Inductionless Induction
, 1994
Abstract
Cited by 16 (0 self)
Contents
1 Introduction, p. 3
1.1 A few words explaining the title, p. 3
1.2 Some examples of the problem we are considering, p. 3
1.3 Outline of the chapter, p. 5
2 Formal background, p. 6
2.1 Terms and clauses, p. 6
2.2 Equational deduction, p. 7
2.3 Inductive theory, p. 7
2.4 Constructors and sufficient completeness, p. 8
2.5 Term Rewriting, p. 9
2.6 Standar
Alternating Two-Way AC-Tree Automata
- In preparation
, 2002
Abstract
Cited by 11 (5 self)
We explore the notion of alternating two-way tree automata modulo the theory of finitely many associative-commutative (AC) symbols, some of them with a unit (AC1). This was prompted by questions arising in cryptographic protocol verification, where the emptiness question for intersections of such automata is fundamental. We show that the use of conditional push clauses, or of alternation, leads to undecidability, already in the case of one AC or AC1 symbol, with only functions of arity zero. On the other hand, emptiness is decidable in the general case of many function symbols, including many AC or AC1 symbols, provided push clauses are unconditional and intersection clauses are final. To this end, extensive use of refinements of resolution is made.
Tree Automata with Memory, Visibility and Structural Constraints
- in "Proceedings of the 10th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'07)"
, 2007
Abstract
Cited by 7 (3 self)
Tree automata with one memory have been introduced in 2001. They generalize both pushdown (word) automata and the tree automata with constraints of equality between brothers of Bogaert and Tison. Though it has a decidable emptiness problem, the main weakness of this model is its lack of good closure properties. We propose a generalization of the visibly pushdown automata of Alur and Madhusudan to a family of tree recognizers which carry along their (bottom-up) computation an auxiliary unbounded memory with a tree structure (instead of a symbol stack). In other words, these recognizers, called visibly Tree Automata with Memory (VTAM), define a subclass of tree automata with one memory enjoying Boolean closure properties. We show in particular that they can be determinized and that problems like emptiness, inclusion and universality are decidable for VTAM. Moreover, we propose an extension of VTAM whose transitions may be constrained by structural equality and disequality tests between memories, and show that this extension preserves the good closure and decidability properties.
Automated Induction with Constrained Tree Automata
Abstract
Cited by 5 (2 self)
We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, ordering and also membership in a fixed tree language. Constrained equational axioms between constructor terms are supported and can be used in order to specify complex data structures like sets, sorted lists, trees, powerlists, etc. Our procedure is based on tree grammars with constraints, a formalism which can describe exactly the initial model of the given specification (when it is sufficiently complete and terminating). They are used in the inductive proofs first as an induction scheme for the generation of subgoals at induction steps, second for checking validity and redundancy criteria by reduction to an emptiness problem, and third for defining and solving membership constraints. We show that the procedure is sound and refutationally complete. It generalizes former test set induction techniques and yields natural proofs for several non-trivial examples presented in the paper; these examples are difficult (if not impossible) to specify and carry out automatically with other induction procedures.
Unique Normalization for Shallow TRS
, 2008
Abstract
Cited by 1 (0 self)
Computation with a term rewrite system (TRS) consists in the application of its rules from a given starting term until a normal form is reached, which is considered the result of the computation. The unique normalization (UN) property for a TRS R states that any starting term can reach at most one normal form when R is used, i.e. that the computation with R is unique. We study the decidability of this property for classes of TRS defined by syntactic restrictions such as linearity (variables can occur only once in each side of the rules), flatness (sides of the rules have depth at most one) and shallowness (variables occur at depth at most one in the rules). We prove that UN is decidable in polynomial time for shallow and linear TRS, using tree automata techniques. This result is very near to the limits of decidability, since this property is known to be undecidable even for very restricted classes like right-ground TRS, flat TRS and also right-flat and linear TRS. We also show that UN is even undecidable for flat and right-linear TRS. The latter result is in contrast with the fact that many other natural properties like reachability, termination, confluence, weak normalization, etc. are decidable for this class of TRS.
Superpositions for fixed domains
, 2009
Abstract
Superposition is an established decision procedure for a variety of first-order logic theories represented by sets of clauses. A satisfiable theory, saturated by superposition, implicitly defines a minimal term-generated model for the theory. Proving universal properties with respect to a saturated theory directly leads to a modification of the minimal model’s term-generated domain, as new Skolem functions are introduced. For many applications, this is not desired. Therefore, we propose the first superposition calculus that can explicitly represent existentially quantified variables and can thus compute with respect to a given domain. This calculus is sound and refutationally complete in the limit for a first-order fixed domain semantics. For saturated Horn theories and classes of positive formulas, we can even employ the calculus to prove properties of the minimal model itself, going beyond the scope of known superposition-based approaches.
Constrained Tree Grammars to Pilot Automated Proof by Induction
, 2004
Abstract
In this paper, we develop a new approach for mechanizing induction on complex data structures (like bags, sorted lists, trees, powerlists, etc.) by adapting and generalizing works in tree automata with constraints. The key idea of our approach is to compute a tree grammar with constraints which describes the initial model of the given specification. This grammar
Logic, Theory, Decidability
Abstract
We close affirmatively a question which has been open for a long time: decidability of the HOM problem. The HOM problem consists in determining, given a tree homomorphism and a regular tree language represented by a tree automaton, whether the image of the language through the homomorphism is regular. In order to decide the HOM problem, we develop new constructions and techniques which are interesting by themselves, and provide several significant intermediate results. For example, we prove that the universality problem is decidable for languages represented by tree automata with equality constraints, and that the equivalence and inclusion problems are decidable for images of regular languages through tree homomorphisms. Our contributions are based on the following new constructions. We describe a simple transformation for converting a tree automaton with equality constraints into a tree automaton with disequality constraints recognizing the complementary language. We also define a new class of automata with arbitrary disequality constraints and a particular kind of equality constraints. An automaton of this new class essentially recognizes the intersection of a tree automaton with disequality constraints and the image of a regular language through a tree homomorphism. We prove decidability of emptiness and finiteness for this class by a pumping mechanism. We combine the above constructions adequately to provide an algorithm deciding the HOM problem.
Tree Automata, Implicit Induction and Explicit Destructors for Security Protocol Verification
, February 2007
Abstract
We present a new method for automatic implicit induction theorem proving, and its application to the verification of cryptographic protocols. The method is based on constrained tree grammars and handles non-confluent rewrite systems, which are required in the context of the verification of security protocols because of the non-deterministic behavior of attackers. It also handles axioms between constructor terms, which allows us to specify explicit destructors representing cryptographic operators. Constrained tree grammars are used in our procedure both as induction schemes and as oracles for checking validity and redundancy by reduction to an emptiness problem. They also make it possible to characterize security failures of cryptographic protocols as sets of execution traces corresponding to an attack. This way, we obtain a generic framework for the verification of protocols, in which we can verify reachability properties like confidentiality, but also more complex properties like authentication. We present three case studies which gave very promising results.