A Preliminaries

A Coinductive Approach to Proving Reachability Properties in Logically Constrained Term Rewriting Systems

Abstract

We introduce a sound and complete coinductive proof system for reachability properties in transition systems generated by logically constrained term rewriting rules over an order-sorted signature modulo builtins. A key feature of the calculus is a circularity proof rule, which allows to obtain finite representations of the infinite coinductive proofs.

1 Introduction

We propose a framework for specifying and proving reachability properties of systems whose behaviour is modelled using transition systems described by logically constrained term rewriting systems (LCTRSs). By reachability properties we mean that a set of target states are reached in all terminating system computations starting from a given set of initial states. We assume transition systems are generated by constrained term rewriting rules of the form


where and are terms and is a logical constraint. The terms may contain both uninterpreted function symbols and function symbols interpreted in a builtin model, e.g., the model of booleans and integers. The constraint is a first-order formula that limits the application of the rule and which may contain predicate symbols interpreted in the builtin model. The intuitive meaning of a constrained rule is that any instance of that satisfies transitions in one step into a corresponding instance of .

Example 1

The following set of constrained rewrite rules specifies a procedure for compositeness:


If is not composite, the computation of the procedure is infinite.

Given a LCTRS, which serves as a specification for a transition system, it is natural to define the notion of constrained term , where is an ordinary term (with variables) and is a logical constraint. The intuitive meaning of such a term is the set of ground instances of that satisfy .

Example 2

The constrained term defines exactly the instances of where is composite.

A reachability formula is a pair of constrained terms The intuitive meaning of a reachability formula is that any instance of reaches, along all terminating paths of the transition system, an instance of that agrees with on the set of shared variables.

Example 3

The reachability formula


captures a functional specification for the algorithm described in Example 1: each terminating computation starting from a state in which is composite reaches the state comp. Computations that start with a negative number (composite or not) are infinite and therefore vacuously covered by the specification above.

We propose an effective proof system that, given a LCTRS, proves valid reachability formulas such as the one above, assuming an oracle that solves logical constraints. In practice, we use an SMT solver instead of the oracle.

Contributions

{enumerate*}
  • As computations can be finite or infinite, an inductive approach for reachability is not practically possible. In Section 2, we propose a coinductive approach for specifying transition systems, which is an elegant way to look at reachability, but also essential in handling both finite and infinite executions. We formalize the semantics of LCTRSs as a reduction relation over a particular model that combines order-sorted terms with builtin elements such as integers, booleans, arrays, etc. The new approach, introduced in Section 3, is simpler than the usual semantics for constrained term rewriting systems [18, 20, 19, 13], but it also lifts several technical restrictions that are important for our case studies. We introduce a sound and complete coinductive proof system for deriving valid reachability formulas for transition systems specified by a LCTRS. We present our proof system in two steps: in the first step, we provide a three-rule proof system (Figure 1) for symbolic execution of constrained terms. When interpreting the proof system coinductively, its proof trees can be finite or infinite. The finite proof trees correspond to reachability formulas where there is a bounded number of symbolic steps between and . The infinite proof trees correspond to proofs of reachability formulas that hold for an unbounded number of symbolic steps between and (obtained, e.g., by unrolling loops). Symbolic execution has similarities to narrowing, but unlike narrowing, where each step computes a possible successor, symbolic execution must consider all successors of a state at the same time. The infinite proof trees above cannot be obtained in finite time in practice. In order to derive reachability formulas that require an unbounded number of symbolic steps in finite time, we introduce a fourth proof rule to the system that we call circularity. The circularity proof rule can be used to compress infinite proof trees into finite proof trees. The intuition is to use as axioms the goals that are to be proven, when they satisfy a guardedness condition. This compression of infinite coinductive trees into finite proof trees via the guardedness condition nicely complements our coinductive approach. This separation between symbolic execution and circularity answers an open question in [21]. We introduce the RMT tool, an implementation of the proof system that validates our approach on a number of examples. RMT uses an SMT solver to discharge logical constraints. The tool is expressive enough for specifying various transition systems, including operational semantics of programming languages, and proving reachability properties of practical interest and is intended to be the starting point of a library for rewriting modulo builtins, which could have more applications.

  • Related Work

    A number of approaches [1, 2, 13, 25, 30] to combining rewriting and SMT solving have appeared lately. The rewrite tool Maude [11] has been extended with SMT solving in [25] in order to enable the analysis of open systems. A method for proving invariants based on an encoding into reachability properties is presented in [30]. Both approaches above are restricted to topmost rewrite theories. While almost any theory can be written as a topmost theory [22], the encoding can significantly increase the number of transitions, which raises performance concerns. Our definition for constrained term is a generalization of that of constructor constrained pattern used in [30]. In particular [30] does not allow for quantifiers in constraints, but quantifiers are critical to obtaining a complete proof system, as witnessed by their use in the subsumption rule in our proof system ([subs], Figure 1). The approach without quantifiers is therefore not sufficient to prove reachabilities in a general setting.

    A calculus for reachability properties in a formalism similar to LCTRSs is given in [1]. However, the notion of reachability in [1] is different from ours: while we show reachability along all terminating paths of the computation[1] solves reachability properties of the form (i.e. does there exists an instance of that reaches, along some path, an instance of ).

    Work on constrained term rewriting systems appeared in [20, 19, 18, 13]. In contrast to this approach to constrained rewriting, our semantics is simpler (it does not require two reduction relations), it does not have restrictions on the terms in a rule and the constraint is an arbitrary first-order formula , possibly with quantifiers, which are crucial to obtain symbolic execution in its full generality. Constrained terms are generalized to guarded terms in [2], in order to reduce the state space.

    Reachability in rewriting is explored in depth in [12]. The work by Kirchner and others [17] is the first to propose the use of rewriting with symbolic constraints for deduction. Subsequent work [25, 20, 13] extends and unifies previous approaches to rewriting with constraints. The related work section in [25] includes a comprehensive account of literature related to rewriting modulo constraints.

    Our previous work [9, 21] on proving program correctness was in the context of the K framework [27]. K, developed by Roşu and others, implements semantics-based program verifiers [10] for any language that can be specified by a rewriting-based operational semantics, such as C [15], Java [4] and JavaScript [23]. Our formalism is not more expressive than that of reachability logic [9] for proving partial correctness of programs in a language-independent manner, but it does have several advantages. Firstly, we make a clear separation between rewrite rules (used to define transition systems), for which it makes no sense to have constraints on both the lhs and the rhs, and reachability formulas (used to specify reachability properties), for which there can be constraints on both the lhs and the rhs. We provide clear semantics of both syntactic constructs above, which makes it unnecessary to check well-definedness of the underlying rewrite system, as required in [9]. Additionally, this separation, which we see as a contribution, makes it easy to get rid of the top-most restriction in previous approaches. Another advantage is that the proposed proof system is very easy to automate, while being sufficiently expressive to specify real-world applications. Additionally, we work in the more general setting of LCTRSs, not just language semantics, which enlarges the possible set of applications of the technique. We also have several major technical improvements compared to [21], where the proof system is restricted to the cases where unification can be reduced to matching and topmost rewriting. The totality property required for languages specifications, which was quite restrictive, was replaced by a local property in proof rules and all restrictions needed to reduce unification to matching were removed.

    In contrast to the work on partial correctness in [10], the approach on reachability discussed here is meant for any LCTRS, not just operational semantics. The algorithm in [10] contains a small source of incompleteness, as when proving a reachability property it is either discharged completely through implication or through circularities/rewrite rules. We allow a reachability rule to be discharged partially by subsumption and partially by other means. Constrained terms are a fragment of Matching Logic (see [26]), where no distinction is made between terms and constraints. Coinduction and circular or cyclic proofs have been proposed in other contexts. For example, circular proof systems have been proposed for first-order logic with inductive predicates in [6] and for separation logic in [5]. In the context of interactive theorem provers, circular coinduction has been proposed as an incremental proof method for bisimulation in process calculi (see [24]). A compositional and incremental approach to coinduction that uses a semantic guardedness check instead of a syntactic check is given in [16].

    Paper Structure

    We present coinductive definitions for execution paths and reachability predicates in Section 2. In Section 3, we introduce logically constrained term rewriting with builtins in an order-sorted setting. In Section 4, we propose a sound and complete coinductive calculus for reachability and a circularity rule for compressing infinite proof trees into finite proof trees. Section 6 discusses the implementation before concluding. The proofs and a discussion of coinduction and order-sorted algebras can be found in the Appendix.

    2 Reachability Properties: Coinductive Definition

    In this section we introduce a class of reachability properties, defined coinductively. A state predicate is a subset of states. A reachability property is a pair of state predicates. Such a reachability property is demonically valid iff each execution path starting from a state in eventually reaches a state in , or if it is infinite. Since the set of finite and infinite executions is coinductively defined, the set of valid predicates can be defined coinductively as well. Formally, consider a transition system , with . We write for . An element is irreducible if for any .

    Definition 1 (Execution Path)

    The set of (complete) execution paths is coinductively defined by the following rules:


    where the function is defined by and .

    The above definition includes both the finite execution paths ending in a irreducible state and the infinite execution paths, defined as the greatest fixed point of the associated functional (see Appendix A.2).

    Definition 2 (State and Reachability Predicates)

    A state predicate is a subset . A reachability predicate is a pair of state predicates . The predicate is runnable if and for all there is s.t. .

    A derivative measures the sensitivity to change of a quantity. For the case of transition systems, the change of states is determined by the transition relation.

    Definition 3 (Derivative of a State Predicate)

    The derivative of a state predicate is the state predicate .

    As a reachability predicate specifies reachability property of execution paths, we define when a particular execution path satisfies a reachability predicate.

    Definition 4 (Satisfaction of a Reachability Predicate)

    An execution path satisfies a reachability predicate , written , iff , where EPSRP consists of the following rules:

    The notation stands for the functional of EPSRP and stands for its greatest fixed point (see Appendix A.2). We coinductively define the set of demonically valid reachability predicates over . This allows to use coinductive proof techniques to prove validity of reachability predicates.

    Definition 5 (Valid Reachability Predicates, Coinductively)

    We say that is demonically valid, and we write

    iff , where DVP consists of the following rules:

    The condition runnable in the second rule is essential to avoid the cases where execution is stuck. These blocking states have no successor in and, in the absense of the condition, we would wrongly conclude that they satisfy . The terminating executions are captured by .

    The following proposition justifies our definition of demonically valid reachability predicates. {restatable}propositiondemonicvalidsoundness Let be a reachability predicate. We have iff any execution path starting from () satisfies .

    3 Logically Constrained Term Rewriting Systems

    In this section we introduce our formalism for LCTRSs. We interpret LCTRSs in a model combining order-sorted terms with builtins such as integers, booleans, etc. Logical constraints are first-order formulas interpreted over the fixed model.

    We assume a builtin model for a many-sorted builtin signature , where is a set of builtin sorts that includes at least the sort and is the -sorted set of builtin function symbols. We assume that the set interpreting the sort in the model is . We use the standard notation for the interpretation of the sort/symbol in the model . The set , defined as the set of (many-sorted) first-order formulas with equality over the signature , is the set of builtin constraint formulas. Functions returning play the role of predicates and terms of sort are atomic formulas. We will assume that the builtin constraint formulas can be decided by an oracle (implemented as an SMT solver).

    A signature modulo builtins is an order-sorted signature that includes as a subsignature and such that the only builtin constants in are elements of the builtin model () – therefore the signature might be infinite. By we denoted the set of function symbols of arity and result sort . is called the builtin subsignature of and the constructor subsignature of . We let be an -sorted set of variables.

    We extend the builtin model to an -model defined as follows: , for each ( is the set of ground constructor terms of sort , i.e. terms built from constructors applied to builtin elements); for each builtin function symbol ; is the term constructor , for each non-builtin function symbol . By fixing the interpretation of the non-builtin function symbols, we can reduce constraint formulas to built-in constraint formulas by relying on an unification algorithm described in detail in [7]. We also make the standard assumption that for any .

    Example 4

    Let , where and include the usual operators over eans () and over the egers (). The builtin model interprets the above sorts and operations as expected.

    We consider the signature modulo builtins , where the set of sorts consists of the builtin sorts and an additional sort , where the subsorting relation is empty, and where the set of function symbols includes, in addition to the builtin symbols in , the following function symbols: . We have that .

    The set of constraint formulas is the set of first-order formulas with equality over the signature . The subset of the builtin constraint formulas is denoted by . Let denote the set of variables freely occurring in . We write when the formula is satisfied by the model with a valuation .

    Example 5

    The constraint formula is satisfied by the model defined in Example 4 and any valuation such that is a composite number.

    Definition 6 (Constrained Terms)

    A constrained term of sort is a pair , where and .

    Example 6

    Continuing the previous example, the following is a constrained term:

    We consistently use for constrained terms and for constraint formulas.

    Definition 7 (Valuation Semantics of Constraints)

    The valuation semantics of a constraint is the set .

    Example 7

    Continuing the previous example, we have that

    Definition 8 (State Predicate Semantics of Constrained Terms)

    The state predicate semantics of a constrained term is the set

    Example 8

    Continuing the previous example, we have that

    We now introduce our formalism for logically constrained term rewriting systems. Syntactically, a rewrite rule consists of two terms (the left hand side and respectively the right hand side), together with a constraint formula. As the two terms could share some variables, these shared variables should be instantiated consistently in the semantics:

    Definition 9 (Lctrs)

    A logically constrained rewrite rule is a tuple , often written as , where are terms in having the same sort, and . A logically constrained term rewriting system is a set of logically constrained rewrite rules. defines an order-sorted transition relation on as follows: iff there exist a rule in , a context , and a valuation such that , and .

    Example 9

    We recall the LCTRS given in the introduction:

    A LCTRS defines a sort-indexed transition system . As each constrained term defines a state predicate , it is natural to specify reachability predicates as pairs of constrained terms sharing a subset of variables. The shared variables must be instantiated in the same way by the execution paths connecting states specified by the two constrained terms.

    Definition 10 (Reachability Properties of LCTRSs)

    A reachability formula is a pair of constrained terms, which may share variables. We say that a LCTRS demonically satisfies , written


    iff for each .

    Since the carriers sets of consist of ground terms, is both a substitution and a valuation in the definition above. Its role is critical: to ensure that the shared variables of and are instantiated by the same values.

    Example 10

    Continuing the previous example, we have that the reachability formula is demonically satisfied by the constrained rule system defined in Example 9:

    We have checked the above reachability formula against mechanically, using an implementation of the approach described in this paper.

    4 Proving Reachability Properties of LCTRSs

    We introduce two proof systems for proving reachability properties in transition systems specified by LCTRSs. The first proof system formalizes symbolic execution in a LCTRS, in the following sense: a reachability formula can be proven if either the left-hand side can be derived infinitely many times (and therefore all execution paths starting with are infinite), or if some derivative is an instance of the right-hand side , i.e. all the execution paths starting with reach a state that is an instance of . Note that this intuition holds when the proof system is interpreted coinductively, where infinite proof trees are allowed. Unfortunately, these infinite proof trees have a limited practical use because they cannot be obtained in finite time.

    In order to solve this limitation, we introduce a second proof system, which contains an additional inference rule, called circularity. The circularity rule allows to use the reachability formula to be proved as an axiom. This allows to fold infinite proof trees into finite proof trees, which can be obtained in finite time. Adding the reachability formulas that are to be proved as axioms seems at first to be unsound, but it corresponds to a natural intuition: when reaching a proof obligation that we have handled before, there is no need to prove it again, because the previous reasoning can be reused (possibly leading to an infinite proof branch). However, the circularity rule must be used in a guarded fashion in order to preserve soundness. We introduce a simple criterion to select the sound proof trees.

    4.1 Derivatives of Constrained Terms

    Our proof system relies on the notion of derivative at the syntactic level:

    Definition 11 (Derivatives of Constrained Terms)

    The set of derivatives of a constrained term w.r.t. a rule is

    (1)

    where the variables in are renamed such that and are disjoint. If is a set of rules, then A constrained term is -derivable if .

    Example 11

    Continuing the previous examples, we have that

    In the above case, includes only the derivative computed w.r.t. the first rule in , because the constraints of the ones computed w.r.t. the other rules are unsatisfiable. Intuitively, the derivatives of a constrained term denote all its possible successor configurations in the transition system generated by .

    The symbolic derivatives and the concrete ones are related as expected: {restatable}theoremdeltacommutes Let be a constrained term, a constrained rule system, and the transition system defined by . Then .

    Our proof systems allows to replace any reachability formula by an equivalent one. Two reachability formulas, and , are equivalent, written , if, for all LCTRSs ,

    iff

    We write iff for each , we have . The next result, used in our proof system, shows that inclusion of the state predicate semantics of two constrained terms can be expressed as a constraint formula, when the shared variables are instantiated consistently. {restatable}propositionsemanticinclusion The inclusion holds if and only if , where .

    4.2 Proof System for Symbolic Execution

    The first proof system, , derives sequents of the form . The proof system consists of three proof rules presented in Figure 1 and an implicit structural rule that allows to replace reachability formulas by equivalent reachability formulas. The instances of this implicit structural rule are not included in the proof trees. We explain the three rules in the proof system.

    Figure 1: The Proof System

    The [axiom] rule discharges goals where the left hand side of the goal does not match any state. As our structural rule identifies equivalent reachability formulas, this rule can be applied to any left-hand side where the constraint is unsatisfiable (equivalent to ). This rule discharges reachability formulas where there are no execution paths starting from the left-hand side, and therefore no need to continue the proof process.
    The [subs] rule discharges the cases where the left-hand side is an instance of the right-hand side. The constraint is true exactly when the left-hand side is an instance of the right-hand side, which is ensured by Proposition 11. The proof of the current goal continues only for the cases where the negation of this constraint holds (i.e., the cases where the left-hand side is not included in the right-hand side).
    The [der] rule allows to take a symbolic step in the left-hand side of the current goal. It computes all derivatives of the left-hand side; the proof process must continue with each such derivative. Let be the logical constraint that occurs in the condition of [der]. The formula is valid iff there is at least one rule of that can be applied to any instance of , meaning that is total for . Summarising, the condition of [der] says that must have at least one successor and furthermore that any instance has a -successor.

    The following result shows that is sound and complete.

    {restatable}

    theoremdstepsound Let be a LCTRS. For any reachability formula , we have

    iff .

    Example 12

    Consider the LCTRS defined in Example 9. The proof tree for the reachability formula where denotes the fact that is composite and , is infinite: {prooftree}\AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[subs] \UnaryInfC \AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[subs] \UnaryInfC \AxiomC\RightLabel[] \BinaryInfC \RightLabel[] \BinaryInfC \RightLabel[] \UnaryInfC The right branch of the above proof tree is infinite, and:


    Note that in the presentation of the tree above, we used the structural rule to replace reachability formulas by equivalent reachability formulas as follows:

    where . The ticks appear in the formulas above because, to compute derivatives, we used the following fresh instance of :

    4.3 Extending the Proof System with a Circularity Rule

    As we said at the beginning of the section, the use of DSTEP is limited because of the infinite proof trees. The next inference rule is intended to use the initial goals as axioms to fold infinite DSTEP-proof trees into sound finite proof trees.

    Definition 12 (Demonic circular coinduction)

    Let be a finite set reachability formulas. Then the set of rules DCC consists of , together with

    where is a rule in whose variables have been renamed with fresh names.

    The idea is that should be chosen conveniently so that DCC proves itself. We call such goals (that are used to prove themselves) circularities. The intuition behind the rule is that the formula defined in the rule holds when a circularity can be applied. In that case, it is sufficient to continue the current proof obligation from the rhs of the circularity . The cases when does not hold (the circularity cannot be applied) are captured by the proof obligation .

    Of course, not all proof trees under are sound. The next two definitions identify a class of sound proof trees (cf. Theorem 14).

    Definition 13

    Let be a proof tree of under . A [circ] node in is guarded iff it has as ancestor a node. is guarded iff all its [circ] nodes are guarded.

    Definition 14

    We write iff there is a proof tree of under that is guarded. If is a set of reachability formulas, we write iff for all .

    The criterion stated by Definition 13 can be easily checked in practice. The following theorem states that the guarded proof trees under DCC are sound.

    {restatable}

    [Circularity Principle]theoremcircularityprinciple Let be a constrained rule system and a set of goals. If then .

    Theorem 14 can be used by finding a set of circularities and using them in a guarded fashion to prove themselves. Then the circularity principle states that such circularities hold.

    Example 13

    In order to prove , we choose the following set of circularities

    The second circularity is inspired by the infinite branch of the proof tree under DSTEP. We will show that , and by Theorem 14, it follows that all reachability formulas in hold in .

    First circularity.

    To obtain a proof of the first circularity, , we replace the infinite subtree rooted at in Example 12 by the following finite proof tree (that uses [circ]): {prooftree}\AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[subs] \UnaryInfC \AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[circ] \BinaryInfC where .

    Second circularity.

    To complete the proof of , we have to find a finite proof tree for


    as well. This is also obtained using [circ] as follows: {prooftree}\AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[subs] \UnaryInfC \AxiomC    \RightLabel[] \UnaryInfC \RightLabel[] \BinaryInfC where


    The subtree {prooftree}\AxiomC    \RightLabel[] \UnaryInfC is: {prooftree}\AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[subs] \UnaryInfC \AxiomC \RightLabel[axiom] \UnaryInfC \RightLabel[circ] \BinaryInfC where


    The constraint holds when the circularity can be applied and therefore this branch is discharged immediately by subs and axiom. The other branch, when the circularity cannot be applied, is discharged directly by axiom, as is unsatisfiable ( says that has a divisor between and , says that is not a divisor of , and that has a divisor between and ).
    Note that in both proof trees of the two circularities in , in order to apply the [circ] rule, we used the following fresh instance of the second circularity:

    The proof trees for both goals (circularities) in are guarded. We have shown therefore that . By the Circularity Principle (Theorem 14), we obtain that and therefore


    which includes what we wanted to show of our transition system defined in the running example.

    5 Implementation

    We have implemented the proof system for reachability in a tool called RMT (for rewriting modulo theories). RMT is open source and can be obtained from

    http://github.com/ciobaca/rmt/.

    To prove a reachability property, the RMT tool performs a bounded search in the proof system given above. The bounds can be set by the user. We have also tested the tool on reachability problems where we do not use strong enough circularities. In these cases, the tool will not find proofs. A difficulty that appears when a proof fails, difficulty shared by all deductive approaches to correctness, is that it is not known is the specification is wrong or if the circularities are not strong enough. Often, analysing the failing proof tree, the user may have the chance to find a hint for the missing circularities, if any. In addition, proofs might also fail because of the incompleteness of the SMT solver. In addition to the running example, we have used RMT on a number of examples, summarized in the table below:


    LCTRS Reachability Property


    Computation of Result is


    Comp. of by rptd. subtractions Result matches builtin gcd function


    Comp. of by rptd. divisions Result matches builtin gcd function


    Mult. of two naturals by rptd. additions Result matches builtin function


    Comp. of Result is


    Comp. of w/out multiplications Result is


    Semantics of an IMPerative language Program computing is correct


    Semantics of a FUNctional language Program computing is correct


    Semantics of a FUNctional language Program computing is correct


    Implementation details.

    RMT contains roughly 5000 lines of code, including comments and blank lines. RMT depends only on the standard C++ libraries and it can be compiled by any relatively modern C++ compiler out of the box. At the heart of RMT is a hierarchy of classes for representing variables, function symbols and terms. Terms are stored in DAG format, with maximum structure sharing. The RMT tool relies on an external SMT solver to check satisfiability of constraints. By default, the only dependency is the Z3 SMT solver, which should be installed and its binary should be in the system path. A compile time switch allows to use any other SMT solver that supports the SMTLIB interface, such as CVC4 [3]. In order to reduce constraints over the full signature to constraints over the builtin signature, RMT uses a unification modulo builtins algorithm (see [7]), which transforms any predicate (where the terms can possibly contain constructor symbols) into a set of builtin constraints.

    6 Conclusion and Future Work

    We introduced a coinduction based method for proving reachability properties of logically constrained term rewriting systems. We use a coinductive definition of transition systems that unifies the handling of finite and infinite executions. We propose two proof systems for the problem above. The first one formalizes symbolic execution in LCTRSs coinductively, with possibly infinite proof trees. This proof system is complete, but its infinite proof trees cannot be used in practice as proofs. In the second proof system we add to symbolic execution a circularity proof rule, which allows to transform infinite proof trees into finite trees. It is not always possible to find finite proof trees, and we conjecture that establishing a given reachability property is higher up in the arithmetic hierarchy.

    We also proposed a semantics for logically constrained term rewriting systems as transition systems over a model combining order-sorted terms with builtin elements such as booleans, integers, etc. The proposed semantics has the advantage of being simpler than the usual semantics of LCTRSs defined in [20], which requires two reduction relations (one for rewriting and one for computing). The approach proposed here also removes some technical constraints such as variable inclusion of the rhs in the lhs, which is important in modelling open systems, where the result of a transition is non-deterministically chosen by the environment. In addition, working in an order-sorted setting is indispensable in order to model easily the semantics of programming languages.

    In fact, proving program properties, like correctness and equivalence, is one application of our method. A tool such as C2LCTRS (http://www.trs.cm.is.nagoya-u.ac.jp/c2lctrs/) can be used to convert the semantics of a C program into a LCTRS and then RMT can prove reachability properties of the C program. Additionally, the operational semantics of any language can be encoded as a LCTRS [29] and then program correctness is reducible to a particular reachability formula. But our approach is not limited to programs, as any system that can be modelled as a LCTRS is also amenable to our approach. We define reachability in the sense of partial correctness (infinite execution paths are not considered). Therefore termination should be established in some other way [18], as it is an orthogonal concern. Our approach to reachability and LCTRSs extends to working modulo AC (or more generally, modulo any set of equations E), but we have not formally presented this to preserve brevity and simplicity. For future work, we would like to test our approach on other interesting problems that arrise in various domains. In particular, it would be interesting to extend our approach to reachability in the context of program equivalence [8]. An interesting challenge is to add defined operations to the algebra underlying the constrained term rewriting systems, which would allow a user to define their own functions, which are not necessarily builtin.

    Acknowledgements. We thank the anonymous reviewers for their valuable suggestions. This work was supported by a grant of the Romanian National Authority for Scientific Research and Innovation, CNCS/CCCDI - UEFISICDI, project number PN-III-P2-2.1-BG-2016-0394, within PNCDI III.

    Appendix A Preliminaries

    a.1 Order-Sorted Algebra.

    In this subsection we recall the main definitions and notations from order-sorted algebra we use in this paper. More details can be found, e.g., in [14].

    An order-sorted signature consists of:

    1. A set of sorts,

    2. An -indexed family of sets whose elements are called operation symbols, and

    3. A partial order ,

    such that the following monotonicity condition is satisfied:

    We often write for with . We write for the empty sequence of sorts. A connected component of is an -equivalence class, where is the smallest equivalence relation containing .

    Given an order-sorted signature , a -model (-algebra) consists of:

    • An -indexed family of carrier sets such that implies ;

    • A function1 for each operation symbol