Deciding Quantifier-Free Presburger Formulas using Finite Instantiation based on Parameterized Solution Bounds

Given a formula $ in quantifier-free Presburger arithmetic, it is well known that, if there is a satisfying solution to 3>, there is one whose size, measured in bits, is polynomially bounded in the size of $. In this paper, we consider a special class of quantifier-free Presburger formulas in which most linear constraints are separation (difference-bound) constraints, and the non-separation constraints are sparse. This class has been observed to commonly occur in software verification problems. We derive a new solution bound in terms of parameters characterizing the sparseness of linear constraints and the number of non-separation constraints, in addition to traditional measures of formula size. In particular, the number of bits needed per integer variable is linear in the number of non-separation constraints and logarithmic in the number and size of non-zero coefficients in them, but is otherwise independent of the total number of linear constraints in the formula. The derived bound can be used in a decision procedure based on instantiating integer variables over a finite domain and translating the input quantifier-free Presburger formula to an equi-satisfiable Boolean formula, which is then checked using a Boolean satisfiability solver. We present empirical evidence indicating that this method can greatly outperform other decision procedures.


Introduction
Presburger arithmetic [27] is defined as the first-order theory of the structure (N, 0,1, <, +), where N denotes the set of natural numbers. The satisfiability problem for Presburger arithmetic is decidable, but of super-exponential worst-case complexity [13]. Fortunately, for many applications, such as in program analysis (e.g., [28]) and hardware verification (e.g., [8]), the quantifier-free fragment suffices.
A formula $ in quantifier-free Presburger arithmetic (QFP) is constructed by combining linear constraints with Boolean operators (A, V, -•). Formally, the ith constraint is of the form S?=i a i,j x j ^ &tj where the coefficients and the constant terms are integer constants and the variables xi,X2,... ,# n are integer-valued 1 . In this paper, we are concerned with the satisfiability problem for QFP, viz., that of finding a valuation of the variables such that $ evaluates to true. That this problem is in NP, and hence NP-complete, can be concluded from the result that integer linear programming is in NP [6,30,17,23]. 2 Thus, if there is a satisfying solution to a QFP formula, there is one whose size, measured in bits, is polynomially bounded in the problem size. Problem size is traditionally measured in terms of the parameters TO, n, log /x^, and log //&, where m is the total number of constraints in the formula, n is the number of variables, and /JLA = max (ij) \ a ij\ an d f^b = max; \b{\ are upper bounds on the absolute values of coefficients and constant terms respectively.
The above result suggests the following approach to checking the satisfiability of a QFP formula $: 1. Compute the polynomial bound S on solution size. This approach has been successfully applied to highly restricted sub-classes of QFP, such as equality logic [25] and separation logic [9], and is termed as finite instantiation. The basic idea is to translate $ to a Boolean formula by encoding each integer variable as a vector of Boolean variables (a "symbolic bit-vector") of length 5. The resulting Boolean formula is checked using a Boolean satisfiability (SAT) solver. This approach leverages the dramatic advances in SAT solving made in recent years (e.g., [20,15]). It is straightforward to extend the approach to additionally handle the theory of uninterpreted functions and equality, by using, e.g., Ackermann's technique of eliminating function applications [1].
However, a naive implementation of a decision procedure based on finite instantiation fails for QFP formulas encountered in practice. The problem is that the bound on solution size, 5, is O(log ra + log /ib + m[log 77i + log /JLA])-I n particular, the presence of the 771 log 771 term means that for practical problems involving hundreds of linear constraints, the Boolean formulas generated are likely to be too large to be decided by present-day SAT solvers.
In this paper, we explore the above finite instantiation-based approach to deciding QFP formulas, but with a focus on formulas generated in software verification. It has been observed, by us and others, that QFP formulas from this domain have:  For each software verification project, the maximum fraction of non-separation constraints is shown, as well as the maximum width of a non-separation constraint, where the maximum is taken over all formulas in the set. The Blast formulas were generated from device drivers written in C, the Magic formulas from an implementation of openssl written in C, the MIT formulas from Java programs, and the WiSA formulas were generated in the checking of format string vulnerabilities. 2. Sparse Structure: The k non-separation constraints are sparse, with at most w variables per constraint, where w is "small". We will refer to w as the width of the constraint.
Pratt [26] observed that most inequalities generated in program verification are separation constraints. More recently, the authors of the theorem prover Simplify observed in the context of the Extended Static Checker for Java (ESC/Java) project that "the inequalities that occur in program checking rarely involve more than two or three terms" [12]. We have performed a study of formulas selected from various recent software verification projects: the Blast project at Berkeley [16], the Magic project at CMU [10], the Wisconsin Safety Analyzer (WiSA) project 3 , and the software upgrade checking project at MIT [19]. The results of this study, indicated in Table 1, support the afore-mentioned observations regarding the "sparse, mostly separation" nature of constraints in QFP formulas. To our knowledge, no previous decision procedure for QFP has attempted to exploit this problem structure.
We make the following novel contributions in this paper: • We derive bounds on solutions for QFP formulas, not only in terms of the traditional parameters m, n, HA, and n^ but also in terms of k and w. In particular, we show that the worst-case number of bits required per integer variable is linear in fc, but only logarithmic in w. Unlike previously derived bounds, ours is independent of the total number of constraints m.
• We use the derived bounds in a sound and complete decision procedure for QFP based on finite instantiation, and present empirical evidence that our method can greatly outperform other decision procedures.

Related Work.
There has been much work on deciding quantifier-free Presburger arithmetic; we present a brief discussion here and refer the reader to a recent survey [14] for more details. Recent techniques fall into three categories: • The first class comprises procedures targeted towards solving conjunctions of constraints, with disjunctions handled by enumerating terms in a disjunctive normal form (DNF). Examples include the Omega test [28] and solvers based on other integer linear programming techniques. The drawback of these methods is the need to enumerate the potentially exponentially many terms in the DNF representation.
• The second set of methods attempt to remedy this problem by instead relying on modern SAT solving strategies. The approach works as follows. A Boolean abstraction of the QFP formula <& is generated by replacing each linear constraint with a corresponding Boolean variable. If the abstraction is unsatisfiable, then so is <£. If not, the satisfying assignment (model) is checked for consistency with the theory of quantifier-free Presburger arithmetic, using a ground decision procedure for conjunctions of linear constraints. Assignments that are inconsistent are excluded from later consideration by adding a "lemma" to the Boolean abstraction. The process continues until either a consistent assignment is found, or all (exponentially many) assignments have been explored. Examples of decision procedures in this class that have some support for QFP include CVC [2,3] and ICS [11]. These provers employ the Nelson-Oppen architecture for cooperating decision procedures [22], or some variant of it. Note that the original Nelson-Oppen framework was only defined for disjoint theories.
In order to exploit the mostly-separation structure of a formula, one approach could be to combine a decision procedure for a theory of separation constraints with one for a theory of non-separation constraints, but this needs an extension of the Nelson-Oppen framework to apply to these non-disjoint theories.
• The final class of methods are based on finite automata theory (e.g., [31,14]). The basic idea is to construct a finite automaton corresponding to the input QFP formula <fr, such that language accepted by the automaton consists of the binary encodings of satisfying solutions of <I>. According to a recent experimental evaluation with other methods [14], these techniques are better than others at solving formulas with very large coefficients, but do not scale well with the number of variables and constraints. 4 The approach we present in this paper is distinct from the categories mentioned above. In particular, the following unique features differentiate it from previous methods: • It is the first finite instantiation method, translating a QFP formula to SAT in a single step. The clear separation between the translation and the SAT solving allows us to leverage future advances in SAT solving far more easily than other SAT-based procedures.
• It is the first technique, to the best of our knowledge, that exploits the structure of formulas commonly encountered in software verification.
Outline of the paper. The rest of this paper is organized as follows. In Section 2, we discuss background material on bounds on satisfying solutions of integer linear programs. An integer linear program (ILP) is a conjunction of linear constraints, and hence is a special kind of QFP formula. The bounds for QFP follow directly from those for ILPs. Our main theoretical results are presented in Sections 3-5. Section 3 gives bounds for ILPs for the case of k = 0, when all constraints are separation constraints. In Section 4, we compute a bound for ILPs for arbitrary k. In Section 5, we show how our results extend to arbitrary QFP formulas. We report on experimental results in Section 6, and conclude in Section 7.

Background
In this section, we define the integer linear programming problem formally and state the previous results on bounding satisfying solutions of ILPs. A more detailed discussion on the steps outlined in Section 2.1 can be found in reference books on ILP (e.g. [29,24]). Useful results on determinants used in the paper are reviewed in Appendix B.

Preliminaries
Consider a system of m linear constraints in n integer-valued variables: Here A is an m x n matrix with integral entries, b is a m x 1 vector of integral entries, and x is a n x 1 vector of integer-valued variables. A satisfying solution to system (1) is an evaluation of x that satisfies (1).
In system (1), the entries in x can be negative. We can constrain the variables to be non-negative by adding a dummy variable XQ that refers to the "zero value," replacing each original variable X{ by x\ -#o, and then adjusting the coefficients in the matrix A to get a new constraint matrix A' and the following system: 5 Here the system has n f = n + 1 variables, and .. , n and a\ n+1 = -X)?=i a ij-Note that the last column of A 1 is a linear combination of the previous n columns. As shown in Proposition 1 in Appendix A, system (1) has a solution if and only if system (2) has one.
Finally, adding surplus variables to the system, we can rewrite system (2) as follows: where A n = [A\ -I m ] is an m x (n ; + m) integer matrix formed by concatenating A with the negation of the m x m identity matrix I m .
For convenience we will drop the primes, referring to A" and x" simply as A and x. Rewriting system (3) thus, we get^x Hereafter we will use the definition in (4). Let \JLA -max (i,j) \ a i,j\ an d /^b = max* |6^| be upper bounds on the absolute values of entries of A and b respectively. 5 Note that this procedure can increase the width of a constraint by 1. The statistics in Table 1 shows the width before this procedure is applied, computed from constraints as they appear in the original formulas.

r 2.2 Previous Results
The results of this paper build on results obtained by Borosh, Treybig, and Flahive [6,5] on bounding the solution of systems of the form (4). We state their result in the following theorem: Theorem 1 Consider the augmented matrix [A\b] of dimension m x (n ; + m+l). Let A be the maximum of the absolute values of all minors of this augmented matrix. Then, the system (4) has a satisfying solution if and only if it has one with all entries bounded by (n + 2)A.
However, note that the determinant of a matrix can be more than exponential in the dimension of the matrix [7]. In the case of the Borosh-Flahive-Treybig result, it means that A can be as large Papadimitriou [23,24] also gives a bound of similar size, stated in the following theorem: (4)

Bounds for a System of Separation Constraints
Let us first consider computing solution bounds for an ILP for the case where k = 0, i.e., system (4) comprises only of separation constraints.
In this case, the left-hand side of each equation comprises exactly three variables: two variables X{ and Xj where 0 < i, j < n and one surplus variable x\ where n + l<Z<n + m. The t equation in the system is of the form X{ -Xj -x\ = bt.
As we noted in Section 2.1, the matrix A can be written as where A o comprises the first n f = n + 1 columns, and I m is the m x m identity matrix.
The important property of A o is that each row has exactly one +1 entry and exactly one -1 entry, with all other entries 0. Thus, A^ can be interpreted as the node-arc incidence matrix of a directed graph. Therefore, A^ is totally unimodular (TUM), i.e., every square submatrix of A^ has determinant in {0, -1, +1} [24]. Therefore, If the minor is obtained by deleting the last column (corresponding to b), then it is a minor of A, and its value is in {0, -1,+1} since A is TUM. Thus, the bound of s/i& is attained for any non-trivial minor with s > 1 and //& > 1.
Suppose the b column is not deleted.
where the rank of A o is at most s' = min (n, ra). This is because A o has dimensions m x n + 1, and the last column of A o , corresponding to the variable XQ, is a linear combination of the previous n columns. 6 Next, suppose the sub-matrix corresponding to M comprises p columns from the -I m part, r-p -1 columns from the A o part, and the one column corresponding to b. Since permuting the rows and columns of M does not change its absolute value, we can permute the rows of M and the columns corresponding to the -I m part to get the corresponding sub-matrix in the following form: Expanding M along the last column, we get where each Mi is a minor corresponding to a submatrix of A. However, notice that Mi = 0 for all 1 < i < p, since each of those minors have an entire column (from the -I m part) equal to 0. Therefore, we can reduce the right-hand side to the sum of r -p terms:  6 Refer to the construction of system (2) from system (1). 7 We use s' + 1 and not s' to account for the case where p = 0. The minimum with m is taken because s' + 1 can exceed m but b has only m elements.
Formulas generated from verification problems tend to be over constrained, so we assume n < m. Thus, s = n + 1, and the bound reduces to O(logn + log ^5) bits per variable. Remark. The only property of the A matrix that the proof of Theorem 3 relies on is the totally unimodular (TUM) property. Thus, Theorem 3 would also apply to any system of linear constraints whose coefficient matrix is TUM. Examples of such matrices include interval matrices, or more generally network matrices. Note that the TUM property can be tested for in polynomial time [29].

Bounds for a Sparse System of Mainly Separation Constraints
We now consider the general case for ILPs, where we have k non-separation constraints, each referring to at most w variables. Without loss of generality, we can reorder the rows of matrix A so that the k non-separation constraints are the top k rows, and the separation constraints are the bottom m-k rows. Reordering the rows of A can only change the sign of any minor of [A|6], not the absolute value. Thus, the matrix [A\b] can be put into the following form: Here, Ai is a k x n + 1 dimensional matrix corresponding to the non-separation constraints, A2 isam-fcxn + 1 dimensional matrix with the separation constraints, I m is the m x m identity corresponding to the surplus variables, and the last column is the vector b. The matrix comprised of A\ and A2 will be referred to, as before, as A o . Note that each row of A\ has at most w non-zero entries, and each row of A<i has exactly one +1 and one -1 with the remaining entries 0. Thus, A^ is TUM.
We prove the following theorem: Consider any minor M of [A16], and let r be its order.

As in Theorem 3, if M includes p columns from the -I m part of ^4, then we can infer that r-p<s. (Our proof of this property in Theorem 3 made no assumptions on the form of A o .)
If M includes the last column 6, then as in the proof of Theorem 3, we can conclude that

\M\ < (r-(5)
where Mj is a minor of A o .
If M does not include 6, then it is a minor of A. Without loss of generality, we can assume that M does not include a column from the -I m part of A, since such columns only contribute to the sign of the determinant.
So, let us consider bounding a minor Mj of A o of order r (or r -1, if M includes the b column).
Since A o = rf^ , consider expanding Mj, using the standard determinant expansion by minors along the top k rows corresponding to non-separation constraints (see Equation 8 in Appendix B). Each term in the expansion is (up to a sign) the product of at most k entries from the A\ portion, one from each row, and a minor from ^2-Since A2 is TUM, each product term is bounded in absolute value by fi\. Furthermore, there can be at most w k non-zero terms in the expansion, since each non-zero product term is obtained by choosing one non-zero element from each of the rows of the A\ portion of M^, and this can be done in at most w k ways.
Therefore, \Mj\ is bounded by ({iAw) k . Combining this with the inequality (5), and since r-p < s, we get which is what we set out to prove. • Thus, we conclude that A < s/j,b(/u,Aw) k , where s = min(n + l,ra). Prom Theorems 1 and 4, the solution bound is (n + 2)A. Thus, S is [log(n + 2) + log s + log /j, b + k(log fx A + log w)] We make the following observations about the bound derived above, assuming as before, that n < ra, and so s = n + 1: • Dependence on Parameters: We observe that the bound is linear in fc, logarithmic in /a A, W, n, and (ji b . In particular, the bound is independent of the total number of linear constraints, ra. • Worst-case Asymptotic Growth In the worst case, k = ra, w = n+ 1, and n = O(ra), and we get the O(log ra + log ^ + ra[log ra + log /JLA}) bound of Papadimitriou.
• Typical-case Asymptotic Growth: As observed in Section 1, w is typically a small constant, so the number of bits needed per variable is O(logn + log^& + fclog^ + k). In many cases, HA is also a small constant, simplifying the bound to O(logn + log/u^ + k) bits per variable.
• Representing Non-separation Constraints: There are many ways to represent non-separation constraints and these have an impact on the bound we derive. In particular, it is possible to transform a system of non-separation constraints to one with at most three variables per constraint. For example, the linear constraint x\ + X2 + x% + X4 -x § can be rewritten as:

= 4
For the original representation, k = 1 and w = 5, while for the new representation k = 3 and w = 3. Since our bound is linear in k and logarithmic in w, the original representation would yield a tighter bound. Similarly, one can eliminate variables with coefficients greater than 1 in absolute value by a similar process of adding new non-separation constraints. Again, since the bound is logarithmic in fiA, it would be preferable to avoid adding new non-separation constraints.

T"
The derived bound only yields benefits in the case when the system has few non-separation constraints which themselves are sparse. In this case, we can instantiate variables over a finite domain that is much smaller than that obtained without making any assumptions on the structure of the system.

Bounds for Arbitrary Quantifier-Free Presburger Formulas
We now return to the original goal of this paper, that of finding a solution bound for an arbitrary QFP formula $. Suppose that $ has m linear constraints </>i, 02,... , </ >m> of which m -k are separation constraints, and n variables #i, #2,... , x n . As before, we assume that each non-separation constraint has at most w variables, JJLA is the maximum over the absolute values of coefficients dij of variables, and fi^ is the maximum over the absolute values of constants bi appearing in the constraints.
We prove the following theorem. Also, if the system (6) has a satisfying solution then $ is satisfied by that solution. Thus, $ and the system (6) are equi-satisfiable, for every possible system (6) we construct in the manner described above.

Theorem 5 If $ is satisfiable, there is a solution to 3> that is bounded by (n + 2) A where
By Theorems 1 and 4, we can conclude that if system (6) has a satisfying solution, it has one bounded by (n + 2) A where A = s(fi h + 1) (HA w) k and s = min(n + l,ra). Moreover, this bound works for every possible system (6).
Therefore, if 3> has a satisfying solution, it has one bounded by (n + 2)A. • Thus, to generate the Boolean encoding of the starting QFP formula, we must encode each integer variable as a symbolic bit-vector of length S = \log[(n + 2) A]] = [log(n + 2) + log s + log(^^ + 1) +

Remark.
In the preceding discussion, we have used a single bit-vector length for all integer variables appearing in the formula <E>. This is conservative. In general, we can partition the set of variables into classes such that two variables are placed in the same class if there is a constraint in which they both appear with non-zero coefficients. For each class, we separately compute parameters n, fc, //&, ^, and w, resulting in a separately computed bit-vector length for each class. The correctness of this partitioning optimization follows from a reduction to ILP as performed in the proof of Theorem 5, and the observation that a satisfying solution to a system of ILPs, no two of which share a variable, can be obtained by solving them independently and concatenating the solutions.

Implementation and Experimental Results
We used the bound derived in the previous section to implement a decision procedure based on finite instantiation. Integer variables in the QFP formula are encoded as symbolic bit-vectors large enough to express any integer value within the bound. Arithmetic operators are implemented as arbitrary-precision bit-vector arithmetic operations. Equalities and inequalities over integer expressions are translated to corresponding relations over bit-vector expressions. The resulting Boolean formula is passed as input to a SAT solver.
We implemented our procedure as part of UCLID 8 , which is written in Moscow ML 9 . In our implementation we used the zChaff SAT solver 10 , version 2003.7.22. We compared UCLID's performance with that of the SAT-based prover ICS (the latest version 2.0) n and the automata-based procedure LASH 12 . While LASH is sound and complete for QFP, ICS 2.0 is incomplete; i.e., it can report a formula to be satisfiable when it is not. The ground decision procedure ICS uses is the Simplex linear programming algorithm with some additional heuristics to deal with integer variables. However, in our experiments, both UCLID and ICS returned the same answer whenever they both terminated within the timeout. 13 http://www.cs.emu.edu/~uclid 9 http://www.dina.dk/~sestoft/mosml.html 10 http://ee.princeton.edu/~chaff/zchaff.php l:L http: //www. icansolve. com 12 http://www.montef iore.ulg.ac.be/~boigelot/research/lash 13 We also attempted comparisons with CVC-Lite (the new version of CVC which includes a ground decision procedure for QFP [3]). However, the implementation was too unstable to be able to make useful comparisons. We intend to perform a comparative evaluation when a stable implementation become available.
For benchmarks, we used several formulas from the Wisconsin Safety Analyzer project on checking format string vulnerabilities. The benchmarks include both satisfiable and unsatisfiable formulas in an extension of QFP with uninterpreted functions. Uninterpreted functions were first eliminated using Ackermann's technique [1], and the decision procedures were run on the resulting QFP formula. Some characteristics of the formulas are displayed in Table 2. For each formula, we indicate whether it is satisfiable or not, and also give the values of parameters n, ra, k, w, HA and Hb corresponding to the variable class for which 5 = [log[(n+2)A]] is largest, i.e, for which we need the largest number of bits per variable. Note that the total numbers of variables and constraints, for all variable classes, are larger: For example, for the benchmark xs-30-40, the formula has 115 variables and 2610 constraints in all. The formulas involve the combination of linear constraints by arbitrary Boolean operators (A, V, ->). The key characteristics of formulas generated in this class of problems is that they vary in n, ra, and //&, but the values of fc, w, and HA are fixed at a small value. Experiments were performed on a Pentium-IV 2 GHz machine with 1 GB of RAM running Linux. A timeout of 900 seconds was imposed on each run.   Table 2: Benchmark characteristics and experimental results. For UCLID, we list the time taken to decide the formula including a breakup into the encoding time ("Enc") and the time taken by the SAT solver ("SAT"). For ICS, we give the total time, the number of inconsistent Boolean assignments analyzed by the ground decision procedure ("#(Inc. assn.)"), as well as the overall time taken by the ground decision procedure ("Gnd."). A "*" indicates that the decision procedure timed out after 900 sec. LASH was unable to complete within the timeout on any formula.
A comparison of UCLID versus ICS is displayed in Table 2. LASH was unable to complete on any benchmark within the timeout; we attribute this to the relatively large number of variables and constraints in our formulas, and note that Ganesh et al. obtained similar results in their study [14]. From Table 2, we observe that UCLID outperforms ICS on all benchmarks, terminating within the timeout on several benchmarks on which ICS does not. The reason for UCLID's superior performance is the formula structure, where fc, w, and HA remain fixed at a low value while m, n, and Hb increase. Thus, the maximum number of bits per variable is only moderately large (about 40), even as m increases substantially, and the resulting SAT problem is within the capacity of zChaff. Also, we note that UCLID's run-time is dominated by the SAT time, since the time to compute the parameter values and generate the SAT-encoding is polynomial in the input size. For ICS, we note that the run-time is dominated by the time taken by the ground decision procedure.
We observe that the number of inconsistent Boolean assignments alone is not a precise indicator of total run-time, which also depends on the time taken by the ground decision procedure in ruling out a single Boolean assignment.

Conclusions and Future Work
In this paper, we have presented a formal approach to exploiting the "sparse, mainly separation constraint" nature of quantifier-free Presburger formulas encountered in software verification. Our approach is based on deriving a new parameterized bound on satisfying solutions to QFP formulas. Experimental results show the benefits of using the derived bound in a SAT-based decision procedure based on finite instantiation.
Note that the bounds we have derived and used in our experiments are conservative. First, the size of minors in a particular problem instance might be far smaller than the bounds we have computed. It is unclear how this can be exploited, since there are exponentially many minors in the dimensions of the input matrix. Second, for certain special cases, one can improve the (n + 2) A bound. For example, if all the constraints are originally equalities and the system of constraints has full rank, a bound of A suffices [4]. Thirdly, in cases where the value of fib is very large due to the presence of a single large constant, one might want to use a less conservative analysis than is performed in the proof of Theorem 4.
In our implementation, we translate a QFP formula to a Boolean formula in a single step. An alternative approach is to perform this transformation lazily, increasing the bit-vector size "on demand". This lazy encoding approach works, in brief, as follows. (Details can be found in [18].) We start with an encoding size for each integer variable that is smaller than that prescribed by the bound. If the resulting Boolean formula is satisfiable, so is the original QFP formula. If not, the proof of unsatisfiability generated by the SAT solver is used to generate a sound abstraction of the original formula, which can be checked with a sound and complete decision procedure for QFP (such as the one proposed in this paper). If this decision procedure concludes that the abstraction is unsatisfiable, so is the original formula, but if not, it provides a counterexample which indicates the necessary increase in the encoding size, and the procedure repeats. The advantage of this lazy approach is twofold: (1) It avoids using the conservative bounds we have derived in this paper, and (2) if the generated abstractions are small, the sound and complete decision procedure used by this approach will run much faster than if it were fed the original formula. The bound S that we derive in this paper implies an upper bound nS on the number of iterations of this lazy encoding procedure; thus the lazy encoding procedure needs only polynomially many iterations before it terminates with the correct answer. Using the decision procedure proposed in this paper with the above lazy encoding approach is an interesting avenue for future work.
Finally, it would also be interesting to explore applications other than software verification that share the "sparse, mainly separation constraints" property.
A Proof of Transformation to System 2

Proposition 1 System (1) has a solution if and only if system (2) has one.
Proof: For the "if part", suppose we have a solution x' to (2). Construct a candidate solution vector x by setting Xj = x'j -XQ. Then, consider the ith constraint in A', for any i. The following sequence of equalities holds: Thus, we can conclude that the ith constraint of A is satisfied by x for all i. Thus, we have found a solution to system (1).
Now consider the "only if" part, where we start with a solution to system (1). Clearly, any value of x' that sets x^ = Xj + xo for all j will satisfy A'x.' > b. But we also need to satisfy x ; > 0. If none of the Xj are negative, then simply set x'j = Xj and xo = 0 and we are done. Otherwise, set XQ = -mmk, Xk

B Some Background on Determinants
We review some useful results from the theory of determinants. All these results can be found in standard textbooks (e.g., [21,24]).
Consider adxd matrix P, where the (i, j)th entry is denoted pij in the usual way. Then, the full product expansion of its determinant \P\ can be written as ()(2)...P^(d) (7) permutations TT of {1,2,... , d} where t(n) is the number of permutation inversions (swaps) in n.
The (i,j)th minor of a matrix P is the determinant of the submatrix obtained by deleting the ith row and the jth column of P. A minor of P of order r is the determinant of a square submatrix of P of order r.
If we only fully expand \P\ along the first k rows, we get the equation where P^^ is the minor of P obtained by excluding the first k rows of P and the k columns corresponding to TT(1), TT(2), ... , 7r(k).
The determinant of a matrix equals that of its transpose, i.e., \P\ = |P T |.
For an arbitrary d x d matrix P with integral entries, we have the following bound on \P\ [7]: where jip = max^j) \pij\-Equality is attained in certain cases. A square, integer matrix P is called unimodular (UM) if |JP| 6 {0,+1,-1}. P is called totally unimodular (TUM) if every square submatrix of P is UM.
The node-arc incidence matrix of a directed graph is TUM. This matrix has entries in {0, +1, -1} and every column has exactly one +1 entry and one -1 entry. If P is TUM, then so is P T , [P|7], and [P| -/].