Path resolution for nested recursive modules

Abstract

The ML module system facilitates the modular development of large programs, through decomposition, abstraction and reuse. To increase its flexibility, a lot of work has been devoted to extending it with recursion, which is currently prohibited. The introduction of recursion adds expressivity to the module system. However it also creates problems that a non-recursive module system does not have.

In this paper, we address one such problem, namely resolution of path references. Paths are how one refers to nested modules in ML. Without recursion, well-typedness guarantees termination of path resolution, in other words, we can statically determine the module that a path refers to. This does not always hold with recursive module extensions, since the module system then can encode a lambda-calculus with recursion, whose termination is undecidable regardless of well-typedness. We formalize this problem of path resolution by means of a rewrite system on paths and prove that the problem is undecidable even without higher-order functors, via an encoding of the Turing machine into a calculus with just recursive modules, first-order functors, and nesting. Motivated by this result, we introduce a further restriction on first-order functors, limiting polymorphism on functor parameters by requiring signatures for functor parameters to be non-recursive, and show that this restriction is decidable and admits terminating path resolution.

Appendix A: Proofs for terminating path evaluation

In this appendix, we give proofs for the properties and theorems of Sect. 6.

1.1 A.1 Safe programs

We first define a notion of safety for termination, which will be needed to prove Proposition 2.

Definition 6

A path p reduces safely for termination to q with respect to a program P when P⊢ _t p↓q is derivable, ⊢ _t being the inference system obtained by adding the rules d-dot  and d-app  of Fig. 11 to the rules in Fig. 8 where ⊢ is replaced by ⊢ _t . A path p is safe for termination for the signature S with respect to P when P⊢ _t p:S is derivable. It is just safe for termination if P⊢ _t p:{}. A substitution θ is safe for termination with respect to P when P⊢ _t θ safe is derivable.

Fig. 11

Safety for termination

Lemma 1

(Typing equivalence)

If P⊢p:S, P⊢p↓q, and P⊢p′↓q, then P⊢p′:S.

Proof

(Coq-checked) By inversion of s-rec. □

Lemma 2

(Substitution)

If P ⊢ p:S and \(P \vdash \theta ~\textsf {safe}\), then P⊢θ(p):S. Moreover, if P⊢p↓q, then P⊢θ(p)↓θ(q) when q is rooted, and otherwise P⊢θ(p)↓r and P⊢θ(q)↓r for the same path r. Both results also hold for ⊢ _t .

Proof

(Coq-checked) We prove these statements by mutual induction on the structure of the derivation of P⊢p:S and the safe reductions and safe substitutions involved. The last rule is necessarily s-rec, with first premise P⊢p↓q. We perform case analysis on q.

Case 1::

q is a rooted path.

We first show that P⊢θ(p)↓θ(q) by induction on the derivation of P⊢p↓q with case analysis on the last rule used.

Case r-src::

We have p=q, P⊢p↦(θ′,e) and P⊢θ′ safe for some θ′ and e. After substitution we have P⊢θ(p)↦(θ(θ′),e). By induction hypothesis, for any x in dom θ′ we have P⊢θ(θ′(x)):sig _P (x), so that P⊢θ(θ′) safe, and we conclude.

Case r-exp::

The hypotheses are P⊢p↦(θ′,p′), P⊢θ safe′ and P⊢θ′(p′)↓q. If θ′(p′) were a variable path, we would have P⊢θ′(p′)↓θ′(p′), and q would be a variable path too, which contradicts our assumption. Therefore we have P⊢θ(p)↦(θ(θ′),p′), P⊢θ(θ′) safe and, by induction hypothesis, P⊢θ(θ′(p′))↓θ(q), and we conclude.

Cases r-dot and r-app: Immediate. Note that p′ and \(p'_{1}\) cannot be variable paths.

Finally, we need to show that P⊢θ(q):S, relying on the second premise of s-rec (P⊢q.m _i :S _i ). By induction hypothesis we have P⊢θ(q.m _i ):S _i , and since θ(q.m _i )=θ(q).m _i we conclude P⊢θ(q):S by s-rec.

Case 2::

q is a variable path.

Suppose q=x.m ₁…m _n . If θ(x) is a variable path, then θ(q) is a variable path, and P⊢θ(q)↓θ(q) by P⊢θ safe and r-vp. We can prove by an easy induction that P⊢θ(p)↓θ(q) (which also gives us the extra result with r=θ(q)), and we obtain P⊢θ(p):S like in Case 1.

If θ(x) is not a variable path, we must be more careful, as new reduction steps may appear, both in the reductions of p and of its submodules for s-rec. For this reason we prove P⊢θ(p):S by induction on the derivation of P⊢p↓q, assuming P⊢p:S as extra hypothesis. We perform case analysis on the last rule used.

Case r-src::

impossible.

Case r-vp::

immediate by P⊢θ safe; we trivially have convergence since p=q.

Case r-exp::

We have P⊢p↦(θ′,p′) and P⊢θ′(p′)↓q. By applying the induction hypothesis to the latter, we obtain P⊢θ(θ′(p′)):S and conclude by r-exp.

Case r-dot::

By hypothesis P⊢p.m:S, so that P⊢p:{m:S}, and by induction hypothesis P⊢θ(p):{m:S}, thus P⊢θ(p.m):S. For convergence, either p′ is rooted, and the new left premise is P⊢θ(p)↓θ(p′), so that we can conclude using the induction hypothesis for the right premise; or p′ is a variable path, and there exists a path r such that P⊢θ(p)↓r and P⊢θ(p′)↓r. We know that P⊢r:{m:S} by typing equivalence, so that there is a r′ such that P⊢r.m↓r′, and as result both P⊢θ(p.m)↓r′ and P⊢θ(p′.m)↓r′ by the uniqueness of safe reductions.

Case r-app::

\(p'_{1}\) cannot be a variable path, since \(p'_{1}(p_{2})\) would not be valid. Thus we have \(P \vdash \theta (p_{1}) \downarrow \theta (p_{1}')\). From the hypothesis P⊢p ₁(p ₂):S, we obtain \(P \vdash p'_{1}(p_{2}) :S\), since they both reduce to the same q. By induction hypothesis we obtain \(P \vdash \theta (p'_{1}(p_{2})) : S\), thus P⊢θ(p ₁(p ₂)):S by r-app. We obtain convergence in the same way.

The same proof applies to ⊢ _t : a dangling path, as in the conclusion of rules d-dot and d-app, is a rooted path such that none of its prefixes refers to an abbreviation, but itself cannot be looked up. This property is preserved by substitution. □

The following lemma relates reduction steps and safety derivations. It is used in the ensuing proof of termination.

Lemma 4

If P is safe, P⊢q:S, and q→q′ by a reduction step of \(\it Rules_{P}\), then P⊢q′:S, and the size of its derivation is strictly smaller than the size of P⊢q:S. This also holds for P safe for termination and ⊢ _t .

Proof

First note that it is sufficient to prove this property for S={}: P⊢q:S is equivalent to ∀ap∈S,P⊢q.ap:{}, and if q→q′ then q.ap→q′.ap.

We prove it by induction on the structure of q.

If the reduction step was on q itself (i.e. not on one of its arguments), then there can be only one such redex, and this reduction corresponds exactly to the first use of r-exp in our derivation. After reduction, this r-exp step disappears, replaced by its third premise, and the derivation is otherwise unchanged, so the size of the derivation is strictly smaller.

If the reduction was done on an argument of q, by inversion of P⊢q:{}, this argument must be safe for a signature S appearing in P. By induction hypothesis, after reduction this proof of safety becomes smaller. Moreover, if this argument is required for reducing q, i.e. if by some use of r-exp it becomes the head of the path we are reducing, then the next step in the derivation was necessarily to reduce it, so that a second occurrence of r-exp disappears. □

Proposition 2

If P is safe (or safe for termination) and q is a ground path, then the evaluation of q (in the sense of Definition 3) with respect to P terminates.

Proof

Note that any safe program is also safe for termination, so we only consider the second case.

We first prove that for any signature S used in P, P⊢ _t q:S can be derived by induction on q. This amounts to proving that there is a path q″ such that P⊢ _t q.ap↓q″, for any access path ap in S. We prove it by induction on q′=q.ap.

• If q′=ϵ, P⊢ _t ϵ↓ϵ by r-src.

• If q′=p.m, then by induction hypothesis P⊢ _t p↓p′, and either p′.m is dangling thus P⊢ _t p.m↓p′.m holds by d-dot, or there exist θ and e such that P⊢p′.m↦(θ,e), and since P⊢ _t p↓p′, the arguments of p′, i.e. θ, are safe for termination. If e is a path, then by the safety of P, P⊢ _t e:{}, and by our substitution lemma, P⊢ _t θ(e):{}. Otherwise P⊢p′.m↓p′.m by r-src.

• If q′=p ₁(p ₂), then by induction hypothesis \(P \vdash _{\mathsf {t}}p_{1} \downarrow p'_{1}\) and P⊢ _t p ₂:S ₂ for any S ₂ in P, and either \(p'_{1}(p_{2})\) is dangling, and \(P \vdash _{\mathsf {t}}p_{1}(p_{2}) \downarrow p'_{1}(p_{2})\) by d-app, or there exist θ and e s.t. \(P \vdash p'_{1}(p_{2}) \mapsto (\theta , e)\), and from our two induction hypotheses, the arguments of \(p'_{1}(p_{2})\), i.e. θ, are safe for termination, which lets us conclude as in the p.m case.

Next we show that the evaluation of q terminates by induction on the size of the derivation of P⊢ _t q:{}. This size is finite, and Lemma 4 provides the induction step. □

1.2 A.2 Correctness of semi-ground normalization

Theorem 1

(Correctness)

For any program P, lock π and path p, if sgnlz(P,π,p) = q then P⊢p↓q. Moreover, for any substitution θ, if \(\mathsf{vp\_subs}(P,\pi ,\theta ) = \rho \), then \(P \vdash \theta ~\textsf {safe}\), and for any x∈dom(θ) and \(ap\in \textsf {sig}(x)\), P⊢θ(x.ap)↓ρ(x.ap).

Proof

(Coq-checked) We prove both properties by functional induction.

If p=x or p=ϵ, then P⊢p↓p.

If p is a variable path x.ap, then sgnlz will call expand, which in turn checks that ap is in the signature of x, and returns p itself, and P⊢p↓p.

If p=p ₁(p ₂), we assume sgnlz(P,π,p ₁)=q ₁. By induction hypothesis on p ₁, P⊢p ₁↓q ₁. We call expand on q ₁(p ₂). First we call lookup to obtain θ and e. Then we call vp_subs to obtain ρ, so that P⊢θ safe by induction hypothesis. If e is not a path, we have P⊢q ₁(p ₂)↓q ₁(p ₂) by r-src, and P⊢p ₁(p ₂)↓q ₁(p ₂) by r-app. Let e be the path q ⁱ. By induction hypothesis, we have P⊢q↓q′ with q′=sgnlz(P,{i}∪π,q). If q′ is a rooted path, by the substitution lemma, we have P⊢θ(q)↓θ(q′), so that P⊢q ₁(p ₂)↓θ(q′) by r-exp. If q′ is a variable path x.ap, by inversion we have ap∈sig _P (x). If x∉dom(θ), by the substitution lemma we have P⊢θ(q)↓x.ap (=ρ(x.ap) since x.ap∉dom(ρ)). Otherwise, by induction hypothesis on vp_subs, we have P⊢θ(x.ap)↓ρ(x.ap), so that P⊢θ(q)↓ρ(x.ap) by the substitution lemma. In both cases we conclude that P⊢q ₁(p ₂)↓ρ(x.ap) by r-exp.

If p=p ₁.m, we prove the property in the same way, replacing occurrences of p ₁(p ₂) and q ₁(p ₂) by p ₁.m and q ₁.m respectively, and r-app by r-dot.

Next we prove the property on vp_subs. This amounts to proving that for each x↦p in θ, if \(\mathsf{sig\_subs}(P,\pi ,x,p,\textsf {sig}(x)) = \rho \), then P⊢p:sig _P (x) and for all ap∈sig _P (x), P⊢p.ap↓ρ(x.ap). Since the latter implies the former, we just need to prove the latter.

If p is a variable path y.ap′, then we just check that y.ap′.ap is valid, and return ρ(x.ap)=y.ap′.ap, so that P⊢y.ap′.ap↓ρ(x.ap) by r-vp.

If p is a rooted path, then sgnlz(P,π,p.ap)=q for some q, P⊢p.ap↓q, and ρ=[x.ap↦q]. As a result, P⊢p.ap↓ρ(x.ap). □

Theorem 2

(Termination)

For any program P, lock π and path p, sgnlz(P,π,p) is terminating.

Proof

Termination is guaranteed since any recursive call sgnlz(P,π,p) is strictly decreasing with respect to a well-founded lexicographic ordering ≺ on pairs (π,p) of a path and a lock, where the two constituent ordering ≺ _π on locks and ≺ _p on paths are respectively defined as follows.

• π ₁≺ _π π ₂ if π ₂⊂π ₁⊂Labels(P).

• p ₁≺ _p p ₁.m for any field name m

• p ₁≺ _p p ₁(p ₂) for any path p ₂

• p ₂.ap≺ _p p ₁(p ₂) for any path p ₁ and access path ap∈S, where S is the union of all access signatures of P.

Since Labels(P) and S are finite, both ≺ _π and ≺ _p are well-founded, thus its lexicographic combination ≺ is well-founded too. □

1.3 A.3 Safe rewriting

Before proving the completeness of semi-ground normalization, we first need to introduce an alternative definition of safety, in terms of termination of a term rewriting system. We will show that the two definitions of safety are equivalent (Proposition 3). Then, we prove that when semi-ground normalization fails for a program, one can build an infinite reduction in this rewriting system, hence the program is unsafe according to the definition in Sect. 6.2. This alternative definition is also interesting for itself, since it gives a more computational view of what safety means, which may be more intuitive.

A way to formalize invalid paths concisely in the framework of path rewriting systems is to transform invalid paths into non-termination. That is, we introduce conditional path rewriting rules Errors _P for a program P that cause non-termination whenever invalid paths appear during reduction:

$$\begin{array}{l@{\quad}l} (1)\ \texttt {x}.ap \rightarrow \texttt {x}.ap & \mbox{for any {\texttt {x}} and $ap$ s.t. $ap \notin \textsf {sig}_{P}(\texttt {x})$} \\[3pt] (2)\ \texttt {x}.ap(x) \rightarrow \texttt {x}.ap(x) & \mbox{for any path variable $\texttt {x}$ and access path $ap$}\\[3pt] (3)\ p.m \rightarrow p.m & \mbox{if $P \vdash p \mapsto (\theta , e)$, $e$ not a path, and $P \vdash p.m \not \mapsto $} \\[3pt] (4)\ p(x) \rightarrow p(x) & \mbox{if $P \vdash p \mapsto (\theta , e)$, and $e$ is a structure} \\ \end{array} $$

Here x indicates a path variable appearing in paths to be rewritten, not to be confused with the x used for rewriting rule variables. The first two rule sets cause non-termination when a variable is either decomposed beyond its access signature or applied; both cases break our syntactic restriction. The third one transforms dangling references to non-termination. The fourth one ensures that only functors are applied; otherwise it causes non-termination.

We also need to enforce the safety check on path arguments. For this we modify rewrite rules generated for functors, using the last rule of Errors _P to let reduction progress.

$$\begin{array}{l} \mathit{Rules}(p,\lambda (x:S)e)\\[3pt] \quad = \mathit{Rules}(p!(x),e) \cup \{p(x) \rightarrow \textrm{snd}(\textrm{chk}(x.ap_1, \dots, x.ap_n),p!(x)) \\[3pt] \quad \mbox{where $ap_{1}\dots ap_{n}$ are the maximal access paths of $S$, i.e. all the}\\[3pt] \quad \mbox{paths s.t. $ap_{i} \in S \land \forall m\ ap_{i}.m \notin S$.} \end{array} $$

The idea is that p(q).p′ is a path where q has not been checked for safety as argument of p yet, and p!(q).p′ is the same path appearing in a context where the safety of q may have been checked. Actual path expansion occurs in two steps. First we rewrite p(q).p′ into snd(chk(q.ap ₁,…,q.ap _n ),p!(q)).p′. Here snd and chk are added to evaluation contexts, with an extra rule for snd,

so that one can reduce any of the q.ap _i , checking the safety of q as argument of p. Note that depending on which submodules of q are actually accessed in p!(q).p′, rewriting q.ap _i may introduce a non-termination behavior that would not appear otherwise. One can then use rule (snd) to discard chk(q.ap ₁,…,q.ap _n ). Then we are just left with p!(q).p′, which can be rewritten according to the definitions in P once all the applications have been converted. We also add the following rule to the lookup predicate, so that rules (3) and (4) of \(\it Errors_{P}\) will work on both forms of applications.

$$\frac{P \vdash p(q) \mapsto (\theta , e)}{ P \vdash p!(q) \mapsto (\theta , e)} $$

Definition 7

A program P is safe for evaluation if for all paths p appearing as right hand side of an abbreviation binding in P, there is no infinite reduction using Rules _P ∪Errors _P .

Proposition 3

For any program P, safety (Definition 5) and safety for evaluation (Definition 7) are equivalent.

Proof

We first show that if a program is safe, then it is safe for evaluation. I.e., for any path q, if P⊢q:{} then there is no infinite reduction starting from q using the rules of \(\it Rules_{P} \cup Errors_{P}\). For a term t of our path rewriting system, containing possibly some snd and chk, we define the pure path of t, noted pp(t), as t where all occurrences of snd were reduced (and, as a result, all occurrences of chk discarded), and all ! were removed. The number of pure applications in t, noted pa(t), is the number of path applications contained in t, after having reduced all the snd, and excluding the !-applications. We define the multiset of implicit paths of t, noted pps(t), by induction on the structure of t:

$$\begin{array}{rcl} \mathrm{pps}(t) & = & \mathrm{pa}(t) \times \Bigl(\bigl\{\mathrm{pp}(t) \bigr\} \cup \bigcup\bigl\{\mathrm{pps}(t') \mid t' \in \mathrm{chks}(t)\bigr\}\Bigr) \\[3pt] \mathrm{chks}(\epsilon ) & = & \emptyset \\[3pt] \mathrm{chks}(\texttt {x}) & = & \emptyset \\[3pt] \mathrm{chks}(t.m) & = & \mathrm{chks}(t) \\[3pt] \mathrm{chks}(t_1(t_2)) & = & \mathrm{chks}(t_1) \cup \mathrm{chks}(t_2) \\[3pt] \multicolumn{3}l{\mathrm{chks}\bigl(\mathrm{snd}\bigl(\mathrm{chk}(\it t_1, \dots, t_n),t\bigr)\bigr) = \{t_1,\dots t_n\} \cup \mathrm{chks}(t)} \end{array} $$

By n×S we mean that we duplicate n times the contents of the multiset S. We define the measure of a term t as the multiset of the sizes of the derivations of P⊢p:{}, for p in pps(t). We prove that any reduction step t→t′ keeps the typability of the paths in pps(t′), and decreases this measure according to the multiset ordering. If the reduction is one of the original ones, then according to lemma 4, each path in pps(t) is either reduced into a corresponding path in pps(t′), with its derivation size reduced, or it remains unchanged, and at least one pure path is reduced. If the new rule p(x)→snd(chk(x.ap ₁,…,x.ap _n ),p!(x)) is applied, then the number of pure applications of p(q) is reduced by 1, and we replace this p(q) by q.ap ₁, …, q.ap _n , which were already contained in the derivation of P⊢p(q):{}, so that they are safe, and the measure decreases. If snd(x,y)→y is applied, then we discard the first argument, which leaves pp(t′) intact, and the measure decreases. Rules (1)–(4) cannot apply, since pp(t) is safe.

Since the multiset ordering is well-founded, this proves that there cannot be infinite reductions.

Conversely, we prove that if there is no infinite reduction using \(\it Rules_{P} \cup Errors_{P}\), then P must be safe. We define the relation p≻q iff p can be rewritten into a path q ₀ such that C[θ(q)]∈pps(q ₀) for some path context C and substitution θ. This relation must be antisymmetric on the paths appearing in P (i.e. we never have both p≻q and q≻p, otherwise we could easily build an infinite reduction.) As a result ≻ can be topologically extended into a total order on the paths appearing as right hand side of abbreviation bindings in P.

We prove that if there is no infinite reduction starting from p, then P⊢p:{}, starting with the smallest paths in this topological order (those with no q in P such that p≻q). We rewrite p using a customized strategy. That is, we basically use a call-by-name strategy (not reducing arguments), with the exception of the arguments of chk which we reduce to normal form before discarding them with snd. Thanks to this strategy, we are able to build our safety derivation straightforwardly. Namely, we obtain the safety of substitutions from the normalization of chk, and then actually apply the original rewriting rule on the non-reduced argument, as does our inference system. Moreover, since we check following a topological order, we can use our substitution lemma to build the third premise of r-exp rule. Other inference rules need just to be inserted as glue, as they perform no actual reduction. □

1.4 A.4 Completeness proof

The following lemmas are used by the completeness proof. The first one proves that postponing substitution is correct.

Lemma 3

(Postponement)

If p is a rooted path, sgnlz(P,π′,p)=q and \(\mathsf{vp\_subs}(P,\pi ,\theta ) = \rho \) with π⊂π′, then sgnlz(P,π,θ(p))=subs(θ,ρ,q).

Proof

(Coq-checked) By functional induction on sgnlz(P,π′,p). □

Lemma 5

(Idempotence)

If sgnlz(P,π,p)=q, then sgnlz(P,π,q)=q.

Proof

By functional induction, using Lemma 3. □

Theorem 3

(Completeness)

For any program P and path p, if P is safe and P⊢p:{}, then \(\mathsf {sgnlz}(P, \emptyset, p) \neq \textsf {error}\).

Proof

By Proposition 3, P⊢p:{} implies that there is no infinite reduction from p using \(\it Rules_{P} \cup Errors_{P}\).

We show by functional induction that sgnlz(P,π,p)=error implies the existence of such an infinite reduction starting from either p or an abbreviation in P, assuming that for each i∈π, there are paths p _i and q _i such that P⊢p _i ↦(id,(q _i )ⁱ), and reductions \(q_{i} \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(p)]\). In case of repeated attempts to expand the same abbreviation, we will use them to build an infinite reduction. Since some recursive calls to sgnlz will be on paths that do not appear in P, we also keep a reduction \(q_{0} \stackrel {\ast }{\rightarrow }C_{0}[p]\), q ₀ being either the original p, or the last abbreviation in P we are currently normalizing. This last reduction will be used for errors, producing an infinite reduction with rules of \(\it Errors_{P}\). For the sake of simplicity, we do not distinguish normal applications and !-applications in the paths we reduce. We just assume that where needed we can get the arguments of chk, in order to build an infinite reduction.

We start with π=∅ and q ₀=p, so that our only reduction is the 0-step one from q ₀ to p.

If p=x or p=ϵ, then sgnlz(P,π,p)=p≠error.

If p=p ₁.m or p=p ₁(p ₂), then we first try to evaluate sgnlz(P,π,p ₁). If it results in an error, then we can reuse our reductions \(q_{i} \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(p)]\) (i∈π), as C _i [θ _i (p)] contains θ _i (p ₁) (e.g. C _i [θ _i (p)]=C _i [θ _i (p ₁).m] in the first case), and \(q_{0} \stackrel {\ast }{\rightarrow }C_{0}[p]\) since p contains p ₁. Using the induction hypothesis we conclude that there is an infinite reduction.

If \(\mathsf {sgnlz}(P, \pi , p_{1}) = p'_{1}\), then we call expand(P,π,p′), with p′ either \(p'_{1}.m\) or \(p'_{1}(p_{2})\), and since by correctness we have a reduction \(p_{1} \stackrel {\ast }{\rightarrow }p'_{1}\), we also have a reduction \(p \stackrel {\ast }{\rightarrow }p'\), and we can complete all reductions \(q_{i} \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(p)]~(i\in \pi )\) into reductions \(q_{i} \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(p')]\), and \(q_{0} \stackrel {\ast }{\rightarrow }C_{0}[p']\). If p′=x.ap, then to have an error it must be ap∉sig _P (x), and we can use a reduction (1) of \(\it Errors_{P}\) to create an infinite reduction \(q_{0}\stackrel {\ast }{\rightarrow }C_{0}[p'] \rightarrow C_{0}[p'] \rightarrow \cdots{}\). If p′ is a rooted path, then we first call lookup(P,p′). If this fails we can use either a reduction (3) or (4) of \(\it Errors_{P}\) to create an infinite reduction. Otherwise, we obtain θ and e.

Then we call \(\mathsf{vp\_subs}(P,\pi ,\theta )\). From the reduction point of view, if \(p'_{j}\) is an argument of p′, then there is a prefix \(p_{j}(p'_{j})\) of p′, and we can find a step \(p_{j}(p'_{j}) \rightarrow \mathrm{snd}(\mathrm{chk}(p'_{j}.ap_{j1},\dots,p'_{j}.ap_{jn_{j}}),p_{j}!(p'_{j}))\) inside the reduction leading to p′, allowing us to check all the required subpaths of the argument \(p'_{j}\). This is also what \(\mathsf{sig\_subs}(P,\pi ,x_{j},p'_{j},\allowbreak \textsf {sig}_{P}(x_{j}))\) does. If \(p'_{j}\) is a variable path x.ap, then it checks for each ap′∈sig _P (x _j ) whether ap.ap′∈sig _P (x). Since all those ap′ are prefixes of some of the ap _jk , if we have an error then we can build an infinite reduction starting from \(p'_{j}.ap_{jk}\). If \(p'_{j}\) is a rooted path, then for each ap′∈sig _P (x _j ), we call \(\mathsf {sgnlz}(P, \pi , p'_{j}.ap')\). If one of them fails, we can construct a context C such that \(p' \stackrel {\ast }{\rightarrow }C[p'_{j}.ap_{jk}]\), so that we can complete all our reductions into \(q_{i} \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(C[p'_{j}.ap_{jk}])]~(i \in \pi )\) and \(q_{0} \stackrel {\ast }{\rightarrow }C_{0}[C[p'_{j}.ap_{jk}]]\), and by induction hypothesis we have an infinite reduction starting from q ₀.

If \(\mathsf{vp\_subs}(P,\pi ,\theta )\) succeeds, the next step is either to return successfully from expand, which contradicts the presence of an error, or we have e=q ⁱ, and we check whether i∈π. If i∈π, then since p′→θ(q)=θ(q _i ), we have a reduction \(q_{i} \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(p')] \rightarrow C_{i}[\theta _{i}(\theta (q_{i}))]\), so that we can build an infinite reduction by repeatedly appending it to itself, i.e. \(q_{i} \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(\theta (q_{i}))] \stackrel {\ast }{\rightarrow }C_{i}[\theta _{i}(\theta (C_{i}[\theta _{i}(\theta (q_{i}))]))] \stackrel {\ast }{\rightarrow }\cdots{}\).

If i∉π, we call sgnlz(P,{i}∪π,q), which must fail. First we need to extend our reductions. We have P⊢p′↦(θ,q), and \(p' \stackrel {\ast }{\rightarrow } \theta (q)\). We can combine this reduction with our other reductions to obtain \(q_{j}\stackrel {\ast }{\rightarrow }C_{j}[\theta _{j}(\theta (q))]~(j\in \pi )\). Since q is an abbreviation in P, we update q ₀ to q, with new reductions \(q_{i} = q \stackrel {\ast }{\rightarrow }q\), and \(q_{0} = q \stackrel {\ast }{\rightarrow }q\). So by induction hypothesis, in case of error we have an infinite reduction starting from one of the q _i or q ₀. □