A Coinductive Approach to Proving Reachability Properties in Logically Constrained Term Rewriting Systems
Abstract
We introduce a sound and complete coinductive proof system for reachability properties in transition systems generated by logically constrained term rewriting rules over an ordersorted signature modulo builtins. A key feature of the calculus is a circularity proof rule, which allows to obtain finite representations of the infinite coinductive proofs.
1 Introduction
We propose a framework for specifying and proving reachability
properties of systems whose behaviour is modelled using transition
systems described by logically constrained term rewriting systems
(LCTRSs). By reachability properties we mean that a set of target
states are reached in all terminating system computations starting
from a given set of initial states. We assume transition systems are
generated by constrained term rewriting rules of the form
where and are terms and is a logical constraint. The terms may contain both uninterpreted function symbols and function symbols interpreted in a builtin model, e.g., the model of booleans and integers. The constraint is a firstorder formula that limits the application of the rule and which may contain predicate symbols interpreted in the builtin model. The intuitive meaning of a constrained rule is that any instance of that satisfies transitions in one step into a corresponding instance of .
Example 1
The following set of constrained rewrite rules specifies a procedure
for compositeness:
If is not composite, the computation of the procedure is infinite.
Given a LCTRS, which serves as a specification for a transition system, it is natural to define the notion of constrained term , where is an ordinary term (with variables) and is a logical constraint. The intuitive meaning of such a term is the set of ground instances of that satisfy .
Example 2
The constrained term defines exactly the instances of where is composite.
A reachability formula is a pair of constrained terms The intuitive meaning of a reachability formula is that any instance of reaches, along all terminating paths of the transition system, an instance of that agrees with on the set of shared variables.
Example 3
The reachability formula
captures a functional specification for the algorithm described in Example 1: each terminating computation starting from a state in which is composite reaches the state comp. Computations that start with a negative number (composite or not) are infinite and therefore vacuously covered by the specification above.
We propose an effective proof system that, given a LCTRS, proves valid reachability formulas such as the one above, assuming an oracle that solves logical constraints. In practice, we use an SMT solver instead of the oracle.
Contributions
{enumerate*}As computations can be finite or infinite, an inductive approach for reachability is not practically possible. In Section 2, we propose a coinductive approach for specifying transition systems, which is an elegant way to look at reachability, but also essential in handling both finite and infinite executions. We formalize the semantics of LCTRSs as a reduction relation over a particular model that combines ordersorted terms with builtin elements such as integers, booleans, arrays, etc. The new approach, introduced in Section 3, is simpler than the usual semantics for constrained term rewriting systems [18, 20, 19, 13], but it also lifts several technical restrictions that are important for our case studies. We introduce a sound and complete coinductive proof system for deriving valid reachability formulas for transition systems specified by a LCTRS. We present our proof system in two steps: in the first step, we provide a threerule proof system (Figure 1) for symbolic execution of constrained terms. When interpreting the proof system coinductively, its proof trees can be finite or infinite. The finite proof trees correspond to reachability formulas where there is a bounded number of symbolic steps between and . The infinite proof trees correspond to proofs of reachability formulas that hold for an unbounded number of symbolic steps between and (obtained, e.g., by unrolling loops). Symbolic execution has similarities to narrowing, but unlike narrowing, where each step computes a possible successor, symbolic execution must consider all successors of a state at the same time. The infinite proof trees above cannot be obtained in finite time in practice. In order to derive reachability formulas that require an unbounded number of symbolic steps in finite time, we introduce a fourth proof rule to the system that we call circularity. The circularity proof rule can be used to compress infinite proof trees into finite proof trees. The intuition is to use as axioms the goals that are to be proven, when they satisfy a guardedness condition. This compression of infinite coinductive trees into finite proof trees via the guardedness condition nicely complements our coinductive approach. This separation between symbolic execution and circularity answers an open question in [21]. We introduce the RMT tool, an implementation of the proof system that validates our approach on a number of examples. RMT uses an SMT solver to discharge logical constraints. The tool is expressive enough for specifying various transition systems, including operational semantics of programming languages, and proving reachability properties of practical interest and is intended to be the starting point of a library for rewriting modulo builtins, which could have more applications.
Related Work
A number of approaches [1, 2, 13, 25, 30] to combining rewriting and SMT solving have appeared lately. The rewrite tool Maude [11] has been extended with SMT solving in [25] in order to enable the analysis of open systems. A method for proving invariants based on an encoding into reachability properties is presented in [30]. Both approaches above are restricted to topmost rewrite theories. While almost any theory can be written as a topmost theory [22], the encoding can significantly increase the number of transitions, which raises performance concerns. Our definition for constrained term is a generalization of that of constructor constrained pattern used in [30]. In particular [30] does not allow for quantifiers in constraints, but quantifiers are critical to obtaining a complete proof system, as witnessed by their use in the subsumption rule in our proof system ([subs], Figure 1). The approach without quantifiers is therefore not sufficient to prove reachabilities in a general setting.
A calculus for reachability properties in a formalism similar to LCTRSs is given in [1]. However, the notion of reachability in [1] is different from ours: while we show reachability along all terminating paths of the computation, [1] solves reachability properties of the form (i.e. does there exists an instance of that reaches, along some path, an instance of ).
Work on constrained term rewriting systems appeared in [20, 19, 18, 13]. In contrast to this approach to constrained rewriting, our semantics is simpler (it does not require two reduction relations), it does not have restrictions on the terms in a rule and the constraint is an arbitrary firstorder formula , possibly with quantifiers, which are crucial to obtain symbolic execution in its full generality. Constrained terms are generalized to guarded terms in [2], in order to reduce the state space.
Reachability in rewriting is explored in depth in [12]. The work by Kirchner and others [17] is the first to propose the use of rewriting with symbolic constraints for deduction. Subsequent work [25, 20, 13] extends and unifies previous approaches to rewriting with constraints. The related work section in [25] includes a comprehensive account of literature related to rewriting modulo constraints.
Our previous work [9, 21] on proving program correctness was in the context of the K framework [27]. K, developed by Roşu and others, implements semanticsbased program verifiers [10] for any language that can be specified by a rewritingbased operational semantics, such as C [15], Java [4] and JavaScript [23]. Our formalism is not more expressive than that of reachability logic [9] for proving partial correctness of programs in a languageindependent manner, but it does have several advantages. Firstly, we make a clear separation between rewrite rules (used to define transition systems), for which it makes no sense to have constraints on both the lhs and the rhs, and reachability formulas (used to specify reachability properties), for which there can be constraints on both the lhs and the rhs. We provide clear semantics of both syntactic constructs above, which makes it unnecessary to check welldefinedness of the underlying rewrite system, as required in [9]. Additionally, this separation, which we see as a contribution, makes it easy to get rid of the topmost restriction in previous approaches. Another advantage is that the proposed proof system is very easy to automate, while being sufficiently expressive to specify realworld applications. Additionally, we work in the more general setting of LCTRSs, not just language semantics, which enlarges the possible set of applications of the technique. We also have several major technical improvements compared to [21], where the proof system is restricted to the cases where unification can be reduced to matching and topmost rewriting. The totality property required for languages specifications, which was quite restrictive, was replaced by a local property in proof rules and all restrictions needed to reduce unification to matching were removed.
In contrast to the work on partial correctness in [10], the approach on reachability discussed here is meant for any LCTRS, not just operational semantics. The algorithm in [10] contains a small source of incompleteness, as when proving a reachability property it is either discharged completely through implication or through circularities/rewrite rules. We allow a reachability rule to be discharged partially by subsumption and partially by other means. Constrained terms are a fragment of Matching Logic (see [26]), where no distinction is made between terms and constraints. Coinduction and circular or cyclic proofs have been proposed in other contexts. For example, circular proof systems have been proposed for firstorder logic with inductive predicates in [6] and for separation logic in [5]. In the context of interactive theorem provers, circular coinduction has been proposed as an incremental proof method for bisimulation in process calculi (see [24]). A compositional and incremental approach to coinduction that uses a semantic guardedness check instead of a syntactic check is given in [16].
Paper Structure
We present coinductive definitions for execution paths and reachability predicates in Section 2. In Section 3, we introduce logically constrained term rewriting with builtins in an ordersorted setting. In Section 4, we propose a sound and complete coinductive calculus for reachability and a circularity rule for compressing infinite proof trees into finite proof trees. Section 6 discusses the implementation before concluding. The proofs and a discussion of coinduction and ordersorted algebras can be found in the Appendix.
2 Reachability Properties: Coinductive Definition
In this section we introduce a class of reachability properties, defined coinductively. A state predicate is a subset of states. A reachability property is a pair of state predicates. Such a reachability property is demonically valid iff each execution path starting from a state in eventually reaches a state in , or if it is infinite. Since the set of finite and infinite executions is coinductively defined, the set of valid predicates can be defined coinductively as well. Formally, consider a transition system , with . We write for . An element is irreducible if for any .
Definition 1 (Execution Path)
The set of (complete)
execution paths is coinductively defined by the following rules:
where the function is defined by and .
The above definition includes both the finite execution paths ending in a irreducible state and the infinite execution paths, defined as the greatest fixed point of the associated functional (see Appendix A.2).
Definition 2 (State and Reachability Predicates)
A state predicate is a subset . A reachability predicate is a pair of state predicates . The predicate is runnable if and for all there is s.t. .
A derivative measures the sensitivity to change of a quantity. For the case of transition systems, the change of states is determined by the transition relation.
Definition 3 (Derivative of a State Predicate)
The derivative of a state predicate is the state predicate .
As a reachability predicate specifies reachability property of execution paths, we define when a particular execution path satisfies a reachability predicate.
Definition 4 (Satisfaction of a Reachability Predicate)
An
execution path satisfies a reachability predicate
, written , iff
,
where EPSRP consists of the following rules:
The notation stands for the functional of EPSRP and stands for its greatest fixed point (see Appendix A.2). We coinductively define the set of demonically valid reachability predicates over . This allows to use coinductive proof techniques to prove validity of reachability predicates.
Definition 5 (Valid Reachability Predicates, Coinductively)
We say that is
demonically valid, and we write
iff
, where DVP consists
of the following rules:
The condition runnable in the second rule is essential to avoid the cases where execution is stuck. These blocking states have no successor in and, in the absense of the condition, we would wrongly conclude that they satisfy . The terminating executions are captured by .
The following proposition justifies our definition of demonically valid reachability predicates. {restatable}propositiondemonicvalidsoundness Let be a reachability predicate. We have iff any execution path starting from () satisfies .
3 Logically Constrained Term Rewriting Systems
In this section we introduce our formalism for LCTRSs. We interpret LCTRSs in a model combining ordersorted terms with builtins such as integers, booleans, etc. Logical constraints are firstorder formulas interpreted over the fixed model.
We assume a builtin model for a manysorted builtin signature , where is a set of builtin sorts that includes at least the sort and is the sorted set of builtin function symbols. We assume that the set interpreting the sort in the model is . We use the standard notation for the interpretation of the sort/symbol in the model . The set , defined as the set of (manysorted) firstorder formulas with equality over the signature , is the set of builtin constraint formulas. Functions returning play the role of predicates and terms of sort are atomic formulas. We will assume that the builtin constraint formulas can be decided by an oracle (implemented as an SMT solver).
A signature modulo builtins is an ordersorted signature that includes as a subsignature and such that the only builtin constants in are elements of the builtin model () – therefore the signature might be infinite. By we denoted the set of function symbols of arity and result sort . is called the builtin subsignature of and the constructor subsignature of . We let be an sorted set of variables.
We extend the builtin model to an model defined as follows: , for each ( is the set of ground constructor terms of sort , i.e. terms built from constructors applied to builtin elements); for each builtin function symbol ; is the term constructor , for each nonbuiltin function symbol . By fixing the interpretation of the nonbuiltin function symbols, we can reduce constraint formulas to builtin constraint formulas by relying on an unification algorithm described in detail in [7]. We also make the standard assumption that for any .
Example 4
Let , where and include the usual operators over eans () and over the egers (). The builtin model interprets the above sorts and operations as expected.
We consider the signature modulo builtins , where the set of sorts consists of the builtin sorts and an additional sort , where the subsorting relation is empty, and where the set of function symbols includes, in addition to the builtin symbols in , the following function symbols: . We have that .
The set of constraint formulas is the set of firstorder formulas with equality over the signature . The subset of the builtin constraint formulas is denoted by . Let denote the set of variables freely occurring in . We write when the formula is satisfied by the model with a valuation .
Example 5
The constraint formula is satisfied by the model defined in Example 4 and any valuation such that is a composite number.
Definition 6 (Constrained Terms)
A constrained term of sort is a pair , where and .
Example 6
Continuing the previous example, the following is a constrained term:
We consistently use for constrained terms and for constraint formulas.
Definition 7 (Valuation Semantics of Constraints)
The valuation semantics of a constraint is the set .
Example 7
Continuing the previous example, we have that
Definition 8 (State Predicate Semantics of Constrained Terms)
The state predicate semantics of a constrained term
is the set
Example 8
Continuing the previous example, we have that
We now introduce our formalism for logically constrained term rewriting systems. Syntactically, a rewrite rule consists of two terms (the left hand side and respectively the right hand side), together with a constraint formula. As the two terms could share some variables, these shared variables should be instantiated consistently in the semantics:
Definition 9 (Lctrs)
A logically constrained rewrite rule is a tuple , often written as , where are terms in having the same sort, and . A logically constrained term rewriting system is a set of logically constrained rewrite rules. defines an ordersorted transition relation on as follows: iff there exist a rule in , a context , and a valuation such that , and .
Example 9
We recall the LCTRS given in the introduction:
A LCTRS defines a sortindexed transition system . As each constrained term defines a state predicate , it is natural to specify reachability predicates as pairs of constrained terms sharing a subset of variables. The shared variables must be instantiated in the same way by the execution paths connecting states specified by the two constrained terms.
Definition 10 (Reachability Properties of LCTRSs)
A reachability formula is a pair
of constrained terms, which may share variables. We say that a LCTRS
demonically satisfies ,
written
iff for each .
Since the carriers sets of consist of ground terms, is both a substitution and a valuation in the definition above. Its role is critical: to ensure that the shared variables of and are instantiated by the same values.
Example 10
Continuing the previous example, we have that the reachability
formula
is demonically satisfied by the constrained rule system defined
in Example 9:
We have checked the above reachability formula against mechanically, using an implementation of the approach described in this paper.
4 Proving Reachability Properties of LCTRSs
We introduce two proof systems for proving reachability properties in transition systems specified by LCTRSs. The first proof system formalizes symbolic execution in a LCTRS, in the following sense: a reachability formula can be proven if either the lefthand side can be derived infinitely many times (and therefore all execution paths starting with are infinite), or if some derivative is an instance of the righthand side , i.e. all the execution paths starting with reach a state that is an instance of . Note that this intuition holds when the proof system is interpreted coinductively, where infinite proof trees are allowed. Unfortunately, these infinite proof trees have a limited practical use because they cannot be obtained in finite time.
In order to solve this limitation, we introduce a second proof system, which contains an additional inference rule, called circularity. The circularity rule allows to use the reachability formula to be proved as an axiom. This allows to fold infinite proof trees into finite proof trees, which can be obtained in finite time. Adding the reachability formulas that are to be proved as axioms seems at first to be unsound, but it corresponds to a natural intuition: when reaching a proof obligation that we have handled before, there is no need to prove it again, because the previous reasoning can be reused (possibly leading to an infinite proof branch). However, the circularity rule must be used in a guarded fashion in order to preserve soundness. We introduce a simple criterion to select the sound proof trees.
4.1 Derivatives of Constrained Terms
Our proof system relies on the notion of derivative at the syntactic level:
Definition 11 (Derivatives of Constrained Terms)
The set of derivatives of a constrained term w.r.t. a rule is
(1) 
where the variables in are renamed such that and are disjoint. If is a set of rules, then A constrained term is derivable if .
Example 11
Continuing the previous examples, we have that
In the above case, includes only the derivative computed w.r.t. the first rule in , because the constraints of the ones computed w.r.t. the other rules are unsatisfiable. Intuitively, the derivatives of a constrained term denote all its possible successor configurations in the transition system generated by .
The symbolic derivatives and the concrete ones are related as expected: {restatable}theoremdeltacommutes Let be a constrained term, a constrained rule system, and the transition system defined by . Then .
Our proof systems allows to replace any reachability formula by an
equivalent one. Two reachability formulas,
and ,
are equivalent, written
,
if, for all LCTRSs ,
iff
We write iff for each , we have . The next result, used in our proof system, shows that inclusion of the state predicate semantics of two constrained terms can be expressed as a constraint formula, when the shared variables are instantiated consistently. {restatable}propositionsemanticinclusion The inclusion holds if and only if , where .
4.2 Proof System for Symbolic Execution
The first proof system, , derives sequents of the form . The proof system consists of three proof rules presented in Figure 1 and an implicit structural rule that allows to replace reachability formulas by equivalent reachability formulas. The instances of this implicit structural rule are not included in the proof trees. We explain the three rules in the proof system.
The [axiom] rule discharges goals where the left hand
side of the goal does not match any state. As our structural rule
identifies equivalent reachability formulas, this rule can be applied
to any lefthand side where the constraint is unsatisfiable
(equivalent to ). This rule discharges reachability formulas
where there are no execution paths starting from the lefthand side,
and therefore no need to continue the proof process.
The [subs] rule discharges the cases where the
lefthand side is an instance of the righthand side. The constraint
is true exactly when
the lefthand side is an instance of the righthand side, which is
ensured by Proposition 11. The proof of the current goal continues
only for the cases where the negation of this constraint holds (i.e., the cases where the lefthand
side is not included in the righthand side).
The [der] rule allows to take a symbolic
step in the lefthand side of the current goal. It computes all
derivatives of the lefthand side; the proof process must continue
with each such derivative. Let
be the logical constraint
that occurs in the condition of [der]. The formula
is valid iff there is at least one rule of that can be
applied to any instance of , meaning that is
total for . Summarising, the condition of
[der] says that must have at
least one successor and furthermore that any instance
has a successor.
The following result shows that is sound and complete.
theoremdstepsound
Let be a LCTRS. For any reachability formula
, we have
iff .
Example 12
Consider the LCTRS defined in
Example 9. The proof tree for the
reachability formula
where
denotes the fact that is composite and
, is infinite:
{prooftree}\AxiomC
\RightLabel[axiom]
\UnaryInfC
\RightLabel[subs]
\UnaryInfC
\AxiomC
\RightLabel[axiom]
\UnaryInfC
\RightLabel[subs]
\UnaryInfC
\AxiomC⋮
\RightLabel[]
\BinaryInfC
\RightLabel[]
\BinaryInfC
\RightLabel[]
\UnaryInfC
The right branch of the
above proof tree is infinite, and:
Note that in the presentation of the tree above, we used the structural rule to replace reachability formulas by equivalent reachability formulas as follows:
where
. The ticks appear in the
formulas above because, to compute derivatives, we used
the following fresh instance of :
4.3 Extending the Proof System with a Circularity Rule
As we said at the beginning of the section, the use of DSTEP is limited because of the infinite proof trees. The next inference rule is intended to use the initial goals as axioms to fold infinite DSTEPproof trees into sound finite proof trees.
Definition 12 (Demonic circular coinduction)
Let be a finite set reachability formulas. Then the set of rules DCC consists of , together with
where is a rule in whose variables have been renamed with fresh names.
The idea is that should be chosen conveniently so that DCC proves itself. We call such goals (that are used to prove themselves) circularities. The intuition behind the rule is that the formula defined in the rule holds when a circularity can be applied. In that case, it is sufficient to continue the current proof obligation from the rhs of the circularity . The cases when does not hold (the circularity cannot be applied) are captured by the proof obligation .
Of course, not all proof trees under are sound. The next two definitions identify a class of sound proof trees (cf. Theorem 14).
Definition 13
Let be a proof tree of under . A [circ] node in is guarded iff it has as ancestor a node. is guarded iff all its [circ] nodes are guarded.
Definition 14
We write iff there is a proof tree of under that is guarded. If is a set of reachability formulas, we write iff for all .
The criterion stated by Definition 13 can be easily checked in practice. The following theorem states that the guarded proof trees under DCC are sound.
[Circularity Principle]theoremcircularityprinciple Let be a constrained rule system and a set of goals. If then .
Theorem 14 can be used by finding a set of circularities and using them in a guarded fashion to prove themselves. Then the circularity principle states that such circularities hold.
Example 13
In order to prove
,
we choose the following set of circularities
The second circularity is inspired by the infinite branch of the proof tree under DSTEP. We will show that , and by Theorem 14, it follows that all reachability formulas in hold in .
First circularity.
To obtain a proof of the first circularity, , we replace the infinite subtree rooted at in Example 12 by the following finite proof tree (that uses [circ]): {prooftree}\AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[subs] \UnaryInfC \AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[circ] \BinaryInfC where .
Second circularity.
To complete the proof of , we have
to find a finite proof tree for
as well.
This is also obtained using [circ] as follows:
{prooftree}\AxiomC
\RightLabel[axiom]
\UnaryInfC
\RightLabel[subs]
\UnaryInfC
\AxiomC
\RightLabel[]
\UnaryInfC
\RightLabel[]
\BinaryInfC
where
The subtree
{prooftree}\AxiomC
\RightLabel[]
\UnaryInfC
is:
{prooftree}\AxiomC
\RightLabel[axiom]
\UnaryInfC
\RightLabel[subs]
\UnaryInfC
\AxiomC
\RightLabel[axiom]
\UnaryInfC
\RightLabel[circ]
\BinaryInfC
where
The constraint holds when the circularity can be applied and
therefore this branch is discharged immediately by subs and axiom. The other branch, when the circularity cannot be applied, is
discharged directly by axiom, as
is unsatisfiable (
says that has a divisor between and , says that
is not a divisor of , and that has a divisor
between and ).
Note that in both proof trees of the two circularities in , in
order to apply the [circ] rule, we used the following fresh
instance of the second circularity:
The proof trees for both goals (circularities) in are guarded. We
have shown therefore that . By the Circularity
Principle (Theorem 14), we obtain that and
therefore
which includes what we wanted to show of our transition system defined in the running example.
5 Implementation
We have implemented the proof system for reachability in a tool called RMT (for rewriting modulo theories). RMT is open source and can be obtained from
To prove a reachability property, the RMT tool performs a bounded search in the proof system given above. The bounds can be set by the user. We have also tested the tool on reachability problems where we do not use strong enough circularities. In these cases, the tool will not find proofs. A difficulty that appears when a proof fails, difficulty shared by all deductive approaches to correctness, is that it is not known is the specification is wrong or if the circularities are not strong enough. Often, analysing the failing proof tree, the user may have the chance to find a hint for the missing circularities, if any. In addition, proofs might also fail because of the incompleteness of the SMT solver. In addition to the running example, we have used RMT on a number of examples, summarized in the table below:
LCTRS Reachability Property 
Computation of Result is 
Comp. of by rptd. subtractions Result matches builtin gcd function 
Comp. of by rptd. divisions Result matches builtin gcd function 
Mult. of two naturals by rptd. additions Result matches builtin function 
Comp. of Result is 
Comp. of w/out multiplications Result is 
Semantics of an IMPerative language Program computing is correct 
Semantics of a FUNctional language Program computing is correct 
Semantics of a FUNctional language Program computing is correct 

Implementation details.
RMT contains roughly 5000 lines of code, including comments and blank lines. RMT depends only on the standard C++ libraries and it can be compiled by any relatively modern C++ compiler out of the box. At the heart of RMT is a hierarchy of classes for representing variables, function symbols and terms. Terms are stored in DAG format, with maximum structure sharing. The RMT tool relies on an external SMT solver to check satisfiability of constraints. By default, the only dependency is the Z3 SMT solver, which should be installed and its binary should be in the system path. A compile time switch allows to use any other SMT solver that supports the SMTLIB interface, such as CVC4 [3]. In order to reduce constraints over the full signature to constraints over the builtin signature, RMT uses a unification modulo builtins algorithm (see [7]), which transforms any predicate (where the terms can possibly contain constructor symbols) into a set of builtin constraints.
6 Conclusion and Future Work
We introduced a coinduction based method for proving reachability properties of logically constrained term rewriting systems. We use a coinductive definition of transition systems that unifies the handling of finite and infinite executions. We propose two proof systems for the problem above. The first one formalizes symbolic execution in LCTRSs coinductively, with possibly infinite proof trees. This proof system is complete, but its infinite proof trees cannot be used in practice as proofs. In the second proof system we add to symbolic execution a circularity proof rule, which allows to transform infinite proof trees into finite trees. It is not always possible to find finite proof trees, and we conjecture that establishing a given reachability property is higher up in the arithmetic hierarchy.
We also proposed a semantics for logically constrained term rewriting systems as transition systems over a model combining ordersorted terms with builtin elements such as booleans, integers, etc. The proposed semantics has the advantage of being simpler than the usual semantics of LCTRSs defined in [20], which requires two reduction relations (one for rewriting and one for computing). The approach proposed here also removes some technical constraints such as variable inclusion of the rhs in the lhs, which is important in modelling open systems, where the result of a transition is nondeterministically chosen by the environment. In addition, working in an ordersorted setting is indispensable in order to model easily the semantics of programming languages.
In fact, proving program properties, like correctness and equivalence, is one application of our method. A tool such as C2LCTRS (http://www.trs.cm.is.nagoyau.ac.jp/c2lctrs/) can be used to convert the semantics of a C program into a LCTRS and then RMT can prove reachability properties of the C program. Additionally, the operational semantics of any language can be encoded as a LCTRS [29] and then program correctness is reducible to a particular reachability formula. But our approach is not limited to programs, as any system that can be modelled as a LCTRS is also amenable to our approach. We define reachability in the sense of partial correctness (infinite execution paths are not considered). Therefore termination should be established in some other way [18], as it is an orthogonal concern. Our approach to reachability and LCTRSs extends to working modulo AC (or more generally, modulo any set of equations E), but we have not formally presented this to preserve brevity and simplicity. For future work, we would like to test our approach on other interesting problems that arrise in various domains. In particular, it would be interesting to extend our approach to reachability in the context of program equivalence [8]. An interesting challenge is to add defined operations to the algebra underlying the constrained term rewriting systems, which would allow a user to define their own functions, which are not necessarily builtin.
Acknowledgements. We thank the anonymous reviewers for their valuable suggestions. This work was supported by a grant of the Romanian National Authority for Scientific Research and Innovation, CNCS/CCCDI  UEFISICDI, project number PNIIIP22.1BG20160394, within PNCDI III.
Appendix A Preliminaries
a.1 OrderSorted Algebra.
In this subsection we recall the main definitions and notations from ordersorted algebra we use in this paper. More details can be found, e.g., in [14].
An ordersorted signature consists of:

A set of sorts,

An indexed family of sets whose elements are called operation symbols, and

A partial order ,
such that the following monotonicity condition is satisfied:
We often write for with . We write for the empty sequence of sorts. A connected component of is an equivalence class, where is the smallest equivalence relation containing .
Given an ordersorted signature , a model (algebra) consists of:

An indexed family of carrier sets such that implies ;

A function
^{1} for each operation symbol