Certifying Confluence of QuasiDecreasing Strongly Deterministic Conditional Term Rewrite Systems
Abstract
We formalize a confluence criterion for the class of quasidecreasing strongly deterministic conditional term rewrite systems in Isabelle/HOL: confluence follows if all conditional critical pairs are joinable. However, quasidecreasingness, strong determinism, and joinability of conditional critical pairs are all undecidable in general. Therefore, we also formalize sufficient criteria for those properties, which we incorporate into the general purpose certifier CeTA as well as the confluence checker ConCon for conditional term rewrite systems.
1 Introduction
In the area of equational reasoning canonicity—that is, termination together with confluence—plays an important role towards deciding equations with respect to equational theories and for avoiding redundant computations and nondeterminism. In the presence of powerful methods and tools for proving termination [1, 11, 17, 18, 31, 33], the remaining issue is to also establish confluence.
For plain term rewrite systems (TRSs), this issue was settled early on by Newman’s Lemma [22], stating that any terminating relation is confluent iff it is locally confluent. Then, by the Critical Pair Lemma [15, 16], local confluence reduces to joinability of all critical pairs, which in turn, can be decided by exhaustive rewriting, due to termination.
However, for many applications plain TRSs are either inconvenient or not expressible enough, leading to several extensions of the base formalism. The one we are interested in here is conditional term rewriting. Two prominent areas where conditional rewriting is employed are the rewriting engines of modern proof assistants (like Isabelle’s simplifier [23]) and functional(logic) programming with whereclauses (like Haskell [21] and Curry [2]).
Example 1
Issue. Alas, even in the presence of termination, confluence is in general still undecidable for conditional term rewrite systems (CTRSs). While Avenhaus and LoríaSáenz [4] gave a critical pair criterion for quasireductive and strongly deterministic CTRSs: joinability of all conditional critical pairs (CCPs) implies confluence; joinability of CCPs is undecidable in general, due to the inherent complexities of conditional rewriting. This lead to the development of sufficient criteria that are implemented in confluence tools for CTRSs like ConCon [27].
Such tools ultimately aim at automatic (program) verification. But they are programs themselves, and rather complex ones at that. So why should we trust them? This consideration lead to the introduction of certification in the area of term rewriting [8, 9, 30]. Here, the output of an automated tool—the certificate—is checked by a formally verified certifier that is code generated from a formalization inside a proof assistant. This approach was already quite successful for termination and confluence of TRSs, where stateoftheart certifiers cover more than 80% of all generated certificates in the respective tool competitions [3, 13].
For confluence of CTRSs, not so many techniques are known and even less are formalized and certifiable.
Contribution and Summary. In Sect. 3, we formalize the CCP criterion of Avenhaus and LoríaSáenz [4, Theorem 4.2] (AL for short) and, based on our earlier work [28], strengthen it from quasireductivity to quasidecreasingness.
Moreover, to certify confluence of quasidecreasing and strongly deterministic CTRSs, we formalize the variant of AL replacing joinability of all CCPs by the requirement that every CCP is either unfeasible^{1} or contextjoinable (Sect. 4). Both unfeasibility and contextjoinability rely on the notion of contextual rewriting, which we formalize together with the crucial lemma that contextual rewriting implies conditional rewriting for satisfying substitutions, a result that was stated without proof by Avenhaus and LoríaSáenz [4, Lemma 4.2]. Unfeasibility further employs strong irreducibility, which like strong determinism is an undecidable property. Thus, we formalize these two properties together with the two sufficient and decidable criteria of absolute irreducibility and absolute determinism.
Along the way, we identify and fix some problems in proofs and definitions (of absolute irreducibility, contextual rewriting, and unfeasibility) and provide a (not entirely obvious) proof for [4, Lemma 4.2]. We further adapt the original proof of AL to the new definitions and extend it by infeasibility.
In Sect. 5, we point out some challenges concerning certification. Then, in Sect. 6, we give an overview of all the check functions that are new in CeTA. In Sect. 7, we evaluate our contribution through experiments on the confluence problems database (Cops) [10]. Finally, we conclude in Sect. 8.
2 Preliminaries
Example 2
A CCP \(u \approx v \Leftarrow c\) is said to be infeasible if its conditions are not satisfied by any substitution. Moreover, a CCP is joinable if \(u\sigma \downarrow _\mathcal {R} v\sigma \) for all substitutions \(\sigma \) that satisfy c. The topmost part of a term that does not change under rewriting (sometimes called its “cap”) can be approximated for example by the \(\mathsf {tcap}\) function [12]. Informally, \(\mathsf {tcap}(x)\) for a variable x results in a fresh variable, while \(\mathsf {tcap}(t)\) for a nonvariable term \(t = f(t_1,\ldots ,t_n)\) is obtained by recursively computing \(u = f(\mathsf {tcap}(t_1),\ldots ,\mathsf {tcap}(t_n))\) and then asserting \(\mathsf {tcap}(t) = u\) in case u does not unify with any lefthand side of rules in \(\mathcal {R} \), and a fresh variable, otherwise. It is well known that Open image in new window implies nonreachability of t from s. We denote the proper superterm relation by \(\mathrel {\rhd }\) and define \({\succ _\mathsf {st}}={(\succ \cup \mathrel {\rhd })^+}\) for any order \(\succ \). If \(\succ \) is a reduction order, then an SDTRS \(\mathcal {R} \) is quasireductive with respect to \(\succ \) if for every substitution \(\sigma \) and every rule \(\ell \rightarrow r \Leftarrow s_1 \approx t_1, \ldots , s_n \approx t_n\) in \(\mathcal {R} \) we have that \(s_j\sigma \succeq t_j\sigma \) for \(1 \leqslant j < i\) implies \(\ell \sigma \succ _\mathsf {st} s_{i}\sigma \) for all \(1 \leqslant i \leqslant n\), and \(s_j\sigma \succeq t_j\sigma \) for \(1 \leqslant j \leqslant n\) implies \(\ell \sigma \succ r\sigma \). An SDTRS \(\mathcal {R} \) is quasidecreasing if there exists a wellfounded order \(\succ \) such that \({\succ } = {\succ _\mathsf {st}}\), \(\rightarrow _{\mathcal {R}}\ \subseteq {\succ }\), and for all rules \(\ell \rightarrow r\Leftarrow s_1\approx t_1,\ldots ,s_n\approx t_n\) in \(\mathcal {R} \), all substitutions \(\sigma \), and \(1\leqslant i \leqslant n\), if \(s_j\sigma \rightarrow ^*_{\mathcal {R}} t_j \sigma \) for all \(1 \leqslant j < i\) then \(\ell \sigma \succ s_i \sigma \). Quasireductivity implies quasidecreasingness—a fact that is available in IsaFoR.
3 Confluence of QuasiDecreasing SDTRSs
The main result of Avenhaus and LoríaSáenz is the following theorem:
Theorem 1
([4, Theorem 4.1]). Let the SDTRS \(\mathcal {R} \) be quasireductive with respect to \(\succ \). Then \(\mathcal {R} \) is confluent iff all CCPs are joinable.
Below, we give our main theorem and walk through the formalized proof.
Theorem 2
Let the SDTRS \(\mathcal {R} \) be quasidecreasing with respect to \(\succ \). Then \(\mathcal {R} \) is confluent if all CCPs are joinable.
Proof
Assume that all critical pairs are joinable. We consider an arbitrary peak Open image in new window and prove \(t \downarrow _\mathcal {R} u\) by wellfounded induction with respect to \(\succ _\mathsf {st} \).
By induction hypothesis (IH) we have that for all terms \(t_0, t_1, t_2\) such that \({s}\succ _\mathsf {st} {t_0}\) and Open image in new window there exists a join Open image in new window .
If \(s = t\) or \(s = u\) then t and u are trivially joinable and we are done. So we may assume that the peak contains at least one step in each direction: Open image in new window .
 1.
a CCP which is joinable by assumption or we have
 2.a rootoverlap of variants of the same rule. Unlike in the unconditional case this could lead to nonjoinability of the ensuing critical pair because of the extravariables in the righthand sides of conditional rules. We have \(\rho _1\pi = \rho _2\) for some permutation \(\pi \). Moreover, \(s = \ell _1\sigma _1 = \ell _2\sigma _2\) and we haveWe will prove \(x\pi ^\sigma _1\downarrow _\mathcal {R} x\sigma _2\) for all x in \(\mathcal {V} (\rho _2)\). Since \(t' = r_1\sigma _1 = r_2\pi ^\sigma _1\) and \(u' = r_2\sigma _2\) this shows \(t' \downarrow _\mathcal {R} u'\). Because \(\mathcal {R} \) is terminating (by quasidecreasingness) we may define two normalized substitutions \(\sigma '_i\) such that We prove \(x\sigma '_1 = x\sigma '_2\) for \(x \in \mathcal {E} \mathcal {V} (\rho _2)\) by an inner induction on the length of \(c_2 = s_1 \approx t_1, \ldots , s_n \approx t_n\). If \(\rho _2\) has no conditions this holds vacuously because there are no extra variables. In the step case the inner induction hypothesis (IH\(_i\)) is that \(x\sigma '_1 = x\sigma '_2\) for \(x \in \mathcal {V} (s_1,t_1,\ldots ,s_i,t_i)\mathcal {V} (\ell _2)\) and we have to show that \(x\sigma '_1 = x\sigma '_2\) for \(x \in \mathcal {V} (s_1,t_1,\ldots ,s_{i+1},t_{i+1})\mathcal {V} (\ell _2)\). If \(x \in \mathcal {V} (s_1,t_1,\ldots ,s_i,t_i,s_{i+1})\) we are done by the IH\(_i\) and strong determinism of \(\mathcal {R} \). So assume \(x \in \mathcal {V} (t_{i+1})\). From strong determinism of \(\mathcal {R} \), (7) and (8), and the IH\(_i\) we have that \(y\sigma '_1 = y\sigma '_2\) for all \(y\in \mathcal {V} (s_{i+1})\) and thus \(s_{i+1}\sigma '_1 = s_{i+1}\sigma '_2\). With this we can find a join between \(t_{i+1}\sigma '_1\) and \(t_{i+1}\sigma '_2\) by applying the IH twice as shown in Fig. 1b. Since \(t_{i+1}\) is strongly irreducible and \(\sigma '_1\) and \(\sigma '_2\) are normalized, this yields \(t_{i+1}\sigma '_1 = t_{i+1}\sigma '_2\) and thus \(x\sigma '_1 = x\sigma '_2\).$$\begin{aligned} \pi ^\sigma _1= \sigma _2~[\mathcal {V} (\ell _2)] \end{aligned}$$(7)
 3.We are left with the case that there is a variable position \(q'\) in \(\ell _1\) such that \(q = q'r'\) for some position \(r'\). Let x be the variable \(\ell _1_{q'}\). Then \(x\sigma _1_{r'} = \ell _2\sigma _2\), which implies \(x\sigma _1 \rightarrow ^*_{\mathcal {R}} x\sigma _1[r_2\sigma _2]_{r'}\). Now let \(\tau \) be the substitution such that \(\tau (x) = x\sigma _1[r_2\sigma _2]_{r'}\) and \(\tau (y) = \sigma _1(y)\) for all \(y \ne x\), and \(\tau '\) some normalization, that is, \(y\tau \rightarrow ^*_{\mathcal {R}} y\tau '\) for all y. Moreover, note that We have \(u' = \ell _1\sigma _1[r_2\sigma _2]_q = \ell _1\sigma _1[x\tau ]_{q'} \rightarrow ^*_{\mathcal {R}} \ell _1\tau \), and thus \(u' \rightarrow ^*_{\mathcal {R}} \ell _1\tau '\). From (9) we have \(r_1\sigma _1 \rightarrow ^*_{\mathcal {R}} r_1\tau \) and thus \(t' = r_1\sigma _1 \rightarrow ^*_{\mathcal {R}} r_1\tau '\). Finally, we will show that \(\ell _1\tau ' \rightarrow _{\mathcal {R}} r_1\tau '\), concluding the proof of \(t' \downarrow _\mathcal {R} u'\). To this end, let \(s_i \approx t_i \in c_1\). By (9) and the definition of \(\tau '\) we obtain \(s_i\sigma _1 \rightarrow ^*_{\mathcal {R}} t_i\sigma _1 \rightarrow ^*_{\mathcal {R}} t_i\tau '\) and \(s_i\sigma _1 \rightarrow ^*_{\mathcal {R}} s_i\tau '\). Then \(s_i\tau ' \downarrow _\mathcal {R} t_i\tau '\) by IH and also \(s_i\tau ' \rightarrow ^*_{\mathcal {R}} t_i\tau '\), since \(t_i\) is strongly irreducible. \(\square \)
4 Certification
There are some complications for employing Theorem 2 in practice. Quasidecreasingness, strong irreducibility, and joinability of CCPs are all undecidable in general. For quasidecreasingness we fall back to the sufficient criterion that a deterministic 3CTRS is quasidecreasing if its unraveling (a transformation to an unconditional term rewrite system) is terminating. This result was formalized by Winkler and Thiemann [32] and is already available in IsaFoR. A sufficient condition for strong irreducibility is absolute irreducibility:
Definition 1
A term t is absolutely \(\mathcal {R} \)irreducible if none of its nonvariable subterms unify with any variabledisjoint variant of lefthand sides of rules in the CTRS \(\mathcal {R} \). A DTRS is called absolutely deterministic (or ADTRS for short) if for each rule all righthand sides of conditions are absolutely \(\mathcal {R} \)irreducible.
The proof of the following lemma [4, Lemma 4.1(a,b)] is immediate.
Lemma 1

If t is absolutely \(\mathcal {R} \)irreducible, then t is also strongly \(\mathcal {R} \)irreducible.

If \(\mathcal {R} \) is absolutely deterministic, then \(\mathcal {R} \) is also strongly deterministic. \(\square \)
We replace joinability of CCPs by infeasibility [26] (already part of IsaFoR) together with two further criteria which rely on contextual rewriting.
Definition 2
Consider a set C of equations between terms which we will call a context. First we define a function \(\overline{\cdot }\) on terms such that \(\overline{t}\) is the term t where each variable \(x\in \mathcal {V} (C)\) is replaced by a fresh constant \(\overline{x}\). Moreover, let \(\overline{C}\) denote the set C where all variables have been replaced by fresh constants \(\overline{x}\). For a CTRS \(\mathcal {R} \) we can make a contextual rewrite step, denoted by \(s \rightarrow _{{\mathcal {R}},C} t\), if we can make a conditional rewrite step with respect to the CTRS \(\mathcal {R} \cup \overline{C}\) from \(\overline{s}\) to \(\overline{t}\).
We formalized soundness of contextual rewriting [4, Lemma 4.2] as follows:
Lemma 2
If \(s \rightarrow ^*_{{\mathcal {R}},C} t\) then \(s\sigma \rightarrow ^*_{\mathcal {R}} t\sigma \) for all substitutions \(\sigma \) satisfying C.
This lemma is stated as obvious without proof by Avenhaus and LoríaSáenz. However, we deem the strengthened statement \((\star )\) below intricate enough to warrant a full proof (since without this strengthening, as far as we can tell, the outermost induction fails).
Proof
for any \(\sigma \) satisfying C. The base case is trivial. In the inductive step we have a rule \(\ell _{} \rightarrow r_{} \Leftarrow c_{} \in \mathcal {R} \cup \overline{C}\), a position p, and a substitution \(\tau \) such that \(s _p = \ell \tau \), \(t = s[r\tau ]_p\), and Open image in new window for all \(u \approx v \in c\). If \(\ell _{} \rightarrow r_{} \Leftarrow c_{} \in \mathcal {R} \), then we obtain Open image in new window for all \(u \approx v \in c\) by IH. Then Open image in new window can be shown by induction on the context \(s[\cdot ]_p\). Otherwise, \(\ell _{} \rightarrow r_{} \Leftarrow c_{} \in \overline{C}\) and thus c is empty, \(\ell \tau = \ell \), and \(r\tau = r\), since \(\overline{C}\) is an unconditional ground TRS. Moreover, there is a rule \(\ell ' \rightarrow r' \in C\) (thus also \(\mathcal {V} (\ell ', r') \subseteq \mathcal {V} (C)\)) such that \(\overline{\ell '} = \ell \) and \(\overline{r'} = r\). Again, the final result follows by induction on \(s[\cdot ]_p\).
Assume \(s \rightarrow _{{\mathcal {R}},C} t\). Then Open image in new window for some level n. Let \(\widetilde{t}\) denote the extension of \(\overline{t}\) where all variables x in t (that is, not just those in \(\mathcal {V} (C)\)) are replaced by fresh constants \(\overline{x}\). Note that \(\widetilde{t} = (\overline{t})(\lambda x.\, \overline{x})\) for every term t. But then also Open image in new window since conditional rewriting is closed under substitutions. Further note that \([\,\widetilde{t}\,]_{\sigma } = t\sigma \) for all t. Thus taking \(\widetilde{s}\) and \(\widetilde{t}\) for s and t in \((\star )\) we obtain \(s\sigma \rightarrow ^*_{{\mathcal {R}},n} t\sigma \). Since we just established the desired property for single contextual rewrite steps it is straightforward to extend it to rewrite sequences. \(\square \)
The above lemma is the key to overcome the undecidability issues of conditional rewriting. For example, for joinability of CCPs the problem is that a single joining sequence (as is usual in certificates for TRSs) does not prove joinability for all satisfying substitutions. However, contextual rewriting has this property.
Now we are able to define the two promised criteria for CCPs that employ contextual rewriting: contextjoinability and unfeasibility.
Definition 3
Let \(s \approx t \Leftarrow c\) be a CCP induced by an overlap between variabledisjoint variants \(\ell _{1} \rightarrow r_{1} \Leftarrow c_{1}\) and \(\ell _{2} \rightarrow r_{2} \Leftarrow c_{2}\) of rules in \(\mathcal {R} \) with mgu \(\mu \). We say that the CCP is unfeasible if we can find terms u, v, and w such that (1) for all \(\sigma \) that satisfy c we have \(\ell _1\mu \sigma \succ u\sigma \), (2) \(u \rightarrow ^*_{{\mathcal {R}},c} v\), (3) \(u \rightarrow ^*_{{\mathcal {R}},c} w\), and (4) v and w are both strongly irreducible and Open image in new window . Moreover, we call the CCP contextjoinable if there exists some term u such that \(s \rightarrow ^*_{{\mathcal {R}},c} u\) and \(t \rightarrow ^*_{{\mathcal {R}},c} u\).
Example 3
Due to Lemma 2 above, contextjoinability implies joinability of a CCP for arbitrary satisfying substitutions. The rationale for the definition of unfeasibility is a little bit more technical, since it only makes sense inside the proof (by induction) of the theorem below. Basically, unfeasibility is defined in such a way that unfeasible CCPs contradict the confluence of all \(\succ \)smaller terms, which we obtain as induction hypothesis.
In the original paper the definition of quasireductivity requires its order to be closed under substitutions. This property is used in the proof of [4, Theorem 4.2]. By a small change to the definition of unfeasibility we avoid this requirement for our extension to quasidecreasingness.
We are finally ready to state a concrete version of Theorem 2:
Theorem 3
Let the ADTRS \(\mathcal {R} \) be quasidecreasing with respect to \(\succ \). Then \(\mathcal {R} \) is confluent if all CCPs are contextjoinable, unfeasible, or infeasible.
Proof
 1.
If the CCP is contextjoinable, we obtain a join with respect to contextual rewriting which we can easily transform into a join with respect to \(\mathcal {R} \) by an application of Lemma 2 because we have a substitution satisfying the conditions of the CCP.
 2.
If the CCP is unfeasible, we obtain two diverging contextual rewrite sequences. Again since there is a substitution satisfying the conditions of the CCP we may employ Lemma 2 to get two diverging conditional \(\mathcal {R} \)rewrite sequences. Because \({\ell _1\sigma }\succ _\mathsf {st} {t_0}\) we can use the induction hypothesis to get a join between the two end terms. But from the definition of unfeasibility we also know that the end points are not unifiable (and hence are not the same) and cannot be rewritten (because of strong irreducibility), leading to a contradiction.
 3.
Finally, if the CCP is infeasible, then there is no substitution that satisfies its conditions, contradicting the fact that we already have such a substitution. \(\square \)
Example 4
The CTRS \(\mathcal {R} _{\mathsf {min}}\) from Example 1 is actually an ADTRS and also quasidecreasing. To conclude confluence of the system it remains to check its CCPs which are listed in Example 2. The first one, (1,2), is trivially contextjoinable because the left and righthand sides coincide. Unfortunately, the methods used in ConCon are not able to handle either of the CCPs (1,3) and (2,3). So we are not able to conclude confluence of \(\mathcal {R} _{\mathsf {min}}\) at this point.
We give a transformation on CTRSs which is often helpful in practice:
Definition 4
(Inlining of Conditions). Given a conditional rewrite rule \(\rho : \ell \rightarrow r \Leftarrow s_1 \approx t_1, \ldots , s_n \approx t_n\) and an index \(1 \leqslant i \leqslant n\) such that \(t_i = x\) for some variable x, let \(\mathsf {inl}_{i}(\rho )\) denote the rule resulting from inlining the ith condition of \(\rho \), that is, \(\ell \rightarrow r\sigma \Leftarrow s_1\sigma \approx t_1, \ldots ,s_{i1}\sigma \approx t_{i1}, s_{i+1}\sigma \approx t_{i+1},\ldots , s_n\sigma \approx t_n\) with \(\sigma = \{x \mapsto s_i\}\).
Lemma 3
Let \(\rho \in \mathcal {R} \) and \(s \approx x\) be the ith condition of \(\rho \). Whenever we have \(x \not \in \mathcal {V} (\ell ,s,t_1,\ldots ,t_{i1},t_{i+1},\ldots ,t_n)\), then the relations \({\rightarrow ^*_{\mathcal {R}}}\) and \({\rightarrow ^*_{\mathcal {R} '}}\), where \(\mathcal {R} ' = (\mathcal {R} \setminus \{\rho \}) \cup \{\mathsf {inl}_{i}(\rho )\}\), coincide.
Proof
We show \(\rightarrow _{{\mathcal {R}},n} \subseteq \rightarrow ^*_{{\mathcal {R}}',n}\) and \(\rightarrow _{{\mathcal {R}}',n} \subseteq \rightarrow _{{\mathcal {R}},n}\) by induction on the level n. For \(n = 0\) the result is immediate. Consider a step \(s = C[\ell \sigma ] \rightarrow _{{\mathcal {R}},n+1} C[r\sigma ] = t\) employing rule \(\rho \) (for the other rules of \(\mathcal {R} \) the result is trivial). Thus, \(u\sigma \rightarrow ^*_{{\mathcal {R}},n} v\sigma \) for all \(u \approx v \in c\). In particular \(s\sigma \rightarrow ^*_{{\mathcal {R}},n} x\sigma \). Thus, using the IH, for each condition \(u \approx v\) of \(\mathsf {inl}_{i}(\rho )\) we have \(1 \leqslant j \leqslant n\) such that Open image in new window . Hence, Open image in new window and thus \(s \rightarrow ^*_{{\mathcal {R}}',n+1} t\).
Now, consider a step Open image in new window employing rule \(\mathsf {inl}_{i}(\rho )\). Together with the IH this implies that \(u\sigma \rightarrow ^*_{{\mathcal {R}},n} v\sigma \) for all conditions \(u \approx v\) in \(\mathsf {inl}_{i}(\rho )\). Let \(\tau \) be a substitution such that \(\tau (x) = s\sigma \) and \(\tau (y) = \sigma (y)\) for all \(y \ne x\). We have \(s_i\tau = s\tau = x\tau = t_i\tau \) and \(s_j\tau = s_j\{x\mapsto s\}\sigma \rightarrow ^*_{{\mathcal {R}},n} t_j\sigma = t_j\tau \) for all \(1 \leqslant j \leqslant n\) with \(i \ne j\), since x neither occurs in s nor the righthand sides of conditions in \(\mathsf {inl}_{i}(\rho )\). Therefore, \(u \rightarrow ^*_{{\mathcal {R}},n} v\) for all \(u \approx v \in c\). In total, we have Open image in new window , concluding the proof. \(\square \)
We are not aware of any mention of this simple method in the literature, but found that in practice, exhaustive application of inlining increases the applicability of other methods like infeasibility via \(\mathsf {tcap}\) and nonconfluence via plain rewriting: for the former inlining yields more term structure, which may prevent \(\mathsf {tcap}\) from replacing a subterm by a fresh variable and thus makes nonunifiability more likely; while for the latter inlining may yield CCPs without conditions and thereby make them amenable to nonjoinability techniques for plain term rewriting [34].
Example 5
Again, the first CCP (1,\(2'\)) is trivially contextjoinable, (1,\(3'\)) is infeasible since \(\mathsf {tcap}({x< \mathsf {min} (\mathsf {nil})}) = {x < \mathsf {min} (\mathsf {nil})}\) and \(\mathsf {false} \) are not unifiable, and (\(2'\),\(3'\)) is unfeasible because with contextual rewriting we can reach the two nonunifiable normal forms \(\mathsf {true} \) and \(\mathsf {false} \) starting from \(x < \mathsf {min} (\textit{xs})\). Hence, we conclude confluence of the quasidecreasing ADTRS \(\mathcal {R} _{\mathsf {min}}\) by Theorem 3.
Inlining of conditions is implemented in ConCon 1.4.0 as a first preprocessing step and is certifiable by CeTA.
5 Certification Challenges
One of the main challenges towards actual certification is typically disregarded on paper: the definition of critical pairs may yield an infinite set of CCPs even for finite CTRSs. This is because we have to consider arbitrary variabledisjoint variants of rules. However, a hypothetical certificate would only contain those CCPs that were obtained from some specific variabledisjoint variants of rules. Now the argument typically goes as follows: modulo variable renaming there are only finitely many CCPs. Done.
However, this reasoning is valid only for properties that are either closed under substitution or at least invariant under renaming of variables. For joinability of plain critical pairs—arguably the most investigated case—this is indeed easy. But when it comes to contextual rewriting we spent a considerable amount of work on some results about permutations that were not available in IsaFoR.
Now what would a certificate contain and how would we have to check it? Amongst other things, the certificate would contain a finite set of CCPs \(\mathcal {C}'\) that were computed by some automated tool. Internally, our certifier computes its own finite set of CCPs \(\mathcal {C}\) where variabledisjoint variants of rules are created by fixed injective variable renaming functions \(v_x\) and \(v_y\), whose ranges are guaranteed to be disjoint. The former prefixes the character “x” and the latter the character “y” to all variable names, hence the names. At this point we have to check that for each CCP in \(\mathcal {C}\) there is one in \(\mathcal {C}'\) that is its variant, which is not too difficult. More importantly, we have to prove that whenever some desired property P, say contextjoinability, holds for any CCP, then P also holds for all of its variants (including the one that is part of \(\mathcal {C}\)).
To this end, assume that we have a CCP resulting from a critical overlap of the two rules \(\ell _{1} \rightarrow r_{1} \Leftarrow c_{1}\) and \(\ell _{2} \rightarrow r_{2} \Leftarrow c_{2}\) at position p with mgu \(\mu \). This means that there exist permutations \(\pi _1\) and \(\pi _2\) such that \((\ell _{1} \rightarrow r_{1} \Leftarrow c_{1})\pi _1\) and \((\ell _{2} \rightarrow r_{2} \Leftarrow c_{2})\pi _2\) are both in \(\mathcal {R} \). In our certifier, mgus are computed by the function \(\mathrm {mgu}(s, t)\) which either results in \(\textit{None}\), if Open image in new window , or in \(\textit{Some}\ \mu \) such that \(\mu \) is an mgu of s and t, otherwise. Moreover, variabledisjointness of rules is ensured by \(v_x\) and \(v_y\), so that we actually call \(\mathrm {mgu}(\ell _1_p\pi _1v_x, \ell _2\pi _2v_x)\) for computing a concrete CCP corresponding to the one we assumed above. Thus, we need to show that \(\mathrm {mgu}(\ell _1_p, \ell _2) = \textit{Some}\ \mu \) also implies that \(\mathrm {mgu}(\ell _1_p\pi _1v_x, \ell _2\pi _2y_v) = \textit{Some}\ \mu '\) for some mgu \(\mu '\). Moreover, we are interested in the relationship between \(\mu \) and \(\mu '\) with respect to the variables in both rules. Previously—for an earlier formalization of infeasibility [25]—IsaFoR only contained a result that related both unifiers modulo some arbitrary substitution (that is, not necessarily a renaming).
Unfortunately, contextual rewriting is not closed under arbitrary substitutions. Nevertheless, contextual rewriting is closed under permutations, provided the permutation is also applied to C.
Lemma 4
For every permutation \(\pi \) we have that \(s\pi \rightarrow ^*_{R,C\pi } t\pi \) iff \(s \rightarrow ^*_{R,C} t\). \(\square \)
It remains to show that \(\mu \) and \(\mu '\) differ basically only by a renaming (at least on the variables of our two rules), which is covered by the following lemma.
Lemma 5
Let \(\mathrm {mgu}(s, t) = \textit{Some}\ \mu \) and \(\mathcal {V} (s, t) \subseteq {S \cup T}\) for two finite sets of variables S and T with \({S \cap T} = \varnothing \). Then, there exist a substitution \(\mu '\) and a permutation \(\pi \) such that for arbitrary permutations \(\pi _1\) and \(\pi _2\): \(\mathrm {mgu}(s\pi _1v_x, t\pi _2v_y) = \textit{Some}\ \mu '\), \(\mu = \pi _1\mu 'v_x\pi ~[S]\), and \(\mu = \pi _2\mu 'v_y\pi ~[T]\).
Proof
Let \(h(x) = xv_x\pi _1\) if \(x \in S\) and \(h(x) = xv_y\pi _2\), otherwise. Then, since h is bijective between \(S \cup T\) and \(h(S \cup T)\) we can obtain a permutation \(\pi \) for which \(\pi = h~[S \cup T]\). We define \(\mu ' = ^\pi \mu \) and abbreviate \(s\pi _1v_x\) and \(t\pi _2v_y\) to \(s'\) and \(t'\), respectively. Note that \(s' = s\pi \) and \(t' = t\pi \). Since \(\mu \) is an mgu of s and t we have \(s\mu = t\mu \), which further implies \(s' \mu ' = t' \mu '\). But then \(\mu '\) is a unifier of \(s'\) and \(t'\) and thus there exists some \(\mu ''\) for which \(\mathrm {mgu}(s',t') = \textit{Some}~\mu ''\) and \(s'\mu '' = t'\mu ''\).
We now show that \(\mu '\) is also most general. Assume \(s'\tau = t'\tau \) for some \(\tau \). Then \(s \pi \tau = t\pi \tau \) and thus there exists some \(\delta \) such that \(\pi \tau = \mu \delta \) (since \(\mu \) is most general). But then \(\pi ^\pi \tau = \pi ^\mu \delta \) and thus \(\tau = \mu '\delta \). Hence, \(\mu '\) is most general.
Since \(\mu ''\) is most general too, it only differs by a renaming, say \(\pi '\), from \(\mu '\), that is, \(\mu '' = \pi '\mu '\). This yields \(\mu = \pi _1\mu ''v_x\pi '^~[S]\) and \(\mu = \pi _2\mu ''v_y\pi '^[T]\), and thus concludes the proof. \(\square \)
6 Available Check Functions
Before we can actually certify the output of CTRS confluence tools with CeTA, we have to provide an executable check function for each property that is required to apply Theorem 3 and prove its soundness. It is worth mentioning that the return type of these check functions is only “morally” bool. In order to have nice error messages we actually employ a monad. So whenever we need to handle the result of a check function as bool we encapsulate it in a call to \(\textit{isOK}\) which results in \(\textit{False}\) if there was an error and \(\textit{True}\), otherwise.
As mentioned earlier, the check functions for quasidecreasingness and infeasibility are already in place. It remains to provide new check functions for absolute irreducibility, absolute determinism, contextual rewrite sequences, contextjoinability, and unfeasibility together with their corresponding soundness proofs. For absolute irreducibility we provide the check function \(\textit{checkairr}\), employing existing machinery from IsaFoR for renaming and unification, and prove:
Lemma 6
\(\textit{isOK}\ (\textit{checkairr}\ \mathcal {R}\ t)\) iff the term t is absolutely \(\mathcal {R} \)irreducible. \(\square \)
This, in turn, is used to define the check function \(\textit{checkadtrs}\) and the accompanying lemma for ADTRSs.
Lemma 7
\(\textit{isOK}\ (\textit{checkadtrs}\ \mathcal {R})\) iff \(\mathcal {R} \) is an ADTRS. \(\square \)
Concerning contextual rewriting, we provide the check function \(\textit{checkcsteps}\) for conditional rewrite sequences together with the following lemma:
Lemma 8
Given a CTRS \(\mathcal {R} \), a set of conditions C, two terms s and t, and a list of conditional rewrite proofs \(\textit{ps}\), we have that \(\textit{isOK}\ (\textit{checkcsteps}\ (\mathcal {R} \cup \overline{C})\ \overline{s}\ \overline{t}\ \overline{\textit{ps}})\) implies \(s \rightarrow ^*_{{\mathcal {R}},C} t\). \(\square \)
Although conditional rewriting is decidable in our setting (strong determinism and quasidecreasingness), we require a conditional rewrite proof to provide all the necessary information for checking a single conditional rewrite step (the employed rule, position, and substitution; source and target terms; and recursively, a list of rewrite proofs for each condition of the applied rule). That way, we avoid having to formalize a rewriting engine for conditional rewriting in IsaFoR. With a check function for contextual rewrite sequences in place, we can easily give the check function \(\textit{checkcontextjoinable}\) with the corresponding lemma:
Lemma 9
Given a CTRS \(\mathcal {R} \), three terms s, t, and u, a set of conditions C, and two lists of conditional rewrite proofs \(\textit{ps}\) and \(\textit{qs}\), we have that\(\textit{isOK}\ (\textit{checkcontextjoinable}\ u\ ps\ qs\ \mathcal {R}\ s\ t\ C)\) implies that there exists some term \(u'\) such that Open image in new window . \(\square \)
Here \(\textit{checkcontextjoinable}\) is a concrete implementation of the homonymous function from the \(\textit{al94spec}\) locale. We further give the check function \(\textit{checkunfeasible}\) and the accompanying soundness lemma:
Lemma 10
Given a quasidecreasing CTRS \(\mathcal {R} \), two variabledisjoint variants of rules \(\rho _1:\ell _{1} \rightarrow r_{1} \Leftarrow c_{1}\) and \(\rho _2:\ell _{2} \rightarrow r_{2} \Leftarrow c_{2}\) in \(\mathcal {R} \), an mgu \(\mu \) of \(\ell _1_p\) and \(\ell _2\) for some position p, a set of conditions C such that \(C = c_1\mu , c_2\mu \), three terms t, u, and v, and two lists of conditional rewrite proofs \(\textit{ps}\) and \(\textit{qs}\), we have that \(\textit{isOK}\ (\textit{checkunfeasible}\ t\ u\ v\ ps\ qs\ \rho _1\ \rho _2\ \mathcal {R}\ \ell _1\ \mu \ C)\) implies that there exist three terms \(t'\), \(u'\), and \(v'\) such that for all \(\sigma \) we have \(\ell _1\mu \sigma \succ t'\sigma \), whenever \(\sigma \) satisfies C, Open image in new window , \(u'\) and \(v'\) are both strongly irreducible, and Open image in new window . \(\square \)
Again, \(\textit{checkunfeasible}\) is a concrete implementation of the function of the same name from the \(\textit{al94spec}\) locale and it additionally performs various sanity checks.
At this point, interpreting the \(\textit{al94spec}\) locale using the three check functions \(\textit{checkcontextjoinable}\), \(\textit{checkinfeasible}\), and \(\textit{checkunfeasible}\) from above yields the concrete function \(\textit{checkCCPs}\), which is used in the final check \(\textit{checkal94}\).
Lemma 11
Given a quasidecreasing CTRS \(\mathcal {R} \), a list of contextjoinability certificates c, a list of infeasibility certificates i, and a list of unfeasibility certificates u. Then, \(\textit{isOK}\ (\textit{checkal94}\ c\ i\ u\ \mathcal {R})\) implies confluence of \(\mathcal {R} \). \(\square \)
7 Experiments
Comparison on 119 oriented 3CTRSs from Cops.
ConCon  A  A + i  N  N + i  T  T + i 

1.3.2  42 (0) / 7 (0)    26 (0)    82 (38)   
1.4.0  46 (43) / 8 (11)  47(44) / 8 (11)  27 (27)  29 (29)  84 (77)  86 (79) 
In total, ConCon 1.3.2 can decide confluence of 82 systems. Of those, 56 are confluent and 26 are nonconfluent. Using only Theorem 3, 42 systems can be shown confluent. For 7 of these, none of the other methods are successful. Neither Theorem 3 nor the nonconfluence methods are certifiable in ConCon 1.3.2. However, in 38 cases (using other methods) the output of ConCon 1.3.2 is certifiable by CeTA. Also inlining of conditions is absent in ConCon 1.3.2.
The new version of ConCon can decide confluence of 86 systems. Of those, 57 are confluent and 29 are nonconfluent. Seven of the generated confluence proofs cannot be certified by CeTA. This is due to an infeasibility method (using equational reasoning) that is not yet formalized. In contrast, all of the nonconfluence proofs can be certified by CeTA. When we subtract the certifiably nonconfluent systems we are left with 72 potentially confluent ADTRSs. From those 52 are certifiably quasidecreasing. Theorem 3 succeeds on 46 of these quasidecreasing ADTRSs (and can be certified for 43 of them). For three of these systems (288, 292, 326) testing for infeasibility is essential. When using inlining of conditions we gain another (certifiably) confluent system (493). Finally, independent of inlining of conditions, there are 8 systems where only Theorem 3 is successful. In the certifiable case this number increases to 11 systems (because for 3 systems the other methods are not certifiable). The most important message of Table 1 is that with the new versions of ConCon and CeTA the number of certifiably (non)confluent systems has more than doubled from 38 to 79, which means that more than 90% of the (non)confluence proofs for CTRSs are certifiable.
8 Conclusion and Future Work
Even in the presence of a suitable notion of termination (like quasidecreasingness), proving confluence of conditional term rewrite systems is still hard (unlike in the unconditional case, where confluence is decidable.)
We formalized a characterization of confluence of quasidecreasing strongly deterministic CTRSs in Isabelle/HOL. It requires joinability of all conditional critical pairs, which is undecidable in general. Moreover, we formalized a more practical variant of the previous characterization for which each conditional critical pair must be either contextjoinable, unfeasible, or infeasible. These properties, in turn, rely on strong irreducibility, which like strong determinism is undecidable in general. Thus, we further formalized decidable sufficient criteria.
In total, this paper constitutes the necessary work for the actual certification of confluence of quasidecreasing SDTRSs, which complements our existing check functions for certifying confluence of CTRSs [26, 32]. We have extended our confluence tool ConCon and the certifier CeTA accordingly.
Here is a rough impression of the involved effort: our formalization comprises 28 definitions, 14 recursive functions, and 83 lemmas with proofs, on approximately 2500 lines of Isabelle code (in addition to everything that we could reuse from the IsaFoR library). The whole development took about 6 personmonths.
Future Work. Concerning certification, our extension from quasireductive to quasidecreasing CTRSs is at the moment only of theoretical relevance, since the only way of certifying quasidecreasingness with CeTA is via quasireductivity.
In principle it may be useful to use methods for proving operational termination [20]—a notation equivalent to quasidecreasingness [19]—in order to increase the applicability of Theorem 3. However, IsaFoR is currently lacking the proof that operational termination and quasidecreasingness coincide. Also, none of the methods for proving operational termination have been formalized so far. Moreover, when running AProVE [11] and MUTERM [1] on the 72 ADTRSs of Cops which have not already been shown to be nonconfluent, the former can show operational termination of the same 52 systems for which ConCon could show quasireductivity, and the latter can show two additional systems (266, 278), while losing another one (362). Of course, this insignificant difference could be due to our example database.
Open Problem. After having finished our formalization, we realized that it is not known whether quasidecreasingness differs from quasireductivity at all, that is, the question whether there exists a quasidecreasing CTRS that is not quasireductive, is still open. Regardless, we agree with Ohlebusch [24] that quasidecreasingness has two advantages: (1) it does not depend on signature extensions and (2) \(\ell \sigma \succ _\mathsf {st} s_{i}\sigma \) is only required if \(s_j\sigma \rightarrow ^*_{\mathcal {R}} t_j\sigma \) instead of \(s_j\sigma \succeq t_j\sigma \). Point (1) is illustrated by the quasidecreasing CTRS \(\mathcal {R} _{\textsf {qd}}= \{\mathsf {f} (\mathsf {b})\rightarrow \mathsf {f} (\mathsf {a}), \mathsf {b} \rightarrow \mathsf {c}, \mathsf {a} \rightarrow \mathsf {c} \Leftarrow \mathsf {b} \approx \mathsf {c} \}\). Assume that \(\mathcal {R} _{\textsf {qd}}\) is quasireductive with respect to \(\succ \). Then, \(\mathsf {f} (\mathsf {b}) \succ \mathsf {f} (\mathsf {a})\) and \(\mathsf {a} \mathrel {({\succ }\cup {\mathrel {\rhd }})}^+ \mathsf {b} \). If we are not allowed to introduce fresh function symbols, the latter implies \(\mathsf {a} \succ \mathsf {b} \), for otherwise, we would have \(\mathsf {a} \succ \mathsf {f} ^k(\mathsf {b}) \mathrel {\unrhd }\mathsf {b} \) for some \(k \geqslant 0\), which together with closure under contexts and transitivity of \(\succ \) contradicts the wellfoundedness of \(\succ \). But \(\mathsf {a} \succ \mathsf {b} \) also contradicts the wellfoundedness of \(\succ \).
Proof Assistant. We found Sledgehammer [6, 7] to be an indispensable tool for our development. On the one hand, to quickly discharge subgoals that seemed intuitively obvious but turned out tedious to prove, and on the other, as fast “fact finder” for the huge IsaFoR library (especially for the second author, who has not been involved in IsaFoR from the start).
Footnotes
 1.
 2.
For technical reasons, our formalization uses two locales (\(\textit{al94ops}\), \(\textit{al94spec}\)) here.
 3.
Detailed results are available at http://clinformatik.uibk.ac.at/experiments/2017/cade/.
Notes
Acknowledgments
We thank Bertram Felgenhauer and Julian Nagele for fruitful discussions on the subject matter. Moreover, we would like to thank the anonymous reviewers for their constructive and helpful comments.
References
 1.Alarcón, B., Gutiérrez, R., Lucas, S., NavarroMarset, R.: Proving termination properties with muterm. In: Johnson, M., Pavlovic, D. (eds.) AMAST 2010. LNCS, vol. 6486, pp. 201–208. Springer, Heidelberg (2011). doi: 10.1007/9783642177965_12 CrossRefGoogle Scholar
 2.Antoy, S., Hanus, M.: Functional logic programming. Commun. ACM 53(4), 74–85 (2010). doi: 10.1145/1721654.1721675 CrossRefGoogle Scholar
 3.Aoto, T., Hirokawa, N., Nagele, J., Nishida, N., Zankl, H.: Confluence competition 2015. In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 101–104. Springer, Cham (2015). doi: 10.1007/9783319214016_5 CrossRefGoogle Scholar
 4.Avenhaus, J., LoríaSáenz, C.: On conditional rewrite systems with extra variables and deterministic logic programs. In: Pfenning, F. (ed.) LPAR 1994. LNCS, vol. 822, pp. 215–229. Springer, Heidelberg (1994). doi: 10.1007/3540582169_40 CrossRefGoogle Scholar
 5.Baader, F., Nipkow, T.: Term Rewriting and All That. Cambridge University Press, Cambridge (1998)CrossRefzbMATHGoogle Scholar
 6.Blanchette, J., Paulson, L.: Hammering away  a user’s guide to sledgehammer for Isabelle/HOL (2010). https://isabelle.in.tum.de/dist/doc/sledgehammer.pdf
 7.Blanchette, J.C., Kaliszyk, C., Paulson, L.C., Urban, J.: Hammering towards QED. J. Formalized Reasoning 9(1), 101–148 (2016). doi: 10.6092/issn.19725787/4593 MathSciNetGoogle Scholar
 8.Blanqui, F., Koprowski, A.: CoLoR: a Coq library on wellfounded rewrite relations and its application to the automated verification of termination certificates. Math. Struct. Comput. Sci. 21(4), 827–859 (2011). doi: 10.1017/S0960129511000120 MathSciNetCrossRefzbMATHGoogle Scholar
 9.Contejean, É., Courtieu, P., Forest, J., Pons, O., Urbain, X.: Automated certified proofs with C \(i\) ME 3 In: Proceedings of the 22nd International Conference on Rewriting Techniques and Applications (RTA). LIPIcs, vol. 10, pp. 21–30. Schloss Dagstuhl (2011), doi: 10.4230/LIPIcs.RTA.2011.21
 10.Cops: The confluence problems database. http://cops.uibk.ac.at/?q=ctrs
 11.Giesl, J., SchneiderKamp, P., Thiemann, R.: AProVE 1.2: automatic termination proofs in the dependency pair framework. In: Furbach, U., Shankar, N. (eds.) IJCAR 2006. LNCS, vol. 4130, pp. 281–286. Springer, Heidelberg (2006). doi: 10.1007/11814771_24 CrossRefGoogle Scholar
 12.Giesl, J., Thiemann, R., SchneiderKamp, P.: Proving and disproving termination of higherorder functions. In: Gramlich, B. (ed.) FroCoS 2005. LNCS (LNAI), vol. 3717, pp. 216–231. Springer, Heidelberg (2005). doi: 10.1007/11559306_12 CrossRefGoogle Scholar
 13.Giesl, J., Mesnard, F., Rubio, A., Thiemann, R., Waldmann, J.: Termination competition (termCOMP 2015). In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 105–108. Springer, Cham (2015). doi: 10.1007/9783319214016_6 CrossRefGoogle Scholar
 14.Hirokawa, N., Middeldorp, A., Sternagel, C.: A new and formalized proof of abstract completion. In: Klein, G., Gamboa, R. (eds.) ITP 2014. LNCS, vol. 8558, pp. 292–307. Springer, Cham (2014). doi: 10.1007/9783319089706_19 Google Scholar
 15.Huet, G.: Confluent reductions: abstract properties and applications to term rewriting systems. J. ACM 27(4), 797–821 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
 16.Knuth, D., Bendix, P.: Simple word problems in universal algebras. In: Leech, J. (ed.) Computational Problems in Abstract Algebra, pp. 263–297. Pergamon Press (1970)Google Scholar
 17.Kop, C.: Higherorder termination: automatable techniques for proving termination of higherorder term rewriting systems. Ph.D. thesis, VU University Amsterdam (2012). http://hdl.handle.net/1871/39346
 18.Korp, M., Sternagel, C., Zankl, H., Middeldorp, A.: Tyrolean Termination Tool 2. In: Treinen, R. (ed.) RTA 2009. LNCS, vol. 5595, pp. 295–304. Springer, Heidelberg (2009). doi: 10.1007/9783642023484_21 CrossRefGoogle Scholar
 19.Lucas, S., Marché, C., Meseguer, J.: Operational termination of conditional term rewriting systems. Inf. Process. Lett. 95(4), 446–453 (2005). doi: 10.1016/j.ipl.2005.05.002 MathSciNetCrossRefzbMATHGoogle Scholar
 20.Lucas, S., Meseguer, J.: Dependency pairs for proving termination properties of conditional term rewriting systems. J. Logical Algebraic Methods Program. 86(1), 236–268 (2017). doi: 10.1016/j.jlamp.2016.03.003 MathSciNetCrossRefzbMATHGoogle Scholar
 21.Marlow, S.: Haskell 2010 language report. https://www.haskell.org/definition/haskell2010.pdf
 22.Newman, M.: On theories with a combinatorial definition of equivalence. Ann. Math. 43(2), 223–243 (1942)MathSciNetCrossRefzbMATHGoogle Scholar
 23.Nipkow, T.: Equational reasoning in Isabelle. Sci. Comput. Program. 12(2), 123–149 (1989). doi: 10.1016/01676423(89)900385 MathSciNetCrossRefzbMATHGoogle Scholar
 24.Ohlebusch, E.: Advanced Topics in Term Rewriting. Springer, New York (2002)CrossRefzbMATHGoogle Scholar
 25.Sternagel, C., Sternagel, T.: Levelconfluence of 3CTRSs in Isabelle/HOL. In: Proceedings of the 4th International Workshop on Confluence (IWC), arXiv:1602.07115 (2015)
 26.Sternagel, C., Sternagel, T.: Certifying confluence of almost orthogonal CTRSs via exact tree automata completion. In: Proceedings of the 1st International Conference on Formal Structures for Computation and Deduction (FSCD). LIPIcs, vol. 51, pp. 29:1–29:16 (2016). doi: 10.4230/LIPIcs.FSCD.2016.29
 27.Sternagel, T., Middeldorp, A.: Conditional confluence (system description). In: Dowek, G. (ed.) RTA 2014. LNCS, vol. 8560, pp. 456–465. Springer, Cham (2014). doi: 10.1007/9783319089188_31 Google Scholar
 28.Sternagel, T., Sternagel, C.: Formalized confluence of quasidecreasing, strongly deterministic conditional TRSs. In: Proceedings of the 5th International Workshop on Confluence (IWC), arXiv:1609.03341 (2016)
 29.Stump, A., Sutcliffe, G., Tinelli, C.: StarExec: a crosscommunity infrastructure for logic solving. In: Demri, S., Kapur, D., Weidenbach, C. (eds.) IJCAR 2014. LNCS (LNAI), vol. 8562, pp. 367–373. Springer, Cham (2014). doi: 10.1007/9783319085876_28 Google Scholar
 30.Thiemann, R., Sternagel, C.: Certification of termination proofs using CeTA. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 452–468. Springer, Heidelberg (2009). doi: 10.1007/9783642033599_31 CrossRefGoogle Scholar
 31.Waldmann, J.: Matchbox: a tool for matchbounded string rewriting. In: Oostrom, V. (ed.) RTA 2004. LNCS, vol. 3091, pp. 85–94. Springer, Heidelberg (2004). doi: 10.1007/9783540259794_6 CrossRefGoogle Scholar
 32.Winkler, S., Thiemann, R.: Formalizing soundness and completeness of unravelings. In: Lutz, C., Ranise, S. (eds.) FroCoS 2015. LNCS (LNAI), vol. 9322, pp. 239–255. Springer, Cham (2015). doi: 10.1007/9783319242460_15 CrossRefGoogle Scholar
 33.Yamada, A., Kusakari, K., Sakabe, T.: Nagoya termination tool. In: Dowek, G. (ed.) RTA 2014. LNCS, vol. 8560, pp. 466–475. Springer, Cham (2014). doi: 10.1007/9783319089188_32 Google Scholar
 34.Zankl, H., Felgenhauer, B., Middeldorp, A.: CSI – a confluence tool. In: Bjørner, N., SofronieStokkermans, V. (eds.) CADE 2011. LNCS, vol. 6803, pp. 499–505. Springer, Heidelberg (2011). doi: 10.1007/9783642224386_38 CrossRefGoogle Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.