Scholarly article on topic 'Termination and normalisation under strategy Proofs in ELAN'

Termination and normalisation under strategy Proofs in ELAN Academic research paper on "Computer and information sciences"

CC BY-NC-ND
0
0
Share paper
Keywords
{}

Abstract of research paper on Computer and information sciences, author of scientific article — Hélène Kirchner, Isabelle Gnaedig

Abstract In this paper, we review several methods for proving termination of rewrite programs or answer questions about normal forms. We concentrate on the methods that have been designed in ELAN and which are useful for studying termination and normal forms of ELAN programs. We address several problems: general termination of a rewrite program, innermost termination on sets of ground terms, computation or approximation of the set of normal forms, modular termination of the union of rewrite systems, estimation of the number of normal forms for a non-deterministic rewrite program with strategies. For each point we briefly present one method, explain its scope and give references to other methods concerning the same problem, before describing the implementation in ELAN. We conclude with some open questions.

Academic research paper on topic "Termination and normalisation under strategy Proofs in ELAN"

Electronic Notes in Theoretical Computer Science 36 (2000)

URL: http://www.elsevier.nl/locate/entcs/volume36.html 28 pages

Termination and normalisation under strategy

Proofs in ELAN

Hélène Kirchner and Isabelle Gnaedig

LORIA-CNRS and INRIA-Lorraine BP 239

54506 Vandœuvre-lès-Nancy Cedex, France Email: Helene.Kirchner@loria.fr,gnaedig@loria.fr

Abstract

In this paper, we review several methods for proving termination of rewrite programs or answer questions about normal forms. We concentrate on the methods that have been designed in ELAN and which are useful for studying termination and normal forms of ELAN programs. We address several problems: general termination of a rewrite program, innermost termination on sets of ground terms, computation or approximation of the set of normal forms, modular termination of the union of rewrite systems, estimation of the number of normal forms for a non-deterministic rewrite program with strategies. For each point we briefly present one method, explain its scope and give references to other methods concerning the same problem, before describing the implementation in ELAN. We conclude with some open questions.

1 Introduction

The general context of the study of termination and normalisation problems presented here is given by the rule-based programming language ELAN [BKK+96,BKK+98], which provides an environment for specifying and prototyping deduction systems in a language based on rewrite rules controlled by strategies. ELAN is a framework for designing proof tools, supports the design of theorem provers, logic programming languages, constraint solvers and decision procedures, and offers a modular framework for studying their combination. So it is not surprising that most of the methods presented in this paper for proving termination of rewrite programs or answer questions about normal forms have been developed in ELAN itself. The reflection power of rewriting logic [CM96] gives the potentiality of applying them to ELAN programs. However the methods and techniques presented here go beyond ELAN and are applicable to rule-based languages such as ASF+SDF [Kli93], Cafe-OBJ [FN97] or Maude [CELM96]. The ELAN system is presented in Section 2 that also introduces the preliminary notions and notations on rewrite systems and termination.

©2000 Published by Elsevier Science B. V.

In rule-based programming languages, a program is a set of rules, a query is an input expression, and computations are reduction of expressions to their normal forms. The result may be unique or not, and some computations may not terminate. In some cases, for instance for functional evaluation, termination is quite important since at least one result is expected. Termination is also important for checking that a computation has a unique result, via the local confluence property. Section 3 recalls how to prove termination with syntactic well-founded orderings. The implementation of a simplification ordering is described. With such orderings, it is sufficient to prove that every left-hand side of rules is greater than the right-hand side, to ensure the termination of the rewrite program.

Most functional languages have an implicit evaluation strategy, often built in its compiler or interpreter. This is the case for instance in ASF+SDF [Kli93] or in ELAN for unlabelled rules, where an innermost strategy is applied for reduction. Then, of course, there exist programs that terminate with this innermost evaluation strategy, but would not terminate in general. Innermost termination of systems which are not terminating in general is addressed in Section 4.

Moreover, proving termination on all terms is not always needed. In practice, a rewrite systems is often designed to rewrite terms from a subset E, for example logical formulas in disjunctive normal form, flattened lists, or well-typed terms. Again, some rewrite systems may terminate only on such subsets E. The automaton-based techniques presented is Section 5 are well-suited to this restriction. They allow to study descendants of terms in E, i.e. all intermediate results of the program at every step of its execution, and the set of R-normal forms of E, i.e. all possible results obtained by executing the program R on the set of possible given inputs E, when the program stops. Under the left-linearity hypothesis of the rules, each of these two sets is contained in a regular tree language described by an approximation automaton. Once built, this automaton may be used for ckecking properties of rewrite programs. For example, one can prove that some values representing a deadlock or an error are actually unreachable.

Putting together terminating rewrite programs does not ensure termination of their union. However, a hierarchical structure of rewrite programs can help and an interesting question is to study modular normalisation strategies consisting for instance in normalising first with one set of rules, and then by another one, and to prove termination of this process. This so-called sequential reduction strategy is useful for proving termination of programs combining different methods of termination proof. Modular termination of union of rewrite system is studied in Section 6.

In ELAN, a program is composed of a set of unlabelled rules which are applied with an innermost reduction strategy, and a set of labelled rules whose application is defined thanks to strategies, that are built from the rule labels and from strategy constructors available in the language (don't care, don't know, first, repeat, then). The termination of programs under these user-defined strategies is an open problem. However it is possible to perform a static analysis of the programs to detect whether it has no result, just one, or many. This technique is also useful to detect some cases of non-termination. The normal form analysis of programs with strategies is

explained in Section 7. Finally, open questions are stated in Section 8.

Most results presented in this paper have been obtained in collaboration with other members of the Protheo group, namely Olivier Fissore, Thomas Genet and Pierre-Etienne Moreau.

2 Preliminary notions and notations

Comprehensive surveys can be found in [DJ90,BN98,Kir99,KK99] for rewrite systems. Definitions and notations used in this paper are recalled in Section 2.1, and a brief survey on termination is presented in Section 2.2. Then the ELAN system is introduced in Section 2.3 and gives the general context for motivating this study.

2.1 Terms, substitutions, rewrite systems

Let F be a finite set of symbols associated with an arity function denoted by ar : F — N, X be a countable set of variables, T(F, X) the set of terms, and T(F) the set of ground terms (terms without variables). A context is a term of T(F U {□}, X) with only one occurrence of □, where □ is a special constant not occurring in F. For any term t E T(F, X), C[t] denotes the term obtained after replacement of □ by t in the context C[]. Positions in a term are represented as sequences of integers. The set of positions in a term t, denoted by Pos(t), is ordered by the lexicographic ordering on integers. The empty sequence e denotes the top-most position. Root(t) denotes the symbol at position e in t. If p E Pos(t), then t\p denotes the subterm of t at position p and t[s]p denotes the term obtained by replacement of the subterm t\p at position p by the term s. For any term s E T(F, X), we denote by PosF(s) the set of functional positions in s, i.e. {p E Pos(s) \ p = e and Root(s\p) E F}.

The set of variables of a term t is denoted by Var(t). A set of variables {x1;..., xn} is also denoted by x. A term is linear if any variable of Var(t) has exactly one occurrence in t. A substitution is a mapping a from X into T(F, X), which can uniquely be extended to an endomorphism of T(F, X). Its domain Dom(a) is {x E X \ xa = x}.

A rewrite system R is a set of rewrite rules l — r, where l,r E T(F, X), l EX, and Var(l) D Var(r). A rewrite rule l — r is left-linear (resp. right-linear) if the left-hand side (resp. right-hand side) of the rule is linear. A rule is linear if it is both left and right-linear. A TRS R is linear (resp. left-linear, right-linear) if every rewrite rule l — r of R is linear (resp. left-linear, right-linear).

The set of function symbols F occurring in a TRS R can be partitioned into the set of defined symbols D = {Root(l) \ l — r E R} and the set of constructors C = F\D. A constructor term is a ground term with no defined symbol. The set of constructor terms is denoted by T(C).

The relation induced by R is defined as follows: for any s,t E T(F, X), s t if there exist a rule l — r in R, a position p E Pos(s) and a substitution a such that la = s\p and t = s[ra]p. The subterm s\p is called a redex. The transitive (resp. reflexive transitive) closure of is denoted by —+ (resp. —^). A term s

is reducible by R if there exists t such that s —>R t.

A term s is in R-normal form (or is R-irreducible) if s is not reducible by R. A term s has a normal form if there exists a term t in R-normal form such that s — n t. The term t is also denoted by s j. The set of all ground terms in R-normal form is denoted by IRR(R), and s —R t with t E IRR(R) is denoted by s —n t. The set of R-descendants of a set of ground terms E is denoted by R*(E) and R*(E) = {t E T(F) | 3s E E s.t. s —R t}. The set of ground R-normal forms of E is denoted by R!(e) and R!(E) = {t eT(F) | 3s E E s.t. s —R t}. Moreover, R!(E) = R*(E) n IRR(R).

In general we consider conditional rewrite rules of the form l — r if c where c is a boolean term called the condition, written as a conjunction of the form s — t. The rule applies if the condition, instantiated by the match from l to the term to be reduced, is satisfiable. The termination property of a conditional rewrite system can be reduced to the termination of an unconditional one, using the following transformation.

Every rule l — r if c with n conditions in c is transformed into n+1 unconditional rewrite rules using the following transformation U described in [OCM00]:

U(l — r if c) = {l — r} if c is empty

{l — u(s,x)} u U(u(t,x) — r if c') if c = s — t A C

where u is a fresh function symbol and

x = Var(l) n (var(t) u Var(c') u var(r))

2.2 Termination

A rewrite system R is (1) terminating or strongly normalising if there exists no infinite derivation s1 —R s2 —R ... where s1;s2)... E T(F, X), (2) weakly normalising (WN for short) if every s of T(F, X) has a normal form, (3) weakly normalising on E C T(F, X) (WN on E) if every s E E has a normal form, (4) (strongly) innermost terminating if there exists no infinite innermost derivation (i.e. a derivation in which redexes that are selected do not properly contain other redexes).

Existing methods for proving termination of rewrite systems (TRS in short) are essentially based on well-founded orderings containing the rewriting relation induced by the TRS. Among these methods, handling termination on free term algebras, we find syntactic and semantic methods, which provide a noetherian ordering ^ via an analysis of the term structure in the TRS and ensure that, for all terms s and t, s —* t implies s ^ t. Examples are the Path of Subterm Ordering [Pla78], the Lexicographic Path Ordering (LPO) [KL80], the Recursive Path Ordering (RPO) [Der82], polynomial interpretations [Lan79] [BCL87] and the General Path Ordering (GPO) [DH95,GG97], that generalizes previous ones.

Another approach consists in transforming the termination problem of a TRS R into the termination problem of another TRS R, provable with techniques of the previous category, and such that, for all terms s and t, s —*R t implies s —R t.

Examples are transformation techniques [BL90] or semantic labelling [Zan95].

Another powerful method for proving termination of rewrite systems is described in [AG00]. Looking at rewrite systems as programs, the idea is that infinite reductions originate from the fact that defined symbols are introduced by the right-hand sides of rules. By tracing the introduction of these defined symbols, information can be obtained about termination of R. This is the idea behind the dependency pairs criterion. If f (t1,...,tn) — t[g(s^..., sm)] is a rule in R, where f and g are defined symbols, and t is some context term, then the pair (f (t1;... ,tn),g(s1,... ,sm)) is a dependency pair of R. The technique proposed in [AG97a,Art97] is the following: a dependency graph is built, whose vertices are labelled with the dependency pairs. There is an edge from (s,t) to (u,v) if there exists a substitution a such that ta R ua. Since this last property is in general undecidable, the dependency graph has to be approximated by a super-graph with the same cycles. Dependency pairs are then used to generate a set of inequalities. If these equalities can be satisfied by a suitable well-founded ordering, R is terminating. More precisely, if there exists a quasi-ordering >, well-founded, closed under context and substitution, such that l > r for each rule l — r in R, s > t for each dependency pair (s,t) on a cycle of the dependency graph, and s > t for at least one dependency pair (s,t) on every cycle of the dependency graph, then R is terminating. This method can prove innermost termination of R too.

2.3 ELAN

ELAN is an environment for specifying and prototyping deduction systems in a language based on rewrite rules controlled by strategies. It offers a natural and simple logical framework for the combination of computation and deduction paradigms. ELAN has a clear operational semantics based on rewriting logic [BKKR01] and on the rewriting calculus [CK99]. Its implementation involves compiled matching and reduction techniques integrating associative and commutative functions. Non deterministic computations return several results whose enumeration is handled thanks to a few constructors of choice strategies. A strategy language is available to control rewriting. Evaluation of strategies and strategy application is again based on rewriting.

The language is close to the algebraic specification formalism but provides additional specificities that are worth being emphasized.

• First, the language allows rules to be non-terminating and non-confluent, but then their application has to be controlled. So, there are rules for computations, which are required to be confluent and terminating, in order to give a unique result, and rules for deductions, for which neither confluence nor termination is required.

• Rules and strategies are first-class objects in the language. A strategy language is provided to express control and derivation tree exploration. A few strategy constructors are offered and efficiently implemented, to allow the user to design his own strategies.

• Application of rule or a strategy on a term may give 0, 1, or several results.

This non-determinism related to the production of sets of results is operationaly handled by backtracking.

As a consequence of these features, the language allows different programming styles. Functional programs are naturally expressed with confluent and terminating rules, while the backtracking mechanism, used to handle the search process, gives a flavour of logic programming and allows to program non-deterministic computations. The main originality is the capability of strategy programming to express the control of programs in a declarative way. The language provides the following strategy constructors.

• A labelled rule is a primal strategy. The result of applying a rule labelled lab on a term t returns a multiset of terms. This primal strategy fails if the multiset of resulting terms is empty.

• Two strategies can be concatenated by the symbol ";", which means that the second strategy is applied on all results of the first one. S1; S2 denotes the sequential composition of the two strategies. It fails if either S1 fails or S2 fails. Its results are all results of S1 on which S2 is applied and gives some results.

• dc(S1;..., Sn) chooses in the list one strategy Si that does not fail, and returns all its results. This strategy may return more than one result, or fails if all sub-strategies Si fail.

• first(S1,...,Sn) chooses in the list the first strategy Si that does not fail, and returns all its results. Again, this strategy may return more than one result, or fails when all sub-strategies Si fail.

• dc-one^,..., Sn) chooses in the list one strategy Si that does not fail, and returns its first result. This strategy returns at most one result or fails if all sub-strategies fail.

• firs^one(S1,..., Sn) chooses in the list the first strategy Si that does not fail, and returns its first result. This strategy returns at most one result or fails if all sub-strategies fail.

• dk(S1,..., Sn) chooses all strategies given in the list of arguments and for each of them returns all its results. This multiset of results may be empty, in which case the strategy fails.

• The strategy id is the identity that does nothing but never fails.

• fail is the strategy that always fails and never gives any result.

• repeat(S) applies repeatedly the strategy S until it fails and returns the results of the last unfailing application. This strategy may return more than one result but can never fail because zero applications of S is possible: in this case the initial term is returned.

• The strategy iterate(S) is similar to repeat(S) but returns all intermediate results of repeated applications.

Some strategy constructors introduced here are quite close to other tactics languages used on proof systems designed in the LCF style [Plo77,GMW79], such as

for instance Isabelle [Pau94]. They have been chosen to express main control constructions: concatenation, iteration and search. All these constructors are part of the ELAN language, and have been useful to design in ELAN theorem proving and constraint solving tools.

From now on, let us consider that not only rules but also strategies can be applied on terms. (S)t denotes the application of the strategy S on the term t that produces a multiset of results. The general form of ELAN rules is actually as follows:

[i] l — r where pi := (S'i)ci ... where pn := (Sn)cn

• l,r,pi,... ,pn,ci, ...,cn E T(F, X),

• Var(pi) n (var(l) u Var(p1) u- • -u Var(pi-1)) = 0,

• Var(r) C Var(l) u Var(p1) u- • -u Var(pn) and

• Var(ci) C Var(l) u Var(p1) u- • -u Var(pi-1).

In such expressions, where true := c is usually written if c. The pattern pi is often reduced to a variable x. Si may be the identity strategy, which is written ()ci or simply ci. An expression where p := (S)c may also be considered as if (S)c — p where p is an irreducible term.

An additional construction choose try allows factorizing common parts of rules with the same left-hand side. For instance the two rules

[i] l — r where y1 := ()m1

if c'2(ly) [i] l — r where y1 := ()u1 if di(l,y{)

are factorized into one rule:

[i] l ^ r where y1 := ()u1 choose

try if c2(l,y1) try if c2'(l,y1) end

In this factorized form, the term u1 is normalized only once and the assignement to y1 is performed also only once. Examples of ELAN rules are given in the next section.

The study of ELAN programs motivate a wide range of termination and normalisation problems. For unlabelled rewrite rules, innermost termination is relevant. Since the language is modular, modularity of termination is also a problem. It may be interesting to find modular evaluation strategies whose termination is relatively easy to check in a modular way with different termination methods. For labelled rules controlled by strategies, the question of termination is widely open. A first step in this direction is to help the programmer to detect some non-terminating

programs. Another question to address is the analysis of determinism of rewrite programs with strategies. In the following sections, we consider these questions and propose some answers. Since ELAN is also a framework for designing proof tools, most of these methods have been developed in ELAN itself. Thanks to the reflection power of rewriting logic, we expect to apply them in a near future to ELAN programs.

3 Proving termination with syntactic well-founded order-ings

Syntactic orderings, recalled in Section 2.2, are the easiest but also most fundamental tools to prove termination of rewrite systems.

Let us consider a simple syntactic method to prove termination of a rewrite system, based on a simplification ordering, that is an irreflexive transitive relation > on terms, closed under context and substitution, that contains the subterm ordering. A rewrite system R is simply terminating if there exists a simplification ordering > such that for any rule l — r in R, l > r. When the set F of operator symbols is finite, a rewrite system R is terminating if R is simply terminating [Der82]. Simplification orderings can be built from a well-founded ordering on the function symbols F called a precedence. An example is the following lexicographic path ordering.

Definition 3.1 Let >F be a precedence on F. The lexicographic path ordering >lpo is defined on terms by s = f (s1,.., sn) >lpo t = g(t1,... ,tm) if one at least of the following condition holds:

(i) f = g and (s1, . ..,sn) >lepx0 (t1, . ..,tm) and Vj ^J-^.. ,m}, s >lpo tj

(ii) f >F g and Vj e{1,..., m}, s >ipo tj

(iii) 3i E {1,..., n} such that either si >lpo t or si = t.

The lexicographic path ordering is a simplification ordering [KL80]. This ordering can be used to show the termination of the rewrite system defining Ackermann's function. Assuming the precedence ack >F succ, it amounts to show that for each rule, the left-hand side is greater than the right-hand side, i.e.:

ack(0, y) >ipo succ(y) ack(succ(x), 0) >lpo ack(x, succ(0)) ack(succ(x), succ(y)) >lpo ack(x, ack(succ(x),y)).

In order to illustrate in the same time the ELAN syntax, let us show a few rules from the program implementing the ordering.

//-------------lpo--------------------------------------------------------------------

lpo(@,@) : (term term) bool; @ >lex @ : (list[term] list[term]) bool; lpo(@,@) : (list[term] term) bool; lpo(@,@) : (term list[term]) bool; lpo1(@,@) : (term term) bool; lpo2(@,@) : (term term) bool;

lpo3(@,@) : (term term) bool; //--------------------------------------------------------------------------------------

// Case : f(s1,...,sn) >lpo f(t1,...,tn)

// if s >lpo t1,...,tn et s1,...,sn >lex t1,...,tn //

[] lpo(s,t) => true

if not(isvar(s)) and not(isvar(t))

choose

if head(s) ==sig head(t) where b:= () lpo3(s,t) if b

if head(s) >sig head(t) where b:= () lpo2(s,t) if b

[] lpo3(s,t) => b choose try

if list_subterm(s) >lex list_subterm(t) where b := () lpo(s,list_subterm(t))

where b := () false

// Case : f(s1,...,sn) >lpo g(t1,...,tn) if f >sig g and s >lpo t1,...,tn //

[] lpo2(s,t) => lpo(s,list_subterm(t)) end

// Case : si >lpo t //

[] lpo(s,t) => lpo1(s,t) end

[] lpo1(s,t) => lpo(list_subterm(s),t) end

This program is used in ELAN applications, such as completion processes or the most complex program for proving termination presented in the next section. Other syntactic orderings (RPO,GPO) have been similarly implemented in ELAN.

4 Proving innermost termination

Until now, the problem of proving innermost termination, for possibly non terminating systems, has only been addressed with the dependency pairs method [AG97b] mentioned above. In [GKF00], another approach is proposed and uses an explicit induction based on a well-founded ordering on ground terms, which is closed under context and contains the subterm ordering. The ordering relation is incrementally constrained during the proof by adding restrictions corresponding to ground terms that have to be compared. The proof method works as follows: assuming that yt' < t, t' is innermost terminating, we prove that t is innermost terminating. This technique is used either to prove termination on ground terms or to determine which ground instances of generic patterns f (x1, ...,xm), where f is a defined symbol, are innermost terminating.

The method is based on the development of a finite number of trees, each of them analysing a pattern tref = g(x1,... ,xn) where g is a defined function symbol

of the signature and x 1, ...xn are distinct variables. The trees are built by applying three different mechanisms.

• The first one abstracts the current term f(ul,...um) at the top-most position, while possibly setting some constraints. First, constraints tref > uil,...,uip are put in a set of constraints C, where the uij are those among the ui that are not already ground terms in normal form. Assuming by induction hypothesis, the existence of irreducible forms for uil,...,uip, these subterms are abstracted by so-called NF-variables Xil, ...Xip, that are fresh variables in a set N, and can only be instantiated by ground terms in normal forms. This is expressed by stating constraints Xil = uil l...Xip = uip I in a set A. We call that step the abstraction step. If the abstraction step cannot be applied because the constraints t > uil, ...,uip cannot be proved to be satisfiable, the process stops with failure.

• The second step narrows the resulting term f (Ul, ...Um) at position e in all possible ways in one step, with all possible rewrite rules of the rewrite system R, and all possible substitutions, into terms v, provided that the narrowing substitution is compatible with all constraints. This is the narrowing step. If the current term u is not narrowable, any of its ground instantiations is in normal form. Then u terminates, and the process stops with success in that branch.

• Before the previous steps, we can test for the current term u and the current set of ordering constraints C, whether A and C imply tref > u. In this case, by induction hypothesis, u terminates, and the process stops with success in that branch. This is the stop step.

These different steps are performed by rules that transform 3-tuples (T, A, C) where

• T is a set of terms of T(F, X U N), containing the current term whose innermost termination has to be proved. This is either a singleton or the empty set.

• A is a conjunction of abstraction constraints of the form u 1= X,u E T(F, X) ,X E N. A ground substitution 9 satisfies u [= X if XO = (uO)

• C is a conjunction of ordering constraints. A ground substitution 9 and an ordering y on T(F) satisfy t > t' if tO y t'O. Note that t > t' is a kind of higher-order constraint here since the relation > is unknown.

Applying the stop and the abstraction steps requires to prove some property. More precisely, given t,u E T(F, X U N), we say that (A, C) implies t > u, denoted (A,C) ^ t > u, if for any yl and any set of ground substitutions 6 satisfying (A,C), there exists y2 such that y2 and the same set of ground substitutions 6 satisfy (A, C A t > u). In general such a property is undecidable, but in practice, the proof developper can often find a proof by scrutining the constraints. The termination proof procedure is described by a set of rules, given in Table 1.

These rules must be applied with a specific strategy, implemented in ELAN as follows :

Table 1

Inference rules for tref-termination

Stop: A ^

ß, A, C A tref > u if (A, C) ^ tref > u

{f(u\,...,um)}, A, C

Abstract:

{f (U1,...,Um)}, A A Uii |= Xh A ...a Uip |= Xip, C a (tref >Uii ,...,Uip )

where f (u1,..., um) is abstracted by f (U1,..., Um) at the positions i1,...,, ip if (A, C) ^ tref > Ui1, ..., Uip

StopA: {f (uurum)},cA, C

if (A,C) ^ tref > u1, ...,um cannot be proved

Narrow: {f (u1, ...,um)}, A C Narrow: w, aA, c

if f (u1, ...,um) v and (aA, C) satisfiable StopN: {u}, A, C

StopN: 0, A, C

if u is not narrowable or u is narrowable with a and (aA, C) unsatisfiable

repeat*( first(Abstract,StopA) ;

first(dk(Narrow), StopN) ;

first one(dc(test_narrow), StopN) ;

first(Stop, id) )

where test_narrow just checks whether narrowing on top is possible, but does not apply it.

There are three cases for the behavior of this process. The strategy, applied to the initial state ({tref}, T, T), where T is the empty conjunction of constraints, may not terminate if there is an infinite number of applications of Abstract and Narrow. If all rules fail, and the process stops with a state of the form (T = 0,A,C), it is impossible to conclude anything. The good case is when the strategy terminates because the rules do not apply anymore and all states are of the form (0, A, C). We write SUCCESS(g, y) if application of the inference rules on ({g(x1, ...xm)}, T, T), whose conditions are satisfied by y, gives a state of the form (0, A, C) on any branch of the derivation tree.

Theorem 4.1 [GKF00] Let R be a TRS on a set F of symbols. Let y be an ordering on T(F), closed under context and containing the subterm ordering, .such that for any defined symbol g E DefR, SUCCESS(g, y). If the constants of F terminate innermost, then any term of T(F) terminates innermost.

A refinement of this method consists in determining a priori a partial ordering

on symbols of the signature: f depends of g (noted f >d g) if g occurs in the right-hand side of a rule defining f (i.e. f is the top symbol of the left-hand side). Then smaller symbols are handled first and partial conclusions may be used in checking conditions of Abstract or Stop.

The method has been implemented in ELAN. The program interacts with the user when it is not possible to automatically prove the conditions of Abstract or Stop. Let us illustrate on a small example the input given to ELAN, which is a specification file with the rewrite rules, whose termination has to be proved. Note that the rewrite system is not terminating but is innermost terminating.

specification example Vars

f:3 g:1 Rules

f(g(x),x,y) -> f(y,y,g(y))

g(g(x)) -> g(x)

end of specification

The output is represented both as a derivation tree with the names of the applied rules, and a trace of the derivation.

f(g(x),x,y) -> f(y,y,g(y)) g(g(x)) -> g(x)

--- Hanling symbol [g] ---

* DERIVATION TREE *

+- Abstract +- Narrow +- StopN

* DERIVATION * [Init]

t_ref = g(x_1) A = true C = true

1 -- > [Abstract] t = g(var(1)) A = x_1|=var(1) C = g(x_1)>x_1

1.1 —> [Narrow] t = g(var(2)) A = x_1|=g(var(2)) C = g(x_1)>x_1

1.1.1 --> [StopN] t = vide

A = x_1|=g(var(2)) C = g(x_1)>x_1

--- End of handling symbol [g] ---

--- Handling symbol [f] ---

* DERIVATION TREE * +- Abstract

+- Narrow

+- Abstract

- StopN

* DERIVATION * [Init]

t_ref = f(x_1,x_2,x_3) A = true C = true

1 -- > [Abstract] t = f(var(1),var(2),var(3))

A = x_3|=var(3) /\ x_2|=var(2) /\ x_1|=var(1) C = f(x_1,x_2,x_3)>x_1,x_2,x_3

1.1 —> [Narrow] t = f(var(5),var(5),g(var(5)))

A = x_3|=var(5) /\ x_2|=var(4) /\ x_1|=g(var(4)) C = f(x_1,x_2,x_3)>x_1,x_2,x_3

1.1.1 --> [Abstract] t = f(var(5),var(5),var(6))

A = g(var(5))|=var(6) /\ x_3|=var(5) /\ x_2|=var(4) /\ x_1|=g(var(4)) C = f(x_1,x_2,x_3)>x_1,x_2,x_3

1.1.1.1 --> [StopN] t = vide

A = g(var(5))|=var(6) /\ x_3|=var(5) /\ x_2|=var(4) /\ x_1|=g(var(4)) C = f(x_1,x_2,x_3)>x_1,x_2,x_3 --- End of handling symbol [f] --In this work, ELAN has been used to prototype the inference rules for the innermost termination proof method, to run examples and to experiment with different strategies. Thanks to the library of functions on terms already available in the system, the development of such rules has been done easily. This is also an example where user interaction is really important and can be implemented easily with the input-outpout functionalities of ELAN.

5 Computation or approximation of the set of normal forms

The previous section studies normalisation of ground terms under a specific strategy (the innermost one), but another kind of restriction is also interesting to consider: actually proving termination or weak normalisation on T(F, X) or on T(F) is not always needed. In practice, a TRS is often designed to rewrite terms from a subset E C T(F). Moreover, some TRSs are weakly normalising on a strict subset E of T(F), but not on T(F). For such cases, automaton-based techniques are quite convenient.

Several authors have proposed to use tree automata techniques for proving various properties on TRSs. For a given TRS R and a set of terms E, these proofs are based on the computation of the set of R-descendants of E and of the set of R-normal forms of E. Unfortunately, except on very few and specific cases, these computations do not terminate and are not regular sets. The idea proposed in [Gen98] is to use an approximation automaton that recognises a superset of the set of R-descendants of E and an automaton that recognises the set of R-normal forms of terms. Thanks to this method, it is shown in [Gen98] how to prove sufficient completeness of a

program on a set of possible initial inputs, or how to achieve reachability tests on a program.

Before giving a more precise description of how to build approximations of R-descendants and R-normal forms of E, some definitions and notations are needed.

5.1 Automata, Regular Tree Languages

Comprehensive surveys can be found in [GS84,CDG+97] for tree automata and tree language theory, and in [GT95] for connections between regular tree languages and rewrite systems.

Let Q be a finite set of symbols, with arity 0, called states. T(F U Q) is called the set of configurations. A transition is a rewrite rule c ^ q, where c E T(F U Q) and q eQ. A normalised transition is a transition c ^ q where c = f (q1,. ..,qn), f eF, ar(f) = n, and q1,...,qn E Q. For every transition, there exists an equivalent set of normalised transitions. Normalisation consists in decomposing a transition s ^ q, into a set Norm(s ^ q) of flat transitions f (u1,..., un) ^ q' where u1,..., un, and q' are states, by abstracting subterms s' E Q of s by states of Q.

A bottom-up finite tree automaton (tree automaton for short) is a quadruple A = (F, Q, Qf, A), where Qf C Q is the set of final states, and A is a set of normalised transitions. The rewriting relation induced by A is denoted by

The tree language recognised by A is L(A) = {t E T(F) \3q EQf s.t. t ^A q}. For a given q E Q, the tree language recognised by A and q is L(A, q) = {t E T(F) \ t ^A q}. A tree language (or a set of terms) E is regular if there exists a bottom-up tree automaton A such that L(A) = E. The class of regular tree language is closed under boolean operations U, fi, \, and inclusion is decidable.

A Q-substitution is a substitution a such that Wx E Dom(a), xa E Q. Let £(Q, X) be the set of Q-substitutions.

5.2 Approximating R*(E) and R'(E)

The set of all ground terms in R-normal form IRR(R) is a regular tree language if R is left-linear [GB85], and a procedure for building a regular tree grammar (resp. a tree automaton) producing (resp. recognising) IRR(R) can be found in [CR87]. However, the set of R-descendants of a set of ground terms E, denoted by R*(E), is not necessarily a regular tree language, even if E is. The language R*(E) is regular if E is regular and if R is either a ground TRS [DT90], a right-linear and monadic TRS [Sal88], a linear and semi-monadic TRS [CDGV91] or an "inversely-growing" TRS [Jac96] 1. On the other hand, for a given regular language E, R*(E) is not necessarily regular, even if R is a confluent and terminating linear TRS [GT95]. If R is not "inversely-growing", then R*(E) is not necessarily regular [Jac96].

In order to study the set of ground R-normal forms of E, denoted by R!(E) and

1 "Inversely-growing" means that every right-hand side is either a variable, or a term f (t1,...,tn) where f E F, ar(f) = n, and Wi = l,...,n, ti is a variable, a ground term, or a term whose variables do not occur in the left-hand side.

defined as R*(E) if IRR(R), for a reasonably expressive class of rewrite programs, the idea is to build an approximation of R* (E), i.e. a regular superset of R*(E) for left-linear TRSs and regular sets E. Then, since regular langages are closed by intersection, the intersection between the regular superset of R*(E) and IRR(R) gives a regular superset of R!(E).

Let A be the tree automaton that recognizes the set of terms E. For building the approximation automaton TR (A) that recognizes a regular superset of R! (E), the algorithm proposed in [Gen98] starts from the tree automaton A and incrementally adds to A new transitions by computing critical peaks between rules of R and rules of A. This amounts to compute substitutions a such that ra r— la q. If ra q, then the transition ra ^ q is added to A and normalised if needed. The choice of new states used to normalise ra ^ q is guided by an approximation function y that, given the rule l ^ r, the state q and the substitution a, computes a sequence of new states, one for each subterm under the root of r. The next two definitions are borrowed from [Gen98].

Definition 5.1 (Approximation function) Let Q be a set of states, Qnew be a set of new states such that Q f Qnew — 0, and Q*new the set of sequences ql • • • qk of states in Qnew. An approximation function is a mapping y : R x (QU Qnew) x E(QU Qnew, X) ^ Q*new, such that y(l ^ r,q,a) — ql • • • qk, where k — Card(PosF(r)).

In the following, for any sequence S — ql • • • qk E Q*new, and for all i such that 1 < i < k, ni(S) denotes the i-th element of the sequence S, i.e. qi.

Definition 5.2 (Approximation Automaton) Let A — (F, Q, Qf, A) be a tree automaton, R a left-linear TRS, Qnew a set of new states such that Q f Qnew — 0, and y an approximation function. An approximation automaton TR (A) is a tree automaton (F, Q', Qf, A') such that

(1) Q' = QU Qnew, and

(2) A C A', and

(3)il r E R, Wq E Q', Wa E E(Q', X), la q implies

Norm(ra ^ q) C A'.

The normalisation introduces new states according to the approximation function Y. The precise definition can be found in [Gen98].

By choosing specific approximation functions y, we obtain different approximations. However, every approximation used with the previous construction provides a regular superset of R*(L(A)):

Theorem 5.3 [Gen98] Given a tree automaton A and a left-linear TRS R, every approximation automaton satisfies: for any approximation function y,

L(TR (A)) D R*(L(A))

In order to have a finite automaton approximating the set R* (L(A)), the intuition is to fold recursive calls into a unique new state. This is one of the basic idea of the ancestor approximation: informally, every state q E Q' — QU Qnew has a unique

ancestor qa E Q. The ancestor of any state q E Q is q itself, and the ancestor of every new state q' E Qnew occuring in the sequence 7(l ^ r, q, a) (used to normalise a new transition ra ^ q), is the ancestor of q. It is easy to see that in the ancestor approximation, the 7 function does not depend on the a parameter and moreover for any new state q' E Qnew, 7(l ^ r, q', a) = 7(l ^ r, q, a), where q eQ is the ancestor of q'. This property is crucial to make the construction of TR (A) terminating.

Theorem 5.4 [Gen98] Approximation automata built using ancestor approximation are finite automata.

A library of algorithms on tree automata is available in ELAN. Usual algorithms on tree automata are implemented: union, intersection, cleaning, inclusion test, as well as algorithms for building the tree automata TR (A), and AIRR(R), which is the automaton recognising the set IRR(R) for a given automaton A and a given left-linear TRS R. Let us illustrate on a small example the functionalities available in this library.

A specification file contains the description of the signature (variables and operators) the set of rules defining the program, and an automaton describing the regular set of input terms for the program.

specification ex_nf_automaton Vars x y z

a:0 b:0 cons:2 append:2 null:0 R1

append(null, x) -> x

append(cons(x, y), z) -> cons(x, append(y, z)) nil

Automata

// Terms of the form append(l1, 12) where 11 et 12 are // any flat lists of a and b.

Description of A(0)

states q|0.q|1.q|2ni1

final states q|0.ni1

transitions append(q|1, q|1) -> q|0.

cons(q|2, q|1) -> q|1.

null -> q|1.

a -> q|2.

b -> q|2.

End of Description nil

end of specification

To compute the approximation automaton of R1 on A(0), i.e. a superset of the Rl-descendants of L(A(0)), the user gives the query T_up(R1)on(!A(0)).

enter query term finished by the key word 'end': T_up(R1) on(!A(0)) end

[] start with term : T_up(R1)on(!A(0))

[] result term:

Description of A(0)

states q|4.q|0.q|1.q|2.nil

final states q|0.nil

transitions cons(q|1,q|4)->q|4.append(q|1,q|1)->q|4.cons(q|1,q|4)->q|0.

append(q|1,q|1)->q|0.cons(q|2,q|1)->q|1.cons(q|2,q|1)->q|4. cons(q|2,q|1)->q|0.null->q|1.null->q|4.null->q|0.a->q|2.b->q|2.nil End of Description

To build the automaton recognising the set of Rl-irreducible terms, the user gives the query build_nf(R1).

enter query term finished by the key word 'end': build_nf(R1) end

[] start with term : build_nf(R1)

[] result term:

Description of A(1)

states q|0.q|1.nil final states q|1.nil

transitions a->q|1.b->q|1.cons(q|1,q|1)->q|1.append(q|0,q|1)->q|1. null->q|1.a->q|0.b->q|0.append(q|0,q|1)->q|0.nil End of Description

To compute the approximation of Rl-normal forms of L(A(0)), i.e. a regular superset of R1!(L(A(0)), the user gives the query

simplify(T_up(R1) on(!A(0)) inter build_nf(R1)).

enter query term finished by the key word 'end': simplify(T_up(R1) on(!A(0)) inter build_nf(R1)) end

[] start with term :

simplify((T_up(R1)on(!A(0))inter build_nf(R1)))

[] result term:

Description of A(1)

states q|0.q|1.q|2.q|3.nil final states q|3.nil

transitions b->q|0.a->q|0.null->q|3.null->q|2.null->q|1.cons(q|0,q|1)->q|3. cons(q|0,q|1)->q|2.cons(q|0,q|1)->q|1.cons(q|1,q|2)->q|3. cons(q|1,q|2)->q|2.nil End of Description

This construction of approximation automata and the ELAN library of algorithms on tree automata have been used for verification of properties on telecommunication protocols [GK00].

6 Modular termination of union of rewrite systems

For proving termination of a program with a large number of rewrite rules, it is obviously important to partition it into smaller systems whose termination is easier to prove. Unfortunately there is no hope to apply this divide and conquer approach in general for the termination property. Consider for instance Rl — {a ^ b} and R2 — {b ^ a} where a, b are constants. Each of these systems is terminating, but Rl U R2 is not. In this example however, function symbols are shared and a natural idea is to eliminate this case. The research on modularity for disjoint rewrite systems was initiated by [Toy87,Rus87]. The disjointness assumption was relaxed in the case of constructor systems that are allowed to share constructors,

while preserving the termination property [MT91,Gra94]. A survey of properties of rewrite systems preserved under (disjoint) unions can be found in [Mid90] and for CTRS in [Gra96]. In [Gra97], some syntactic criteria on the rewrite systems are studied in connection with modular aspects of rule based programs.

Following [KK90], we concentrate here on hierarchical TRSs defined as follows. Let R1 and R2 be TRSs with respective sets of symbols F1 and F2, respective sets of defined symbols D1 and D2, and respective sets of constructors C1 and C2. TRSs R1 and R2 are hierarchical if F2 fD1 — 0 and R1 C T(F1 \D2, X) x T(F1, X). Termination of hierarchical TRSs has been addressed in [Der94,KR95].

The strategy studied here is called the Sequential Reduction Strategy (SRS for short) and consists in separating a TRS R into several TRSs R1,...,Rn such that R — R1 U ... U Rn and in normalising terms successively w.r.t. R1,..., Rn. This rewriting relation under SRS, denoted by —Rl;...;Rn, and called modular reduction

relation in [KK90], is defined as follows:

Let R — R1 U ... U Rn be TRSs. For s,t E T(F, X), s —Rl;...;Rn t if s is reducible

by R and 3s1,..., sn-1 E T(F, X) such that s s1 and s1 —r2 s2 and ... and ! t

This kind of strategy is of great interest when normalising terms w.r.t. a TRS splitted into several hierarchical TRSs R1 ,...,Rn. In this situation, interleaving rewriting steps from R1,...,Rn is often not needed. If rewrite systems R1,...,Rn are WN and share only constructors, then —Ri;...;nn is terminating [Gen97], as a

corollary of results of [KO91,Ohl94].

Now let us give an intuition on how to prove termination of —ni;...;Rn for WN

TRSs R1,... ,Rn sharing function symbols. Let R — R1 U R2, for example. For proving termination of —RV;R2 on a set of initial terms E C T(F), we need to prove

that for any term s E E, there is no possible infinite derivation s si —R

s1 —R s'2 —R2 s2 —R ... In that case, a criterion for proving termination of —ni;n2 on E is the following: construct the sets G1 — R2(R1(E)), G2 — R'(Ri(G1)),

.. .until getting a fixpoint Gm such that Gm — R'(Ri(Gm)). Then if R1 is WN on E, G1, G2,..., and R2 is WN on R-(E),R!1(G1),... and if Gm C IRR(R1 UR2), then R is WN on E and R is terminating on E under the Sequential Reduction Strategy.

Proposition 6.1 If R1,...,Rn are WN resp. on subsets E1,...,En of T (F), the rewriting relation under the Sequential Reduction Strategy —ni;...;Rn is terminating

on E if the iterated sequence of sets Gk+1 — Rn(... R\(Gk)...), starting from G0 — E, has a fixpoint which is a subset of IRR(R1 U ... U Rn), and for all k > 0, Gk C Ei, R (Gk) C E',..., and Rn--i(... R (Gk)...) C En.

In order to illustrate a termination proof in ELAN using this proof technique, let us consider two simple rewrite systems R1 and R2 defined in the following specification file.

specification extermination Vars none

f:1 g:1 a:0 b:0 R1

f (a) -> b nil

a -> b

g(b) -> g(f(a)) nil

Automata

Description of A(0) states q|0.q|1.q|2 nil final states q|0.nil transitions f(q|0) -> q|0. a -> q|0. g(ql1) -> q|0. g(ql1) -> ql1 -a -> q| 1. nil

End of Description nil

end of specification

To prove the termination of the sequential reduction relation on T(F), the user gives the query start.

enter query term finished by the key word 'end': start end

[] start with term : start

[] result term: [true,

Description of A(1)

states q|0.q|1.q|2.q|3.q|4.q|5.q|6.nil final states q|6.nil

transitions f(q|3)->q|4.f(q|3)->q|6.g(q|4)->q|4.g(q|4)->q|6.b->q|6.f(q|3)->q|3. g(q|4)->q|3.b->q|3.g(q|2)->q|3.f(q|1)->q|2.b->q|1.g(q|5)->q|4. g(q|5)->q|6.f(q|0)->q|5.b->q|0.nil End of Description]

To prove the termination of sequential reduction relation on L(A(0)), the user gives the query start(!A(0)).

enter query term finished by the key word 'end': start(!A(0)) end

[] start with term : start(!A(0))

[] result term: [true,

Description of A(2)

states q|0.q|1.q|2.q|3.q|4.q|5.q|6.q|7.q|8.nil final states q|8.nil

transitions b->q|5.b->q|8.f(q|5)->q|5.f(q|5)->q|8.g(q|6)->q|5.g(q|6)->q|8.

g(q|6)->q|6.g(q|4)->q|6.f(q|3)->q|4.b->q|3.g(q|7)->q|8.f(q|2)->q|7. b->q|2.g(q|1)->q|5.f(q|0)->q|1.b->q|0.nil End of Description]

The sequential reduction strategy is interesting for proving termination of programs combining different methods of termination proof. The following specification

defines a function fact-list (i,j), that constructs a list of naturals (i!, (i + 1)!,. ..,(j — 1)!, j!). The rewrite program R1 constructs the list and the rewrite program R2 achieves the computation of the factorial function.

specification fact_list Vars x y z

o:0 p:1 s:1 fact:1 plus:2 mult:2 cons:2 int:2 intlist:1 null:0 fact_list:2 appfact:1

fact_list(x, y) -> appfact(int(x, y)) appfact(null) -> null

appfact(cons(x,y)) -> cons(fact(x),appfact(y)) intlist( null) -> null

intlist(cons(x, y)) -> cons(s(x), intlist(y)) int(o,o) -> cons(o,null) int(o,s(y)) -> cons(o, int(s(o), s(y))) int(s(x),o) -> null

int(s(x), s(y)) -> intlist(int(x, y)) nil

p(s(x)) -> x

mult(o, x) -> x

mult(s(x), y) -> plus(mult(x, y), y)

plus(x, o) -> x

plus(x, s(y)) -> s(plus(x, y))

fact(s(x)) -> mult(s(x), fact(p(s(x))))

fact(o) -> s(o)

Automata

Description of Aut(0) states q|0.q|1.nil final states q|0.nil transitions

fact_list(q|1,q|1) -> q|0 o -> q|1 s(q|1) -> q|1 nil

End of Description nil

Note that neither termination of R1 nor termination of R2 can be proved by a simplification ordering. However, termination of R1 can be proved by the dependency pair method [AG97b], and on the other hand, termination of R2 can be proved by GPO [DH95]. Instead of reconsidering the termination of the whole TRS R1 U R2, we can automatically verify that the (hierarchical) combination of those two systems is terminating under the sequential reduction strategy, for every initial term from the regular set L(Aut(0)) = L(Aut(0),q0) = {factJist(n,p) | n,p E L(Aut(0),q1)} where L(Aut(0), q1) = {0, s(0),...} = Nat. The query start(Aut(0)) iterates the process described above and implemented with the T_up and build_nf operations, until getting a fixpoint. The result of the proof, performed in ELAN, is the following:

[] result term:

[true,Description of nil states q|0.q|1.q|2.q|3.q|4.nil final

states q|4.nil transitions cons(q|2,q|3)->q|3.null->q|4.null->q|3.cons(q|2,q|3)->q|4.

s(q|0)->q|1.o->q|0.s(q|1)->q|1.s(q|1)->q|2.s(q|0)->q|2.nil End of Description]

where the first field is true — the combination is terminating under the sequential reduction strategy — and the second field contains the automaton recognising the superset of the normal forms: lists (possibly empty) of strictly positive natural numbers, which is what was expected by definition of function fact-list, and which also proves sufficient completeness of R1 U R2 under sequential reduction strategy on L(Aut(0)).

7 Normal form analysis of programs with strategies

Let us now consider programs in ELAN, given by a set of labelled rules whose application is defined thanks to strategies, expressed with the rule labels and with strategy constructors available in the language. In this section, we show how it is possible to perform a static analysis of the program to detect whether it has no

result, just one or many, when it terminates. This is done in particular by the ELAN compiler, whose performance has been improved by this analysis [KM98,KM00]. This technique is also useful to detect some cases of non-termination.

In order to facilitate the determinism analysis, we introduce five primitive operators that allow us to classify the cases according to two different levels of control. For controlling the number of results: given a rewrite rule or a strategy,

- the one operator builds a strategy that returns at most one result;

- the all operator builds a strategy that returns all possible results of the strategy or the rule.

For controlling the choice mechanism: given a list of strategies (possibly reduced to a singleton),

- the select_one operator chooses and returns a non-failing strategy among the list of strategies;

- the select_first operator chooses and returns the first (from left to right) non-failing strategy among the list of strategies;

- the select_all operator returns all unfailing strategies.

In the current version of ELAN, these five primitives are hidden to the user but are internally used to perform the determinism analysis. However, all strategy constructors dk, dc, first, dc_one and first_one can be expressed using these primitives, using the following axioms, where Si stands for a rule or a strategy:

For each strategy, a determinism information is inferred according to the maximum number of results it can produce (one or more than one) and whether or not it can fail. We adopt the same terminology for determinism as in Mercury [HCS96,HSC96]:

• if the strategy has exactly one result, its determinism is det(deterministic).

• if the strategy can fail and has at most one result, its determinism is semi(semi-deterministic).

• if the strategy cannot fail and has more than one result, its determinism is multi(multi-result).

• if the strategy can fail and may have more than one result, its determinism is nondet(non-

deterministic).

• if the strategy always fail, i.e. has no result, its determinism is fail(failure).

The algorithm for inferring the determinism of strategies uses two operators And and Or that intuitively correspond to the composition and the union of two strategies (the union of two strategies is defined by the union of their results). For instance, a conjunction of two strategies is semi-deterministic if any one can fail and none of them can return more than one result (And(det,semi) = And(semi, det) = And(semi, semi) = semi).

The algorithm for inferring the determinism is presented here in three steps: for a

dk(Si,...,S„) dc(Si,..., Sn) first(Si,...,Sn)

select _all(all(S1),...,all(Sn)) select_one(all(£;L),..., all(Sn)) select_first(all(S1),...,all(Sn))

dc_one(Si, ...,Sn) first_one(Si,..., Sn)

select_one(one(Si),..., one(Sn)) select_first(one(Si),..., one(Sn))

strategy, it uses the decomposed form of the strategy into the primitives introduced above. For a rule, it analyses the determinism of the matching conditions. Finally it deals with the recursion problem due to the fact that strategies are built from rules and that rules call strategies in their matching conditions.

Strategy detism inference. The detism of a strategy is inferred from its expression using one, all, select_one and select_all.

• detism(one(S)) = semi if S is a rewrite rule, since application of a rewrite rule may fail; otherwise,

{det if detism(S) is det or multi

semi if detism(S) is semi or nondet

• detism(all(S)) = And(semi, detism(S)) if S is a rewrite rule, since application of a rewrite rule may fail; otherwise, detism(all(S)) = detism(S).

{det if detism(S) is det or semi

multi if detism(S) is multi or nondet The repeat operator cannot fail because zero application of the strategy is allowed. Note that if S cannot fail, the repeat construction cannot terminate.

• detism(iterate(S)) = multi. The iterate operator cannot fail either. In general, it returns more than one result because all intermediate steps are considered as results. If S cannot fail, the iterate construction cannot terminate, but this is quite useful to represent infinite data structures, like infinite lists.

• detism(S1; S2) = And(detism(S1), detism(S2)).

• detism(selec^one(S1?..., Sn)) = And(detism(S1),..., detism(Sn))

• detism(select_all(S;[,..., Sn)) = Or(detism(S1),..., detism(Sn))

Rule detism inference. Inferring the determinism of a rewrite rule R consists of

analysing the determinism of its matching conditions.

• Let us first consider a matching condition where p :— c where c does not involve any strategy. The normalisation of c (with unlabelled rules) cannot fail. If p does not match the normalised term, the current rule cannot be applied, but this does not modify the detism of the rule. Such a condition is usually said to be deterministic (det is a neutral element for the And operator).

The only different situation is when a variable of c occurs in the left-hand side of the rule or in a pattern of a previous matching condition with AC function symbols: if this variable is involved in an AC matching problem, it may have several possible instances, thus, an application of the rule may return more than one result. The matching condition is said to be multi.

• Let us now consider a matching condition where p :— (S)t involving a strategy call. Then the matching condition has in general the determinism of the strategy S, except as before when a variable of t occurs in the left-hand side of the rule or in a pattern of a previous matching condition with AC function symbols: the detism of the matching condition is multi or nondet, and is computed as And(multi, detism(S)).

The determinism of the rewrite rule R is the conjunction (And operation) of

the inferred determinisms of all its matching conditions.

Recursion problem. In general, strategy definitions may be (mutually) recursive. So the detism of a strategy may depend on itself. A similar problem arises in logic programming for finding the determinism of a predicate [ST85]. To avoid non-termination of the determinism analysis algorithm, when the detism of a strategy depends on itself, a default determinism is given. On the strategy constructors, this default is semi for one, nondet for all, multi for repeat and iterate, nondet for ;. In order to refine this brute force approximation, fixpoint analysis should be explored.

Finally the determinism analysis is also useful to detect some non-terminating strategies, such as a strategy repeat(S), where S never fails. Detecting this non-termination problem at compile time allows the system to give a warning to the programmer and can help him to improve his strategy design.

It is relatively easy to write a non-terminating strategy in ELAN. For example the strategy repeat(first(S,id)) where S is any strategy will never terminate since first(S,id) never fails: if S fails, id applies! The determinism analysis presented above is able to detect this non-termination case.

In order to improve this capability, it should be possible to consider other pathological cases. For instance, when the program contains a rule like [r] x => x+x whose left-hand side matches any expression of type integer, repeat(r) does not terminate.

Termination can be recognized too in some cases : assume that the program contains a definition of a function f by case analysis (an ML-like program) and that f is completely defined with respect to the constructors with rules labelled rl to rm. After a finite number of reductions by (r1,...,rm), the reduced term does not contain f anymore. Then the strategy first(r1,...,rm) fails and repeat(first(r1,...,rm)) terminates.

8 Conclusion

To conclude, let us mention some open problems that need further research. First modular termination criteria are yet very limited if the programs are not restricted to left-linear rules.

Termination under strategies, even with leftmost innermost strategies, has been very little studied. Lazy, outermost and needed strategies are also worth exploring, especially when we are interested in the size of rewriting derivations. In an on-going project where we use ELAN to compute rewrite proofs for the proof assistant Coq and where ELAN returns not only the normal form but also the proof term (i.e. the trace) of the derivation, it is crucial to generate shorter derivations [AN00].

Using strategy constructors, like in ELAN or Stratego [VB98], leads to consider other techniques for proving properties of strategies, possibly using temporal logic.

A last difficulty not yet mentioned is termination modulo an equational theory (like associative-commutative theories) or modulo a set of unlabelled rules.

References

[AG97a] T. Arts and J. Giesl. Automatically proving termination where simplification orderings fail. In M. Bidoit and M. Dauchet, editors, TAPSOFT'97: Theory and Practice of Software Development, Proceedings of 7th International Joint Conference CAAP/FASE, volume 1214 of Lecture Notes in Computer Science, pages 261-272. Springer-Verlag, 1997.

[AG97b] T. Arts and J. Giesl. Proving innermost termination automatically. In Proceedings 8th Conference on Rewriting Techniques and Applications, Sitges (Spain), volume 1232 of Lecture Notes in Computer Science, pages 157-171. Springer-Verlag, 1997.

[AG00] T. Arts and J. Giesl. Termination of term rewriting using dependency pairs. Theoretical Computer Science, 236:133-178, 2000.

[AN00] C. Alvarado and Quang-Huy Nguyen. Elan for equational reasoning in Coq. In J. Despeyroux, editor, Proceedings of the Workshop on Logical Frameworks and Meta-languages, Santa Barbara (California), June 2000.

[Art97] T. Arts. Automatically proving termination and innermost normalisation of term rewriting systems. PhD thesis, Utrecht University, The Netherlands, 1997.

[BCL87] A. Ben Cherifa and P. Lescanne. Termination of rewriting systems by polynomial interpretations and its implementation. Science of Computer Programming, 9(2):137-160, October 1987.

[BKK+96] P. Borovansky, C. Kirchner, H. Kirchner, P-E. Moreau, and M. Vittek. ELAN: A logical framework based on computational systems. In Jose Meseguer, editor, Proceedings of the first international workshop on rewriting logic, volume 4 of Electronic Notes in TCS, Asilomar (California), September 1996.

[BKK+98] P. Borovansky, C. Kirchner, H. Kirchner, P-E. Moreau, and C. Ringeissen. An overview of ELAN. In C. and H. Kirchner, editors, Proceedings of the second International Workshop on Rewriting Logic and Applications, Pont-a-Mousson (France), September 1998. Electronic Notes in Theoretical Computer Science, volume 15.

http://www.elsevier.nl/locate/entcs/volume15.html.

[BKKR01] P. Borovansky, C. Kirchner, H. Kirchner, and C. Ringeissen. Rewriting with strategies in ELAN: a functional semantics. International Journal of Foundations of Computer Science, 2001.

[BL90] F. Bellegarde and P. Lescanne. Termination by completion. Applicable Algebra in Engineering, Communication and Computation, 1(2):79-96, 1990.

[BN98] Franz Baader and Tobias Nipkow. Term Rewriting and all That. Cambridge University Press, 1998.

[CDG+97] H. Comon, M. Dauchet, R. Gilleron, D. Lugiez, S. Tison, and Tommasi. Tree automata techniques and applications, 1997. http://l3ux02.univ-lille3.fr/tata/.

[CDGV91] J.L. Coquide, M. Dauchet, R. Gilleron, and S. Vagvölgyi. Bottom-up tree pushdown automata and rewrite systems. In R. V. Book, editor, Proceedings 4th Conference on Rewriting Techniques and Applications, Como (Italy), volume 488 of Lecture Notes in Computer Science, pages 287-298. Springer-Verlag, 1991.

[CELM96] M. Clavel, S. Eker, P. Lincoln, and J. Meseguer. Principles of Maude. In J. Meseguer, editor, Proceedings of the 1st International Workshop on Rewriting Logic and its Applications, (Asilomar, Pacific Grove, CA, USA), volume 5 of Electronic Notes in Theoretical Computer Science. North Holland, September 1996.

[CK99] H. Cirstea and C. Kirchner. Combining higher-order and first-order computation using p-calculus: Towards a semantics of ELAN. In Dov Gabbay and Maarten de Rijke, editors, Frontiers of Combining Systems 2, Research Studies, ISBN 0863802524, pages 95-120. Wiley, 1999.

[CM96] M. Clavel and J. Meseguer. Reflection and Strategies in Rewriting Logic. In J. Meseguer, editor, Proceedings of the 1st International Workshop on Rewriting Logic and its Applications, (Asilomar, Pacific Grove, CA, USA), volume 5 of Electronic Notes in Theoretical Computer Science. North Holland, September 1996.

[CR87] H. Comon and J-L. Remy. How to characterize the language of ground normal forms. Technical Report 676, INRIA-Lorraine, 1987.

[Der82] N. Dershowitz. Orderings for term rewriting systems. Theoretical Computer Science, 17:279-301, 1982.

[Der94] N. Dershowitz. Hierarchical termination. In Proceedings 4th International Workshop on Conditional Term Rewriting Systems, Jerusalem (Israel), volume 968 of Lecture Notes in Computer Science, pages 89-105. Springer-Verlag, 1994.

[DH95] N. Dershowitz and C. Hoot. Natural termination. Theoretical Computer Science, 142(2):179-207, May 1995.

[DJ90] N. Dershowitz and J.-P. Jouannaud. Handbook of Theoretical Computer Science, volume B, chapter 6: Rewrite Systems, pages 244-320. Elsevier Science Publishers B. V. (North-Holland), 1990. Also as: Research report 478, LRI.

[DT90] M. Dauchet and S. Tison. The theory of ground rewrite systems is decidable. In Proceedings 5th IEEE Symposium on Logic in Computer Science, Philadelphia (Pa., USA), pages 242-248, June 1990.

[FN97] K. Futatsugi and A. Nakagawa. An overview of CAFE specification environment - an algebraic approach for creating, verifying, and maintaining formal specifications over networks. In Proceedings of the 1st IEEE Int. Conference on Formal Engineering Methods, 1997.

[GB85] J. H. Gallier and R. V. Book. Reductions in tree replacement systems. Theoretical Computer Science, 37:123-150, 1985.

[Gen97] T. Genet. Proving termination of sequential reduction relation using tree automata. Technical Report 97-R-091, Centre de Recherche en Informatique de Nancy, 1997.

[Gen98] T. Genet. Decidable approximations of sets of descendants and sets of normal forms. In Proceedings 9th Conference on Rewriting Techniques and Applications, Tsukuba (Japan), volume 1379 of Lecture Notes in Computer Science, pages 151-165. Springer-Verlag, 1998.

[GG97] T. Genet and I. Gnaedig. Termination proofs using gpo ordering constraints. In M. Dauchet, editor, Proceedings 22nd International Colloquium on Trees in Algebra and Programming, Lille (France), volume 1214 of Lecture Notes in Computer Science, pages 249-260. Springer-Verlag, 1997.

[GK00] T. Genet and F. Klay. Rewriting for cryptographic protocol verification. In Proceedings International Conference on Automated Deduction, CADE-17. Springer-Verlag, LNAI, 2000.

[GKF00] I. Gnaedig, H. Kirchner, and O. Fissore. Induction for termination, 2000. Research report.

[GMW79] M. Gordon, A. Milner, and C. Wadsworth. Edinburgh LCF: A Mechanized Logic of Computation, volume 78 of Lecture Notes in Computer Science. SpringerVerlag, New York (NY, USA), 1979.

[Gra94] B. Gramlich. Generalized sufficient conditions for modular termination of rewriting. Applicable Algebra in Engineering, Communication and Computation, 5:131-158, 1994.

[Gra96] B. Gramlich. On termination and confluence properties of disjoint and constructor-sharing conditional rewrite systems. Theoretical Computer Science, 165(1):97-131, September 1996.

[Gra97] B. Gramlich. Modular aspects of rewrite-based specifications. In Proc. 12th Int. Workshop on Algebraic Development Techniques, WADT'97 (Abstracts), Tarquinia, Italy, June 1997.

[GS84] F. Gecseg and M. Steinby. Tree automata. Akademiai Kiado, Budapest, Hungary, 1984.

[GT95] R. Gilleron and S. Tison. Regular tree languages and rewrite systems. Fundamenta Informaticae, 24:157-175, 1995.

[HCS96] F. Henderson, T. Conway, and Z. Somogyi. The execution algorithm of Mercury, an efficient purely declarative logic programming language. Journal of Logic Programming, 29:17-54, October-December 1996.

[HSC96] F. Henderson, Z. Somogyi, and T. Conway. Determinism analysis in the Mercury compiler. In Proceedings of the Nineteenth Australian Computer Science Conference, pages 337-346, Melbourne, Australia, January 1996.

[Jac96] F. Jacquemard. Decidable approximations of term rewriting systems. In H. Ganzinger, editor, Proceedings 7th Conference on Rewriting Techniques and Applications, New Brunswick (New Jersey, USA), pages 362-376. SpringerVerlag, 1996.

[Kir99] H. Kirchner. Term Rewriting, chapter 9, pages 273-320. IFIP State-of-the-Art Reports. Springer, 1999. Report LORIA 99-R-098.

[KK90] M. Kurihara and I. Kaji. Modular term rewriting systems and the termination. Information Processing Letters, 34:1-4, February 1990.

[KK99] C. Kirchner and H. Kirchner. Rewriting, solving, proving. A preliminary version of a book available at www.loria.fr/~ckirchne/rsp.ps.gz, 1999.

[KL80] S. Kamin and J.-J. Levy. Attempts for generalizing the recursive path ordering. Unpublished manuscript, 1980.

[Kli93] P. Klint. A meta-environment for generating programming environments. ACM Transactions on Software Engineering and Methodology, 2:176-201, 1993.

[KM98] H. Kirchner and P-E Moreau. Non-deterministic computations in ELAN. In J.L. Fiadeiro, editor, Recent Developements in Algebraic Specification Techniques, Proc. 13th WADT'98, Selected Papers, number 1548 in Lecture Notes in Computer Science, pages 168-182. Springer-Verlag, 1998. Report LORIA 98-R-278.

[KM00] H. Kirchner and P-E Moreau. Promoting rewriting to a programming language: A compiler for non-deterministic rewrite programs in associative-commutative theories. Journal of Functional Programming, 2000. To appear.

[KO91] M. Kurihara and A. Ohuchi. Modular term rewriting systems with shared constructors. Journal of Information Processing of Japan, 14(3):357-358, 1991.

[KR95] M. Krishna Rao. Modular proofs for completeness of herarchical term rewriting systems. Theoretical Computer Science, 151(2):487-512, 1995.

[Lan79] D. S. Lankford. On proving term rewriting systems are noetherian. Technical report, Louisiana Tech. University, Mathematics Dept., Ruston LA, 1979.

[Mid90] A. Middeldorp. Modular Properties of Term Rewriting Systems. PhD thesis, Vrije Universiteit, Amsterdam, 1990.

[MT91] A. Middeldorp and Y. Toyama. Completeness of combinations of constructor systems. In Proceedings 4th Conference on Rewriting Techniques and Applications, Como (Italy), 1991. also Report CS-R9058, CWI, 1990.

[OCM00] E. Ohlebusch, C. Claves, and C. Marche. TALP: a tool for the termination analysis of logic programs. In Proceedings 11th Conference on Rewriting Techniques and Applications, Norwich (UK), volume 1833 of Lecture Notes in Computer Science, pages 270-273. Springer-Verlag, 2000.

[Ohl94] E. Ohlebusch. Modular Properties of Composable Term Rewriting Systems. PhD thesis, Universitat Bielefeld, Bielefeld, 1994.

[Pau94] L.C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of Lecture Notes in Computer Science. Springer-Verlag, 1994.

[Pla78] D. Plaisted. A recursively defined ordering for proving termination of term rewriting systems. Technical Report R-78-943, U. of Illinois, Dept of Computer Science, 1978.

[Plo77] G. Plotkin. LCF considered as a programming language. Theoretical Computer Science, 5:223-255, 1977.

[Rus87] M. Rusinowitch. On termination of the direct sum of term rewriting systems. Information Processing Letters, 26(2):65-70, 1987.

[Sal88] K. Salomaa. Deterministic Tree Pushdown Automata and Monadic Tree Rewriting Systems. Journal of Computer and System Sciences, 37:367-394, 1988.

[ST85] H. Sawamura and T. Takeshima. Recursive unsolvability of determinacy, solvable cases of determinacy and their applications to Prolog optimization. In Proceedings of the Second International Logic Programming Conference, pages 200-207, Boston, Massachusetts, 1985.

[Toy87] Y. Toyama. On the church-rosser property for the direct sum of term rewritig systens. Journal of the ACM, 34(1):128-143, January 1987.

[VB98] E. Visser and Z. Benaissa. A core language for rewriting. In Claude Kirchner and Helene Kirchner, editors, Proceedings of the second International Workshop on Rewriting Logic and Applications, volume 15, Pont-a-Mousson (France), September 1998. Electronic Notes in Theoretical Computer Science. http://www.elsevier.nl/locate/entcs/volume15.html

[Zan95] H. Zantema. Termination of term rewriting by semantic labelling. Fundamenta Informaticae, 24:89-105, 1995.