implements the inference rules of the module, a search plan, and other algorithmic components, such as those of a full-fledged CDCL procedure for Bool, a congruence-closure algorithm for EUF, or an LRA-procedure that keeps polynomials in normal form as sums of monomials and maintains lower and upper bounds for each rational variable.
We begin with a lemma that will be used several times in the sequel. Given a T -assignment J , let J s be the binary relation over G s (J ) defined by t 1 J s t 2 if and only if (t 1 s t 2 ) ∈ J . The lemma shows that if module I for theory T cannot expand J , the relation J s is an equivalence, and J provides T -values for all terms that are relevant to T . For terms of sort s other than prop, this result relies on two hypotheses: first, J does not exhaust the supply of s-sorted T -values, so that a decision is doable; second, the only I-rules with first-order assignments as premises are equality inferences (see Fig. 3), so that the analysis of acceptability of decisions is module-independent. If T + offers infinitely many s-sorted T -values, the first hypothesis is satisfied a priori. Proof All claims are proved by way of contradiction.

Lemma 1 If
1. Assume that J s is not reflexive. This means there exists a term t ∈ G s (J ) such that (t s t) / ∈ J . The Boolean assignment t s t can be derived by reflexivity (see Fig. 3), and (t s t) ∈ basis I (J ) since basis I (J ) is closed and therefore contains all equalities between terms in G s (J ) for s = prop. Thus, I can expand J , which is a contradiction. The cases for symmetry and transitivity are analogous. Similarly, assume that {t 1 ←c 1 , t 2 ←c 2 } ⊆ J , c 1 and c 2 are identical, but (t 1 s t 2 ) / ∈ J : then I can expand J by an equality inference deriving t 1 s t 2 . Conversely, assume (t 1 s t 2 ) ∈ J , and c 1 and c 2 are distinct: by plausibility (t 1 s t 2 ) / ∈ J , and I can expand J by an equality inference deriving t 1 s t 2 . 2. Assume l is a relevant formula without assigned value. Then l←b (for either truth value) is acceptable for I in J , and therefore I can expand J . 3. Assume that J does not assign a value to such a relevant term t. We find an acceptable assignment for t, so that I can expand J . It suffices to find a value that does not cause a conflict (see Sect. 3.1 for acceptability). Consider the J s -equivalence class e of t (the relation J s is an equivalence by Part (1)). If none of the terms in e are assigned a value in J , then t←c, where c is the T -value of sort s that J does not use, is acceptable, because otherwise there would be an assignment (t 2 ←c 2 ) ∈ J and an equality inference t←c, t 2 ←c 2 t t 2 such that (t t 2 ) ∈ J , meaning t 2 ∈ e is assigned a value. If for a term t 1 ∈ e, J contains t 1 ←c 1 , then t←c 1 is acceptable, because otherwise there would be an assignment (t 2 ←c 2 ) ∈ J and an equality inference t←c 1 and, by transitivity (since t 1 ∈ e), t 1 J s t 2 , so that c 1 and c 2 should be identical by Part (1).
The definition of leading-theory-compatibility with theory T (see Definition 5) refers to a generic set N of shared terms and considers models whose sets of variables include the set of free variables of J ∪ N , for J a T -assignment. The definition of leading-theorycompleteness (see Definition 6) instantiates N to be G(J ) in order to cover all possible sets of shared terms. Thus, when proving leading-theory-completeness we are interested in showing the existence of a T -model whose set of variables includes fv Σ (J ∪ G(J )), with Σ the signature of theory T . Clearly, fv Σ (J ∪ G(J )) = fv Σ (G(J )). On the other hand, in general, fv Σ (G(J )) = fv Σ (J ), because there can be two Σ-foreign terms u, t ∈ G(J ) such that u t, so that u ∈ fv Σ (G(J )), but u / ∈ fv Σ (J ). The following remark is stated as a corollary of Lemma 1, because Lemma 1 will be applied to show that a T -assignment J assigns values to all terms in G(J ), or to all equalities between terms in G(J ), and then the following corollary will be applied to conclude that in such cases fv Σ (G(J )) = fv Σ (J ), so that it suffices to build a T -model whose set of variables includes fv Σ (J ).

Corollary 1 For all signatures Σ = (S, F) and assignments J , if either (1) for all terms
The direction fv Σ (G(J )) ⊆ fv Σ (J ) follows from either hypothesis.
The corollary is true regardless of signature Σ; however, it will be applied to a T -assignment J and the signature Σ of theory T .
The following lemma is useful to prove leading-theory-completeness for a theory module I 1 and then extend the result to a module I 2 with additional inference rules, that is, such that I 1 ⊆ I 2 (modules are sets of inference rules).
Lemma 2 Let I 1 and I 2 such that I 1 ⊆ I 2 be modules for a theory T . If all inference rules in I 2 \I 1 take only Boolean assignments as premises, then if I 1 is leading-theory-complete, I 2 also is leading-theory-complete.
Proof We need to show that I 2 can expand a plausible T -assignment J whenever I 1 can (see Definition 6). If I 1 expands J by an inference (Case (2) of Definition 3), then I 2 can do it too, since I 1 ⊆ I 2 . If I 1 expands J by a decision (Case (1) of Definition 3), we need to show that the decision is acceptable also for I 2 . By way of contradiction, suppose that the decision is acceptable for I 1 but not for I 2 . By definition of acceptability (see Sect. 3), this means that the decision is a first-order assignment u←c and there is an inference J ∪ {u←c} I 2 L with L ∈ J and J ⊆ J . Furthermore, this I 2 -inference applies a rule in I 2 \I 1 , because u←c is acceptable for I 1 . It follows that this rule in I 2 \I 1 takes a first-order assignment as premise, contradicting the hypothesis that all rules in I 2 \I 1 take only Boolean assignments as premises.
Let x be an arbitrary variable of sort prop, stand for (x prop x)←true, and ⊥ for x prop x: no model endorses ⊥ and is an equality inference.

Propositional Logic
For propositional logic the signature Σ Bool has only the sort prop and symbols prop for equality, ¬: prop → prop for negation, ∨: (prop×prop) → prop for disjunction, and ∧: (prop×prop) → prop for conjunction. Let Bool + be the trivial extension, and I eval Bool the module that only adds to the equality inference rules of Fig. 3 an inference rule for evaluation of formulae: where l is in the closure of formulae l 1 , . . . , l m under the Σ Bool -connectives, and b is its truth value determined by b 1 , . . . , b m and the truth tables. Given a set X of terms, basis Bool (X ) contains all subformulae of formulae in X by closedness (see Definition 2), and all disjunctions of subformulae in X for lemma learning.
Let I Bool be the module that adds to I eval Bool rules for negation elimination, conjunction elimination, and unit propagation as in CDCL: Then by Lemma 2 we have Corollary 2 Module I Bool is leading-theory-complete for all leading theories.

The Theory of Equality
For the theory of equality EUF, with signature Σ EUF = (S, S ∪ F), the extension EUF + may either be trivial or add a countably infinite set of values for each sort in S\{prop} and no axioms. A minimal module I m EUF complements the equality inference rules (see Fig. 3) with an inference rule for all f ∈ F, that fires when the trail violates a congruence axiom of equality. In case of non-trivial extension, the equality inference rules are the only rules that make use of firstorder assignments, and values are employed as labels of congruence classes of terms. For example, the first-order assignment t 1 ←c, t 2 ←c, t 3 ←c 3 , t 4 ←c 4 , t 5 ←c 5 and the Boolean assignment represent the same four congruence classes. The first-order assignment is an optimization, because it encodes equalities and disequalities between terms without listing them explicitly, whereas a Boolean assignment requires m 2 hence O(m 2 ) literals for m terms in the worst case.
The local basis basis EUF has to ensure that all formulae that may be needed to reason about equality are available. Given a set X of terms, by closedness basis EUF (X ) contains all equalities between subterms of terms in X of a sort s other than prop. Then basis EUF adds the following equalities between formulae: the formula , and all equalities l prop l , such that either (i) l and l are formulae in X with the same root symbol f ∈ F, or (ii) X contains terms f (t 1 , . . . , t m , l, u 1 , . . . , u m ) and f (t 1 , . . . , t m , l , u 1 , . . . , u m ) with f ∈ F. We prove completeness assuming the non-trivial EUF + : the proof rests on showing that if I m EUF cannot expand an assignment, all equalities are determined.

Theorem 3 Module I m
EUF is leading-theory-complete for all leading theories.
Proof Let T 1 be a leading theory, with signature Σ 1 and extension T + 1 , and J a plausible EUF-assignment that I m EUF cannot expand. We show that J is leading-theory-compatible with EUF sharing G(J ). We begin by observing that every formula l ∈ G prop (J ) is relevant to EUF, and therefore J assigns a value to l by Part (2) of Lemma 1 ( †). For s other than prop, every term u ∈ G s (J ) is relevant to EUF, as EUF + has (infinitely many) values for such sorts. Moreover, the only EUF-inferences using first-order assignments are equality inferences, and therefore J assigns a value to every such term u by Part (3) ( f (t 1 , . . . , t m )).  t 1 , . . . , t m , u 1 , . . . , u m , f (t 1 , . . . , t m ), and f (u 1 , . . . , u m ). Also, J contains assignments (t i u i )←b i , for 1 ≤ i ≤ m, and ( f (t 1 , . . . , t m ) f (u 1 , . . . , u m ))←b, because otherwise an equality inference could expand it. The truth values b 1  If EUF + is trivial, I m EUF is still leading-theory complete. The proof follows the same pattern: it is simpler as there are no EUF-values and no first-order assignments, and the key point is that the assignment gives a value to t s u for all terms t and u of sort s ∈ S\{prop}. Let I EUF be the module obtained by adding to I m EUF inference rules that propagate consequences of assignments on the trail, according to the congruence axioms of equality for all f ∈ F:

Corollary 3
Module I EUF is leading-theory-complete for all leading theories.

The Theory of Arrays
The theory of arrays Arr features sorts for arrays, indices, and values, and function symbols to select and store array elements. Given a set of basic sorts that includes prop, let ⇒ be the array sort constructor, so that I ⇒V is the sort of arrays with indices of sort I and values of sort V . We use a, b, c, and d for variables of an I ⇒V sort, u and v for variables of sort V , and i, j, and k for variables of sort I . In signature Σ Arr = (S, F), the set of sorts S is the free closure of the set of basic sorts with respect to ⇒, and the set of symbols F is function diff maps two arrays to an index, called witness, where they differ. Similar to EUF, the extension Arr + may either be trivial, or add a countably infinite set of values for each sort in S\{prop} and no axioms. Module I Arr augments the equality inference rules of Fig. 3 with inference rules that apply when the trail violates an array axiom. Rules (3)-(5) detect violations of the congruence axioms for the Σ Arr -symbols: Violations of the select-over-store axioms are detected by rules (6) and (7) of The last inference rule builds into I Arr the extensionality axiom: Most Arr-satisfiability procedures replace every disequality between arrays with a disequality between their elements at the witness index in a preprocessing phase (see [9,Sect. 6 and 7] for more background and references). Rule (8) is the only rule of I Arr that produces new terms. Similar to I EUF , I Arr reasons about Arr-values, if present, by the equality inference rules, treating Arr-values as labels of equivalence classes. For the local basis, for all sets X of terms, basis Arr (X ) is the smallest closed set Y such that X ⊆ Y , ∈ Y , and: 1. For all terms l 1 and l 2 of sort prop that occur as subterms of terms in Y with select, store, or diff as root symbol, (l 1 prop l 2 ) ∈ Y ; 2. For all terms t, u ∈ Y of an array sort, t[diff(t, u)] ∈ Y and u[diff(t, u)] ∈ Y .
Clause (1) adds equalities between formulae that may be needed and whose presence is not already guaranteed by closedness of local bases. Clause (2) adds the terms that may be generated by rule (8); it preserves finiteness, because diff produces terms of an index sort which is structurally smaller, in terms of the array sort constructor ⇒, than the array sort of its arguments.
As arrays represent functions that can be updated, a model can interpret an array as an updatable function and an array sort as a set of updatable functions. Given generic sets U and V, let V U denote the set of functions from U to V. A set W ⊆ V U is an updatable function set from U to V, if every function obtained by a finite number of updates to a function in W is in W. As done for EUF, we prove completeness assuming a non-trivial extension.

Theorem 4
Module I Arr is leading-theory-complete for all leading theories T 1 such that for all T 1 -models M 1 and array sorts I ⇒V of Σ Arr , there is an updatable function set X from Proof Let J be a plausible Arr-assignment that I Arr cannot expand. We show that J is leadingtheory-compatible with Arr sharing G(J ). By the same reasoning at the beginning of the proof of Theorem 3, J assigns values to all terms in G(J ) ( †), and fv Σ Arr (G(J )) = fv Σ Arr (J ) by Corollary 1. Let T 1 be a leading theory that satisfies the hypothesis, Σ 1 its signature, T + 1 its extension, and M 1 a T + 1 [V 1 ]-model such that fv Σ 1 (G(J )) ⊆ V 1 and M 1 | J T 1 . For all array sorts I ⇒V of Σ Arr , let X be the updatable function set from I M 1 to V M 1 such that |(I ⇒V ) M 1 | = |X |. We organize the proof in two parts.
1. Definition of a bijective function φ : (I ⇒V ) M 1 → X : We pick an updatable function f 0 ∈ X that will be used as default in the sequel. Then, we begin by defining the restriction φ Y of φ to the finite subset Y ⊆ (I ⇒V ) M 1 consisting of those elements a such that M 1 (t) = a for some term t ∈ G(J ). For all a ∈ Y , let R a ⊆ I M 1 ×V M 1 be the relation defined by the following set of pairs: In other words, R a is the set of index-value pairs dictated by those terms in G(J ) where either select is applied to an array term that M 1 interprets as a or the application of store forms an array term that M 1 interprets as a. Since G(J ) is finite, R a is finite. Also, R a is a partial function R a : I M 1 → V M 1 , because otherwise I Arr could expand J by rules (6)- (7). Let φ Y (a) be the total function that is identical to R a where R a is defined, and maps every e ∈ I M 1 where R a is undefined to f 0 (e) ∈ V M 1 . Since R a is finite, φ Y (a) differs from f 0 by finitely many updates, and therefore φ Y (a) ∈ X .
Next, we show that φ Y is injective. By way of contradiction, suppose that there are two elements a, a ∈ Y such that a = a and φ Y (a) = φ Y (a ). Since a, a ∈ Y , it is a = M 1 (t) and a = M 1 (t ) for some terms t, t ∈ G(J ). This means that M 1 | t t . By ( †), J assigns values to t and t , and therefore it also assigns a truth value b to t t , because otherwise an equality inference could expand it. Also, ((t t )←b) ∈ J T 1 by definition of theory view. Since M 1 | t t and M 1 | J T 1 , b must be false, or, equivalently, (t t ) ∈ J . Therefore, also t[diff(t, t )] t [diff(t, t )] ∈ J , because otherwise I Arr could expand J by rule (8). As before, ). By definition of φ Y (a) for a generic a, we have: Since the two right-hand sides are different, the two left-hand sides are also different, so that φ Y (a) = φ Y (a ), a contradiction.
Given that φ Y is injective, we can extend φ Y to the sought-after bijective function φ, by taking as pre-images of the elements of X that are not images of elements of Y other elements of (I ⇒V ) M 1 and there are enough distinct such elements as |(I ⇒V ) M 1 | = |X |. The same property holds for the trivial Arr + with an almost identical proof, except that non-Boolean terms in G(J ) are not assigned values. Rules obtained from rules (3)-(7) by removing the last premise and adding its flip as conclusion can be added to I Arr , preserving leading-theory-completeness by Lemma 2.

Linear Rational Arithmetic
Theory LRA has signature Σ LRA with sorts S LRA = {prop, Q} and set of symbols F LRA with equality symbols {prop,Q} , the constant 1 : Q, the symbol +: (Q×Q)→Q for addition, the predicates <, ≤ : (Q×Q)→prop for the orderings, and the collection of unary function symbols {c·: Q→Q | c ∈ Q}, indexed by the set Q of the rational numbers, for multiplication by constants. The extension LRA + adds constants for all rational numbers, namely The Fourier-Motzkin (FM) algorithm [41,43,52] determines the satisfiability of a set of linear inequalities over the reals, by applying variable elimination until either it generates a contradiction, in the form of a constraint 0 ≤q with negativeq, in which case the algorithm returns unsatisfiable, or it eliminates all variables, in which case the algorithm returns satisfiable.
Variable elimination works as follows: select a variable x; if x appears only with positive, or negative, coefficients, remove all constraints where x appears; otherwise, compute all linear combinations of constraints t 1 +c 1 ·x≤u 1 and t 2 −c 2 ·x≤u 2 where x appears with positive and negative coefficient, respectively, generating the constraint c 2 ·t 1 +c 1 ·t 2 ≤c 2 ·u 1 +c 1 ·u 2 (if a premise is a strict inequality, the result is also strict). Alternatively, the constraints where x appears with positive coefficient are rearranged into upper bounds x ≤ t, those where x appears with negative coefficient are rearranged into lower bounds u ≤ x, and the computation of all linear combinations is replaced by that of all transitive closures, concatenating u ≤ x and x ≤ t to generate u ≤ t (if a premise is strict, the result is also).
Since a linear combination eliminating x recalls a propositional resolution inference eliminating the propositional variable of the literals resolved upon, a single linear combination, or transitive closure step, is known as Fourier-Motzkin (FM) resolution. A variable x appearing only with one sign parallels a pure literal in a set of clauses, and the elimination of all constraints where x occurs reminds one of the pure literal rule that eliminates, or deems satisfied, all clauses where a pure literal occurs [18]. The FM-algorithm resembles the level-saturation strategy for resolution: select a propositional variable l, add all resolvents generated by resolving upon l, remove all clauses where l appears, and repeat, until either the empty clause arises or the set is emptied.
Given m constraints in n variables the FM-algorithm generates m 2 n 4 n constraints in the worst case (e.g., [41]), whereas the simplex algorithm (e.g., [41,52]) is exponential in the worst case [39], but polynomial in practice [54]. Thus, most LRA-satisfiability procedures adopt a modern version of the simplex algorithm that deals also with strict inequalities [26]. However, conflict-driven LRA-satisfiability procedures [21,40,46] apply FM-resolution only to explain LRA-conflicts, just like the CDCL procedure applies resolution only to explain Boolean conflicts [44,45]. These procedures stand to the FM-algorithm like CDCL stands to level-saturation by resolution. Similar to MCSAT [35], CDSAT embeds a conflict-driven LRA-satisfiability procedure and applies FM-resolution only to solve conflicts. A difference between CDSAT and MCSAT in this regard is that the Deduce rule of CDSAT covers both propagation and conflict explanation, allowing CDSAT to apply FM-resolution more liberally. Therefore, we consider an I LRA module that features FM-resolution: where t 1 , t 2 , and t 3 are terms of sort Q, 1 , 2 , 3 ∈ {<, ≤}, and 3 is < if and only if either 1 or 2 is <. Since FM-resolution concatenates inequalities, I LRA has equality elimination rules to replace an equality by inequalities: and positivization rules to handle flipped inequalities based on the totality of the ordering on Q: Let t 0 , . . . , t m be terms of sort Q, and l a formula whose normal form is in the closure of t 1 , . . . , t m with respect to the symbols of F LRA . Module I LRA also has an evaluation rule to evaluate the truth value of l when values for t 1 , . . . , t m are available on the trail: For example, (z←1) LRA (w+2 Q w+z)←false is an evaluation inference, which does not need a value for w, because the normal form of w+2 Q w+z is −z + 2 Q 0. Let x be a free Σ LRA -variable of sort Q that does not occur free in t 0 , t 1 , and t 2 . The last rule of I LRA , beside the equality rules of Fig. 3, is disequality elimination, which detects a situation where there is no value for x: FM-resolution and disequality elimination apply also to formulae reducible to the form of their premises, as in y−x<0, 3·x<5 LRA y< 5 3 for FM-resolution. The FM-algorithm bundles in one step all FM-resolutions on one variable, eliminating it altogether; as there are finitely many variables, the algorithm terminates. However, other strategies for applying FM-resolution may generate infinitely many terms as shown in Fig. 4: the never-halting series alternates FM-resolutions on a variable x with FM-resolutions on another variable y.
In CDSAT, the FM-algorithm can be emulated with I LRA -inferences, as a series of Deduce transitions applied with a level-saturation search plan. The local basis can be set to those terms that are newly generated by the algorithm, in finite numbers, so that termination follows. This search plan thus provides a decision procedure for satisfiability, but it is not conflictdriven and is as inefficient as the FM-algorithm. Other search plans may be more interesting, but may raise termination issues: were it not for the finite global basis of CDSAT that forces termination, the infinite series of Fig. 4 could also be emulated in CDSAT, for instance as a never-ending search phase that never generates any conflict. While a conflict-driven search plan would not apply Deduce in this manner, this infinite series may ensue also if Deduce only explains conflicts, as detailed in the following example. A well-known solution to this problem assumes a total ordering ≺ LRA on Σ LRA -variables of sort Q and restricts FM-resolution by requiring that the resolved variable x is ≺ LRA -maximum in both premises [11,21,35,40,46].
In CDSAT, termination is ensured by the finiteness of the global basis B which restricts Deduce. For completeness, B must be stable, requiring in particular that basis LRA (B) ⊆ B for the local basis basis LRA . Thus, basis LRA must be limited so as to never introduce infinitely many terms, which is obtained by incorporating the restriction to FM-resolution as follows. For all sets X of terms, basis LRA (X ) is the smallest closed set Y such that X ⊆ Y , ∈ Y , and, for all terms t 1 and t 2 of sort Q: 3 is < if and only if either 1 or 2 is <, and x is the ≺ LRA -maximum variable in both fv Q Σ LRA (t 1 1 x) and fv Q Σ LRA (x 2 t 2 ). Clauses (1) and (2) add the terms that may be generated by the equality elimination and positivization rules, respectively, which do not challenge finiteness. Clause (3) adds the terms that may be inferred by FM-resolution, and it preserves finiteness thanks to the ≺ LRAbased restriction. The side-condition of Deduce (see Fig. 1

) ensures that the evaluation rule evaluates a formula in B.
For I LRA to be complete with FM-resolution thus restricted, it suffices to add the following inference rule, named detection of an empty solution space: , and {y 1 ←q 1 , . . . , y m ←q m } E is unsatisfiable. Alternatively, and in practice, since Deduce applies FM-resolution to explain LRA-conflicts typically due to decisions on rational variables, one may adopt a search plan that selects rational variables for decisions in ≺ LRA -increasing order. We call such a search plan sensible. An LRA-assignment J generated by a sensible search plan is also termed sensible and has the following property: for all variables x, y ∈ fv Q Σ LRA (J ), if x ≺ LRA y and J assigns a value to y, then J assigns a value to x.
Toward completeness, since I LRA does not fulfill Condition (ii) of Part (3) of Lemma 1, we prove another lemma. Preliminarily we observe that the evaluation rule of I LRA subsumes the equality inference rules that take as premises first-order assignments (the first two in Fig. 3), and therefore we can assume that evaluation and detection of an empty solution space are the only rules of I LRA that deal with first-order assignments. Also, the only sort of LRA other than prop is Q, and all terms in G Q (J ) are relevant to LRA in an LRA-assignment J . Given LRA-assignment J and variable x ∈ fv Q Σ LRA (J ), a unit constraint [35] about x in J is a singleton Boolean assignment L ∈ J where only x is unassigned: J assigns a value to all y, y ∈ fv Q Σ LRA (L) and y = x.

Lemma 3 If module I LRA cannot expand a plausible LRA-assignment J , then J assigns values to all terms in G Q (J ).
Proof As a preliminary remark, all Boolean assignments in J concern terms of the form t 1 ≤ t 2 , t 1 < t 2 , or t 1 Q t 2 , because otherwise an equality elimination or positivization inference rule could expand J . We begin by showing that J assigns values to all variables in fv Q Σ LRA (J ). By way of contradiction, assume this is not the case, and let x be the ≺ LRA -smallest variable to which J does not assign a value. If J is sensible, for all variables y ∈ fv Q Σ LRA (J ) such that y = x, if J assigns a value to y then y ≺ LRA x ( †). No LRA-assignment x←q is acceptable for I LRA in J ( ‡), because otherwise I LRA could expand J by a decision. Property ( ‡) implies that for all valuesq there exist L ∈ J and J ⊆ J such that J ∪ {x←q} LRA L. This means that the space of possible solutions for x is empty: we distinguish three cases.

For variable x the lower bound is greater than the upper bound:
E = {t 1 ≤ x, x ≤ t 2 , t 1 ←q 1 , t 2 ←q 2 } ⊆ J andq 2 <q 1 ; every assignment x←q triggers an evaluation inference contradicting either t 1 ≤ x or x ≤ t 2 or both. It follows that t 1 ≤ x and x ≤ t 2 are unit constraints about x in J , because the evaluation rule determines the value of a Boolean term when all its rational subterms are assigned. If {y 1 ←q 3 , . . . , y m ←q 3+k } ⊆ J (3 + k = m). As {y 1 ←q 3 , . . . , y m ←q 3+k } E is unsatisfiable, an inference by the detection of an empty solution space rule is enabled. 2. For variable x the lower bound and the upper bound are equal, but one of them is strict: The reasoning is the same as in Case (1) except that the enabled instance of FM-resolution is either 3. The lower bound and the upper bound for x are equal, and neither is strict, but a disequality excludes the only possible value: In all three cases an inference is enabled, contradicting the hypothesis. Thus, J assigns values to all variables in fv Q Σ LRA (J ). We complete the proof by showing that J assigns values to all non-variable terms t ∈ G Q (J ). Since J assigns values to all variables x 1 , . . . , x r in t (i.e., {x 1 ←q 1 , . . . , x r ←q r } ⊆ J ), these assignments dictates a valueq for t. If t←q is acceptable for I LRA in J , I LRA can expand J deciding t←q, a contradiction. If t←q is not acceptable for I LRA in J , it means that t←q enables an evaluation step generating L for some L ∈ J ; then also {x 1 ←q 1 , . . . , x r ←q r } enables an evaluation inference generating L, and I LRA can expand J , again a contradiction.
The above lemma applies to any plausible LRA-assignment J , without requiring that J is sensible: if J is sensible, the rule for detection of an empty solution space plays no role in the proof of the lemma, whereas it does if J is not sensible (cf. Case (1) in the proof). It follows that if the CDSAT search plan is sensible, and therefore all generated assignments are sensible, the rule for detection of an empty solution space is unnecessary.

Theorem 5 Module I LRA is leading-theory-complete for all leading theories whose models interpret Q as an infinite set.
Proof Let J be a plausible LRA-assignment that I LRA cannot expand. We show that J is leading-theory-compatible with LRA sharing G(J ). Assignment J gives values to all terms in G prop (J ) by Part (2)

t ).
A module I is unit-constraint complete [35] for sort s of its theory T , if for all trails Γ and unassigned variables x of sort s for which Γ contains a unit constraint, module I offers either an acceptable assignment x←c or an inference revealing a conflict. The above results show that I LRA is unit-constraint complete for Q. In general, unit-constraint completeness is subsumed by the CDSAT completeness requirements on theory modules.

Generic Theories: Stable Infiniteness and Beyond
We consider first a generic theory T with signature Σ = (S, F) that can be part of a combination by equality sharing (e.g., [42,48,49]): (i) there exists a decision procedure for the T -satisfiability of conjunctions, or, equivalently, sets of T -literals; and (ii) T is stably infinite (every T -satisfiable Σ-formula has a T -model with countably infinite domains for all sorts in S \ {prop}). In equality sharing the decision procedures cooperate by exchanging equalities between shared variables toward building an arrangement, namely a satisfiable set of sorted equalities and disequalities telling whether any two variables of the same sort are equal (e.g., [9,Sect. 3] for more background). CDSAT handles T with a black-box theory module I bb T . The extension T + either is trivial or adds a countably infinite set of values for each sort s∈S\{prop} and no axioms. Module I bb T includes the equality inference rules and a black-box inference rule where l 1 , . . . , l m are Σ-formulae (Σ-atoms as Σ has no connectives). A black-box inference J T ⊥ applies if the set of literals defined by the Boolean assignment J , namely C J = {l | (l←true) ∈ J } ∪ {¬l | (l←false) ∈ J }, is found T -unsatisfiable by the T -satisfiability procedure. If T + is non-trivial, the only rules of I bb T that may use first-order T -assignments are the equality inference rules, and T -values act as labels of congruence classes of terms. The local basis only adds : for all sets X of terms, basis T (X ) = X ∪ { }. Indeed, in equality sharing, no new terms introduced by non-trivial inferences are shared.

Theorem 6 Module I bb
T is leading-theory-complete for all leading theories whose models interpret all sorts other than prop as countably infinite sets.
Proof Let J be a plausible T -assignment that I bb T cannot expand. We show that J is leadingtheory-compatible with T sharing G(J ) (see Definition 5). Let T 1 be a leading theory satisfying the hypothesis, Σ 1 its signature, T + 1 its extension, and M 1 any T + 1 [V 1 ]-model such that fv Σ 1 (G(J )) ⊆ V 1 and M 1 | J T 1 . We distinguish two cases depending on the choice of T + . This theorem shows that the equality-sharing method is a special case of the CDSAT framework. Indeed, when the T -module cannot expand a T -assignment J (the T -view of the trail) it follows that: (1) there exists a T -model endorsing J , and (2) J determines the truth value of all equalities, hence it defines an arrangement of shared variables. If this is the case for all theories in T ∞ , an endorsing T ∞ -model also exists, by the CDSAT completeness theorem [11,Theorem 4]. This remark applies also to model-based theory combination [23], which is a way to implement equality sharing and relies on equality sharing for completeness. Theorem 6 still holds if the black-box rule is restricted to apply only to T -unsatisfiable cores or minimal T -unsatisfiable assignments, where it suffices to remove an element to make the assignment T -satisfiable.

Trivial
We describe next how CDSAT also handles a generic non-stably infinite theory T with signature Σ = (S, F). Suppose T is stably infinite for the sorts in S \ {prop, s 1 , . . . , s k }, whereas all T -models interpret sorts s 1 , . . . , s k as sets of fixed finite cardinalities m 1 , . . . , m k , respectively. The proof of Theorem 6 can be adapted to prove the following.

Theorem 7 Module I bb
T is leading-theory-complete for all leading theories whose models interpret all sorts in S \ {prop, s 1 , . . . , s k } as countably infinite sets and s 1 , . . . , s k as sets of cardinality m 1 , . . . , m k , respectively.
For example, T could be a theory of bitvectors of different lengths, where for all l, 1 ≤ l ≤ k, s l is the sort bv[l] of bitvectors of length l and m l = 2 l . Theorem 7 does not need k to be finite: for bitvectors, l could range over all nonzero natural numbers. Thus, the cardinality constraints in T affect the choice of the leading theory T 1 , for which S 1 = S ∞ . If the leading theory can be picked so that all theory modules involved in the combination are leadingtheory complete, the cardinality constraints in T are imposed to the other theories sharing {s 1 , . . . , s k } or a subset thereof. More generally, different theories in the union T ∞ may pose cardinality requirements on a shared sort s, and the leading theory T 1 acts as an aggregator of such requirements (see [11,Examples 9 and 10]). Once chosen, the leading theory T 1 needs a theory module I 1 that can be used in CDSAT and that enforces the cardinality constraints.
We illustrate this point for an at-most-m cardinality constraint on sort s, given an integer m>0. The constraint can be expressed by the sentence ∀x 0 , . . . , ∀x m . 0≤i =k≤m x i s x k , for x 0 , . . . , x m distinct variables of sort s, which could be an axiom or a theorem of one of the non-leading theories in T ∞ , or an axiom of the leading theory T 1 , resulting from aggregating cardinality constraints from non-leading theories in T ∞ . For instance, if T 2 entails the atmost-m 1 cardinality constraint on s and T 3 entails the at-most-m 2 cardinality constraint on s, the leading theory T 1 is picked so that its models satisfy the at-most-min(m 1 , m 2 ) cardinality constraint. Then, theory module I 1 for T 1 includes the at-most-m inference rule: where u 0 , . . . u m are any m + 1 distinct terms of sort s. If T + 1 is non-trivial with values for sort s, the at-most-m inference rule can be abbreviated as u 0 ←c 0 , . . . , u m ←c m T 1 ⊥, for c 0 , . . . , c m any distinct m+1 T 1 -values of sort s. If both T and the leading theory T 1 have non-trivial extensions, T + and T + 1 use different sets of constant symbols to name s-sorted elements, and the construction of a T ∞ -model for an assignment J that cannot be expanded establishes a bijection between the s-sorted T -values that appear in J and the s-sorted T 1values that appear in J (see [11,Sect. 9.3, Theorem 4]). A module with an at-most-m inference rule satisfies a lemma that complements Lemma 1.

Lemma 4 If a T -module I with the at-most-m inference rule for sort s cannot expand a plausible T -assignment J , the relation J s is an equivalence with at most m equivalence classes.
Proof By definition of J s (see the text in Sect. 4 preceding Lemma 1), for all t 1 , t 2 ∈ G s (J ), t 1 J s t 2 if and only if (t 1 s t 2 ) ∈ J . By Part (1) of Lemma 1 the relation J s is an equivalence. If J s had m+1 equivalence classes, J would contain an instance of the premises of the atmost-m inference rule for sort s, and I could expand J , a contradiction.
This lemma suffices to obtain the following theorem that says how to build a leading theory and its module to enforce the at-most cardinality constraint coming from the theories in T ∞ . Given a theory T 1 , let T s≤m 1 be T 1 plus the at-most-m cardinality constraint on sort s as additional axiom. Given a theory module I, let I s≤m be I plus the at-most-m inference rule on sort s.

Theorem 8
If I 1 is sound and complete for theory T 1 , then I s≤m 1 is sound and complete for theory T s≤m 1 .
Once the enforcement of cardinality constraints is handled by the leading theory module, it is not necessary to handle them in other modules.

Theorem 9 Given a theory T with signature Σ = (S, F) and a leading theory T 1 that entails the at-most-m constraint on sort s ∈ S, a T-module I is leading-theory complete if and only if I s≤m is leading-theory complete.
Proof The (⇒) direction holds by Lemma 2. The (⇐) direction holds because whenever the at-most-m inference rule of I s≤m can be applied to expand an assignment J , there can be no T 1 -model endorsing J T 1 so that leading-theory compatibility is vacuously true.
In summary, the completeness of a leading theory module with the appropriate at-most rules ensures that cardinality constraints on shared sorts are satisfied; and all theories sharing those sorts concur on their cardinalities by leading-theory-completeness of their modules.

Global Basis Construction
Termination of CDSAT requires the global basis B to be finite and closed, and completeness requires it to be stable (see Theorem 1). The meaning of stability of B (for all k, 1 ≤ k ≤ n, basis k (B) ⊆ B) is that the global basis "contains" the local bases basis 1 , . . . , basis n associated to the theory modules I 1 , . . . , I n for theories T 1 , . . . , T n : for all sets X of terms, if X ⊆ B then for all k, 1 ≤ k ≤ n, basis k (X ) ⊆ basis k (B) by monotonicity (see Definition 2) and basis k (X ) ⊆ B by stability. Thus, for all input assignments H , if H is in B, or, equivalently, G(H ) ⊆ B, no I k -inference can take us outside of B. In this section we show how to build a stable global basis from local ones.
The existence of a finite stable global basis does not necessarily follow from that of local bases. Given input assignment H and X 0 =G(H ), a module I k may introduce a term u 0 in Y 0 =basis k (X 0 ), which prompts I j to introduce a term t 1 in X 1 =basis j (basis k (X 0 )), which in turns prompts I k to introduce a term u 1 in Y 1 =basis k (basis j (basis k (X 0 ))), and so on. In other words, even if all these sets are finite, m≥0 X m may be infinite, where X m+1 =basis j (basis k (X m )). The aim is to find sufficient conditions on local bases to avoid such cyclic behavior. Since the problem arises from a cyclic alternation, the point is whether it is possible to permute local bases, relating basis j (basis k (X )) and basis k (basis j (X )). To this end, we introduce the following notions.

Definition 7 (Production and consumption of a sort)
Let basis be a basis for theory T with signature Σ = (S, F). For all sorts s ∈ S, basis produces sort s if for some closed set of terms X and term t of sort s, t ∈ basis(X ) \ X ; basis consumes sort s if for some closed set of terms X and term t of sort s, basis(X {t}) ⇓ (basis(X ) {t}), where t is either a Σ-variable or an equality whose strict subterms are in X .
In plain words, basis produces sort s if its application to a closed set X yields some term t of sort s which is not in X and does not arise from the closure of X , since X is already closed; basis consumes sort s if its application to X {t}, where t is a term of sort s, yields some term u which is not in ⇓ (basis(X ) {t}), where basis is applied to X only. The restrictions on what term t can be depend on what suffices for forthcoming Lemma 5.

Example 9
Most local bases produce prop, as they add ; basis Bool produces and consumes prop, as it forms clauses for lemma learning; basis EUF only produces prop by adding equalities and does not consume any sort. For Arr, basis Arr produces all sorts in Σ Arr and consumes all array sorts: given array terms t and u of sort I ⇒V , basis Arr consumes I ⇒V and produces sorts I and V , by introducing terms diff(t, u), t[diff(t, u)], and u[diff(t, u)]; it produces also array sorts, because arrays can be values or indices, as there can be arrays of arrays and arrayindexed arrays. For LRA, basis LRA produces sorts prop and Q and only consumes Q, where Q is produced when polynomials are reduced to normal form. For example, the FM-resolution y−x<0, 3·x<5 LRA y< 5 3 produces prop by introducing y< 5 3 and Q by introducing 5 3 . The bases of I bb and I m bb only produce prop and do not consume any sort.
The next move is to define a theory ordering on the theories that captures producerconsumer dependencies between their local bases: for all k, j such that 1 ≤ k = j ≤ n, let T k ≺ T j if there exists a sort s that basis k produces and basis j consumes. By the contrapositive, if T k ≺ T j , then basis j is independent of basis k , hence basis j (basis k (X )) ⊆ basis k (basis j (X )) for all X . Intuitively, if ≺ is acyclic, the cyclic behavior described above cannot happen. Formally, if ≺ is acyclic, the listing of the theories and a basis for T ∞ can be defined accordingly: for all k and j, 1≤k< j≤n, if T k ≺ T j then k < j, and for all sets X of terms, basis ∞ (X ) = basis n (. . . basis 1 (X )). The next lemma shows that under these hypotheses local bases can be permuted.

Lemma 5
If T 1 , . . . , T n are disjoint theories with an acyclic ordering ≺, then for all k and j, 1≤k< j≤n, and for all finite closed sets X of terms: (1) For all -closed sets Y of terms such that X ⊆Y ⊆basis j (X ), it holds that basis k (Y ) ⊆ ⇓ (basis k (X ) ∪ Y ); and (2) basis k (basis j (X )) ⊆ basis j (basis k (X )).
Proof First, k < j implies j < k, hence T j ≺ T k , so that no sort produced by basis j is consumed by basis k .
1. The proof is by induction on the (finite) cardinality of Y \X , denoted |Y \X |. For the base case, if |Y \X | = 0 (i.e., Y = X ), the claim is trivially true. For the induction hypothesis, let the claim be true for any such Y with |Y \X | = q ≥ 0. For the induction step, let |Y \X | = q + 1 and t be a term of largest size (symbol count) in Y \X . By hypothesis, t is in basis j (X ). Since the theories are disjoint, t is either Σ j -foreign, or Σ k -foreign, or an equality. By the last property of a basis in Definition 2, t being in V ∞ is the only way that it can be Σ j -foreign, in which case it is also Σ k -foreign. Therefore, it is either Σ k -foreign or an equality. By -closedness of Y , all strict subterms of t are in Y \{t}, hence in ⇓ (Y \{t}). Since t ∈ (basis j (X ) \ X ), the sort s of t is produced by basis j . Last, basis k does not consume s, because basis k does not depend on basis j , as k < j by hypothesis. By Definition 7 applied to basis k and the closed set ⇓ (Y \{t}), we get Next, we observe that X ⊆ (Y \{t}), since X ⊆ Y and t ∈ Y \ X , and Y \{t} is -closed: indeed, if it were t u for some term u ∈ Y , then either u ∈ X , in which case t ∈ X , because X is closed, or u ∈ Y \X , in which case t would not be a term of greatest size in Y \X . Therefore, we can apply the induction hypothesis to Y \{t} and get Then the claim is established as follows: by idempotence of ⇓ .
Next, we use Lemma 5 to show that basis ∞ (X ) is stable.

Lemma 6
If T 1 , . . . , T n are disjoint theories with an acyclic ordering that defines basis ∞ , then for all k, 1 ≤ k ≤ n, basis k (basis ∞ (X ))=basis ∞ (X ) for all finite sets X of terms.
Proof We prove a more general property, namely that ∀ j, 1 ≤ k ≤ j ≤ n, we have basis k (basis j (. . . basis 1 (X ))) = basis j (. . . basis 1 (X )). The ⊇-direction holds by extensiveness of basis k . For the ⊆-direction, the proof is by induction on j. For the base case, if j=k, the claim holds by idempotence. For the induction hypothesis, let the claim be true for j. For the induction step, we prove the claim for j+1. Let Z stand for basis j (. . . basis 1 (X )).
Theorem 10 Given disjoint theories T 1 , . . . , T n with modules I 1 , . . . , I n and local bases basis 1 , . . . , basis n such that the theory ordering is acyclic, if basis ∞ is defined based on the theory ordering, then for all input assignments H , the set B=basis ∞ (G(H )) is a finite stable global basis.
Proof The function basis ∞ is a basis for the union theory T ∞ according to Definition 2, as it inherits the properties of local bases. Thus, B is finite, as G(H ) is finite, and it is stable by Lemma 6.
For example, basis Bool (basis I (basis EUF (basis LRA (basis Arr (G)(H ))))), where I is a blackbox module for a generic theory T , is a global basis for the union of theories Bool, T , LRA, EUF, and Arr, given an input assignment H . The next section opens the part of the article devoted to proof generation in CDSAT.

Theory Proofs
Because CDSAT combines theory modules, proof reconstruction in CDSAT requires that all theory modules produce proofs. Therefore, we assume that each theory module is equipped with a proof annotation system that annotates theory inferences with theory proofs: J k j k : L states that module I k infers L from J with theory proof j k . A theory proof from I k is called T k -proof. Theory proofs, hence CDSAT proofs, may refer to singleton assignments by means of identifiers. A T-assignment with identifiers is a set of triples a (t←c), where a is the identifier of t←c. From now on all assignments are assignments with identifiers, the trail contains a T ∞ -assignment with identifiers, and the subset relation between assignments take identifiers into account. For example, I Bool -inference (1) from Sect. 3.2 can be annotated with a theory proof denoted UP(a, {a 1 , . . . , a n }), as follows: , {a 1 , . . . , a n }) : L where UP stands for unit propagation, and a 1 , . . . , a n are the identifiers of the assignments in H . Annotated I LRA -inferences include instances of Fourier-Motzkin resolution and of the evaluation rule: Equality inferences are annotated with theory proofs as shown in Fig. 5. Assuming J is a 1 (t 1 u 1 ), . . . , a m (t m u m ), an instance of annotated I EUF -inference is: where Cong stands for congruence.
If an assignment appears on the trail, its identifier in any theory proof is the same as its identifier on the trail: for a Deduce transition supported by a theory inference J k j k : L, the assignments in J appear on the trail Γ , and their identifiers in j k are the same as in Γ . Since identifiers are mere names, theory proof annotations are stable under their permutations: any permutation π of identifiers transforms a theory proof j k into a theory proof π( j k ), such that, if a 1 (t 1 ←c 1 ), . . . , a m (t m ←c m ) k j k : L then π(a 1 ) (t 1 ←c 1 ), . . . , π(a m ) (t m ←c m ) k π( j k ) : L.
For example, if 1 (x←c 1 ), 4 (y←c 1 ) k Cong(1, 4) : f (x) f (y), with π(1) = 4 and π(4) = 1, it is also 4 (x←c 1 ), 1 (y←c 1 ) k Cong(4, 1) : f (x) f (y). The assumption that theory modules have proof annotation systems is not a restriction, as the proof annotation system can be a trivial one that uses a dummy theory proof for all theory inferences. The resulting theory proofs convey no information, which is acceptable if they are not required to offer more.

Proof Terms, Proof System, and Invariants for CDSAT
In order to enable CDSAT to compose theory proofs into CDSAT proofs, we will equip the CDSAT transition system with the capability of building proof terms. These proof terms keep track of soundness invariants that ensure that transitions do not change the problem, so that invariant-preserving transition rules are sound. The CDSAT soundness invariants are: where H 0 is the input, or initial, assignment. A proof term is either a deduction proof term recording why a justified assignment is on the trail to enforce (1), or a conflict proof term recording why a conflict is a conflict to enforce (2). The two kinds of proof terms are defined mutually recursively as follows.

Definition 8 (CDSAT proof terms) A CDSAT proof term is
-Either a deduction proof term j ::= in(A) j k lem(H .c), -Or a conflict proof term c ::= cfl( j k , a) res( j, a A.c), where: (i) in, lem, cfl, and res, abbreviating initial, lemma, conflict, and resolve, respectively, are the CDSAT proof constructors; (ii) A is a singleton assignment, j k is a T k -proof for some k, 1 ≤ k ≤ n, H is a Boolean assignment with identifiers, a is the identifier of a singleton Boolean conflicting assignment in cfl( j k , a), and the identifier of A in res( j, a A.c); and (iii) the dot notation means that res( j, a A.c) binds a in c and lem(H .c) binds the identifiers of H in c.
The CDSAT proof terms come with the CDSAT proof system in Fig. 6. Its first three rules establish the derivability of judgments of the form H j : A. Proof term in(A) witnesses the fact that an initial assignment A holds. The second rule coerces a theory proof j k into a CDSAT deduction proof term. The third rule says that, whenever there is a conflict including a Boolean assignment H , a clausal form of H is a lemma entailed by the rest of the conflict. The proof term lem(H .c) carries H to record which part of the conflict became a lemma. If identifiers of assignments in H occur in c, such occurrences are bound in lem(H .c). The last two rules establish the derivability of judgments of the form E c : ⊥. Proof term cfl( j k , a) witnesses the conflict between the conclusion L of a theory inference, whose theory proof is coerced into a CDSAT deduction proof term, and its flip L (with identifier a). Proof term res( j, a A.c) is the only construct that combines two subproofs, connecting the conclusion A of the left premise with the hypothesis a A of the right premise: the proof of A from H is plugged as a subproof in the proof of ⊥ from E { a A} to get a proof of ⊥ from E ∪ H . Any occurrence of a in c is bound in res( j, a A.c). The following theorem connects provability in the CDSAT proof system with endorsement, showing the soundness of the CDSAT proof system.

The Proof-Carrying CDSAT Transition System
In the proof-carrying CDSAT transition system (see Fig. 7), justified assignments are decorated with deduction proof terms, and conflict states are triples of the form Γ ; E; c , where c is a conflict proof term. A justified assignment H j : A carries a deduction proof term j such that H j : A. Initial assignments have the form ∅ in(A) : A where the deduction proof term presents the initial assignment as a premise of the proof.
Comparing Figs. 1 and 7, Decide is unchanged as a decision does not carry a proof term; Deduce is modified as the supporting theory inference J k j k : L is annotated with a theory proof that the added justified assignment J j k : L carries with itself. In Fig. 1 the choice between Fail and ConflictSolve depends on the level of the conflict, whereas in Fig. 7 it depends on the outcome of the conflict resolution phase, because proof-carrying CDSAT fires Fail and returns unsat, if it can return a proof of unsatisfiability. If the outcome of the conflict resolution phase is a trail, the conflict was solved and ConflictSolve applies; if it is a state Γ ; ∅; c , the system is still in conflict state, but there is no conflict to solve. The system concludes that the input assignment is T + ∞ -unsatisfiable and that proof term c encodes the discovered proof of unsatisfiability: Fail applies and the derivation terminates in state unsat(c) returning proof term c. It is simple to show that the conflict state rules of proof-carrying CDSAT reduce a conflict state Γ ; E; c 1 , where E = ∅, to one of the form Γ ; ∅; c if and only if level Γ (E) = 0; and that they solve the conflict producing some trail Γ different from Γ if and only if level Γ (E) > 0.
Continuing with the conflict state rules, UndoClear and UndoDecide are unchanged. Proof-carrying LearnBackjump generates the proof term lem(H .c), recording that the learned lemma L is a clausal form of H , and turning the conflict proof term c that represents a proof of unsatisfiability of E H into a deduction proof term that represents a proof of L from E. The main rule for proof reconstruction is proof-carrying Resolve, which combines proof term c, witnessing the unsatisfiability of the conflict, with proof term j witnessing that one of the assignments in the conflict, named A, follows from prior assignments: A is retained in the proof term res( j, a A.c). By applying this mechanism, proof-carrying CDSAT connects a proof of why a conflict E follows from H 0 with a proof of why E is unsatisfiable, and generates a proof of unsatisfiability of H 0 . The following theorem shows that proof-carrying CDSAT maintains provability invariants connecting the operations of the transition system with provability in the CDSAT proof system. Theorems 11 and 12 together show that proof-carrying CDSAT builds a trace of proof terms in such a way to keep track of the CDSAT soundness invariants through the provability invariants. The next example expands Fig. 2 into a full derivation by proof-carrying CDSAT. For the sake of readability, we omit identifiers and we abuse the formalism by building proof terms made of assignments rather than their identifiers.

Example 10
Assume that the input assignment for the example in Fig. 2 is {¬l 4 ∨ l 5 , ¬l 2 ∨ ¬l 4 ∨ ¬l 5 , l 2 ∨ (z y), x ≤0 ∨ l 2 , x ≤0 ∨ l 4 , f (z)←blue, f (y)←red}, where l 2 is y≥0, l 4 is x+y>0, and x ≤0 abbreviates ¬(x≤0). The initial trail Γ 0 contains these assignments. The derivation proceeds as in Fig. 2 with decisions ? A 1 , ? l 2 , ? A 3 , ? l 4 , and propagation (¬l 4 ∨l 5 ), l 4 l 5 , but here we assume that A 1 is x← 3 /4. Let Γ 1 be the trail up to this point. The first conflict state is Γ 1 ; {¬l 2 ∨¬l 4 ∨¬l 5 , l 2 , l 4 , l 5 }; c 1 with conflict proof term that registers the conflict between l 5 and ¬l 5 , the latter derived by Unit Propagation from ¬l 2 ∨¬l 4 ∨¬l 5 , l 2 , and l 4 . The Resolve step from Fig. 2 replaces l 5 in the conflict by its justification {¬l 4 ∨l 5 , l 4 }, yielding conflict state Γ 1 ; {¬l 2 ∨¬l 4 ∨¬l 5 , l 2 , l 4 , ¬l 4 ∨l 5 }; c 2 . The associated conflict proof term is with deduction proof term j 1 =lem({l 2 , l 4 }.c 2 ) recording that conflict proof c 2 showed that the learned lemma ¬l 2 ∨¬l 4 is inferred from ¬l 2 ∨¬l 4 ∨¬l 5 and ¬l 4 ∨l 5 . Proceeding as in Example 6, a Deduce step adds (¬l 2 ∨¬l 4 ), l 2 j 2 : l 4 , with deduction proof term j 2 = UP(¬l 2 ∨¬l 4 , {l 2 }). Suppose that the derivation continues with a Deduce step encapsulating the LRA evaluation inference (see the cfl rule in Fig. 6) with conflict proof term The conflict state is Γ 2 ; l 2 , l 4 , x≤0; c 3 . A Resolve step replaces l 4 by its justification {¬l 2 ∨¬l 4 , l 2 }, producing conflict state Γ 2 ; {l 2 , ¬l 2 ∨¬l 4 , (x≤0)}; c 4 with conflict proof term c 4 = res( j 2 , l 4 .c 3 ) that expands upward leaf l 4 of c 3 with its proof j 2 . The system exits from this conflict by a LearnBackjump transition that jumps back to level 1 and learns lemma (x≤0)∨¬l 2 with deduction proof term j 4 = lem({x≤0, l 2 }.c 4 ). The resulting trail Γ 3 contains the initial assignments followed by With the last lemma the system has learned that if y ≥ 0 (l 2 ) implies x+y>0 (¬l 4 ), then y ≥ 0 implies x≤0. Next, Deduce expands Γ 3 with the assignments (x≤0)∨¬l 2 , x≤0 j 5 : l 2 , l 2 ∨(z y), l 2 j 6 : z y, carrying proof terms j 5 =UP(x≤0∨¬l 2 , {x ≤ 0}) and j 6 =UP(l 2 ∨(z y), A Resolve step yields conflict state Γ 4 ; { f (z) f (y), l 2 ∨(z y), l 2 }; c 6 , with conflict proof term c 6 = res( j 6 , (z y).c 5 ) that expands upward leaf z y of c 5 with its proof j 6 . Similarly, another Resolve step produces conflict state with conflict proof term c 7 = res( j 5 , l 2 .c 6 ) that expands upward leaf l 2 of c 6 with its proof j 5 . The conflict is solved by a LearnBackjump transition that jumps back to level 0 and learns x≤0 as with deduction proof term j 8 = lem({x≤0}.c 7 ). As a byproduct, decision A 1 is gone, and the resulting trail Γ 5 contains the initial assignments, the learned lemmas, namely ¬l 2 ∨ ¬l 4 , x≤0 ∨ l 2 , and x≤0, and the level 0 propagation f (z) f (y). Lemma x≤0 enables Deduce to perform two unit propagations involving input clauses: x ≤0∨l 2 , x≤0 j 9 : l 2 , x ≤0∨l 4 , x≤0 j 10 : l 4 , with j 9 = UP(x ≤0∨l 2 , {x≤0}) and j 10 = UP(x ≤0∨l 4 , {x≤0}). Let Γ 6 be Γ 5 thus expanded. At this point the conflict in Γ 6 ; {¬l 2 ∨¬l 4 , l 2 , l 4 }; c 8 is at level 0. Conflict proof term c 8 = cfl(UP(¬l 2 ∨¬l 4 , {l 2 }), l 4 ) records the conflict between l 4 and ¬l 4 , the latter derived by Unit Propagation from ¬l 2 ∨ ¬l 4 and l 2 . While CDSAT would halt, proof-carrying CDSAT performs the series of Resolve steps in Fig. 8. When Resolve replaces a justified assignment by its justification, the proof term evolves as seen before. When Resolve removes an initial assignment from the conflict, the corresponding leaf in the associated proof term gets surrounded by the in constructor to mark it as a leaf of the final proof. When the conflict is empty, Fail fires returning unsat(c 21 ). where j 11 = lem({l 4 }.c 2 ). Conflict {¬l 2 ∨¬l 4 , l 2 , l 4 } would not be detected as in Example 10, and more steps would be necessary to discover it. Such steps would build another proof of ¬l 2 ∨ ¬l 4 , possibly identical to the first forgotten one. Furthermore, lemmas can be reused and may appear multiple times in the final proof term. Lemma ¬l 2 ∨¬l 4 is used twice in Example 10, and it occurs twice in c 13 − c 21 : once in c 8 , and once in c 12 , because c 12 contains j 4 , which contains c 4 , which contains j 2 , where ¬l 2 ∨¬l 4 appears. Also, deduction proof terms referring to first-order decisions do not appear in the final proof term: an inspection of c 21 shows that j 3 is absent. The reason is that first-order decisions play a role in finding models, not proofs. An easy optimization avoids constructing deduction proof terms involving first-order decisions.

Proof Reconstruction: From Proof Terms to Proofs
The motivation for using the proof-carrying CDSAT system is the ability to justify the unsatisfiability of an input with a proof. When CDSAT concludes unsat(c), the proof term c and its associated derivation of c : ⊥ can be considered as a proof of unsatisfiability of the input, following Theorem 11. If need be, the rules of Fig. 6 can be used for proof checking. If another proof format is preferred, c indicates how a proof in that format can be reconstructed, having CDSAT traced in c how a contradiction was reached from a logical point of view. Indeed, a deduction proof term j with H j : A (resp. a conflict proof term c with E c : ⊥) can be decoded into, or can be seen as denoting, a proof of H 0 ∪ H | A (resp. H 0 ∪ E | ⊥) in the format of choice.
A first option is to decode proof terms into proofs after CDSAT halts, in a post-processing phase. A second option consists of identifying first the proof operations corresponding to the rules of Fig. 6 in the target proof format and then reading the proof-carrying CDSAT system as manipulating directly the proofs denoted by proof terms such as in(A), j k , lem(H .c), cfl( j k , a), and res( j, a A.c). In other words, a CDSAT-based solver would build in memory not the proof terms, but the proofs themselves. Of course, the execution of the above-mentioned proof operations during a CDSAT derivation may increase its runtime. In any case, proofcarrying CDSAT is modular in the way theory proofs are handled, reconstructed, and checked. In Sect. 7.1 we exemplify proof reconstruction by showing how CDSAT proof terms can be turned into resolution-style proof trees. In Sect. 7.2 we discuss yet another alternative consisting of applying to CDSAT the LCF approach to proofs. Fig. 9 Transformation of CDSAT proof terms into CDSAT resolution proofs singleton Boolean assignments labeling leaves and guarded clauses of the form ∅ → C labeling leaves or internal nodes. In other words, the reconstructed proof is a resolution refutation in the standard sense, with leaves labeled by input assignments or theory lemmas. On the other hand, Bool-lemmas are a non-standard feature that also enables the sharing of resolution proofs. For instance, in the refutation of Example 10, the conflict proof term c 19 = res( j 1 , ¬l 2 ∨¬l 4 .c 18 ) (see Fig. 8 In the proof reconstructed from c 21 , CDSAT clause ∅ → L 1 || L 2 resolves with initial assignments L 1 and L 2 to yield ∅ → ∅. The double occurrence of ¬l 2 ∨¬l 4 in c 18 (see Example 10), means that the resolution proof ¬l 2 ∨¬l 4 c 18 : ⊥ has two leaves labeled by the same Boollemma ∅ → (¬l 2 ∨¬l 4 ) || l 2 || l 4 .
An alternative refutation can be obtained by replacing those two leaves with the subproof translating c 2 , and replacing (¬l 2 ∨¬l 4 ) by L 1 || L 2 in all nodes underneath. This avoids the explicit conversions between the object-level clause ¬l 2 ∨¬l 4 and the CDSAT clause l 2 || l 4 . However, in this alternative proof, the subtree for c 2 is duplicated. Such duplications are customary in resolution proof trees where there is only one kind of clauses. By distinguishing between object-level clauses and CDSAT clauses, and using the former for input clauses and the latter for generated clauses, CDSAT natively supports the sharing of subproofs that one obtains by replacing trees with directed acyclic graphs.

An LCF Architecture for CDSAT
Another example of proof format is the "dummy" one, where proofs do not contain any information other than what they are supposed to be the proofs of : 1. A deduction proof for proof term j with H j : L is the pair H , L , and 2. A conflict proof for proof term c with H c : ⊥ is H .
Although this proof format does not allow any proof checking, the trustworthiness of a reasoner producing such proofs can still be established by the LCF programming abstraction [30,47]. This approach uses a type theorem , whose constructed inhabitants are provable formulae. Actually, this type is defined as an alias for the type formula of formulae, but this is known only to a fixed and well-identified piece of code, called the LCF kernel. This kernel hides the definition of theorem to the outside world and exports a range of kernel primitives to manipulate inhabitants of type theorem in a safe and provably correct way. For instance, assuming that ⇒ denotes implication, a primitive modus_ponens : theorem -> theorem -> theorem takes as arguments two inhabitants F and G of type theorem, checks that F is of the form G ⇒ R, and returns R as an inhabitant of theorem. The kernel can export a primitive that reveals that an inhabitant of theorem is a formula, but not one that casts any inhabitant of formula into type theorem. Thus, the existence of an inhabitant F of theorem witnesses the fact that F is provable, as an inhabitant only results from a series of correct manipulations by the kernel primitives: if the kernel code is trusted, then F can be trusted to be a theorem, while no proof has ever been constructed in memory. CDSAT is well-suited for the LCF approach: given a type assign for assignments and single_assign for singleton assignments, a trusted kernel defines types type deduction = assign * single_assign type conflict = assign hides their definitions to the outside world and exports a range of primitives corresponding to the proof term constructs.
The signature in Fig. 10 lists hidden-type definitions and exported primitives. The primitives check that the conditions of the rules in Fig. 6 are met: in checks that its argument is one of the initial assignments; lem takes as arguments a conflict E and an assignment H , checks that H is Boolean and included in E, computes a clausal form L of H , and produces the deduction E\H , L , where \ is set subtraction. Primitive res takes a deduction H , A and a conflict, checks that A occurs in the conflict, and returns the conflict where A is replaced by H . Primitives coerc and cfl take as arguments a T k -proof, 1 ≤ k ≤ n, given as an inhabitant of 'k theory_proof, a type parameterized by k. Their first argument is a handler for theory T k , whose type 'k theory_handler is parameterized by a matching k, as implemented for example by a generalized algebraic datatype [19,55]. The handler allows the primitives to check that T k is one of the combined theories before coercing the T k -proof, trusted to be correct, into a deduction or a conflict. Proof-carrying CDSAT can be programmed on top of this kernel, so that, when it halts with answer unsat(c), the proof term c is an inhabitant of type conflict. The reveal primitive applied to c will return the empty assignment. Although no proof has been constructed in memory, the answer is correct by construction.

Discussion
Conflict-driven satisfiability procedures work by building partial assignments, detecting conflicts when the assignment falsifies the input formula, and performing conflict-driven inferences to explain conflicts and reorient the search. In prior work [11], we presented CDSAT as a conflict-driven combination framework for disjoint theories and proved its soundness, termination, and completeness. The present article has extended the theoretical foundations of CDSAT in three main directions, namely lemma learning, properties of theory modules (i.e., the theory inference systems that CDSAT orchestrates), and proof generation.
We generalized the lemma learning capability of CDSAT, in such a way that new clauses can be formed and learned during backjumping from a conflict, and the destination level of backjumping can be chosen according to different heuristics, including learn and restart. Soundness, termination, and completeness of CDSAT are preserved.
We proved that the theory modules listed in [11] for the Boolean theory, equality, arrays with extensionality, and linear rational arithmetic, as well as generic black-box modules for stably infinite and non-stably infinite theories, are complete with respect to all suitable leading theories in a union of theories, and admit finite local bases. We also showed how to get a finite global basis for the union of the theories from finite local bases for the individual theories. These results mean that the assumptions for the termination and completeness of CDSAT can indeed be satisfied, complementing our previous general results [11]. By including blackbox modules for stably infinite theories CDSAT subsumes the equality-sharing method for theory combination [42,48,49], also known as Nelson-Oppen scheme, including model-based theory combination [23]. By handling also non-stably infinite theories, CDSAT goes beyond equality sharing (see [9] for a survey of other approaches to this issue).
We presented a proof-carrying CDSAT transition system that constructs and carries proof terms, so that a proof can be reconstructed when CDSAT discovers that the input problem is unsatisfiable. CDSAT proof terms can be rendered in a number of proof formats, and the resulting proofs checked by a trusted checker, or shown to be correct by construction in LCF style. A translation to resolution-style proofs is illustrated as example.
Research on CDSAT as a new paradigm for theory combination has just begun, and there are many directions for future work. A main objective is an implementation of CDSAT, either in the form of a CDSAT-based prototype (e.g., [6,14]) or by extending the implementation of MCSAT in the Yices SMT solver [25]. An implementation can be used for exploring and evaluating different search plans and proof formats, the latter in connection with the objective of efficient proof checking. The design of a CDSAT search plan involves both global issues about reasoning in the theory union and local issues about reasoning in each theory. At the local level, each theory search plan is in charge of detecting the applicability of inferences and the acceptability of decisions. At the global level, the search plan decides which CDSAT transition rule to apply next, coordinates the theory modules, prioritizing them with respect to both decisions and deductions, and controls lemma learning.
CDSAT proofs may be extended to account for preprocessing and inprocessing techniques (e.g., [2,38]), evaluating the cost of proof generation and proof checking (e.g., [2,3]), and studying proof formats to reduce it (e.g., [22]). At the foundational level, we may investigate empowering CDSAT to handle unions of non-disjoint theories (e.g., [20,28]), or formulae with quantifiers, considering model-based conflict-driven instantiation (e.g., [4,51]), or integrations with first-order logic modules (e.g., [13,15]). ratory of SRI International, whose support is greatly appreciated, and completed while the first author was participating in a program at the Simons Institute for the Theory of Computing. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NSF, DARPA, or the US Government.
Funding Open access funding provided by Università degli Studi di Verona within the CRUI-CARE Agreement.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.