TRAKHTENBROT’S THEOREM IN COQ: FINITE MODEL THEORY THROUGH THE CONSTRUCTIVE LENS

Abstract. We study finite first-order satisfiability (FSAT) in the constructive setting of dependent type theory. Employing synthetic accounts of enumerability and decidability, we give a full classification of FSAT depending on the first-order signature of non-logical symbols. On the one hand, our development focuses on Trakhtenbrot's theorem, stating that FSAT is undecidable as soon as the signature contains an at least binary relation symbol. Our proof proceeds by a many-one reduction chain starting from the Post correspondence problem. On the other hand, we establish the decidability of FSAT for monadic first-order logic, i.e. where the signature only contains at most unary function and relation symbols, as well as the enumerability of FSAT for arbitrary enumerable signatures. To showcase an application of Trakhtenbrot's theorem, we continue our reduction chain with a many-one reduction from FSAT to separation logic. All our results are mechanised in the framework of a growing Coq library of synthetic undecidability proofs.


Introduction
In the wake of the seminal discoveries concerning the undecidability of first-order logic by Turing and Church in the 1930s, a broad line of work has been pursued to characterise the border between decidable and undecidable fragments of the original decision problem. These fragments can be grouped either by syntactic restrictions controlling the allowed function and relation symbols or the quantifier prefix, or by semantic restrictions on the admitted models (see [BGG97] for a comprehensive description).
Concerning signature restrictions, already predating the undecidability results, Löwenheim had shown in 1915 that monadic first-order logic, admitting only signatures with at most unary symbols, is decidable [Lö15]. Therefore, the successive negative results usually presuppose non-trivial signatures containing an at least binary symbol.
Turning to semantic restrictions, Trakhtenbrot proved in 1950 that, if only admitting finite models, the satisfiability problem over non-trivial signatures is still undecidable [Tra50]. Moreover, the situation is somewhat dual to the unrestricted case, since finite satisfiability (FSAT) is still enumerable while, in the unrestricted case, validity is enumerable. As a consequence, finite validity cannot be characterised by a complete finitary deduction system and, resting on finite model theory, various natural problems in database theory and separation logic are undecidable. The latter will be the subject of a case study in Section 7.
Conventionally, Trakhtenbrot's theorem is proved by (many-one) reduction from the halting problem for Turing machines (see e.g. [BGG97, Lib10]). An encoding of a given Turing machine M can be given as a formula ϕ_M such that the models of ϕ_M correspond to the runs of M. Specifically, the finite models of ϕ_M correspond to terminating runs of M and so a decision procedure for FSAT of ϕ_M would be enough to decide whether M terminates or not.
Although this proof strategy is in principle explainable on paper, already the formal definition of Turing machines, not to mention their encoding in first-order logic, is not ideal for mechanisation in a proof assistant. So for our Coq mechanisation of Trakhtenbrot's theorem, we follow a different strategy by starting from the Post correspondence problem (PCP), a simple matching problem on strings. Similar to the conventional proof, we proceed by encoding every instance R of PCP as a formula ϕ_R such that R admits a solution iff ϕ_R has a finite model. Employing the framework of synthetic undecidability [FKS19, FLWD+20], the computability of ϕ_R from R is guaranteed since all functions definable in constructive type theory are computable without reference to a concrete model of computation.
Both the conventional proof relying on Turing machines and our elaboration starting from PCP actually produce formulas in a custom signature well-suited for the encoding of the seed decision problems. The sharper version of Trakhtenbrot's theorem, stating that a signature with at least one binary relation (or one binary function and one unary relation) is enough to turn FSAT undecidable, is in fact left as an exercise in e.g. Libkin's book [Lib10]. However, at least in a constructive setting, this generalisation is non-trivial and led us to mechanising a chain of signature transformations eliminating and compressing function and relation symbols step by step.
The constructive and type-theoretic setting introduces subtleties that remain hidden from view in a classical approach to (finite) model theory. Among these subtleties, quotients are critical for signature reductions but not generally constructively available. With suitable notions of finiteness (here defined as listability) and discreteness (decidable equality), however, we are able to build finite and decidable quotients (Theorem 2.9) sufficient for our purposes. Moreover, the usual set-theoretic constructions in model theory can be simulated in type theory only to some extent, with the prominent lack of a (computable) power set. Fortunately, it is possible to use the notion of weak power set (Lemma 2.11) for these constructions. Relatedly, finiteness does not entail computability in the constructive setting, so the Tarski semantics has to be refined. In a critically useful result, we establish that finite satisfiability is not impacted by the further requirement of the discreteness of the model (Theorem 4.7).
Complementing the undecidability result, we further formalise that FSAT is enumerable for enumerable signatures and decidable for monadic signatures. Again, both of these standard results come with their subtleties when explored in a constructive approach to finite model theory.
In summary, the main contributions of this paper are the following:
• we provide an axiom-free Coq mechanisation comprising a full classification of finite satisfiability with regards to the signatures allowed;
• we present a streamlined proof strategy for Trakhtenbrot's theorem, well-suited for mechanisation and simple to explain informally, based on PCP;
• we give a constructive account of signature transformations and the treatment of interpreted equality typically neglected in a classical development;
• compared to the conference version of this paper [KLW20], we contribute a refined analysis of the conditions allowing for decidable FSAT in the case of monadic signatures, introducing the notion of discernability of symbols (e.g. Theorem 6.2);
• in addition to [KLW20], we mechanise a many-one reduction from FSAT to the satisfiability problem of separation logic following [CYO01] (e.g. Theorem 7.4);
• finally, we point out that some of the involved proofs that were just sketched in [KLW20] have been expanded (e.g. Theorem 4.7) and reworked for better readability (e.g. Theorem 4.13 and Lemma 5.5).
The paper is structured as follows. We first describe the type-theoretical framework for undecidability proofs and the representation of first-order logic in Section 2. We then outline our variant of Trakhtenbrot's theorem for a custom signature in Section 3. This is followed in Section 4 by a development of enough constructive finite model theory to reach the stronger form of Trakhtenbrot's theorem where the signature is only assumed to contain one at least binary symbol. In Section 5 we switch to decidability results for FSAT over monadic signatures, first assuming that symbols enjoy decidable equality, then maximally strengthening the decidability results to the case of (the weaker notion of) decidable Boolean discernability. In Section 6, we conclude with the precise decidability/undecidability classification of FSAT. Section 7 comprises the case study on the undecidability of separation logic and we end with a brief discussion of the Coq development and future work in Section 8.

First-Order Satisfiability in Constructive Type Theory
In order to make this paper accessible to readers unfamiliar with constructive type theory, we outline the required features of Coq's underlying type theory, the synthetic treatment of computability available in constructive mathematics, some properties of finite types, as well as our representation of first-order logic.
2.1. Basics of Constructive Type Theory. We work in the framework of a constructive type theory such as the one implemented in Coq, providing a predicative hierarchy of type universes T above a single impredicative universe P of propositions. On type level, we have the unit type 1 with a single element * : 1, the void type 0, function spaces X → Y, products X × Y, sums X + Y, dependent products ∀x : X. F x, and dependent sums {x : X | F x}. On propositional level, these types are denoted using the usual logical notation ( , ⊥, →, ∧, ∨, ∀, and ∃).
We employ the basic inductive types of Booleans (B ::= tt | ff), of Peano natural numbers (n : N ::= 0 | 1+n), the option type (O X ::= x | ∅), and lists (l : L X ::= [ ] | x :: l). We write |l| for the length of a list, l ++ m for the concatenation of l and m, x ∈ l for membership, and simply f [x_1; ...; x_n] := [f x_1; ...; f x_n] for the map function. We denote by X^n the type of vectors of length n : N and by F_n the finite types understood as indices {0, ..., n − 1}. The definitions/notations for lists are shared with vectors v : X^n. Moreover, when i : F_n and x : X, we denote by v_i the i-th component of v and by v[x/i] the vector v with i-th component updated to value x.
2.2. Synthetic (Un-)decidability. We review the main ingredients of our synthetic approach to decidability and undecidability [FHS18, FKS19, FLW19, FLWD+20, LWF19, SF20], based on the computability of all functions definable in constructive type theory or other constructive foundations of mathematics. We first introduce standard notions of computability theory without referring to a formal model of computation, e.g. Turing machines.
Definition 2.1. A problem or predicate p :
These notions generalise to predicates of higher arity. Moreover, a type X is
• discrete if equality on X (i.e. λxy : X. x = y) is decidable.
• a data type if it is both enumerable and discrete.
Using the expressiveness of dependent types, we equivalently tend to establish the decidability of a predicate p : X → P by giving a function ∀x : X. p x + ¬p x. Note that it is common to mechanise decidability results in this synthetic sense (e.g. [BP10, MS15, SST15]). Next, decidability and enumerability transport along reductions:
Definition 2.2. A problem p : X → P (many-one) reduces to q : Y → P, written p q, if there is a function f : X → Y such that p x ↔ q (f x) for all x : X.
Fact 2.3. Assume p : X → P, q : Y → P and p q: (1) if q is decidable, then so is p and (2) if X and Y are data types and q is enumerable, then so is p.
Item (1) implies that we can justify the undecidability of a target problem by reduction from a seed problem known to be undecidable, such as the halting problem for Turing machines. This is in fact the closest rendering of undecidability available in a synthetic setting, since the underlying type theory is consistent with the assumption that every problem is decidable. Nevertheless, we believe that in the intended effective interpretation for synthetic computability, a typical seed problem is indeed undecidable and so are the problems reached by verified reductions. More specifically, since the usual seed problems are not co-enumerable, (2) implies that the reached problems are not co-enumerable either.
Given its simple inductive characterisation involving only basic types of lists and Booleans, the (binary) Post correspondence problem (BPCP) is a well-suited seed problem for compact encoding into first-order logic.
Definition 2.4. Given a list R : L(L B × L B) of pairs s/t of Boolean strings, we define derivability of a pair s/t from R (denoted by R s/t) and solvability (denoted by BPCP R):
It might at first appear surprising that derivability λs t. R s/t is decidable while BPCP is reducible from the halting problem (and hence undecidable). This simply illustrates that undecidability is rooted in the unbounded existential quantifier in the equivalence BPCP R ↔ ∃s. R s/s.
In summary, the approach to undecidability used in this and other papers [FKS19, FHS18, FLW19, LWF19, SF20, Dud20, KH21] contributing to the Coq Library of Undecidability Proofs [FLWD+20] is to verify (synthetic) many-one reductions from a problem known to be undecidable, rooted by the halting problem for Turing machines. In our case, we start from BPCP as a well-suited seed for finite first-order satisfiability, backed by the reduction from Turing machine halting to BPCP verified in [FHS18]. Therefore, our mechanised undecidability results as reported in Sections 6 and 7 are statements of the form BPCP P for problems P expressing finite first-order satisfiability and satisfiability in separation logic, respectively. Given the constructive setting, these reductions expressed in Coq's type theory may then be interpreted as computable functions, transporting the undecidability (specifically, non-co-enumerability) of BPCP to said problems, along the lines of Fact 2.3. This improves on the ubiquitous pen-and-paper practice of sketching an algorithm and leaving its computability implicit: by formally defining the algorithm as a Coq term, its computability is guaranteed by its very construction.
The even more explicit alternative would be to resort to a concrete model of computation, e.g. by implementing high-level reduction functions operating on abstract data structures as Turing machines operating over textual or binary encodings of those data structures. Then the notion of undecidability could be formally bootstrapped by showing that there is no Turing machine deciding the (textually encoded) halting problem, and other problems could be shown undecidable by verifying reductions computable by a Turing machine. However, this approach would require low-level coding in such a model, which in principle can be supported by tools to a certain extent [FK19], but still introduces enormous overhead unnecessary to cope with in a setting providing its own implicit notion of computability.
2.3. Constructive Finiteness. We present four tools for manipulating finite types: the finite pigeonhole principle (PHP), here established without assuming discreteness; the well-foundedness of strict orders over finite types; quotients over strongly decidable equivalences that map onto F_n = {0, ..., n − 1}; and the weak powerset finitely enumerating every weakly decidable predicate over a finite type. But first, let us fix a definition of finiteness.
Definition 2.6. A type X is finite if there is a list l_X s.t. ∀x : X. x ∈ l_X, and a predicate p : X → P is finite if there is a list l_p s.t. ∀x. p x ↔ x ∈ l_p.
Note that in constructive settings there are various alternative characterisations of finiteness (bijection with F_n for some n; negated infinitude for some definition of infiniteness; etc.) and we opted for the above since it is easy to work with while transparently capturing the expected meaning. One can distinguish strong finiteness in T (i.e. {l_X : L X | ∀x. x ∈ l_X}) from weak finiteness in P (i.e. ∃l_X : L X. ∀x. x ∈ l_X), the list l_X being required to be computable in the strong case. Strong finiteness implies weak finiteness but the converse holds only in restricted contexts, e.g. inside proofs of propositions in P.
For the finite PHP, the typical classical proof requires the discreteness of X to design transpositions/permutations.Here we avoid discreteness completely, the existence of a duplicate being established without actually computing one.
Theorem 2.7 (Finite PHP). Let R : X → Y → P be a binary relation and l : L X and m : L Y be two lists where m is shorter than l (|m| < |l|). If R is total from l to m (∀x. x ∈ l → ∃y. y ∈ m ∧ R x y) then the values at two distinct positions in l are related to the same y in m, i.e. there exist x_1, x_2 ∈ l and y ∈ m such that l has shape
Proof. We start with the case where R is the identity relation =_X on X, hence we want to establish that l contains a duplicate. We first prove the following generalised statement: if |m| ≤ |l| and l ⊆ m (i.e. ∀x. x ∈ l → x ∈ m) then either l contains a duplicate or l and m are permutable. We establish the generalised statement by structural induction on m.
In particular, when |m| < |l| then l and m cannot be permutable (because permutations preserve length), hence l must contain a duplicate. Generalising from =_X to an arbitrary relation R : X → Y → P is then a simple exercise.
Using the PHP, given a strict order over a finite type X, any descending chain has length bounded by the size of X as measured by the length of the list enumerating X.
Fact 2.8. Every strict order on a finite type is well-founded.
Proof.For a constructive proof, one can for instance show that descending chains cannot contain a duplicate (otherwise this would give an impossible cycle in a strict order), hence by the PHP, the length of descending chains is bounded by the length of the enumerating list of the finite type.
Coq's type theory does not provide quotients in general (see e.g. [Coh13]) but one can build computable quotients under certain conditions, here for a decidable equivalence relation of which representatives of equivalence classes are listable.
Theorem 2.9 (Finite decidable quotient). Let ∼ : X → X → P be a decidable equivalence with {l_r : L X | ∀x ∃y. y ∈ l_r ∧ x ∼ y}, i.e. finitely many equivalence classes. Then one can compute the quotient X/∼ onto F_n for some n, i.e. n : N, c : X → F_n and r : F_n → X s.t. ∀p. c (r p) = p and ∀x y. x ∼ y ↔ c x = c y.
Proof. From the list l_r of representatives of equivalence classes, remove duplicate representatives using the strong decidability of ∼. This gives a list l_r' which now contains exactly one representative for each equivalence class. Convert l_r' to a vector v. The function r (representative) is defined by r := λp. v_p. The function c (for class) is simple search: c x is the first (and unique) p such that v_p ∼ x.
Using Theorem 2.9 with identity over X as equivalence, we get bijections between finite, discrete types and the type family (F_n)_{n:N}.
Corollary 2.10. If X is a finite and discrete type then one can compute n : N and a bijection from X to F_n.
We conclude this section with the question of the finiteness of powersets. There is no notion of finite powerset in type theory: even for the unit/singleton type 1, there is no list enumerating the predicates in 1 → P, even up to extensional equivalence (as there is no list extensionally enumerating P itself). However, there is a notion of weak powerset. Recall that a predicate p : X → P is weakly decidable if it satisfies ∀x. p x ∨ ¬p x, its specialised instance of the Law of Excluded Middle (LEM); the general LEM (∀P : P. P ∨ ¬P) cannot be established constructively. Assuming X is finite, one can compute a list containing all the weakly decidable predicates in X → P.
Lemma 2.11 (Weak powerset). For every finite type X, one can compute a list ll : L(X → P) which contains every weakly decidable predicate in X → P up to extensional equivalence, i.e. ll satisfies ∀p :
Proof. The list ll is built by induction on the list l_X : L X enumerating X. If l_X is [ ] then X is a void type and thus ll := (λz. ) :: [ ] fits. If l_X is x :: l then we apply the induction hypothesis to l and get ll for the finite sub-type composed of the elements of l, and we define ll' := (λp z. x = z ∧ p z) ll ++ (λp z. x = z ∨ p z) ll. We check that ll' contains every weakly decidable predicate over x :: l. Notice that |ll'| = 2|ll| in the induction step, hence one could easily show that |ll| = 2^{|l_X|}, recovering the cardinality of the (classical) powerset.
Notice that while the weak powerset contains all weakly decidable predicates, it may contain predicates which are not weakly decidable (unless X is moreover weakly discrete).
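As an added illustration that is not code from the paper or its Coq development, the following Python reproduces the inductive construction of the weak powerset from the proof of Lemma 2.11 on a constructed finite type and checks both that |ll| = 2^|l_X| and that every decidable predicate occurs in ll up to extensional equivalence. It assumes predicates are plain Python callables and reads the two halves of the construction as extending a predicate on the tail by "false at x" and by "true at x".

```python
from itertools import product

def weak_powerset(l_x):
    """Build the list ll of predicates over the finite type enumerated by
    l_x, following the induction on l_x in the proof of Lemma 2.11.
    Predicates are Python callables; on the empty list the single (vacuous)
    predicate plays the role of λz. ⊤.  For l_x = x :: l the first half
    extends every predicate on l by 'false at x', the second half by
    'true at x' (our reading of the two halves of the construction)."""
    if not l_x:
        return [lambda z: True]
    x, rest = l_x[0], l_x[1:]
    ll_rest = weak_powerset(rest)
    false_at_x = [lambda z, p=p: x != z and p(z) for p in ll_rest]
    true_at_x = [lambda z, p=p: x == z or p(z) for p in ll_rest]
    return false_at_x + true_at_x

def ext_equal(p, q, elems):
    """Extensional equivalence of two predicates on the listed elements."""
    return all(p(z) == q(z) for z in elems)

def covers_all_decidable_predicates(l_x):
    """Every decidable predicate on the type enumerated by l_x, i.e. every
    truth-value table on its distinct elements, must occur in the weak
    powerset up to extensional equivalence.  Duplicates in l_x are allowed,
    since finiteness in Definition 2.6 does not forbid them."""
    ll = weak_powerset(l_x)
    elems = list(dict.fromkeys(l_x))  # distinct elements, order preserved
    for bits in product([False, True], repeat=len(elems)):
        table = dict(zip(elems, bits))
        q = lambda z, table=table: table[z]
        if not any(ext_equal(p, q, elems) for p in ll):
            return False
    return True

def size_matches_classical_powerset(l_x):
    """|ll| = 2^|l_X|, the cardinality of the classical powerset."""
    return len(weak_powerset(l_x)) == 2 ** len(l_x)
```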
In the chosen de Bruijn representation [dB72], a bound variable is encoded as the number of quantifiers shadowing its binder, e.g. ∀x. ∃y. P x u → P y v may be represented by ∀ ∃ P 1 4 → P 0 5. The variables 2 = 4 − 2 and 3 = 5 − 2 in this example are the free variables, and variables that do not occur freely are called fresh, e.g. 0 and 1 are fresh. For the sake of legibility, we write concrete formulas with named binders and defer de Bruijn representations to the Coq development. For a formula ϕ over a signature Σ, we define the list FV(ϕ) : L N of free variables, the list F_ϕ : L F_Σ of function symbols and the list P_ϕ : L P_Σ of relation symbols that actually occur in ϕ, all by recursion on ϕ. We say that ϕ is closed if it is void of free variables, i.e. FV(ϕ) = [ ].
Turning to semantics, we employ the standard (Tarski-style) model-theoretic semantics, evaluating terms in a given domain and embedding the logical connectives into the constructive meta-logic (cf. [VW96]):
where each logical connective ˙ / ∇ is mapped to its meta-level counterpart /∇ and where we denote by a•ρ the de Bruijn extension of ρ by a, defined by (a•ρ) 0 := a and (a•ρ) (1+x) := ρ x. A Σ-model is thus a dependent triple (D, M, ρ) composed of a domain D, a model M for Σ over D and an assignment ρ : N → D. It is finite if D is finite, and decidable if P^M : D^{|P|} → P is decidable for all P : P_Σ.
Fact 2.13. Satisfaction λϕ. M ρ ϕ is decidable for finite, decidable Σ-models.
In this paper, we are mostly concerned with finite satisfiability of formulas. However, since some of the compound reductions hold for more general or more specific notions, we introduce the following variants:
Definition 2.14 (Satisfiability). For a formula ϕ over a signature Σ, we write
Notice that in a classical treatment of finite model theory, models are supposed to be given in extension, i.e. understood as tables providing computational access to the values of functions and relations. To enable this view in our constructive setting, we restrict to decidable relations in the definition of FSAT, and from now on, finite satisfiability is always meant to encompass a decidable model. One could further require the domain D to be discrete to conform more closely with the classical view; discreteness is in fact enforced by FSATEQ. However, we refrain from this requirement and instead show in Section 4.1 that FSAT and FSAT over discrete models are constructively equivalent.

Trakhtenbrot's Theorem for a Custom Signature
In this section, we show that BPCP reduces to FSATEQ(Σ_BPCP; ≡) for the special purpose signature Σ_BPCP := ({ ^0, e^0, f^1_tt, f^1_ff}; {P^2, ≺^2, ≡^2}). To this end, we fix an instance R : L(L B × L B) of BPCP (to be understood as a finite set of pairs of Boolean strings) and we construct a formula ϕ_R such that ϕ_R is finitely satisfiable if and only if R has a solution.
Informally, we axiomatise a family B_n of models over the domain of Boolean strings of length bounded by n and let ϕ_R express that R has a solution in B_n. The axioms express enough equations and inversions of the constructions included in the definition of BPCP such that a solution for R can be recovered. Expected properties of the intended interpretation can be captured formally as first-order formulas. First, we ensure that P is proper (only subject to defined values) and that ≺ is a strict order (irreflexive and transitive):
Next, the image of f_b is forced disjoint from e and injective, as long as is not reached. We also ensure that the images of f_tt and f_ff intersect only at :
Furthermore, we enforce that P simulates R •/•, encoding its inversion principle ϕ := ∀xy. P x y → .
is the conjunction of all axioms plus the existence of a solution:
where we left out some explicit constructors and the edge cases of the relations for better readability, see the Coq code for full detail. As required, B_n interprets ≡ by equality =_{D_n}.
Considering the desired properties of B_n, first note that D_n can be shown finite by induction on n. This however crucially relies on the proof irrelevance of the λx. x ≤ n predicate (i.e. that for every x : N and H, H' : x ≤ n we have H = H'; in general, it is not always possible to establish finiteness of {x | P x} if P is not proof irrelevant). The atoms s ≺_{B_n} t and s ≡_{B_n} t are decidable by straightforward computations on Boolean strings. Decidability of P_{B_n} s t (i.e. R s/t) was established in Fact 2.5. Finally, since ϕ_R is a closed formula, any variable assignment ρ can be chosen to establish that B_n satisfies ϕ_R, for instance ρ := λx. ∅. Then showing B_n ρ ϕ_R consists of verifying simple properties of the chosen functions and relations, with mostly straightforward proofs.
Proof. Suppose that M ρ ϕ_R holds for some finite Σ_BPCP-model (D, M, ρ) interpreting ≡ as equality and providing operations f^M_b, e^M, ^M, P^M and ≺^M. Again, the concrete assignment ρ is irrelevant and M ρ ϕ_R ensures that the functions/relations behave as specified and that P^M x x holds for some x : D.
Instead of trying to show that M is isomorphic to some B n , we directly reconstruct a solution for R, i.e. we find some s with R s/s from the assumption that M ρ ϕ R holds.
To this end, we first observe that the relation u/v ≺^M x/y as defined above is a strict order and thus well-founded as an instance of Fact 2.8. Now we can show that for all x/y with P^M x y there are strings s and t with x = s, y = t and R s/t, by induction on the pair x/y using the well-foundedness of ≺^M. So let us assume P^M x y. Since M satisfies ϕ there are two cases:
• there is s/t ∈ R such that x = s and y = t. The claim follows by R s/t;
• there are u, v : D with P^M u v and s/t ∈ R such that x = s ++ u, y = t ++ v, and u/v ≺^M x/y. The latter makes the inductive hypothesis applicable for P^M u v, hence yielding R s'/t' for some strings s' and t' corresponding to the encodings u and v. This is enough to conclude x = s ++ s', y = t ++ t' and R (s ++ s')/(t ++ t') as wished.
Applying this fact to the assumed match P^M x x yields a solution R s/s.

Constructive Finite Model Theory
Combined with Fact 2.5, Theorem 3.1 entails the undecidability (and non-co-enumerability) of FSATEQ over a custom (both finite and discrete) signature Σ_BPCP. By a series of signature reductions, we generalise these results to any signature containing an at least binary relation symbol. In particular, we explain how to reduce FSAT(Σ) to FSAT(0; {∈^2}) for any discrete signature Σ, hence including Σ_BPCP. We also provide a reduction from FSAT(0; {∈^2}) to FSAT({f^n}; {P^1}) for n ≥ 2, which entails the undecidability of FSAT for signatures with one unary relation and an at least binary function. But first, let us show that FSAT is unaltered when further assuming discreteness of the domain.

4.1. Converting Models to Discrete Ones. We consider the case of models over a discrete domain D, i.e. where the equality relation =_D := λx y : D. x = y is decidable. The question is the following: is FSAT altered when adding this further requirement on models?
Of course, in the case of FSATEQ(Σ; ≡) the requirement that ≡ is interpreted as a decidable binary relation which is equivalent to =_D imposes the discreteness of D. But in the case of FSAT(Σ) nothing imposes such a restriction on D. However, as we argue below, using Theorem 2.9, we can always quotient D along a suitable decidable congruence, making the quotient a discrete finite type while preserving first-order satisfaction, from which we deduce that FSAT is unaltered by the discreteness requirement; see Section 4.2.
Let us consider a fixed signature Σ = (F_Σ; P_Σ). In addition, let us fix a finite type D and a (decidable) model M of Σ over D. Critically, we do not assume the discreteness of D. We can conceive an equivalence over D which is a congruence for all the interpretations of the symbols by M, namely first-order indistinguishability x Σ y := ∀ϕ ρ. M x•ρ ϕ ↔ M y•ρ ϕ, i.e. first-order semantics in M is not impacted when switching x with y.
The facts that Σ is both an equivalence and a congruence are easy to prove but, with this definition, there is little hope of establishing decidability of Σ. The main reason for this is that the signature may contain symbols of infinitely many arities. So we further fix two lists l_F : L F_Σ and l_P : L P_Σ of function and relation symbols respectively and restrict the congruence requirement to the symbols in these lists only.
Definition 4.1 (Bounded first-order indistinguishability). We say that x and y are first-order indistinguishable up to l_F/l_P, and we write x y, if no first-order formula built from the symbols in l_F and l_P only can distinguish x from y. Formally, this gives:
To remain simple, we avoid displaying the dependency on l_F, l_P, D and M in the notation as they remain fixed in this section anyway.
We claim that first-order indistinguishability up to l_F/l_P is a strongly decidable equivalence and a congruence for all the symbols in l_F/l_P. Remember that congruence (limited to l_F/l_P) means commutation with the interpretation of symbols in M:
We establish the validity of our claim in the following discussion, ending with Theorem 4.5. Equivalence and congruence of are easy. However, Definition 4.1 of hints at no clue for its decidability. We therefore switch to an alternate definition of as a bisimulation. Using Kleene's fixpoint theorem, we would get as ⋂_{n<ω} F^n(λuv. ) for some below-defined ω-continuous operator F. Ideally, we could ensure that only finitely many (as opposed to ω) iterations of the operator F are needed for the fixpoint to be reached, hence preserving finitary properties such as decidability.
So let us define the operators F_F,
Fact 4.2. The following results hold for the operator F_F (resp. F_P).
1.
Hence the combination F(R) := F F (R) ∩ F P (R) also preserves these properties.
Proof. The proofs of items (1)-(5) are easy, even without assuming boundedness by l_F/l_P. However, to ensure the preservation of decidability (6), that bound is essential for the quantification over f in l_F (resp. P in l_P) in the above definition of F_F (resp. F_P) to stay finite. We observe that since D is finite then so is D^{|f|} and the remaining quantifications over v : D^{|f|} and i : F_{|f|} are finite quantifications again. Hence, all these quantifications behave as finitary conjunctions and thus preserve decidability. Notice that compared to F_F, the case of F_P is degenerate because it does not depend on R, hence is constant.
As a side remark, notice that one can also show that F preserves first-order definability, where a relation R : D → D → P is first-order definable if there is a formula ϕ_R built only from l_F/l_P such that ∀ρ. R (ρ x_0) (ρ x_1) ↔ M ρ ϕ_R.
Theorem 4.3. First-order indistinguishability up to l_F/l_P is extensionally equivalent to ≡_F (Kleene's greatest fixpoint of F), i.e. for any x, y : D we have x y ↔ x ≡_F y where x ≡_F y := ∀n : N. F^n(λuv. ) x y.
Proof. For the → implication, it is enough to show that is a pre-fixpoint of F, i.e. ⊆ F( ), and we get this result using suitable substitutions. The converse implication ← follows from the fact that ≡_F is a fixpoint of F, hence it is a congruence for every symbol in l_F/l_P, so x ≡_F y entails that formulas built from l_F/l_P cannot distinguish x from y.
With ≡_F, we now have a more workable characterization of but still no decidability result for it since the quantification over n in ∀n : N. F^n(λuv. ) x y ranges over the infinite domain N. We now establish that the greatest fixpoint is reached after finitely many iterations of F. Classically one would argue that F operates over the finite domain of binary relations over D and since the sequence λn. F^n(λuv. ) cannot decrease strictly forever (by the PHP), it must stay constant after at most n_0 := 2^{d×d} iterations where d := card D. Such reasoning is not constructively acceptable as is, due to the impossibility to build the finite powerset. Fortunately, by Fact 4.2 item 6, the iterated values F^n(λuv. ) are all decidable, hence belong to the weak powerset. As a consequence, we can apply the finite PHP on the weak powerset.
Theorem 4.4. One can compute n : N such that ≡ F is equivalent to F n (λuv.).
Proof. By a variant of Lemma 2.11, we compute the weak powerset of D → D → P, 16 i.e. a list ll containing every weakly decidable binary relation over D, up to extensional equivalence. Since λuv. : D → D → P is strongly decidable and F preserves (both weak and) strong decidability, the sequence λn.F n (λuv. ) is contained in the list ll, up to extensional equivalence. Hence by Theorem 2.7 (PHP), 17 after |ll| steps there must have been a duplicate, i.e. there exist a < b ≤ |ll| such that F a (λuv. ) and F b (λuv. ) are extensionally equivalent. The values of a and b are not computed by the PHP, but we can still deduce that F n (λuv. ) must be stalled after n = a, hence a fortiori after n = |ll|. It follows that F |ll| (λuv. ) is extensionally equivalent to ≡ F .

We conclude our construction with the main result: is a strongly decidable congruence that can be used to quotient M onto a discrete one.
Theorem 4.5. First-order indistinguishability up to l F /l P is a strongly decidable equivalence and a congruence for all the symbols in l F /l P .

Vol. 18:2 TRAKHTENBROT'S THEOREM IN COQ 17:13
Proof. Remember that the real difficulty was strong decidability. By Theorem 4.4, the operator F reaches its fixpoint ≡ F after finitely many steps, and by Fact 4.2 item 6, F preserves decidability, hence by an obvious induction, ≡ F is decidable. By Theorem 4.3, the equivalent indistinguishability relation is decidable.
Back to our side discussion about first-order definability: by Theorems 4.3 and 4.4, there is thus a first-order formula ξ which characterises first-order indistinguishability up to l F /l P in M, i.e. ∀ρ. ρ x 0 ρ x 1 ↔ M ρ ξ. Since its semantics does not depend on variables other than x 0 and x 1 , one can remap all other variables to e.g. x 0 , hence we can even ensure that the first-order formula characterising contains only two free variables, namely x 0 and x 1 .

4.2. Removing Model Discreteness and Interpreted Equality. We use the strongly decidable congruence to quotient models onto discrete ones (in fact F n for some n) while preserving first-order satisfaction.
Proof. FSAT(Σ) ϕ entails FSAT (Σ) ϕ is the non-trivial implication. Hence we consider a finite Σ-model (D, M, ρ) of ϕ and we build a new finite Σ-model of ϕ which is furthermore discrete. We collect the symbols occurring in ϕ as the lists l F := F ϕ (for functions) and l P := P ϕ (for relations). By Theorem 4.5, first-order indistinguishability : D → D → P up to F ϕ /P ϕ is a strongly decidable equivalence over D and a congruence for the semantics of the symbols occurring in ϕ. Using Theorem 2.9, we build the quotient D/ on a F n for some n : N. We transport the model M along this quotient and, because is a congruence for the symbols in ϕ, its semantics is preserved along the quotient. Hence, ϕ has a finite model over the domain F n which is both finite and discrete.
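As an added illustration of Sections 4.1 and 4.2 (this is example code, not part of the paper's Coq development), the following Python script computes the operator F on a small constructed model, iterates it from the total relation λuv.⊤ until the sequence stalls (Theorem 4.4), reads off the classes of ≡ F , and quotients the model by choosing a representative per class as in the proof above. The toy signature and model, the tuple encoding of terms and formulas, and the reading of F as "keep a pair only if it is in R, no relation symbol separates its components and every function symbol maps them to R-related values" are assumptions made for this example.

```python
from itertools import product

# Constructed toy Σ-model (an assumption of this example): domain D with one unary
# function f, one unary relation P and one binary relation E.  Elements 0/1 and 2/3
# behave alike under every symbol, so they should end up first-order indistinguishable.
D = [0, 1, 2, 3]
FUNCS = {"f": (1, lambda x: (x + 2) % 4)}            # name -> (arity, interpretation)
RELS = {"P": (1, lambda x: x < 2),
        "E": (2, lambda x, y: (x < 2) == (y < 2))}

def with_arg(v, i, x):
    """Argument vector v with position i replaced by x."""
    w = list(v)
    w[i] = x
    return tuple(w)

def step(R, dom, funcs, rels):
    """One application of F to a binary relation R (a set of pairs).  A pair (x, y)
    survives when it is in R, no relation symbol separates x from y in any argument
    position (F_P) and every function symbol maps x and y to R-related values in
    every argument position (F_F).  This is our reading of the paper's operator."""
    out = set()
    for x, y in R:
        keep = all(pr(*with_arg(v, i, x)) == pr(*with_arg(v, i, y))
                   for ar, pr in rels.values()
                   for v in product(dom, repeat=ar) for i in range(ar))
        keep = keep and all((fn(*with_arg(v, i, x)), fn(*with_arg(v, i, y))) in R
                            for ar, fn in funcs.values()
                            for v in product(dom, repeat=ar) for i in range(ar))
        if keep:
            out.add((x, y))
    return out

def indistinguishability(dom, funcs, rels):
    """Iterate F from the total relation until it stalls; return (fixpoint, steps)."""
    R = {(x, y) for x in dom for y in dom}
    n = 0
    while True:
        R2 = step(R, dom, funcs, rels)
        n += 1
        if R2 == R:
            return R, n
        R = R2

def classes(R, dom):
    """Equivalence classes of the (symmetric) fixpoint R."""
    return {frozenset(y for y in dom if (x, y) in R) for x in dom}

def quotient(dom, funcs, rels):
    """Quotient the model by ≡_F: the representative of a class is its least element.
    Functions are transported by re-normalising their result; relations, being a
    congruence, can be evaluated on representatives unchanged."""
    R, _ = indistinguishability(dom, funcs, rels)
    rep = {x: min(c) for c in classes(R, dom) for x in c}
    qdom = sorted(set(rep.values()))
    qfuncs = {name: (ar, (lambda g: lambda *a: rep[g(*a)])(fn))
              for name, (ar, fn) in funcs.items()}
    return qdom, qfuncs, rels

def eval_term(t, env, funcs):
    """Terms are a variable name (str) or a tuple (f, t1, ..., tk)."""
    if isinstance(t, str):
        return env[t]
    return funcs[t[0]][1](*(eval_term(a, env, funcs) for a in t[1:]))

def sat(phi, env, dom, funcs, rels):
    """Tarski satisfaction for formulas built from ('atom', P, t1, ...), ('not', φ),
    ('and', φ, ψ), ('forall', x, φ) and ('exists', x, φ)."""
    tag = phi[0]
    if tag == "atom":
        return rels[phi[1]][1](*(eval_term(t, env, funcs) for t in phi[2:]))
    if tag == "not":
        return not sat(phi[1], env, dom, funcs, rels)
    if tag == "and":
        return sat(phi[1], env, dom, funcs, rels) and sat(phi[2], env, dom, funcs, rels)
    if tag in ("forall", "exists"):
        vals = (sat(phi[2], {**env, phi[1]: d}, dom, funcs, rels) for d in dom)
        return all(vals) if tag == "forall" else any(vals)
    raise ValueError(phi)

# Constructed sample sentences: ∃x. P(x) ∧ ¬P(f(x))  and  ∀x. E(x, f(x)).
PHI = ("exists", "x", ("and", ("atom", "P", "x"), ("not", ("atom", "P", ("f", "x")))))
PSI = ("forall", "x", ("atom", "E", "x", ("f", "x")))

def satisfaction_preserved(phi):
    """True when phi has the same truth value in the model and in its quotient."""
    qdom, qfuncs, qrels = quotient(D, FUNCS, RELS)
    return sat(phi, {}, D, FUNCS, RELS) == sat(phi, {}, qdom, qfuncs, qrels)
```

On this model the sequence stalls at the second iteration with classes {0, 1} and {2, 3}, and both sample sentences keep their truth value in the two-element quotient; the stalling bound |ll| of the proof is not needed, since the loop simply detects the duplicate.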
Proof. Given a list l F (resp. l P ) of function (resp. relation) symbols such that ≡ belongs to l P , we construct a formula ψ(l F , l P , ≡) over the function symbols in l F and relation symbols in l P expressing the requirement that ≡ is an equivalence and a congruence for the symbols in l F /l P . Then we show that λϕ. ϕ ∧ ψ(F ϕ , ≡ :: P ϕ , ≡) is a correct reduction, where F ϕ and P ϕ list the symbols occurring in ϕ.

4.3. From Discrete Signatures to Singleton Signatures. Let us start by converting a discrete signature to a finite and discrete signature.

Lemma 4.9. For any formula ϕ over a discrete signature Σ, one can compute a signature Σ n,m = (F n ; F m ), arity preserving maps F n → F Σ and F m → P Σ , and an equi-satisfiable formula ψ over Σ n,m , i.e. FSAT(Σ) ϕ ↔ FSAT(Σ n,m ) ψ.
Proof. We use the discreteness of Σ and bijectively map the lists of symbols F ϕ and P ϕ onto F n and F m respectively, using Corollary 2.10. We structurally map ϕ to ψ over Σ n,m along this bijection, which preserves finite satisfiability.
Notice that n and m in the signature Σ n,m depend on ϕ, hence the above statement cannot be presented as a reduction between (fixed) signatures.
We now erase all function symbols by encoding them with relation symbols. To this end, let Σ = (F Σ ; P Σ ) be a signature; we set Σ := (0; {≡ 2 } + F +1 Σ + P Σ ) where ≡ is a new interpreted relation symbol of arity two and, in the conversion, function symbols have their arity lifted by one, hence the F +1 Σ notation.
Lemma 4.10. For any finite 18 type of function symbols F Σ , one can construct a reduction FSAT (F Σ ; P Σ ) FSATEQ(0;

Proof. The idea is to recursively replace a term t over Σ by a formula which is "equivalent" to x ≡ t (where x is a fresh variable not occurring in t) and then an atomic formula like e.g.
We complete the encoding with a formula stating that every function symbol f : F Σ is encoded into a total functional relation P f : F +1 Σ of arity augmented by 1.Notice that constructively recovering actual functions from total functional relations is made possible by the finiteness/discreteness of the domain, combined with the decidability of the semantic interpretation of the corresponding relation symbols.In particular, this would fail in the case of SAT with potentially infinite models.
Next, assuming that the function symbols have already been erased, we explain how to merge the relation symbols in a signature Σ = (0; P Σ ) into a single relation symbol, provided that there is an upper bound for the arities in P Σ .
Lemma 4.11.The reduction FSAT(0; P Σ ) FSAT 0; {Q 1+n } holds when P Σ is a finite and discrete type of relation symbols and |P | ≤ n holds for all P : P Σ .
Proof. This comprises three independent reductions, see Fact 4.12 below.
In the following, we denote by F n Σ (resp. P n Σ ) the same type of function (resp. relation) symbols but where the arity is uniformly converted to n.

Fact 4.12. Let Σ = (F Σ ; P Σ ) be a signature:

Proof. For the first reduction, every atomic formula of the form P v with | v | = |P | ≤ n is converted to P w with w := v ++ [x 0 ; . . .; x 0 ] and | w | = n for an arbitrary term variable x 0 . The rest of the structure of formulas is unchanged.
For the second reduction, we convert every atomic formula P v with | v | = n into Q(P :: v) where P now represents a constant symbol (Q is fixed).
For the last reduction, we replace every constant symbol by a corresponding fresh variable chosen above all the free variables of the transformed formula.

4.4. Compressing n-ary Relations to Binary Membership. Let Σ n = (0; {P n }) be a singleton signature where P is of arity n. We now show that P can be compressed to a binary relation modelling set membership via a construction using hereditarily finite sets [SS16] (useful only when n ≥ 3).
Technically, this reduction is one of the most involved in this work, although in most presentations of Trakhtenbrot's theorem, this is left as an "easy exercise," see e.g. [Lib10]. Maybe it is perceived so because it relies on the encoding of tuples in classical set theory, which is somewhat natural for mathematicians, but properly building the finite set model in constructive type theory was not that easy.
Here we only give an overview of the main tools. We encode an arbitrary n-ary relation R : X n → P over a finite and discrete type X in the theory of membership over the signature Σ 2 = (0; {∈ 2 }). Membership is much weaker than set theory because the only required set-theoretic axiom is extensionality: it suffices to prove the properties of the encoding of pairs, ordered pairs and n-tuples described below. Two sets are extensionally equal if their members are the same, and we define identity as: Extensionality states that two extensionally equal sets belong to the same sets: As a consequence of the extensionality axiom (4.1), no first-order formula over Σ 2 can distinguish two extensionally equal sets 19 because identity ≈ is a congruence for membership ∈. Moreover, establishing the identity x ≈ y of two sets reduces to proving that they have the same elements.
Notice that the language of membership theory (and set theory) does not contain any function symbol, hence, contrary to usual mathematical practice, there is no other way to handle a set than via a characterising formula, which makes it a very cumbersome language to work with formally. However, this is how we have to proceed in the Coq development, but here we also use meta-level terms in the prose for simplicity.
Following Kuratowski, the ordered pair of two sets x and y is encoded as (x, y) = {{x}, {x, y}}. In the first-order theory of membership as implemented in Coq, with terms limited to variables, this means we encode the sentences "p ≡ {x, y}" and "p ≡ (x, y)" by: 20 while the n-tuple/vector (x 1 , . . ., x n ) is encoded as x 1 , (x 2 , . . ., x n ) recursively. Hence we encode the sentence "t ≡ v " recursively on v by: Finally we encode "tuple v belongs to r" as v ∈ r := ∃t. t ≡ v ∧ t ∈ r.
19 Even if x and y have the same elements, this does not imply their identity in every model. However they are identical in the quotient model of Section 4.1, because then x and y are first-order indistinguishable.
20 where the ≡ notation reads as "represents."

We can now describe the reduction function which maps formulas over Σ n to formulas over Σ 2 . We reserve two first-order variables d (for the domain D) and r (for the relation R). We describe the recursive part of the reduction Σ n 2 : ignoring the de Bruijn syntax (which would imply adding d and r as extra parameters of Σ n 2 ). Notice that we have to prevent d and r from occurring freely in ϕ. In addition, for given ϕ we set: This gives us the reduction function Σ n 2 (ϕ The completeness of the reduction Σ n 2 is the easy part. Given a finite model of Σ n 2 (ϕ) over Σ 2 , we recover a model of ϕ over Σ n by selecting as the new domain the members of d, 21 and the interpretation of P v is given by testing whether the n-tuple v belongs to r.
The soundness of the reduction Σ n 2 is the formally involved part, with Theorem 4.14 below containing the key construction.
Theorem 4.14. Given a decidable n-ary relation R : X n → P over a finite, discrete and inhabited type X, one can compute a finite type Y equipped with a decidable relation ∈ : Y → Y → P, two distinguished elements d, r : Y and a pair of maps i : X → Y and s : Y → X such that:
1. for any x : X, i x ∈ d holds;
2. for any y ∈ d, there exists x such that y = i x;
3. for any v : X n , R v holds iff "tuple i( v ) belongs to r."

Proof. We give a brief outline of this proof, referring to the Coq code for details. The type Y is built from the type of hereditarily finite sets based on [SS16], and when we use the word "set" below, it means hereditarily finite set. There, sets are finitely branching ordered trees (encoded as binary trees in the standard way), considered up to permutation and contraction equivalence. By totally ordering those trees, a normal form can be computed to give an effective representative for every equivalence class, implementing the quotient on this infinite type of trees in Coq, which gives us hereditarily finite sets.
Based on (hereditarily finite) sets, the idea behind the construction of Y is first to construct d as a transitive set 22 of which the elements are in bijection i/s with the type X, hence d is the cardinal of X in the set-theoretic meaning. Then the iterated powersets P(d), P 2 (d), . . ., P k (d) are all transitive sets as well and contain d both as a member and as a subset. Considering P 2n (d), which contains all the n-tuples built from the members of d, we define r as the set of n-tuples collecting the encodings i( v ) of vectors v : X n such that R v. We show r ∈ p for p defined as p := P 2n+1 (d). Using the Boolean counterpart of (•) ∈ p for unicity of proofs, we then define Y := {z | z ∈ p}, restrict membership ∈ to Y and this gives the finite type equipped with all the required properties. Notice that the decidability requirement for ∈ holds constructively because we work with hereditarily finite sets, and would not hold with arbitrary sets. Notice that while the axiom of extensionality for membership (4.1) is absent from the reduction function Σ n 2 , it is however satisfied in the model of hereditarily finite sets we build to prove Theorem 4.14, and instrumental in the set-theoretic encoding of the n-ary relation implemented there.

4.5. Summary: From Discrete Signatures to the Binary Signature. Combining all of the previous results, we give a reduction from any discrete signature to the binary singleton signature.
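Before leaving Section 4.4, here is an added Python model of the set-theoretic encoding used in the proof of Theorem 4.14 (example code, not the paper's Coq development, which works with a normalised tree representation instead). Hereditarily finite sets are represented as nested frozensets, which gives extensionality for free; the example builds d as the von Neumann ordinal in bijection with X, encodes a constructed ternary relation R as the set r of Kuratowski-encoded tuples, and checks items (1)-(3) of the theorem. The choice of ordinals for i and the base case "a 1-tuple is its element" are assumptions of this example.

```python
from itertools import product

def ordinal(n):
    """Von Neumann ordinal n = {0, 1, ..., n-1} as a hereditarily finite set."""
    return frozenset() if n == 0 else ordinal(n - 1) | {ordinal(n - 1)}

def pair(x, y):
    """Kuratowski ordered pair (x, y) = {{x}, {x, y}}."""
    return frozenset({frozenset({x}), frozenset({x, y})})

def unpair(p):
    """Inverse of pair: x is the element common to every member of p, y is the other
    element of the union of p (or x itself when the pair is {{x}})."""
    (x,) = frozenset.intersection(*p)
    rest = frozenset.union(*p) - {x}
    return x, (next(iter(rest)) if rest else x)

def encode_tuple(v):
    """(x1, ..., xn) ↦ <x1, (x2, ..., xn)> recursively; a 1-tuple is its element
    (assumed base case, the paper does not spell it out)."""
    return v[0] if len(v) == 1 else pair(v[0], encode_tuple(v[1:]))

def decode_tuple(t, n):
    """Recover the n components of an encoded tuple."""
    if n == 1:
        return (t,)
    x, rest = unpair(t)
    return (x,) + decode_tuple(rest, n - 1)

def is_transitive(s):
    """A set is transitive when each of its members is also a subset of it."""
    return all(m <= s for m in s)

def encode_relation(X, R):
    """Build d (transitive, in bijection i/s with X) and r (the encodings i(v) of the
    vectors v with R v), following the outline of the proof of Theorem 4.14."""
    i = {x: ordinal(k) for k, x in enumerate(X)}
    s = {y: x for x, y in i.items()}
    d = frozenset(i.values())          # this is ordinal(len(X)), hence transitive
    r = frozenset(encode_tuple(tuple(i[x] for x in v)) for v in R)
    return d, r, i, s

def holds(r, i, v):
    """The sentence 'tuple i(v) belongs to r'."""
    return encode_tuple(tuple(i[x] for x in v)) in r

# Constructed sample: a ternary relation over X = {a, b, c}.
X = ["a", "b", "c"]
R = {("a", "b", "c"), ("c", "c", "a"), ("b", "a", "a")}

def check_theorem_4_14(X=X, R=R, n=3):
    """Items (1)-(3): every i x is in d, d contains nothing else, and membership of
    the encoded tuple in r agrees with R on all of X^n (no false positives, so the
    encoding is injective on the tuples considered)."""
    d, r, i, s = encode_relation(X, R)
    item1 = all(i[x] in d for x in X)
    item2 = all(y in i.values() and i[s[y]] == y for y in d)
    item3 = all(holds(r, i, v) == (v in R) for v in product(X, repeat=n))
    roundtrip = all(decode_tuple(encode_tuple(tuple(i[x] for x in v)), n)
                    == tuple(i[x] for x in v) for v in product(X, repeat=n))
    return is_transitive(d) and item1 and item2 and item3 and roundtrip
```

Decidability of ∈ is immediate here because nested frozensets are finite structures compared by extension; this is the constructive point made above, and it is exactly what would be lost with arbitrary sets.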
Proof. Let us first consider the case of Σ n,m = (F n ; F m ), a signature over the finite and discrete types F n and F m . Then we have a reduction FSAT(F n ; F m ) FSAT(0; {P 2 }) by combining Theorems 4.7, 4.8, and 4.13 and Lemmas 4.10 and 4.11.
Let us denote by f n,m the reduction FSAT(F n ; F m ) FSAT(0; {P 2 }). Let us now consider a fixed discrete signature Σ. For a formula ϕ over Σ, using Lemma 4.9, we compute a signature Σ n,m and formula

The binary signature can be further reduced to a signature with a non-monadic function.
Lemma 4.16. FSAT(0;

Proof. We encode the binary relation λx y. P [x; y] with λx y. Q f [x; y; . . .] , using the first two parameters of f to encode pairing. But since we need to change the domain of the model, we also use a fresh variable d to encode the domain as λx. Q(f [d; x; . . .]) and we restrict all quantifications to the domain similarly to the encoding Σ n 2 of Section 4.4.
We finish the reduction chains with the weakest possible signature constraints. The following reductions have straightforward proofs.

Fact 4.17. One has reductions for the three statements below (for n ≥ 2): ary function and a unary relation.

Decidability Results
Complementing the previously studied negative results, we now examine the conditions allowing for decidable satisfiability problems. Since any binary symbol renders finite satisfiability undecidable (see upcoming Theorem 6.3), we only need to consider monadic signatures where all arities are at most one. First we consider the case of discrete monadic signatures, and then give the most general characterisation of decidability of finite satisfiability, by showing (in the monadic case) that it is equivalent to the decidability of the Boolean discernability of function and relation symbols.

In the first step, we assume an upper bound m over the number q of successive applications to be found in an atomic formula, e.g. P (f 1 (. . .f q (x) . ..)). This number m is computed globally from the start formula to be converted, e.g. by choosing the maximum depth of nesting of function symbols occurring in it. For disambiguation, we denote the relation symbols of the target signature either by P r with r : P Σ (those that originate in P Σ ) or the newly introduced ones by Q w,r with (w, r) : L F n × P Σ .
To the atom P r (f 1 (. . .f q (x) . ..)) we associate the new atom Q [fq;...;f 1 ],r (x).To ensure the correctness of this encoding, we add the equivalences and all universally quantified over x.When satisfied, these equivalences uniquely characterise the interpretation of the predicates Q w,r and ensure that the replacing atom Q [fq;...;f 1 ],r (x) has the same interpretation as the original P r (f 1 (. . .f q (x) . ..)).
Notice however that there are infinitely many words w in L F n (as soon as n > 0), and as a consequence, infinitely many instances of Q f ::w,r (x) ↔ Q w,r (f (x)). As these cannot all be embedded in a single first-order formula, we use the bound m to limit the equivalences to the instances where |w| < m, of which there are indeed only finitely many.
In the second step (Skolemisation), we simply convert the equivalences where the x f are n new Skolem variables (as many as in the type F n ). To preserve FSAT, we need to existentially quantify over the Skolem variables x 0 , . . ., x n−1 , these existential quantifications ∃x 0 . . . ∃x n−1 occurring above the conjunction of all the equations Q f ::w,r (x) ↔ Q w,r (x f ). On top of this, we keep universal quantification over x.
If functions or relations have arity 0, one can always lift them to arity 1 by filling the hole with an arbitrary term, like in Fact 4.12, item (1).
Theorem 5.8. FSAT(Σ) is decidable if Σ is discrete with all arities at most 1, or if all relation symbols have arity 0.
Proof. If all arities are at most 1, then by Fact 5.6, we can assume Σ of uniform arity 1. Therefore, for a formula ϕ over Σ with uniform arity 1, we need to decide FSAT for ϕ. By Theorem 4.9, we can compute a signature Σ n,m = (F n ; F m ) and a formula ψ over Σ n,m equi-satisfiable with ϕ. Using the reduction of Lemma 5.5, we compute a formula γ, equi-satisfiable with ψ, over a discrete signature of uniform arity 1, void of functions. We decide the satisfiability of γ by Lemma 5.4.
On the other hand, if all relation symbols have arity 0, we use the reduction FSAT(Σ) FSAT(0, P 0 Σ ) of Fact 5.7 and we are back to the previous case.
5.2. Discernability and Finite Satisfiability. We say that two members x and y of a type X (of e.g. symbols) are Boolean discernable if there is a Boolean valued map δ : X → B giving them two different values, i.e. δ x ≠ δ y. In the sequel, we simply say discernable or undiscernable for conciseness. We however remind the reader not to confuse (Boolean) undiscernability with Leibniz's understanding of undiscernability 24 which agrees with "equality" in the case of Coq. Formally this gives the definition:

Definition 5.9 (Discernability). Given a type X and two terms x, y : X, we say that x and y are discernable and write x ≢ d y if ∃δ : X → B. δ x ≠ δ y. On the other hand, we say that x and y are undiscernable and we write x ≡ d y if ∀δ : X → B. δ x = δ y.
Equivalently, x and y are discernable if they can be mapped to two different values of a discrete type. Hence δ discerns x from y, and the decision algorithm for identity between δ x and δ y eventually produces a proof of discernability. Because B is discrete, undiscernability is the negation of discernability, i.e. ∀xy : X. x ≡ d y ↔ ¬(x ≢ d y).
Undiscernability is an equivalence relation generally weaker than equality but the two notions match on discrete types.As we explain below, it is the proper notion to capture when two symbols of a first-order signature cannot be interpreted differently by any finite first-order model.The reason is that those models are inherently discrete: by Theorem 4.7, the interpretation of function symbols can be restricted to discrete models; and relation symbols are always interpreted by decidable relations.
Fact 5.10. Let Σ = (F Σ ; P Σ ) be a signature such that FSAT(Σ) is decidable. Then for any two relation symbols P and Q in P Σ , it is decidable whether P and Q are discernable.

Fact 5.11. Let Σ = (F Σ ; P Σ ) be a signature with P : P Σ , a relation symbol of arity 1. If FSAT(Σ) is decidable, then for any two function symbols f and g in F Σ , it is decidable whether f and g are discernable.
Proof. The formula P f (

We restrict the discussion that follows to monadic signatures only because otherwise FSAT is undecidable (see upcoming Theorem 6.3). Hence function and relation symbols have arity either 0 or 1. If a monadic signature contains a unary relation symbol, then decidability of FSAT entails decidability of discernability of both function symbols and relation symbols. On the other hand, if a monadic signature contains no unary relation (degenerate case), then all relations are constant (zero-ary) and in this case we can only obtain an algorithm for discerning relation symbols.
Lemma 5.12. Let Σ 1 = (F 1 Σ ; P 1 Σ ) be a signature with uniform arity 1 such that both F Σ and P Σ have decidable discernability. For any formula ϕ over Σ 1 one can compute a discrete signature Σ 1 d of uniform arity 1 and a formula ψ over Σ 1 d such that ϕ and ψ are equi-satisfiable, i.e. FSAT(Σ 1 ) ϕ ↔ FSAT(Σ

Proof. Let S be a type of symbols that has decidable discernability (either F Σ or P Σ ). Consequently, undiscernability is also decidable. Since undiscernable symbols cannot be distinguished by first-order models, we would like to quotient along undiscernability but it is not always possible to do so constructively. 25 However, using a variant of Theorem 2.9, given a list l S : LS of symbols, we compute a discrete type 26 D and a map δ : S → D such that In a way, δ is able to discern symbols simultaneously, but only those in l S . We can now use δ to project the symbols of S on a discrete type while preserving FSAT for formulas that contain symbols in l S only. Given a start formula ϕ in the signature Σ 1 (of uniform arity 1) with decidable discernability of symbols, we compute the function and relation symbols occurring in ϕ and use those two lists to compute two discrete types F d , P d and two maps δ F : F Σ → F d , δ P : P Σ → P d identifying the undiscernable symbols occurring in ϕ. Using δ F and δ P , we map the formula ϕ on a formula ψ in the discrete signature Σ 1 d = (P 1 d ; F 1 d ) (of uniform arity 1 also) while preserving FSAT, i.e. FSAT(Σ 1 ) ϕ ↔ FSAT(Σ 1 d ) ψ. Notice that the target signature depends on (the symbols occurring in) ϕ.

Final Signature Classification
We conclude with the exact classification of FSAT regarding enumerability, decidability, and undecidability depending on the properties of the signature.

2. Given a closed formula ϕ over the binary signature (0; {P 2 }), we define ϕ : MSL by ϕ := ( ∃ ( 0 → ∅, ∅)) ∧ ϕ and show that ϕ has a finite and discrete model iff ϕ is MSL-satisfiable.
First, if M ρ ϕ over a finite and discrete domain D, we can apply Lemma 7.2 to obtain h sρ ϕ since over discrete types any list can be turned duplicate-free.Moreover, D at least contains the element d := ρ 0 and hence by construction of h we have (n d , (∅, ∅)) ∈ h, establishing the guard ∃ ( 0 → ∅, ∅).So in total h sρ ϕ .
Proof. By composing the three parts of Theorem 7.4 with Theorems 6.3 and 4.7.
As in the case of FSAT and backed by the explanation in Section 2.2, we may interpret this reduction as an undecidability result:

Observation 7.6. SLSAT is undecidable and, more specifically, not co-enumerable.
In comparison to [CYO01], our reduction is formulated for satisfiability problems instead of the dual validity problems. However, this change is inessential since the models are transformed pointwise, as visible in Lemma 7.2 and Lemma 7.3, and so the only consequence is a flipped quantifier in the proof of (2) of Theorem 7.4. More importantly, the formal setting forced us to be more explicit about the handling of addresses, in particular the encoding of a given finite first-order interpretation. For instance, the way chosen in Lemma 7.2 to start with an abstract domain D and encode both elements and pairs over D as numbers is not the only option, but it allowed us to maintain the explicit representation of the address space as N. Moreover, our syntax fragments differ slightly since we don't need equality in MSL as it is not a primitive in Form but on the other hand keep all logical connectives and not just the classically sufficient base →, ∀, ⊥ as this is (in the general case) constructively insufficient.
We end this section with the remark that the reduction given in [CYO01] and adapted here of course crucially relies on the binary pointers (t → t 1 , t 2 ) as a language primitive.As discussed in [BDL12], with a less explicit memory structure, the considered fragment of separation logic is decidable and only turns undecidable on addition of separating implication.

Discussion
8.1. Code overview, implementation, and design choices. The main part of our Coq development directly concerned with the classification of finite satisfiability consists of a bit more than 10k loc, in addition to 3k loc of (partly reused) utility libraries. Most of the code comprises the signature transformations, with more than 4k loc for reducing discrete signatures to membership. Comparatively, the initial reduction from BPCP to FSATEQ(Σ BPCP ) takes less than 500 loc. The application to the undecidability of separation logic also amounts to roughly 500 loc.
Our mechanisation of first-order logic in principle follows previous developments [FKS19, FKW20, FKW21] but also differs in a few aspects that were picked up by follow-up work [KH21]. Notably, we had to separate function from relation signatures to be able to express distinct signatures that agree on one sort of symbols computationally. This mostly avoids wandering in "setoid hell," i.e. the painful manipulation of cumbersome type castings on formulae, whose type depends on signatures. Moreover, we found it favourable to abstract over the logical connectives in the form of ˙ and ∇ to shorten purely structural definitions and proofs. Most of the signature reductions proceed in such a structural way, so this is a real relief for propositional connectives. For existential quantifiers ∃ and universal quantifiers ∀, it is however less frequent that they can be managed in a unified way.
The quantifiers ∃ and ∀ are also binders, and to deal with these binders, we used standard unscoped de Bruijn syntax.Notice that it is much easier to implement de Bruijn for first-order logic than it is for higher-order logics or even just lambda calculus, the reason being that (first-order) terms used for substitutions do not contain binders.It could have been possible to use the Autosubst 2 [SSK19] support for de Bruijn syntax, but we refrained from this choice because of its current (technical but not fundamental) dependency on the axiom of functional extensionality.We remind the reader that in the context of synthetic undecidability, axioms cannot be freely added without risking breaking the requisite of computability of the terms constructed in the underlying type theory.
So far, we discussed technical implementation choices that have little or no impact on the meaning or provability of the reduction results that we implement in this paper. Other choices are clearly possible, but some could lead to considerably more complicated proofs, e.g. setoid hell if dependent types are managed too naively.
At the other end are choices that could/would impact the provability of our reduction results, and paramount among them the notions involved in the definition of what a finite model of first-order logic is. In classical settings, there is usually no discussion on how to interpret function symbols: as set-theoretic functions in the model, i.e. total and functional binary relations. However in a constructive setting, already the notion of finiteness has several non-equivalent implementations. We choose to define finiteness based on the inductive type of lists, used to enumerate members of finite types. Hence finiteness of D just requires that the terms of type D can be collected into a list, i.e. there is l : LD such that ∀x : D. x ∈ l.
We could have required the domain D of the model to also be discrete (i.e. equipped with a computable way to discriminate elements which are not identical), but we devoted Section 4.1 to establish that this requirement is not necessary and does not impact the reduction results (see Theorem 4.7). While finiteness implies discreteness in a purely predicative setting like the one of Agda where ∈ : D → LD → T, it does not imply discreteness when the membership predicate ∈ : D → LD → P is typed in the impredicative sort P. 27 This illustrates that finiteness alone does not imply computability in the impredicative constructive setting of Coq. Even on the finite type F n = {0, . . ., n − 1}, relations F n → P are not necessarily decidable. We choose to assume that the intended meaning of a finite

Definition 2.12. A model M over a domain D : T is described by a pair of functions ∀f. D |f | → D and ∀P. D |P | → P denoted by f M and P M . Given a variable assignment ρ : N → D, we recursively extend it to a term evaluation ρ : Term → D with ρ x := ρ x and ρ (f v) := f M (ρ v), and to the satisfaction relation M ρ ϕ by

the signature contains a distinguished binary relation symbol ≡ interpreted as equality, i.e. x ≡ M y ↔ x = y for all x, y : D.
Formally, the symbols in Σ BPCP are used as follows: the functions f b and the constant e represent b :: (•) and [ ] for the encoding of strings s as terms s (before a term τ , possibly e):
[ ] +++ τ := τ
b :: s +++ τ := f b (s +++ τ )
s := s +++ e
The constant represents an undefined value for strings too long to be encoded in the finite model B n . The relation P represents derivability from R (denoted R •/• here) while ≺ and ≡ represent strict suffixes and equality, respectively.

Proof. The formula P (• • •) ∧ ¬Q(• • •) is finitely satisfiable if and only if P ≢ d Q. The dots (• • •) are arbitrary terms filling the mandatory arguments of P and Q.
(a) : Σ is monadic and has decidable discernability for both function and relation symbols; (b) : relation symbols in Σ have all arity 0 together with decidable discernability.
3. We embed MSL into SL by the map sending the sole deviating assertion (t → t 1 , t 2 ) to (t → t 1 , t 2 ) * ˙ where ˙ := ⊥ → ⊥.To verify this reduction, it suffices to establish that h s (t → t 1 , t 2 ) iff h s (t → t 1 , t 2 ) * ˙ , which follows by straightforward list manipulation.