Consistency and Completeness of Rewriting in the Calculus of Constructions

Adding rewriting to a proof assistant based on the Curry-Howard isomorphism, such as Coq, may greatly improve usability of the tool. Unfortunately adding an arbitrary set of rewrite rules may render the underlying formal system undecidable and incons…

Authors: Daria Walukiewicz-Chrzaszcz, Jacek Chrzaszcz

Logical Methods in Computer Science Vol. 4 (3:8) 2008, pp. 1–20, www.lmcs-online.org. Submitted Feb. 1, 2007. Published Sep. 13, 2008.

CONSISTENCY AND COMPLETENESS OF REWRITING IN THE CALCULUS OF CONSTRUCTIONS ∗

DARIA WALUKIEWICZ-CHRZĄSZCZ AND JACEK CHRZĄSZCZ

Institute of Informatics, Warsaw University, ul. Banacha 2, 02-097 Warsaw, Poland
e-mail address: {daria,chrzaszcz}@mimuw.edu.pl

Abstract. Adding rewriting to a proof assistant based on the Curry-Howard isomorphism, such as Coq, may greatly improve usability of the tool. Unfortunately adding an arbitrary set of rewrite rules may render the underlying formal system undecidable and inconsistent. While ways to ensure termination and confluence, and hence decidability of type-checking, have already been studied to some extent, logical consistency has got little attention so far. In this paper we show that consistency is a consequence of canonicity, which in turn follows from the assumption that all functions defined by rewrite rules are complete. We provide a sound and terminating, but necessarily incomplete algorithm to verify this property. The algorithm accepts all definitions that follow dependent pattern matching schemes presented by Coquand and studied by McBride in his PhD thesis. It also accepts many definitions by rewriting including rules which depart from standard pattern matching.

1. Introduction

Equality is ubiquitous in mathematics. Yet it turns out that proof assistants based on the Curry-Howard isomorphism, such as Coq [11], are not very good at handling equality. While proving an equality is not a problem in itself, using already established equalities is quite problematic.
Apart from equalities resulting from internal reductions (namely, beta and iota reductions), which can be used via the conversion rule of the calculus of inductive constructions without being recorded in the proof term, any other use of an equality requires giving all details about the context explicitly in the proof. As a result, proof terms may become extremely large, taking up memory and making type-checking time consuming: working with equations in Coq is not very convenient.

A straightforward idea for reducing the size of proof terms is to allow other equalities in the conversion, making their use transparent. This can be done by using user-defined rewrite rules. However, adding arbitrary rules may easily lead to logical inconsistency, making the proof environment useless. It is of course possible to put the responsibility on the user, but it is contrary to the current Coq policy to guarantee consistency of developments without axioms. Therefore it is desirable to retain this guarantee when rewriting is added to Coq. Since consistency is undecidable in the presence of rewriting in general, one has to find some decidable criteria satisfied only by rewriting systems which do not violate consistency.

1998 ACM Subject Classification: F.4.1, I.2.3, F.4.2, I.1.1, I.1.3, D.3.1.
Key words and phrases: term rewriting, calculus of constructions, logical consistency, higher-order rewriting, higher-order logic, type theory, lambda calculus.
∗ The extended abstract of this paper appeared earlier as [23]. This work was partly supported by Polish government grant 3 T11C 002 27.
DOI: 10.2168/LMCS-4(3:8)2008. © D. Walukiewicz-Chrząszcz and J. Chrząszcz, Creative Commons.
The syntactical proof of consistency of the calculus of constructions, which is the basis of the formalism implemented in Coq, requires every term to have a normal form [2]. The same proof is also valid for the calculus of inductive constructions [24], which is even closer to the formalism implemented in Coq.

There exist several techniques to prove (strong) normalization of the calculus of constructions with rewriting [1, 7, 6, 21, 22], following numerous works about rewriting in the simply-typed lambda calculus. Practical criteria for ensuring other fundamental properties, like confluence, subject reduction and decidability of type-checking, are addressed e.g. in [6]. Logical consistency is also studied in [6]. It is shown under the assumption that for every symbol f defined by rewriting, f(t1, ..., tn) is reducible if t1 ... tn are terms in normal form in the environment consisting of one type variable. Apart from a proof sketch that this is the case for the two rules defining the induction predicate for natural numbers and a remark that this property resembles the completeness of definitions, practical ways to satisfy the assumption of the consistency lemma are not discussed.

Techniques for checking completeness of definitions have been known for almost 30 years in the first-order algebraic setting [14, 20, 15]. More recently, their adaptations to type theory appeared in [12, 16] and [18]. In this paper we show how the latter algorithm can be tailored to the calculus of constructions extended with rewriting. We study a system where the set of available function symbols and rewrite rules is not known from the beginning but may grow as the proof development advances, as is the case with concrete implementations of modern proof assistants.
We show that logical consistency is an easy consequence of canonicity, which in turn can be proved from completeness of definitions by rewriting, provided that termination and confluence are proved first. Our completeness checking algorithm closes the list of necessary procedures needed to guarantee logical consistency of developments in a proof assistant based on the calculus of constructions with rewriting.

In fact, in this paper we work in a framework which is slightly more general than the calculus of constructions, namely that of pure type systems, of which the calculus of constructions is an instance. However, since termination and confluence are used both in our algorithm and in the proof of its correctness, our results are useful only if termination and confluence criteria exist for a given pure type system extended with rewriting. Some work in this direction has been done, e.g., in [4].

2. Rewriting in the Calculus of Constructions

Let us briefly discuss how we imagine introducing rewriting in Coq and what problems we encounter on the way to a usable system. From the user's perspective definitions by rewriting could be entered just as all other definitions:¹

    Inductive nat : Set := O : nat | S : nat → nat.
    Symbol + : nat → nat → nat
    Rules
      O + y       −→ y
      x + O       −→ x
      (S x) + y   −→ S (x + y)
      x + (S y)   −→ S (x + y)
      x + (y + z) −→ (x + y) + z.
    Parameter n : nat.

¹ The syntax of the definition by rewriting is inspired by the experimental "recriture" branch of Coq developed by Blanqui. For the sake of clarity we omit certain details, like environments of rule variables, and allow the infix + in the definition.
The above fragment can be interpreted as an environment consisting of the inductive definition of natural numbers, a symmetric definition by rewriting of addition and the declaration of a variable n of type nat. In this environment all rules for + contribute to conversion. For instance both ∀x:nat. x + 0 = x and ∀x:nat. 0 + x = x can be proved by λx:nat. refl nat x, where refl is the only constructor of the Leibniz equality inductive predicate. Note that the definition of + is terminating and confluent. The latter can be checked by an (automatic) examination of its critical pairs.

Rewrite rules can also be used to define higher-order and polymorphic functions, like the map function on polymorphic lists. In this example, the first two rules correspond to the usual definition of map by pattern matching and structural recursion, and the third rule can be used to quickly get rid of the map function in case one knows that f is the identity function.

    Symbol map : forall (A:Set), (A → A) → list A → list A
    Rules
      map A f (nil A)       −→ nil A
      map A f (cons A a l)  −→ cons A (f a) (map A f l)
      map A (fun x ⇒ x) l   −→ l

Even though we consider higher-order rewriting, we choose the simple matching modulo α-conversion. Higher-order matching is useful for example to encode logical languages by higher-order abstract syntax, but it is seldom used in Coq, where modeling relies rather on inductive types. Instead of higher-order matching, one needs a possibility not to specify certain arguments in left-hand sides, and hence to work with rewrite rules built from terms that may not be typable. Consider, for example, the type tree of trees with size, holding some Boolean values in the nodes, and the function rotr performing a right rotation in the root of the tree.
    Inductive tree : nat → Set :=
        Leaf : tree O
      | Node : forall n1:nat, tree n1 → bool → forall n2:nat, tree n2 → tree (S (n1 + n2)).
    Symbol rotr : forall n:nat, (tree n) → (tree n)
    Rules
      rotr 0 t                                     −→ t
      rotr ? (Node O t1 a n2 t2)                   −→ Node O t1 a n2 t2
      rotr ?1 (Node ?2 (Node ?3 A b ?4 C) d ?5 E)  −→ Node ?3 A b (S (?4 + ?5)) (Node ?4 C d ?5 E)

The first argument of rotr is the size of the tree and the second is the tree itself. The first two rules cover the trees which cannot be rotated and the third one performs the rotation. The ? marks above should be treated as different variables. The information they hide is redundant for typable terms: if we take the third rule for example, the values of ?3, ?4 and ?5 must correspond to the sizes of the trees A, C and E respectively, ?2 must be equal to S(?3+?4) and ?1 to S(?2+?5). Note that by not writing these subterms we make the rule left-linear (and therefore easier to match) and avoid critical pairs with +, hereby helping the confluence proof.

This way of writing left-hand sides of rules was already used by Werner in [24] to define elimination rules for inductive types, making them orthogonal (the left-hand sides are of the form I_elim P f⃗ w⃗ (c x⃗), where P, f⃗, w⃗, x⃗ are distinct variables and c is a constructor of I). In [6], Blanqui gives a precise account of these omissions, using them to make more rewriting rules left-linear. Later, the authors of [8] show that these redundant subterms can be completely removed from terms (in a calculus without rewriting, however). In [3], a new optimized convertibility test algorithm is presented for Coq, which ignores testing equality of these redundant arguments. In our paper we do not explicitly specify which arguments should/could be replaced by ? and do not restrict left-hand sides to be left-linear.
Instead, we rely on an acceptance condition to suitably restrict the form of acceptable definitions by rewriting to guarantee the needed metatheoretical properties listed in the next section. It is also interesting to note that when the first argument of rotr is ?1 then we may understand it as S(?2+?5) matched to terms modulo the convertibility relation and not just syntactically (i.e., modulo α-conversion).

3. Pure Type Systems with Generative Definitions

Even though most papers motivated by the development of Coq concentrate on the calculus of constructions, we present here a slightly more general formalization of a pure type system with inductive definitions and definitions by rewriting. The presentation, taken from [9, 10], is quite close to the way these elements could be implemented in Coq.

The formalism is built upon a set of PTS sorts S, a binary relation A and a ternary relation R over S governing the typing rules (Term/Ax) and (Term/Prod) respectively (Figure 1). The syntactic class of pseudoterms is defined as follows:

    t ::= v | s | t1 t2 | λv:t1. t2 | (v:t1) t2

A pseudoterm can be a variable v ∈ Var, a sort s ∈ S, an application, an abstraction or a product. We write |t| to denote the size of the pseudoterm t, with |v| = |s| = 1. We use Greek letters γ, δ to denote substitutions, which are finite partial maps from variables to pseudoterms. The postfix notation is used for the application of substitutions to pseudoterms.

Inductive definitions and definitions by rewriting are generative, i.e. they are stored in the environment and are used in terms only through names they "generate".
An environment is a sequence of declarations, each of them a variable declaration v : t, an inductive definition Ind(Γ_I := Γ_C), where Γ_I and Γ_C are environments providing names and types of (possibly mutually defined) inductive types and their constructors, or a definition by rewriting Rew(Γ, R), where Γ is an environment providing names and types of (possibly mutually defined) function symbols and R is a set of rewrite rules defining them. Types of inductive types, constructors and function symbols determine their arity: given v : t in an inductive definition or a definition by rewriting, if t is of the form (x1:t1) ... (xn:tn) t̂ where t̂ is not a product, then n is the arity of v.

A rewrite rule is a triple denoted by Δ ⊢ l −→ r, where l and r are pseudoterms and Δ is an environment providing names and types of variables occurring in the left- and right-hand sides l and r.

Given an environment E, inductive types, constructors and function symbols declared in E are called constants (even though syntactically they are variables). We often write h(e1, ..., en) to denote the application of a constant h to pseudoterms e1, ..., en, when n is the arity of h. General environments are denoted by E and environments containing only variable declarations are denoted by Γ, Δ, G, D. We assume that names of all declarations in environments are pairwise disjoint. A pair consisting of an environment E and a term e is called a sequent and denoted by E ⊢ e. A sequent is well-typed if E ⊢ e : t for some t.

Definition 3.1. A pure type system with generative definitions is defined by the typing rules in Figure 1, where:
• POS is a positivity condition for inductive definitions (see assumptions below).
• ACC is an acceptance condition for definitions by rewriting (idem).
• The relation ≈ used in the rule (Term/Conv) is the smallest congruence on well-typed terms generated by −→, which is the sum of beta and rewrite reductions, denoted by −→β and −→R respectively (for the exact definition see [10], Section 2.8).
• The notation δ : Γ → E means that δ is a well-typed substitution, i.e. E ⊢ vδ : tδ for all v : t ∈ Γ.

As in [22, 6], recursors and their reduction rules have no special status and they are supposed to be expressed by rewriting.

Assumptions. We assume that we are given a positivity condition POS for inductive definitions and an acceptance condition ACC for definitions by rewriting. Together with the right choice of the PTS they must imply the following properties:

P1 subject reduction, i.e. E ⊢ e : t, E ⊢ e −→ e′ implies E ⊢ e′ : t
P2 uniqueness of types, i.e. E ⊢ e : t, E ⊢ e : t′ implies E ⊢ t ≈ t′
P3 strong normalization, i.e. E ⊢ ok implies that reductions of all well-typed terms in E are finite
P4 confluence, i.e. E ⊢ e : t, E ⊢ e −→* e′, E ⊢ e −→* e′′ implies E ⊢ e′ −→* ê and E ⊢ e′′ −→* ê for some ê.

These properties are usually true in all well-behaved type theories. They are for example all proved for the calculus of algebraic constructions [6], an extension of the calculus of constructions with inductive types and rewriting, where POS is the strict positivity condition as defined in [17], and ACC is the General Schema. From now on, we use the notation t↓ for the unique normal form of t.

4. Consistency and Completeness

Consistency of the calculus of constructions (resp. calculus of inductive constructions) can be shown by rejecting all cases of a hypothetical normalized proof e of (x:∗) x in a closed environment, i.e. the empty environment (resp. an environment containing only inductive definitions and no axioms). Our goal is to extend the definition of closed environments to the calculus of constructions with rewriting, allowing it to include a certain class of definitions by rewriting. Let us try to identify that class.

Figure 1: Definition correctness, environment correctness and lookup, PTS rules.

Definition correctness. Let Γ_I = I1 : t_I1 ... In : t_In and Γ_C = c1 : t_C1 ... cm : t_Cm.

    E ⊢ t_Ij : s_j       t_Ij = (z⃗ : Z⃗_j) s′_j               for j = 1 ... n
    E; Γ_I ⊢ t_Ci : ŝ_i  t_Ci = (z⃗ : Z⃗′_i) I_{j_i} w⃗         for i = 1 ... m
    ---------------------------------------------------------  if POS_E(Γ_I := Γ_C)
    E ⊢ Ind(Γ_I := Γ_C) : correct

Let Γ = f1 : t1 ... fn : tn and R = {Γ_i : l_i −→ r_i}_{i=1...m}, where Γ_i = x_i1 : t_i1; ...; x_in_i : t_in_i.

    E ⊢ t_k : s_k                                  for k = 1 ... n
    E; Γ_i ⊢ ok       FV(l_i, r_i) ⊆ Γ_i            for i = 1 ... m
    ---------------------------------------------  if ACC_E(Γ, R)
    E ⊢ Rew(Γ, R) : correct

Environment correctness.

    ---------
    ε ⊢ ok

    E ⊢ ok    E ⊢ t : s
    --------------------
    E; v : t ⊢ ok

    E ⊢ ok    E ⊢ Ind(Γ_I := Γ_C) : correct
    ----------------------------------------
    E; Ind(Γ_I := Γ_C) ⊢ ok

    E ⊢ ok    E ⊢ Rew(Γ, R) : correct
    ----------------------------------
    E; Rew(Γ, R) ⊢ ok

Lookup.

    E1; v : t; E2 ⊢ ok
    -----------------------
    E1; v : t; E2 ⊢ v : t

    E ⊢ ok                E ⊢ ok                where E = E1; Ind(Γ_I := Γ_C); E2,
    ---------------       ---------------             Γ_I = I1 : t_I1 ... In : t_In,
    E ⊢ I_i : t_Ii        E ⊢ c_i : t_Ci              Γ_C = c1 : t_C1 ... cm : t_Cm

    E ⊢ ok                E ⊢ ok    δ : Γ_i → E        where E = E1; Rew(Γ, R); E2,
    ---------------       -------------------------          Γ = f1 : t1 ... fn : tn,
    E ⊢ f_i : t_i         E ⊢ l_iδ −→R r_iδ                  R = {Γ_i : l_i −→ r_i}_{i=1...m}

PTS rules.

    E ⊢ t1 : s1    E; v : t1 ⊢ t2 : s2
    -----------------------------------  (Term/Prod)  where s1, s2, s3 ∈ S
    E ⊢ (v:t1) t2 : s3

    E; v : t1 ⊢ e : t2    E ⊢ (v:t1) t2 : s
    ----------------------------------------  (Term/Abs)
    E ⊢ λv:t1. e : (v:t1) t2

    E ⊢ ok
    --------------  (Term/Ax)  where (s1, s2) ∈ A
    E ⊢ s1 : s2

    E ⊢ e : (v:t1) t2    E ⊢ e′ : t1
    ----------------------------------  (Term/App)
    E ⊢ e e′ : t2{v ↦ e′}

    E ⊢ e : t    E ⊢ t′ : s    E ⊢ t ≈ t′
    --------------------------------------  (Term/Conv)
    E ⊢ e : t′
If we reanalyze e in the new setting, the only new possible normal form of e is an application f(e⃗) of a function symbol f, coming from a rewrite definition Rew(Γ, R), to some arguments in normal form. There is no obvious argument why such terms cannot be proofs of (x:∗) x. On the other hand, if we knew that such terms were always reducible, we could complete the consistency proof. Let us call COMP(Γ, R) the condition on rewrite definitions we are looking for (i.e. f(e⃗) is always reducible), which can also be read as: the function symbols from Γ are completely defined by the set of rules R.

Note that the completeness of f has to be checked much earlier than it is used: we use it in a given closed environment E = E1; Rew(Γ, R); E2 but it has to be checked when f is added to the environment, i.e. in the environment E1. It implies that completeness checking has to account for environment extension and can be performed only with respect to arguments of such types of which the set of normal forms could not change in the future. This is the case for arguments of inductive types.

The requirement that functions defined by rewriting are completely defined could very well be included in the condition ACC. On the other hand, the separation between ACC and COMP is motivated by the idea of working with abstract function symbols, equipped with some rewrite rules not defining them completely. For example, if + from Section 2 were declared using only the third rewrite rule, one could develop a theory of an associative function over natural numbers.

The intuition behind the definitions given below is the following. A rewrite definition Rew(Γ, R) is complete (satisfies COMP(Γ, R)) if for all f in Γ, the goal f(x1, ..., xn) is covered by R.
A goal is covered if all its instances are immediately covered, i.e. head-reducible by R. Following the discussion above we limit ourselves to normalized canonical instances, i.e. built from constructors wherever possible.

Definition 4.1 (Canonical form and canonical substitution). Given a judgment E ⊢ e : t we say that the term e is in canonical form if and only if:
• if t↓ is an inductive type then e = c(e1, ..., en) for some constructor c and terms e1, ..., en in canonical form
• otherwise e is arbitrary
Let Δ be a variable environment and E a correct environment. We call δ : Δ → E canonical if for every variable x ∈ Δ, the term xδ is canonical.

From now on, let E be a global environment and let Rew(Γ, R) be a rewrite definition such that E ⊢ Rew(Γ, R) : correct. Let f : (x1:t1) ... (xn:tn) t ∈ Γ be a function symbol of arity n.

Definition 4.2. A goal is a well-typed sequent E; Γ; Δ ⊢ f(e1, ..., en). A normalized canonical instance of the goal E; Γ; Δ ⊢ f(e1, ..., en) is a well-typed sequent E; Rew(Γ, R); E′ ⊢ f(e1δ↓, ..., enδ↓) for any canonical substitution δ : Δ → E; Rew(Γ, R); E′. A term e is immediately covered by R if there is a rule G ⊢ l −→ r in R and a substitution γ such that lγ = e. By obvious extension we can also write that a goal or a normalized canonical instance is immediately covered by R. A goal is covered by R if all its normalized canonical instances are immediately covered by R.

Note that, formally, a normalized canonical instance is not a goal. The difference is that the conversion corresponding to the environment of an instance contains reductions defined by R, while the one of a goal does not.

Definition 4.3 (Complete definition). A rewrite definition Rew(Γ; R) is complete in the environment E, which is denoted by COMP_E(Γ; R), if and only if for all function symbols f : (x1:t1) ... (xn:tn) t ∈ Γ the goal E; Γ; x1:t1; ...; xn:tn ⊢ f(x1, ..., xn) is covered by R.

Example 4.4. The terms (S O), λx:nat.x and (Node O Leaf true O Leaf) are canonical, while (O + O) and (Node nA A b O Leaf) are not. Given the definition of rotr from Section 2, consider the following terms:

    t1 = rotr (S (nA + nC)) (Node nA A b nC C)
    t2 = rotr (S O) (Node O Leaf true O Leaf)

Both (with their respective environments) are goals for rotr, and t2 (with a slightly different environment) is also a normalized canonical instance of t1. The goal t1 is not immediately covered, but its instance t2 is, as it is head-reducible by the second rule defining rotr. Since other instances of t1 are also immediately covered, the goal is covered (see Example 5.20).

It follows that completeness of definitions by rewriting guarantees canonicity and logical consistency.

Definition 4.5. An environment E is closed if and only if it contains only inductive definitions and complete definitions by rewriting, i.e. for each partition of E into E1; Rew(Γ, R); E2 the condition COMP_E1(Γ, R) is satisfied.

Lemma 4.6 (Canonicity). Let E be a closed environment. If E ⊢ e : t and e is in normal form then e is canonical.

Proof. By induction on the size of e. If t↓ is not an inductive type then any e is canonical. Otherwise, let us analyze the structure of e. It cannot be a product, an abstraction or a sort because t↓ is an inductive type. Since E is closed, it is not a variable either. Hence e is of the form e′ e1 ... em (with m possibly equal to 0), where e′ is not an application.
The term e′ can be neither a product, nor a sort (they cannot be applied), nor a variable (E is closed). It is not an abstraction, since e is in normal form. The only possibility left is that e′ is a constant h of arity n ≤ m, and we get e = h(e1, ..., en) e_{n+1} ... em. Since t↓ is an inductive type, h cannot be an inductive type. If it is a constructor then n = m and by the induction hypothesis e1, ..., en are in canonical form and so is h(e1, ..., en). If h is a function symbol then E = E1; Rew(Γ, R); E2 for some E1, E2 and h : (x1:t1) ... (xn:tn) t̂ ∈ Γ of arity n ≤ m. Since E is closed, Rew(Γ, R) is complete. Let us show that E ⊢ h(e1, ..., en) is a normalized canonical instance of E1; Γ; Δ ⊢ h(x1, ..., xn), where Δ = x1:t1; ...; xn:tn. By the induction hypothesis, the terms e1, ..., en are canonical and consequently δ : Δ → E defined by δ(xi) = ei is canonical. Moreover, h(e1, ..., en) = h(x1δ↓, ..., xnδ↓) since e1, ..., en are in normal form. But every normalized canonical instance of a complete definition is reducible, which contradicts the assumption that e = h(e1, ..., en) e_{n+1} ... em is in normal form.

Theorem 4.7. Every closed environment is consistent.

Proof. Let E be a closed environment. Suppose that E ⊢ e : (x:⋆) x. Since E ⊢ ok and E ⊢ Ind(False : ⋆ :=) : correct, we have E′ ⊢ ok where E′ = E; Ind(False : ⋆ :=). Moreover E′ is a closed environment. Hence, we have E′ ⊢ e False : False. By Lemma 4.6, the normal form of e False is canonical. Since False has no constructors, this is impossible.

5. Checking Completeness

The objective of this section is to provide an algorithm for checking completeness of definitions by rewriting.
The algorithm presented in Subsection 5.2 checks that a goal is covered using successive splitting (Definition 5.3), i.e., replacement of variables of inductive types by constructor patterns. In order to know which constructor terms can replace a given variable, one has to compare types and hence an algorithm for unification modulo conversion is needed (Definition 5.2). Consider for example the first rule of the definition of rotr. It is clear that only Leaf can replace t in rotr O t because other trees have types that do not unify with tree O. Correctness of the completeness checking algorithm is proved in Lemma 5.19. It is done using an additional assumption on rewrite systems called preservation of reducibility, which is discussed in Subsection 5.1.

Definition 5.1 (Unification problem). A quadruple E, Δ ⊢ t ≐ s, where E is an environment, Δ a variable environment and s, t are terms, is a unification equation in E. A unification problem in E is a finite set of unification equations. Without loss of generality we may assume that the variable environments Δ in all equations are the same. A unifier or a solution of the unification problem U is a substitution γ : Δ → E; E′ such that E; E′ ⊢ tγ ≈ sγ for every E, Δ ⊢ t ≐ s in U. We say that E′ is the co-domain of γ, which is denoted by Ran(γ). A unifier γ is the most general unifier if Ran(γ) is a variable environment Δ′ and for every unifier δ : Δ → E; E′′ there exists a substitution δ′ : Δ′ → E; E′′ such that E; E′′ ⊢ δ ≈ γ; δ′.

Definition 5.2 (Correct unification algorithm). A unification algorithm is a procedure which for every unification problem U = {E, Δ ⊢ ti ≐ si} returns a substitution γ, a bottom ⊥, or a question mark ?.
The algorithm is correct if and only if: if it answers γ, it is the most general unifier γ : Δ → E; Δ′ such that Δ′ ⊆ Δ and for all x ∈ Δ′, γ(x) = x; if it answers ⊥, U has no unifier.

Since unification modulo conversion is undecidable, every correct unification algorithm must return ? in some cases, which may be seen as too difficult for the algorithm. An example of such a partial unification algorithm is constructor unification, that is first-order unification with constructors and type constructors as rigid symbols, answering ? whenever one compares a non-trivial pair of terms involving non-rigid symbols. From now on we assume the existence of a correct (partial) unification algorithm Alg.

Definition 5.3 (Splitting). Let E; Γ; Δ ⊢ f(e⃗) be a goal. A variable x is a splitting variable if x : t ∈ Δ and t↓ = I u⃗ for some inductive type I ∈ E. A splitting operation considers all constructors c of the inductive type I and for each of them constructs the following unification problem U_c:

    E; Γ, Δ; Δ_c ⊢ x ≐ c(z1, ..., zk)
    E; Γ, Δ; Δ_c ⊢ I u⃗ ≐ I w⃗

where c : (z1:Z1) ... (zk:Zk). I w⃗ and Δ_c = z1:Z1, ..., zk:Zk. If for all constructors c, Alg(U_c) ≠ ?, the splitting is successful. In that case, let Sp(x) = {σ_c | σ_c = Alg(U_c) ∧ Alg(U_c) ≠ ⊥}. The result of splitting is the set of goals {E; Γ; Ran(σ_c) ⊢ f(e⃗)σ_c}_{σ_c ∈ Sp(x)}. If Alg(U_c) = ? for some c, the splitting fails.

Example 5.4. If one splits the goal rotr n t along n, one gets two goals: rotr O t and rotr (S m) t. The first one is immediately covered by the first rule for rotr, and if we split the second one along t, the Leaf case is impossible, because tree O does not unify with tree (S m), and the Node case gives rotr (S (nA + nC)) (Node nA A b nC C).
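As an added illustration (not the authors' code and not the algorithm of Subsection 5.2), the following Python checks coverage of a goal by successive splitting in a deliberately simplified setting: first-order, left-linear rules over non-dependent inductive types, where the unification problems U_c of Definition 5.3 are trivial because constructor unification always succeeds, so only the syntactic matching of Section 2 is needed. It runs on the five rules for + from Section 2 and on a truncated copy of them, returning a witness goal none of whose canonical instances is covered; the choice of splitting variable (a position at which some left-hand side carries a constructor) is an assumption of this example, made so that the search terminates.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# A term is a variable name or an application (head, args); constructors and
# function symbols both appear as heads, types are plain names such as "nat".
Term = Union[str, Tuple[str, Tuple["Term", ...]]]
Path = Tuple[int, ...]
Signature = Dict[str, List[Tuple[str, List[str]]]]  # type -> [(constructor, arg types)]

@dataclass(frozen=True)
class Rule:
    lhs: Term
    rhs: Term

def app(head: str, *args: Term) -> Term:
    return (head, tuple(args))

def match(pat: Term, term: Term, subst: Dict[str, Term]) -> bool:
    """Syntactic matching modulo alpha-conversion (Section 2): pattern variables
    bind to subterms, heads must coincide exactly."""
    if isinstance(pat, str):
        if pat not in subst:
            subst[pat] = term
            return True
        return subst[pat] == term
    if isinstance(term, str) or pat[0] != term[0] or len(pat[1]) != len(term[1]):
        return False
    return all(match(p, t, subst) for p, t in zip(pat[1], term[1]))

def immediately_covered(goal: Term, rules: List[Rule]) -> bool:
    """Definition 4.2: some rule l -> r and substitution gamma with l gamma = goal."""
    return any(match(r.lhs, goal, {}) for r in rules)

def variable_positions(term: Term, path: Path = ()) -> List[Tuple[str, Path]]:
    if isinstance(term, str):
        return [(term, path)]
    return [vp for i, a in enumerate(term[1]) for vp in variable_positions(a, path + (i,))]

def subterm(term: Term, path: Path) -> Optional[Term]:
    """Subterm at path, or None if the path runs into a variable or past an arity."""
    for i in path:
        if isinstance(term, str) or i >= len(term[1]):
            return None
        term = term[1][i]
    return term

def replace_var(term: Term, x: str, by: Term) -> Term:
    if isinstance(term, str):
        return by if term == x else term
    return (term[0], tuple(replace_var(a, x, by) for a in term[1]))

def check_coverage(goal: Term, env: Dict[str, str], rules: List[Rule],
                   sig: Signature, counter: Optional[List[int]] = None) -> Optional[Term]:
    """None if the goal is covered (Definition 4.2); otherwise a goal none of whose
    canonical instances is immediately covered, i.e. a witness of incompleteness."""
    counter = counter if counter is not None else [0]
    constructors = {c for cs in sig.values() for c, _ in cs}
    if immediately_covered(goal, rules):
        return None
    # Split only a variable sitting where some left-hand side carries a constructor:
    # only such a split can turn a rule into a match, and because the depth of the
    # rules is bounded the recursion terminates.
    for x, path in variable_positions(goal):
        if any(isinstance(s, tuple) and s[0] in constructors
               for s in (subterm(r.lhs, path) for r in rules)):
            break
    else:
        # Every rule is variable at (or above) each variable position of the goal, so
        # by left-linearity a rule matching some instance would match the goal itself.
        return goal
    for c, arg_types in sig[env[x]]:  # Definition 5.3: one new goal per constructor
        fresh, branch_env = [], dict(env)
        for ty in arg_types:
            counter[0] += 1
            z = f"{x}{counter[0]}"  # fresh variable name (constructed)
            branch_env[z] = ty
            fresh.append(z)
        witness = check_coverage(replace_var(goal, x, app(c, *fresh)),
                                 branch_env, rules, sig, counter)
        if witness is not None:
            return witness
    return None

NAT: Signature = {"nat": [("O", []), ("S", ["nat"])]}
# The five rules for + from Section 2 in prefix form (O + y -> y, x + O -> x, ...).
PLUS = [
    Rule(app("+", app("O"), "y"), "y"),
    Rule(app("+", "x", app("O")), "x"),
    Rule(app("+", app("S", "x"), "y"), app("S", app("+", "x", "y"))),
    Rule(app("+", "x", app("S", "y")), app("S", app("+", "x", "y"))),
    Rule(app("+", "x", app("+", "y", "z")), app("+", app("+", "x", "y"), "z")),
]

def plus_witness(rules: List[Rule]) -> Optional[Term]:
    """Definition 4.3: + is complete iff the goal x + y with x, y : nat is covered."""
    return check_coverage(app("+", "x", "y"), {"x": "nat", "y": "nat"}, rules, NAT)

if __name__ == "__main__":
    print(plus_witness(PLUS))      # None: the five rules together are complete
    print(plus_witness(PLUS[:2]))  # the two O rules alone leave (S x1) + (S y2) uncovered
```

The witness returned for the truncated definition is exactly the goal at which no further split can help, so every canonical instance of it (every pair of successors) is irreducible by the two remaining rules.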
The following lemma states the correctness of splitting, i.e. that splitting does not decrease the set of normalized canonical instances. Note that the lemma would also hold if we had a unification algorithm returning an arbitrary set of most general solutions, but in order for the coverage checking algorithm to terminate the set of goals resulting from splitting must be finite.

Lemma 5.5. Let E; Γ; Δ ⊢ f(e⃗) be a coverage goal and let {E; Γ; Ran(σ_c) ⊢ f(e⃗)σ_c}_{σ_c ∈ Sp(x)} be the result of successful splitting along x : I u⃗ ∈ Δ. Then every normalized canonical instance of E; Γ; Δ ⊢ f(e⃗) is a normalized canonical instance of E; Γ; Ran(σ_c) ⊢ f(e⃗)σ_c for some σ_c ∈ Sp(x).

Proof. Let E; Rew(Γ, R); E′ ⊢ f(e1δ↓, ..., enδ↓) be a normalized canonical instance according to a substitution δ : Δ → E; Rew(Γ, R); E′. Since δ is canonical, xδ is a constructor term c(s1, ..., sk) for some constructor c : (z1:Z1) ... (zk:Zk). I w⃗ of I. Let us show that E; Rew(Γ, R); E′ ⊢ f(e1δ↓, ..., enδ↓) is a normalized canonical instance of E; Γ; Ran(σ_c) ⊢ f(e1σ_c, ..., enσ_c). Let Δ_c = z1:Z1, ..., zk:Zk. First note that δ ∪ [s⃗/z⃗] : Δ; Δ_c → E; Rew(Γ, R); E′ is a solution of the unification problem E; Γ, Δ; Δ_c ⊢ x ≐ c(z1, ..., zk) and E; Γ, Δ; Δ_c ⊢ I u⃗ ≐ I w⃗ from the definition of splitting. Indeed, xδ = c(s1, ..., sk) = c(z1, ..., zk)[s⃗/z⃗] and E; Rew(Γ, R); E′ ⊢ (I u⃗)δ ≈ (I w⃗)[s⃗/z⃗] since they are both types of c(s1, ..., sk) in E; Rew(Γ, R); E′. By definition of σ_c, which is the most general unifier computed by a correct unification algorithm, E; Γ; Ran(σ_c) ⊢ δ ∪ [s⃗/z⃗] ≈ σ_c; δ′ for some δ′ : Ran(σ_c) → E; Rew(Γ, R); E′, where Ran(σ_c) ⊆ Δ; Δ_c.
Consequently, $E;\Gamma;Ran(\sigma_c) \vdash \delta'(z_m) \approx s_m$ for $z_m \in \Delta_c$ and $E;\Gamma;Ran(\sigma_c) \vdash \delta'(y) \approx \delta(y)$ for $y \in \Delta$. Since $\vec s$ are canonical terms, $\delta'{\downarrow}$ is a canonical substitution. Let us look closely at $E;Rew(\Gamma,R);E' \vdash f((e_1\sigma_c)(\delta'{\downarrow}){\downarrow},\ldots,(e_n\sigma_c)(\delta'{\downarrow}){\downarrow})$, which is a normalized $\delta'{\downarrow}$-instance of $E;\Gamma;Ran(\sigma_c) \vdash f(e_1\sigma_c,\ldots,e_n\sigma_c)$. Since $E;\Gamma;Ran(\sigma_c) \vdash \delta \cup [\vec s/\vec z] \approx \sigma_c;\delta'$, we have $(e_m\sigma_c)(\delta'{\downarrow}){\downarrow} = (e_m\sigma_c\delta'){\downarrow} = (e_m\delta){\downarrow}$ for every $m$. Consequently, $E;Rew(\Gamma,R);E' \vdash f(e_1\delta{\downarrow},\ldots,e_n\delta{\downarrow})$ is a normalized canonical instance of $E;\Gamma;Ran(\sigma_c) \vdash f(e_1\sigma_c,\ldots,e_n\sigma_c)$.

5.1. Preservation of Reducibility. Although one would expect that an immediately covered goal is also covered, this is not always true, even for confluent systems. It turns out that we need a property of critical pairs that is stronger than just joinability. Let us suppose that or : bool → bool → bool is defined by four rules by cases over true and false and that if : bool → bool → bool → bool is defined by two rules by cases on the first argument.

Inductive I : bool → Set := C : forall b:bool, I (or b b).
Symbol f : forall b:bool, I b → bool
Rules f (or b b) (C b) → if b (f true (C true)) (f false (C false))

In the example presented above all expressions used in types and rules are in normal form, all critical pairs are joinable, the system is terminating, and splitting of f b i along i results in the only reducible goal f (or b b) (C b). In spite of that, f is not completely defined, as f true (C true) is a normalized canonical instance of f (or b b) (C b) and it is not reducible. In order to know that an immediately covered goal is always covered we need one more condition on rewrite rules, called preservation of reducibility.
Definition 5.6. A definition by rewriting $Rew(\Gamma,R)$ preserves reducibility in an environment $E$ if for every critical pair $\langle f(\vec u), r\delta\rangle$ of a rule $G_1 \vdash f(\vec e) \to r$ in $R$ with a rule $G_2 \vdash g \to d$ coming from $R$ or from some other rewrite definition in $E$, the term $f(\vec u{\downarrow})$ is head-reducible by $R$.

Note that by using $?$ variables in rewrite rules one can get rid of (some) critical pairs and hence make a definition by rewriting satisfy this property. In the example above one could write f ? (C b) as the left-hand side. This would also make the system non-terminating, and show that f is not really well-defined. Of course all orthogonal rewrite systems, in particular inductive elimination schemes as defined in [24], preserve reducibility.

Lemma 5.7. Let $E \vdash e : t$ and $e = f(e_1,\ldots,e_n)$, where $f$ of arity $n$ comes from $Rew(\Gamma,R)$ which preserves reducibility. If $e$ is head-reducible by $R$ then $f(e_1{\downarrow},\ldots,e_n{\downarrow})$ is also head-reducible by $R$.

Proof. By induction on $\to$. If $e_1,\ldots,e_n$ are in normal form then the conclusion is obvious. Otherwise, let $G_1 \vdash f(\vec l) \to r$ be a rule from $R$ and $\gamma$ a substitution such that $f(\vec e) = f(\vec l)\gamma$, and let us make one reduction step $e_i \to e'_i$ using the rule $G_2 \vdash g \to d$. There are two possibilities: the reduction in $e_i$ happens either in the substitution $\gamma$, i.e. in the term $\gamma(x)$ where $x$ is a free variable of $f(\vec l)$, or it happens at a position $p$ that belongs to $f(\vec l)$. In the former case, let us do the identical reduction in all other instances of $x$. Obviously, we get a term $f(e'_1,\ldots,e'_n)$ that is smaller than $e$ in $\to$ and is still an instance of $f(\vec l)$. Hence by the induction hypothesis we get the desired conclusion. Otherwise, $f(\vec l)$ and $g$ superpose at some non-variable position and we have $f(\vec l)|_p\gamma = g\xi$ for some position $p$ and substitution $\xi$.
Since we may suppose that the free variables of $f(\vec l)$ and $g$ are different, we get $f(\vec l)|_p(\gamma \cup \xi) = g(\gamma \cup \xi)$. Let $\delta$ be the most general unifier of $f(\vec l)|_p$ and $g$ and let $\langle f(\vec u), r\delta\rangle$ be the corresponding critical pair. Since $\delta$ is the most general unifier, there exists $\sigma$ such that $(\gamma \cup \xi) = \delta;\sigma$ and $f(\vec e) = f(\vec l)\gamma = f(\vec l)(\gamma \cup \xi) = f(\vec l)\delta\sigma$ with $f(\vec l)\delta\sigma \to_R f(\vec u)\sigma = f(e_1,\ldots,e'_i,\ldots,e_n)$. By preservation of reducibility $f(\vec u{\downarrow})$ is head-reducible by $R$. Hence $f(\vec u{\downarrow})\sigma$ is also head-reducible by $R$. As above we can apply the induction hypothesis and deduce that $f(\vec e{\downarrow})$ is head-reducible by $R$.

Lemma 5.8. Let $Rew(\Gamma,R)$ preserve reducibility in an environment $E$, let $f \in \Gamma$ and let $E;\Gamma;\Delta \vdash f(\vec e)$ be a goal. If it is immediately covered then it is covered.

Proof. Let $E;\Gamma;\Delta \vdash f(\vec e)$ be a goal immediately covered by $R$ and $\delta : \Delta \to E;Rew(\Gamma,R);E'$ be a canonical substitution. Obviously, $E;Rew(\Gamma,R);E' \vdash f(\vec e\delta)$ is immediately covered by $R$. Hence, by Lemma 5.7, $E;Rew(\Gamma,R);E' \vdash f(\vec e\delta{\downarrow})$ is also immediately covered by $R$, i.e. $E;\Gamma;\Delta \vdash f(\vec e)$ is covered.

Figure 2: Splitting matching rules, parametrized by $\Delta_1$, $\Delta_2$

$$\frac{t_1 <_{p\cdot 1} t_1' \Rightarrow S_1 \qquad t_2 <_{p\cdot 2} t_2' \Rightarrow S_2}{(x : t_1)t_2 <_p (x : t_1')t_2' \Rightarrow S_1 \cup S_2}$$

$$\frac{t_1 <_{p\cdot 1} t_1' \Rightarrow S_1 \qquad t_2 <_{p\cdot 2} t_2' \Rightarrow S_2}{\lambda x : t_1.t_2 <_p \lambda x : t_1'.t_2' \Rightarrow S_1 \cup S_2}$$

$$\frac{t_1 <_{p\cdot 1} t_1' \Rightarrow S_1 \qquad t_2 <_{p\cdot 2} t_2' \Rightarrow S_2}{t_1\,t_2 <_p t_1'\,t_2' \Rightarrow S_1 \cup S_2}$$

$$\frac{t_1 <_{p\cdot 1} t_1' \Rightarrow S_1 \quad \cdots \quad t_n <_{p\cdot n} t_n' \Rightarrow S_n}{h(t_1,\ldots,t_n) <_p h(t_1',\ldots,t_n') \Rightarrow S_1 \cup \cdots \cup S_n} \quad h \text{ is a constant}$$

$$\frac{t_1, t_2 \notin Var \qquad head(t_1) \neq head(t_2)}{t_1 <_p t_2 \Rightarrow \{\bot\}}$$

$$\frac{t_1 \in \Delta_1 \qquad t_2 \notin (Var \setminus \Delta_2)}{t_1 <_p t_2 \Rightarrow \{p\}}$$

$$\frac{(t_1 \in (Var \setminus \Delta_1) \wedge t_1 = t_2) \vee (t_1 \notin Var \wedge t_2 \in \Delta_2)}{t_1 <_p t_2 \Rightarrow \emptyset}$$

$$\frac{(t_1 \in (Var \setminus \Delta_1) \wedge t_1 \neq t_2) \vee (t_2 \in (Var \setminus \Delta_2) \wedge t_1 \neq t_2)}{t_1 <_p t_2 \Rightarrow \{\bot\}}$$

5.2. Coverage Checking Algorithm. In this section we present an algorithm checking whether a set of goals is covered by the given set of rewrite rules. The algorithm is correct only for definitions that preserve reducibility. The algorithm, in a loop, picks a goal, checks whether it is immediately covered, and if not, splits the goal, replacing it by the subgoals resulting from splitting. In order to ensure termination, splitting is limited to safe splitting variables. Intuitively, a splitting variable is safe if it lies within the contour of the left-hand side of some rule when we superpose the tree representation of the left-hand side with the tree representation of the goal. The number of nodes that have to be added to the goal in order to fill the tree of the left-hand side is called a distance, and the sum of distances over all rules is called a measure. Since the measures of goals resulting from splitting are smaller than the measure of the original goal, the coverage checking algorithm terminates.

This subsection is organized as follows. We start by defining the splitting matching algorithm, which is used to define safe splitting variables. Next, we provide the definitions and lemmas needed to prove termination of the coverage checking algorithm, and then we give the algorithm itself and the proof of its correctness.
We conclude this subsection with some positive and negative examples leading to an extension of the algorithm allowing us to accept definitions by case analysis even if the unification algorithm is not strong enough.

Let us start with the splitting matching algorithm, which finds variables in $t_1$ that lie within the contour of $t_2$.

Definition 5.9 (Splitting matching). The splitting matching algorithm is defined in Figure 2. Given two sequents $\Delta_1 \vdash t_1$ and $\Delta_2 \vdash t_2$, it returns the unique set $S$ such that $t_1 <_\Lambda t_2 \Rightarrow S$ is derivable. The set $S$ is a subset of $\{\bot\} \cup \{p \in Pos(t_1) \mid t_1|_p \in \Delta_1\}$.

Definition 5.10 (Safe splitting variable). Let $\Delta_1 \vdash t_1$ and $\Delta_2 \vdash t_2$ be sequents such that $t_2$ is a left-hand side of a rule from $R$ and let $S$ be a set such that $t_1 <_\Lambda t_2 \Rightarrow S$ and $\bot \notin S$. A variable $x \in \Delta_1$ is a safe splitting variable for $\Delta_1 \vdash t_1$ along $\Delta_2 \vdash t_2$ if it is a splitting variable and there exists $p \in S$ such that $t_1|_p = x$ and either $t_2|_p$ is a variable declared in $\Delta_2$ or $t_2|_p = c(\vec e)$ for some constructor $c$ and some terms $\vec e$.

The set of safe splitting variables for the sequent $\Delta_1 \vdash t_1$ along $\Delta_2 \vdash t_2$ is denoted by $SV(\Delta_1 \vdash t_1, \Delta_2 \vdash t_2)$, or $SV(t_1,t_2)$ for short. $SV(t,R)$ is the set of safe splitting variables for $t$ along the left-hand sides of rules from $R$.

Example 5.11. In the goal rotr (S (S nC)) (Node O Leaf b (S nC) C) there are two safe splitting variables, b and C, along the left-hand sides of the rules defining rotr.

Definition 5.12 (Distance). Let $\Delta_1 \vdash t_1$ and $\Delta_2 \vdash t_2$ be sequents and $S$ be a set such that $t_1 <_\Lambda t_2 \Rightarrow S$. If $\bot \notin S$ then the distance of $\Delta_1 \vdash t_1$ from $\Delta_2 \vdash t_2$, denoted by $dist(\Delta_1 \vdash t_1, \Delta_2 \vdash t_2)$ or $dist(t_1,t_2)$, equals $\sum_{p \in S} |t_2|_p|$; otherwise it is equal to $0$.
The following two lemmas state that the distance of a term decreases when we apply a substitution, and that it decreases strictly if the substitution results from splitting.

Lemma 5.13 (Distance of a substituted sequent). Let $\Delta_1 \vdash t_1$ and $\Delta_2 \vdash t_2$ be sequents and let $S$ be a set such that $t_1 <_\Lambda t_2 \Rightarrow S$. Then for every substitution $\gamma : \Delta_1 \to \Delta'$ we have $dist(\Delta' \vdash t_1\gamma, \Delta_2 \vdash t_2) \le dist(\Delta_1 \vdash t_1, \Delta_2 \vdash t_2)$. Moreover, if $\bot \in S$ then $dist(\Delta' \vdash t_1\gamma, \Delta_2 \vdash t_2) = dist(\Delta_1 \vdash t_1, \Delta_2 \vdash t_2) = 0$.

Proof. Let $S_\gamma$ be a set such that $t_1\gamma <_\Lambda t_2 \Rightarrow S_\gamma$, and let us denote $dist(\Delta_1 \vdash t_1, \Delta_2 \vdash t_2)$ by $d$ and $dist(\Delta' \vdash t_1\gamma, \Delta_2 \vdash t_2)$ by $d_\gamma$.

If $\bot \in S$ then $d = 0$. Note that $\bot \in S$ if and only if there is a position $p$ such that the subterms occurring at $p$ in $t_1$ and $t_2$ either have different head symbols, or $t_2|_p$ (resp. $t_1|_p$) is a bound variable in $t_2$ (resp. $t_1$) and $t_1|_p \neq t_2|_p$. Of course, if we compare $t_1\gamma|_p$ and $t_2|_p$ then either they still have different head symbols or $t_2|_p$ (resp. $t_1|_p$) is a bound variable and $t_1\gamma|_p \neq t_2|_p$. Hence $d_\gamma = 0$.

If $\bot \notin S$ then $d = \sum_{p \in S}|t_2|_p| \ge 0$. If $\bot \in S_\gamma$ then obviously $0 = d_\gamma \le d$. Otherwise, let us take $p \in S$ and the set $Q_p = \{q \in S_\gamma \mid p \preceq q\}$, where $\preceq$ is the prefix ordering. Since all positions from $Q_p$ are independent (as $t_1\gamma|_q \in Var$ for every $q \in S_\gamma$) we have $\sum_{q \in Q_p}|t_2|_q| \le |t_2|_p|$, and equality holds only if $Q_p = \{p\}$. Let us show that $\forall q \in S_\gamma\ \exists p \in S.\ p \preceq q$. Indeed, assuming that $\bot \notin S_\gamma$, $q \in S_\gamma$ either because $q \in S$ and $(t_1|_q)\gamma \in \Delta'$, or because there is a position $p \in S$ such that $q = p \cdot q'$ for some $q'$ and $(t_1|_p\gamma)|_{q'} \in \Delta'$. Of course, since positions in $S$ are independent, the sets $Q_p$ are disjoint for different $p$. Hence $S_\gamma = \bigcup_{p \in S} Q_p$ and $d_\gamma = \sum_{q \in S_\gamma}|t_2|_q| = \sum_{p \in S}\sum_{q \in Q_p}|t_2|_q| \le \sum_{p \in S}|t_2|_p| = d$.
Lemma 5.14 (Distance after splitting strictly decreases). Let $E;\Gamma;\Delta \vdash f(e_1,\ldots,e_n)$ be a goal, $t = f(e_1,\ldots,e_n)$, let $G \vdash l \to r$ be one of the rewrite rules for $f$ in $R$ and let $S$ be a set such that $t <_\Lambda l \Rightarrow S$ and $\bot \notin S$. If $x : I\,\vec u \in SV(t,l)$ is a safe splitting variable and splitting $t$ along $x$ is successful, then $dist(Ran(\sigma_c) \vdash t\sigma_c, G \vdash l) < dist(\Delta \vdash t, G \vdash l)$ for every $\sigma_c \in Sp(x)$.

Proof. Let $\sigma_c \in Sp(x)$ and let $S_c$ be a set such that $t\sigma_c <_\Lambda l \Rightarrow S_c$. By Lemma 5.13 we have $dist(t\sigma_c,l) \le dist(t,l)$. Let us analyze the proof of that lemma and show that in the case of a substitution resulting from splitting there is a strict inequality between $dist(t\sigma_c,l)$ and $dist(t,l)$. In that proof it was noticed that for every $p \in S$, $\sum_{q \in Q_p}|l|_q| \le |l|_p|$, where $Q_p = \{q \in S_c \mid p \preceq q\}$, and that $\sum_{q \in Q_p}|l|_q| = |l|_p|$ only if $Q_p = \{p\}$. Consequently, if we show that there exists a position $p \in S$ such that $p \notin Q_p$, we immediately get $dist(t\sigma_c,l) < dist(t,l)$.

Since $x : I\,\vec u$ is a safe splitting variable for $t$ along $l$, there exists a position $p \in S$ such that $t|_p = x$ and either $l|_p \in G$ or $l|_p = c'(\vec a)$ for some constructor $c'$. Since $\sigma_c$ results from successful splitting, $x\sigma_c = c(\vec b)$ for some $\vec b$. Now there are three cases. If $l|_p \in G$ then the derivation of $t\sigma_c <_\Lambda l \Rightarrow S_c$ yields $\emptyset$ at $p$ (a non-variable $c(\vec b)$ against a variable of $G$), so $Q_p = \emptyset$ and hence $p \notin Q_p$. Otherwise, if $c' \neq c$ then we fall into the easy case where $\bot \in S_c$ and $dist(t\sigma_c,l) = 0 < |c'(\vec a)| \le dist(t,l)$. Finally, if $c' = c$, the computation of $S_c$ passes through the step $c(\vec b) <_p c(\vec a) \Rightarrow \ldots$. This means that all positions in $Q_p$ come from $\vec b$ and are longer than $p$, or that $Q_p = \emptyset$. Thus $p \notin Q_p$ and $dist(t\sigma_c,l) < dist(t,l)$.

Definition 5.15 (Measure of a goal). Let $E;\Gamma;\Delta \vdash f(e_1,\ldots,e_n)$ be a goal and let $R_f = \{G_i \vdash l_i \to r_i\}_{i=1\ldots m}$ be the set of rules for $f$. The measure of $E;\Gamma;\Delta \vdash f(e_1,\ldots,e_n)$ equals $\sum_{i=1\ldots m} dist(\Delta \vdash f(e_1,\ldots,e_n), G_i \vdash l_i)$.

It follows directly from Lemmas 5.13 and 5.14 that the measure of a goal strictly decreases after applying a substitution resulting from splitting.

Lemma 5.16 (Measure after splitting strictly decreases). Let $E;\Gamma;\Delta \vdash f(e_1,\ldots,e_n)$ be a goal, $t = f(e_1,\ldots,e_n)$, $R_f = \{G_i \vdash l_i \to r_i\}_{i=1\ldots m}$ be the set of rules for $f$ and $S$ be a set such that $t <_\Lambda l_j \Rightarrow S$ for some $j \in \{1,\ldots,m\}$ and $\bot \notin S$. If $x : I\,\vec u \in SV(t,R)$ is a safe splitting variable and $\{\phi_1,\ldots,\phi_n\}$ is the result of successful splitting of $t$ along $x$, then the measure of every $\phi_i$ is strictly smaller than the measure of $t$.

Proof. For every $\sigma_c \in Sp(x)$ we have to show that $\sum_{i=1..m} dist(t\sigma_c,l_i) < \sum_{i=1..m} dist(t,l_i)$. This follows from $dist(t\sigma_c,l_j) < dist(t,l_j)$, which is a consequence of Lemma 5.14, and from $dist(t\sigma_c,l_i) \le dist(t,l_i)$ for all $i = 1\ldots m$, $i \neq j$, which follows from Lemma 5.13.

Definition 5.17 (Coverage checking algorithm). Let $W$ be a set of pairs consisting of a goal and a set of safe variables of that goal along the left-hand sides of rules from $R$, and let $CE$ be a set of goals. The coverage checking algorithm works as follows:

Initialize
    $W = \{(E;\Gamma;x_1 : t_1;\ldots;x_n : t_n \vdash f(x_1,\ldots,x_n),\ SV(f(x_1,\ldots,x_n),R))\}$
    $CE = \emptyset$
Repeat
    (1) choose a pair $(\phi,X)$ from $W$,
    (2) if $\phi$ is immediately covered by one of the rules from $R$ then $W := W \setminus \{(\phi,X)\}$
    (3) otherwise
        (a) if $X = \emptyset$ then $W := W \setminus \{(\phi,X)\}$, $CE := CE \cup \{\phi\}$
        (b) otherwise choose $x \in X$; split $\phi$ along $x$
            (i) if splitting is successful and returns $\{\phi_1,\ldots,\phi_n\}$ then $W := W \setminus \{(\phi,X)\} \cup \{(\phi_i, SV(\phi_i,R))\}_{i=1\ldots n}$,
            (ii) otherwise $W := W \setminus \{(\phi,X)\} \cup \{(\phi, X \setminus \{x\})\}$
until $W = \emptyset$

Lemma 5.18. The coverage checking algorithm terminates.

Proof. Let us consider the following measure $M(W)$: the multiset of lexicographically ordered pairs consisting of the measure of $\phi$ and the size of $X$, for all $(\phi,X) \in W$. We will show that every iteration of the loop strictly decreases $M(W)$. Consider $(\phi,X) \in W$. If $\phi$ is immediately covered then obviously the measure of $W \setminus \{(\phi,X)\}$ is strictly smaller than the measure of $W$. Otherwise, we split $\phi$ along some $x \in X$. If splitting fails then $(\phi,X)$ is replaced by $(\phi, X \setminus \{x\})$ and the size of the second component strictly decreases. If splitting is successful and returns $\{\phi_1,\ldots,\phi_n\}$ then $(\phi,X)$ is replaced by $\{(\phi_i, SV(\phi_i,R))\}_{i=1\ldots n}$. By Lemma 5.16 the measures of the goals from $\{\phi_1,\ldots,\phi_n\}$ are strictly smaller than the measure of $\phi$, and consequently $M(W)$ strictly decreases.

Lemma 5.19. If $Rew(\Gamma,R)$ preserves reducibility and the algorithm stops with $CE = \emptyset$, then the initial goal is covered.

Proof. Let us consider a successful run of the algorithm, performing the body of the Repeat loop a finite number of times and resulting in $CE = \emptyset$. By induction on $n$, the number of Repeat steps until the end of the algorithm, we prove that the goals appearing in $W$ are covered. The base case, for $n = 0$, is trivial since $W_0$ is empty. Now suppose that $n$ steps before the end of the algorithm all goals in $W_n$ are covered, and let us check that this was true $n+1$ steps before the end, i.e. one step of the algorithm earlier. In case 2, $W_{n+1}$ contains all goals from $W_n$ and one goal $\phi$ which is immediately covered by a rule in $R$.
By preservation of reducibility (Lemma 5.8) every normalized canonical instance of $\phi$ is also immediately covered, and consequently all goals of $W_{n+1}$ are covered. Case 3(a) is impossible since it makes the set $CE$ non-empty. In case 3(b)(i), $W_{n+1}$ contains some of the goals from $W_n$ and one goal $\phi$ whose subgoals resulting from successful splitting are already in $W_n$. By Lemma 5.5 the set of normalized canonical instances of these subgoals contains the set of normalized canonical instances of $\phi$. Hence $W_{n+1}$ is covered. In case 3(b)(ii) the sets of goals in $W_{n+1}$ and $W_n$ are equal. Hence the initial goal in $W$ is also covered.

Example 5.20. The beginning of a possible run of the algorithm for the function rotr is presented already in Example 5.4. Both splitting operations are performed on safe variables, as required. We are left with the goal rotr (S (nA + nC)) (Node nA A b nC C). Splitting along A results in:

rotr (S (O + nC)) (Node O Leaf b nC C)
rotr (S ((S (nX + nZ)) + nC)) (Node (S (nX + nZ)) (Node nX X y nZ Z) b nC C)

immediately covered by the second and the third rule respectively. Since we started with the initial goal rotr n t and since the definition of rotr preserves reducibility, it is complete.

When the coverage checking algorithm stops with $CE \neq \emptyset$, we cannot deduce that $R$ is complete. The set $CE$ contains potential counterexamples. They can be true counterexamples, false counterexamples, or goals for which splitting failed along all safe variables due to incompleteness of the unification algorithm. In some cases further splitting of a false counterexample may result in reducible goals or in the elimination of the goal as uninhabited, but it may also loop. Some solutions preventing looping (finitary splitting) can be found in [18].
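The following is an added worked example and not code from the paper: a Python model of the coverage checking loop of Definition 5.17, specialized to simple (non-dependent) inductive types, together with splitting matching (Figure 2), safe splitting variables (Definition 5.10), the distance and the measure (Definitions 5.12 and 5.15) and splitting (Definition 5.3). Because the types carry no indices, constructor unification never answers ?, so case 3(b)(ii) of the algorithm never arises; a left-hand side is matched against a goal syntactically (modulo α), as in the paper, with the goal's variables treated as rigid. The rule sets are the left-hand sides of or', lt and diff from Section 6.3; pred, with its single rule pred (S x), is a constructed incomplete definition used to show a goal ending up in CE. All names (SIG, check_coverage and so on) are this example's own.

```python
from itertools import count

# Constructors of the simple inductive types used by the examples (assumption of this model:
# no dependent indices, so constructor unification never answers "?").
SIG = {
    'nat': {'O': [], 'S': ['nat']},
    'bool': {'true': [], 'false': []},
}

# Terms: a variable is a string, an application f(t1,...,tn) is the tuple (f, t1, ..., tn).
def is_var(t):
    return isinstance(t, str)

def size(t):
    return 1 if is_var(t) else 1 + sum(size(a) for a in t[1:])

def subterm(t, pos):
    for i in pos:
        t = t[i + 1]
    return t

def substitute(t, x, r):
    if is_var(t):
        return r if t == x else t
    return (t[0],) + tuple(substitute(a, x, r) for a in t[1:])

def matches(pat, term, subst):
    """Syntactic (modulo alpha) matching of a rule lhs against a goal; goal variables are rigid.
    Non-linear patterns such as or' x x are allowed: a repeated variable must map to equal terms."""
    if is_var(pat):
        return subst.setdefault(pat, term) == term
    if is_var(term) or pat[0] != term[0] or len(pat) != len(term):
        return False
    return all(matches(p, t, subst) for p, t in zip(pat[1:], term[1:]))

def splitting_match(goal, lhs, pos=()):
    """Figure 2 for first-order terms: positions of goal variables inside the contour of lhs,
    or None when the rules derive {bot} (clashing head symbols)."""
    if is_var(goal):
        return {pos}            # goal variable: lies within the contour of the lhs
    if is_var(lhs):
        return set()            # rule variable: nothing to add here
    if goal[0] != lhs[0]:
        return None             # head clash: bot
    found = set()
    for i, (g, l) in enumerate(zip(goal[1:], lhs[1:])):
        sub = splitting_match(g, l, pos + (i,))
        if sub is None:
            return None
        found |= sub
    return found

def dist(goal, lhs):
    """Definition 5.12: nodes to add to the goal to fill the tree of lhs (0 on a clash)."""
    s = splitting_match(goal, lhs)
    return 0 if s is None else sum(size(subterm(lhs, p)) for p in s)

def measure(goal, rules):
    """Definition 5.15: sum of the distances to every rule of the function."""
    return sum(dist(goal, lhs) for lhs in rules)

def safe_vars(goal, rules):
    """Definition 5.10: goal variables lying within the contour of some left-hand side."""
    safe = set()
    for lhs in rules:
        s = splitting_match(goal, lhs)
        if s is not None:
            safe |= {subterm(goal, p) for p in s}
    return safe

def split_goal(goal, env, x, fresh):
    """Definition 5.3 without unification: one subgoal per constructor of the type of x."""
    out = []
    for c, arg_types in SIG[env[x]].items():
        zs = [f'z{next(fresh)}' for _ in arg_types]
        env_c = {v: ty for v, ty in env.items() if v != x}
        env_c.update(zip(zs, arg_types))
        out.append((substitute(goal, x, (c,) + tuple(zs)), env_c))
    return out

def check_coverage(f, arg_types, rules):
    """Definition 5.17: returns the list CE of potential counterexamples ([] means covered)."""
    fresh = count()
    env = {f'x{next(fresh)}': ty for ty in arg_types}
    work = [((f,) + tuple(env), env)]
    ce = []
    while work:
        goal, genv = work.pop()
        if any(matches(lhs, goal, {}) for lhs in rules):
            continue            # step (2): immediately covered
        candidates = safe_vars(goal, rules)
        if not candidates:
            ce.append(goal)     # step (3a): no safe splitting variable left
            continue
        subgoals = split_goal(goal, genv, min(candidates), fresh)
        # Lemma 5.16: every subgoal has a strictly smaller measure, which is why the loop ends.
        assert all(measure(g, rules) < measure(goal, rules) for g, _ in subgoals)
        work.extend(subgoals)
    return ce

# Left-hand sides of the rules from Section 6.3, plus a constructed incomplete definition.
OR_RULES = [("or'", 'x', 'x'), ("or'", ('true',), 'y'), ("or'", 'x', ('true',))]
LT_RULES = [('lt', ('O',), 'y'), ('lt', 'x', ('O',)), ('lt', ('S', 'x'), ('S', 'y'))]
DIFF_RULES = [('diff', 'x', 'x'), ('diff', ('O',), ('S', 'y')),
              ('diff', ('S', 'x'), ('O',)), ('diff', ('S', 'x'), ('S', 'y'))]
PRED_RULES = [('pred', ('S', 'x'))]   # pred O is not covered by any rule

if __name__ == '__main__':
    for name, tys, rules in [("or'", ['bool', 'bool'], OR_RULES), ('lt', ['nat', 'nat'], LT_RULES),
                             ('diff', ['nat', 'nat'], DIFF_RULES), ('pred', ['nat'], PRED_RULES)]:
        print(name, 'CE =', check_coverage(name, tys, rules))
```

Running the script prints CE = [] for or', lt and diff and CE = [('pred', ('O',))] for pred. The assertion inside check_coverage is the content of Lemma 5.16: the measure of every subgoal produced by splitting is strictly smaller than that of its parent, which is what makes the loop terminate even though the candidate variables are chosen arbitrarily.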
Unfortunately, splitting failure due to incompleteness of the unification may happen while checking coverage of a definition by case analysis over complex dependent inductive types (for example trees of size 2), even if rules for all constructors are given. Therefore, it is advisable to add a second phase to our algorithm, which would treat the undefined output of unification as success. Using this second phase of the algorithm, one can accept all definitions by case analysis that can be written in Coq.

Example 5.21. Let g be a function defined by case analysis and let g' be its version defined by rewriting (without the impossible Leaf case):

Definition g (t : tree (S (S O))) : bool :=
  match t with
    Leaf ⇒ false
  | Node _ Leaf _ _ _ ⇒ true
  | Node _ (Node _ _ _ _ _) _ _ _ ⇒ false
  end.

Symbol g' : tree (S (S O)) → bool
Rules g' (Node ?1 Leaf b ?2 t') → true
      g' (Node ?1 (Node ?2 t b ?3 t') b' ?4 t'') → false

Our algorithm starts with the goal g' x, splits it along x, easily detects that the Leaf case is not possible, but is stuck on Node n t b m t', because this requires deciding that S (n+m) is unifiable with S (S O), which may be too hard for a unification algorithm (see footnote 2). In that case the initial goal g' x becomes a potential counterexample.

Accepting all definitions by case analysis. The second phase of our algorithm would start only for the goals with safe splitting variables, i.e. where regular splitting failed because the unification was too weak. In this phase the splitting would become lax by treating the ? unification result as successful and returning simple substitutions $\sigma_c = \{x \mapsto c(\vec z)\}$ for such cases (see Definition 5.3). As a result the goals would not be well-typed sequents anymore, which has to be taken into account by the unification algorithm.
On the other hand, typability is not required for splitting matching and the rest of the algorithm, which would work just as described in Definition 5.17. Both the termination and the correctness arguments for the algorithm would still hold.

Going back to our example: redoing the lax splitting on x in the goal g' x, one gets again that Leaf is impossible, but Node is now accepted and leads to an (untyped) goal g' (Node n t b m t'). Splitting on t is now successful for both constructors and both resulting goals get reduced.

Footnote 2. Note that a better unification algorithm could find the two most general solutions n=O, m=(S O) and n=(S O), m=O. Then splitting would result in two goals immediately covered by the rules for g'.

6. More examples

6.1. Heterogeneous equality. Consider the inductive predicate JMeq of heterogeneous equality with its non-standard elimination rule:

Inductive JMeq (A:Set)(a:A) : forall B:Set, B → Set := JMrefl : JMeq A a A a.
Symbol JMelim : forall (A:Set)(a:A)(P: forall b:A, JMeq A a A b → Set), P a (JMrefl A a) → forall (b:A)(e: JMeq A a A b), (P b e)
Rules JMelim A a P h a (JMrefl A a) → h

One splitting of JMelim A a P h b c along c results in JMelim A a P h a (JMrefl A a), which is equal to the left-hand side of the rule. Hence this rule completely defines JMelim.

6.2. Uniqueness of Identity Proofs and Streicher's axiom K. Consider the type eq and the definition of the function UIP, proving that identity proofs are unique:

Inductive eq (A:Set)(a:A) : A → Set := refl : eq A a a.
Symbol UIP : forall (A:Set)(a b:A)(p q: eq A a b), (eq (eq A a b) p q)
Rules UIP A a a (refl A a) (refl A a) → refl (eq A a a) (refl A a).
The function UIP is completely defined, since two subsequent splittings of UIP A a b p q, along p and along q, result in UIP A a a (refl A a) (refl A a), which is exactly the left-hand side of the only rule for UIP. The rule for Streicher's axiom K can also easily be proved complete:

Symbol K : forall (A:Set)(a:A)(P: eq A a a → Set), P (refl A a) → forall p: eq A a a, P p
Rules K A a P h (refl A a) → h

Note that both rules, for UIP and for K, can also be written in a left-linear form:

UIP A a ?1 (refl ?2 ?3) (refl ?4 ?5) → refl (eq A a a) (refl A a)
K A a P h (refl ?1 ?2) → h

6.3. Non pattern matching rules. These are two examples of complete definitions which do not follow the pattern matching schemes as defined in [12] and [16].

Symbol or' : bool → bool → bool
Rules or' x x → x
      or' true y → true
      or' x true → true

Symbol lt, diff : nat → nat → bool
Rules lt O y → diff O y
      lt x O → false
      lt (S x) (S y) → lt x y
      diff x x → false
      diff O (S y) → true
      diff (S x) O → true
      diff (S x) (S y) → diff x y

7. Conclusions and Related Work

In this paper we study consistency of the calculus of constructions with rewriting. More precisely, we propose a formal system extending an arbitrary PTS with inductive definitions and definitions by rewriting. Assuming that suitable positivity and acceptance conditions guarantee termination and confluence, we formalize the notion of a complete definition by rewriting. We show that in every environment consisting only of inductive definitions and complete definitions by rewriting there is no proof of $(x : *)x$. Moreover, we present a sound and terminating algorithm for checking completeness of definitions. It is necessarily incomplete, since in the presence of dependent types emptiness of types trivially reduces to completeness, and the former is undecidable.
Our coverage checking algorithm resembles the one proposed by Coquand in [12] for Martin-Löf type theory and used by McBride for his OLEG calculus [16]. In these works the procedure consisting of successive case-splittings is used to interactively build pattern matching equations, or to check that a given set of equations can be built this way. Unlike in our paper, Coquand and McBride do not have to worry whether all instances of a reducible subgoal are reducible. Indeed, in [12] pattern matching equations are meant to be applied to terms modulo conversion, and in [16] the equations (or rather the order of splittings in the successful run of the coverage checking procedure) serve as a guideline to construct an OLEG term verifying the equations. The equations themselves are never used for reduction, and the constructed term reduces according to existing rules.

In our paper rewrite rules are matched against terms modulo α-conversion. Rewriting has to be confluent, strongly normalizing and has to preserve reducibility. Under these assumptions we can prove completeness for all examples from [12] and for the class of pattern matching equations considered in [16]. In particular we can deal with elimination rules for inductive types and with Streicher's axiom K. Moreover, we can accept definitions which depart from standard pattern matching, like rotr and +.

The formal presentation of our algorithm is directly inspired by the work of Pfenning and Schürmann [18]. A motivation for that paper was to verify that a logic program in the Twelf prover covers all possible cases. In LF, the base calculus of Twelf, there is no polymorphism, no rewriting, and conversion is modulo βη-conversion. The authors use higher-order matching modulo βη-conversion, which is decidable for patterns à la Miller and strict patterns.
Moreover, since all types and function symbols are known in advance, coverage is checked with respect to all available function symbols. In our paper, conversion contains rewriting and it cannot be used for matching; instead we use matching modulo α. This simplifies the algorithm searching for safe splitting variables, but on the other hand it does not fit well with instantiation and normalization. To overcome this problem we introduce the notions of normalized canonical instance and preservation of reducibility, which were not present in the previously mentioned papers. Finally, since the sets of function symbols and rewrite rules grow as the environment extends, coverage is checked with respect to constructors only.

Even though the worst-case complexity of coverage checking is clearly exponential, for practical examples the algorithm should be quite efficient. It is very similar in spirit to the algorithms checking exhaustiveness of definitions by pattern matching in functional programming languages, and these are known to work effectively in practice.

An important issue which is not addressed in this paper is to know how much we extend conversion. Of course it depends on the choice of the conditions ACC and POS and on the unification algorithm used for coverage checking. In particular, some of the definitions by pattern matching can be encoded by recursors [13], so if ACC is strict, we may have no extension at all. In general there seem to be at least two kinds of extensions. The first are non-standard elimination rules for inductive types, but the work of McBride shows that the axiom K is sufficient to encode all other definitions by pattern matching considered by Coquand.
The second are additional rules which extend a definition by pattern matching (like associativity for +). It is known that for first-order rewriting these rules are inductive consequences of the pattern matching ones, i.e. all their canonical instances are satisfied as equations (see e.g. Theorem 7.6.5 in [19]). Unfortunately, this is no longer true for higher-order rules over inductive types with functional arguments. Nevertheless, it seems that such rules are inductive consequences of the pattern matching rules if the corresponding equality is extensional.

Finally, our completeness condition COMP verifies the closure properties defined in [9, 10]. Hence, it is adequate for a smooth integration of rewriting with the module system present in Coq since its version 7.4.

Acknowledgement

The authors wish to thank Paweł Urzyczyn and the anonymous referees for their helpful comments and suggestions.

References

[1] Franco Barbanera, Maribel Fernández, and Herman Geuvers. Modularity of strong normalization in the algebraic-λ-cube. Journal of Functional Programming, 7(6):613–660, 1997.
[2] Henk Barendregt. Lambda calculi with types. In S. Abramsky, D. M. Gabbay, and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science, volume 2, chapter 2, pages 117–309. Oxford University Press, 1992.
[3] Bruno Barras and Benjamin Grégoire. On the role of type decorations in the calculus of inductive constructions. In L. Ong, editor, Proceedings of the 19th Annual Conference of the European Association for Computer Science Logic, volume 3634 of Lecture Notes in Computer Science, pages 151–166, Oxford, UK, 2005. Springer.
[4] Gilles Barthe and Femke van Raamsdonk. Termination of algebraic type systems: the syntactic approach. In M. Hanus, J. Heering, and K. Meinke, editors, Proceedings of Algebraic and Logic Programming, 6th International Joint Conference, ALP '97 - HOA '97, volume 1298 of Lecture Notes in Computer Science, pages 174–193. Springer, 1997.
[5] Stefano Berardi, Mario Coppo, and Ferruccio Damiani, editors. Types for Proofs and Programs, International Workshop, TYPES 2003, Torino, Italy, April 30 - May 4, 2003, Revised Selected Papers, volume 3085 of Lecture Notes in Computer Science. Springer, 2004.
[6] Frédéric Blanqui. Definitions by rewriting in the Calculus of Constructions. Mathematical Structures in Computer Science, 15(1):37–92, 2005.
[7] Frédéric Blanqui, Jean-Pierre Jouannaud, and Mitsuhiro Okada. The Calculus of Algebraic Constructions. In P. Narendran and M. Rusinowitch, editors, 10th International Conference on Rewriting Techniques and Applications, volume 1631 of Lecture Notes in Computer Science, Trento, Italy, July 1999. Springer.
[8] Edwin Brady, Conor McBride, and James McKinna. Inductive families need not store their indices. In Berardi et al. [5], pages 115–129.
[9] Jacek Chrząszcz. Modules in Coq are and will be correct. In Berardi et al. [5], pages 130–146.
[10] Jacek Chrząszcz. Modules in Type Theory with Generative Definitions. PhD thesis, Warsaw University and University of Paris-Sud, Jan 2004.
[11] The Coq proof assistant. http://coq.inria.fr/.
[12] Thierry Coquand. Pattern matching with dependent types. In Proceedings of the Workshop on Types for Proofs and Programs, pages 71–83, Båstad, Sweden, 1992.
[13] Cristina Cornes. Conception d'un langage de haut niveau de représentation de preuves. PhD thesis, Université Paris VII, 1997.
[14] John V. Guttag and James J. Horning. The algebraic specification of abstract data types. Acta Informatica, 10:27–52, 1978.
[15] Emmanuel Kounalis. Completeness in data type specifications. In B. F. Caviness, editor, EUROCAL'85, European Conference on Computer Algebra, Linz, Austria, April 1-3, 1985, Proceedings Volume 2: Research Contributions, volume 204 of Lecture Notes in Computer Science, pages 348–362. Springer, 1985.
[16] Conor McBride. Dependently Typed Functional Programs and Their Proofs. PhD thesis, University of Edinburgh, 1999.
[17] Christine Paulin-Mohring. Inductive definitions in the system Coq: Rules and properties. In M. Bezem and J. F. Groote, editors, Proceedings of the 1st International Conference on Typed Lambda Calculi and Applications, volume 664 of Lecture Notes in Computer Science, pages 328–345, Utrecht, The Netherlands, March 1993. Springer.
[18] Carsten Schürmann and Frank Pfenning. A coverage checking algorithm for LF. In D. Basin and B. Wolff, editors, Proceedings of the Theorem Proving in Higher Order Logics 16th International Conference, volume 2758 of Lecture Notes in Computer Science, pages 120–135, Rome, Italy, September 2003. Springer.
[19] Terese, editor. Term Rewriting Systems, volume 55 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 2003.
[20] Jean-Jacques Thiel. Stop losing sleep over incomplete data type specifications. In Conference Record of the 11th Annual ACM Symposium on Principles of Programming Languages, Salt Lake City, Utah, pages 76–82. ACM Press, 1984.
[21] Daria Walukiewicz-Chrząszcz. Termination of rewriting in the calculus of constructions. Journal of Functional Programming, 13(2):339–414, 2003.
[22] Daria Walukiewicz-Chrząszcz. Termination of Rewriting in the Calculus of Constructions. PhD thesis, Warsaw University and University Paris XI, 2003.
[23] Daria Walukiewicz-Chrząszcz and Jacek Chrząszcz. Consistency and completeness of rewriting in the calculus of constructions. In Automated Reasoning, Third International Joint Conference, IJCAR 2006, Seattle, WA, USA, August 17-20, 2006, Proceedings, volume 4130 of Lecture Notes in Artificial Intelligence, pages 619–631. Springer, 2006.
[24] Benjamin Werner. Méta-théorie du Calcul des Constructions Inductives. PhD thesis, Université Paris VII, 1994.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
