Combination of Uniform Interpolants via Beth Definability

Uniform interpolants were largely studied in non-classical propositional logics since the nineties, and their connection to model completeness was pointed out in the literature. A successive parallel research line inside the automated reasoning community investigated uniform quantifier-free interpolants (sometimes referred to as “covers”) in first-order theories. In this paper, we investigate cover transfer to theory combinations in the disjoint signatures case. We prove that, for convex theories, cover algorithms can be transferred to theory combinations under the same hypothesis needed to transfer quantifier-free interpolation (i.e., the equality interpolating property, aka strong amalgamation property). The key feature of our algorithm relies on the extensive usage of the Beth definability property for primitive fragments to convert implicitly defined variables into their explicitly defining terms. In the non-convex case, we show by a counterexample that covers may not exist in the combined theories, even in case combined quantifier-free interpolants do exist. However, we exhibit a cover transfer algorithm operating also in the non-convex case for special kinds of theory combinations; these combinations (called ‘tame combinations’) concern multi-sorted theories arising in many model-checking applications (in particular, the ones oriented to verification of data-aware processes).


Introduction
This paper is devoted to combination results concerning uniform interpolants. In this introduction, we summarize the two main (quite independent indeed) research lines that investigated uniform interpolants in the last three decades. We first recall what uniform interpolants are; we fix a logic or a theory T and a suitable fragment (propositional, first-order quantifier-free, etc.) of its language L. Given an L-formula φ(x, y) (here x, y are the variables occurring in φ), a uniform interpolant of φ (w.r.t. y) is an L-formula φ'(x) where only the x occur, and that satisfies the following two properties: (i) φ(x, y) ⊢_T φ'(x); (ii) for any further L-formula ψ(x, z) such that φ(x, y) ⊢_T ψ(x, z), we have φ'(x) ⊢_T ψ(x, z). Whenever uniform interpolants exist, one can compute an interpolant for an entailment like φ(x, y) ⊢_T ψ(x, z) in a way that is independent of ψ.
Uniform interpolants were originally studied in the context of non-classical logics, starting from the pioneering work by Pitts [40]. Uniform interpolants have in such non-classical logics context a 'local' and a 'global' version, depending on how the entailment ⊢_T is interpreted: in the local version it is interpreted as 'provability of implication', whereas in the global version it is interpreted as 'provability under assumption' (the two versions coincide for intuitionistic logic, but not for modal logics). The local version of uniform interpolation allows an (albeit not faithful) interpretation of the second order propositional calculus into plain propositional calculus, whereas the global version can be used in the axiomatization of model completions for the corresponding classes of algebras (see below). Uniform interpolants can be semantically connected to some appropriate notion of bisimulation at the level of Kripke models [13].
The existence of uniform interpolants is an exceptional phenomenon, which is however not so infrequent, as witnessed by a large literature in non-classical logics (a non-exhaustive list includes [1,16,22,23,25,34,37,42,45,46]). The main results from the above papers are that uniform interpolants exist for intuitionistic logic and for some modal systems (like the Gödel-Löb system and the S4.Grz system); they do not exist for instance in S4 and K4, whereas for the basic modal system K they exist for the local version but not for the global version (the opposite situation is also well-possible, already in the locally finite case, as a consequence of Maksimova's results on amalgamation and super-amalgamation [35,36]). The connection between (global) uniform interpolants and model completions (for equational theories axiomatizing the varieties corresponding to propositional logics) was first stated in [24] and further developed in [25,34,37,45].
In the last decade, also the automated reasoning community developed an increasing interest in uniform interpolants, with particular focus on quantifier-free fragments of first-order theories. This is witnessed by various talks and drafts by D. Kapur presented in many conferences and workshops (FLoC 2010, ISCAS 2013-14, SCS 2017 [33]), as well as by the paper [32] by Gulwani and Musuvathi in ESOP 2008. In this last paper uniform interpolants were renamed as covers, a terminology we shall frequently adopt in this paper too. In these contributions, examples of cover computations were supplied and also some algorithms were sketched. The first formal proof about existence of covers in EUF was however published by the present authors only in [6]; such a proof was equipped with powerful semantic tools (the Cover-by-Extensions Lemma 1 below) coming from the connection to model-completeness, as well as with an algorithm relying on a constrained variant of the Superposition Calculus (two simpler algorithms are studied in [27], the related completeness proofs are available in [26,30]). The usefulness of covers in model checking was already stressed in [32] and further motivated by our recent line of research on the verification of data-aware processes [4,5,7,9]. Notably, it is also operationally mirrored in the MCMT [21] implementation since version 2.8. Covers (via quantifier elimination in model completions and hierarchical reasoning) play an important role in symbol elimination problems in theory extensions, as witnessed in the comprehensive paper [43] and in related papers [39] studying invariant synthesis in model checking applications.
An important question suggested by the applications is the cover transfer problem for combined theories: for instance, when modeling and verifying data-aware processes, it is natural to consider the combination of different theories, such as the theories accounting for the read-write and read-only data storage of the process as well as those for the elements stored therein [5,6,7,10]. Formally, the cover transfer problem can be stated as follows: by supposing that covers exist in theories T_1, T_2, under which conditions do they exist also in the combined theory T_1 ∪ T_2? In this paper we show that the answer is affirmative in the disjoint signatures convex case, using the same hypothesis (that is, the equality interpolating condition) under which quantifier-free interpolation transfers. Thus, for convex theories we essentially obtain a necessary and sufficient condition, in the precise sense captured by Theorem 6 below. We also prove that if convexity does not hold (as it happens, e.g., for integer difference logic IDL or for linear integer arithmetics LIA), the non-convex equality interpolating property [2] may not be sufficient to ensure the cover transfer property. As a witness for this, we show that EUF combined with integer difference logic or with linear integer arithmetics constitutes a counterexample.
The main tool employed in our combination result is the Beth definability theorem for primitive formulae (this theorem has been shown to be equivalent to the equality interpolating condition in [2]). In order to design a combined cover algorithm, we exploit the equivalence between implicit and explicit definability that is supplied by the Beth theorem. Implicit definability is reformulated, via covers for input theories, at the quantifier-free level. Thus, the combined cover algorithm guesses the implicitly definable variables, then eliminates them via explicit definability, and finally uses the component-wise input cover algorithms to eliminate the remaining (non implicitly definable) variables. The identification and the elimination of the implicitly defined variables via explicitly defining terms is an essential step towards the correctness of the combined cover algorithm: when computing a cover of a formula φ(x, y) (w.r.t. y), the variables x are (non-eliminable) parameters, and those variables among the y that are implicitly definable need to be discovered and treated in the same way as the parameters x. Only after this preliminary step (Lemma 6 below), the input cover algorithms can be suitably exploited (Proposition 2 below).
The combination result we obtain is quite strong, as it is a typical 'black box' combination result: it applies not only to theories used in verification (like the combination of real arithmetics with EUF), but also in other contexts. For instance, since the theory B of Boolean algebras satisfies our hypotheses (being model completable and strongly amalgamable [19]), we get that uniform interpolants exist in the combination of B with EUF. The latter is the equational theory algebraizing the basic non-normal classical modal logic system E from [41] (extended to n-ary modalities). Notice that this result must be contrasted with the case of many systems of Boolean algebras with operators where existence of uniform interpolation fails [34] (recall that operators on a Boolean algebra are not just arbitrary functions, but are required to be monotonic and also to preserve either joins or meets in each coordinate).
As a last important comment on related work, it is worth mentioning that Gulwani and Musuvathi in [32] also have a combined cover algorithm for some convex, signature disjoint theories. Their algorithm looks quite different from ours; apart from the fact that a full correctness and completeness proof for such an algorithm has never been published, we underline that our algorithm is rooted on different hypotheses. In fact, we only need the equality interpolating condition and we show that this hypothesis is not only sufficient, but also necessary for cover transfer in convex theories; consequently, our result is formally stronger. The equality interpolating condition was known to the authors of [32] (but not even mentioned in their paper [32]): in fact, it was introduced by one of them some years before [47]. The equality interpolating condition was then extended to the non convex case in [2], where it was also semantically characterized via the strong amalgamation property.
The paper is organized as follows: after some preliminaries in Sect. 2, the crucial Covers-by-Extensions Lemma and the relationship between covers and model completions from [6] are recalled in Sect. 3. In Sect. 4, we present some preliminary results from the literature on interpolation, amalgamation, strong amalgamation and Beth definability that are instrumental to our machinery. After some useful facts about convex theories in Sect. 5, we introduce the combined cover algorithms for the convex case and we prove its correctness in Sect. 6; we also present a detailed example of application of the combined algorithm in case of the combination of EUF with linear real arithmetic, and we show that the equality interpolating condition is, in a natural sense, necessary for combining covers. In Sect. 7 we exhibit a counterexample to the existence of combined covers in the non-convex case. Finally, in Sect. 8 we prove that for the 'tame' multi-sorted theory combinations used in our applications to data-aware processes verification, covers existence transfers to the combined theory under only the stable infiniteness requirement for the shared sorts. Section 9 is devoted to the conclusions and discussion of future work. The current paper is the extended version of [8]; in addition to supplying full self-contained proofs of the results of [8], it contains the entirely new Sect. 8 dedicated to the positive results for the non-convex tame case.

Preliminaries
We adopt the usual first-order syntactic notions of signature, term, atom, (ground) formula, and so on; our signatures are always finite or countable and include equality. To avoid considering limit cases, we assume that signatures always contain at least an individual constant. We compactly represent a tuple x_1, ..., x_n of variables as x; by abuse of notation, we sometimes use x_1, ..., x_n to denote also sets of variables (not just tuples). The notation t(x), φ(x) means that the term t, the formula φ has free variables included in the tuple x. This tuple is assumed to be formed by distinct variables, thus we underline that when we write e.g. φ(x, y), we mean that the tuples x, y are made of distinct variables that are also disjoint from each other.
A formula is said to be universal (resp., existential) if it has the form ∀x(φ(x)) (resp., ∃x(φ(x))), where φ is quantifier-free. Formulae with no free variables are called sentences. On the semantic side, we use the standard notion of Σ-structure M and of truth of a formula in a Σ-structure under a free variables assignment. The support of M is denoted as |M|. The interpretation of a (function, predicate) symbol σ in M is denoted σ^M.
A Σ-theory T is a set of Σ-sentences; a model of T is a Σ-structure M where all sentences in T are true. We use the standard notation T ⊨ φ to say that φ is true in all models of T for every assignment to the variables occurring free in φ. We say that φ is T-satisfiable iff there is a model M of T and an assignment to the variables occurring free in φ making φ true in M.
We now focus on the constraint satisfiability problem and quantifier elimination for a theory T. A Σ-formula φ is a Σ-constraint (or just a constraint) iff it is a conjunction of literals. The constraint satisfiability problem for T is the following: we are given a constraint φ(x) and we are asked whether there exist a model M of T and an assignment I to the free variables x such that M, I ⊨ φ(x). A theory T has quantifier elimination iff for every formula φ(x) in the signature of T there is a quantifier-free formula φ'(x) such that T ⊨ φ(x) ↔ φ'(x). Since we are in a computational logic context, when we speak of quantifier elimination, we assume that it is effective, namely that it comes with an algorithm for computing φ' out of φ. It is well-known that quantifier elimination holds in case we can eliminate quantifiers from primitive formulae, i.e., formulae of the kind ∃y φ(x, y), with φ a constraint.
We recall also some further basic notions. Let Σ be a first-order signature. The signature obtained from Σ by adding to it a set a of new constants (i.e., 0-ary function symbols) is denoted by Σ^a. Analogously, given a Σ-structure M, the signature Σ can be expanded to a new signature Σ^{|M|} := Σ ∪ {ā | a ∈ |M|} by adding a constant ā (the name for a) for each element a in the support of M, with the convention that two distinct elements are denoted by different "name" constants. M can be expanded to a Σ^{|M|}-structure M̄ := (M, a)_{a∈|M|} just interpreting the additional constants over the corresponding elements. From now on, when the meaning is clear from the context, we will freely use the notation M and M̄ interchangeably: in particular, given a Σ-structure M and a Σ-formula φ(x) with free variables that are all in x, we will write, by abuse of notation, M ⊨ φ(a) instead of M̄ ⊨ φ(ā).
We say that a theory T is stably infinite iff every T-satisfiable constraint is satisfiable in an infinite model of T. Moreover, a theory T is convex iff for every constraint δ, if T ⊢ δ → ⋁_{i=1}^n x_i = y_i then T ⊢ δ → x_i = y_i holds for some i ∈ {1, ..., n}. Strictly speaking, convexity says that if, for a set of literals φ and for a non empty disjunction of variables ⋁_{i=1}^n x_i = y_i, we have T ⊨ φ → ⋁_{i=1}^n x_i = y_i, then we have also T ⊨ φ → x_i = y_i for some i = 1, ..., n. If, instead of variables, we have terms, the same property nevertheless applies: if we have T ⊨ φ → ⋁_{i=1}^n t_i = u_i, then for fresh variables x_i, y_i we get T ⊨ φ ∧ ⋀_{i=1}^n (x_i = t_i ∧ y_i = u_i) → ⋁_{i=1}^n x_i = y_i, which implies, by applying the definition of convexity, the same property for terms.
A Σ-homomorphism (or, simply, a homomorphism) between two Σ-structures M and N is a map μ : |M| −→ |N| among the support sets |M| of M and |N| of N satisfying the condition (M ⊨ ϕ ⇒ N ⊨ ϕ) for all Σ^{|M|}-atoms ϕ (M is regarded as a Σ^{|M|}-structure, by interpreting each additional constant a ∈ |M| into itself and N is regarded as a Σ^{|M|}-structure by interpreting each additional constant a ∈ |M| into μ(a)). In case the last condition holds for all Σ^{|M|}-literals, the homomorphism μ is said to be an embedding and if it holds for all first order formulae, the embedding μ is said to be elementary.
If μ : M −→ N is an embedding which is just the identity inclusion |M| ⊆ |N|, we say that M is a substructure of N or that N is an extension of M. Universal theories can be characterized as those theories T having the property that if N ⊨ T and M is a substructure of N, then M ⊨ T (see [11]). If M is a structure and X ⊆ |M|, then there is the smallest substructure of M including X in its support; this is called the substructure generated by X. If X is the set of elements of a finite tuple a, then the substructure generated by X has in its support precisely the b ∈ |M| such that M ⊨ b = t(a) for some term t.
Let M be a Σ-structure. The diagram of M, written Δ_Σ(M) (or just Δ(M)), is the set of ground Σ^{|M|}-literals that are true in M. An easy but important result, called Robinson Diagram Lemma [11], says that, given any Σ-structure N, the embeddings μ : M −→ N are in bijective correspondence with expansions of N to Σ^{|M|}-structures which are models of Δ_Σ(M). The expansions and the embeddings are related in the obvious way: ā is interpreted as μ(a).

Uniform Interpolants
We report the notion of a cover taken from [32] and also the basic results proved in [6,10]. Fix a theory T and an existential formula ∃e φ(e, y); call a residue of ∃e φ(e, y) any quantifier-free formula belonging to the set of quantifier-free formulae (the above two sets are trivially equal, by applying the ∃-left introduction rule). A quantifier-free formula ψ(y) is said to be a T-cover (or, simply, a cover) of ∃e φ(e, y) iff ψ(y) ∈ Res(∃e φ) and ψ(y) implies (modulo T) all the other formulae in Res(∃e φ). The following "cover-by-extensions" Lemma [6] (to be widely used throughout the paper) supplies a semantic counterpart to the notion of a cover:

Proof See [6].
We underline that, since our language is at most countable, we can assume that the models M, N from (ii) above are at most countable too, by a Löwenheim-Skolem argument.
We say that a theory T has uniform quantifier-free interpolation iff every existential formula ∃e φ(e, y) (equivalently, every primitive formula ∃e φ(e, y)) has a T-cover. Notice that a cover is also called (quantifier-free) uniform interpolant for the following reason. Indeed, it is clear that if T has uniform quantifier-free interpolation, then it has ordinary quantifier-free interpolation [2], in the sense that if we have T ⊨ φ(e, y) → φ'(y, z) (for quantifier-free formulae φ, φ'), then there is a quantifier-free formula θ(y) such that T ⊨ φ(e, y) → θ(y) and T ⊨ θ(y) → φ'(y, z). In fact, if T has uniform quantifier-free interpolation, then the interpolant θ is independent of φ' (the same θ(y) can be used as interpolant for all entailments T ⊨ φ(e, y) → φ'(y, z), varying φ'). Hence, it is straightforward to see that the definition of cover is equivalent to the one of uniform interpolant given in the introduction.
We say that a universal theory T has a model completion iff there is a stronger theory T* ⊇ T (still within the same signature Σ of T) such that:

Other equivalent definitions are possible [11]: for instance, (i) is equivalent to the fact that T and T* prove the same universal formulae or again to the fact that every model of T can be embedded into a model of T*. We recall that the model completion, if it exists, is unique and that its existence implies the quantifier-free interpolation property for T [11] (the latter can be seen directly or via the correspondence between quantifier-free interpolation and amalgamability, see [2]).
A close relationship between model completion and uniform interpolation emerged in the area of propositional logic (see the book [25]) and can be formulated roughly as follows. It is well-known that most propositional calculi, via Lindenbaum constructions, can be algebraized: the algebraic analogue of classical logic are Boolean algebras, the algebraic analogue of intuitionistic logic are Heyting algebras, the algebraic analogue of modal calculi are suitable varieties of modal algebras, etc. Under suitable hypotheses, it turns out that a propositional logic has uniform interpolation (for the global consequence relation) iff the equational theory axiomatizing the corresponding variety of algebras has a model completion [25]. In the context of first order theories, we prove an even more direct connection:

Theorem 1 Suppose that T is a universal theory. Then T has a model completion T* iff T has uniform quantifier-free interpolation. If this happens, T* is axiomatized by the infinitely many sentences where ∃e φ(e, y) is a primitive formula and ψ is a cover of it.

Equality Interpolating Condition and Beth Definability
We report here some definitions and results we need concerning combined quantifier-free interpolation. Most definitions and results come from [2], but are simplified here because we restrict them to the case of universal convex theories. We recall that a theory T is stably infinite iff every T-satisfiable constraint is satisfiable in an infinite model of T. The following lemma comes from a compactness argument:

Lemma 2 If T is stably infinite, then every finite or countable model M of T can be embedded in a model
where {c i } i is a countable set of fresh constants: by the Diagram Lemma and the downward Löwenheim-Skolem theorem [11], it is sufficient to show that this set is consistent (in fact if this set is consistent, there will be a superstructure N of M in which the countably many constants c i will be interpreted on elements which are different from each others and also different from the elements from the support of M).
Suppose the above set is not consistent; then by compactness However, this is a contradiction because by stable infiniteness Δ 0 (being satisfiable in M) is satisfiable in an infinite model of T .
We also recall that a theory T is convex iff for every constraint δ, if T ⊢ δ → ⋁_{i=1}^n x_i = y_i then T ⊢ δ → x_i = y_i holds for some i ∈ {1, ..., n}.
A convex theory T is 'almost' stably infinite in the sense that it can be shown that every constraint which is T-satisfiable in a T-model whose support has at least two elements is satisfiable also in an infinite T-model. The one-element model can be used to build counterexamples, though: e.g., the theory of Boolean algebras is convex (like any other universal Horn theory) but the constraint x = 0 ∧ x = 1 is only satisfiable in the degenerate one-element Boolean algebra. Since we take into account these limit cases, we do not assume that convexity implies stable infiniteness.

Definition 1 A convex universal theory T is equality interpolating iff for every pair y_1, y_2 of variables and for every pair of constraints there exists a term t(x) such that

Quantifier-free interpolation and combined quantifier-free interpolation can be semantically characterized, as we are going to show.

Definition 2 A universal theory T has the amalgamation property iff whenever we are given models M_1 and M_2 of T and their common substructure M_0, there exists a further model M of T endowed with embeddings μ_1 :

A universal theory T has the strong amalgamation property if the above embeddings μ_1, μ_2 and the above model M can be chosen so as to satisfy the following additional condition: if for some m_1, m_2 we have μ_1(m_1) = μ_2(m_2), then there exists an element a in

Theorem 2 [2] The following two conditions are equivalent for a convex universal theory T:

(i) T is equality interpolating and has quantifier-free interpolation; (ii) T has the strong amalgamation property.
Proof For the sake of completeness, we report the proof of the implication (i) ⇒ (ii) (this is the only fact used in the paper). Suppose that T is equality interpolating and has quantifier-free interpolation; we prove that it is strongly amalgamable. If the latter property fails, by Robinson Diagram Lemma, there exist models M_1, M_2 of T together with a shared submodel A such that the set of sentences If the disjunction is empty, we get T ⊨ δ_1(a, m_1) → ¬δ_2(a, m_2) and then we get a contradiction by the quantifier-free interpolation property (the argument is the same as below). Otherwise, by convexity, there are is T-valid. By the equality interpolating property, there is a term t(a) such that is T-valid. By the quantifier-free interpolation property, there is a quantifier-free formula θ(a) such that A and in M_2 as well (truth of quantifier-free formulae moves back and forth via substructures).
We underline that Theorem 2 extends also to the non convex case provided the notion of an equality interpolating theory is suitably adjusted [2].
The next two results (supplied without proof) will be used only in Sect. 6.1 to show that, in some sense, the sufficient conditions of our main combination Theorem 5 are also necessary.
Theorem 3 [2,47] Let T_1 and T_2 be two universal, convex, stably infinite theories over disjoint signatures Σ_1 and Σ_2. If both T_1 and T_2 are equality interpolating and have quantifier-free interpolation property, then so does T_1 ∪ T_2.
The previous theorem essentially states that the equality interpolating property is a sufficient condition for the transfer of quantifier-free interpolation to theory combinations.There is a converse of the previous result, in the sense that it is possible to show that the equality interpolating property is, to some extent, necessary in order to guarantee the transfer of quantifier-free interpolation for minimal combinations with signatures adding only uninterpreted symbols.For this purpose, for a signature Σ, we call EUF(Σ) the pure equality theory over the signature Σ (this theory is equality interpolating and has the quantifier-free interpolation property).
Theorem 4 [2] Let T be a stably infinite, universal, convex theory admitting quantifier-free interpolation and let Σ be a signature disjoint from the signature of T containing at least a unary predicate symbol. Then, T ∪ EUF(Σ) has quantifier-free interpolation iff T is equality interpolating.
In [2] the above definitions and results are extended to the non-convex case and a long list of universal quantifier-free interpolating and equality interpolating theories is given. The list includes EUF(Σ), recursive data theories, as well as linear arithmetics. For linear arithmetics (and fragments of it), it is essential to make a very careful choice of the signature, see again [2] (especially Subsection 4.1) for details. All the above theories admit a model completion (which coincides with the theory itself in case the theory admits quantifier elimination).
The equality interpolating property in a theory T can be equivalently characterized using Beth definability as follows. Consider a primitive formula ∃z φ(x, z, y) (here φ is a conjunction of literals); we say that ∃z φ(x, z, y) implicitly defines y in T iff the formula ∀y ∀y' (∃z φ(x, z, y) ∧ ∃z φ(x, z, y' is T-valid. We say that ∃z φ(x, z, y) explicitly defines y in T iff there is a term t(x) such that the formula For future use, we notice that, by trivial logical manipulations, the formulae (4) and (5) are logically equivalent to ∀y ∀z ∀y' ∀z' (φ(x, z, y) ∧ φ(x, z', y') → y = y') (6) and to ∀y ∀z (φ(x, z, y) → y = t(x)) (7) respectively (we shall use such equivalences without explicit mention).
We say that a theory T has the Beth definability property for primitive formulae iff whenever a primitive formula ∃z φ(x, z, y) implicitly defines the variable y then it also explicitly defines it.

Proposition 1 [2] A convex equality interpolating theory T has the Beth definability property for primitive formulae.
Proof Suppose that T is equality interpolating and that then there is a term t(x) such that Replacing z', y' by z, y via a substitution, we get precisely (7).
We remark that the above Proposition can be inverted (see [2]).

Convex Theories
We now collect some useful facts concerning convex theories. We fix for this section a convex, stably infinite, equality interpolating universal theory T admitting a model completion T*. We let Σ be the signature of T. We fix also a Σ-constraint φ(x, y), where we assume that y = y_1, ..., y_n (recall that the tuple x is disjoint from the tuple y according to our conventions from Sect. 2). For i = 1, ..., n, we let the formula ImplDef^T_{φ,y_i}(x) be the quantifier-free formula equivalent in T* to the formula where the y' are renamed copies of the y. Notice that the variables occurring free in φ are x, y, whereas only the x occur free in ImplDef^T_{φ,y_i}(x) (the variable y_i is among the y and does not occur free in ImplDef^T_{φ,y_i}(x)): these facts coming from our notational conventions are crucial and should be kept in mind when reading this and next section. We need a first semantic technical lemma.

Proof Since T has a model completion, it has uniform quantifier-free interpolants by Theorem 1, hence it has also (ordinary) quantifier-free interpolants. By Theorem 2 it is strongly amalgamable because it is equality interpolating. In conclusion, we are allowed to use strong amalgamation in our proof. By strong amalgamability, we can freely assume that M is generated, as a Σ-structure, by the a: in fact, if we prove the statement for the substructure generated by the a, then strong amalgamability will provide the model we want. By using the Robinson Diagram Lemma, what we need is to prove the consistency of T ∪ Δ(M) with the set of ground sentences where t(x) varies over Σ(x)-terms, the b = b_1, ..., b_n are fresh constants and i varies over 1, ..., n. By convexity, this set is inconsistent iff there exist a term t(x) and i = 1, ..., n such that This however implies that T ∪ Δ(M) has the formula

The following lemma supplies terms which will be used as ingredients in our combined covers algorithm: Then, for every j = 1, ..., k_i, there is a Σ(x)-term t_ij(x) such that As a consequence, a formula of the kind ImplDef^T_{φ,y_i}(x) ∧ ∃y (φ(x, y) ∧ ψ) is equivalent (modulo T) to the formula

Proof We have that (⋁_j L_ij) ↔ ImplDef^T_{φ,y_i}(x) is a tautology, hence from the definition of ImplDef^T_{φ,y_i}(x), we have that however this formula is trivially equivalent to a universal formula (L_ij does not depend on y, y'), hence since T and T* prove the same universal formulae, we get Using Beth definability property (Proposition 1), we get (9), as required, for some terms t_ij(x).
Finally, the second claim of the lemma follows from (9) by trivial logical manipulations.
In all our concrete examples, the theory T has a decidable quantifier-free fragment (namely it is decidable whether a quantifier-free formula is a logical consequence of T or not), thus the terms t_ij mentioned in Lemma 4 can be computed just by enumerating all possible Σ(x)-terms: the computation terminates, because the above proof shows that the appropriate terms always exist. However, this is terribly inefficient and, from a practical point of view, one needs to have at disposal dedicated algorithms to find the required equality interpolating terms. For some common theories (EUF, Lisp-structures, linear real arithmetic), such algorithms are designed in [47]; in [2] [Lemma 4.3 and Theorem 4.4], the algorithms for computing equality interpolating terms are connected to quantifier elimination algorithms in the case of universal theories admitting quantifier elimination.
The following lemma will be useful in the next section:

Lemma 5 Let T have a model completion T* and let the constraint φ(x, y) be of the kind α(x) ∧ φ'(x, y), where y = y_1, ..., y_n. Then for every i = 1, ..., n, the formula

Proof According to (8), the formula ImplDef^T_{φ,y_i}(x) is obtained by eliminating quantifiers in T* from The latter is equivalent, modulo logical manipulations, to whence the claim (eliminating quantifiers in T* from (11) and (12) gives quantifier-free T*-equivalent formulae, hence also T-equivalent formulae because T and T* prove the same quantifier-free formulae).

The Convex Combined Cover Algorithm
Let us now fix two theories T 1 , T 2 over disjoint signatures Σ 1 , Σ 2 .
We assume that both of them satisfy the assumptions from the previous section, meaning that they are convex, stably infinite, equality interpolating, universal and admit model completions T * 1 , T * 2 respectively. We will prove in this section (Theorem 5) that T 1 ∪ T 2 admits a model completion too. We achieve this by supplying a combined algorithm, called ConvexCombCover, for computing T 1 ∪ T 2 -covers: in order to construct the T 1 ∪ T 2 -cover, this combined algorithm exploits the cover algorithms of the component theories. We need to compute a cover for ∃e φ(x, e), where φ is a conjunction of Σ 1 ∪ Σ 2 -literals. By applying rewriting purification steps like φ ⇒ ∃d (d = t ∧ φ(d/t)) (where d is a fresh variable and t is a pure term, i.e. it is either a Σ 1 -term or a Σ 2 -term), we can assume that our formula φ is of the kind φ 1 ∧ φ 2 , where φ 1 is a Σ 1 -formula and φ 2 is a Σ 2 -formula. Thus we need to compute a cover for a formula of the kind ∃e (φ 1 (x, e) ∧ φ 2 (x, e)), (13) where φ i is a conjunction of Σ i -literals (i = 1, 2). By guessing a partition of the e and by replacing each variable e in e with the representative element of its equivalence class, we also assume that both φ 1 and φ 2 contain the literals e i ≠ e j (for i ≠ j) as a conjunct.
Remark 1 It is not clear whether this preliminary guessing step can be avoided. In fact, Nelson-Oppen [38] combined satisfiability for convex theories does not need it; however, combining cover algorithms is a more complicated problem than combining mere satisfiability algorithms and, for technical reasons related to the correctness and completeness proofs below, we were forced to introduce guessing at this step.
To manipulate formulae, our algorithm employs acyclic explicit definitions as follows. When we write ExplDef(z, x) (where z, x are tuples of distinct variables), we mean any formula of the kind (let where the term t i is pure (i.e. it is a Σ i -term) and only the variables z 1 , . . ., z i−1 , x can occur in it. We notice that an existential formula like ∃z (ExplDef(z, x) ∧ ψ(z, x)) can be equivalently converted into a quantifier-free formula: indeed, since the 'explicit definitions' z i = t i are in fact arranged acyclically, the existentially quantified variables z can be recursively eliminated by substituting them with terms containing eventually only the parameters x.
A working formula is a formula of the kind where ψ 1 is a conjunction of Σ 1 -literals and ψ 2 is a conjunction of Σ 2 -literals. The variables x are called parameters, the variables z are called defined variables and the variables e (truly) existential variables. The parameters do not change during the execution of the algorithm. We assume that ψ 1 , ψ 2 in a working formula (14) always contain the literals e i ≠ e j (for distinct e i , e j from e) as a conjunct.
In our starting formula (13), there are no defined variables. However, if via some syntactic check it happens that some of the existential variables can be recognized as defined, then it is useful to display them as such (this observation may avoid redundant cases, leading to inconsistent disjuncts, in the computations below).
A working formula like (14) is said to be terminal iff for every existential variable e i ∈ e we have that Roughly speaking, we can say that in a terminal working formula, all variables which are not parameters are either explicitly definable or recognized as not implicitly definable by both theories; of course, a working formula with no existential variables is terminal.

Lemma 6 Every working formula is equivalent (modulo T 1 ∪ T 2 ) to a disjunction of terminal working formulae.
Proof To compute the required terminal working formulae, it is sufficient to apply the following non-deterministic procedure (the output is the disjunction of all possible outcomes). The non-deterministic procedure applies one of the following alternatives.
(1) Update ψ 1 by adding to it a disjunct from the DNF of e i ∈e ¬ImplDef T 1 ψ 1 ,e i (x, z) and ψ 2 by adding to it a disjunct from the DNF of e i ∈e ¬ImplDef T 2 ψ 2 ,e i (x, z);
(2.i) Select e i ∈ e and h ∈ {1, 2}; then update ψ h by adding to it a disjunct L i j from the DNF of ImplDef T h ψ h ,e i (x, z); the equality e i = t i j (where t i j is the term mentioned in Lemma 4) is added to ExplDef(z, x); the variable e i becomes in this way part of the defined variables.
Notice that in alternative (2.i), the index i in the label (2.i) refers to the variable e i chosen from e.
If alternative (1) is chosen, the procedure stops, otherwise it is recursively applied again and again: we have one truly existential variable less after applying alternative (2.i), so the procedure terminates, since eventually either no truly existential variable remains or alternative (1) is applied. The correctness of the procedure is due to the fact that the following formula is trivially a tautology: The first disjunct is used in alternative (1), the other disjuncts in alternative (2.i). At the end of the procedure, we get a terminal working formula. Indeed, if no truly existential variable remains, then the working formula is trivially terminal. It remains to prove that the working formula obtained after applying alternative (1) is indeed terminal. Let ψ k (for k = 1, 2) be the formula obtained from ψ k after applying alternative (1). We have that ψ k is α(x, z) ∧ ψ k (x, z, e), where α is a disjunct of the DNF of e i ∈e ¬ImplDef T k ψ k ,e i (x, z). We need to show that T k ψ k → ¬ImplDef T k ψ k ,e j (x, z) for every j. Fix such a j; according to Lemma 5, we must show that which is indeed the case because α(x, z) logically implies ¬ImplDef T k ψ k ,e j (x, z), since α(x, z) is a disjunct of the DNF of e i ∈e ¬ImplDef T k ψ k ,e i (x, z).
Thus we are left to the problem of computing a cover of a terminal working formula; this problem is solved in the following proposition:
Proposition 2 A cover of a terminal working formula (14) can be obtained just by unravelling the explicit definitions of the variables z from the formula where θ 1 (x, z) is the T 1 -cover of ∃eψ 1 (x, z, e) and θ 2 (x, z) is the T 2 -cover of ∃eψ 2 (x, z, e).
Proof In order to show that Formula (16) is the T 1 ∪ T 2 -cover of a terminal working formula (14), we apply Lemma 1. The first condition of that lemma is easily fulfilled. Concerning the second condition, we prove that, for every By a Löwenheim-Skolem argument, since our languages are countable, we can suppose that M is at most countable and actually that it is countable by stable infiniteness of our theories, see Lemma 2 (the fact that T 1 ∪ T 2 is stably infinite in case both T 1 , T 2 are such, comes from the proof of Nelson-Oppen combination result, see [17,38,44]).
According to the conditions (15) and the definition of a cover (notice that the formulae ¬ImplDef T h ψ h ,e i (x, z) do not contain the e and are quantifier-free) we have that (for every e i ∈ e).Thus, since M | ImplDef T 1 ψ 1 ,e i (a, c) and M | ImplDef T 2 ψ 2 ,e i (a, c) hold for every e i ∈ e, we can apply Lemma 3 and conclude that there exist a T  But this means that, exactly as it happens in the proof of the completeness of the Nelson-Oppen combination procedure, the Σ 2 -structure on N 2 can be moved back via ι −1 to |N 1 | in such a way that the Σ 2 -substructure from M is fixed and in such a way that the tuple b 2 is mapped to the tuple b 1 .In this way, From Lemma 6, Proposition 2 and Theorem 1, we immediately get Theorem 5 Let T 1 , T 2 be convex, stably infinite, equality interpolating, universal theories over disjoint signatures admitting a model completion.Then T 1 ∪ T 2 admits a model completion too.Covers in T 1 ∪ T 2 can be effectively computed as shown above.
We recall from Theorem 3 that the equality interpolating property transfers to combination of theories too, when it holds in the component theories.
We now summarize the steps of the combined cover algorithm ConvexCombCover that takes as input the primitive formula ∃e φ(x, e), where φ is a conjunction of Σ 1 ∪ Σ 2 -literals:
1: Apply rewriting purification steps, like φ ⇒ ∃d (d = t ∧ φ(d/t)) (where d is a fresh variable and t is a pure term), until φ = φ 1 ∧ φ 2 , where φ i is a Σ i -formula (i = 1, 2).
2: Guess a partition of the e and replace each e k with the representative element of its equivalence class.
3: Apply the non-deterministic procedure of Lemma 6 to φ so as to get a disjunction of terminal working formulae T W j , where each disjunct T W j is ∃z (ExplDef j (z, x) ∧ ∃e (ψ j,1 (x, z, e) ∧ ψ j,2 (x, z, e)))
4: For every disjunct T W j , compute the T 1 -cover of ∃eψ j,1 (x, z, e), say θ j,1 (x, z), and the T 2 -cover of ∃eψ j,2 (x, z, e), say θ j,2 (x, z).
5: Return as output the disjunction j ∃z (ExplDef j (z, x) ∧ θ j,1 (x, z) ∧ θ j,2 (x, z)).
Notice that the input cover algorithms in the above combined cover computation algorithm are used not only in the final step described in Proposition 2, but also every time we need to compute a formula ImplDef T h ψ h ,e i (x, z): according to its definition, this formula is obtained by eliminating quantifiers in T * i from (8) (this is done via a cover computation, reading ∀ as ¬∃¬). In practice, implicit definability is not very frequent, so that in many concrete cases ImplDef T h ψ h ,e i (x, z) is trivially equivalent to ⊥ (in such cases, Step (2.i) above can obviously be disregarded).
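The purification rewriting of step 1 and the unravelling of acyclic explicit definitions ExplDef(z, x) used in step 5 are inverse syntactic operations on terms. The Python code below is an added example, not code from the paper or from any tool it mentions; the tuple encoding of terms, the choice of f as the only Σ 1 -symbol and of +, −, 0, 1 as Σ 2 -symbols, and the fresh names d1, d2, ... are assumptions made for the illustration.

```python
# Added illustration. Terms are nested tuples ("symbol", arg, ...); variables are strings.
# Assumed signatures (constructed for this example): Sigma_1 = {f} (EUF),
# Sigma_2 = {+, -, 0, 1} (a fragment of the linear arithmetic signature).
SIGMA = {"f": 1, "+": 2, "-": 2, "0": 2, "1": 2}


def theory_of(term):
    """Index (1 or 2) of the signature owning the root symbol of a non-variable term."""
    return SIGMA[term[0]]


def variables(term):
    """Set of variables occurring in a term."""
    if isinstance(term, str):
        return {term}
    return set().union(*(variables(a) for a in term[1:]))


def alternations(term):
    """Maximum number of signature switches along a root-to-leaf path (0 means pure)."""
    if isinstance(term, str):
        return 0
    best = 0
    for arg in term[1:]:
        if isinstance(arg, str):
            continue
        switch = 1 if theory_of(arg) != theory_of(term) else 0
        best = max(best, switch + alternations(arg))
    return best


def purify(term, defs):
    """Step 1: replace every alien subterm t by a fresh variable d and record d = t.

    Definitions are appended to `defs` innermost first, so each defining term is pure
    and mentions only earlier fresh variables and the original variables.
    Assumption: the input does not already use the names d1, d2, ...
    """
    if isinstance(term, str):
        return term
    home = theory_of(term)
    new_args = []
    for arg in term[1:]:
        pure_arg = purify(arg, defs)
        if not isinstance(pure_arg, str) and theory_of(pure_arg) != home:
            fresh = f"d{len(defs) + 1}"
            defs.append((fresh, pure_arg))
            pure_arg = fresh
        new_args.append(pure_arg)
    return (term[0],) + tuple(new_args)


def substitute(term, env):
    """Replace variables by the terms bound to them in env."""
    if isinstance(term, str):
        return env.get(term, term)
    return (term[0],) + tuple(substitute(a, env) for a in term[1:])


def unravel(defs, term, params):
    """Eliminate the defined variables of an acyclic ExplDef(z, x) from `term`.

    `defs` is the ordered list [(z_1, t_1), ..., (z_n, t_n)]; t_i must be pure and
    may mention only z_1, ..., z_{i-1} and the parameters, otherwise ValueError.
    """
    env, allowed = {}, set(params)
    for name, rhs in defs:
        if alternations(rhs) != 0:
            raise ValueError(f"{name}: defining term is not pure")
        if not variables(rhs) <= allowed:
            raise ValueError(f"{name}: definition is cyclic or uses an undeclared variable")
        env[name] = substitute(rhs, env)
        allowed.add(name)
    return substitute(term, env)


# Constructed sample input: the mixed term f(x1 + f(x2 - 1)).
MIXED = ("f", ("+", "x1", ("f", ("-", "x2", ("1",)))))


def demo():
    defs = []
    pure = purify(MIXED, defs)
    return pure, defs, unravel(defs, pure, {"x1", "x2"})


if __name__ == "__main__":
    pure, defs, back = demo()
    print("purified term:", pure)
    for name, rhs in defs:
        print(f"  {name} = {rhs}")
    print("unravelled:", back, "alternations:", alternations(back))
```

Each recorded definition is pure, yet the unravelled term alternates between the two signatures at every nesting level.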

The Necessity of the Equality Interpolating Condition
The following result shows that equality interpolating is a necessary condition for a transfer result, in the sense that it is already required for minimal combinations with signatures adding uninterpreted symbols:
Theorem 6 Let T be a convex, stably infinite, universal theory admitting a model completion and let Σ be a signature disjoint from the signature of T containing at least a unary predicate symbol. Then T ∪ EUF(Σ) admits a model completion iff T is equality interpolating.
Proof The necessity can be shown by using the following argument. By Theorem 1, T ∪ EUF(Σ) has uniform quantifier-free interpolation, hence also ordinary quantifier-free interpolation. We can now apply Theorem 4 and get that T must be equality interpolating. Conversely, the sufficiency comes from Theorem 5 together with the fact that EUF(Σ) is trivially universal, convex, stably infinite, has a model completion [6] and is equality interpolating [2,47].

An Example of Combined Covers for the Convex Case
We now analyze an example in detail. Our results apply for instance to the case where T 1 is EUF(Σ) and T 2 is linear real arithmetic. By 'linear real arithmetic' we mean the set of sentences which are true in the reals under the natural interpretation of the symbols, in the language containing +, −, 0, 1, <, = and also infinitely many unary division operations by positive integer coefficients. This theory can be axiomatized as the theory of totally ordered abelian groups with the divisibility axiom n • (x/n) = x and with 0 ≠ 1 (last axiom excludes degeneracy); this axiomatization is universal and ensures quantifier elimination (hence also the equality interpolating property, see [2] [Theorem 4.4]). This theory is also convex: actually convexity comes from the geometric fact that if a convex set is included in a finite nonempty union of hyperplanes, then it is contained in one of them.
We recall that covers are computed in linear real arithmetic by quantifier elimination, whereas for EUF(Σ) one can apply the superposition-based algorithm from [6]. Let us show that the cover of is the following formula Formula (17) is already purified. Notice also that the variables e 1 , e 2 are in fact already explicitly defined (only e 3 , e 4 are truly existential variables).
We first make the partition guessing. There is no need to involve defined variables into the partition guessing, hence we need to consider only two partitions; they are described by the following formulae: We first analyze the case of P 1 . The formulae ψ 1 and ψ 2 to which we need to apply exhaustively Step (1) and Step (2.i) of our algorithm are: We first compute the implicit definability formulae for the truly existential variables with respect to both T 1 and T 2 .
- We first consider ImplDef T 1 ψ 1 ,e 3 (x, z). Here we show that the cover of the negation of formula (8) is equivalent to (so that ImplDef T 1 ψ 1 ,e 3 (x, z) is equivalent to ⊥). We must quantify over truly existential variables and their duplications, thus we need to compute the cover of This is a saturated set according to the superposition based procedure of [6], hence the result is , as claimed.

So, if we apply Step 1 we get
Step (2.i) (for i=4) gives a formula logically equivalent to (20). Notice that (20) is terminal too, because all existential variables are now explicitly defined (this is a lucky side-effect of the fact that e 3 has been moved to the defined variables). Thus the exhaustive application of Steps (1) and (2.i) is concluded.
Applying the final step of Proposition 2 to (20) is quite easy: it is sufficient to unravel the acyclic definitions. The result, after little simplification, is this can be further simplified to As to formula (19), we need to apply the final cover computations mentioned in Proposition 2. The formulae ψ 1 and ψ 2 are now The T 1 -cover of ψ 1 is . For the T 2 -cover of ψ 2 , eliminating with Fourier-Motzkin the variables e 4 and e 3 , we get after unravelling the explicit definitions of e 1 , e 2 . Thus, the analysis of the case of the partition P 1 gives, as a result, the disjunction of (21) and (22).
We now analyze the case of P 2 . Before proceeding, we replace e 4 with e 3 (since P 2 precisely asserts that these two variables coincide); our formulae ψ 1 and ψ 2 become From ψ 1 we deduce e 3 = x 1 , thus we can move e 3 to the explicitly defined variables (this avoids useless calculations: the implicit definability condition for variables having an entailed explicit definition is obviously , so making case split on it produces either tautological consequences or inconsistencies). In this way we get the terminal working formula Unravelling the explicit definitions, we get (after exhaustive simplifications) Now, the disjunction of (21), (22) and (24) is precisely the final result (18) claimed above. This concludes our detailed analysis of our example.
Notice that the example shows that combined cover computations may introduce terms with arbitrary alternations of symbols from both theories (like point is that when a variable becomes explicitly definable via a term in one of the theories, then using such additional variable may in turn cause some other variables to become explicitly definable via terms from the other theory, and so on and so forth; when ultimately the explicit definitions are unraveled, highly nested terms arise with many symbol alternations from both theories.

The Non-convex Case: A Counterexample
In this section, we show by giving a suitable counterexample that the convexity hypothesis cannot be dropped from Theorems 5 and 6. We make use of basic facts about ultrapowers (see [11] for the essential information we need). We take as T 1 integer difference logic IDL, i.e. the theory of integer numbers under the unary operations of successor and predecessor, the constant 0 and the strict order relation <. This is stably infinite, universal and has quantifier elimination (thus it coincides with its own model completion). It is not convex, but it satisfies the equality interpolating condition, once the latter is suitably adjusted to non-convex theories, see [2] for the related definition and all the above mentioned facts.
As T 2 , we take EUF(Σ f ), where Σ f has just one unary free function symbol f (this f is supposed not to belong to the signature of T 1 ).
Proposition 3 Let T 1 , T 2 be as above; the formula does not have a cover in T 1 ∪ T 2 .
Proof Suppose that (25) has a cover φ(x). This means (according to Cover-by-Extensions Lemma 1) that for every model M of T 1 ∪ T 2 and for every element a ∈ |M| such that M ⊨ φ(a), there is an extension N of M such that N ⊨ ∃e (0 < e ∧ e < a ∧ f (e) = 0). Consider the model M, so specified: the support of M is the set of the integers, the symbols from the signature of T 1 are interpreted in the standard way and the symbol f is interpreted so that 0 is not in the image of f . Let a k be the number k > 0 (it is an element from the support of M). Clearly it is not possible to extend M so that ∃e (0 < e ∧ e < a k ∧ f (e) = 0) becomes true: indeed, we know that all the elements in the interval (0, k) are definable as iterated successors of 0 and, by using the axioms of IDL, no element can be added between a number and its successor, hence this interval cannot be enlarged in a superstructure. We conclude that M ⊨ ¬φ(a k ) for every k.
Consider now an ultrapower D M of M modulo a non-principal ultrafilter D and let a be the equivalence class of the tuple (a k ) k∈N ; by the fundamental Łoś theorem [11], D M ⊨ ¬φ(a). We claim that it is possible to extend D M to a superstructure N such that N ⊨ ∃e (0 < e ∧ e < a ∧ f (e) = 0): this would entail, by definition of cover, that D M ⊨ φ(a), contradiction. We now show why the claim is true. Indeed, since (a k ) k∈N has arbitrarily big numbers as its components, we have that, in D M, a is bigger than all standard numbers.
Thus, if we take a further non-principal ultrapower N of D M, it becomes possible to change in it the evaluation of f (b) for some b < a and set it to 0 (in fact, as it can be easily seen, there are elements b ∈ |N | less than a but not in the support of D M).
The counterexample still applies when replacing integer difference logic with linear integer arithmetic (the proof is literally the same).

Tame Combinations
So far, we only analyzed the case.However, many interesting examples arising in model-checking verification are multi-sorted: this is the case of array-based systems [20] and in particular of the array-based system used in data-aware processes verification [5,9].
The above examples suggest restrictions on the theories to be combined other than convexity, in particular they suggest restrictions that make sense in a multi-sorted context.
Most definitions we gave in Sect. 2 have straightforward natural extensions to the multi-sorted case (we leave the reader to formulate them). A little care is needed however for the disjoint signatures requirement. Let T 1 , T 2 be multi-sorted theories in the signatures Σ 1 , Σ 2 ; the disjointness requirement for Σ 1 and Σ 2 can be formulated in this context by saying that the only function or relation symbols in Σ 1 ∩ Σ 2 are the equality predicates over the common sorts in Σ 1 ∩ Σ 2 . We want to strengthen this requirement: we say that the combination T 1 ∪ T 2 is tame iff the sorts in Σ 1 ∩ Σ 2 cannot be a domain sort of a symbol from Σ 1 other than an equality predicate. In other words, if a relation or a function symbol has among its domain sorts a sort from Σ 1 ∩ Σ 2 , then this symbol is from Σ 2 (and not from Σ 1 , unless it is the equality predicate).
Tame combinations arise in infinite-state model-checking (in fact, the definition is suggested by this application domain), where signatures can be split into a signature Σ 2 used to represent 'datatypes' like integers and a signature Σ 1 for representing elements contained in a database: this is customary in the literature on data-aware processes verification [5,9].
Notice that the notion of a tame combination is not symmetric in T 1 and T 2 : to see this, notice that if the sorts of Σ 1 are included in the sorts of Σ 2 , then T 1 must be a pure equality theory (but this is not the case if we swap T 1 with T 2 ). The combination of IDL and EUF(Σ) used in the counterexample of Sect. 7 is not tame: even if we formulate EUF(Σ) as a two-sorted theory, the unique sort of IDL must be a sort of EUF(Σ) too, as witnessed by the impure atom f (e) = 0 in the formula (25). Because of this, for the combination to be tame, IDL should play the role of T 2 (the arithmetic operation symbols are defined on a shared sort); however, the unary function symbol f ∈ Σ has a shared sort as domain sort, so the combination is not tame anyway.
In a tame combination, an atomic formula A can only be of two kinds: (1) we say that A is of the first kind iff the sorts of its root predicate are from Σ 1 \ Σ 2 ; (2) we say that A is of the second kind iff the sorts of its root predicate are from Σ 2 . We use the roman letters e, x, . . . for variables ranging over sorts in Σ 1 \ Σ 2 and the greek letters η, ξ, . . . for variables ranging over sorts in Σ 2 . Thus, if we want to display free variables, atoms of the first kind can be represented as A(e, x, . . .), whereas atoms of the second kind can be represented as A(η, ξ, . . ., t(e, x, . . .), . . .), where the t are Σ 1 -terms. In the following, given two tuples of Σ i -terms α := α 1 , . . ., α n and β := β 1 , . . ., β n (for some i = 1, 2), we use the notation α = β for denoting the conjunction of equalities j α j = β j .

Remark 2
We remark that if a formula ψ(η) is a Σ 1 -formula and η are variables of Σ 2 -sorts, according to the definition of a tame combination, ψ(η) must be a conjunction of equalities and disequalities between variables: indeed, in this case η need to range over the interpretation of a common sort S, and ψ cannot contain non-variable terms built out of η, because there cannot be a Σ 1 -function symbol having S as domain.
Suppose that T 1 ∪ T 2 is a tame combination and that T 1 , T 2 are universal theories admitting model completions T * 1 , T * 2 . We propose the following algorithm, called TameCombCover, to compute the cover of a primitive formula; this formula must be of the kind ∃e ∃η(φ(e, x) ∧ ψ(η, ξ, t(e, x))) (26) where φ is a Σ 1 -conjunction of literals, ψ is a conjunction of Σ 2 -literals and the t are Σ 1 -terms.
The TameCombCover algorithm has three steps:
(i) First Step. We flatten (26) and get ∃e ∃η ∃η (φ(e, x) ∧ η = t(e, x) ∧ ψ(η, ξ, η )) (27) where the η are fresh variables abstracting out the t and η = t(e, x) is a component-wise conjunction of equalities.
(ii) Second Step. We apply the cover algorithm of T 1 to the formula ∃e (φ(e, x) ∧ η = t(e, x)) ; (28) this gives as a result a formula φ(x, η ) that we put in DNF. A disjunct of φ will have the form φ 1 (x) ∧ φ 2 (η , t (x)) after separation of the literals of the first and of the second kind. We pick such a disjunct φ 1 (x) ∧ φ 2 (η , t (x)) of the DNF of φ(x, η ) and update our current primitive formula to (this step is nondeterministic: in the end we shall output the disjunction of all possible outcomes). Here again the ξ are fresh variables abstracting out the terms t .
(iii) Third Step. We apply the cover algorithm of T 2 to the formula ∃η ∃η (φ 2 (η , ξ ) ∧ ψ(η, ξ, η )) (30) this gives as a result a formula ψ (ξ , ξ ). We update our current formula to and finally to the equivalent quantifier-free formula
We now show that the above algorithm is correct under very mild hypotheses. We need some technical facts about stably infinite theories in a multi-sorted context. We say that a multi-sorted theory T is stably infinite with respect to a set of sorts S from its signature iff every T -satisfiable constraint is satisfiable in a model M where, for every S ∈ S, the set S M (namely the interpretation of the sort S in M) is infinite. The next Lemma is a light generalization of Lemma 2 and is proved in the same way:
Lemma 7 Let T be stably infinite with respect to a subset S of the set of sorts of the signature of T . Let M be a model of T and let, for every S ∈ S, X S be an at most countable superset of S M . Then there is an extension N of M such that for all S ∈ S we have S N ⊇ X S .
Proof Let us expand the signature of T with the set C of fresh constants (we take one constant for every c ∈ X S \ S M ). We need to prove the T -consistency of Δ(M) with the set D of disequalities asserting that all c ∈ C are different from each other and from the names of the elements of the support of M. By compactness, it is sufficient to ensure the T -consistency of Δ 0 ∪ D 0 , where Δ 0 and D 0 are finite subsets of Δ(M) and D, respectively. Since M ⊨ Δ 0 , this set is T -consistent and hence it is satisfied in a T -model M where all the sorts in S are interpreted as infinite sets; in such M , it is trivially seen that we can interpret also the constants occurring in D 0 so as to make D 0 true too.
Lemma 8 Let T 1 , T 2 be universal signature disjoint theories which are stably infinite with respect to the set of shared sorts (we let Σ 1 be the signature of T 1 and Σ 2 be the signature of T 2 ). Let the index i be 1 or 2: we let M 0 be a model of T 1 ∪ T 2 and M 1 be a model of T i extending the Σ i -reduct of M 0 . Then there exists a model N of T 1 ∪ T 2 , extending M 0 as a Σ 1 ∪ Σ 2 -structure and whose Σ i -reduct extends M 1 .
Proof Using Lemma 7, we build infinitely many models M 0 , M 1 , M 2 , . . . such that: (i) The union over this chain of models will be the desired N .
We are now ready for the main result of this section:  c, b, c ) holds for some c, c .Since φ 1 (x) ∧ φ 2 (η , t (x)) implies the T 1 -cover of (28) and M | φ 1 (a) ∧ φ 2 (c , t(a)), then the Σ 1 -reduct of M can be extended to a T 1 -model where ( 28) is true when evaluating the x, η to the a, c .Again by Lemma 8, this model can be extended to a ).This means that N | ∃e ∃η(φ(e, a) ∧ ψ(η, b, t(e, a))), as desired.
We conclude this subsection discussing the applications that inspired tame combinations. In the context of data-aware processes verification [4,5,9], where relational databases can be extended with arithmetical values such as integers and reals, tame combinations become particularly interesting. Consider the combination T D B ∪ T int , where: It can be trivially seen that this combination is tame. As explained in [9], (Σ, T D B ) can be thought of as a DB schema, i.e. as the formalization of a classical relational database with primary and foreign keys: for instance, from unary functions f R,1 and f R,2 , one can reconstruct the corresponding database relation R(A 1 , A 2 , A 3 ), where each attribute A i has type S i (for i = 1, . . ., 3) and A 1 is the primary key of R. The interested reader is referred to [9,31] for details on this. In addition, S 3 , which is interpreted into a model of T int , can be used to formalize a value domain (using again the nomenclature of [9]), i.e., an infinite arithmetic domain whose elements are constrained by T int : in this sense, these elements can be thought of as (possibly infinitely many and fresh) values that can be injected into the database, e.g., by an external user (they are essential for applications in data-aware process verification). For details on this and its use in formal verification, see [31].

An Example of Combined Covers for the Tame Combination
Let T 1 be EUF(Σ 1 ), where Σ 1 is a multi-sorted signature with three sorts S 1 , S 2 and S 3 and with a function symbol f : S 1 × S 2 → S 3 . Let T 2 be LIA (which is not convex, see [2,Sect. 4] for a precise description of this theory), where its (unique) sort is S 3 , which is in common with Σ 1 . We notice that T 1 ∪ T 2 is a tame combination, since the common sort S 3 is the codomain sort (and not the domain sort) of the unique symbol f from Σ 1 different from equality. We show a simple example on how to compute a T 1 ∪ T 2 -cover using the above algorithm. Let be the formula for which we would like to compute a T 1 ∪ T 2 -cover: the only truly existentially quantified variable here is e. We first apply the First Step, and we abstract out f (e, x 1 ) and f (e, x 2 ) by introducing two fresh variables η 1 and η 2 : Then, in order to apply the Second Step, we need to compute the T 1 -cover of the following formula: and we obtain: which, in turn, is equivalent to the following formula in DNF form: Now, we analyze the two different cases created by each disjunct in the previous formula.
First Case If we pick the disjunct x 1 = x 2 , after updating Formula (33), we get the following equivalent formula: We now apply the Third Step, by computing the T 2 -cover of the formula: This is in general achieved by applying Cooper's algorithm [12]. In this case, it is sufficient to notice that Formula (36) implies: which provide lower and upper bounds for both η 1 and η 2 , as wanted. Hence, the T 2 -cover of Formula (36) is: We then update our Formula (35) and we get the first disjunct of our T 1 ∪ T 2 -cover:
Second Case If we pick the disjunct η 1 = η 2 , after updating Formula (33), we get the following equivalent formula: We now apply the Third Step, by computing the T 2 -cover of the previous formula. In this case, it is sufficient to notice that Formula (39) implies: which provide lower and upper bounds for both η 1 and η 2 , as wanted. Hence, the T 2 -cover of Formula (39) is: We then update our Formula (39) and we get the second disjunct of our T 1 ∪ T 2 -cover: Hence, by taking the disjunction of Formulae (38) and (41) it is straightforward to see that the T 1 ∪ T 2 -cover of Formula (32) is equivalent to:

Conclusions and Future Work
In this paper we showed that covers (aka uniform interpolants) exist in the combination of two convex universal theories over disjoint signatures in case they exist in the component theories and in case the component theories also satisfy the equality interpolating condition.Notice that the last condition is needed to transfer to combinations the existence of (ordinary) quantifier-free interpolants.In order to prove our result on combined covers, Beth definability property for primitive fragments turned out to be the crucial ingredient to extensively employ.
In case convexity fails, we showed by a counterexample that covers might not exist in the combined theory.The last result raises the following research problem: even if in general covers do not exist for the combination of non-convex theories, under which conditions can one decide whether covers exist and, if so, how can one compute them?Another interesting research question concerns complexity of the convex combined algorithm.It generates a tree whose depth is linear, hence the number of created nodes are in the worst case exponential.In order to generate new nodes, the algorithm makes use of the cover algorithms for the component theories and of the algorithms for generating the equality interpolating terms: these algorithms are given as input to our algorithm.Taking into consideration also the fact that these algorithms are used recursively, it is not immediate to give a significant upper bound to the overall complexity in the general case: instead, notice that this problem strongly depends on the component theories considered, hence it should be tackled separately for each involved theory and in view of the specific, concrete applications that the users have in mind.For these reasons, we leave an exhaustive investigation of this to future work, since it would require genuinely novel research and a thorough analysis of different examples of theories.
Applications suggested a different line of investigations, which led us to consider so-called 'tame combinations'.In data-aware processes verification [4,5,9] one uses tame combinations T 1 ∪ T 2 , where T 1 is a multi-sorted version of EUF(Σ) in a signature Σ containing only unary function symbols and relation symbols of any arity, and where T 2 is typically some fragment of linear arithmetics (T 2 -sorts are called value sorts in the terminology of [4,5,9]).In this context, quantifier elimination in T * 1 for primitive formulae is quadratic in complexity.Model-checkers like MCMT represent sets of reachable states by using conjunctions of literals and during preimage computations quantifier elimination needs to be applied to primitive formulae.Now, if all relation symbols are at most binary, such a quantifier elimination in T * 1 produces conjunctions of literals out of primitive formulae.Thus, step (ii) in the algorithm from Sect. 8 becomes deterministic and the only reason why such an algorithm may become expensive (i.e., non polynomial) lies in the final quantifier elimination step for T * 2 .This step might be extremely expensive if substantial arithmetic is involved, but it might still be efficiently handled in practical cases where only very limited arithmetic is used (e.g., difference bound constraints like x − y ≤ n or x ≤ n, where n is a constant).Our algorithm for covers in tame combinations has been implemented in version 3.0 of MCMT.
We also feel that this algorithm can be really useful in various model-checking applications. More specifically, such a model checking framework can be applied along the recent line of research concerning analysis of data-aware processes, in which data representation and manipulation capabilities can be extended with arithmetic. In this way, one could adapt the results of this paper to the existing formalism for data-aware extensions of the de-facto standard for business process modeling [4] or to data-aware classes of Petri nets [14,15,28,29]. We leave this for future work.
A final future research line could consider cover transfer properties to non-disjoint signatures combinations, analogously to similar results obtained in [18,19] for the transfer of quantifier-free interpolation.
Funding Open access funding provided by Libera Università di Bolzano within the CRUI-CARE Agreement.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Lemma 1 [Cover-by-Extensions] A formula ψ(y) is a T-cover of ∃e φ(e, y) iff it satisfies the following two conditions: (i) T ⊨ ∀y (∃e φ(e, y) → ψ(y)); (ii) for every model M of T, for every tuple of elements a from the support of M such that M ⊨ ψ(a) it is possible to find another model N of T such that M embeds into N and N ⊨ ∃e φ(e, a).

Lemma 3 Suppose that we are given a model M of T and elements a from the support of M such that $M \not\models \mathrm{ImplDef}^T_{\varphi, y_i}(a)$ for all $i = 1, \dots, n$. Then there exists an extension N of M such that for some $b \in |N| \setminus |M|$ we have $N \models \varphi(a, b)$.
The tuples $b_1$ and $b_2$ have equal length because the $\psi_1, \psi_2$ from our working formulae entail $e_i = e_j$, where $e_i, e_j$ are different existential variables. Thus there is a bijection $\iota : |N_1| \to |N_2|$ fixing all elements in M and mapping component-wise the $b_1$ onto the $b_2$.

Theorem 7 Let $T_1 \cup T_2$ be a tame combination of two universal theories admitting a model completion. If $T_1$, $T_2$ are also stably infinite with respect to their shared sorts, then $T_1 \cup T_2$ has a model completion. Covers in $T_1 \cup T_2$ can be computed as shown in the above three-steps algorithm TameCombCover.

Proof Since condition (i) of Lemma 1 is trivially true, we need only to check condition (ii), namely that given a $T_1 \cup T_2$-model M and elements a, b from its support such that M ⊨ φ 1 (a) ∧ ψ (b, t (a)) as in (31), then there is an extension N of M such that (26) is true in N when evaluating x over a and ξ over b. If we let b be the tuple such that M ⊨ b = t (a), then we have M ⊨ b = t (a) ∧ φ (a) ∧ ψ (b, b ). Since ψ (ξ , ξ ) is the $T_2$-cover of (30), the $\Sigma_2$-reduct of M embeds into a $T_2$-model where (30) is true under the evaluation of the ξ as the b. By Lemma 8, this model can be embedded into a $T_1 \cup T_2$-model M in such a way that M is an extension of M and that M both disjoint from |M|. By a Löwenheim-Skolem argument, we can suppose that $N_1$, $N_2$ are countable and by Lemma 2 even that they are both countable extensions of

1. $T_{DB}$ is a multi-sorted version of EUF(Σ) in a signature Σ comprising three sorts $S_1$, $S_2$, $S_3$, and two function symbols $f_{R,1} : S_1 \to S_2$ and $f_{R,2} : S_1 \to S_3$;
2. $T_{int}$ is some theory for linear arithmetic, e.g., LIA or LRA, such that the unique sort of $T_{int}$ coincides with $S_3$.