Verifying Higher-Order Functions with Tree Automata

. This paper describes a fully automatic technique for verifying safety properties of higher-order functional programs. Tree automata are used to represent sets of reachable states and functional programs are modeled using term rewriting systems. From a tree automaton representing the initial state, a completion algorithm iteratively computes an automaton which over-approximates the output set of the program to verify. We identify a subclass of higher-order functional programs for which the completion is guaranteed to terminate. Precision and termination are obtained conjointly by a careful choice of equations between terms. The veriﬁcation objective can be used to generate sets of equations automatically. Our experiments show that tree automata are suﬃciently expressive to prove intricate safety properties and suﬃciently simple for the veriﬁcation result to be certiﬁed in Coq.


Introduction
Higher-order functions are an integral feature of modern programming languages such as Java, Scala or JavaScript, not to mention Haskell and Caml.Higher-order functions are useful for program structuring but pose a challenge when it comes to reasoning about the correctness of programs that employ them.To this end, the correctness-minded software engineer can opt for proving properties interactively with the help of a proof assistant such as Coq [13] or Isabelle/HOL [30], or write a specification in a formalism such as Liquid Types [31] or Bounded Refinement Types [34,33] and ask an SMT solver whether it can prove the verification conditions generated from this specification.This approach requires expertise of the formal method used, and both the proof construction and the annotation phase can be time consuming.
Another approach is based on fully automated verification tools, where the proof is carried out automatically without annotations or intermediate lemmas.This approach is accessible to a larger class of programmers but applies to a more restricted class of program properties.The flow analysis of higher-order functions was studied by Jones [21] who proposed to model higher-order functions as term rewriting systems and use regular grammars to approximate the result.More recently, the breakthrough results of Ong et al. [29] and Kobayashi [23,24,26] show that combining abstraction with model checking techniques can be used with success to analyse higher-order functions automatically.Their approach relies on abstraction for computing over-approximations of the set of reachable states, on which safety properties can then be verified.
In this paper, we pursue the goals of higher-order functional verification using an approach based on the original term rewriting models of Jones.We present a formal verification technique based on Tree Automata Completion (TAC) [20], capable of checking a class of properties, called regular properties, of higher-order programs in a fully automatic manner.In our approach, a program is represented as a term rewriting system R and the set of (possibly infinite) inputs to this program as a tree automaton A. The TAC algorithm computes a new automaton A * , by completing A with all terms reachable from A by R-rewriting.This automaton representation of the reachable terms contains all intermediate states as well as the final output of the program.Checking correctness properties of the program is then reduced to checking properties of the computed automaton.Moreover, our completion-based approach permits to certify automatically A * in Coq [6], i.e. given A, R and A * , obtain the formal proof that A * recognizes all terms reachable from A by R-rewriting.
We want to check that for all lists l of natural numbers, @(@(filter , odd ), l) filters out all even numbers.One way to do this is to write a higher-order predicate, exists, and check that there exists no even number in the resulting list, i.e. that @(@(exists, even), @(@(filter , odd ), l)) always rewrites to false.Let A be the tree automaton recognising terms of form @(@(exists, even), @(@(filter , odd ), l)) where l is any list of natural numbers.The completion algorithm computes an automaton A * recognising every term reachable from L(A) (the set of terms recognised by A) using R with the definition of the exists function.Formally, To prove the expected property, it suffices to check that true is not reachable, i.e. true does not belong to the regular set L(A * ).We denote by regular properties the family of properties characterised by a regular set.In particular, regular properties do not count symbols in terms, nor relate subterm heights (a property comparing the length of the list before and after filter is not regular) Termination of the tree automata completion algorithm is not ensured in general [19].For instance, if R * (L(A)) is not regular, it cannot be represented as a tree automaton.In this case, the user can provide a set of equations that will force termination by introducing an approximation based on equational abstraction [27]: L(A * ) ⊇ R * (L(A)).Equations make TAC powerful enough to verify first-order functional programs [19].However, state-of-the-art TAC has two short-comings.(i) Equations must be given by the user, which goes against full automation, and (ii) even with equations, termination is not guaranteed in the case of higher-order programs.In this paper we propose a solution to these shortcomings with the following contributions: -We state and prove a general termination theorem for the Tree Automata Completion algorithm (Section 3); -From the conditions of the theorem we characterise a class of higher-order functional programs for which the completion algorithm terminates (Section 4).This class covers common usage of higher-order features in functional programming languages.-We define an algorithm that is able to automatically generate equations for enforcing convergence, thus avoiding any user intervention (Section 5).
All proofs missing in this paper can be found in the accompanying technical report [17].The paper is organised as follow: We describe the completion algorithm and how to use equations to ensure termination in Section 2. The technical contributions as described above are developed in Sections 3 to 5. In Section 6, we present a series of experiments validating our verification technique, and discuss the certification of results in Coq.We present related work in Section 7. Section 8 concludes the paper.

Background
This section introduces basic concepts used throughout the paper.We recall the usual definitions of term rewriting systems and tree automata, and present the completion algorithm which forms the basis of our verification technique.

Term rewriting and tree automata
Terms.An alphabet F is a finite set of symbols, with an arity function ar : F → N. Symbols represent constructors such as nil or cons, or functions such as filter , etc.For simplicity, we also write f ∈ F n when f ∈ F and ar(f ) = n.
For instance, cons ∈ F 2 and nil ∈ F 0 .An alphabet F and finite set of variables X induces a set of terms T (F, X ) such that: A language is a set of terms.A term t is linear if the multiplicity of each variable in t is at most 1, and closed if it contains no variables.The set of closed terms is written T (F).A position in a term t is a word over N pointing to a subterm of t.Pos(t) is the set of positions in t, one for each subterm of t.It is defined by: where λ is the empty word and "." in i.p is the concatenation operator.For p ∈ Pos(t), we write t| p for the subterm of t at position p, and t[s] p for the term t where the subterm at position p has been replaced by s.We write s t if t is a subterm of s and s t if it is a subterm and s = t.If L ⊆ T (F), we write L for the language L and all its subterms.A substitution σ is an application of X → T (F, X ), mapping variables to terms.We tacitly extend it to the endomorphism σ : T (F, X ) → T (F, X ) where tσ is the result of the application of the term t to the substitution σ.Term rewriting systems [1] provide a flexible way of defining functional programs and their semantics.A rewriting system is a pair F, R , where F is an alphabet and R a set of rewriting rules of the form l → r, where l, r ∈ T (F, X ), l ∈ X and Var (r) ⊆ Var (l).A TRS can be seen as a set of rules, each of them defining one step of computation.We write R a rewriting system F, R if there is no ambiguity on F. A rewriting rule l → r is said to be left-linear if the term l is linear.Example 1 shows a TRS representing a functional program, where each rule is left-linear.In that case we say that the TRS R is left-linear.
A rewriting system R induces a rewriting relation → R where for alls s, t ∈ T (F, X ), s → R t if it exists a rule l → r ∈ R, a position p ∈ Pos(s) and a substitution σ such that lσ = s| p and t = s[rσ] p .The reflexive-transitive closure of → R is written → * R .The rewriting system introduced in the previous example also derives a rewriting relation → R where @(@(f ilter, odd), cons(0, cons(s(0), nil))) → * R cons(s(0), nil) The term cons(s(0), nil) is irreducible (no rule applies to it) and hence the result of the function call.We write IRR(R) for the set of irreducible terms of R.
Tree automata [12] are a convenient way to represent regular sets of terms.A tree automaton is a quadruple F, Q, Q f , ∆ where F is an alphabet, Q a finite set of states, Q f the set of final states, and ∆ a rewriting system on F ∪ Q. Rules in ∆, called transitions, are of the form l → q where q ∈ Q and l is either a state (∈ Q), or a configuration of the form f (q 1 , . . ., q n ) with f ∈ F, q 1 . . .q n ∈ Q.A term t is recognised by a state q ∈ Q if t → * ∆ q, which we also write t → * A q. We write L(A, q) for the language of all terms recognised by q.A term t is recognised by A if there exists q ∈ Q f s.t.t ∈ L(A, q).In that case we write t ∈ L(A).E.g., the tree automaton A = F, Q, Q f , ∆ with F = {0 : 0, s : 1}, Q f = {q pair } and ∆ = {0 → q pair , s(q odd ) → q pair , s(q pair ) → q odd , nil → q list , cons(q pair , q list ) → q list } recognises all lists of even natural numbers.
An -transition is a transition q → q where q ∈ Q.A tree automaton A is -free if it contains no -transitions.A is deterministic if for all terms t there is at most one state q such that t → * ∆ q .A is reduced if for all q there is at least one term t such that t → * ∆ q .

Tree Automata Completion algorithm
The verification algorithm is based on tree automata completion.Given a program represented as a rewriting system R, and its input represented as a tree automaton A 0 , the tree automata completion algorithm computes a new tree automaton A * recognising the set of all reachable terms starting from a term in L(A).For a given R, we write this set R * (L(A)) = {t | ∃s ∈ L(A), s → * R t}.It includes all intermediate computations and, in particular, the output of the functional program.The algorithm proceeds by computing iteratively A 1 , A 2 , . . .
Here, C R (A i ) represents one step of completion and is performed by searching and completing the critical pairs of n n q Definition 1 (Critical pair).A critical pair is a triple l → r, σ, q where l → r ∈ R, σ is a substitution, and q ∈ Q such that lσ → * A i q and rσ → * A i q.Completing a critical pair consists in adding the necessary transitions in A i+1 to have rσ → * A i+1 q, and hence rσ ∈ L(A i+1 , q).Example 2. Let A 0 be the previously defined tree automaton recognising all lists of even natural numbers.Let R = {s(s(x)) → s(x)}.A 0 has a critical pair s(s(x)) → s(x), σ, q pair with σ(x) = q pair .To complete the automaton, we need to add transition such that s(q pair ) → * A 1 q pair .Since we already have the state q odd recognising s(q pair ), we only add the transition q odd → q pair .The formal definition of the completion step, including the procedure of choosing which new transition to introduce, can be found in [17].
Every completion step has the following property: However it is in general impossible to compute a tree automaton recognising R * (L(A)) exactly, and this may cause the completion algorithm to diverge.Instead we shall over-approximate it by an automaton A * such that L(A * ) ⊇ R * (L(A)).The approximation is performed by introducing a set E of equations of the form l = r where l, r ∈ T (F, X ).From E we derive the relation = E , the smallest congruence such that for all equation l = r and substitution σ we have lσ = E rσ.In this paper we also write E for the TRS {l → r | l = r ∈ E}.At each completion step, the algorithm simplifies the automaton by merging states together according to E.

Definition 2 (Simplification Relation). Let
∆ be a tree automaton and E be a set of equations.If s = t ∈ E, σ : X → Q, q, q ∈ Q such that sσ → * A q, tσ → * A q and q = q then A can be simplified into A = A{q → q} (where q has been substitued by q), denoted by A E A .
We write S E (A) for the unique automaton (up to renaming) A such that A * E A and A is irreducible by E .One completion step is now defined by m m q Example 3.This example shows how using equations can lead to approximations in tree automata.Let A be the tree automaton defined by the set of transitions ∆ = {0 → q 0 , s(q 0 ) → q 1 }.This automaton recognises the two terms 0 in q 0 and s(0) (also known as 1) in q 1 .Let E = {s(x) = x} containing the equation that equates a number and its successor.For σ = {x → 0} we have s(x)σ → A q 1 , xσ → A q 0 and s(x)σ = E xσ.Then in S E (A), q 0 and q 1 are merged.The resulting automaton has transitions {0 → q 0 , s(q 0 ) → q 0 }, which recognises N in q 0 .The idea behind the simplification is to overapproximate R * (L(A)) when it is not regular.It has been shown in [19] that it is possible to tune the precision of the approximation.For a given TRS R, initial state automaton A and set of equations E, the termination of the completion algorithm is undecidable in general, even with the use of equations.Our contribution in this paper consists in finding a class of TRS/programs and equations E for which the completion algorithm with equations terminates.

Termination of Tree Automata Completion
In this section, we show that termination of the completion algorithm with a set of equations E is ensured under the following conditions: if (i) A k is reduced -free and deterministic (written REFD in the rest of the paper) for all k; (ii) every term of A k can be rewritten into a term of a given language L ⊆ T (F) using R (for instance if R is terminating); (iii) L has a finite number of equivalence classes w.r.t E. Completion is known to preserve -reduceness and -determinism if E ⊇ E r ∪ E R [19] where The contracting equations ensure that the completion algorithm will merge enough states during the simplification steps to terminate.Note that E c L cannot be empty, unless L is finite.To prove termination of completion, we first prove that it is possible to bound the number of states needed in A * to recognise a language L by the number of normal forms of L with respect to E c L .In our case L will be the set of output terms of the program.Since A * does not only recognises the output terms, we need additional states to recognise intermediate computation terms.In the proof of Theorem 1 we show that with E R , the simplification steps will merge the states recognising the intermediate computation with the states recognising the outputs.If the latter set of states is finite then we can show that A * is finite.
Theorem 1.Let A be an REFD tree automaton, R a left-linear TRS, E a set of equations and L a language closed by subterms such that for all k ∈ N and for all s ∈ L (A k ), there exists t

A Class of Analysable Programs
The next step is to identify a class of functional programs and a language L for which Theorem 1 applies.By choosing L = T (F) and providing a set of contracting equations E c T (F ) , the termination theorem above proves that the completion algorithm terminates on any functional program R. If this works in theory, in practice we want to avoid introducing equations over the application symbol (such as @(x, y) = y).Contracting equations on applications makes sense in certain cases, e.g., with idempotent functions (@(sort, @(sort, x)) = @(sort, x)), but in most cases, such equations dramatically lower the precision of the completion algorithm.Hence, we want to identify a language L with no contracting equations over @ in E c L .Since such a language L still has to have a finite number of normal forms w.r.t.E c L (Theorem 1), it cannot include terms containing an un-bounded stack of applications.For instance, L cannot contain all the terms of the form @(f, x), @(f, @(f, x)), @(f, @(f, @(f, x)), etc.The @ stack must be bounded, even if the applications symbols are interleaved with other symbols (e.g.@(f, s(@(f, s(@(f, s(x))))))).To do that we (i) define a set B d of all terms where such stack size is bounded by d ∈ N; (ii) define a set K n and a class of TRS called K-TRS such that for any TRS R in this class, K n is closed by R and K n ∩ IRR(R) ⊆ B φ(n) .This is done by first introducing a type system over the terms; (iii) finally define L = B φ(n) ∩ IRR(R) that can be used to instantiate Theorem 1.
Definition 4. For a given alphabet F = C ∪ {@}, B d is the set of terms where every application depth is bounded by d.It is the smallest set defined by: In Section 5, we show how to produce E c such that B d ∩ IRR(R) has a finite number of normal forms w.r.t.E c with no equations on @.However we don't have for all k, for all term and (ii) a class of TRS, called K-TRS for which L (A k ) ⊆ K n .In K-TRS, the right hand sides of TRS rules are contained in a set K whose purpose is to forbid the construction of unbounded partial applications during rewriting.If the initial automaton satisfies L (A) ⊆ K n then we can instantiate Theorem 1 with L = K n ∩ IRR(R) and prove termination.

Types
In order to define K and K n we require the TRS to be well-typed.Our definition of types is inspired by [1].Let A be a non-empty set of algebraic types.The set of types T is inductively defined as the least set containing A and all function types, i.e.A → B ∈ T ⇐ A, B ∈ T .The function type constructor → is assumed to be right-associative.The arity of a type A is inductively defined on the structure of A by: Instead of using alphabets, in a typed terms environment we use signatures F = C ∪ {@} where C is a set of constructor symbols associated to a unique type and @ the application symbol (with no type).We also assign a type to every variable.We write f : A if the symbol f has type A and t : A a term t ∈ T (F, X ) of type A. We write W(F, X ) for the set of all well typed terms using the usual definition.We extend the definition of term rewriting systems to typed TRS.A TRS is well typed if all rules are of the form l : A → r : A (type is preserved).In the same way, an equation s = t is well typed if both s and t have the same type.In the rest of this paper we only consider well typed equations and TRSs.
Definition 5 (Functional TRS).A higher-order functional TRS is composed of rules of the form @(. . .@(f, t 1 : A 1 ) . . ., t n : ) and r ∈ W(F, X ).A functional TRS is complete if for all term t = @(t 1 , t 2 ) : A such that ar(A) = 0, it is possible to rewrite t using R.In other words, all defined functions are total.
Types provides information about how a term can be rewritten.For instance we expect the term @(f : A → B, x : A) : B to be rewritten by every complete (no partial function) TRS R if ar(A → B) = 1.Furthermore, for certain types, we can guarantee the absence of partial applications in the result of a computation using the type's order.For a given signature F, the order of a type A, written ord(A), is inductively defined on the structure of A by: where ord(f : A 1 → . . .→ A n → A) = max{ord(A 1 ), . . ., ord(A n )} (with, for A i = A, ord(A i ) = 0).For instance ord(int) = 0 and ord(int → int) = 1.
Example 5. Define two different types of lists list and list .The first defines lists of int with the constructor consA : int → list → list ∈ C, while the second defines lists of functions with the constructor consB : (int → int) → list → list ∈ C. The importance of order becomes manifest here: in the first case a fully reduced term of type list cannot contain any @ whereas in the second case it can.ord(list) = 0 and ord(list ) = 1.
Lemma 1.If R is a complete functional TRS and A a type such that ord(A) = 0, then all closed terms t of type A are rewritten into an irreducible term with no partial application:

The class K-TRS
Recall that we want to define (i) a set K n ⊆ T (F) and φ such that K n ∩IRR(R) ⊆ B φ(n) and (ii) a class of TRS K-TRS for which L (A k ) ⊆ K n .Assuming that L (A) ⊆ K n we instantiate Theorem 1 with L = K n ∩ IRR(R) and prove termination.

Definition 6 (K-TRS).
A TRS R is part of K-TRS if for all rules l → r ∈ R, r ∈ K where K is inductively defined by: with Z defined by: By constraining the form of the right hand side of each rule of R, K defines a set of TRS that cannot construct unbounded partial applications during rewriting.The definition of K takes advantage of the type structure and Lemma 1.The rules (1) and (2) ensure that an application @(t 1 , t 2 ) is either: (1) a total application, and the whole term can be rewritten; or (2) a partial application where t 2 can be rewritten into a term of B 0 (Lemma 1).In (1), Z allows partial applications inside the total application of a multi-parameter function.
Example 6.Consider the classical map function.A typical call to this function is @(@(map, f ), l) of type list, where f is a mapping function, and l a list.The whole term belongs to K because of rule (1): list is an algebraic type and its subterm @(map, f ) : list → list belongs to Z.This subterm is a partial application, but there is no risk of stacking partial applications as it is part of a complete call (to the map function).
Example 7. Consider the function stack defined by: @(@(stack, x), 0) → x @(@(stack, x), S(n)) → @(@(stack, @(g, x)), n) Here g is a function of type (A → A) → A → A. The stack function returns a stack of partial applications whose height is equal to the input parameter: @(@(stack, f ), S(S(S . . .S k (0) . . .))) → * R @(g, @(g, @(g, . . .@(g The depth of partial applications stacks in the output language is not bounded.With no equations on the @ symbol, the completion algorithm may not terminate.Notice that x is a function and @(g, x) a partial application.Hence the term @(@(stack, @(g, x)), n) is not in K, so the TRS does not belong to the K-TRS class.
We define K n as {tσ | t ∈ K, σ : X → B n ∩ IRR(R)} and claim that if for all rule l → r of the functional TRS R, r ∈ K and if L(A) ⊆ K n then with Theorem 1 we can prove that the completion of A with R terminates.The idea is the following: -Prove that if A recognises terms of K n , then it is preserved by completion using the notion of bound of the arity of all the types of the program.-Prove that there is a finite number of normal form of -Finally, we use those three properties combined, and instantiate Theorem 1 with L = B n+2B ∩ IRR(R) to prove Theorem 2, defined as follows.
Theorem 2. Let A be a K n -coherent REFD tree automaton, R a terminating functional TRS such that for all rule l → r ∈ R, r ∈ K and E a set of equations.
To prove that after each step of completion, the recognised language stays in K n , we require the considered automaton to be K n -coherent.

By extension we say that a tree-automaton
If K n -coherence is not preserved during completion, then some states in the completed automaton may recognise terms outside of K n .Our goal is to show that it is preserved by C R (•) (Lemma 2) then by S E (•) (Lemma 3).
Lemma 3 (S E (A) preserves K n -coherence).Let A be a REFD tree automaton, R a functional TRS and E a set of equations such that By using Lemma 2 and Lemma 3, we can prove that the completion algorithm, which is a composition of C R (A) and S E (A), preserves K n -coherence.The proofs of these two lemmas are based on a detailed analysis of the completion algorithm itself.The complete proofs are provided in [17].
Lemma 4 (Completion preserves K n -coherence).Let A = F, Q, Q f , ∆ be a tree automaton, R a functional TRS and E a set of equations.
By construction we can prove that the depth of irreducible K n terms is bounded, which correspond to the following lemma.

Proof of Theorem 2
Proof.According to Lemma 4, for all k ∈ N, the completed automaton A k is K n -coherent.By definition this implies that L (A k ) ⊆ K n .Moreover, we know that IRR(R) ∩ K n ⊆ B n+2B (Lemma 5).Let L = B n+2B ∩ IRR(R).R is terminating, so for every term s ∈ L (A k ) there exists t ∈ L such that s → * R t.Since the number of normal form of L is finite w.r.t E, Theorem 1 implies that the completion of A by R and E terminates.
Theorem 2 states a number of hypotheses that must be satisfied in order to guarantee termination of the completion algorithm: -The initial automaton A must be K n -coherent and REFD.
-R must be terminating.
-All left-hand sides of rules of R are in the set of terms K.This is a straightforward syntactic check.If it is not verified, we can reject the TRS before starting the completion.-The set of equations E must be of the form E r ∪ E c L ∪ E R .The equation sets E r and E R are determined directly from the syntactic structure of R.However, there is no unique suitable set of contracting equations E c L .This set must be generated carefully, because a bad choice of contracting equations (i.e., equations that equate too many terms) will have a severe negative impact on the precision of the analysis result.
In this section, we describe a method for generating all possible sets of contracting equations E c L .To simplify the presentation, we only present the case where L = W(C) and IRR(R) ⊆ W(C) (i.e., all results are first-order terms).Our approach looks for contracting equations for the set of closed terms W(C) instead of the set B n+2B mentioned in Theorem 2.More precisely, we generate the set of equations iteratively, as a series of equation sets E k c where the equations only equate terms of depth at most k.Recall that a contracting equation is of the form u = u| p with p = λ, i.e., it equates a term with a strict subterm of the same type.A set of contracting equations over the set W(C) is then generated as follows: (i) generate the set of left-hand side of equations as a covering set of terms [25], so that for each term t ∈ W(C) there exists a left-hand side u of an equation and a substitution σ such that t = uσ.(ii) for each left-hand side, generate all possible equations of the form u = u| p , satisfying that both sides have the same type.(iii) from all those equations, we build all possible E c L (with L is left-linear and L = W(C), this can be decided efficiently [11].
To verify a property ϕ on a program, we use completion and equation generation as follows.The program is represented by a TRS R and function calls are represented by an initial tree automaton A. Both have to respect the hypothesis of Theorem 2. The algorithm searches for a set of contracting equations E c such that verification succeeds, i.e.L(A * ) satisfy ϕ.Starting from k = 1, we apply the following algorithm: 1. We first complete the tree automaton A k recognising the finite subset of L(A) of terms of maximum depth k.Since L(A k ) is finite and R is terminating, the set of reachable terms is finite, completion terminates without equations and computes an automaton A * k recognising exactly the set R * (L(A k )) [20].If there exists a set of equations E c able to verify the program, this algorithm will find it eventually, or find a counter example.However if there is no set of equations that can verify the program, this algorithm does not terminate.

Experiments
The verification technique described above has been integrated in the Timbuk library [16].We implemented the naive equation generation where all possible equation sets E c are enumerated.Despite the evident scalability issues of this simple version of the verification algorithm, we have been able to verify a series of properties of several classical higher-order functions: map, filter , exists, forall , foldRight, foldLeft as well as higher-order sorting functions parameterised by an ordering function.Most examples are taken from or inspired by [28,26] and have corresponding TRSs in the K set defined above.The property ϕ consists in checking that a finite set of forbidden terms is not reachable (Patterns section of Timbuk specifications).
Given A, R and A * , the correctness of the verification, i.e. the fact that L(A * ) ⊇ R * (L(A)), can be checked in a proof assistant embedding a formalisation of rewriting and tree automata.It is enough to prove that (a) L(A * ) ⊇ L(A) and that (b) for all critical pairs l → r, σ, q of A * we have rσ → * A * q.Property (a) can be checked using standard algorithms on tree automata.Property (b) can be checked by enumerating all critical pairs of A * (there are finitely many) and by proving that all of them satisfy rσ → * A * q.Since there exists algorithms for checking properties (a) and (b), the complete proof of correctness can automatically be built in the proof assistant.For instance, the automaton A * can be used as a certificate to build the correctness proof in Coq [6] and in Isabelle/HOL [14].It is also used to build unreachability proofs in Isabelle/HOL [14].Besides, since verifying (a) and (b) is automatic, the correctness proof may be run outside of the proof assistant (in a more efficient way) using a formally verified external checker extracted from the formalisation.All our (successful) completion attempts output a comp.resfile, containing A, R and A * , which has been certified automatically using the external certified checker of [6].Timbuk's site http://people.irisa.fr/Thomas.Genet/ timbuk/funExperiments/ lists those verification experiments.Nine of them are automatically proven.Two other examples show that correct counter-examples are generated when the property is not provable.On one example equation generation times out due to our naïve enumeration of equations.For this last case, by providing the right set of equations in mapTree2NoGen the verification of the function succeeds.

Related Work
When it comes to verifying first-order imperative programs, there exist several successful tools based on abstract interpretation such as ASTREE [3] and SLAM [2].The use of abstract interpretation for verifying higher-order functional programs has comparatively received less attention.The tree automaton completion technique is one analysis technique able to verify first-order Java programs [4].Until now, the completion algorithm was guaranteed to terminate only in the case of first-order functional programs [19].
Liquid Types [31], followed by Bounded Refinement Types [34,33], and also Set-Theoretic Types [9,8], are all attempts to enrich the type system of functional languages to prove non-trivial properties on higher-order programs.However, these methods are not automatic.The user has to express the property he wants to prove using the type system, which can be tedious and/or difficult.In some cases, the user even has to specify straightforward intermediate lemmas to help the type checker.
The first attempt in verifying regular properties came with Jones [21] and Jones and Andersen [22].Their technique computes a grammar over-approximating the set of states reachable by a rewriting systems.However, their approximation is fixed and too rough to prove programs like Example 1 (filter odd).Our program and property models are close to those of Jones and Andersen.However, the approximation in our analysis is not fixed and can be automatically adapted to the verification objective.
Ong et al. proposes one way of addressing the precision issue of Jones and Andersen's approach using a model checking technique on Pattern Matching Recursion Schemes [28] (PMRS).This technique improves the precision but is still not able to verify functions such as Example 1 (see [32] page 85).As shown in our experiments, our technique handles this example.
Kobayashi et al. developed a tree automata-based technique [26] (but not relying on TRS and completion), able to verify regular properties (including safety properties on Example 1).We have verified a selection of examples coming from [26] and observed that we can verify the same regular properties as they can.Our prototype implementation is inferior in terms of execution time, due to the slow generation of equations.A strength of our approach is that our verification results are certifiable and that they can be used as certificates to build unreachability proofs in proof assistants (see Section 6).
Our verification framework is based on regular abstractions and uses a simple abstraction mechanism based on equations.Regular abstractions are less expressive than Higher-Order Recursion Schemes [29,23] or Collapsible Pushdown Au-tomata [7], and equation-based abstractions are a particular case of predicate abstraction [24].However, the two restrictions imposed in this particular framework result in two strong benefits.First, the precision of the approximation is formally defined and precisely controlled using equations: L(A * ) ⊆ (R/E) * (L(A)) [20].This precision property permits us to prove intricate properties with simple (regular) abstractions.Second, using tree automata-based models facilitates the certification of the verification results in a proof assistant.This significantly increases the confidence in the verification result compared e.g., to verdicts obtained by complex CEGAR-based model-checkers.

Conclusion & Future Work
This paper shows that tree automata completion is a simple yet powerful, fully automatic verification technique for higher-order functional programs, expressed as term rewriting systems.We have proved that the completion algorithm terminates on a subset of TRS encompassing common functional programs, and provided experimental evidence of the viability of the approach by verifying properties on fundamental higher-order functions including filtering and sorting.
One remaining question is whether this approach is complete: if there exists a regular approximation of the reachable terms of a functional program, can we build it using equations?We can already answered this question in the positive when L = W(C), i.e., all results are first order terms [15].Extending this result to all kind of results, including higher-order ones, is a promising research topic.
The generation of the approximating equations is automatic but simpleminded, and too simple to turn the prototype into a full verification tool.Further work will look into how sets of contracting equations can be generated in a more efficient manner, notably by taking the structure of the TRS into account and using a CEGAR approach.
The present verification technique is agnostic to the evaluation strategy.An interesting research track would be to experiment completion-based verification techniques with different term rewriting semantics of functional programs such as outlined by Clemente et al. [10].This would permit us to take a particular evaluation strategy into account, and in certain cases, improve the precision of the verification.We already experimented with this in [18].This is in line with our long-term research goal of providing a light-weight verification tool to assist the working OCaml programmer.
Our work focuses on verifying regular properties represented by tree automata.Dealing with non-regular over-approximations of reachable terms would allow us to verify relational properties like comparing the length of the list before and after f ilter.This is one of the objective of techniques like [24].Building non-regular over-approximations of reachable terms for TRS, using a form of completion, is possible [5].However, up to now, adapting automatically the precision of such approximations to a given verification goal is not possible.Extending their approach with equations may provide a powerful verification tool worth pursuing.
is ensured by showing that, in our verification setting, completion preserve REFD.The last condition is ensured by having E ⊇ E cL where E c L is a set of contracting equations.Definition 3 (Contracting Equations).Let L ⊆ T (F).A set of equations is contracting for L, denoted by E c L , if all equations of E c L are of the form u = u| p with u a linear term of T (F, X ), p = λ and if the set of normal forms of L w.r.t the TRS E c L = {u → u| p | u = u| p ∈ E c L } is finite.Example 4. Assume that F = {0 : 0, s : 1}.The set E c L = {s(x) = x} is contracting for L = T (F) because the set of normal forms of T (F) with respect to E c L = {s(x) → x} is the (finite) set {0}.The set E c L = {s(s(x)) = x} is contracting because the normal forms of {s(s(x)) → x} are {0, s(0)}.

2 .
If L(A * k ) does not satisfy ϕ then verification fails: a counterexample is found.3. Otherwise, we search for a suitable set E c .All E c of E k c that introduce a counterexample in the completion of A k with R and E c are filtered out.4.Then for all remaining E c , we try to complete A with R andE = E r ∪E R ∪E cand check ϕ on the completed automaton.If ϕ is true on A * then verification succeeds.Otherwise, we try the next E c . 5. If there remain no E c , we start again with k = k + 1.