On Ground Convergence and Completeness of Conditional Equational Program Hierarchies

Abstract

Both complete definition of functions by equations and determinism (i.e., evaluation to a unique result), are fundamental correctness properties of equational programs. But for expressive functional languages supporting conditional equations, types and subtypes and rewriting modulo axioms, proof methods for verifying such properties under general conditions are currently quite limited. This work proposes a hierarchical proof methodology where both properties are simultaneously verified in a hierarchical manner under termination assumptions.

A Proofs

Proof of the Soundness Theorem 2

Proof

For each inference rule we must show that if the premises of the rule hold, then the conclusion follows. We do so for each inference rule. Recall that in all applications, i.e., to prove either a ground joinability or a ground reducibility property in \(\vec {\mathcal {E}}^{\varDelta }\), the meaning of \(p \mid \varphi \) holding is that it does so for all its ground constructor substitutions \(\rho \) such that \(\varphi \rho \) holds in \(\vec {\mathcal {E}}_{0}\).

Shared Inference Rules. Except for rule GN, all these rules correspond to equivalences. That is, the premises hold iff the conclusion does. Let us consider each inference rule.

• NA. For any ground constructor substitution \(\rho \), at position p in \(\varphi \) the term \(f(\vec {v} \rho )\) has constructor term arguments. Therefore, by sufficient completeness of \(\vec {\mathcal {E}}_{0}\), there is a rewrite rule in \(\vec {E}_{0_{f}}\), say rule [i] whose lefthand side \(f(\vec {u}_{i})\) is B-matched by \(f(\vec {v} \rho )\) with a ground constructor substitution \(\gamma \), i.e., \(f(\vec {v}) \rho =_{B} f(u_{i})\gamma \), and whose condition instance \(\varGamma _{i} \gamma \) holds in \(\vec {\mathcal {E}}_{0}\). Therefore, we can rewrite \(f(\vec {v} \rho )\) to the instance \(r_{i} \gamma \) of its righthand side. Therefore, there is a B-unifier \(\alpha _{i,j}\) of the equation \(f(\vec {v}) = f(u_{i})\) and a ground constructor substitution \(\delta \) such that \(\rho \uplus \gamma = \alpha _{i,j} \delta \). Therefore \(\varphi \rho \) holds in \(\vec {\mathcal {E}}_{0}\) iff \((\varGamma _{i} \cup \varphi [r_{i}]_{p}) \alpha _{i,j} \delta \) does, and of course \(u \rho =_{B} u \alpha _{i,j} \delta \). In brief, the equivalence summarizes symbolically (by narrowing) all the possible ways in which all ground constructor instances of condition \(\varphi \) can be rewritten in one step at position p.

• UN. If \((\varphi \wedge \psi ) \rho \) holds in \(\vec {\mathcal {E}}_{0}\), then \(\psi \rho \) does, i.e., \(\rho \) is a \(U \cup E_{0} \cup B_{0}\)-unifier of \(\psi \). Therefore, there must be a \(U \cup E_{0} \cup B_{0}\)-unifier \(\theta \) of \(\psi \) and a ground constructor substitution \(\gamma \) such that \(\rho =_{U \cup E_{0} \cup B_{0}} \theta \gamma \). The equivalence follows naturally from this fact.

• ES. The main result about equality predicates in [21] is that for any Boolean formula \(\varphi \) and ground constructor substitution \(\rho \), \(\varphi \rho \) holds in ground convergent \(\vec {\mathcal {E}}_{0}\) iff \(\varphi !_{\mathcal {E}_{0}^{=}} \rho \) does. In particular, this equivalence holds when \(\varphi \) is a conjunction of equalities.

• CA. The equivalence follows from the definition of a generating set for the sort s of x, since for any ground constructor substitution \(\rho \), \(\rho (x)\) must be such that \(\rho (x) =_{B} v_{i} \gamma \) for some \(v_{i}\) in such a set and ground constructor substitution \(\gamma \).

• SP. The equivalence between the premises and the conclusion follows from the semantic equivalence \(T_{\varSigma _{0}/E_{0} \cup B_{0}} \models \varphi \Leftrightarrow \bigvee _{i \in I} \psi _{i} \wedge \varphi \), plus the Boolean equivalence \((A \vee B) \Rightarrow C \equiv (A \Rightarrow C) \wedge (B \Rightarrow C)\).

• GN. This is the only shared rule tat is not an equivalence, i.e., where the premise implies the consequence but need not be equivalent to it. The property \(p' \rho \) must hold (i.e., \(p' \rho \)’s ground reducibility, or \(p' \rho \)’s ground joinability, depending on p) whenever \(\psi \rho \) does. In particular, if \(\varphi \gamma \) holds, then \(\psi \theta \gamma \) does, and therefore \(p' \theta \gamma \) does. That is, \(p' \theta \mid \varphi \) holds. But \(p' \theta =_{B} p\). The result then follows from the fact that for either ground reducibility or ground joinability properties \(q,q'\) such that \(q =_{B} q'\), \(q \mid \varphi \) holds iff \(q' \mid \varphi \) does. This follows in either case from the assumption that the rules \(\vec {U} \cup \vec {E}\) are strictly B-coherent.

• \(\emptyset \). Since no ground substitution can satisfy \(\bot \), \(u \mid \bot \) holds trivially.

Ground Joinability Inference System. The proof of the constrained version of the ground confluence inference rules in [12] follows easily from that of the unconstrained inference rules in [12]. The soundness of rule JN holds trivially from the very notion of joinability. A proof of soundness for the CR inference rule can be found in [11].

Ground Reducibility Inference System. The only inference rule is RW. Suppose that \(\psi \rho \) holds in \(\vec {\mathcal {E}}_{0}\). Then, \(\varGamma \theta \rho \) does; and by the rule’s assumptions \(f(\vec {v}) \rho \) is reducible, as desired.

This finishes the proof of the Soundness Theorem.\(\Box \)

Proof of Theorem 1

Proof

First of all, note that, considering \(T_{\varSigma }(X)\) and \(T_{\varSigma ^{\varDelta }}(X)\) as sets, i.e., disregarding sorts, we have an inclusion \(T_{\varSigma }(X) \subseteq T_{\varSigma ^{\varDelta }}(X)\). Also, for each \(s \in S\) we have a set equality \(T_{\varSigma _{0},s}(X) = T_{\varSigma ^{\varDelta },s}(X)\). In particular, \(T_{\varSigma } \subseteq T_{\varSigma ^{\varDelta }}\), and \(T_{\varSigma _{0},s} = T_{\varSigma ^{\varDelta },s}\) for each \(s \in S\).

Second, \(\vec {\mathcal {E}}\) and \(\vec {\mathcal {E}}^{\varDelta }\) have the exact same CCP’s. To begin with, in both cases the rules not in \(\vec {\mathcal {E}}_{0}\) are the same, namely \(\vec {E}_{\varDelta }\). Furthermore, in both cases, the only CCP’s that do not come from \(\vec {\mathcal {E}}_{0}\) can be of only two kinds: (i) between a unit rule in \(\vec {U}\) and a rule in \(\vec {E}_{f}\) for some \(f \in \varDelta \), where the unit rule’s lefthand side unifies with a constructor subterm of the lefthand side of one of f’s constructor arguments; or (ii) between two, not necessarily different, rules in \(\vec {E}_{f}\) for some \(f \in \varDelta \). In case (i), the unifier generating the CCP must be a constructor unifier so that the resulting CCP is the same in both \(\vec {\mathcal {E}}\) and \(\vec {\mathcal {E}}^{\varDelta }\), and its condition is a \(\varSigma _{0}\)-condition. In case (ii), the CCP comes from two—not necessarily different, but variable-renamed if \(i = j\) to ensure disjoint variables—rules \([i]: f(\vec {u_{i}}) \rightarrow r_{i} \;\; if \;\; \varGamma _{i}\) and \([j]: f(\vec {u_{j}}) \rightarrow r_{j} \;\; if \;\; \varGamma _{j}\) and its associated order-sorted unifier (in either \(\vec {\mathcal {E}}\) or \(\vec {\mathcal {E}}^{\varDelta }\)) solves the equation \(f(\vec {u_{i}})=f(\vec {u_{j}})\). We claim that the order-sorted unifiers of the equation \(f(\vec {u_{i}})=f(\vec {u_{j}})\) are the same in \(\vec {\mathcal {E}}\) and in \(\vec {\mathcal {E}}^{\varDelta }\). Recall that, by assumption, \(B_{f}\) is either empty or a commutativity axiom. If \(B_{f} = \emptyset \), then \(\alpha \) is a unifier of \(f(\vec {u_{i}})=f(\vec {u_{j}})\) iff it is a unifier of the system of equations \(u_{i,1}=u_{j,1} \wedge \ldots \wedge u_{i,k}=u_{j,k}\), where k is the number of arguments of f. If f is commutative, the only difference is that in \(\vec {\mathcal {E}}\) the axiom \(f(x_{1},x_{2})=f(x_{2},x_{1})\) is such that \(x_{1},x_{2}\) have sort s for \(f: s \; s \rightarrow s_{0}\) the maximal typing of f, whereas in \(\vec {\mathcal {E}}^{\varDelta }\) \(x_{1},x_{2}\) have kind [s]. This, however, makes no difference, since, by the Decomposition inference rule for a commutative symbol of order-sorted unification (see [31] and [7] §15.1), \(\alpha \) is a unifier of \(f(u_{i,1},u_{i,2})=f(u_{j,1},u_{j,2})\) iff it is a unifier of the disjunction of systems of equations \((u_{i,1}=u_{j,1} \wedge u_{i,2}=u_{j,2}) \vee (u_{i,1}=u_{j,2} \wedge u_{i,2}=u_{j,1})\). Therefore, the CCPs are the same and the unifiers are constructor unifiers, so that the CCP’s condition is a \(\varSigma _{0}\)-condition.

Third, for ground terms we have proper inclusions of rewrite relations,

$$\rightarrow _{\vec {\mathcal {E}}_{0}} \; \subset \; \rightarrow _{\vec {\mathcal {E}}^{\varDelta }} \; \subset \; \rightarrow _{\vec {\mathcal {E}}} \; \subset \; T_{\varSigma }^{\varDelta } \times T_{\varSigma }^{\varDelta }. $$

The first inclusion is proper because there are terms in \( T_{\varSigma }{\setminus } T_{\varSigma _{0}}\) that can be rewritten with \(\rightarrow _{\vec {\mathcal {E}}^{\varDelta }}\). The second inclusion is proper because, by the definition of \(\varSigma ^{\varDelta }\), a rule in the theory \(\vec {\mathcal {E}}_{\varDelta }\), say, \([i]: f(\vec {u_{i}}) \rightarrow r_{i} \;\; if \;\; \varGamma _{i}\), can, only be enabled to rewrite a term \(f(\vec {v})\) if the terms \(\vec {v}\) are \(\varSigma _{0}\)-terms. That is, \(\rightarrow _{\vec {\mathcal {E}}^{\varDelta }}\) performs rewritings exactly like \(\rightarrow _{\vec {\mathcal {E}}}\), but only in a “weakly innermost” manner (“weakly” because the \(\varSigma _{0}\)-terms \(\vec {v}\) need not be constructors).

Fourth, for any \(t \in T_{\varSigma }\), \(t !_{\vec {\mathcal {E}}^{\varDelta }}\) is a constructor term. Suppose not, i.e., there is a \(t \in T_{\varSigma }\) such that \(t!_{\vec {\mathcal {E}}^{\varDelta }}\) is not a constructor term. But since we have an inclusion of rewrite relations \(\rightarrow _{\vec {\mathcal {E}}_{0}} \; \subset \; \rightarrow _{\vec {\mathcal {E}}^{\varDelta }}\) and \(\vec {\mathcal {E}}_{0}\) is sufficiently complete, this means that \(t!_{\vec {\mathcal {E}}^{\varDelta }}\) must contain a subterm of minimal size of the form \(f(\vec {v})\) with \(f \in \varDelta \) and the terms \(\vec {v}\) constructor terms. But this is impossible, since all such terms have been proved \(\vec {\mathcal {E}}^{\varDelta }\)-reducible.

Fifth, for any \(t \in T_{\varSigma }\), if \(t \rightarrow ^{*}_{\vec {\mathcal {E}}}v\) and v is in \(\vec {\mathcal {E}}\)-canonical form, then v is a constructor term. This follows from the containments of rewrite relations \(\rightarrow _{\vec {\mathcal {E}}_{0}} \; \subset \; \rightarrow _{\vec {\mathcal {E}}^{\varDelta }} \; \subset \; \rightarrow _{\vec {\mathcal {E}}}\), the fourth property above, and the sufficient completeness of \(\vec {\mathcal {E}}_{0}\).

Finally, we are now ready to prove that \(\vec {\mathcal {E}}\) is ground convergent. Note that, by the fifth property above, \(\vec {\mathcal {E}}\) is then also sufficiently complete with respect to \(\varOmega \). Since we have the containment of ground rewrite relations \(\rightarrow _{\vec {\mathcal {E}}^{\varDelta }} \; \subset \; \rightarrow _{\vec {\mathcal {E}}}\), the ground convergence of \(\vec {\mathcal {E}}\) will follow from the fourth and fifth properties above if we can prove that for each \(t \in T_{\varSigma }\) and each ground constructor term v such that \(t \rightarrow ^{*}_{\vec {\mathcal {E}}}v\) we have \(v =_{B} t!_{\vec {\mathcal {E}}^{\varDelta }}\).

Lemma 1

For each \(t \in T_{\varSigma }\), if \(t \rightarrow ^{*}_{\vec {\mathcal {E}}}u\) and u is a constructor term, then \(u =_{B_{\varOmega }} t !_{\vec {\mathcal {E}}^{\varDelta }}\).

Proof

Suppose not. Let us choose a term \(t \in T_{\varSigma }\) such that: (i) \(t \rightarrow ^{*}_{\vec {\mathcal {E}}} u\), u is a constructor term, and \(u \not =_{B_{\varOmega }} t !_{\vec {\mathcal {E}}^{\varDelta }}\), and (ii) for \(\succ \) the RPO order modulo proving \(\vec {\mathcal {E}}\) operationally terminating, t is a minimal element among the set of terms in \(T_{\varSigma }\) such that (i) holds. This can only happen if t is not a constructor term. Therefore, we have \(t \rightarrow _{\vec {\mathcal {E}}} t' \rightarrow ^{*}_{\vec {\mathcal {E}}} u\). Note that \(t \succ t'\). Therefore, by the minimality assumption for t, we must have \(u =_{B_{\varOmega }} t' !_{\vec {\mathcal {E}}^{\varDelta }}\). Let us now consider the one-step rewrite \(t \rightarrow _{\vec {\mathcal {E}}} t'\). This means that there is a rule \(f(\vec {u}) \rightarrow r \;\; if \;\; \varGamma \) in \(\vec {U} \cup \vec {E}\) with the \(\vec {u}\) constructor terms (rules in \(\vec {U}\), though unconditional, also have this form), a ground substitution \(\alpha \) and a term position p such that \(t|_{p} =_{B} f(\vec {u}) \alpha \), \(\varGamma \alpha \) holds in \(\vec {\mathcal {E}}\), and \(t' = t[r \alpha ]_{p}\). Since \(\succ \) is a B-compatible RPO order and all rules are assumed \(\succ \)-operationally-terminating, for each equality \(w = w'\) in \(\varGamma \) we must have \(t \succ w \alpha , w' \alpha \). Therefore, by the minimality hypothesis on t, we must have \((w \alpha )!_{\vec {\mathcal {E}}^{\varDelta }} =_{B_{\varOmega }} (w \alpha )!_{\vec {\mathcal {E}}} =_{B_{\varOmega }} (w' \alpha )!_{\vec {\mathcal {E}}} =_{B_{\varOmega }} (w' \alpha ) !_{\vec {\mathcal {E}}^{\varDelta }}\), so that \(\varGamma \alpha \) also holds in \(\vec {\mathcal {E}}^{\varDelta }\) and, for the same reason, \(\varGamma \rho \) holds in \(\vec {\mathcal {E}}^{\varDelta }\) for the constructor substitution \(\rho = \alpha !_{\vec {\mathcal {E}}^{\varDelta }}\) obtained by normalizing each \(\alpha (x)\) with x in the domain of \(\alpha \). Therefore, we have a rewrite \( t[f(\vec {u}) \rho ]_{p} \rightarrow _{\vec {\mathcal {E}}^{\varDelta }} t[r \rho ]_{p}\). Furthermore, \(t =_{B} t[f(\vec {u}) \alpha ]_{p}\), and we have rewrite sequences \(t[f(\vec {u}) \alpha ]_{p}\rightarrow ^{*}_{\vec {\mathcal {E}}^{\varDelta }} t[f(\vec {u}) \rho ]_{p}\), and \(t[r \alpha ]_{p}\rightarrow ^{*}_{\vec {\mathcal {E}}^{\varDelta }} t[r \rho ]_{p}\), and since \(t \succ t' = t[r \alpha ]_{p}\), we must have \(u =_{B_{\varOmega }} t[r \rho ]_{p}!_{\vec {\mathcal {E}}^{\varDelta }}\). In summary, we have the sequence of rewrites in \(\vec {\mathcal {E}}^{\varDelta }\),

$$ t[f(\vec {u}) \alpha ]_{p}\rightarrow ^{*}_{\vec {\mathcal {E}}^{\varDelta }} t[f(\vec {u}) \rho ]_{p} \rightarrow _{\vec {\mathcal {E}}^{\varDelta }} t[r \rho ]_{p} \rightarrow ^{*}_{\vec {\mathcal {E}}^{\varDelta }} t[r \rho ]_{p}!_{\vec {\mathcal {E}}^{\varDelta }} $$

with \(u =_{B_{\varOmega }} t[r \rho ]_{p}!_{\vec {\mathcal {E}}^{\varDelta }}\). But by \(t =_{B} t[f(\vec {u}) \alpha ]_{p}\) and the convergence of \(\vec {\mathcal {E}}^{\varDelta }\) we also must have \(t !_{\vec {\mathcal {E}}^{\varDelta }} =_{B_{\varOmega }} t[r \rho ]_{p}!_{\vec {\mathcal {E}}^{\varDelta }} =_{B_{\varOmega }} u\), contradicting the assumption \(u \not =_{B_{\varOmega }} t !_{\vec {\mathcal {E}}^{\varDelta }}\), as desired.\(\Box \)

This finishes the proof of Theorem 1.\(\Box \)