The Computability Path Ordering

. This paper aims at carrying out termination proofs for simply typed higher-order calculi automatically by using ordering comparisons. To this end, we introduce the computability path ordering (CPO), a recursive relation on terms obtained by lifting a precedence on function symbols. A ﬁrst version, core CPO, is essentially obtained from the higher-order recursive path ordering (HORPO) by eliminating type checks from some recursive calls and by incorporating the treatment of bound variables as in the so-called computability closure. The well-foundedness proof shows that core CPO captures the essence of computability arguments à la Tait and Girard, therefore explaining its name. We further show that no more type check can be eliminated from its recursive calls without loosing well-foundedness, but one for which we found no counter-example yet. Two extensions of core CPO are then introduced which allow one to consider: the ﬁrst, higher-order inductive types; the second, a precedence in which some function symbols are smaller than application and abstraction.


Introduction
This paper addresses the problem of automating termination proofs for typed higher-order calculi by reducing them to ordering comparisons between lefthand and righthand sides of rules.
It also addresses another, more fundamental problem of mathematical importance.Consider the set of terms generated by a denumerable set of variables, application, abstraction and some set of function symbols with arities, our version of the pure λ-calculus.We shall use a (possibly infinite) set R of pairs of λ-terms called rewrite rules used as our computing device.Given a term as input, whether our computing device will eventually terminate and return an answer is in general undecidable, even if R is a singleton set [32].It may even be undecidable for specific rewrite systems, such as the well-known β-reduction rule (formally defined here as the infinite set of its instances).A major question is the following: can we approximate the set of β-terminating terms by some meaningful subset?An important partial answer was given by Turing: the set of simply-typed λ-terms, where the word simply refers to a specific typing discipline introduced by Church in the λ-calculus [25], is terminating when a specific strategy is employed [89].The complete answer, the fact that the very same set is indeed terminatin under any strategy, is due to Sanchis [81].Tait and Girard gave later proofs [84,45] which have been the basis of many further generalizations, by considering more rules (η-reduction, recursors, general schema), and more terms characterized by more elaborate type disciplines (polymorphic, dependent, inductive type systems).When considering β-reduction alone, the obtained approximations of the set of terminating λ-terms are quite satisfactory.But proving the corresponding statement that computations terminate when given a typed λ-term as input, requires using an extremely powerful technique called reducibility 1 , introduced by Tait for simply typed terms, and further developed by Girard for the richer type disciplines.Given a set of terms and a set of rewrite rules R, a reducibility predicate is defined by axioms that it should satisfy, mainly closure under term constructions, closure under rewriting with R, and containment in the set of terminating terms.Girard exhibited a particular predicate for β-reduction which can be easily adapted for other sets of rules, but there are sets of rules for which some typable terms originate an infinite computation.We therefore turn to a new undecidable question: which sets of rules admit a computability predicate?
The question we answer in this paper is whether this set S (of sets R of rules) admits some non-trivial decidable subset: our approximation of S is the set of sets R of rules such that pairs in R are ordered by (some instance of) the computability path ordering CPO.
The work itself takes its roots in early attempts by Breazu-Tannen and Gallier [24] and independently Okada [77] to consider mixed typed λ-calculi with algebraic rewriting.Both works used Girard's computability predicates method to show that the strong normalization property of algebraic rewriting was preserved in the union.These results grew into a whole new area, by extending the type discipline on the one hand, and the kind of rules that could be taken care of on the other hand.The type discipline was extended independently by Barbanera and Dougherty in order to cover the whole calculus of constructions [3,38], while the rule format was extended as described next.
Higher-order rewrite rules satisfying the general schema, a generalization of Gödel's primitive recursion rules for higher types, were introduced by Jouannaud and Okada in the case of a polymorphic type discipline [56,57].The latter work was then extended first by Barbanera and Fernández [5,4] and finally by Barbanera, Fernández and Geuvers to cover the whole calculus of constructions [6].Recursors for basic inductive types, which constructors admit arguments of a non-functional type only, could be taken care of by the general schema, but arbitrary strictly positive inductive types could not, prompting for an extension of the schema, which was reformulated for that purpose by Blanqui, Jouannaud and Okada [15].This new formulation was based on the notion of computability closure of a term f( ⃗ t), defined as a set of terms containing ⃗ t and closed under computability preserving operations in the sense of Tait and Girard.Membership to the general schema was then defined for an arbitrary rewrite rule as membership of its righthand side to the computability closure of its lefthand side.This elegant, flexible and powerful definition of the general schema was finally extended by Blanqui in a series of papers, until it covered the entire calculus of inductive constructions including strong elimination rules [10,11], rewriting modulo some equational theories and rewriting with higher-order pattern-matching [14].
Introduced by Jouannaud and Rubio, HORPO was the next step, the very first order on simply typed λ-terms defined by induction on the term structure, as does Dershowitz recursive path ordering for first-order terms [34].Comparing two terms with HORPO starts by comparing their types in a given well-founded ordering on types before to proceed recursively on the structure of the compared terms, in a way which depends on a comparison of the roots of both terms in a given well-founded order on the algebraic signature called the precedence [58].HORPO was extended to the calculus of constructions by Walukiewicz [91], and to use semantic interpretations of terms instead of a precedence on function symbols by Borralleras and Rubio [22].An axiomatic presentation of the rules underlying HORPO can be found in [47].A more recent work in the same direction is [35].A more general version of HORPO appears in [59], which uses the computability closure to strengthen its expressivity.Blanqui proved that the first version of HORPO is contained in an order defined as a fixpoint of the computability closure definition [12].Indeed, HORPO and the computability closure share many similar constructs, raising expectations for a simpler and yet more expressive definition, instead of a pair of mutually inductive definitions for the computability closure and the ordering itself.On the positive side, the computability closure makes little use of type comparisons, hence may succeed when HORPO fails for type reason.Unfortunately, its fixpoint is not a syntax-oriented definition, hence has a more limited practical usage.
Originally formulated in [16], the question of finding a syntax oriented recursive definition of HORPO that would inherit the advantages of the computability closure paved the way to CPO, the computability path ordering.The first definition was given in [17], later improved as CPO in [18].A major improvement of CPO is that type comparisons are no more systematic, but occur in very specific cases.This does not only speed up computations, but also boosts the ordering capabilities in an essential way.Further, bound variables are handled explicitly by CPO, allowing for arbitrary abstractions in the righthand sides together with a more uniform definition.
In this paper, we present an in-depth study of an improved version of CPO for a simple extension of Church's simple type discipline [25], before we extend it to inductive types along the lines suggested in [18] following a technique dating back to Mendler [73,74] and extended to rewriting by Blanqui [10].In particular, we first show that many improvements of CPO cannot be well-founded: type comparisons are necessary when recursive calls deconstruct the lefthand side, but are not otherwise.While this all came out of the well-foundedness proof, it indeed shows a strong relationship between the recursive structure of CPO and the computability predicates method of Tait and Girard that is used to carry out the proof, which explains the name CPO.It further shows that CPO is indeed a sharp approximation of the set of sets of rules which admit a computability predicate.We then address the treatment of inductive types which remained ad hoc so far, thanks to the use of accessibility, a relationship introduced by Blanqui which generalizes the notion of inductive type [11].We finally introduce another novelty: small symbols.In all previous definitions, function symbols were bigger in the precedence than application and abstraction.Such symbols are now called big, while small symbols behave differently, being possibly smaller than both.Small symbols were suggested by Li to carry out a generalization of CPO to dependent types [55].
The paper is organized as follows.First, we define the sets of types and terms that we consider (simply typed λ-terms with function symbols of fixed arity), and the class of orderings on types that can be used in CPO.We then give a first definition of our ordering (core CPO), and show that it can hardly be improved while keeping the same recursive structure and well-foundedness.We then show how to prove its well-foundedness by extending Tait and Girard's technique of computability predicates.In the following sections, we consider two extensions of core CPO.In the first one, core CPO is extended by using accessible subterms which allows to handle strictly inductive types.In the second, application or abstraction are allowed to be bigger than a function call.Concluding remarks are given in Section 9.

Types and admissible type orderings
CPO is a relation on well typed terms but, instead of allowing the comparison of terms of the same type only, it allows the type to decrease in some well-founded ordering.However, not any type ordering is admissible.
In this section, we first recall the definition of (simple) types and some basic functions on types.Then, we define what are the (strict) orderings on types that can be used in CPO, study some of their properties and give an example based on a well-founded precedence on type constants.Definition 2.1 (Types).Let S be a set of sorts.The set T of types, the arity α(_) and the order o(_) of a type are inductively defined as follows: • a sort A ∈ S is a type of arity α(A) = 0 and order o(A) = 0.
• if T and U are types, then T → U is a type of arity α(T → U ) = 1 + α(U ) and order We use capital letters for types and a different font for sorts (e.g.T and A), and ⃗ T for a (possibly empty) sequence of types T 1 , . . ., T n , of length ⃗ T = n.As usual, → associates to the right so that A → A → A and A → (A → A) are the same.Given a relation R, let R + (resp.R * ) denote the transitive (resp.transitive and reflexive) closure of R. Definition 2.2 (Admissible type orderings).Let ⊳ l and ⊳ r be the relations on types such that T → U ⊳ l T and T → U ⊳ r U respectively, and ⊳ be the transitive closure of their union.A (strict) ordering > on types is admissible if: (typ-arrow) where ≥ is the reflexive closure of >.We say that a type T is compatible (resp.strictly compatible) with a sort A, written Sort A (T ) (resp.Sort ⋖A (T )) if B A (resp.B ⋖ A) for every sort B occurring in T .
Admissible type orderings originate from [59].Note that a sort can be bigger than an arrow type.If A is a sort occurring in T , then T A. Finally, note that the relation ⋗ is a simplification ordering [34].We now give an example of admissible ordering based on a well-founded precedence on sorts.For a concrete use case, see Example 5.2 below.Lemma 2.3.Given a well-founded ordering > S on sorts, let > be the smallest ordering > on types containing > S and ⊳ r and such that, for all U, V, V ′ , it holds that Proof.
The proof is by induction on the definition of >. ( By induction hypothesis applied to T → U > W , there are two cases: -U ≥ W .Then, by transitivity, U > V .
-W = T → U ′ for some U ′ < U .By induction hypothesis on T → U ′ > V , there are two cases: By transitivity, U > V ′ and we are done.
In the following, we prove some properties of admissible type orderings: Proof.By (typ-arrow), either T = T ′ and U > U ′ or U ≥ T ′ → U ′ , in which case we conclude by (typ-right-subterm) and transitivity.
Lemma 2.5.Let > be an admissible type ordering.If A > U , then Sort ⋖A (U ).
Proof.Let B be a sort occurring in U .Then, U B. Hence, by transitivity, A ⋗ B.
Lemma 2.6.Let > be an admissible type ordering.If T > U and Sort A (T ), then Sort A (U ).
Proof.Let C be a sort occurring in U .We proceed by induction on T .

Terms
In this section, we define the set of terms on which CPO operates.We consider simply-typed λ-terms [25,7] with function symbols of fixed arity, that is, a function symbol of arity n always comes with n arguments.We assume that every variable or function symbol comes equipped with a fixed type and that α-equivalence replaces a variable by another variable of the same type.
Definition 3.1 (Terms).Let X be an infinite set of variables, each variable x being equipped with a type τ (x) ∈ T so that there is an infinite number of variables of each type.Let also F be a (finite or infinite) set of function symbols disjoint from X , each function symbol f being equipped with a type τ (f) ∈ T and an arity α(f) ≤ α(τ (f)).The declaration f n ∶ T indicates the arity n and type T of f.The set L of terms is defined inductively as follows: • a variable x is a term of type τ (x); • if x is a variable and t is a term of type T , then λxt is a term of type τ (x) → T .We denote by τ (t) the type of a term t, and write t ∶ T when τ (t) = T .
We usually write f ∶ T for the declaration f 0 ∶ T , omitting the arity n = 0, and f for f().Note that a term f( ⃗ t) may have a functional type, hence can be applied.Application associates to the left so that tuv is the same as (tu)v.
We denote by FV(t) the set of free variables in t, by ⊲ the strict subterm relationship on terms, and by ⊴ its reflexive closure.The height of a term t, written t , is the height of its tree representation:

Definition 3.2 (Substitution).
• A substitution is a function σ ∶ X → L such that dom(σ) = {x ∈ X σ(x) ≠ x} is finite and, for every x, τ (σ(x)) = τ (x).As usual, the application of a substitution σ to a term t, written tσ, is defined so as to avoid free-variable captures when renaming some bound variables of t by new variables of the same type [31].
where FV(σ) = ⋃ {FV(σ(x)) x ∈ dom(σ)}.• A relation > on terms (or sequences of terms) is stable by substitution away from X if aσ > bσ whenever a > b and σ is away from X.A relation is stable by substitution if it is stable by substitution away from ∅.
We will use the letters σ, θ, . . .for substitutions, and denote the substitution mapping the variables ⃗ x of its domain to the terms in ⃗ t x ).Note that stability by substitution reduces to the standard definition: > is stable by substitution if aσ > bσ whenever a > b (because any substitution is away from ∅).
The equivalence relation identifying terms up to type-preserving renaming of their bound variables is called α-equivalence and written = α as usual [31].
Given a relation R, let SN T (R) be the set of terms of type T from which there is no infinite sequence of R-steps, and SN(R) = ⋃{SNT (R) T ∈ T }.

Relations
One ingredient of CPO is a well-founded quasi-ordering on function symbols and, for each equivalence class generated by the corresponding equivalence relation, a status stat ∈ {mul}∪ {lex(n) n > 2} prescribing how to compare the arguments of two equivalent symbols, by either its multiset [37] or lexicographic extension.We hereafter recall the necessary definitions and state some simple but important properties of these operations.The product extension is introduced here for technical reasons.
Given a relation ≻ on terms, let: u and there is j ∈ {1, . . ., ⃗ u } s.t.t j ≻ u j and, for all i ≠ j, t i = u i .
if, for all i, x ≻ y i (+ being the multiset union); . ., n} such that t j ≻ u j and, for all i < j, t i = u i .Note that both ≻ mul and ≻ lex(n) may compare all the arguments whatever their types are (from left to right for ≻ lex(n) ).In [14], the first author describes a more general version of these statuses that take types into account and allow reordering and filtering of the arguments [2].We could also consider statuses combining both lexicographic and multiset comparisons [39].
In the following, we will omit n in ≻ lex(n) and simply write ≻ lex .
Here are the properties of statuses we will rely on: Proposition 4.1.Given a relation ≻ on terms: • ≻ stat preserves termination: if ≻ is well-founded, then ≻ stat is well-founded.
• ≻ stat preserves stability: if ≻ is stable by substitution away from X, then so is ≻ stat .

Computability path ordering
In this section, we give the core definition of the computability path ordering (CPO) before to explore its limits by means of examples and compare it with its father definition, HORPO.
5.1.Definition of core CPO.We assume given: • an admissible ordering on types >; • a quasi-ordering ≥ F on F, called precedence, whose equivalence F is written > F and assumed well-founded; • for every f ∈ F, a status stat(f) ∈ {mul} ∪ {lex(n) n ≥ 2} such that symbols equivalent in ≃ F have the same status.
Definition 5.1 (Core computability path relation).The core computability path relation is the relation ≻ ∅ τ (≻ τ for short) where: • for any given finite set X of variables, ≻ X is inductively defined in Figure 1 is the reflexive closure of ≻ X (resp.≻ X τ ).The parameter X serves as a meta-level binder to keep track of the variables that were previously bound in the righthand side but have become free when destructuring a righthand side abstraction.We shall say that a variable x is fresh with respect to a comparison u ≻ Note that the parameter X is carried along computations without change, except in rule (F b λ).Hence, any comparison u ≻ X v generated from an initial comparison s ≻ ∅ t implies X ∩ FV(u) = ∅.
Explicit variable renamings and the associated freshness conditions are used to make the relation invariant by α-equivalence, the smallest congruence generated by the equation λxt = λyt y x if τ (x) = τ (y) and y ∉ FV(λxt) [31], and by appropriate renaming of the variables in X, as we shall prove later.
Note the seemingly complex behaviour of application in rule (@=), which allows to search the lefthand side for appropriate arguments bigger than those of the righthand side.This enhancement of CPO intends to mimic the corresponding rule of HORPO without flattening lefthand sides.
Having function symbols equipped with an arity is more general than having uncurried function symbols (i.e. of null arity) only: any uncurried system can be dealt with as it is.However, in this case, the (F b _) rules are very limited: (F b ⊳) is not applicable, (F b =) and (F b >) reduce to the precedence itself.Moreover, applications of the form f ⃗ t with ⃗ t > 0 can only be compared by using the (@_) rules which are more constrained than the corresponding (F b _) rules, especially (@λ) and (@=).Considering function symbols with non-null arities provides more structure to the terms, and this structure can be used for proving termination [51].Lemma 6.4 below will show that FV(v) ⊆ FV(u) ∪ X whenever u ≻ X v. Hence, an alternative formulation of rules (@λ) and (λ≠) could therefore be given by replacing the condition "z fresh" by y ∉ FV(v).
Another, perhaps surprising fact is that the definition of core CPO can be simplified by replacing ≻ X by ≻ everywhere but in (F b λ).This is true at the start since we are interested in ≻ τ .This is then an invariant of the computation, for two reasons: X is never increased, except in (F b λ); X is reset to the empty set by (F b ⊳) and (F b =), which are the only rules which may move from a (F b ) comparison to a (@) or (λ) comparison.We could therefore simplify our definition by removing the superfluous X subscripts.This will however no more be true of the extension of core CPO to inductive types, and we prefer to have a uniform definition over the various sections.Further, the present definition will allow us to study a relaxation of (@λ) in the next section.
Surprisingly, core CPO is powerful enough already to prove termination of examples that usually require techniques like the ones developed in Section 7.
Example 5.2.Consider the breadth-first search of labeled trees using continuations [52], using the sorts L for lists of labels and C for continuations, the abbreviation ¬T = T → L, and the symbols d ∶ C and c 1 ∶ ¬¬C → C for building continuations.Let now e ∶ ¬C defined by the rule: e c(x) → x e Its termination can be checked by core CPO by taking C ≥ L and c > F e. Indeed, e c(x) ≻ τ x e holds by (@⊳) since c(x) ≻ τ x e for τ (c(x)) = C ≥ τ (x e) = L and, by (F b @), c(x) ≻ x by (F b ⊳), and c(x) ≻ e by (F b >).5.2.Transitivity.As HORPO, core CPO is not transitive (both include β-reduction which is not transitive).Adding transitivity as a rule yields non-termination as shown by the following counter-example: Example 5.3.In the premises of (F b @), replace ≻ X by (≻ X ) + .Then, in the system S1 described at the beginning of next section, we have: Similar counter-examples can be built as well for (F b >) and (F b =), since the key point is that, by using (≻ X ) + , we can apply case (F b ⊳) without requiring type decreasingness.
Useful implemented heuristics for under-approximating ≻ + τ are discussed in [59].The introduction of small symbols in Section 8 will reduce the need for such heuristics, although not completely.On the other hand, we will show soon that core CPO is a well-founded relation on terms.So is therefore its transitive closure.5.3.Tightness of core CPO.In this section, we show that almost all possible relaxations (by replacing ≻ τ by ≻, and ≻ by ≻ X ) of the above definition lead to non-termination by providing appropriate examples that are also meant to help understanding how CPO works.To this end, we will consider three different systems, using o ∶ * to declare a sort o: For each rule, we now consider all its natural relaxations.
Then, in S1, we have: -Replace ⪰ τ by ⪰.Then, in S1, we have: ( -Replace ≻ τ by ≻.We found no counter-example for this case, but this is due to the condition f( ⃗ t) ≻ X ⃗ u.If we consider (F b =mul) and (F b =lex) instead, then simple counter-examples like the following one in S3 come up.
(1) h(a, a) and by (@β).Note that this counter-example can be also applied on case (F b =lex) if we take stat(h) = stat(k) = lex.Unfortunately it does not work on (F b =) since we cannot prove h(a, a) ≻ λxh(x, x).
-We found no counter-example yet for the other cases.

Comparison with HORPO.
In [59], the last two authors define a relation on simplytyped polymorphic λ-terms, > horpo , and its extension > chorpo using the notion of computability closure introduced in [15].In this section, we explain the differences between CPO and > horpo .We will compare CPO with > chorpo in Section 7.3.
• Type discipline.> horpo and > chorpo are relations on simply-typed polymorphic λterms, where types may contain type variables that have to be instantiated when forming function calls, while CPO is a relation on simply-typed monomorphic λterms.In the following, we will therefore compare CPO with the monomorphic versions of > horpo and > chorpo .Extending CPO to polymorphic types along the lines of [59] is routine.• Relation on types.In [59], the relation ≥ on types must be a quasi-ordering satisfying the following conditions 3 , where > = ≥ ∖ ≥ −1 is its strict part and ≃ = ≥ ∩ ≥ −1 its associated equivalence relation: ( It turns out that these conditions are inconsistent: if T > U then, by (4), T → V > U → V and, by (3), V ≥ U → V , which is impossible by (1) [61].However, the 3 Condition ( 2) is actually stated there as an equivalence, but its converse follows from (4).
results of [59] are still true since property ( 4) is only used to build the simplification ordering ⋗4 used for defining the interpretation of types.Instead, now, we distinguish between > which must contain ⊳ r and satisfy (3)/(typ-arrow) (( 2) is always satisfied when ≤ is an ordering instead of a quasi-ordering), and ⋗ which must contain > ∪ ⊳ l and be well-founded.The monotony property (4) is not required anymore.
In [59], > horpo and > chorpo are proved well-founded not only on well-typed terms but on a larger set of terms called candidate terms, obtained by identifying equivalent types.Since, by ( 2), the arrow structure of equivalent types is invariant, the quotient of the set of types by ≃ can be obtained by simply identifying sorts equivalent in ≃, and the quasi-order becomes then an order in the quotient structure.Since rewriting on candidate terms coincides with rewriting in the quotient, an order on types suffices, which removes the need for candidate terms and their technicalities.
• Relation on terms.One important difference between HORPO and CPO is that, in all sub-derivations of > horpo , types must decrease (t while, in CPO, this is not the case: types must be checked only in case the recursive call takes a subterm of the lefthand side term (except in (@⊳) for the left argument of an application).Indeed, CPO is an optimized version of > horpo in this respect.> horpo is defined by a set of 12 rules and each rule but ( 9) is implied by a rule of CPO: 5) by (@⊳), ( 6) by (λ⊳), ( 7) by (F b @), ( 8) by (F b λ) (HORPO requires the strong condition x ∉ FV(v) since it does not manage bound variables; this is however done by the computability closure in CHORPO), ( 10) by (λ=), ( 11) by (@β) and ( 12) by (λη).
Rule (9) compares st and u 1 . . .u n with n ≥ 2 by comparing the multisets { s, t } and { u 1 , . . ., u n }.It is implied by (@=).Indeed, in this case, for all i, either s ⪰ τ u i or t ⪰ τ u i .If there is no i such that s = u i then, for all i, s ≻ τ u i or t ⪰ τ u i , in which case one can prove that st ≻ τ u 1 . . .u k by induction on k.If s = u 1 then, for all i ≥ 2, t ≻ τ u i , in which case one can also prove that st ≻ τ u 1 . . .u k by induction on k.Otherwise, there is i > 1 such that s = u i and t ≻ τ u 1 .But, then, τ (s) ⋗ τ (t) ≥ τ (u 1 ) ⋗ τ (s), which is not possible by (typ-sn).

Implementation.
All examples given in the paper have been checked by our implementation, which is available from the web at http://www.lsi.upc.edu/~albert/cpo.zip.In this implementation the precedence and the status should be provided by the user.The implemented prototype includes core CPO as well as the extended versions of the ordering defined in Section 7 and 8. Several more examples are also included together with the implementation showing the power of the developed orderings.However, like RPO, CPO cannot be compared with transformation techniques based on, for instance, the computation of dependency pairs [2,42], but its power shows that it should be the path ordering of choice for solving the (monotonic) ordering comparisons which are generated by these transformation techniques.
Given a precedence and a status for every function symbol, deciding if a term s is smaller than a term t in core CPO can be made in quadratic time (using a dynamic programming algorithm) if (@β) is not used.The proof is basically the same as for RPO [66].Our prototype implementation written in Prolog does not use dynamic programming.Still, some standard optimizations over the given presentation are made, which mainly affect case (F b =).Let us split this case in two new cases, one for multiset status (F b =mul) and one for lexicographic status (F b =lex), and show that even after removing all or part of the condition f( ⃗ t) ≻ X ⃗ u, the conjunction of both cases is equivalent to the original one.
u and hence case (F b =) can be applied as well.As said, our implementation assumes that the precedence on function symbols and the status is given.Generating the precedence and the status automatically is a harder problem, and closely relates to the decision problem of solving ordering constraints, which is already NP-complete for RPO [76,75], but which is nowadays efficiently done in practice by encoding the problem into SAT [26].These kind of encodings can be easily adapted to CPO, as done for HORPO in termination tools like WANDA [63] and THOR [23].

Well-foundedness of core CPO
We now move to a technical analysis of the most important properties of core CPO.
Proof.By an easy induction on a ≻ X b.We detail a selection of cases: separately by induction on a ≻ X b.We only detail some cases: x ⪰ X τ v ′ .Now, z is fresh for λxt, X and v ′ since FV(v ′ ) = FV(v) and z is fresh for λxt, X and v. Therefore, by (λ⊳), λxt ≻ X v ′ .
(i) Assume now that λxt = α a ′ .Then, there are x ′ and t ′ such that a x ′ and, by the induction hypothesis, t ′ z x ′ ⪰ X τ v. Now, z is fresh for λx ′ t ′ , X and v since FV(λx ′ t ′ ) = FV(λxt) and z is fresh for λxt, X and v. Therefore, by (λ⊳ and, by the induction hypothesis, t z x ≻ X v ′ z y ′ .Now, z is fresh for λxt, X and λy ′ v ′ since FV(λy ′ v ′ ) = FV(λyv) and z is fresh for λxt, X and λyv.Therefore, by (λ=), λxt Hence, if t ≻ X u and V is a finite set of variables, then one can always assume without lost of generality that the bounding variables of t and u do not belong to V .
Invariance by variable renaming can also be extended to X: Lemma 6.6.Assume that t ≻ X u.
6.2.Tait and Girard's computability.We now turn to the proof that ≻ τ is well-founded.This proof is based on the meticulous analysis of the technique of computability predicates of Tait and Girard for proving the termination of β-reduction in typed λ-calculi [83,45,84,46].This technique consists in the following three steps: (1) interpret each type T by a set T of so-called computable terms; (2) prove that, for every type T , T satisfies some properties among which termination, i.e.T ⊆ SN(≻ τ ); (3) prove that every (well typed) term is computable.For arrow types, we will use the standard interpretation but, for sorts, we a priori have some freedom and we will indeed use this freedom to extend CPO to inductive types later in Section 7. Definition 6.7 (Computability).A base type interpretation is a map I ∶ S → P(L) such that, for all sorts A, I(A) is a set of terms of type A. A base type interpretation naturally extends to types as follows: • Our first lemma has a straightforward proof: Lemma 6.8.Let I 1 and I 2 be two base type interpretations, and T be a type.Then, T I 1 = T I 2 if I 1 and I 2 agree on every sort occurring in T .
We then consider the following properties: Definition 6.9 (Sets of neutral terms).A set N is a set of neutral terms if it satisfies the following properties: • X ⊆ N (neutral-var) • for all x, t, u, (λxt)u ∈ N (neutral-beta) • if t ∈ N then, for all u, tu ∈ N (neutral-app) • for all x and t, λxt ∉ N (neutral-not-lam) Definition 6.10 (Computability properties).Given a base type interpretation I and a set N of neutral terms, a set S of terms of type T is an I-computability predicate if it satisfies the following properties: x is I-computable (comp-lam) We can then prove that every term is strongly normalizing if the sets T I satisfy some of these properties and function symbols are I-computable, whatever the base type interpretation I and the set N of neutral terms are: Theorem 6.11.Given a base type interpretation I and a set N of neutral terms, ≻ τ is well-founded if: • for every type T , T I satisfies (comp-sn), (comp-neutral) and (comp-lam); • every function symbol f ∈ F is I-computable.
Proof.Because, for every T , T I satisfies (comp-sn), it suffices to prove that every term is I-computable.By (neutral-var), variables belongs to N .Because, for every T , T I satisfies (comp-neutral), variables are computable.Hence, the identity substitution is computable.
We then prove that, for all t ∶ T and computable σ, tσ ∈ T I , by induction on t.
We are therefore left to find a set of neutral terms N and a base type interpretation I so that type interpretations are computability predicates and function symbols are computable.
First, we are going to study under which conditions the interpretation of an arrow type U → V , U → V I , satisfies the above computability properties, whatever the base type interpretation I and the set of neutral terms N are.
Second, we will define a set of neutral terms N and a base type interpretation I so that, for every type T , T I satisfies all the computability properties.Finally, we will prove that function symbols are computable by induction on (> F , (≻ τ ) stat ) lex , which is well-founded when the following conditions are satisfied: Lemma 6.12.Given a base type interpretation I and a well-founded relation on By assumption, ⃗ T I ⊆ SN(R).Hence, by Lemma 4.1, ⃗ t ∈ SN(R stat(g) ) whatever g is.Assume now that there is an infinite (> F , R stat ) lex -decreasing sequence (f i , ⃗ t i ) i≥0 .Then, (f i ) i≥0 is an infinite ≥ F -decreasing sequence.Since > F is wellfounded by assumption, there must be some j such that, for all i ≥ j, f i ≃ F f j .Since symbols equivalent in ≃ F have the same status by assumption, ( ⃗ t i ) i≥j is an infinite R stat(f j ) -decreasing sequence, a contradiction.6.3.Computability properties of arrow types.In this sub-section, the results hold for any base type interpretation I and any set of neutral terms N .For the sake of simplicity, we drop the index I in T I and simply write T .Lemma 6.13.U → V satisfies (comp-sn) if: Proof.Assume that there is an infinite reduction sequence By definition of U → V , we have t 0 u ∈ V .We now prove that there is an infinite reduction sequence starting from t 0 u.Since V is assumed to satisfy (comp-sn), this is not possible.Therefore, U → V satisfies (comp-sn) too.By (typ-arrow) there are only two cases: • For all i, T i = U → B i for some B i .By monotony (Lemma 6.3), t 0 u ≻ τ t 1 u ≻ τ . . .• There is i such that T i+1 is a sort or T i+1 = A i+1 → B i+1 with A i+1 ≠ U .Let k be the smallest i satisfying this condition.Hence, for all i ≤ k, there is B i such that T i = U → B i .By monotony (Lemma 6.3), t 0 u ≻ τ . . .t k u.By (typ-arrow), we have B k ≥ T k+1 .Hence, by (@⊳), t k u ≻ τ t k+1 .
• (@⊳) t ⪰ w.By (typ-right-subterm), U → V > V .Hence, by transitivity, U → V > W and t ≻ τ w.Therefore, w is computable by assumption.-u ⪰ τ w.Then, w is computable since, by assumption, u is computable and U satisfies (comp-red).• (@=) w = t ′ u ′ and either: t = t ′ and u ≻ u ′ , in which case t ′ u is computable by assumption since u ≻ τ u ′ ; -or tu ≻ @ t ′ and tu ≻ @ u ′ .We prove that, for v ∈ {t ′ , u ′ }, if tu ≻ @ v then v is computable.There are three cases: Then, either u = v and v is computable by assumption, or u ≻ τ v and v is computable since u is computable and U satisfies (comp-red).* tu ≻ τ v.Then, since v ∈ {t ′ , u ′ }, v is computable by induction hypothesis.
• (@λ) w = λyv, tu ≻ v and y ∉ FV(v) by Lemma 6.4.Then, there are A and B such that W = A → B. By (typ-right-subterm), W > B. Hence, by transitivity, V > B and tu ≻ τ v. Thus, by induction hypothesis, v is computable.Since W satisfies (comp-lam), w is computable if, for all computable term a ∶ A, v a y is computable.Since y ∉ FV(v), v a y = v.Therefore, w is computable.
x is computable and V satisfies (comp-red).Lemma 6.16.Let t ∶ U → V and u ∶ U .Then, tu is computable if: • every ≻ τ -reduct of t is computable; • u is computable; • U satisfies (comp-red) and (comp-sn); • V satisfies (comp-red) and (comp-neutral); Proof.We prove that tu is computable by induction on u with ≻ τ as well-founded relation ( U satisfies (comp-sn) by assumption).So, by induction hypothesis, for all u ′ such that u ≻ τ u ′ , tu ′ is computable.Hence, by Lemma 6.15, every ≻ τ -reduct of tu is computable.Now, tu is neutral because, either t is neutral and tu is neutral by (neutral-app), or t = λxv and tu is neutral by (neutral-beta).Therefore, tu is computable since V satisfies (compneutral).Corollary 6.17.U → V satisfies (comp-neutral) if: • U satisfies (comp-red) and (comp-sn); • V satisfies (comp-red) and (comp-neutral); Proof.Let t be a neutral term of type U → V such that every ≻ τ -reduct of t is computable.By definition, t ∈ U → V if, for all computable u ∶ U , tu is computable.Since t is neutral, by (neutral-not-lam), t is not of the form λxv. Therefore, by Lemma 6.16, tu is computable since all the required properties are satisfied.
Lemma 6.18.Let x ∶ U and v ∶ V .Then, λxv is computable if: • for all computable u ∶ U , v u x is computable; • U satisfies (comp-sn) and (comp-red) and contains a variable, which is the case if it satisfies (comp-neutral) too; • V satisfies (comp-sn), (comp-red) and (comp-neutral); Proof.By definition, λxv is computable if, for all computable u ∶ U , (λxv)u is computable.By Lemma 6.16, (λxv)u is computable if every ≻ τ -reduct of λxv is computable, the other conditions being satisfied.Since U contains a variable, we can wlog assume that this is x.So, v x x = v is computable.Since V satisfies (comp-sn), v ∈ SN(≻ τ ).We now prove that every ≻ τ -reduct w ∶ W of λxv is computable, by induction on (v, w ) with (≻ τ , > N ) lex as well-founded relation.By definition of ≻ τ , we have U → V ≥ W .
• (λ⊳) v ⪰ τ w.Since v is computable and V satisfies (comp-red), we have w computable.u ∶ U computable.We have au = v u x computable by assumption.Therefore, a is computable.By Lemma 6.14, U → V satisfies (comp-red) since U ≠ ∅ and V satisfies (comp-red).Therefore, w is computable too.Corollary 6.19.U → V satisfies (comp-lam) if: • U satisfies (comp-sn), (comp-red) and (comp-neutral); • V satisfies (comp-sn), (comp-red) and (comp-neutral); In conclusion, we can see that U → V I is a computability predicate if so are U I and V ′ I for all V ′ ≤ V .Therefore, if we can define a base type interpretation I so that, for every sort A, I(A) is a computability predicate then, for all type T , T I will be a computability predicate.
6.4.Well-foundedness of core CPO.We now define a set of neutral terms N and a base type interpretation I for proving the well-foundedness of core CPO.Definition 6.20 (Neutral terms for core CPO).Let N be the smallest set of terms containing the terms of the form f( ⃗ t) and closed by (neutral-var), (neutral-beta) and (neutral-app).
One can easily check that N satisfies all the properties of Definition 6.10.
In contrast with the usual practice, but as in [59], our interpretation of sorts is not the set of strongly normalizing terms of that sort.To define the base type interpretation I, we proceed by induction on ⋗ which is well-founded by (typ-sn).So, let A be a sort and assume that I is defined for all sorts B ⋖ A. Then, let I(A) be the least fixpoint of the monotone function F A defined as follows: We now prove that F A is indeed well-defined and monotone.Then, by Knaster and Tarski's fixpoint theorem [85], F A admits a (least) fixpoint.Lemma 6.21.F A is well-defined.
Proof.The recursive call to U I∪{(A,S)} is well-defined because, by definition of ≻ τ , we have A ≥ U .Hence, by Lemma 2.5, Sort A (U ).Lemma 6.22.F A is monotone.1) and ( 2) with S replaced by S ′ .Indeed, assume that t ≻ τ u and u ∶ U .By (2) Otherwise, by Lemma 2.5, Sort ⋖A (U ).Therefore, by Lemma 6.8, U J = U J ′ and u ∈ U J ′ .Note that the least fixpoint of F A can be reached by transfinite iteration of F A from ∅ [67,30], that is, there is an ordinal a, such that I(A) = F a A (∅) where: if a is a limit ordinal We now check that type interpretations are computability predicates.Lemma 6.23.Given a sort A, A satisfies (comp-red), (comp-neutral) and (comp-lam).
Proof.We show each property in turn.
• (comp-red) Let t ∈ A and assume that t ≻ τ u and u ∶ U .Since A = F A ( A ), we have u ∈ U by definition of F A .• (comp-neutral) Let t ∶ A be a neutral term whose ≻ τ -reducts are all computable.
Since A = F A ( A ), we have t ∈ A by definition of F A .• (comp-lam) Trivial for typing reasons.Lemma 6.24.Given a sort A, A satisfies (comp-sn) if, for all type U < A, U satisfies (comp-sn).

Proof. As already mentioned, A = F a
A (∅) for some ordinal a.Since ∅ satisfies (comp-sn), it therefore suffices to check that F A preserves termination: if S ⊆ SN(≻ τ ), then F A (S) ⊆ SN(≻ τ ).So, let S ⊆ SN(≻ τ ) and let t ∈ F A (S).By definition of F A , we have t ∶ A and, if t ≻ τ u and u ∶ U , then u ∈ U J where by assumption.Theorem 6.25.For all type T , T is a computability predicates, i.e. satisfies (comp-sn), (comp-red), (comp-neutral) and (comp-lam).
Proof.We proceed by induction on ⋗ which is well-founded by assumption (typ-sn).If T is a sort, then we can conclude by Lemma 6.23, Lemma 6.24 and induction hypothesis.Otherwise, T = U → V .Since T ⊳ l U , by induction hypothesis, U is a computability predicate.Let now V ′ be a type such that V ≥ V ′ .By (typ-right-subterm) and transitivity, T > V ′ .Hence, by induction hypothesis, V ′ is a computability predicate.Therefore, U → V satisfies (comp-sn) by Lemma 6.13, (comp-red) by Lemma 6.14, (comp-neutral) by Corollary 6.17 and (comp-lam) by Corollary 6.19.Now, we are left to prove that every function symbol is computable.
First, we check that t = f( ⃗ t) is computable if all its ≻ τ -reducts so are.This follows from the facts that, by definition of N , t is neutral and, by Theorem 6.25, U satisfies (comp-neutral).
We now prove that, for all finite sets of variables X, for all substitutions σ such that dom(σ) ∩ FV( ⃗ t) = ∅ and σ is computable on X, and for all terms w such that f( ⃗ t) ≻ X w, we have wσ computable, by induction on the size of w (2).Note that By stability by substitution of ⪰ τ (Lemma 1), we have t i σ ⪰ τ wσ.
We can therefore conclude that ≻ + τ is a monotone, stable, well-founded order.The well-foundedness proof of core CPO is actually similar to that of HORPO, although the proof here is presented in a quite different style from HORPO's monolithic proof [59].This similarity fades away with the two coming extensions, to inductive types and to small symbols.The reason why we have split the proof into small pieces is indeed to factor out its structure and those parts which are common to core CPO and its extensions.

Accessibility
In this section, we introduce an extension of the core definition that will allow us to handle rewrite rules like the ones defining recursors for strictly positive inductive types as used in the Coq proof assistant [29,54].Given a type A, the recursor (of arity 4) at type A A can be defined by the following rewrite rules: To capture such a relation, we need the following two comparisons to succeed: O (lim(y), u, v, w) ≻ y and lim(y) ≻ τ y n.The second comparison cannot succeed unless we allow non empty sets X of variables in (F b =) in order to have lim(y) ≻ {n} τ y n, but we have seen in Section 5.3 that this may lead to non-termination.Instead, we will use a specific ordering: the structural ordering introduced by Coquand for dealing with such kind of definitions in the calculus of constructions [28].
For the first comparison to succeed, since the type of y is bigger than the type of lim(y), we must not check types in (F b ⊳), but we have seen in Section 5.3 that this may lead to non-termination.To solve this problem, we will compare in (F b ⊳) the right-hand side with possibly deep subterms of the left-hand side.
We cannot take any deep subterm however, as shown by the following example: assuming the signature c 1 ∶ (A → B) → A and f 1 ∶ A → (A → B), the deep subterm comparison f(c(x)) ≻ τ x leads to non-termination, since, taking t = λx f(x) x, we have f(c(t)) c(t) ≻ τ t c(t) ≻ τ f(c(t)) c(t) by monotony and (@β).There are two cases where deep subterms can be used: as for the first, deep subterms whose type is a (sufficiently small) sort [59]; as for the second, Mendler showed that pattern-matching on constructors of a sort A having an argument whose type has a negative occurrence of A wrt the arrow type constructor (see Definition 7.2 just after), leads to non-termination, while, on the contrary, β-reduction combined with recursion combinators for positive inductive types terminates [73,74].7.1.Accessible subterms.In this sub-section, we first define the sets of positive and negative positions of a type, and the notions of accessible and structurally smaller term, before we prove some properties of these notions.Definition 7.2 (Positive and negative positions in a type).The sets Pos(T ), Pos(A, T ), Pos + (T ) and Pos − (T ) of positions, positions of A, positive positions and negative positions in a type T are inductively defined as follows: • Note that, if α(f) < ⃗ T , the output type of f is functional.Let us consider Example 7.1 and assume that O > N.Then, O occurs only positively in the type of the first argument of suc, and we can take Acc(suc) = {1}.Similarly, we can take Acc(lim) = {1}.
We can now introduce those sorts A which are not bigger than any arrow type and will be interpreted by SN A (≻ τ ) later: Definition 7.4 (Basic sorts).A sort A is basic if, for all type T < A, T is a basic sort and, for all f α(f) ∶ ⃗ T → A and i ∈ Acc(f), T i = A or T i is a basic sort.
In particular, are basic all first-order data types like unary natural numbers, lists, trees, etc. whose constructors do not take a function as argument.
Accessibility blends accessible arguments and subterms of basic sort: Definition 7.5 (Accessibility).A term u is said to be accessible in a term t if: • u is a subterm of basic sort of t such that FV(u) ⊆ FV(t), written t ⊳ s b u, or and t i ⊵ a u, written t ⊳ a u, where ⊵ s b and ⊵ a are the reflexive closures of ⊳ s b and ⊳ a respectively.Coming back to Example 7.1, we have x accessible in suc(x) since suc(x) ⊳ a x, and y accessible in lim(y) since lim(y) ⊳ a y.Lemma 7.6.If t ⊳ a u ∶ U , then there are two sorts A and B such that t ∶ A, B A, Sort B (U ) and Pos(B, U ) ⊆ Pos + (U ).
Proof.By induction on ⊳ a , which is clearly well-founded.Assume that there are Proof.By Lemma 7.6, there is a sort B A such that Sort B (U ) and Pos(B, U ) ⊆ Pos + (U ).Since A occurs in U , A B. Therefore, B = A and we are done.Definition 7.8 ([28]).Given a finite set X of variables, we say that u is structurally smaller than t wrt X, written t ⊳ X @ u, if there are A, v and ⃗ One can easily check: Lemma 7.9.⊳ s b and ⊳ a (resp.⊳ X @ ) are stable by substitution (resp.away from X).
The rules of Example 7.1 are now easily oriented by CPO.Take for instance the third rule.It is included in CPO since, by (F b @): • l = rec A O (lim(y), u, v, w) ≻ w x by (F b @)since: Following [12], we could strengthen CPO further by defining ⊳ X @ and ≻ X simultaneously, by replacing in ( 7.3.Comparison with CHORPO.CHORPO is a variant of HORPO which was also aiming at ordering recursors of inductive types like Brouwer's ordinals.In rules (1), ( 3), ( 4) and ( 7) of the 12 rules of HORPO as recalled in Section 5.4, one has to show recursively that every direct subterm of the left-hand side f( ⃗ t) is bigger than (or equal to) the right-hand side.In CHORPO, one can also use in addition to the direct subterms, any term of the computability closure CC(f( ⃗ t), ∅) of the left-hand side, a set inductively defined by 6 rules (CC1) to (CC6) that, for most of them, correspond to CPO rules as follows.
On the other hand, (CC6) says that CC(f( ⃗ t), ∅) is closed by > horpo .Capturing such a rule in CPO requires to consider the transitive closure of ≻ τ in (F b =) which would most presumably turn CPO into an undecidable relation, as it is probably already the case of CHORPO for the same reason.
In conclusion, while CHORPO and CPO look incomparable, the restriction of CHORPO to (CC1), (CC2), (CC3), (CC4), (CC5) is included in CPO.In fact, CPO can be seen as a decidable reformulation of CHORPO integrating in a simple, uniform and more powerful way both HORPO and the notion of computability closure.Note finally that HORPO and the computability closure are themselves already related, as shown in [12].More precisely, the first version of HORPO [58] is included in the fixpoint of the monotone function mapping > to the relation > ∅ CC such that t > X CC u if u ∈ CC(t, X), RPO being equal to this fixpoint when restricted to first-order terms.• ≻ X is well-defined.
• ≻ X is stable by substitution away from X.
In order to extend the well-founded proof of core CPO to accessible subterms, we need to define a set of neutral terms and a base type interpretation so that accessible arguments of a computable term f( ⃗ t) are computable.Hence, the following definitions: Definition 7.12 (Neutral terms for CPO with accessible subterms).Let N be the smallest set of terms containing the terms of the form f( ⃗ t) with Acc(f) = ∅, and closed by (neutralvar), (neutral-beta) and (neutral-app).
One can easily check that N satisfies all the properties of Definition 6.10.Note that, now, a term is neutral if and only if it is of the form To define the base type interpretation I, we proceed as for core CPO by well-founded induction on ⋗.So, let A be a sort and assume that I is defined for all sorts B ⋖ A. Then, let I(A) be the least fixpoint of the monotone function F A defined as follows: Note that, by this definition, a term f(t 1 , . . ., t α(f) )t α(f)+1 . . .t n ∶ A is computable if all its ≻ τ -reducts and all its accessible arguments t i with i ∈ Acc(f) are computable.This makes the terms of this form behave like neutral terms when ⃗ t are computable.We now prove that F A is indeed well-defined and monotone.Lemma 7.13.F A is well-defined.
Proof.The calls to U I∪{(A,S)} and T i I∪{(A,S)} with i ∈ Acc(f) are well-defined because every sort occurring in U or T i is to A. Indeed, by definition of ≻ τ , we have A ≥ U .Hence, by Lemma 2.5, Sort A (U ).As for T i , it follows by definition of Acc(f).
Lemma 7.14.Let T be a type such that Sort A (T ).Then, the function Proof.Let S ⊆ S ′ , J = I ∪ {(A, S)} and J ′ = I ∪ {(A, S ′ )}.We proceed by induction on T .
(2) Assume that t ≻ τ u and u ∶ U .By (2), u Otherwise, by Lemma 2.5, Sort ⋖A (U ).Therefore, by Lemma 6.8, . By definition of Acc, Sort A (T i ), Pos(A, T i ) ⊆ Pos + (T i ) and, by Lemma 7.14, T i J ⊆ T i J ′ .Therefore, t i ∈ T i J ′ since t i ∈ T i J by (3).7.5.Well-foundedness of the structural term ordering.Lemma 7.16.The function a ↦ F a A (∅) is monotone.Proof.Let J a = F a A (∅).We prove by induction on b that, for all a < b, J a ⊆ J b .
).If a = c, then J a ⊆ J b by definition of F A .Otherwise, a < c and, by induction hypothesis, J a ⊆ J c .By Lemma 7.15, J a+1 ⊆ J c+1 .Since J a ⊆ J a+1 by definition of F A , we have J a ⊆ J b .• b is a limit ordinal.Then, J a ⊆ J b by definition of J b .

The functions F a
A provide us with a well-founded relation that is the basis of the wellfoundedness of the structural term ordering when it is instantiated by computable terms: Definition 7.17 (Rank ordering).Let the rank of a term t ∈ A , rk A (t), be the smallest ordinal a such that t ∈ F a A (∅).Then, let t ⊐ u if there is a sort A such that t ∈ A , u ∈ A and rk A (t) > rk A (u).
We now prove that ≻ τ is included in ⊐ and that their union is strongly normalizing on computable terms.Lemma 7.18.If t ∈ A , u ∈ A and t ≻ τ u, then t ⊐ u.
Proof.By definition, we have t ∈ F a A (∅) where a = rk A (t).We can neither have a = 0 nor a be a limit ordinal.So, there is b such that a = b + 1.Hence, Proof.Assume that there is an infinite (≻ τ ∪ ⊐)-decreasing sequence (t i ) i≥0 such that t 0 ∈ T and t i ∶ T i .Then, (T i ) i≥0 is an infinite ≥-decreasing sequence.Since > is well-founded by (typ-sn), there must be some j such that, for all i ≥ j, T i = T j .If T j is a sort then, by Lemma 7.18, (t i ) i≥j is an infinite ⊐-decreasing sequence, which is not possible since ⊐ is well-founded.If T j is not a sort, then (t i ) i≥j is an infinite ≻ τ -decreasing sequence since ⊐ only compares terms of base type.But this is not possible since T ≥ T j and, by assumption, T j satisfies (comp-sn).
We now show that ⊳ a preserves computability, and that the structural term ordering ⊳ X @ is stable by computable substitutions of domain X.Lemma 7.20.If t is computable and t ⊵ a u, then u is computable.
Proof.By induction on the definition of ⊵ a .If t = u, this is immediate.Otherwise, there are f α(f) ∶ ⃗ T → A, ⃗ t ∶ ⃗ T and i ∈ Acc(f) such that t = f(t 1 , . . ., t α(f) )t α(f)+1 . . .t ⃗ T and t i ⊵ a u.Since t is computable, by definition of A , t i is computable.Therefore, by induction hypothesis, u is computable.
Proof.First note that, by Corollary 7.7, Sort A (U ) and Pos(A, U ) ⊆ Pos + (U ).We now proceed by induction on the definition of ⊳ a .Assume that there are T and t i ⊵ a u.By definition, rk A (t) can be neither 0 nor a limit ordinal.Therefore, there must be b such that rk A (t) = b + 1 and t i ∈ T i J .If t i = u, then we are done.Assume now that t i ⊳ a u.Then, there is B such that t i ∶ B. By definition of Acc, B A. By Corollary 7.7, Sort B .Since A occurs in U , we have A B and thus B = A because ⋗ is well-founded by (typ-sn).Hence, by induction hypothesis, there is c such that rk A (t i ) = c + 1 and u ∈ U K , where K(A) = F c A (∅) and K(B) = I(A) if B ≠ A. Therefore, u ∈ U J by Lemma 7.14 since c ≤ b, Sort A (U ) and Pos(A, U ) ⊆ Pos + (U ).Lemma 7.22.If t ⊳ X @ u, σ is computable on X and tσ is computable, then uσ is computable and tσ ⊐ uσ.
7.6.Well-foundedness of CPO with accessible subterms.We now check that type interpretations are computability predicates, and that function symbols are computable.
One can easily check that all the lemmas of Section 6.3 are still valid, as well as the lemmas 6.23 and 6.24 (since they do not depend on (F b _) rules).Therefore, following the proof of Theorem 6.25, we get: Theorem 7.23.For all type T , T is a computability predicate, i.e. satisfies (comp-sn), (comp-red), (comp-neutral) and (comp-lam).
Lemma 7.24.If A is a basic sort, then A = SN A (≻ τ ).
We first prove that every ≻ τ -reduct u of t is computable.Since t ∈ SN A (≻ τ ), we have u ∈ SN U (≻ τ ).By definition of ≻ τ , A ≥ U .Therefore, U is a basic sort and, by induction hypothesis, u ∈ U since A ⋗ U or else A = U and t ≻ τ u.
Hence, if t is neutral, then t ∈ A since A satisfies (comp-neutral).Otherwise, t = f(t 1 , . . ., t α(f) )t α(f)+1 . . .t ⃗ T with f α(f) ∶ ⃗ T → A and Acc(f) ≠ ∅.Let i ∈ Acc(f).Then, Sort A (T i ).Since A is basic, T i = A or T i is a basic sort.In both cases, T i A and T i is a basic sort.Therefore, t i ∈ T i since t i ∈ SN T i (≻ τ ) and A ⋗ T i or else A = T i and t ⊳ t i .
Proof.There are ⃗ U and A such that T ⊆ SN(≻ τ ∪ ⊐).Therefore, by Lemma 6.12, (> F , (≻ τ ∪ ⊐) stat ) lex is wellfounded.We can therefore prove that, for all Since f( ⃗ t)⃗ u is of base type and all its accessible arguments are computable by assumption, it suffices to prove that all its ≻ τ -reducts are computable.To this end, we prove that, for all k ≤ n = ⃗ u , every ≻ τ -reduct of f( ⃗ t)u 1 . . .u k is computable, by induction on k (1).• k = 0.The proof is the same as for Lemma 6.26 except for the new cases: -(F b ⊳) There are i, u ∶ U and v ∶ V such that t i ⊵ s b u ⊵ a v ⪰ τ w.By stability by substitution of ⊵ s b , ⊵ a and ⪰ τ (Lemma 7.9 and 7.11), we have t i = t i σ ⊵ s b uσ ⊵ a vσ ⪰ τ wσ.Since ⃗ t are computable and ⃗ T satisfies (comp-sn), we have ⃗ t ∈ SN(≻ τ ).Since ≻ τ is monotone (Lemma 7.11), we have uσ ∈ SN(≻ τ ).Hence, by Lemma 7.24, uσ is computable and, by Lemma 7.20, vσ is computable.Therefore, wσ is computable since, by Theorem 7.23, V satisfies (comp-red).
The problem is that we do not have c(x) ⊳ {y,z} @ z. Indeed, C is non-strictly positive and the structural term ordering can only handle strictly positive types.
To handle such rules, we know two solutions.The first one is to define the interpretation of C so that rec A C is computable by definition [92,71,11], which is possible since positivity conditions are satisfied.However, this solution lacks flexibility for the user who is forced to define all other functions on C via the recursor.
The second, flexible solution consists in considering types with size annotations (to be interpreted by ordinals) and, in (F b =), compare terms by their size annotations, an approach initiated independently in [53,43] and later developed in various works, e.g.[1,8,9,19].Indeed, assuming that c(x) has type C α+1 , then x has type ¬¬C α and, thus, the bound variable z gets the type C α which size annotation is smaller than the one of c(x).
Including semantics in RPO was pioneered by Kamin and Lévy [60], and extended to HORPO in [22].In both cases, semantics was added by replacing the precedence by a semantic order on terms.The use of size annotations is a different way to include semantics in these orders.These two different ways of including semantics in recursive path orders are however related: both can be seen as an instance of the more general semantic labeling schema [93,48,20].

Small symbols
In this section, we consider a further extension of CPO that originated from some draft version of [55] and try to answer the following general question: can we relax the constraints on the precedence?More precisely, to which extent can a function symbol be smaller than an application or an abstraction?We are going to show that this is indeed possible if the rules governing these small symbols are more restrictive than the ones for big symbols.
We first define the extension of CPO to small symbols, and then show the computability properties including a specific one for small symbols.Unlike before, this will reveal a circularity among the dependencies between the different computability properties, hence strong normalization does not follow.Breaking this circularity will require assumptions on the types of small symbols that are then investigated for practical purposes.It will appear that, for instance, any constructor of a strictly-positive inductive type can be considered a small symbol.
8.1.CPO with small symbols.Definition 8.1 (CPO with small symbols).We assume that the set of function symbols is partitioned into a set F b of big symbols and a set F s of small symbols so that: • no small symbol is greater or equivalent to a big symbol (small-lt-big) • small symbols with arrow output type have no accessible argument (small-acc) We then extend ≻ X by adding the rules of Figure 3.
We will add conditions on the types of small symbols after Definition 8.9 (see Figure 4).
Because of the rules (@F s ) and (F s @), one may think that the relation is not terminating anymore, but this is not the case for typing reasons.Indeed, in contrast with rules for big symbols, rules for small symbols require type checking the recursive calls systematically.
For instance, assume that f ∶ o → o and g 2 ∶ o → o → o.Then, although we have f a ≻ τ g(a, a) by (@F s ) since f a ≻ τ a by (@⊳), we do not hopefully have g(a, a) ≻ τ f a by (F s @) because we do not have g(a, a) ≻ τ f for typing reasons.
On the other hand, there is no rule (F s λ) such that f( ⃗ t) ≻ X λyv if f( ⃗ t) ≻ X v and y ∉ FV(v) because, together with the rule (λF s ), it would lead to non-termination as shown by the following example: given small symbols a ∶ o → o > F b ∶ o, λxb ≻ τ a by (λF s ), and a ≻ τ λxb by (F s λ) since a ≻ τ b by (F s >).It is however possible to have (F s λ) if one removes (λF s ).We choose to present the case of (F s λ) because it seems more useful, but the termination proof can be easily adapted if (F s λ) is replaced by (λF s ).Note however that this does not lead to the same definition for the sets SPos, LPos, . . .(Definition 8.9) studied in Section 8.4.
Two potential improvements are left.First, take a rule (F s ⊳) similar to the rule (F b ⊳) of Figure 2. Second, get rid of the assumption (small-acc), if possible.8.2.Computability properties.Lemma 8.2 (Basic properties).
• ≻ X is stable by substitution away from X.
• If e, e ′ ∈ X , τ (e) = τ (e ′ ), t ≻ X u and e ′ ∉ FV(λeu), then t ≻ X−{e}∪{e ′ } u e ′ e .Keeping the same definitions for neutral terms and the base type interpretation as in Section 6, it is easy to check that Lemma 6.13 and Lemma 6.14 still hold.However, because of the new rules (@F s ) and (λF s ), Corollary 6.17 and Corollary 6.19, hence Lemma 6.16 and Lemma 6.18 reveal new dependencies that require introducing the following new computability property for a set S of terms of type T : Note that big symbols do not need any computability property because they are bigger than everybody else, and therefore other computability properties do not depend upon the computability of big symbols.It follows that they cannot be implied in any circularity.
Proof.The proof is the same as for Lemma 6.15 except for the new case: • (@F s ) w = f(⃗ v), f ∈ F s and (∀i) tu ≻ τ v i .By induction hypothesis, ⃗ v are computable.Since W satisfies (comp-small) by assumption, w is computable.
Proof.As for Corollary 6.17 but using Lemma 8.4 instead.
Lemma 8.6.Let x ∶ U and v ∶ V .Then, λxv is computable if: • for all computable u ∶ U , v u x is computable; • U satisfies (comp-sn) and (comp-red) and contains a variable, which is the case if it satisfies (comp-neutral) too; • V satisfies (comp-sn), (comp-red) and (comp-neutral); Proof.The proof is the same as for Lemma 6.18 except for the new case: By induction hypothesis, ⃗ v are computable.Thus, w is computable since, by assumption, W satisfies (comp-small).
Proof.Assume that f α(f) ∶ ⃗ T → U is small.By assumption, ⃗ T satisfies (comp-sn) and, by Lemma 7.19, ⃗ T ⊆ SN(≻ τ ∪ ⊐).Therefore, by Lemma 6.12, (> F ,(≻ τ ∪ ⊐) stat ) lex is wellfounded when restricted to small symbols.We can therefore prove that, for all (f, ⃗ . We first prove that f( ⃗ t) is computable if all its ≻ τ -reducts so are.If U is a sort, then the result holds since ⃗ t are computable.Otherwise, by (small-acc), Acc(f) = ∅ and f( ⃗ t) is neutral.Therefore, the result holds since U satisfies (comp-neutral) by assumption.
We now prove that every ≻ τ -reduct w ∶ W of f( ⃗ t) is computable by induction on w (2).By definition of ≻ τ , we have U ≥ W .
-U = W .If t i ⊳ ∅ @ v ⪰ τ u j then, by Lemma 7.22, t i ⊐ v and, by Lemma 7.18, v ⊒ u j .Therefore, by transitivity, t i ⊐ u j .Hence, ⃗ t (≻ τ ∪ ⊐) stat(f) ⃗ u and, by induction hypothesis (1), g(⃗ u) is computable.• (F s >) There are g ∶ ⃗ U → W and ⃗ u ∶ ⃗ U such that w = g(⃗ u), (∀i) f( ⃗ t) ≻ τ u i and f > F g.By (small-lt-big), g is small.Since f( ⃗ t) ≻ τ ⃗ u, by induction hypothesis (2), ⃗ u are computable.We distinguish two cases: Can therefore be declared as small, any symbol whose type is of order less than or equal to 2 since its arguments have then a type of order less than or equal to 1.This is in particular the case of the constructors of first-order data types.
More generally, can be declared as small every constructor of a strictly-positive inductive type, whatever its order is, which is the class of inductive types allowed in the Coq proof assistant [54]: Lemma 8.16.Given types ⃗ T and a sort A, SPos A ( ⃗ Proof.By induction on T .
• T = U → V .Then, Sort ⋖A (U ) and V is of the form ⃗ T → A with Sort ⋖A ( ⃗ T ).By Lemma 8.10, NPos A (U ) = ∅.By induction hypothesis, SPos A (V ) = ∅.Therefore, SPos A (T ) = ∅.positive types are not available in Coq because strong elimination rules may cause non-terminating computations in Coq's richer type system [29].Nothing such that can happen in our simple type system in which constructors of non-strictly positive inductive types of order ≤ 2 can be declared as small: Lemma 8.17   But positivity is not always sufficient as shown by the following example.Assume that f ∶ T → A with T = (B → N ) → A, N = (B → A) → B and B < A. The sort A occurs negatively in N and positively in T , which is a 3rd order type.We cannot declare f as small since we do not know how to prove that T satisfies (comp-sn) by using our lemmas.Indeed, to prove that T satisfies (comp-sn), we need to prove that B → N satisfies (comp-neutral) (Lemma 6.13).To prove that B → N satisfies (comp-neutral), we need to prove that N satisfies (comp-lam) (Corollary 8.5).To prove that N satisfies (comp-lam), we need to prove that B → A satisfies (comp-neutral) (Corollary 8.7).To prove that B → A satisfies (comp-neutral), we need to prove that A satisfies (comp-small) (Corollary 8.The higher-order rewrite system plus(0) x → x plus(s(y)) x → s(plus(y) x) times(0) x → 0 times(s(y)) x → plus(times(y) x) x map(F ) nil → nil map(F ) cons(x, v) → cons(F x, map(F ) v)) inc → map(plus(s(0))) double → map(times(s(s(0)))) can be proved terminating with CPO by taking a = b in the type ordering, cons and s as small symbols, the precedence times > F plus, inc > F {map, plus, 0}, double > F {map, times, 0}, and status multiset for all symbols.
We consider the 4th rule, for which we shall use the transitive closure of CPO, and the 6th rule, for which small symbols are needed (for the second rule too).
For the 4th rule, we exhibit the middle term (λz plus(times(y) z) z) x which is smaller than the lefthand side and β-reduces to the righthand side of the rule.
To prove that times(s(y)) x is greater than this middle term, we apply (@=), and since the second arguments are equal, we have to show that times(s(y)) ≻ τ (λz plus(times(y) z) z).Since, both terms have the same type, by (F b λ) and then (F b @), we are left to show times(s(y)) ≻ {z} plus(times(y) z), since times(s(y)) ≻ {z} z holds by (F b X ).For this last check, we apply first (F b >) and then (F b @), since times(s(y)) ≻ {z} times(y) holds by (F b =) and then (F s ⊳), and times(s(y)) ≻ {z} z holds by (F b X ).
For the 6th rule, we apply first (@F s ), which requires to check map(F ) cons(x, v) ≻ τ F x and map(F ) cons(x, v) ≻ τ map(F ) v. Since the types of both sides are equivalent, the first one holds by applying (@=) and then (F b ⊳) to the first argument and (F s ⊳) to the second one.Finally, for map(F ) cons(x, v) ≻ τ map(F ) v, we apply (@=) and then (F s ⊳) to the second argument.

Conclusion
We have defined in this paper a well-founded relation on algebraic lambda-terms following a type discipline accepting simple types in the sense of Church, and inductive types in the sense of Martin-Löf.Further, we could easily cope with (implicitly) universally quantified type variables as in [59], a type discipline called weak polymorphism.
We want to stress that core CPO has reached a point where we cannot expect any major improvement, as indicated by the counter-examples found to our own attempts to improve it.We are in great debt with Cynthia Kop and Femke van Raamsdonk for igniting this quest, by providing us with an example that removing the type check in the rule (F b =) results in losing the well-foundedness property [61].The very existence of these counter-examples supports our conviction that CPO defines an extremely sharp decidable approximation of sets of rules for which there exists a computability predicate.
Of course, all these counter-examples still hold when adding inductive types and small symbols.We did our best to exploit the idea of small symbols as much as possible within our proof frame, but cannot argue that the conditions on the signature of small symbols are all necessary and that the corresponding recursive calls cannot be improved: we did not extend our quest for counter-examples to this question.We finally believe that there is also some room left for improving the accessibility relationship, which is restricted so far to terms headed by a function symbol, possibly applied to extra arguments.
A more challenging problem to be investigated now is the generalization of this new definition to the calculus of constructions along the lines of [91] and the suggestions made in [59], where an RPO-like ordering on types was proposed which allowed to give a single definition for terms and types.Generalizing CPO to dependent types appears to follow the classical route initiated in [49], albeit non-trivial [55].We therefore believe that this work should be applicable to Dedukti [21,79] with limited effort.On the other hand, we have failed so far to generalize CPO to truly polymorphic types: its use in the proof assistant Coq [54] will require much more effort.
Finally, note that HORPO [65] on the one hand, and the notion of computability closure on the other hand [13], have already been formalized in the proof assistant Coq [54].These works could serve as a basis for formalizing the results presented in this paper and develop a termination certificate verifier for CPO.

Example 7 . 1 .
Consider the inductive type O of "Brouwer ordinals" whose constructors are zero ∶ O for zero, suc 1 ∶ O → O for successor, and lim 1 ∶ (N → O) → O for limit, where N is the inductive type of Peano (unary) natural numbers with constructors 0 ∶ N and s 1 ∶ N → N.
For instance, for T = (A → B) → B with A ≠ B, we have Pos(T ) = {ε, 1, 2, 11, 12}, Pos + (T ) = {11, 2}, Pos − (T ) = {12}, Pos(A, T ) = {11} and Pos(B, T ) = {12, 2}.Hence, A occurs only positively in T , but B has both positive and negative occurrences in T .Definition 7.3 (Accessible arguments).For every and we are done with B = A. Assume now that t i ⊳ a u.Then, by induction hypothesis, there are two sorts B and C such that t i ∶ B, C B, Sort C (U ) and Pos(C, U ) ⊆ Pos + (U ).Since Sort A (T i ) and T i = B, we have B A. By transitivity, we get C A. Corollary 7.7.If t ∶ A, t ⊳ a u ∶ U and A occurs in U , then Sort A (U ) and Pos(A, U ) ⊆ Pos + (U ).

7. 2 .
CPO with accessible subterms.Definition 7.10 (CPO with accessible subterms).The relation ≻ X is extended by replacing the rules (F b ⊳) and (F b =) of Figure 1 by the ones of Figure 2.

Theorem 7 . 26 .
The relation ≻ τ of Definition 7.10 is well-founded.Proof.After Theorem 6.11, Theorem 7.23 and Lemma 7.25.7.7.Using semantic comparisons.The extension of CPO described here is still not able to orient the terminating rules defining the recursor of the type C in Example 5.2: Example 7.27.Given an arbitrary type A, the recursor (of arity 3) at type A of the type C of continuations of Example 5.2 has type rec A C ∶ C → A → (¬¬C → ¬¬A → A) → A. Its rewrite rules are the following: rec

Figure 3 :
Figure 3: Additional CPO rules for small symbols(@F s ) tu ≻ X f(⃗ v) if f ∈ F s and (∀i) tu ≻ X τ v i (λF s ) λxt ≻ X f(⃗ v) if f ∈ F s and (∀i) λxt ≻ X τ v i (F s ⊳) f( ⃗ t) ≻ X v if f ∈ F s and (∃i) t i ⪰ τ v (F s =) f( ⃗ t) ≻ X g(⃗ u) if f ∈ F s , f ≃ F g, (∀i) f( ⃗ t) ≻ X τ u i and ⃗ t (≻ τ ∪ ⊳ X @ ⪰ τ ) stat(f) ⃗ u (F s >) f( ⃗ t) ≻ X g(⃗ u) if f ∈ F s , f > F g and (∀i) f( ⃗ t) ≻ X τ u i (F s @) f( ⃗ t) ≻ X u v if f ∈ F s , f( ⃗ t) ≻ X τ u and f( ⃗ t) ≻ X τ v (F s X ) f( ⃗ t) ≻ X x if f ∈ F s and x ∈ X
and t 1 , . . ., t n are terms of type T 1 , . . ., T n respectively, then f(t 1 , . . ., t n ) is a term of type U ; • if t and u are terms of types U → V and U respectively, then tu is a term of type V ;