On Local Reasoning in Verification
Carsten Ihlemann, Swen Jacobs, and Viorica Sofronie-Stokkermans
Max-Planck-Institut für Informatik, Campus E1 4, Saarbrücken, Germany
{ihlemann,sjacobs,sofronie}@mpi-inf.mpg.de
Abstract. We present a general framework which allows us to identify
complex theories important in verification for which efficient reasoning
methods exist. The framework we present is based on a general notion
of locality. We show that locality considerations allow us to obtain parameterized decidability and complexity results for many (combinations
of) theories important in verification in general and in the verification
of parametric systems in particular. We give numerous examples; in particular we show that several theories of data structures studied in the
verification literature are local extensions of a base theory. The general
framework we use allows us to identify situations in which some of the
syntactical restrictions imposed in previous papers can be relaxed.
1 Introduction
Many problems in verification can be reduced to proving the satisfiability of
conjunctions of literals in a background theory (which can be a standard theory,
the extension of a theory with additional functions – free, monotone, or recursively defined – or a combination of theories). It is very important to identify
situations where the search space can be controlled without losing completeness.
Solutions to this problem were proposed in proof theory, algebra and verification:
In [8,11], McAllester and Givan studied the proof-theoretical notion of “local inference systems” – where for proving/disproving a goal only ground instances
of the inference rules are needed which contain ground terms which appear in
the goal to be proved. In universal algebra, Burris [3] established a link between
ptime decidability of the uniform word problem in quasi-varieties of algebras
and embeddability of partial into total models. A link to the notion of locality
was established by Ganzinger [5]. In the verification literature, locality properties were investigated in the context of reasoning in pointer data structures by
McPeak, Necula [12] and in the study of fragments of the theory of arrays by
Bradley, Manna and Sipma [1] and Ghilardi, Nicolini, Ranise and Zucchelli [7].
The applications in verification usually require reasoning in complex domains.
In [6,13] we study local extensions of theories and show that in such extensions
proof tasks can be reduced, hierarchically, to proof tasks in the base theory.
The main contributions of this paper can be described as follows:
(1) We introduce generalized notions of locality and stable locality and show
that theories important in verification (e.g. the theory of arrays in [1] and
the theory of pointer structures in [12]) satisfy such locality conditions.
C.R. Ramakrishnan and J. Rehof (Eds.): TACAS 2008, LNCS 4963, pp. 265–281, 2008.
© Springer-Verlag Berlin Heidelberg 2008
(2) We present a general framework which allows us to identify local theories important in verification. This allows us to also handle fragments which do not
satisfy all syntactical restrictions imposed in previous papers. In particular,
the axiom sets which we consider may contain alternations of quantifiers.
(3) We use these results to give new examples of local theories of data types.
(4) We discuss the experiments we made with an implementation.
The paper is structured as follows. We start (Sect. 1.1 and 1.2) by discussing
the application domains we consider and illustrating our main idea. Section 2
contains basic definitions. In Sect. 3 local extensions are defined, results on
hierarchical reasoning, parameterized decidability and complexity results, and
possibilities of recognizing local extensions are summarized. Section 4 contains a
large number of examples, ranging from extensions with monotonicity, injectivity
and (guarded) boundedness properties to theories of data structures (pointers,
arrays). A general framework for recognizing locality in verification is presented
in Sect. 5. We describe our implementation and some experiments in Sect. 6.
1.1 Application Domains
The application domains we consider are mainly related to the verification of
parametric systems (parametric either w.r.t. the number of subsystems involved,
or w.r.t. some data used to describe the states and their updates).
We model systems using transition constraint systems T = (V, Σ, Init, Update)
which specify: the variables (V ) and function symbols (Σ) whose values change
over time; a formula Init specifying the properties of initial states; a formula
Update with variables in V ∪V ′ and function symbols in Σ∪Σ ′ (where V ′ and Σ ′
are copies of V resp. Σ, denoting the variables resp. functions after the transition)
which specifies the relationship between the values of variables x and function
symbols f before a transition and their values (x′ , f ′ ) after the transition. Such
descriptions can be obtained from system specifications (for an example cf. [4]).
With every specification, a background theory TS – describing the data types
used in the specification and their properties – is associated. The verification
problems we consider are invariant checking and bounded model checking.
Invariant checking. We can check whether a formula Ψ is an inductive invariant of a transition constraint system T =(V, Σ, Init, Update) in two steps: (1)
prove that TS , Init |= Ψ ; (2) prove that TS , Ψ, Update |= Ψ ′ , where Ψ ′ results from
Ψ by replacing each x ∈ V by x′ and each f ∈ Σ by f ′ . Failure to prove (2)
means that Ψ is not an invariant, or Ψ is not inductive w.r.t. T.¹
Bounded model checking. We check whether, for a fixed k, unsafe states are
reachable in at most k steps. Formally, we check whether:
$$T_S \wedge \mathit{Init}_0 \wedge \bigwedge_{i=1}^{j} \mathit{Update}_i \wedge \neg\Psi_j \models \bot \qquad \text{for all } 0 \le j \le k,$$
¹ Proving that Ψ is an invariant of the system in general requires finding a stronger
formula Γ (i.e., TS |= Γ → Ψ) and proving that Γ is an inductive invariant.
where Updatei is obtained from Update by replacing all variables x ∈ V by xi
and any f ∈ Σ by fi , and all x′ ∈ V ′ , f ′ ∈ Σ ′ by xi+1 , fi+1 ; Init0 is Init with x0
replacing x ∈ V and f0 replacing f ∈ Σ; Ψi is obtained from Ψ similarly.
We are interested in checking whether a safety property (expressed by a suitable formula) is an invariant, or holds for paths of bounded length, for given
instances of the parameters, or under given constraints on parameters. We aim
at identifying situations in which decision procedures exist. We will show that
this is often the case, by investigating locality phenomena in verification. As a
by-product, this will allow us to consider problems more general than usual tasks
in verification, namely to derive constraints between parameters which guarantee safety. These constraints may also be used to solve optimization problems
(maximize/minimize some of the parameters) such that safety is guaranteed.
1.2 Illustration
We illustrate the problems as well as our solution on the following example.²
Consider a parametric number m of processes. The priorities associated with
the processes (non-negative real numbers) are stored in an array p. The states of
the processes – enabled (1) or disabled (0) are stored in an array a. At each step
only the process with maximal priority is enabled, its priority is set to x and
the priorities of the waiting processes are increased by y. This can be expressed
with the following set of axioms which we denote by Update(a, p, a′ , p′ )
∀i (1 ≤ i ≤ m ∧ (∀j (1 ≤ j ≤ m ∧ j ≠ i → p(i) > p(j))) → a′(i) = 1)
∀i (1 ≤ i ≤ m ∧ (∀j (1 ≤ j ≤ m ∧ j ≠ i → p(i) > p(j))) → p′(i) = x)
∀i (1 ≤ i ≤ m ∧ ¬(∀j (1 ≤ j ≤ m ∧ j ≠ i → p(i) > p(j))) → a′(i) = 0)
∀i (1 ≤ i ≤ m ∧ ¬(∀j (1 ≤ j ≤ m ∧ j ≠ i → p(i) > p(j))) → p′(i) = p(i) + y)
where x and y are considered to be parameters. We may need to check whether
if at the beginning the priority list is injective, i.e. formula Inj(p) holds:
Inj(p)   ∀i, j (1 ≤ i ≤ m ∧ 1 ≤ j ≤ m ∧ i ≠ j → p(i) ≠ p(j))
then it remains injective after the update, i.e. check the satisfiability of:
(Z ∪ R+ ∪ {0, 1}) ∧ Inj(p) ∧ Update(a, p, a′, p′) ∧ 1 ≤ c ≤ m ∧ 1 ≤ d ≤ m ∧ c ≠ d ∧ p′(c) = p′(d).
We may need to check satisfiability of the formula under certain assumptions
on the values of x and y (for instance if x = 0 and y = 1), or to determine
constraints on x and y for which the formula is (un)satisfiable.
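The check described in this section, carried out for concrete instances of the parameters rather than symbolically, as an added example that is not code from the paper or its implementation. The program applies the update axioms above to a constructed priority vector, tests whether Inj(p) survives the update for given x and y, and derives from the axioms the set of values of x that break injectivity for a fixed p and y (the constraint between parameters that the paper proposes to compute in general). The list encoding of p and a and the sample values are assumptions of this example; Inj(p) is assumed to hold before the update, so the process of maximal priority is unique.

```python
"""Invariant check for the process-priority example of Sect. 1.2 on concrete
parameter values.  Added worked example, not code from the paper; the data
below are constructed.  p[i] is the (non-negative real) priority of process i,
a[i] is 1 if process i is enabled and 0 otherwise."""


def update(p, x, y):
    """One transition step according to Update(a, p, a', p'): the process with
    maximal priority is enabled and its priority becomes x; every other process
    is disabled and its priority is increased by y.  Inj(p) is assumed, so the
    maximum is unique."""
    top = max(range(len(p)), key=lambda i: p[i])
    a_next = [1 if i == top else 0 for i in range(len(p))]
    p_next = [x if i == top else p[i] + y for i in range(len(p))]
    return a_next, p_next


def injective(p):
    """Inj(p): distinct indices carry distinct priorities."""
    return len(set(p)) == len(p)


def preserves_injectivity(p, x, y):
    """Step (2) of invariant checking for one state and one parameter instance:
    does Inj(p) imply Inj(p') after the update?"""
    _, p_next = update(p, x, y)
    return injective(p_next)


def breaking_x(p, y):
    """Values of x for which the update destroys injectivity, for fixed p and y.
    The waiting processes receive p(j) + y, which are pairwise distinct because
    Inj(p) holds; the only possible collision is between x and one of them, so
    the update breaks Inj exactly when x is in this set."""
    top = max(range(len(p)), key=lambda i: p[i])
    return {p[j] + y for j in range(len(p)) if j != top}


if __name__ == "__main__":
    p = [5.0, 3.0, 1.0]          # constructed initial priorities, injective
    print(update(p, 0.0, 1.0))   # ([1, 0, 0], [0.0, 4.0, 2.0]): still injective
    print(breaking_x(p, 1.0))    # {4.0, 2.0}: the values of x to avoid for y = 1
```

For x = 0 and y = 1 the breaking set can never contain x, because every p(j) + 1 is at least 1 while x = 0; this is the instance of the parameters mentioned in the text for which the formula is unsatisfiable. For other instances the set shows directly which constraint on x and y is needed.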
Problem. The problem above is a satisfiability problem for a formula with (alternations of) quantifiers in a combination of theories. SMT provers heuristically
compute ground instances of the problems, and return unsatisfiable if a contradiction is found, and unknown if no contradiction can be derived from these
instances. It is important to find a set of ground instances which are sufficient
for deriving a contradiction if one exists. [1] presents a fragment of the theory
² All the examples in this paper will address invariant checking only. Bounded model
checking problems can be handled in a similar way.
of arrays for which this is possible. The formula above does not belong to this
fragment: Inj(p) contains the premise i ≠ j; Update(a, p, a′, p′) contains ∀∃ axioms.
Idea. Let T0 be the many-sorted combination of the theory of integers (for
indices), of real numbers (priorities), and {0, 1} (enabled/disabled). We consider:
(i) The extension T1 of T0 with the functions a : Z → {0, 1} (a free function)
and p : Z → R+ satisfying Inj(p);
(ii) The extension T2 of T1 with the functions a′ : Z → {0, 1}, p′ : Z → R+
satisfying the update axioms Update(a, p, a′ , p′ ).
We show that both extensions have a locality property which allows us to use
determined instances of the axioms without loss of completeness; the satisfiability
problem w.r.t. T2 can be hierarchically reduced to a satisfiability problem w.r.t.
T1 and then to a satisfiability problem w.r.t. T0 . The purpose of this paper is to
show that we can do this in a systematic way in a large number of situations.
2 Preliminaries
We assume known standard definitions from first-order logic. (Logical) theories
can be regarded as collections of formulae (i.e. can be described as the consequences of a set of axioms), as collections of models (the set of all models of a
set of axioms, or concrete models such as Z or R), or both. If T is a theory and
φ, ψ are formulae, we say that T ∧ φ |= ψ (written also φ |=T ψ) if ψ is true in
all models of T which satisfy φ. If T ∧ φ |=⊥ (where ⊥ is false), there are no
models of T which satisfy φ, i.e. φ is unsatisfiable w.r.t. T . For the verification
tasks mentioned above, efficient reasoning in certain theories, which depend on
the specification of the systems under consideration, is extremely important.
Local theory extensions. We consider extensions T0 ∪ K of a theory T0 with
new sorts and new function symbols (called extension functions) satisfying a
set K of (universally quantified) clauses. An extension T0 ⊆ T0 ∪ K is local if
satisfiability of a set G of clauses w.r.t. T0 ∪ K only depends on T0 and those
instances K[G] of K in which the terms starting with extension functions are in
the set st(K, G) of ground terms which already occur in G or K [13]. A weaker
locality notion, namely stable locality, exists; it allows to restrict the search
to the instances K[G] of K in which the variables below extension functions are
instantiated with Σ0 -terms generated from st(K, G). These generalize the notion
of local theories introduced by [8,11,9] resp. of locality and stable locality studied
in [5]. In such extensions hierarchical reasoning is possible (cf. also Sect. 3.1).
Partial and total models. Local and stably local theory extensions can be
recognized by proving embeddability of partial into total models [13,16]. Let
Π = (S, Σ, Pred) be an S-sorted signature where Σ is a set of function symbols
and Pred a set of predicate symbols. In a partial Π-structure the function symbols
may be partial (for definitions cf. [2]). If A is a partial structure and β : X → A is
a valuation we say that (A, β) |=w (¬)P (t1 , . . ., tn ) iff (a) β(ti ) are all defined and
their values are in the relationship (¬)PA ; or (b) at least one of β(ti ) is undefined.
This holds in particular for the equality relation. (A, β) weakly satisfies a clause
C (notation: (A, β) |=w C) if it satisfies at least one literal in C. A is a weak
partial model of a set of clauses K if (A, β) |=w C for every valuation β and every
clause C in K. (Evans) partial models are defined similarly, with the following
difference: (A, β) |= t ≈ s iff (a) β(t) and β(s) are both defined and equal; or (b)
β(s) is defined, t = f (t1 , . . . , tn ) and β(ti ) is undefined for at least one of the
direct subterms of t; or (c) both β(s) and β(t) are undefined.
3 Locality
As seen in Section 1.2, the axioms occurring in applications may contain alternations of quantifiers. To address this, we study the notion of extended (stable)
locality (cf. also [13]). Let T0 be a theory with signature Π0 = (S0 , Σ0 , Pred),
where S0 is a set of sorts, Σ0 a set of function symbols, and Pred a set of predicate
symbols. We consider extensions T1 of T0 with new sorts and function symbols
(i.e. with signature Π = (S0 ∪ S1 , Σ0 ∪ Σ1 , Pred)), satisfying a set K of axioms
of the form (Φ(x1 , . . . , xn ) ∨ C(x1 , . . . , xn )), where Φ(x1 , . . . , xn ) is an arbitrary
first-order formula in the base signature Π0 with free variables x1 , . . . , xn , and
C(x1 , . . . , xn ) is a clause in the signature Π. The free variables x1 , . . . , xn of
such an axiom are considered to be universally quantified. We are interested in
disproving closed formulae Σ in the extension Π c of Π with new constants Σc .
Example 1. Consider the example in Sect. 1.2. In modeling this problem we
start from the disjoint combination T0 of integers, reals and Booleans with signature Π0 = (S0 , Σ0 , Pred), where S0 = {int, real, bool} and Σ0 , Pred consist
of the (many-sorted) combination of the signatures of the corresponding theories. In a first step, T0 is extended to T1 = T0 ∪ Inj(p), with signature Π1 =
(S0 , Σ0 ∪ {a, p}, Pred). Inj(p) is a clause. In a second step, T1 is extended to a
theory T2 = T1 ∪Update(a, p, a′ , p′ ) with signature (S0 , Σ0 ∪{a, p}∪{a′, p′ }, Pred).
The axioms in Update(a, p, a′, p′) are of the form φ(i) ∨ C(i) and ¬φ(i) ∨ D(i),
where φ(i) = ∀j(1 ≤ j ≤ m ∧ j ≠ i → p(i) > p(j)). (Thus it can be seen that the
first two axioms in Update(a, p, a′, p′) contain a ∀∃ quantifier alternation.)
We can extend the notion of locality accordingly. We study extensions T0 ⊆ T0 ∪K
as above satisfying the locality and stable locality conditions (ELoc, ESLoc):
(ELoc) For every formula Γ = Γ0 ∪ G, where Γ0 is a Π0c-sentence and G is
a finite set of ground Πc-clauses, T1 ∪ Γ |= ⊥ iff T0 ∪ K[Γ] ∪ Γ has
no weak partial model in which all terms in st(K, G) are defined.
Here K[Γ] consists of all instances of K in which the terms starting with extension
functions are in the set st(K, G) (defined in Sect. 2).
(ESLoc) For every formula Γ = Γ0 ∪ G, where Γ0 is a Π0c -sentence and G is
a finite set of ground Π c -clauses, T1 ∪ Γ |=⊥ iff T0 ∪ K[Γ ] ∪ Γ has
no partial model in which all terms in st(K, G) are defined.
Here K[Γ ] consists of all instances of K in which the variables below a Σ1 -symbol
are instantiated with Σ0 -terms generated from st(K, G).
The problem with (ESLoc) is that the number of instances in K[Γ ] is finite only if
the number of Σ0 -terms generated from st(K, G) can be guaranteed to be finite,
i.e. when Σ0 = ∅ (in which case the size of K[Γ ] is polynomial in the size of
st(K, G)) or when only finitely many non-equivalent Σ0 -terms (modulo T0 ) can
be generated from a finite set of generators (then the size of K[Γ ] is polynomial
in the number of such non-equivalent terms). To overcome these problems, we
identify a family of conditions in between locality and stable locality.
Let Ψ be a function associating with a set K of axioms and a set of ground
terms T a set ΨK (T ) of ground terms such that (i) all ground subterms in K
and T are in ΨK (T ); (ii) for all sets of ground terms T, T ′ if T ⊆ T ′ then
ΨK (T ) ⊆ ΨK (T ′ ); (iii) Ψ is a closure operation, i.e. for all sets of ground terms T ,
ΨK (ΨK (T )) ⊆ ΨK (T ); (iv) Ψ is compatible with any map h between constants,
i.e. for any map h : C → C, ΨK (h(T )) = h(ΨK (T )), where h is the unique
extension of h to terms. Let K[ΨK (G)] be the set of instances of K in which the
extension terms are in ΨK (st(K, G)), which here will be denoted by ΨK (G). We
say that an extension T0 ⊆ T0 ∪ K is Ψ -local if it satisfies condition (ELocΨ ):
(ELocΨ ) for every formula Γ =Γ0 ∪G, where Γ0 is a Π0c -sentence and G a
finite set of ground Π c -clauses, T1 ∪ Γ |=⊥ iff T0 ∪ K[ΨK (G)] ∪ Γ
has no weak partial model in which all terms in ΨK (G) are defined.
If K consists of clauses and only satisfiability of sets G of ground clauses is
considered we obtain a condition (LocΨ ) extending the notion (Loc) of locality in
[13]. Ψ-stable locality (ESLoc^Ψ) can be defined by replacing K[Ψ_K(G)] by K^{[Ψ_K(G)]}, the set of instances of K in which the variables below a Σ1-symbol are instantiated with Σ0-terms generated from Ψ_K(G).
3.1
Hierarchical Reasoning in Local Theory Extensions
Let T0 ⊆ T1 = T0 ∪ K be a theory extension satisfying condition (E(S)Loc) or
(E(S)Loc^Ψ). To check the satisfiability w.r.t. T1 of a formula Γ = Γ0 ∪ G, where
Γ0 is a Π0c -sentence and G is a set of ground Π c -clauses, we proceed as follows:
Step 1: By the locality assumption, T1 ∪Γ0 ∪G is satisfiable iff T0 ∪K∗[G]∪Γ0 ∪G
has a (weak) partial model with corresponding properties, where, depending on
the type of locality, K∗[G] is K[G], K^{[G]}, K[Ψ_K(G)] or K^{[Ψ_K(G)]}.
Step 2: Purification. We purify K∗[G]∪G by introducing, in a bottom-up manner,
new constants ct (from a set Σc of constants) for subterms t = f (g1 , . . . , gn ) with
f ∈ Σ1 , gi ground Σ0 ∪ Σc -terms, together with their definitions ct ≈ t. The set
of formulae thus obtained has the form K0 ∪ G0 ∪ Γ0 ∪ D, where D consists of
definitions of the form f (g1 , . . . , gn )≈c, where f ∈ Σ1 , c is a constant, g1 , . . . , gn
are ground Σ0 ∪ Σc -terms, and K0 , G0 , Γ0 are Π0c -formulae.
Step 3: Reduction to testing satisfiability in T0 . We reduce the problem to testing
satisfiability in T0 by replacing D with the following set of clauses:
$$N_0 = \Big\{\, \bigwedge_{i=1}^{n} c_i \approx d_i \to c = d \ \Big|\ f(c_1, \dots, c_n) \approx c,\ f(d_1, \dots, d_n) \approx d \in D \,\Big\}.$$
This yields a sound and complete hierarchical reduction to a satisfiability problem in the base theory T0 (for (E(S)Loc^Ψ) the proof is similar to that in [13]):
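Steps 1 to 3 above, as an added worked example that is not code from the paper or from its implementation: a small Python program that computes K[G] for a local extension, purifies the instances, and generates the congruence clauses N0, applied to the sortedness axiom of Example 2 in Sect. 4.1 and a constructed goal. The term encoding (nested tuples, variables prefixed with `?`), the literal encoding `(pred, lhs, rhs)`, the restriction to unary, flat and linear extension terms and the extension symbol set `{'a'}` are assumptions of this example; the decision procedure for the base theory that would consume K0 ∪ G0 ∪ Γ0 ∪ N0 is not part of it.

```python
"""Hierarchical reduction (Steps 1-3 of Sect. 3.1) for a local theory extension.

Added worked example, not code from the paper.  Terms are nested tuples:
('a', 'c') is a(c); a string starting with '?' is a universally quantified
variable; any other string is a constant.  A literal is (pred, lhs, rhs) with
pred in {'<=', '!<=', '=', '!='}; a clause is a list of literals; an axiom is
(variables, clause).  Extension terms are assumed unary, flat and linear (f(?x))."""
from itertools import combinations, product

EXT = {'a'}  # extension symbols Sigma_1 (assumption of this example)


def is_var(t):
    return isinstance(t, str) and t.startswith('?')


def subterms(t):
    """Yield t and all of its subterms."""
    yield t
    if isinstance(t, tuple):
        for arg in t[1:]:
            yield from subterms(arg)


def is_ground(t):
    return not any(is_var(s) for s in subterms(t))


def ground_terms(lits):
    """The ground terms occurring in a list of literals (st of that set)."""
    return {s for _, l, r in lits for t in (l, r) for s in subterms(t) if is_ground(s)}


def substitute(t, sigma):
    if is_var(t):
        return sigma.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(substitute(a, sigma) for a in t[1:])
    return t


def instantiate(K, G, ext=EXT):
    """Step 1: K[G], the instances of K whose extension terms all lie in st(K, G).
    A variable ?x below extension symbol f may only be replaced by a ground term g
    such that f(g) already occurs in K or G; other variables stay free (Case 2)."""
    st = ground_terms(G) | {t for _, lits in K for t in ground_terms(lits)}
    instances = []
    for variables, lits in K:
        choices = []
        for v in variables:
            fs = {s[0] for _, l, r in lits for t in (l, r) for s in subterms(t)
                  if isinstance(s, tuple) and s[0] in ext and s[1:] == (v,)}
            cands = None
            for f in fs:
                args = {t[1] for t in st if isinstance(t, tuple) and t[0] == f}
                cands = args if cands is None else cands & args
            choices.append(sorted(cands, key=str) if cands is not None else [v])
        for vals in product(*choices):
            sigma = dict(zip(variables, vals))
            instances.append([(p, substitute(l, sigma), substitute(r, sigma)) for p, l, r in lits])
    return instances


def purify(lits, defs, ext=EXT):
    """Step 2: replace every extension term f(g) bottom-up by a fresh constant,
    recording the definition f(g) ~ c in defs (the set D)."""
    def go(t):
        if isinstance(t, tuple):
            t = (t[0],) + tuple(go(a) for a in t[1:])
            if t[0] in ext:
                defs.setdefault(t, f"c{len(defs) + 1}")
                return defs[t]
        return t
    return [(p, go(l), go(r)) for p, l, r in lits]


def congruence(defs):
    """Step 3: N0, one clause (args pairwise equal -> c1 = c2) for each pair of
    definitions f(...) ~ c1, f(...) ~ c2 in D with the same symbol f."""
    return [(list(zip(t1[1:], t2[1:])), (c1, c2))
            for (t1, c1), (t2, c2) in combinations(defs.items(), 2) if t1[0] == t2[0]]


def hierarchical_reduction(K, G, ext=EXT):
    """Returns K0, G0, D and N0; K0 u G0 u N0 is then handed to a base-theory solver."""
    defs = {}
    K0 = [purify(inst, defs, ext) for inst in instantiate(K, G, ext)]
    G0 = purify(G, defs, ext)
    return {'K0': K0, 'G0': G0, 'D': dict(defs), 'N0': congruence(defs)}


# Sorted(a): 1 <= i <= j <= m -> a(i) <= a(j), written as a clause.
SORTED = (['?i', '?j'], [('!<=', '1', '?i'), ('!<=', '?i', '?j'), ('!<=', '?j', 'm'),
                         ('<=', ('a', '?i'), ('a', '?j'))])
# Constructed goal G: 1 <= c <= d <= m and not a(c) <= a(d).
GOAL = [('<=', '1', 'c'), ('<=', 'c', 'd'), ('<=', 'd', 'm'), ('!<=', ('a', 'c'), ('a', 'd'))]


def reduce_sorted_example():
    return hierarchical_reduction([SORTED], GOAL)


if __name__ == "__main__":
    for key, value in reduce_sorted_example().items():
        print(key, value)
```

On this goal st(K, G) contains the extension terms a(c) and a(d) only, so K[G] has the four instances with i, j ∈ {c, d}; purification yields D = {a(c) ≈ c1, a(d) ≈ c2} and N0 = {c = d → c1 = c2}. The instance i = c, j = d gives c1 ≤ c2 from 1 ≤ c ≤ d ≤ m, which contradicts ¬(c1 ≤ c2) in G0, so a decision procedure for linear arithmetic reports the reduced problem unsatisfiable, as Theorem 1 predicts.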
Theorem 1. Let K and Γ = Γ0 ∧ G be as specified above. Assume that T0 ⊆
T0 ∪ K satisfies condition (E(S)Loc) or (E(S)Loc^Ψ). Let K0 ∪ G0 ∪ Γ0 ∪ D be
obtained from K ∗ [G] ∪ Γ0 ∪ G by purification, as explained above. The following
are equivalent:
(1) T0 ∪K∗[G]∪Γ0 ∪G has a partial model with all terms in st(K, G) defined.
(2) T0 ∪K0 ∪G0 ∪Γ0 ∪D has a partial model with all extension terms in D defined.
(3) T0 ∪ K0 ∪ G0 ∪ Γ0 ∪ N0 has a (total) model.
Alternatively, if K consists only of clauses and all variables occur below an
extension function and if Γ is a set of ground clauses then K ∗ [G]∧Γ consists of
ground clauses, so locality also allows us to reduce reasoning in T1 to reasoning
in an extension of T0 with free function symbols; an SMT procedure can be used.
If Γ0 contains quantifiers or K ∗ [G] contains free variables it is problematic to
use SMT provers without loss of completeness.
3.2 Decidability, Parameterized Complexity
Assume that K consists of axioms of the form C = (ΦC (x) ∨ C(x)), where
ΦC (x) is in a fragment (class of formulae) F of T0 and C(x) is a Π-clause, and
Γ = Γ0 ∧ G, where Γ0 is a formula in F without free variables, and G is a set of
ground Π c -clauses, both containing constants in Σc .
Theorem 2. Assume that the theory extension T0 ⊆ T1 satisfies (E(S)Loc) or
(E(S)Loc^Ψ). Satisfiability of goals Γ0 ∪ G as above w.r.t. T1 is decidable provided
K ∗ [G] is finite and K0 ∪ G0 ∪ Γ0 ∪ N0 belongs to a decidable fragment of T0 .
Locality allows us to obtain parameterized decidability and complexity results:
Case 1: If for each C = ΦC (x)∨C(x) ∈ K all free variables occur below some
extension symbol, then K∗[G] contains only formulae of the form ΦC (g)∨C(g),
where g consists of ground Σ0 -terms, so K0 ∪G0 ∪Γ0 ∪N0 ∈ Fg , the class obtained
by instantiating all free variables of formulae in F with ground Σ0 -terms.
Decidability and complexity: If checking satisfiability for the class Fg w.r.t. T0
is decidable, then checking satisfiability of goals of the form above w.r.t. T1 is
decidable. Assume that the complexity of a decision procedure for the fragment
Fg of T0 is g(n) for an input of size n. Let m be the size of K0 ∪G0 ∪Γ0 ∪N0 . Then
the complexity of proving satisfiability of Γ0 ∪ G w.r.t. T1 is of order g(m).
(i) For local extensions, K∗[G] = K[G]; the size m of K0 ∪G0 ∪Γ0 ∪N0 is of order
|G|k for some 2 ≤ k ∈ Z for a fixed K (at least quadratic because of N0 ).
(ii) For stably local extensions, the size of K∗[G] = K^{[G]} is polynomial in the
size s of the model of T0 freely generated by |st(K, G)| generators.
Similarly for Ψ -(stably) local extensions (with st(K, G) replaced by ΨK (G)).
Case 2: If not all free variables in K occur below an extension symbol, then the
instances in K∗[G] contain free variables, so K0 ∪G0 ∪Γ0 ∪N0 is in the universal
closure ∀F of F . The decidability and complexity remarks above here apply
relative to the complexity of checking satisfiability of formulae in the fragment
∀F of T0 with constants in Σc (regarded as existentially quantified variables).
3.3 Recognizing Generalized Locality
Theory extensions T0 ⊆ T1 satisfying (E(S)Loc), (E(S)LocΨ ) can be recognized
by showing that certain partial models of T1 can be completed to total models.
We consider the following completability conditions:
(Compw ) Every weak partial model A of T1 with totally defined Σ0 -functions
and extension functions with a finite definition domain weakly
embeds into a total model B of T1 s.t. A|Π0 and B|Π0 are isomorphic.
(Comp^Ψ_w) Every weak partial model A of T1 with totally defined Σ0-functions
and such that {f(a1, . . . , an) | ai ∈ A, f ∈ Σ1, fA(a1, . . . , an) defined}
is finite and closed under ΨK weakly embeds into a total model B of
T1 s.t. A|Π0 and B|Π0 are elementarily equivalent.
Conditions (Comp), (Comp^Ψ) can be defined by replacing “weak partial model”
with “Evans partial model”. Assume Ψ satisfies conditions (i)–(iv) in Sect. 3:
Theorem 3. (1) If all terms of K starting with a Σ1-function are flat and linear
and the extension T0 ⊆ T1 satisfies (Comp_w) (resp. (Comp^Ψ_w)) then it satisfies
(ELoc) [13] (resp. (ELoc^Ψ)).
(2) If T0 is a universal theory and the extension T0 ⊆ T1 satisfies (Comp) (resp.
(CompΨ )) then it satisfies (ESLoc) [13] (resp. (ESLocΨ )).
Theorem 3 allows us to identify many examples of local extensions (see Sect. 4). A
combination of extensions of a theory T0 which satisfy condition Comp (Compw )
also satisfies condition Comp (Compw ) and hence also condition ESLoc (ELoc).
Theorem 4 ([15]). Let T0 be a first order theory with signature Π0 = (Σ0 , Pred)
and (for i ∈ {1, 2}) Ti = T0 ∪ Ki be an extension of T0 with signature Πi = (Σ0 ∪
Σi , Pred). Assume that both extensions T0 ⊆ T1 and T0 ⊆ T2 satisfy condition
(Compw ), and that Σ1 ∩Σ2 = ∅. Then the extension T0 ⊆ T =T0 ∪K1 ∪K2 satisfies
condition (Compw ). If, additionally, in Ki all terms starting with a function
symbol in Σi are flat and linear, for i = 1, 2, then the extension is local.
4 Examples
4.1 Extensions with Free, (Strictly) Monotone, Injective Functions
Any extension T0 ∪ Free(Σ) of a theory T0 with a set Σ of free function symbols
satisfies condition (Comp_w). We also consider monotonicity/antitonicity conditions³ for an n-ary function f w.r.t. a subset I of its arguments:
$$\mathrm{Mon}^{\sigma}(f)\qquad \bigwedge_{i \in I} x_i \le_i^{\sigma_i} y_i \ \wedge \bigwedge_{i \notin I} x_i = y_i \ \to\ f(x_1, \dots, x_n) \le f(y_1, \dots, y_n),$$
where for i ∈ I, σi ∈ {−, +}, for i ∉ I, σi = 0, and ≤⁺ = ≤ and ≤⁻ = ≥.
³ If I = {1, . . . , n} we speak of monotonicity in all arguments; we denote Mon^I(f) by
Mon(f). If I = ∅, Mon^∅(f) is equivalent to the congruence axiom for f.
We showed [13,16] that the extensions of any (possibly many-sorted) theory
whose models are posets with functions satisfying the axioms Monσ (f ) satisfy
condition (Compw ) if the codomains of the functions have a bounded semilattice
reduct or are totally ordered. In particular, any extension of the theory of reals,
rationals or integers with functions satisfying Monσ(f) into a numeric domain
(reals, rationals, integers or a subset thereof) is local, since (Compw ) holds.
Example 2. The sortedness property Sorted(a) of the array a can be expressed
as a monotonicity axiom: ∀i, j(1 ≤ i ≤ j ≤ m → a(i) ≤ a(j)). An extension of
the theory of integers with a function a of arity i → e satisfying Sorted(a) (where
e is a new or old sort and the theory of sort e is totally ordered) is local.
Consider now the following conditions:
SMon(f)   ∀i, j (i < j → f(i) < f(j))   and
Inj(f)   ∀i, j (i ≠ j → f(i) ≠ f(j))
Theorem 5. Assume that in all models of T0 the support of sort i has an underlying strict total order relation <. Let T1 = T0 ∪ SMon(f ), where f is a new
function of arity i → e (e may be a new or an old sort), in all models of T1 the
support of sort e has an underlying strict total order <, and there exist injective
order-preserving maps from any interval of the support of sort i to any interval
of the support e. Then the extension T0 ⊆ T1 satisfies (Compw ), hence it is local.
Example 3. Let T0 be the (many-sorted) combination of T0i (the theory of linear
integer arithmetic, sort i) and T0num (the theory of real numbers, sort num). The
extension T1 of T0 with a function f of arity i→num satisfying SMon(f ) is local.
Theorem 6. A theory extension T0 ⊆ T1 = T0 ∪Inj(f ) with a function f of arity
i → e satisfying Inj(f ) is local provided that in all models of T1 the cardinality of
the support of sort i is lower or equal to the cardinality of the support of sort e.
4.2 Extensions with Definitions and Boundedness Conditions
Let T0 be a theory containing a binary predicate ≤ which is reflexive, and f ∈ Σ0 .
Guarded boundedness. Let m ∈ N. For 1 ≤ i ≤ m let ti (x1 , . . . , xn ) and
si (x1 , . . . , xn ) be terms in the signature Π0 with variables among x1 , . . . , xn ,
and let φi (x1 , . . . , xn ), i ∈ {1, . . . , m} be Π0 -formulae with free variables among
x1, . . . , xn, such that (i) for every i ≠ j, φi ∧ φj |=T0 ⊥, and (ii) for every i,
T0 |= ∀x(φi(x) → si(x) ≤ ti(x)). Let $\mathrm{GBound}(f) = \bigwedge_{i=1}^{m} \mathrm{GBound}_{\varphi_i}(f)$, where:
GBound_{φi}(f)   ∀x(φi(x) → si(x) ≤ f(x) ≤ ti(x)).
The extension T0 ⊆ T0 ∪ GBound(f ) is local.
Boundedness for (strictly) monotone and injective functions. Any extension of a theory for which ≤ is a partial order (or at least reflexive) with functions satisfying Monσ(f) and boundedness Bound_t(f) conditions is local [14,16].
Bound_t(f)   ∀x1, . . . , xn (f(x1, . . . , xn) ≤ t(x1, . . . , xn))
where t(x1 , . . . , xn ) is a Π0 -term with variables among x1 , . . . , xn whose associated function has the same monotonicity as f in any model. Similar results hold
for strictly monotone/injective functions (under the conditions in Thm. 5, 6).
4.3 Pointer Data Structures à la McPeak and Necula
In [12], McPeak and Necula investigate reasoning in pointer data structures. The
language used has sorts p (pointer) and s (scalar). Sets Σp and Σs of pointer resp.
scalar fields are modeled by functions of sort p → p and p → s, respectively. A
constant null of sort p exists. The only predicate of sort p is equality; predicates
of sort s can have any arity. The axioms considered in [12] are of the form
∀p E ∨ C   (1)
where E contains disjunctions of pointer equalities and C contains scalar constraints (sets of both positive and negative literals). It is assumed that for all
terms f1(f2(. . . fn(p))) occurring in the body of an axiom, the axiom also contains the disjunction p = null ∨ fn(p) = null ∨ · · · ∨ f2(. . . fn(p)) = null.⁴ Examples
of axioms (for doubly linked data structures with priorities) considered there are:
∀p p ≠ null ∧ next(p) ≠ null → prev(next(p)) = p   (2)
∀p p ≠ null ∧ prev(p) ≠ null → next(prev(p)) = p   (3)
∀p p ≠ null ∧ next(p) ≠ null → priority(p) ≥ priority(next(p))   (4)
(the first two axioms state that prev is a left inverse for next, the third axiom is a
monotonicity condition on the function priority). Let ΨK (T ) = st(K) ∪ T ∪ {f (t) |
t ∈ st(K) ∪ T, f ∈ Σs } for any set of ground terms T .
Theorem 7. Let T0 be a Π0 -theory, where S0 = {s}, and T1 = T0 ∪K be the
extension of T0 with signature Π = ({p, s}, Σ, Pred) – where Σ=Σp ∪Σs ∪Σ0 ,
and K is a set of axioms ∀p(E ∨ C) of type (1). Then every partial model A of K
with total Σ0 functions such that the definition domain of A is closed under ΨK
(i.e. if f ∈Σs and the p-term t is defined in A then f (t) is defined in A) weakly
embeds into a total model of K. Hence T0 ⊆ T1 is a Ψ -stably local extension.
Ψ -stable locality is not harmful in this case, since all universally quantified variables in the axioms in K are of sort p, and the number of instances of these
variables with subterms in ΨK (G) which need to be considered is polynomial in
the size of st(K, G) (no operations with output sort s generate such terms).
4.4 The Theory of Arrays à la Bradley, Manna and Sipma
In [1] the array property fragment is studied, a fragment of the theory of arrays
with Presburger arithmetic as index theory and parametric element theories.
Consider the extension of the combination T0 of the index and element theories
with functions read, write and axioms:
read(write(a, i, e), i) = e
j ≠ i → read(write(a, i, e), j) = read(a, j).
The array property fragment is defined as follows⁵:
⁴ This has the role of excluding null pointer errors.
⁵ The considerations below are for arrays of dimension 1; the general case is similar.
An index guard is a positive Boolean combination of atoms of the form t ≤ u or
t = u where t and u are either a variable of index sort or a ground term (of index
sort) constructed from (Skolem) constants and integer numbers using addition
and multiplication with integers. A formula of the form (∀i)(ϕI (i) → ϕV (i)) is an
array property if ϕI is an index guard and if any universally quantified variable of
index sort i only occurs in a direct array read read(a, x) in ϕV . Array reads may
not be nested. The array property fragment consists of all existentially-closed
Boolean combinations of array property formulae and quantifier-free formulae.
The decision procedure proposed in [1] decides satisfiability of formulae in negation normal form in the array property fragment in the following steps.
1. Replace all existentially quantified array variables with Skolem constants;
replace all terms of the form read(a, i) with a(i); eliminate all terms of the
form write(a, i, e) by replacing the formula φ(write(a, i, e)) with the conjunction of the formula φ(b) (obtained by introducing a fresh array name b for
write(a, i, e)) with (b(i) = e) ∧ ∀j(j ≤ i − 1 ∨ i + 1 ≤ j → b(j) = a(j)).⁶
2. Existentially quantified index variables are replaced with Skolem constants.
3. Universal quantification over index variables is replaced by conjunction of
suitably chosen instances of the variables.
For determining the set of ground instances to be used in Step 3, the authors
prove that certain partial “minimal” models can be completed to total ones.
Theorem 8 (cf. also [1]). Let K be the clause part and G the ground part
(after the transformation steps (1)–(3)), and I be the set of index terms defined
in [1]. Let ΨK(G) = {f(i1, . . . , in) | f array name, i1, . . . , in ∈ I}. Every partial
model of T0 ∪ K[ΨK (G)] ∪ G in which all terms in ΨK (G) are defined can be
transformed into a (total) model of T0 ∪ K ∪ G. This criterion entails (ELocΨ ).
5 A General Framework for Obtaining Locality Results
In Section 4 we identified a large number of theory extensions which can be
proved to be local and arise in a natural way in invariant checking and bounded
model checking. We distinguish several aspects:
– Programs usually handle complex data structures; it may be necessary to
reason about various data types such as lists, arrays, records, etc. We presented classes of such theories for which locality properties hold. Theorem 4
identifies cases in which locality is preserved when combining theories.
– The transition constraint systems we consider define updates of the values
of variables and functions which are guarded by formulae which describe a
partition of the state space, and therefore define local theory extensions.
– In invariant checking and bounded model checking, the paths to be verified
(consisting of successive updates) can be used to identify chains of extensions
to be considered in the deduction process. These are often combinations of
extensions with guarded boundedness conditions.
⁶ Note that, by the definition of array property formulae, if a term write(a, i, e) occurs
in the array property fragment then i is an existentially quantified index variable.
Thus, results in Sect. 4.2 and 3.3 allow us to extend the classes of theories from
verification for which instantiation-based complete decision procedures exist.
Extensions of the fragment of Necula and McPeak. We are interested in
pointer structures which can be changed during execution of a program (a cell of
a list can be removed, or a new subtree added into a tree structure). The general
remarks above also apply for such situations.
Theorem 9. Assume that the update axioms Update(Σ, Σ ′ ) describe how the
values of the Σ-functions change, depending on a finite set {φi | i ∈ I} of
mutually exclusive conditions, expressed as formulae over the base signature and
the Σ-functions (axioms of type (5) below represent precise ways of defining the
updated functions, whereas axioms of type (6) represent boundedness properties
on the updated scalar fields, assuming the scalar domains are partially ordered):
∀x(φi(x) → fi′(x) = si(x)),  i ∈ I, where φi(x) ∧ φj(x) |=T0 ⊥ for i ≠ j   (5)
∀x(φi(x) → ti(x) ≤ fi′(x) ≤ si(x)),  i ∈ I, where φi(x) ∧ φj(x) |=T0 ⊥ for i ≠ j   (6)
where si , ti are terms over the signature Σ such that T0 |= ∀x(φi (x)→ti (x)≤si (x))
for all i ∈ I. They define local theory extensions. This holds for any extensions
of disjoint combinations of various pointer structures with such update axioms.
Example 4. Consider the following algorithm for inserting an element c with
priority field c.prio = x into a doubly-linked list sorted w.r.t. the priority fields.
c.prio = x, c.next = null
for all p ≠ c do
  if p.prio ≤ x then if p.prev = null then c.next′ = p endif; p.next′ = p.next
  if p.prio > x then case p.next = null then p.next′ := c, c.next′ = null
                     p.next ≠ null ∧ p.next.prio > x then p.next′ = p.next
                     p.next ≠ null ∧ p.next.prio ≤ x then p.next′ = c, c.next′ = p.next
The update rules Update(next, next′ ) can be read from the program above:
∀p(p≠null ∧ p≠c ∧ prio(p)≤x ∧ prev(p)=null → next′(c)=p ∧ next′(p)=next(p))
∀p(p≠null ∧ p≠c ∧ prio(p)≤x ∧ prev(p)≠null → next′(p)=next(p))
∀p(p≠null ∧ p≠c ∧ prio(p)>x ∧ next(p)=null → next′(p)=c ∧ next′(c)=null)
∀p(p≠null ∧ p≠c ∧ prio(p)>x ∧ next(p)≠null ∧ prio(next(p))>x → next′(p)=next(p))
∀p(p≠null ∧ p≠c ∧ prio(p)>x ∧ next(p)≠null ∧ prio(next(p))≤x → next′(p)=c ∧ next′(c)=next(p))
We prove that if the list is sorted, it remains so after insertion, i.e. the formula:
d ≠ null ∧ next′(d) ≠ null ∧ ¬(prio(d) ≥ prio(next′(d)))
is unsatisfiable in the extension T1 = T0 ∪ Update(next, next′ ) of the theory T0 of
doubly linked lists with a monotone field prio. T0 is axiomatized by the axioms
K = {(2), (3), (4)} in Sect. 4. The update rules are guarded boundedness axioms,
so the extension T0 ⊆ T1 is local. Hence, the satisfiability task above w.r.t. T1
can be reduced to a satisfiability task w.r.t. T0 as follows:
Update0: d≠null ∧ d≠c ∧ prio(d)≤x ∧ prev(d)=null → c1=d
         d≠null ∧ d≠c ∧ prio(d)≤x ∧ prev(d)=null → d1=next(d)
         d≠null ∧ d≠c ∧ prio(d)≤x ∧ prev(d)≠null → d1=next(d)
         d≠null ∧ d≠c ∧ prio(d)>x ∧ next(d)=null → d1=c ∧ c1=null
         d≠null ∧ d≠c ∧ prio(d)>x ∧ next(d)≠null ∧ prio(next(d))>x → d1=next(d)
         d≠null ∧ d≠c ∧ prio(d)>x ∧ next(d)≠null ∧ prio(next(d))≤x → d1=c
         d≠null ∧ d≠c ∧ prio(d)>x ∧ next(d)≠null ∧ prio(next(d))≤x → c1=next(d)
G0:      d≠null ∧ d1≠null ∧ ¬(prio(d) ≥ prio(d1))
N0:      d=c → d1=c1   (corresponds to Def: next′(d)=d1 ∧ next′(c)=c1)
To check the satisfiability of G′ = Update0 ∧G0 ∧N0 w.r.t. T0 we use the Ψ -stable
locality of the theory defined by the axioms K = {(2), (3), (4)} of doubly linked
lists with decreasing priorities in Sect. 4 or the instantiation method in [12].
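The five update rules above can be run as a program to see what Theorem 9 asks of them. The following Python code is an added illustration, not code from the paper or the authors' tool: it models a finite doubly linked list with maps prio, prev and next (constructed input, cells numbered 1..n, the new cell named 'c'), evaluates the five guards for every cell, and checks that they are mutually exclusive and exhaustive (the precondition on the φi in Theorem 9), that no two rules assign different values to next′(c), and that the invariant d ≠ null ∧ next′(d) ≠ null → prio(d) ≥ prio(next′(d)) holds after the update on every non-increasing list over a small domain. The helper names are my own.

```python
"""Example 4 executed on a finite model (added example, not from the paper).

Cells are 1..n, the inserted cell is c, null is None. The five guarded
rules of Update(next, next') are evaluated for every p != c, p != null.
"""
from itertools import product

NULL = None  # models the null pointer


def make_list(prios):
    """Cells 1..n holding the given priorities, linked in order (constructed input)."""
    n = len(prios)
    cells = list(range(1, n + 1))
    prio = {i: prios[i - 1] for i in cells}
    nxt = {i: (i + 1 if i < n else NULL) for i in cells}
    prev = {i: (i - 1 if i > 1 else NULL) for i in cells}
    return cells, prio, prev, nxt


def guards(p, x, prio, prev, nxt):
    """The five guards of Update(next, next') for a cell p != null, p != c."""
    return [
        prio[p] <= x and prev[p] is NULL,                               # rule 1
        prio[p] <= x and prev[p] is not NULL,                           # rule 2
        prio[p] > x and nxt[p] is NULL,                                 # rule 3
        prio[p] > x and nxt[p] is not NULL and prio[nxt[p]] > x,        # rule 4
        prio[p] > x and nxt[p] is not NULL and prio[nxt[p]] <= x,       # rule 5
    ]


def insert(cells, prio, prev, nxt, c, x):
    """Compute next' from the guarded rules. Raises ValueError if the guards do
    not partition the cases (Theorem 9 precondition) or if two rules assign
    different values to next'(c) (the update axioms would be inconsistent)."""
    prio2 = dict(prio)
    prio2[c] = x
    nxt2 = {c: NULL}       # c.next = null before the loop, as in the program
    c_values = []          # every value some rule assigns to next'(c)
    for p in cells:
        g = guards(p, x, prio2, prev, nxt)
        if sum(g) != 1:
            raise ValueError(f"guards are not a partition at cell {p}: {g}")
        rule = g.index(True) + 1
        if rule == 1:
            nxt2[p] = nxt[p]
            c_values.append(p)
        elif rule in (2, 4):
            nxt2[p] = nxt[p]
        elif rule == 3:
            nxt2[p] = c
            c_values.append(NULL)
        else:  # rule 5
            nxt2[p] = c
            c_values.append(nxt[p])
    if len(set(c_values)) > 1:
        raise ValueError(f"rules assign conflicting values to next'(c): {c_values}")
    if c_values:
        nxt2[c] = c_values[0]
    return prio2, nxt2


def is_sorted(prio2, nxt2):
    """The invariant: for all d with next'(d) != null, prio(d) >= prio(next'(d))."""
    return all(prio2[d] >= prio2[nxt2[d]] for d in nxt2 if nxt2[d] is not NULL)


def insertion_preserves_sortedness(max_len=4, max_prio=3):
    """Exhaustive check over all non-increasing lists; (True, #cases) or (False, witness)."""
    cases = 0
    for n in range(max_len + 1):
        for prios in product(range(max_prio + 1), repeat=n):
            if any(prios[i] < prios[i + 1] for i in range(n - 1)):
                continue  # only lists that satisfy the invariant before the update
            for x in range(max_prio + 1):
                prio2, nxt2 = insert(*make_list(prios), 'c', x)
                if not is_sorted(prio2, nxt2):
                    return False, (prios, x)
                cases += 1
    return True, cases


def update_consistent(prios, x):
    """True iff the guarded rules yield a well-defined next' for this list."""
    try:
        insert(*make_list(prios), 'c', x)
        return True
    except ValueError:
        return False
```

Running update_consistent on a list that is not sorted, e.g. priorities (1, 3) with x = 2, shows why the sortedness hypothesis matters: rule 1 (head with prio ≤ x) sets next′(c) to the head while rule 3 (last cell with prio > x) sets next′(c) = null, so the conjunction of the update axioms is unsatisfiable there and the check proves nothing about such lists.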
Extending the array property fragment. Let T0 be the array property
fragment in [1] (set of arrays Σ0 ). There are several ways of extending T0 :
Theorem 10. Let T1 =T0 ∪K be an extension of T0 with new arrays in a set Σ1 .
(1) If K consists of guarded boundedness axioms, or guarded definitions (cf.
Sect. 4.2) for the Σ1-function symbols, then the extension T0 ⊆ T1 is local.⁷
(2) If K consists of injectivity or (strict) monotonicity (and possibly boundedness
axioms) for the function symbols in Σ1 then the extension T0 ⊆ T1 is local if
the assumptions about the element theory specified in Sect. 4.1 hold.
(3) Any combination of extensions of T0 as those mentioned in (1),(2) with
disjoint sets of new array constants leads to a local extension of T0 .
If the guards φi of the axioms in K are clauses then the result of the hierarchical
reasoning method in Thm. 1 is a formula in T0 , hence satisfiability of ground
clauses w.r.t. T0 ∪ K is decidable. Similarly for chains of extensions. The same
holds for testing satisfiability of goals Γ0 ∪ G where Γ0 and (K[G])0 belong to the
array property fragment. For general guards and chains of extensions decidability
depends on the form of the formulae obtained by hierarchical reduction(s).
Example 5. The example presented in Section 1.2 illustrates the extension of
the fragment in [1] we consider. The task is to check the unsatisfiability of the
formula
G = (1 ≤ c ≤ m ∧ 1 ≤ d ≤ m ∧ c ≠ d ∧ p′(c) = p′(d))
in the extension of the many-sorted combination T0 of Z, R+, {0, 1} with the axioms
∀i, j(1 ≤ i ≤ m ∧ 1 ≤ j ≤ m ∧ i ≠ j → p(i) ≠ p(j)) ∧ Update(a, p, a′, p′).
The extension can be expressed as a chain: T0 ⊆ T1 = T0 ∪ Inj(p) ⊆ T2 =
T1 ∪ Update(a, p, a′ , p′ ). By the locality of the second extension (with guarded
boundedness axioms) we obtain the following reduction of the task of proving
T2 ∧ G |=⊥ to a satisfiability problem w.r.t. T1 . We take into account only
the instances of Update(a, p, a′ , p′ ) which contain ground terms occurring in G.
This means that the axioms containing a′ do not need to be considered. After
purification and skolemization of the existentially quantified variables we obtain:
⁷ An example is the definition of a new array by writing x at a (constant) index c,
axiomatized by {∀i(i ≠ c → a′(i) = a(i)), ∀i(i = c → a′(i) = x)}.
Update0: 1 ≤ c ≤ m ∧ (1 ≤ kc ≤ m ∧ kc ≠ c → p(c) > p(kc)) → c1 = x
         1 ≤ d ≤ m ∧ (1 ≤ kd ≤ m ∧ kd ≠ d → p(d) > p(kd)) → d1 = x
         ∀j(1 ≤ j ≤ m ∧ j ≠ c → p(c) > p(j)) ∨ (1 ≤ c ≤ m → c1 = p(c) + y)
         ∀j(1 ≤ j ≤ m ∧ j ≠ d → p(d) > p(j)) ∨ (1 ≤ d ≤ m → d1 = p(d) + y)
G0:      1 ≤ c ≤ m ∧ 1 ≤ d ≤ m ∧ c ≠ d ∧ c1 = d1
N0:      c = d → c1 = d1   (corresponds to Def: p′(c) = c1 ∧ p′(d) = d1)
We reduced the problem to checking satisfiability of G1 = Update0 ∧ G0 ∧ N0
(which contains universal quantifiers) w.r.t. T1. Let G1 = Gg ∧ G∀, where Gg
is the ground part of G1 and G∀ the part of G1 containing universally quantified
variables. We now have to check whether T0 ∧ Inj(p) ∧ G∀ ∧ Gg |= ⊥. Note
that extensions with injectivity and boundedness axioms are local, and thus T0 ⊆
T0 ∧ Inj ∧ G∀ is a local extension. This makes the following reduction possible:
Inj0:  1 ≤ i ≠ j ≤ m → p(i) ≠ p(j), where i, j are instantiated with c, d, kc, kd
G∀0:   (1 ≤ j ≤ m ∧ j ≠ c → c2 > p(j)) ∨ (1 ≤ c ≤ m → c1 = c2 + y)
       (1 ≤ j ≤ m ∧ j ≠ d → d2 > p(j)) ∨ (1 ≤ d ≤ m → d1 = d2 + y)      (+ purification)
Gg:    1 ≤ c ≤ m ∧ (1 ≤ kc ≤ m ∧ kc ≠ c → c2 > c3) → c1 = x
       1 ≤ d ≤ m ∧ (1 ≤ kd ≤ m ∧ kd ≠ d → d2 > d3) → d1 = x
       c = d → c1 = d1
       1 ≤ c ≤ m ∧ 1 ≤ d ≤ m ∧ c ≠ d ∧ c1 = d1
N0′:   c = d → c2 = d2, c = kc → c2 = c3, c = kd → c2 = d3, d = kc → d2 = c3, d = kd → d2 = d3,
       kc = kd → c3 = d3   (corr. to Def1: p(c) = c2 ∧ p(d) = d2 ∧ p(kc) = c3 ∧ p(kd) = d3)
We can use a prover for a combination of integers and reals to determine whether
the conjunction of formulae above is satisfiable, or symbolic computation packages
performing quantifier elimination over the combined theory to derive constraints
between x and y which guarantee injectivity after update.
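The constraint between x and y that the quantifier-elimination step would produce can be worked out by hand and checked. The Python below is an added example, not the paper's code; it reads the update off the Update0 instances above (p′(i) = x when p(i) is the strict maximum of p on 1..m, and p′(i) = p(i) + y otherwise), derives the condition under which p′ is again injective, and compares that condition with a brute-force evaluation over a small constructed domain of integer values. Function names and the domain are my own choices.

```python
"""Example 5 on a finite domain (added example, not from the paper).

p is given as a sequence (p(1), ..., p(m)); the update read off the
Update0 instances is
    p'(i) = x          if p(i) > p(j) for all j != i
    p'(i) = p(i) + y   otherwise.
"""
from itertools import permutations


def update(p, x, y):
    """p' from the guarded update: x at the strict maximum of p, p(i) + y elsewhere.
    If p has no strict maximum, no cell satisfies the first guard and all shift."""
    top = max(p) if p else None
    unique_max = p.count(top) == 1
    return [x if (unique_max and v == top) else v + y for v in p]


def injective(seq):
    return len(set(seq)) == len(seq)


def forbidden_values(p, y):
    """Values of x for which p' is NOT injective, given p injective and m >= 1:
    every non-maximal p(i) is shifted by y and stays distinct from the others,
    so p' fails to be injective exactly when x hits some p(i) + y, i != imax."""
    top = max(p)
    return {v + y for v in p if v != top}


def constraint(p, x, y):
    """Derived side condition on the parameters: x - y must differ from every
    non-maximal value of p. This is what quantifier elimination would return."""
    return x not in forbidden_values(p, y)


def derived_matches_bruteforce(m_max=4, values=range(0, 6)):
    """Check constraint(p, x, y) <=> injective(update(p, x, y)) for all injective
    p over the constructed domain; returns (True, #cases) or (False, witness)."""
    cases = 0
    for m in range(1, m_max + 1):
        for p in permutations(values, m):      # permutations are exactly the injective p
            for x in values:
                for y in range(-3, 4):
                    cases += 1
                    if constraint(p, x, y) != injective(update(p, x, y)):
                        return False, (p, x, y)
    return True, cases
```

For p = (1, 5, 3) and y = 2 the forbidden values are {3, 5}: with x = 3 the update yields (3, 3, 5), with x = 4 it yields (3, 4, 5). The derived condition is exact on the whole domain, which is what one would expect a quantifier-elimination package such as Redlog to report for the general m.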
6 Experiments
We have implemented the approach for hierarchical reasoning in local theory
extensions described in [13], cf. also Sect. 3.1. The tool we devised allows us to
reduce satisfiability problems in an extended theory to a base theory for which
we can then use existing solvers. It takes as input the axioms of the theory
extension, the ground goal and the list of extension function symbols. Chains
of extensions are handled by having a list of axiom sets, and correspondingly a
list of lists of extension function symbols. We follow the steps in Sect. 3.1: the
input is analyzed for ground subterms with extension symbols at the root. After
instantiating the axioms w.r.t. these terms, the instances are purified (so the
extension symbols are removed). The resulting formula is either given to a prover
for a base theory, or taken as goal for another reduction (if we have a chain of
extensions). Currently, we can produce base theory output for Yices, Mathsat,
CVC and Redlog, but other solvers can be integrated easily. We ran tests on
various examples, including different versions of a train controller example [10,4],
an array version of the insertion algorithm, and reasoning in theories of lists.
Test results and comparisons can be found in [17] (which contains preliminary
versions of some of the results in this paper, in an extended form). Runtimes
range from 0.047s to 0.183s for various versions of the train controller example
resp. to 0.4s for array examples (including an example from [1]). While Yices
can also be used successfully directly for unsatisfiable formulae, this does not
hold if we change the input problem to a formula which is satisfiable w.r.t.
the extended theory. In this case, Yices returns “unknown” after a 300 second
timeout. After the reduction with our tool, Yices (applied to the problem for
the base theory) returns “satisfiable” in fractions of a second, and even a model
for this problem that can easily be lifted to a model in the extended theory
for the initial set of clauses⁸. Even more information can be obtained using the
quantifier elimination facilities offered e.g. by Redlog for determining constraints
between the parameters of the problems which guarantee safety.
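The steps the tool follows can be made concrete on a tiny input. The Python below is an added example, written for this page, not the authors' implementation: terms are nested tuples, variables are capitalised strings, and the functions carry out the steps described above for one extension: collect the ground subterms of the goal with an extension symbol at the root, instantiate the axioms so that their extension terms are among those subterms, purify by replacing each ground extension term with a fresh constant, and emit the congruence clauses N0 for the fresh constants. The demonstration uses the monotonicity axiom ∀x, y (x ≤ y → f(x) ≤ f(y)) and the goal a ≤ b ∧ ¬(f(a) ≤ f(b)); it assumes every variable of an axiom occurs below an extension symbol and that extension terms are not nested inside other extension terms, which is what keeps the instantiation finite and ground here.

```python
"""Hierarchical reduction for one local theory extension (added example,
not the authors' tool). Assumed representation, my own:
  term    : str (variable if it starts uppercase, else constant) or (f, arg, ...)
  literal : (sign, (rel, lhs, rhs)); sign False means negated
  clause  : list of literals (disjunction); goal: list of ground literals (conjunction)
  axiom   : (list of variables, clause)
"""
from itertools import product


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def subterms(t):
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)


def terms_of(lits):
    for _, (_, l, r) in lits:
        yield from subterms(l)
        yield from subterms(r)


def fmt(t):
    return t if isinstance(t, str) else f"{t[0]}({', '.join(fmt(a) for a in t[1:])})"


def extension_terms(lits, ext):
    """Step 1: est(G), the ground subterms with an extension symbol at the root."""
    return sorted({s for s in terms_of(lits) if isinstance(s, tuple) and s[0] in ext
                   and not any(is_var(u) for u in subterms(s))}, key=fmt)


def match(pattern, term, sub):
    """Extend substitution sub so that pattern[sub] == term, or return None."""
    if is_var(pattern):
        if pattern in sub and sub[pattern] != term:
            return None
        return {**sub, pattern: term}
    if isinstance(pattern, str) or isinstance(term, str):
        return sub if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for pa, ta in zip(pattern[1:], term[1:]):
        sub = match(pa, ta, sub)
        if sub is None:
            return None
    return sub


def subst(t, sub):
    if isinstance(t, str):
        return sub.get(t, t)
    return (t[0],) + tuple(subst(a, sub) for a in t[1:])


def instantiate(axioms, goal, ext):
    """Step 2: K[G], the instances whose extension terms all lie in est(G).
    Each extension subterm of an axiom is matched against est(G); only
    matchings that agree on shared variables survive."""
    est = extension_terms(goal, ext)
    instances = []
    for _, clause in axioms:
        pats = []
        for s in terms_of(clause):
            if isinstance(s, tuple) and s[0] in ext and s not in pats:
                pats.append(s)
        for choice in product(est, repeat=len(pats)):
            sub = {}
            for pat, g in zip(pats, choice):
                sub = match(pat, g, sub)
                if sub is None:
                    break
            if sub is None:
                continue
            inst = [(sg, (rel, subst(l, sub), subst(r, sub))) for sg, (rel, l, r) in clause]
            if inst not in instances:
                instances.append(inst)
    return instances


def purify(clauses, ext):
    """Step 3: replace each ground extension term by a fresh constant c1, c2, ...;
    returns the purified clauses and Def = {term: constant}."""
    defs = {}

    def pur(t):
        if isinstance(t, str):
            return t
        t = (t[0],) + tuple(pur(a) for a in t[1:])        # innermost terms first
        return defs.setdefault(t, f"c{len(defs) + 1}") if t[0] in ext else t

    return [[(sg, (rel, pur(l), pur(r))) for sg, (rel, l, r) in cl] for cl in clauses], defs


def congruence(defs):
    """N0: for f(t1..tn) = c and f(s1..sn) = d the clause t1=s1 ∧ .. ∧ tn=sn → c=d."""
    items = sorted(defs.items(), key=lambda kv: int(kv[1][1:]))
    return [[(False, ("=", a, b)) for a, b in zip(t[1:], s[1:])] + [(True, ("=", c, d))]
            for i, (t, c) in enumerate(items) for s, d in items[i + 1:]
            if t[0] == s[0] and len(t) == len(s)]


def hierarchical_reduce(axioms, goal, ext):
    """(K[G]0, G0, Def, N0): K[G]0 ∧ G0 ∧ N0 is satisfiable in the base theory
    iff K ∧ G is satisfiable in the extension, when the extension is local."""
    purified, defs = purify(instantiate(axioms, goal, ext) + [goal], ext)
    return purified[:-1], purified[-1], defs, congruence(defs)


def show(clause):
    return " ∨ ".join(("" if sg else "¬") + f"({fmt(l)} {rel} {fmt(r)})" for sg, (rel, l, r) in clause)


# Demonstration input: monotonicity of f, goal a ≤ b ∧ ¬(f(a) ≤ f(b)).
MONO = [(["X", "Y"], [(False, ("<=", "X", "Y")), (True, ("<=", ("f", "X"), ("f", "Y")))])]
GOAL = [(True, ("<=", "a", "b")), (False, ("<=", ("f", "a"), ("f", "b")))]

if __name__ == "__main__":
    kg0, g0, defs, n0 = hierarchical_reduce(MONO, GOAL, {"f"})
    for cl in kg0 + [g0] + n0:
        print(show(cl))
    print("Def:", {fmt(t): c for t, c in defs.items()})
```

The four instances, the purified goal a ≤ b ∧ ¬(c1 ≤ c2) and the clause a = b → c1 = c2 form the base-theory problem one would hand to a solver such as Yices; the instance for X = a, Y = b, namely ¬(a ≤ b) ∨ c1 ≤ c2, already contradicts the goal in the theory of partial orders, so the solver reports unsatisfiable without ever seeing the quantified axiom.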
We are working towards extending the tool support to stable locality, as well
as for extensions with clauses containing proper first-order formulae.
7 Conclusions
We presented a general framework – based on a general notion of locality –
which allows to identify complex theories important in verification for which
efficient (hierarchical and modular) reasoning methods exist. We showed that
locality considerations allow us to obtain parameterized decidability and complexity results for many (combinations of) theories important in verification (of
parametric systems). We showed that many theories of data structures studied
in the verification literature are local extensions of a base theory. The list of
theories we considered is not exhaustive. (Due to space limitations we did not
discuss the theory of arrays studied in [7], whose main ingredient is the existence of undefined values in arrays and properties (e.g. injectivity) are guarded
by definedness conditions. The main result in [7] can be seen as a locality result as the arguments used are based on the possibility of completing partial
to total models.) The general framework we use allows us to identify situations
in which some of the syntactical restrictions imposed in previous papers can be
relaxed.
The deduction tasks we considered here are typical for invariant checking and
bounded model checking. The next step would be to integrate these methods
into verification tools based on abstraction/refinement. Our work on hierarchical
interpolation in local extensions [14] can be extended to many of the theories of
data structures described in this paper. This is the topic of a future paper.
Acknowledgments. We thank Aaron Bradley for helpful comments made on
a preliminary version of this paper. This work was partly supported by the
German Research Council (DFG) as part of the Transregional Collaborative
Research Center “Automatic Verification and Analysis of Complex Systems”
(SFB/TR 14 AVACS). See www.avacs.org for more information.
⁸ The lifting is straightforward, given the output of our tool, but is not automated at
the moment.
References
1. Bradley, A.R., Manna, Z., Sipma, H.B.: What’s decidable about arrays? In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 427–442.
Springer, Heidelberg (2006)
2. Burmeister, P.: A Model Theoretic Oriented Approach to Partial Algebras: Introduction to Theory and Application of Partial Algebras, Part I. In: Mathematical
Research, vol. 31, Akademie-Verlag, Berlin (1986)
3. Burris, S.: Polynomial time uniform word problems. Mathematical Logic Quarterly 41, 173–182 (1995)
4. Faber, J., Jacobs, S., Sofronie-Stokkermans, V.: Verifying CSP-OZ-DC specifications with complex data types and timing parameters. In: Davies, J., Gibbons, J.
(eds.) IFM 2007. LNCS, vol. 4591, pp. 233–252. Springer, Heidelberg (2007)
5. Ganzinger, H.: Relating semantic and proof-theoretic concepts for polynomial time
decidability of uniform word problems. In: Proc. 16th IEEE Symposium on Logic
in Computer Science (LICS 2001), pp. 81–92. IEEE Computer Society Press, Los
Alamitos (2001)
6. Ganzinger, H., Sofronie-Stokkermans, V., Waldmann, U.: Modular proof systems
for partial functions with Evans equality. Information and Computation 204(10),
1453–1492 (2006)
7. Ghilardi, S., Nicolini, E., Ranise, S., Zucchelli, D.: Deciding extensions of the theory
of arrays by integrating decision procedures and instantiation strategies. In: Fisher,
M., van der Hoek, W., Konev, B., Lisitsa, A. (eds.) JELIA 2006. LNCS (LNAI),
vol. 4160, pp. 177–189. Springer, Heidelberg (2006)
8. Givan, R., McAllester, D.: New results on local inference relations. In: Principles of
Knowledge Representation and Reasoning: Proceedings of the Third International
Conference (KR 1992), pp. 403–412. Morgan Kaufmann, San Francisco (1992)
9. Givan, R., McAllester, D.A.: Polynomial-time computation via local inference relations. ACM Transactions on Computational Logic 3(4), 521–541 (2002)
10. Jacobs, S., Sofronie-Stokkermans, V.: Applications of hierarchical reasoning in the
verification of complex systems. Electronic Notes in Theoretical Computer Science 174(8), 39–54 (2007)
11. McAllester, D.: Automatic recognition of tractability in inference relations. Journal
of the Association for Computing Machinery 40(2), 284–303 (1993)
12. McPeak, S., Necula, G.C.: Data structure specifications via local equality axioms.
In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 476–490.
Springer, Heidelberg (2005)
13. Sofronie-Stokkermans, V.: Hierarchic reasoning in local theory extensions. In:
Nieuwenhuis, R. (ed.) CADE 2005. LNCS (LNAI), vol. 3632, pp. 219–234. Springer,
Heidelberg (2005)
14. Sofronie-Stokkermans, V.: Interpolation in local theory extensions. In: Furbach, U.,
Shankar, N. (eds.) IJCAR 2006. LNCS (LNAI), vol. 4130, pp. 235–250. Springer,
Heidelberg (2006)
15. Sofronie-Stokkermans, V.: Hierarchical and modular reasoning in complex theories:
The case of local theory extensions. In: Konev, B., Wolter, F. (eds.) FroCos 2007.
LNCS (LNAI), vol. 4720, pp. 47–71. Springer, Heidelberg (2007)
16. Sofronie-Stokkermans, V., Ihlemann, C.: Automated reasoning in some local extensions of ordered structures. In: Proc. of ISMVL-2007, IEEE Computer Society
Press, Los Alamitos (2007), http://dx.doi.org/10.1109/ISMVL.2007.10
17. Sofronie-Stokkermans, V., Ihlemann, C., Jacobs, S.: Local theory extensions, hierarchical reasoning and applications to verification. In: Dagstuhl Seminar Proceedings 07401, http://drops.dagstuhl.de/opus/volltexte/2007/1250