Closure Induction in a Z-like Language

David A. Duffy (1) and Jürgen Giesl (2)

(1) Department of Computer Science, University of York, Heslington, York, YO10 5DD, UK, dad@cs.york.ac.uk
(2) Computer Science Department, University of New Mexico, Albuquerque, NM 87131, USA, giesl@cs.unm.edu

Abstract. Simply-typed set-theoretic languages such as Z and B are widely used for program and system specifications. The main technique for reasoning about such specifications is induction. However, while partiality is an important concept in these languages, many standard approaches to automating induction proofs rely on the totality of all occurring functions. Reinterpreting the second author's recently proposed induction technique for partial functional programs, we introduce in this paper the new principle of "closure induction" for reasoning about the inductive properties of partial functions in simply-typed set-theoretic languages. In particular, closure induction allows us to prove partial correctness, that is, to prove those instances of conjectures for which designated partial functions are explicitly defined.

1 Motivation

Partial functions are endemic in specifications written in languages such as Z and B. To reason about their inductive properties a method amenable to mechanical support by automated theorem provers is inevitable. In [13], Giesl has shown that, under certain conditions, many of the reasoning processes used to prove inductive properties of total functions (e.g., those in [5,9,19,25,27]) may be transposed to partial functions. The inference rules proposed by Giesl allow us to prove conjectures involving partial functions for all instances of the conjecture for which designated partial functions are explicitly defined.

However, Giesl's technique has been designed for a first-order functional language with an eager (call-by-value) evaluation strategy. In this paper, we examine thoroughly which interpretation of partiality and which restrictions on the allowed theories are required in order to extend Giesl's induction principle from the original functional programming framework to a simply-typed set-theoretic language closely related to Z and B.

We refer to our new principle as "closure induction", since instances of it may be described within our set-theoretic language itself, and these instances may be viewed as "closure axioms" for a function definition, asserting that the function

(*) Proceedings of the International Conference of Z and B Users (ZB 2000), York, UK, Lecture Notes in Computer Science 1878, pages 471-490, Springer-Verlag, 2000.
(**) D. Duffy was supported by the EPSRC under grant no. GR/L31104, J. Giesl was supported by the DFG under grant no. GI 274/4-1.
induction we must make certain assumptions about the semantics of types (i.e., the carrier of a type must include "undefined" values that can be used as the value of a partial function when applied outside of its domain). We describe an appropriate semantics for our language in Section 2.

Our approach to induction is applicable to languages such as Z and B if they too assume our semantics. This semantics is, we claim, not very restrictive; we would argue that it imposes the minimal requirements needed in order to distinguish between defined and undefined expressions. A commonplace interpretation of partial-function application in the Z community [1,24] is that any such application always returns a value in the function's range type; we refer to this as the "classical" semantics. In such a framework we cannot distinguish between defined and undefined function applications. However, there is some debate as to whether this is the appropriate interpretation of function application [17], and our alternative semantics has already gained some interest within the Z community via its earlier presentation in a more general set-theoretic framework [11]. Apparently, no particular semantics is fixed by the standard definition of Z [20,21]. Moreover, our semantics may be simulated within the classical semantics in a straightforward way [11]; this allows us to simulate our approach to induction in the CADiZ system [22], a tool for reasoning about Z specifications, which currently supports the classical semantics.

In Section 3 we formalize our concept of inductive validity in the context of partial functions and in Section 4 we introduce the technique of closure induction in order to perform induction proofs automatically. We then discuss conditions under which closure induction is sound. We formalize these conditions in terms of rewriting, and it may thus come as no surprise that a confluence property forms part of the conditions. In particular, we show that the applicability of closure induction extends beyond the "orthogonal" equational theories considered previously by Giesl [13]. Finally, in Section 5 we present some further rules that are needed in addition to closure induction to verify definedness conditions that arise in most proofs about partial functions.

The closure-induction approach described in this paper has been simulated within the CADiZ system [22]; simulations of the diff and quot examples we describe may be found on the web at ftp://ftp.cs.york.ac.uk/pub/aig/examples.
2 A Typed Language and its Semantics

Elsewhere [11], Duffy has described a quite general set-theoretic language (essentially a subset of Z) and its associated semantics. Since, in the present paper, we are concerned with inductive reasoning in the context of free types and equational theories, we are able to consider a much restricted subset of this higher-order language, which we will refer to as F (signifying "free types").

2.1 The Syntax of Expressions

We refer to all allowed syntactic objects as "expressions". We separate expres-
for simplicity, since we do not allow types as subterms.

  Type ::= TypeName | P Type | Type × Type

Here, TypeName denotes given sets [20] which are introduced in a so-called declaration part of specifications. Intuitively, P is the powerset operator and × denotes cross product.

  Term ::= Const | Var | Tuple | Application

Const is used for function names; as for TypeNames, they are introduced in declaration parts of specifications. Variable names Var are introduced by the quantification of a formula (as in, e.g., $\forall x : N \bullet P$).

  Tuple ::= (Term, ..., Term)

An n-tuple of terms $(t_1, \ldots, t_n)$, where $n \geq 1$, is often abbreviated $t$; the type of $(t_1, \ldots, t_n)$ is $T_1 \times \cdots \times T_n$, where $T_i$ is the type of $t_i$.

  Application ::= Term Term

where the first Term is of type $P(T_1 \times T_2)$ and the second Term has type $T_1$; the type of the application is $T_2$. We often write $f(t)$ instead of "$f\,t$".

  Form ::= Term = Term | Term ∈ Type | Term ∈ Term | ¬Form | Form ∧ Form | Form ∨ Form | Form ⇒ Form | Q Var : Type • Form

where $Q \in \{\forall, \exists, \exists_1\}$ ($\exists_1$ denoting unique existence). We also allow the formula $Q\, x_1 : T_1, \ldots, x_n : T_n \bullet P$ as an abbreviation for $Q\, x_1 : T_1 \bullet \cdots Q\, x_n : T_n \bullet P$, and if $T_1 = \cdots = T_n = T$, we also write $Q\, x_1, \ldots, x_n : T \bullet P$. Moreover, we always demand that all terms and all formulae must be well typed. So for example, for any formula $t_1 = t_2$, both terms $t_1$ and $t_2$ must have the same type.

A specification consists of a declaration and an axiom part, where the declaration part introduces all given sets (i.e., all TypeNames) and constants used, and the axiom part is a set of formulae.
2.2 The Semantics of Expressions

In the "classical semantics" described by Arthan [1], every expression is a member of its type. In our semantics, we include "undefined" expressions that are not members of their type, thus allowing function applications to "return a value" not a member of the function's range type. For this purpose, we distinguish "having type $T$" from "being a member of $T$". We formalize this as follows.

Let $\Sigma$ be a specification involving a type $T$. In an interpretation for $\Sigma$ we assign a set $T^{\pm}$ to $T$, constructed according to the form of $T$:

- If $T$ is a given set, then $T^{\pm}$ is the union of two disjoint sets $T^{+} \cup T^{-}$, where $T^{+}$ is assumed to be non-empty.
- If $T$ is a product $T_1 \times \cdots \times T_n$, then $T^{+} == T_1^{+} \times \cdots \times T_n^{+}$ and $T^{\pm} == T_1^{\pm} \times \cdots \times T_n^{\pm}$.
- If $T == P(T_1)$, then $T^{+} == P(T_1^{+})$ and $T^{\pm} == P(T_1^{\pm})$.

Informally, $T^{+}$ may be interpreted as the defined values of type $T$. The assumption that $T^{+}$ is non-empty ensures that there is at least one possible value for any application, and allows us to avoid treating the special case of an empty type. In the language of our models we use the same symbols $P$, $\times$, etc. as in F, since no confusion should arise. The symbol $==$ is our metalogical equality.

We now define the total function $App$, which will be assigned to function applications. Let $r$ be a subset of $P(T_1 \times T_2)$, and $x$ be an element of $T_1$.

  $App(r, x) ==$ the unique $y$ such that $(x, y) \in r$, if such a $y$ exists;
                some $y$ in $T_2$, otherwise.

$App$ is defined so that it is consistent with the usual Z interpretation of application [20]. Note that $App(r, x) = y \not\Rightarrow (x, y) \in r$.

We are now able to define the meaning of F expressions in an interpretation $I$, under an assignment $a$ to any occurring free variables. In the following, let $T$ denote a type, $P, Q$ denote formulae, $x$ denote a variable, $c$ denote a constant, $s, t, t_i$ denote terms, and $f$ denote a term of type $P(T \times T')$ for some $T, T'$. As the relationship between the symbol $\in$ of F and membership in the models is not straightforward, we use $\varepsilon$ for membership in the model language.

The interpretation of a term of type $T$ is some value of $T^{\pm}$. Only function application is given special treatment; the meaning of other terms is standard.

  $I(c)[a] == c^{I}$, an element of $T^{\pm}$, where $T$ is the type of $c$
  $I(x)[a] == a(x)$, the value assigned to $x$ by the function $a$
  $I((t_1, \ldots, t_n))[a] == (I(t_1)[a], \ldots, I(t_n)[a])$
  $I(f\,t)[a] == App(I(f)[a], I(t)[a])$

For a formula $P$, we always have $I(P)[a] == True$ or $I(P)[a] == False$. The interpretation of equality and the propositional connectives is standard; only membership and quantification are given special treatment.

  $I(s = t)[a] == True$ iff $I(s)[a] == I(t)[a]$
  $I(s \in t)[a] == True$ iff $I(s)[a] \;\varepsilon\; I(t)[a]$
  $I(t \in T)[a] == True$ iff $I(t)[a] \;\varepsilon\; T^{+}$
  $I(\neg P)[a] == True$ iff $I(P)[a] == False$
  $I(P \wedge Q)[a] == True$ iff $I(P)[a] == True$ and $I(Q)[a] == True$
  $I(P \vee Q)[a] == True$ iff $I(P)[a] == True$ or $I(Q)[a] == True$
  $I(P \Rightarrow Q)[a] == False$ iff $I(P)[a] == True$ and $I(Q)[a] == False$
  $I(\forall x : T \bullet P)[a] == True$ iff $I(P)[a_{e/x}] == True$ for all $e \;\varepsilon\; T^{+}$
  $I(\exists x : T \bullet P)[a] == True$ iff $I(P)[a_{e/x}] == True$ for some $e \;\varepsilon\; T^{+}$
  $I(\exists_1 x : T \bullet P)[a] == True$ iff $I(P)[a_{e/x}] == True$ for one unique $e \;\varepsilon\; T^{+}$

(Here $a_{e/x}(x) = e$ and $a_{e/x}(y) = a(y)$ for all $y \neq x$.)

Note, in particular, that, under our semantics, the symbol "$\in$" does not represent true membership, but only membership of the "defined part" of any type. Similarly, the quantifiers only range over the defined parts of the respective types.

Example 1. If $o$ is a constant of a type $nats$, and $f$ is a function from $nats$ to $nats$, then

  $I(f(o) \in nats) == App(f^{I}, o^{I}) \;\varepsilon\; nats^{+}$.  □

We may simulate our semantics in the classical semantics in the following way [11]. Let $\Sigma$ be a specification with exactly the given sets $T_1, \ldots, T_n$. Then the declaration of each $T_i$ is replaced by the declaration of a new given set $T_i^{\pm}$. Subsequently, a declaration for each $T_i$ is added asserting it to be a subset of $T_i^{\pm}$. The rest of $\Sigma$ remains unchanged. Now, under the classical semantics, every expression will return a value of its type $T_i^{\pm}$; the "undefined" expressions are those that do not return a value of the subset $T_i$ of their type.

We may now define models in the usual way.

Definition 1 (Model). An interpretation $I$ is a model of a specification $\Sigma$ if all axioms in $\Sigma$ are satisfied by $I$ under all variable assignments $a$.

For example, let $\Sigma$ be a specification involving the type $nats$, a member $o$ of $nats$, two functions $s$ and $f$ from $nats$ to $nats$, and the axioms

  $\{\forall x : nats \bullet \neg x = s(x),\;\; f(o) = s(f(o))\}$.

Then $f(o)$ is of type $nats$, but the value of $App(f^{I}, o^{I})$ in any model of $\Sigma$ will not be in $nats^{+}$ in order to avoid violating the first axiom. Having defined which interpretations are models of a specification, we can now define consequence.

Definition 2 (Consequence). A formula $P$ is a consequence of a specification $\Sigma$ (or "valid"), denoted $\Sigma \models P$, if every model of $\Sigma$ satisfies $P$ under all variable assignments.

In this paper, we are concerned not so much with the consequences as with the "inductive consequences" of specifications, though these two terms become synonymous if we include the appropriate "induction formulae" within a specification. Our goal is to present an induction principle that allows us to prove such inductive consequences. First, we clarify what we mean by this term in the context of specifications that may involve partial functions.
3 Inductive Reasoning

For our purposes, a free type is a given set whose elements are freely generated by a set of constructors [20]. For example, the elements of a type $nats$, representing the natural numbers, can be generated from the nullary constructor $o$
a specification by the abbreviation

  $nats ::= o \mid s\langle\langle nats \rangle\rangle$.

Such a statement would then be expanded into a declaration and a set of axioms. The declaration introduces the given set $nats$ and the constants $o$ of type $nats$ and $s$ of type $P(nats \times nats)$. The axioms assert that $s$ is a total injection, that $\{o\}$ and the range of $s$ are disjoint, and that any subset of $nats$ that includes $o$ and is closed under $s$ is the whole of $nats$. The latter axiom corresponds to a structural induction principle for $nats$. Sufficient conditions for the consistency of an arbitrary free type are outlined by Spivey [20]; the presentation of $nats$ above satisfies these conditions.

The details of the expansion for any free type may be found in [23]. For illustration, the axioms for $nats$ are (equivalent to) the following formulae:

  1. Membership: $o \in nats$, $s \in P(nats \times nats)$
  2. Total Function: $\forall x : nats \bullet \exists_1 y : nats \bullet (x, y) \in s$
  3. Injectivity: $\forall x, y : nats \bullet s(x) = s(y) \Rightarrow x = y$
  4. Disjointness: $\forall x : nats \bullet \neg o = s(x)$
  5. Induction: $\forall nats' : P\,nats \bullet o \in nats' \wedge (\forall x : nats \bullet x \in nats' \Rightarrow s(x) \in nats') \Rightarrow \forall x : nats \bullet x \in nats'$

Under our semantics, the meaning of the declaration and axioms associated with $nats$ is that, in every model of the specification, $nats^{+}$ must be isomorphic to the constructor ground term algebra generated by the constructors $o$ and $s$. In other words, $nats^{+}$ may contain only objects which occur as interpretations of constructor ground terms and, moreover, different constructor ground terms must be interpreted as different objects. This corresponds to the notion of initial algebras usually applied in inductive theorem proving, cf. e.g. [4,13,15,25-27].

The structural induction principle associated with any free type allows us to prove conjectures that hold for every element of the type. However, typically we wish to prove properties of a partial function on its defined cases only, as illustrated by the following example from [13].

Example 2.

  $nats ::= o \mid s\langle\langle nats \rangle\rangle$
  $diff, quot : nats \times nats \to nats$
  ------------------------------------------------------------
  $\forall x : nats \bullet diff(x, o) = x$
  $\forall x, y : nats \bullet diff(s(x), s(y)) = diff(x, y)$
  $\forall y : nats \bullet quot(o, y) = o$
  $\forall x, y : nats \bullet quot(s(x), y) = s(quot(diff(s(x), y), y))$

We use the usual Z bar notation to separate the declaration part of a specification from the axiom part. For types $T$ and $T'$, we use the expression $f : T \to T'$ to introduce a new constant $f$ in the declaration of a specification and to denote the assumption that $f$ is a "partial function" from $T$ to $T'$. More precisely, the expansion of $f \in T \to T'$ is

  $f \in P(T \times T') \;\wedge\; \forall x : T;\; y, z : T' \bullet (x, y) \in f \wedge (x, z) \in f \Rightarrow y = z$.

Clearly, $diff$ is explicitly defined only for $x \geq y$ and $quot(x, y)$ is explicitly defined only if $y$ is a divisor of $x$. Note that in the "classical" semantics there is no model of the $quot$ specification respecting the semantics of free types, because $quot(s(o), o)$ must be equal to $s(quot(s(o), o))$. However, our semantics solves this problem, because the interpretation of $quot(s(o), o)$ is now a member of the carrier set $nats^{\pm} \setminus nats^{+}$.  □

Note that we have not explicitly specified the domains of the functions $diff$ and $quot$ in the above example. Our approach to partiality thus differs from the more conventional one in which the equations defining a function are usually conditional on predicates that ensure that the function is assigned explicit values only for arguments within its domain. In this conventional approach, the value of a function application is always a member of its type, this value simply being left unspecified for arguments outside of the function's domain. This approach thus models underspecified rather than partial functions. In contrast, our approach allows a function application to be undefined for arguments outside of the function's domain. This makes our approach significantly more expressive, allowing a more general class of consistent specifications, and providing several other advantages for specification and reasoning.

In particular, there are many important and practically relevant algorithms with undecidable domains. Typical examples are interpreters for programming languages and sound and complete calculi for first-order logic. For these algorithms, there do not exist any (recursive) predicates describing their domains. The conventional approach for modelling partial functions cannot handle such "real" partial functions. In our framework, on the other hand, such algorithms can be expressed without difficulty, and, moreover, the proof technique described in this paper supports their verification [12,13]. More generally, our framework has the advantage that specifications can be formulated much more easily, since one does not have to determine the domains of functions. Consequently, our approach is well-suited to the early "loose" stages of specification when the function domains may be still unknown. Finally, our representation allows proofs which do not have to deal with definedness conditions, which makes (automated) reasoning much more efficient, cf. [18].

For those cases where $diff$ and $quot$ are (explicitly) defined it can be shown that the following conjectures follow from the above specification (if the specification is extended by appropriate definitions for $+$ and $\times$):

  $\forall x, y : nats \bullet diff(x, y) + y = x$   (1)
  $\forall x, y : nats \bullet quot(x, y) \times y = x$   (2)

The problem in trying to prove these conjectures is that the equations for $diff$ and $quot$ provide us with only sufficient conditions for these functions to
overcome this problem by adding suitable "closure axioms". Whenever there is a model of the specification where a function application is undefined, these closure axioms eliminate all models where this function application would be defined. Examples of such closure axioms are the following:

  $\forall x, y : nats \bullet diff(x, y) \in nats \Rightarrow y = o \vee \exists u, v : nats \bullet x = s(u) \wedge y = s(v)$
  $\forall x, y : nats \bullet quot(x, y) \in nats \Rightarrow (x = o \vee \exists u : nats \bullet x = s(u) \wedge quot(diff(s(u), y), y) \in nats \wedge diff(s(u), y) \in nats)$.

These closure axioms, the equations for $diff$ and $quot$, and the free type axioms imply for $m, n \in nats$ that $diff(m, n)$ is not in $nats$ if $m$ is "smaller" than $n$, and that $quot(m, n)$ is not in $nats$ if $m$ is not "divisible" by $n$. Most importantly, now the axioms imply our original conjectures in the forms

  $\forall x, y : nats \bullet diff(x, y) \in nats \Rightarrow diff(x, y) + y = x$   (3)
  $\forall x, y : nats \bullet quot(x, y) \in nats \Rightarrow quot(x, y) \times y = x$.   (4)

We refer to specifications that consist only of free types, function declarations, and equations as equational. For such specifications, the desired properties of closure axioms are given by the following definition.
Definition 3 (Closure Axioms). A set of closure axioms for an equational specification $\Sigma$ is a set of formulae $C$ consistent with $\Sigma$ such that

  $\Sigma \not\models f(q_1, \ldots, q_n) \in T$ implies $\Sigma \cup C \models \neg(f(q_1, \ldots, q_n) \in T)$,

for each n-ary function $f$ (whose application has type $T$) and each n-tuple of appropriately-typed constructor ground terms $(q_1, \ldots, q_n)$. The addition of a set of closure axioms to a specification is referred to as the closure of the specification. In those cases where we assume that a specification includes all the relevant closure axioms, we will say that the specification is a closed system.

For $diff$ and $quot$, their above closure axioms may be derived automatically from their equations, but this is not so straightforward in general. For example, consider a function $f : nats \to nats$ "defined" by only the equation

  $\forall x : nats \bullet f(x) = f(x)$.

Since this equation tells us nothing about the values returned by $f$, we infer that $f$ is undefined for all $m$ in $nats$, and the corresponding closure axiom must support this inference. An appropriate closure axiom is thus

  $\forall x : nats \bullet \neg f(x) \in nats$.

However, it is not obvious how we may derive this closure axiom automatically from the given equation. Giesl et al. [6,7,14] have developed techniques for termination analysis of partial functions, which would easily find out the domains of
this is an undecidable problem. In fact, we will only use the (non-constructive) closure axioms to define our notion of partial validity. To prove partial validity in practice, we will introduce the proof technique of closure induction, which allows us to verify properties of partial functions without knowing their domains and without having to compute closure axioms explicitly.

Definition 4 (Partial Validity). For an equational specification $\Sigma$ we say that a conjecture $P$ is partially valid if $\Sigma \cup C \models P$ holds for any set of closure axioms $C$.

In practice, the verification of partial validity of a conjecture is accomplished in two separate steps. The first is a proof of the $f(x)$-validity of a conjecture, which means that the conjecture is valid for all those instantiations of $x$ where $f(x)$ is defined. These proofs are supported by the principle of closure induction.

Definition 5 ($f(x)$-Validity). Let $\Sigma$ be a specification involving the free types $T_1, \ldots, T_n, T$ and the function $f : T_1 \times \cdots \times T_n \to T$. Let $x_1, \ldots, x_n$ be variables of types $T_1, \ldots, T_n$, respectively, and let $P$ be a quantifier-free formula.(1) We say that the conjecture $\forall x_1 : T_1, \ldots, x_n : T_n \bullet P$ is $f(x)$-valid, where $x$ represents $x_1, \ldots, x_n$, if(2) $\Sigma \models P(q_1, \ldots, q_n)$ holds for every sequence $q_1, \ldots, q_n$ of constructor ground terms such that $\Sigma \models f(q_1, \ldots, q_n) \in T$.

The conjectures (1)-(4) are respectively $diff(x, y)$-valid and $quot(x, y)$-valid. For a closed system, $P$ is $f(x)$-valid iff

  $\Sigma \models \forall x_1 : T_1, \ldots, x_n : T_n \bullet (f(x) \in T \Rightarrow P)$.

It is clear that this notion of $f(x)$-validity does not make any sense for the classical semantics of "$\in$": $f(q_1, \ldots, q_n) \in T$ holds automatically in that case, and thus $f(x)$-validity collapses to general (inductive) validity.

The second step in proving partial validity of a conjecture $P$ is a proof of

  $\Sigma \models \forall x_1 : T_1, \ldots, x_n : T_n \bullet \neg f(x) \in T \Rightarrow P$.   (5)

If (5) can be verified, then $f(x)$-validity of $P$ implies that $P$ is a consequence of each closure of $\Sigma$, and thus partially valid. To see this, let $I$ be an interpretation that is a model of $\Sigma \cup C$ and let $q_1, \ldots, q_n$ be arbitrary constructor ground terms. We have to show that $I$ is a model of $P(q_1, \ldots, q_n)$. If $\Sigma \models f(q_1, \ldots, q_n) \in T$, then the claim follows from $f(x)$-validity of $P$. Otherwise, $\Sigma \not\models f(q_1, \ldots, q_n) \in T$ and hence, $\Sigma \cup C \models \neg(f(q_1, \ldots, q_n) \in T)$. As $I$ is a model of $\Sigma \cup C$, $I$ satisfies $\neg(f(q_1, \ldots, q_n) \in T)$ and by (5) we have that $I$ is a model of $P(q_1, \ldots, q_n)$.

We refer to Requirement (5) as the permissibility condition [13]. Note that if $\Sigma$ is not a closed system, then proving (5) is, of course, not the same as proving for all constructor ground terms $q_1, \ldots, q_n$

  $\Sigma \not\models f(q_1, \ldots, q_n) \in T$ implies $\Sigma \models P(q_1, \ldots, q_n)$.   (6)

would constitute a proof of the inductive validity of $P$ (instead of just partial validity). Proving the permissibility condition becomes trivial if suitable hypotheses are included in the conjecture, as in the conjectures (3) and (4) and the conjecture of the following example.

Example 3. Suppose we have the free type $A ::= a \mid b$, the function $f : A \to A$, and the single axiom $f(a) = a$. To prove that

  $\forall x : A \bullet f(x) \in A \Rightarrow f(x) = x$   (7)

is partially valid we first prove its $f(x)$-validity. Since $f$ is (explicitly) defined only for $a$, we have to show $f(a) \in A \Rightarrow f(a) = a$, which is clearly valid by the given axiom. We now prove the permissibility condition

  $\forall x : A \bullet \neg f(x) \in A \Rightarrow (f(x) \in A \Rightarrow f(x) = x)$,

which is also clearly valid. This completes the proof of (7)'s partial validity.  □

Note that our logic is non-monotonic w.r.t. extensions of the specification. For example, $f(b) \in A \Rightarrow f(b) = b$ is an instance of (7) and hence, it is partially valid. But adding $f(b) = a$ subsequently to our specification would make $f(b) \in A \Rightarrow f(b) = b$ and (7) false. (But note also that the non-monotonicity of our logic has the advantage that we never need any consistency checks, which are required in monotonic frameworks for partiality and which are difficult to automate for non-terminating functions.) We discuss this problem further in the next section.

(1) It does not matter if the $x_i$ do not occur in $P$, or if other variables do occur in $P$.
(2) We denote by $P(q_1, \ldots, q_n)$ the formula $P$ with each variable $x_i$ replaced by $q_i$.
4 Closure Induction

In principle, for $f(x)$-validity we have to consider infinitely many instantiations. To perform such proofs (automatically), we introduce the principle of closure induction. We restrict ourselves to equational specifications whose equations $E$ are universally quantified over the (defined parts) of the respective types; we will frequently omit their quantifiers in the rest of this discussion.

Definition 6 (Equations Defining Functions). A subset $E'$ of $E$ defines the function $f$ if $E'$ consists of all equations from $E$ of the form $f(t_1, \ldots, t_n) = r$.

Definition 7 (Closure Induction). Suppose that $f : T_1 \times \cdots \times T_n \to T$ (for free types $T_1, \ldots, T_n$ and $T$) is a declared function symbol defined by a set of equations of the form

  $f(t_{11}, \ldots, t_{1n}) = r_1, \;\ldots,\; f(t_{m1}, \ldots, t_{mn}) = r_m$

such that each $r_i$ has a (possibly empty) set of subterms of the form $\{f(s_{i1}), \ldots, f(s_{ik_i})\}$. Let $P$ be a quantifier-free formula, let $\Phi_i$ be the (possibly empty) conjunction of the formulae $P(s_{ij})$ for $j = 1 \ldots k_i$, and let $\forall F$ denote the universal
"from the $f(x)$-validity of

  $\forall(\Phi_1 \Rightarrow P(t_{11}, \ldots, t_{1n})) \wedge \cdots \wedge \forall(\Phi_m \Rightarrow P(t_{m1}, \ldots, t_{mn}))$

infer the $f(x)$-validity of $\forall x_1 : T_1, \ldots, x_n : T_n \bullet P$."

Note that closure induction directly corresponds to the techniques commonly used in inductive theorem proving (such as cover set induction or recursion analysis), cf. e.g. [5,9,19,25,27]. However, the important differences are that our induction principle also works for non-terminating partial functions (like the induction principle of [13]) and that it can be used in the framework of a simply-typed set-theoretic language (unlike the induction principle of [13]).

As closure induction proves only $f(x)$-validity (and it can also be applied if $f$ is partial), to verify that $P$ is partially valid w.r.t. the specification, we must also prove the permissibility condition (5). If we consider a specific function, say $quot$, we may express the induction principle and the associated permissibility condition in the language F itself:

  $\forall p : P(nats \times nats) \bullet (\forall y : nats \bullet (o, y) \in p$
  $\quad \wedge\; \forall x, y : nats \bullet ((diff(s(x), y), y) \in p \Rightarrow (s(x), y) \in p)$
  $\quad \wedge\; \forall x, y : nats \bullet (\neg quot(x, y) \in nats \Rightarrow (x, y) \in p))$
  $\quad \Rightarrow (\forall m : nats \times nats \bullet m \in p)$.

Thus, we show that a conjecture $p$ holds if $quot$ is explicitly defined, and that $p$ also holds when $quot$ is not defined. Since we have expressed the principle as an F formula, we may add it as an axiom to the specification.

This possibility of stating the induction rule on the object level is due to the expressiveness of our set-theoretic language (this was not possible in the first-order language of [13]). Not only does this demonstrate that closure induction may be simulated within F, thus allowing a quite straightforward simulation of closure induction in CADiZ, without the need to implement the inference rule (at least for initial experimental purposes), but it also provides a partial solution to the problem of non-monotonicity. The problem is that while a new axiom may be consistent with the initially given axioms, it may not be consistent with some proven conjectures. Representing closure induction as an additional axiom eliminates this possibility, and makes more transparent to the specifier what properties are being assigned to each function.

We now describe sufficient conditions under which closure induction is sound. Firstly, the arguments to each function definition must be "constructor terms", and, secondly, if $f(q_1, \ldots, q_n)$ is equal to a type element $q$, then it must be "reducible" to $q$. For the formal expression of these conditions, we reinterpret a set of F equations as a set of rewrite rules. The next three definitions restate the required notions from the theory of term rewriting. For a detailed introduction to term rewriting see e.g. [2,10].

Definition 8 (Cbv-Rewriting). A rewrite rule has the form $l \to r$, where $l$ is a non-variable term, $r$ is a term, and every variable in $r$ also occurs in $l$.
evaluation strategy. For a set of rules $R$, let $\Rightarrow_R$ be the smallest relation such that $s \Rightarrow_R t$ holds if there is a rule $l \to r$ in $R$ such that some subterm $s'$ of $s$ is an instance $l\sigma$ of $l$, for each variable $x$ in $l$ there is some constructor ground term $q$ such that $x\sigma \Rightarrow^{*}_R q$, and $t$ is $s$ with (some occurrence of) $s'$ replaced by $r\sigma$. In this case, we say that the term $s$ cbv-rewrites in one step to a term $t$ via a set of rules $R$. A term $s$ cbv-rewrites (or "cbv-reduces") in zero or more steps to $t$ if $s \Rightarrow^{*}_R t$, the notation $\Rightarrow^{*}_R$ denoting the reflexive and transitive closure of $\Rightarrow_R$.

Definition 9 (Constructor System). Let $E$ be the equations defining a set of functions $F$. Provided that orienting $E$ from left to right yields rewrite rules, we call these rules the rewrite system corresponding to $E$. A set of rules $R$ is a constructor system if the proper subterms of the left-hand sides of $R$-rules are built from free-type function symbols (that is, "constructors") and variables only.

Now we introduce a localized confluence (and termination) property depending on $E$.

Definition 10 (Type Convergence). Suppose that a specification $\Sigma$ consists of a set of free types, a set of function declarations $F$, and a set of equations $E$ defining the functions in $F$. If $R$ is the set of rewrite rules corresponding to $E$, then we say that $R$ is type convergent for the function $f : T_1 \times \cdots \times T_n \to T$ if, whenever $\Sigma \models f(q_1, \ldots, q_n) = q$ for any constructor ground terms $q_1, \ldots, q_n, q$, then we have $f(q_1, \ldots, q_n) \Rightarrow^{*}_R q$; if this holds for all functions in $F$, then we say that $R$ is type convergent.
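To make Definitions 7 to 10 concrete, the following is an added example (our own code, not part of the paper or of CADiZ): it encodes terms as nested tuples, performs cbv-rewriting with the $diff$/$quot$ rules of Example 2, checks the constructor-system property, and generates the closure-induction cases together with their induction hypotheses; it also runs the rewrite systems of Examples 4 and 5 to show that $f(s(o))$ does not cbv-reduce to a constructor ground term within a step bound and that Example 5 fails Definition 9. The term encoding, the step bound ("fuel") and all identifiers are our assumptions.

```python
"""Cbv-rewriting (Def. 8), the constructor-system check (Def. 9) and the case
generation of closure induction (Def. 7) for the diff/quot equations of
Example 2.  Added example code: the term encoding and the step bound ("fuel")
are our own assumptions, not part of the paper."""

# Term encoding: a variable is a str; an application f(a1, ..., an) is the
# tuple ('f', a1, ..., an); the nullary constructor o is the tuple ('o',).
CONSTRUCTORS = {'o', 's'}
O = ('o',)

def is_var(t):
    return isinstance(t, str)

def s(t):
    return ('s', t)

def num(n):
    """Constructor ground term s^n(o) for the natural number n."""
    t = O
    for _ in range(n):
        t = s(t)
    return t

def to_int(t):
    """Inverse of num; None if t is not a constructor ground term of nats."""
    n = 0
    while t != O:
        if is_var(t) or t[0] != 's':
            return None
        t, n = t[1], n + 1
    return n

def is_constructor_term(t):
    """True if t is built from constructors and variables only."""
    return is_var(t) or (t[0] in CONSTRUCTORS
                         and all(is_constructor_term(a) for a in t[1:]))

def is_constructor_system(rules):
    """Def. 9: every proper subterm of a left-hand side is a constructor term."""
    return all(is_constructor_term(a) for lhs, _ in rules for a in lhs[1:])

def match(pat, term, sub):
    """Syntactic matching: extend sub so that pat[sub] == term, else None."""
    if is_var(pat):
        if pat in sub:
            return sub if sub[pat] == term else None
        sub[pat] = term
        return sub
    if is_var(term) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        if match(p, t, sub) is None:
            return None
    return sub

def subst(t, sub):
    if is_var(t):
        return sub.get(t, t)
    return (t[0],) + tuple(subst(a, sub) for a in t[1:])

def cbv_normalize(t, rules, fuel):
    """Cbv-reduce t (Def. 8) to a constructor ground term, or return None.
    Arguments are reduced first, so every variable of the matched rule is
    bound to a constructor ground term, as Def. 8 requires.  None means that
    no rule applies (e.g. diff(o, s(o)) is not explicitly defined) or that
    the step bound ran out (e.g. quot(s(o), o), whose only derivation is
    infinite); running out of fuel is a bound, not a proof of divergence."""
    if is_var(t):
        return None
    args = [cbv_normalize(a, rules, fuel) for a in t[1:]]
    if any(a is None for a in args):
        return None
    t = (t[0],) + tuple(args)
    if t[0] in CONSTRUCTORS:
        return t
    for lhs, rhs in rules:
        sub = match(lhs, t, {})
        if sub is not None:
            if fuel <= 0:
                return None
            return cbv_normalize(subst(rhs, sub), rules, fuel - 1)
    return None

def recursive_calls(t, f):
    """Argument tuples s_ij of all subterms f(s_ij) of t (Def. 7)."""
    if is_var(t):
        return []
    calls = [t[1:]] if t[0] == f else []
    for a in t[1:]:
        calls += recursive_calls(a, f)
    return calls

def closure_induction_cases(f, rules):
    """Def. 7: one case per defining equation f(t_i) = r_i, paired with the
    argument tuples s_ij whose instances P(s_ij) form the hypotheses Phi_i."""
    return [(lhs[1:], recursive_calls(rhs, f)) for lhs, rhs in rules if lhs[0] == f]

# The equations of Example 2, oriented left to right (Def. 9).
DIFF_QUOT = [
    (('diff', 'x', O), 'x'),
    (('diff', s('x'), s('y')), ('diff', 'x', 'y')),
    (('quot', O, 'y'), O),
    (('quot', s('x'), 'y'), s(('quot', ('diff', s('x'), 'y'), 'y'))),
]
# Example 4: a constructor system that is not type convergent for f.
EXAMPLE4 = [(('f', O), O), (('f', 'x'), ('f', s('x')))]
# Example 5: type convergent, but the rule g(f(x)) -> o breaks Def. 9.
EXAMPLE5 = [(('f', 'x'), ('g', ('f', 'x'))), (('g', ('f', 'x')), O), (('g', 'x'), 'x')]

if __name__ == '__main__':
    print(to_int(cbv_normalize(('quot', num(6), num(3)), DIFF_QUOT, 50)))  # 2
    print(cbv_normalize(('f', s(O)), EXAMPLE4, 50))  # None: no constructor term reached
    print(closure_induction_cases('quot', DIFF_QUOT))
```

The $quot$ cases printed last are exactly the two hypotheses of the object-level induction formula given above: the base case $(o, y)$ with no hypothesis, and the step case $(s(x), y)$ with the hypothesis at $(diff(s(x), y), y)$.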
Finally, we are able to present our main result.

Theorem 1 (Soundness of Closure Induction). Let $R$ and $f$ be as above. Then closure induction proves $f(x)$-validity if $R$ is a constructor system that is type convergent for $f$.

A proof may be found in the Appendix. Informally, the argument is as follows. If $R$ is a type convergent constructor system for $f$, then, for each application $f(q)$ that is equal to a constructor ground term, we can find a rule $l \to r$ such that $l$ matches $f(q)$ and the corresponding instances of any applications of $f$ in $r$ are smaller than $f(q)$ with respect to some particular well-founded ordering. Consequently, in the application of closure induction to a formula $P$, we generate all the cases for which $f$ is defined, and, for each such case, we assume instances of $P$ that are smaller according to this well-founded ordering. Thus, if the hypotheses of closure induction are $f(x)$-valid, then so is the conclusion.

That closure induction is unsound when the associated rewrite system is not type convergent is illustrated by the following.

Example 4. Let $E$ be

  $\{f(o) = o,\;\; \forall x : nats \bullet f(x) = f(s(x))\}$.

$E$. However, by closure induction we are also able to prove the clearly false conjecture $\forall x : nats \bullet f(x) \leq x$ (for the usual definition of $\leq$), giving us $\forall x : nats \bullet o \leq x$. The proof proceeds as follows. The "base case" is $f(o) \leq o$, which is obviously valid. In the "step case" we prove

  $\forall x : nats \bullet f(s(x)) \leq s(x) \Rightarrow f(x) \leq x$.

This may be reduced to

  $\forall x : nats \bullet f(x) \leq s(x) \Rightarrow f(x) \leq x$

by the second defining equation of $f$. But this is clearly valid by the usual properties of $\leq$ (since $\forall x : nats \bullet f(x) = o$ and thus, $\forall x : nats \bullet f(x) \in nats$). We are left to prove the permissibility condition, which in this case is

  $\forall x : nats \bullet \neg f(x) \in nats \Rightarrow f(x) \leq x$.

But we know that $\forall x : nats \bullet f(x) = o$ holds, which is inconsistent with the hypothesis of this permissibility condition; thus, the condition holds trivially, and the conjecture is "proven".  □

The problem in this example is that, for each $n > 0$, $f(s^{n}(o))$ is equal to a constructor ground term, but not reducible to one via the rewrite system corresponding to the given axioms; this rewrite system is thus not type convergent. For the sound application of closure induction, whenever $f(q)$ is defined, the attempted proof that the conjecture holds for $q$ must rely on induction hypotheses that are smaller w.r.t. a well-founded relation; for a constructor system, type convergence ensures that this condition is satisfied.

That type convergence alone is insufficient for the soundness of closure induction is illustrated by the next example. Thus, one really needs both conditions, i.e., being a constructor system and type convergence.

Example 5. Let $E$ be

  $\{\forall x : nats \bullet f(x) = g(f(x)),\;\; \forall x : nats \bullet g(f(x)) = o,\;\; \forall x : nats \bullet g(x) = x\}$.

Obviously, the rewrite system $R$ corresponding to $E$ is type convergent, but it is not a constructor system. By closure induction, we can prove the false conjecture

  $\forall x : nats \bullet f(x) \in nats \Rightarrow f(x) = s(o)$.

The induction formula is trivial (the induction hypothesis is equal to the induction conclusion) and the permissibility conjecture is also a tautology.  □

The problem in this example is that while $f(q)$ reduces to $o$ for each constructor ground term $q$, the only possible such reduction in the given system is via an "expansion" step. Consequently, we again cannot construct a well-founded ordering that justifies the assumed induction hypothesis in the proposed proof, and we are not saved by a separate induction case for which the induction hypothesis can be so justified.

Finally, we give an example of the successful application of closure induction.
validity of

  $\forall x, y : nats \bullet diff(x, y) \in nats \Rightarrow diff(x, y) + y = x$.   (3)

The rules represent a constructor system that is type convergent; we may thus apply closure induction. This involves proving

  $\forall x : nats \bullet diff(x, o) \in nats \Rightarrow diff(x, o) + o = x$,

which reduces to the reflexivity axiom $\forall x : nats \bullet x = x$, and proving

  $\forall x, y : nats \bullet P(x, y) \Rightarrow P(s(x), s(y))$,

where $P(r, t)$ denotes $diff(r, t) \in nats \Rightarrow diff(r, t) + t = r$. The proof of this second subgoal is also straightforward. To prove the partial validity of the original conjecture (3), we also need to prove the permissibility conjecture

  $\forall x, y : nats \bullet \neg diff(x, y) \in nats \Rightarrow (diff(x, y) \in nats \Rightarrow diff(x, y) + y = x)$,

but this is a tautology.

If we were to add the axiom $\forall x, y : nats \bullet diff(x, y) = diff(x, y)$ to our specification, then the associated rewrite system would still be a type convergent constructor system, and thus closure induction would still be applicable. Now an extra case would be included in which we assume the conjecture holds for $(x, y)$ in the proof that it holds for $(x, y)$; this clearly does not correspond to a well-founded ordering, but the $diff(x, y)$-validity of the conjecture will have been proven already by the other cases in the application of the closure induction.

Thus, compared to the induction principle of [13], the present principle of closure induction has the advantage that it can also deal with overlapping equations. (Another advantage over that previous principle is that the requirement of type convergence is localized to the function under consideration, i.e., the rules need not be type convergent for other functions.)  □

This example illustrates the fact that closure induction does not involve the construction of merely a "cover set" of cases in the sense of Bronsard et al. [8]. Instead it constructs all cases suggested by a function definition. Utilizing only sufficient rules to cover all cases would, in fact, be unsound. For example, using just the rule $diff(x, y) \to diff(x, y)$ to generate the induction cases would allow us to prove any conjecture, as $(x, y)$ covers all possible pairs of type elements.
5 Denedness Rules
In general, losure indution is not alwayssuÆient to provef(x)-validity. In
ourexample,to provethequot(x;y)-validityof
8x;y:natsquot(x;y)2nats)quot(x;y)y=x (4)
ations.Forthis,Giesl[13℄ hasproposed denednessrulesforfuntions;in the
presentontextthese taketheform
fromf(t)2T infert
1 2T
1
and ::: andt
n 2T
n
foranytupleof termstandeahn-ary funtionsymbol.
The ondition that a set of rules is both a onstrutor system and type
onvergentis not suÆientto ensurethat the abovedenedness rules may be
applied soundly.Forexample,onsiderthetypeonvergentonstrutorsystem
ff(o)!o; f(o)!f(g(o))g;
where o 2nats is given and f and g are partial funtions from nats to nats.
Theformulaf(g(o))2nats followsfrom thissystem,butg(o)2natsdoesnot.
Toharaterizealassofrewritesystemswherethedenednessrulesaresound,
weproposeastrengtheningofthenotionoftypeonvergene.
Definition 11 (Complete Type Convergence). Let $\Sigma$ be a specification which consists of a set of free types, a set of function declarations $F$, and a set of equations $E$ defining the functions in $F$. If $R$ is the set of rewrite rules corresponding to $E$, then we say that $R$ is completely type convergent iff $\Sigma \vDash t = q$ implies $t \Rightarrow_R q$ for all ground terms $t$ and all constructor ground terms $q$.
For example, the specification of $diff$ and $quot$ is completely type convergent. Note that here the semantics of the universal quantifier $\forall$ is crucial. Since it quantifies over only the objects of $nats^{+}$, the specification does not imply equations like $quot(o, quot(s(o), o)) = o$.
The definedness rules are justified for completely type convergent constructor systems; the argument is as follows. Let $C$ be a set of closure axioms for $\Sigma$, let $\bar{x}$ be the variables in $\bar{t}$ (of type $\bar{T}_{\bar{x}}$), let $\bar{q}$ be a constructor ground term tuple, and let $[\bar{q}/\bar{x}]$ denote the substitution of $\bar{x}$ by $\bar{q}$. If $\Sigma \vDash f(\bar{t})[\bar{q}/\bar{x}] \in T$, then we have $\Sigma \vDash f(\bar{t})[\bar{q}/\bar{x}] = q$ for some constructor ground term $q$ and thus, $f(\bar{t})[\bar{q}/\bar{x}] \Rightarrow_R q$ due to the complete type convergence of $R$. Consequently, the terms $t_1[\bar{q}/\bar{x}], \ldots, t_n[\bar{q}/\bar{x}]$ also bv-rewrite to constructor ground terms (see Lemma 1 in the Appendix). It follows that $\Sigma \vDash t_i[\bar{q}/\bar{x}] \in T_i$ for each $i$, and thus
$\Sigma \cup C \vDash f(\bar{t})[\bar{q}/\bar{x}] \in T \Rightarrow t_1[\bar{q}/\bar{x}] \in T_1 \wedge \ldots \wedge t_n[\bar{q}/\bar{x}] \in T_n$ (8)
holds. If, on the other hand, $\Sigma \nvDash f(\bar{t})[\bar{q}/\bar{x}] \in T$, then (8) holds again, since $\Sigma \cup C \vDash \neg f(\bar{t})[\bar{q}/\bar{x}] \in T$ by the definition of closure axioms. As (8) holds for all constructor ground term tuples $\bar{q}$, we finally obtain the desired result
$\Sigma \cup C \vDash \forall \bar{x} : \bar{T}_{\bar{x}} \bullet f(\bar{t}) \in T \Rightarrow t_1 \in T_1 \wedge \ldots \wedge t_n \in T_n$.
We may "simulate" these definedness rules too in $F$, in the following way. For every defining equation $f(\bar{t}) = r$ we add to our specification the implication
$\forall \bar{x} : \bar{T}_{\bar{x}} \bullet f(\bar{t}) \in T \Rightarrow r' \in T'$
for every subterm $r'$ of $r$ (of type $T'$).
$\forall x, y : nats \bullet quot(s(x), y) \in nats \Rightarrow quot(diff(s(x), y), y) \in nats$
$\forall x, y : nats \bullet quot(s(x), y) \in nats \Rightarrow diff(s(x), y) \in nats$.
Now, using these definedness formulae, we can indeed prove the conjecture (4) by closure induction. For instance, the first implication above is used in the following way. The proof of $quot(x,y)$-validity of (4) involves the proof of
$\ldots \Rightarrow (quot(s(x), y) \in nats \Rightarrow quot(s(x), y) \ast y = s(x))$.
By the definition of $quot$, this may be reduced to
$\ldots \Rightarrow (quot(s(x), y) \in nats \Rightarrow s(quot(diff(s(x), y), y)) \ast y = s(x))$.
We now wish to apply the definition of "$\ast$" to the left-hand side of the equality; but for this to be possible, the property $quot(diff(s(x), y), y) \in nats$ must hold. Fortunately, since we have the hypothesis $quot(s(x), y) \in nats$, the desired property does hold by the definedness formulae for $quot$. □
Of course, we need a method to ensure (complete) type convergence automatically. Let $R$ be the set of rewrite rules corresponding to the equations $E$, where $R$ is a constructor system. Moreover, let
$R' = \{ l\sigma \to r\sigma \mid l \to r \in R,\ \sigma \text{ replaces all variables of } l \text{ by constructor ground terms} \}$.
Then confluence of $R'$ implies complete type convergence of $R$. The reason is that
$\Sigma \vDash t = q$
iff $E' \vDash t = q$, where $E' = \{ s_1\sigma = s_2\sigma \mid \forall \bar{x} \bullet s_1 = s_2 \in E,\ \sigma \text{ replaces } \bar{x} \text{ by constructor ground terms} \}$
iff $t \leftrightarrow^{*}_{R'} q$ by Birkhoff's theorem [3]
iff $t \Rightarrow_{R'} q$ due to $R'$'s confluence and as $R'$ is a constructor system.
Finally, $t \Rightarrow_{R'} q$ of course implies $t \Rightarrow_R q$.
A sufficient condition for confluence of $R'$ is the requirement that the rules in $R$ (i.e., the defining equations $E$ of the specification) should be non-overlapping. In other words, for two different equations $s_1 = t_1$ and $s_2 = t_2$, the terms $s_1$ and $s_2$ must not unify. For example, the equations for $diff$ and $quot$ are non-overlapping. This sufficient criterion can easily be checked automatically. The reason for this requirement being sufficient for $R'$'s confluence is that $\Rightarrow_{R'}$ is equal to the innermost rewrite relation $\Rightarrow^{i}_{R'}$ for ground constructor systems $R'$, and having non-overlapping rules implies confluence of innermost reductions [16]. So compared to [13], the requirement of orthogonality is not needed due to the definition of bv-rewriting.
6 Conclusion
We have introduced a new "closure induction" principle in order to reason about specifications in a simply-typed Z-like set-theoretic language that includes partial functions. For this purpose, we adapted Giesl's induction principle for partial
grams with an eager evaluation strategy, in the present paper we adapted it to equational specifications of our set-theoretic language, and exhibited sufficient conditions in order to render this induction principle correct.
In this process, we relaxed some of the assumptions Giesl made about his programs, showing that a sufficient condition for the soundness of our principle is that the rewrite system corresponding to the equations is a constructor system that is type convergent for the function under consideration. In order to employ the frequently necessary further rules for reasoning about definedness, we also have to demand complete type convergence. A sufficient syntactic criterion for complete type convergence (and thus type convergence) is that the rewrite rules corresponding to the equational definitions of a specification are a non-overlapping constructor system.
Note that the use of a much more powerful language than Giesl's partial functional programs enables us to express the induction principle within the language itself. This allows for an easy implementation of our principle and solves the non-monotonicity problem w.r.t. extensions of specifications.
For future work, we intend to find criteria for allowing non-equations in specifications, and we aim at relaxing the restriction to constructor systems. Moreover, while we do not impose the constraint that our equations are left-linear as in [13], at the moment we still have to restrict ourselves to non-overlapping equations to ensure complete type convergence; weaker criteria are needed to increase the applicability of our approach to a wider class of specifications. We plan also to consider extensions to cover conditional equations and to develop more specific techniques for nested or mutually recursive definitions.
A Proof of the Soundness Theorem for Closure Induction
Lemma 1. Let $R$ be a constructor system. For all ground terms $t$ and all constructor ground terms $q$, if $t \Rightarrow_R q$ then each subterm of $t$ can also be bv-reduced to a constructor ground term.
Proof. Suppose $t \Rightarrow_R q$. We proceed by induction on the structure of $t$. If $t$ is a constant then the lemma is obvious. Otherwise, $t$ has the form $f(\bar{t})$. If $f$ is a constructor, then the lemma directly follows from the induction hypothesis. Otherwise, the reduction of $t$ is as follows:
$f(\bar{t}) \Rightarrow f(\bar{s}) \Rightarrow r\sigma \Rightarrow q$,
where $t_i \Rightarrow s_i$ for all $i$ and $f(\bar{s}) = l\sigma$ for a rule $l \to r$. Here, $l$ has the form $f(\bar{u})$. By the definition of bv-rewriting, $x\sigma$ reduces to a constructor ground term for all variables $x$ in $\bar{u}$. As $R$ is a constructor system, all $u_i$ are constructor terms and hence, each $u_i\sigma$ also reduces to a constructor ground term. Thus, as $t_i \Rightarrow s_i = u_i\sigma$, each $t_i$ reduces to a constructor ground term. For proper subterms of the $t_i$, reducibility to a constructor ground term follows from the induction hypothesis. □
rewriting). For example, via the constructor system $f(x) \to o$ the term $f(g(o))$ rewrites to $o$, though $g(o)$ is irreducible. But when using bv-rewriting, $g(o)$ must be reducible to a constructor ground term in order to reduce $f(g(o))$ to $o$.
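The difference between ordinary and bv-rewriting just described, and the partiality of $quot$ and $diff$ from Section 5, as an added example that is not part of the paper: a small Python rewriter that reduces ground terms to constructor ground terms. The exact defining equations of $diff$ and $quot$ are assumed here (the page shows only the recursive case of $quot$); the term encoding and all names are this example's own.

```python
# Added example, not code from the paper: a miniature bv-rewriter for ground terms over
# a constructor system. Variables are strings, applications are (symbol, args) tuples.
CONSTRUCTORS = {"o", "s"}
O = ("o", ())

def nat(n):  # the numeral s^n(o)
    return O if n == 0 else ("s", (nat(n - 1),))

def is_ctor_ground(t):
    return not isinstance(t, str) and t[0] in CONSTRUCTORS and all(map(is_ctor_ground, t[1]))

def match(p, t, sub):  # one-way matching of pattern p against ground term t
    if isinstance(p, str):
        return sub if sub.setdefault(p, t) == t else None
    if p[0] != t[0] or len(p[1]) != len(t[1]):
        return None
    for x, y in zip(p[1], t[1]):
        sub = match(x, y, sub)
        if sub is None:
            return None
    return sub

def apply(t, sub):  # instantiate the variables of t
    return sub[t] if isinstance(t, str) else (t[0], tuple(apply(a, sub) for a in t[1]))

def normal_form(t, rules, bv=True):
    # Constructor ground term reachable from ground term t, or None if there is none.
    # bv=True: a rule fires only if every variable binding is itself reducible to a
    # constructor ground term (bv-rewriting); bv=False: ordinary innermost rewriting.
    f, args = t
    reduced = [normal_form(a, rules, bv) for a in args]
    args = tuple(a if r is None else r for a, r in zip(args, reduced))
    if f in CONSTRUCTORS:
        return (f, args) if all(r is not None for r in reduced) else None
    for l, r in rules:
        sub = match(l, (f, args), {})
        if sub is None or (bv and not all(map(is_ctor_ground, sub.values()))):
            continue
        return normal_form(apply(r, sub), rules, bv)
    return None

# Defining equations of diff and quot as rewrite rules. Their exact form is assumed
# here (constructed); the page only shows quot's recursive case explicitly.
S = lambda t: ("s", (t,))
DIFF_QUOT = [
    (("diff", ("x", O)), "x"),
    (("diff", (S("x"), S("y"))), ("diff", ("x", "y"))),
    (("quot", (O, "y")), O),
    (("quot", (S("x"), "y")), S(("quot", (("diff", (S("x"), "y")), "y")))),
]
FX = [(("f", ("x",)), O)]    # the system {f(x) -> o} from the remark above
FGO = ("f", (("g", (O,)),))  # the term f(g(o)); g has no rule, so g(o) is irreducible
```

Under ordinary rewriting `normal_form(FGO, FX, bv=False)` yields `o`, under bv-rewriting it yields `None`; likewise `quot(s^7(o), s^3(o))` has no constructor normal form because `diff` is undefined on the way.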
Definition 12 (Full Reduction in n Steps). Let $R$ be a set of rewrite rules and let $s, t$ be terms. We say that $s$ bv-reduces to $t$ in $n$ steps via $R$, denoted $s \Rightarrow_{R,n} t$, if there is a rule $l \to r$ in $R$ such that $t$ is $s$ with the subterm $l\sigma$ replaced by $r\sigma$ and if, for each variable $x_i$ ($1 \leq i \leq j$) occurring in $l$, $x_i\sigma$ "fully reduces" to some constructor ground term $q_i$ in $k_i$ steps via $R$, and if $k_1 + \cdots + k_j = n$. We say that $s$ fully reduces to $t$ in $n$ steps via $R$, denoted $s \Rightarrow^{n}_{R} t$, if there is some $t'$ such that $s \Rightarrow_{R,i} t' \Rightarrow^{j}_{R} t$, and $i + j + 1 = n$.
Thus, "full reduction" counts all the rule applications involved in the rewriting.
Lemma 2. Let $R$ be a constructor system involving the function $f : T_1 \times \cdots \times T_n \to T$. We define the relation $>_f$ over $n$-tuples of ground terms as follows: $\bar{s} >_f \bar{t}$ iff there exists a constructor ground term $q$ such that $f(\bar{s}) \Rightarrow^{i}_{R} C[f(\bar{t})] \Rightarrow^{j}_{R} q$ (where $C$ denotes some context), $i > 0$, and there is no $k < i + j$ and no constructor ground term $p$ such that $f(\bar{s}) \Rightarrow^{k}_{R} p$. Then $>_f$ is wellfounded.
Proof. Suppose $\bar{s}_1 >_f \bar{s}_2 >_f \bar{s}_3 >_f \cdots$; then
$f(\bar{s}_1) \Rightarrow^{i_1}_{R} C_1[f(\bar{s}_2)],\ f(\bar{s}_2) \Rightarrow^{i_2}_{R} C_2[f(\bar{s}_3)],\ \ldots,$
and $C_1[f(\bar{s}_2)], C_2[f(\bar{s}_3)], \ldots$ all reduce to constructor ground terms. Since $f(\bar{s}_1)$ fully reduces to a constructor ground term in a minimum of $i_1 + j_1$ steps, the minimum number of steps for the full reduction of $C_1[f(\bar{s}_2)]$ is $j_1$. But in that case $f(\bar{s}_2)$ fully reduces to some constructor ground term $p$ in at most $j_1$ steps, by Lemma 1. Thus, we have
$i_1 + j_1 > j_1 \geq i_2 + j_2 > j_2 \geq i_3 + j_3 > j_3 \geq \cdots$
But this is impossible. □
As a simple counterexample for the well-foundedness of the same relation without the minimality condition (i.e., without the requirement that $f(\bar{s}) \Rightarrow^{k}_{R} p$ does not hold for $k < i + j$), consider $R = \{ f(o) \to o,\ f(o) \to f(o) \}$. This set is a constructor system and $f(o) \Rightarrow^{1}_{R} f(o) \Rightarrow^{1}_{R} o$, but $>_f$ would not be wellfounded, as we would have $o >_f o$.
Theorem 1 (Soundness of Closure Induction). Let $\Sigma$ be a specification with free types and a set of (universally quantified) equations and let $R$ be the corresponding rewrite system. Then closure induction proves $f(\bar{x})$-validity in $\Sigma$ if $R$ is a constructor system that is type convergent for $f$.
Proof. We wish to show that if the hypotheses of closure induction are $f(\bar{x})$-valid then so is the conclusion. Note that due to Lemma 1, a conjecture $P$ is
constructor ground) terms $\bar{s}$ such that $\Sigma \vDash f(\bar{s}) \in T$. If $R$ is type convergent, then $\Sigma \vDash f(\bar{s}) \in T$ is equivalent to the existence of a constructor ground term $q$ with $f(\bar{s}) \Rightarrow_R q$.
Now suppose that the conclusion is false, that is, there is a term $f(s_1, \ldots, s_n)$, where $f(s_1, \ldots, s_n) \Rightarrow_R q$ for some ground constructor term $q$, such that the formula $P(s_1, \ldots, s_n)$ is false, and that $(s_1, \ldots, s_n)$ is minimal with respect to $>_f$ among such $n$-tuples. Without loss of generality, let $f(s_1, \ldots, s_n) \Rightarrow_R q$ be the minimal reduction of $f(s_1, \ldots, s_n)$ to a constructor ground term.
Since $f$ is not a constructor, the reduction $f(s_1, \ldots, s_n) \Rightarrow_R q$ must involve the application of a rule $l \to r \in R$ such that $f(s'_1, \ldots, s'_n)$ is an instance $l\sigma$ of $l$, where $s_i \Rightarrow_R s'_i$ for each $s_i$. Consequently, for any subterm $f(t_1, \ldots, t_n)$ of $r\sigma$, we have that
$(s_1, \ldots, s_n) >_f (t_1, \ldots, t_n)$.
But if all the $P(t_1, \ldots, t_n)$ were valid, then so would be $P(s'_1, \ldots, s'_n)$, by the hypotheses of closure induction, and hence $P(s_1, \ldots, s_n)$ would be valid as well, since $s_i \Rightarrow_R s'_i$. Thus, if $l \to r$ is a non-recursive rule, then we directly obtain a contradiction. Otherwise, one of the $P(t_1, \ldots, t_n)$ must also be false, which contradicts the $>_f$-minimality of $(s_1, \ldots, s_n)$. □
Acknowledgement. We would like to thank the anonymous referees for many helpful comments.
References
1. R.D. Arthan. Undefinedness in Z: Issues for specification and proof. In CADE-13 Workshop on Mechanisation of Partial Functions. New Brunswick, New Jersey, USA, 1996.
2. F. Baader and T. Nipkow. Term rewriting and all that. Cambridge University Press, 1998.
3. G. Birkhoff. On the structure of abstract algebras. Proc. Cambridge Philos. Soc., 31:433–454, 1934.
4. A. Bouhoula and M. Rusinowitch. Implicit induction in conditional theories. Journal of Automated Reasoning, 14:189–235, 1995.
5. R.S. Boyer and J S. Moore. A Computational Logic. Academic Press, 1979.
6. J. Brauburger and J. Giesl. Termination analysis by inductive evaluation. In Proc. CADE-15, LNAI 1421, pages 254–269. Springer, 1998.
7. J. Brauburger and J. Giesl. Approximating the domains of functional and imperative programs. Science of Computer Programming, 35:113–136, 1999.
8. F. Bronsard, U.S. Reddy, and R.W. Hasker. Induction using term orders. Journal of Automated Reasoning, 16:3–37, 1996.
9. A. Bundy, A. Stevens, F. van Harmelen, A. Ireland, and A. Smaill. Rippling: A heuristic for guiding inductive proofs. Artificial Intelligence, 62:185–253, 1993.
10. N. Dershowitz and J.-P. Jouannaud. Rewrite systems. In Handbook of Theoretical Computer Science, volume B, pages 243–320. North-Holland, 1990.
11. Workshop, Ilkley, UK, 1998. Springer. http://www.ewic.org.uk/ewic/.
12. J. Giesl. The critical pair lemma: A case study for induction proofs with partial functions. Technical Report IBN 98/49, TU Darmstadt, 1998. http://www.inferenzsysteme.informatik.tu-darmstadt.de/reports/notes/ibn-98-49.ps.
13. J. Giesl. Induction proofs with partial functions. Journal of Automated Reasoning, 2000. To appear. Preliminary version appeared as Technical Report IBN 98/48, TU Darmstadt, Germany. Available from http://www.inferenzsysteme.informatik.tu-darmstadt.de/giesl/ibn-98-48.ps.
14. J. Giesl, C. Walther, and J. Brauburger. Termination analysis for functional programs. In W. Bibel and P. Schmitt, editors, Automated Deduction – A Basis for Applications, Vol. III, Applied Logic Series 10, pages 135–164. Kluwer, 1998.
15. J.A. Goguen, J.W. Thatcher, and E.G. Wagner. An initial algebra approach to the specification, correctness, and implementation of abstract data types. In R.T. Yeh, editor, Current Trends in Programming Methodology, volume 4. Prentice-Hall, 1978.
16. B. Gramlich. Abstract relations between restricted termination and confluence properties of rewrite systems. Fundamenta Informaticae, 34:3–23, 1995.
17. C. B. Jones. Partial functions and logics: A warning. Information Processing Letters, 54:65–67, 1995.
18. D. Kapur. Constructors can be partial, too. In R. Veroff, editor, Automated Reasoning and its Applications – Essays in Honor of Larry Wos, pages 177–210. MIT Press, 1997.
19. D. Kapur and M. Subramaniam. New uses of linear arithmetic in automated theorem proving by induction. Journal of Automated Reasoning, 16:39–78, 1996.
20. J.M. Spivey. The Z Notation: A Reference Manual, Second Edition. Prentice Hall, 1992.
21. I. Toyn. Z standard (draft). Available from the Department of Computer Science, University of York at http://www.cs.york.ac.uk/~ian/zstan, 1999.
22. I. Toyn. CADiZ. Available from the Department of Computer Science, University of York at the web address http://www.cs.york.ac.uk/~ian/cadiz/home.html, 2000.
23. I. Toyn, S.H. Valentine, and D.A. Duffy. On mutually recursive free types in Z. In Proceedings International Conference of Z and B Users, ZB2000, LNCS. Springer, 2000. To appear.
24. S. Valentine. Inconsistency and undefinedness in Z – a practical guide. In Proceedings 11th International Conference of Z Users, ZUM'98, LNCS 1493, pages 233–249. Springer, 1998.
25. C. Walther. Mathematical induction. In D.M. Gabbay, C.J. Hogger, and J.A. Robinson, editors, Handbook of Logic in Artificial Intelligence and Logic Programming, volume 2. Oxford University Press, 1994.
26. C.-P. Wirth and B. Gramlich. On notions of inductive validity for first-order equational clauses. In Proc. CADE-12, LNAI 814. Springer, 1994.
27. H. Zhang, D. Kapur, and M. S. Krishnamoorthy. A mechanizable principle of induction for equational specifications. In Proc. CADE-9, LNAI 310, pages 162–181. Springer, 1988.