Chapter 5 Sufficient completeness
5.5 Conclusions and future work
In this chapter, we have presented several contributions that advance methods for proving sufficient completeness of conditional specifications involving partial functions, where deduction is performed modulo axioms. Our main contributions are:
• We have studied the sufficient completeness of such specifications and their associated rewriting systems in greater generality than previous work, and arrived at a novel definition of sufficient completeness.
• We have extended the Maude Inductive Theorem Prover with a sufficient completeness checker for conditional specifications. This checker is not a decision procedure, but nevertheless we have been able to discharge sufficient completeness automatically for nontrivial examples by using the heuristics built into the ITP.
• Finally, we presented a sufficient completeness checker based on equational tree automata techniques that supports sufficient completeness checking with rewriting modulo any combination of associativity, commutativity, and identity.
Our work in developing sufficient completeness checkers for more complex equational specifications has already led to two complementary approaches, each able to handle specifications outside the classes that could be handled by previous approaches. Although significant progress has been made, there is a great deal of opportunity both to develop new techniques and to improve the performance of existing techniques.

Maude> in natlist.maude
==========================================
fmod NAT-LIST
==========================================
fmod NAT-LIST-ERROR
Maude> load scc.maude
Maude> loop init-scc .
Starting the Maude Sufficient Completeness Checker.
Maude> (scc NAT-LIST .)
Checking sufficient completeness of NAT-LIST ...
Success: NAT-LIST is sufficiently complete under the assumption that it is
  weakly-normalizing, ground confluent, and sort-preserving.
Maude> (scc NAT-LIST-ERROR .)
Checking sufficient completeness of NAT-LIST-ERROR ...
Failure: The term head(nil) is a counterexample as it is an
  irreducible term with sort Nat in NAT-LIST-ERROR that does not have sort Nat
  in the constructor subsignature.
Figure 5.2: Example SCC session
A number of further extensions of this work seem worth investigating. A first extension is to continue to push our characterization to consider checking specifications with context-sensitive rewriting (see the next chapter) and parametrized specifications. A second important topic is the generation of counterexamples to show lack of sufficient completeness: ground term counterexamples are practical and easy to generate, but investigating ways of symbolically describing sets of counterexamples may be quite useful for other purposes, such as generating induction schemes for theorem provers.
A third topic worth investigating is what we called the “second prong” in the introduction, namely, integrating sufficient completeness checking and inductive theorem proving in order to handle specifications outside the decidable subclasses. One recent approach [18] attempts to combine the tree automata and narrowing approaches with integration into a theorem prover to handle conditional, constrained rewrite specifications. This work is able to check the sufficient completeness of many-sorted rewrite specifications for which there may be conditional rules involving defined symbols and constrained rules involving constructor symbols. It accomplishes this by first constructing a constrained tree grammar to recognize irreducible constructor terms, and then using the tree grammar during narrowing. Like the work in [73], this work targets the case of syntactic rewriting, but does not address specifications with rewriting modulo axioms.
A fourth topic that is important for scalability purposes is that of modularity techniques, so that the sufficient completeness of a large equational specification is not checked as a single monolithic module, but is ensured by checking a collection of submodules into which the specification is decomposed. This is quite natural in Maude, since large specifications are almost always obtained by composing many different modules together, and sufficient completeness techniques should be extended to exploit this additional composition information.
Further advances in these four areas should provide both foundations and algorithms on which to build a next-generation TA-based sufficient completeness tool for MEL specifications modulo axioms. This would make sufficient completeness checking available for a very wide class of specifications in Maude and other equational languages for specification and programming with advanced features.
Chapter 6 Completeness in context-sensitive rewriting
In previous chapters, we have discussed partiality and rewriting modulo axioms as important extensions that increase the expressivity of rewrite specifications. Another important extension is that of user-programmable evaluation strategies based on context-sensitive (CS) rewriting (see, for example, [101, 103, 145]). They allow very fine-grained control, at the level of each individual function symbol, over how the rewriting evaluation is performed. Their value and practical importance have been recognized in many equational languages. OBJ2 [52] was the first such language supporting them, and they are supported in all languages in the OBJ family, including CafeOBJ [51] and Maude [28]. In practice, CS rewriting can be used for two somewhat different purposes:
1. to increase the efficiency of a standard equational program without changing its meaning: for example, by restricting the evaluation of an if-then-else symbol to its first, Boolean argument to avoid wasteful or even non-terminating computations; and
2. as a way to compute with infinite data structures, such as the infinite stream of all prime numbers, in a lazy way; in this second case, CS rewriting provides an elegant, finitary way of computing with infinite objects.
Expressiveness is substantially increased in both of these ways, since the user can both control the efficiency of program execution and support new applications involving infinite data structures.
This is all very well. However, there are a number of open research questions about how to reason formally about equational programs supporting CS rewriting for verification purposes. Two areas where important progress has been made are in methods for proving termination, e.g., [60, 102, 145], and confluence [103] of CS equational programs. But other important questions remain unexplored.
Imagine that you want to use an inductive theorem prover to verify some property about a CS equational program. No inductive theorem prover that we are aware of allows reasoning about CS programs. Is it OK to ignore the CS information and just reason about the underlying equational theory? We think that, in general, the answer is: definitely not! Why not? Because the model on which the inductive reasoning principles are sound and the model of a CS program may be quite different.
What models are we talking about? Well, that is one of the interesting research questions. For an inductive theorem prover, the model of interest is the initial algebra $T_E$ of a specification $E$. In fact, this initial algebra semantics is the standard mathematical semantics of equational programs in languages such as OBJ, CafeOBJ, and Maude. Furthermore, provided that the equational program is weakly normalizing and ground confluent, the initial algebra semantics fully agrees with the operational semantics, in the precise, mathematical sense that the initial algebra $T_E$ and the canonical term algebra $\mathrm{Can}_{R/A}$ of the rewrite system $R/A$ associated to $E$ are isomorphic. For CS rewriting the matter is less obvious, since we only have an operational semantics provided by the CS rewriting relation, but no mathematical models in the form of algebras had been put forward prior to our work. Therefore, the first contribution in this chapter is to put forward such an algebra, namely, the algebra $\mathrm{Can}^{\mu}_{R/A}$ of µ-canonical forms, for $\mu$ the replacement map of the given CS program. We do so not just for vanilla-flavored, untyped CS programs, but for the more general and expressive CS programs with other features, such as order-sorting and rewriting modulo axioms, that one encounters in actual equational programming languages.
The importance of the algebra $\mathrm{Can}^{\mu}_{R/A}$ is that it makes it possible to articulate, and to provide proof methods for, three important CS completeness problems, namely:
1. µ-canonical completeness, which means satisfying the set-theoretic equality $\mathrm{Can}^{\mu}_{R/A,s} = \mathrm{Can}_{R/A,s}$ for each sort $s$ in the specification;
2. µ-semantic completeness, which model-theoretically corresponds to the case where the surjective $\Sigma$-homomorphism $q : \mathrm{Can}^{\mu}_{R/A} \to T_E$, which we show always exists under minimal assumptions, is an isomorphism. Proof-theoretically this means that the sound way of proving ground $E$-equalities by CS rewriting is also complete, and that the Maude ITP is a suitable tool for reasoning about the context-sensitive specification;
3. µ-sufficient completeness, which is a new notion generalizing to the CS case the usual sufficient completeness of equational function definitions with respect to a signature of constructors. The subtlety here is that in general it would be too strong to require that constructors appear in all positions of a term t in µ-canonical form: we only make such a requirement for replacing positions in t.
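The three notions above hinge on what a µ-canonical form looks like when some argument positions are never rewritten. The following Python is an added illustration, not code from the thesis: it normalizes terms under a replacement map µ for a small constructed specification of naturals, lists, a lazy stream, `take` and `head` (untyped and without axioms, so sorts are ignored), and exhibits a term whose µ-canonical and canonical forms differ (so µ-canonical completeness fails for lists), a µ-canonical form that is constructor-headed at every replacing position, and an irreducible non-constructor term of the head(nil) kind reported in Figure 5.2.

```python
# Added example (not the thesis's code): an untyped term-rewriting engine with a replacement
# map mu, contrasting mu-canonical forms with ordinary canonical forms. Terms are nested
# tuples such as ('cons', ('0',), ('nil',)); rule variables are plain strings.
def match(pat, term, subst):
    """Match a rule pattern against a ground term, extending subst in place."""
    if isinstance(pat, str):                         # a rule variable
        return subst.setdefault(pat, term) == term
    return (pat[0] == term[0] and len(pat) == len(term)
            and all(match(p, t, subst) for p, t in zip(pat[1:], term[1:])))
def instantiate(subst, t):
    return subst[t] if isinstance(t, str) else (t[0],) + tuple(instantiate(subst, a) for a in t[1:])
def rewrite_root(term, rules):
    """One rule application at the root, or None if the root is irreducible."""
    for lhs, rhs in rules:
        subst = {}
        if match(lhs, term, subst):
            return instantiate(subst, rhs)
    return None
def replacing(mu, term):
    """mu(f) for the root symbol f; symbols absent from mu have every argument position replacing."""
    return mu.get(term[0], range(1, len(term)))
def mu_normalize(term, rules, mu):
    """mu-canonical form: rewriting happens only at the root and below replacing positions."""
    args = list(term[1:])
    for i in replacing(mu, term):                    # innermost, replacing arguments only
        args[i - 1] = mu_normalize(args[i - 1], rules, mu)
    term = (term[0],) + tuple(args)
    reduced = rewrite_root(term, rules)
    return term if reduced is None else mu_normalize(reduced, rules, mu)

def constructors_at_replacing_positions(term, mu, constructors):
    """mu-sufficient completeness on one term: constructors at the root and replacing positions only."""
    return term[0] in constructors and all(
        constructors_at_replacing_positions(term[i], mu, constructors) for i in replacing(mu, term))

# Constructed specification: naturals, lists, the lazy stream from(n), take and head.
CONSTRUCTORS = {'0', 's', 'nil', 'cons'}
RULES = [(('take', ('0',), 'L'), ('nil',)),
         (('take', ('s', 'N'), ('cons', 'X', 'L')), ('cons', 'X', ('take', 'N', 'L'))),
         (('from', 'N'), ('cons', 'N', ('from', ('s', 'N')))),
         (('head', ('cons', 'X', 'L')), 'X')]        # head(nil) deliberately left undefined
LAZY, STRICT = {'cons': [1]}, {}   # mu(cons) = {1} freezes list tails; {} is ordinary rewriting
ZERO, TWO = ('0',), ('s', ('s', ('0',)))
def demo():
    t = ('cons', ZERO, ('take', ZERO, ('nil',)))
    lazy, strict = mu_normalize(t, RULES, LAZY), mu_normalize(t, RULES, STRICT)
    prefix = mu_normalize(('take', TWO, ('from', ZERO)), RULES, LAZY)  # terminates only lazily
    stuck = mu_normalize(('head', ('nil',)), RULES, STRICT)   # irreducible but not a constructor
    return lazy, strict, prefix, stuck
```

Under LAZY the tail of `t` stays frozen, so its µ-canonical form is not the canonical form that STRICT computes, while the µ-canonical form of `take(2, from(0))` still has constructors at all replacing positions even though the stream under the tail is never unfolded.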
We not only articulate these notions, but we also provide proof methods for them in the form of decision procedures under mild assumptions about the given CS program. Given that the CS programs we consider perform rewriting modulo axioms and are order-sorted, our methods are also based on the equational tree automata described in Chapter 3, which can take into account both sort information and reasoning modulo axioms. These decision procedures have been implemented in an extension of the tree automata-based Maude Sufficient Completeness Checker (SCC) discussed in Section 5.4, and we have used several Maude programs to illustrate both the basic ideas and the use of the SCC in verifying CS completeness properties.
The chapter is organized as follows. In Section 6.1, we introduce the precise class of CS term rewrite systems we are considering. In Section 6.2, we define the canonical term algebra for a CS specification. In Section 6.3, we define the three notions of CS completeness, and in Section 6.4 we show how one can use equational tree automata techniques to check these completeness notions under appropriate assumptions. Finally, we discuss related work and suggest future avenues of research in Section 6.5. Much of this work has appeared previously in [70].