## Certification of automated termination proofs (2007)

Venue: In Proc. 6th FroCoS

Citations: 18 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Contejean07certificationof,
  author    = {Evelyne Contejean and Pierre Courtieu and Julien Forest and Olivier Pons and Xavier Urbain},
  title     = {Certification of automated termination proofs},
  booktitle = {In Proc. 6th FroCoS},
  year      = {2007},
  pages     = {148--162}
}
```

### Abstract

CÉDRIC – Conservatoire national des arts et métiers

Nowadays, formal methods rely on tools of different kinds: proof assistants with which the user interacts to discover a proof step by step, and fully automated tools which make use of (intricate) decision procedures. But while some proof assistants can check the soundness of a proof, they lack automation. Regarding automated tools, one still has to be satisfied with their answers Yes/No/Do not know, the validity of which can be subject to question, in particular because of the increasing size and complexity of these tools. In the context of rewriting techniques, we aim at bridging the gap between proof assistants that yield formal guarantees of reliability and highly automated tools one has to trust. We present an approach making use of both shallow and deep embeddings. We illustrate this approach with a prototype based on the CiME rewriting toolbox, which can discover involved termination proofs that can be certified by the COQ proof assistant, using the COCCINELLE library for rewriting.

### Citations

951 | Term rewriting and all that
- Baader, Nipkow
- 1998

Citation Context: ...n, it considers cycles: Theorem 1 (Arts and Giesl [1]). A TRS R is terminating iff for each cycle P in its dependency graph there is a reduction pair (�P, ≻P) such that: (1) l �P r for any l → r ∈ R, (2) s �P t for any 〈s, t〉 ∈ P, and (3) s ≻P t for at least one pair in P. In practice, our tool uses a procedure due to Middeldorp and Hirokawa [16] which splits recursively the graph into sub-components...

752 | Rewrite systems
- Dershowitz, Jouannaud
- 1990

Citation Context: ...tal results in Section 5. Eventually we briefly compare with related works and conclude in Section 6. 2 Preliminaries 2.1 Rewriting We assume the reader familiar with basic concepts of term rewriting [2, 11] and termination, in particular with the Dependency Pairs (DP) approach [1]. We recall usual notions, and give our notations. A signature F is a finite set of symbols with arities. Let X be a countabl...

731 | Isabelle/HOL: a proof assistant for higher-order logic, volume 2283
- Nipkow, Paulson, et al.
- 2002

Citation Context: ...ication language that can express both logical assertions and programs, hence properties of programs; and secondly a highly reliable procedure that checks the soundness of proofs. COQ or ISABELLE/HOL [23], for instance, have a small highly reliable kernel. In COQ, type checking of a proof term is performed by the kernel to ensure a proof's soundness. Certified-programming environments based on these p...

453 | Termination of rewriting
- Dershowitz
- 1985

Citation Context: ...following, we shall omit signatures, systems and positions that are clear from the context, and we shall restrict to finite systems. Termination is usually proven with the help of reduction orderings [10] or quasi-orderings with dependency pairs. We briefly recall what we need. An ordering pair is a pair (�, >) of relations over T(F, X) such that: 1) � is a quasi-ordering, i.e. reflexive and transitiv...

265 | Orderings for term-rewriting systems
- Dershowitz
- 1982

Citation Context: ...o that purpose, we enable the certification of proofs using involved criteria such as Dependency Pairs [1] with graphs refinement, and mixing orderings based on polynomial interpretations [20] or RPO [9] with AFS [1]. We illustrate our approach with a prototype based on the CiME tool box, the proofs of which can be certified using the COQ proof assistant. We shall adopt the end-user point of view and...

214 | Termination of term rewriting using dependency pairs
- Arts, Giesl
- 2000

Citation Context: ...g on the addressed criterion (see Section 4). With the help of the COCCINELLE library dedicated to that purpose, we enable the certification of proofs using involved criteria such as Dependency Pairs [1] with graphs refinement, and mixing orderings based on polynomial interpretations [20] or RPO [9] with AFS [1]. We illustrate our approach with a prototype based on the CiME tool box, the proofs of wh...

114 | On proving term rewrite systems are noetherian
- Lankford
- 1979

Citation Context: ... dedicated to that purpose, we enable the certification of proofs using involved criteria such as Dependency Pairs [1] with graphs refinement, and mixing orderings based on polynomial interpretations [20] or RPO [9] with AFS [1]. We illustrate our approach with a prototype based on the CiME tool box, the proofs of which can be certified using the COQ proof assistant. We shall adopt the end-user point ...

109 | Inductively defined types
- Coquand, Paulin-Mohring
- 1990

Citation Context: ...sists of: – A formal language to express objects, properties and proofs in a unified way; all these are represented as terms of an expressive λ-calculus: the Calculus of Inductive Constructions (CIC) [8]. – A proof checker which checks the validity of proofs written as CIC-terms. Indeed, in this framework, a term is a proof of its type, and checking a proof consists in typing a term. The tool's corre...

91 | AProVE 1.2: Automatic termination proofs in the dependency pair framework
- Giesl, Schneider-Kamp, et al.
- 2006

Citation Context: ...ned only if they are proven to be terminating. We restrict here to first order. The last decade has been very fertile w.r.t. automation of termination proofs, and yielded many efficient tools (APROVE [15], CiME [7], JAMBOX [13], TPA [19], TTT [17] and others) referenced on the Termination Competition's web site [21], some of which display nice output for human reading. However, there is still a clear ...

61 | Automating the dependency pair method
- Hirokawa, Middeldorp
- 2005

Citation Context: ... pair (�P, ≻P) such that: (1) l �P r for any l → r ∈ R, (2) s �P t for any 〈s, t〉 ∈ P, and (3) s ≻P t for at least one pair in P. In practice, our tool uses a procedure due to Middeldorp and Hirokawa [16] which splits recursively the graph into sub-components using different orders. The proof uses shallow embedding. One reason for this choice is that a generic theorem for a complex graph criterion is ...

24 | Proving Termination of Rewriting with CiME
- Contejean, Marché, et al.
- 2003

Citation Context: ... they are proven to be terminating. We restrict here to first order. The last decade has been very fertile w.r.t. automation of termination proofs, and yielded many efficient tools (APROVE [15], CiME [7], JAMBOX [13], TPA [19], TTT [17] and others) referenced on the Termination Competition's web site [21], some of which display nice output for human reading. However, there is still a clear gap betwee...

24 | Modular & incremental automated termination proofs
- Urbain

Citation Context: ...n a small example in our prototype, namely CiME 2.99. While being based on the CiME 2 tool box, this prototype does not certify all its predecessor's termination power. For instance, modular criteria [25] and termination modulo equational theories are not supported yet. In the following, we restrict to (marked/unmarked) Dependency Pairs [1] [footnote 6: the transitive closure of one_step is defined as rwr in COCCI...

23 | CoLoR, a Coq library on rewriting and termination
- Blanqui, Delobel, et al.
- 2006

Citation Context: ...hese systems do not tackle the problem of termination proofs. To our knowledge the only other approach to generate termination certificates for rewriting systems relies on the CoLoR/Rainbow libraries [4]. In this approach, term algebras and TRSs are handled via an embedding even deeper than in COCCINELLE, since a TRS is given by a set of pairs of terms. Notice that the RPO in CoLoR is weaker than the...

21 | Tyrolean termination tool
- Hirokawa, Middeldorp
- 2005

Citation Context: ...ng. We restrict here to first order. The last decade has been very fertile w.r.t. automation of termination proofs, and yielded many efficient tools (APROVE [15], CiME [7], JAMBOX [13], TPA [19], TTT [17] and others) referenced on the Termination Competition's web site [21], some of which display nice output for human reading. However, there is still a clear gap between proof assistants that provide f...

19 | External rewriting for skeptical proof assistants
- Nguyen, Kirchner, et al.

Citation Context: ...n automated provers and COQ. Amongst them, the theorem-prover ZÉNON [12], based on tableaux, produces COQ proof terms as certificates. ELAN enjoys techniques to produce COQ certificates for rewriting [22]. Bezem describes an approach regarding resolution [3]. However, these systems do not tackle the problem of termination proofs. To our knowledge the only other approach to generate termination certifi...

16 | Automated Proof Construction in Type Theory using Resolution
- Bezem, de Nivelle
- 2002

Citation Context: ...prover ZÉNON [12], based on tableaux, produces COQ proof terms as certificates. ELAN enjoys techniques to produce COQ certificates for rewriting [22]. Bezem describes an approach regarding resolution [3]. However, these systems do not tackle the problem of termination proofs. To our knowledge the only other approach to generate termination certificates for rewriting systems relies on the CoLoR/Rainbo...

10 | A certified AC matching algorithm
- Contejean
- 2004

Citation Context: ...or does not deal with AC nor C symbols, hence in this work all symbols have an arity Free n. However, AC/C symbols are used in other parts of COCCINELLE, in particular the formalisation of AC matching [5]. A term algebra is a module defined from its signature F and the set of variables X. Module Type Term. Declare Module Import F : Signature. Declare Module Import X : decidable_set.S. Terms are defined a...

9 | Reflecting proofs in first-order logic with equality
- Contejean, Corbineau
- 2005

Citation Context: ...g work in the A3PAT group is to define a more general language that can even tackle proofs of various rewriting properties such as termination, confluence (which needs termination), equational proofs [6], etc. We think that a good candidate could be based on the tree structure we explained in Section 4.1. One particularly interesting follow-up of this work is the possibility to plug automated termina...

3 | The termination competition 2006
- Marché, Zantema

Citation Context: ...tile w.r.t. automation of termination proofs, and yielded many efficient tools (APROVE [15], CiME [7], JAMBOX [13], TPA [19], TTT [17] and others) referenced on the Termination Competition's web site [21], some of which display nice output for human reading. However, there is still a clear gap between proof assistants that provide formal guarantees of reliability and highly automated tools one has to ...

1 | Certification des preuves de terminaison en Coq. Rapport de DEA, Université Paris 7
- Hubert
- 2004

Citation Context: ...irs is the following and fits in the general structure we explained in Section 4.1: Lemma wfR_if_wfDPR: well_founded DPR -> well_founded (one_step R). The proof follows a general scheme due to Hubert [18]. It involves several nested inductions instantiating the proof of the criterion in the particular setting of DPR and one_step R. Marked symbols A refinement of the DP criterion consists in marking he...