Analyzing Program Termination and Complexity Automatically with AProVE

Abstract

In this system description, we present the tool AProVE for automatic termination and complexity proofs of Java, C, Haskell, Prolog, and rewrite systems. In addition to classical term rewrite systems (TRSs), AProVE also supports rewrite systems containing built-in integers (int-TRSs). To analyze programs in high-level languages, AProVE automatically converts them to (int-)TRSs. Then, a wide range of techniques is employed to prove termination and to infer complexity bounds for the resulting rewrite systems. The generated proofs can be exported to check their correctness using automatic certifiers. To use AProVE in software construction, we present a corresponding plug-in for the popular Eclipse software development environment.

Appendix: Proofs

To define the removal of arguments formally, we use a suitable argument filter.

Definition 13

(Argument Filter [37]) An argument filter \(\pi \) for a signature \({\varSigma }\) maps every n-ary function symbol to a (possibly empty) list \([i_1, \ldots , i_k]\) with \(1 \le i_1< \ldots < i_k \le n\). The signature \({\varSigma }_\pi \) consists of all function symbols \(f \in {\varSigma }\), but for \(\pi (f) = [i_1, \ldots , i_k]\), the arity of f in \({\varSigma }_\pi \) is k. Every argument filter \(\pi \) induces a mapping from \({{\mathrm{\mathcal {T}}}}({\varSigma }, {{\mathrm{\mathcal {V}}}})\) to \({{\mathrm{\mathcal {T}}}}({\varSigma }_\pi , {{\mathrm{\mathcal {V}}}})\) as follows.

$$\begin{aligned} \pi (t) = \left\{ \begin{array}{l@{\quad }l} t &{} \text{ if } t \text{ is } \text{ a } \text{ variable }\\ f(\pi (t_{i_1}), \ldots , \pi (t_{i_k})) &{} \text{ if } t=f(t_1, \ldots , t_n) \text{ and } \pi (f) = [i_1, \ldots , i_k]. \end{array}\right. \end{aligned}$$

For every int-TRS \({{\mathrm{\mathcal {R}}}}\), we define \(\pi ({{\mathrm{\mathcal {R}}}}) = \{ \pi (\ell ) \rightarrow \pi (r) \,\llbracket \varphi \rrbracket \mid \ell \rightarrow r \,\llbracket \varphi \rrbracket \in {{\mathrm{\mathcal {R}}}}\}\).

Let N be the set of needed argument positions of Definition 2. Then we define the needless argument filter \(\pi _N\) as \(\pi _N(f) = [\,]\) for \(f \in \mathbb {Z}\) and \(\pi _N(f) = [i_1, \ldots , i_k]\) for any \(f \in {\varSigma }_c \cup {\varSigma }_d\), where \(\{ i_1,\ldots ,i_k \} = \{ i \mid (f,i) \in N \}\) and \(i_j < i_{j + 1}\) for all j.

Theorem 3

(Soundness of Slicing) Let \({{\mathrm{\mathcal {R}}}}\) be an int-TRS and let \({{\mathrm{\mathcal {R}}}}'\) result from filtering away all argument positions that are not needed according to Definition 2, i.e., \({{\mathrm{\mathcal {R}}}}' = \pi _N({{\mathrm{\mathcal {R}}}})\). Then \({{\mathrm{\mathcal {R}}}}\) terminates iff \({{\mathrm{\mathcal {R}}}}'\) terminates.

Proof

In the following, we often write \(s {{\mathrm{\hookrightarrow }}}^\sigma _\rho t\) to denote the rule \(\rho \) and the substitution \(\sigma \) used in the rewrite step.

Soundness: For any argument filter \(\pi \), non-termination of \({{\mathrm{\mathcal {R}}}}\) implies non-termination of \(\pi ({{\mathrm{\mathcal {R}}}})\), since every (root) rewrite step \(s \, {{\mathrm{\hookrightarrow }}}_{\ell \rightarrow r \,\llbracket \varphi \rrbracket } \, t\) implies that we have \(\pi (s) \, {{\mathrm{\hookrightarrow }}}_{\pi (\ell ) \rightarrow \pi (r) \,\llbracket \varphi \rrbracket } \, \pi (t)\).

Completeness: For readability, in the following we write “\(\pi \)” instead of “\(\pi _N\)”.

Let \(\overline{s}_1 \, {{\mathrm{\hookrightarrow }}}_{\pi (\ell _1) \rightarrow \pi (r_1) \,\llbracket \varphi _1 \rrbracket }^{\overline{\sigma }_1} \, \overline{s}_2 \, {{\mathrm{\hookrightarrow }}}_{\pi (\ell _2) \rightarrow \pi (r_2) \,\llbracket \varphi _2 \rrbracket }^{\overline{\sigma }_2} \, \cdots \) be an infinite reduction w.r.t. \(\pi ({{\mathrm{\mathcal {R}}}})\). Our goal is to construct an infinite reduction w.r.t. \({{\mathrm{\mathcal {R}}}}\).

W.l.o.g., we can assume that the left-hand sides \(\ell _i\) of the rules in \({{\mathrm{\mathcal {R}}}}\) only contain function symbols that also occur on right-hand sides of \({{\mathrm{\mathcal {R}}}}\). The reason is that all other rules can be used only a finite number of times at the beginning of a reduction and thus, any infinite reduction has a suffix that satisfies our assumption.

Note that if there are subterms \(f(t_1,\ldots ,t_n)\) and \(f(t_1',\ldots ,t_n')\) on left-hand sides where \((f, i) \notin N\), then there exists a term \(u_i\) such that both \(t_i\) and \(t_i'\) match \(u_i\). The reason is that some right-hand side must contain a subterm \(f(u_1,\ldots ,u_i,\ldots , u_n)\) and by the “matching” condition in Definition 2, \(u_i\) has the desired property. In other words, one can always find a term u which is matched by all ith arguments of f on left-hand sides. We say that such a term u is (f, i)-compatible. A term s has the lhs matching property iff the following holds: if \((f, i) \notin N\), then any f-subterm of s has some (f, i)-compatible term on its ith argument. Here, an “f-subterm” is a term with f on its root position.

We now construct a term \(s_1\) with \(\pi (s_1) = \overline{s}_1\) that starts an infinite reduction w.r.t. \({{\mathrm{\mathcal {R}}}}\). To this end, we define a function \( unfilter :{{\mathrm{\mathcal {T}}}}({\varSigma }_\pi , {{\mathrm{\mathcal {V}}}}) \rightarrow {{\mathrm{\mathcal {T}}}}({\varSigma },{{\mathrm{\mathcal {V}}}})\) with \( unfilter (x) = x\) for \(x \in {{\mathrm{\mathcal {V}}}}\) and \( unfilter (f(t_{i_1},\ldots ,t_{i_k})) = f(t_1',\ldots ,t_n')\) if the arity of f in \({\varSigma }\) is n. Here, we have \(t_i' = unfilter (t_i)\) if \(i \in \pi (f)\) and \(t_i'\) is some (f, i)-compatible term if \(i \notin \pi (f)\). Then we choose \(s_1 = unfilter (\overline{s}_1)\). By construction, we then have \(\pi (s_1) = \overline{s}_1\) and \(s_1\) has the lhs matching property.

Any matcher \(\overline{\sigma }_1\) for the filtered reduction can now be extended to a matcher for the non-filtered case. So from \(\pi (\ell _1)\overline{\sigma }_1 = \overline{s}_1\), our construction of \(s_1\), and the “non-linearity” condition in Definition 2, we can conclude that there is a substitution \(\sigma _1\) with \(\ell _1\sigma _1 = s_1\) such that \(\pi (\ell _1\sigma _1) = \overline{s}_1 = \pi (\ell _1)\overline{\sigma }_1\). By the condition “constraint” in Definition 2, we can define \(\sigma _1\) to coincide with \(\overline{\sigma }_1\) on all variables from \(\widehat{\varphi }_1\). By the condition “propagation”, \(\sigma _1\) can be extended to \(\varphi _1\)’s remaining variables such that \(\varphi _1\sigma _1 = \varphi _1\overline{\sigma }_1\) is valid, and hence, \(s_1 \, {{\mathrm{\hookrightarrow }}}_{\ell _1 \rightarrow r_1 \llbracket \varphi _1\rrbracket }^{\sigma _1} \, s_2\), where \(s_2 = r_1\sigma _1\). Due to the condition “propagation” in Definition 2, the root symbols of needed subterms in \(s_2= r_1\sigma _1\) coincide with the corresponding ones in \(\overline{s}_2 = \pi (r_1)\overline{\sigma }_1\). Thus, we obtain \(\pi (s_2) = \overline{s}_2\). By construction, \(s_2\) also has the lhs matching property. Hence, by repeating the above construction, one finally obtains an infinite reduction \(s_1 \, {{\mathrm{\hookrightarrow }}}_{\ell _1 \rightarrow r_1 \,\llbracket \varphi _1 \rrbracket }^{\sigma _1} \, s_2 \, {{\mathrm{\hookrightarrow }}}_{\ell _2 \rightarrow r_2 \,\llbracket \varphi _2 \rrbracket }^{\sigma _2} \, \cdots \) \(\square \)

The idea of the chaining simplification is to combine rules by narrowing. Narrowing of a term (or rule) is similar to performing a standard rewrite step. However, whereas in rewriting we apply a rule \(\ell \rightarrow r\) to a term t by finding a matcher \(\sigma \) such that \(\ell \sigma = t\), in narrowing, we search for a unifier \(\mu \) such that \(\ell \mu = t \mu \) holds.

Definition 14

(Narrowing) A term \(t'\) is a narrowing of the term t with the int-rule \(\ell \rightarrow r \,\llbracket \varphi \rrbracket \) using the unifier \(\mu \) (written \(t \rightsquigarrow ^\mu _{\ell \rightarrow r \,\llbracket \varphi \rrbracket } t'\)) if \(\mu \) is the most general unifier of \(\ell \) and t and \(t' = r\mu \). Here we always assume that \(\ell \) and t are variable disjoint (otherwise the variables in the rule are renamed).

Note that our form of narrowing differs from the narrowing of dependency pairs in [37], where narrowing steps take place only below the root position, whereas here we narrow only at the root position.

As mentioned, \({{\mathrm{\mathcal {R}}}}_{\rightarrow f} = \{ \ell \rightarrow r \,\llbracket \varphi \rrbracket \in {{\mathrm{\mathcal {R}}}}\mid {{\mathrm{\mathsf {root}}}}(r) = f \}\) consists of all rules where f is the root symbol of the right-hand side and \({{\mathrm{\mathcal {R}}}}_{f\rightarrow } = \{ \ell \rightarrow r \,\llbracket \varphi \rrbracket \in {{\mathrm{\mathcal {R}}}}\mid {{\mathrm{\mathsf {root}}}}(\ell ) = f \}\) are all rules where f is the root of the left-hand side.

Definition 15

(f -chained System \({{\mathrm{\mathcal {R}}}}^{-\!f}\)) Let \({{\mathrm{\mathcal {R}}}}\) be an int-TRS and let \(f \in {\varSigma }_d\) such that \({{\mathrm{\mathcal {R}}}}_{\rightarrow f} \cap {{\mathrm{\mathcal {R}}}}_{f\rightarrow } = \varnothing \). Then we define the f-chained system as \({{\mathrm{\mathcal {R}}}}^{-\!f} = ({{\mathrm{\mathcal {R}}}}{\setminus } ({{\mathrm{\mathcal {R}}}}_{\rightarrow f} \cup {{\mathrm{\mathcal {R}}}}_{f\rightarrow })) \cup {{\mathrm{\mathcal {R}}}}'\), where \({{\mathrm{\mathcal {R}}}}' = \{ \ell \mu \rightarrow r' \; \,\llbracket (\varphi \wedge \overline{\varphi })\mu \rrbracket \mid \ell \rightarrow r \,\llbracket \varphi \rrbracket \in {{\mathrm{\mathcal {R}}}}_{\rightarrow f}, \; \overline{\ell } \rightarrow \overline{r} \,\llbracket \overline{\varphi } \rrbracket \in {{\mathrm{\mathcal {R}}}}_{f\rightarrow },\; r \rightsquigarrow ^\mu _{\overline{\ell } \rightarrow \overline{r} \,\llbracket \overline{\varphi } \rrbracket } r' \}\).

Theorem 5

(Soundness of Chaining) Let \({{\mathrm{\mathcal {R}}}}\) be an int-TRS and f be as in Definition 15. Then \({{\mathrm{\mathcal {R}}}}\) terminates iff \({{\mathrm{\mathcal {R}}}}^{-\!f}\) terminates.

Proof

Soundness: Let \(t_1 \, {{\mathrm{\hookrightarrow }}}_{\ell _1 \rightarrow r_1 \,\llbracket \varphi _1 \rrbracket }^{\sigma _1} \, t_2 \, {{\mathrm{\hookrightarrow }}}_{\ell _2 \rightarrow r_2 \,\llbracket \varphi _2 \rrbracket }^{\sigma _2} \, \cdots \) be an infinite \({{\mathrm{\mathcal {R}}}}\)-reduction where we assume that \(\ell _i \rightarrow r_i \,\llbracket \varphi _i \rrbracket \) and \(\ell _j \rightarrow r_j \,\llbracket \varphi _j \rrbracket \) are variable disjoint whenever \(i \ne j\).

W.l.o.g. let \(\ell _1\rightarrow r_1 \,\llbracket \varphi _1 \rrbracket \notin {{\mathrm{\mathcal {R}}}}_{f\rightarrow }\). For every i where \(\ell _i \rightarrow r_i \,\llbracket \varphi _i \rrbracket \in {{\mathrm{\mathcal {R}}}}_{\rightarrow f}\) we have \(\ell _{i+1} \rightarrow r_{i+1} \,\llbracket \varphi _{i+1} \rrbracket \in {{\mathrm{\mathcal {R}}}}_{f\rightarrow }\), since \({{\mathrm{\mathsf {root}}}}(r_i) = f\).

Moreover, \(t_i = \ell _i\sigma _i\), \(t_{i+1} = r_i\sigma _i = \ell _{i+1}\sigma _{i+1}\), and both \(\varphi _i\sigma _i\) and \(\varphi _{i+1}\sigma _{i+1}\) are valid. So there is a \(\mu = {{\mathrm{\mathsf {mgu}}}}(r_i, \ell _{i+1})\) such that \(r_i \rightsquigarrow ^{\mu }_{\ell _{i+1} \rightarrow r_{i+1} \,\llbracket \varphi _{i+1} \rrbracket } r_{i+1}\mu \) and \(\ell _i\mu \rightarrow r_{i+1}\mu \,\llbracket (\varphi _i \wedge \varphi _{i+1})\mu \rrbracket \in {{\mathrm{\mathcal {R}}}}' \subseteq {{\mathrm{\mathcal {R}}}}^{-\!f}\), with \({{\mathrm{\mathcal {R}}}}'\) as in Definition 15.

As \(\ell _i \rightarrow r_i \,\llbracket \varphi _i \rrbracket \) and \(\ell _{i+1} \rightarrow r_{i+1} \,\llbracket \varphi _{i+1} \rrbracket \) are variable disjoint, there exists a substitution \(\gamma \) such that \(\mu \gamma \) is like \(\sigma _i\) for all variables in \(\ell _i \rightarrow r_i \,\llbracket \varphi _i \rrbracket \) and like \(\sigma _{i+1}\) for all variables in \(\ell _{i+1} \rightarrow r_{i+1} \,\llbracket \varphi _{i+1} \rrbracket \). Hence, \(\ell _i\mu \gamma = \ell _i\sigma _i = t_i\), \(r_{i+1}\mu \gamma = r_{i+1}\sigma _{i+1} = t_{i+2}\), and both \(\varphi _i\mu \gamma = \varphi _i\sigma _i\) and \(\varphi _{i+1}\mu \gamma = \varphi _{i+1}\sigma _{i+1}\) are valid. Thus, \(t_i \, {{\mathrm{\hookrightarrow }}}^\gamma _{\ell _i\mu \rightarrow r_{i+1}\mu \llbracket (\varphi _i \wedge \varphi _{i+1})\mu \rrbracket } \, t_{i+2}\). By iterating this replacement of rule applications from \({{\mathrm{\mathcal {R}}}}_{\rightarrow f}\), we also eliminate all applications of rules from \({{\mathrm{\mathcal {R}}}}_{f\rightarrow }\), since they are always preceded by a rule from \({{\mathrm{\mathcal {R}}}}_{\rightarrow f}\). In this way, we obtain an infinite reduction w.r.t. \({{\mathrm{\mathcal {R}}}}^{-\!f}\).

Completeness: Every infinite reduction w.r.t. \({{\mathrm{\mathcal {R}}}}^{-\!f}\) can be transformed into an infinite reduction w.r.t. \({{\mathrm{\mathcal {R}}}}\). The reason is that whenever t rewrites to \(t'\) with a rule from \({{\mathrm{\mathcal {R}}}}' \subseteq {{\mathrm{\mathcal {R}}}}^{-\!f}\), then t also rewrites to \(t'\) in 2 steps with \({{\mathrm{\mathcal {R}}}}\). To see this, let \(t \, {{\mathrm{\hookrightarrow }}}^\sigma _{\ell \mu \rightarrow r' \,\llbracket (\varphi \wedge \overline{\varphi })\mu \rrbracket } \, t'\). Hence, \(\varphi \mu \sigma \) and \(\overline{\varphi }\mu \sigma \) are valid. Here, both \(\ell \rightarrow r \,\llbracket \varphi \rrbracket \) and \(\overline{\ell } \rightarrow \overline{r} \,\llbracket \overline{\varphi } \rrbracket \) are from \({{\mathrm{\mathcal {R}}}}\) and \(r\rightsquigarrow ^\mu _{\overline{\ell } \rightarrow \overline{r} \,\llbracket \overline{\varphi } \rrbracket } r'\) (i.e., \(r\mu = \overline{\ell }\mu \) and \(r' = \overline{r}\mu \)). Thus, \(t = \ell \mu \sigma \, {{\mathrm{\hookrightarrow }}}^{\mu \sigma }_{\ell \rightarrow r \,\llbracket \varphi \rrbracket } \, r\mu \sigma = \overline{\ell }\mu \sigma \, {{\mathrm{\hookrightarrow }}}^{\mu \sigma }_{\overline{\ell } \rightarrow \overline{r} \,\llbracket \overline{\varphi } \rrbracket } \, \overline{r}\mu \sigma = r'\sigma = t'\). \(\square \)

For any term t, we can define \(\mathcal {I\!A}(t)\) and \(\mathcal {T\!A}(t)\) formally using argument filters. We define the integer argument projection that removes all term arguments as \(\pi _\mathcal {I\!A}(f) = [\,]\) for \(f \in \mathbb {Z}\) and \(\pi _\mathcal {I\!A}(f) = [i_1, \ldots , i_k]\) for any \(f \in {\varSigma }_c \cup {\varSigma }_d\), where \(\{ i_1, \ldots , i_k \} = \{ i \mid (f,i) \in \mathcal {I\!A}\}\) and \(i_j < i_{j + 1}\) for all j. The term argument projection \(\pi _\mathcal {T\!A}\) is defined analogously, retaining only term arguments. Then we have \(\mathcal {I\!A}(t) = \pi _\mathcal {I\!A}(t)\) and \(\mathcal {T\!A}(t) = \pi _\mathcal {T\!A}(t)\).

Before proving Theorem 8, we recapitulate the definition of reduction pairs.

Definition 16

(Reduction Pairs [37]) We call \((\succsim , \succ )\) a reduction pair iff \(\succsim \) is reflexive, transitive, and closed under substitutions (i.e., \(s \succsim t\) implies \(s\sigma \succsim t\sigma \)), \(\succ \) is closed under substitutions and well founded, and \(\succ \) and \(\succsim \) are compatible (i.e., \({\succ \circ \succsim } \subseteq { \succ }\) or \({ \succsim \circ \succ } \subseteq { \succ }\)). For a reduction pair and an int-TRS \({{\mathrm{\mathcal {R}}}}\), we define the sets \({{\mathrm{\mathcal {R}}}}_\succ = \{ \ell \rightarrow r \,\llbracket \varphi \rrbracket \mid \varphi \implies \ell \succ r \}\) and \({{\mathrm{\mathcal {R}}}}_\succsim = \{ \ell \rightarrow r \,\llbracket \varphi \rrbracket \mid \varphi \implies \ell \succsim r \}\).

Note that in contrast to the standard definition of reduction pairs [37], here \(\succsim \) does not have to be closed under contexts since we only regard rewrite steps at the root position.

Theorem 8

(Reduction Pairs From Projections) Let \({{\mathrm{\mathcal {R}}}}\) be an int-TRS. If \((\succsim _\mathcal {I\!A}, \succ _\mathcal {I\!A})\) is a reduction pair for \(\mathcal {I\!A}({{\mathrm{\mathcal {R}}}})\), then \((\succsim , \succ )\) is a reduction pair for \({{\mathrm{\mathcal {R}}}}\) where \(t_1 \succ t_2\) holds iff \(\mathcal {I\!A}(t_1) \succ _\mathcal {I\!A}\mathcal {I\!A}(t_2)\) and \(t_1 \succsim t_2\) holds iff \(\mathcal {I\!A}(t_1) \succsim _\mathcal {I\!A}\mathcal {I\!A}(t_2)\). The same holds for the restriction \(\mathcal {T\!A}\).

Proof

We show that transitivity of \(\succsim _\mathcal {I\!A}\) implies transitivity of \(\succsim \). Note that \(t_1 \succsim t_2\) and \(t_2 \succsim t_3\) implies \(\mathcal {I\!A}(t_1) \succsim _\mathcal {I\!A}\mathcal {I\!A}(t_2)\) and \(\mathcal {I\!A}(t_2) \succsim _\mathcal {I\!A}\mathcal {I\!A}(t_3)\) by definition. By transitivity of \(\succsim _\mathcal {I\!A}\), we have \(\mathcal {I\!A}(t_1) \succsim _\mathcal {I\!A}\mathcal {I\!A}(t_3)\) which implies \(t_1 \succsim t_3\). For all other properties, the proof is completely analogous. \(\square \)

To prove Theorem 11, we need a few intermediate lemmas. First, we show that \(\mathsf {th}\) is “monotonic” w.r.t. data substitutions, i.e., for any term t, its term height \(\mathsf {th}(t)\) is not greater than the term height of any instantiation \(t\sigma \).

Lemma 17

(Term Height is Monotonic w.r.t. Substitutions) Let \(t \in {{\mathrm{\mathcal {T}}}}(\mathbb {Z} \, \cup {\varSigma }_c, {{\mathrm{\mathcal {V}}}})\) and \(\sigma : {{\mathrm{\mathcal {V}}}}\rightarrow {{\mathrm{\mathcal {T}}}}(\mathbb {Z} \cup {\varSigma }_c, {{\mathrm{\mathcal {V}}}})\). Then \(\mathsf {th}(t) \le \mathsf {th}(t\sigma )\).

Proof

The proof is by induction on the term structure. In the base case, we either have \(t \in \mathbb {Z}\) and then \(t = t\sigma \) and thus \(\mathsf {th}(t) = \mathsf {th}(t\sigma )\), or \(t \in {{\mathrm{\mathcal {V}}}}\) and then \(\mathsf {th}(t) = 0 \le \mathsf {th}(t\sigma )\). In the induction step, let \(t = f(t_1, \ldots , t_n)\). Then we have

\(\square \)

We also need the following lemma about the relation between the term height of a variable occurring at a term position of t and the term height of t.

Lemma 18

(Lower Bounds for Term Height) Let \(t \in {{\mathrm{\mathcal {T}}}}(\mathbb {Z} \cup {\varSigma }_c, {{\mathrm{\mathcal {V}}}})\), \(x \in {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(t)\), and \(\sigma : {{\mathrm{\mathcal {V}}}}\rightarrow {{\mathrm{\mathcal {T}}}}(\mathbb {Z} \cup {\varSigma }_c, {{\mathrm{\mathcal {V}}}})\). Then \(\mathsf {th}(x\sigma ) + \mathsf {nl}(t, x) \le \mathsf {th}(t\sigma )\).

Proof

We prove the lemma by induction. In the base case, \(x \in {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(t)\) implies \(t = x\). Then \(\mathsf {th}(x\sigma ) + \mathsf {nl}(x, x) = \mathsf {th}(x\sigma )\). In the induction step, let \(t = f(t_1, \ldots , t_n)\). Then we have

\(\square \)

Finally, we also prove the following lemma about the relation between the term height of an instantiated term \(t\sigma \) and the term heights \(\mathsf {th}(x\sigma )\) of the variables x occurring in t. In this way, we obtain an upper bound for the term height \(\mathsf {th}(t\sigma )\).

Lemma 19

(Upper Bounds for Term Height) Let \(t \in {{\mathrm{\mathcal {T}}}}(\mathbb {Z} \cup {\varSigma }_c, {{\mathrm{\mathcal {V}}}})\) and \(\sigma : {{\mathrm{\mathcal {V}}}}\rightarrow {{\mathrm{\mathcal {T}}}}(\mathbb {Z} \cup {\varSigma }_c, {{\mathrm{\mathcal {V}}}})\). Then \(\mathsf {th}(t\sigma ) \le \max \{ \mathsf {th}(t), \max \{ \mathsf {th}(x\sigma ) + \mathsf {nl}(t, x) \mid x \in {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(t) \} \}\).

Proof

Again, we prove the lemma by induction. In the base case, we consider three cases. For \(t = x \in {{\mathrm{\mathcal {V}}}}\), we have \(\mathsf {th}(x\sigma ) = \max \{ \mathsf {th}(x), \mathsf {th}(x\sigma ) + \mathsf {nl}(x,x) \}\), since \(\mathsf {th}(x) = \mathsf {nl}(x,x) = 0\). For \(t \in {\varSigma }_c\), we have \(\mathsf {th}(t\sigma ) = \mathsf {th}(t) = 1 = \max \{ \mathsf {th}(t) \}\). Finally, for \(t \in \mathbb {Z}\), we have \(\mathsf {th}(t\sigma ) = 0\), which is a lower bound for any term height. In the induction step, let \(t = f(t_1, \ldots , t_n)\).

\(\square \)

For the proof of Theorem 11, we define the replacement of non-integer subterms by their height formally.

Definition 20

(Term Height Projection \(\pi _\mathsf {th}\)) Let \(t = f(t_1, \ldots , t_n)\) for some \(f \in {\varSigma }_d\), \(t_1, \ldots , t_n \in {{\mathrm{\mathcal {T}}}}(\mathbb {Z} \cup {\varSigma }_c, {{\mathrm{\mathcal {V}}}})\). Then \(\pi _\mathsf {th}(t) = f(\hat{t}_1, \ldots , \hat{t}_n)\) with

$$\begin{aligned} \hat{t}_i = {\left\{ \begin{array}{ll} t_i &{} \text {if } (f, i) \not \in \mathcal {T\!A}\\ \mathsf {th}(t_i) &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

We can now prove the soundness of termination proving by the term height projection.

Theorem 11

(Soundness of Term Height Projection) Let \({{\mathrm{\mathcal {R}}}}\) be an int-TRS. If \({\varPi }_\mathsf {th}({{\mathrm{\mathcal {R}}}})\) terminates, then \({{\mathrm{\mathcal {R}}}}\) also terminates.

Proof

We show that if \({{\mathrm{\mathcal {R}}}}\) has an infinite reduction \(t_1 \, {{\mathrm{\hookrightarrow }}}_{{{\mathrm{\mathcal {R}}}}} \, t_2 \, {{\mathrm{\hookrightarrow }}}_{{{\mathrm{\mathcal {R}}}}} \, \cdots \), then there is also the infinite reduction \(\pi _\mathsf {th}(t_1) \, {{\mathrm{\hookrightarrow }}}_{{\varPi }_\mathsf {th}({{\mathrm{\mathcal {R}}}})} \, \pi _\mathsf {th}(t_2) \, {{\mathrm{\hookrightarrow }}}_{{\varPi }_\mathsf {th}({{\mathrm{\mathcal {R}}}})} \, \cdots \) To this end, we prove that

for a suitable substitution \(\sigma '\). Let \(\ell = f(\ell _1,\ldots ,\ell _n)\) and \(r = g(r_1,\ldots ,r_m)\). Then according to Definition 10, we have \({\varPi }_\mathsf {th}(\ell \rightarrow r \,\llbracket \varphi \rrbracket ) = f(\ell _1',\ldots ,\ell _n') \rightarrow g(r_1', \ldots , r_m') \,\llbracket \varphi \wedge \psi \rrbracket \), where \(\ell _i'\) is a fresh variable \(h_i\) if \((f, i) \in \mathcal {T\!A}\), and otherwise \(\ell _i' = \ell _i\). Similarly, \(r_i'\) is a fresh variable \(h_i'\) if \((g, i) \in \mathcal {T\!A}\) and otherwise \(r_i' = r_i\). We now define \(\sigma '\) as follows.

$$\begin{aligned} \sigma '(x) = {\left\{ \begin{array}{ll} \mathsf {th}(\sigma (x)) &{} \text {if } x \in {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(\ell ) \cup {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(r)\\ \mathsf {th}(s_i) &{} \text {if } x = h_i\\ \mathsf {th}(t_i) &{} \text {if } x = h'_i\\ \sigma (x) &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

Now we show that \(f(\hat{s}_1,\ldots ,\hat{s}_n) \, {{\mathrm{\hookrightarrow }}}^{\sigma '}_{f(\ell _1',\ldots ,\ell _n') \rightarrow g(r_1', \ldots , r_m') \,\llbracket \varphi \wedge \psi \rrbracket } \, g(\hat{t}_1,\ldots ,\hat{t}_m)\).

First note that the left-hand side of the rule matches \(f(\hat{s}_1,\ldots ,\hat{s}_n)\) using the matcher \(\sigma '\). In other words, we have \(\ell _i' \sigma ' = \hat{s}_i\) for all \(1 \le i \le n\). The reason is that if \((f, i) \in \mathcal {T\!A}\), then \(\ell _i' \sigma ' = h_i \sigma ' = \mathsf {th}(s_i) = \hat{s}_i\). If \((f, i) \notin \mathcal {T\!A}\), then \(\ell _i' \sigma ' = \ell _i \sigma ' = \ell _i \sigma = s_i = \hat{s}_i\). For a similar reason, we have \(g(r_1', \ldots , r_m') \sigma ' = g(\hat{t}_1,\ldots ,\hat{t}_m)\).

It remains to prove that the constraint \((\varphi \wedge \psi )\sigma '\) is valid. As \(\sigma '\) behaves like \(\sigma \) on integer variables, we have \(\varphi \sigma ' = \varphi \sigma \), and thus validity of \(\varphi \sigma '\) follows from validity of \(\varphi \sigma \). So we need to consider only the additional conjuncts in \(\psi \).

Conjuncts of the form \(h_i \ge \mathsf {th}(\ell _i)\) for \((f,i) \in \mathcal {T\!A}\) are valid when instantiated with \(\sigma '\) because \((h_i \ge \mathsf {th}(\ell _i))\sigma '\) iff \(h_i\sigma '\ge \mathsf {th}(\ell _i)\) iff \(\mathsf {th}(s_i)\ge \mathsf {th}(\ell _i)\) iff \(\mathsf {th}(\ell _i\sigma )\ge \mathsf {th}(\ell _i)\). The validity of \(\mathsf {th}(\ell _i\sigma )\ge \mathsf {th}(\ell _i)\) follows from Lemma 17.

For conjuncts of the form \(x + \mathsf {nl}(\ell _i, x) \le h_i\) with \((f,i) \in \mathcal {T\!A}\) and \(x \in {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(\ell _i)\), we have \((x + \mathsf {nl}(\ell _i, x) \le h_i)\sigma '\) iff \(x\sigma ' + \mathsf {nl}(\ell _i, x) \le h_i\sigma '\) iff \(\mathsf {th}(x\sigma ) + \mathsf {nl}(\ell _i, x) \le \mathsf {th}(s_i)\) iff \(\mathsf {th}(x\sigma ) + \mathsf {nl}(\ell _i, x) \le \mathsf {th}(\ell _i\sigma )\). This is a consequence of Lemma 18.

Now we consider conjuncts of the form \(x \ge 0\) for \((f,i) \in \mathcal {T\!A}\) and \(x \in {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(\ell _i)\). Here we have \((x \ge 0)\sigma '\) iff \(x\sigma ' \ge 0\) iff \(\mathsf {th}(x\sigma ) \ge 0\). This is clearly valid as \(\mathsf {th}\) always yields a non-negative number. The validity of the corresponding conjuncts for the height variables \(h_i'\) on the right-hand side can be shown in an analogous way.

Finally, we consider the conjunct \(h'_i \le \max \{ \mathsf {th}(r_i) , \max \{ x + \mathsf {nl}(r_i, x) \mid x \in {{\mathrm{\mathcal {V}}}}_{\mathcal {T\!A}}(r_i) \}\}\) where \((g,i) \in \mathcal {T\!A}\) and \(x \in {{\mathrm{\mathcal {V}}}}_\mathcal {T\!A}(r_i)\). We have \((h'_i \le \max \{ \mathsf {th}(r_i) , \max \{ x + \mathsf {nl}(r_i, x) \mid x \in {{\mathrm{\mathcal {V}}}}_{\mathcal {T\!A}}(r_i) \}\}) \sigma '\) iff \(h'_i\sigma ' \le \max \{ \mathsf {th}(r_i) , \max \{ x\sigma ' + \mathsf {nl}(r_i, x) \mid x \in {{\mathrm{\mathcal {V}}}}_{\mathcal {T\!A}}(r_i) \}\}\) iff \(\mathsf {th}(t_i) \le \max \{ \mathsf {th}(r_i) , \max \{ \mathsf {th}(x\sigma ) + \mathsf {nl}(r_i, x) \mid x \in {{\mathrm{\mathcal {V}}}}_{\mathcal {T\!A}}(r_i) \}\}\) iff \(\mathsf {th}(r_i\sigma ) \le \max \{ \mathsf {th}(r_i) , \max \{ \mathsf {th}(x\sigma ) + \mathsf {nl}(r_i, x) \mid x \in {{\mathrm{\mathcal {V}}}}_{\mathcal {T\!A}}(r_i) \}\}\). This is a consequence of Lemma 19. \(\square \)