Higher-Order Program Verification via HFL Model Checking

There are two kinds of higher-order extensions of model checking: HORS model checking and HFL model checking. Whilst the former has been applied to automated verification of higher-order functional programs, applications of the latter have not been well studied. In the present paper, we show that various verification problems for functional programs, including may/must-reachability, trace properties, and linear-time temporal properties (and their negations), can be naturally reduced to (extended) HFL model checking. The reductions yield a sound and complete logical characterization of those program properties. Compared with the previous approaches based on HORS model checking, our approach provides a more uniform, streamlined method for higher-order program verification.


Introduction
There are two kinds of higher-order extensions of model checking in the literature: HORS model checking [19,35] and HFL model checking [48]. The former is concerned with whether the tree generated by a given higher-order tree grammar, called a higher-order recursion scheme (HORS), satisfies the property expressed by a given modal µ-calculus formula (or a tree automaton), and the latter is concerned with whether a given finite-state system satisfies the property expressed by a given formula of higher-order modal fixpoint logic (HFL), a higher-order extension of the modal µ-calculus. Whilst HORS model checking has been applied to automated verification of higher-order functional programs [20,21,26,29,36,47,49], there have been few studies on applications of HFL model checking to program/system verification. Although HFL was introduced more than a decade ago, we are only aware of applications to assume-guarantee reasoning [48] and process equivalence checking [31].
In the present paper, we show that various verification problems for higher-order functional programs can actually be reduced to (extended) HFL model checking in a rather natural manner. We briefly explain the idea of our reduction below. We translate a program to an HFL formula that says "the program has a valid behavior" (where the validity of a behavior depends on each verification problem). Thus, a program is actually mapped to a property, and a program property is mapped to a system to be verified; this has been partially inspired by the recent work of Kobayashi et al. [22], where HORS model checking problems have been translated to HFL model checking problems by switching the roles of models and properties. For example, consider a simple program fragment read(x); close(x) that reads and then closes a file (pointer) x. The transition system in Figure 1 shows a valid access protocol to read-only files. Then, the property that a read operation is allowed in the current state can be expressed by a formula of the form ⟨read⟩ϕ, which says that the current state has a read-transition, after which ϕ is satisfied. Thus, the program read(x); close(x) being valid is expressed as ⟨read⟩⟨close⟩true, which is indeed satisfied by the initial state q0 of the transition system in Figure 1. Here, we have just replaced the operations read and close of the program with the corresponding modal operators ⟨read⟩ and ⟨close⟩. We can also naturally deal with branches and recursion. For example, consider the program close(x) ✷ (read(x); close(x)), where e1 ✷ e2 represents a non-deterministic choice between e1 and e2. Then the property that the program always accesses x in a valid manner can be expressed by (⟨close⟩true) ∧ (⟨read⟩⟨close⟩true). Note that we have just replaced the non-deterministic branch with a logical conjunction, as we wish here to require that the program's behavior is valid in both branches.
We can also deal with conditional branches if HFL is extended with predicates; if b then close(x) else (read(x); close(x)) can be translated to (b ⇒ ⟨close⟩true) ∧ (¬b ⇒ ⟨read⟩⟨close⟩true). Let us also consider the recursive function f defined by: f x = close(x) ✷ (read(x); read(x); f x). Then, the program f x being valid can be represented by using a (greatest) fixpoint formula: νF.(⟨close⟩true) ∧ (⟨read⟩⟨read⟩F).
If the state q0 satisfies this formula (which is indeed the case), then we know that all the file accesses made by f x are valid. So far, we have used only modal µ-calculus formulas. To express the validity of higher-order programs, we need HFL formulas; such examples are given later.
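On a finite LTS, the greatest fixpoint νF.(⟨close⟩true) ∧ (⟨read⟩⟨read⟩F) can be computed by Kleene iteration from the top element. The following Python sketch is illustrative only; it assumes that the LTS of Figure 1 (not reproduced here) has states q0, q1 with transitions q0 −read→ q0 and q0 −close→ q1.

```python
# Kleene iteration for  nu F. <close>true  /\  <read><read>F
# over an LTS assumed to match Figure 1: q0 --read--> q0, q0 --close--> q1.

STATES = {"q0", "q1"}
TRANS = {("q0", "read"): {"q0"}, ("q0", "close"): {"q1"}}

def diamond(action, s_set):
    """States with an `action`-transition into s_set (the <action> modality)."""
    return {s for s in STATES if TRANS.get((s, action), set()) & s_set}

def body(f_set):
    # <close>true  /\  <read><read>F
    return diamond("close", STATES) & diamond("read", diamond("read", f_set))

def gfp(f):
    cur = set(STATES)          # a greatest fixpoint starts from the top element
    while True:
        nxt = f(cur)
        if nxt == cur:
            return cur
        cur = nxt

print(gfp(body))   # the initial state q0 satisfies the formula
```

The iteration stabilizes at {q0}: only the initial state admits both a close-transition and two consecutive read-transitions back into the fixpoint set.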
We generalize the above idea and formalize reductions from various classes of verification problems for simply-typed higher-order functional programs with recursion, integers, and non-determinism (including verification of may/must-reachability, trace properties, and linear-time temporal properties and their negations) to (extended) HFL model checking, where HFL is extended with integer predicates, and prove soundness and completeness of the reductions. The extended HFL model checking problems obtained by the reductions are (necessarily) undecidable in general, but for finite-data programs (i.e., programs that consist of only functions and data from finite data domains such as Booleans), the reductions yield pure HFL model checking problems, which are decidable [48].
Our reductions provide sound and complete logical characterizations of the wide range of program properties mentioned above. Nice properties of the logical characterizations include: (i) (like verification conditions for Hoare triples) once the logical characterization is obtained as an HFL formula, purely logical reasoning can be used to prove or disprove it (without further reference to the program semantics); for that purpose, one may use theorem provers with various degrees of automation, ranging from interactive ones like Coq, to semi-automated ones requiring some annotations, to fully automated ones (though the latter two are yet to be implemented); (ii) (unlike the standard verification condition generation for Hoare triples using invariant annotations) the logical characterization can be computed automatically, without any annotations; (iii) standard logical reasoning can be applied based on the semantics of formulas; for example, co-induction and induction can be used for proving ν- and µ-formulas, respectively; and (iv) thanks to completeness, the set of program properties characterizable by HFL formulas is closed under negation; for example, from a formula characterizing may-reachability, one can obtain a formula characterizing non-reachability by just taking the De Morgan dual.
Compared with previous approaches based on HORS model checking [21,26,29,36,43], our approach based on (extended) HFL model checking provides a more uniform, streamlined method for higher-order program verification. HORS model checking provides sound and complete verification methods for finite-data programs [20,21], but for infinite-data programs, other techniques such as predicate abstraction [26] and program transformation [30,34] had to be combined to obtain sound (but incomplete) reductions to HORS model checking. Furthermore, the techniques were different for each of the program properties, such as reachability [26], termination [30], non-termination [29], fair termination [34], and fair non-termination [49]. In contrast, our reductions are sound and complete even for infinite-data programs. Although the obtained HFL model checking problems are undecidable in general, the reductions allow us to treat various program properties uniformly; all the verification problems boil down to the issue of how to prove µ- and ν-formulas (and, as remarked above, we can use induction and co-induction to deal with them). Technically, our reduction to HFL model checking may actually be considered an extension of HORS model checking to infinite-data programs, as discussed in Appendix H.
The rest of this paper is structured as follows. Section 2 introduces HFL extended with integer predicates and defines the HFL model checking problem. Section 3 informally demonstrates some examples of reductions from program verification problems to HFL model checking. Section 4 introduces a functional language used to formally discuss the reductions in later sections. Sections 5, 6, and 7 consider may/must-reachability, trace properties, and temporal properties respectively, and present (sound and complete) reductions from verification of those properties to HFL model checking. Section 8 discusses related work, and Section 9 concludes the paper. Proofs are found in Appendices.

(Extended) HFL
In this section, we introduce an extension of higher-order fixpoint logic (HFL) [48] with integer predicates (which we call HFL_Z; we often drop the subscript and just write HFL, as in Section 1), and define the HFL_Z model checking problem. The set of integers can actually be replaced by any other infinite set X of data (such as the set of natural numbers or the set of finite trees) to yield HFL_X.

Syntax
For a map f, we write dom(f) and codom(f) for the domain and codomain of f, respectively. We write Z for the set of integers, ranged over by the meta-variable n below. We assume a set Pred of primitive predicates on integers, ranged over by p. We write arity(p) for the arity of p. We assume that Pred contains standard integer predicates such as = and <, and also assume that, for each predicate p ∈ Pred, there exists a predicate ¬p ∈ Pred such that, for any integers n1, ..., nk, p(n1, ..., nk) holds if and only if ¬p(n1, ..., nk) does not hold; thus, ¬p(n1, ..., nk) should be parsed as (¬p)(n1, ..., nk), but can semantically be interpreted as ¬(p(n1, ..., nk)).
The syntax of HFL_Z formulas is given by:

  ϕ (formulas) ::= n | ϕ1 op ϕ2 | true | false | p(ϕ1, ..., ϕk) | X | ϕ1 ∨ ϕ2 | ϕ1 ∧ ϕ2
                 | ⟨a⟩ϕ | [a]ϕ | µX^τ.ϕ | νX^τ.ϕ | λX:σ.ϕ | ϕ1 ϕ2
  τ (types) ::= • | σ → τ
  σ (extended types) ::= τ | int

Here, op ranges over a set of binary operations on integers, such as +, and X ranges over a denumerable set of variables. We have extended the original HFL [48] with integer expressions (n and ϕ1 op ϕ2) and atomic formulas p(ϕ1, ..., ϕk) on integers (here, the arguments of integer operations and predicates will be restricted to integer expressions by the type system introduced below). Following [22], we have omitted negations, as any formula can be transformed to an equivalent negation-free formula [33]. We explain the meaning of each formula informally; the formal semantics is given in Section 2.2. Like the modal µ-calculus [12,28], each formula expresses a property of a labeled transition system. The first line of the syntax of formulas consists of the standard constructs of predicate logics. On the second line, as in the standard modal µ-calculus, ⟨a⟩ϕ means that there exists an a-labeled transition to a state that satisfies ϕ. The formula [a]ϕ means that after any a-labeled transition, ϕ is satisfied. The formulas µX^τ.ϕ and νX^τ.ϕ represent the least and greatest fixpoint formulas (the least and greatest formulas such that X = ϕ), respectively; unlike in the modal µ-calculus, X may range over not only propositional variables but also higher-order predicate variables (of type τ). The λ-abstractions λX:σ.ϕ and applications ϕ1 ϕ2 are used to manipulate higher-order predicates. We often omit type annotations in µX^τ.ϕ, νX^τ.ϕ and λX:σ.ϕ, and just write µX.ϕ, νX.ϕ and λX.ϕ. Example 1. Consider the formula ϕ_ab ϕ, where ϕ_ab = µX^{•→•}.λY:•. Y ∨ ⟨a⟩(X(⟨b⟩Y)). By repeatedly expanding the fixpoint, we obtain ϕ ∨ (⟨a⟩⟨b⟩ϕ) ∨ (⟨a⟩⟨a⟩⟨b⟩⟨b⟩ϕ) ∨ ···.
Thus, the formula means that there is a transition sequence of the form a^n b^n, for some n ≥ 0, that leads to a state satisfying ϕ.
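On a finite LTS, the order-1 least fixpoint ϕ_ab can be computed concretely: the lattice of monotone maps from state sets to state sets is finite, so Kleene iteration of X ↦ λY. Y ∪ ⟨a⟩(X(⟨b⟩Y)) from the bottom map converges. The following Python sketch uses an illustrative three-state LTS and an illustrative set P of states assumed to satisfy the inner formula ϕ; both are our own assumptions.

```python
from itertools import combinations

# Illustrative LTS: 0 --a--> 1 --b--> 2, with P the states satisfying phi.
STATES = {0, 1, 2}
TRANS = {(0, "a"): {1}, (1, "b"): {2}}
P = {2}

def diamond(action, s_set):
    return {s for s in STATES if TRANS.get((s, action), set()) & s_set}

def subsets(s):
    s = list(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

# Kleene iteration in the finite lattice of maps 2^S -> 2^S:
#   X_{k+1}(Y) = Y ∪ <a>(X_k(<b>Y)),  starting from X_0 = λY.∅  (least fixpoint)
def step(x_table):
    return {y: set(y) | diamond("a", x_table[frozenset(diamond("b", set(y)))])
            for y in subsets(STATES)}

table = {y: set() for y in subsets(STATES)}
while True:
    nxt = step(table)
    if nxt == table:
        break
    table = nxt

print(table[frozenset(P)])   # states satisfying phi_ab phi
```

Here state 0 satisfies ϕ_ab ϕ via the path a b (n = 1), and state 2 satisfies it trivially (n = 0).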
Following [22], we exclude unmeaningful formulas such as (⟨a⟩true) + 1 by using a simple type system. The types •, int, and σ → τ describe propositions, integers, and (monotonic) functions from σ to τ, respectively. Note that the integer type int may occur only in argument positions; this restriction is required to ensure that least and greatest fixpoints are well-defined. The typing rules for formulas are given in Figure 2. In the figure, ∆ denotes a type environment, which is a finite map from variables to (extended) types. Below, we consider only well-typed formulas, i.e., formulas ϕ such that ∆ ⊢_H ϕ : τ for some ∆ and τ.

Semantics and HFL Z Model Checking
We now define the formal semantics of HFL_Z formulas. A labeled transition system (LTS) is a quadruple L = (U, A, −→, s_init), where U is a finite set of states, A is a finite set of actions, −→ ⊆ U × A × U is a labeled transition relation, and s_init ∈ U is the initial state. We write s1 −a→ s2 when (s1, a, s2) ∈ −→. The HFL_Z model checking problem is undecidable, due to the presence of integers; in fact, the semantic domain D_{L,σ} is not finite for a type σ that contains int. The undecidability is obtained as a corollary of the soundness and completeness of the reduction from the may-reachability problem to HFL model checking discussed in Section 5. For the fragment of pure HFL (i.e., HFL_Z without integers, which we write HFL_∅ below), the model checking problem is decidable [48].
The order of an HFL_Z model checking problem L ⊨? ϕ is the highest order of the types of subformulas of ϕ, where the order of a type is defined by: order(•) = order(int) = 0 and order(σ → τ) = max(order(σ) + 1, order(τ)). The complexity of order-k HFL_∅ model checking is k-EXPTIME complete [1], but polynomial in the size of the HFL formula under the assumption that the other parameters (the size of the LTS and the largest size of types used in formulas) are fixed [22]. Remark 1. Though we do not have quantifiers over integers as primitives, we can encode them using fixpoint operators. Given a formula ϕ : int → •, we can express ∃x:int.ϕ(x) and ∀x:int.ϕ(x) by (µX^{int→•}.λx:int. ϕ(x) ∨ X(x−1) ∨ X(x+1)) 0 and (νX^{int→•}.λx:int. ϕ(x) ∧ X(x−1) ∧ X(x+1)) 0, respectively.
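The µ-encoding of ∃ in Remark 1 can be read operationally: each unfolding of X widens the searched interval around 0 by one. A minimal Python sketch follows; the search radius is an artificial cut-off of our own (the true encoding unfolds without bound), so a False answer is only "no witness within the bound".

```python
def exists_int(phi, radius=1000):
    """mu-encoding of ∃x.phi(x): unfolding X(x) = phi(x) ∨ X(x-1) ∨ X(x+1)
    from the argument 0 searches integers in widening circles around 0."""
    return any(phi(x) for r in range(radius + 1) for x in (r, -r))

print(exists_int(lambda x: x * x == 49))   # True: witnesses x = 7 and x = -7
print(exists_int(lambda x: x * x == 2))    # False within the search radius
```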

HES
As in [22], we often write an HFL_Z formula as a sequence of fixpoint equations, called a hierarchical equation system (HES).

Warming Up
To help readers get more familiar with HFL Z and the idea of reductions, we give here some variations of the examples of verification of file-accessing programs in Section 1, which are instances of the "resource usage verification problem" [17]. General reductions will be discussed in Sections 5-7, after the target language is set up in Section 4.
Consider the following OCaml-like program, which uses exceptions.
let readex x = read x; (if * then () else raise Eof) in
let rec f x = readex x; f x in
let d = open_in "foo" in
try f d with Eof -> close d

Here, * represents a non-deterministic boolean value. The function readex reads the file pointer x and then non-deterministically raises an end-of-file (Eof) exception. The main expression (the last two lines) first opens the file "foo", calls f to read the file repeatedly, and closes the file upon an end-of-file exception. Suppose, as in the example of Section 1, we wish to verify that the file "foo" is accessed following the protocol in Figure 1. First, we can remove exceptions by representing an exception handler as a special continuation [6]:

let readex x h k = read x; (if * then k() else h()) in
let rec f x h k = readex x h (fun _ -> f x h k) in
let d = open_in "foo" in
f d (fun _ -> close d) (fun _ -> ())

Here, we have added to each function two parameters h and k, which represent an exception handler and a (normal) continuation, respectively.
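The CPS-converted program can be executed directly, with events logged to a trace and the non-deterministic * resolved by a scripted list of booleans. The simulation below is our own illustration (not the paper's formal semantics): it shows that the handler continuation h plays the role of the try ... with Eof branch.

```python
# Executable sketch of the exception-free CPS program; events go to a trace,
# and `*` is resolved by a scripted sequence of booleans.

def run(choices):
    trace = []
    choices = iter(choices)

    def readex(x, h, k):
        trace.append("read")
        if next(choices):        # `*`: continue normally ...
            k(())
        else:                    # ... or raise Eof, i.e. jump to the handler h
            h(())

    def f(x, h, k):
        readex(x, h, lambda _: f(x, h, k))

    # main: open "foo", read repeatedly, close upon Eof
    f("foo", lambda _: trace.append("close"), lambda _: None)
    return trace

print(run([True, True, False]))   # ['read', 'read', 'read', 'close']
```

Every run produces a trace of the form read ... read close, matching the protocol of Figure 1.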
Let Φ be (E, F true (λr.⟨close⟩true) (λr.true)), where E is:

  F x h k =ν Readex x h (λr. F x h k);
  Readex x h k =ν ⟨read⟩((k true) ∧ (h true)).

Here, we have just replaced the read/close operations with the modal operators ⟨read⟩ and ⟨close⟩, the non-deterministic choice with a logical conjunction, and the unit value ( ) with true. Then, L_file ⊨ Φ if and only if the program performs only valid accesses to the file (e.g., it does not access the file after a close operation), where L_file is the LTS shown in Figure 1. The correctness of the reduction can be informally understood by observing that there is a close correspondence between reductions of the program and those of the HFL formula above: when the program reaches a read command read x, the corresponding formula is of the form ⟨read⟩···, meaning that a read operation is valid in the current state; a similar condition holds for close operations. We present a formal proof of the general translation in Section 6.

Let us consider another example, which uses integers:

let rec f y x k =
  if y=0 then (close x; k())
  else (read x; f (y-1) x k) in
let d = open_in "foo" in
f n d (fun _ -> ())

Here, n is an integer constant. The function f reads x y times and then calls the continuation k. Let L′_file be the LTS obtained from L_file by adding a new state q2 and the transition q1 −end→ q2 (which intuitively means that the program is allowed to terminate in the state q1), and let Φ′ be (E′, F n true (λr.⟨end⟩true)), where E′ is:

  F y x k =µ (y = 0 ⇒ ⟨close⟩(k true)) ∧ (y ≠ 0 ⇒ ⟨read⟩(F (y−1) x k)).

Here, p(ϕ1, ..., ϕk) ⇒ ϕ is an abbreviation of ¬p(ϕ1, ..., ϕk) ∨ ϕ. Then, L′_file ⊨ Φ′ if and only if (i) the program performs only valid accesses to the file, (ii) it eventually terminates, and (iii) the file is closed when the program terminates. Notice the use of µ instead of ν above; by using µ, we can express liveness properties. The property L′_file ⊨ Φ′ indeed holds for n ≥ 0, but not for n < 0. In fact, F n x k is equivalent to false for n < 0, and to ⟨read⟩^n⟨close⟩(k true) for n ≥ 0.
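The equivalence F n x k ≡ ⟨read⟩^n⟨close⟩(k true) for n ≥ 0 mirrors the trace of the counting program itself; for n < 0 the program diverges without closing the file, matching F n x k ≡ false. The following Python sketch (our own simulation, for n ≥ 0 only) records that trace.

```python
# Trace of the counting program: read x, y times, then close and continue.
def f(y, k, trace):
    if y == 0:
        trace.append("close")
        k(trace)
    else:
        trace.append("read")
        f(y - 1, k, trace)

def traces_for(n):
    """Run f n with the final continuation λr.<end>true, which signals `end`.
    Do not call this with n < 0: the program then recurses forever, which is
    exactly why F n x k is equivalent to false for n < 0."""
    out = []
    f(n, lambda tr: tr.append("end"), out)
    return out

print(traces_for(3))   # ['read', 'read', 'read', 'close', 'end']
```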

Target Language
This section sets up, as the target of program verification, a call-by-name higher-order functional language extended with events. The language is essentially the same as the one used by [49] for discussing fair non-termination.

Syntax and Typing
We assume a finite set Ev of names called events, ranged over by a, and a denumerable set of variables, ranged over by x, y, . . .. Events are used to express temporal properties of programs. We write x̃ (resp. t̃) for a sequence of variables (resp. terms), and write |x̃| for the length of the sequence.
A program is a pair (D, t) consisting of a set D of function definitions {f1 x̃1 = t1, ..., fn x̃n = tn} and a term t. The set of terms, ranged over by t, is defined by:

  t ::= ( ) | x | n | t1 op t2 | if p(t′1, ..., t′k) then t1 else t2 | event a; t | t1 t2 | t1 ✷ t2

Here, n and p range over the sets of integers and integer predicates, as in HFL formulas. The expression event a; t raises an event a and then evaluates t. Events are used to encode program properties of interest. For example, an assertion assert(b) can be expressed as if b then ( ) else (event fail; Ω), where fail is an event that signals an assertion failure and Ω is a non-terminating term. If program termination is of interest, one can insert "event end" at every program termination point and check whether an end event occurs. The expression t1 ✷ t2 evaluates t1 or t2 in a non-deterministic manner; it can be used to model, e.g., unknown inputs from the environment. We use the meta-variable P for programs. When P = (D, t) with D = {f1 x̃1 = t1, ..., fn x̃n = tn}, we write funs(P) for {f1, ..., fn} (i.e., the set of function names defined in P). Using λ-abstractions, we sometimes write f = λx̃.t for the function definition f x̃ = t. We also regard D as a map from function names to terms, writing dom(D) for {f1, ..., fn} and D(fi) for λx̃i.ti. Any program (D, t) can be normalized to (D ∪ {main = t}, main), where main is a name for the "main" function. We sometimes write just D for a program (D, main), with the understanding that D contains a definition of main.
We restrict the syntax of expressions using a type system. The set of simple types, ranged over by κ, is defined by:

  κ ::= ⋆ | η → κ        η ::= κ | int

The types ⋆, int, and η → κ describe the unit value, integers, and functions from η to κ, respectively. Note that int is allowed to occur only in argument positions. We defer the typing rules to Appendix A, as they are standard, except that we require the right-hand side of each function definition to have type ⋆; this restriction, as well as the restriction that int occurs only in argument positions, does not lose generality, as both conditions can be ensured by applying CPS transformation. We consider below only well-typed programs.

Operational Semantics
We define the labeled transition relation t −ℓ→_D t′, where ℓ is either ε or an event name, as the least relation closed under the rules in Figure 3. We implicitly assume that the program (D, t) is well-typed; this assumption is maintained throughout reductions by the standard type preservation property (which we omit to prove). In the rules for if-expressions, ⟦t′i⟧ represents the integer value denoted by t′i; note that the well-typedness of (D, t) guarantees that each t′i is an arithmetic expression consisting of integers and integer operations, so ⟦t′i⟧ is well defined. We often omit the subscript D when it is clear from the context.
Here, ε is treated as the empty sequence; thus, for example, a transition sequence labeled ε, a, ε contributes the trace a.
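The (finite) traces of a program in this language can be enumerated to a bounded depth. The following Python sketch is our own illustration and covers only a tiny fragment (unit, events, the choice ✷, and recursion via thunks), not the full operational semantics of Figure 3.

```python
# Bounded-depth enumeration of finite traces for a tiny fragment of the
# target language: thunks return ('unit',), ('event', a, rest), or
# ('choice', t1, t2), where rest/t1/t2 are again thunks.

def traces(t, depth):
    if depth == 0:
        return {()}                 # cut-off: stop extending the trace here
    kind = t()
    if kind[0] == 'unit':
        return {()}
    if kind[0] == 'event':
        _, a, rest = kind
        return {(a,) + w for w in traces(rest, depth - 1)}
    _, t1, t2 = kind                # nondeterministic choice: union of traces
    return traces(t1, depth - 1) | traces(t2, depth - 1)

# f = event a; (f ✷ ())  -- raises a one or more times, possibly forever
def f():
    return ('event', 'a', lambda: ('choice', f, lambda: ('unit',)))

print(sorted(traces(f, 5)))   # [('a',), ('a', 'a'), ('a', 'a', 'a')]
```

Because the enumeration is cut off at a fixed depth, the computed set is a prefix-closed under-approximation of FinTraces.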

May/Must-Reachability Verification
Here we consider the following problems:
- May-reachability: "Given a program P and an event a, may P raise a?"
- Must-reachability: "Given a program P and an event a, must P raise a?"
Since we are interested in a particular event a, we restrict the event set Ev to the singleton {a}. Then, may-reachability is formalized as "a ∈ Traces(P)?", whereas must-reachability is formalized as "does every trace in FullTraces(P) contain a?" We encode both problems into the validity of HFL_Z formulas (without any modal operators ⟨a⟩ or [a]), or, equivalently, the HFL_Z model checking of those formulas against a trivial model (which consists of a single state without any transitions). Since our reductions are sound and complete, characterizations of their negations (non-reachability and may-non-reachability) can also be obtained immediately. Although these are the simplest classes of properties among those discussed in Sections 5-7, they are already large enough to accommodate many program properties discussed in the literature, including the lack of assertion failures/uncaught exceptions [26] (which can be characterized as non-reachability; recall the encoding of assertions in Section 4), termination [30,32] (characterized as must-reachability), and non-termination [29] (characterized as may-non-reachability).

May-Reachability
As in the examples in Section 3, we translate a program to a formula that says "the program may raise an event a" in a compositional manner. For example, event a; t can be translated to true (since the event will surely be raised immediately), and t1 ✷ t2 can be translated to t1† ∨ t2†, where ti† is the result of the translation of ti (since only one of t1 and t2 needs to raise the event). Definition 3. Let P = (D, t) be a program. Φ_{P,may} is the HES (D†_may, t†_may), where D†_may and t†_may are defined by:

  D†_may = {f x̃ =µ t†_may | f x̃ = t ∈ D}
  ( )†_may = false    x†_may = x    n†_may = n    (t1 op t2)†_may = t1†_may op t2†_may
  (event a; t)†_may = true    (t1 t2)†_may = t1†_may t2†_may    (t1 ✷ t2)†_may = t1†_may ∨ t2†_may
  (if p(t′1, ..., t′k) then t1 else t2)†_may = (p(t′1, ..., t′k) ∧ t1†_may) ∨ (¬p(t′1, ..., t′k) ∧ t2†_may)

Note that, in the definition of D†_may, the order of the function definitions in D does not matter (i.e., the resulting HES is unique up to semantic equality), since all the fixpoint variables are bound by µ.
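The clauses of the may-translation can be rendered as a syntax-directed function on a small term representation. The Python sketch below is illustrative only: the tuple constructors and the string output are our own encoding of terms and formulas, not the paper's.

```python
# Syntax-directed sketch of t ↦ t†_may, following the clauses in the text
# (event → true, ✷ → ∨, unit → false, if-branches guarded by the predicate).
# Terms: ('unit',) ('event', a, t) ('choice', t1, t2)
#        ('if', cond, t1, t2) ('app', f, args) ('var', x)

def may(t):
    tag = t[0]
    if tag == 'unit':
        return 'false'                       # a finished program raises nothing
    if tag == 'event':
        return 'true'                        # the event is raised immediately
    if tag == 'choice':
        return f'({may(t[1])} ∨ {may(t[2])})'
    if tag == 'if':
        _, cond, t1, t2 = t
        return f'(({cond} ∧ {may(t1)}) ∨ (¬{cond} ∧ {may(t2)}))'
    if tag == 'app':
        _, f_name, args = t
        return f'{f_name} {" ".join(args)}'
    return t[1]                              # variable

# (event a; ()) ✷ (loop x)  ↦  (true ∨ loop x)
print(may(('choice', ('event', 'a', ('unit',)), ('app', 'loop', ['x']))))
```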
Example 5. Consider the program P_loop = ({loop x = loop x}, loop (event a; ( ))). It is translated to the HES Φ_loop = (loop x =µ loop x, loop(true)). Since loop ≡ µloop.λx.loop x is equivalent to λx.false, Φ_loop is equivalent to false. In fact, P_loop never raises the event a (recall that our language is call-by-name).
Example 6. Consider the program P_sum = (D_sum, main), where D_sum is:

  sum = λx.λk. if x = 0 then k 0 else sum (x − 1) (λr. k (x + r));
  main = sum n (λr. assert(r ≥ n)).

Here, n is some integer constant, and assert(b) is the macro introduced in Section 4. We have used λ-abstractions for the sake of readability. The function sum is a CPS version of a function that computes the summation of integers from 1 to x. The main function computes the sum r = 1 + ··· + n and asserts r ≥ n. The program is translated to the HES Φ_{Psum,may} = (E_sum, main), where E_sum is:

  sum =µ λx.λk. (x = 0 ∧ k 0) ∨ (x ≠ 0 ∧ sum (x − 1) (λr. k (x + r)));
  main =µ sum n (λr. r < n).

Here, n is treated as a constant. Since the shape of the formula does not depend on the value of n, however, the property "an assertion failure may occur for some n" can be expressed by ∃n.Φ_{Psum,may}. Thanks to the completeness of the encoding (Theorem 1 below), the lack of assertion failures can be characterized by ∀n.Φ, where Φ is the De Morgan dual of the above HES:

  sum =ν λx.λk. (x ≠ 0 ∨ k 0) ∧ (x = 0 ∨ sum (x − 1) (λr. k (x + r)));
  main =ν sum n (λr. r ≥ n).

⊓ ⊔
The following theorem states that Φ_{P,may} is a complete characterization of the may-reachability of P. Theorem 1. Let P be a program. Then, a ∈ Traces(P) if and only if L0 ⊨ Φ_{P,may}, for L0 = ({s⋆}, ∅, ∅, s⋆).
To prove the theorem, we first show it for recursion-free programs and then lift it to arbitrary programs by using the continuity of the functions represented by the fixpoint-free fragment of HFL_Z formulas. See Appendix B.1 for the concrete proof.

Must-Reachability
The characterization of must-reachability can be obtained by an easy modification of the characterization of may-reachability: we just need to replace non-deterministic branches with logical conjunctions.
We write Must_a(P) if every trace π ∈ FullTraces(P) contains a.
Example 7. Consider the program P_loop = (D, loop m n), where m and n are integer constants and D is:

  loop x y = if x ≤ 0 ∨ y ≤ 0 then (event end; ( )) else (loop (x − 1) y ✷ loop x (y − 1)).

Here, the event end is used to signal the termination of the program. The function loop non-deterministically updates the values of x and y until either x or y becomes non-positive. The must-termination of the program is characterized by Φ_{Ploop,must} = (E, loop m n), where E is:

  loop x y =µ (x ≤ 0 ∨ y ≤ 0 ⇒ true) ∧ (x > 0 ∧ y > 0 ⇒ (loop (x − 1) y) ∧ (loop x (y − 1))).

The following theorem guarantees that Φ_{P,must} is indeed a sound and complete characterization of must-reachability.
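Under the µ-reading of the formula for loop, must-reachability of end amounts to a least fixpoint in which both nondeterministic branches must succeed. The following Python sketch (our own; it assumes the program shape described in the text, where loop decrements x or y nondeterministically until one becomes non-positive) computes that fixpoint by structural recursion.

```python
import functools

@functools.lru_cache(maxsize=None)
def must_end(x, y):
    """Least-fixpoint reading of the must-reachability formula for loop:
    True iff every full trace from loop x y raises the event `end`."""
    if x <= 0 or y <= 0:
        return True                 # event end is raised, then the program stops
    # the nondeterministic branch ✷ becomes conjunction:
    # BOTH branches must reach end
    return must_end(x - 1, y) and must_end(x, y - 1)

print(must_end(3, 2))   # True: every branch eventually makes x or y non-positive
```

Termination of the recursion itself mirrors the argument for must-termination: each call strictly decreases x + y.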

Theorem 2. Let P be a program. Then, Must_a(P) if and only if L0 ⊨ Φ_{P,must}, for L0 = ({s⋆}, ∅, ∅, s⋆).
The proof is similar to that of Theorem 1; see Appendix B.2.

Trace Properties
Here we consider the verification problem: "Given a (non-ω) regular language L and a program P, does every finite event sequence of P belong to L (i.e., FinTraces(P) ⊆? L)?" and reduce it to an HFL_Z model checking problem. The verification of file-accessing programs considered in Section 3 may be considered an instance of this problem. Here we assume that the language L is closed under the prefix operation; this does not lose generality, because FinTraces(P) is also closed under the prefix operation. We write A_L = (Q, Σ, δ, q0) for the minimal deterministic automaton for L with no dead states (hence the transition function δ may be partial). Since L is prefix-closed, w ∈ L if and only if δ̂(q0, w) is defined, where δ̂ is defined by: δ̂(q, ε) = q and δ̂(q, aw) = δ̂(δ(q, a), w). We use the corresponding LTS L_L = (Q, Σ, {(q, a, q′) | δ(q, a) = q′}, q0) as the model of the reduced HFL_Z model checking problem.
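The definition of δ̂ can be transcribed directly. The Python sketch below uses the automaton for the prefix closure of read*·close·end; the concrete state names and edges are our own assumption, chosen to mirror the LTS L′_file of Section 3. Membership w ∈ L is exactly definedness of δ̂(q0, w).

```python
# Partial transition function of the (assumed) minimal deterministic automaton
# for the prefix closure of read*·close·end.
DELTA = {('q0', 'read'): 'q0', ('q0', 'close'): 'q1', ('q1', 'end'): 'q2'}

def delta_hat(q, word):
    """δ̂(q, ε) = q;  δ̂(q, a·w) = δ̂(δ(q, a), w);  None when δ is undefined."""
    for a in word:
        q = DELTA.get((q, a))
        if q is None:
            return None
    return q

def in_language(word):          # w ∈ L iff δ̂(q0, w) is defined
    return delta_hat('q0', word) is not None

print(in_language(['read', 'read', 'close', 'end']))   # True
print(in_language(['close', 'read']))                  # False: read after close
```

Note that every prefix of a word in L is also accepted, reflecting the prefix-closure assumption.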
Given the LTS L_L above, whether an event sequence a1 ··· ak belongs to L can be expressed as L_L ⊨? ⟨a1⟩···⟨ak⟩true. Whether all the event sequences in {a_{j,1} ··· a_{j,k_j} | j ∈ {1, ..., n}} belong to L can be expressed as L_L ⊨? ⋀_{j∈{1,...,n}} ⟨a_{j,1}⟩···⟨a_{j,k_j}⟩true. We can lift these translations for event sequences to a translation from a program (which can be considered a description of a set of event sequences) to an HFL_Z formula, as follows.
Example 8. The last program discussed in Section 3 is modeled as P2 = (D2, f m g), where m is an integer constant and D2 consists of:

  f y k = if y = 0 then (event close; k ( )) else (event read; f (y − 1) k);
  g x = event end; ( ).

Here, we have modeled accesses to the file, as well as termination, as events. Let L be the prefix closure of read*·close·end. Then L_L is the LTS L′_file in Section 3, and FinTraces(P2) ⊆ L can be verified by checking L_L ⊨ Φ_{P2,path}. ⊓⊔ Theorem 3. Let P be a program and L be a regular, prefix-closed language. Then, FinTraces(P) ⊆ L if and only if L_L ⊨ Φ_{P,path}.
As in Section 5, we first prove the theorem for programs in normal form, then lift it to recursion-free programs by using the preservation of the semantics of HFL_Z formulas under reductions, and further to arbitrary programs by using the (co-)continuity of the functions represented by fixpoint-free HFL_Z formulas. The proof is given in Appendix C.

Linear-Time Temporal Properties
This section considers the following problem: "Given a program P and an ω-regular word language L, does InfTraces(P) ∩ L = ∅ hold?" From the viewpoint of program verification, L represents the set of "bad" behaviors. This can be considered an extension of the problems considered in the previous sections. The reduction to HFL model checking is more involved than those in the previous sections. To see the difficulty, consider the program P0 defined by:

  f x = if c then (event a; f x) else (event b; f x),

where c is some boolean expression and the main term is f ( ). Let L be the complement of (a*b)^ω, i.e., the set of infinite sequences that contain only finitely many b's. Following Section 6 (and noting that InfTraces(P) ∩ L = ∅ is equivalent to InfTraces(P) ⊆ (a*b)^ω in this case), one may be tempted to prepare an LTS like the one in Figure 4 (which corresponds to the transition function of a (parity) word automaton accepting (a*b)^ω) and translate the program to an HES Φ_{P0} of the form:

  f x =α (c ⇒ ⟨a⟩(f x)) ∧ (¬c ⇒ ⟨b⟩(f x)),

where α is µ or ν. However, such a translation would not work. If c = true, then InfTraces(P0) = {a^ω}, hence InfTraces(P0) ∩ L ≠ ∅; thus, α should be µ for Φ_{P0} to be unsatisfied. If c = false, however, InfTraces(P0) = {b^ω}, hence InfTraces(P0) ∩ L = ∅; thus, α must be ν for Φ_{P0} to be satisfied.
The example above suggests that we actually need to distinguish between the two occurrences of f in the body of f's definition. Note that f is called after different events, a and b, in the then- and else-clauses respectively. This difference is important, since we are interested in whether b occurs infinitely often. We thus duplicate f and replace the program with the following program P_dup:

  f_b x = if c then (event a; f_a x) else (event b; f_b x);
  f_a x = if c then (event a; f_a x) else (event b; f_b x),

with the main term f_b ( ). For checking InfTraces(P0) ∩ L = ∅, it is now sufficient to check that f_b is recursively called infinitely often. We can thus obtain the following HES:

  f_b x =ν (c ⇒ ⟨a⟩(f_a x)) ∧ (¬c ⇒ ⟨b⟩(f_b x));
  f_a x =µ (c ⇒ ⟨a⟩(f_a x)) ∧ (¬c ⇒ ⟨b⟩(f_b x)).

Note that f_b and f_a are bound by ν and µ respectively, reflecting the fact that b should occur infinitely often, but a need not. If c = true, the formula is equivalent to νf_b.⟨a⟩(µf_a.⟨a⟩f_a), which is false. If c = false, then the formula is equivalent to νf_b.⟨b⟩f_b, which is satisfied by the LTS in Figure 4. The general translation is more involved due to the presence of higher-order functions, but, as in the example above, the overall translation consists of two steps. We first replicate functions according to which events may occur between two recursive calls, and reduce the problem InfTraces(P) ∩ L =? ∅ to a problem of analyzing which functions are recursively called infinitely often, which we call a call-sequence analysis. We can then reduce the call-sequence analysis to HFL model checking in a rather straightforward manner. The resulting HFL formula actually does not contain modal operators; so, as in Section 5, the resulting problem is the validity checking of HFL formulas without modal operators.
In the rest of this section, we first introduce the call-sequence analysis problem and its reduction to HFL model checking in Section 7.1. We then show, in Section 7.2, how to reduce the temporal verification problem InfTraces(P) ∩ L =? ∅ to an instance of the call-sequence analysis problem.

Call-sequence analysis
We define the call-sequence analysis and reduce it to an HFL model checking problem. As mentioned above, in the call-sequence analysis, we are interested in analyzing which functions are recursively called infinitely often. Here, we say that g is recursively called from f if f x̃ = t_f ∈ D and the call to g originates from t_f (a more formal definition is given in Definition 6 below). For example, consider the following program P_app, a twisted version of P_dup above, which routes its recursive calls through an auxiliary function app.
Then f_a is "recursively called" from f_a (e.g., f_a 5 −→*_D a term containing f_a 4), and so is app. We are interested in infinite chains of recursive calls f0 f1 f2 ···, and in which functions may occur infinitely often in each chain. For instance, the program above has the unique infinite chain (f_b f_a^5)^ω, in which both f_a and f_b occur infinitely often. (Besides this infinite chain, the program has finite chains like f_b app; note that this chain cannot be extended further, as the body of app does not contain any occurrence of the recursive functions app, f_a, and f_b.) We define the notions of recursive calls and call sequences more formally below.
Definition 6 (recursive call relation, call sequences). Let P = (D, f 1 s) be a pro- . . , f ♯ n are fresh symbols. Thus, D ♯ has two copies of each function symbol, one of which is marked by ♯. For the terms t i and t j that do not contain marked symbols, we write

and (ii) t_j is obtained by erasing all the marks in t′_j. We write Callseq(P) for the set of (possibly infinite) sequences of function symbols obtained as chains of the recursive call relation. We write InfCallseq(P) for the subset of Callseq(P) consisting of infinite sequences, i.e., Callseq(P) ∩ { f_1, . . . , f_n }^ω.
For example, for P_app above, Callseq(P_app) is the prefix closure of the set of chains described above.

Definition 7 (Call-sequence analysis). A priority assignment for a program P is a function Ω : funs(P) → N from the set of function symbols of P to the set N of natural numbers. We write ⊨csa (P, Ω) if every infinite call sequence g_0 g_1 g_2 · · · ∈ InfCallseq(P) satisfies the parity condition w.r.t. Ω, i.e., if the largest number occurring infinitely often in Ω(g_0)Ω(g_1)Ω(g_2) · · · is even. Call-sequence analysis is the problem of deciding, given a program P with a priority assignment Ω, whether ⊨csa (P, Ω) holds.
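The parity condition of Definition 7 is easy to evaluate for an ultimately periodic call sequence, since the priorities occurring infinitely often are exactly those of the functions in the loop part. A minimal sketch (the function name and the dictionary encoding of Ω are our own):

```python
def satisfies_parity(omega, loop):
    """Parity condition for the ultimately periodic call sequence
    prefix . loop^omega: the priorities occurring infinitely often are
    exactly those of the functions in `loop`, so the condition holds
    iff the largest such priority is even."""
    return max(omega[g] for g in loop) % 2 == 0
```

With a priority assignment in the style used for P_dup above (Ω(f_a) = 1, Ω(f_b) = 2), the sequence (f_b f_a)^ω satisfies the condition, while (f_a)^ω does not.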
For example, for P_app and the priority assignment Ω = { app → 0, f_a → 1, f_b → 2 }, we have ⊨csa (P_app, Ω), since the unique infinite call sequence (f_b f_a)^ω satisfies the parity condition. The call-sequence analysis can naturally be reduced to HFL model checking against the trivial LTS L_0 = ({s⋆}, ∅, ∅, s⋆) (or to validity checking).
For the sake of simplicity, we assume, without loss of generality,11 that every program P = (D, t) in this section is non-terminating and that every infinite reduction sequence produces infinitely many events, so that FullTraces(P) = InfTraces(P) holds. We also assume that the ω-regular language L for the temporal verification problem is specified by a non-deterministic parity word automaton [12]. We recall the definition of non-deterministic parity word automata below.

Definition 9 (Parity automaton).
A non-deterministic parity word automaton (NPW)12 is a quintuple A = (Q, Σ, δ, q_I, Ω), where (i) Q is a finite set of states; (ii) Σ is a finite alphabet; (iii) δ, called the transition function, is a total map from Q × Σ to 2^Q; (iv) q_I ∈ Q is the initial state; and (v) Ω : Q → {0, . . . , p − 1} is the priority function. A run of A on an ω-word a_0 a_1 · · · ∈ Σ^ω is an infinite sequence of states ρ = ρ(0)ρ(1) · · · ∈ Q^ω such that (i) ρ(0) = q_I, and (ii) ρ(i + 1) ∈ δ(ρ(i), a_i) for each i ∈ ω. An ω-word w ∈ Σ^ω is accepted by A if there exists a run ρ of A on w such that max{ Ω(q) | q ∈ Inf(ρ) } is even, where Inf(ρ) is the set of states that occur infinitely often in ρ. We write L(A) for the set of ω-words accepted by A.
For technical convenience, we assume below that δ(q, a) ≠ ∅ for every q ∈ Q and a ∈ Σ; this loses no generality, since if δ(q, a) = ∅, we can introduce a new "dead" state q_dead (with priority 1) and change δ(q, a) to {q_dead}.
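To make the acceptance condition concrete, the following sketch decides acceptance of an ultimately periodic word u · v^ω, restricted for simplicity to a *deterministic* parity automaton with a total transition function as assumed above (the paper works with non-deterministic automata; the encoding and names here are our own):

```python
def dpw_accepts(delta, omega, q0, prefix, loop):
    """Acceptance of the ultimately periodic word prefix . loop^omega by a
    deterministic parity word automaton. delta maps (state, letter) to a
    state (total); omega maps each state to its priority; `loop` must be
    non-empty. The run is itself ultimately periodic, so the states seen
    infinitely often are those on the lasso's cycle."""
    q = q0
    for a in prefix:
        q = delta[(q, a)]
    # Iterate the loop until the state at a loop boundary repeats.
    seen, boundary = {}, []
    while q not in seen:
        seen[q] = len(boundary)
        boundary.append(q)
        for a in loop:
            q = delta[(q, a)]
    # Collect all states visited during one traversal of the cycle.
    cycle_states = []
    for s in boundary[seen[q]:]:
        cur = s
        for a in loop:
            cycle_states.append(cur)
            cur = delta[(cur, a)]
    return max(omega[s] for s in cycle_states) % 2 == 0
```

For instance, with states q_a, q_b where reading a leads to q_a and reading b leads to q_b, and priorities Ω(q_a) = 0, Ω(q_b) = 1, the word (ab)^ω is rejected (priority 1 recurs) while b·a^ω is accepted.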
Example 10. Consider the automaton A_ab = ({q_a, q_b}, {a, b}, δ, q_a, Ω), where δ is as given in Figure 4, Ω(q_a) = 0, and Ω(q_b) = 1.

The goal of this subsection is, given a program P and a parity word automaton A, to construct another program P′ and a priority assignment Ω for P′, such that InfTraces(P) ∩ L(A) = ∅ if and only if ⊨csa (P′, Ω).
Note that a necessary and sufficient condition for InfTraces(P) ∩ L(A) = ∅ is that no trace in InfTraces(P) has a run satisfying the parity condition; in other words, for every sequence in InfTraces(P) and for every run of A on that sequence, the largest priority occurring infinitely often in the associated priority sequence is odd. As explained at the beginning of this section, we reduce this condition to a call-sequence analysis problem by appropriately duplicating functions in the given program. For example, recall the program P_0.

11 As noted at the beginning of this section, every finite trace can be turned into an infinite trace by inserting (fresh) dummy events. Then, InfTraces(P) ∩ L = ∅ holds if and only if InfTraces(P′) ∩ L′ = ∅, where P′ is the program obtained from P by inserting dummy events, and L′ is the set of all event sequences obtained by inserting dummy events into sequences in L.

12 Note that non-deterministic Büchi automata may be viewed as instances of non-deterministic parity word automata with only two priorities, 1 and 2, where accepting and non-accepting states have priorities 2 and 1 respectively. We also note that deterministic parity, non-deterministic parity, and non-deterministic Büchi word automata all accept the same class of ω-regular languages; we opt for non-deterministic parity word automata because the translations from the other classes to NPW are trivial, whereas the opposite directions may blow up the size of the automaton.
It is translated to the following program P′_0, where c is some (closed) boolean expression. Since the largest priorities encountered before calling f_a and f_b (since the last recursive call) are 0 and 1 respectively, we assign those priorities plus 1 (to flip odd/even-ness) to f_a and f_b, i.e., Ω = { f_a → 1, f_b → 2 }. The problem of whether InfTraces(P_0) ∩ L(A) = ∅ is then reduced to ⊨csa (P′_0, Ω). Note here that the priorities of f_a and f_b represent summaries of the priorities (plus one) that occur in the run of the automaton between the last recursive call and the calls of f_a and f_b respectively; thus, the largest priority of the states occurring infinitely often in the run for an infinite trace corresponds to the largest priority occurring infinitely often in the sequence of summaries.
Due to the presence of higher-order functions, the general reduction is more complicated than in the example above. First, we need to replicate not only function symbols but also arguments. For example, consider the following variation P_1 of P_0 above. Here, we have just made the calls to f indirect by introducing the function g. Obviously, the two calls to k in the body of g must be distinguished from each other, since different priorities are encountered before each call. We thus duplicate the argument k and obtain the following program P′_1. Then, for the priority assignment Ω = { f_a → 1, f_b → 2, g → 1 }, InfTraces(P_1) ∩ L(A_ab) = ∅ if and only if ⊨csa (P′_1, Ω). Secondly, we need to take into account not only the priorities of the states visited by A, but also the states themselves. For example, if we have a function definition f h = h (event a; f h), the largest priority encountered before f is recursively called in the body of f depends on the priorities encountered inside h, and also on the state of A when h uses the argument event a; f h (because the state after the a event depends, in general, on the previous state).
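The "summary" idea above can be illustrated for a deterministic automaton: run it over the events emitted between two recursive calls and record the largest priority visited; the reduction then assigns this value plus one to the corresponding duplicated function. A sketch with our own illustrative encoding (the automaton mirrors A_ab with Ω(q_a) = 0 and Ω(q_b) = 1; the helper name is hypothetical):

```python
def summary(delta, omega, q, events):
    """Run a deterministic parity automaton from state q over the event
    segment `events`; return the state reached and the largest priority
    visited along the way (the 'summary' of the segment)."""
    m = omega[q]
    for a in events:
        q = delta[(q, a)]
        m = max(m, omega[q])
    return q, m
```

From state q_a, the segment "a" yields summary 0 (so the copy f_a receives priority 0 + 1 = 1), and the segment "b" yields summary 1 (so f_b receives priority 2), matching the priority assignment used for P′_0 above.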
We therefore use intersection types (à la Kobayashi and Ong's intersection types for HORS model checking [24]) to represent summary information on how each function traverses the states of the automaton, and replicate each function and its arguments for each type. We thus formalize the translation as an intersection-type-based program transformation; related transformation techniques are found in [9,13,14,23,44].

Definition 10. Let A = (Q, Σ, δ, q_I, Ω) be a non-deterministic parity word automaton. Let q and m range over Q and the set codom(Ω) of priorities respectively. The set Types_A of intersection types, ranged over by θ, is defined by the grammar below. We assume a certain total order < on Types_A × N, and require that the components (θ_i, m_i) of ⋀_{1≤i≤k}(θ_i, m_i) be sorted with respect to <. We often write (θ_1, m_1) ∧ · · · ∧ (θ_k, m_k) for ⋀_{1≤i≤k}(θ_i, m_i), and ⊤ when k = 0.

Intuitively, the type q describes expressions of simple type ⋆ that may be evaluated when the automaton A is in state q (here, we have in mind an execution of the product of a program and the automaton, where the latter consumes the events produced by the program and changes its state accordingly). The type (⋀_{1≤i≤k}(θ_i, m_i)) → θ describes functions that take an argument, use it according to the types θ_1, . . . , θ_k, and return a value of type θ. Furthermore, the component m_i indicates that the argument may be used as a value of type θ_i only when the largest priority visited since the function was called is m_i. For example, given the automaton in Example 10, the function λx.(event a; x) may have types (q_a, 0) → q_a and (q_a, 1) → q_b, because the body may be evaluated from state q_a or q_b (thus the return type may be either of them), and x is used only when the automaton is in state q_a, the largest priority visited being 0 or 1 respectively. In contrast, λx.(event b; x) may have types (q_b, 1) → q_a and (q_b, 1) → q_b, since the b event takes the automaton to state q_b, whose priority is 1.
Using the intersection types above, we shall define a type-based transformation relation of the form Γ ⊢ A t : θ ⇒ t ′ , where t and t ′ are the source and target terms of the transformation, and Γ, called an intersection type environment, is a finite set of type bindings of the form x : int or x : (θ, m, m ′ ). We allow multiple type bindings for a variable x except for x : int (i.e. if x : int ∈ Γ, then this must be the unique type binding for x in Γ). The binding x : (θ, m, m ′ ) means that x should be used as a value of type θ when the largest priority visited is m; m ′ is auxiliary information used to record the largest priority encountered so far.
The transformation relation Γ ⊢_A t : θ ⇒ t′ is inductively defined by the rules in Figure 5. (For technical convenience, we have extended terms with λ-abstractions; they may occur only in top-level function definitions.) The operation Γ↑m used in the figure is applied when the priority m is encountered, in which case the recorded largest priority is updated accordingly. The key rules are IT-Var, IT-Event, IT-App, and IT-Abs. In IT-Var, the variable x is replicated for each type; in the target of the translation, x_{θ,m} and x_{θ′,m′} are treated as different variables if (θ, m) ≠ (θ′, m′). The rule IT-Event reflects the state change caused by the event a in the type and the type environment. Since the state change may be non-deterministic, we transform t for each of the possible next states q_1, . . . , q_n, and combine the resulting terms with non-deterministic choice. The rules IT-App and IT-Abs replicate function arguments for each type. In addition, in IT-App, the operation Γ↑m_i reflects the fact that t_2 is used as a value of type θ_i after the priority m_i has been encountered. The other rules transform terms in a compositional manner. If the target terms are ignored, the rules are close to those of Kobayashi and Ong's type system for HORS model checking [24].
We now define the transformation for programs. A top-level type environment Ξ is a finite set of type bindings of the form x : (θ, m). Like intersection type environments, Ξ may have more than one binding for each variable.

Fig. 5. Type-based Transformation Rules for Terms

Example 11. Consider the automaton A_ab in Example 10 and the program P_2 = (D_2, f 5), where D_2 consists of the following function definitions. Let Ξ be as follows; Appendix F shows how t_g and t_f are derived. Notice that f, g, and the arguments of g have been duplicated. Furthermore, whenever f_{θ,m} is called, the largest priority that has been encountered since the last recursive call is m. For example, in the then-clause of f_{int→q_a,0}, f_{int→q_b,1}(x − 1) may be called through g_{(q_a,0)∧(q_b,1)→q_a,0}. Since g_{(q_a,0)∧(q_b,1)→q_a,0} uses its second argument only after an event b, the largest priority encountered is 1. This property is crucial for the correctness of our reduction.
The following theorem claims the soundness and completeness of our reduction; see Appendix E for a proof. Furthermore, one can effectively find an appropriate transformation; see Appendix E.5 for a proof sketch.

Theorem 6. For every P and A, one can effectively construct Ξ, P′, and Ω such that InfTraces(P) ∩ L(A) = ∅ if and only if ⊨csa (P′, Ω).

For an order-k program P, the size of P′ is polynomial in the size of P if the other parameters (the size of A and the largest arity of functions in P) are fixed, but the worst-case size of P′ can be k-fold exponential in those parameters. As in HORS model checking [7,21,37], however, we expect that the worst case is rarely encountered in realistic verification problems.
Combined with the reduction from call-sequence analysis to HFL model checking, we have thus obtained an effective reduction from the temporal verification problem of whether InfTraces(P) ⊆ L(A) to HFL model checking.

Related Work
As mentioned in Section 1, our reduction from program verification problems to HFL model checking has been partially inspired by the translation of Kobayashi et al. [22] from HORS model checking to HFL model checking. As in their translation (and unlike in previous applications of HFL model checking [31,48]), our translation switches the roles of properties and models (or programs) to be verified. Although a combination of their translation with Kobayashi's reduction from program verification to HORS model checking [20,21] yields an (indirect) translation from finite-data programs to pure HFL model checking problems, the combination does not work for infinite-data programs. In contrast, our translation is sound and complete even for infinite-data programs. Among the translations in Sections 5-7, the translation in Section 7.2 shares some similarity with theirs, in that functions and their arguments are replicated for each priority. The actual translations are, however, quite different: ours is type-directed and optimized for a given automaton, whereas theirs is not. This difference comes from the difference in goals: the goal of [22] was to clarify the relationship between HORS and HFL, so their translation was designed to be independent of an automaton. The proof of correctness of our translation in Section 7 is much more involved (cf. Appendices D and E), due to the need to deal with integers. Whilst the proof of [22] could reuse the type-based characterization of HORS model checking [24], we had to generalize the arguments of both [24] and [22] to work on infinite-data programs.
Lange et al. [31] have shown that various process equivalence checking problems (such as bisimulation and trace equivalence) can be reduced to (pure) HFL model checking problems. The idea of their reduction is quite different from ours. They reduce processes to LTSs, whereas we reduce programs to HFL formulas.
Major approaches to automated or semi-automated higher-order program verification have been HORS model checking [20,21,26,30,34,36,49], (refinement) type systems [16,27,38,41,42,45,47,52], Horn clause solving [2,8], and their combinations. As already discussed in Section 1, compared with the HORS model checking approach, our new approach provides a more uniform, streamlined method. Whilst the HORS model checking approach aims at fully automated verification, our approach enables various degrees of automation: after verification problems are automatically translated to HFL_Z formulas, one can prove them (i) interactively, using a proof assistant like Coq (see Appendix G); (ii) semi-automatically, by letting users provide hints for induction/co-induction and discharging the remaining proof obligations with (some extension of) an SMT solver; or (iii) fully automatically, by recasting the techniques used in the HORS-based approach; for example, to deal with the ν-only fragment of HFL_Z, we can reuse the technique of predicate abstraction [26]. For a more technical comparison between the HORS-based approach and our HFL-based approach, see Appendix H.
As for type-based approaches [16,27,38,41,42,45,47,52], most of the refinement type systems are (i) restricted to safety properties, and/or (ii) incomplete. A notable exception is the recent work of Unno et al. [46], which provides a relatively complete type system for the classes of properties discussed in Section 5. Our approach deals with a wider class of properties (cf. Sections 6 and 7). Moreover, their "relative completeness" relies on Gödel coding of functions, which cannot be exploited in practice.
Reductions from program verification to Horn clause solving have recently been advocated [2][3][4] or used [38,45] (via refinement type inference problems) by a number of researchers. Since Horn clauses can be expressed in a fragment of HFL without modal operators, fixpoint alternations (between ν and µ), or higher-order predicates, our reductions to HFL model checking may be viewed as extensions of those approaches. Higher-order predicates and fixpoints over them have allowed us to provide sound and complete characterizations of properties of higher-order programs for a wider class of properties. Bjørner et al. [4] propose an alternative approach to obtaining a complete characterization of safety properties, which defunctionalizes higher-order programs by using algebraic data types and then reduces the problems to (first-order) Horn clauses. A disadvantage of that approach is that control-flow information of higher-order programs is also encoded into algebraic data types; hence, even for finite-data higher-order programs, the Horn clauses obtained by the reduction belong to an undecidable fragment. In contrast, our reductions yield pure HFL model checking problems for finite-data programs. Burn et al. [8] have recently advocated the use of higher-order (constrained) Horn clauses for verification of safety properties of higher-order programs (which correspond to the negations of the may-reachability properties discussed in Section 5.1 of the present paper). They interpret recursion using the least fixpoint semantics, so their higher-order Horn clauses roughly correspond to a fragment of HFL_Z without modal operators and fixpoint alternations. They have not shown a general, concrete reduction from safety property verification to higher-order Horn clause solving (see the last paragraph of the conclusion of [8]).
The characterization of the reachability problems in Section 5 in terms of formulas without modal operators is reminiscent of the predicate transformers [10,15] used for computing weakest preconditions of imperative programs. In particular, [5] and [15] respectively used least fixpoints to express weakest preconditions for while-loops and recursions.

Conclusion
We have shown that various verification problems for higher-order functional programs can be naturally reduced to (extended) HFL model checking problems. In all the reductions, a program is mapped to an HFL formula expressing the property that the behavior of the program is correct. For developing verification tools for higher-order functional programs, our reductions allow us to focus on the development of (automated or semi-automated) HFL_Z model checking tools (or, even more simply, theorem provers for HFL_Z without modal operators, as the reductions of Sections 5 and 7 yield HFL formulas without modal operators). To this end, we have developed a prototype model checker for pure HFL (without integers), which will be reported in a separate paper. Work is under way to develop HFL_Z model checkers by recasting the techniques [26,29,30,49] developed for the HORS-based approach, which, together with the reductions presented in this paper, would yield fully automated verification tools. We have also started building a Coq library for interactively proving HFL_Z formulas, as briefly discussed in Appendix G. As a final remark, although one may fear that our reductions map program verification problems to "harder" problems because of the expressive power of HFL_Z, this is not the case, at least for the classes of problems in Sections 5 and 6, which use only the alternation-free fragment of HFL_Z. The model checking problems for µ-only and ν-only HFL_Z are semi-decidable and co-semi-decidable respectively, like the source verification problems of may/must-reachability and their negations for closed programs.

B.1 Proofs for Section 5.1

To prove the theorem, we define the reduction relation t −→_D t′ as given in Figure 7. It differs from the labeled transition semantics in that non-deterministic choices and event prefixes event a; · · · are not eliminated; this semantics is more convenient for establishing the relationship between a program and the corresponding HFL_Z formula.
It should be clear that a ∈ Traces(D, t) if and only if t −→*_D E[event a; t′] for some t′. We shall first prove the theorem for recursion-free programs. To this end, we prepare a few lemmas.
The following lemma says that the semantics of HFL Z formulas is preserved by reductions of the corresponding programs.
Lemma 1. Let D = { f_1 x̃_1 = t_1, . . . , f_n x̃_n = t_n }, and let (F_1, . . . , F_n) be the least fixpoint of the corresponding functional. If t −→_D t′, then t†may(ρ) = t′†may(ρ), where ρ = { f_1 → F_1, . . . , f_n → F_n }.

Proof. We proceed by case analysis on the rule used for deriving t −→_D t′.

- Case R-IfT: In this case, we obtain t†may(ρ) = t′†may(ρ) directly, as required.
- Case R-IfF: Similar to the above case.
⊓⊔

The following lemma says that Theorem 1 holds for programs in normal form.

Proof. The proof proceeds by induction on the structure of t. By the condition t ̸−→_D and the (implicit) assumption that ⊢ (D, t), t is generated by the following grammar: t ::= ( ) | event a; t′ | t_1 □ t_2.

- Case t = ( ): The result follows immediately, as t is not of the form E[event a; t′], and t†may = false.
- Case t = event a; t′: The result follows immediately, as t is of the form E[event a; t′], and t†may = true.
- Case t = t_1 □ t_2: By the induction hypothesis, the required property holds for t_1 and t_2, from which the property for t follows.

The following lemma says that Theorem 1 holds for recursion-free programs; it is an immediate corollary of Lemmas 1 and 2 and the strong normalization property of the simply-typed λ-calculus.

Lemma 3. Let P be a recursion-free program. Then, a ∈ Traces(P) if and only if P†may holds.

We show the required property by induction on the length n of the reduction sequence. ⊓⊔

To prove Theorem 1 for arbitrary programs, we use the fact that the semantics of P†may may be approximated by P^(i)†may, where P^(i) is the recursion-free program obtained by unfolding the recursive functions i times (a more formal definition will be given later). To guarantee the correctness of this finite approximation, we introduce a slightly non-standard notion of (ω-)continuous functions below.
Definition 11. For an LTS L = (U, A, −→, s init ) and a type σ, the set of continuous elements Cont L,σ ⊆ D L,σ and the equivalence relation = cont,L,σ ⊆ Cont L,σ × Cont L,σ are defined by induction on σ as follows.
Here, Cont_{L,σ}(↑ω) denotes the set of increasing infinite sequences a_0 ⊑ a_1 ⊑ a_2 ⊑ · · · consisting of elements of Cont_{L,σ}. We just write =cont for =cont,L,σ when L and σ are clear from the context.

Remark 2. Note that we require that a continuous function return a continuous element only if its argument is continuous. To see the need for this requirement, consider an LTS with a singleton state set {s} and the function f = λx : ((int → •) → •).λy : (int → •).x y. One may expect that f is continuous in the usual sense (i.e., that f preserves limits), but this fails when f is applied to a suitably chosen non-continuous function g.

Lemma 4. Let {x_i}_{i∈ω}, {y_i}_{i∈ω} ∈ Cont_{L,σ}(↑ω) with x_i =cont,L,σ y_i for every i ∈ ω. Then ⊔_{i∈ω} x_i =cont,L,σ ⊔_{i∈ω} y_i.

Proof. The proof proceeds by induction on σ. The base case, where σ = • or σ = int, is trivial, as Cont_{L,σ} = D_{L,σ} and =cont,L,σ is the identity relation. Consider the induction step, where σ = σ_1 → τ. We first check that ⊔_{i∈ω} x_i ∈ Cont_{L,σ}. To this end, suppose z_1 =cont,L,σ_1 z_2. By the continuity of x_i and the assumption z_1 =cont,L,σ_1 z_2, we have x_i z_1 =cont,L,τ x_i z_2 for each i. By the induction hypothesis, we have ⊔_{i∈ω}(x_i z_1) =cont,L,τ ⊔_{i∈ω}(x_i z_2), as required. To check the second condition for ⊔_{i∈ω} x_i ∈ Cont_{L,σ}, suppose that {z_j}_{j∈ω} ∈ Cont_{L,σ_1}(↑ω). We need to show (⊔_{i∈ω} x_i)(⊔_{j∈ω} z_j) =cont,L,τ ⊔_{j∈ω}((⊔_{i∈ω} x_i) z_j), which indeed follows by the continuity of each x_i and the induction hypothesis. Thus, we have proved ⊔_{i∈ω} x_i ∈ Cont_{L,σ}. The proof of ⊔_{i∈ω} y_i ∈ Cont_{L,σ} is the same.
It remains to check that z =cont,L,σ_1 w implies (⊔_{i∈ω} x_i) z =cont,L,τ (⊔_{i∈ω} y_i) w. Suppose z =cont,L,σ_1 w. Note that x_i z =cont,L,τ y_i w follows from the assumptions x_i =cont,L,σ y_i and z =cont,L,σ_1 w; applying the induction hypothesis, we obtain ⊔_{i∈ω}(x_i z) =cont,L,τ ⊔_{i∈ω}(y_i w), as required. This completes the proof of the induction step. ⊓⊔

The following lemma guarantees the continuity of the functions expressed by fixpoint-free HFL_Z formulas.

Lemma 5 (continuity of fixpoint-free functions).
Let L be an LTS. If ϕ is a closed, fixpoint-free HFL Z formula of type τ, then ϕ ∈ Cont L,τ .
Proof. We write ∆_cont for the set of valuations { ρ ∈ ⟦∆⟧ | ρ(f) ∈ Cont_{L,σ} for each f : σ ∈ ∆ }, and =cont,L,∆ for the corresponding pointwise equivalence on valuations. We show the following property by induction on the derivation of ∆ ⊢ ϕ : σ; the lemma then follows as the special case ∆ = ∅. We perform case analysis on the last rule used for deriving ∆ ⊢ ϕ : σ, and discuss only the main cases; the others are similar or straightforward.

Lemma 6 (fixpoint of continuous functions). Let L be an LTS and f be a continuous function; then the least fixpoint of f is obtained as the limit of the chain f^β(⊥_{L,τ}). The details of the transfinite induction are as follows. For a given ordinal β, define f^β(⊥_{L,τ}) by transfinite induction.

- Assume that β is a limit ordinal and τ = σ_1 → · · · → σ_k → •. Since the limit of functions is defined pointwise, the claim follows in this case.

We are now ready to prove Theorem 1. Below we extend continuous functions to those on tuples, and make use of the Bekić property relating a simultaneous recursive definition of multiple functions to a sequence of recursive definitions; see, e.g., [50], Chapter 10.

Proof (of Theorem 1). Given a program P, let P^(i) (i ∈ ω) be the recursion-free programs obtained by unfolding the recursive definitions i times. Then, we obtain the required result as follows.

B.2 Proofs for Section 5.2
We first prepare lemmas corresponding to Lemmas 1-3.
Proof. Almost the same as the proof of Lemma 1. ⊓⊔

Proof. The proof proceeds by induction on the structure of t. By the condition t ̸−→_D, t is generated by the following grammar: t ::= ( ) | event a; t′ | t_1 □ t_2. The case analysis is similar to that in the proof of Lemma 2 (with t†must = true in the case t = event a; t′). ⊓⊔

Proof (of Theorem 2). Let P^(i) be the recursion-free program defined in the proof of Theorem 1. Then, we obtain the required result as follows.
(by the definition of P (i) ) ⇔ Must a (P (i) ) for some i (Lemma 9) ⇔ Must a (P).

C Proofs for Section 6
We first modify the reduction semantics in Figure 7 by adding the following rule for distributing events with respect to □. We write −→_{D,dist} for this modified version of the reduction relation. We call an evaluation context event-free if it is generated only by the following syntax:

Proof. Since t ̸−→_{D,dist}, t must be of the form □_{i∈{1,...,m}} (event a_{i,1}; · · · event a_{i,n_i}; ( )) (where □_{i∈{1,...,m}} t_i denotes a combination of t_1, . . . , t_m with □). Thus, the result follows by the definition of Φ_{P,path}.
⊓⊔

Lemma 11. Let (D, t) be a program and L be a prefix-closed regular language, where D = { f_1 x̃_1 = t_1, . . . , f_n x̃_n = t_n }, and let (F_1, . . . , F_n) be the greatest fixpoint of the corresponding functional.

By the Bekić property, (D, t)†path_L = t†path_L(ρ) for ρ = { f_1 → F_1, . . . , f_n → F_n }. We show the claim by case analysis on the rule used for deriving t −→_{D,dist} t′.

- Case R-Fun: Since (F_1, . . . , F_n) is a fixpoint, we have t†path_L(ρ) = t′†path_L(ρ) as required.
- Case R-IfT: In this case, the result follows as in the proof of Lemma 1.
- Case R-IfF: Similar to the above case.
Here, Cocont L,σ (↓ω) denotes the set of decreasing infinite sequences a 0 ⊒ a 1 ⊒ a 2 ⊒ · · · consisting of elements of Cocont L,σ . We just write = cocont for = cocont,L,σ when L and σ are clear from the context.
The following lemma is analogous to Lemma 5.
Proof. The proof is almost the same as that of Lemma 5. We write ∆_cocont for the set of valuations { ρ ∈ ⟦∆⟧_L | ρ(f) ∈ Cocont_{L,σ} for each f : σ ∈ ∆ }. We show the following property by induction on the derivation of ∆ ⊢ ϕ : σ: if ϕ is fixpoint-free and ∆ ⊢ ϕ : σ, then (i) ⟦∆ ⊢ ϕ : σ⟧_L(ρ) ∈ Cocont_{L,σ} for every ρ ∈ ∆_cocont; and (ii) the interpretation commutes with limits of decreasing sequences of valuations. The lemma then follows as the special case ∆ = ∅. We perform case analysis on the last rule used for deriving ∆ ⊢ ϕ : σ; we discuss only two cases below, as the rest is almost the same as in the proof of Lemma 5.

- Case HT-Some: In this case, ϕ = ⟨a⟩ϕ′ with ∆ ⊢ ϕ : • and σ = •. Condition (i) is trivial since Cocont_{L,•} = D_{L,•}. Condition (ii) follows using the key step (*), which is obtained as follows. One direction is immediate. For the converse, since the set { s′ | s −a→ s′ } is finite and the sets S_i decrease monotonically, the intersection ⋂_{i∈ω} S_i must be non-empty; thus we have the required result.
- Case HT-All: In this case, ϕ = [a]ϕ′ with ∆ ⊢ ϕ : • and σ = •. Condition (i) is trivial, and condition (ii) follows similarly.

The following lemma states a standard property of cocontinuous functions [40]; it can be proved in the same manner as Lemma 6.

D Game-based characterization of HES
Fix an LTS L and let E = (X_1^{τ_1} =_{α_1} ϕ_1; · · · ; X_n^{τ_n} =_{α_n} ϕ_n). The goal of this section is to construct a parity game G_{L,E} characterizing the semantic interpretation of the HES E (or, equivalently, of (E, X_1)) over the LTS L. The game-based characterization will be used to prove some of the results in Section 7.

D.1 Preliminary: Parity Game
A parity game G is a tuple (V_P, V_O, E, Ω) where
- V_P and V_O are disjoint sets of Proponent and Opponent nodes, respectively,
- E ⊆ V × V, where V = V_P ∪ V_O, is the set of edges, and
- Ω : (V_P ∪ V_O) → N is a priority function whose image is bounded.
A play of a parity game is a (finite or infinite) sequence v_1 v_2 . . . of nodes in V such that (v_i, v_{i+1}) ∈ E for every i. We write · for the concatenation operation. An infinite play v_1 v_2 . . . is said to satisfy the parity condition if max Inf(Ω(v_1)Ω(v_2) . . . ) is even, where Inf(m_1 m_2 · · ·) is the set of numbers that occur infinitely often in m_1 m_2 · · ·. A play is maximal if either it is a finite sequence v_1 · · · v_n whose last node v_n has no successor (i.e., { v | (v_n, v) ∈ E } = ∅), or it is infinite. A maximal play is P-winning (or simply winning) if either it is finite and its last node is an Opponent node, or it is infinite and satisfies the parity condition.
A finite play v_1 · · · v_n conforms with a partial function S from plays to nodes if v_{i+1} = S(v_1 · · · v_i) whenever v_i ∈ V_P. An infinite play conforms with S if so does every finite prefix of the play. The partial function S is a P-strategy on V_0 ⊆ V (or simply a strategy on V_0) if it is defined on every play that conforms with S, starts from a node in V_0, and ends with a node in V_P. A strategy is P-winning on V_0 ⊆ V (or simply winning on V_0) if every maximal play that conforms with the strategy and starts from V_0 is P-winning. We say that Proponent wins the game G on V_0 ⊆ V if there exists a P-winning strategy of G on V_0. O-strategies and O-winning strategies are defined similarly.
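For finite parity games, the winner from each node can be computed with Zielonka's classical recursive algorithm. The following is a minimal sketch for total games (every node has a successor, so all maximal plays are infinite), with player 0 pursuing the "largest priority occurring infinitely often is even" objective, as Proponent does here. The representation and names are our own:

```python
def attractor(nodes, succ, owner, player, target):
    """Nodes in `nodes` from which `player` can force the play into
    `target`: the player needs one successor in the set, the other
    player must have all successors in it."""
    attr = set(target) & set(nodes)
    changed = True
    while changed:
        changed = False
        for v in nodes:
            if v in attr:
                continue
            succs = [w for w in succ[v] if w in nodes]
            if owner[v] == player:
                ok = any(w in attr for w in succs)
            else:
                ok = bool(succs) and all(w in attr for w in succs)
            if ok:
                attr.add(v)
                changed = True
    return attr

def zielonka(nodes, succ, owner, prio):
    """Return (W0, W1): the winning regions of players 0 and 1."""
    if not nodes:
        return set(), set()
    p = max(prio[v] for v in nodes)
    i = p % 2  # player who is happy if p recurs forever
    A = attractor(nodes, succ, owner, i, {v for v in nodes if prio[v] == p})
    w = list(zielonka(nodes - A, succ, owner, prio))
    if not w[1 - i]:
        result = [set(), set()]
        result[i] = set(nodes)
        return result[0], result[1]
    B = attractor(nodes, succ, owner, 1 - i, w[1 - i])
    wb = list(zielonka(nodes - B, succ, owner, prio))
    wb[1 - i] = wb[1 - i] | B
    return wb[0], wb[1]
```

For example, in a game with nodes a (player 0, priority 2), b (player 1, priority 1) looping a → b → a, and c (player 0, priority 1) with a self-loop, player 0 wins from a and b while player 1 wins from c.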
We shall consider only games of limited shape, which we call bipartite games.
Let G be a bipartite parity game and S be a strategy of G on V 0 . Let n be the maximum priority in G. A (partial) mapping ̟ : V O ⇀ γ n is a parity progress measure of S on V 0 if it satisfies the following condition:

Lemma 15 ([18]).
Let G be a bipartite parity game and S be a strategy of G on V 0 ⊆ V. If there exists a parity progress measure of S on V 0 , then S is a winning strategy on V 0 .
Proof. Let ̟ be a parity progress measure of S on V_0. We prove the claim by contradiction: assume an infinite play v_1 v_2 . . . that conforms with S, starts from V_0, and violates the parity condition. Assume v_1 ∈ V_O; the other case is proved similarly.
Let ℓ = max Inf(Ω(v_1)Ω(v_2) . . . ). Then there exists k such that Ω(v_i) ≤ ℓ for every i ≥ k. By the definition of parity progress measures, ̟ then yields an infinite strictly decreasing sequence of ordinals along the play, a contradiction.

The following is a basic property of complete-prime algebraic lattices, which will be used later.
Then a γ is the least fixed point of f . We shall write a β as f β (⊥ A ).

Lemma 17. Let (A, ≤) be a complete lattice and f : A → A be a monotone function.
For every complete prime p ∈ A, the minimum ordinal β such that p ≤ f β (⊥) is a successor ordinal.
Proof. If τ = •, then D_{L,τ} = 2^U is ordered by set inclusion, and the complete primes are the singleton sets {q} (q ∈ U). For function types, D_{L,σ→τ} is the set of monotone functions ordered pointwise. Given an element d ∈ D_{L,σ} and a complete prime p ∈ D_{L,τ}, consider the function f_{d,p} defined by f_{d,p}(e) = p if d ⊑ e, and f_{d,p}(e) = ⊥ otherwise. These functions are complete primes of D_{L,σ→τ}. It is not difficult to see that every element is the least upper bound of a set of complete primes. ⊓⊔

Definition 15 (Parity game for HES).
The parity game G_{L,E} is defined by the following data; the priority of each Opponent node is 0, and the priority of a Proponent node (p, X_i) is determined by the index i and the fixpoint operator α_i. The parity game defined above is analogous to the typability game for HES defined by [22]. A position (p, X_i) ∈ V_P represents the state in which Proponent tries to show that p ⊑ ⟦(E, X_i)⟧. To show p ⊑ ⟦(E, X_i)⟧, Proponent picks a valuation ρ = [X_1 → x_1, . . . , X_n → x_n] such that p ⊑ ⟦ϕ_i⟧(ρ) indeed holds. A position (x_1, . . . , x_n) ∈ V_O represents such a valuation, and Opponent challenges Proponent's assumption that ρ = [X_1 → x_1, . . . , X_n → x_n] is a valid valuation, i.e., that x_i ⊑ ⟦(E, X_i)⟧ holds for each i. To this end, Opponent chooses some i, picks a complete prime p′ such that p′ ⊑ x_i, and asks why p′ ⊑ ⟦(E, X_i)⟧ holds, as represented by the edge ((x_1, . . . , x_n), (p′, X_i)). (Note that Lemma 18 implies that x_i ⊑ ⟦(E, X_i)⟧ if and only if p′ ⊑ ⟦(E, X_i)⟧ for every complete prime p′ such that p′ ⊑ x_i; it therefore suffices for Opponent to consider only complete primes.) As in the typability game for HES defined by [22], a play may continue indefinitely, in which case the winner is determined by the largest priority of the nodes (p, X_i) visited infinitely often.
The goal of this section is to show that p ⊑ E L if and only if Proponent wins G L,E on (p, X 1 ) (Theorem 7 given at the end of this subsection).
We start from an alternative description of the interpretation of an HES. Let us define the family {ϑ_i}_{i=1,…,n} of substitutions by induction on n − i, together with the family {ψ_i}_{i=1,…,n} of formulas. The substitution ϑ_i maps X_{i+1}, …, X_n to closed formulas, and thus ϑ_i ϕ_j (j ≤ i) is a formula with free variables X_1, …, X_i. The formula ψ_i has free variables X_1, …, X_{i−1}. In particular, ψ_1 = toHFL(E, X_1).

Lemma 19.
We have Proof. By induction on n − i. For each i, the claim is proved by induction on the structure of formulas ϕ i . The last claim follows from the fact that ψ 1 = toHFL(E, X 1 ) and:

⊓ ⊔
We first prove the following lemma, which implies that the game-based characterization is complete, i.e., that p ⊑ E L only if Proponent wins G L,E on (p, X 1 ).
Let us first define a strategy S of G L,E on V 0 . It is defined for plays of the form v · (d 1 , . . . , d n ) · (p, X i ) where (d 1 , . . . , d n ) ∈ V 0 . The next node is determined by the last two nodes as follows.
- Case α_i = ν: The next node is (d_1, …, d_{i−1}, c_i, c_{i+1}, …, c_n), where c_j = g_j(d_1, …, d_{i−1}, c_i, c_{i+1}, …, c_{j−1}) for j ≥ i. This choice is valid by the assumption d_i ⊑ g_i(d_1, …, d_{i−1}) and Lemma 19.
- Case α_i = µ: Since p is a complete prime and p ⊑ µy. f_{i,i}(x_1, …, x_{i−1}, y), we have p ⊑ (λy. f_{i,i}(x_1, …, x_{i−1}, y))^β(⊥) for some ordinal β. Let β_0 be the minimum such ordinal. Since p is a complete prime, β_0 is a successor ordinal by Lemma 17, i.e., β_0 = β′_0 + 1 for some β′_0. Then we define e = (λy. f_{i,i}(x_1, …, x_{i−1}, y))^{β′_0}(⊥), which determines the next node.

It is not difficult to see that S is indeed a strategy on V_0. We prove that S is winning by giving a parity progress measure for S on V_0. Let γ be an ordinal greater than the cardinality of D_{L,τ_ℓ} for every ℓ ∈ {1, …, n}. The (partial) mapping V_O ∋ (d_1, …, d_n) ↦ (β_1, …, β_n) ∈ γ^n is well-defined on V_0, and it is not difficult to see that this mapping is a parity progress measure of the strategy S. ⊓ ⊔

Next, we prepare lemmas used to prove that the game-based characterization is sound, i.e., that the existence of a winning strategy of G_{L,E} on (p, X_1) implies p ⊑ E_L. We first prove this result for a specific class of strategies, which we call stable strategies. Then we show that every winning strategy can be transformed into a stable one.

Definition 16 (Stable strategy). A strategy
An important property of a stable winning strategy is as follows.

Proof. By induction on the order P_n < Q_n < P_{n−1} < Q_{n−1} < ⋯ < P_1 < Q_1. Let S be a stable winning strategy of G_{L,E} on V_0 ⊆ V.

(P_n) The claim follows from the definition of the game G_{L,E} and Lemma 19.

(P_j with j < n) We first show that d_{j+1} ⊑ g_{j+1}(d_1, …, d_j). Since D_{L,τ_{j+1}} is complete-prime algebraic, it suffices to show q ⊑ g_{j+1}(d_1, …, d_j) for every complete prime q ⊑ d_{j+1}. Given a complete prime q ⊑ d_{j+1}, the sequence ṽ · (p, X_i) · (d_1, …, d_n) · (q, X_{j+1}) is a valid play that conforms with S. Let (c_1, …, c_n) = S(ṽ · (p, X_i) · (d_1, …, d_n) · (q, X_{j+1})).
Then, by Lemma 19, we obtain the desired inequality, where the first step follows from the induction hypothesis and the second from d_{j+1} ⊑ g_{j+1}(d_1, …, d_j) and the monotonicity of f_{i,j+1}.
Since the complete prime q ⊑ d_j is arbitrary and D_{L,E} is complete-prime algebraic, we have d_j ⊑ f_{j,j}(d_1, …, d_{j−1}, d_j). Hence d_j is a prefixed point of λy. f_{j,j}(d_1, …, d_{j−1}, y), so d_j ⊑ νy. f_{j,j}(d_1, …, d_{j−1}, y). By the induction hypothesis and Lemma 19, we obtain the claim.

(Q_j with α_j = µ) Let ṽ · (p, X_j) · (d_1, …, d_n) be a play that conforms with S and starts from V_0. We define a relation ≻ on opponent nodes: O_1 ≻ O_2 if there is a play segment from O_1 to O_2 that conforms with S in which every proponent node is of the form (q, X_j). Every play of the form v · (p, X_j) · (d_1, …, d_n) · (p_1, X_j) · (c_{1,1}, …, c_{1,n}) · (p_2, X_j) · (c_{2,1}, …, c_{2,n}) ⋯ that conforms with S eventually terminates, because S is a winning strategy and the priority of (p_i, X_j) is odd (recall that opponent nodes have priority 0). Hence the relation ≻ defined above is well-founded. We prove the following claim by induction on the well-founded relation ≻: let ṽ · (p, X_j) · (d_1, …, d_n) · ṽ_1 · (c_1, …, c_n) be a play that conforms with S and starts from V_0, and suppose that every proponent node in ṽ_1 is of the form (q, X_j); then c_j ⊑ µy. f_{j,j}(d_1, …, d_{j−1}, y).
that conforms with S and starts from V_0. Because S is stable and ṽ_1 does not contain a node of the form (r, X_{j′}) with j′ ≠ j, the induction hypothesis of the above claim gives c′_j ⊑ µy. f_{j,j}(d_1, …, d_{j−1}, y). By the induction hypothesis of the lemma, q ⊑ µy. f_{j,j}(d_1, …, d_{j−1}, y) for every complete prime q ⊑ c_j, and thus c_j ⊑ µy. f_{j,j}(d_1, …, d_{j−1}, y). By the same argument, we have d_j ⊑ µy. f_{j,j}(d_1, …, d_{j−1}, y). This completes the proof of the above claim.
By the induction hypothesis, the above claim, and Lemma 19, we obtain the required inequality. ⊓ ⊔

Proof. Let S be a winning strategy on the node (d_1, …, d_n). Since G_{L,E} is a parity game, we may assume without loss of generality that S is memoryless. Given nodes v and v′ of the game and j ∈ {1, …, n}, we say that v′ is reachable from v following S if there exists a play v v_1 … v_ℓ v′ that conforms with S. We say that v′ is j-reachable from v following S if, furthermore, every proponent node (p, X_i) on the play satisfies i = j. Define d′_k = ⋁{ e_k | (e_1, …, e_n) is reachable from (d_1, …, d_n) following S }. Suppose that v_0 v_1 … v_ℓ is a play that conforms with S′ and ends with an opponent node v_ℓ ∈ V_O (hence ℓ > 0 is even). Let v_ℓ = (c_1, …, c_n). We first prove a claim for every k = 1, …, n.
• If ℓ = 2, then the claim holds by definition. Let v_0 · v_1 ⋯ v_ℓ · (p, X_i) be a play that conforms with S′ and starts from v_0 = (d′_1, …, d′_n). Let (c_1, …, c_n) = S′(v_0 · v_1 ⋯ v_ℓ · (p, X_i)) and (e_1, …, e_n) = S((p, X_i)). Since (e_1, …, e_n) is reachable from (p, X_i) following S, the above claim shows that e_m ⊑ c_m for every 1 ≤ m ≤ n. Since p ⊑ ϕ_i([X_1 ↦ e_1, …, X_n ↦ e_n]), we have p ⊑ ϕ_i([X_1 ↦ c_1, …, X_n ↦ c_n]). Hence S′ is indeed a strategy.
By the definition and the above claim, it is easy to see that S′ is a stable strategy. We show that the strategy S′ is winning on (d′_1, …, d′_n). Let v_0 v_1 … be an infinite play that conforms with S′ and starts from (d′_1, …, d′_n). Let j be the minimum index of the variables appearing infinitely often in the play. Then the play can be split into segments (c_{1,1}, …, c_{1,n}) · (p_2, X_j) · w_2 · (c_{2,1}, …, c_{2,n}) · (p_3, X_j) · …, where each w_k is a (possibly empty) sequence of nodes, and c_{m,j} = ⋁{ e_j | (e_1, …, e_n) is j-reachable from (p_m, X_j) following S }, since the j-th component of opponent nodes is unchanged during w_m. By the definition of the edges of the game, p_{m+1} ⊑ c_{m,j}. Since p_{m+1} is a complete prime, there exists (e_1, …, e_n) that is j-reachable from (p_m, X_j) following S and such that p_{m+1} ⊑ e_j. By the definition of j-reachability, there exists a sequence of nodes w′_m connecting (p_m, X_j) to (e_1, …, e_n); concatenating these segments yields a play that conforms with S and starts from v′_0 = (d_1, …, d_n). Since S is winning on v′_0, this sequence satisfies the parity condition, i.e., the priority of X_j is even. Hence the original play, which conforms with S′, also satisfies the parity condition. ⊓ ⊔

We are now ready to prove soundness and completeness of the game-based characterization.

D.4 The Opposite Parity Game
This subsection defines a game in which Proponent tries to disprove p ⊑ E_L by giving an upper bound E_L ⊑ q. A similar construction can be found in Salvati and Walukiewicz [39]; our construction can be seen as an infinitary variant of theirs. We first define the notion of complete coprimes, the dual of complete primes.

Definition 17 (Complete coprime). Let (A, ≤) be a complete lattice. An element p ∈ A is a complete coprime if (1) p ≠ ⊤ and (2) for every U ⊆ A, ⋀U ≤ p implies y ≤ p for some y ∈ U.
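Dually to the earlier observation about complete primes, for a small finite U one can check exhaustively that the complete coprimes of (2^U, ⊆) are exactly the complements U∖{q} of singletons; the following Python sketch (illustrative only) verifies condition (2) by brute force:

```python
# Illustration for a small finite U: the complete coprimes of (2^U, ⊆) are
# exactly the complements U∖{q} of singletons.
from itertools import chain, combinations

U = frozenset({0, 1, 2})
elems = [frozenset(s) for s in
         chain.from_iterable(combinations(sorted(U), r) for r in range(len(U) + 1))]

def is_complete_coprime(p):
    """p ≠ ⊤ and: ⋂S ⊆ p implies y ⊆ p for some y ∈ S (⋂∅ is taken to be U)."""
    if p == U:
        return False
    for S in chain.from_iterable(combinations(elems, r) for r in range(len(elems) + 1)):
        meet = frozenset.intersection(*S) if S else U
        if meet <= p and not any(y <= p for y in S):
            return False
    return True

coprimes = [p for p in elems if is_complete_coprime(p)]
print(sorted(sorted(p) for p in coprimes))  # → [[0, 1], [0, 2], [1, 2]]
```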
Lemma 24. If (A, ≤) is complete-prime algebraic, then every x ∈ A satisfies x = ⋀{ p | x ≤ p, p: complete coprime }.

Proof. Since A is complete-prime algebraic, by Lemma 16 it suffices to show that, for every complete prime q with q ≰ x, we have q ≰ ⋀{ p | x ≤ p, p: complete coprime }, i.e., that there exists a complete coprime p ≥ x such that q ≰ p. Let q be a complete prime with q ≰ x, and let p = ⋁{ q′ | q ≰ q′, q′: complete prime }. We show that p is indeed a complete coprime with p ≥ x and q ≰ p. (Note that x ≤ p, since every complete prime below x is not above q.) We first check q ≰ p. If it were the case that q ≤ p, then q ≤ p = ⋁{ q′ | q ≰ q′, q′: complete prime } would imply q ≤ q′ for some q′ with q ≰ q′ (as q is a complete prime), a contradiction. It remains to check that p is a complete coprime. Since q ≰ p, we have p ≠ ⊤. Suppose that ⋀_{y∈U} y ≤ p. If q ≤ y for every y ∈ U, then q ≤ p, a contradiction; hence q ≰ y for some y ∈ U. For this y we have y = ⋁{ q″ | q″ ≤ y, q″: complete prime } ≤ p, where the inequality comes from the fact that q″ ≤ y implies q ≰ q″; indeed, if q″ ≤ y and q ≤ q″, then q ≤ q″ ≤ y, a contradiction. ⊓ ⊔

Definition 18 (Opposite parity game). The opposite parity game is defined by the following data:
Each opponent node has priority 0, and the priority of a node (p, X_i) is one greater than its priority in G_{L,E}. The opposite game is obtained from G_{L,E} by replacing complete primes with complete coprimes and ⊑ with ⊒.

Proof. Let S be a P-winning strategy of the opposite game on (p, X_i) (where p is a complete coprime). We may assume without loss of generality that S is memoryless. Let p′ ∈ D_{L,τ_i} be a complete prime such that p′ ≰ p. Let (q, X_j) be a Proponent node of G_{L,E} and (q′, X_{j′}) be a Proponent node of the opposite game; we say that they are inconsistent if j = j′ and q′ ≰ q. Suppose that our choice satisfies the following property: if (p, X_i) · v_1 · v_2 ⋯ v_k is the chosen play corresponding to (p′, X_i) · v′_1 · v′_2 ⋯ v′_k, then (p, X_i) · v_1 · v_2 ⋯ v_{k−1} is the chosen play for (p′, X_i) · v′_1 · v′_2 ⋯ v′_{k−1}.
(A way to achieve this is to introduce a well-ordering on the nodes of G_{L,E} and to choose the minimum play, with respect to the lexicographic ordering, among those that satisfy the requirement.) We define an Opponent strategy S for G_{L,E}, defined on admissible plays starting from (p′, X_i). Consider an admissible play of G_{L,E} and the chosen play of the opposite game corresponding to it, so that v_j and v′_j are inconsistent for every j ∈ {1, …, k}. Hence d′_ℓ ≰ d_ℓ implies that there exist a complete prime q′ ⊑ d′_ℓ and a complete coprime q with d_ℓ ⊑ q such that q′ ≰ q. The Opponent strategy S chooses (q′, X_ℓ) as the next node in G_{L,E}.
We show that S is indeed an O-strategy of G_{L,E} on (p′, X_i). It suffices to show that every play (p′, X_i) · v′_1 ⋯ v′_k that conforms with the Opponent strategy S is admissible. If k = 0, the play is obviously admissible. Let (p′, X_i) · v′_1 ⋯ v′_k be a play that conforms with S and assume that it is admissible. If v′_k is an Opponent node, the next node v′_{k+1} is determined by S, and the extended play (p′, X_i) · v′_1 ⋯ v′_{k+1} is admissible by the definition of S. Consider the case where v′_k = (p′_k, X_{i_k}) is a Proponent node. Since this play is admissible, we have the chosen play (p, X_i) · v_1 · v_2 ⋯ v_k of the opposite game corresponding to it. Then v_j and v′_j are inconsistent for every j = 1, …, k.
So S is defined for every play that conforms with S and starts from (p′, X_i).
We show that S is O-winning. As S does not get stuck, it suffices to show that every infinite play following S does not satisfy the parity condition. Assume an infinite play following S. By the definition of S, every finite prefix of the play is admissible. Let (p ′ , X i ) · v k,1 · · · · · v k,k be the chosen play for the prefix of the above play of length k. Then, by the assumption on the choice, the choice of each node does not depend on the length of the prefix, i.e. v k,i = v k ′ ,i for every i ≥ 1 and k, k ′ ≥ i. Hence the above infinite play is "admissible" in the sense that there exists an infinite play in G L,E that conforms with S and such that (p ℓ , X i ℓ ) and (p ′ ℓ , X i ′ ℓ ) are inconsistent for every ℓ. Hence i ℓ = i ′ ℓ for every ℓ. Because (priority of (p ℓ , X i ℓ ) in G L,E ) = (priority of (p ′ ℓ , X i ℓ ) in G L,E ) + 1, the latter play satisfies the parity condition if and only if the former play does not satisfy the parity condition. Since S is a winning strategy, we conclude that the former play does not satisfy the parity condition. ⊓ ⊔

E Proof for Section 7 E.1 Some definitions
Here we introduce some notions and notations, which are useful in proofs of results of Section 7.

Definition 19 (Choice sequences).
Let π be an infinite sequence over {L, R}, called a choice sequence. We define a reduction relation (u; π) −→_D (u′; π′) on pairs of a term and a choice sequence. We sometimes omit labels and just write (u; π) −→_D (u′; π′) for the labeled relation. A choice sequence resolves the nondeterminism of a program P: a reduction sequence is completely determined by its initial term, its length, and a choice sequence. We write −→^k_D for the k-step reduction relation. If (t_0, π_0) −→_D (t_1, π_1) −→_D ⋯ −→_D (t_k, π_k), then we write t_0 −→_D t_1 −→_D ⋯ −→_D t_k and say that this reduction sequence follows π_0.
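The way a choice sequence resolves nondeterminism can be sketched in Python on a hypothetical term representation (the constructors 'choice' and 'val' are illustrative, not the paper's syntax), where each branch consumes one letter of π:

```python
# Sketch on a hypothetical term representation: a choice sequence π over
# {L, R} resolves every nondeterministic branch, so the reduction is
# determined by the initial term, its length, and π.

def reduce_with_choices(term, pi):
    """term: ('choice', left, right) or ('val', v); pi: iterator of 'L'/'R'."""
    while term[0] == 'choice':
        _, left, right = term
        term = left if next(pi) == 'L' else right
    return term[1]

prog = ('choice', ('val', 'close'), ('choice', ('val', 'read'), ('val', 'loop')))
print(reduce_with_choices(prog, iter('RL')))  # follows R then L → 'read'
```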
We introduce a slightly more elaborate notion of the recursive call relation below. Note that the relation f t D g u in Definition 6 coincides with f t D g u redefined below.

Definition 20 (Recursive call relation, call sequences). Let P = (D, main) be a program, with D
. . , f ♯ n are fresh symbols. So D ♯ has two copies of each function symbol, one of which is marked. For the terms t i and t j that do not contain marked symbols, we write (then t j is obtained by erasing all the marks in t ′ j ). If there exists a (finite or infinite) sequence ( fs; π) D · · · and call it a call sequence of fs following π. We often omit the number k j of steps and the choice sequence π. Given a program P = (D, main), the set of call sequences of P is a subset of (finite or infinite) sequences of function symbols defined by Callseq(P) := { main g 1 g 2 · · · | main D g 1 u 1 D g 2 u 2 D · · · }.
Note that this holds by the definition above. We write t^♯ for the term obtained by marking all function symbols in t.

E.2 Existence of a unique infinite call-sequence
Let P = (D, main) be a program, π ∈ {L, R}^ω a choice sequence, and main −→_D t_1 −→_D t_2 −→_D ⋯ the infinite reduction sequence following π. This subsection proves that this reduction sequence has a unique infinite call-sequence main ⇝_D g_1 ũ_1 ⇝_D g_2 ũ_2 ⇝_D ⋯.
Lemma 26. Let P = (D, main) be a program and π ∈ {L, R} ω be a choice sequence. Suppose we have an infinite reduction sequence

Then there exists an infinite call-sequence
Proof. Kobayashi and Ong [25, Appendix B] have proved a similar result for simply-typed programs without integers. We remove integers from D as follows:
- First, replace each conditional branch if p(t′_1, …, t′_k) then t_1 else t_2 with the nondeterministic branch between t_1 and t_2.
-Then replace each integer expression with the unit value.
Let us write D ′ for the resulting function definitions. Then there exists a choice π ′ such that π ′ main −→ D ′ t ′ 1 −→ D ′ t ′ 2 −→ D ′ · · · and, for every i ≥ 1, t ′ i is obtained from t i by the above translation. By the result of Kobayashi and Ong, this sequence has an infinite call-sequence. This call-sequence can be transformed into a call-sequence of the original reduction sequence.
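The integer-removal translation used in this proof can be sketched on a hypothetical term representation (the constructors 'if', 'op', 'int', 'app', 'var', 'choice', 'unit' are illustrative, not the paper's syntax):

```python
# Sketch of the integer-erasing translation: conditionals become
# nondeterministic branches and integer expressions become the unit value.

def erase_integers(t):
    tag = t[0]
    if tag == 'if':                # if p(...) then t1 else t2  ↦  branch(t1, t2)
        _, _cond, t1, t2 = t
        return ('choice', erase_integers(t1), erase_integers(t2))
    if tag in ('int', 'op'):       # integer expressions ↦ unit
        return ('unit',)
    if tag == 'app':
        return ('app', erase_integers(t[1]), erase_integers(t[2]))
    return t                       # variables, function symbols, unit

t = ('if', ('op', '>', ('int', 1), ('int', 0)),
     ('app', ('var', 'f'), ('int', 3)),
     ('var', 'g'))
print(erase_integers(t))
# → ('choice', ('app', ('var', 'f'), ('unit',)), ('var', 'g'))
```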
Suppose that (f ũ; π) −→^k_D (g ṽ; π′). Given an occurrence of g in f ũ, we write f′ ũ′ for the term obtained by replacing that occurrence of g with g^♯. We say that the head occurrence of g in g ṽ is a copy of the occurrence of g in f ũ if the mark is propagated to that head occurrence, where ℓ ≥ 1, k = Σ_{j=0}^{ℓ} k_j, and h_1 is a copy of the occurrence of h in f ũ (hence h_1 = h as function symbols). It is not difficult to see that, given a reduction sequence (f ũ; π) −→^k_D (g ṽ; π′), there exists a unique ancestor of g in f ũ.
Lemma 27. For every term t and choice sequence π ∈ {L, R} ω , there exists at most one infinite call-sequence of t following π.
Proof. Let t_0 −→_D t_1 −→_D t_2 −→_D ⋯ be the infinite reduction sequence following π. In this proof we consider only sequences following π, and hence we omit π. Assume, for contradiction, that there exist two different infinite call-sequences, whose first differing elements are h_1 and k_1. Since both call-sequences are infinite, the reduction sequence switches between them infinitely often. Since h_{i_1} is not an ancestor of k_{j_1}, an ancestor of k_{j_1} must appear in ṽ_{i_1}, say in the ℓ_1-th argument v_{i_1,ℓ_1}. Since k_{j_1} appears in the reduction sequence, v_{i_1,ℓ_1} must reach a head position. So an ancestor of h_{i_2} must appear in s̃_1, say s_{1,ℓ_2}. Since an ancestor of k_{j_2} appears in v_{i_1,ℓ_1}, there is no ancestor in s̃_1, in particular in s_{1,ℓ_2}. Hence there is an ancestor of k_{j_2} in s̃_2, say s_{2,ℓ_3}. By repeatedly applying this argument, we obtain a decomposition of the reduction sequence in which the order of s_{m,ℓ_m} is strictly greater than that of s_{m+1,ℓ_{m+1}} for every m, since s_{m+1,ℓ_{m+1}} is an argument of s_{m,ℓ_m}. As orders are natural numbers, such an infinite strictly decreasing sequence is impossible; this contradicts the assumption that the program D is simply typed.

Corollary 1. Let P = (D, main) be a program and
be the infinite reduction sequence following π. Then there exists a unique infinite call-sequence of this reduction sequence, i.e.

E.3 Proof of Theorem 4
Let L_0 = ({s_⋆}, ∅, ∅, s_⋆) be the transition system with one state and no transitions. This section shows that, given a program P = (D, main) with priority assignment Ω, ⊨_csa(P, Ω) holds if and only if L_0 ⊨ Φ_{(P,Ω),csa}. Without loss of generality, we assume below that P is of the form (D, main); note that, if P = (D, t), then we can replace it with (D ∪ {main = t}, main). Fix a program P = (D, main) with priority assignment Ω. Suppose that D = { f_1 x̃_1 = t_1, …, f_n x̃_n = t_n } and let κ_i be the simple type of f_i. We can assume without loss of generality that main = f_1. Let Ω′ be a priority assignment equivalent to Ω, in the sense that an infinite sequence g_1 g_2 … of function symbols satisfies the parity condition with respect to Ω if and only if it does so with respect to Ω′; hence we can assume without loss of generality that Ω itself has the required form. Given a type κ (resp. η) of the target language, we define a type κ†_csa (resp. η†_csa) for HFL. We often write just t for K ⊢ t : η (on the assumption that the simple type environment for t is implicitly determined).
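The equivalence of priority assignments can be illustrated concretely: for an eventually periodic call sequence, the parity condition depends only on the largest priority occurring infinitely often, so, for example, shifting all priorities by an even constant preserves it. A small Python sketch with hypothetical symbols and priorities:

```python
# Hypothetical priority assignment Ω on function symbols; for an eventually
# periodic call sequence, the priorities occurring infinitely often are
# exactly those of the symbols in the repeated cycle.

def satisfies_parity(omega, cycle):
    """Parity condition: the largest priority occurring infinitely often is even."""
    return max(omega[g] for g in cycle) % 2 == 0

omega = {'main': 0, 'f': 1, 'g': 2}
shifted = {k: v + 2 for k, v in omega.items()}   # shift by an even constant
cycle = ['f', 'g']
print(satisfies_parity(omega, cycle), satisfies_parity(shifted, cycle))  # → True True
```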
Proof. By induction on the structure of t. ⊓ ⊔

Definition 22 (Parity game for a program). The parity game G_{L,(P,Ω)} is defined by the following data:
The priority of (d 1 , . . . , d n ) is 0 and that of (p, f i ) is the priority Ω( f i ) of f i .

there exists a bijection of nodes that preserves the owner and the priority of each node.
Proof. The bijection on nodes is given by (d 1 , . . . , d n ) ↔ (d 1 , . . . , d n ) and (p, f i ) ↔ (p, f i ). This bijection preserves edges because of Lemma 28.

⊓ ⊔
We define a strategy of G L 0 ,(P,Ω) on ({s ⋆ }, f 1 ) by inspecting the reduction sequences of P. The technique used here is the same as [24]. In this construction, we need to track occurrences of a function symbol or a term in a reduction sequence. This can be achieved by marking symbols and terms if needed as in Definition 6. In the sequel, we shall not introduce explicit marking and use the convention that, if the same metavariable appears in a reduction sequence (e.g. f u −→ * u v), then the first one is the origin of all others.
The occurrence of t in t u_1 … u_k (k ≥ 0) is called a head occurrence. Given a head occurrence of t in a term reachable from main (i.e., main −→*_D t ũ for some ũ), we assign an element d_{t,ũ} ∈ D_{L_0,κ}, where κ is the simple type of t, by induction on the order of κ.
- Case ũ is empty: Then t : ⋆ and we define d_{t,ǫ} = {s_⋆}.
-Case tũ = t u 1 . . . u k : Note that the order of u j (1 ≤ j ≤ k) is less than that of t. For every 1 ≤ j ≤ k, we define e j as follows.
• Case u j : int: Then e j = u j . (Note that u j has no free variable and no function symbol.) • Case u j : κ: Let e j be the element defined by Then d t,ũ is the function defined by Note that d t,ũ is the minimum function such that d t,ũ (e 1 , . . . , e k ) = {s ⋆ }.
Let θ = [s 1 /x 1 , . . . , s k /x k ] and assume main −→ * D (θt 0 )ũ. We define a mapping from function symbols and variables to elements of their semantics domain as follows.
Proof. By induction on v.
Proof. By induction on the structure of t 0 .
Since this occurrence of f_i originates from t_0, we have d_{f_i,ũ} = ρ_{t_0,ũ,θ}(f_i).
- Case t_0 = n or t_0 = t_1 op t_2: Never occurs, because the type of t_0 must be of the form η_1 → ⋯ → η_ℓ → ⋆.

⊓ ⊔
The strategy S_P of G_{L_0,P} on ({s_⋆}, main) is defined as follows. Each play ({s_⋆}, main) · O_1 · (p_1, g_1) · O_2 ⋯ O_k · (p_k, g_k) in the domain of S_P is associated with a call-sequence. The canonical associated call-sequence of the play is the minimum one with respect to the lexicographic ordering on (m_1, ξ_1, m_2, ξ_2, …, m_k, ξ_k).
Assume that the above call-sequence is canonical, and consider the next step of this reduction sequence. In this situation, the strategy S_P chooses (ρ_{t,ǫ,ϑ}(f_1), …, ρ_{t,ǫ,ϑ}(f_n)) as the next node. This is a valid choice:

Proof. By Lemma 30, we have d_{g_k,ũ_k}(ρ_{t,ǫ,ϑ}(x̃_k)) = {s_⋆}.
By definition, d_{g_k,ũ_k} is the least element such that d_{g_k,ũ_k}(ρ_{t,ǫ,ϑ}(x̃_k)) = {s_⋆}. Since p_k ⊑ d_{g_k,ũ_k}, the extended play is associated with the call-sequence above. Let (p_{k+1}, g_{k+1}) be the next opponent move. By the definition of the game, and since p_{k+1} is a complete prime, we have p_{k+1} ⊑ d_{g_{k+1},ṽ} for some ṽ with g_k ũ_k ⇝_D g_{k+1} ṽ. Then we have an associated call-sequence for the extended play.

Lemma 32. S_P is a winning strategy of G_{L_0,(P,Ω)} on ({s_⋆}, main) if every infinite call-sequence of P satisfies the parity condition.
Proof. The above argument shows that S_P is a strategy of G_{L_0,(P,Ω)} on ({s_⋆}, main). We prove that it is winning. Consider an infinite play ({s_⋆}, main) · v_1 · (p_1, g_1) · v_2 · (p_2, g_2) · … that conforms with S_P and starts from ({s_⋆}, main). Each odd-length prefix is associated with its canonical call-sequence. Let ξ_{k,i} be the sequence over {L, R} describing the choices made during g_{i−1} ũ_{k,i−1} ⇝^{m_{k,i}}_D g_i ũ_{k,i}. By the definitions of S_P and of the canonical call-sequence (which is the minimum with respect to the lexicographic ordering on (m_{k,1}, ξ_{k,1}, …, m_{k,k}, ξ_{k,k})), a prefix of the canonical call-sequence is the canonical call-sequence of the prefix. In other words, m_{k,i} = m_{k′,i} and ξ_{k,i} = ξ_{k′,i} for every i ≥ 1 and k, k′ ≥ i. Let us write m_i for m_{i,i} = m_{i+1,i} = ⋯ and ũ_i for ũ_{i,i} = ũ_{i+1,i} = ⋯, and let π = ξ_{1,1} ξ_{2,2} ξ_{3,3} …. Then we have an infinite call-sequence of main following π. Since every infinite call-sequence satisfies the parity condition, the infinite play is P-winning. ⊓ ⊔

Soundness
The proof of soundness (i.e., that L_0 ⊨ Φ_{(P,Ω),csa} implies ⊨_csa(P, Ω)) can be given in a manner similar to the proof of completeness. To show the contraposition, assume that there exists an infinite call-sequence that violates the parity condition, and let π be the choice sequence of this call-sequence. We construct a strategy S_{P,π} of the opposite game by inspecting the reduction sequence. Then, by Lemma 25, there is no winning strategy for G_{L_0,Φ_{(P,Ω),csa}}, which implies L_0 ⊭ Φ_{(P,Ω),csa} by Theorem 7.

Definition 23 (Opposite parity game for a program). The opposite parity game for (P, Ω) is defined as follows: the priority of (d_1, …, d_n) is 0 and that of (p, f_i) is Ω(f_i) + 1.

Let π_0 ∈ {L, R}^ω. Given a head occurrence of t in a term reachable from main following π_0 (i.e., (main; π_0) −→*_D (t ũ; π) for some ũ), we assign an element d_{t,ũ,π} ∈ D_{L_0,κ}, where κ is the simple type of t, by induction on the order of κ.
-Case u = u 1 . . . u k : Then tũ = t u 1 . . . u k . Note that the order of u j (1 ≤ j ≤ k) is less than that of t. For every 1 ≤ j ≤ k, we defineē j as follows.
Proof. Similar to the proof of Lemma 29.
Proof. By induction on the structure of t 0 .
-Case t 0 = event a; t: Then t 0 has type ⋆ andũ is the empty sequence.
Lemma 36. If the (unique) call-sequence following π_0 does not satisfy the parity condition, then S_{P,π_0} is a winning strategy of G_{L_0,(P,Ω)} on ({}, main).
Proof. The above argument shows that S P,π 0 is a strategy of G L 0 ,(P,Ω) on ({}, main).
We prove that this is winning. Consider an infinite play. By the definitions of S_{P,π_0} and of the canonical call-sequence (which is the minimum with respect to the lexicographic ordering on (k_{m,1}, …, k_{m,m})), a prefix of the canonical call-sequence is the canonical call-sequence of the prefix. In other words, k_{m,i} = k_{m′,i} for every i ≥ 1 and m, m′ ≥ i. Since a reduction sequence is completely determined by the choice sequence π_0, the initial term main, and the number of steps, we also have π_{m,i} = π_{m′,i} for every i ≥ 1 and m, m′ ≥ i. Let us write k_i for k_{i,i} = k_{i+1,i} = ⋯, u_i for u_{i,i} = u_{i+1,i} = ⋯, and π_i for π_{i,i} = π_{i+1,i} = ⋯. Now we have an infinite call-sequence following π_0. By Corollary 1, this is the unique call-sequence following π_0. Hence, by the assumption, this infinite call-sequence does not satisfy the parity condition, which means that this play is P-winning (recall the definition of the priorities of G_{L_0,(P,Ω)}). ⊓ ⊔

E.4 Proof of Theorem 5
Fix a total order on the set of states of the automaton A, used throughout the sequel. Recall the rule (IT-Event) in Fig. 5. Since the order of t′_1, …, t′_n is not important, we can assume without loss of generality that q_1 < q_2 < ⋯ < q_n holds for every instance of this rule used in a derivation.
Here we prove Theorem 5 for the translation using the following rule IT-Event' instead of IT-Event.
Given an intersection type environment Γ, we write the corresponding notation; similarly for an intersection type environment Γ and a top-level environment Ξ.

Modified type-based translation

Given programs P and P′ with Ξ ⊢_A P ⇒ (P′, Ω), the first step toward proving Theorem 5 is to compare reduction sequences of P and P′. There is a small gap between reduction sequences of P and of P′, since a reduction sequence of P′ represents a reduction sequence of P together with a run of A over the events generated by that reduction sequence. In particular, a nondeterministic branch in t′ comes either from a nondeterministic branch between t_1 and t_2 in P or from the nondeterminism of the transition rules of the automaton A.
To fill the gap, we shall distinguish between the two kinds of non-deterministic branches, by using • for the latter.
Formally, let us introduce a new binary construct • into the syntax of terms. We use the convention that the nondeterministic choice and • are right associative, i.e., t_1 • t_2 • t_3 means t_1 • (t_2 • t_3), and similarly for the nondeterministic choice. The operational behavior of • is the same as that of the nondeterministic choice, where π ∈ {L, R}^ω is a choice sequence.

Definition 24 (Modified type-based transformation). The modified type-based transformation judgment Γ ⊢_A t : θ ⇛ t′ is a quadruple, where t is a term without • and t′ is a term possibly containing •. The modified type-based transformation relation is defined by the rules in Fig. 8. The translation ⊢_A P ⇛ (P′, Ω) of programs is defined in the same way as ⊢_A P ⇒ (P′, Ω).
The next lemma establishes the connection between the original and modified transformations. Given a program P ′ with •, we write [ /•]P ′ for the program obtained by replacing • with .

⊓ ⊔
Suppose that Ξ ⊢ A P ⇛ (P ′ , Ω). Since P ′ simulates both P and the automaton A, an infinite reduction sequence of P ′ induces a pair of an infinite event sequence ℓ and a run R of A over ℓ.
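The pairing of an event sequence with a run of A can be sketched in Python on a hypothetical encoding (the transition function δ below is illustrative, in the spirit of the read/close example from the introduction):

```python
# Hypothetical nondeterministic automaton: δ maps (state, event) to the set of
# successor states; a run over an event sequence is a state sequence
# consistent with δ.

def runs(delta, q0, events):
    """All runs of the automaton from q0 over the given finite event sequence."""
    result = [[q0]]
    for a in events:
        result = [r + [q] for r in result
                  for q in sorted(delta.get((r[-1], a), set()))]
    return result

delta = {('q0', 'read'): {'q0'}, ('q0', 'close'): {'q1'}}
print(runs(delta, 'q0', ['read', 'read', 'close']))  # → [['q0', 'q0', 'q0', 'q1']]
```

An event sequence with no consistent run yields the empty list, which corresponds to the absence of any run of A over it.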

Definition 25 (Induced event sequence and run). Let D ′ be a function definition
possibly containing •. The reduction relation (s, π, q) ℓ,R −→ N D ′ (s ′ , π ′ , q ′ ), meaning that the N-step reduction following π from s to s ′ generates events ℓ associated with a run qR ending with q ′ , is defined by the following rules.
δ(q, a) = {q_1, …, q_n} (q_1 < q_2 < ⋯ < q_n). If (s_0, π_0, q_0) reduces repeatedly in this way, we say that the reduction from (s_0, q_0) follows π_0; if the number of steps (resp. π) is not important, we omit it. Other notations are defined similarly. It is easy to show that a reduction of (s, q) projects to a reduction of s in D′. As proved later in Lemma 41, the converse also holds: given a state q and s −→*_{D′} s′ generating ℓ (with a mild condition), there exist R and q′ such that (s, q) reduces to (s′, q′) generating (ℓ, R).

Basic properties of the type system and transformation

We prove the Weakening Lemma and the Substitution Lemma.
Proof. Straightforward induction on the structure of the derivations; we discuss only one case below.

⊓ ⊔
In order to simplify the statement of the substitution lemma, we introduce the following abbreviation. For ρ = ⋀_{1≤i≤l}(θ_i, m_i), we write Γ ⊢_A t : ρ ⇛ s̃, where s̃ = s_1 s_2 … s_l. If ρ = int, the judgment Γ ⊢_A t : ρ ⇛ s̃ has the obvious meaning (in this case, s̃ is of length 1). By using this notation, the application rule can be written compactly.

Lemma 39 (Substitution). Assume that the hypotheses hold. Then the conclusion holds.

Proof. The proof proceeds by induction on the derivation of ((Γ ∪ [x : ρ]) ↑ n) ∪ Γ′ ⊢_A t : θ ⇛ t′, with case analysis on the last rule used.
- Case for IT-Var: The case where t ≠ x is trivial; assume that t = x. The type ρ is either int or ⋀_{1≤i≤l}(θ_i, m_i). The former case is easy; we prove the latter case.
By Weakening (Lemma 38), we have the required judgment.
- Case for IT-Event-Alt: Then t = event a; t_1. For each j ∈ {1, …, k}, one can apply the induction hypothesis; by using IT-Event-Alt, we obtain the required judgment.
-Case for IT-App: Then t = t 1 t 2 and we have By the induction hypothesis, we have By using IT-App, we obtain: as required. -Case for IT-Abs: Then t = λy.s and we have By the induction hypothesis, we have By using IT-Abs, we obtain:

Simulations in both directions
Given Ξ ⊢_A P ⇛ (P′, Ω), we show that the following two data are equivalent:
1. a reduction sequence of P together with a run of A over the generated event sequence;
2. a reduction sequence of P′.

Lemma 40. Assume
Let qR be an arbitrary run of A over ℓ and let q′ be the last state of qR. Then there exist a term s′ and a type environment Γ′ ⊳ Ξ with the required properties.

Proof. By induction on the length of the reduction sequence t −→*_D t′ generating ℓ. The claim trivially holds if the length is 0; assume that the length is not 0. The proof proceeds by case analysis on the shape of t.
Since qR is a run over ℓ = a ℓ′, it must be of the form qR = q q_i R′ for some 1 ≤ i ≤ k, where q_i R′ is a run over ℓ′. The result follows by applying the induction hypothesis.
- Case t = t_1 t_2 (nondeterministic branch): Suppose that the reduction sequence starts by reducing to t_1; the other case can be proved similarly. Since the last rule used to derive Γ ⊢_A t : q ⇛ s is IT-NonDet, we can apply the induction hypothesis to the reduction t_1 −→*_D t′ generating ℓ, obtaining a suitable s′.
- Case t = if p(t_1, …, t_n) then t_{n+1} else t_{n+2}: Suppose (t_1, …, t_n) ∈ p.
Then the reduction sequence reduces t to t_{n+1}. The last rule used to derive Γ ⊢_A t : q ⇛ s is IT-If. By the well-typedness of the program, for every i ∈ {1, …, n}, t_i consists only of integers and integer operations; thus t_i = s_i for each i ∈ {1, …, n}. By applying the induction hypothesis to t_{n+1}, we obtain Γ′ ⊳ Ξ and s′ as required. The case where (t_1, …, t_n) ∉ p is similar.
By using Weakening (Lemma 38) and by applying the Substitution Lemma (Lemma 39) repeatedly, and since ([Ξ] ∪ Γ) ⊳ Ξ, we can apply the induction hypothesis, obtaining Γ′ ⊳ Ξ and s′ as required.

An infinite analogue of this lemma can be obtained as a corollary.

Corollary 4. Assume
and an infinite reduction sequence generating an infinite event sequence ℓ = ℓ_1 ℓ_2 ⋯. Let q_0 R be an infinite run of A over ℓ. Then there exist {(q_i, R_i, s_i)}_{i∈ω} with the stated properties.

Proof. By using Lemma 40, one can construct, by induction on i > 0, a family with the required properties. Since the length of R_1 R_2 … R_i is equal to that of ℓ_1 ℓ_2 … ℓ_i, the sequence R_1 R_2 … is indeed infinite and thus equal to R. ⊓ ⊔

We show the converse in a slightly stronger form.

Lemma 41. Assume
where t does not contain λ-abstractions and s′ is not of the form s′1 • s′2. Then there exist a run qR over ℓ and a state q′ such that (s, π, q) ℓ,R−→N D′♯ (s′, π′, q′). Furthermore, there exist a term t′ and a type environment Γ′1 such that

Proof. By induction on the length of the reduction sequence. The claim trivially holds if the length is 0; assume that the length is greater than 0.
The proof proceeds by case analysis on the shape of s. By the assumption s ℓ−→*D′♯ s′, it suffices to consider only the cases where the shape of s matches the left-hand side of a transition rule.
-Case s = event a; s0: By the shape of s, the last rule used in the derivation of Γ ∪ Γ′ ⊢A t : q ⇛ s is either IT-Event-Alt or IT-App (IT-Abs is not applicable, since t is assumed to contain no abstraction). By induction on the derivation, one can prove that t = (event a; t0) t1 . . . tk for some k. By the simple-type system, one cannot apply event a; t0 to a term; hence k = 0 (i.e., t = event a; t0) and the last rule used in the derivation is IT-Event-Alt. Then we have:

δ(q, a) = {q1, . . . , qn} (q1 < q2 < · · · < qn)

Recall that s′ is not of the form s′1 • s′2; hence the reduction sequence (s, π) ℓ−→N D′♯ (s′, π′) must be of the form

By the induction hypothesis, there exist a run qiR′ over ℓ′, a term t′, and a type environment satisfying the claim. By construction, q qiR′ is a run over a ℓ′.
-Case s = s1 s2: As in the previous case, the last rule used in the derivation is IT-NonDet. Then we have

Suppose π = Lπ′′; the other case can be proved in a similar way. Then the reduction sequence (s, π) ℓ−→N D′♯ (s′, π′) must be of the form

Hence, by applying the induction hypothesis to Γ1 ∪ Γ2 ⊢A t1 : q ⇛ s1, we obtain the desired result.
-Case s = if p(s1, . . . , sn) then sn+1 else sn+2: As in the previous cases, the last rule used in the derivation is IT-If. Hence we have

Recall that the result type of a function cannot be the integer type in our language. This implies that each ti (1 ≤ i ≤ n) consists only of constants and numerical operations, and thus ti = si for every 1 ≤ i ≤ n. Suppose that (⟦s1⟧, . . . , ⟦sn⟧) = (⟦t1⟧, . . . , ⟦tn⟧) ∈ ⟦p⟧. Then the reduction sequence must be of the form

We obtain the desired result by applying the induction hypothesis to Γ1 ∪ Γ2 ⊢A tn+1 : q ⇛ sn+1; the corresponding reduction sequence is t −→D tn+1 ℓ−→*D t′. The case where (⟦s1⟧, . . . , ⟦sn⟧) ∉ ⟦p⟧ can be proved similarly.
-Case s = g s1 . . . sn with g ∈ dom(D′): By the shape of s, the last rule used in the derivation is IT-App or IT-AppInt. By induction on the derivation, we have t = f t1 . . . tk for some k. Then s = f θ,m s′1 . . . s′k and

Hence y1 . . . yn = dup(x1, ρ1) . . . dup(xk, ρk) and [Ξ] ∪ [x1 : ρ1] ∪ · · · ∪ [xk : ρk] ⊢A tbody : q ⇛ sbody.
By using Weakening (Lemma 38) and the Substitution Lemma (Lemma 39) repeatedly, we have

The reduction sequence (s, π) ℓ−→N D′♯ (s′, π′) must be of the form

By applying the induction hypothesis to the above judgment, we complete the proof; the corresponding reduction sequence is t ℓ−→*D t′, where t′ is the term obtained by the induction hypothesis.
-Case s = g ♯ s 1 . . . s n with g ∈ dom(D ′ ): Similar to the above case.

Corollary 5.
Assume

and an infinite reduction sequence

Suppose that, for every i, si is not of the form si1 • si2. Then there exist {(qi, Ri, ti)}i∈ω such that (s0, π0, q0) −→*D · · ·. Furthermore, q0R1R2 . . . is an infinite run of A over ℓ1ℓ2 . . ..
Proof. By using Lemma 41, one can define a family {(qi, Ri, ti, Γi)}i∈ω that satisfies the required conditions. Since t0 and s0, as well as the bodies of the function definitions in D and D′, do not contain marked symbols, ti and si do not contain marked symbols for any i. Hence (si−1, πi−1, qi−1) ℓi,Ri−→Ni D′ (si, πi, qi) and ti−1 ℓi−→*D ti for every i > 0. Furthermore, q0R1 . . . Ri is a run over ℓ1 . . . ℓi for every i. Hence the infinite sequence q0R1R2 . . . is an infinite run over ℓ1ℓ2 . . ., and {(qi, Ri, ti)}i∈ω satisfies the requirements. ⊓⊔
By an easy induction on the structure of the derivation, we have

and

for some s′′ (which coincides with h θ,m u except for marks). Comparing this reduction sequence with the one given above, we conclude that s′′ = h♯ θ,m u′ and R = R′. Thus

Let P = (D, t) be a program such that K ⊢ P. Here, we assume without loss of generality that t is a function symbol f1. Let Ξmax = { f : (θ, m) | f : κ ∈ K, θ :: κ }, i.e., the largest type environment that refines K. We define the function F on top type environments by:

As in [21], F just filters out invalid type assumptions. To show Theorem 6, it suffices to prove the existence of a fixpoint Ξ of F such that f1 : qI ∈ Ξ (which serves as a witness for Theorem 6).
To this end, we prepare a restriction of Theorem 6 to recursion-free programs:

Lemma 45. Let P = (D, f) be a recursion-free program such that K ⊢ P, and let A be a non-deterministic parity automaton. Then, there exist Ξ, P′, and Ω such that Ξ ⊢A P ⇒ (P′, Ω).
Proof (Sketch). Consider a non-standard reduction relation t −→ns,D t′, in which conditionals, non-deterministic branches, and events are treated just as tree constructors. Thus, the reduction rules consist only of:

where E ranges over the set of evaluation contexts defined by:

Since P is recursion-free and simply typed, there must be a non-standard reduction sequence f −→*ns,D t, where t cannot be reduced further. Since the term t does not contain any function symbol, we have ∅ ⊢A (D, t) ⇒ (P′′, ∅). By the subject expansion property (i.e., the preservation of the transformation relation under the inverse of reductions, whose proof we omit, as it is standard), we have Ξ ⊢A P ⇒ (P′, Ω) for some Ξ such that Ξ :: K, as required. ⊓⊔
The witness type environment Ξ (n) is too large in general. In practice, one can find a smaller witness type environment by using a practical HORS model checking algorithm [7,21,37]: by regarding conditionals, non-determinism, and events as tree constructors, the problem of finding a witness type environment can be viewed as that of finding a witness type environment for HORS model checking.

F An Example of the Translation of Section 7
Here we show derivation trees for the translation in Example 11.

G Proving HFL Z formulas in Coq
Given program verification problems, the reductions presented in Sections 5-7 yield HFL Z model checking problems, which may be thought of as a kind of "verification condition" (like those for Hoare triples). Though we plan to develop automated/semi-automated tools for discharging these verification conditions, we demonstrate here that it is also possible to use an interactive theorem prover to do so.
Here we use the Coq proof assistant, and consider HFL Nat (HFL extended with natural numbers) instead of HFL Z. Let us consider the termination of the following program:

  let sum n k = if n <= 0 then k 0 else sum (n-1) (fun r -> k (n+r)) in
  sum m (fun r -> ())

Here, we assume that m ranges over the set of natural numbers.
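To make the program's behavior concrete, the following is a minimal Python sketch of the same CPS-style function (the name sum_cps and the identity continuation are ours, for illustration only): for any natural number n, each recursive call strictly decreases n, which is the intuition behind termination.

```python
def sum_cps(n, k):
    # Corresponds to:
    #   let sum n k = if n <= 0 then k 0 else sum (n-1) (fun r -> k (n+r))
    if n <= 0:
        return k(0)
    return sum_cps(n - 1, lambda r: k(n + r))

# The program runs "sum m (fun r -> ())", discarding the result; using the
# identity continuation instead makes the accumulated sum observable.
print(sum_cps(4, lambda r: r))  # 4+3+2+1+0 = 10
```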
The translation in Section 5.2 yields the following HFL Nat formula:

  (µsum.λn.λk.(n ≤ 0 ⇒ k 0) ∧ (n > 0 ⇒ sum (n − 1) (λr.k(n + r)))) m (λr.true)

The goal is to prove that, for every m, the formula is satisfied by the trivial model L0 = ({s⋆}, ∅, ∅, s⋆).
In order to avoid the cumbersome issue of representing variable bindings in Coq, we directly represent the semantics of the above formula in Coq. The following definitions correspond to those of D L,τ in Section 2.

Here, sumgen is the semantics of the argument of the µ-operator (i.e., λsum.λn.λk.(n ≤ 0 ⇒ k 0) ∧ (n > 0 ⇒ sum (n − 1) λr.k(n + r))), the first three "forall ..."s assume that sum is the least fixpoint of sumgen, and the last line says that sum m λx.True is equivalent to True for every m.
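To illustrate the role of sumgen concretely, here is a small Python sketch (illustrative only, not the paper's Coq development; the names are ours): since the unfolding of sumgen on natural-number arguments is well-founded, ordinary recursion computes its least fixpoint, and applying it to any m with the continuation λx.True yields True, which is the termination claim.

```python
def sumgen(sum_):
    # λsum.λn.λk.(n ≤ 0 ⇒ k 0) ∧ (n > 0 ⇒ sum (n-1) (λr. k(n+r)))
    # with "⇒" encoded as (not _) or _, and "∧" as `and`.
    def phi(n, k):
        return ((not n <= 0) or k(0)) and \
               ((not n > 0) or sum_(n - 1, lambda r: k(n + r)))
    return phi

def sum_lfp(n, k):
    # On naturals the unfolding terminates, so this plain recursion
    # computes the least fixpoint of sumgen.
    return sumgen(sum_lfp)(n, k)

print(sum_lfp(5, lambda x: True))  # True: "sum 5 k terminates"
```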
Note that, except for the proof part ("..."), the entire script above can be generated automatically based on the development in this paper (like Why3 [11], but without any invariant annotations).
The following is a proof of the above theorem.

More examples can be found at http://www-kb.is.s.u-tokyo.ac.jp/~koba/papers/hfl_in_coq.zip. The Coq proofs for some of those examples are much longer. For each example, however, there are only a few places where human insight is required (like "induction m" above). We therefore expect that the proofs can be significantly shortened by preparing appropriate libraries.

H HORS- vs. HFL-based Approaches to Program Verification
In this section, we provide a more detailed comparison between our new HFL-based approach and the HORS-based approaches [20,21,26,30,34,36,49] to program verification. Some familiarity with the HORS-based approaches may be required to fully understand the comparison.
HORS model checking algorithms [24,35] usually consist of two phases: one for computing a kind of higher-order "procedure summaries" in the form of variable profiles [35] or intersection types [24] (which summarize which states are visited between two function calls), and the other for solving games, which consists of nested least/greatest fixpoint computations. In the case of finite-data programs, the combination of the two phases provides a sound and complete verification algorithm [24,35]. To deal with infinite-data programs, however, the HORS-based approaches [20,21,26,30,34,36,49] had to apply various transformations to map verification problems to HORS model checking problems in a sound but incomplete manner (incompleteness is inevitable because, in the presence of values from infinite data domains, the former is undecidable whereas the latter is decidable), as illustrated on the left-hand side of Figure 9. A problem with this approach is that the second phase of HORS model checking (nested least/greatest fixpoint computations) actually does not help much to solve the original problem: least fixpoint computations are required for proving liveness (such as termination), but the liveness of infinite-data programs usually depends on properties of infinite data domains, such as "there is no infinite decreasing sequence of natural numbers," which are no longer available after the transformations to HORS. For this reason, the previous techniques for proving termination [30] and fair termination [34] used HORS model checking only as a backend of a safety property checker, where only greatest fixpoint computations are performed in the second phase; reasoning about liveness was performed during the transformation to HORS model checking.
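As a toy illustration of the fixpoint computations performed in the second phase, the following Python sketch runs a generic Kleene iteration on a finite lattice (the transition system and all names here are hypothetical, chosen only to show the idea):

```python
def lfp(f, bottom):
    # Least fixpoint of a monotone f on a finite lattice, by Kleene iteration:
    # bottom, f(bottom), f(f(bottom)), ... until the value stabilizes.
    x = bottom
    while (y := f(x)) != x:
        x = y
    return x

# Example: the set of states satisfying  mu X. final \/ <>X
# ("some final state is reachable") in a small transition system.
trans = {0: {1}, 1: {2}, 2: set(), 3: {3}}  # hypothetical transitions
final = {2}
f = lambda X: frozenset(final | {s for s in trans if trans[s] & X})
print(sorted(lfp(f, frozenset())))  # [0, 1, 2]; state 3 only loops forever
```

A greatest fixpoint (for safety properties) is computed dually, by iterating down from the top element of the lattice.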
As shown on the right-hand side of Figure 9, in our new HFL-based approach, we have extended the first phase of HORS model checking (the computation of higher-order procedure summaries) to deal with infinite-data programs, and moved it up front; we then formalized the remaining problems as HFL model checking problems. This can be viewed as the essence of the reduction in Section 7; the reductions in Sections 5 and 6 are those for degenerate cases. Advantages of the new approach include: (i) the necessary information on infinite data is available in the second phase of least/greatest fixpoint computations (cf. the discussion above on the HORS-based approach), and (ii) various verification problems boil down to the issue of how to prove least/greatest fixpoint formulas, so we can reuse and share the techniques developed for different verification problems. The price to pay is that the first phase (especially the proof of its correctness) is technically more involved, because we now need to deal with infinite-data programs instead of HORSs (which are essentially finite-data functional programs). This explains the long proofs in the appendices (especially Appendices D and E).

Fig. 9. Comparison between HORS- and HFL-based approaches. In the HORS-based approaches (shown on the left-hand side), there are actually some feedback loops (due to counterexample-guided abstraction refinement, etc.), which are omitted. The right-hand side shows the approach based on the reduction in Section 7. In the reductions in Sections 5 and 6, the first phase is optimized for degenerate cases.