Automated Induction for Complex Data Structures

We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, ordering and also membership in a fixed tree language. Constrained equational axioms between constructor terms are supported and can be used in order to specify complex data structures like sets, sorted lists, trees, powerlists… Our procedure is based on tree grammars with constraints, a formalism which can describe exactly the initial model of the given specification (when it is sufficiently complete and terminating). They are used in the inductive proofs first as an induction scheme for the generation of subgoals at induction steps, second for checking validity and redundancy criteria by reduction to an emptiness problem, and third for defining and solving membership constraints. We show that the procedure is sound and refutationally complete. It generalizes former test set induction techniques and yields natural proofs for several non-trivial examples presented in the paper, these examples are difficult to specify and carry on automatically with related induction procedures.

💡 Research Summary

The paper addresses the long‑standing difficulty of automatically proving inductive theorems about specifications that involve complex data structures such as sets, sorted lists, power‑lists, or binary trees. Traditional implicit‑induction tools assume a “free” constructor signature, sufficient completeness, and global termination of the rewrite system. Under those assumptions the set of constructor normal forms is simply the set of all ground constructor terms, making the generation of an induction scheme trivial. However, many realistic specifications require non‑free constructors, conditional or constrained rewrite rules, and even non‑linear left‑hand sides. In such settings the usual test‑set or cover‑set induction techniques become over‑approximations and often lead to “don’t know” outcomes or loss of refutational completeness.

To overcome these limitations the authors introduce constrained tree grammars (CTGs), a formalism that extends regular tree automata with arbitrary constraints on variables (equality, disequality, ordering, membership in a fixed regular tree language, etc.). They prove that, provided the constructor subsystem is terminating and the whole specification is sufficiently complete, a CTG can describe exactly the initial Herbrand model of the specification – i.e., the set of all ground constructor normal forms. This precise description is the cornerstone of their automated induction procedure.

The procedure consists of three main phases:

1. Induction‑scheme construction – From the given equational specification (R) the tool automatically builds a CTG (G) that generates all constructor normal forms. Production rules of (G) are annotated with the original constraints, so that each generated term respects the semantics of the specification.

2. Goal generation and reduction – A conjecture (C) is instantiated by traversing the production rules of (G). Each traversal yields a sub‑goal (a concrete instance of (C)). For every sub‑goal the system applies three decision criteria:

   • Deletion – If the sub‑goal does not belong to the language of (G) (checked by an emptiness test on a derived CTG), it is discarded.
   • Reduction – If the sub‑goal can be rewritten by the defined‑function rules (R_D) or by already proved induction hypotheses to a strictly smaller term (according to a well‑founded ordering), it is reduced.
   • Propagation – Reduced sub‑goals that are not yet proved become new induction hypotheses, extending the set of available lemmas.

3. Constraint solving – Throughout the process, membership constraints (e.g., “(x) belongs to the regular language (L)”, “(x) is in normal form”, “(x \succ y)”) are solved by the underlying CTG machinery. This provides a decidable, uniform way to handle all kinds of side‑conditions that appear in modern specifications.

The authors prove soundness (every proved conjecture holds in the initial model) and refutational completeness (any conjecture false in the initial model will eventually be refuted) under the mild assumptions of sufficient completeness and termination of the constructor subsystem. Notably, they do not require termination of the whole rule set, only separate termination of the constructor and defined‑function parts. Moreover, by employing constrained completion techniques they can transform non‑terminating theories into terminating ones without altering the core of the induction algorithm.

The paper presents several substantial case studies:

• Sorted non‑stuttering lists – Constructors ∅ and ins are equipped with a rule eliminating consecutive duplicates and a conditional rule enforcing a strict order (x₁ ≻ x₂). Membership predicates (⋐) are defined using constraints that reference the sorted‑list language. The CTG automatically captures the set of sorted, duplicate‑free lists, and the prover derives properties such as “insertion preserves sortedness” without any user‑supplied lemmas.

• Trace verification for security protocols – System traces are modeled as constructor terms; a regular tree language Bad describes illegal traces. The conjecture trace(y) ≠ true ∧ y : Bad is proved automatically, demonstrating that no bad trace exists. The CTG handles the language membership constraint seamlessly, enabling a fully automated security‑property proof.

• Power‑lists – A more intricate data structure involving nested list constructions and non‑linear rewrite rules. Again, the CTG precisely characterizes the normal forms, and the induction procedure succeeds where traditional test‑set methods fail or require extensive manual lemmas.

In each example the authors compare their approach with existing systems such as ACL2, SPIKE, RRL, and INKA, highlighting that those tools either need explicit lemmas, cannot handle constrained constructors, or lack refutational completeness. Their method, by contrast, delivers natural, readable proofs with minimal user interaction and guarantees that a failure indicates a genuine non‑inductive theorem (provided the specification satisfies the stated conditions).

In summary, the paper makes a significant contribution by integrating constrained tree grammars into implicit induction, thereby extending automated theorem proving to a wide class of specifications that involve rich, constrained data structures. The approach is theoretically robust (sound, refutationally complete) and practically effective, as demonstrated on non‑trivial examples that were previously out of reach for fully automatic inductive provers.