Certification of Complexity Proofs using CeTA

Nowadays certification is widely employed by automated termination tools for term rewriting, where certifiers support most available techniques. In complexity analysis, the situation is quite different. Although tools support certification in principle, current certifiers implement only the most basic technique, namely, suitably tamed versions of reduction orders. As a consequence, only a small fraction of the proofs generated by state-of-the-art complexity tools can be certified. To improve upon this situation, we formalized a framework for the certification of modular complexity proofs and incorporated it into CeTA. We report on this extension and present the newly supported techniques (match-bounds, weak dependency pairs, dependency tuples, usable rules, and usable replacement maps), resulting in a significant increase in the number of certifiable complexity proofs. During our work we detected conflicts in theoretical results as well as bugs in existing complexity tools.


Introduction
The last decade saw a wealth of techniques for automated termination tools, closely followed by techniques and tools for automated complexity analysis in recent years. In individual proofs, such tools often apply several techniques in combination, making human inspection ever more unrealistic, due to their sheer size. Moreover, the increasing power of automated tools comes at the cost of amplified complexity, reducing reliability; hence the interest in automatic certification of termination and complexity proofs. Whereas our certifier CeTA [18] is already able to certify most proofs generated by current termination tools for term rewrite systems (TRSs), initial support for complexity proofs was added only recently [17]. In this paper we present a significant extension of CeTA towards the certification of complexity proofs. To this end, we formalized several techniques for complexity analysis within the proof assistant Isabelle/HOL [14] as part of our formal library IsaFoR. On top of these general results, we augmented CeTA by corresponding functions that check whether specific applications of techniques, encountered inside automatically generated complexity proofs, are correct.
As a result, the power of CeTA for certifying complexity proofs has almost tripled in comparison to last year [17], and more than 75 % of all tool-generated proofs can be certified.

Preliminaries
We assume basic familiarity with term rewriting (as for example obtained by reading the textbook by Baader and Nipkow [3]) but shortly recall some basic notions and notations that are used later on. By T(F, V) we denote the set of (first-order) terms w.r.t. a signature F and a set of variables V, and by T(F) the set of ground terms. We write root(t) for the root symbol of a non-variable term t. The size |t| of a term t is defined by |x| = 1 for t = x ∈ V, and $|f(t_1, \dots, t_n)| = 1 + \sum_{i=1}^{n} |t_i|$, otherwise. A (multihole) context is a term that may contain an arbitrary number of holes, represented by the special symbol . Replacing the holes in a given multihole context C by terms t_1, …, t_n is written C[t_1, …, t_n]. (At this point it might be worth mentioning that in our formalization we have to make sure that the number of holes in C corresponds to the number of terms n. For simplicity's sake we do not make this explicit in the remainder.) Whenever s = C[t] for some context C ( = ), then t is called a (proper) subterm of s. We write tσ for the application of a substitution σ to a term t.
A TRS R is a set of (rewrite) rules, where a rule → r is a pair of terms such that ∉ V and only variables already occurring in are allowed in r. The defined symbols of R, written D(R), are those symbols that are roots of left-hand sides of its rules. We use Fun(•) to denote the set of function symbols occurring in a given term, context, or TRS. A TRS is left-linear (non-duplicating) if and only if for all rules → r ∈ R, no variable occurs more than once in (more often in r than in ).
The standard way of uniquely referring to subterms is via positions, denoted by lists of natural numbers. The subterm of a term t at position p is written t|_p. We use ≤ for the usual partial order on positions, and denote by p || q that positions p and q are parallel, i.e., incomparable by ≤. The strict part of ≤ is denoted by <.
There is a rewrite step from term s to term t w.r.t. the rewrite relation induced by TRS R, denoted s →_R t, whenever there are C, σ, and → r ∈ R such that s = C[σ] and t = C[rσ]. Equivalently, we say that s rewrites to t at position p, where p is the unique position of in C. The subterm σ above is called an (R-)redex. Terms not containing any R-redexes are called R-normal or normal forms, and we write NF(R) for the set of all R-normal forms. We sometimes use the same notion not only for TRSs but also for sets of terms, since right-hand sides of rules are irrelevant for the existence of redexes anyway.
For termination analysis, Q-restricted rewriting (named after the additional parameter, a set of terms, which is usually denoted Q) was introduced in order to cover full rewriting and innermost rewriting (as well as variations that lie somewhere in between) under a single framework [9]. Here, a rewrite step is Q-restricted if its redex σ additionally satisfies the condition that all its proper subterms are Q-normal, i.e., do not match any term in Q (in that way standard rewriting is Q-restricted rewriting with empty Q, and for innermost rewriting we take the left-hand sides of R as Q). This proves convenient also for complexity analysis and its notions of runtime complexity and innermost runtime complexity. Additionally, relative rewriting is important for complexity analysis, since it can be employed to obtain modular proofs. A relative rewrite system consists of two TRSs S and W, and is denoted by S/W. The corresponding relative rewrite relation is written →_{S/W}. Note that we fix the same Q for "strict" and "weak" steps, which is sufficient for our purposes. Given a binary relation → and a set A, we define →(A) = {b | ∃a ∈ A. a → b}.

A Framework for Modular Complexity Proofs
In complexity analysis of TRSs we are usually interested in the maximal number of steps that are possible when starting from a given set of terms. To this end, the basic ingredient of our formalization is the derivation bound (defined in theory Complexity; see also [17]), where a function g constitutes a derivation bound of relation R w.r.t. starting elements from a family of sets S, written $\mathrm{db}^{S}_{R}(g)$, if and only if for every n ∈ N and x ∈ S_n, every sequence of R-steps starting at x is of length at most g(n). The intuition is that S_n contains "objects" of size n. This, more or less, corresponds to the usual notion of complexity. To be more precise, Avanzini and Moser [2] define cp(n, T, R) = max{dh(t, R) | ∃t ∈ T. |t| ≤ n}, where dh denotes the derivation height of a term, and derivational complexity as well as runtime complexity are obtained by suitably instantiating T and R. However, as argued earlier [17], using the derivation bound g as argument avoids undefined situations that arise with the usual definition, e.g., taking the maximum of a potentially infinite set. Whenever cp(n, T, R) is defined, we have $\mathrm{db}^{S}_{R}(g)$ with S_n = {t ∈ T | |t| ≤ n} and g(n) = cp(n, T, R), as well as h(n) ≥ cp(n, T, R) for all other derivation bounds h. That is, our bounds are not tight, but arbitrary upper bounds.
Depending on the set of starting elements, we obtain the usual notions of derivational complexity and runtime complexity, respectively. For the former we consider all terms of size n w.r.t. a given signature F, whereas the latter is based on basic terms of size n. Given two sets of function symbols D (defined symbols) and C (constructors), and a set of variables V, the set of basic terms BT(D, C, V) consists of those terms which are rooted by a symbol from D and where all arguments are terms of T(C, V). At this point we would like to mention that there are conflicting notions of basic terms: Hirokawa and Moser [10] and Noschinski et al. [15] use the above definition of basic terms. In contrast, Avanzini [1] additionally restricts basic terms to be ground, intending that constructor ground terms correspond to values, and thus, basic terms correspond to function application on input values. Since IsaFoR does not enforce basic terms to be ground, every (upper) derivation bound that is certified by CeTA also is valid w.r.t. Avanzini's notion of basic terms. However, there might be valid derivation bounds w.r.t. the ground semantics which cannot be certified in the non-ground setting (cf. Example 1): Then there are only two basic ground terms, f(a) and g(a). Since the longest innermost derivation starting from these terms is of length 3, R has constant innermost runtime complexity w.r.t. ground basic terms. But there is an infinite innermost derivation starting from the non-ground basic term g(x).
We adopt the following notions from Avanzini and Moser [2]. A (complexity) problem P = S/W, Q, T consists of two TRSs S, W, and two sets of terms Q, T. We assess the complexity of a problem P by a (complexity) judgment of the form P : g, which is valid whenever g is a bound for (Q-restricted) →_{S/W}-derivations starting from T. For sets of functions G we define that P : G is valid whenever P : g is valid for some g ∈ G. Often, G is an asymptotic complexity class like O(n^3). A (complexity) processor turns a given judgment P : G into a list of judgments P_1 : G_1, …, P_n : G_n. It is sound whenever the validity of each of the P_i : G_i also implies validity of P : G. A processor is terminal if the returned list of judgments is empty.
The problem P is called a runtime complexity problem if T = BT(D, C, V), with S and W not defining any constructor in C, i.e., D(S ∪ W) ∩ C = ∅. The problem P is called an innermost problem if NF(Q) ⊆ NF(S ∪ W). In this case, the Q-restricted relation →_{S/W} is a composition of innermost rewrite steps with respect to S ∪ W.
As a first example processor, we formulate a theorem by Zankl and Korp [20, Thm. 3.6] within our framework which admits modular complexity proofs.
Theorem 2 (Split Processor). Let P = S_1 ∪ S_2/W, Q, T be a complexity problem and define P_1 = S_1/S_2 ∪ W, Q, T and P_2 = S_2/S_1 ∪ W, Q, T. The split processor translates the judgment P : O(g) into the judgments P_1 : O(g) and P_2 : O(g).
The split processor is sound.
Example 3. The split processor is used whenever rules should be shifted from the strict into the weak component, e.g., when applying match-bounds for relative rewriting or when using orderings. As an example, consider a TRS with rules numbered from 1 to 5 where cubic complexity has been proven. In the proof, first rules 2, 3, and 4 have been oriented strictly and rules 1 and 5 are oriented weakly by some ordering o_1 with quadratic complexity. Afterwards rule 1 could be moved into the weak component by match-bounds, and finally rule 5 is oriented strictly by some ordering o_2 with cubic complexity, where the remaining rules 1 to 4 are oriented weakly. This proof is restructured via split as follows. First, the initial complexity judgment {1, 2, 3, 4, 5}/∅, Q, T : O(n^3) is split into {2, 3, 4}/{1, 5}, Q, T : O(n^3) and {1, 5}/{2, 3, 4}, Q, T : O(n^3) by the split processor, where the former judgment is validated via o_1. The latter complexity problem is split again into {1}/{2, 3, 4, 5}, Q, T : O(n^3) and {5}/{1, 2, 3, 4}, Q, T : O(n^3), where the former judgment is validated via match-bounds, and the latter one via o_2.
The example demonstrates that via splitting it suffices to restrict match-bounds and orderings to terminal complexity processors.This is the reason why we present both techniques as terminal processors in Sections 4 and 6.

Match-Bounds
The match-bounds technique was introduced as a termination method by Geser et al. [7]. We shortly recapitulate the main underlying ideas, before explaining our formalization (theory Matchbounds) and the necessary adaptations to use it for complexity analysis [19, 20].
Let F be a signature containing at least one constant.For match-bounds, F is expanded such that symbols are labeled by natural numbers, i.e., F = F × N.Moreover, we define auxiliary functions base : T (F , V) → T (F, V), lift d : T (F, V) → T (F , V), and lab : T (F , V) → 2 N , where base removes all labels of a term, lift d labels all symbols of a term by d, and lab returns the set of labels of a term.For a non-duplicating TRS R over signature F we construct the TRS R = match(R) over F .
Then for left-linear R, every rewrite step s → R t can be simulated by a step s → R t with base(t ) = t, provided base(s ) = s.Hence, every (possibly) infinite derivation (2) gives rise to a step-wise simulation (3) provided base(t 0 ) = t 0 , which is ensured by choosing t 0 = lift 0 (t 0 ).
As the next step, a function mul maps every term t_i to the multiset of negated labels, where by construction of match(R) every step with R results in a strict decrease w.r.t. the standard multiset order >_ms on the integers, and thus we can construct (4) from (3). Let us assume that the initial term t_0 is ground. Then t_0 = lift_0(t_0) implies that the initial term in (3) is always a member of T(F × {0}). We now try to find some bound b ∈ N, such that →*_R(T(F × {0})) ⊆ T(F × {0, …, b}). If this succeeds, then the labels in derivation (3) are bounded by b, and hence, all numbers in (4) are in the range −b, …, 0. Since > is well-founded on this domain, so is >_ms. Hence, (4) cannot be infinite, and therefore, also (3) and (2) cannot be infinite, proving termination of R on ground terms. Moreover, since F contains at least one constant, termination on ground terms implies termination on all terms.
In total, we formalized the following theorem for termination analysis.
Theorem 4. If R is a non-duplicating, left-linear TRS over signature F, and there is some language L satisfying →*_R(lift_0(T(F))) ⊆ L ⊆ T(F × {0, …, b}), then R is terminating.
Here, non-duplication is essential in the step from (3) to (4), and left-linearity is required to ensure the one-step simulation property (Lemma 5). The language L usually comes in the form of a finite automaton which has been constructed via tree automata completion [6].
and base(s ) = s, then there exists a term t such that s →_R t and base(t
The lemma is straightforward to prove on paper, and also its formalization posed no difficulties. Actually, it is no longer present, since IsaFoR now includes a full proof of a more general result by Korp and Middeldorp [12, Lemma 12], applying also to non-left-linear TRSs. It is the essential ingredient to obtain (3) from (2).
Concerning the step from (3) to (4), in the formalization we already require the bound b at this point. This allows us to include an index shift in mul, so that each label i is mapped onto b − i ∈ N. Then the parameter > of >_ms in (4) is the standard order on natural numbers.
In order to certify match-bounds proofs (which are required to contain L in the form of an automaton), CeTA must be able to check left-linearity and non-duplication, as well as that the given automaton indeed accepts all terms in →*_R(T(F × {0})). For the latter, we make use of earlier work by Felgenhauer and Thiemann [5], and for the former, we rounded off Isabelle/HOL's existing theory on multisets by algorithms for comparing multisets (since a rule is non-duplicating if and only if the multiset of variables of its right-hand side is a subset of the multiset of variables of its left-hand side).
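The syntactic side conditions CeTA has to check here, as an added example that is not IsaFoR/CeTA code: left-linearity and non-duplication are decided on variable multisets exactly as described above, together with term size and basic terms from the preliminaries; the term encoding and the sample TRSs are this example's own constructions.

```python
from collections import Counter

# Added example, not IsaFoR/CeTA code. Terms are encoded as: a variable is a
# Python str, an application f(t_1, ..., t_n) is a tuple (f, [t_1, ..., t_n]);
# a constant is (c, []). A TRS is a list of (lhs, rhs) pairs.


def is_var(t):
    return isinstance(t, str)


def size(t):
    """|x| = 1 and |f(t_1, ..., t_n)| = 1 + sum of |t_i|."""
    if is_var(t):
        return 1
    return 1 + sum(size(a) for a in t[1])


def var_multiset(t):
    """Multiset of variable occurrences in t (a Counter maps x to its count)."""
    if is_var(t):
        return Counter({t: 1})
    acc = Counter()
    for a in t[1]:
        acc.update(var_multiset(a))
    return acc


def is_rule(lhs, rhs):
    """lhs must not be a variable and rhs may only use variables of lhs."""
    return not is_var(lhs) and set(var_multiset(rhs)) <= set(var_multiset(lhs))


def left_linear(trs):
    """No variable occurs more than once in any left-hand side."""
    return all(all(n == 1 for n in var_multiset(l).values()) for l, _ in trs)


def non_duplicating(trs):
    """Multiset inclusion vars(rhs) <= vars(lhs) for every rule: no variable
    occurs more often in the right-hand side than in the left-hand side."""
    return all(
        all(n <= var_multiset(l)[x] for x, n in var_multiset(r).items())
        for l, r in trs
    )


def defined_symbols(trs):
    """D(R): root symbols of left-hand sides."""
    return {l[0] for l, _ in trs}


def is_basic(t, defined, constructors):
    """t in BT(D, C, V): rooted by a defined symbol, all arguments in T(C, V)."""
    def constructor_term(u):
        return is_var(u) or (
            u[0] in constructors and all(constructor_term(a) for a in u[1])
        )
    return (not is_var(t) and t[0] in defined
            and all(constructor_term(a) for a in t[1]))


def match_bounds_applicable(trs):
    """Syntactic preconditions of the match-bounds theorems: a proper TRS that
    is left-linear and non-duplicating."""
    return (all(is_rule(l, r) for l, r in trs)
            and left_linear(trs) and non_duplicating(trs))


# Constructed sample systems (not from the paper).
ZERO = ("0", [])
PLUS = [
    (("plus", [ZERO, "y"]), "y"),
    (("plus", [("s", ["x"]), "y"]), ("s", [("plus", ["x", "y"])])),
]
DBL = PLUS + [(("dbl", ["x"]), ("plus", ["x", "x"]))]   # duplicating rule
EQ = [(("eq", ["x", "x"]), ("true", []))]                # not left-linear

if __name__ == "__main__":
    for name, trs in ("PLUS", PLUS), ("DBL", DBL), ("EQ", EQ):
        print(name, "left-linear:", left_linear(trs),
              "non-duplicating:", non_duplicating(trs),
              "match-bounds applicable:", match_bounds_applicable(trs))
```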
In case F does not contain a constant, e.g., in case of string rewrite systems, CeTA does an automatic preprocessing step, which invents a fresh constant, includes it into the signature, and adjusts the automaton accordingly.
In the remainder of this section, we adapt Theorem 4 and the corresponding formalization towards complexity analysis, following Zankl and Korp [19,20].
The first step is to integrate complexity bounds into (2), (3), and (4), starting from (4). Given a term of size n, the initial value mul(t_0) is the multiset containing n times the value b. However, this does not immediately give a nice bound on the length of (4), since >_ms does not impose any bound on the length of derivations w.r.t. the initial multiset: {{1}} >_ms {{0, …, 0}} >_ms ⋯ >_ms {{0}} >_ms ∅. Thus, we replace >_ms by >_{ms,k} in (4), where >_{ms,k} is a bounded version of >_ms such that at most k elements may be added in each comparison. Of course, we have to substitute >_{ms,k} (with suitable k) for >_ms in all previous proofs. Doing so within the formalization was an easy task: take k ≥ 1 as the maximum size of right-hand sides of R. After this adaptation, it is shown that the length of >_{ms,k}-sequences is linearly bounded, using a result by Dershowitz and Manna [4, page 191]. To be more precise, we formalized that $X >^{n}_{ms,k} Y$ implies $n \le \sum_{x \in X} (k+1)^{x}$, leading to the linear bound. Recall that mul(t_0) = {b, …, b} where the number of b's is |t_0|. Hence, sequence (4) can be of length at most |t_0| · (k + 1)^b. As an immediate consequence we conclude that also (3) and (2) are linearly bounded.
In total, we get the following result which is used in CeTA to check complexity proofs via match-bounds, where T_gnd is the set of all ground terms in T. The restriction to ground terms is possible at this point (in contrast to Example 1) as Q is ignored in the analysis.
Theorem 6. Let P = R/∅, Q, T be a complexity problem. If R is a non-duplicating and left-linear TRS over signature F, and there is some language L satisfying →*_R(lift_0(T_gnd)) ⊆ L ⊆ T(F × {0, …, b}), then P : O(n).
The next step is to integrate relative rewriting. The main idea to handle weak rules is to use a modified version of match, which only has to ensure a decrease w.r.t. the weak multiset order ≥_{ms,k}. To this end, Zankl and Korp [19] define match-rt as in (1) except that the value of d in (1) is sometimes reduced. If | | ≥ |r| and all labels in are identical, then d is min(lab( )) instead of 1 + min(lab( )). Hence, in some cases it is not required to increase the labels at all, and thus, it is more likely that a bound on the labels can be obtained. In order to integrate match-rt into IsaFoR we could mostly reuse or slightly generalize the existing proofs.
Zankl and Korp give another optimization of match-rt, integrating the bound b: match-rt_b is defined in the same way as match-rt, except that lift_d(r) is replaced by lift_{min(b,d)}(r), which results in even smaller labels than match-rt, but which is restricted to non-collapsing strict rules. In total, we have formalized the following theorem.
Theorem 7. Let P = S/W, Q, T be a complexity problem. Let S ∪ W be a non-duplicating and left-linear TRS over signature F. Assume that R = match(S) ∪ match-rt(W), or both R = match(S) ∪ match-rt_b(W) and S is non-collapsing. If there is some language L satisfying →*_R(lift_0(T_gnd)) ⊆ L ⊆ T(F × {0, …, b}), then P : O(n).
Note that Q is completely ignored in Theorem 7, since the whole analysis does not take the strategy into account. In fact, the theorem was first proven for Q = ∅, while the above statement including Q follows from the inclusion of the Q-restricted relation →_{S/W} in the unrestricted one. The sole reason for this naive integration of Q was to support match-bounds on innermost problems in the first place. An alternative might be a dedicated processor that transforms S/W, Q, T into S/W, ∅, T.
When integrating match-rt_b in the formalization, we encountered two problems. First, we wanted to get rid of the choice in Theorem 7 and always use the better match-rt_b variant. The reason for this aim was that, while the non-collapsing condition on S appears inside their proofs, Zankl and Korp [20] did not state that its absence violates the main theorem. This is now shown by a counterexample.
Without the non-collapsing condition within Theorem 7 one would be able to conclude linear derivational complexity of S/W, a contradiction.
Hence, the choices in Theorem 7 are really incomparable, and for certification it would be best to include both.Which brings us to the second problem: we did not want to copy and paste the existing proof for match-rt, and then incorporate all the tiny modifications that are required for match-rt b .Thus, in IsaFoR we defined an auxiliary relation covering all of match, match-rt, and match-rt b , and formalized the main proof step only once.
Currently, CeTA always chooses match-rt_b for non-collapsing S, and match-rt otherwise, the same as in current complexity tools.

Certifying Weak Dependency Pairs and Dependency Tuples
The dependency pair framework [9] is a popular setting for termination analysis. Since dependency pairs (DPs for short) in their original definition are not suitable for ensuring small (i.e., polynomial) derivation bounds [13], two variants have been developed. Hirokawa and Moser [10] introduced weak dependency pairs (WDPs for short). In general however, one cannot concentrate on counting WDP steps alone. Rather, one also has to take the number of interleaved steps w.r.t. the original TRS into account. Overcoming this complication, Noschinski et al. [15] introduced a variation, called dependency tuples (DTs for short). The DT transformation is however only applicable to innermost problems and it is not complete, so that (non-confluent) TRSs with polynomial complexity can be turned into complexity problems of exponential complexity. Both WDPs and DTs enjoy nice properties that enable us to restrict to usable rules and limit the monotonicity requirements for reduction pairs, which we discuss later. Since the two techniques are incomparable but both used in modern complexity tools, we provide a formalization of both in IsaFoR. To be more precise, we have formalized the corresponding complexity processors of Avanzini and Moser [2], which, unlike DPs, allow us to apply WDPs and DTs also to relative problems.
As a case study, we decided to perform two different styles of proof: For DTs, we stuck more to the original paper proof, where parallel positions are used to point to subterms that are potential redexes; while for WDPs, we instead focused on contexts around potential redexes.The former requires us to reason about valid positions, whereas the latter makes it necessary to explicitly manage properties of contexts.Although both paper proofs are of comparable length, in our formalization the theories on WDPs are around 30 % shorter than those on DTs (see also DT_Transformation(_Impl) and WDP_Transformation(_Impl)).We suspect that this is not mere coincidence, but caused by the fact that contexts can be mostly treated via explicit recursive functions, while positions require a different style of proof that is not as amenable to automation.
For the remainder of this section, we fix a runtime complexity problem S/W, Q, T over signature F. For each f ∈ F, let f be a function symbol fresh with respect to F. For a term t we denote sharping its root symbol by (t), where (x) = x and (f(t_1, …, t_n)) = f(t_1, …, t_n). Sharping is homomorphically extended to sets and lists of symbols and terms.

Weak Dependency Pairs
We start with our formalization of WDPs as defined by Hirokawa and Moser [10].
Definition 9. Let R be a TRS with defined symbols D(R). For every rule → r ∈ R, let WDP( → r) denote the new rule ( ) → COM( (u_1), …, (u_n)), where u_1, …, u_n are the maximal subterms of r that are either variables or have a root symbol in D(R). Then the weak dependency pairs of R are defined by WDP(R) = {WDP( → r) | → r ∈ R}.
In the above definition COM denotes a "function" that assigns fresh function symbols of appropriate arity to a given list of terms (a common optimization is to omit such symbols in case the argument list is a singleton, i.e., COM(t) = t). The symbols generated in this way are called compound symbols. Note that Definition 9 implies that for each rule → r there is a unique ground context C such that r = C[u_1, …, u_n]. This is captured by the following two functions, where C is a set of symbols, which is supposed to contain the compound symbols and the constructors of S ∪ W, that is disjoint from sharped F-symbols and the defined symbols of S ∪ W, i.e., (D(S ∪ W) ∪ (F)) ∩ C = ∅. Intuitively, max_D(t) results in the list of maximal subterms of t that are either variables or have a root not in C (the latter usually implies that the root is a defined symbol; hence the notation), whereas cap_D(t) computes the surrounding context. Together these two functions constitute a unique decomposition of a given term t, satisfying the property t = (cap_D(t))[max_D(t)].

For certification we never actually have to construct the set of WDPs. Instead it suffices to check whether a given pair of terms (p, q) constitutes a WDP for a given rule → r. This is done via a predicate. In preparation for later results, we somewhat ambiguously use WDP(R) for R ⊆ S ∪ W to denote an arbitrary set of rules (to be provided by the certificate) that is obligated to contain a WDP for each rule in R.

The main ingredient for soundness of WDPs is a simulation lemma that states that when two terms are in a certain relation, then every R-rewrite sequence starting from the first term can be simulated by a WDP(R) ∪ R-rewrite sequence starting from the second one. The mentioned relation is crafted to fit the definition of WDPs. Intuitively, it relates terms whose respective maximal defined subterms (computed by max_D) only differ by sharp symbols. We write s_1, …, s_n ≤ t_1, …, t_n when for each i ≤ n we have that either s_i = t_i or (s_i) = t_i. Then the informal statement from above can be formalized as follows. We borrow the terminology good for from Avanzini [1], although the above definition slightly differs from the original one. As indicated above, its intuition is that two related terms have the same redexes (or rather an over-approximation, namely, subterms with defined root) where in addition those in the left term may be sharped.
Before we state the main lemma, we give some useful properties of max D .
Lemma 11. Let t be a term with max_D(t) = t_1, …, t_n. Then:
In the main simulation lemma below, Q is extended to a set of terms Q taking extensions of the signature F (by sharped and compound symbols) into account. In particular, the assumption on Q ensures that innermost problems are translated to innermost problems, thereby allowing a proof-in-progress to continue with techniques that are specific to the innermost case. The following lemma shows that this does not pose any problems for rewriting, where 5), we obtain a term q and a ground context E with ( ( ), q) ∈ WDP(R) and

Lemma 12. Every term t with
. ., qσ, . . ., u n ] = v together with Lemma 12 (and noting that u is a proper subterm of ( )σ if and only if u is a proper subterm of σ).Moreover, let max D (r) = r 1 , . . ., r k , E j = cap D ( (r j )σ), and Then we can again employ the original rule → r.
and v t in a similar fashion as in the previous case.
At this point, we obtain a simulation property for relative rewriting as an easy corollary.
Theorem 15 (WDP Processor). Let P = S/W, Q, T be a runtime complexity problem. Then the WDP processor transforms P into P = WDP(S) ∪ S/WDP(W) ∪ W, Q , (T ) for an arbitrary Q ⊆ Q ∪ Q^{¬F}, and P : G implies P : G.
Proof. Assume P : g for some g ∈ G. Moreover, for the sake of a contradiction, assume that there is a term s ∈ T of size n and a (Q-restricted) rewrite sequence s →^m_{S/W} t of length m > g(n). Since s ∈ T, we have (s) ∈ T and trivially (s) is good for s. Moreover, by Corollary 14, we obtain a term v with (s) →^m_{WDP(S) ∪ S / WDP(W) ∪ W} v (Q-restricted), thereby contradicting the initial complexity judgment.
Remark. Note that when P is an innermost problem, by setting Q = Q ∪ (Q) the WDP processor generates again an innermost problem. In contrast, Avanzini and Moser [1, 2] set Q to Q, thereby not retaining the innermost status as claimed.

Dependency Tuples
According to Theorem 15, we cannot focus on applications of weak dependency pairs in WDP(S) alone, but also have to account for applications of rules from S. This may have severe consequences for a proof-in-progress. In the case of reduction pairs for instance, rather strict monotonicity requirements have to be imposed even after the WDP transformation. DTs overcome this weakness, but the corresponding transformation is sound only on innermost problems. In contrast to WDPs, which capture outermost calls, a DT captures all calls in a rule. The following definition is due to Noschinski et al. [15].
Definition 16. Let R be a TRS with defined symbols D(R). For every rule → r ∈ R, let DT( → r) denote the new rule ( ) → COM( (u_1), …, (u_n)), where u_1, …, u_n are all subterms of r that have a root symbol in D(R). Then the dependency tuples of R are defined by DT(R) = {DT( → r) | → r ∈ R}.
As for weak dependency pairs, our formalization uses a predicate to decide whether a pair of terms (p, q) constitutes a dependency tuple of a rule → r. For a term t, let Pos_D(t) denote the set of positions of subterms rooted by defined symbols of S ∪ W.
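Definitions 9 and 16 together with the max_D/cap_D decomposition, as an added example that is not IsaFoR/CeTA code: it builds the WDP and the DT of a rule, checks a certificate pair (p, q) against a rule in the spirit of the predicate described above, and verifies t = cap_D(t)[max_D(t)]. The term encoding, the symbol names, and writing f# for the sharped symbol of f are this example's own assumptions.

```python
# Added example, not IsaFoR/CeTA code. Terms: a variable is a str, an
# application is (symbol, [args]). "f#" stands for the sharped symbol of f
# and ("[]", []) for a hole; both are this example's own notation.

HOLE = ("[]", [])


def is_var(t):
    return isinstance(t, str)


def sharp(t):
    """Sharp the root symbol: sharp(x) = x, sharp(f(ts)) = f#(ts)."""
    return t if is_var(t) else (t[0] + "#", t[1])


def max_d(t, c_syms):
    """max_D(t): maximal subterms of t that are variables or whose root is not in C."""
    if is_var(t) or t[0] not in c_syms:
        return [t]
    return [u for a in t[1] for u in max_d(a, c_syms)]


def cap_d(t, c_syms):
    """cap_D(t): the context above max_D(t), one hole per maximal subterm."""
    if is_var(t) or t[0] not in c_syms:
        return HOLE
    return (t[0], [cap_d(a, c_syms) for a in t[1]])


def plug(ctx, terms):
    """C[t_1, ..., t_n]: fill the holes left to right; the number of holes
    must equal the number of terms, as required in the paper's formalization."""
    queue = list(terms)

    def go(c):
        if c == HOLE:
            return queue.pop(0)          # IndexError: more holes than terms
        return c if is_var(c) else (c[0], [go(a) for a in c[1]])

    result = go(ctx)
    if queue:
        raise ValueError("more terms than holes")
    return result


def wdp_subterms(r, defined):
    """Definition 9: maximal subterms of r that are variables or D-rooted."""
    if is_var(r) or r[0] in defined:
        return [r]
    return [u for a in r[1] for u in wdp_subterms(a, defined)]


def dt_subterms(r, defined):
    """Definition 16: all D-rooted subterms of r, in position order."""
    if is_var(r):
        return []
    here = [r] if r[0] in defined else []
    return here + [u for a in r[1] for u in dt_subterms(a, defined)]


def com(terms, fresh="c"):
    """COM: wrap the list in a fresh compound symbol, omitted for singletons."""
    return terms[0] if len(terms) == 1 else (fresh, terms)


def wdp(rule, defined):
    l, r = rule
    return (sharp(l), com([sharp(u) for u in wdp_subterms(r, defined)]))


def dt(rule, defined):
    l, r = rule
    return (sharp(l), com([sharp(u) for u in dt_subterms(r, defined)]))


def is_wdp(p, q, rule, defined, signature):
    """Certificate check: is (p, q) a WDP of rule? The compound symbol is the
    tool's choice, so only its freshness w.r.t. F and sharped F is checked."""
    l, r = rule
    expected = [sharp(u) for u in wdp_subterms(r, defined)]
    if p != sharp(l):
        return False
    if len(expected) == 1 and q == expected[0]:
        return True                      # COM(t) = t optimization
    fresh = (not is_var(q) and q[0] not in signature
             and q[0] not in {f + "#" for f in signature})
    return fresh and q[1] == expected


# Constructed sample: f and g defined, s a constructor; rule f(s(x)) -> g(f(x)).
D = {"f", "g"}
SIG = {"f", "g", "s"}
RULE = (("f", [("s", ["x"])]), ("g", [("f", ["x"])]))

if __name__ == "__main__":
    print("WDP:", wdp(RULE, D))   # the nested call f(x) stays unsharped
    print("DT: ", dt(RULE, D))    # every defined call is collected
```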
In the following, we use the notation DT(R) where R ⊆ S ∪ W, for a set satisfying the analogue of the WDP(R) requirement above. In the remainder, we provide a simulation lemma akin to Lemma 13 for DTs. For a term s, let RPos(s) denote the restriction of Pos_D(s) to redex positions. Closely following the proof by Avanzini [1], we use the following notion of good for.
Definition 17. A term t is good for a term s, written t ≫ s, if and only if Fun(s) ⊆ F and there is a context C such that t = C[(s|_{q_1}), …, (s|_{q_k})] for positions {q_1, …, q_k} = RPos(s).
We now show that each of length n can be simulated by a corresponding derivation of DT(R) relative to R, of length n.In the proof of the central simulation lemma, we use the following key observations.
The whole formalization of this theorem via usable symbols, including definitions, occupies only 100 lines, without having to reuse existing results on usable rules in IsaFoR. This is in contrast to IsaFoR's integration of the variant of usable rules used in AProVE, cf. the end of Section 5.1 in [15]. Here, usable rules are based on unification and normal form checks, but only work for innermost rewriting. In this part of the formalization, we heavily reused the existing results for termination, and only little had to be added w.r.t. complexity analysis. As an example, for complexity with its relative rewrite relation, it was required to switch between a sequence of S/W-steps and a sequence that explicitly lists every single step in each relative →*_W · →_S · →*_W-step. Since both variants of usable rules are incomparable, CeTA supports both. The certificate just requires the set of usable rules. It is then automatically inferred which of the two variants of usable rules is applicable.
Even fewer usable rules are obtained when employing argument filters from reduction pairs, a well-known technique from termination analysis. This technique has already been adapted for complexity, but we did not find any details in the literature. Thus, in the remainder of this section, we clarify how usable rules, reduction pairs, argument filters, and usable replacement maps can be combined. The upcoming theorem generalizes and improves existing complexity results on reduction pairs ([1, Thm. 14.10], [11, Cor. 20], and [15, Thm. 26]), since usable replacement maps can simulate safe reduction pairs of [11], cf. [1, Lemma 14.34].
Before presenting the main theorem, we first recapitulate the notion of usable replacement maps ([1, Def. 14.5] and [11, Def. 8]). These mainly indicate a superset of all positions where redexes may occur within terms of a derivation. To be more precise, for a replacement map µ, two TRSs R and R , and two sets of terms Q and T, µ is a usable replacement map
Sufficient criteria to estimate usable replacement maps have been described in [11] for full and innermost rewriting, and in [1, Lemma 14.34] for WDPs and DTs, where currently CeTA only supports innermost rewriting, WDPs and DTs.
We will first present the main theorem, and then explain its ingredients and how to apply it. Here, a complexity pair ( , ) consists of two partial orders which are both closed under substitutions, which are compatible ( • • ⊆ ) and where is reflexive. A reduction pair is a complexity pair where is closed under contexts and is strongly normalizing.
Theorem 25. Let S/W, Q, T be an innermost runtime complexity problem with T = BT(D, C, V). Define R = S ∪ W. Let µ_S, µ_W be replacement maps, let π be an argument filter, let U be a set of usable rules, and let ( , ) be a complexity pair. If all of the following conditions are satisfied, then U is closed under right-hand sides of usable rules w.r.t. R for both µ_S and π ∩ µ_W.

7. /∅, ∅, T : G

In the theorem, we have two replacement maps µ_S and µ_W for the strict and weak rules as in [1, Thm. 14.10], but additionally there is the usual argument filter π, indicating the argument positions ignored by the order, which is used to reduce the set of usable rules. Let us shortly walk through all conditions of the theorem.
1. π is the standard argument filter as known from termination proofs via reduction pairs, e.g., if [f(x₁, x₂, x₃)] = 2x₂ + ½x₃, then π(f) = {2, 3}.
2. Both µ_S and µ_W are estimated usable replacement maps, which can be computed by one of the methods above, where especially [1, Lemma 14.34] is often only applicable to generate µ_S.
3. The maps µ_S and µ_W indicate at which positions redexes may occur, and hence the corresponding orders must be monotone w.r.t. these positions.
4. Only usable rules have to be oriented by the complexity pair.
5. In the generation of usable rules, one starts by including all rules which have basic terms on their left-hand sides,
6. and then performs the closure of usable rules w.r.t. an argument filter as in [16].
7. Finally, one extracts the derivation bound from the strict order, and eventually derives the same bound for the input complexity problem.
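The following Python script is an added example, not code from the paper, IsaFoR or CeTA. It implements conditions 1, 5 and 6 above on a small constructed problem: an argument filter is derived from a linear interpretation by keeping exactly the positions with non-zero coefficient (as in the [f(x₁, x₂, x₃)] = 2x₂ + ½x₃ case), the usable rules are seeded with all rules whose left-hand side is a basic term, and the set is then closed under the function symbols occurring in right-hand sides at positions kept by the filter. The TRS, the symbol names, and the treatment of the compound symbol c as a constructor are assumptions made for the example; positions are 1-based, a symbol absent from the filter keeps all of its positions, and the closure is the symbol-based variant (not the unification-based innermost variant). Passing the intersection π ∩ µ_W instead of π works the same way, since both are just maps from symbols to kept positions.

```python
"""Usable rules closed under right-hand sides w.r.t. an argument filter.

Added example, not the paper's, IsaFoR's or CeTA's code. Assumptions:
positions are 1-based, a symbol missing from the filter keeps every
position, and the closure is symbol-based (no unification).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Fun:
    sym: str
    args: Tuple["Term", ...] = ()


Term = Union[Var, Fun]
Rule = Tuple[Term, Term]
ArgFilter = Dict[str, Set[int]]  # symbol -> kept argument positions


def argument_filter_from_linear_interpretation(
        interp: Dict[str, Tuple[float, ...]]) -> ArgFilter:
    """pi(f) = positions whose coefficient in the linear [f] is non-zero.

    [f(x1,x2,x3)] = 2*x2 + 1/2*x3 is written {"f": (0, 2, 0.5)}."""
    return {f: {i for i, c in enumerate(coeffs, start=1) if c != 0}
            for f, coeffs in interp.items()}


def is_constructor_term(t: Term, constructors: Set[str]) -> bool:
    if isinstance(t, Var):
        return True
    return t.sym in constructors and all(
        is_constructor_term(a, constructors) for a in t.args)


def is_basic(t: Term, defined: Set[str], constructors: Set[str]) -> bool:
    """f(t1,...,tn) with f defined and every ti a constructor term."""
    return (isinstance(t, Fun) and t.sym in defined
            and all(is_constructor_term(a, constructors) for a in t.args))


def filtered_symbols(t: Term, pi: ArgFilter) -> Set[str]:
    """Function symbols of t reachable only through positions kept by pi."""
    if isinstance(t, Var):
        return set()
    kept = pi.get(t.sym, set(range(1, len(t.args) + 1)))
    syms = {t.sym}
    for i, a in enumerate(t.args, start=1):
        if i in kept:
            syms |= filtered_symbols(a, pi)
    return syms


def usable_rules(rules: List[Rule], defined: Set[str],
                 constructors: Set[str], pi: ArgFilter) -> List[Rule]:
    """Least U with: every rule with basic lhs is in U, and for l -> r in U
    every rule defining a symbol of r at a pi-kept position is in U."""
    in_u = {i for i, (l, _) in enumerate(rules)
            if is_basic(l, defined, constructors)}
    work = list(in_u)
    while work:
        _, r = rules[work.pop()]
        for f in filtered_symbols(r, pi):
            for j, (l, _) in enumerate(rules):
                if j not in in_u and isinstance(l, Fun) and l.sym == f:
                    in_u.add(j)
                    work.append(j)
    return [rules[i] for i in sorted(in_u)]


# Constructed sample: a dependency-tuple style problem for plus/times plus
# two unrelated "half" rules that must never become usable.
x, y = Var("x"), Var("y")


def F(sym: str, *args: Term) -> Fun:
    return Fun(sym, tuple(args))


EXAMPLE_RULES: List[Rule] = [
    # strict (sharped) rules S
    (F("times#", F("s", x), y),
     F("c", F("plus#", F("times", x, y), y), F("times#", x, y))),
    (F("plus#", F("s", x), y), F("c", F("plus#", x, y))),
    # weak rules W: the original TRS
    (F("plus", F("0"), y), y),
    (F("plus", F("s", x), y), F("s", F("plus", x, y))),
    (F("times", F("0"), y), F("0")),
    (F("times", F("s", x), y), F("plus", F("times", x, y), y)),
    (F("half", F("0")), F("0")),
    (F("half", F("s", F("s", x))), F("s", F("half", x))),
]
EXAMPLE_DEFINED = {"times#", "plus#"}    # starting terms are basic over the sharped symbols
EXAMPLE_CONSTRUCTORS = {"0", "s", "c"}   # assumption: compound symbol c counts as constructor
PI_FULL: ArgFilter = {}                  # keep every position
# e.g. [plus#(x1, x2)] = x2 ignores the first argument of plus#
PI_FILTERED: ArgFilter = argument_filter_from_linear_interpretation({"plus#": (0, 1)})

if __name__ == "__main__":
    for name, pi in (("full", PI_FULL), ("pi(plus#)={2}", PI_FILTERED)):
        u = usable_rules(EXAMPLE_RULES, EXAMPLE_DEFINED, EXAMPLE_CONSTRUCTORS, pi)
        print(name, [l.sym for l, _ in u])
```

With the trivial filter, both times rules and both plus rules become usable through the right-hand side of the times# rule (six rules in total; the half rules are never reached). With π(plus#) = {2} the subterm times(x, y) sits at an ignored position, so neither the times nor the plus rules are usable and only the two strict rules remain to be oriented.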
We included this theorem in CeTA, where in the certificate just the complexity pair and the usable rules have to be provided, in combination with the strict rules for the split processor of Theorem 2. Since currently IsaFoR only has an interface for reduction pairs, the latter condition in 3 does not have to be checked at runtime. All other information is inferred automatically. To this end, we had to modify our interface of reduction pairs, which now has to provide means of querying monotonicity w.r.t. specific positions.
Using this theorem, CeTA could now certify most combinations of applying a complexity pair with usable rules and/or usable replacement maps in our experiments. Possible improvements at this point are the inclusion of better estimations of usable replacement maps, and better support for the complexity pairs themselves, e.g., by removing the restriction to upper triangular matrix interpretations.

Experiments
We have tested our new formalization in combination with the only two complexity tools that apply several of the methods described in this paper: AProVE [8] (version 2015.01) and TCT [2] (version 2.2). Both were run on the termination problem data base, version 9.0.2, which was also used for the complexity category of the FLoC Olympic Games of 2014. All tests were conducted on a machine with 8 dual core AMD Opteron™ 885 processors running at 2.60 GHz with 64 GB of RAM and within a timeout of 60 seconds per test. Table 1 collects our experimental findings. Here we show totals on estimated upper bounds (from constant to polynomial of unknown degree) on runtime complexities w.r.t. full and innermost rewriting, the former being only supported by TCT. To delineate the extent of our new formalization, we have compared the tools when run in various modes: In certification mode (columns certification new) we restrict tools to those methods that can also be certified by CeTA version 2.19. We contrast this data with results obtained from the version of TCT that ran in certification mode at the recent termination competition (columns certification old). Note that until now, AProVE did not feature certification support; consequently, respective results are not present in the table.
In full mode (columns full) we show totals when tools are run in their default setting, i.e., possibly employing methods that cannot be certified by CeTA. Overall, the experiments confirm significant improvements of CeTA's support for complexity analysis. For instance, with TCT we certified polynomially bounded innermost runtime complexity of 301 systems. This corresponds to 83 % of the systems that can be handled by TCT when run in full mode. In contrast, relying on our old formalization, TCT could handle only 44 % of the systems. The statement remains essentially correct for AProVE and for TCT w.r.t. full rewriting.
Even more important might have been our preliminary experiments, where several proofs have been rejected by CeTA. Although the reasons have often just been bugs in the proof output of the tools, we also revealed and fixed (or at least reported to the developers) some more severe problems: one tool modified the sets D and C in the set of starting terms T = BT(D, C, V) when deleting rules by the usable rules processor in a way that made the tool unnecessarily weak (and unsound for lower complexity bounds); one tool had a bug when computing usable rules which could be exploited to generate linear derivation bounds for non-terminating TRSs; and also some match-bounds certificates have been rejected where the corresponding code had to be disabled. Finally, also the required adaptation of Q to Q ⊆ Q ∪ Q_¬F, as discussed in Section 5, was only detected by earlier versions of CeTA which did not support this possibility.

Conclusion
We presented our formalization of several techniques for complexity analysis that are now part of the formal library IsaFoR: match-bounds, weak dependency pairs, dependency tuples, usable rules, and usable replacement maps. Moreover, we reported on the resulting increase in power of our certifier CeTA, which is now able to certify more than three quarters of all complexity proofs that are generated by state-of-the-art tools.

Definition 10. A term t is good for a term s, written t s, if and only if Fun(s) ⊆ F and there are terms t₁, …, tₙ and a ground context C with Fun(C) ⊆ C such that max_D(s) ≤ t₁, …, tₙ and t = C[t₁, …, tₙ].

Table 1
Experimental Results.