**Christoph Benzmüller Marijn J. H. Heule Renate A. Schmidt (Eds.)**

# **Automated Reasoning**

**12th International Joint Conference, IJCAR 2024 Nancy, France, July 3–6, 2024 Proceedings, Part II**

# Lecture Notes in Computer Science

# **Lecture Notes in Artificial Intelligence 14740**

Founding Editor Jörg Siekmann

Series Editors

– Randy Goebel, *University of Alberta, Edmonton, Canada*
– Wolfgang Wahlster, *DFKI, Berlin, Germany*
– Zhi-Hua Zhou, *Nanjing University, Nanjing, China*

The series Lecture Notes in Artificial Intelligence (LNAI) was established in 1988 as a topical subseries of LNCS devoted to artificial intelligence.

The series publishes state-of-the-art research results at a high level. As with the LNCS mother series, the mission of the series is to serve the international R & D community by providing an invaluable service, mainly focused on the publication of conference and workshop proceedings and postproceedings.


*Editors*

– Christoph Benzmüller, Otto-Friedrich-Universität Bamberg, Bamberg, Germany
– Marijn J. H. Heule, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA, USA
– Renate A. Schmidt, University of Manchester, Manchester, UK

ISSN 0302-9743, ISSN 1611-3349 (electronic), Lecture Notes in Artificial Intelligence
ISBN 978-3-031-63500-7, ISBN 978-3-031-63501-4 (eBook)
https://doi.org/10.1007/978-3-031-63501-4

LNCS Sublibrary: SL7 – Artificial Intelligence

© The Editor(s) (if applicable) and The Author(s) 2024. This book is an open access publication.

**Open Access** This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

If disposing of this product, please recycle the paper.

# **Preface**

This volume contains the papers of the 12th International Joint Conference on Automated Reasoning (IJCAR) held in Nancy, France, during July 3–6, 2024. IJCAR is the premier international joint conference on all aspects of automated reasoning, including foundations, implementations, and applications, comprising several leading conferences and workshops. IJCAR 2024 brought together the Conference on Automated Deduction (CADE), the International Symposium on Frontiers of Combining Systems (FroCoS), and the International Conference on Automated Reasoning with Analytic Tableaux and Related Methods (TABLEAUX).

Previous IJCAR conferences were held in Siena, Italy (2001), Cork, Ireland (2004), Seattle, USA (2006), Sydney, Australia (2008), Edinburgh, UK (2010), Manchester, UK (2012), Vienna, Austria (2014), Coimbra, Portugal (2016), Oxford, UK (2018), Paris, France (2020, virtual), and Haifa, Israel (2022).

IJCAR 2024 received 115 submissions (130 abstracts) out of which 45 papers were accepted (with an overall acceptance rate of 39%): 39 regular papers (out of 96 regular papers submitted, resulting in a regular paper acceptance rate of 41%) and 6 short papers (out of 19 short papers submitted, resulting in a short paper acceptance rate of 31%). Each submission was assigned to at least three Program Committee members and was reviewed in single-blind mode. All submissions were evaluated according to the following criteria: relevance, originality, significance, correctness, and readability. The review process included a feedback/rebuttal period, during which authors had the option to respond to reviewer comments.

In addition to the accepted papers, the IJCAR 2024 program included three invited talks:


This year marks the 30th anniversary of the CADE ATP System Competition (CASC), which was conceived in 1994 after CADE-12 in Nancy, France, when Christian Suttner and Geoff Sutcliffe were sitting on a bench under a tree in Parc de la Pépinière. In the 28 competitions since then, CASC has been a catalyst for research and development, providing an inspiring environment for personal interaction between ATP researchers and users. A special event took place to celebrate this anniversary.

In addition to the main programme, IJCAR 2024 hosted ten workshops, which took place on July 1–2, and two systems competitions (CASC and Termination). The SAT/SMT/AR 2024 Summer School was held in Nancy the week prior to IJCAR 2024.

The Best Paper Award of IJCAR 2024 went to Hugo Férée, Iris van der Giessen, Sam van Gool, and Ian Shillito for the paper "Mechanised Uniform Interpolation for Modal Logics K, GL, and iSL". The Best Student Paper Award went to Johannes Niederhauser (with Chad E. Brown and Cezary Kaliszyk) for the paper entitled "Tableaux for Automated Reasoning in Dependently-Typed Higher-Order Logic".

Another highlight of the conference was the presentation of the 2024 Herbrand Award for Distinguished Contributions to Automated Reasoning to Armin Biere (Albert-Ludwigs-University Freiburg, Germany) in recognition of "his outstanding contributions to satisfiability solving, including innovative applications, methods for formula pre- and in-processing and proof generation, and a series of award-winning solvers, with deep impact on model checking and verification."

The 2024 Bill McCune PhD Award was given to Katherine Kosaian for the PhD thesis "Formally Verifying Algorithms for Real Quantifier Elimination", completed at Carnegie Mellon University, USA, in 2023.

The main institutions supporting IJCAR 2024 were the University of Lorraine and the Inria research center at the University of Lorraine. We also thank as sponsors: the research laboratory for computer science in Nancy (LORIA), a joint research unit of the University of Lorraine, CNRS, and Inria, its Formal Methods Department, and Métropole du Grand Nancy. For hosting the conference, we thank IDMC Nancy.

We would also like to acknowledge the generous sponsorship of Springer and Imandra Inc., and the support by EasyChair. Finally, we are indebted to the entire IJCAR 2024 Organizing Team for their assistance with the local organization and general management of the conference, especially Didier Galmiche, Stephan Merz, Christophe Ringeissen (Conference Co-Chairs), Sophie Tourret (Workshop, Tutorial and Competition Chair), Peter Lammich (Publicity Chair) and Anne-Lise Charbonnier and Sabrina Lemaire (main administrative support).

May 2024

Christoph Benzmüller
Marijn J. H. Heule
Renate A. Schmidt

# **Organization**

# **Conference Chairs**


# **Program Committee Chairs**


# **Workshop, Tutorial and Competition Chair**


## **Publicity Chair**


#### **Local Arrangements**


## **Steering Committee**


#### **Program Committee**

– Franz Baader, TU Dresden, Germany
– Nikolaj Bjørner, Microsoft, USA
– Agata Ciabattoni, TU Wien, Austria
– Daniela Kaufmann, TU Wien, Austria
– Xavier Parent, TU Wien, Austria
– Lawrence Paulson, University of Cambridge, UK
– Elaine Pimentel, University College London, UK
– Christophe Ringeissen, Inria, University of Lorraine, France
– Renate A. Schmidt, University of Manchester, UK

– Haniel Barbosa, Universidade Federal de Minas Gerais, Brazil
– Christoph Benzmüller, Otto-Friedrich-Universität Bamberg and FU Berlin, Germany
– Armin Biere, University of Freiburg, Germany
– Jasmin Blanchette, Ludwig-Maximilians-Universität München, Germany
– Maria Paola Bonacina, Università degli Studi di Verona, Italy
– Florent Capelli, Université d'Artois, France
– Clare Dixon, University of Manchester, UK
– Pascal Fontaine, Université de Liège, Belgium
– Carsten Fuhs, Birkbeck, University of London, UK
– Didier Galmiche, University of Lorraine, France
– Silvio Ghilardi, Università degli Studi di Milano, Italy
– Jürgen Giesl, RWTH Aachen University, Germany
– Arie Gurfinkel, University of Waterloo, Canada
– Marijn J. H. Heule, Carnegie Mellon University, USA
– Andrzej Indrzejczak, University of Lodz, Poland
– Moa Johansson, Chalmers University of Technology, Sweden
– Patrick Koopmann, Vrije Universiteit Amsterdam, The Netherlands
– Konstantin Korovin, University of Manchester, UK
– Peter Lammich, University of Twente, The Netherlands
– Martin Lange, University of Kassel, Germany
– Tim Lyon, Technische Universität Dresden, Germany
– Kuldeep S. Meel, University of Toronto, Canada
– Stephan Merz, Inria, University of Lorraine, France
– Cláudia Nalon, University of Brasília, Brazil
– Aina Niemetz, Stanford University, USA
– Albert Oliveras, Universitat Politècnica de Catalunya, Spain
– Nicolas Peltier, CNRS, Laboratory of Informatics of Grenoble, France
– Rafael Peñaloza, University of Milano-Bicocca, Italy
– Elaine Pimentel, University College London, UK
– André Platzer, Karlsruhe Institute of Technology, Germany
– Andrei Popescu, University of Sheffield, UK
– Florian Rabe, FAU Erlangen-Nürnberg, Germany
– Giles Reger, Amazon Web Services, USA and University of Manchester, UK
– Giselle Reis, Carnegie Mellon University, Qatar
– Andrew Reynolds, University of Iowa, USA
– Christophe Ringeissen, Inria, University of Lorraine, France
– Philipp Rümmer, University of Regensburg, Germany
– Uli Sattler, University of Manchester, UK
– Tanja Schindler, University of Basel, Switzerland
– Renate A. Schmidt, University of Manchester, UK
– Claudia Schon, Hochschule Trier, Germany
– Stephan Schulz, DHBW Stuttgart, Germany
– Roberto Sebastiani, University of Trento, Italy
– Martina Seidl, Johannes Kepler University Linz, Austria
– Viorica Sofronie-Stokkermans, University of Koblenz, Germany
– Alexander Steen, University of Greifswald, Germany
– Martin Suda, Czech Technical University in Prague, Czech Republic
– Yong Kiam Tan, Institute for Infocomm Research, A\*STAR, Singapore
– Sophie Tourret, Inria, France and Max Planck Institute for Informatics, Germany
– Josef Urban, Czech Technical University in Prague, Czech Republic
– Uwe Waldmann, Max Planck Institute for Informatics, Germany
– Christoph Weidenbach, Max Planck Institute for Informatics, Germany
– Sarah Winkler, Free University of Bozen-Bolzano, Italy
– Yoni Zohar, Bar-Ilan University, Israel

### **Additional Reviewers**

Noah Abou El Wafa, Takahito Aoto, Martin Avanzini, Philippe Balbiani, Lasse Blaauwbroek, Frédéric Blanqui, Thierry Boy de La Tour, Marvin Brieger, Martin Bromberger, James Brotherston, Chad E. Brown, Florian Bruse, Filip Bártek, Julie Cailler, Cameron Calk, Christophe Chareton, Jiaoyan Chen, Karel Chvalovský, Tiziano Dalmonte, Anupam Das, Martin Desharnais, Paulius Dilkas, Marie Duflot, Yotam Dvir, Chelsea Edmonds, Sólrún Halla Einarsdóttir, Clemens Eisenhofer, Zafer Esen, Camillo Fiorentini, Mathias Fleury, Stef Frijters, Florian Frohn, Nikolaos Galatos, Alessandro Gianola, Matt Griffin, Alberto Griggio, Liye Guo, Raúl Gutiérrez, Xavier Généreux, Hans-Dieter Hiep, Jochen Hoenicke, Jonathan Huerta y Munive, Ullrich Hustadt, Cezary Kaliszyk, Jan-Christoph Kassing, Michael Kinyon, Lydia Kondylidou, Boris Konev, George Kourtis, Francesco Kriegel, Falko Kötter, Timo Lang, Jonathan Laurent, Daniel Le Berre, Jannis Limperg, Xinghan Liu, Anela Lolic, Etienne Lozes, Salvador Lucas, Andreas Lööw, Kenji Maillard, Sérgio Marcelino, Andrew M. Marshall, Gabriele Masina, Marcel Moosbrugger, Barbara Morawska, Johannes Oetsch, Eugenio Orlandelli, Jens Otten, Adam Pease, Bartosz Piotrowski, Enguerrand Prebet, Siddharth Priya, Long Qian, Jakob Rath, Colin Rothgang, Reuben Rowe, Jan Frederik Schaefer, Johannes Schoisswohl, Marcel Schütz, Florian Sextl, Ian Shillito, Nicholas Smallbone, Giuseppe Spallitta, Sergei Stepanenko, Georg Struth, Matteo Tesi, Guilherme Toledo, Patrick Trentin, Hari Govind Vediramana Krishnan, Laurent Vigneron, Renaud Vilmart, Dominik Wehr, Tobias Winkler, Frank Wolter, Akihisa Yamada, Michal Zawidzki

# **Contents – Part II**

#### **Intuitionistic Logics and Modal Logics**



# **Contents – Part I**

#### **Invited Contributions**




# **Intuitionistic Logics and Modal Logics**

# **Model Construction for Modal Clauses**

Ullrich Hustadt<sup>2</sup> (✉), Fabio Papacchini<sup>3</sup>, Cláudia Nalon<sup>1</sup>, and Clare Dixon<sup>4</sup>

<sup>1</sup> Department of Computer Science, University of Brasília, Brasília, Brazil, nalon@unb.br

<sup>2</sup> Department of Computer Science, University of Liverpool, Liverpool, UK, U.Hustadt@liverpool.ac.uk

<sup>3</sup> School of Computing and Communications, Lancaster University in Leipzig, Leipzig, Germany, f.papacchini@lancaster.ac.uk

<sup>4</sup> Department of Computer Science, University of Manchester, Manchester, UK, clare.dixon@manchester.ac.uk

**Abstract.** We present deterministic model construction algorithms for sets of modal clauses saturated with respect to three refinements of the modal-layered resolution calculus implemented in the prover KSP. The model construction algorithms are inspired by the Bachmair-Ganzinger method for constructing a model for a set of ground first-order clauses saturated with respect to ordered resolution with selection. The challenge is that the inference rules of the modal-layered resolution calculus for modal operators are more restrictive than an adaptation of ordered resolution with selection for these would be. While these model construction algorithms provide an alternative means to proving completeness of the calculus, our main interest is the provision of a 'certificate' for satisfiable modal formulae that can be independently checked to assure a user that the result of KSP is correct. This complements the existing provision of proofs for unsatisfiable modal formulae.

# **1 Introduction**

Propositional modal logics can be applied to formalise and reason about a wide range of applications, including programming languages [22], knowledge representation and reasoning [4,9,23], verification of distributed systems [8,10,11] and terminological reasoning [26]. For such applications, the underlying reasoning tool is expected to provide *certification* for its answer to a particular problem. While at least one kind of certificate is expected to be produced, either in the form of a *proof* or a *model*, the production of both not only helps with the task related to the particular application (e.g. the generation of counter-examples in verification problems) but also assures the user that the reasoning tool has produced the right result, as those certificates can be independently and automatically checked. Given the complexity of reasoning tools, most of which implement sophisticated optimisation procedures that are very difficult to check for correctness, it is not surprising that the automated reasoning community has been encouraging the extraction of both kinds of certificates: some tracks in the SAT competition<sup>1</sup> require both proofs and models; the same approach is argued for QBF reasoning tools [29]; and this is also required in some tracks of the CASC competition [32,33], with standards currently under discussion<sup>2</sup>.

There are several implemented tools for the basic propositional modal logic $K_n$, the logic considered in this paper. However, and somewhat surprisingly, most state-of-the-art tools do not produce any kind of certificate (e.g. CEGARBOX [6]); produce only partial information on models (e.g. Spartacus [7], InKreSAT [12]; see also the discussion in [14]); or, as in our case, produce only proofs (KSP [17]). There are fully certified tools that do produce both models and proofs (e.g. [34]), but their performance is usually not comparable to that of state-of-the-art provers.

In this paper we present the theoretical results needed to implement certification for satisfiable problems in KSP [19]. Our prover implements both the resolution calculi presented in [16] and the modal-layered calculus MLR presented in [17]. Refinements, such as negative, positive, and ordered resolution, are also implemented. As with other resolution-based systems, proofs produced by KSP are easily readable and verifiable. However, as mentioned, model extraction has never been implemented. One of the reasons is that although the completeness proofs for the calculi in [16,17] are constructive, they do not yield efficient procedures. Very briefly, those proofs are similar to canonical constructions for axiomatic proof systems and rely on the construction of structures over the subsets of consistent formulae of an input formula (in clausal form); even in the best case they require exponential time and space.

Here we present novel model construction algorithms from saturated sets of clauses produced by the positive, negative or ordered resolution refinements of MLR. These refinements require different normal forms: $\mathrm{SNF}^{-}_{ml}$, $\mathrm{SNF}^{+}_{ml}$, and $\mathrm{SNF}^{++}_{ml}$, respectively. We first show how to obtain models from sets of $\mathrm{SNF}^{++}_{ml}$ clauses saturated with respect to the ordered resolution refinement of MLR (Sect. 3). This results in a deterministic procedure inspired by the Bachmair-Ganzinger model construction for ground first-order clauses [2]. For positive resolution, we adapt the procedure for $\mathrm{SNF}^{++}_{ml}$ clauses by constructing separate orderings for each world in a model (Sect. 4). We then obtain a procedure for negative resolution by flipping the polarity of literals in $\mathrm{SNF}^{+}_{ml}$ clauses and reusing the procedure for positive resolution (Sect. 5). From these procedures we obtain alternative completeness proofs for ordered and negative resolution, and provide the first completeness proof for positive resolution. Moreover, all procedures are deterministic and suitable for implementation.

The paper is structured as follows. In Sect. 2 we give details of the logic, resolution rules and resolution refinements. Sections 3, 4 and 5 provide the model construction algorithms for each refinement. We discuss our approach in relation to the Bachmair-Ganzinger method and consider complexity in Sect. 6. Section 7 presents how to perform model construction for extensions of basic modal logic. Finally, we draw conclusions and discuss future work in Sect. 8.

<sup>1</sup> https://satcompetition.github.io/2022/rules.html.

<sup>2</sup> https://www.tptp.org/TPTP/Proposals/InterpretationsModels.shtml.

# **2 Preliminaries**

Let $P$ be a denumerable set of *propositional symbols*. Let $A_n = \{1,\dots,n\}$, with $n \in \mathbb{N}$, be a finite, fixed set of *agents*. The set of modal formulae over $P$ and $A_n$ is then the least set containing the two propositional constants **true** and **false**, all elements of $P$, and the formulae $\neg\varphi$, $(\varphi \wedge \psi)$, $(\varphi \vee \psi)$, $(\varphi \to \psi)$, $[a]\varphi$, and $\langle a\rangle\varphi$ provided $\varphi$ and $\psi$ are modal formulae and $a \in A_n$. The set of literals over $P$ is $L_P = \{p, \neg p \mid p \in P\}$. For $p \in P$, a literal $p$ is a *positive literal* and a literal $\neg p$ is a *negative literal*. A *modal literal* is $[a]l$ or $\langle a\rangle l$, for $a \in A_n$ and $l \in L_P$.

The semantics of modal formulae is provided by Kripke structures. A *Kripke structure* $M$ over $P$ and $A_n$ is a tuple $\langle W, \{R_a\}_{a \in A_n}, V\rangle$ where $W$ is a non-empty set of *worlds*, each *accessibility relation* $R_a$, $a \in A_n$, is a binary relation on $W$, and the *valuation* $V$ is a function mapping each propositional symbol $p \in P$ to a subset $V(p)$ of $W$. If $(w, w') \in R_a$, written $wR_aw'$, we say $w'$ is an $a$-*successor* of $w$; we may omit the index $a$ when there is no need to distinguish the relation $R_a$ and just say $w'$ is a successor world of $w$.

Satisfaction (or truth) of a formula at a world $w$ of a Kripke structure $M = \langle W, \{R_a\}_{a \in A_n}, V\rangle$ is inductively defined by:

– $M,w \models \mathbf{true}$; $M,w \not\models \mathbf{false}$;
– $M,w \models p$ iff $w \in V(p)$, where $p \in P$;
– $M,w \models \neg\varphi$ iff $M,w \not\models \varphi$;
– $M,w \models (\varphi \wedge \psi)$ iff $M,w \models \varphi$ and $M,w \models \psi$;
– $M,w \models (\varphi \vee \psi)$ iff $M,w \models \varphi$ or $M,w \models \psi$;
– $M,w \models (\varphi \to \psi)$ iff $M,w \models \neg\varphi$ or $M,w \models \psi$;
– $M,w \models [a]\varphi$ iff for every $v$, $wR_av$ implies $M,v \models \varphi$;
– $M,w \models \langle a\rangle\varphi$ iff there is a $v$ with $wR_av$ and $M,v \models \varphi$.

If $M,w \models \varphi$ holds then $M$ is a *model* of $\varphi$, $\varphi$ is *true at* $w$ *in* $M$, and $M$ *satisfies* $\varphi$. A modal formula $\varphi$ is *(locally) satisfiable* iff there exists a Kripke structure $M$ and a world $w$ in $M$ such that $M,w \models \varphi$.

A *tree Kripke structure* $M$ is an ordered pair $\langle \langle W, \{R_a\}_{a \in A_n}, V\rangle, w_0\rangle$ where $w_0 \in W$ and $\bigcup_{a \in A_n} R_a$ is a tree, that is, a directed acyclic connected graph where each node has at most one predecessor, with *root* $w_0$. Finally, $M$ is a *tree Kripke model* of a modal formula $\varphi$ iff $\langle \langle W, \{R_a\}_{a \in A_n}, V\rangle, w_0\rangle \models \varphi$. To simplify notation, in the following we write $\langle W, \{R_a\}_{a \in A_n}, V, w_0\rangle$ instead of $\langle \langle W, \{R_a\}_{a \in A_n}, V\rangle, w_0\rangle$. In a tree Kripke structure with root $w_0$, for every world $w_k \in W$ there is exactly one path $\vec{w}$ connecting $w_0$ and $w_k$; the *modal level of* $w_k$ *(in* $M$*)*, denoted by $ml_M(w_k)$, is given by $len(\vec{w})$. By $M[ml]$ we denote the set of worlds that are at modal level $ml$ in $M$, that is, $M[ml] = \{w \in W \mid ml_M(w) = ml\}$.

In [18], we have introduced the *Separated Normal Form with Modal Levels*, $\mathrm{SNF}_{ml}$, for modal formulae. For the local satisfiability problem, clauses in $\mathrm{SNF}_{ml}$ are in one of the following forms:

– Literal clause $ml : \bigvee_{b=1}^{r} l_b$
– Positive $a$-clause $ml : l \to [a]l'$
– Negative $a$-clause $ml : l \to \langle a\rangle l'$

where $ml \in \mathbb{N}$ and $l, l', l_b \in L_P$, $1 \le b \le r$, $r \in \mathbb{N}$. We denote by $ml : \mathbf{false}$ an *empty clause*, that is, a literal clause with $r = 0$. Positive and negative $a$-clauses are together known as *modal* $a$-*clauses*. By a positive (negative) modal clause we mean a positive (negative) $a$-clause for an arbitrary agent $a \in A_n$. We also use $ml : l \to (a)l'$ to denote a modal $a$-clause that can be either a positive or a negative $a$-clause.

A tree Kripke structure $M$ satisfies a clause $ml : \psi$ in $\mathrm{SNF}_{ml}$, written $M \models ml : \psi$, iff for every $w \in M[ml]$, $M,w \models \psi$. $M$ satisfies a finite set $\Phi$ of clauses in $\mathrm{SNF}_{ml}$ iff for every $ml : \psi$ in $\Phi$, $M$ satisfies $ml : \psi$. We then call $M$ a Kripke model of $\Phi$. Finally, a set $\Phi$ of clauses in $\mathrm{SNF}_{ml}$ is satisfiable if there exists a tree Kripke structure $M$ that satisfies $\Phi$.
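The clause-level satisfaction relation just defined is exactly what an independent certificate checker for a "satisfiable" answer has to evaluate: given the tree Kripke structure the prover claims as a model and the clause set $\Phi$, every clause $ml : \psi$ must hold at every world of modal level $ml$. The Python script below is an added example, not code from the paper or from KSP; the tuple encoding of clauses, the world names and the two constructed "certificates" are assumptions made for this illustration.

```python
"""Checking a claimed tree Kripke model against a set of SNF_ml clauses.

Added illustration (not from the paper or KSP).  Encoding, an assumption of
this example:
  literal            ('p', True) for p, ('p', False) for ¬p
  literal clause     (ml, 'lit', {l_1, ..., l_r})        ml : l_1 ∨ ... ∨ l_r
  positive a-clause  (ml, 'box', a, l, l2)               ml : l → [a] l2
  negative a-clause  (ml, 'dia', a, l, l2)               ml : l → <a> l2
"""
from collections import deque


class TreeKripke:
    """Tree Kripke structure <W, {R_a}, V, w0>; modal levels are path lengths from w0."""

    def __init__(self, root, edges, valuation):
        # edges: iterable of (w, a, v) meaning w R_a v; valuation: world -> set of true symbols
        self.root = root
        self.val = valuation
        self.succ = {}                       # w -> a -> [v, ...]
        pred = {}
        for w, a, v in edges:
            if v == root or v in pred:       # tree shape: root has no predecessor, others exactly one
                raise ValueError(f"{v} would have two predecessors or be the root")
            pred[v] = w
            self.succ.setdefault(w, {}).setdefault(a, []).append(v)
        self.level = {root: 0}
        queue = deque([root])
        while queue:                         # BFS from the root assigns ml_M(w)
            w = queue.popleft()
            for vs in self.succ.get(w, {}).values():
                for v in vs:
                    self.level[v] = self.level[w] + 1
                    queue.append(v)
        if set(pred) | {root} != set(self.level):
            raise ValueError("structure is not connected")

    def holds(self, w, lit):
        sym, positive = lit
        return (sym in self.val.get(w, set())) == positive

    def worlds_at(self, ml):
        return [w for w, lvl in self.level.items() if lvl == ml]

    def satisfies(self, clause):
        """M |= ml : ψ  iff  ψ holds at every world of level ml (vacuously true if there is none)."""
        ml, kind = clause[0], clause[1]
        for w in self.worlds_at(ml):
            if kind == 'lit':
                if not any(self.holds(w, l) for l in clause[2]):
                    return False                 # the empty clause ml : false always fails here
                continue
            _, _, a, lhs, rhs = clause
            if not self.holds(w, lhs):
                continue                         # implication is trivially true at w
            successors = self.succ.get(w, {}).get(a, [])
            if kind == 'box' and not all(self.holds(v, rhs) for v in successors):
                return False
            if kind == 'dia' and not any(self.holds(v, rhs) for v in successors):
                return False
        return True


def check_certificate(model, clauses):
    """Return the clauses violated by the claimed model; an empty list means the certificate is accepted."""
    return [c for c in clauses if not model.satisfies(c)]


# Constructed clause set:  0 : p,   0 : p → [1]q,   0 : p → <1>r,   1 : ¬r ∨ q
CLAUSES = [
    (0, 'lit', {('p', True)}),
    (0, 'box', 1, ('p', True), ('q', True)),
    (0, 'dia', 1, ('p', True), ('r', True)),
    (1, 'lit', {('r', False), ('q', True)}),
]

# A correct certificate: w0 --1--> w1 with p true at w0 and q, r true at w1.
GOOD = TreeKripke('w0', [('w0', 1, 'w1')], {'w0': {'p'}, 'w1': {'q', 'r'}})
# A bogus certificate: no successor of w0 makes r true, so 0 : p → <1>r is violated.
BAD = TreeKripke('w0', [('w0', 1, 'w1')], {'w0': {'p'}, 'w1': {'q'}})

if __name__ == '__main__':
    print('good model violates:', check_certificate(GOOD, CLAUSES))
    print('bad model violates: ', check_certificate(BAD, CLAUSES))
```

Two points a practitioner should keep in mind when checking such certificates: the tree shape and the modal levels are recomputed by the checker rather than trusted from the prover's output, and a clause whose level has no worlds is vacuously satisfied, which is harmless here only because every clause that can force a successor is a negative modal clause at a lower level.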

**Theorem 1 (**[17,18]**).** *Let* $\varphi$ *be a modal formula. Then there exists a finite set* $\Phi$ *of clauses in* $\mathrm{SNF}_{ml}$ *such that* $\varphi$ *is satisfiable iff* $\Phi$ *is satisfiable, and if a tree Kripke structure* $M$ *is a Kripke model of* $\Phi$ *then* $M$ *is also a Kripke model of* $\varphi$*.*

The transformation of a modal formula $\varphi$ into an equisatisfiable set $\Phi$ of clauses in $\mathrm{SNF}_{ml}$ proceeds by replacing complex subformulae by new *surrogate propositional symbols* and adding to $\Phi$ clauses defining those new symbols.

Given a finite set $\Phi$ of $\mathrm{SNF}_{ml}$ clauses, by $P_\Phi$ and $L^{\Phi}_{P}$ we denote the set of propositional symbols occurring in $\Phi$ and the set of propositional literals over $P_\Phi$, respectively. For $ml \in \mathbb{N}$, by $\Phi[ml]$ we denote $\{ml : \psi \mid ml : \psi \in \Phi\}$. Then by $\Phi_{lit}[ml]$, $\Phi_{pos}[ml]$, and $\Phi_{neg}[ml]$ we denote the set of all literal clauses, all positive modal clauses, and all negative modal clauses in $\Phi[ml]$, respectively. The *maximal modal level* $max_{ML}(\Phi)$ of $\Phi$ is $\max(\{ml + 1 \mid ml : \psi \in \Phi \text{ and } ml : \psi \text{ is a modal clause}\})$, and we assume $\max(\emptyset) = 0$.

In [18] we have also introduced a resolution calculus to reason with $\mathrm{SNF}_{ml}$, the modal-layered resolution (MLR) calculus. Table 1 shows the inference rules of this calculus restricted to the labels occurring in the normal form defined above. We require that clauses are kept in simplified form, that is, if $ml \in \mathbb{N}$, $D$ is a (possibly empty) disjunction of literals, and $l \in L_P$, then: $ml : D \vee l \vee l$ simplifies to $ml : D \vee l$; $ml : D \vee \mathbf{false}$ simplifies to $ml : D$; and $ml : D \vee l \vee \neg l$ and $ml : D \vee \mathbf{true}$ simplify to $ml : \mathbf{true}$.

Let $C$ and $D$ be disjunctions of propositional literals. A clause $ml : C$ *subsumes* a clause $ml : D$ if and only if $D$ is of the form $C \vee C'$ where $C'$ is a possibly empty disjunction of propositional literals.

Let $\Phi$ be a set of clauses in $\mathrm{SNF}_{ml}$. A *derivation* by MLR from $\Phi$ is a sequence of sets $\Phi = \Phi_0, \Phi_1, \dots$ where for each $i \ge 0$, either (i) $\Phi_{i+1} = \Phi_i \cup \{ml : \psi\}$ where $ml : \psi$ is the resolvent obtained by an application of one of the rules in Table 1 to premises in $\Phi_i$, $ml : \psi$ is in simplified form, $ml : \psi$ is not subsumed by a clause in $\Phi_i$, and $ml : \psi$ is not a tautology, or (ii) $\Phi_{i+1} = \Phi_i - \{ml : \psi\}$ where $ml : \psi$ is subsumed by a clause in $\Phi_i - \{ml : \psi\}$.

**Table 1.** Inference rules of the Modal Layered Resolution (MLR) calculus

$$
\begin{aligned}
\text{LRES}: &\quad \frac{ml : D \vee l \qquad ml : D' \vee \neg l}{ml : D \vee D'} \\[1ex]
\text{MRES}: &\quad \frac{ml : l_1 \to [a]l \qquad ml : l_2 \to \langle a\rangle \neg l}{ml : \neg l_1 \vee \neg l_2} \\[1ex]
\text{GEN1}: &\quad \frac{ml : l'_1 \to [a]\neg l_1 \quad \dots \quad ml : l'_m \to [a]\neg l_m \qquad ml : l' \to \langle a\rangle \neg l \qquad ml+1 : l_1 \vee \dots \vee l_m \vee l}{ml : \neg l'_1 \vee \dots \vee \neg l'_m \vee \neg l'} \\[1ex]
\text{GEN2}: &\quad \frac{ml : l'_1 \to [a]l_1 \qquad ml : l'_2 \to [a]\neg l_1 \qquad ml : l'_3 \to \langle a\rangle l_2}{ml : \neg l'_1 \vee \neg l'_2 \vee \neg l'_3} \\[1ex]
\text{GEN3}: &\quad \frac{ml : l'_1 \to [a]\neg l_1 \quad \dots \quad ml : l'_m \to [a]\neg l_m \qquad ml : l' \to \langle a\rangle l \qquad ml+1 : l_1 \vee \dots \vee l_m}{ml : \neg l'_1 \vee \dots \vee \neg l'_m \vee \neg l'}
\end{aligned}
$$

A set of clauses $\Phi$ in $\mathrm{SNF}_{ml}$ is *saturated with respect to MLR* if any further application of the inference rules LRES, MRES, GEN1, GEN2 and GEN3 generates a clause already in $\Phi$ or subsumed by a clause in $\Phi$. A set of clauses $\Phi'$ in $\mathrm{SNF}_{ml}$ is the *saturation* of $\Phi$ with respect to MLR if there is a derivation $\Phi = \Phi_0, \dots, \Phi_n = \Phi'$ by MLR from $\Phi$ such that $\Phi'$ is saturated with respect to MLR.
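To make the rules of Table 1 and the derivation/saturation definitions concrete, the following Python script implements LRES, MRES, GEN2 and a combined GEN1/GEN3 rule on the tuple-encoded clause sets, saturates with forward and backward subsumption, and reports whether some $ml : \mathbf{false}$ is derived. This is an added illustration written for this page, not the KSP implementation (KSP's data structures, rule scheduling and refinements are not shown); the clause encoding and the two constructed clause sets are assumptions of the example.

```python
"""Toy saturation with the MLR rules of Table 1 (LRES, MRES, GEN1, GEN2, GEN3).

Added illustration, not the KSP implementation.  Clause encoding is an
assumption of this example:
  literal clause   ('lit', ml, frozenset of literals)    ml : l_1 ∨ ... ∨ l_r
  positive clause  ('box', ml, a, l, l2)                 ml : l → [a] l2
  negative clause  ('dia', ml, a, l, l2)                 ml : l → <a> l2
A literal is ('p', True) for p and ('p', False) for ¬p.
"""
from itertools import product


def neg(lit):
    return (lit[0], not lit[1])


def lit_clause(ml, lits):
    """ml : l_1 ∨ ... ∨ l_r in simplified form; None if it is a tautology (contains l and ¬l)."""
    lits = frozenset(lits)
    return None if any(neg(l) in lits for l in lits) else ('lit', ml, lits)


def subsumes(c, d):
    """ml : C subsumes ml : D iff D = C ∨ C' (same modal level)."""
    return c[0] == d[0] == 'lit' and c[1] == d[1] and c[2] <= d[2]


def lres(c, d):
    """LRES: ml : D ∨ l,  ml : D' ∨ ¬l  ⟹  ml : D ∨ D'."""
    if c[1] != d[1]:
        return []
    res = [lit_clause(c[1], (c[2] - {l}) | (d[2] - {neg(l)})) for l in c[2] if neg(l) in d[2]]
    return [r for r in res if r is not None]


def mres(box, dia):
    """MRES: ml : l1 → [a]l,  ml : l2 → <a>¬l  ⟹  ml : ¬l1 ∨ ¬l2."""
    _, ml, a, l1, l = box
    _, ml2, a2, l2, nl = dia
    if (ml, a) == (ml2, a2) and nl == neg(l):
        return [lit_clause(ml, {neg(l1), neg(l2)})]
    return []


def gen(dia, boxes, lit):
    """GEN1 and GEN3 as one rule.
    dia = ml : l' → <a>l and lit = ml+1 : C.  Every literal c of C other than ¬l must be
    covered by a box clause ml : l_c' → [a]¬c  (GEN1: ¬l ∈ C, GEN3: ¬l ∉ C).
    Conclusion: ml : ¬l' ∨ ⋁_c ¬l_c'."""
    _, ml, a, lp, l = dia
    if lit[1] != ml + 1:
        return []
    conclusion = {neg(lp)}
    for c in lit[2] - {neg(l)}:
        cover = [b for b in boxes if (b[1], b[2], b[4]) == (ml, a, neg(c))]
        if not cover:
            return []
        conclusion.add(neg(cover[0][3]))     # first covering clause only; a real prover enumerates all
    return [lit_clause(ml, conclusion)]


def gen2(box1, box2, dia):
    """GEN2: ml : l1' → [a]l1,  ml : l2' → [a]¬l1,  ml : l3' → <a>l2  ⟹  ml : ¬l1' ∨ ¬l2' ∨ ¬l3'."""
    _, ml, a, l1p, l1 = box1
    _, ml2, a2, l2p, nl1 = box2
    _, ml3, a3, l3p, _ = dia
    if ml == ml2 == ml3 and a == a2 == a3 and nl1 == neg(l1):
        return [lit_clause(ml, {neg(l1p), neg(l2p), neg(l3p)})]
    return []


def saturate(clauses, limit=10_000):
    """Derivation as defined in the text: add non-tautological, non-subsumed resolvents and
    delete the clauses they subsume, until nothing new appears (or the size limit is hit)."""
    clauses = list(clauses)
    changed = True
    while changed and len(clauses) < limit:
        changed = False
        lits = [c for c in clauses if c[0] == 'lit']
        boxes = [c for c in clauses if c[0] == 'box']
        dias = [c for c in clauses if c[0] == 'dia']
        new = []
        for c, d in product(lits, lits):
            new += lres(c, d)
        for b, d in product(boxes, dias):
            new += mres(b, d)
        for d, c in product(dias, lits):
            new += gen(d, boxes, c)
        for b1, b2, d in product(boxes, boxes, dias):
            new += gen2(b1, b2, d)
        for r in new:
            if r is not None and not any(subsumes(c, r) for c in clauses):
                clauses = [c for c in clauses if not subsumes(r, c)]   # backward subsumption
                clauses.append(r)
                changed = True
    return clauses


def derives_false(clauses):
    """True iff some ml : false is in the saturation, i.e. the set is unsatisfiable."""
    return any(c[0] == 'lit' and not c[2] for c in saturate(clauses))


P, Q, R = ('p', True), ('q', True), ('r', True)
# Constructed sets: 0 : p, 0 : p → [1]q, 0 : p → <1>r, plus 1 : ¬q ∨ ¬r (unsat) / without it (sat)
PHI_UNSAT = [lit_clause(0, {P}), ('box', 0, 1, P, Q), ('dia', 0, 1, P, R), lit_clause(1, {neg(Q), neg(R)})]
PHI_SAT = PHI_UNSAT[:3]

if __name__ == '__main__':
    print('unsat:', derives_false(PHI_UNSAT), ' sat:', derives_false(PHI_SAT))
```

On `PHI_UNSAT` the run is the textbook one: GEN1 combines $0 : p \to \langle 1\rangle r$, $0 : p \to [1]q$ and $1 : \neg q \vee \neg r$ into $0 : \neg p$, which LRES resolves with $0 : p$ to $0 : \mathbf{false}$. On `PHI_SAT` the saturation is the input set itself, and it is that saturated set from which the model construction algorithms of the following sections start.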

Just as for propositional clausal logic, to improve the efficiency of the MLR calculus it is important to restrict applications of the LRES rule, that is, to use a *refinement* of this rule. However, when doing so it is not enough to ensure that from a set of literal clauses that logically implies a clause of the form ml : **false** we can derive that clause. Instead we have to make sure that all literal clauses that could be used as premises for GEN1 and GEN3 can still be derived. A sufficient, though not necessary, condition for that is to ensure that the refinement of LRES is consequence complete.

In [17] we have considered three refinements of propositional resolution as a basis for refinements of LRES:

– **Negative Resolution** [24] is a special case of semantic resolution [30], which restricts clause selection by using an interpretation as a guide. For the classical case, given an interpretation $I$, the (binary) *semantic resolution rule* allows one to derive $D \vee D'$ from $D \vee l$ and $D' \vee \neg l$ provided one of the premises is an *electron*, that is, a clause which evaluates to false under $I$. By taking $I(p) = \mathit{true}$ for all propositional symbols $p$, semantic resolution corresponds to *negative* resolution, that is, the electron is a clause containing only negative literals. Semantic resolution is complete irrespective of the interpretation chosen to guide the search for a proof [30]. Moreover, semantic resolution is also *consequence complete* [31]. The following theorem, which follows directly from the consequence completeness of semantic resolution, holds:

**Theorem 2 (**[31, **Theorem 8]).** *If a clause* C *is a prime consequence of a finite set* Φ *of clauses and contains no negative (positive) literals, then there is a positive (negative) resolution derivation of* C *from* Φ*.*

Theorem 2 ensures that all clauses containing only negative literals and which are consequences of a set of clauses are generated by applications of negative resolution to the clause set.

Our calculus for $\mathrm{SNF}_{ml}$ can be restricted to negative resolution with a small change in the normal form by allowing only positive literals in the scope of modal operators. Given a set $\Phi$ of clauses in $\mathrm{SNF}_{ml}$, we exhaustively apply the following transformations to $\Phi$ (where $ml \in \mathbb{N}$, $t \in L_P$, $p \in P$, and $t'$ is a new propositional symbol):

$$\begin{aligned} \Phi' \cup \{ ml : \neg p \to (a)t \} &\Rightarrow \Phi' \cup \{ ml : t' \to (a)t, ml : t' \lor p \} \\ \Phi' \cup \{ ml : t \to (a)\neg p \} &\Rightarrow \Phi' \cup \{ ml : t \to (a)t', ml + 1 : \neg t' \lor \neg p \} \end{aligned}$$

Note that the transformation rules are not mutually exclusive. The first transformation ensures that resolvents of the modal inference rules are negative literal clauses. The second transformation rule ensures that only positive literals are in the scope of modal operators. It can be shown that the resulting set of clauses is satisfiable if, and only if, the original set of clauses is satisfiable. We call the resulting normal form, in which there are no negative literals below modal operators, $\mathrm{SNF}^{+}_{ml}$.

– **Positive Resolution** is then the analogous special case of semantic resolution for an interpretation in which all propositional symbols are false. Electrons then must be clauses in which all literals are positive.

SNF_ml can be restricted to positive resolution if we only allow negative literals in the scope of modal operators. Given a set Φ of clauses in SNF_ml, we exhaustively apply the following transformations to Φ (where ml ∈ ℕ, t ∈ L_P, p ∈ P, and t′ is a new propositional symbol):

$$\begin{aligned} \Phi' \cup \{ ml : p \to (a)t \} &\Rightarrow \Phi' \cup \{ ml : \neg p \lor \neg t', ml : \neg t' \to (a)t \} \\ \Phi' \cup \{ ml : t \to (a)p \} &\Rightarrow \Phi' \cup \{ ml : t \to (a)\neg t', ml + 1 : t' \lor p \} \end{aligned}$$

These transformation rules are analogous to those for SNF⁺_ml. It can be shown that the resulting set of clauses is satisfiable if, and only if, the original set of clauses is satisfiable. We call the resulting normal form SNF⁻_ml.

– **Ordered Resolution** is a refinement of resolution where inferences are restricted to maximal literals in a clause, with respect to a well-founded ordering on literals. Formally, let ≺ be a well-founded and total ordering on P_Φ. This ordering can be extended to the literals L_P^Φ occurring in Φ by setting p ≺ ¬p and ¬q ≺ p whenever q ≺ p, for all p, q ∈ P_Φ. A literal l is said to be *maximal* with respect to a clause C ∨ l if, and only if, there is no l′ occurring in C such that l ≺ l′. In the case of classical binary resolution, the ordering refinement restricts the application to clauses C ∨ l and D ∨ ¬l where l is maximal with respect to C and ¬l is maximal with respect to D.

**Fig. 1.** Auxiliary functions isTrue and isProductive used in Fig. 2 and Fig. 4

The key idea for achieving completeness when restricting LRES to ordered resolution is to introduce new literals in the scope of the modal operators and set their ordering to be "low enough" so that the relevant literal clauses needed for the modal hyper-resolution rules (i.e., the GEN rules) are generated. Given a set of clauses Φ in SNF_ml and a well-founded and total ordering ≺ on P_Φ, we exhaustively apply the following transformations to Φ (where ml ∈ ℕ, t, l ∈ L_P^Φ and t′ is a new propositional symbol):

$$\begin{array}{l} \Phi' \cup \{ ml : t \to [a]l \} \Rightarrow \Phi' \cup \{ ml : t \to [a]t', ml + 1 : \neg t' \lor l \} \\\Phi' \cup \{ ml : t \to \langle a \rangle l \} \Rightarrow \Phi' \cup \{ ml : t \to \langle a \rangle t', ml + 1 : \neg t' \lor l \} \end{array}$$

and extend the given ordering by setting t′ ≺ p, for all p occurring in Φ. Recall that Φ already includes surrogate propositional symbols from the transformation of a modal formula ϕ to SNF_ml. We call the resulting normal form SNF⁺⁺_ml. Note that we only need to apply the rewriting rule to the clauses in Φ, but not to the generated clauses in SNF⁺⁺_ml. Thus, the rewriting procedure is terminating. Two characteristics of SNF⁺⁺_ml that we will use in our proofs are that (i) the only positive occurrence of a symbol t′ introduced by the transformation is below a modal operator, all other occurrences of t′ are negative; and (ii) there are no two modal clauses with the same propositional symbol below a modal operator.
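The three renamings above (to SNF⁺_ml, SNF⁻_ml and SNF⁺⁺_ml) as an added Python example; this is my own code, not code from the paper or from the KSP prover. It assumes a tuple encoding of clauses, reads the generic operator (a) of the SNF⁺/SNF⁻ rules as "either [a] or ⟨a⟩", and names fresh symbols t1, t2, ... (so the t_{¬r} of Example 1 in Sect. 3 comes out as t1); the constant PHI1 transcribes Φ₁ from that example. The SNF⁺⁺ function also returns the ordering extended with the fresh symbols placed below every existing one, as the text requires.

```python
"""Normal-form rewriting of SNF_ml clause sets into SNF⁺_ml, SNF⁻_ml and SNF⁺⁺_ml (added example).
Encoding (constructed): literal = (symbol, positive); literal clause = ("lit", ml, frozenset);
modal clause = ("box" | "dia", ml, agent, l1, l2) for ml : l1 → [a]l2 / ml : l1 → ⟨a⟩l2.
The generic operator (a) of the SNF⁺/SNF⁻ rules is read as 'either [a] or ⟨a⟩' (assumption)."""
from itertools import count

def lit(s):
    return (s[1:], False) if s.startswith("¬") else (s, True)

def L(ml, *ls):
    return ("lit", ml, frozenset(lit(s) for s in ls))

def MODAL(op, ml, l1, l2, a="a"):
    return (op, ml, a, lit(l1), lit(l2))

def symbols_of(clauses):
    return {l[0] for c in clauses for l in (c[2] if c[0] == "lit" else c[3:])}

def fresh_names(used):
    """Yield t1, t2, ... skipping names already used in the clause set."""
    for i in count(1):
        if f"t{i}" not in used:
            yield f"t{i}"

def restrict_polarity(clauses, want):
    """Exhaustive SNF⁺ (want=True) / SNF⁻ (want=False) rewriting: afterwards every modal clause has
    an antecedent and a literal below the operator of polarity `want`.  Rewritten modal clauses go
    back on the worklist because the two rules are not mutually exclusive."""
    gen, done, work = fresh_names(symbols_of(clauses)), [], list(clauses)
    while work:
        c = work.pop()
        if c[0] == "lit":
            done.append(c)
            continue
        op, ml, a, (s1, p1), (s2, p2) = c
        if p1 != want:       # first rule: rename the antecedent, keep the link as a literal clause at ml
            t = next(gen)
            work.append((op, ml, a, (t, want), (s2, p2)))
            done.append(("lit", ml, frozenset({(s1, want), (t, want)})))
        elif p2 != want:     # second rule: rename below the operator, keep the link at level ml + 1
            t = next(gen)
            work.append((op, ml, a, (s1, p1), (t, want)))
            done.append(("lit", ml + 1, frozenset({(t, not want), (s2, not want)})))
        else:
            done.append(c)
    return done

def to_snf_pp(clauses, ordering):
    """SNF⁺⁺ rewriting: each original modal clause ml : t → [a]l (or ⟨a⟩l) becomes ml : t → [a]t'
    plus ml + 1 : ¬t' ∨ l, and every fresh t' is placed below all symbols of `ordering` (a list,
    smallest first).  Generated clauses are not rewritten again, so a single pass suffices."""
    gen, out, fresh = fresh_names(symbols_of(clauses) | set(ordering)), [], []
    for c in clauses:
        if c[0] == "lit":
            out.append(c)
            continue
        op, ml, a, l1, l2 = c
        t = next(gen)
        fresh.append(t)
        out.append((op, ml, a, l1, (t, True)))
        out.append(("lit", ml + 1, frozenset({(t, False), l2})))
    return out, fresh + list(ordering)

def in_normal_form(clauses, want):
    """Polarity invariant of SNF⁺ (want=True) / SNF⁻ (want=False) on the modal clauses."""
    return all(c[3][1] == want and c[4][1] == want for c in clauses if c[0] != "lit")

# Φ₁ from Example 1: 0 : q, 0 : q → ⟨a⟩¬r, 1 : q ∨ r (transcribed from the paper)
PHI1 = [L(0, "q"), MODAL("dia", 0, "q", "¬r"), L(1, "q", "r")]
```

Running `to_snf_pp(PHI1, ["q", "r"])` yields clauses (1) to (4) of Example 1 with t1 in place of t_{¬r} and the ordering t1 ≺ q ≺ r; `restrict_polarity` applied to a clause such as 0 : ¬p → ⟨a⟩¬q with `want=True` applies both SNF⁺ rules in turn, introducing two fresh symbols.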

**Theorem 3.** *Let* ϕ *be a satisfiable modal formula, let* Φ *be the corresponding finite set of clauses in* SNF_ml, SNF⁻_ml, SNF⁺_ml, *or* SNF⁺⁺_ml. *If* M *is a Kripke model of* Φ *then* M *is a Kripke model of* ϕ*.*

*Proof.* Follows from the proofs of Lemmata 3.6 and 3.9 to 3.13 in [17].

**Theorem 4.** *Let* Φ *be a finite set of clauses in* SNF_ml, SNF⁻_ml, SNF⁺_ml, *or* SNF⁺⁺_ml. *Let* Φ′ *be the saturation of* Φ *with respect to* MLR *or one of its refinements. If* M *is a Kripke model of* Φ′ *then* M *is a Kripke model of* Φ*.*

#### **3 Deterministic Model Construction for SNF⁺⁺_ml Clauses**

We first describe a model construction algorithm for a set of SNF⁺⁺_ml clauses. Let Φ be a satisfiable set of SNF⁺⁺_ml clauses. Let ≺ be a total ordering on the propositional symbols in P_Φ compliant with the conditions set out in Sect. 2. Let Φ′ be the saturation of Φ wrt the ordered resolution refinement of MLR with ordering ≺. Let maxlit be the function that maps a propositional clause C to the ≺-maximal literal in C.

For our model construction procedure we need to extend ≺ to a well-founded total ordering on SNF⁺⁺_ml clauses that we will also denote by ≺. Recall that p ≺ ¬p for every p ∈ P_Φ and ¬p ≺ q iff p ≺ q for every p, q ∈ P_Φ. We now extend ≺ to propositional clauses (sets of propositional literals) such that C₁ ≺ C₂ iff (i) C₁ ≠ C₂, and (ii) whenever l₁ ∈ C₁ but l₁ ∉ C₂ then there exists l₂ with l₁ ≺ l₂, l₂ ∈ C₂, l₂ ∉ C₁. Finally, on SNF⁺⁺_ml clauses we allow any well-founded total ordering such that ml₁ : ψ₁ ≺ ml₂ : ψ₂ if (i) ml₁ < ml₂ or (ii) ml₁ = ml₂, ψ₁ and ψ₂ are propositional clauses, and ψ₁ ≺ ψ₂. Strictly, the procedure itself only relies on the ordering on literal clauses, but the correctness proof also requires an ordering between literal and modal clauses.

Figure 2 shows our deterministic model construction procedure for saturated sets of SNF⁺⁺_ml clauses. The procedure uses the auxiliary functions isTrue and isProductive shown in Fig. 1. The procedure constructs a Kripke structure starting at modal level 0 with a root world and proceeds in much the same way as a classic tableau procedure [13]. The main difference is that the valuation for each world is constructed deterministically using the Bachmair-Ganzinger model construction (Lines 9–12). Once the valuation for a world w at modal level ml has been constructed, first each negative modal clause ml : l → ⟨a⟩l′ is considered (Lines 14–19). If the literal l is true at w, then a new successor world w′ is created, using an auxiliary function new_{ml,a,l′}(w), and the pair (w, w′) is added to the accessibility relation R_a for agent a. If the literal l′ is positive, then it is added to the valuation for world w′. After all those negative modal clauses have been considered, all successor worlds of w necessary for a model have been created, and each positive modal clause ml : l → [a]l′ is considered (Lines 20–22). If the literal l is true at w and the literal l′ is positive, then l′ is added to the valuation of each successor world w′ of w for R_a. Crucially, for both positive and negative modal clauses in SNF⁺⁺_ml, the literal l′ below the modal operator is always positive. Since a world is never removed from the valuation V, later modifications of V will not result in a situation where l′ becomes false at a successor world w′.

**Theorem 5.** *Let* ϕ *be a satisfiable modal formula and let* Φ *be the corresponding finite set of* SNF⁺⁺_ml *clauses. Let* Φ′ *be the saturation of* Φ *wrt the ordered refinement of* MLR *with an ordering* ≺*. Let* M *be the Kripke structure constructed by the algorithm in Fig. 2 for* Φ′*. Then* M *is a model of* Φ′*,* Φ*, and* ϕ*.*

**Fig. 2.** Local Model Construction for SNF⁺⁺_ml

*Example 1.* Consider the satisfiable set Φ₁ of SNF_ml clauses consisting of the three clauses 0 : q, 0 : q → ⟨a⟩¬r and 1 : q ∨ r. The transformation to SNF⁺⁺_ml introduces an additional propositional symbol t_{¬r} and the resulting set Φ₁⁺⁺ of SNF⁺⁺_ml clauses consists of

(1) 0 : q  (2) 0 : q → ⟨a⟩t_{¬r}  (3) 1 : q ∨ r  (4) 1 : ¬t_{¬r} ∨ ¬r

In the ordering on the propositional symbols in P_{Φ₁⁺⁺}, t_{¬r} must be smaller than q and r. We assume t_{¬r} ≺ q ≺ r. Saturation only derives one additional clause

(5) 1 : q ∨ ¬t_{¬r}

by application of LRES to Clauses (3) and (4). The order between the three literal clauses at level 1 is 1 : q ∨ ¬t_{¬r} ≺ 1 : q ∨ r ≺ 1 : ¬t_{¬r} ∨ ¬r. The model construction process then proceeds as follows.


The constructed Kripke structure is

W = {w₀, w₁}, R_a = {(w₀, w₁)}, V(q) = {w₀, w₁}, V(r) = ∅, V(t_{¬r}) = {w₁}, which is a model of both Φ₁⁺⁺ and Φ₁.

#### **4 Deterministic Model Construction for SNF⁻_ml Clauses**

The model construction for sets of SNF⁺⁺_ml clauses saturated with respect to the ordered refinement of MLR used the same ordering ≺ as was used by the calculus. However, the positive resolution refinement of MLR is not based on an ordering and therefore there is no pre-existing ordering that can be used in the model construction for sets of SNF⁻_ml clauses saturated with respect to the positive resolution refinement of MLR. So, to adapt the procedure presented in Sect. 3 to sets of SNF⁻_ml clauses, we need to construct an ordering. The fact that below operators we now only have negative propositional literals further complicates things, as we have to make sure that we do not unnecessarily produce the corresponding positive literals from literal clauses.

**Fig. 3.** Auxiliary function constructOrdering used in Fig. 4

Suppose we have a world w at modal level ml and we have determined that ⟨a⟩¬p₁, ..., ⟨a⟩¬p_m, [a]¬q₁, ..., [a]¬q_n, 0 < m, 0 ≤ n, are all the modal literals that have to be true at w. For each ⟨a⟩¬p_i, 1 ≤ i ≤ m, we have to create a successor world w_i of w at modal level ml + 1. Then we have to make sure that p_i, q₁, ..., q_n are smaller than all other propositional symbols for w_i, 1 ≤ i ≤ m, in order to ensure that literal clauses ml + 1 : ψ do not unnecessarily produce p_i or one of the q_j, 1 ≤ j ≤ n, when considered for the world w_i. For this purpose, first we use a function-valued variable PS that for each successor world w_i keeps track of the propositional symbols p_i, q₁, ..., q_n. Second, we use a function constructOrdering (Fig. 3) that, given PS(w_i) for some world w_i, constructs an ordering ≺_{w_i} on propositional symbols specifically for w_i that has the desired property.

This ordering is then extended to literals and to literal clauses with the same modal level as in Sect. 3. This is sufficient for the model construction procedure in Fig. 4. Except for the function-valued variable PS and the function constructOrdering, the only other difference to the model construction procedure for SNF⁺⁺_ml in Fig. 2 is that literals below modal operators are always negative and therefore never change the valuation.

However, for our correctness proof we need to combine and extend these orderings into a total ordering. This total ordering will not be on the clauses themselves but on ordered pairs (w, ml : ψ) consisting of a world w at modal level ml in a Kripke structure M and a clause ml : ψ ∈ Φ. We use H(Φ, M) to denote the set of all such ordered pairs.

Let W be the set of worlds in a Kripke structure M produced by the algorithm in Fig. 4. We can use the order in which the worlds in W were generated to impose a total ordering ≺_W on W. Note that ml_M(w₁) < ml_M(w₂) implies w₁ ≺_W w₂. Then on H(Φ, M) we allow any well-founded total ordering ≺_{H(Φ,M)} such that (w₁, ml₁ : ψ₁) ≺ (w₂, ml₂ : ψ₂) if (i) ml₁ < ml₂, or (ii) ml₁ = ml₂ and w₁ ≺_W w₂, or (iii) ml₁ = ml₂, w₁ = w₂, ψ₁ and ψ₂ are propositional clauses, and ψ₁ ≺_{w₁} ψ₂.

**Theorem 6.** *Let* ϕ *be a satisfiable modal formula and let* Φ *be the corresponding finite set of* SNF⁻_ml *clauses. Let* Φ′ *be the saturation of* Φ *wrt the positive resolution refinement of* MLR*. Let* M *be the Kripke structure constructed by the algorithm in Fig. 4 for* Φ′*. Then* M *is a model of* Φ′*,* Φ*, and* ϕ*.*

**Fig. 4.** Local Model Construction for SNF⁻_ml

*Example 2.* Consider the satisfiable set of clauses Φ₂⁻ in SNF⁻_ml:

$$\begin{array}{ccccc}(6) & 0:q & \text{ (7) } & 0: \neg q \to \langle a \rangle \neg q & & \text{ (9) } & 0: \neg p \to [a] \neg t\_1 \\ & & \text{ (8) } & 0: \neg p \to \langle a \rangle \neg r & & \text{ (10) } & 1: t\_1 \lor q \lor r \end{array}$$

where ¬t₁ is a surrogate introduced for (q ∨ r). This set of clauses is saturated with respect to the positive resolution refinement of MLR. The model construction for Φ₂⁻ proceeds as before:


Before the model construction proceeds to w₁, we now determine the ordering ≺_{w₁}. The literals ¬r and ¬t₁ 'contribute' to the construction of w₁, so r and t₁ must be smaller in ≺_{w₁} than the other propositional symbols p and q. Let us assume t₁ ≺_{w₁} r ≺_{w₁} p ≺_{w₁} q. So, when we proceed to w₁ and the clause 1 : t₁ ∨ q ∨ r, it will be q that is made true, not r:


The constructed Kripke structure M₂ is

$$\begin{array}{ll} W = \{w\_0, w\_1\} & V(p) = \emptyset & V(q) = \{w\_0, w\_1\} & V(r) = \emptyset \\ R\_a = \{ (w\_0, w\_1) \} & & & \end{array}$$

which is a model of Φ₂⁻.

#### **5 Deterministic Model Construction for SNF⁺_ml Clauses**

Our model construction for a set Φ of SNF⁺⁺_ml clauses saturated wrt the ordered resolution refinement of MLR started with a valuation in which every propositional symbol is false at every world and successively made propositional symbols true at certain worlds in order to ensure that all clauses of Φ are true in the constructed model.

For propositional clauses, negative resolution corresponds to semantic resolution wrt the valuation V in which all propositional symbols are true. A model construction for a set Φ of SNF⁺_ml clauses saturated wrt the negative resolution refinement of MLR would therefore naturally start with a valuation in which every propositional symbol is true at every world and successively make propositional symbols false at certain worlds to obtain a model of Φ.

However, instead of devising a new model construction procedure that does so, we take advantage of the fact that we can simply reverse the polarity of all literals in Φ, to again start with a valuation in which every propositional symbol is false at every world.

More formally, let ι⁻ be a function on propositional literals such that for every propositional symbol p ∈ P, ι⁻(p) = ¬p and ι⁻(¬p) = p. The function ι⁻ can be homomorphically extended to clauses and sets of clauses as follows:

$$\begin{aligned} \iota^{-}(ml:l\_{1}\vee\cdots\vee l\_{m}) &= ml:\iota^{-}(l\_{1})\vee\cdots\vee\iota^{-}(l\_{m})\\ \iota^{-}(ml:l'\rightarrow[a]l) &= ml:\iota^{-}(l')\rightarrow[a]\iota^{-}(l)\\ \iota^{-}(ml:l'\rightarrow\langle a\rangle l) &= ml:\iota^{-}(l')\rightarrow\langle a\rangle\iota^{-}(l) \end{aligned}$$

and ι⁻(Φ) = {ι⁻(ml : ψ) | ml : ψ ∈ Φ}. Let I⁺ be a function on Kripke structures such that for M = (W, {R_a}_{a∈A_n}, V), I⁺(M) = (W, {R_a}_{a∈A_n}, V⁺), where V⁺(p) = W − V(p) for every p ∈ P.

**Lemma 1.** *Let* Φ *be a set of clauses in* SNF_ml. *Let* M^f *be a tree Kripke model of* Φ^f = ι⁻(Φ). *Then* I⁺(M^f) *is a tree Kripke model of* Φ*.*

**Lemma 2.** *Let* Φ⁺ *be a set of clauses in* SNF⁺_ml *that is saturated with respect to the negative resolution refinement of* MLR. *Then* Φ^f = ι⁻(Φ⁺) *is (i) a set of clauses in* SNF⁻_ml *and (ii) saturated with respect to the positive resolution refinement of* MLR*.*

**Theorem 7.** *Let* ϕ *be a satisf­iable modal formula, let* Φ *be the corresponding finite set of clauses in* SNF⁺_ml, *and let* Φ′ *be the saturation of* Φ *wrt the negative resolution refinement of* MLR. *Let* Φ^f = ι⁻(Φ′), *let* M^f *be the Kripke structure constructed by the algorithm in Fig. 4 for* Φ^f, *and let* M = I⁺(M^f). *Then* M *is a model of* Φ′*,* Φ*, and* ϕ*.*

*Example 3.* Consider the satisfiable SNF⁺_ml clause set Φ₃⁺ = {0 : p, 0 : p → ⟨a⟩r, 0 : q → [a]q, 1 : q ∨ ¬r}. Reversing the polarity of all literals in Φ₃⁺ gives us the SNF⁻_ml clause set Φ₃^f

(11) 0 : ¬p  (12) 0 : ¬p → ⟨a⟩¬r  (13) 0 : ¬q → [a]¬q  (14) 1 : ¬q ∨ r

which is saturated with respect to the positive resolution refinement of calculus MLR.


Before the model construction proceeds to w₁, we now fix the ordering ≺_{w₁}. The literals ¬q and ¬r 'contributed' to the construction of w₁, so q and r must both be smaller in ≺_{w₁} than the only other propositional symbol p, while we can impose an arbitrary order between q and r, e.g., q ≺_{w₁} r ≺_{w₁} p.


The resulting Kripke structure M₃^f is

$$W = \{w\_0, w\_1\} \quad R\_a = \{(w\_0, w\_1)\} \quad V(p) = V(q) = V(r) = \emptyset$$

which is a model of Φ₃^f. We obtain M₃⁺ by reversing the valuation in M₃^f:

$$\begin{array}{l} W = \{w\_0, w\_1\} \\ R\_a = \{(w\_0, w\_1)\} \end{array} \quad \begin{array}{l} V(p) = V(q) = V(r) = W - \emptyset = \{w\_0, w\_1\} \\ \end{array}$$

It is straightforward to check that M₃⁺ is a model of Φ₃⁺ = {0 : p, 0 : p → ⟨a⟩r, 0 : q → [a]q, 1 : q ∨ ¬r}.
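The model construction of Sect. 3 (Fig. 2), the per-world ordering of Sect. 4 (Figs. 3 and 4) and the polarity reversal ι⁻ / I⁺ of this section, as one added Python example that reproduces Examples 1, 2 and 3; this is my own code, not the paper's figures (which are not reproduced on this page) and not the KSP prover. Assumptions: the clause encoding, a global ordering for SNF⁺⁺_ml given as a list, and my reading of constructOrdering as "the symbols in PS(w) first, the remaining symbols in a base order". Saturation is not implemented; the saturated clause sets are transcribed from the three examples, including the derived clause (5).

```python
"""Local model construction for saturated SNF⁺⁺_ml / SNF⁻_ml clause sets (added example).
Encoding (constructed): literal = (symbol, positive); literal clause = ("lit", ml, frozenset);
modal clause = ("box" | "dia", ml, agent, l1, l2) for ml : l1 → [a]l2 / ml : l1 → ⟨a⟩l2.
Result (W, R, V): worlds in creation order, a set of (agent, w, w'), V: symbol → set of worlds."""
from collections import deque

def lit(s):
    return (s[1:], False) if s.startswith("¬") else (s, True)

def L(ml, *ls):
    return ("lit", ml, frozenset(lit(s) for s in ls))

def MODAL(op, ml, l1, l2, a="a"):
    return (op, ml, a, lit(l1), lit(l2))

def lit_key(l, rank):
    """≺ lifted to literals: p ≺ ¬p, and ¬q ≺ p whenever q ≺ p."""
    return (rank[l[0]], 0 if l[1] else 1)

def clause_key(lits, rank):
    """≺ lifted to literal clauses (set extension): compare literals from the largest downwards."""
    return sorted((lit_key(l, rank) for l in lits), reverse=True)

def global_ordering(symbols):
    """SNF⁺⁺ case: one fixed ordering (list, smallest first) used at every world."""
    rank = {s: i for i, s in enumerate(symbols)}
    return lambda w, ps: rank

def construct_ordering(base):
    """SNF⁻ case: at world w the symbols in PS(w) go below all others, ties follow `base`
    (my reading of constructOrdering in Fig. 3; assumption)."""
    def at(w, ps):
        ordered = [s for s in base if s in ps] + [s for s in base if s not in ps]
        return {s: i for i, s in enumerate(ordered)}
    return at

def construct_model(clauses, ordering_at):
    """Breadth-first from the root w0 at level 0: Bachmair-Ganzinger valuation over the level's
    literal clauses, then ⟨a⟩-clauses create successors, then [a]-clauses constrain them."""
    worlds, R, V, PS = [], set(), {}, {"w0": set()}
    queue = deque([("w0", 0)])

    def holds(l, w):
        return (w in V.get(l[0], set())) == l[1]

    while queue:
        w, ml = queue.popleft()
        worlds.append(w)
        rank = ordering_at(w, PS[w])
        at_level = [c for c in clauses if c[1] == ml]
        for _, _, lits in sorted((c for c in at_level if c[0] == "lit"),
                                 key=lambda c: clause_key(c[2], rank)):
            if not any(holds(l, w) for l in lits):        # clause still false at w ...
                sym, pos = max(lits, key=lambda l: lit_key(l, rank))
                if pos:                                   # ... and productive: make maxlit true
                    V.setdefault(sym, set()).add(w)
        for _, _, a, l1, (sym, pos) in (c for c in at_level if c[0] == "dia"):
            if holds(l1, w):                              # ml : l1 → ⟨a⟩l2 fires: fresh successor
                w2 = f"w{len(worlds) + len(queue)}"
                R.add((a, w, w2))
                PS[w2] = {sym}
                queue.append((w2, ml + 1))
                if pos:
                    V.setdefault(sym, set()).add(w2)
        for _, _, a, l1, (sym, pos) in (c for c in at_level if c[0] == "box"):
            if holds(l1, w):                              # ml : l1 → [a]l2: every a-successor of w
                for w2 in [y for (b, x, y) in R if (b, x) == (a, w)]:
                    PS[w2].add(sym)
                    if pos:
                        V.setdefault(sym, set()).add(w2)
    return worlds, R, V

def reverse_polarity(clauses):
    """ι⁻: negate every literal, in literal clauses and on both sides of modal clauses."""
    flip = lambda l: (l[0], not l[1])
    return [("lit", c[1], frozenset(map(flip, c[2]))) if c[0] == "lit"
            else (c[0], c[1], c[2], flip(c[3]), flip(c[4])) for c in clauses]

def reverse_valuation(worlds, V, symbols):
    """I⁺: V⁺(p) = W − V(p) for every symbol p."""
    return {s: set(worlds) - V.get(s, set()) for s in symbols}

# Saturated clause sets of Examples 1-3, transcribed from the paper (derived clause (5) included).
PHI1_PP = [L(0, "q"), MODAL("dia", 0, "q", "t¬r"), L(1, "q", "r"), L(1, "¬t¬r", "¬r"), L(1, "q", "¬t¬r")]
PHI2_MINUS = [L(0, "q"), MODAL("dia", 0, "¬q", "¬q"), MODAL("dia", 0, "¬p", "¬r"),
              MODAL("box", 0, "¬p", "¬t1"), L(1, "t1", "q", "r")]
PHI3_PLUS = [L(0, "p"), MODAL("dia", 0, "p", "r"), MODAL("box", 0, "q", "q"), L(1, "q", "¬r")]

def example1():  # SNF⁺⁺ with t¬r ≺ q ≺ r
    return construct_model(PHI1_PP, global_ordering(["t¬r", "q", "r"]))

def example2():  # SNF⁻; the base list yields t1 ≺ r ≺ p ≺ q at w1
    return construct_model(PHI2_MINUS, construct_ordering(["t1", "r", "p", "q"]))

def example3():  # SNF⁺: flip to SNF⁻, construct, then flip the valuation back
    W, R, Vf = construct_model(reverse_polarity(PHI3_PLUS), construct_ordering(["q", "r", "p"]))
    return W, R, reverse_valuation(W, Vf, ["p", "q", "r"])
```

The three `example` functions return exactly the structures printed in the paper: for Example 1 the valuation makes q true at both worlds and t_{¬r} at w₁ only; for Example 2 the per-world ordering keeps r and t₁ false at w₁ so that clause (10) produces q; for Example 3 the flipped set yields an empty valuation that I⁺ turns into p, q, r true everywhere. The same `construct_model` serves both normal forms because the only differences, the ordering callback and whether the literal below an operator can ever be positive, are data rather than control flow.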

# **6 Discussion**

The model construction procedures presented in this paper are inspired by and closely related to the Bachmair-Ganzinger model construction procedure [2,15]. The primary purpose of this model construction procedure is to prove the completeness of resolution and superposition calculi, in particular, ordered resolution with selection for first-order clausal logic. But it can also be used to construct a Herbrand model of a specific saturated set of propositional or ground first-order clauses.

Commonalities and differences between the two approaches are best illustrated by an example. Consider the following set of clauses in SNF⁺⁺_ml.

$$\begin{array}{ccccc} \text{(15)} & 0: p\_0 & \text{(16)} & 0: p\_0 \to [a]q\_1 & & \text{(18)} & 1: \neg q\_2 \lor \neg q\_1 \lor q\_0\\ & & \text{(17)} & 0: p\_0 \to \langle a \rangle q\_2 & & & \end{array}$$

The corresponding set of first-order clauses, using the relational translation and ignoring the specific modal levels at which each SNF⁺⁺_ml clause is meant to hold, is as follows.

$$\begin{array}{ccccc}\text{(19)} & p\_0(w\_0) & \text{(20)} & \neg p\_0(x) \lor \neg r(x,y) \lor q\_1(y) & \text{(23)} & \neg q\_2(x) \lor \neg q\_1(x) \lor q\_0(x) \\ & & & \text{(21)} & \neg p\_0(x) \lor q\_2(f(x)) \\ & & & \text{(22)} & \neg p\_0(x) \lor r(x,f(x)) \end{array}$$

Following [28] on resolution-based decision procedures for the relational translation of basic modal logic, we choose an ordering that ensures that ¬r(x, y), q2(f(x)) and r(x, f(x)) are maximal in Clauses (20), (21) and (22), respectively. We are free to impose an arbitrary order on unary literals and we choose an ordering such that p0(x) ≺ q0(x) ≺ q1(x) ≺ q2(x). We can then derive the following additional clauses:

$$\begin{array}{ll} \text{[ORes},20(2),22(2)] & \text{(24)} \quad \neg p\_0(x) \lor \neg p\_0(x) \lor q\_1(f(x))\\ \text{[ORes},21(2),23(1)] & \text{(25)} \quad \neg p\_0(x) \lor \neg q\_1(f(x)) \lor q\_0(f(x))\\ \text{[ORes},24(3),25(2)] & \text{(26)} \quad \neg p\_0(x) \lor \neg p\_0(x) \lor \neg p\_0(x) \lor q\_0(f(x)) \end{array}$$

Here 'ORes' denotes an inference by ordered resolution, followed by the identifying numbers of the clauses that are the premises of the inference. The number in parentheses identifies the literal in each premise on which we resolve. The Bachmair-Ganzinger model construction operates on ground clauses, in particular, all ground instances of the first-order clauses here, and it views clauses as multisets of literals. However, the Herbrand universe for this set of clauses is infinite. Given that a Kripke model for the set of SNF⁺⁺_ml clauses has at most depth 1, we can restrict ourselves to the terms w₀ and f(w₀).

The constructed model consists of p₀(w₀), r(w₀, f(w₀)), q₀(f(w₀)), q₁(f(w₀)) and q₂(f(w₀)). In particular, q₀(f(w₀)) is produced by an instance of Clause (26).

For this particular example, our own procedure will arrive at the same model, but the way it does so differs in a number of ways. First, we are more constrained regarding the order we can use. Regarding the propositional symbols q₀, q₁ and q₂ we have to ensure that the propositional symbols q₁ and q₂ that appear below modal operators are smaller than the other propositional symbols. So, the ordering p₀ ≺ q₀ ≺ q₁ ≺ q₂ corresponding to the one we used in the first-order setting is not admissible. Instead we have to use, for example, q₁ ≺ q₂ ≺ p₀ ≺ q₀.

Second, irrespective of the ordering, no inferences by MLR are possible on Clauses (15) to (18). This also means no equivalent of Clause (26) will be derived. Consequently, our model construction procedure has fewer clauses available and less explicit information about which propositional symbols have to be true.

Third, the order in which clauses are considered by the Bachmair-Ganzinger procedure for ground first-order clauses is solely down to the ordering. In contrast, our model construction procedure considers literal clauses according to the ordering, but negative and positive modal clauses are handled separately. This design choice is mainly down to the fact that the effects of existential and universal quantifiers are dealt with at different times. In the first-order setting, existential quantifiers are dealt with by the use of Skolem functions in first-order clauses while universal quantifiers are dealt with by instantiation when ground clauses are computed. In the modal setting, ⟨a⟩- and [a]-operators are only dealt with by the model construction procedure.

Regarding the complexity of our approach we can observe the following.

**Theorem 8.** *Let* ϕ *be a satisfiable modal formula, let* Φ *be the corresponding finite set of clauses in one of the three normal forms* SNF⁺⁺_ml, SNF⁺_ml *or* SNF⁻_ml, *let* Φ′ *be the saturation of* Φ *wrt the corresponding refinement of* MLR, *and let* M *be the model generated by the corresponding model construction procedure. Then*


Theorem 8a follows from the fact that the normal form transformation introduces at most two clauses for each occurrence of a logical operator in ϕ. Regarding Theorem 8b, the resolution procedure for propositional clauses runs in deterministic exponential time in the number of literals occurring in the clause set [25]. The refinements we use and the additional modal inference rules in MLR do not change the overall complexity; in particular, no new modal clauses are generated by any of the inference rules. For Theorem 8c, the number of worlds in a tree Kripke model of ϕ is at most exponential in the size of ϕ [9]. For each of the worlds in the model we have to consider exponentially many literal clauses to determine the valuation of the model. The consideration of each clause takes at most linear time in the number of propositional symbols in Φ′.

It is worth pointing out that the Bachmair-Ganzinger procedure only takes time O(|Φ|l log(|Φ|)) for a set of ground clauses Φ [15]. In the context of the translation of modal formulae to first-order clausal logic, the size of the set N of non-ground clauses obtained from the translation of ϕ is linear in the size of ϕ. But the size of the set N′ of ground clauses obtained by instantiation can be exponential in the size of N and therefore in the size of ϕ. So, while the construction of a Herbrand model then only requires polynomial time in the size of N′, it takes exponential time in the size of N and of ϕ. This then aligns with Theorem 8.

# **7 Extension to the Modal Cube**

A multitude of extensions of the basic modal logic K_n can be formed by adding one or more axioms to the axiomatisation of K_n itself. The most extensively studied axioms are ψ → [a]⟨a⟩ψ (B), [a]ψ → ⟨a⟩ψ (D), [a]ψ → ψ (T), [a]ψ → [a][a]ψ (4), and ⟨a⟩ψ → [a]⟨a⟩ψ (5). Model-theoretically, these additional axioms correspond to properties of the accessibility relation R_a for the agent a ∈ A_n. For the above axioms, the properties are symmetry, seriality, reflexivity, transitivity and Euclideanness, respectively.

**Fig. 5.** Model Construction for modal logic *L*

In [20] we have presented reductions ρ^{sml}_L(ϕ) for logics L that are extensions of the mono-modal logic K with these axioms and their combinations. We have shown that a formula ϕ in simplified negation normal form is L-satisfiable iff the set ρ^{sml}_L(ϕ) of clauses in SNF_ml is satisfiable. In particular, we have shown that given a tree Kripke structure M = (W, R, V, w₀) that satisfies ρ^{sml}_L(ϕ) we can obtain a Kripke structure M_L = (W, R_L, V, w₀) that satisfies ϕ, where R_L is obtained by computing the closure of R corresponding to the additional axioms in L.

Putting these ingredients together gives us the algorithm in Fig. 5, where we use the ordered resolution refinement of MLR together with our model construction algorithm for sets of clauses in SNF⁺⁺_ml. Here, simplifiedNNF is a function that computes the simplified negation normal form of a modal formula, SNF2SNF++ is a function that transforms a set of clauses in SNF_ml into a set of clauses in SNF⁺⁺_ml using the additional renaming steps described in Sect. 2, constructOrderSNF++ constructs an ordering on the propositional symbols in a set of clauses in SNF⁺⁺_ml compliant with the conditions set out in Sect. 2, and closure is a function that computes the closure of a binary relation R with respect to the relation properties corresponding to the additional axioms in a modal logic L.

The Kripke structure returned by the algorithm in Fig. 5 is then an L-model of the formula ϕ.
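The closure step of Fig. 5 as an added Python example; this is my own code, not the paper's algorithm or the reduction of [20]. It takes the axiom names T, B, 4 and 5 from above and computes the corresponding reflexive, symmetric, transitive and Euclidean closure of R by iterating to a fixpoint; axiom D is left out, since seriality is not a closure of R over a fixed set of worlds. The sample relation is a constructed three-world chain, which is enough to make transitivity and Euclideanness produce pairs that are not in R.

```python
"""Closure of an accessibility relation under the frame conditions of the modal cube (added example).
R is a set of (w, w') pairs over a fixed list of worlds; `axioms` is a subset of {"T", "B", "4", "5"}.
Seriality (axiom D) would need new worlds rather than new pairs and is deliberately not handled."""

def closure(worlds, R, axioms):
    """Smallest relation containing R that is reflexive (T), symmetric (B), transitive (4)
    and/or Euclidean (5), for whichever of those axioms is requested."""
    R = set(R)
    if "T" in axioms:                       # reflexivity is a one-shot addition
        R |= {(w, w) for w in worlds}
    while True:                             # the other three interact, so iterate to a fixpoint
        new = set()
        if "B" in axioms:
            new |= {(y, x) for (x, y) in R}
        if "4" in axioms:
            new |= {(x, z) for (x, y) in R for (y2, z) in R if y == y2}
        if "5" in axioms:
            new |= {(y, z) for (x, y) in R for (x2, z) in R if x == x2}
        if new <= R:
            return R
        R |= new

# Constructed sample: a three-world chain w0 → w1 → w2 of the kind a tree model construction yields.
WORLDS = ["w0", "w1", "w2"]
CHAIN = {("w0", "w1"), ("w1", "w2")}

# Axiom sets of some logics of the cube, named as in the section above.
LOGICS = {"K": set(), "T": {"T"}, "KB": {"B"}, "K4": {"4"}, "K5": {"5"}, "S5": {"T", "4", "5"}}

def example_closures():
    """R_L for each logic in LOGICS, computed from the same chain."""
    return {name: closure(WORLDS, CHAIN, axioms) for name, axioms in LOGICS.items()}
```

For K the relation is returned unchanged; K4 adds the pair (w0, w2); K5 makes every world reachable from w0 a cluster with w1 and w2 seeing each other and themselves; S5 on a connected chain collapses to the full relation on all three worlds.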

# **8 Conclusion and Future Work**

In this paper we have presented deterministic model construction algorithms for satisfiable sets of modal clauses saturated with respect to three refinements of the modal-layered resolution calculus. These algorithms are meant to complement the provision of refutations for unsatisfiable sets of modal clauses that is a standard byproduct of resolution-based calculi.

In future work we intend to implement these algorithms in the prover KSP and to evaluate their effectiveness. For this it will be necessary to define a format in which Kripke models will be provided. Such a format was presented in [14]. Regarding an evaluation, a challenge will be to find other solvers for basic modal logic that can produce models. While there is a range of solvers for basic modal logic available, few output models. As found in [14], even where a solver claims to output models, those might be incomplete. The main cause appears to be the use of simplification during pre-processing and reasoning (pure literal elimination, tautology elimination, simplification to true) that may remove propositional symbols without the produced model then indicating a valuation for these symbols even where that valuation is not arbitrary. This kind of interaction between simplification and model generation is also an issue that we will need to pay close attention to when implementing our algorithms.

A potential improvement of the algorithms is to reuse existing worlds during the model construction. In tableau decision procedures this technique is known as blocking [1,3,5,21,27]. What complicates its application in our context is that each SNFml clause only holds at a certain modal level instead of universally.

**Acknowledgments.** C. Dixon was partially supported by the EPSRC funded Prosperity Partnership, CRADLE, EP/X02489X/1.

**Disclosure of Interests.** The authors have no competing interests to declare that are relevant to the content of this article.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# A Terminating Sequent Calculus for Intuitionistic Strong Löb Logic with the Subformula Property

Camillo Fiorentini¹ and Mauro Ferrari²

¹ Department of Computer Science, Università degli Studi di Milano, Milan, Italy
fiorentini@di.unimi.it

² Department of Theoretical and Applied Sciences, Università degli Studi dell'Insubria, Varese, Italy
mauro.ferrari@uninsubria.it

Abstract. Intuitionistic Strong Löb logic iSL is an intuitionistic modal logic with a provability interpretation. We introduce GbuSL□, a terminating sequent calculus for iSL with the subformula property. GbuSL□ modifies the sequent calculus G3iSL□ for iSL based on G3i, by annotating the sequents to distinguish rule applications into an unblocked phase, where any rule can be backward applied, and a blocked phase where only right rules can be used. We prove that, if proof search for a sequent σ in GbuSL□ fails, then a Kripke countermodel for σ can be constructed.

## 1 Introduction

Intuitionistic Strong Löb Logic iSL is the intuitionistic modal logic obtained by adding both the Gödel-Löb axiom □(□ϕ → ϕ) → □ϕ and the completeness axiom ϕ → □ϕ to **K**□, the □-fragment of Intuitionistic Modal Logic. Equivalently, iSL is the extension of **K**□ with the Strong Löb axiom (□ϕ → ϕ) → ϕ. Logic iSL has prominent relevance in the study of provability of Heyting Arithmetic HA. It is well known that the Gödel-Löb Logic, obtained by extending classical modal logic with the Gödel-Löb axiom, is the provability logic of Peano Arithmetic [11]. However, it is an open problem what the provability logic of HA should be; a solution to this problem is claimed in a preprint paper [8]. In [16], it is shown that iSL is the provability logic of an extension of HA with respect to slow provability. Moreover, iSL plays an important role in the Σ1-provability logic of HA [1]. We stress that iSL, as well as other related logics (such as the logics iGL, mHC and KM investigated in [13,14]), only treats the □-modality, connected with the provability interpretation; it is not clear what interpretation ♦ should have and which laws it should obey.

In this paper we investigate proof search for iSL. Recently, in [13,15] some sequent calculi for iSL have been introduced, obtained by enhancing the sequent calculus G3i [12] for IPL (Intuitionistic Propositional Logic) with the rule R□ to treat right □-formulas (actually, four variants of such a rule are proposed). We start by presenting the sequent calculus G3iSL⁺□ (see Fig. 1), a polished version of the calculus G3iSL□ [13,15] where rule R□ avoids some redundant duplications of formulas. The calculus G3iSL⁺□ has the *subformula property*, namely: every formula occurring in a G3iSL⁺□-tree is a subformula of a formula in the root sequent. However, G3iSL⁺□ is not well-suited for proof search. This is mainly due to the rule L→ for left implication, which has applications where the sequent α → β, Γ ⇒ α is both the conclusion and the left premise, and this yields loops in backward proof search. We are interested in a sequent calculus C where backward proof search always terminates, that is: given a sequent of C and repeatedly applying the rules of C upwards, proof search eventually halts, no matter which strategy is used. A calculus of this kind is called *(strongly) terminating* and can be characterized as follows: there exists a well-founded relation ≺ on the sequents of C such that, for every application ρ of a rule of C, if the sequent σ is the conclusion of ρ and σ' is any of the premises, then σ' ≺ σ. Clearly, any calculus containing rule L→ is not terminating; in this case, to get a terminating proof search procedure for C some machinery must be introduced (for instance, loop-checking). A calculus C is *weakly terminating* if it admits a terminating proof search strategy. The calculus G3i is weakly terminating.

A well-known terminating calculus for IPL is G4i [2]; this is obtained from G3i by replacing the looping rule L→ with more specialized rules: basically, the left rule with main formula α → β is defined according to the structure of α. The same approach is used in [13,15], where the G4-variants of the G3-calculi for iSL are introduced. The obtained calculi are weakly (but not strongly) terminating and the proof search procedure yields a countermodel in case of failure. This means that, if proof search for a sequent σ = Γ ⇒ δ fails, one gets a Kripke model for σ (as defined in [1,7]) certifying that δ is not an iSL-consequence of Γ. These results have been definitely improved in [10], where the G4-style (strongly) terminating calculus G4iSLt for iSL is presented. Notably, the proofs of termination and completeness (via cut-admissibility) have been formalized in the Coq Proof Assistant.

So far, it seems that the only way to design a (weakly or strongly) terminating calculus for iSL is to throw rule L→ away and to comply with G4-style. As a side effect, the obtained calculi lack the subformula property. Now, an intriguing question is: is it possible to get a terminating variant of G3iSL⁺□ still preserving the subformula property? To address this issue, we follow the approach discussed in [4,5], where (strongly) terminating variants of the intuitionistic calculus G3i are introduced: the crucial expedient is to decorate the sequents with one of the labels b (blocked) and u (unblocked). In backward proof search, if a sequent has label b, the (backward) application of left rules is blocked, so that only right rules can be applied. Accordingly, bottom-up proof search alternates between an unblocked phase, where both left and right rules can be applied, and a blocked phase, where the focus is on the right formula (the application of left rules is forbidden). We call the obtained calculus GbuSL□ (see Fig. 2). The subformula property of GbuSL□ can be easily checked; to ascertain that GbuSL□ is terminating, we introduce the well-founded relation ≺bu on labelled sequents (Definition 2). We show that a GbuSL□-derivation can be translated into a G3iSL⁺□-derivation; as a corollary, the calculus G3iSL⁺□ is weakly terminating. To prove the completeness of GbuSL□, we show that, if proof search for a sequent σ with label u fails, then a countermodel for σ can be built. An implementation of the proof search procedure, based on the Java framework JTabWb [6], is available at https://github.com/ferram/jtabwb_provers/tree/master/isl_gbuSL; the repository also contains the online appendix we refer to henceforth.

# 2 The Logic **iSL**

Formulas, denoted by lowercase Greek letters, are built from an enumerable set of propositional variables V, the constant ⊥ and the connectives ∧, ∨, → and □; ¬α is an abbreviation for α → ⊥. Let α be a formula and Γ a multiset of formulas. By □Γ we denote the multiset {□α | α ∈ Γ}. By Sf(α) we denote the set of the subformulas of α, including α itself; Sf(Γ) is the union of the sets Sf(α), for every α in Γ. The size of α, denoted by |α|, is the number of symbols in α; the size of Γ, denoted by |Γ|, is the sum of the sizes of the formulas α in Γ, taking into account their multiplicity. A relation R is *well-founded* iff there is no infinite descending chain . . . R x₂ R x₁ R x₀; R is *converse well-founded* if the converse relation R⁻¹ is well-founded.

An iSL-*(Kripke) model* K is a tuple ⟨W, ≤, R, r, V⟩ where W is a non-empty set (worlds), ≤ (the intuitionistic relation) and R (the modal relation) are subsets of W × W, r (the root) is the minimum element of W w.r.t. ≤, and V (the valuation function) is a map from W to 2^V such that:


Given an iSL-model K, the forcing relation ⊩ between worlds of K and formulas is defined as follows:

$$
\begin{array}{lcl}
\mathcal{K}, w \Vdash p & \text{iff} & p \in V(w), \ \text{for every } p \in \mathcal{V}\\
\mathcal{K}, w \nVdash \bot & & \\
\mathcal{K}, w \Vdash \alpha \wedge \beta & \text{iff} & \mathcal{K}, w \Vdash \alpha \ \text{and} \ \mathcal{K}, w \Vdash \beta\\
\mathcal{K}, w \Vdash \alpha \vee \beta & \text{iff} & \mathcal{K}, w \Vdash \alpha \ \text{or} \ \mathcal{K}, w \Vdash \beta\\
\mathcal{K}, w \Vdash \alpha \to \beta & \text{iff} & \forall w' \geq w,\ \text{if } \mathcal{K}, w' \Vdash \alpha \text{ then } \mathcal{K}, w' \Vdash \beta\\
\mathcal{K}, w \Vdash \Box\alpha & \text{iff} & \forall w' \in W,\ \text{if } w R w' \text{ then } \mathcal{K}, w' \Vdash \alpha.
\end{array}
$$

We write w ⊩ ϕ instead of K, w ⊩ ϕ when the model K at hand is clear from the context. One can easily prove that forcing is persistent, i.e.: if w ⊩ ϕ and w ≤ w', then w' ⊩ ϕ. Let Γ be a (multi)set of formulas. By w ⊩ Γ we mean that w ⊩ ϕ, for every ϕ in Γ. The iSL-consequence relation ⊨iSL is defined as follows:

$$
\Gamma \models_{\mathsf{iSL}} \varphi \quad \text{iff} \quad \forall \mathcal{K}\ \forall w\ (\mathcal{K}, w \Vdash \Gamma \implies \mathcal{K}, w \Vdash \varphi)\,.
$$

$$
\begin{array}{c}
\dfrac{}{p,\Gamma \Rightarrow p}\ \mathrm{Id}
\qquad
\dfrac{}{\bot,\Gamma \Rightarrow \delta}\ L\bot
\qquad
\dfrac{\alpha,\beta,\Gamma \Rightarrow \delta}{\alpha\wedge\beta,\Gamma \Rightarrow \delta}\ L\wedge
\qquad
\dfrac{\Gamma \Rightarrow \alpha \qquad \Gamma \Rightarrow \beta}{\Gamma \Rightarrow \alpha\wedge\beta}\ R\wedge
\\[3ex]
\dfrac{\alpha,\Gamma \Rightarrow \delta \qquad \beta,\Gamma \Rightarrow \delta}{\alpha\vee\beta,\Gamma \Rightarrow \delta}\ L\vee
\qquad
\dfrac{\Gamma \Rightarrow \alpha_k}{\Gamma \Rightarrow \alpha_0\vee\alpha_1}\ R\vee_k
\qquad
\dfrac{\alpha\to\beta,\Gamma \Rightarrow \alpha \qquad \beta,\Gamma \Rightarrow \delta}{\alpha\to\beta,\Gamma \Rightarrow \delta}\ L\!\to
\qquad
\dfrac{\alpha,\Gamma \Rightarrow \beta}{\Gamma \Rightarrow \alpha\to\beta}\ R\!\to
\\[3ex]
\dfrac{\Box\alpha,\Gamma,\Delta \Rightarrow \alpha}{\Gamma,\Box\Delta \Rightarrow \Box\alpha}\ R\Box
\end{array}
$$

Fig. 1. The calculus G3iSL⁺□ (p ∈ V, k ∈ {0, 1}). Rule R□ is displayed in the form described in Sect. 2: its premise omits the multiset □Δ of the conclusion.

The logic iSL is the set of formulas ϕ such that ∅ ⊨iSL ϕ. Accordingly, if ϕ ∉ iSL, there exists an iSL-model K such that r ⊮ ϕ, with r the root of K; we call K a *countermodel* for ϕ. We stress that iSL satisfies the finite model property [16]; thus, we can assume that iSL-models are finite and condition (M2) can be rephrased as "R is transitive and irreflexive".
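The forcing clauses above, run on a constructed two-world model, as an added example (Python written for this page, not the authors' JTabWb implementation). The frame conditions (M1) and (M2) are not reproduced on this page; the `frame_ok` check below assumes the finite-model reading of (M2) given above (R transitive and irreflexive) together with R ⊆ ≤ and (≤ ; R) ⊆ R, which is how the solid/dashed arrow convention of Example 1 reads, and the code flags that as an assumption. The model, the formula encoding and the formulas tried are all constructed here; among them are the completeness axiom, the Gödel-Löb and Strong Löb axioms from the Introduction, and the formula ¬¬□p of Example 2.

```python
"""Forcing in a finite Kripke model, following the clauses of Sect. 2.
Added example for this page; not code from the paper or from JTabWb."""

# Formula encoding (constructed for this example): ('var', name), ('bot',),
# ('and', a, b), ('or', a, b), ('imp', a, b), ('box', a).
BOT = ('bot',)
def var(n): return ('var', n)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)
def neg(a): return imp(a, BOT)          # ¬a abbreviates a → ⊥


class Model:
    """<W, <=, R, r, V>: `le` and `r` are sets of pairs, `val` maps worlds to sets of variables."""

    def __init__(self, worlds, le, r, root, val):
        self.W = list(worlds)
        self.le = set(le) | {(w, w) for w in worlds}   # <= is reflexive
        self.R = set(r)
        self.root = root
        self.V = val

    def forces(self, w, phi):
        """K, w ⊩ phi, clause by clause as in the definition of forcing."""
        k = phi[0]
        if k == 'var':
            return phi[1] in self.V[w]
        if k == 'bot':
            return False
        if k == 'and':
            return self.forces(w, phi[1]) and self.forces(w, phi[2])
        if k == 'or':
            return self.forces(w, phi[1]) or self.forces(w, phi[2])
        if k == 'imp':               # quantifies over all <=-successors of w
            return all(not self.forces(v, phi[1]) or self.forces(v, phi[2])
                       for v in self.W if (w, v) in self.le)
        if k == 'box':               # quantifies over all R-successors of w
            return all(self.forces(v, phi[1])
                       for v in self.W if (w, v) in self.R)
        raise ValueError(phi)

    def is_countermodel(self, phi):
        """K is a countermodel for phi iff its root does not force phi."""
        return not self.forces(self.root, phi)

    def persistent(self, phi):
        """Persistence: w ⊩ phi and w <= v imply v ⊩ phi."""
        return all(self.forces(v, phi) for (w, v) in self.le if self.forces(w, phi))

    def frame_ok(self):
        """ASSUMED frame conditions (the page does not reproduce (M1)/(M2)):
        <= transitive with the root as minimum, V monotone along <=,
        R transitive and irreflexive (finite-model reading of (M2)),
        R ⊆ <= and (<= ; R) ⊆ R (the arrow convention of Example 1)."""
        comp = lambda A, B: {(a, c) for (a, b) in A for (b2, c) in B if b == b2}
        return (comp(self.le, self.le) <= self.le
                and all((self.root, w) in self.le for w in self.W)
                and all(self.V[a] <= self.V[b] for (a, b) in self.le)
                and comp(self.R, self.R) <= self.R
                and all(a != b for (a, b) in self.R)
                and self.R <= self.le
                and comp(self.le, self.R) <= self.R)


def example_model():
    """Constructed model: root w0 below w1, w0 R w1, p true only at w1."""
    return Model(worlds=['w0', 'w1'], le={('w0', 'w1')}, r={('w0', 'w1')},
                 root='w0', val={'w0': set(), 'w1': {'p'}})


def check_axioms(m):
    """Which of the formulas discussed in Sect. 1 and Example 2 hold at the root."""
    p = var('p')
    return {
        'completeness p -> []p': m.forces(m.root, imp(p, box(p))),
        'Goedel-Loeb': m.forces(m.root, imp(box(imp(box(p), p)), box(p))),
        'strong Loeb': m.forces(m.root, imp(imp(box(p), p), p)),
        'reflection []p -> p': m.forces(m.root, imp(box(p), p)),
        '~~[]p (Example 2)': m.forces(m.root, neg(neg(box(p)))),
    }
```

On this model the three iSL axioms and ¬¬□p are forced at the root, while □p → p is not: w0 R w1 and p holds at w1, so w0 ⊩ □p, but p fails at w0. The model is therefore a countermodel for □p → p, and `persistent` confirms that every formula forced at w0 is still forced at w1.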

*Example 1.* Figure 5 defines a formula ψ and a countermodel K for ψ. The worlds of K are w₂ (the root), w₇, w₁₂, w₁₅, w₁₉, w₂₄. The relations ≤ and R of K can be inferred from the displayed arrows, as explained in the figure. For instance, w₂ ≤ w₁₉, since there is a path from w₂ to w₁₉ (actually, a unique path); w₂ ≤ w₁₅ and w₂Rw₁₅, since the path from w₂ to w₁₅ ends with the solid arrow →. However, it is not the case that w₂Rw₁₉, since the path from w₂ to w₁₉ ends with the dashed arrow ⇢. In each world wₖ, the first line displays the value of V(wₖ), the remaining lines report (separated by commas) some of the formulas forced and not forced in wₖ. Since w₂ ⊮ ψ, K is a countermodel for ψ.

We remark that, if we replace a dashed arrow with a solid arrow, or vice versa, we get w₂ ⊩ ψ, thus K is no longer a countermodel for ψ. For instance, let us set w₂ → w₇. Then w₂Rw₇ and, since w₇ ⊮ s, we get w₂ ⊮ □s, hence w₂ α. Since w₇ γ and w₁₂ β, it follows that w₂ ⊩ ψ. Similarly, assume w₁₅ → w₁₉, which implies w₁₅Rw₁₉. Then w₁₅ ⊮ □¬p (indeed, w₁₅Rw₁₉ and w₁₉ ⊮ ¬p) and, by the fact that w₂Rw₁₅, we get w₂ ⊮ □□¬p, thus w₂ α; as in the previous case, we conclude w₂ ⊩ ψ. Let us set w₂ → w₁₂. Since w₁₂ ⊮ □¬p and w₂Rw₁₂, we get w₂ ⊮ □□¬p; this implies that w₂ ⊩ ψ. ♦

In the paper we introduce some sequent calculi for iSL. For the notation and the terminology about a generic calculus C (e.g., the notions of C-tree, C-derivation, branch, depth of a C-tree), we refer to [12]. By ⊢_C σ we mean that the sequent σ is derivable in the calculus C. Let C be a calculus and let ≺ be a relation on the sequents of C. A rule R of C is *decreasing w.r.t.* ≺ iff, for every application ρ of R, if σ is the conclusion of ρ and σ' is any of the premises of ρ, then σ' ≺ σ. A calculus C is *terminating* iff there exists a well-founded relation ≺ such that every rule of C is decreasing w.r.t. ≺.

The calculus G3iSL⁺□ in Fig. 1 is obtained by adding the rule R□ to the intuitionistic calculus G3i [12]. Sequents of G3iSL⁺□ have the form Γ ⇒ δ, where Γ is a finite multiset of formulas and δ is a formula. The calculus is very close to the variant G3iSLᵃ□ of the calculus G3iSL□ for iSL presented in [13,15]. The notable difference is in the presentation of rule R□: given the conclusion Γ, □Δ ⇒ □α, in G3iSLᵃ□ the premise is □α, Γ, □Δ, Δ ⇒ α, whereas in G3iSL⁺□ the redundant multiset □Δ is omitted. The calculus G3iSL⁺□ is sound and complete for iSL:

Theorem 1. ⊢_{G3iSL⁺□} Γ ⇒ δ *iff* Γ ⊨iSL δ*.*

The soundness of G3iSL⁺□ (the only-if side of Theorem 1) immediately follows from the soundness of G3iSLᵃ□ (for a semantic proof, see the online appendix); the completeness is discussed in Sect. 4.¹ It is easy to check that G3iSL⁺□ enjoys the subformula property; however, as discussed in the Introduction, G3iSL⁺□ is not terminating, due to the presence of rule L→.

# 3 The Sequent Calculus **GbuSL**□

The sequent calculus GbuSL□ is obtained from G3iSL⁺□ by refining the sequent definition: we decorate sequents with a label l, where l can be b (blocked) or u (unblocked). Thus, a GbuSL□-sequent σ has the form Γ ⇒ˡ δ, with l ∈ {b, u}; Γ and δ are referred to as the lhs and the rhs (left/right hand side) of σ respectively. We call l-sequent a sequent with label l; Sf(Γ ⇒ˡ δ) denotes the set Sf(Γ ∪ {δ}). To define the calculus, we introduce the following evaluation relation.

Definition 1 (Evaluation). *Let* Γ *be a multiset of formulas and* ϕ *a formula. We say that* Γ evaluates ϕ*, written* Γ ⊳ ϕ*, iff* ϕ *matches the following BNF:*

ϕ := γ | ϕ ∧ ϕ | ϕ ∨ α | α ∨ ϕ | α → ϕ | □ϕ *with* γ ∈ Γ *and* α *any formula.*

By Γ ⊳ Δ we mean that Γ ⊳ δ, for every δ ∈ Δ. We state some properties of evaluation.

#### Lemma 1.

*(i) If* Γ ⊳ ϕ *and* Γ ⊆ Γ'*, then* Γ' ⊳ ϕ*. (ii) If* Γ ∪ Δ ⊳ ϕ *and* Γ' ⊳ Δ*, then* Γ ∪ Γ' ⊳ ϕ*. (iii) If* Γ ⊳ ϕ*, then* Γ ∩ Sf(ϕ) ⊳ ϕ*. (iv) If* Γ ⊳ ϕ*, then* ⊢_{G3iSL⁺□} Γ ⇒ ϕ*. (v) If* Γ ⊳ ϕ *and* K, w ⊩ Γ*, then* K, w ⊩ ϕ*.*

*Proof.* All the assertions are proved by induction on the structure of ϕ.

(i). Let Γ ⊳ ϕ and Γ ⊆ Γ'; we prove Γ' ⊳ ϕ. If ϕ ∈ Γ, then ϕ ∈ Γ', hence Γ' ⊳ ϕ. Let us assume ϕ ∉ Γ. If ϕ = α ∧ β, then Γ ⊳ α and Γ ⊳ β. By the induction hypothesis, we get Γ' ⊳ α and Γ' ⊳ β, hence Γ' ⊳ α ∧ β. The other cases are similar.

(ii). Let Γ ∪ Δ ⊳ ϕ and Γ' ⊳ Δ; we prove Γ ∪ Γ' ⊳ ϕ. Let us assume ϕ ∈ Γ ∪ Δ. If ϕ ∈ Γ, then Γ ∪ Γ' ⊳ ϕ. Otherwise, it holds that ϕ ∈ Δ. Since Γ' ⊳ Δ, we

¹ We stress that the completeness of G3iSL⁺□ is not a consequence of that of G3iSLᵃ□, since rule R□ of G3iSL⁺□ is a restriction of rule R□ of G3iSLᵃ□.

get Γ' ⊳ ϕ; by point (i), we conclude Γ ∪ Γ' ⊳ ϕ. Let us assume ϕ ∉ Γ ∪ Δ. If ϕ = α ∧ β, then Γ ∪ Δ ⊳ α and Γ ∪ Δ ⊳ β. By the induction hypothesis we get Γ ∪ Γ' ⊳ α and Γ ∪ Γ' ⊳ β, hence Γ ∪ Γ' ⊳ α ∧ β. The other cases are similar.

(iii). Let Γ ⊳ ϕ; we prove Γ ∩ Sf(ϕ) ⊳ ϕ. If ϕ ∈ Γ, then ϕ ∈ Γ ∩ Sf(ϕ), which implies Γ ∩ Sf(ϕ) ⊳ ϕ. Let ϕ ∉ Γ. If ϕ = α ∧ β, then Γ ⊳ α and Γ ⊳ β. By the induction hypothesis, we get Γ ∩ Sf(α) ⊳ α and Γ ∩ Sf(β) ⊳ β. Since Sf(α) ⊆ Sf(α ∧ β) and Sf(β) ⊆ Sf(α ∧ β), by point (i) we get Γ ∩ Sf(α ∧ β) ⊳ α and Γ ∩ Sf(α ∧ β) ⊳ β; we conclude Γ ∩ Sf(α ∧ β) ⊳ α ∧ β. The other cases are similar.

(iv). We prove the assertion by outlining an effective procedure to build a G3iSL⁺□-derivation of the sequent Γ ⇒ ϕ. We start by showing that:

(∗) ⊢_{G3iSL⁺□} ϕ, Γ ⇒ ϕ, for every formula ϕ and every multiset of formulas Γ.

We prove (∗) by induction on the structure of ϕ. If ϕ ∈ V ∪ {⊥}, a G3iSL⁺□-derivation of ϕ, Γ ⇒ ϕ is obtained by applying rule Id or rule L⊥. Otherwise, a G3iSL⁺□-derivation of ϕ, Γ ⇒ ϕ can be built as follows, according to the form of ϕ, where the omitted G3iSL⁺□-derivations are given by the induction hypothesis:

$$
\dfrac{\dfrac{\vdots}{\alpha,\beta,\Gamma\Rightarrow\alpha}\ \ \ \dfrac{\vdots}{\alpha,\beta,\Gamma\Rightarrow\beta}}{\alpha\wedge\beta,\Gamma\Rightarrow\alpha\wedge\beta}
\qquad\text{i.e.}\qquad
\dfrac{\dfrac{\alpha,\beta,\Gamma\Rightarrow\alpha}{\alpha\wedge\beta,\Gamma\Rightarrow\alpha}\,L\wedge \qquad \dfrac{\alpha,\beta,\Gamma\Rightarrow\beta}{\alpha\wedge\beta,\Gamma\Rightarrow\beta}\,L\wedge}{\alpha\wedge\beta,\Gamma\Rightarrow\alpha\wedge\beta}\,R\wedge
\qquad
\dfrac{\dfrac{\alpha,\Gamma\Rightarrow\alpha}{\alpha,\Gamma\Rightarrow\alpha\vee\beta}\,R\vee_0 \qquad \dfrac{\beta,\Gamma\Rightarrow\beta}{\beta,\Gamma\Rightarrow\alpha\vee\beta}\,R\vee_1}{\alpha\vee\beta,\Gamma\Rightarrow\alpha\vee\beta}\,L\vee
$$

$$
\dfrac{\dfrac{\alpha,\alpha\to\beta,\Gamma\Rightarrow\alpha \qquad \alpha,\beta,\Gamma\Rightarrow\beta}{\alpha,\alpha\to\beta,\Gamma\Rightarrow\beta}\,L\!\to}{\alpha\to\beta,\Gamma\Rightarrow\alpha\to\beta}\,R\!\to
\qquad
\dfrac{\alpha,\Box\alpha,\Gamma\Rightarrow\alpha}{\Box\alpha,\Gamma\Rightarrow\Box\alpha}\,R\Box
$$

Let Γ ⊳ ϕ; we show that Γ ⇒ ϕ is provable in G3iSL⁺□. If ϕ ∈ Γ, the assertion follows by (∗). Let us assume ϕ ∉ Γ. According to the shape of ϕ, a G3iSL⁺□-derivation of Γ ⇒ ϕ can be built as follows:

$$
\dfrac{\Gamma\Rightarrow\alpha \qquad \Gamma\Rightarrow\beta}{\Gamma\Rightarrow\alpha\wedge\beta}\,R\wedge
\qquad
\dfrac{\Gamma\Rightarrow\alpha_k}{\Gamma\Rightarrow\alpha_0\vee\alpha_1}\,R\vee_k
\qquad
\dfrac{\alpha,\Gamma\Rightarrow\beta}{\Gamma\Rightarrow\alpha\to\beta}\,R\!\to
\qquad
\dfrac{\Box\alpha,\Gamma\Rightarrow\alpha}{\Gamma\Rightarrow\Box\alpha}\,R\Box
$$

The omitted G3iSL⁺□-derivations exist by the induction hypothesis; for instance, if ϕ = α ∧ β, then Γ ⊳ α and Γ ⊳ β, hence both Γ ⇒ α and Γ ⇒ β are provable in G3iSL⁺□. In the cases ϕ = α → β and ϕ = □α, we also have to use point (i). For instance, let ϕ = α → β; then Γ ⊳ β and, by point (i), we get Γ ∪ {α} ⊳ β, hence the G3iSL⁺□-derivation of α, Γ ⇒ β exists by the induction hypothesis.

(v). Let Γ ⊳ ϕ and w ⊩ Γ (in K); we prove that w ⊩ ϕ. The case ϕ ∈ Γ is trivial. Let ϕ ∉ Γ. If ϕ = α ∧ β, then Γ ⊳ α and Γ ⊳ β. By the induction hypothesis, we get w ⊩ α and w ⊩ β, hence w ⊩ α ∧ β. The other cases are similar.

Fig. 2. The calculus GbuSL□ (l ∈ {b, u}, k ∈ {0, 1}).

The calculus GbuSL□ (see Fig. 2) consists of the axiom rules Ax⊳ and L⊥, together with left/right rules for each logical operator. The calculus is oriented to backward proof search, where rules are applied bottom-up. If the conclusion of a rule has label b, the (bottom-up) application of left rules is blocked. There are two rules for right implication, namely R⊳→ and R⋫→; the choice between them is settled by the evaluation relation ⊳. Right □-formulas are handled by rules R□ᵘ and R□ᵇ; here the choice is determined by the label of the conclusion. We remark that if σ = Γ, □Δ ⇒ᵇ □α and Γ ∪ □Δ ⊳ □α, then σ is an axiom sequent (see rule Ax⊳) and an application of rule R□ᵇ to σ is prevented by the side condition of R□ᵇ. Rule R□ᵇ is similar to rule R□ of G3iSL⁺□: both rules introduce in the lhs of the premise a copy of the main formula □α (also called *diagonal formula*); in rule R□ᵘ such a duplication is not required. In backward proof search, a b-sequent starts the construction of a branch only containing b-sequents, where only right rules are applied. This phase ends either when an axiom sequent is obtained, or when no rule can be applied, or when one of the rules turning a label b into u is applied (namely, rules R⋫→ and R□ᵇ).

*Example 2.* We show a GbuSL□-derivation of the u-sequent σ₀ = ⇒ᵘ ¬¬□p.

$$
\dfrac{
\dfrac{
\dfrac{
\dfrac{
\dfrac{}{\Box p,\neg\Box p \stackrel{\mathsf{b}}{\Rightarrow} \Box p\ {}_{\langle 4\rangle}}\,\mathrm{Ax}^{\rhd}
\qquad
\dfrac{}{\Box p,\bot \stackrel{\mathsf{u}}{\Rightarrow} p\ {}_{\langle 5\rangle}}\,L\bot
}{\Box p,\neg\Box p \stackrel{\mathsf{u}}{\Rightarrow} p\ {}_{\langle 3\rangle}}\,L\!\to
}{\neg\Box p \stackrel{\mathsf{b}}{\Rightarrow} \Box p\ {}_{\langle 2\rangle}}\,R^{\Box}_{\mathsf{b}}
\qquad
\dfrac{}{\bot \stackrel{\mathsf{u}}{\Rightarrow} \bot}\,L\bot
}{\neg\Box p \stackrel{\mathsf{u}}{\Rightarrow} \bot\ {}_{\langle 1\rangle}}\,L\!\to
}{\stackrel{\mathsf{u}}{\Rightarrow} \neg\neg\Box p\ {}_{\langle 0\rangle}}\,R^{\not\rhd}\!\to
$$

In the derivations each sequent is marked with an index ⟨n⟩ so that we can refer to it as σₙ. The above derivation highlights some of the peculiarities of GbuSL□. In backward proof search, σ₂ is obtained by a (backward) application of rule L→ to σ₁; the label b in σ₂ is crucial to block the application of rule L→, which would generate an infinite branch. The sequent σ₃ is obtained by the application of rule R□ᵇ to σ₂. In this case, the key feature is the presence of the diagonal formula □p; without it, the sequent σ₃ would be ¬□p ⇒ᵘ p and, after the application of L→ (the only applicable rule), the left premise would be σ₄ = ¬□p ⇒ᵇ □p, which yields a loop (σ₄ = σ₂). ♦

We state the main properties of GbuSL□.

#### Theorem 2.

*(Soundness) If* ⊢_{GbuSL□} Γ ⇒ˡ δ*, then* Γ ⊨iSL δ*. (Completeness) If* Γ ⊨iSL δ*, then* ⊢_{GbuSL□} Γ ⇒ᵘ δ*.*

We remark that in soundness l is any label; instead, in completeness the label is set to u. For instance, since p ∨ q ⊨iSL q ∨ p, completeness guarantees that the u-sequent σᵤ = p ∨ q ⇒ᵘ q ∨ p is provable in GbuSL□. A GbuSL□-derivation of σᵤ is obtained by first (upwards) applying rule L∨ to σᵤ and then one of the rules R∨₀ or R∨₁; if we first apply a right rule, we are stuck (e.g., if we apply R∨₀ to σᵤ, we get the unprovable sequent p ∨ q ⇒ᵘ q). On the contrary, the b-sequent p ∨ q ⇒ᵇ q ∨ p is not provable in GbuSL□, since the label b inhibits the application of rule L∨ and forces the application of a right rule.

The subformula property of GbuSL□ can be easily checked by inspecting the rules; termination is discussed below and completeness in the next section. Soundness can be proved in different ways. One can exploit semantics, relying on the fact that rules preserve the consequence relation ⊨iSL (see the online appendix). Here we prove the soundness of GbuSL□ by showing that GbuSL□-derivations can be mapped to G3iSL⁺□-derivations.

#### Proposition 1. *If* ⊢_{GbuSL□} Γ ⇒ˡ δ*, then* ⊢_{G3iSL⁺□} Γ ⇒ δ*.*

*Proof.* Let T be a GbuSL□-tree with root sequent σ = Γ ⇒ˡ δ; T can be translated into a G3iSL⁺□-tree T̃ having root sequent σ̃ = Γ ⇒ δ by erasing the labels and weakening the lhs of sequents when rules R⊳→ and R□ᵘ are applied. Assume now that the GbuSL□-tree T is a GbuSL□-derivation of σ and let σ' = Δ ⇒ ϕ be a leaf of T̃ which is not an axiom of G3iSL⁺□. Note that Δ ⊳ ϕ, hence by Lemma 1(iv) we can build a G3iSL⁺□-derivation D' of σ'. By replacing in T̃ every such leaf σ' with the corresponding derivation D', we eventually get a G3iSL⁺□-derivation of σ̃.

To prove the termination of GbuSL□ we have to introduce a proper well-founded relation ≺bu on labelled sequents. As mentioned in the Introduction, the main problem stems from rule L→. Let σ and σ' be the conclusion and the left premise of an application of rule L→; we stipulate that σ' ≺bu σ since σ' has label b and σ has label u; thus, we establish that b weighs less than u. Now, we need a way out to accommodate rules R⋫→ and R□ᵇ that, read bottom-up, switch b with u. In both cases, we observe that the lhs of the premise evaluates a new formula; e.g., in the application of rule R⋫→ having premise α, Γ ⇒ᵘ β and conclusion Γ ⇒ˡ α → β, it holds that Γ ⋫ α (side condition) and Γ ∪ {α} ⊳ α (definition of ⊳); this suggests that here we can exploit the evaluation relation. Let Ev be defined as follows:

$$
\operatorname{Ev}(\Gamma \stackrel{l}{\Rightarrow} \delta) \,=\,\{\varphi \mid \varphi \in \operatorname{Sf}(\Gamma \cup \{\delta\}) \text{ and } \Gamma \rhd \varphi\}.
$$

Note that Ev(σ) ⊆ Sf(σ). We also have to take into account the size of a sequent, where |Γ ⇒ˡ δ| = |Γ| + |δ|. This leads to the definition of ≺bu:

Definition 2 (≺bu). σ' ≺bu σ *iff one of the following conditions holds:*

*(a)* Sf(σ') ⊂ Sf(σ)*; (b)* Sf(σ') = Sf(σ) *and* Ev(σ') ⊃ Ev(σ)*; (c)* Sf(σ') = Sf(σ) *and* Ev(σ') = Ev(σ) *and* label(σ') = b *and* label(σ) = u*; (d)* Sf(σ') = Sf(σ) *and* Ev(σ') = Ev(σ) *and* label(σ') = label(σ) *and* |σ'| < |σ|*.*
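The evaluation relation of Definition 1 and the ordering ≺bu of Definition 2, implemented and run on the sequents σ₀, ..., σ₅ of Example 2 (together with the right premise ⊥ ⇒ᵘ ⊥ of the lower L→ application, which the example does not index). This is an added Python example written for this page, not code from the paper or from its JTabWb prover; the tuple encoding of formulas, the `Sequent` record and the names `s0` ... `s6` are constructed here. `precedes` returns the clause (a)-(d) of Definition 2 that justifies σ' ≺bu σ, so the list it produces for the six rule applications of Example 2 is a direct check of Proposition 3 on that derivation; `evaluates_restricted` exercises Lemma 1(iii).

```python
"""Definition 1 (Γ ⊳ φ) and Definition 2 (≺bu) checked on Example 2.
Added example for this page; not code from the paper or from JTabWb."""
from collections import namedtuple

# Formula encoding (constructed for this example): ('var', name), ('bot',),
# ('and', a, b), ('or', a, b), ('imp', a, b), ('box', a).
BOT = ('bot',)
def var(n): return ('var', n)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)
def neg(a): return imp(a, BOT)          # ¬a abbreviates a → ⊥

# A labelled sequent Γ ⇒ˡ δ: lhs is a tuple (a multiset), label is 'b' or 'u'.
Sequent = namedtuple('Sequent', 'lhs label rhs')

def size(phi):
    """|phi| = number of symbols in phi."""
    if phi[0] in ('var', 'bot'):
        return 1
    return 1 + sum(size(a) for a in phi[1:])

def sf(phi):
    """Sf(phi): all subformulas of phi, phi included."""
    out = {phi}
    if phi[0] not in ('var', 'bot'):
        for a in phi[1:]:
            out |= sf(a)
    return out

def evaluates(gamma, phi):
    """Γ ⊳ φ, read off the BNF of Definition 1."""
    if phi in gamma:                                   # φ := γ with γ ∈ Γ
        return True
    k = phi[0]
    if k == 'and':                                     # φ ∧ φ
        return evaluates(gamma, phi[1]) and evaluates(gamma, phi[2])
    if k == 'or':                                      # φ ∨ α | α ∨ φ
        return evaluates(gamma, phi[1]) or evaluates(gamma, phi[2])
    if k == 'imp':                                     # α → φ
        return evaluates(gamma, phi[2])
    if k == 'box':                                     # □φ
        return evaluates(gamma, phi[1])
    return False                                       # variable or ⊥ not in Γ

def seq_sf(s):
    """Sf(σ) = Sf(lhs ∪ {rhs})."""
    out = sf(s.rhs)
    for g in s.lhs:
        out |= sf(g)
    return out

def ev(s):
    """Ev(σ) = {φ ∈ Sf(σ) | lhs(σ) ⊳ φ}."""
    return {phi for phi in seq_sf(s) if evaluates(s.lhs, phi)}

def seq_size(s):
    """|Γ ⇒ˡ δ| = |Γ| + |δ|, multiplicities counted."""
    return sum(size(g) for g in s.lhs) + size(s.rhs)

def precedes(s1, s0):
    """The clause of Definition 2 under which s1 ≺bu s0 holds, or None."""
    sf1, sf0 = seq_sf(s1), seq_sf(s0)
    if sf1 < sf0:                       # (a) proper subset
        return 'a'
    if sf1 != sf0:
        return None
    ev1, ev0 = ev(s1), ev(s0)
    if ev1 > ev0:                       # (b) proper superset
        return 'b'
    if ev1 != ev0:
        return None
    if s1.label == 'b' and s0.label == 'u':
        return 'c'
    if s1.label == s0.label and seq_size(s1) < seq_size(s0):
        return 'd'
    return None

def evaluates_restricted(gamma, phi):
    """Lemma 1(iii): Γ ∩ Sf(φ) still evaluates φ."""
    return evaluates(tuple(g for g in gamma if g in sf(phi)), phi)

# The sequents of Example 2; s6 is the right premise ⊥ ⇒ᵘ ⊥ of the lower L→.
P = var('p')
s0 = Sequent((), 'u', neg(neg(box(P))))
s1 = Sequent((neg(box(P)),), 'u', BOT)
s2 = Sequent((neg(box(P)),), 'b', box(P))
s3 = Sequent((box(P), neg(box(P))), 'u', P)
s4 = Sequent((box(P), neg(box(P))), 'b', box(P))
s5 = Sequent((box(P), BOT), 'u', P)
s6 = Sequent((BOT,), 'u', BOT)
# (premise, conclusion) for each rule application of the derivation.
EXAMPLE2_STEPS = [(s1, s0), (s2, s1), (s6, s1), (s3, s2), (s4, s3), (s5, s3)]

def example2_clauses():
    """Clause of ≺bu justifying each step; expected ['a','c','a','b','c','a']."""
    return [precedes(prem, concl) for prem, concl in EXAMPLE2_STEPS]
```

The two L→ steps whose left premise is a b-sequent (σ₂ below σ₁, σ₄ below σ₃) are the ones that need clause (c): subformulas and evaluated formulas do not change, only the label drops from u to b. The R□ᵇ step (σ₃ below σ₂) is justified by clause (b), exactly as in the second case of the proof of Proposition 3: the diagonal formula □p enters the lhs, so □p ∈ Ev(σ₃) while the side condition {¬□p} ⋫ □p keeps it out of Ev(σ₂).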

Proposition 2. *The relation* ≺bu *is well-founded.*

*Proof.* Assume, by contradiction, that there is an infinite descending chain of the kind ... ≺bu σ₁ ≺bu σ₀. Since Sf(σ₀) ⊇ Sf(σ₁) ⊇ ... and Sf(σ₀) is finite, the sets Sf(σⱼ) eventually stabilize, namely: there is k ≥ 0 such that Sf(σⱼ) = Sf(σₖ) for every j ≥ k. Since Ev(σⱼ) ⊆ Sf(σⱼ), we get Ev(σₖ) ⊆ Ev(σₖ₊₁) ⊆ ... ⊆ Sf(σₖ). Since Sf(σₖ) is finite, there is m ≥ k such that Ev(σⱼ) = Ev(σₘ) for every j ≥ m. From σₘ on, the label can only change from u to b (point (c)), and this can happen at most once; hence there exists n ≥ m such that all the sequents σₙ, σₙ₊₁, ... have the same label. Accordingly |σₙ| > |σₙ₊₁| > |σₙ₊₂| > ... ≥ 0, a contradiction. We conclude that ≺bu is well-founded.

To prove that the rules of GbuSL□ are decreasing w.r.t. ≺bu, we need the following property.

Lemma 2. *Let* ρ *be an application of a rule of* GbuSL□*, let* σ *be the conclusion of* ρ *and* σ' *any of the premises. For every formula* ϕ*, if* lhs(σ) ⊳ ϕ *then* lhs(σ') ⊳ ϕ*.*

*Proof.* The assertion can be proved by applying Lemma 1. For instance, let σ = Γ, □Δ ⇒ᵘ □α and σ' = Γ, Δ ⇒ᵘ α be the conclusion and the premise of rule R□ᵘ; assume that Γ ∪ □Δ ⊳ ϕ. Since Δ ⊳ □Δ, by Lemma 1(ii) we get Γ ∪ Δ ⊳ ϕ.

Proposition 3. *Every rule of the calculus* GbuSL□ *is decreasing w.r.t.* ≺bu*.*

*Proof.* Let σ and σ' be the conclusion and one of the premises of an application of a rule of GbuSL□. Note that Sf(σ') ⊆ Sf(σ) (subformula property); moreover, if Sf(σ') = Sf(σ), by Lemma 2 we get Ev(σ') ⊇ Ev(σ). We can prove σ' ≺bu σ by a case analysis; we only detail two significant cases.


$$\begin{array}{lcl}\hline\hline\cr\sigma\quad\mbox{Irr}&\mbox{if}\ \sigma\ \mbox{is}&\mbox{\alpha}\ \beta,\Gamma\ \mbox{\frac{\nu}{\Rightarrow\delta}\ \delta\ \mbox{\frac{\nu}{\Rightarrow}}\\\hline\mbox{\frac{\alpha\lambda\_{k}\varGamma\ \frac{\nu}{\Rightarrow}\ \delta\ \mbox{\frac{\nu}{\Rightarrow}}}{\alpha\alpha\geqslant\alpha,\Gamma\ \frac{\nu}{\Rightarrow}\ \delta\ \mbox{\frac{\nu}{\Rightarrow}}}&\mbox{Irr}&\mbox{\frac{\Gamma}{\Rightarrow}\ \frac{\nu}{\Rightarrow}\ \alpha\alpha\geqslant\alpha\_{1}\\\hline\mbox{\frac{\alpha\lambda\_{k}\varGamma\ \frac{\nu}{\Rightarrow}}\ \delta\ \mbox{\frac{\nu}{\Rightarrow}}\ \delta\ \mbox{\frac{\nu}{\Rightarrow}}&\mbox{Irr}&\mbox{\$\frac{\nu}{\Rightarrow}\$\ \alpha\geqslant\beta\$}\\\hline\\\hline\cr\mbox{\frac{\Gamma\ \frac{\nu}{\Rightarrow}\ \beta}{\Rightarrow}\ \alpha\rightarrow\beta\mbox{\frac{\nu}{\Rightarrow}\ \alpha\geqslant\beta}&\mbox{Irr}&\mbox{\$\frac{\alpha\Gamma\ \frac{\nu}{\Rightarrow}\ \beta\geqslant\beta\$}{\mbox{\frac{\nu}{\Rightarrow}\ \alpha\geqslant\beta}}&\mbox{R\x\geqslant\big{0}\$}\\\hline\cr\mbox{\frac{\Box\alpha,\Gamma^{\mathrm{at}},\Gamma^{\mathrm{r}},\Delta\ \frac{\lambda}{\Rightarrow}\ \alpha\geqslant\alpha}&\mbox{R^{\parallel}}&\mbox{\$\Gamma\neq\big{\Delta\ \alpha\geqslant\}}&\mbox{\frac{\Gamma\ \nu}{\Rightarrow}\ \beta\geqslant\big{0}\$}\\\hline\mbox{\frac{\Gamma^{\text{at}},\Gamma^{\text{r}},\square}\ \square\ \mbox{\Delta\ \frac{\lambda}{\Rightarrow}\ \square\alpha\quad\mbox{\frac{\nu}{\quad}\ \beta\geqslant\big{0}}&\mbox{Ir}&\mbox{\$\Gamma\neq\big{\Delta\ \vdots\end}}&\mbox{S\_{0}}&\mbox{\delta\in\big{\left(\$$

Fig. 3. The refutation calculus RbuSL- (l ∈ {b, u}, k ∈ {0, 1}).

$$\frac{\sigma' = \alpha \to \beta, \Gamma \stackrel{\mathsf{b}}{\Rightarrow} \alpha \qquad \beta, \Gamma \stackrel{\mathsf{u}}{\Rightarrow} \delta}{\sigma = \alpha \to \beta, \Gamma \stackrel{\mathsf{u}}{\Rightarrow} \delta}\ L{\to}$$

If Sf(σ') ⊂ Sf(σ), then σ' ≺bu σ by point (a) of the definition. Otherwise, it holds that Sf(σ') = Sf(σ) and Ev(σ') ⊇ Ev(σ). If Ev(σ') ⊃ Ev(σ), then σ' ≺bu σ by point (b); otherwise, σ' ≺bu σ follows by point (c).

$$\frac{\sigma' = \Box \alpha, \Gamma, \Delta \stackrel{\mathsf{u}}{\Rightarrow} \alpha}{\sigma = \Gamma, \Box \Delta \stackrel{l}{\Rightarrow} \Box \alpha}\ R^{\Box}_{l} \qquad \Box \alpha \notin \Gamma \cup \Box \Delta$$

If Sf(σ') ⊂ Sf(σ), then σ' ≺bu σ by point (a). Otherwise, Sf(σ') = Sf(σ) and Ev(σ') ⊇ Ev(σ). Note that α ∈ Ev(σ') and, by the side condition, α ∉ Ev(σ). This implies that Ev(σ') ⊃ Ev(σ), hence σ' ≺bu σ by point (b).

By Propositions 2 and 3, we conclude that the calculus GbuSL- is terminating.

#### 4 The Refutation Calculus RbuSL-

A common technique to prove the completeness of a sequent calculus C consists in showing that, whenever a sequent σ is not provable in C, a countermodel for σ can be built (see, e.g., the proof of completeness of G4iSL discussed in [13,15]); we prove the completeness of GbuSL- according to this plan. Following the ideas in [3–5,9], we formalize the notion of "non-provability in GbuSL-" by introducing the refutation calculus RbuSL-, a dual calculus to GbuSL-. Sequents of RbuSL-, called *antisequents*, have the form Γ ⇏ˡ δ. Intuitively, a derivation in RbuSL- of Γ ⇏ˡ δ witnesses that the sequent Γ ⇒ˡ δ is refutable, that is, not provable, in GbuSL-. Henceforth, Γᵃᵗ denotes a finite multiset of propositional variables and Γ→ denotes a finite multiset of →-formulas (i.e., formulas of the kind α → β). The axioms of RbuSL- are the *irreducible antisequents*, namely the antisequents Γ ⇏ˡ δ such that the corresponding dual sequents Γ ⇒ˡ δ are not the conclusion of any of the rules of GbuSL-. Irreducible antisequents are characterized as follows:

Definition 3. *An antisequent* σ *is* irreducible *iff* σ = Γᵃᵗ, Γ→, □Δ ⇏ˡ δ *and both (i)* δ ∈ (V ∪ {⊥}) \ Γᵃᵗ *and (ii)* l = b *or* Γ→ = ∅*.*

The rules of RbuSL- are displayed in Fig. 3. In rules SAt_u, S∨_u and S□_u (we call them *Succ rules*) the notation {Γ ⇏ᵇ α}_{α→β ∈ Γ→} means that, for every α → β ∈ Γ→, the b-antisequent Γ ⇏ᵇ α is a premise of the rule. Note that all of the Succ rules have at least one premise (in rule SAt_u this is imposed by the condition Γ→ ≠ ∅). The next theorem, proved below, states the soundness of RbuSL-:

Theorem 3 (Soundness of RbuSL-). *If* Γ ⇏ᵘ δ *is derivable in* RbuSL-*, then* Γ ⊭iSL δ*.*

*Example 3.* Figure 4 displays the RbuSL--derivation D of σ₀ = ⇏ᵘ ψ. The (backward) application of rule S∨_u to σ₂ has three premises; the left-most one is related to the formula p → q in Θ. The application of rule SAt_u to σ₇ has only the premise σ₈, generated by the formula ¬s in Λ. To σ₁₃ we must apply R→, since Σ q. The application of rule SAt_u to σ₂₄ gives rise to two premises, corresponding to the formulas ¬¬q and ¬p in Ω. By Theorem 3, we get ⊭IPL ψ, namely ψ ∉ iSL. ♦

*Countermodel Extraction.* An iSL-model K with root r is a *countermodel for* σ = Γ ⇏ᵘ δ iff r ⊩ Γ and r ⊮ δ; thus K certifies that Γ ⊭iSL δ. Let D be an RbuSL--derivation of a u-antisequent σᵘ₀; we show that from D we can extract a countermodel Mod(D) for σᵘ₀. A u-antisequent σ of D is *prime* iff σ is the conclusion of rule Irr or of a Succ rule. We introduce the relations , ≺ and ≺R between antisequents occurring in D:


We define Mod(D) as the structure ⟨W, ≤, R, σᵘᵣ, V⟩ where:


It is easy to check that Mod(D) is an iSL-model; in particular, σᵘᵣ exists since the antisequent at the root of D has label u. We introduce a *canonical map* Ψ between the u-antisequents of D and the worlds of Mod(D):

$$\begin{array}{ll}
\psi = \alpha \rightarrow (\beta \lor (\gamma \lor q)) & \alpha = (p \rightarrow q) \land \Box s \land \Box \neg p \land \Box \Box \neg q \\
\beta = \neg(p \land \neg s) & \gamma = \neg \neg q \rightarrow \Box \delta \qquad \delta = \neg p \lor \Box \neg p \\
\Theta = p \rightarrow q, \Box s, \Box \neg p, \Box \Box \neg q, \Box \Box \neg q & \Lambda = p, q, \neg s, \Box s, \Box \Box \neg p, \Box \Box \neg q \\
\Sigma = q, \neg \neg q, \Box s, \Box \Box \neg p, \Box \Box \Box \neg q & \Upsilon = q, s, \neg \neg q, \Box \neg p, \Box \Box \neg q \\
\Omega = q, s, \neg \neg q, \neg p, \Box \neg p, \Box \neg q &
\end{array}$$

Antisequents marked by ⋆ are prime. In the L→ application (†) the main formula is p → q (thus, p → q is replaced with q).


Fig. 4. The RbuSL--derivation D of σ₀ = ⇏ᵘ ψ (see Example 3).

– Ψ(σᵘ) = σᵘₚ iff σᵘₚ is the minimum prime antisequent σ such that σᵘ σ.

One can easily check that Ψ is well-defined and Ψ(σₚ) = σₚ, for every prime σₚ. We state the main properties of Mod(D).

Theorem 4. *Let* D *be an* RbuSL-*-derivation of a* u*-antisequent* σᵘ₀*.*

*(i) For every* u*-antisequent* σᵘ = Γ ⇏ᵘ δ *in* D*,* Ψ(σᵘ) ⊩ Γ *and* Ψ(σᵘ) ⊮ δ*.*

*(ii)* Mod(D) *is a countermodel for* σᵘ₀*.*

Point (ii) follows from (i) and the fact that Ψ(σᵘ₀) is the root of Mod(D). The proof of (i) is deferred below. We remark that point (ii) of Theorem 4 immediately implies the soundness of RbuSL- (Theorem 3).

*Example 4.* At the top of Fig. 5 we represent the structure of the RbuSL--derivation D of Fig. 4, displaying the information relevant to the definition of Mod(D). The countermodel Mod(D) for σ₀ coincides with the iSL-model in the figure, described in Example 1; the figure also reports the canonical map Ψ. ♦

Fig. 5. The countermodel Mod(D) for ψ (see Examples 1, 4).

*Proof Search.* We investigate more deeply the duality between GbuSL- and RbuSL-. A sequent σ = Γ ⇒ˡ δ is *regular* iff l = u or Γ = Γᵃᵗ, Γ→, □Δ; by σ̄ we denote the antisequent Γ ⇏ˡ δ. Let σ be a regular sequent; in the next proposition we show that either σ is provable in GbuSL- or σ̄ is provable in RbuSL-. The proof conveys a proof search strategy to build the proper derivation, based on backward application of the rules of GbuSL-. We give priority to the *invertible rules* of GbuSL-, namely L∧, R∧, L∨, the two R→ rules and R□_b; as discussed in the proof of Proposition 4, the application of such rules does not require backtracking. If the search for a GbuSL--derivation of σ fails, we get an RbuSL--derivation of σ̄. The proof search procedure is detailed in the online appendix.

Proposition 4. *Let* σ *be a regular sequent. One can build either a* GbuSL-*-derivation of* σ *or an* RbuSL-*-derivation of* σ̄*.*

*Proof.* Since ≺bu is well-founded (Proposition 2), we can inductively assume that the assertion holds for every regular sequent σ' such that σ' ≺bu σ (IH). If σ or σ̄ is an axiom (in the respective calculus), the assertion immediately follows. If an invertible rule ρ of GbuSL- is (backward) applicable to σ, we can build the proper derivation by applying ρ or its dual image in RbuSL-. For instance, let us assume that rule L∨ of GbuSL- is applicable with conclusion σ = α₀ ∨ α₁, Γ ⇒ᵘ δ and premises σₖ = αₖ, Γ ⇒ᵘ δ. Let k ∈ {0, 1}; since σₖ ≺bu σ (see Proposition 3), by (IH) there exists either a GbuSL--derivation Dₖ of σₖ or an RbuSL--derivation Eₖ of σ̄ₖ. According to the case, we can build one of the following derivations:

$$\begin{array}{ccc}
\dfrac{\begin{array}{cc}\mathcal{D}_0 & \mathcal{D}_1 \\ \alpha_0, \Gamma \stackrel{\mathsf{u}}{\Rightarrow} \delta & \alpha_1, \Gamma \stackrel{\mathsf{u}}{\Rightarrow} \delta\end{array}}{\alpha_0 \vee \alpha_1, \Gamma \stackrel{\mathsf{u}}{\Rightarrow} \delta}\ L{\vee}
&
\dfrac{\begin{array}{c}\mathcal{E}_0 \\ \alpha_0, \Gamma \stackrel{\mathsf{u}}{\not\Rightarrow} \delta\end{array}}{\alpha_0 \vee \alpha_1, \Gamma \stackrel{\mathsf{u}}{\not\Rightarrow} \delta}
&
\dfrac{\begin{array}{c}\mathcal{E}_1 \\ \alpha_1, \Gamma \stackrel{\mathsf{u}}{\not\Rightarrow} \delta\end{array}}{\alpha_0 \vee \alpha_1, \Gamma \stackrel{\mathsf{u}}{\not\Rightarrow} \delta}
\end{array}$$

Let us assume that no invertible rule can be applied to σ; then:

$$\sigma = \Gamma \Rightarrow \delta \quad \text{with } \Gamma = \Gamma^{\mathrm{at}}, \Gamma^{\to}, \Box\Delta \text{ and } \delta \in \mathcal{V} \cup \{\bot,\ \delta_0 \vee \delta_1,\ \Box\delta_0\}.$$

We only discuss the case δ = □δ₀. Let σ₀ = Γᵃᵗ, Γ→, Δ ⇒ᵘ δ₀ be the premise of the application of rule R□_u of GbuSL- to σ; for every α → β ∈ Γ→, let σ_α = Γ ⇒ᵇ α and σ_β = Γ \ {α → β}, β ⇒ᵘ δ be the two premises of an application of rule L→ of GbuSL- to σ with main formula α → β. By the (IH):


One of the following four cases holds:


According to the case, we can build one of the following derivations:

$$\text{(A)}\ \dfrac{\dfrac{\mathcal{D}_0}{\sigma_0}}{\sigma}\ R^{\Box}_{\mathsf{u}}
\qquad
\text{(B)}\ \dfrac{\dfrac{\mathcal{D}_\alpha}{\sigma_\alpha}\quad \dfrac{\mathcal{D}_\beta}{\sigma_\beta}}{\sigma}\ L{\to}
\qquad
\text{(C)}\ \dfrac{\dfrac{\mathcal{E}_\beta}{\overline{\sigma_\beta}}}{\overline{\sigma}}\ L{\to}
\qquad
\text{(D)}\ \dfrac{\dots\ \dfrac{\mathcal{E}_\alpha}{\overline{\sigma_\alpha}}\ \dots\quad \dfrac{\mathcal{E}_0}{\overline{\sigma_0}}}{\overline{\sigma}}\ S^{\Box}_{\mathsf{u}}$$

In the proof search strategy, this corresponds to a backtrack point, since we cannot predict which case holds.

Let us assume Γ ⊨iSL δ and let σ = Γ ⇒ᵘ δ. By Soundness of RbuSL- (Theorem 3), σ̄ is not provable in RbuSL-; hence, by Proposition 4, σ is provable in GbuSL-. This proves the Completeness of GbuSL- (Theorem 2(iv)). By Proposition 1 it follows that G3iSL⁺ is complete as well.

*Properties of* RbuSL-. It remains to prove point (i) of Theorem 4. By Sf−(α) we denote the set Sf(α) \ {α}; w < w' means that w ≤ w' and w ≠ w'.

Lemma 3. *Let* Tᵇ *be an* RbuSL-*-tree only containing* b*-antisequents having root* Γᵃᵗ, Γ→, □Δ ⇏ᵇ δ*; let* K = ⟨W, ≤, R, r, V⟩ *and* w ∈ W *such that:*

*(I1)* w ⊮ δ'*, for every leaf* Γᵃᵗ, Γ→, □Δ ⇏ᵇ δ' *of* Tᵇ*; (I2)* w ⊩ (Γ→ ∩ Sf−(δ)) ∪ □Δ*; (I3)* V(w) = Γᵃᵗ*.*

*Then,* w ⊮ δ*.*

*Proof.* By induction on depth(Tᵇ). The case depth(Tᵇ) = 0 is trivial, since the root of Tᵇ is also a leaf. Let depth(Tᵇ) > 0; we only discuss the case where

$$\mathcal{T}^{\mathsf{b}} = \begin{array}{c} \mathcal{T}_0^{\mathsf{b}} \\ \dfrac{\sigma_0^{\mathsf{b}} = \Gamma \stackrel{\mathsf{b}}{\not\Rightarrow} \beta}{\Gamma \stackrel{\mathsf{b}}{\not\Rightarrow} \alpha \to \beta} \end{array}
\qquad \Gamma = \Gamma^{\mathrm{at}}, \Gamma^{\to}, \Box\Delta \qquad \Gamma \;\; \alpha$$

By applying the induction hypothesis to the RbuSL--tree Tᵇ₀, having root σᵇ₀ and the same leaves as Tᵇ, we get w ⊮ β. Let Γ_α = Γ ∩ Sf(α); by Lemma 1(iii), Γ_α α. Since Sf(α) ⊆ Sf−(α → β), by hypotheses (I2)–(I3) we get w ⊩ Γ_α, which implies w ⊩ α (Lemma 1(v)). This proves w ⊮ α → β.

Let D be an RbuSL--derivation having a Succ rule at the root. To display D, we introduce the schema (1) below; at the same time, we define the relations and R between u-antisequents in D (for exemplifications, see Fig. 5).

$$\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}_\chi \\ \sigma^{\mathsf{b}}_\chi = \Gamma^{\mathrm{at}}, \Gamma^{\to}, \Box\Delta \stackrel{\mathsf{b}}{\not\Rightarrow} \chi\end{array}\ \cdots\ \begin{array}{c}\vdots \\ \sigma^{\mathsf{u}}_\psi = \Gamma^{\mathrm{at}}, \Gamma^{\to}, \Delta \stackrel{\mathsf{u}}{\not\Rightarrow} \psi\end{array}}{\sigma^{\mathsf{u}} = \Gamma^{\mathrm{at}}, \Gamma^{\to}, \Box\Delta \stackrel{\mathsf{u}}{\not\Rightarrow} \delta}\ \mathrm{Succ} \qquad (1)$$

• σᵇ_χ is any of the premises of Succ having label b.

• σᵘ_ψ is only defined if Succ is S□_u (thus δ = □ψ); in this case we set σᵘ R σᵘ_ψ.

• The RbuSL--derivation D_χ of σᵇ_χ has the form

$$\mathcal{D}_\chi = \begin{array}{c}
\dfrac{\ \vdots\ }{\sigma^{\mathsf{u}}_1}\ \cdots\ \dfrac{\ \vdots\ }{\sigma^{\mathsf{u}}_m} \\
\dfrac{\sigma^{\mathsf{u}}_1}{\sigma^{\mathsf{b}}_1}\,\rho_1\ \cdots\ \dfrac{\sigma^{\mathsf{u}}_m}{\sigma^{\mathsf{b}}_m}\,\rho_m \qquad \dfrac{}{\tau^{\mathsf{b}}_1}\,\mathrm{Irr}\ \cdots\ \dfrac{}{\tau^{\mathsf{b}}_n}\,\mathrm{Irr} \\
\mathcal{T}^{\mathsf{b}}_\chi \\
\sigma^{\mathsf{b}}_\chi = \Gamma \stackrel{\mathsf{b}}{\not\Rightarrow} \chi
\end{array}
\qquad m + n \geq 0, \quad \Gamma = \Gamma^{\mathrm{at}}, \Gamma^{\to}, \Box\Delta$$

– The RbuSL--tree Tᵇ_χ has root σᵇ_χ and leaves σᵇ₁, ..., σᵇₘ, τᵇ₁, ..., τᵇₙ.

– For every i ∈ {1, ..., m}, either (A) ρᵢ = R→ or (B) ρᵢ = R□_b, namely:

$$\text{(A)}\ \dfrac{\sigma^{\mathsf{u}}_i = \alpha, \Gamma \stackrel{\mathsf{u}}{\not\Rightarrow} \beta}{\sigma^{\mathsf{b}}_i = \Gamma \stackrel{\mathsf{b}}{\not\Rightarrow} \alpha \to \beta}\ R{\to}
\qquad \text{or} \qquad
\text{(B)}\ \dfrac{\sigma^{\mathsf{u}}_i = \Box\alpha, \Gamma^{\mathrm{at}}, \Gamma^{\to}, \Delta \stackrel{\mathsf{u}}{\not\Rightarrow} \alpha}{\sigma^{\mathsf{b}}_i = \ldots}\ R^{\Box}_{\mathsf{b}}$$

In case (A) we set σᵘ σᵘᵢ, in case (B) we set σᵘ R σᵘᵢ.

Lemma 4. *Let* D *be an* RbuSL-*-derivation of* σᵘ = Γ ⇏ᵘ δ *having form (1) where* Γ = Γᵃᵗ, Γ→, □Δ*; let* K = ⟨W, ≤, R, r, V⟩ *and* w ∈ W *such that:*


*(J5)* V(w) = Γᵃᵗ*.*

*Then,* w ⊩ Γ *and* w ⊮ δ*.*

*Proof.* We show that:


We introduce the following induction hypothesis:


We prove Point (P1). Let σᵇ_χ be the premise of Succ displayed in schema (1). We show that the RbuSL--tree Tᵇ_χ and w match the hypotheses (I1)–(I3) of Lemma 3, so that we can apply the lemma to infer w ⊮ χ.

We prove (I1). Assume m ≥ 1 and let i ∈ {1, ..., m}; then either (A) σᵇᵢ = Γ ⇏ᵇ α → β or (B) σᵇᵢ = Γ ⇏ᵇ □α. In case (A) we have σᵘᵢ = α, Γ ⇏ᵘ β and σᵘ σᵘᵢ; by hypothesis (J3), there is w' ∈ W such that w ≤ w' and w' ⊩ α and w' ⊮ β, hence w ⊮ α → β. In case (B), we have σᵘᵢ = □α, Γᵃᵗ, Γ→, Δ ⇏ᵘ α and σᵘ R σᵘᵢ; by hypothesis (J4), there is w' such that w R w' and w' ⊮ α, hence w ⊮ □α. Assume n ≥ 1, let j ∈ {1, ..., n} and τᵇⱼ = Γ ⇏ᵇ δⱼ. Since τᵇⱼ is irreducible and V(w) = Γᵃᵗ (hypothesis (J5)), we get w ⊮ δⱼ. This proves that hypothesis (I1) holds.

We prove (I2). Let γ ∈ Γ→ ∩ Sf−(χ); since |γ| < |χ|, by (IH1) we get w ⊩ γ. Moreover, w ⊩ □Δ by (J2), thus (I2) holds. Finally, (I3) coincides with (J5). We can apply Lemma 3 and conclude w ⊮ χ, and this proves Point (P1).

We prove Point (P2). Let α → β ∈ Γ→ and let w' ∈ W be such that w ≤ w' and w' ⊩ α; we show that w' ⊩ β. Note that σᵇ_α = Γ ⇏ᵇ α is a premise of Succ; since |α| < |α → β|, by (IH2) we get w ⊮ α. This implies that w < w'. By hypothesis (J1), w' ⊩ α → β, hence w' ⊩ β; this proves (P2).

We prove the assertion of the lemma. By (P2) and hypotheses (J2) and (J5), we get w ⊩ Γ. The proof that w ⊮ δ depends on the specific rule Succ at hand and follows from Point (P1) and hypothesis (J5).

*Proof (Theorem 4(i)).* By induction on the depth of the sequent σᵘ = Γ ⇏ᵘ δ in D. Let ρ be the rule of RbuSL- having conclusion σᵘ. We proceed by a case analysis, only detailing some significant cases.

If ρ = Irr, then Γ = Γᵃᵗ, □Δ and δ ∈ (V ∪ {⊥}) \ Γᵃᵗ and Ψ(σᵘ) = σᵘ. Since V(σᵘ) = Γᵃᵗ and σᵘ is R-maximal, it follows that Ψ(σᵘ) ⊩ Γ and Ψ(σᵘ) ⊮ δ.

Let us assume that ρ = R→. Then, σᵘ = Γ ⇏ᵘ α → β, where Γ α, and the premise of ρ is σᵘ₁ = Γ ⇏ᵘ β. By the induction hypothesis, Ψ(σᵘ₁) ⊩ Γ and Ψ(σᵘ₁) ⊮ β. By Lemma 1(v) we get Ψ(σᵘ₁) ⊩ α, which implies Ψ(σᵘ₁) ⊮ α → β. Since Ψ(σᵘ) = Ψ(σᵘ₁), we conclude Ψ(σᵘ) ⊩ Γ and Ψ(σᵘ) ⊮ α → β.

Let us assume ρ = S□_u. We have σᵘ = Γ ⇏ᵘ δ, where Γ = Γᵃᵗ, Γ→, □Δ, and Ψ(σᵘ) = σᵘ. Let Dᵘ be the subderivation of D having root sequent σᵘ; we apply Lemma 4 setting D = Dᵘ, K = Mod(D) and w = σᵘ. We check that hypotheses (J1)–(J5) hold.

Let w' be a world of Mod(D) such that σᵘ < w'. There exists a u-sequent σ' = Γ' ⇒ᵘ δ' such that σᵘ ≺ σ' w' and Γ→ ⊆ Γ'. Since depth(σ') < depth(σᵘ), by the induction hypothesis we get Ψ(σ') ⊩ Γ', hence Ψ(σ') ⊩ Γ→. Since Ψ(σ') ≤ w', we conclude w' ⊩ Γ→, and this proves hypothesis (J1).

Let w' be a world of Mod(D) such that σᵘ R w'. There exists a u-sequent σ' = Γ' ⇒ᵘ δ' such that σᵘ ≺ σ' w' and Δ ⊆ Γ'. Reasoning as in the previous case, we get w' ⊩ Δ, and this proves hypothesis (J2).

Let σᵘ σ' = α, Γ ⇏ᵘ β. By the induction hypothesis, Ψ(σ') ⊩ α and Ψ(σ') ⊮ β. Since σᵘ = Ψ(σᵘ) ≤ Ψ(σ'), hypothesis (J3) holds. The proof for hypothesis (J4) is similar. Hypothesis (J5) holds by the definition of V. By applying Lemma 4, we conclude that σᵘ ⊩ Γ and σᵘ ⊮ δ.

*Conclusions.* In this paper we have presented a terminating sequent calculus GbuSL- for iSL enjoying the subformula property; GbuSL- is obtained by adding labels to G3iSL⁺-, a variant of the calculus G3iSL- [13,15]. If a sequent σ is not derivable in GbuSL-, then σ̄ is derivable in the dual calculus RbuSL-, and from the RbuSL--derivation we can extract a countermodel for σ. In Fig. 6 we compare the known sequent calculi for iSL. We leave as future work the investigation of cut-admissibility for GbuSL-; this is a rather tricky task, since labels impose strict constraints on the shape of derivations. We also aim to extend our approach to other provability logics related to iSL, such as the logics iGL, mHC and KM (for an overview, see e.g. [13]).

Fig. 6. Overview of the main sequent calculi for iSL. Cut: syntactic proof of cut-admissibility; Count: proof search procedure with countermodel generation.

Acknowledgments. We thank the reviewers for their valuable and constructive comments. Camillo Fiorentini is a member of the Gruppo Nazionale Calcolo Scientifico-Istituto Nazionale di Alta Matematica (GNCS-INdAM).

## References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Mechanised Uniform Interpolation for Modal Logics K, GL, and iSL**

Hugo Férée¹, Iris van der Giessen², Sam van Gool¹(B), and Ian Shillito³

¹ Université Paris Cité, CNRS, IRIF, 75013 Paris, France
vangool@irif.fr

² University of Birmingham, Birmingham, UK

³ Australian National University, Canberra, Australia

**Abstract.** The uniform interpolation property in a given logic can be understood as the definability of propositional quantifiers. We mechanise the computation of these quantifiers and prove correctness in the Coq proof assistant for three modal logics, namely: (1) the modal logic K, for which a pen-and-paper proof exists; (2) Gödel-Löb logic GL, for which our formalisation clarifies an important point in an existing, but incomplete, sequent-style proof; and (3) intuitionistic strong Löb logic iSL, for which this is the first proof-theoretic construction of uniform interpolants. Our work also yields verified programs that allow one to compute the propositional quantifiers on any formula in this logic.

**Keywords:** provability logic · uniform interpolation · propositional quantifiers · formal verification · proof theory

# **1 Introduction**

Uniform interpolation is a strong form of interpolation, which says that propositional quantifiers can be defined inside the logic. More precisely, a left uniform interpolant of a formula ϕ with respect to a variable p is a p-free formula, denoted ∀pϕ, which entails ϕ, and is a consequence of any p-free formula that entails ϕ. The dual notion is that of a right uniform interpolant, denoted ∃pϕ, and a logic is said to have uniform interpolation if both left and right uniform interpolants exist for any formula. Said otherwise, uniform interpolation means that for any ϕ and p, the logic has a strongest formula without p that implies ϕ, and a weakest formula without p that is implied by ϕ.

The uniform interpolation property was first established for intuitionistic propositional logic IL by Pitts [23], and then for a number of modal logics, including basic modal logic K and Gödel-Löb provability logic GL [10,25,27]. Since then, uniform interpolation has been shown to hold in various modal fixpoint logics [1,22] and substructural logics [2], and connections have been developed with description logic [11], proof theory [12,18], model theory [10,19], and universal algebra [16,20].

Existing proof methods for uniform interpolation can be divided, roughly, into two strands: one is syntactic and relies on the existence of a well-behaved sequent calculus for the logic (see e.g. [18]), the other is semantic and uses Kripke models to establish definability of bisimulation quantifiers (see e.g. [10]). An advantage of the syntactic method over the semantic one is that, at least in theory, it provides better bounds on the complexity of computing uniform interpolants. In practice, however, it is not feasible to compute uniform interpolants by hand, as the calculations quickly become complex even on small examples. The algorithms for computing uniform interpolants are often intricate, and it is a non-trivial task to implement them correctly. The first- and third-named author recently developed the first verified implementation of Pitts' algorithm for computing uniform interpolants in the case of IL, using The Coq Proof Assistant in order to formally prove the correctness of the implementation [9].

In this article, we provide mechanised proofs of the uniform interpolation property for the classical modal logics K and GL and for an intuitionistic version of strong Löb logic, iSL. Of these three contributions, we discuss the first one in Sect. 3, which serves as a warm-up for what follows. The formalisation of uniform interpolation for GL starts from a sequent-style proof of this theorem [5]. During our work on formalising this proof in Coq, we uncovered an incompleteness in it, and our formalisation contains a corrected version of the construction of [5], as we will explain further in Sect. 4. Finally, the uniform interpolation result for iSL is new to this paper, and resolves an open question of [13]. (T. Litak and A. Visser have shared a draft paper with us in which they obtain a different, semantic, proof of the same result, available in preprint [28].) The proof we give extends the syntactic method of Pitts, while taking advantage both of the robustness of the earlier Coq formalisation for the case of IL, and of a recently developed sequent calculus for iSL [26].

All definitions and proofs that we describe in this paper are implemented in the constructive setting of the Coq proof assistant; the code is available online at https://github.com/hferee/UIML. In particular, this means that the definitions of the uniform interpolants for the three logics at hand here are effective, which allows us to extract from the Coq implementation an OCaml program that can generate interpolants from input formulas. Throughout the paper, links to an online-readable version of the Coq proofs are given by a clickable symbol. Finally, a demonstration webpage is available at https://hferee.github.io/UIML/demo.html where the uniform interpolants for each logic can be computed.

#### **2 Sequent Calculi and Uniform Interpolation**

In this section, we recall some standard notions that we need in this paper, pertaining to the classical modal logics K and GL, and intuitionistic modal logic iSL. We mostly follow the same notations as in [12, Ch. 1], and we refer the reader to that chapter for more details.

It will be convenient to use a more economical language for the classical setting than for the intuitionistic setting, so we define the precise syntax in some detail now. Both languages contain the *boolean constant* ⊥, the *connective* →, the *modality* ◻ and a set V of countably many *(propositional) variables*, denoted p, q, . . . .

In the *classical modal language* we use the following standard classical constructors, ¬, ∨, ∧, and ◇, which should be read as abbreviations: ¬ϕ := ϕ → ⊥, ϕ ∨ ψ := (ϕ → ⊥) → ψ, ϕ ∧ ψ := (ϕ → (ψ → ⊥)) → ⊥, and ◇ϕ := ◻(ϕ → ⊥) → ⊥. The *intuitionistic modal language* instead contains the *connectives* ∧ and ∨ as primitives (and no ◇); only ¬ and ⊤ are abbreviations: ¬ϕ := ϕ → ⊥ and ⊤ := ¬⊥. In both the classical and the intuitionistic setting, we denote modal formulas by lowercase Greek letters ϕ, ψ, . . . and we write Vars(ϕ) to denote the set of all propositional variables occurring as subformulas in the formula ϕ.

We briefly recall the axiomatisation of the logics K, GL, and iSL. The logics K and GL are defined over the classical modal language and iSL over the intuitionistic modal language. To do so, we recall three axioms:


Also recall the rules *modus ponens* (from ϕ and ϕ → ψ infer ψ), *necessitation* (from ϕ infer ◻ϕ), and *substitution* (from ϕ infer σϕ, for any uniform substitution σ). Now, logic K is defined by the classical propositional tautologies, axiom k, and the rules modus ponens, necessitation, and substitution. The logic GL is the extension of K by the axiom gl. Furthermore, intuitionistic propositional logic IL is defined by the intuitionistic tautologies, and the rules modus ponens, necessitation, and substitution; intuitionistic modal logic iSL is the extension of IL with axioms k and sl.

#### **2.1 Sequent Calculi**

A *sequent* is a pair of finite multisets of formulas Γ and Δ, which we denote by Γ ⇒ Δ. In the intuitionistic case, Δ will necessarily be a singleton. A sequent Γ ⇒ Δ is *empty* if Γ and Δ are empty multisets. Given two multisets Γ and Δ, we write Γ, Δ for the multiset addition of Γ and Δ, and, when ϕ is a formula, we write Γ, ϕ as notation for Γ, {ϕ}. Analogously to formulas, we write Vars(Γ) to denote the set of all propositional variables occurring as subformulas in formulas in Γ. For p ∈ V, we define Γ_p := Γ \ {p} for any multiset Γ.

In the intuitionistic setting we use the following notation ◻⁻¹ on formulas:

$$
\Box^{-1}\psi := \begin{cases}
\varphi & \text{if } \psi = \Box\varphi \text{ for some formula } \varphi, \\
\psi & \text{otherwise.}
\end{cases}
$$

This notation is naturally overloaded to also apply to (multi)sets of formulas: ◻⁻¹Γ := {◻⁻¹ϕ | ϕ ∈ Γ}.

Now we define the sequent calculi that we use throughout the paper. The sequent calculus KS consists of two *initial* rules (IdP) and (⊥L), the implication rules (→L) and (→R), and the modal rule (KR); all are displayed in Fig. 1.

**Fig. 1.** Classical sequent rules. Here, Φ does not contain boxed formulae.

The sequent calculus GLS is the variant of the calculus KS in which the rule (KR) is replaced by the rule (GLR) in Fig. 1. The sequent calculus KS is well-known to be sound and complete for K, and GLS is sound and complete for GL [24]. In the rule (GLR), the formula ◻ψ is called the *diagonal* formula. We denote by KP(s) the multiset of all possible (KR)-premises for a given sequent s, and by GP(s) the multiset of all (GLR)-premises for s.

For iSL, we work with the calculus G4iSLt from [26], which was specifically designed with the aim of proving uniform interpolation for iSL. The calculus is an extension of the calculus G4iP for IL [7]. We show the calculus G4iSLt in Fig. 2, using the ◻⁻¹ operator to rephrase its definition slightly compared to [26].

For every sequent calculus S, we denote by ⊢_S the set of sequents that are derivable using the rules in S. For a sequent Γ ⇒ Δ, we then write ⊢_S Γ ⇒ Δ to mean that Γ ⇒ Δ is an element of the set ⊢_S.

The crucial fact for proving uniform interpolation is that each of the three calculi KS, GLS, and G4iSLt has a *complete* and *terminating* backward proof search strategy, which may only depend on a *local* loop-check. *Completeness* means that the strategy finds a proof for any sequent provable in the calculus. *Termination* means that the strategy always ends in a finite proof search tree. By a *local* loop-check we mean: the criterion for deciding whether or not to stop the proof search for a given sequent only depends on the sequent itself, and does not depend on other sequents, encountered earlier by the proof search strategy. Termination for KS, GLS, and G4iSLt is discussed in detail in Sects. 3.1, 4.1 and 5.1 respectively.

#### **2.2 Uniform Interpolation**

**Definition 1.** *A logic* L *has the* uniform interpolation property *if, for every* L*-formula* ϕ *and variable* p*, there exist* L*-formulas, denoted by* ∀pϕ *and* ∃pϕ*, satisfying the following three properties:*

*1.* p-freeness: *Vars* (∃pϕ) ⊆ *Vars* (ϕ) \ {p} *and Vars* (∀pϕ) ⊆ *Vars* (ϕ) \ {p}*,*


*3.* uniformity: *for every* p*-free* L*-formula* ψ*,* ⊢_L ϕ → ψ *implies* ⊢_L ∃pϕ → ψ*, and* ⊢_L ψ → ϕ *implies* ⊢_L ψ → ∀pϕ*.*

**Fig. 2.** The sequent calculus G4iSLt. The sequent calculus G4iP is the restriction of G4iSLt obtained by omitting the two rules involving ◻.

**Lemma 1.** *Both classically and intuitionistically, the formulas* ∀p(ϕ → ψ) *and* ∃p(ϕ) → ∀p(ϕ → ψ) *are equivalent.*

*Proof.* The left-to-right direction is clear. For the right-to-left direction, note that the formula ∃pϕ → ∀p(ϕ → ψ) is p-free by definition. Moreover, one easily obtains that ∃pϕ → ∀p(ϕ → ψ) implies ϕ → ψ, using the implication rules and the implication properties of ∃p and ∀p. Now uniformity ensures that ∃pϕ → ∀p(ϕ → ψ) implies ∀p(ϕ → ψ).

To show uniform interpolation of the logics in the paper, we employ a standard proof-theoretic approach via the sequent calculi. The following definition merges the well-known definitions for intuitionistic logic from [23] and classical modal logic from [3].

**Definition 2.** *A set of provable sequents, denoted* ⊢*, has the* uniform interpolation property *if, for any sequent* Γ ⇒ Δ *and variable* p*, there exist modal formulas* E_p(Γ) *and* A_p(Γ ⇒ Δ) *such that the following three properties hold:*


$$\begin{aligned} &(a)\ \vdash \varPi, \mathsf{E}_p(\varGamma) \Rightarrow \Delta, \Sigma \text{ if } p \notin Vars(\Delta), \text{ and} \\ &(b)\ \vdash \varPi, \mathsf{E}_p(\varGamma) \Rightarrow \mathsf{A}_p(\varGamma \Rightarrow \Delta), \Sigma. \end{aligned}$$

*In the intuitionistic setting, we require* Δ *to be a singleton and* Σ *to be empty. In this paper, we say that a sequent calculus* S *has* uniform interpolation *if* ⊢_S *has the uniform interpolation property.*

We provide some observations and facts in the following remarks.

*Remark 1.* When proving uniform interpolation in the classical setting, we prove a stronger statement in clause (b) of uniformity:

$$(\mathsf{b})\ \vdash \varPi \Rightarrow \mathsf{A}_p(\varGamma \Rightarrow \Delta), \Sigma$$

where we omit the occurrence of E_p(Γ) on the left-hand side of the sequent. In fact, we can then take E_p(Γ) := ¬A_p(Γ ⇒ ∅), and we only have to consider clauses (b) in every property of Definition 2, as in [3]. This will be the route taken in this paper for KS and GLS.

*Remark 2.* It is well-known that the uniform interpolation property for a sequent calculus results in the uniform interpolation property for its corresponding logic [4,23]. Both classically and intuitionistically, we can define ∀pϕ := A_p(∅ ⇒ ϕ). In classical modal logic, we can define ∃pϕ as its dual, i.e., ∃pϕ := ¬∀p(¬ϕ). For intuitionistic modal logic, we define ∃pϕ := E_p({ϕ}). One may then show that, for these definitions of ∀p and ∃p, the three properties from Definition 1 follow from those in Definition 2, where, in the intuitionistic case, one needs to use the fact that E_p(∅) = ⊤.

*Remark 3.* In the sequel of the paper we explicitly construct operators A_p(·) (and also E_p(·) in the intuitionistic case) using the terminating sequent calculi for the logics. These operators have the following properties, which can be viewed as Remark 2 applied to sequents instead of formulas. In both the classical and intuitionistic setting, E_p(Γ) serves as the formula ∃p(⋀Γ). In the classical case, the formula A_p(Γ ⇒ Δ) will be equivalent to ∀p(⋀Γ → ⋁Δ). Intuitionistically, however, A_p(Γ ⇒ ϕ) is not equivalent to ∀p(⋀Γ → ϕ); the latter is instead computed as E_p(Γ) → A_p(Γ ⇒ ϕ). By Lemma 1 (with ⋀Γ in place of ϕ) this does not contradict Remark 2. See also Remark 5 in [23].

# **3 Basic Modal Logic K**

We start our investigations on uniform interpolation for provability logics by showcasing a simple example: the modal logic K. We follow the strategy in [3] using calculus KS and provide a formalisation in Coq.

#### **3.1 Termination of the Sequent Calculus KS**

To compute the uniform interpolants for the sequent calculus KS, we provide a complete and terminating proof search strategy for it. For this, we define some useful notions for sequents Γ ⇒ Δ.  The *size* of Γ ⇒ Δ is the total number of symbols in the multiset Γ, Δ. We call a sequent *critical* if there is no formula of the form ϕ → ψ in Γ, Δ, and we call a critical sequent *initial* if either ⊥ ∈ Γ or Γ ∩ Δ ∩ V ≠ ∅, that is, if the sequent Γ ⇒ Δ can be proved with an initial rule.

A complete and terminating strategy for proof search in KS can easily be defined in three steps, as follows. Given a sequent, we first saturate it by maximally iterating applications of the rules (→ L) and (→ R). This step computes a finite multiset Can(s) of critical sequents, called the *canopy* of s. Note that, if s is not critical, then all sequents in Can(s) have strictly smaller size than s. Second, we try to apply the rules (IdP) and (⊥L), and close any branches where we have an initial sequent. Third, we try to apply the rule (KR) on any remaining sequents which are not initial. Since the size of sequents decreases during the execution of this strategy as long as sequents are not initial, this strategy clearly terminates.

#### **3.2 Uniform Interpolation for KS**

**Definition 3.** *Let* p ∈ V *be a variable and* s = (Γ, ◻Γ′ ⇒ Δ) *a sequent, where no* ϕ ∈ Γ *is a boxed formula. We define* A^K_p(s) *recursively, as follows:*


Termination of this function is proved by induction on the size of sequents. The definition mirrors the proof search strategy for KS. The first case is a default for the empty sequent, which carries no content. The remaining cases correspond to steps of the strategy: (A^K_p 2) postpones the computation of the interpolant to the sequents in the canopy via recursive calls; (A^K_p 3) checks for initiality; (A^K_p 4) is the case where we apply (KR). As this last case is the most complex, we motivate its definition in more detail now.

In case (A^K_p 4), for s = (Γ, ◻Γ′ ⇒ Δ) critical, non-empty and not initial, the interpolant is the disjunction

$$\mathsf{A}^{\mathsf{K}}_p(s) = \bigvee_{q \in \Delta_p} q \;\lor\; \bigvee_{r \in \varGamma_p} \neg r \;\lor\; \bigvee_{s' \in \mathrm{KP}(s)} \Box \mathsf{A}^{\mathsf{K}}_p(s') \;\lor\; \Diamond \mathsf{A}^{\mathsf{K}}_p(\varGamma' \Rightarrow) \tag{$\mathsf{A}^{\mathsf{K}}_p 4$}$$

Because an application of the (KR) rule on a sequent s deletes the non-boxed formulas in s, we first need to record all these formulas in A^K_p(s): this is the role of the first two disjuncts, ⋁_{q∈Δ_p} q and ⋁_{r∈Γ_p} ¬r, which notably discard all occurrences of the variable p. The third disjunct, ⋁_{s′∈KP(s)} ◻A^K_p(s′), contains recursive calls on all (KR)-premises of s, and prefixes them with a ◻ to reflect the logical strength of the rule. The last disjunct ◇A^K_p(Γ′ ⇒) is needed to obtain uniformity in the sense of Definition 2. It accounts for the possibility that our sequent s = (Γ, ◻Γ′ ⇒ Δ) becomes provable once the context is extended, i.e., that a sequent of the form Φ, ◻Φ′, Γ, ◻Γ′ ⇒ Δ, Δ′ is provable. In a proof of the latter, suppose that the last rule applied was (KR), triggered by a formula ◻ϕ in Δ′. In the premise Φ′, Γ′ ⇒ ϕ of that application, what remains of our sequent Γ, ◻Γ′ ⇒ Δ is the sequent Γ′ ⇒, on which we then perform the recursive call A^K_p(Γ′ ⇒). So, the last disjunct uses a ◇ to record the possibility of a "step aside" in the proof search tree, by considering a recursive call on what remains of s after a (KR) application in an extended context.
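The strategy of Sect. 3.1 and the four cases of A^K_p, as an added worked example in Python (not code from the paper or from its Coq/OCaml development). It models the KS rules of Fig. 1 in their standard form, decides K-provability by the three-step strategy, and computes the interpolant by the cases described above; since the table of Definition 3 is not reproduced here, the values for the empty sequent (⊥) and for non-critical sequents (the conjunction over the canopy) are my reading of the text, and the check at the end uses the decision procedure to confirm p-freeness and the implication property on small inputs:

```python
# Added worked example, not code from the paper or its Coq/OCaml development:
# a small Python model of the KS proof-search strategy of Sect. 3.1 and of
# the interpolant A^K_p described for Definition 3. Formulas are tuples over
# the classical language: ('bot',), ('var', name), ('imp', a, b), ('box', a);
# a sequent Γ ⇒ Δ is a pair of Python lists read as multisets.
BOT = ('bot',)

def var(name): return ('var', name)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)
def neg(a): return imp(a, BOT)             # ¬a := a → ⊥
def dia(a): return neg(box(neg(a)))        # ◇a := ◻(a → ⊥) → ⊥
TOP = neg(BOT)

def disj(fs):                              # ⋁ fs, with ⋁∅ = ⊥ and a ∨ b := (a → ⊥) → b
    out = BOT if not fs else fs[-1]
    for f in reversed(fs[:-1]):
        out = imp(neg(f), out)
    return out

def conj(fs):                              # ⋀ fs, with ⋀∅ = ⊤ and a ∧ b := (a → (b → ⊥)) → ⊥
    out = TOP if not fs else fs[-1]
    for f in reversed(fs[:-1]):
        out = neg(imp(f, neg(out)))
    return out

def vars_of(f):
    return {f[1]} if f[0] == 'var' else set().union(*(vars_of(g) for g in f[1:]))

def canopy(gamma, delta):
    """Can(s): saturate (→L) and (→R) upwards; returns the multiset of critical sequents."""
    for i, f in enumerate(gamma):
        if f[0] == 'imp':                  # (→L): Γ, a→b ⇒ Δ from Γ ⇒ a, Δ and Γ, b ⇒ Δ
            rest = gamma[:i] + gamma[i + 1:]
            return canopy(rest, [f[1]] + delta) + canopy(rest + [f[2]], delta)
    for i, f in enumerate(delta):
        if f[0] == 'imp':                  # (→R): Γ ⇒ a→b, Δ from Γ, a ⇒ b, Δ
            rest = delta[:i] + delta[i + 1:]
            return canopy(gamma + [f[1]], [f[2]] + rest)
    return [(gamma, delta)]

def is_initial(gamma, delta):              # (⊥L) or (IdP) applies
    return BOT in gamma or any(f[0] == 'var' and f in delta for f in gamma)

def kr_premises(gamma, delta):
    """KP(s): one premise Γ′ ⇒ ϕ per ◻ϕ ∈ Δ, where s = (Γ, ◻Γ′ ⇒ Δ)."""
    unboxed = [f[1] for f in gamma if f[0] == 'box']
    return [(unboxed, [f[1]]) for f in delta if f[0] == 'box']

def provable(gamma, delta):
    """Backward proof search in KS following the three-step strategy of Sect. 3.1."""
    return all(is_initial(g, d) or any(provable(*s) for s in kr_premises(g, d))
               for g, d in canopy(gamma, delta))

def forall_seq(p, gamma, delta):
    """A^K_p(Γ ⇒ Δ). The table of Definition 3 is not reproduced on the page; the
    values for cases 1 and 2 (⊥ for the empty sequent, ⋀ over the canopy) are my reading."""
    if not gamma and not delta:                       # (A^K_p 1): empty sequent
        return BOT
    crit = canopy(gamma, delta)
    if crit != [(gamma, delta)]:                      # (A^K_p 2): not critical
        return conj([forall_seq(p, g, d) for g, d in crit])
    if is_initial(gamma, delta):                      # (A^K_p 3): initial
        return TOP
    unboxed = [f[1] for f in gamma if f[0] == 'box']  # Γ′
    return disj([q for q in delta if q[0] == 'var' and q[1] != p]
                + [neg(r) for r in gamma if r[0] == 'var' and r[1] != p]
                + [box(forall_seq(p, *s)) for s in kr_premises(gamma, delta)]
                + [dia(forall_seq(p, unboxed, []))])  # the "step aside" disjunct

def forall_p(p, phi): return forall_seq(p, [], [phi])    # ∀pϕ := A_p(∅ ⇒ ϕ), Remark 2
def exists_p(p, phi): return neg(forall_p(p, neg(phi)))  # ∃pϕ := ¬∀p¬ϕ

def check_interpolant(p, phi):
    """p-freeness and the implication property ⊢ ∀pϕ → ϕ, the latter decided by proof search."""
    a = forall_p(p, phi)
    return p not in vars_of(a) and provable([a], [phi])

if __name__ == '__main__':
    p, q = var('p'), var('q')
    print(provable([], [imp(box(imp(p, q)), imp(box(p), box(q)))]))  # axiom k: True
    print(check_interpolant('p', box(p)), forall_p('p', box(p)))     # ∀p◻p, K-equivalent to ◻⊥
```

Run as a script it prints the interpolant ∀p◻p, which proof search shows to be K-equivalent to ◻⊥ (both ∀p◻p → ◻⊥ and ◻⊥ → ∀p◻p are provable); ∃pϕ is obtained as ¬∀p¬ϕ, following Remark 2.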

The complexity of the function A^K_p lies in its recursive calls on *multisets* of sequents, and in the use of the canopy function, which contains similar recursive calls. Since only computable functions can be defined in Coq, termination needs to be proved whenever Coq cannot automatically derive it. In order to formalise our two functions in Coq, we need to define them and, at the same time, convince Coq that all recursive calls are justified, by exhibiting a quantity which decreases along a well-founded order. Because of the complex recursive calls of our two functions, the traditional pen-and-paper definition of such an order is rather intricate to formalise, involving a well-founded order on multisets, cf. [9, Section 3]. To circumvent this difficulty in our formalisation of Definition 3, we use the Braga method [21] of Larchey-Wendling and Monin, which separates the definition of the function from the termination proof. More precisely, using this method we first define a function as a relation which captures the *computational graph* of the function, and then prove that this relation is indeed functional and terminates. While this method was initially designed to capture partial functions in Coq, we here apply it to the definition of A^K_p and the canopy. This allows us to separate the concerns of defining these functions and proving that the definition terminates.

Given that A<sup>K</sup> <sup>p</sup> is connected to the proof search tree, and its definition tailored to satisfy the three correctness properties for uniform interpolants, we can now prove the correctness of the definition, and formalise it in Coq.

**Theorem 1.** *The sequent calculus* KS *has the uniform interpolation property.*

*Proof.* We have formalised in the Coq proof assistant the proof from [3] with no major changes. We have to check the three properties from Definition 2, i.e., p-freeness, implication, and uniformity. It is evident that A^K_p(s) is p-free for every sequent s, as the computations in A^K_p all make sure to discard p whenever propositional variables are recorded. Second, as A^K_p(Γ ⇒ Δ) follows closely the proof search tree of Γ ⇒ Δ, we obtain rather straightforwardly that A^K_p(Γ ⇒ Δ), Γ ⇒ Δ is provable, hence proving the implication property. Finally, we make crucial use of the disjunct ◇A^K_p(Γ′ ⇒) of the case (A^K_p 4) in the proof of uniformity.

#### **4 Classical Provability Logic GL**

We now shift our focus to the logic GL. We will first provide a complete and terminating strategy for GLS. Then, in order to construct uniform interpolants for GL, we take inspiration from [5], but we modify the definition given there in order to fix an incompleteness in the correctness proof.

#### **4.1 Terminating Strategy for Sequent Calculus GLS**

In the rule (GLR), the multiset ◻Γ on the left of the premise is preserved, while the diagonal formula ◻ψ moves diagonally from the left to the right when moving from premise to conclusion. These features are known to be an obstacle to the termination of a strategy for GLS, which can be overcome by a local loop-check. Consider the following rule, labelled (IdB) for 'Identity Box'.

$$\frac{}{\Box\varphi, \varGamma \Rightarrow \Delta, \Box\varphi}\ (\mathrm{IdB})$$

Our proof search strategy for GLS extends the one for KS: first apply (→L) and (→R), then the initial rules (IdP), (⊥L) and (IdB), and finally the rule (GLR). When following this strategy, any application of the rule (GLR) is such that its conclusion is critical but not initial, where our definition of *initial* sequent now also includes sequents that allow for an application of (IdB). Note a subtlety of our strategy: while (IdB) is not a rule of GLS, its presence in our strategy is justified by its *admissibility* [17], ensuring the completeness of this strategy.

To show termination, we define a measure on sequents which decreases, in a well-founded order, as we move upwards by applying rules according to the proof strategy. Given a sequent Γ ⇒ Δ, its measure Θ(Γ ⇒ Δ) is a pair of natural numbers (β(Γ ⇒ Δ), imp(Γ ⇒ Δ)). The first component is what we call the *number of usable boxes*, β(Γ ⇒ Δ), defined as the cardinality of the set {◻ϕ | ◻ϕ ∈ Sub(Γ ∪ Δ)} \ {◻ϕ | ◻ϕ ∈ Γ}; the second component, imp(Γ ⇒ Δ), is the number of occurrences of the symbol → in Γ ⇒ Δ. The idea is that β counts the boxed formulas of a sequent Γ ⇒ Δ which might later become the diagonal formula of an instance of (GLR) in a derivation of this sequent, when following the proof search strategy. An application of (GLR) moves its diagonal formula ◻ψ to the left-hand side, where it was not yet present (otherwise (IdB) would have applied), and so makes β decrease even though the duplicated Γ may contain more occurrences of →; the rules (→L) and (→R) do not increase β and make imp decrease. To show termination of our strategy via Θ, we therefore use the lexicographic order ≪ on pairs of natural numbers, noting that, for any rule application in the strategy with conclusion s and premise s′, we have Θ(s′) ≪ Θ(s).

#### **4.2 Computing Uniform Interpolants for GLS**

We now replicate the argument for K for GL, using the sequent calculus GLS and the terminating and complete proof search strategy for it. A first try would be to use the modified notion of initiality, and to change the function A^K_p into a function A^GL_p by exchanging the rule (A^K_p 4) for a similar rule that follows the rule (GLR) instead of (KR). However, this approach leads to a termination problem in the fourth case of the definition of the function, as was noticed in [3], and as we briefly explain now. In this case Γ, ◻Γ′ ⇒ Δ is critical, not empty and not initial, so we would require a recursive call of the function on Γ′, ◻Γ′ ⇒ in the last disjunct. However, this recursive call could fail to terminate, as we do not have in general that Θ(Γ′, ◻Γ′ ⇒) ≪ Θ(Γ, ◻Γ′ ⇒ Δ). To address this problem, [3] used an auxiliary function N in the definition of A^GL_p for GL.
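The measure Θ and the sequent Γ′, ◻Γ′ ⇒ of the termination problem, as an added example in Python (not the paper's Coq code). It takes Θ with the usable-box count as the dominant component and the (GLR) rule in the form ◻Γ, Γ, ◻ψ ⇒ ψ / Φ, ◻Γ ⇒ Δ, ◻ψ; the last function repeats the check with the implication count as the dominant component, to show that (GLR) would then not decrease the measure once Γ contains an implication:

```python
# Added example, not code from the paper's Coq development: the measure Θ of
# Sect. 4.1 on classical sequents, checked along (GLR) and on the sequent
# Γ′, ◻Γ′ ⇒ of the termination problem in Sect. 4.2. Formulas are tuples
# ('bot',), ('var', name), ('imp', a, b), ('box', a); sequents are pairs of lists.
BOT = ('bot',)
def var(name): return ('var', name)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)

def subformulas(f):
    """Sub(f), f itself included."""
    yield f
    for g in f[1:]:
        if isinstance(g, tuple):
            yield from subformulas(g)

def imp_count(gamma, delta):
    """imp(Γ ⇒ Δ): occurrences of → in the sequent."""
    return sum(1 for f in gamma + delta for g in subformulas(f) if g[0] == 'imp')

def usable_boxes(gamma, delta):
    """β(Γ ⇒ Δ): boxed subformulas of Γ ∪ Δ that are not boxed formulas of Γ."""
    boxed_sub = {g for f in gamma + delta for g in subformulas(f) if g[0] == 'box'}
    return len(boxed_sub - {f for f in gamma if f[0] == 'box'})

def theta(gamma, delta):
    """Θ = (β, imp); Python compares tuples lexicographically, first component dominant."""
    return (usable_boxes(gamma, delta), imp_count(gamma, delta))

def glr_premise(gamma, delta, psi):
    """(GLR) read upwards with diagonal formula ◻ψ ∈ Δ: from Φ, ◻Γ ⇒ Δ, ◻ψ to ◻Γ, Γ, ◻ψ ⇒ ψ."""
    assert box(psi) in delta
    boxed = [f for f in gamma if f[0] == 'box']
    return boxed + [f[1] for f in boxed] + [box(psi)], [psi]

def step_aside(gamma):
    """Γ′, ◻Γ′ ⇒ : what remains of Γ, ◻Γ′ ⇒ Δ after a (GLR) step in an extended context."""
    boxed = [f for f in gamma if f[0] == 'box']
    return [f[1] for f in boxed] + boxed, []

def glr_decreases(gamma, delta, psi):
    return theta(*glr_premise(gamma, delta, psi)) < theta(gamma, delta)

def step_aside_decreases(gamma, delta):
    return theta(*step_aside(gamma)) < theta(gamma, delta)

def imp_first_decreases(gamma, delta, psi):
    """Same check with the components swapped: (GLR) duplicates Γ, so imp may grow."""
    g2, d2 = glr_premise(gamma, delta, psi)
    return ((imp_count(g2, d2), usable_boxes(g2, d2))
            < (imp_count(gamma, delta), usable_boxes(gamma, delta)))

if __name__ == '__main__':
    p, q = var('p'), var('q')
    s = ([box(imp(p, q))], [box(q)])               # ◻(p→q) ⇒ ◻q
    print(theta(*s), theta(*glr_premise(*s, q)))   # (1, 1) (0, 2): decreases with β first only
    print(step_aside_decreases([box(p)], [q]))     # False: ◻p ⇒ q and p, ◻p ⇒ both have Θ = (0, 0)
```

The second printed line is the situation of the text: for ◻p ⇒ q the sequent p, ◻p ⇒ has the same measure, so a recursive call on it is not justified by Θ.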

We recall the definition of the function N as given in [5] in Fig. 3; in Definition 4 below, we will modify this table to obtain a mutually recursive definition of the function A^GL_p.

**Fig. 3.** Definition of function N_p(·, ·) from [3], where t = (Σ ⇒ Π).

Given the function N, the idea is, then, to replace the rule (A^K_p 4) in Definition 3 by a rule which says that, if s = (Γ, ◻Γ′ ⇒ Δ) and s is critical, not empty, and not initial, then A^GL_p(s) equals

$$\bigvee_{q \in \Delta_p} q \;\lor\; \bigvee_{r \in \varGamma_p} \neg r \;\lor\; \bigvee_{s' \in \mathrm{GP}(s)} \Box \mathsf{A}^{\mathsf{GL}}_p(s') \;\lor\; \Diamond \bigwedge_{t \in \mathrm{Can}(\varGamma', \Box \varGamma' \Rightarrow)} \mathsf{N}_p(s, t) \; . \tag{$\mathsf{A}^{\mathsf{GL}}_p 4$}$$

Here, in the last disjunct of (A^GL_p 4), we apply the function N to all elements of the canopy of the sequent Γ′, ◻Γ′ ⇒, which is exactly what remains of the sequent s after applying (GLR) upwards. The purpose of the function N is to attempt another unfolding of A^GL_p in the canopy of Γ′, ◻Γ′ ⇒. Indeed, the definition of N first checks whether any recursive call is necessary via the initiality check in (N1), and then proceeds in (N2) to recursively call A^GL_p if we are ensured that Θ decreases via its first component, or goes to (N3) if there is no such decrease. Notice that, in this last case, the definition of N is a truncation of (A^GL_p 4) which omits the problematic last disjunct, as it cannot be guaranteed to decrease in the recursion. The termination of A^GL_p is then ensured by definition. However, correctness is no longer obvious, due to the truncation in the rule (N3). The key insight for proving correctness is the following *fixed point* equivalence [5], which is valid in GL:

$$\Diamond \Big( \bigwedge_{i} \big[ \alpha_{i} \lor \Diamond \big( \bigwedge_{i} \alpha_{i} \land \beta \big) \big] \land \beta \Big) \qquad \leftrightarrow \qquad \Diamond \Big( \bigwedge_{i} \alpha_{i} \land \beta \Big)$$

This equivalence can be used to prove that the diamond disjunct from the rule (AGL <sup>p</sup> 4) may be omitted in the rule (N3). In order to make this work formally, one needs the following equivalence to be derivable in GLS:

$$\Diamond \bigwedge_{s' \in \mathrm{Can}(\varGamma', \Box \varGamma' \Rightarrow)} \mathsf{N}_p(s, s') \quad \leftrightarrow \quad \Diamond \mathsf{A}^{\mathsf{GL}}_p(\varGamma', \Box \varGamma' \Rightarrow)\ . \tag{1}$$

Assuming this equivalence, one can show that the uniform interpolation property holds for GLS. To justify (1), [5] relies on another equivalence between two formulas N_p(s, t₁) and N_p(s, t₂), where t_i = (Γ_i, ◻Γ_i ⇒) for i = 1, 2, and where the multisets Γ₁ and Γ₂ are known to be equal only when considered *as sets*, i.e., not counting multiplicities. This equivalence is not formally proved, but only "observe[d]" [5, p. 17]. Since the sequents t₁ and t₂ are *identical modulo contraction*, and contraction is an admissible rule in GLS, this sounds reasonable, but we were unable to formally derive this equivalence, even after consulting with the author of [5].

The difficulty in formally proving the observation primarily lies in the fact that the function <sup>N</sup> includes computations of the canopy of our two sequents <sup>t</sup><sup>1</sup> and t2. However, the canopies of two sequents can vastly differ, even if they are identical modulo contraction. We give a minimal example of such a situation in Fig. 4, where the sequents q ⇒ p on the right find no counterparts on the left. This mismatch in canopies, then, makes it hard to prove that any call to AGL <sup>p</sup> in one canopy has a counterpart in the other canopy.

$$
\begin{array}{c}
\dfrac{\Rightarrow p \qquad q \Rightarrow}{p \rightarrow q \Rightarrow}\ (\rightarrow\mathrm{L})
\qquad\qquad
\dfrac{\dfrac{\Rightarrow p, p \qquad q \Rightarrow p}{p \rightarrow q \Rightarrow p}\ (\rightarrow\mathrm{L}) \qquad \dfrac{q \Rightarrow p \qquad q, q \Rightarrow}{p \rightarrow q,\ q \Rightarrow}\ (\rightarrow\mathrm{L})}{p \rightarrow q,\ p \rightarrow q \Rightarrow}\ (\rightarrow\mathrm{L})
\end{array}
$$

**Fig. 4.** Two sequents that are equivalent up to contraction, but the canopies are not.

In order to overcome this problem, we propose to modify the mutually recursive definition of A^GL_p and N with respect to the one given in [5]: in strategic places, we *fully contract* sequents, notably before computing canopies. We denote by s̄ the fully contracted version of the sequent s; that is, when s = (Γ ⇒ Δ), s̄ denotes the sequent (Γ̄ ⇒ Δ̄), where Γ̄ and Δ̄ are the multisets obtained from Γ and Δ, respectively, by removing duplicates.

**Definition 4.** *Let* p ∈ V *be a variable. We define* A^GL_p *and* N_p *by a mutual recursion, as follows. Let* s = (Γ, ◻Γ′ ⇒ Δ) *be a sequent, where no* ϕ ∈ Γ *is a boxed formula. If* s *is empty or initial, then* A^GL_p(s) *equals* A^K_p(s)*, and*


*Let* t = (Σ ⇒ Π) *be a sequent. We also define the formula* N_p(s, t) *as in Fig. 3, but replacing the formula in the last row of the table with:*

$$\bigvee_{q \in \Pi_p} q \;\lor\; \bigvee_{r \in \Sigma_p} \neg r \;\lor\; \bigvee_{t' \in \mathrm{GP}(\overline{t})} \Box \mathsf{A}^{\mathsf{GL}}_p(t')$$

*where we note that the last disjunction is indexed by* GP(t̄) *instead of* GP(t)*.*

With this new definition, we obtain a proof of correctness of the equivalence (1), as we always fully contract sequents before computing their canopies. In our formalisation of Definition 4, we again made use of the Braga method already described in Sect. 3.

#### **4.3 Syntactic Correctness Proof**

**Theorem 2.** *The sequent calculus* GLS *has the uniform interpolation property.*

*Proof.* We refer to the formalised proofs of the first, second and third property.

### **5 Intuitionistic Strong Löb iSL**

The aim of this section is to give a sequent-based proof of the uniform interpolation property for intuitionistic strong Löb logic, iSL. We will simultaneously explain the proof method of this new result and report on our mechanisation of the definition of the propositional quantifiers in Coq. The work in this section builds on an earlier formalisation [9] of Pitts' theorem [23] that uniform interpolation holds for IL. In order to make the explanation below for iSL understandable, we first briefly review some important points of that work. We subsequently explain how to extend that definition to deal with the modality of the logic iSL, and how the correctness proof can be extended to work for that logic.

As for the classical modal logics considered above, the definitions of the propositional quantifiers A_p(·) and E_p(·) for IL are guided by the terminating sequent calculus G4iP (see Fig. 2). In [9,23], A_p(·) and E_p(·) are defined for G4iP as follows. Based on the rows (E^IL_p 0)-(E^IL_p 8) and (A^IL_p 1)-(A^IL_p 13) in Fig. 5, the sets 𝒜_p(Γ ⇒ ϕ) and ℰ_p(Γ) are defined by pattern matching. Based on these we define

$$\mathsf{A}^{\mathsf{IL}}_p(\varGamma \Rightarrow \varphi) := \bigvee \mathcal{A}_p(\varGamma \Rightarrow \varphi) \quad \text{and} \quad \mathsf{E}^{\mathsf{IL}}_p(\varGamma) := \bigwedge \mathcal{E}_p(\varGamma). \tag{2}$$

**Theorem 3.** *The sequent calculus for* IL *has the uniform interpolation property.*

#### **5.1 Termination of Sequent Calculus G4iSLt**

The calculus G4iSLt has already been shown to be terminating [26], but we find it convenient to provide a different termination ordering here, which is closer to, and compatible with, the termination ordering used by Pitts in the context of the sequent calculus G4iP, see also [7,8]. In particular, this lets us re-use some earlier Coq engineering work [9, Thm. 3.3] that was needed to apply the theorem of Dershowitz and Manna [6] that the natural order on multisets over a well-founded order is again well-founded. The *weight* of a formula is defined inductively, by adding a given weight for each symbol: ⊥, ◻, → and variables count for 1, ∧ for 2 and ∨ for 3. This naturally defines a well-founded strict order on the set of formulas: ϕ ≺_f ψ iff weight(ϕ) < weight(ψ).


**Fig. 5.** The top part of each table, i.e., (E^IL_p 0)-(E^IL_p 8) and (A^IL_p 1)-(A^IL_p 13), defines ℰ_p(Γ) and 𝒜_p(Γ ⇒ ϕ) for IL as in [23]. The complete table provides the definitions of ℰ_p(Γ) and 𝒜_p(Γ ⇒ ϕ) for iSL. In all clauses, q ≠ p.

In [7], the ordering on sequents used to prove the termination of G4iP is the *Dershowitz-Manna* ordering on multisets induced by this ordering on formulas: Γ ⇒ ϕ ≺ Δ ⇒ ψ if the multiset Γ, ϕ is smaller than the multiset Δ, ψ. However, the (◻R)-rule of G4iSLt is not always compatible with this ordering. Indeed, with Γ = ∅ and ϕ = ⊥, note that {◻⊥, ⊥} ⊀ {◻⊥}: the premise ◻⊥ ⇒ ⊥ is not smaller than the conclusion ⇒ ◻⊥. The reason is that this rule both replaces a boxed formula on the right-hand side with its unboxed version, which is a strict subformula, and moves the boxed formula to the left-hand side.

We fix this issue by counting the right-hand side of the sequent twice in the multiset, accounting for the fact that a formula on the right-hand side of a sequent might be duplicated by a (◻R) rule.

**Definition 5 (Sequent ordering).** Γ ⇒ ϕ ≺ Δ ⇒ ψ *whenever* Γ, ϕ, ϕ *is smaller than* Δ, ψ, ψ *for the multiset ordering induced by* ≺<sup>f</sup> *.*

The ordering is again well-founded, as follows from an application of the Dershowitz-Manna theorem to the fact that the weight ordering on formulas is well-founded. Moreover, any premise of a G4iSLt rule is smaller than its conclusion. This ensures the termination of proof search for G4iSLt, but we will also use this ordering to construct the uniform interpolants.

Note that, although this order does not strictly speaking contain the original one, if two sequents were comparable in the original order used in Pitts' proof, then they are still comparable in this modified order. This means that changing the definition of the ordering does not break the proof structure for the existing cases with no modality involved, which allows us to adapt the existing Coq formalisation for G4iP at minimal cost.

#### **5.2 Computing Uniform Interpolants for G4iSLt**

Following the same proof scheme as Pitts' for IL, we now define E^iSL_p(Γ) and A^iSL_p(Γ ⇒ ϕ).

**Definition 6.** *The formulas* E^iSL_p(Γ) *and* A^iSL_p(Γ ⇒ ϕ) *are defined by mutual induction on the* ≺ *ordering, respectively as the conjunction of a multiset of formulas* ℰ_p(Γ) *and as the disjunction of a multiset of formulas* 𝒜_p(Γ ⇒ ϕ)*, both defined by the rules from Fig. 5.*

*Remark 4.* Our adaptation of Pitts' construction for IL to iSL adds formulas to the sets ℰ_p and 𝒜_p only in the cases where some formula in Γ, ϕ contains a boxed subformula. As a consequence, A^iSL_p(Γ ⇒ ϕ) = A^IL_p(Γ ⇒ ϕ) and E^iSL_p(Γ) = E^IL_p(Γ) whenever Γ and ϕ do not contain the ◻ modality.

*Remark 5.* Rule (E<sup>iSL</sup><sub>p</sub> 9) can be read as adding ◻E<sup>iSL</sup><sub>p</sub>(◻<sup>−1</sup>Γ) to the set E<sub>p</sub>(Γ) whenever Γ contains at least one boxed formula (otherwise ◻<sup>−1</sup>Γ = Γ, and the definition would not be well-founded). An efficient implementation of this rule should then take care to add ◻E<sup>iSL</sup><sub>p</sub>(◻<sup>−1</sup>Γ) only once, rather than one copy for each boxed formula in Γ.

In order to prove the *implication* and *uniformity* properties of uniform interpolation (Definition 2) we first require some admissibility lemmas for G4iSLt, in particular weakening and contraction. Note that, as in Pitts' proof for IL, the admissibility of cut is not necessary here; indeed, we neither use nor prove it in our Coq mechanisation. However, since cut is in fact admissible in G4iSLt [26], we allow ourselves to use this fact in our 'paper' explanations below. In addition, iSL satisfies the strongness property.

**Lemma 2 (Strongness).** *For any formula* ϕ*,* ⊢<sub>iSL</sub> ϕ ⇒ ◻ϕ*.*

However, we will actually use the following stronger, dual lemma instead, provable by induction on the derivation of ⊢<sub>iSL</sub> Δ, ϕ ⇒ ψ.

**Lemma 3.** *If* ⊢<sub>iSL</sub> Δ, ϕ ⇒ ψ *then* ⊢<sub>iSL</sub> Δ, ◻<sup>−1</sup>ϕ ⇒ ψ*.*

The following lemma highlights how the interpolant interacts with the ◻ modality and its dual ◻<sup>−1</sup>.

**Lemma 4.** *For any multiset of formulas* Δ*,* ⊢<sub>iSL</sub> E<sup>iSL</sup><sub>p</sub>(Δ) ⇒ ◻E<sup>iSL</sup><sub>p</sub>(◻<sup>−1</sup>Δ)*.*

*Proof.* If Δ contains no boxed formulas, then ◻<sup>−1</sup>Δ = Δ and Lemma 2 lets us conclude. Otherwise, Δ is multiset-equivalent to Δ′, ◻δ for some Δ′ and δ. Then, by rule (E<sup>iSL</sup><sub>p</sub> 9), E<sup>iSL</sup><sub>p</sub>(Δ) is a conjunction containing ◻(E<sup>iSL</sup><sub>p</sub>(◻<sup>−1</sup>Δ′, δ)), which is equivalent to ◻(E<sup>iSL</sup><sub>p</sub>(◻<sup>−1</sup>Δ)) since the definition of E<sup>iSL</sup><sub>p</sub>(·) is invariant under multiset-equivalence.

**Theorem 4.** *The sequent calculus* G4iSLt *has uniform interpolation.*

*Proof.* The *p-freeness* property is easily proved. The *implication* property is proved by well-founded induction on ≺ over the sequent Δ ⇒ ϕ and mostly relies on weakening. The proof of *uniformity* is by structural induction on the derivation of ⊢<sub>iSL</sub> Γ, Δ ⇒ ϕ. If the last rule is an IL rule, then Pitts' proof of uniform interpolation for IL still applies. The cases for the modal rules are handled similarly, with a critical use of Lemmas 3 and 4. We postpone a detailed pen-and-paper version to a forthcoming journal publication.

#### **6 Conclusion and Future Work**

We have provided formalised sequent-style proofs of three uniform interpolation results, one well-known (K), a second subtle (GL), and a third new (iSL). One recent application of the verified implementation of uniform interpolation of IL [9] was to prove non-definability results in intuitionistic logic [19]. We hope that the implementations given in this paper and the accompanying online demo can be similarly useful in the future.

As explained in detail in Sect. 4, our effort made in formalising the argument of [5] in Coq exposed an incompleteness in the paper proof, which we were eventually able to correct. This incompleteness would not have been discovered (nor corrected) as quickly without the formalisation effort. The work in that section thus provides a further example of the usefulness of such efforts when subtle correctness proofs of algorithms in logic are concerned.

We leave to future work a more modular formal development of uniform interpolation proofs. In particular, one could formalise the theoretical results of [18] in order to obtain a general algorithm which, given as input a sufficiently well-behaved sequent calculus, produces a verified calculation of uniform interpolants for the corresponding logic. A further piece of evidence that such a general development might be possible is that the generalisation from the known result for the logic IL to the new result for the logic iSL was relatively frictionless. This shows another strength of the formalisation endeavour, allowing for an easy experimentation with the boundaries of the formalised results.

A concrete logic that we would like to capture with our work is the intuitionistic version of GL, often referred to as iGL, for which it is an open problem whether or not uniform interpolation holds [12].

A final problem that we leave to future work is the formalisation of the semantic approach to uniform interpolation, via the definability of bisimulation quantifiers, as e.g. in [10,14,15,27]. This would allow for a comparison of the two approaches, both in terms of algorithmic complexity and ease of formalisation.

**Acknowledgments.** We thank Marta Bílková, Dominique Larchey-Wendling, and Tadeusz Litak for fruitful discussions. This research received funding from the Agence Nationale de la Recherche, project ANR-23-CE48-0012. This work was partially supported by a UKRI Future Leaders Fellowship, 'Structure vs Invariant in Proofs', project reference MR/S035540/1.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Skolemisation for Intuitionistic Linear Logic**

Alessandro Bruni<sup>1</sup>, Eike Ritter<sup>2</sup>(B), and Carsten Schürmann<sup>1</sup>

<sup>1</sup> Department of Computer Science, IT University of Copenhagen, Copenhagen, Denmark, {brun,carsten}@itu.dk

<sup>2</sup> School of Computer Science, University of Birmingham, Birmingham, UK, E.Ritter@bham.ac.uk

**Abstract.** Focusing is a known technique for reducing the number of proofs while preserving derivability. Skolemisation is another technique designed to improve proof search: it reduces the number of backtracking steps by representing dependencies on the term level and instantiating witness terms during unification at the axioms, or failing with an occurs-check otherwise. Skolemisation for classical logic is well understood, but a practical skolemisation procedure for focused intuitionistic linear logic has been elusive so far. In this paper we present a focused variant of first-order intuitionistic linear logic together with a sound and complete skolemisation procedure.

## **1 Introduction**

Modern proof search paradigms are built on variants of focused logics first introduced by Andreoli [1]. Focused logics eliminate sources of non-determinism while preserving derivability. In this paper we consider the focused logic LJF [2]. By categorising the logical connectives according to the invertibility of their left or right rules, we obtain a so-called polarised logic [2]. For example, the ∀-right rule is invertible, making ∀ a negative (or asynchronous) connective, and the ∃-left rule is invertible, making ∃ a positive (or synchronous) connective.

But even a focused proof system does not eliminate all non-determinism. There is still residual non-determinism between focusing steps. It is well known that we can control this non-determinism using different search strategies, such as forcing backward-chaining or forward-chaining through the atom polarity. Another remaining source of non-determinism comes from the order of quantifier openings, as choosing the wrong order may lead to additional back-tracking.

For example, consider the following judgment in multiplicative linear logic:

$$\forall x.\, A(x) \multimap B(x),\ \forall y.\, \exists u.\, A(u) \vdash \exists z.\, B(z)$$

Variables u introduced by the well-known rules ∃L<sup>u</sup> and ∀R<sup>u</sup> (and written next to the rule name) are fresh and called Eigen-variables; we can use them to construct witness terms for the universal variables on the left or the existential variables on the right. Because quantifier rules do not permute freely with other rules, one needs to resolve quantifiers in a particular order, or otherwise risk an exponential blow-up in proof search. This fact has already been observed by Shankar [8] for LJ, who proposed to capture the necessary dependencies using Skolem functions that encode the permutation properties of LJ inference rules, guaranteeing reconstruction of LJ proofs from their skolemised counterparts.

However, naïve Skolemisation is unsound in linear logic. As first noted by Lincoln [3], the sequent

$$\forall x.\, A \otimes B(x) \vdash A \otimes \forall u.\, B(u)$$

does not admit a derivation in linear logic, but its naïve skolemisation A ⊗ B(x) ⊢ A ⊗ B(u()) does, where x denotes an existential variable and u() a universal variable that must not depend on x. Introducing replication creates a similar problem: the sequent

$$\forall x.\, !A(x) \vdash\ !\forall u.\, A(u)$$

does not admit a derivation, but again its naïve skolemisation loses the relative order between quantifier openings and replication, and thus admits a proof: !A(x) ⊢ !A(u()).

In this paper we show that the ideas of skolemisation for classical logic and for intuitionistic logic in LJ [8] carry over quite naturally to focused intuitionistic linear logic (LJF) [2]. We propose a quantifier-free version of LJF that encodes the necessary constraints, called skolemised intuitionistic linear logic (SLJF). Our main contribution is to define a *skolemisation* procedure from LJF to SLJF that we show to be both sound and complete: any sequent derivable in LJF is provable in SLJF after skolemisation and, vice versa, any derivation in SLJF of a skolemised formula allows us to reconstruct a proof of the original formula. Hence we eliminate back-tracking points introduced by first-order quantifiers. We do not eliminate any back-tracking points introduced by propositional formulae.

The paper proceeds as follows: Sect. 2 introduces focused intuitionistic linear logic (LJF), Sect. 3 presents skolemised focused intuitionistic linear logic (SLJF), Sect. 4 presents a novel skolemisation procedure, Sect. 5 presents soundness and completeness results, and Sect. 6 presents our conclusion and related work.

*Contributions:* This work is to our knowledge the first work that successfully defines skolemisation for a variant of linear logic. The benefit is that during proof search any back-tracking caused by resolving quantifiers in the wrong order is eliminated and replaced by an admissibility check on the axioms.

#### **2 Focused Intuitionistic Linear Logic**

We consider the focused and polarised formulation of linear logic LJF [2] that we now present. The syntactic categories are defined as usual: we write u, v for Eigen-variables and x, y for existential variables that may be instantiated by other terms, finally N for negative formulas and P for positive formulas. We also distinguish between negative and positive atoms, written as A<sup>−</sup> and A<sup>+</sup>. We write ↑ to embed a positive formula into a negative, and ↓ for the inverse. The rest of the connectives should be self-explanatory.

$$\begin{array}{ll} \text{Atom} & A, B ::= q(t\_1 \ldots t\_n) \\ \text{Negative formula} & N ::= A^- \mid P \multimap N \mid \forall x. N \mid \uparrow P \\ \text{Positive formula} & P ::= A^+ \mid P\_1 \otimes P\_2 \mid !N \mid \exists x. P \mid \downarrow N \end{array}$$

We use the standard two-zone notation for judgments with unrestricted context Γ and linear context Δ: we write Γ; Δ ⊢ N for the judgment, where at most one formula [N] ∈ Δ or N = [P] can be in focus. All formulas in Γ are negative and all other formulas in Δ are positive. When [N] ∈ Δ we say that we focus on the left, whereas when N = [P] we focus on the right, and we are in an inversion phase when no formula is in focus. To improve readability, we omit the leading "·;" when the unrestricted context is empty. The rules defining LJF [2] are depicted in Fig. 1. We comment on a few interesting aspects of this logic. There are two axiom rules ax<sup>−</sup> and ax<sup>+</sup> where, intuitively, ax<sup>−</sup> triggers backward-chaining and ax<sup>+</sup> forward-chaining [6]. Hence we can assign polarities to atoms to select a particular proof search strategy. Once we focus on a formula, the focus is preserved until a formula with opposite polarity is encountered, in which case the focus is lost or blurred. After blurring, we enter a maximal inversion phase, where all rules without focus are applied bottom-up until no more invertible rules are applicable. The next focusing phase then commences.

Focusing is both sound and complete, i.e. every derivation (written as Γ; Δ ⊢<sub>ILL</sub> F) can be focused and every focused derivation can be embedded into plain linear logic [2]. In particular, in our own proofs in Sect. 5, we make use of the soundness of focusing.

**Theorem 1 (Focusing).** *If* Γ; Δ ⊢<sub>ILL</sub> F *and* Γ′*,* Δ′ *and* F′ *are the result of polarising* Γ*,* Δ *and* F *respectively by inserting* ↑ *and* ↓ *appropriately, then* Γ′; Δ′ ⊢ F′ *in focused linear logic [2].*

We now present three examples of possible derivations of sequents in LJF. We will use these examples to illustrate key aspects of our proposed skolemisation.

*Example 1.* Consider the motivating formula from the introduction that we would like to derive in LJF, assuming that the term algebra has a term t<sub>0</sub>.

$$\downarrow(\forall x.\, (\downarrow A(x)^{-}) \multimap B(x)^{-}),\ \downarrow(\forall x.\, \uparrow \exists u.\, \downarrow A(u)^{-}) \vdash\ \uparrow(\exists x.\, \downarrow B(x)^{-})$$

All formulas are embedded formulas, which means that there is a nondeterministic choice to be made, namely on which formula to focus next. As this example shows, it is quite important to pick the correct formula, otherwise proof search will get stuck and back-tracking is required. This observation also holds if we determine the instantiation of universal quantifiers on the left and existential quantifiers on the right by unification instead of choosing suitable terms when applying the <sup>∀</sup>L or <sup>∃</sup>R rule.

**Fig. 1.** Focused intuitionistic linear logic (LJF)

Focusing on the first assumption before the second will not yield a proof. The Eigen-variable that is eventually introduced by the nested existential quantifier inside the second assumption is needed to instantiate the universal quantifier in the first assumption. If we start by focusing on the first assumption then none of the subsequent proof states is provable, as the following two proof states demonstrate: (↓A(t<sub>0</sub>)<sup>−</sup>)−◦B(t<sub>0</sub>)<sup>−</sup>, A(t<sub>1</sub>)<sup>−</sup> ⊢ B(t<sub>0</sub>)<sup>−</sup> and (↓A(t<sub>0</sub>)<sup>−</sup>)−◦B(t<sub>0</sub>)<sup>−</sup>, A(t<sub>1</sub>)<sup>−</sup> ⊢ B(t<sub>1</sub>)<sup>−</sup>. Back-tracking becomes inevitable.

To construct a valid proof we must hence focus on the second assumption before considering the first. The result is a unique and complete proof tree that is depicted in Fig. 2. 

*Example 2.* Consider the sequent ↓(∀x. ↑(↓A<sup>−</sup> ⊗ ↓B<sup>−</sup>(x))) ⊢ ↑(↓A<sup>−</sup> ⊗ ↓∀u. B<sup>−</sup>(u)). This sequent is not derivable in LJF: note that ∀L needs to be above the ∀R rule, but this step requires that ⊗R is applied first. However, to apply ⊗R, we would need to have applied ⊗L first, which requires that ∀L is applied first. This cyclic dependency cannot be resolved.

*Example 3.* Consider the sequent ↓∀x. ↑!A<sup>−</sup>(x) ⊢ ↑!∀u. A<sup>−</sup>(u). This sequent is not derivable in LJF either: note that the ∀L rule needs to be above the ∀R rule, but this step requires the !R rule to be applied first. However, to apply the !R rule we would need to apply the ∀L rule first, to ensure that the linear context is empty when we apply the !R rule. This is another cyclic dependency.

**Fig. 2.** Example 1, unique and complete proof

Focusing removes sources of non-determinism from the propositional layer, but not from quantifier instantiation. In the next section we present a quantifier-free skolemised logic, SLJF, where quantifier dependencies are represented through skolemised terms. This way, proof search no longer needs to back-track on first-order variables, as the constraints capture all dependencies. Instead, unification at the axioms will check whether the proof is admissible.

#### **3 Skolemised Focused Intuitionistic Linear Logic**

We begin now with the definition of a skolemised, focused, and polarised intuitionistic linear logic (SLJF), with the following syntactic categories:


Following the definition of LJF, we distinguish between positive and negative formulas and atoms. Backward and forward-chaining strategies are supported in SLJF, as well.

SLJF does not define any quantifiers, as they are removed by skolemisation (see Sect. 4). Yet, dependencies need to be captured in some way. Quantifier rules for ∀R<sup>u</sup> and ∃L<sup>u</sup> introduce Eigen-variables written as u. Quantifier rules for ∀L and ∃R introduce existential variables, which we denote with x. And finally other rules, such as ⊗R, −◦L, and !R, are annotated with *special variables* a capturing the dependencies between rules that do not freely commute. These special variables are crucial during unification at the axiom level to check that the current derivation is admissible.

$$\frac{}{\cdot : \Phi \to \cdot}\ \text{s/}\cdot \qquad \frac{\Phi \vdash t \qquad \sigma : \Phi \to \Phi'}{\sigma, t/x : \Phi \to \Phi', x}\ \text{s/existential}$$

$$\frac{\Phi \vdash \vec{t} \qquad \sigma : \Phi \to \Phi'}{\sigma, u(\vec{t})/u : \Phi \to \Phi', u}\ \text{s/Eigen} \qquad \frac{\Phi \vdash t \qquad \sigma : \Phi \to \Phi'}{\sigma, t/a : \Phi \to \Phi', a}\ \text{s/special}$$

**Fig. 3.** Typing rules for substitutions

The semantics of the bang connective ! in SLJF is more involved than in LJF, because we have to keep track of the variables capturing dependencies and form closures. One way to define the judgmental reconstruction of the exponential fragment of SLJF is to introduce a validity judgment (a; Φ; σ) : N, read as "N is valid in world (a; Φ; σ)", which leads to a generalised, modal Γ that no longer simply contains negative formulas N, but also closures of additional judgmental information. The special variable a is the "name" of the world in which Nσ is valid, where all possible dependencies are summarised by Φ. Φ consists of variables, where we assume tacit variable renaming to ensure that no variable name occurs twice. We write Φ̄ for all existential and special variables declared in Φ. In contrast to LJF, atomic propositions A<sup>−</sup><sub>Φ</sub> and A<sup>+</sup><sub>Φ</sub> are indexed by Φ, capturing all potential dependencies, which we will inspect in detail in Definition 2 where we define *admissibility*, the central definition of this paper, resolving the non-determinism related to the order in which quantifier rules are applied. The linear context remains unchanged.

Terms t are constructed from variables (existential, universal, and special) and function symbols f that are declared in a global signature Σ ::= · | Σ, f. Well-built terms are characterised by the judgment Φ ⊢ t. Substitutions constructed by unification and communicated through proof search capture the constraints on the order of application of proof rules, which guarantee that a proof in SLJF gives rise to a proof in LJF. Their definition is straightforward, and the typing rules for substitutions are depicted in Fig. 3. For a substitution σ such that σ : Φ → Φ′, we define the domain of σ to be Φ and the co-domain of σ to be Φ′. For any context Φ and substitution σ with co-domain Ψ we write σ↑Φ for the substitution σ restricted to Φ ∩ Ψ, i.e. vσ↑Φ is defined iff v ∈ Φ ∩ Ψ, and vσ↑Φ = vσ in this case. We write σ \ Φ for the substitution σ restricted to Ψ \ Φ, i.e. vσ \ Φ is defined iff v ∈ Ψ \ Φ, and vσ \ Φ = vσ in this case. For any substitution σ we define the substitution σ<sup>n</sup> by induction over n: σ<sup>1</sup> = σ, and vσ<sup>n+1</sup> = (vσ<sup>n</sup>)σ.

**Definition 1 (Free Variables).** *We define the free variables of a skolemised formula* K*, written* FV(K)*, by induction over the structure of formulae by*

$$\begin{array}{c}FV(A\_{\Phi}^{-}) = FV(A\_{\Phi}^{+}) = \Phi\\ FV(P\_1 \otimes P\_2) = FV(P\_1) \cup FV(P\_2)\\ FV(P \multimap N) = FV(P) \cup FV(N)\\ FV(!\_{(a; \Phi; \sigma)}N) = \Phi \end{array}$$

Now we turn to the definition of admissibility, which checks whether the constraints on the order of ∀L- and ∃R-rules (which instantiate quantifiers) and applications of non-invertible propositional rules can be satisfied when reconstructing an LJF-derivation from an SLJF-derivation.

**Definition 2 (Admissibility).** *We say* σ *is* admissible *for* Φ *if, firstly, for all existential and special variables* v *and for all* n*,* v *does not occur in* vσ<sup>n</sup>*, and, secondly, for all special variables* a<sub>L</sub> *and* a<sub>R</sub> *respectively and for all* n*, if* xσ<sup>n</sup> *contains a variable* a<sub>L</sub> *or* a<sub>R</sub> *for any* x *in the co-domain of* σ*, then the variable* a<sub>R</sub> *or* a<sub>L</sub> *respectively does not occur in* Φ*.*

The first condition in the definition of admissibility ensures that there are no cycles in the dependencies of ∀L- and ∃R-rules and non-invertible propositional rules. The second condition ensures that, for each rule with two premises, any Eigen-variable which is introduced in one branch is not used in the other branch. Examples of how this definition captures dependency constraints are given below.

Next, we define derivability in SLJF. The derivability judgment uses a substitution which captures the dependencies between ∀L- and ∃R-rules and non-invertible propositional rules.

**Definition 3 (Proof Theory).** *Let* Φ *be a context of variables,* Γ *the modal context (which refines the notion of unrestricted context from earlier in this paper),* Δ *the linear context,* P *a positive and* N *a negative formula, and* σ *a substitution. We define two mutually dependent judgments* Γ; Δ ⊢ N; σ *and* Γ; Δ ⊢ [P]; σ *to characterise derivability in SLJF. The rules defining these judgments are depicted in Fig. 4.*

The !R-rule introduces additional substitutions which capture the dependency of the !R-rule on the ∀L- and ∃R-rules which instantiate the free variables in the judgment. An example of this rule is given below. The copy-rule performs a renaming of all the bound variables in N.

*Example 4.* We give a derivation of the translation of the judgment of Example 1 in skolemised intuitionistic linear logic. We omit the modal context Γ = ·. Furthermore, let the goal of proof search be the following judgment:

$$\downarrow\big((\downarrow A(x_1)^{-}_{(x_1, a_L)}) \multimap B(x_1)^{-}_{(x_1, a_R)}\big),\ \downarrow A(u)^{-}_{(x_2, u)} \vdash B(x_3)^{-}_{(x_3)};\ \sigma$$

where σ must contain the substitution u(x<sub>2</sub>)/u, which arises from skolemisation.

**Fig. 4.** Skolemised intuitionistic linear logic

We observe that only focusing rules are applicable. Focusing on A will not succeed, since A was assumed to be a negative atom, so we focus on the right. Recall that we will not be able to remove the non-determinism introduced on the propositional level. We obtain the derivation in Fig. 5, where σ = ·, u/x<sub>1</sub>, x<sub>1</sub>/x<sub>3</sub>, u(x<sub>2</sub>)/u. This derivation holds because σ is admissible for x<sub>1</sub>, a<sub>L</sub>, x<sub>2</sub> and for x<sub>1</sub>, a<sub>R</sub>, x<sub>3</sub>. The constraint that the variable x<sub>2</sub> can be instantiated only after the ∀R-rule for u has been applied is captured by the substitution u(x<sub>2</sub>)/u.

*Example 5.* Next, consider the sequent ↓(∀x. ↑(↓A<sup>−</sup> ⊗ ↓B<sup>−</sup>(x))) ⊢ ↑(↓A<sup>−</sup> ⊗ ↓∀u. B<sup>−</sup>(u)) from Example 2. To learn whether this sequent is provable, we translate it into ↓A<sup>−</sup><sub>x</sub> ⊗ ↓B(x)<sup>−</sup><sub>x</sub> ⊢ ↑(↓A<sup>−</sup><sub>a<sub>L</sub></sub> ⊗ ↓B(u)<sup>−</sup><sub>a<sub>R</sub>;u</sub>). The only possible proof yields an axiom derivation [B<sup>−</sup><sub>x</sub>] ⊢ B<sup>−</sup><sub>a<sub>R</sub>;u</sub>; ·, u(a<sub>R</sub>)/x, which is not valid, as ·, u/x, u(a<sub>R</sub>)/u is not admissible for x, a<sub>L</sub>. More precisely, the second condition of admissibility is violated.


**Fig. 5.** Example 4, unique complete proof

$$\begin{array}{ll}
\mathrm{pos}(A^{-}) = \downarrow A^{-} & \mathrm{neg}(A^{-}) = A^{-} \\
\mathrm{pos}(P \multimap N) = \downarrow (P \multimap N) & \mathrm{neg}(P \multimap N) = P \multimap N \\
\mathrm{pos}(\uparrow P) = P & \mathrm{neg}(\uparrow P) = \uparrow P \\
\mathrm{pos}(A^{+}) = A^{+} & \mathrm{neg}(A^{+}) = \uparrow A^{+} \\
\mathrm{pos}(\downarrow N) = \downarrow N & \mathrm{neg}(P_{1} \otimes P_{2}) = \uparrow (P_{1} \otimes P_{2}) \\
\mathrm{pos}(!_{(a;\Phi;\sigma)} N) = !_{(a;\Phi;\sigma)} N & \mathrm{neg}(\downarrow N) = N
\end{array}$$

**Fig. 6.** Polarity adjustments

*Example 6.* Now, consider the sequent ↓∀x. ↑!A<sup>−</sup>(x) ⊢ ↑!∀u. A<sup>−</sup>(u) from Example 3. The skolemised sequent is !<sub>(a;x;·)</sub>A<sup>−</sup><sub>a,x</sub> ⊢ ↑!<sub>(b;u;u(b)/u)</sub>A<sup>−</sup>(u)<sub>u,b</sub>. The only possible derivation produces the substitution ·, u/x, x/b, u(b)/u, which is not admissible for ·, x, u, b, a. More precisely, the first condition of admissibility is violated for the variable b. This expresses the fact that in any possible LJF-derivation the instantiation of x has to happen before the !R-rule and the !R-rule has to be applied before the instantiation of x, which is impossible.
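The verdicts of Examples 4, 5 and 6 are what a mechanical check of Definition 2 produces. The following Python script is an added example, not code from the paper: it encodes a substitution as a dictionary from each replaced variable (the co-domain of σ in the typing of Fig. 3) to the term it receives, computes the names occurring in vσ<sup>n</sup> for every n as a transitive closure of the dependency graph, and tests both admissibility conditions on the three substitutions above. Three points are assumptions of this example rather than fixed by the paper: the a<sub>L</sub>/a<sub>R</sub> pairing is recovered from the variable names, an Eigen-variable in head position of a Skolem term u(t⃗) counts as an occurrence of u, and condition 1 is checked over the replaced variables only (a variable that σ leaves untouched trivially occurs in its own image).

```python
"""Admissibility check for SLJF substitutions (Definition 2).

Added example, not code from the paper. A term is either a variable name (str)
or a Skolem term written as the tuple (head, args), e.g. ("u", ("x2",)) for u(x2).
A substitution maps each replaced variable (the co-domain of sigma in the typing
of Fig. 3) to the term it receives: {"x1": "u"} stands for u/x1.
"""

EXISTENTIAL, EIGEN, SPECIAL = "existential", "eigen", "special"

# Kinds of the variables appearing in Examples 4-6 (assumed from the paper's naming:
# x* existential, u Eigen, a_L/a_R/a/b special).
KINDS = {
    "x": EXISTENTIAL, "x1": EXISTENTIAL, "x2": EXISTENTIAL, "x3": EXISTENTIAL,
    "u": EIGEN,
    "a_L": SPECIAL, "a_R": SPECIAL, "a": SPECIAL, "b": SPECIAL,
}


def app(head, *args):
    """Build the Skolem term head(args)."""
    return (head, tuple(args))


def var_names(term):
    """All variable names occurring in a term. An Eigen-variable in head position
    counts as an occurrence (assumption), so u occurs in u(x2)."""
    if isinstance(term, str):
        return {term}
    head, args = term
    return {head}.union(*(var_names(a) for a in args))


def reachable(sigma, v):
    """Names occurring in v sigma^n for some n >= 1, where v sigma^(n+1) = (v sigma^n) sigma.
    This is the transitive closure of the dependency graph w -> var_names(sigma[w]);
    a variable that sigma does not replace is mapped to itself and is not expanded."""
    seen, todo = set(), [v]
    while todo:
        w = todo.pop()
        if w in sigma:
            for name in var_names(sigma[w]) - seen:
                seen.add(name)
                todo.append(name)
    return seen


def partner(name):
    """a_L <-> a_R: the two special variables of one two-premise rule (naming assumption)."""
    if name.endswith("_L"):
        return name[:-2] + "_R"
    if name.endswith("_R"):
        return name[:-2] + "_L"
    return None


def admissible(sigma, phi, kinds=KINDS):
    """Definition 2: is sigma admissible for the variable context phi?
    Returns (verdict, list of violated constraints)."""
    violations = []
    # Condition 1: no existential or special v may occur in v sigma^n, i.e. the
    # dependency graph restricted to these variables is acyclic.
    for v in sigma:
        if kinds[v] in (EXISTENTIAL, SPECIAL) and v in reachable(sigma, v):
            violations.append(f"cycle: {v} occurs in {v} sigma^n")
    # Condition 2: if some x sigma^n mentions a_L (resp. a_R), its partner a_R (resp. a_L)
    # must not be declared in phi, otherwise an Eigen-variable of one branch of a
    # two-premise rule would be used in the other branch.
    for x in sigma:
        for name in reachable(sigma, x):
            other = partner(name)
            if other is not None and kinds.get(name) == SPECIAL and other in phi:
                violations.append(f"branch leak: {x} sigma^n mentions {name} but {other} is in phi")
    return not violations, violations


# Example 4: sigma = ., u/x1, x1/x3, u(x2)/u
SIGMA_4 = {"x1": "u", "x3": "x1", "u": app("u", "x2")}
# Example 5: sigma = ., u/x, u(a_R)/u
SIGMA_5 = {"x": "u", "u": app("u", "a_R")}
# Example 6: sigma = ., u/x, x/b, u(b)/u
SIGMA_6 = {"x": "u", "b": "x", "u": app("u", "b")}


def run_examples():
    """Admissibility verdicts for the contexts used in Examples 4, 5 and 6."""
    return {
        "ex4_left": admissible(SIGMA_4, {"x1", "a_L", "x2"}),   # admissible
        "ex4_right": admissible(SIGMA_4, {"x1", "a_R", "x3"}),  # admissible
        "ex5": admissible(SIGMA_5, {"x", "a_L"}),               # condition 2 fails
        "ex6": admissible(SIGMA_6, {"x", "u", "b", "a"}),       # condition 1 fails (cycle through b)
    }


if __name__ == "__main__":
    for label, (ok, why) in run_examples().items():
        print(label, "admissible" if ok else "not admissible", why)
```

For Example 6 the check reports both members of the cycle x → u → b → x, i.e. x as well as the b singled out in the text; for Example 5 it reports the leak of a<sub>R</sub> into a context declaring a<sub>L</sub> from both x and u, since uσ already mentions a<sub>R</sub>.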

#### **4 Skolemisation**

To skolemise first-order formulas in classical logic, we usually compute prenex normal forms of all formulas that occur in a sequent, and replace all quantifiers that bind "existential" variables by Skolem constants. This idea can also be extended to intuitionistic logic [8]. This paper is, to our knowledge, the first to demonstrate that skolemisation can be defined for focused, polarised, intuitionistic, first-order linear logic as well. In this section, we show how.

Skolemisation transforms an LJF formula F (positive or negative) closed under Φ into an SLJF formula K and a substitution, which collects all variables introduced during skolemisation. Formally, we define two mutual judgments: sk<sub>L</sub>(Φ, F) = (K; σ) and sk<sub>R</sub>(Φ, F) = (K; σ). K is agnostic to polarity information, hence we prepend appropriate ↑ and ↓ connectives to convert K to the appropriate polarity by the conversion operations pos(·) and neg(·), depicted in Fig. 6. Alternatively, we could have chosen to distinguish positive and negative Ks syntactically, but this would have unnecessarily cluttered the presentation and left unnecessary backtrack points because of spurious ↑↓ and ↓↑ conversions.

We return to the definition of skolemisation, depicted in Fig. 7. The main idea behind skolemisation is to record dependencies of quantifier rules as explicit substitutions. More precisely, if an Eigen-variable u depends on an existential variable x, a substitution u(x)/u is added during skolemisation. We do not extend the scope of an Eigen-variable beyond the !-operator, as we have to distinguish between an Eigen-variable for which a new instance must be created by the copy-rule and one where the same instance may be retained.

Explicit substitutions model constraints on the order of quantifiers. The satisfiability of the constraints is checked during unification at the leaves via the admissibility condition (see Definition 2) which the substitution has to satisfy. Potential back-track points are marked by special variables a, which are associated with the ! connective. These annotations need to store enough information so that the set of constraints can be appropriately updated when copying a formula from the modal context into the linear context.

In our representation, any proof of the skolemised formula in SLJF captures an equivalence class of proofs under different quantifier orderings in LJF. Only those derivations where substitutions are admissible, i.e. do not give rise to cycles like u(x)/x or introduce undue dependencies between the left and right branches of a ⊗ or −◦, imply the existence of a proof in LJF.

The judgments can be easily extended to the case of contexts Γ and Δ, for which we write sk<sub>L</sub>(Φ; Γ) and sk<sub>L</sub>(Φ; Δ). Note that tacit variable renaming is in order, to make sure that no spurious cycles are accidentally introduced in the partial order defined by the constraints.

*Example 7.* We return to Example 1 and simply present the skolemisation of the three formulas that define the judgment:

$$\downarrow(\forall x.\, (\downarrow A(x)) \multimap B(x)),\ \downarrow(\forall x.\, \uparrow \exists u.\, \downarrow A(u)) \vdash\ \uparrow(\exists x.\, \downarrow B(x))$$

First, we skolemise each of the formulas individually.

$$\begin{aligned} \mathrm{sk}_L(\cdot;\ \downarrow(\forall x.\, (\downarrow A(x)) \multimap B(x))) &= (\downarrow A(x)_{(x, a_L)}) \multimap B(x)_{(x, a_R)};\ \cdot \\ \mathrm{sk}_L(\cdot;\ \downarrow(\forall x.\, \uparrow \exists u.\, \downarrow A(u))) &= A(u)_{(x, u)};\ u(x)/u \\ \mathrm{sk}_R(\cdot;\ \uparrow(\exists x.\, \downarrow B(x))) &= B(x)_{(x)};\ \cdot \end{aligned}$$

Second, we assemble the results into a judgment in SLJF, which then looks as follows. To this end, we α-convert the variables:

$$(\downarrow A(x_1)_{(x_1, a_L)}) \multimap B(x_1)_{(x_1, a_R)},\ A(u)_{(x_2, u)} \vdash B(x_3)_{(x_3)};\ u(x_2)/u$$

The attentive reader might have noticed that we already gave a proof of this judgment in the previous section, in Example 4, after turning the first two formulas positive, because they constitute the linear context.

# **5 Meta Theory**

We begin now with the presentation of the soundness result (see Sect. 5.1) and the completeness result (see Sect. 5.2). Together they imply that skolemisation preserves provability. These theorems also imply that proof search in SLJF will be more efficient than in LJF since it avoids quantifier level back-tracking. Proof search in skolemised form will not miss any solutions.

**Fig. 7.** Skolemisation (the table of clauses defining sk_L(Φ; F) = K; σ and sk_R(Φ; F) = K; σ; not recoverable from the extracted text)

#### **5.1 Soundness**

For the soundness direction, we show that any valid derivation in LJF can be translated into a valid derivation in SLJF after skolemisation.

**Lemma 1 (Weakening).**


*Proof.* The proof is a simple induction over derivation in all three cases.

Next, we prove three admissibility properties for ⊗R, −◦L, and copy, respectively, that we will invoke from within the proof of the soundness theorem. In the interest of space, we provide a proof only for the first of the three lemmas.

**Lemma 2 (Admissibility of ⊗R).** *Assume* Γ; Δ_1 ⊢ neg(K_1); σ *and* Γ; Δ_2 ⊢ neg(K_2); σ *with proofs of height at most* n *such that the first application of the focus-rule is the focus R-rule. Then also* Γ; Δ_1, Δ_2 ⊢ neg(pos(K_1) ⊗ pos(K_2)); σ*.*

*Proof.* We prove this property by induction over n. There are several cases. Firstly, assume that there is any positive formula in Δ_1 or Δ_2 which is not an atom. Again, there are several cases. We start by assuming Δ_1 = K_1' ⊗ K_2', Δ_1' and the derivation is

$$\frac{\Gamma; K_1', K_2', \Delta_1' \vdash neg(K_1); \sigma}{\Gamma; K_1' \otimes K_2', \Delta_1' \vdash neg(K_1); \sigma}$$

Hence by induction hypothesis we have Γ; K_1', K_2', Δ_1', Δ_2 ⊢ neg(pos(K_1) ⊗ pos(K_2)); σ and hence also Γ; K_1' ⊗ K_2', Δ_1', Δ_2 ⊢ neg(pos(K_1) ⊗ pos(K_2)); σ. Now assume that Δ_1 = !_{(a;Φ;σ')}N, Δ_1' and the derivation is

$$\frac{\Gamma, (a; \Phi; \sigma') \colon N; \Delta_1' \vdash neg(K_1); \sigma}{\Gamma; !_{(a; \Phi; \sigma')} N, \Delta_1' \vdash neg(K_1); \sigma}$$

By Lemma 1, we also have Γ, (a; Φ; σ'): N; Δ_2 ⊢ neg(K_2); σ. By induction hypothesis we have Γ, (a; Φ; σ'): N; Δ_1', Δ_2 ⊢ neg(pos(K_1) ⊗ pos(K_2)); σ and hence also Γ; !_{(a;Φ;σ')}N, Δ_1', Δ_2 ⊢ neg(pos(K_1) ⊗ pos(K_2)); σ.

Secondly, assume that K_1 = N_1, where N_1 is a negative formula, and K_2 = P_2, where P_2 is a positive formula. By assumption there is a derivation

$$\frac{\Gamma; \Delta_2 \vdash [P_2]; \sigma}{\Gamma; \Delta_2 \vdash \uparrow P_2; \sigma}$$

There is also a derivation

$$\frac{\Gamma; \Delta_1 \vdash N_1; \sigma}{\Gamma; \Delta_1 \vdash [\downarrow N_1]; \sigma}$$

Hence we also have the following derivation:

$$\dfrac{\dfrac{\dfrac{\Gamma;\,\Delta_1\vdash N_1;\sigma}{\Gamma;\,\Delta_1\vdash[\downarrow N_1];\sigma}\qquad\Gamma;\,\Delta_2\vdash[P_2];\sigma}{\Gamma;\,\Delta_1,\,\Delta_2\vdash[\downarrow N_1\otimes P_2];\sigma}}{\Gamma;\,\Delta_1,\,\Delta_2\vdash\uparrow(\downarrow N_1\otimes P_2);\sigma}$$

By assumption we obtain Γ; Δ_1, Δ_2 ⊢ ↑(↓N_1 ⊗ P_2); σ. All other cases of K_1 and K_2 being positive or negative are similar.

**Lemma 3 (Admissibility of −◦L).** *Assume*

$$\Gamma; \Delta_1 \vdash neg(K_1); \sigma \quad \text{and} \quad \Gamma; \Delta_2, pos(K_2) \vdash K; \sigma$$

*with proofs of height at most* n *such that the first application of the focus-rule is the focus L-rule for* K_1 *and the focus R-rule for* K_2*. Then also*

$$\Gamma; \Delta_1, \Delta_2, neg(pos(K_1) \multimap pos(K_2)) \vdash K; \sigma$$

*Proof.* Similar to the proof of Lemma 2.

**Lemma 4 (Admissibility of copy).** *Assume*

$$\Gamma, (a; \Phi; \sigma') \colon N; pos(N\{\vec{v}'/\vec{v}\}), \Delta \vdash neg(K); \sigma, \sigma' \{\vec{v}'/\vec{v}\}$$

*with a proof of height at most* n *such that the first application of the focus-rule is the focus L-rule applied to* pos(N{v⃗'/v⃗})*. Then also* Γ, (a; Φ; σ'): N; Δ ⊢ neg(K); σ*.*

*Proof.* Similar to the proof of Lemma 2.

**Theorem 2 (Soundness).** *Let* Φ *be a context which contains all the free variables of* Γ*,* Δ *and* F*. Let* σ : Φ → Φ *be a substitution. Assume* Γσ↑-Φ; Δσ↑-Φ ⊢ Fσ↑-Φ *in focused intuitionistic linear logic. Let* sk_L(Φ; Γ) = Γ'; σ_Γ'*,* sk_L(Φ; Δ) = Δ'; σ_Δ' *and* sk_R(Φ; F) = K; σ_K*. Let* τ = σ_Γ', σ_Δ', σ_K*. Let* Φ' = (FV(Γ') ∪ FV(Δ') ∪ FV(Φ_F)) \ Φ*. Assume that* σ *does not contain any bound variables of* Γ*,* Γ'*,* Δ*,* Δ'*,* F *or* K*. Moreover, assume that whenever* Φ' *contains a variable* a_L *or* a_R*, then the corresponding variable* a_R *or* a_L*, respectively, does not occur in* Φ*. Then there exists a substitution* σ' : Φ, Φ' → Φ *such that*

$$\operatorname{neg}(\Gamma'); \Delta' \vdash K; \sigma, \tau, \sigma'.$$

*Proof.* Induction over the derivation of Γσ↑-Φ; Δσ↑-Φ ⊢ Fσ↑-Φ. The axiom case follows from the definition of admissibility, ⊗R follows from Lemma 2, and −◦L from Lemma 3. Now we consider the case of ∀L. By definition, sk_L(Φ; ∀x.F) = sk_L((x, Φ); F). Moreover, t contains only variables in Φ. Hence we can apply the induction hypothesis, replacing Φ by Φ, x. The next case is ∀R. Consider any formula ∀u.F. Skolemisation introduces another Eigenvariable u. Hence we can apply the induction hypothesis, replacing Φ by Φ, u. The case for copy is a direct consequence of Lemma 4. All other cases are immediate.

#### **5.2 Completeness**

We now prove the completeness direction of skolemisation, which means that we can turn a proof in SLJF directly into a proof in LJF, by inserting at appropriate places quantifier rules, as captured by the constraints. We introduce an order relation to capture constraints on the order of rules in the proof.

**Definition 4.** *For any substitution* σ*, define an order* < *by* x<u *or* x<a *if* a *or* u *occur in* xσ*, and* u<x *or* u<a *if the variable* x *or* a *occurs in* u(z_1, ..., z_n)*.*
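As an added illustration (not part of the paper), the order of Definition 4 computed for the skolemised judgment of Example 7. Assume the unifier found at the leaves identifies the goal atom with the conclusion of the implication and the hypothesis atom with its premise, i.e. x_3 := x_1 and x_1 := u; this unifier is an assumption of the illustration (the proof from Example 1 is not reproduced here). Together with the Skolem substitution u(x_2)/u the substitution σ then sends x_1 and x_3 to u(x_2), and Definition 4 gives

$$\begin{aligned} x_1\sigma &= u(x_2) &&\Rightarrow\ x_1 < u \\ x_3\sigma &= u(x_2) &&\Rightarrow\ x_3 < u \\ u(z_1, \ldots, z_n) &= u(x_2) &&\Rightarrow\ u < x_2 \end{aligned}$$

so that x_1 < u < x_2 and x_3 < u. The relation is acyclic, which is exactly what admissibility demands: x_2 is the maximal element, so its ∀L rule is the first quantifier rule applied when the LJF proof is built from the root, followed by the ∃L rule introducing u, and only then by the instantiations of x_1 and x_3. Had the unifier instead set x_2 := u, we would have x_2σ = u(x_2), hence both x_2 < u and u < x_2, a cycle of the kind u(x)/x mentioned in the previous section, and the substitution would not be admissible.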

**Lemma 5 (Strengthening).**

*(i) Assume* Γ, (a'; Φ; σ') : K; Δ_1 ⊢ K'; σ *and there exists a free variable* x *in* K *such that* a_R *occurs in* xσ*. Moreover assume that* a_L *occurs in every axiom of* K'*. Then also* Γ; Δ_1 ⊢ K'; σ*.*

*(ii) Assume* Γ, (a'; Φ; σ') : K; Δ_2 ⊢ K'; σ *and there exists a free variable* x *in* K *such that* a_L *occurs in* xσ*. Then also* Γ; Δ_2 ⊢ K'; σ*.*

*Proof.* (i) If the copy-rule for K is applied during the derivation, the linear context contains the free variable x such that a_R occurs in xσ. As a_L occurs in all atoms of K', the variable x must not occur in any of the linear formulae in the axioms in the derivation of Γ, (a'; Φ; σ') : K; Δ_1 ⊢ K'; σ because of the admissibility condition. Hence no subformula of K can occur in the linear formulae in the axioms in this derivation either. Hence there is also a derivation of Γ; Δ_1 ⊢ K'; σ which does not involve K. (ii) A similar argument applies.

**Lemma 6.** *Assume* Γ; Δ_1, Δ_2 ⊢ ↑(K_1 ⊗ K_2); σ*. Furthermore assume that each formula* K *in* Δ_1 *and* Δ_2 *is either a formula* ↓K'*, or there exists a free existential variable* x *in* K *such that* a_L *or* a_R *occurs in* xσ*, where* a_L *and* a_R *are the special variables introduced by the skolemisation of* K_1 ⊗ K_2*. Moreover assume that the first focusing rule applied is the focus R-rule. Then* Γ; Δ_1 ⊢ K_1; σ *and* Γ; Δ_2 ⊢ K_2; σ*.*

*Proof.* We use an induction over the structure of Δ_1 and Δ_2. Firstly, consider the case Γ; K_1' ⊗ K_2', Δ_1, Δ_2 ⊢ ↑(K_1 ⊗ K_2); σ. We have a derivation

$$\frac{\Gamma; K_1', K_2', \Delta_1, \Delta_2 \vdash \uparrow (K_1 \otimes K_2); \sigma}{\Gamma; K_1' \otimes K_2', \Delta_1, \Delta_2 \vdash \uparrow (K_1 \otimes K_2); \sigma}$$

By induction hypothesis we have Γ; Δ_1' ⊢ K_1; σ and Γ; Δ_2' ⊢ K_2; σ. Assume a_L occurs in xσ. Because σ is admissible for Γ; Δ_2', K_1' and K_2' must be part of Δ_1'. Hence Δ_1' = K_1', K_2', Δ_1 and Δ_2' = Δ_2. An application of the ⊗L-rule now produces Γ; K_1' ⊗ K_2', Δ_1 ⊢ K_1; σ.

Next we consider the case Γ; !_{(a';Φ;σ')}K, Δ_1, Δ_2 ⊢ ↑(K_1 ⊗ K_2); σ. Assume without loss of generality that a_R occurs in xσ. We have a derivation

$$\frac{\Gamma, (a'; \Phi; \sigma') \colon K; \Delta_1, \Delta_2 \vdash \uparrow (K_1 \otimes K_2); \sigma}{\Gamma; !_{(a'; \Phi; \sigma')} K, \Delta_1, \Delta_2 \vdash \uparrow (K_1 \otimes K_2); \sigma}$$

By induction hypothesis we have Γ, (a'; Φ; σ') : K; Δ_1 ⊢ K_1; σ and Γ, (a'; Φ; σ') : K; Δ_2 ⊢ K_2; σ. An application of the !L-rule yields Γ; !_{(a';Φ;σ')}K, Δ_1 ⊢ K_1; σ and Lemma 5 yields Γ; Δ_2 ⊢ K_2; σ.

**Lemma 7.** *Assume* Γ; Δ_1, Δ_2, ↓(K_1 −◦ K_2) ⊢ K; σ*. Furthermore assume that each formula* K' *in* Δ_1*,* Δ_2 *and* K *is either a formula* ↓K''*, or there exists a free existential variable* x *in* K' *such that* a_L *or* a_R *occurs in* xσ*. Moreover assume that the first focusing rule applied is the focus L-rule for* K_1 −◦ K_2*. Then* Γ; Δ_1 ⊢ K_1; σ *and* Γ; Δ_2, K_2 ⊢ K; σ*.*

*Proof.* Similar to the proof of Lemma 6.

**Lemma 8.** *Assume* Γ; Δ ⊢ ↓!_{(a;Φ;σ')}K; σ *and the first occurrence of the focus-rule is the focus R-rule followed by* !R *with* Γ *containing the side formulae. Let* x *be a free variable of* Γ*,* Δ *or* !_{(a;Φ;σ')}K*.*


*Proof.* (i) By induction over the number of steps before application of the focus R-rule. Assume that the first rule applied is the focus R-rule. There are several cases. Firstly, assume u occurs bound in Γ. We consider here only the case that u occurs in (a_1; Φ_1; σ_1) : N_1, which is part of Γ; all other cases are similar. By assumption we have u<a_1 and x<u. The !R-rule implies a_1 < a. If x occurs freely in Γ, we also have a<x via the !R-rule, which is a contradiction. If x occurs freely in K, then we also have a_1 < x via the !R-rule, which is a contradiction. Secondly, assume u occurs bound in K. Hence x cannot be a free variable of K. In this case we have u<a and x<u by assumption, together with a<x by the !R-rule, which is a contradiction. The step case holds because there are fewer free variables in the conclusion of a rule than in the premises.

(ii) Assume x<a. Then there must exist a u such that x<u and u<a. The latter implies u is a bound variable in K, which is a contradiction to (i).

**Theorem 3 (Completeness).** *Let* Φ *be a set of Eigen-, special, and existential variables which contains all the free variables of* Γ*,* Δ *and* F*. Let* σ : Φ → Φ *be a substitution. Let* sk_L(Φ; Γ) = (Γ'; σ_Γ')*,* sk_L(Φ; Δ) = (Δ'; σ_Δ') *and* sk_R(Φ; F) = (K; σ_K)*. Let* Φ' = (FV(Γ') ∪ FV(Δ') ∪ FV(K)) \ Φ *and* τ = σ_Γ', σ_Δ', σ_K*. Let* σ' : Φ, Φ' → Φ *be a substitution.*


*Proof.* We use firstly an induction over the derivation of neg(Γ'); Δ' ⊢ K; σ, τ, σ' and secondly an induction over the structure of Δ, F. Let Δ = F_1, ..., F_n and Δ' = K_1, ..., K_n. Let V = {x_1, ..., x_k, u_1, ..., u_m} be the set of outermost bound variables of Δ', K (including names). There are several cases. Firstly, if there exists an i such that 1 ≤ i ≤ n and F_i is a tensor product or a formula !N, or F is a linear implication, we apply the corresponding inference rule and then the induction hypothesis.

Secondly, assume there exists an Eigen-variable u ∈ V. Assume F = ∀u.F'. Hence by induction hypothesis we have Γσ↑-Φ; Δσ↑-Φ ⊢ F'σ↑-Φ. By assumption, u does not occur in xσ for any variable x in the co-domain of σ. Now the ∀R-rule yields the claim. Now assume F = ∃u.F'. This case is similar to ∀R.

Thirdly, assume there exists an existential variable in V. Let x be an existential variable which is maximal in V. Assume F = ∃x.F'. We show that every Eigen-variable u of xσ is a free variable of Δ, F. By definition, we have x<u. Assume u is a bound variable in Δ, F. If u is a bound variable of F, we would have u<x, which is a contradiction. Hence u is a bound variable of Δ. Because u is not an outermost bound variable, there exists a bound existential variable y such that u<y. Hence x is not a maximal bound variable. By induction hypothesis we have Γσ↑-Φ; Δσ↑-Φ ⊢ F'σ↑-Φ, and now we apply the ∃R-rule. Now assume F_1 = ∀x.F_1'. Similar to the ∃R-case.

Next, assume there are no maximal first-order variables in V. By definition, the special variables corresponding to the last rule applied to the skolemised version where the principal formula is asynchronous are now the only maximal elements in V. ⊗R and −◦L are direct consequences of Lemma 6 and Lemma 7, respectively. For !R, let x be any outermost bound variable in Γ, Δ or K which is not maximal in V. Because x < a, there exists a variable y or u in V such that x<y or x<u, which is a contradiction. Hence we can use the !R-rule of the skolemised calculus and the induction hypothesis. Finally, the axiom rule in the skolemised calculus implies n = 1, and hence Γσ↑-Φ; F_1σ↑-Φ ⊢ Fσ↑-Φ.

# **6 Conclusion**

In this paper, we revisit the technique of skolemisation and adopt it for proof search in first-order focused and polarised intuitionistic linear logic (LJF). The central idea is to encode quantifier dependencies by constraints, and the global partial order in which quantifier rules have to be applied by a substitution. We propose a domain specific logic called SLJF, which avoids back-tracking during proof search when variable instantiations are derived by unification.

*Related Work:* Shankar [8] first proposed an adaptation of skolemisation to LJ. Our paper can be seen as a generalisation of this work to focused and polarised linear logic. Reis and Paleo [7] propose a technique called epsilonisation to characterise the permutability of rules in LJ. Their approach is elegant but impractical, because it trades an exponential growth in the search space for an exponential growth in the size of the proof terms. McLaughlin and Pfenning [4] propose an effective proof search technique based on the inverse method for focused and polarised intuitionistic logic. To our knowledge, the resulting theorem prover Imogen [5] would benefit from the presentation of skolemisation in our paper, since it requires backtracking to resolve the first-order non-determinism during proof search.

*Applications:* There are ample applications for skolemisation. To our knowledge, proof search algorithms for intuitionistic or substructural logic are good at removing non-determinism at the propositional level, but do not solve the problem at the first-order level. Skolemisation can also be applied to improve intuitionistic theorem provers such as Imogen further. With the results in this paper we believe that we are able to achieve such results without much of a performance penalty.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Local Intuitionistic Modal Logics and Their Calculi**

Philippe Balbiani¹, Han Gao²(B), Çiğdem Gencer¹, and Nicola Olivetti²

¹ CNRS-INPT-UT3, IRIT, Toulouse, France, {philippe.balbiani,cigdem.gencer}@irit.fr; ² Aix-Marseille University, CNRS, LIS, Marseille, France, {gao.han,nicola.olivetti}@lis-lab.fr

**Abstract.** We investigate intuitionistic modal logics with locally interpreted □ and ♦. The basic logic **LIK** is stronger than constructive modal logic **WK** and incomparable with intuitionistic modal logic **IK**. We propose an axiomatization of **LIK** and some of its extensions. Additionally, we present bi-nested calculi for **LIK** and these extensions, providing both a decision procedure and a procedure of finite countermodel extraction.

**Keywords:** Intuitionistic Modal Logic · Axiomatization · Sequent Calculus · Decidability

## **1 Introduction**

Intuitionistic modal logic (**IML**) has a long history, starting from the pioneering work by Fitch [10] and Prawitz [16]. Over time, two traditions have emerged. The first tradition, called *intuitionistic modal logics* [7–9,15,17], aims to define modalities justified by an intuitionistic meta-theory. In this tradition, the fundamental logic is **IK**, considered as the intuitionistic counterpart of the minimal normal modal logic **K**. The second tradition, known as *constructive modal logics*, is mainly motivated by computer science applications like the Curry-Howard correspondence, verification and contextual reasoning. In this tradition, the basic logics are **CCDL** [19] and **CK** [3].

However, there are other intuitionistic modal logics with natural interpretations of modalities that have received little interest and deserve to be studied. One approach can be to study intuitionistic modal logic on a common semantic ground in terms of a bi-relational model (W, ≤, R, V ) combining an intuitionistic pre-order ≤ on states/worlds and an accessibility relation R for modalities. The present work aims to study several intuitionistic modal logics where, in a bi-relational model, the modal operators are classically interpreted:

(1) x ⊩ □A iff for all y such that Rxy it holds y ⊩ A;

(2) x ⊩ ♦A iff there exists y such that Rxy and y ⊩ A.

We call these forcing conditions "local" as they do not involve worlds ≤-greater or ≤-smaller than x. Meanwhile, we require that all the intuitionistic axioms remain valid in the full logic. This is conveyed by the *hereditary property* (HP), which says that for any formula A, if A is forced by a world x, it will also be forced by any upper world of x. In order to ensure (HP), we need to postulate two frame conditions which relate ≤ and R in a bi-relational model: the conditions of *downward confluence* (DC) and *forward confluence* (FC) [1,4,9,17]. We call the basic **K**-style logic **LIK**, for *local* **IK**.

In the literature, Božić and Došen [4] studied separately the □-fragment and the ♦-fragment of **LIK** and also considered a logic combining □ and ♦. However, the logic they obtained is stronger than **LIK**, since they considered a restricted class of frames. Moreover, in their setting, ♦ becomes definable in terms of □, which is inappropriate from an intuitionistic point of view. In other respects, Božić and Došen did not tackle the decidability issue. Besides, a logic related to **LIK** has been considered in [5] in the context of substructural logics. More recently, the S4-extension of **LIK** has been shown to be decidable [1].

In this paper, we consider **LIK** and some of its extensions with axioms characterizing seriality, reflexivity and transitivity of the accessibility relation R in a bi-relational model. We provide complete axiomatizations for them with respect to appropriate classes of models. The basic logic **LIK** is stronger than Wijesekera's **CCDL** as well as another intuitionistic modal logic **FIK** which only assumes forward confluence on models [2]. But **LIK** is incomparable with **IK**. It is noteworthy that **LIK** fails to satisfy the disjunction property. However, unexpectedly, its extension with axioms characterizing either seriality or reflexivity of the accessibility relation possesses this property.

Turning to proof theory, we propose bi-nested sequent calculi for **LIK** and its extensions. A bi-nested calculus uses two kinds of nestings in the syntax: the first one is used for ≥-upper worlds and was proposed by Fitting in [11]. Recently, a nested sequent calculus using Fitting's nesting to capture an extension of **CCDL** has been presented in [6]. The second one is for R-successors, which is used in several nested sequent calculi for other **IML**s [12,14,18]. A calculus for **IK** intended to combine the two nestings was also preliminarily considered in [13]. A bi-nested sequent calculus with the same bi-nested structure is proposed for the logic **FIK** in [2], where the frame condition of forward confluence is captured by a suitable "interaction" rule. A calculus for **LIK** can be obtained from the calculus for **FIK** by adopting a "local" □, or by adding another "interaction" rule capturing the downward confluence frame condition. Calculi for the extensions of **LIK** are defined by adding suitable modal rules.

We prove that these calculi provide a decision procedure for the logic **LIK** and some of its extensions. Moreover, we show the semantic completeness of these calculi: from a single failed derivation under a suitable strategy, it is possible to extract a *finite* countermodel for the given sequent at the root. In addition, for the extensions of **LIK** with (**D**) or (**T**), a syntactic proof of the disjunction property via the calculi is provided. These results demonstrate that the bi-nested sequent calculus is a powerful and flexible tool which constitutes an alternative to other formalisms like the labelled sequent calculus and is capable of treating various **IML**s uniformly.¹

# **2 Local Intuitionistic Modal Logic**

Let **At** be a set (with members called *atoms* and denoted p, q, etc.).

**Definition 1 (Formulas).** *Let* L *be the set (with members called* formulas *and denoted* A*,* B*, etc.) of finite words over* **At** ∪ {⊃, ⊤, ⊥, ∨, ∧, □, ♦, (, )} *defined by*

> A ::= p | (A ⊃ A) | ⊤ | ⊥ | (A ∨ A) | (A ∧ A) | □A | ♦A

*where* p *ranges over* **At***. We follow the standard rules for omission of the parentheses. For all* A ∈ L*, we write* ¬A *as* A ⊃ ⊥*.*

For all sets Γ of formulas, let □Γ = {A ∈ L : □A ∈ Γ} and ♦Γ = {♦A ∈ L : A ∈ Γ}.

**Definition 2 (Frames).** *A* frame *is a relational structure* (W, ≤, R) *where* W *is a nonempty set of* worlds*,* ≤ *is a preorder on* W *and* R *is a binary relation on* W*. A frame* (W, ≤, R) *is* forward (resp. downward) confluent *if* ≥ ∘ R ⊆ R ∘ ≥ *(resp.* ≤ ∘ R ⊆ R ∘ ≤*). For all* X ⊆ {**D**, **T**, **4**}*, an* X*-frame is a frame* (W, ≤, R) *such that* R *is serial if* **D** ∈ X*,* R *is reflexive if* **T** ∈ X *and* R *is transitive if* **4** ∈ X*. Let* C^X_**fdc** *be the class of forward and downward confluent* X*-frames. We write "*C_**fdc***" instead of "*C^∅_**fdc***".*

We can see that C^**ref**_**fdc** ⊆ C^**ser**_**fdc** ⊆ C_**fdc**.

**Definition 3 (Valuations, Models and Truth Conditions).** *For all frames* (W, ≤, R)*, a subset* U *of* W *is* ≤-closed *if for all* s, t ∈ W*, if* s ∈ U *and* s ≤ t *then* t ∈ U*. A* valuation on (W, ≤, R) *is a function* V : **At** −→ ℘(W) *such that for all* p ∈ **At***,* V(p) *is* ≤*-closed. A* model based on (W, ≤, R) *is a model of the form* (W, ≤, R, V)*. In a model* M = (W, ≤, R, V)*, for all* x ∈ W *and for all* A ∈ L*, the* satisfiability of A at x in M *(in symbols* M, x ⊩ A*) is defined as usual when* A*'s main connective is either* ⊤*,* ⊥*,* ∨ *or* ∧ *and as follows otherwise:*


*When* M *is clear from the context, we simply write* x ⊩ A*. The notions of truth and validity are defined as usual.*

**Lemma 1 (Hereditary Property).** *Let* (W, ≤, R, V) *be a forward and downward confluent model. For all* A ∈ L *and* x, x' ∈ W*, if* x ⊩ A *and* x ≤ x' *then* x' ⊩ A*.*

¹ The full version with proofs is available on arXiv: https://arxiv.org/abs/2403.06772.

Note that our definition of ⊩ differs from the definitions proposed by Fischer Servi [9] and Wijesekera [19]. In both settings,

x ⊩ □A iff for all x' ∈ W with x ≤ x' and for all y ∈ W with Rx'y, it holds y ⊩ A;

whereas in [19],

x ⊩ ♦A iff for all x' ∈ W with x ≤ x', there exists y ∈ W such that Rx'y and y ⊩ A.

However, these satisfiability relations collapse on forward and downward confluent frames.

**Proposition 1.** *In* C_**fdc***, our definition of* ⊩ *determines the same satisfiability relation as the relations determined by the definitions in [9] and [19].*

From now on in this section, when we write frame (resp. model), we mean forward and downward confluent frame (resp. model).

Obviously, validity in C**fdc** is closed under the following inference rules:

$$\frac{A \supset B \qquad A}{B}\ (\mathbf{MP}) \qquad\qquad \frac{A}{\square A}\ (\mathbf{NEC})$$

Moreover, the following axiom schemes are valid in C**fdc**:

$$\begin{aligned} (\mathbf{K}\square)\ &\square(A \supset B) \supset (\square A \supset \square B) \\ (\mathbf{K}\diamondsuit)\ &\square(A \supset B) \supset (\diamondsuit A \supset \diamondsuit B) \\ (\mathbf{DP})\ &\diamondsuit(A \lor B) \supset \diamondsuit A \lor \diamondsuit B \\ (\mathbf{RV})\ &\square(A \lor B) \supset \diamondsuit A \lor \square B \\ (\mathbf{N})\ &\lnot\diamondsuit\bot \end{aligned}$$

In C^**D**_**fdc** (resp. C^**T**_**fdc**, C^**4**_**fdc**), modal axiom **D** (resp. **T**, **4**) is valid:

$$\begin{aligned} (\mathbf{D})\ &\diamondsuit \top \\ (\mathbf{T})\ &(\square A \supset A) \land (A \supset \diamondsuit A) \\ (\mathbf{4})\ &(\square A \supset \square \square A) \land (\diamondsuit \diamondsuit A \supset \diamondsuit A) \end{aligned}$$

Axiom (**RV**) is also considered in [1], where it is called (**CD**) for *constant domain*, since it is related to the first-order formula ∀x.(P(x) ∨ Q(x)) ⊃ ∃x.P(x) ∨ ∀x.Q(x), which is intuitionistically valid when models with constant domains are considered.
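The following model checker is an added example and not code from the paper or its authors. It encodes Definition 2 (forward and downward confluence, written out pointwise), the forcing clauses of Definition 3 with the local conditions (1) and (2) for □ and ♦, and it checks Lemma 1 together with the axiom schemes above on two constructed finite models. The models M1 and M2, their valuations, the tuple encoding of formulas and the helper names are assumptions of the example, not notation from the paper.

```python
from itertools import product

# Added example, not code from the paper. Formulas are nested tuples;
# the constructors below keep them readable.
TOP, BOT = ('top',), ('bot',)
def atom(p): return ('atom', p)
def imp(a, b): return ('imp', a, b)
def disj(a, b): return ('or', a, b)
def conj(a, b): return ('and', a, b)
def box(a): return ('box', a)
def dia(a): return ('dia', a)
def neg(a): return imp(a, BOT)      # the paper writes ~A for A > bot


def preorder(worlds, pairs):
    """Reflexive-transitive closure of `pairs` on `worlds`: the preorder <=."""
    le = {(w, w) for w in worlds} | set(pairs)
    grown = True
    while grown:
        grown = False
        for (a, b), (c, d) in product(list(le), repeat=2):
            if b == c and (a, d) not in le:
                le.add((a, d))
                grown = True
    return le


class Model:
    """A model (W, <=, R, V) in the sense of Definition 3; V(p) must be <=-closed."""

    def __init__(self, worlds, le_pairs, r_pairs, valuation):
        self.W = frozenset(worlds)
        self.le = preorder(self.W, le_pairs)
        self.R = frozenset(r_pairs)
        self.V = {p: frozenset(s) for p, s in valuation.items()}
        for p, s in self.V.items():
            if any(x in s and y not in s for (x, y) in self.le):
                raise ValueError(f"V({p}) is not <=-closed")

    def up(self, x):      # <=-upper worlds of x, x itself included
        return [y for (a, y) in self.le if a == x]

    def succ(self, x):    # R-successors of x
        return [y for (a, y) in self.R if a == x]

    # Definition 2, forward confluence: x <= x' and R x y give some y' with R x' y' and y <= y'.
    def forward_confluent(self):
        return all(any((xp, yp) in self.R and (y, yp) in self.le for yp in self.W)
                   for (x, xp) in self.le for (a, y) in self.R if a == x)

    # Definition 2, downward confluence: x <= x' and R x' y' give some y with R x y and y <= y'.
    def downward_confluent(self):
        return all(any((x, y) in self.R and (y, yp) in self.le for y in self.W)
                   for (x, xp) in self.le for (a, yp) in self.R if a == xp)

    def forces(self, x, A):
        """M, x forces A; box and diamond use the local clauses (1) and (2)."""
        k = A[0]
        if k == 'atom': return x in self.V.get(A[1], frozenset())
        if k == 'top': return True
        if k == 'bot': return False
        if k == 'and': return self.forces(x, A[1]) and self.forces(x, A[2])
        if k == 'or': return self.forces(x, A[1]) or self.forces(x, A[2])
        if k == 'imp':    # intuitionistic implication ranges over all <=-upper worlds
            return all(not self.forces(xp, A[1]) or self.forces(xp, A[2]) for xp in self.up(x))
        if k == 'box':    # (1): only the R-successors of x itself are inspected
            return all(self.forces(y, A[1]) for y in self.succ(x))
        if k == 'dia':    # (2): likewise local
            return any(self.forces(y, A[1]) for y in self.succ(x))
        raise ValueError(f"unknown connective {k}")

    def valid(self, A):
        return all(self.forces(x, A) for x in self.W)

    def hereditary_failure(self, A):
        """(x, x') with x <= x', x forces A but x' does not; None if Lemma 1 holds for A."""
        for x, xp in sorted(self.le):
            if self.forces(x, A) and not self.forces(xp, A):
                return (x, xp)
        return None


p, q = atom('p'), atom('q')

# Constructed model M1: 0 <= 1, 2 <= 3, R 0 2, R 1 3; both confluence conditions hold.
M1 = Model({0, 1, 2, 3}, {(0, 1), (2, 3)}, {(0, 2), (1, 3)}, {'p': {2, 3}, 'q': {3}})

# Constructed model M2: 0 <= 1 and R 1 2, but 0 has no R-successor, so downward
# confluence fails; the local box is then not hereditary (0 forces box p, 1 does not).
M2 = Model({0, 1, 2}, {(0, 1)}, {(1, 2)}, {'p': set()})

# The axiom schemes of this section, instantiated at the atoms p and q.
AXIOMS = {
    'K_box': imp(box(imp(p, q)), imp(box(p), box(q))),
    'K_dia': imp(box(imp(p, q)), imp(dia(p), dia(q))),
    'DP':    imp(dia(disj(p, q)), disj(dia(p), dia(q))),
    'RV':    imp(box(disj(p, q)), disj(dia(p), box(q))),
    'N':     neg(dia(BOT)),
}

def check_axioms(model):
    """Map each axiom name to whether its instance is valid in `model`."""
    return {name: model.valid(A) for name, A in AXIOMS.items()}

if __name__ == "__main__":
    print("M1 in C_fdc:", M1.forward_confluent() and M1.downward_confluent(), check_axioms(M1))
    print("M2 downward confluent:", M2.downward_confluent(), M2.hereditary_failure(box(p)))
```

On M1 every instance of the five schemes is valid and no formula tried exhibits a hereditary failure, as Lemma 1 predicts for a forward and downward confluent model. On M2, downward confluence fails and world 0 forces □p vacuously while its upper world 1 does not, which is the situation the (DC) condition rules out; forward confluence alone, which M2 satisfies, is not enough once □ is read locally.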

**Definition 4 (Axiom System).** *For all* X ⊆ {**D**, **T**, **4**}*, let LIK_X be the axiomatic system consisting of all standard axioms of IPL, the inference rules (***MP***) and (***NEC***), the axioms* **K**□*,* **K**♦*,* **N***,* **DP** *and* **RV***, and containing in addition the axioms from* X*. We write LIK for LIK_∅. Derivations are defined as usual. We write* ⊢_{**LIK**_X} A *when* A *is LIK_X-derivable. The set of all LIK_X-derivable formulas is also denoted as LIK_X.*

From now on in this section, let X ⊆ {**D**, **T**, **4**}.

**Lemma 2.** *If* **D** ∈ X *or* **T** ∈ X *then* p ⊃ ♦p *and* ¬□⊥ *are in LIK_X.*

**Theorem 1 (Soundness).** *LIK_X-derivable formulas are* C^X_**fdc***-validities.*

Next we prove completeness, which is the converse of soundness, saying that every formula valid in C^X_**fdc** is **LIK**_X-derivable. At the heart of our completeness proof lies the concept of theory. Let **L** = **LIK**_X.

**Definition 5 (Theories).** *A theory is a set of formulas containing* **L** *and closed with respect to MP. A theory* Γ *is proper if* ⊥ ∉ Γ*. A proper theory* Γ *is prime if for all formulas* A, B*, if* A ∨ B ∈ Γ *then either* A ∈ Γ *or* B ∈ Γ*.*

**Lemma 3.** *If* **D** ∈ X *or* **T** ∈ X *then for all theories* Γ*, we have* ♦-Γ ⊆ Γ*.*

**Definition 6 (Canonical Model).** *The* canonical model (W_L, ≤_L, R_L, V_L) *is a tuple where*


**Lemma 4.** *1. (W_L, ≤_L, R_L, V_L) is forward confluent,*


The proof of the completeness is based on the following lemmas.

**Lemma 5 (Existence Lemma).** *Let Γ be a prime theory.*


**Lemma 6 (Truth Lemma).** *For all formulas A and all Γ ∈ W_L, we have A ∈ Γ if and only if (W_L, ≤_L, R_L, V_L), Γ ⊩ A.*

From Lemma 6, we conclude

**Theorem 2 (Completeness).** *All $C^{X}_{\mathbf{fdc}}$-validities are LIK_X-derivable.*

In [17, Chapter 3], Simpson discusses the formal features that might be expected for an intuitionistic modal logic **L**:


Now, we show that **LIK**X possesses the formal features that might be expected of an intuitionistic modal logic.

**Proposition 2.** *1. LIK_X is conservative over **IPL**,*


#### **3 Bi-nested Sequent Calculi**

In this section we present bi-nested calculi for **LIK** and its extensions **LIKD** and **LIKT**. These calculi are called *bi-nested* in the sense that they make use of two kinds of nesting, representing ≤-upper worlds and R-successors in the semantics, similar to the calculus for **FIK** presented in [2]. A basic system for **LIK** contains two rules encoding forward and downward confluence. We will show that the latter rule, called (inter↓), is admissible in the smaller system without it, so by dropping this rule we still have a complete calculus for **LIK**. However, as we will see, the (inter↓) rule is required to prove the semantic completeness of the calculus and further allows us to obtain countermodel extraction. We also prove the disjunction property for **LIKD** and **LIKT** using the calculi.

In order to define the calculi we first give some preliminary notions.

**Definition 7 (Bi-Nested Sequent).** *A bi-nested sequent S is defined as:*


We use S and T to denote bi-nested sequents and simply call them "sequents" in the rest of this paper. The antecedent and consequent of a sequent S are denoted by Ant(S) and Con(S). Syntactic objects of the shape ⟨S⟩ and [T] are called implication blocks and modal blocks respectively.

The notion of modal degree can be extended from a formula to a sequent.

**Definition 8 (Modal Degree).** *The modal degree md(F) of a formula F is defined as usual. For a finite (multi)set of formulas Γ, define md(Γ) = md(⋀Γ). For a sequent S = Γ ⇒ Δ, ⟨T1⟩, ..., ⟨Tn⟩, [S1], ..., [Sm], we define md(S) = max{md(Γ), md(Δ), md(T1), ..., md(Tn), md(S1)+1, ..., md(Sm)+1}.*

A context is defined as usual for nested calculi; it can be regarded as a placeholder to be filled by a sequent.

**Definition 9 (Context).** *A context* G{ } *is inductively defined as follows:*

*– The empty context* { } *is a context.*

*– if Γ ⇒ Δ is a sequent and G{ } is a context, then both Γ ⇒ Δ, ⟨G{ }⟩ and Γ ⇒ Δ, [G{ }] are contexts.*

*Example 1.* Given a context G{ } = p ∧ q, r ⇒ ♦p, ⟨p ⇒ [⇒ q]⟩, [{ }] and a sequent S = p ⇒ q ∨ r, [r ⇒ s], we have G{S} = p ∧ q, r ⇒ ♦p, ⟨p ⇒ [⇒ q]⟩, [p ⇒ q ∨ r, [r ⇒ s]].

**Definition 10 (∈⟨·⟩, ∈[·], ∈⁺-Relations).** *Let Γ1 ⇒ Δ1 and Γ2 ⇒ Δ2 be two sequents. We write Γ1 ⇒ Δ1 ∈⟨·⟩₀ Γ2 ⇒ Δ2 if ⟨Γ1 ⇒ Δ1⟩ ∈ Δ2, and let ∈⟨·⟩ be the transitive closure of ∈⟨·⟩₀. The relations ∈[·]₀ and ∈[·] for modal blocks are defined similarly. Besides, let ∈⁺₀ = ∈⟨·⟩₀ ∪ ∈[·]₀ and finally let ∈⁺ be the reflexive-transitive closure of ∈⁺₀.*

Saying S′ ∈⁺ S is equivalent to saying that S = G{S′} for some context G.

As we will see, some rules in the calculi propagate formulas in the antecedent ("positive part") or the consequent ("negative part") of sequents into a modal block. The two operators in the following definition single out these formulas of a sequent.

**Definition 11 (♯-Operator and ♭-Operator).** *Let Λ ⇒ Θ be a sequent and Fm(Θ) the multiset of formulas directly belonging to Θ.*

*Let Θ♭ = ∅ if Θ is [·]-free; Θ♭ = [Φ1 ⇒ Ψ1♭], ..., [Φk ⇒ Ψk♭] if Θ = Θ0, [Φ1 ⇒ Ψ1], ..., [Φk ⇒ Ψk] and Θ0 is [·]-free.*

*Dually, let ⇒ Θ♯ = ⇒ Fm(Θ) if Θ is [·]-free; ⇒ Θ♯ = ⇒ Fm(Θ0), [⇒ Ψ1♯], ..., [⇒ Ψk♯] if Θ = Θ0, [Φ1 ⇒ Ψ1], ..., [Φk ⇒ Ψk] and Θ0 is [·]-free.*

*Example 2.* Consider the sequent G{S} = p ∧ q, r ⇒ ♦p, ⟨p ⇒ [⇒ q]⟩, [p ⇒ q ∨ r, [r ⇒ s]] of Example 1 and denote Ant(G{S}) and Con(G{S}) by Λ and Θ respectively. By definition, Λ ⇒ Θ♭ = p ∧ q, r ⇒ [p ⇒ [r ⇒]] while ⇒ Θ♯ = ⇒ ♦p, [⇒ q ∨ r, [⇒ s]].
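Definitions 8 and 11 are easy to misread in the extracted notation, so here is an added Python example (not code from the paper) that stores a bi-nested sequent as data, computes md(S) and applies the ♯- and ♭-operators to the sequent G{S} of Examples 1 and 2. The tuple encoding of formulas and the field names of `Seq` are my own choices, not the paper's.

```python
"""Bi-nested sequents as data: modal degree (Definition 8) and the
sharp/flat operators (Definition 11).  Added example, not the paper's code.

Formulas are nested tuples: ('p',) atom, ('bot',), ('and', A, B),
('or', A, B), ('imp', A, B), ('box', A), ('dia', A).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Seq:
    """Γ ⇒ Δ, with Δ split into formulas, implication blocks ⟨T⟩ and modal blocks [S]."""
    ant: tuple = ()   # formulas of Γ
    fm: tuple = ()    # Fm(Δ): formulas directly in Δ
    imp: tuple = ()   # implication blocks ⟨T_1⟩, ..., ⟨T_n⟩ (each a Seq)
    mod: tuple = ()   # modal blocks [S_1], ..., [S_m] (each a Seq)


def md_f(f):
    """Modal degree of a formula: one per nested □ or ♦."""
    op = f[0]
    if op in ('box', 'dia'):
        return md_f(f[1]) + 1
    if op in ('and', 'or', 'imp'):
        return max(md_f(f[1]), md_f(f[2]))
    return 0


def md(seq):
    """md(S) = max{md(Γ), md(Δ), md(T_i), md(S_j) + 1}: only modal blocks add a level."""
    return max([0]
               + [md_f(f) for f in seq.ant + seq.fm]
               + [md(t) for t in seq.imp]
               + [md(b) + 1 for b in seq.mod])


def flat(seq):
    """Λ ⇒ Θ♭: keep Λ and the modal-block skeleton, drop formulas and ⟨·⟩-blocks."""
    return Seq(ant=seq.ant, mod=tuple(flat(b) for b in seq.mod))


def sharp(seq):
    """⇒ Θ♯: keep Fm(Θ) and the consequents of modal blocks, drop all antecedents."""
    return Seq(fm=seq.fm, mod=tuple(sharp(b) for b in seq.mod))


def show_f(f):
    op = f[0]
    if op == 'bot':
        return '⊥'
    if op in ('box', 'dia'):
        return ('□' if op == 'box' else '♦') + show_f(f[1])
    if op in ('and', 'or', 'imp'):
        sym = {'and': ' ∧ ', 'or': ' ∨ ', 'imp': ' ⊃ '}[op]
        return '(' + show_f(f[1]) + sym + show_f(f[2]) + ')'
    return op


def show(seq):
    """Render a sequent in the paper's notation, e.g. 'p ⇒ [r ⇒]'."""
    left = ', '.join(show_f(f) for f in seq.ant)
    right = ', '.join([show_f(f) for f in seq.fm]
                      + ['⟨' + show(t) + '⟩' for t in seq.imp]
                      + ['[' + show(b) + ']' for b in seq.mod])
    return (left + ' ' if left else '') + '⇒' + (' ' + right if right else '')


# The sequent G{S} of Examples 1 and 2:
#   p ∧ q, r ⇒ ♦p, ⟨p ⇒ [⇒ q]⟩, [p ⇒ q ∨ r, [r ⇒ s]]
p, q, r, s = ('p',), ('q',), ('r',), ('s',)
SEQ_S = Seq(ant=(p,), fm=(('or', q, r),), mod=(Seq(ant=(r,), fm=(s,)),))
SEQ_GS = Seq(ant=(('and', p, q), r), fm=(('dia', p),),
             imp=(Seq(ant=(p,), mod=(Seq(fm=(q,)),)),),
             mod=(SEQ_S,))

if __name__ == '__main__':
    print('G{S} =', show(SEQ_GS), ' md =', md(SEQ_GS))
    print('Λ ⇒ Θ♭ =', show(flat(SEQ_GS)))
    print('⇒ Θ♯   =', show(sharp(SEQ_GS)))
```

Running the block prints md(G{S}) = 2 (the modal block [p ⇒ q ∨ r, [r ⇒ s]] contributes md 1 + 1) and the two sequents of Example 2; `flat` and `sharp` are recursive because both operators descend through nested modal blocks while the implication blocks are discarded.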

**Definition 12.** *Rules for the basic logic LIK and its modal extensions are given in Fig. 1, which consists of the basic calculus **CLIK** and modal rules corresponding to the axioms (**D**), (**T**♦) and (**T**□). We define **CLIKD** = **CLIK** + (**D**) and **CLIKT** = **CLIK** + (**T**□) + (**T**♦).*

The notions of *derivation* and *proof* in a calculus are defined as usual. We say a formula A is *provable* if the sequent ⇒ A has a proof in the calculus.

Here are some remarks on the rules. First, the rule (id), which only concerns atoms, can easily be generalized to arbitrary formulas. Reading the rules upwards, (⊃R) introduces an implication block ⟨·⟩ while (♦L) and (□R) introduce a modal block [·]. Observe that the (□R) rule corresponds to the "local" interpretation of □. The rule (inter→) is intended to capture Forward Confluence, and the rule (inter↓) Downward Confluence. Finally the (trans) rule captures the Hereditary Property. All the rules of **CLIK** except (□R) and (inter↓) belong to the calculus **CFIK** for the logic **FIK** [2]; we discuss the relation between the two calculi later in this section.


**Fig. 1.** Bi-nested rules for local intuitionistic modal logics

We can verify that each axiom of **LIK** in Sect. 2 is provable in **CLIK**. An example of axiom (**RV**) is given below.

*Example 3.* We show that □(p ∨ q) ⇒ ♦p ∨ □q is provable.

$$
\dfrac{
 \dfrac{
  \dfrac{
   \dfrac{
    \dfrac{
     \dfrac{}{\Box(p \lor q) \Rightarrow \Diamond p, [p \Rightarrow q, p]}\,(id)
     \qquad
     \dfrac{}{\Box(p \lor q) \Rightarrow \Diamond p, [q \Rightarrow q, p]}\,(id)
    }{\Box(p \lor q) \Rightarrow \Diamond p, [p \lor q \Rightarrow q, p]}\,(\lor L)
   }{\Box(p \lor q) \Rightarrow \Diamond p, [\Rightarrow q, p]}\,(\Box L)
  }{\Box(p \lor q) \Rightarrow \Diamond p, [\Rightarrow q]}\,(\Diamond R)
 }{\Box(p \lor q) \Rightarrow \Diamond p, \Box q}\,(\Box R)
}{\Box(p \lor q) \Rightarrow \Diamond p \lor \Box q}\,(\lor R)
$$

We now show that **CLIK** is sound with respect to the semantics. The first step is to extend the forcing relation to sequents and blocks therein.

**Definition 13.** *Let* M = (W, ≤, R, V ) *be a bi-relational model and* x ∈ W*. The satisfiability relation is extended to sequents as follows:*


*We say S is valid in M iff ∀w ∈ W, we have M, w ⊩ S. We say S is valid iff it is valid in every model.*

**Definition 14.** *For a rule (r) of the form $\frac{G\{S_1\}\quad G\{S_2\}}{G\{S\}}$ or $\frac{G\{S_1\}}{G\{S\}}$, we say (r) is valid if the following holds: if for each i, x ⊩ G{S_i}, then it follows that x ⊩ G{S}.*

We can easily verify the validity of each rule and then obtain the soundness of **CLIK** by a standard induction on a derivation. The soundness of **CLIKD** and **CLIKT** can be proven similarly.

**Theorem 3 (Soundness of CLIK).** *If a formula* A *is provable in* **CLIK***, then it is valid in* **LIK***.*

Next, we show that the rule (inter↓) is admissible in the calculus **CLIK**⁻ = **CLIK** \ {(inter↓)}. The proof extends easily to the modal extensions as well. In order to prove this, we need some preliminary facts. First, the weakening and contraction rules (wL), (wR), (cL), (cR), defined as usual, are *height-preserving* (hp) admissible in **CLIK**⁻, not only when applied to formulas but also to blocks. Moreover, the extended weakening rules $\frac{S}{G\{S\}}$, $\frac{G\{\Gamma \Rightarrow \Delta^{\flat}\}}{G\{\Gamma \Rightarrow \Delta\}}$ and $\frac{G\{\Gamma \Rightarrow \Delta^{\sharp}\}}{G\{\Gamma \Rightarrow \Delta\}}$ are hp-admissible as well.

**Proposition 3.** *The (inter↓) rule is admissible in **CLIK**⁻. Consequently, a sequent S is provable in **CLIK** if and only if S is provable in **CLIK**⁻.*

As mentioned above, all the rules in **CLIK** except (□R) and (inter↓) belong to the calculus **CFIK** for the logic **FIK** [2]. Differently from **LIK**, the logic **FIK** adopts the "global" forcing condition for □, as in [9,17,19], and only forward confluence on the frame. The (□R) rule in **CFIK** is $\frac{G\{\Gamma \Rightarrow \Delta, \langle \Rightarrow [\Rightarrow A] \rangle\}}{G\{\Gamma \Rightarrow \Delta, \Box A\}}$. It can be proved that this rule is admissible in **CLIK**⁻ and, in the opposite direction, that the "local" (□R) rule of **CLIK** is admissible in **CFIK** + (inter↓). Thus **CFIK** + (inter↓) can be regarded as another equivalent variant of **CLIK**, obtained in *a modular way* from the calculus for **FIK**.

We end this section by considering the disjunction property. For simplicity, we only work in **CLIK**⁻ and its extensions. Let **CLIKD**⁻ = **CLIK**⁻ + (**D**) and **CLIKT**⁻ = **CLIK**⁻ + (**T**□) + (**T**♦). Consider the formula □⊥ ∨ ♦⊤, which is provable in **CLIK**⁻, whereas it is easy to see that neither □⊥ nor ♦⊤ is provable.<sup>2</sup> However, this counterexample does not apply to **LIKD** or **LIKT**, since ♦⊤ is provable in both calculi. We show that the disjunction property indeed holds for both **CLIKD**⁻ and **CLIKT**⁻. The key fact is expressed by the following lemma:

<sup>2</sup> We thank Tiziano Dalmonte for suggesting this counterexample.

**Lemma 7.** *Suppose S = ⇒ A1, ..., Am, ⟨G1⟩, ..., ⟨Gn⟩, [H1], ..., [Hl] is provable in **CLIKD**⁻ (resp. **CLIKT**⁻), where the Ai are formulas and the Gj and Hk are sequents. Further assume that each Hk is of the form ⇒ Θk and that for each sequent T ∈[·] Hk, T has an empty antecedent. Then either ⇒ Ai or ⇒ ⟨Gj⟩ or ⇒ [Hk] is provable in **CLIKD**⁻ (resp. **CLIKT**⁻) for some i ≤ m, j ≤ n, k ≤ l.*

We obtain the disjunction property by an obvious application of the lemma.

**Proposition 4 (Disjunction Property for CLIKD⁻ and CLIKT⁻).** *For any formulas A, B, if ⇒ A ∨ B is provable in **CLIKD**⁻ (resp. **CLIKT**⁻), then either ⇒ A or ⇒ B is provable in **CLIKD**⁻ (resp. **CLIKT**⁻).*

#### **4 Termination**

In this section we define a decision procedure for **LIK** as well as its extensions **LIKD** and **LIKT**, based on the calculi in Sect. 3. We treat **LIK** first; at the end of the section we briefly describe how to adapt the procedure to the extensions. The terminating proof-search procedure is essential for the semantic completeness of the calculi, as well as for countermodel construction, as we demonstrate in the following section.

We have introduced two calculi for **LIK**, namely **CLIK** and **CLIK***<sup>−</sup>* . For **CLIK***<sup>−</sup>* , we can obtain a terminating proof-search procedure by adapting the one in [2] for the calculus of **FIK**. Actually, the decision procedure for **CLIK***<sup>−</sup>* is remarkably simpler than that for **FIK**, as "blocking" is not needed to prevent loops. For **CLIK**, however, some extra work needs to be done. Despite the equivalence of **CLIK** and **CLIK***<sup>−</sup>* in terms of provability, constructing a countermodel from a failed proof in **CLIK***<sup>−</sup>* poses a challenge due to the absence of a rule capturing downward confluence. Therefore, we need to explore a terminating proof-search procedure for **CLIK** to further advance our goal of proving semantic completeness.

Recall our ultimate aim is to build a countermodel from a failed derivation, in which the main ingredient is the pre-order relation ≤ in the model construction. This relation is specified by the following notion of *structural inclusion* between sequents, which is also used in defining the saturation conditions required for termination.

**Definition 15 (Structural Inclusion ⊆_S).** *Let S1 = Γ1 ⇒ Δ1 and S2 = Γ2 ⇒ Δ2 be two sequents. We say that S1 is structurally included in S2, denoted by S1 ⊆_S S2, when all the following hold:*


It is easy to see that ⊆_S is both reflexive and transitive.

We now define an equivalent variant **CCLIK** of **CLIK** which adopts a cumulative version of the rules along with some bookkeeping. Moreover, the (⊃R) rule is modified in order to prevent loops. This calculus will be used as a base for the decision procedure that follows and then for semantic completeness. First we reformulate the ♯-operator as below, annotating each generated ♯-sequent by the full sequent it comes from.

**Definition 16.** *Let Fm(Θ) be the multiset of formulas directly belonging to Θ. We define the ♯-operator with annotation as follows:*

*– ⇒_{Λ⇒Θ} Θ♯ = ⇒ Fm(Θ) if Θ is [·]-free;*

*– ⇒_{Λ⇒Θ} Θ♯ = ⇒ Fm(Θ0), [⇒_{Φ1⇒Ψ1} Ψ1♯], ..., [⇒_{Φk⇒Ψk} Ψk♯] if Θ = Θ0, [Φ1 ⇒ Ψ1], ..., [Φk ⇒ Ψk] and Θ0 is [·]-free.*

The ♯-sequents are generated only by applications of (inter↓), and we use the annotation (the subscript of ⇒) to "track" the implication block from which a ♯-sequent is generated. The annotation can be omitted, and we simply write ⇒ Θ♯ whenever we do not need to track an (inter↓) application.

**Definition 17 (The ♯-Annotated Cumulative Calculus CCLIK).** *The cumulative calculus **CCLIK** operates on set-based sequents, where a set-based sequent S = Γ ⇒ Δ is defined as in Definition 7, with the distinction that Γ is a set of formulas and Δ is a set of formulas and/or blocks (containing set-based sequents). The rules are as follows:*

*– (⊥L), (⊤R), (id), (□L), (♦R), (trans) and (inter→) as in **CLIK**.*

*– (⊃R) is replaced by two rules, for A ∈ Γ or A ∉ Γ:*

$$\frac{G\{\Gamma\Rightarrow\Delta, A\supset B, B\}}{G\{\Gamma\Rightarrow\Delta, A\supset B\}}(A\in\varGamma) \quad \frac{G\{\Gamma\Rightarrow\Delta, A\supset B, \langle A\Rightarrow B\rangle\}}{G\{\Gamma\Rightarrow\Delta, A\supset B\}}(A\notin\varGamma)$$

*–* (*inter*↓) *is replaced by the following annotated rule:*

$$\frac{G\{\Gamma \Rightarrow \Delta, \langle \Sigma \Rightarrow \Pi, [\Lambda \Rightarrow \Theta] \rangle, [\Rightarrow\_{\Lambda \Rightarrow \Theta} \,\,\Theta^{\sharp}]\}}{G\{\Gamma \Rightarrow \Delta, \langle \Sigma \Rightarrow \Pi, [\Lambda \Rightarrow \Theta] \rangle\}} \;(\mathit{inter}{\downarrow})$$

*– The other rules in **CLIK** are modified by keeping the principal formula in the premises. For example, the cumulative versions of (∧L) and (□R) are:*

$$\frac{G\{A,B,A\land B,\Gamma\Rightarrow\Delta\}}{G\{A\land B,\Gamma\Rightarrow\Delta\}}\,(\land L) \quad \frac{G\{\Gamma\Rightarrow\Delta,\Box A,[\Rightarrow A]\}}{G\{\Gamma\Rightarrow\Delta,\Box A\}}\,(\Box R)$$

Given the admissibility of weakening and contraction in **CLIK**, the following proposition is a direct consequence.

**Proposition 5.** *A sequent* S *is provable in* **CLIK** *iff* S *is provable in* **CCLIK***.*

Next, we introduce saturation conditions for each rule in **CCLIK**. They are needed for both termination and counter-model extraction.

**Definition 18 (Saturation Conditions).** *Let S = Γ ⇒ Δ be a sequent. We say S satisfies the saturation condition on the top level with respect to*

*– (⊃R): if A ⊃ B ∈ Δ, then either A ∈ Γ and B ∈ Δ, or there is ⟨Σ ⇒ Π⟩ ∈ Δ with A ∈ Σ and B ∈ Π.*

*– (♦R): if ♦A ∈ Δ and [Σ ⇒ Π] ∈ Δ, then A ∈ Π.*

*– (♦L): if ♦A ∈ Γ, then there is [Σ ⇒ Π] ∈ Δ with A ∈ Σ.*

*– (□R): if □A ∈ Δ, then there is [Λ ⇒ Θ] ∈ Δ with A ∈ Θ.*

*– (□L): if □A ∈ Γ and [Σ ⇒ Π] ∈ Δ, then A ∈ Σ.*

*– (inter↓): if ⟨Σ ⇒ Π, [Λ ⇒ Θ]⟩ ∈ Δ, then there is [Φ ⇒ Ψ] ∈ Δ s.t. Φ ⇒ Ψ ⊆_S Λ ⇒ Θ.*

*– (inter→): if ⟨Σ ⇒ Π⟩, [Λ ⇒ Θ] ∈ Δ, then there is [Φ ⇒ Ψ] ∈ Π s.t. Λ ⇒ Θ ⊆_S Φ ⇒ Ψ.*

*– (trans): if ⟨Σ ⇒ Π⟩ ∈ Δ, then Γ ⊆ Σ.*

*Saturation conditions for the other propositional rules are defined as usual.*

We say a sequent is saturated with a rule (r) if it satisfies the saturation condition associated with (r). We say a backward application of a rule (r) to a sequent S is *redundant* if S already satisfies the corresponding saturation condition associated with (r).

**Proposition 6.** *Let S = Γ ⇒ Δ be a sequent. If S is saturated with (trans), (inter→) and (inter↓), then for ⟨Σ ⇒ Π⟩ ∈ Δ we have Γ ⇒ Δ ⊆_S Σ ⇒ Π.*

In order to define a terminating proof-search strategy based on **CCLIK**, we first impose the following constraints:

(i) *No rule is applied to an axiom* and (ii) *No rule is applied redundantly.*

However there is a problem: backward proof search only respecting these basic constraints does not necessarily ensure that *any* leaf of a derivation, to which no rule can be applied non-redundantly, satisfies *all* the saturation conditions of rules in **CCLIK**. This is a significant difference from the calculus of **FIK** in [2]. The problematic case is the saturation condition for the (inter↓) rule.

*Example 4.* Let us consider the sequent □(p ∨ q) ⇒ □r ⊃ □s. After some preliminary steps, we obtain two sequents:


Suppose we select (i) and then apply (inter↓), obtaining (i′): □(p ∨ q) ⇒ □r ⊃ □s, ⟨□(p ∨ q), □r ⇒ □s, [p ∨ q, p, r ⇒ s]⟩, [⇒ s]. After applying (□L), (∨L) and (inter→), we further obtain:

(iii). □(p ∨ q) ⇒ □r ⊃ □s, ⟨□(p ∨ q), □r ⇒ □s, [p ∨ q, p, r ⇒ s]⟩, [p ∨ q, p ⇒ s]

(iv). □(p ∨ q) ⇒ □r ⊃ □s, ⟨□(p ∨ q), □r ⇒ □s, [p ∨ q, p, r ⇒ s], [p ∨ q, q ⇒]⟩, [p ∨ q, q ⇒ s]

We can see that (iii) satisfies the saturation condition for (inter↓), as p ∨ q, p ⇒ s ⊆_S p ∨ q, p, r ⇒ s, but (iv) does not, since there is no [Φ ⇒ Ψ] s.t. Φ ⇒ Ψ ⊆_S p ∨ q, p, r ⇒ s. Sequent (iv) would not give in itself a model satisfying (DC), and it is not obvious how to extend it in order to satisfy (DC).<sup>3</sup> This example also

<sup>3</sup> Observe that a disallowed *redundant* application of (inter↓) to the block [p ∨ q, q ⇒] would not help, as it would reproduce the branching.

shows the inadequacy of **CLIK***<sup>−</sup>* for semantic completeness, as sequent expansion in **CLIK***<sup>−</sup>* terminates with (i) and (ii), from which we do not know how to define a model satisfying (DC).

This means that certain branches in a derivation may lead to unprovable sequents from which we do not know how to build a "correct" counter-model directly. Hence, to obtain a "correct" counter-model, we require a mechanism that chooses the suitable branch which ensures the saturation condition for (inter↓). This is provided by the tracking mechanism and realization procedure defined below.

**Definition 19 (Tracking Record Based on ∈[·]).** *Let S be a set-based sequent which is saturated with respect to all the left rules in **CCLIK**. Take an arbitrary set of formulas, denoted by Γ. Let Ω = {T | T = S or T ∈[·] S}. For each T ∈ Ω, we define G_S(T, Γ), the ∈[·]-based tracking record of Γ in S, which is a subset of Ant(T), as follows:*

	- *if □A ∈ G_S(T′, Γ), then A ∈ G_S(T, Γ);*
	- *if ♦A ∈ G_S(T′, Γ) and A ∈ Ant(T), then A ∈ G_S(T, Γ);*
	- *if A ∧ B ∈ G_S(T, Γ), then A, B ∈ G_S(T, Γ);*
	- *if A ∨ B ∈ G_S(T, Γ) and A ∈ Ant(T), then A ∈ G_S(T, Γ);*
	- *if A ⊃ B ∈ G_S(T, Γ) and B ∈ Ant(T), then B ∈ G_S(T, Γ).*

The tracking record is used to control rule applications to and within a block created by (inter↓), preserving the saturation condition associated with it.

**Definition 20 (Realization).** *Let S = Γ ⇒ Δ, ⟨S1⟩, [S2], where S1 = Σ ⇒ Π, [Λ ⇒ Θ], S2 = ⇒_{Λ⇒Θ} Θ♯ and Γ ⊆ Σ. Moreover, we assume that S1 is saturated with respect to all the left rules in **CCLIK**. Using the ∈[·]-based tracking record of Γ in S1, we define the realization of the block [S2] in S as follows:*

	- *if Ψ is block-free, then f_{S1}(T) = G(Φ ⇒ Ψ, Γ) ⇒ Ψ.*

*– otherwise Ψ = Ψ0, [T1], ..., [Tk] where Ψ0 is a set of formulas, and then f_{S1}(T) = G(Φ ⇒ Ψ, Γ) ⇒ Ψ0, [f_{S1}(T1)], ..., [f_{S1}(Tk)].*

*(ii). With f_{S1}(S2), the realization of [S2] in S is Γ ⇒ Δ, ⟨S1⟩, [f_{S1}(S2)].*

As the next proposition shows, the expansion produced by a realization procedure is not an additional logical step; rather, it can be obtained by applying the rules of the calculus while selecting the appropriate branch.

**Proposition 7.** *Let S = Γ ⇒ Δ, ⟨S1⟩, [S2], where S1 = Σ ⇒ Π, [Λ ⇒ Θ], S2 = ⇒_{Λ⇒Θ} Θ♯ and Γ ⊆ Σ. If S1 is saturated with respect to all the left rules in **CCLIK**, then for the sequent S′ = Γ ⇒ Δ, ⟨S1⟩, [f_{S1}(S2)], which is obtained by the realization procedure in Definition 20, we have*

*(i). S′ is saturated with respect to all the left rules applied to or within [f_{S1}(S2)];*

*(ii). f_{S1}(S2) ⊆_S Λ ⇒ Θ;*

*(iii). S′ can be obtained by applying left rules of **CCLIK** to [S2] in S.*

*Example 5.* We go back to sequent (i') in Example 4. Let

$$\begin{array}{l} S = \Box (p \lor q) \Rightarrow \Box r \supset \Box s, \langle \Box (p \lor q), \Box r \Rightarrow \Box s, [p \lor q, p, r \Rightarrow s] \rangle, [\Rightarrow s] \\ S\_1 = \Box (p \lor q), \Box r \Rightarrow \Box s, [p \lor q, p, r \Rightarrow s] \\ S\_2 = \Rightarrow s, \quad T = p \lor q, p, r \Rightarrow s \end{array}$$

Since [S2] is produced by (inter↓) from T, we have S2 = ⇒_T s. We intend to realize the block [S2] in S by the tracking record of Ant(S) in S1. By definition, we have

$$\begin{aligned} \mathfrak{G}\_{S\_1}(S\_1, Ant(S)) &= Ant(S) = \{\Box(p \vee q)\}, \\ \mathfrak{G}\_{S\_1}(T, Ant(S)) &= \{p \vee q, p\} \end{aligned}$$

According to the realization, by applying f_{S1}(·) to S2 we get f_{S1}(⇒_T s) = p ∨ q, p ⇒ s. Thus, the entire output sequent is

$$
\Box(p \lor q) \Rightarrow \Box r \supset \Box s, \langle \Box(p \lor q), \Box r \Rightarrow \Box s, [p \lor q, p, r \Rightarrow s] \rangle, [p \lor q, p \Rightarrow s]
$$

And this is just (iii) in Example 4, which is the right expansion of (i').

In order to define the proof-search procedure, we first divide all the rules of **CCLIK** into four groups as (R1): all propositional and modal rules except (⊃R); (R2): (trans) and (inter→); (R3): (⊃R); and (R4): (inter↓).

Let S = Γ ⇒ Δ. We denote by Δ̄ the sequent obtained by removing all the (nested) occurrences of ⟨·⟩-blocks in Δ.<sup>4</sup>

**Definition 21 (Saturation).** *Let* S = Γ ⇒ Δ *be a sequent and not an axiom.* S *is called:*


**Definition 22 (Global Saturation).** *Let S be a sequent and not an axiom. S is called global-R_i-saturated if for each T ∈⁺ S, T is R_i-saturated, where i ∈ {1, 2, 3}; global-saturated if for each T ∈⁺ S, T is R4-saturated.*

In order to specify the proof-search procedure, we make use of the following four macro-steps that extend a given derivation D by expanding a leaf S. Each procedure applies rules *non-redundantly* to some T = Γ ⇒ Δ ∈⁺ S.

<sup>4</sup> For example, let Δ = B, ⟨Σ ⇒ Π⟩, [Λ ⇒ [D ⇒ E, ⟨P ⇒ Q⟩]]; then Δ̄ = B, [Λ ⇒ [D ⇒ E]].

#### **Algorithm 1:** PROC0(S0)



It can be proved that each of these four macro-steps terminates. The claim is almost obvious except for **EXP1** (see [2, Proposition 46]).

**Proposition 8.** *Given a finite derivation D, a finite leaf S of D and T ∈⁺ S, then for i ∈ {1, 2, 3, 4}, each EXPi(D, S, T) terminates by producing a finite expansion of D in which all sequents are finite.*

Now we define the procedure. We first describe the preliminary procedure PROC0(S0) (see Algorithm 1), which builds a derivation with root S0 and only uses the macro-steps **EXP1**(·) to **EXP3**(·); thus only the rules in **CLIK**⁻ are applied. It follows that PROC0(A) decides whether a formula A is valid in **LIK**. Additionally, the procedure PROC0(·) is then used as a subroutine in the full procedure PROC(⇒ A) to obtain either a proof of A or a global-saturated sequent, see Algorithm 2.

**Proposition 9.** *Given a sequent* S0*,* PROC0(S0) *produces a finite derivation with all the leaves axiomatic or at least one global-R3-saturated leaf.*


Lastly, we show that PROC(A) terminates.

**Theorem 4 (Termination for CCLIK).** *Proof-search for a formula* A *in* **CCLIK** *terminates with a finite derivation in which either all the leaves are axiomatic or there is at least one global-saturated leaf.*

We can also obtain decision procedures for **CLIKD** and **CLIKT** in a similar way. Consider cumulative versions **CCLIKD** and **CCLIKT** of the respective calculi and define suitable saturation conditions associated with the extra modal rules, for a sequent S = Γ ⇒ Δ:

(**D**): if Γ^□ ∪ Δ^♦ is non-empty, then Δ is not [·]-free.

(**T**□/**T**♦): if □A ∈ Γ (resp. ♦A ∈ Δ), then A ∈ Γ (resp. A ∈ Δ).

The saturation condition for (**D**) prevents the useless generation of infinitely nested empty blocks of the form [⇒ [... ⇒ [⇒] ...]], which could be created by backward application of the (**D**) rule. The procedure PROC0(·) integrates the rules for (**D**) or (**T**) accordingly: the rule (**D**) is applied immediately after each round of **EXP2**(·), while the two (**T**) rules are integrated in **EXP1**(·). As a result, we obtain:

**Theorem 5 (Termination for CCLIKD and CCLIKT).** *Proof-search for a formula* A *in* **CCLIKD** *and* **CCLIKT** *terminates with a finite derivation in which either all the leaves are axiomatic or there is at least one global-saturated leaf.*

#### **5 Completeness**

Using the decision procedure from the previous section, we show how to build a countermodel for an unprovable formula, which entails the completeness of **CCLIK**. Subsequently, we adapt this construction to **CCLIKD** and **CCLIKT** as well.

Given a global-saturated sequent S in **CCLIK**, we define a model M_S for it as follows.

**Definition 23.** *The model M_S = (W_S, ≤_S, R_S, V_S) is a quadruple where*

*– W_S = {x_{Φ⇒Ψ} | Φ ⇒ Ψ ∈⁺ S};*

*– x_{S1} ≤_S x_{S2} if S1 ⊆_S S2;*

*– R_S x_{S1} x_{S2} if S2 ∈[·]₀ S1;*

*– for each p ∈ **At**, let V_S(p) = {x_{Φ⇒Ψ} | p ∈ Φ}.*

**Proposition 10.** M<sup>S</sup> *satisfies (FC) and (DC).*

**Lemma 8 (Truth Lemma for CCLIK).** *Let* S *be a global-saturated sequent in* **CCLIK** *and* $\mathcal{M}^S = (W^S, \leq^S, R^S, V^S)$ *be defined as above. (a) If* $A \in \Phi$*, then* $\mathcal{M}^S, x_{\Phi \Rightarrow \Psi} \Vdash A$*; (b) If* $A \in \Psi$*, then* $\mathcal{M}^S, x_{\Phi \Rightarrow \Psi} \nVdash A$*.*

By the truth lemma we obtain as usual the completeness of **CCLIK**.

**Theorem 6 (Completeness of CCLIK).** *If* A *is valid in* **LIK***, then* A *is provable in* **CLIK***.*

*Example 6.* We show how to build a countermodel for the formula $(\Diamond p \supset \Box q) \supset \Box(p \supset q)$, which is not provable in **CCLIK**. Ignoring the first step, we initialize the derivation with $\Diamond p \supset \Box q \Rightarrow \Box(p \supset q)$. By backward application of rules, one branch of the derivation ends up with the following saturated sequent

$$S_0 = \Diamond p \supset \Box q \Rightarrow \Box (p \supset q), \Diamond p, [\Rightarrow p \supset q, p, \langle p \Rightarrow q \rangle]$$

and we further let $S_1 = {} \Rightarrow p \supset q, p, \langle p \Rightarrow q \rangle$ while $S_2 = p \Rightarrow q$. We then get the model $\mathcal{M}^{S_0} = (W, \leq, R, V)$ where

– $W = \{x_{S_0}, x_{S_1}, x_{S_2}\}$;
– $x_{S_1} \leq x_{S_2}$, $x_{S_0} \leq x_{S_0}$, $x_{S_1} \leq x_{S_1}$, $x_{S_2} \leq x_{S_2}$;
– $R\,x_{S_0} x_{S_1}$;
– $V(p) = \{x_{S_2}\}$ and $V(q) = \emptyset$.

It is easy to see that $x_{S_0} \nVdash (\Diamond p \supset \Box q) \supset \Box(p \supset q)$.

Next, we consider the completeness of **CCLIKD** and **CCLIKT**. We consider the model $\mathcal{M}^S = (W^S, \leq^S, R^S, V^S)$ for a global-saturated sequent S in either calculus, where $W^S$, $\leq^S$ and $V^S$ are as in Definition 23 and $R^S$ is modified as follows:


Trivially, the relation $R^S$ is serial or reflexive according to whether we are in **CLIKD** or in **CLIKT**; moreover, the models for **CCLIKD** and **CCLIKT** still satisfy (FC) and (DC). Finally,

**Theorem 7 (Completeness of CCLIKD and CCLIKT).** *If* A *is valid in* **LIKD** (*resp.* **LIKT**)*, then* A *is provable in* **CCLIKD** (*resp.* **CCLIKT**)*.*

## **6 Conclusion**

We studied **LIK**, the basic intuitionistic modal logic with locally defined modalities as well as some of its extensions. In further research, we intend to investigate both axiomatizations and calculi of extensions to the whole modal cube. For instance, we would like to provide a (terminating) calculus for the **S4** extension of **LIK** (the logic is studied in [1]). Since **LIK** is incomparable with **IK**, we may also wonder what the "super" intuitionistic modal logic obtained by combining both is. Our broader goal is to establish a framework of axiomatization and uniform calculi for a wide range of **IML**s, including other natural variants that have been little studied or remain entirely unexplored so far.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Non-iterative Modal Resolution Calculi**

Dirk Pattinson¹(B) and Cláudia Nalon²

¹ School of Computing, The Australian National University, Canberra, Australia dirk.pattinson@anu.edu.au

² Department of Computer Science, University of Brasília, Brasília, Brazil nalon@unb.br

**Abstract.** Non-monotonic modal logics are typically interpreted over neighbourhood frames. For unary operators, this is just a set of worlds, together with an endofunction on predicates (subsets of worlds). It is known that all systems of not necessarily monotonic modal logics that are axiomatised by formulae of modal rank at most one (non-iterative modal logics) are Kripke-complete over neighbourhood semantics. In this paper, we give a uniform construction to obtain complete resolution calculi for all non-iterative logics. We show completeness for generative calculi (where new clauses with new literals are added to the clause set) by means of a canonical model construction. We then define absorptive calculi (where new clauses are generated by generalised resolution rules) and establish completeness by translating between generative and absorptive calculi. Instances of our construction re-prove completeness for already known calculi, but also give rise to a number of previously unknown complete calculi.

**Keywords:** Modal Logics · Automated Reasoning · Resolution

# **1 Introduction**

There are two standard ways to define modal logics. The *syntactic* approach specifies a logic by means of its axioms and proof rules. One way of defining the modal logic K is as the least set of formulae that contains all instances of propositional tautologies and the K-axioms, and is closed under modus ponens and necessitation. Alternatively, we can take a *semantic* approach, and define a logic as the set of formulae that is valid over a given class of frames. For the modal logic K, this is typically the class of formulae valid over all Kripke frames, but we can alternatively define K as the class of all formulae that are valid in all neighbourhood frames where neighbourhoods are closed under finite intersections. More often than not, the frame class under consideration is also described using logical formulae as axioms.

No matter whether we take a syntactic or semantic approach, the questions remain the same: can we define a proof calculus that allows us to derive all formulae of the logic? Can we decide whether a formula is in the logic?

In this paper, we answer these questions uniformly for the class of all *non-iterative* modal logics and *resolution calculi*. Non-iterative logics are defined (either syntactically or semantically) by axioms without nesting of modal operators. While this excludes e.g. logics with (generalised) transitivity axioms, it still covers a large class of specimens. Examples include various classical modal logics of Chellas [8], all standard conditional logics treated in [19], extensions of the modal logic K with reflexivity, seriality and functionality [6], graded and probabilistic modal logic [13,14], Pauly's coalition logic [22], a variety of deontic logics [24] and logics of agency [11]. For all these logics, we construct a complete resolution system that can be turned into a decision procedure. From a syntactic viewpoint, we cannot restrict ourselves to normal modal logics. That is, our basic modal systems will only include modal congruence (from φ ↔ ψ infer □φ ↔ □ψ, or its multi-argument, multi-modal generalisation). Consequently, on the semantic side, we adopt neighbourhood semantics as the most general semantic framework. For this semantics, Lewis [16] has already shown that non-iterative logics are complete with respect to the class of neighbourhood frames that are defined by their axioms. Here, completeness is understood with respect to a Hilbert-style system, where deduction is defined as the closure of propositional tautologies and axioms under substitution, modus ponens, and modal congruence. We use the same classes of frames (that are defined by modal axioms), and show that our resolution systems are complete with respect to these frames. Considering the same semantics, this builds a bridge between syntactically defined logics and the resolution systems that we introduce.

Our technical contribution is the definition, and analysis, of two different types of resolution calculi for each non-iterative logic. The first system, which we call *generative*, extends propositional resolution with modal rules that produce new clauses with possibly new modal literals. For example, the modal congruence rule above introduces the clause ¬□p ∨ □q, i.e. □p → □q, in contrast to more standard calculi that are based on resolving conflicting literals. In these calculi, which we call *absorptive*, the modal congruence rule would identify □p and ¬□q as conflicting and, assuming that p and q are equivalent, adds the clause D ∨ E if D ∨ □p and E ∨ ¬□q are already derived. The reason for introducing both calculi is technical: generative calculi are much better suited to the canonical model construction that we use to prove completeness. In particular, maximally consistent sets behave in the expected way (they contain every literal or its negation). On the other hand, absorptive calculi are the calculi *de rigueur*, and by transforming generative proofs into absorptive proofs we obtain completeness for absorptive calculi by translation.

Methodologically, we make an interesting, but not entirely unexpected, discovery. While in propositional logic we can derive completeness of resolution directly from completeness of a cut-free sequent calculus (e.g. [10]), this method *fails* for modal logic: for example, the set Φ = {p, ¬p ∨ q, □p, ¬□q} is evidently satisfiable (at a world, in a neighbourhood or Kripke model), but Φ ⊢ ⊥ in a sequent calculus for classical (or normal) modal logic where the Δ ∈ Φ are treated as additional axioms or initial sequents. Because the additional initial sequents Φ play the role of *global assumptions*, Φ ⊢ Γ means that Γ is valid in all models where all Δ ∈ Φ are true globally (at *all* worlds). Hence Φ ⊢ ⊥, as there is no model where all φ ∈ Φ are globally true. Despite the fact that we do not obtain a resolution calculus *directly* from a sequent calculus (by forgetting the propositional rules), both calculi are still closely related. To ensure *completeness* of the resolution systems, we employ the same technical condition that guarantees *cut elimination* in sequent calculi: in both cases, we require that modal rules are *cut-closed*, i.e. two applications of modal rules, followed by a resolution step between their conclusions, can be replaced by a single modal rule (whose premisses are derivable from the premisses of the original rules). In cut-elimination proofs, this is what allows us to propagate cut towards the leaves of a proof tree. For resolution calculi, this property ensures that a consistent set remains consistent if we extend the language: an inconsistency in the larger system would involve new variables, and cut-closure allows us to eliminate them. We discuss this phenomenon further in the conclusion.

*Related Work.* As far as we are aware, our paper is the first to study the construction of resolution calculi from a more general perspective, i.e. focusing on properties such as non-iterative axioms rather than on concretely given logical systems. There is a large body of work on resolution calculi for normal modal logics [1–3,7,9,12,17,18], but [20] appears to be the only paper on modal resolution for non-normal calculi. All of the above approaches focus on concretely given calculi, in contrast to this paper, which uniformly applies to all calculi with non-iterative axioms. The notion of cut-closure has been used to construct cut-free sequent calculi in [21]. Indeed, the results of *op. cit.* give complete, cut-free sequent calculi that have precisely the same modal rules as our generative systems. Of course, we are not the first to observe this deep relationship between sequent calculi and resolution, although our paper appears to be the first that follows a semantic route to directly establish completeness of resolution. Avron [4] has discussed the relationship between resolution and sequent calculi for propositional and first-order logic, and Mints [17] has considered modal calculi; both from the perspective of syntactic translation. To our knowledge, there is no work that relates sequent calculi and resolution for non-normal modal logics, or on methods that apply to a range of logics in a uniform way.

#### **2 Preliminaries**

**Definition 1.** Let V be a set of propositional variables that we fix throughout. The language L of modal logic is given by the grammar

$$\mathcal{L} \ni \phi ::= p \mid \neg \phi \mid \phi \lor \phi \mid \Box \phi$$

where p ∈ V. A *substitution* is a mapping σ : V → L, and we denote the result of uniformly substituting each p ∈ V with σ(p) in a formula φ by φσ. A *global formula* is of the form G(φ) where φ is a formula. Propositional and modal literals are given by PL(V) = {p, ¬p | p ∈ V} and ML(V) = {□p, ¬□p | p ∈ V}, respectively. We denote the set of literals over V by Lit(V) = PL(V) ∪ ML(V). Two literals are *disparate* if the variables that occur in them are different. A *clause* is a finite disjunction of (propositional or modal) literals. We identify a clause with the set of its literals, and sometimes say that a literal is an element of a clause, or write $D_0 \subseteq D_1$ to indicate that clause $D_0$ is a subclause of $D_1$. In particular, we consider two clauses as equal if they have the same literals. A clause is *propositional* if all its literals are propositional. We distinguish local clauses, written $l_1 \lor \cdots \lor l_n$, and *global clauses*, written $\mathsf{G}(l_1 \lor \cdots \lor l_n)$. We sometimes refer to formulae and clauses as *local formulae* or *local clauses* to emphasise the distinction from their global counterparts. We write $\mathrm{Cl}(V) = \{l_1 \lor \cdots \lor l_n \mid l_1, \dots, l_n \in \mathrm{Lit}(V)\}$ for the set of clauses with literals in Lit(V).

The following notion of truth distinguishes local and global clauses.

**Definition 2.** A *neighbourhood frame* is a pair (W, N) where W is a set (of worlds) and N : W → PP(W) is a (neighbourhood) function where P(X) denotes the powerset of a set X. A *neighbourhood model* is a triple (W, N, θ) where (W, N) is a neighbourhood frame, and θ : V → P(W) is a (valuation) function. We say that the model (W, N, θ) is *based* on the frame (W, N). Truth w |= φ of a formula φ at a world w ∈ W is given by

$$\begin{aligned} w \models p &\text{ iff } w \in \theta(p) & w \models \neg\phi &\text{ iff } w \not\models \phi \\ w \models \phi \lor \psi &\text{ iff } w \models \phi \text{ or } w \models \psi & w \models \Box\phi &\text{ iff } [\![\phi]\!] \in N(w) \end{aligned}$$

where $[\![\phi]\!] = \{w \in W \mid w \models \phi\}$ is the truth set of φ ∈ L. We occasionally write M, w ⊨ φ or even (W, N, θ), w ⊨ φ if we want to emphasise the (carrier of the) model. This defines the interpretation of local formulae and clauses. For global formulae and clauses, we have w ⊨ G(φ) iff w' ⊨ φ for all w' ∈ W. We use standard terminology, and write (W, N, θ) ⊨ φ if (W, N, θ), w ⊨ φ for all w ∈ W, and (W, N) ⊨ φ if (W, N, θ) ⊨ φ for all θ : V → P(W). If 𝓕 is a class of neighbourhood frames, we write 𝓕 ⊨ φ if F ⊨ φ for all frames F ∈ 𝓕. A formula φ is *satisfiable* in a class 𝓕 of neighbourhood frames if there is a neighbourhood model (W, N, θ) with (W, N) ∈ 𝓕 and w ∈ W such that (W, N, θ), w ⊨ φ; otherwise, φ is *unsatisfiable* in 𝓕. The notion of (un)satisfiability is extended as usual to sets of formulae.

It is standard that every formula can be converted to an equi-satisfiable set of global and local clauses in linear time.

**Proposition 3 (Normal Form** [20]**).** *Every (local or global) formula can be converted to an equisatisfiable set of (global and local) clauses.*

*Proof.* Let φ ∈ L be a formula and p ∈ V be a fresh propositional variable (that does not occur in φ). We write R(p ≡ φ) for R(p)(φ), where the function $R : V \to \mathcal{L} \to \mathcal{P}(\mathrm{Cl}(V))$ is given by

$$\begin{aligned} R(p \equiv \phi_1 \land \phi_2) &= R(p_1 \equiv \phi_1) \cup R(p_2 \equiv \phi_2) \cup \{\neg p \lor p_1,\ \neg p \lor p_2,\ \neg p_1 \lor \neg p_2 \lor p\} \\ R(p \equiv \phi_1 \lor \phi_2) &= R(p_1 \equiv \phi_1) \cup R(p_2 \equiv \phi_2) \cup \{\neg p \lor p_1 \lor p_2,\ \neg p_1 \lor p,\ \neg p_2 \lor p\} \\ R(p \equiv \Box\phi) &= R(q \equiv \phi) \cup \{\neg p \lor \Box q,\ \neg\Box q \lor p\} \\ R(p \equiv \neg\phi) &= R(q \equiv \phi) \cup \{\neg p \lor \neg q,\ q \lor p\} \end{aligned}$$

where, in each of the clauses, $p_1$, $p_2$ and q are fresh (the two clauses of the last case express p ↔ ¬q). It is a routine induction to show that φ and {p} ∪ {G(D) | D ∈ R(p ≡ φ)} are equi-satisfiable when p does not occur in φ. The same holds for G(φ) and {G(p)} ∪ {G(D) | D ∈ R(p ≡ φ)}.
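As an added example (not code from the paper), the following Python implements the transformation R(p ≡ φ) above for formulas built from variables, ¬, ∨, ∧ and □, and returns the global clauses together with the local unit clause {p} (or the global unit G(p) for a global formula). The literal encoding ("[]q" for □q, "~[]q" for ¬□q), the fresh-name scheme d0, d1, ... and the base case R(p ≡ x) for a variable x, which the page does not spell out, are assumptions of this example; the base case simply emits the two clauses for p ↔ x.

```python
# Added example (not from the paper): the normal-form transformation R(p ≡ φ)
# of Proposition 3.  Formulas are nested tuples ("var", x), ("not", f),
# ("or", f, g), ("and", f, g), ("box", f).  Literals are strings: "x", "~x",
# "[]x" for □x and "~[]x" for ¬□x (encoding assumed here).  A clause is a
# frozenset of literals.
from itertools import count


class Namer:
    """Hands out fresh variables d0, d1, ... that do not occur in the input."""

    def __init__(self, taken):
        self._taken = set(taken)
        self._ids = count()

    def fresh(self):
        while True:
            v = f"d{next(self._ids)}"
            if v not in self._taken:
                self._taken.add(v)
                return v


def variables(f):
    """Propositional variables occurring in a formula."""
    if f[0] == "var":
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:]))


def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def R(p, f, namer):
    """Global clauses expressing p <-> f, naming every proper subformula."""
    kind = f[0]
    if kind == "var":                       # base case (assumed): p <-> x
        x = f[1]
        return {frozenset({neg(p), x}), frozenset({neg(x), p})}
    if kind == "not":                       # p <-> ~q : (~p | ~q), (p | q)
        q = namer.fresh()
        return R(q, f[1], namer) | {frozenset({neg(p), neg(q)}), frozenset({p, q})}
    if kind == "box":                       # p <-> []q : (~p | []q), (~[]q | p)
        q = namer.fresh()
        return R(q, f[1], namer) | {frozenset({neg(p), "[]" + q}),
                                    frozenset({"~[]" + q, p})}
    p1, p2 = namer.fresh(), namer.fresh()
    sub = R(p1, f[1], namer) | R(p2, f[2], namer)
    if kind == "and":                       # p <-> p1 & p2
        return sub | {frozenset({neg(p), p1}), frozenset({neg(p), p2}),
                      frozenset({neg(p1), neg(p2), p})}
    if kind == "or":                        # p <-> p1 | p2
        return sub | {frozenset({neg(p), p1, p2}), frozenset({neg(p1), p}),
                      frozenset({neg(p2), p})}
    raise ValueError(f"unknown connective {kind!r}")


def clausify(f, global_formula=False):
    """Return (global_clauses, local_clauses) equisatisfiable with f, or with
    G(f) when global_formula is set, following the proof of Proposition 3."""
    namer = Namer(variables(f))
    p = namer.fresh()
    glob = R(p, f, namer)
    unit = frozenset({p})
    if global_formula:
        return glob | {unit}, set()
    return glob, {unit}


def is_clause_form(clauses):
    """Check the invariant that non-iterative reasoning relies on: every modal
    literal is a box (or negated box) applied directly to a variable."""
    return all(l.removeprefix("~").removeprefix("[]").isalnum()
               for c in clauses for l in c)
```

For φ = □(p ∨ ¬q) the call `clausify(φ)` names the four proper subformulas d1 ... d4 (d0 is the top-level name), yields eleven global clauses, and the only modal literals are []d1 and ~[]d1, so the box applies to a variable, as Proposition 3 requires.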

## **3 Non-iterative Logics and Their Calculi**

**Definition 4.** A formula φ ∈ L is *non-iterative* if, for every subformula □ψ of φ, the formula ψ is purely propositional, i.e. does not contain a modal operator. If Ax is a set of (not necessarily non-iterative) formulae, then Frm(Ax) is the class of neighbourhood frames (W, N) such that (W, N) ⊨ φ for all φ ∈ Ax.

A *rule* is an (n+1)-tuple $(\phi_1, \dots, \phi_n, \phi_0)$, written as $\phi_1 \dots \phi_n / \phi_0$, where the $\phi_i$ are formulae, $\phi_1, \dots, \phi_n$ are the *premisses*, and $\phi_0$ is the *conclusion*. It is *non-iterative* if all the premisses are propositional clauses, and the conclusion is a (not necessarily propositional) clause. If Rl is a set of (not necessarily non-iterative) rules, then Frm(Rl) is the class of neighbourhood frames (W, N) such that $(W, N, \theta) \models \phi_0$ whenever $(W, N, \theta) \models \phi_i$ for all i = 1, ..., n, for all θ : V → P(W).

A set Ax of formulae (thought of as axioms) and a set Rl of rules are *equivalent* if they define the same frames, i.e. Frm(Ax) = Frm(Rl).

It is easy to convert between non-iterative rules and axioms [23].

**Definition 5.** We write cnf(φ) for a (chosen) conjunctive normal form of a formula φ. The rules *induced* by the non-iterative axiom φ are the rules induced by the (non-iterative) clauses $\gamma_1, \dots, \gamma_n$ that constitute the conjunctive normal form of φ, that is, $\mathrm{cnf}(\phi) = \gamma_1 \land \cdots \land \gamma_n$.

A non-iterative clause $\gamma = l_1 \lor \cdots \lor l_m \lor \heartsuit\phi_1 \lor \cdots \lor \heartsuit\phi_n$ induces the rule $\iota(\gamma) = \delta_1 \dots \delta_k / l_1 \lor \cdots \lor l_m \lor \heartsuit p_1 \lor \cdots \lor \heartsuit p_n$, where $p_1, \dots, p_n$ are pairwise distinct, fresh propositional variables, each occurrence of ♥ is one of □ or ¬□, and $\delta_1 \land \cdots \land \delta_k$ is a conjunctive normal form of $(p_1 \leftrightarrow \phi_1) \land \cdots \land (p_n \leftrightarrow \phi_n)$.

If, on the contrary, $\rho = \gamma_1 \dots \gamma_n / \gamma_0$ is a non-iterative rule, the *axiom* induced by ρ is $\iota(\rho) = \gamma_0\sigma$, where σ is the most general unifier of $\gamma_1 \land \cdots \land \gamma_n$.

The above construction ensures that induced axioms and rules are equivalent in the sense of Definition 4.

**Proposition 6.** *Every set* Ax *of axioms is equivalent to the set* {ι(α) | α ∈ Ax} *of induced rules, and every set* Rl *of non-iterative rules is equivalent to the set* {ι(ρ) | ρ ∈ Rl} *of induced axioms.*

In examples, the situation is as follows.

**Example 7.** The classical modal logic E is defined by the empty set of (extra) axioms, which induces an empty set of rules. The K-axiom □(p → q) → (□p → □q) induces the rule ¬r ∨ ¬p ∨ q, p ∨ r, ¬q ∨ r / ¬□r ∨ ¬□p ∨ □q. In the presence of the congruence rule, necessitation can be replaced by the axiom □⊤, which gives the rule p / □p. One can show that the (simplified) set of rules N = {¬p ∨ ¬q ∨ r / ¬□p ∨ ¬□q ∨ □r; p / □p}, as well as the set $S = \{\neg p_1 \lor \cdots \lor \neg p_n \lor p_0 / \neg\Box p_1 \lor \cdots \lor \neg\Box p_n \lor \Box p_0 \mid n \geq 0\}$, are equivalent to the K-axiom and □⊤. We call N and S the *non-standard* and *standard* rules for K. As we demonstrate in Example 19, the non-standard rules will not give us completeness, as they are not cut-closed (Definition 20).

As our calculi apply to *all* non-iterative logics, we are parametric in a set of (non-iterative) rules. For a set Rl of rules, we define a *generative* calculus that adds new clauses with possibly new literals, and an *absorptive* variant, where clauses are combined and conflicting literals are removed.

**Definition 8.** Let Rl be a set of non-iterative rules. The rules

$$\frac{D \lor l \qquad D' \lor \neg l}{D \lor D'} \qquad \frac{\mathsf{G}(D)}{D} \qquad \frac{\mathsf{G}(D \lor l) \qquad \mathsf{G}(D' \lor \neg l)}{\mathsf{G}(D \lor D')} \qquad \frac{\neg p \lor q \qquad p \lor \neg q}{\neg\Box p \lor \Box q}$$

are called *local resolution* (LR), the *global-local rule* (GL), *global resolution* (GR), and the *modal congruence rule* (MC), respectively. We write $\mathrm{Rl}^C = \mathrm{Rl} \cup \{(\mathsf{MC})\}$ for the extension of Rl with the modal congruence rule.

The *generative calculus* given by Rl has the rules (GR), (GL), (LR) and all rules

$$\frac{\mathsf{G}(D_1^s) \qquad \dots \qquad \mathsf{G}(D_n^s)}{\mathsf{G}(D_0)}$$

for which $D_1 \dots D_n / D_0 \in \mathrm{Rl}^C$ and $D_1^s, \dots, D_n^s$ are subclauses of $D_1, \dots, D_n$. The *absorptive calculus* defined by Rl has the rules (GR), (GL), (LR) and the rules

$$\frac{\mathsf{G}(D_1^s) \quad \dots \quad \mathsf{G}(D_n^s) \quad \mathsf{G}(E_1 \lor \neg l_1) \quad \dots \quad \mathsf{G}(E_k \lor \neg l_k)}{\mathsf{G}(E_1 \lor \dots \lor E_k)} \qquad \frac{\mathsf{G}(D_1^s) \quad \dots \quad \mathsf{G}(D_n^s) \quad E_1 \lor \neg l_1 \quad \dots \quad E_k \lor \neg l_k}{E_1 \lor \dots \lor E_k}$$

where $D_1 \dots D_n / D_0 \in \mathrm{Rl}^C$ with $D_0 = l_1 \lor \dots \lor l_k$, and $D_i^s \subseteq D_i$ is a subclause of $D_i$, for all i = 1, ..., n.

If Γ is a set of local and global clauses, we write $\Gamma^{\mathsf{G}}$ (resp. $\Gamma^{\mathsf{A}}$) for the least set of (local and global) clauses that contains Γ and is closed under all instances of the rules of the generative (resp. absorptive) calculus defined by Rl. We write $\Gamma \vdash_{*} \gamma$ if $\gamma \in \Gamma^{*}$, for ∗ = G, A.

Generative and absorptive calculi serve a different purpose: we are going to prove semantic completeness for generative calculi, and then show that derivation in absorptive calculi can be translated to generative calculi, thus establishing completeness for absorptive calculi as well. In particular, we only consider notions like maximal consistency for generative calculi.

**Example 9.** The modal logic E just has the congruence rule. The generative and the (local) absorptive version of the congruence rule are

$$(\mathsf{GC})\ \frac{\mathsf{G}(D_0) \qquad \mathsf{G}(D_1)}{\mathsf{G}(\neg\Box p \lor \Box q)} \qquad (\mathsf{ACL})\ \frac{\mathsf{G}(D_0) \quad \mathsf{G}(D_1) \quad C_1 \lor \Box p \quad C_2 \lor \neg\Box q}{C_1 \lor C_2}$$

where $D_0 \subseteq \neg p \lor q$ and $D_1 \subseteq \neg q \lor p$ are subclauses. In the global version (ACG) of the absorptive rule, all clauses of the rightmost rule are under a global modality. For the standard rule set of modal K, the generative version looks like the sequent rule on the left

$$\frac{\mathsf{G}(D)}{\mathsf{G}(\neg\Box p_1 \lor \cdots \lor \neg\Box p_n \lor \Box p_0)} \qquad \frac{\mathsf{G}(D) \quad D_1 \lor \Box p_1 \quad \dots \quad D_n \lor \Box p_n \quad D_0 \lor \neg\Box p_0}{D_1 \lor \cdots \lor D_n \lor D_0}$$

with the local absorptive rule on the right. Again $D \subseteq \neg p_1 \lor \cdots \lor \neg p_n \lor p_0$ is a subclause, and all clauses are under a global modality in the global absorptive variant of the rule.

It is easy to see that both the generative and the absorptive calculus are sound.

**Proposition 10 (Soundness).** *Let* Rl *be a set of non-iterative rules. Then* $\Gamma \vdash_{*} \bot$*, for* ∗ = G, A*, only if* Γ *is unsatisfiable in the class* Frm(Rl) *of* Rl*-frames.*

*Proof.* We show, by induction on $\Gamma \vdash_{*} \gamma$, that γ is true wherever Γ is (at the same world of the same Rl-model); as ⊥ is true nowhere, $\Gamma \vdash_{*} \bot$ leaves no model for Γ.

In particular, if Rl is equivalent to a set Ax of non-iterative axioms, the calculus Rl is sound with respect to Frm(Ax). We collect some elementary results on the calculi just introduced. The most important one is the trichotomy theorem for generative calculi:

**Theorem 11 (Trichotomy).** *Let* l *be a modal or propositional literal, let* Φ *be a set of local and global clauses, and* D *a local clause with* $\Phi \cup \{l\} \vdash_{\mathsf{G}} D$*. Then (1)* D = l*, or (2)* $\Phi \vdash_{\mathsf{G}} D$*, or (3)* $\Phi \vdash_{\mathsf{G}} D \lor \neg l$*.*

*Proof.* By induction on the proof of $\Phi \cup \{l\} \vdash_{\mathsf{G}} D$. Note that the format of the rules guarantees that $\Phi \vdash_{\mathsf{G}} \mathsf{G}(D)$ whenever $\Phi \cup \{l\} \vdash_{\mathsf{G}} \mathsf{G}(D)$, as rules with global conclusions only have global premisses.

**Remark 12.** The trichotomy fails for absorptive calculi. Over the empty set of rules Rl = ∅, i.e. for the modal logic E, consider Φ = {G(¬p ∨ q), G(¬q ∨ p), ¬□q}. Then $\Phi \cup \{\Box p\} \vdash_{\mathsf{A}} \bot$ (by (ACL) with empty $C_1$ and $C_2$), but neither ⊥ = □p nor $\Phi \vdash_{\mathsf{A}} \bot$ nor $\Phi \vdash_{\mathsf{A}} \neg\Box p$ holds.

The trichotomy property is a stepping stone to proving negation completeness for maximally consistent sets. As trichotomy fails for absorptive calculi, negation completeness, too, is only established for generative calculi.

**Definition 13.** Let G be a set of global clauses over a (finite or infinite) set V of variables, and let Φ be a set of local clauses over the same set of variables. Then Φ is G*-inconsistent* if $G \cup \Phi \vdash_{\mathsf{G}} \bot$, and G*-consistent* otherwise. The set Φ is G*-maximally consistent* if Φ is G-consistent and, for every clause D ∈ Cl(V) with D ∉ Φ, the set Φ ∪ {D} is G-inconsistent.

Technically speaking, it would be more appropriate to speak of generatively (maximally) consistent sets, but we elide the qualifier 'generative' as we never consider these notions for absorptive calculi.

**Lemma 14.** *Let* M *be* G*-maximally consistent and* l *be a (propositional or modal) literal. Then* l ∈ M *or* ¬l ∈ M*.*

*Proof.* If neither l ∈ M nor ¬l ∈ M, then $M \cup \{l\} \vdash_{\mathsf{G}} \bot$ and $M \cup \{\neg l\} \vdash_{\mathsf{G}} \bot$ by maximality. By the trichotomy lemma (with D = ⊥), either $M \vdash_{\mathsf{G}} \bot$ outright, or $M \vdash_{\mathsf{G}} \neg l$ and $M \vdash_{\mathsf{G}} l$, which resolve to ⊥; either way $M \vdash_{\mathsf{G}} \bot$, contradicting the consistency of M.

Moreover, this gives a characterisation of maximally consistent sets as given by a set of singleton clauses.

**Lemma 15.** *Let* G *be a set of global clauses over a set* $V_0$ *of propositional variables. Let* $L \subseteq V_0 \cup \{\Box p \mid p \in V_0\}$ *be a set of positive literals, and* $L^{\neg} = L \cup \{\neg l \mid l \in (V_0 \cup \{\Box p \mid p \in V_0\}) \setminus L\}$*. Then there is a 1-1 correspondence*

$$\{M \mid M \text{ is } G\text{-maximally consistent}\} \xrightarrow{\ f\ } \{L \subseteq V_0 \cup \{\Box p \mid p \in V_0\} \mid L^{\neg} \text{ is } G\text{-consistent}\}$$

*given by* $f(M) = M \cap (V_0 \cup \{\Box p \mid p \in V_0\})$ *from left to right, and* $f^{-1}(L) = \{D \lor l \mid D \in \mathrm{Cl}(V_0),\ l \in L^{\neg}\}$*. Moreover,* M *and* $f(M)^{\neg}$ *are logically equivalent.*

The trichotomy law also allows us to show a limited form of deductive completeness for propositional resolution, which is known in the literature as consequence completeness [15], although our proof appears to be new. We state the theorem for the generative calculi of Definition 8. It evidently remains true for propositional resolution.

**Lemma 16.** *Let* Φ *be a set of local clauses, and let* D *be a local clause with pairwise disparate literals such that* ⋀Φ → D *is a propositional tautology. Then there is a subclause* $D_0 \subseteq D$ *of* D *such that* $\Phi \vdash_{\mathsf{G}} D_0$*.*

*Proof.* We use completeness of propositional resolution (which is the only rule applicable) and assume that $D = l_1 \lor \cdots \lor l_n$ with the $l_i$ pairwise disparate. If ⋀Φ → D is a tautology, then $\Phi \cup \{\neg l_1, \dots, \neg l_n\}$ is unsatisfiable. By completeness of propositional resolution, $\Phi \cup \{\neg l_1, \dots, \neg l_n\} \vdash_{\mathsf{G}} \bot$. Repeated application of the trichotomy lemma yields a subclause $D_0 \subseteq D$ such that $\Phi \vdash_{\mathsf{G}} D_0$.

**Remark 17.** The above lemma fails without the assumption that the literals that occur in D are pairwise disparate. Take for example Φ = ∅ and D = q ∨ ¬q. Then clearly ⋀Φ → q ∨ ¬q is a tautology, but $\Phi \vdash_{\mathsf{G}} q \lor \neg q$ is false. The reason is that the repeated application of the trichotomy lemma fails: we have $\Phi \cup \{q\} \cup \{\neg q\} \vdash_{\mathsf{G}} \bot$. Hence by trichotomy, either $\Phi \cup \{q\} \vdash_{\mathsf{G}} \bot$, or $\Phi \cup \{q\} \vdash_{\mathsf{G}} q$, as ¬q = ⊥ is impossible. In the first case, we can apply trichotomy again. In the second, another application leaves the evident possibility that q = q.

## **4 Completeness**

Throughout the section, we fix a set Rl of non-iterative rules. Our first goal is to show completeness for the generative calculus. That is, if Φ is a finite and consistent set of local and global clauses, then Φ is satisfiable in Frm(Rl).

As Φ is finite, only a finite number of variables appear in (clauses in) Φ. Our construction has two stages. We start with a finite set $V_0$ of propositional variables. This allows us to consider maximally consistent sets of clauses over $V_0$. We then extend the language with new variables $V_1$. The purpose of these new variables is to give names to collections of maximally consistent sets. For example, for every maximally consistent set M we will have a variable $p_M$ that is equivalent to ⋀M, and for a set S of maximally consistent sets we add a variable $p_S$ that is equivalent to $\bigvee_{M \in S} p_M$.

**Definition 18.** Let $V_0$ be a finite set of variables, and $G_0$ be a finite set of global clauses over variables in $V_0$. The *extension* of $V_0$ and $G_0$ are the sets $V_1$ of variables and $G_1$ of global clauses, where the set $V_1$ extends $V_0$ with a fresh variable $p_D$ for every clause $D \in \mathrm{Cl}(V_0)$, a fresh variable $p_M$ for every $G_0$-maximally consistent set M of clauses over $V_0$, and a fresh variable $p_S$ for every set S of such sets.

The set $G_1$ extends $G_0$ with the clauses G(E) where E is in one of the following:

$$\begin{array}{l} \{\neg p_S \lor \bigvee_{M \in S} p_M\} \cup \{\neg p_M \lor p_S \mid M \in S\}, \text{ to express that } p_S \leftrightarrow \bigvee_{M \in S} p_M; \\ \{\bigvee_{D \in M} \neg p_D \lor p_M\} \cup \{\neg p_M \lor p_D \mid D \in M\}, \text{ to express that } p_M \leftrightarrow \bigwedge_{D \in M} p_D; \\ \{\neg p_D \lor D\} \cup \{\neg l \lor p_D \mid l \in D\}, \text{ to express that } p_D \leftrightarrow D. \end{array}$$

We let $W_i = \{M \subseteq \mathrm{Cl}(V_i) \mid M \text{ is } G_i\text{-maximally consistent}\}$, defining two sets of maximally consistent sets of clauses: $W_0$ consists of maximally consistent sets of clauses over the original variables $V_0$, and $W_1$ of maximally consistent sets over the extended language.

To define the structure of the canonical model, we would like to extend every $G_0$-maximally consistent set M to a $G_1$-maximally consistent set $\hat{M}$, and define $N_0(M) = \{S \subseteq W_0 \mid p_S \in \hat{M}\}$. While this would allow us to establish that the frame conditions (defined by the rules of the calculus) hold, it is not true that every $G_0$-consistent set is $G_1$-consistent.

**Example 19.** Let <sup>V</sup><sup>0</sup> <sup>=</sup> {p, q, r, s} and consider generative rules corresponding to the nonstandard rules for K from Example 7, that is

$$\frac{\mathsf{G}(D)}{\mathsf{G}(\neg\square p \lor \neg\square q \lor \square r)}(D \subseteq \neg p \lor \neg q \lor r) \qquad \frac{\mathsf{G}(D)}{\mathsf{G}(\square p)}(D \subseteq p)$$

Consider the set G<sup>0</sup> = {¬p∨¬q∨¬r∨s} and let H = {p, q, r,¬s}. Then H is G0-consistent (no resolution rule can be applied), but it is not G1-consistent. If S = {M ∈ W<sup>0</sup> | {p, q} ⊆ M}, then p<sup>S</sup> is equivalent to p ∧ q under G1. Hence we have that G<sup>1</sup> <sup>G</sup> G(¬p ∨ ¬q ∨ pS), and also G<sup>1</sup> <sup>G</sup> G(¬p<sup>S</sup> ∨ ¬r ∨ s). Applying the K-rule to both, we obtain G(¬p ∨ ¬q ∨ pS) and G(¬p<sup>S</sup> ∨ ¬r ∨ s). Applying resolution, and converting to a local clause, we have that G<sup>1</sup> <sup>G</sup> ¬p∨ ¬q ∨ ¬r ∨ s so that H is clearly G1-inconsistent.

The key here is that in $G^1$ we have more propositional variables and defining axioms that allow us to make more modal deductions. The crucial point in the above example is that we could apply the modal rule in two different ways, and then apply cut to the rule conclusions. Had we chosen the standard rules for K, i.e. $\neg p_1 \lor \cdots \lor \neg p_n \lor p_0 / \neg p_1 \lor \cdots \lor \neg p_n \lor p_0$ for all $n \geq 0$, the above set $H$ would not have been $G^0$-consistent. The requirement of *cut-closure* addresses this problem, and also ensures that $G^0$-consistency implies $G^1$-consistency.

**Definition 20.** Let Rl be a set of non-iterative rules. Then Rl is *cut-closed* if, for any two instances on the left

$$\frac{D\_1 \lor \cdots \lor D\_n}{l \lor D\_0} \quad \frac{E\_1 \lor \cdots \lor E\_m}{\neg l \lor E\_0} \qquad \leadsto \qquad \frac{F\_1 \lor \cdots \lor F\_k}{D\_0 \lor E\_0}$$

there exists a rule instance in $Rl$ (on the right) such that each $F_i$, for $i = 1, \dots, k$, is derivable from $\{D_1, \dots, D_n, E_1, \dots, E_m\}$ by propositional resolution.

Clearly, the paradigmatic example is the rule set of K.

**Example 21.** The nonstandard set of rules for K from Example 7 is not cut-closed: a cut between two instances of the binary K-rule gives a conclusion of the form $\neg p \lor \neg q \lor \neg r \lor \neg t$, which is clearly not an instance of any of the rules. We therefore need to generalise the rule to $\neg p_1 \lor \cdots \lor \neg p_n \lor p_0 / \neg p_1 \lor \cdots \lor \neg p_n \lor p_0$, i.e. the standard set of rules is cut-closed.

Crucially, cut-closed sets guarantee preservation of consistency.

**Lemma 22.** *Let $Rl$ be a cut-closed set of non-iterative rules, and let $G^0$ and $G^1$ be as in Definition 18. Then every $G^0$-consistent set is $G^1$-consistent.*

*Proof.* We use the fact that resolution is confluent, i.e. that we can change the order of resolution steps *ad libitum*. That is, given clauses $D \lor l_1 \lor l_2$, $\neg l_1 \lor E_1$ and $\neg l_2 \lor E_2$, we can resolve with $\neg l_1 \lor E_1$ first (to obtain $D \lor E_1 \lor l_2$) and then resolve with $\neg l_2 \lor E_2$ to get $D \lor E_1 \lor E_2$, which we also obtain if we change the order of resolution steps.

Now assume that $H$ is $G^0$-consistent, but $G^1$-inconsistent. Then the derivation of  from $G^1 \cup H$ needs to contain a modal rule, as the extension $G^1$ of $G^0$ is purely definitional.

Using the confluence property of resolution, we may permute resolution steps so that cuts between conclusions of modal rules are performed first. Using cut-closure, we can replace modal rules, and the cuts between their conclusions, by a single modal rule. We now claim that the ensuing proof is already a proof in $G^0$. This follows, as we can establish by induction that every proof that uses at least one $G^1$-axiom (with variables in $V_1 \setminus V_0$) has a clause with at least one variable in $V_0 \setminus V_1$ as a conclusion.

**Definition 23 (Canonical Model).** In the terminology of the previous definition and now assuming that $Rl$ is cut-closed, for $M \in W^0$, let $\hat{M} \in W^1$ be a maximally consistent extension of $M$, that is, we require that $M \subseteq \hat{M}$.

The *canonical model* over the set $G^0$ of global clauses and $V^0$ of variables is $\mathcal{M} = (W_0, N_0, \theta_0)$, where $\theta_0(p) = \{M \in W^0 \mid p \in M\}$ and $N_0(M) = \{S \subseteq W^0 \mid p_S \in \hat{M}\}$.

In the sequel, we fix $V^0$ and $G^0$ and speak of *the* canonical model. Maximally consistent sets are closed under resolution:

**Lemma 24.** *Let $G$ be a set of global clauses, and let $M$ be a $G$-maximally consistent set. Then $D \in M \iff M \vdash_G D$, and $D_1 \lor D_2 \in M$ whenever both $D_1 \lor \neg l$ and $D_2 \lor l \in M$.*

*Proof.* The second item is immediate from the first. Assume for a contradiction that $M \vdash_G D$ but $D \notin M$. If $D = l_1 \lor \cdots \lor l_n$, then $\neg l_1, \dots, \neg l_n \in M$. But then $M \vdash_G$ , contradicting the consistency of $M$.

The truth lemma requires us to establish the premisses of the modal rules. This is split into two lemmas.

**Lemma 25.** *Let $q \in V^0$ and let $S = q = \{M \in W^0 \mid q \in M\}$. Then $G^1 \vdash_G \mathsf{G}(\neg p_S \lor q)$.*

*Proof.* We have that $G^1 \vdash_G \mathsf{G}(\neg p_M \lor p_q)$ for all $M \in S$ by definition of $S$. We also have $G^1 \vdash_G \mathsf{G}(\neg p_S \lor \bigvee_{M \in S} p_M)$. By propositional resolution, we have $G^1 \vdash_G \mathsf{G}(\neg p_S \lor p_q)$. As we also have $\mathsf{G}(\neg p_q \lor q) \in G^1$ by construction, we apply resolution again to obtain $G^1 \vdash_G \mathsf{G}(\neg p_S \lor q)$.

The reverse implication is more difficult, and we need the following which essentially capitalises on the fact that all our rules with global conclusions have global premisses only.

**Lemma and Definition 26.** *Let $G$ be a set of global clauses. The* global closure *of $G$ is the set $G^G = \{\mathsf{G}(D) \mid G \vdash_G \mathsf{G}(D)\}$ of global clauses that are derivable from $G$. The* boundary *of $G$ is the set $G^B = \{D \mid \mathsf{G}(D) \in G^G\}$ of local clauses that are derived from their global counterpart. With this terminology, $G^B = \{D \mid G \vdash_G D\}$.*

*Proof.* This is immediate from the shape of the rules, as there are no rules with local premisses and global conclusions. It can be proved straightforwardly using induction on the derivation of $G \vdash_G D$.

**Lemma 27.** *Let $G$ be a set of global clauses, and suppose that $G \vdash_G D$ for a local clause $D$. Then also $G \vdash_G \mathsf{G}(D)$.*

*Proof.* By induction on the derivation of $D$. More precisely, we show that if $G \vdash_G C$ for a local or global clause $C$, then $G \vdash_G C_0$, where $C_0 = C$ if $C$ is global, and $C_0 = \mathsf{G}(C)$ if $C$ is local. The key here is that all rules that only deal with local clauses (propositional resolution) have a global counterpart.

The following is the companion to Lemma 25.

**Lemma 28.** *Let $q \in V^0$ and let $S = q = \{M \in W^0 \mid q \in M\}$. Then $G^1 \vdash_G \mathsf{G}(D)$ for a subclause $D \subseteq \neg q \lor p_S$.*

*Proof.* The formula $q \to \bigvee\{L^{\neg} \mid q \in L \subseteq V_0\}$ is a tautology. As any $G^1$-inconsistent set is inconsistent with $G_1^B$, the same applies to $q \land G_1^B \to \bigvee\{L^{\neg} \mid q \in L \subseteq V_0\ G^1\text{-consistent}\}$. By Lemma 15 we get that $q \land G_1^B \to \bigvee\{M \mid q \in M \in W_0\}$. As $p_S$ is equivalent to the last disjunction under $G_1^B$, we finally obtain that $q \land G_1^B \to p_S$ is a tautology. Lemma 26 then yields the claim.

This gives us enough ammunition to establish the truth lemma:

**Lemma 29 (Truth Lemma).** *In the canonical model, we have $D \in M \iff M \models D$, for all $M \in W^1$ and all local clauses $D$ over $V_0$.*

*Proof.* By Lemma 14 we just need to show the claim for singleton clauses. For propositional literals, this is immediate from the definition of the valuation $\theta$: we have $M \models p$ iff $M \in \theta(p)$ iff $p \in M$. For the modal case, we have to show that $q \in M$ iff $p_S \in \hat{M}$, where $S = q = \{M \in W^0 \mid q \in M\}$.

By Lemma 25 and Lemma 28, we have that $G^1 \vdash_G \mathsf{G}(D_0)$ and $G^1 \vdash_G \mathsf{G}(D_1)$, where $D_0$ is a subclause of $\neg p_S \lor q$ and $D_1$ is a subclause of $\neg q \lor p_S$. The modal rule allows us to conclude that $G^1 \vdash_G \mathsf{G}(\neg p_S \lor q)$ as well as $\mathsf{G}(\neg q \lor p_S)$.

We can now argue that $q \in M$ iff $q \in \hat{M}$ (as $M$ is $G^0$-maximally consistent and $M \subseteq \hat{M}$) iff $p_S \in \hat{M}$ (by resolving with the derivable clauses $\neg p_S \lor q$ and $\neg q \lor p_S$).

For completeness, we still need to establish that the canonical model satisfies all axioms in A. We use Lemma 15.

**Lemma 30.** *Let $(W_0, N_0)$ be the frame of the canonical model, and let $\theta : V \to \mathcal{P}(W_0)$ be* any *valuation. Moreover, let $D$ be a local propositional clause such that $(W_0, N_0, \theta) \models D$. Then there is a subclause $D_0 \subseteq D$ of $D$ such that $G^1 \vdash_G \mathsf{G}(D_0\sigma)$, where $\sigma(q) = p_{\theta(q)}$.*

*Proof.* This is similar in spirit to the proof of Lemma 28. We know that $\to \bigvee\{L^{\neg} \mid L \subseteq V_0\}$ is a tautology. As every $G^0$-inconsistent set is inconsistent with the boundary $G_1^B$, we obtain that $G_1^B \to \bigvee\{L^{\neg} \mid q \in L \subseteq V_0\ G^0\text{-inconsistent}\}$. Using Lemma 15, we may replace $L^{\neg}$ with maximally consistent sets, i.e. $G_1^B \to \bigvee\{M \mid M \in W_0\}$ is a tautology. As $(W_0, N_0, \theta) \models D$, any maximally consistent $M \in W^0$ is either an element of $\theta(q)$ for $q \in D$, or an element of $W^0 \setminus \theta(q)$ for $\neg q \in D$. As $p_S$ is equivalent to $\bigvee\{M \mid M \in S\}$ under $G_1^B$, we obtain that $\{G_1^B \to p_{\theta(q)} \mid q \in D\} \lor \{\neg p_{\theta(q)} \mid \neg q \in D\}$ are tautologies, which entails the claim as in Lemma 28.

The previous lemma has shown that we can derive the substituted premiss of a rule in A. The next lemma shows that derivability of the substituted conclusion turns into semantic validity in the canonical model.

**Lemma 31.** *In the canonical model, for $M \in W^0$ and $S \subseteq W_0$, we have that $p_S \in \hat{M} \iff M \in S$ and $p_S \in \hat{M} \iff S \in N_0(M)$.*

This allows us to show that the canonical model is in the right frame class.

**Lemma 32.** *Let $Ax$ be a set of non-iterative axioms and $Rl$ an equivalent set of rules. Then $\mathcal{M} \in \mathrm{Frm}(A)$ for the canonical model $\mathcal{M}$ given by $Rl$.*

*Proof.* Let $\theta$ be *any* valuation, and let $\pi/\gamma$ be a rule in $Rl$ such that $(W_0, N_0, \theta) \models \pi$. We show that $(W_0, N_0, \theta) \models \gamma$, and the result follows from Lemma 15. Assuming that $\pi = D_1 \dots D_n$, the previous lemma gives us subclauses $D^s_i \subseteq D_i$ such that $G^1 \vdash_G \mathsf{G}(D^s_i\sigma)$, where $\sigma(q) = p_{\theta(q)}$. Applying the rule $\pi/\gamma \in A$, this gives $G^1 \vdash_G \mathsf{G}(D_0\sigma)$, where $D_0 = \gamma$ is the conclusion of the rule $\pi/\gamma$. Let $M \in W_0$; showing that $(W_0, N_0, \theta), M \models D_0$ implies the claim. As $\hat{M}$ is maximally consistent, there is a literal $l \in D_0\sigma$ with $l \in \hat{M}$. It follows from Lemma 31 that $(W_0, N_0, \theta) \models l$, hence $(W_0, N_0, \theta) \models D_0$. As $D_0 = \gamma$ was the conclusion of the rule $\pi/\gamma$, this is all we had to show.

Finally:

**Theorem 33 (Generative Completeness).** *Let $\Phi$ be a set of local and global clauses, and let $Rl$ be a set of non-iterative, cut-closed rules. If $\Phi$ is unsatisfiable in $\mathrm{Frm}(Rl)$, then $\Phi \vdash_G$ .*

*Proof.* As usual, by contraposition: Let $G^0$ denote the global clauses of $\Phi$, and let $M$ be a maximally $G$-consistent set that contains all the local clauses of $\Phi$. In the canonical model, we have that $M \models \varphi$ for all $\varphi \in \Phi$, so $\Phi$ is satisfiable. By the last lemma, we have $\mathcal{M} \in \mathrm{Frm}(A)$, so that $\Phi$ is satisfiable in $\mathrm{Frm}(A)$.

The criticism of generative calculi is that they are not very "resolution-like". In particular, the "spirit" of resolution is the removal of conflicting literals, i.e. the absorptive calculi. We now show that both are equivalent.

**Lemma 34.** *Suppose that $\Phi$ is a set of local or global clauses, and assume that $\Phi \vdash_G$ . Then $\Phi \vdash_A$ whenever $\vdash_G$ and $\vdash_A$ are induced by a cut-closed set of rules.*

*Proof.* We demonstrate how to successively replace a generative instance of a rule in $Rl^C$ by an absorptive one. If the derivation $\Phi \vdash_G$  contains an instance of a modal rule (or the congruence rule), assume that there is no other modal rule further below. As the derivation ends in , every literal must either be resolved against the conclusion of a modal rule (in which case, we can use cut-closure to replace the two rule instances with a new one), or it must be resolved against a clause that is not. Successively applying cut-closure, we are left with just the second case, i.e. with a proof tree of the following form if the last clause is local:

$$\begin{array}{c} \begin{array}{c} \mathsf{G}(D\_1^s) \quad \dots \quad \mathsf{G}(D\_n^s) \\ \hline \mathsf{G}(l\_1 \lor \dots \lor l\_n) \\ \hline\hline l\_1 \lor \dots \lor l\_n \end{array} \qquad \neg l\_1 \lor E\_1 \qquad \neg l\_2 \lor E\_2 \qquad \cdots \qquad \neg l\_n \lor E\_n \\ \hline \cdots \\ \hline E\_1 \lor \dots \lor E\_n \end{array}$$

This proof tree can be replaced by its absorptive variant, i.e. the rule instance

$$
\begin{array}{cccccc}
\mathsf{G}(D\_1^s) & \dots & \mathsf{G}(D\_n^s) & \neg l\_1 \lor E\_1 & \dots & \neg l\_n \lor E\_n \\
\hline
\multicolumn{6}{c}{E\_1 \lor \dots \lor E\_n}
\end{array}
$$

thus reducing the number of applications of generative rules by one. If the conclusion of the cascade of cuts is global, we use the global variant of the absorptive rule instead.

This gives us completeness for the absorptive calculus, too.

**Theorem 35 (Absorptive Completeness).** *Let $\Phi$ be a set of local and global clauses, and let $Rl$ be a set of cut-closed, non-iterative rules. If $\Phi$ is unsatisfiable in $\mathrm{Frm}(A)$, then $\Phi \vdash_A$ .*

Using Lewis' theorem, i.e. completeness of a Hilbert system for non-iterative axioms over the class of neighbourhood frames defined by the axioms, we can now also close the loop between syntactically defined logics, and their resolution systems.

**Theorem 36.** *Let $Ax$ be a set of non-iterative axioms, and let $Rl$ be a cut-closed, equivalent set of rules. If $\vdash_H \varphi$ is the provability predicate in the Hilbert system given by $Ax$, and $\Phi$ is the result of translating $\varphi$ into an equisatisfiable set of clauses, then $\vdash_H \varphi \to \bot$ iff $\Phi \vdash_A$  iff $\Phi \vdash_G$  iff $\varphi$ is unsatisfiable in $\mathrm{Frm}(Ax)$.*

*Proof.* Lewis [16] shows completeness of $\vdash_H$ with respect to $\mathrm{Frm}(Ax)$, and we apply Theorem 35 and Theorem 33.

The task of finding a complete resolution calculus then boils down to exhibiting a cut-closed set of rules for a given modal logic. We demonstrate this using the example of functional roles in description logic, and role inclusions [5].

**Example 37.** We consider a modal logic with two normal operators, and . In description logic parlance, they correspond to two different roles. We assume that the role corresponding to is functional (R(i, j) ∧ R(i, k) → j = k). Axiomatically, this means that is a K-modality and additionally satisfies p ∧ q → (p ∧ q). The second modality, -, just satisfies the K-axioms. A role inclusion is expressed using a transfer axiom p → p. While the natural semantics here are Kripke frames (with two relations, the first functional, and a subset of the second), the semantics in terms of neighbourhood frames (with two neighbourhood functions) is equivalent (for weak completeness).

1. The axiom of functionality is equivalent to the rule

$$\frac{\neg p \lor q \lor r}{\neg \blacksquare p \lor \blacksquare q \lor \blacksquare r} \qquad \frac{\neg p\_0 \lor p\_1 \lor \cdots \lor p\_n}{\neg \blacksquare p\_0 \lor \blacksquare p\_1 \lor \cdots \lor \blacksquare p\_n}$$

which readily generalises to the rule scheme (for n ≥ 1) above. Note that the rule p/p is not an instance of functionality. Cuts between the conclusion of the K-rule and the above scheme yield the rule

$$\left(\dagger\_1\right) \frac{\neg a\_1 \lor \cdots \lor \neg a\_n \lor b\_1 \lor \cdots \lor b\_k}{\neg \blacksquare a\_1 \lor \cdots \lor \neg \blacksquare a\_n \lor \blacksquare b\_1 \lor \cdots \lor \blacksquare b\_k}$$

where n ≥ 0 and k ≥ 1. It is easy to see that this set is cut-closed.

2. The rule for the K-modality in Example 19, that is

$$(\dagger\_2) \frac{\neg a\_1 \lor \cdots \lor \neg a\_n \lor a\_0}{\neg \square a\_1 \lor \cdots \lor \neg \square a\_n \lor \square a\_0}$$

is already cut-closed.

3. To incorporate the role inclusion axiom p → p, we need to modify the above rules by resolving their conclusions with the axiom ¬p ∨ p. This changes the above rules to

$$(\dagger\_3) \frac{\neg a\_1 \lor \cdots \lor \neg a\_n \lor b\_1 \lor \cdots \lor b\_k}{\neg \bigcirc a\_1 \lor \cdots \lor \neg \bigcirc a\_n \lor \blacksquare b\_1 \lor \cdots \lor \blacksquare b\_k}$$

where n, k are as above and ∈{-, }, and

$$(\dagger\_4) \frac{\neg a\_1 \lor \cdots \lor \neg a\_n \lor a\_0}{\neg \square a\_1 \lor \cdots \lor \neg \square a\_n \lor \bigcirc a\_0}$$

where ∈{-, }. To this, we add the axiom as a rule without premiss, viz

$$(\dagger\_5) \overline{\neg\square p \lor \blacksquare q}$$

4. One now checks that the rules (†3),(†4) and (†5) together are cut-closed and equivalent to the respective axioms. This means that we can apply Theorem 36 to obtain a complete resolution calculus.
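As an added illustration of Definition 20 and Examples 21 and 37 (this is example code, not the paper's), the following script checks cut-closure mechanically for a finite set of rule instances against a rule scheme: standard K (†2), the nonstandard binary K-rule of Example 7, and the functional scheme (†1). The instance sets, the scheme functions and the `cut_closed` check are constructions of this example; derivability of the required premise is decided by saturating the two premises under propositional resolution.

```python
"""Cut-closure (Definition 20) for non-iterative rule schemes (added example).

A literal is a (polarity, atom) pair and a clause a frozenset of literals.
A rule instance is (premise, conclusion); the conclusion is the premise with
every atom boxed, so the same atom names are reused and conclusion literals
are read as boxed literals.
"""
from itertools import combinations


def resolve(c1, c2, atom):
    """One propositional resolution step on `atom`, or None if it does not apply."""
    if (True, atom) in c1 and (False, atom) in c2:
        return (c1 - {(True, atom)}) | (c2 - {(False, atom)})
    if (False, atom) in c1 and (True, atom) in c2:
        return (c1 - {(False, atom)}) | (c2 - {(True, atom)})
    return None


def saturate(clauses):
    """Every clause derivable from `clauses` by propositional resolution."""
    derived = set(clauses)
    frontier = list(clauses)
    while frontier:
        c = frontier.pop()
        for d in list(derived):
            for _, atom in c:
                r = resolve(c, d, atom)
                if r is not None and r not in derived:
                    derived.add(r)
                    frontier.append(r)
    return derived


def instance(negatives, positives):
    """Rule instance with premise ~n1 v ... v p1 v ... and its boxed conclusion."""
    clause = frozenset({(False, a) for a in negatives} | {(True, a) for a in positives})
    return clause, clause


# A scheme maps a candidate conclusion to the premise the scheme demands for it,
# or to None when the clause is not the conclusion of any instance of the scheme.
def standard_k(conclusion):
    """Standard K / (dagger 2): any number of negative box literals, exactly one positive."""
    return conclusion if sum(1 for pol, _ in conclusion if pol) == 1 else None


def nonstandard_k(conclusion):
    """Example 7 shape: the binary rule (two negatives, one positive) or box p / p."""
    negatives = sum(1 for pol, _ in conclusion if not pol)
    positives = sum(1 for pol, _ in conclusion if pol)
    return conclusion if positives == 1 and negatives in (0, 2) else None


def functional(conclusion):
    """(dagger 1) for a functional modality: n >= 0 negatives, k >= 1 positives."""
    return conclusion if any(pol for pol, _ in conclusion) else None


def cut_closed(instances, scheme):
    """Definition 20 over a finite set of instances: every cut between two
    conclusions must again be a `scheme` conclusion whose required premise is
    derivable by propositional resolution from the two premises.
    Returns (True, None) or (False, offending_cut)."""
    for (p1, c1), (p2, c2) in combinations(instances, 2):
        for _, atom in c1:
            cut = resolve(c1, c2, atom)
            if cut is None:
                continue
            required = scheme(cut)
            if required is None or required not in saturate({p1, p2}):
                return False, cut
    return True, None


# Example 21: two binary K-rule instances that can be cut on r, plus box p / p.
EXAMPLE_21 = [instance(["p", "q"], ["r"]), instance(["r", "t"], ["u"]), instance([], ["p"])]
# Example 37(1): constructed instances of the functional scheme, which allows several positives.
FUNCTIONAL_INSTANCES = [instance(["a"], ["b", "c"]), instance(["b"], ["d"]),
                        instance(["c", "d"], ["e"])]

if __name__ == "__main__":
    print("nonstandard K cut-closed:", cut_closed(EXAMPLE_21, nonstandard_k))
    print("standard K cut-closed:   ", cut_closed(EXAMPLE_21, standard_k))
    print("functional cut-closed:   ", cut_closed(FUNCTIONAL_INSTANCES, functional))
```

The offending cut reported for the nonstandard rules is the clause with three negative and one positive literal from Example 21, which no binary or nullary instance covers.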

#### **5 Conclusion and Further Work**

We have given a general method to construct complete resolution calculi for the class of all non-iterative modal logics. In doing so, we have defined, for each logic, a generative and an absorptive calculus that can be translated into one another. Conceptually, the generative calculus can be seen as a stripped-down sequent calculus that only consists of the modal rule and the cut rules, and we have proved completeness for this calculus, under the same condition, *cut-closure*, that would also give rise to cut elimination in a sequent calculus. The naive method to convert a sequent calculus to resolution (elide all propositional rules and just keep cut and the modal rules) is bound to fail. For example, consider the clauses (viewed as sequents) Φ = {p, p,¬q,¬p ∨ q}. With sequents in Φ as additional axioms in the sequent calculus for the modal logic E, we can derive the empty sequent (clause) using just cut, weakening and the congruence rule. However, Φ is evidently satisfiable in the class of neighbourhood frames: we need a world that validates both p and q, where p and q have different truth sets in the model, and stipulate the truth set of p to be the only neighbourhood. The reason is that proving ⊥ in a sequent calculus with additional assumptions Φ, means that ⊥ is valid in all models that satisfy Φ *globally* whereas the notion of consistency of interest in modal logic is *local*. *A fortiori*, this is the reason why we needed to distinguish between local and global clauses in the calculus we have given. This points to a deeper question on the relationship between sequent calculi and resolution systems. Can we just take *any* cut-free sequent calculus and turn it into a resolution system (with a suitable notion of global clause)? Can we use more liberal notions of cut-closure? Is there a purely syntactic way to translate between sequent calculi and resolution systems? Can we use this to lift the restriction to non-iterative axioms? 
Can we employ a more general notion of cut-closure, e.g. as in [21] which would immediately give resolution calculi for several conditional logics? We plan on discussing these questions in further work.

**Acknowledgments.** This research was partially supported by a gift from Northrop Grumman Corporation.

**Disclosure of Interests.** The authors have no competing interests to declare that are relevant to the content of this article.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **A Logic for Repair and State Recovery in Byzantine Fault-Tolerant Multi-agent Systems**

Hans van Ditmarsch¹, Krisztina Fruzsa², Roman Kuznets²(B), and Ulrich Schmid²

¹ CNRS, University of Toulouse, IRIT, Toulouse, France
² Embedded Computing Systems Group, TU Wien, Vienna, Austria
krisztina.fruzsa@tuwien.ac.at, {rkuznets,s}@ecs.tuwien.ac.at

**Abstract.** We provide novel epistemic logical language and semantics for modeling and analysis of byzantine fault-tolerant multi-agent systems, with the intent of not only facilitating reasoning about the agents' fault status but also supporting model updates for repair and state recovery. Besides the standard knowledge modalities, our logic provides additional agent-specific hope modalities capable of expressing that an agent is not faulty, and also dynamic modalities enabling change to the agents' correctness status. These dynamic modalities are interpreted as model updates that come in three flavors: fully public, more private, and/or involving factual change. Tailored examples demonstrate the utility and flexibility of our logic for modeling a wide range of fault-detection, isolation, and recovery (FDIR) approaches in mission-critical distributed systems. By providing complete axiomatizations for all variants of our logic, we also create a foundation for building future verification tools for this important class of fault-tolerant applications.

**Keywords:** byzantine fault-tolerant distributed systems · FDIR · multi-agent systems · modal logic

## **1 Introduction and Overview**

*State of the Art.* A few years ago, the standard epistemic analysis of distributed systems via the runs-and-systems framework [13,18,28] was finally extended [22– 24] to fault-tolerant systems with (fully) *byzantine* agents [25]. Byzantine agents constitute the worst-case scenario in terms of fault-tolerance: not only can they arbitrarily deviate from their respective protocols, but the perception of their own actions and observed events can be corrupted, possibly unbeknownst to them, resulting in false memories. Whether byzantine agents are actually present

© The Author(s) 2024

K. Fruzsa—Was a PhD student in the FWF doctoral program LogiCS (W1255) and also supported by the FWF project DMAC [10.55776/P32431].

R. Kuznets—Funded by the FWF ByzDEL project [10.55776/P33600].

C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 114–134, 2024. https://doi.org/10.1007/978-3-031-63501-4_7

in a system, the very possibility of their presence has drastic and debilitating effects on the epistemic state of all agents, including the correct (i.e., non-faulty) ones, due to the inability to rule out so-called *brain-in-a-vat* scenarios [29]: a brain-in-a-vat agent is a faulty agent with completely corrupted perceptions that provide no reliable information about the system [23]. In such a system, *no* agent can ever know certain elementary facts, such as their own or some other agent's correctness, no matter whether the system is asynchronous [23] or synchronous [34]. Agents can, however, sometimes know their own faultiness or obtain belief in some other agents' faultiness [33].

In light of knowledge $K_i\varphi$ often being unachievable in systems with byzantine agents, [23] also introduced a weaker epistemic notion called *hope*. It was initially defined as $H_i\varphi := \mathit{correct}_i \to K_i(\mathit{correct}_i \to \varphi)$, where the designated atom $\mathit{correct}_i$ represents agent $i$'s correctness. In this setting, one can define belief as $B_i\varphi := K_i(\mathit{correct}_i \to \varphi)$ [33]. Hope was successfully used in [15] to analyze the *Firing Rebels with Relay* (FRR) problem, which is the core of the well-known *consistent broadcasting* primitive [36]. Consistent broadcasting has been used as a pivotal building block in fault-tolerant distributed algorithms, e.g., for byzantine fault-tolerant clock synchronization [10,16,31,36,39], synchronous consensus [37], and as a general reduction of distributed task solvability in systems with byzantine failures to solvability in systems with crash failures [26].

The hope modality was first axiomatized in [14] using $\mathit{correct}_i$ as designated atoms. Whereas the resulting logic turned out to be well-suited for modeling and analyzing problems in byzantine fault-tolerant distributed computing systems like FRR [15], it is unfortunately not normal. Our long-term goal of also creating the foundations for *automated* verification of such applications hence suggested to look for an alternative axiomatization. In [6], we presented a normal modal logic that combines $\mathsf{KB4}_n$ hope modalities with $\mathsf{S5}_n$ knowledge modalities, which is based on defining $\mathit{correct}_i := \neg H_i\bot$ via frame-characterizable axioms. This logic indeed unlocks powerful techniques developed for normal modal logics both in model checkers like DEMO [11] or MCK [17] and, in particular, in epistemic theorem proving environments such as LWB [20].

Still, both versions [6,14] of the logic of hope target byzantine fault-tolerant distributed systems only where, once faulty, agents remain faulty and cannot be "repaired" to become correct again. Indeed, solutions for problems like FRR employ *fault-masking techniques* based on replication [35], which prevent the adverse effects of the faulty agents from contaminating the behavior of the correct agents but do not attempt to change the behavior of the faulty agents. Unfortunately, fault masking is only feasible if no more than a certain fraction $f$ of the overall $n$ agents in the system may become faulty (e.g., $n \geq 3f + 1$ in the case of FRR). Should it ever happen that more than $f$ agents become faulty in a run, no properties can typically be guaranteed anymore, which would be devastating in mission-critical applications.

*Fault-detection, isolation, and recovery* (FDIR) is an alternative fault-tolerance technique, which attempts to discover and repair agents that became faulty in order to subsequently re-integrate them into the system. The primary target here are permanent faults, which do not go away "by themselves" after some time but rather require explicit corrective actions. Pioneering fault-tolerant systems implementations like MAFT [21] and GUARDS [30] combined fault-masking techniques like byzantine agreement [25] and FDIR approaches to harvest the best of both worlds.

Various paradigms have been proposed for implementing the steps in FDIR: Fault-detection can be done by a central FDIR unit, which is implemented in some very reliable technology and oversees the whole distributed system. Alternatively, distributed FDIR employs distributed diagnosis [38], e.g., based on evidence [1], and is typically combined with byzantine consensus [25] to ensure agreement among the replicated FDIR units. Agents diagnosed as faulty are subsequently forced to reset and execute built-in self tests, possibly followed by repair actions like hardware reconfiguration. Viewed at a very abstract level, the FDI steps of FDIR thus cause a faulty agent to become correct again. Becoming correct again is, however, not enough to enable the agent to also participate in the (on-going) execution of the remaining system. The latter also requires a successful *state recovery* step R, which makes the local state of the agent consistent with the current global system state. Various recovery techniques have been proposed for this purpose, ranging from pro-active recovery [32], where the local state of *every* agent is periodically replaced by a majority-voted version, to techniques based on checkpointing & rollback or message-logging & replay, see [12] for a survey. The common aspect of all these techniques is that the local state of the recovering agent is changed based on information originating from other agents.

*Our Contribution.* In this paper,¹ we provide the first logic that not only enables one to reason about the fault status of agents, but also provides mechanisms for updating the model so as to change the fault status of agents, as well as their local states. Instead of handling such dynamics in the byzantine extension of the runs-and-systems framework [22–24], i.e., in a temporal epistemic setting, we do it in a dynamic epistemic setting: we restrict our attention to the instants where the ultimate goal of (i) the FDI steps (successfully repairing a faulty processor) and (ii) the R step (recovering the repaired processor's local state) is reached, and investigate the dynamics of the agents' correctness/faultiness and its interaction with knowledge at these instants.

Our approach enables us to separate the issue of (1) verifying the correctness of the specification of an FDIR mechanism from the problem of (2) guaranteeing the correctness of its protocol implementation, and to focus on (1). Indeed, verifying the correctness of the implementation of some specification is the standard problem in formal verification, and powerful tools exist that can be used for this purpose. However, even a fully verified FDIR protocol would be completely useless if the FDIR specification was erroneous from the outset, in the sense that it does not correctly identify and hence repair faulty agents in some cases.

¹ An extended version of the paper, which also provides the proofs and additional details that had to be dropped here, can be found in [7].

Our novel logics and the underlying model update procedures provide, to the best of our knowledge, the first suitable foundations for (1), as they allow to formally specify (1.a) *when* a model update shall happen, and (1.b) the result of the model update. While we cannot claim that no better approach exists, our various examples at least reveal that we can model many crucial situations arising in FDIR schemes.

In order to introduce the core features of our logic and its update mechanisms, we use a simple example: Consider two agents $a$ and $b$, each knowing their own local states, where global state $ij$, with $i, j \in \{0, 1\}$, means that $a$'s local state is $i$ and $b$'s local state is $j$. To describe agent $a$'s local state $i$ we use an atomic proposition $p_a$, where $p_a$ is true if $i = 1$ in global state $ij$ and $p_a$ is false if $i = 0$, and similarly for $b$'s local state $j$ and atomic proposition $p_b$.

Knowledge and hope of the agents are represented in a Kripke model M for our system consisting of four states (worlds), shown in the left part of the figure above. Knowledge $K_i$ is interpreted by a knowledge relation $\mathcal{K}_i$ and hope $H_i$ is interpreted by a hope relation $\mathcal{H}_i$. Worlds that are $\mathcal{K}_i$-indistinguishable, in the sense that agent i cannot distinguish which of the worlds is the actual one, are connected by an i-labeled link, where we assume reflexivity, symmetry, and transitivity. Worlds ij that are in the non-empty part of the $\mathcal{H}_i$ relation, i.e., where agent i is correct, have i printed in bold as **0** or **1**. For example, in the world depicted as 0**1** above, agent a is faulty and agent b is correct.

Now assume that we want agent a to become correct in the states 01 and 11 where $p_b$ is true. For example, this could be dictated by an FDIR mechanism that caused b to diagnose a as faulty. Changing the fault status of a accordingly (while not changing the correctness of b) results in the updated model on the right in the above figure. Note that a was correct in state 00 in the left model, but did not know this, whereas agent a knows that she is correct in state 00 after the update. Such a model update is specified in our approach by a suitable *hope update formula* for every agent, which, in the above example, is $\neg H_a\bot \lor p_b$ for agent a and $\neg H_b\bot$ for agent b. Note carefully that every hope update formula implicitly specifies both (a) the situation in the original model in which a change of the hope relation is applied, namely, some agent i's correctness/faultiness status encoded as $\neg H_i\bot$ / $H_i\bot$, and (b) the result of the respective update of the hope relation.

Clearly, different FDIR approaches will require very different hope update formulas for describing their effects. In our logic, we provide two basic hope update mechanisms that can be used here: *public* updates, in which the agents are certain about the exact hope updates occurring at other agents, and *private* updates (strictly speaking, semi-private updates [5]), in which the agents may be uncertain about the particular hope updates occurring at other agents. The former is suitable for FDIR approaches where a central FDIR unit in the system triggers and coordinates all FDIR activities, the latter is needed for some distributed FDIR schemes.

Moreover, whereas the agents' local states do not necessarily have to be changed when becoming correct, FDIR usually requires erasing traces of erroneous behavior from the history before recovery in the R step. Our logic hence provides an additional *factual change* mechanism for accomplishing this as well. For example, simultaneously with or after becoming correct, agents may also need to change their local state by making false the atomic proposition that records that step 134 of the protocol was (erroneously) executed. Analogous to hope update formulas, suitable *factual change formulas* are used to encode when and how atomic propositions will change. Besides syntax and semantics, we provide complete axiomatizations of all variants of our logic, and demonstrate its utility and flexibility for modeling a wide range of FDIR mechanisms by means of many application examples. In order to focus on the essentials, we use only two-agent examples for highlighting particular challenges arising in FDIR. We note, however, that it is usually straightforward to generalize those to more than two agents, and even to combine them for modeling more realistic FDIR scenarios.

*Summary of the Utility of Our Logic.* Besides contributing novel model update mechanisms to the state-of-the-art in dynamic epistemic logic, the main utility of our logic is that it enables epistemic reasoning and verification of FDIR mechanism *specifications*. Indeed, even a fully verified protocol implementation of some FDIR mechanism would be meaningless if its specification allowed unintended effects. Our hope update/factual change formulas formally and exhaustively specify what the respective model update accomplishes, i.e., encode both the preconditions for changing some agent's fault status/atomic propositions and the actual change. Given an initial model and these update formulas, our logic thus enables one to check (even automatically) whether the updated model has all the properties intended by the designer, whether certain state invariants are preserved by the update, etc. Needless to say, there are many reasons why a chosen specification might be wrong in this respect: the initial model might not provide all the required information, undesired fault status changes could be triggered in some worlds, or supporting information required for an agent to recover its local state might not be available. The ability to (automatically) verify the absence of such undesired effects of the specification of an FDIR mechanism is hence important in the design of mission-critical distributed systems.

*Paper Organization.* Section 2 recalls the syntax and semantics of the logic for knowledge and hope [6]. Section 3 expands this language with dynamic modalities for publicly changing hope. Section 4 generalizes the language to private updates. In Sect. 5, we add factual change to our setting. Some conclusions in Sect. 6 complete our paper.

#### **2 A Logic of Hope and Knowledge**

We succinctly present the logic of hope and knowledge [6]. Throughout our presentation, let $\mathcal{A} := \{1,\dots,n\}$ be a finite set of agents and let Prop be a non-empty countable set of atomic propositions.

*Syntax.* The language $\mathcal{L}_{KH}$ is defined as

$$\varphi ::= p \mid \neg \varphi \mid (\varphi \land \varphi) \mid K\_i \varphi \mid H\_i \varphi,\tag{1}$$

where $p \in \mathrm{Prop}$ and $i \in \mathcal{A}$. We take ⊤ to be the abbreviation for some fixed propositional tautology and ⊥ for ¬⊤. We also use standard abbreviations for the remaining boolean connectives, $\widehat{K}_i\varphi$ for the dual modality $\neg K_i\neg\varphi$ for 'agent i considers φ possible', $\widehat{H}_i\varphi$ for $\neg H_i\neg\varphi$, and $E_G\varphi$ for mutual knowledge $\bigwedge_{i \in G} K_i\varphi$ in a group $G \subseteq \mathcal{A}$. Finally, we define belief $B_i\varphi$ as $K_i(\neg H_i\bot \to \varphi)$; we recall that $\neg H_i\bot$ means that i is correct.

*Structures.* A *Kripke model* is a tuple $M = (W, \pi, \mathcal{K}, \mathcal{H})$ where W is a non-empty set of *worlds* (or *states*), $\pi : \mathrm{Prop} \to \mathcal{P}(W)$ is a *valuation function* mapping each atomic proposition to the set of worlds where it is true, and $\mathcal{K} : \mathcal{A} \to \mathcal{P}(W \times W)$ and $\mathcal{H} : \mathcal{A} \to \mathcal{P}(W \times W)$ are functions that assign to each agent i a *knowledge relation* $\mathcal{K}_i \subseteq W \times W$ and a *hope relation* $\mathcal{H}_i \subseteq W \times W$, respectively, where we have written $\mathcal{K}_i$ resp. $\mathcal{H}_i$ for $\mathcal{K}(i)$ and $\mathcal{H}(i)$. We write $\mathcal{H}_i(w)$ for $\{v \mid (w, v) \in \mathcal{H}_i\}$ and $w\mathcal{H}_i v$ for $(w, v) \in \mathcal{H}_i$, and similarly for $\mathcal{K}_i$. We require knowledge relations $\mathcal{K}_i$ to be equivalence relations and hope relations $\mathcal{H}_i$ to be shift-serial (that is, if $w\mathcal{H}_i v$, then there exists a $z \in W$ such that $v\mathcal{H}_i z$). In addition, the following conditions should also be satisfied:

$$\mathbf{HinK}:\ \mathcal{H}_i \subseteq \mathcal{K}_i, \qquad \mathbf{oneH}:\ (\forall w, v \in W)\big(\mathcal{H}_i(w) \neq \emptyset \land \mathcal{H}_i(v) \neq \emptyset \land w\mathcal{K}_i v \implies w\mathcal{H}_i v\big).$$

It can be shown that all $\mathcal{H}_i$ relations are so-called *partial equivalence relations*: they are transitive and symmetric binary relations [27].

The class of Kripke models $(W, \pi, \mathcal{K}, \mathcal{H})$ (given $\mathcal{A}$ and Prop) is named $\mathcal{KH}$.

*Semantics.* We define truth for formulas $\varphi \in \mathcal{L}_{KH}$ at a world w of a model $M = (W, \pi, \mathcal{K}, \mathcal{H}) \in \mathcal{KH}$ in the standard way: in particular, $M,w \models p$ iff $w \in \pi(p)$ where $p \in \mathrm{Prop}$; boolean connectives are classical; $M,w \models K_i\varphi$ iff $M,v \models \varphi$ for all v such that $w\mathcal{K}_i v$; and $M,w \models H_i\varphi$ iff $M,v \models \varphi$ for all v such that $w\mathcal{H}_i v$. A formula φ is *valid in model* M, denoted $M \models \varphi$, iff $M,w \models \varphi$ for all $w \in W$, and it is *valid*, notation $\models \varphi$ (or $\mathcal{KH} \models \varphi$), iff it is valid in all models $M \in \mathcal{KH}$. The axiom system $\mathit{KH}$ for knowledge and hope is given below.

$$\begin{array}{llll}
P & \text{all propositional tautologies} & T^K & K_i\varphi \to \varphi \\
K^K & K_i(\varphi \to \psi) \land K_i\varphi \to K_i\psi & 5^K & \neg K_i\varphi \to K_i\neg K_i\varphi \\
& H_i\neg H_i\bot & MP & \text{from } \varphi \text{ and } \varphi \to \psi, \text{ infer } \psi
\end{array}$$

**Theorem 1 (**[6]**).** *KH is sound and complete with respect to* KH*.*

## **3 Public Hope Update**

#### **3.1 Syntax and Semantics**

**Definition 2 (Logical language).** *Language $\mathcal{L}^{pub}_{KH}$ is obtained by adding the construct $[\varphi_1, \dots, \varphi_n]\varphi$ to BNF* (1)*.*

We read a formula of the shape $[\varphi_1, \dots, \varphi_n]\psi$, often abbreviated as $[\vec\varphi]\psi$, as follows: after revising or updating hope for agent i with respect to $\varphi_i$ for all agents $i \in \mathcal{A}$ simultaneously, ψ (is true). We call the formula $\varphi_i$ the *hope update formula for agent* i.

**Definition 3 (Semantics of public hope update).** *Let a tuple $\vec\varphi \in (\mathcal{L}^{pub}_{KH})^n$, a model $M = (W, \pi, \mathcal{K}, \mathcal{H}) \in \mathcal{KH}$, and a world $w \in W$ be given. Then*

$$M,w \models [\vec\varphi]\psi \quad\text{iff}\quad M^{\vec\varphi}, w \models \psi,$$

*where $M^{\vec\varphi} := (W, \pi, \mathcal{K}, \mathcal{H}^{\vec\varphi})$ such that for each agent $i \in \mathcal{A}$:*

$$w\mathcal{H}^{\chi}_i v \qquad\text{iff}\qquad w\mathcal{K}_i v, \quad M,w \models \chi, \quad\text{and}\quad M,v \models \chi,$$

*and where we write $\mathcal{H}^{\chi}_i$ for $(\mathcal{H}^{\vec\varphi})_i$ if the i-th formula in $\vec\varphi$ is χ.*

If $M,w \not\models \chi$, then $\mathcal{H}^{\chi}_i(w) = \emptyset$: agent i is faulty in state w after the update, i.e., $H_i\bot$ is true. Whereas if $M,w \models \chi$, then $\mathcal{H}^{\chi}_i(w) \neq \emptyset$ (it contains w itself, since $\mathcal{K}_i$ is reflexive): agent i is correct in state w after the update, i.e., $\neg H_i\bot$ is true. If the hope update formula for agent i is $\neg H_i\bot$, then $\neg H_i\bot$ is true in the same states before and after the update. Therefore, $\mathcal{H}^{\neg H_i\bot}_i = \mathcal{H}_i$: the hope relation for i does not change. On the other hand, if the hope update formula for agent i is $H_i\bot$, then $\mathcal{H}^{H_i\bot}_i(w) = \emptyset$ iff $\mathcal{H}_i(w) \neq \emptyset$: the correctness of agent i flips in every state. If we wish to model that agent i becomes *more correct* (in the model), then the hope update formula for agent i should have the shape $\neg H_i\bot \lor \varphi$: the left disjunct $\neg H_i\bot$ guarantees that in all states where i already was correct, she remains correct. We write

$$[\varphi]\_i \psi \quad \text{for} \quad [\neg H\_1 \bot, \dots, \neg H\_{i-1} \bot, \ \varphi, \ \neg H\_{i+1} \bot, \dots, \neg H\_n \bot] \psi$$

Similarly, we write $[\varphi]_G\psi$ if the hope update formula for all agents $i \in G$ is φ and the other agents j have the trivial hope update formula $\neg H_j\bot$.

**Proposition 4.** *If $\vec\varphi \in (\mathcal{L}^{pub}_{KH})^n$ and $M = (W, \pi, \mathcal{K}, \mathcal{H}) \in \mathcal{KH}$ then $M^{\vec\varphi} \in \mathcal{KH}$.*

*Proof.* Let $i \in \mathcal{A}$ and χ be the i-th formula in $\vec\varphi$. We need to show that the relation $\mathcal{H}^{\chi}_i$ is shift-serial and that it satisfies properties HinK and oneH.

– [oneH]: Let $w, v \in W$. Assume that $\mathcal{H}^{\chi}_i(w) \neq \emptyset$, that $\mathcal{H}^{\chi}_i(v) \neq \emptyset$, and that $w\mathcal{K}_i v$. It follows that there exists some $w' \in \mathcal{H}^{\chi}_i(w)$, implying that $M,w \models \chi$, and some $v' \in \mathcal{H}^{\chi}_i(v)$, implying that $M,v \models \chi$. Now $w\mathcal{H}^{\chi}_i v$ follows immediately.

The hope update ϕ for an agent a is reminiscent of the refinement semantics of public announcement ϕ [4]. However, unlike a public announcement, the hope update installs an entirely novel hope relation and discards the old one.

#### **3.2 Applications**

In this section, we apply the logical semantics just introduced to represent some typical scenarios that occur in FDIR applications. We provide several simple two-agent examples.

*Example 5 (Correction based on agent* b *having diagnosed* a *as faulty).* To correct agent a based on $K_bH_a\bot$, we update agent a's hope relation based on the formula $\neg H_a\bot \lor K_bH_a\bot$ (and agent b's hope relation based on the formula $\neg H_b\bot$). We recall that the disjunct $\neg H_a\bot$ guarantees that agent a will stay correct if he already was. The resulting model transformation is:

After the update, in states 00 where a was correct and 10 where a was faulty:

$$\begin{array}{ll}
M,00 \models [\neg H_a\bot \lor K_bH_a\bot]_a\, \neg H_a\bot & a \text{ is still correct}\\
M,00 \models [\neg H_a\bot \lor K_bH_a\bot]_a\, K_a\neg H_a\bot & a \text{ now knows he is correct}\\
M,10 \models [\neg H_a\bot \lor K_bH_a\bot]_a\, H_a\bot & a \text{ is still faulty}\\
M,10 \models [\neg H_a\bot \lor K_bH_a\bot]_a\, \widehat{K}_a\neg H_a\bot & a \text{ now considers possible he is correct}\\
M,10 \models [\neg H_a\bot \lor K_bH_a\bot]_a\, K_b\widehat{K}_a\neg H_a\bot & \ldots\ b \text{ now knows that}
\end{array}$$

A straightforward generalization of this hope update is correction based on distributed fault detection, where all agents in some sufficiently large group G need to diagnose agent a as faulty. If G is fixed, $\neg H_a\bot \lor E_GH_a\bot$ achieves this goal. If any group G of at least k > 1 agents is eligible, then

$$\neg H_a\bot \lor \bigvee_{\substack{G \subseteq \mathcal{A}\\ |G| = k}} E_G H_a\bot$$

is the formula of choice.

Unfortunately, Example 5 cannot be applied in byzantine settings in general, since *knowledge* of other agents' faults is usually not attainable [23]. Hence, one has to either resort to a weaker belief-based alternative or else to an important special case of Example 5, namely, *self-correction*, where $G = \{a\}$, i.e., agent a diagnoses itself as faulty. This remains feasible in the byzantine setting because one's own fault is among the few things an agent can know in such systems [23]. We illustrate this in Example 6.

*Example 6 (Self-correction under constraints).* Self-correction of agent a without constraints is carried out on the condition that a knows he is faulty ($K_aH_a\bot$). The hope update formula for self-correction of agent a with an optional additional constraint φ is

$$\neg H_a\bot \lor (\varphi \land K_aH_a\bot),$$

where the $\neg H_a\bot$ part corresponds to the worlds where agent a is already correct and the $\varphi \land K_aH_a\bot$ part says that, if he knows that he is faulty ($K_aH_a\bot$), then he attempts to self-correct and succeeds if, additionally, a (possibly external) condition φ holds. Very similarly to Example 5, we now add the additional constraint $\varphi = p_b$. Notice that the update is indeed slightly different from that in Example 5, as a no longer becomes correct in world 01.

After the update, we get in states 00 and 10 (where a was correct resp. faulty):

$$\begin{array}{ll}
M,00 \models [\neg H_a\bot \lor (p_b \land K_aH_a\bot)]_a\, \neg H_a\bot & a \text{ is still correct}\\
M,00 \models [\neg H_a\bot \lor (p_b \land K_aH_a\bot)]_a\, \widehat{K}_aH_a\bot & a \text{ still considers possible he is faulty}\\
M,10 \models [\neg H_a\bot \lor (p_b \land K_aH_a\bot)]_a\, H_a\bot & a \text{ is still faulty}\\
M,10 \models [\neg H_a\bot \lor (p_b \land K_aH_a\bot)]_a\, \widehat{K}_a\neg H_a\bot & a \text{ now considers possible he is correct}\\
M,10 \models [\neg H_a\bot \lor (p_b \land K_aH_a\bot)]_a\, K_b\widehat{K}_a\neg H_a\bot & \ldots\ b \text{ now knows that}
\end{array}$$

*Byzantine Agents.* We now turn our attention to a different problem that needs to be solved in fault-tolerant distributed systems like MAFT [21] and GUARDS [30] that combine fault-masking approaches with FDIR. What is needed here is to monitor whether there are at most f faulty agents among the n agents in the system, and take countermeasures when the formula $Byz_f$ defined by

$$Byz\_f := \bigvee\_{\substack{G \subseteq \mathcal{A} \\ |G| = n-f}} \bigwedge\_{i \in G} \neg H\_i \bot$$

is in danger of getting violated or even is violated already. The most basic way to enforce the global condition $Byz_f$ in a hope update is by a constraint on the hope update formulas, rather than by their actual shape. All that is needed here is to ensure, given hope update formulas $\vec\varphi = (\varphi_1, \dots, \varphi_n)$, that at least n − f of those are true, which can be expressed by the formula

$$\vec{\varphi}^{n-f} \coloneqq \bigvee\_{\substack{G \subseteq \mathcal{A} \\ |G| = n-f}} \bigwedge\_{i \in G} \varphi\_i.$$

We now have the validity

$$\models \vec{\varphi}^{\,n-f} \to [\vec{\varphi}]\,Byz_f.$$

In particular, we also have the weaker $\models Byz_f \land \vec\varphi^{\,n-f} \to [\vec\varphi]Byz_f$. In other words, $M,w \models Byz_f \land \vec\varphi^{\,n-f}$ implies $M^{\vec\varphi}, w \models Byz_f$. We could also consider generalized schemas such as: $M \models Byz_f \land \vec\varphi^{\,n-f}$ implies $M^{\vec\varphi} \models Byz_f$. In all these cases, the initial assumption $Byz_f$ is superfluous.

Such a condition is, of course, too abstract for practical purposes. What would be needed here are concrete hope update formulas by which we can update a model when $Byz_f$ might become false resp. is false already, in which case it must cause the correction of sufficiently many agents to guarantee that $Byz_f$ is still true resp. becomes true again after the update. Recall that belief $B_i\psi$ is defined as $K_i(\neg H_i\bot \to \psi)$. If we define

$$B\_{\geq f}\psi := \bigvee\_{\substack{G \subseteq \mathcal{A} \\ |G|=f}} \bigwedge\_{i \in G} B\_i \psi,$$

it is easy to see by the pigeonhole principle that $\models Byz_f \land B_{\geq f+1}\psi \to \psi$. Using $\psi = H_a\bot$ will hence result in one fewer faulty agent. To the formula $B_{\geq f+1}H_a\bot$ we add a disjunct $\neg H_a\bot$ to ensure correct agents remain correct:

$$\models Byz_f \land B_{\geq f+1}H_a\bot \to [\neg H_a\bot \lor B_{\geq f+1}H_a\bot]_a\, Byz_{f-1}.$$
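Spelled out, the pigeonhole step and the two update validities above run as follows (an added derivation in the paper's own notation, not part of the original text):

$$\begin{aligned}
&M,w \models Byz_f \;\Longrightarrow\; |\{i \in \mathcal{A} \mid M,w \models H_i\bot\}| \le f, \\
&M,w \models B_{\geq f+1}\psi \;\Longrightarrow\; \exists G \subseteq \mathcal{A},\ |G| = f+1,\ \forall i \in G:\ M,w \models K_i(\neg H_i\bot \to \psi), \\
&\text{so some } i \in G \text{ satisfies } M,w \models \neg H_i\bot;\ \text{by } T^K,\ M,w \models \neg H_i\bot \to \psi,\ \text{hence } M,w \models \psi.
\end{aligned}$$

For $\models \vec\varphi^{\,n-f} \to [\vec\varphi]Byz_f$, fix w with $M,w \models \vec\varphi^{\,n-f}$, so $M,w \models \varphi_i$ for all i in some G with $|G| = n-f$. Since $w\mathcal{K}_i w$, Definition 3 gives $w\mathcal{H}^{\varphi_i}_i w$, i.e. $M^{\vec\varphi},w \models \neg H_i\bot$ for every $i \in G$, which is $M^{\vec\varphi},w \models Byz_f$. In the last validity, $\psi = H_a\bot$ makes a faulty at w while $\neg H_a\bot \lor B_{\geq f+1}H_a\bot$ holds there, so a is correct at w after the update; the other agents keep their hope relations under $[\cdot]_a$, so the number of correct agents at w grows from at least $n-f$ to at least $n-(f-1)$, i.e. $Byz_{f-1}$.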

#### **3.3 Axiomatization**

Axiomatization $\mathit{KH}^{pub}$ of the logical semantics for $\mathcal{L}^{pub}_{KH}$ extends axiom system $\mathit{KH}$ with axioms describing the interaction between hope updates and other logical connectives. The axiomatization is a straightforward reduction system, where the interesting interaction happens in hope update binding hope.

**Definition 7 (Axiomatization** $\mathit{KH}^{pub}$**).** *$\mathit{KH}^{pub}$ extends $\mathit{KH}$ with*

$$\begin{array}{lcl}
{}[\vec\varphi]p &\leftrightarrow& p\\
{}[\vec\varphi]\neg\psi &\leftrightarrow& \neg[\vec\varphi]\psi\\
{}[\vec\varphi](\psi \land \xi) &\leftrightarrow& [\vec\varphi]\psi \land [\vec\varphi]\xi\\
{}[\vec\varphi]K_i\psi &\leftrightarrow& K_i[\vec\varphi]\psi\\
{}[\vec\varphi]H_i\psi &\leftrightarrow& \big(\varphi_i \to K_i(\varphi_i \to [\vec\varphi]\psi)\big)\\
{}[\vec\varphi][\vec\chi]\psi &\leftrightarrow& \big[[\vec\varphi]\chi_1, \dots, [\vec\varphi]\chi_n\big]\psi
\end{array}$$

*where $\vec\varphi = (\varphi_1, \dots, \varphi_n) \in (\mathcal{L}^{pub}_{KH})^n$, $\vec\chi = (\chi_1, \dots, \chi_n) \in (\mathcal{L}^{pub}_{KH})^n$, $\psi, \xi \in \mathcal{L}^{pub}_{KH}$, $p \in \mathrm{Prop}$, and $i \in \mathcal{A}$.*

**Theorem 8 (Soundness).** *For all $\varphi \in \mathcal{L}^{pub}_{KH}$, $\mathit{KH}^{pub} \vdash \varphi$ implies $\mathcal{KH} \models \varphi$.*

*Proof.* Out of all additional axioms, we only show the most interesting case of hope being updated: we show the validity of $[\vec\varphi]H_i\psi \leftrightarrow \big(\varphi_i \to K_i(\varphi_i \to [\vec\varphi]\psi)\big)$:

$$\begin{aligned}
M,w \models [\vec\varphi]H_i\psi
&\ \text{iff}\ M^{\vec\varphi}, w \models H_i\psi\\
&\ \text{iff}\ \forall v \in \mathcal{H}^{\varphi_i}_i(w):\ M^{\vec\varphi}, v \models \psi\\
&\ \text{iff}\ (\forall v \in W)\ \big(v \in \mathcal{K}_i(w)\ \&\ M,w \models \varphi_i\ \&\ M,v \models \varphi_i \implies M^{\vec\varphi}, v \models \psi\big)\\
&\ \text{iff}\ M,w \models \varphi_i \implies (\forall v \in W)\ \big(v \in \mathcal{K}_i(w)\ \&\ M,v \models \varphi_i \implies M^{\vec\varphi}, v \models \psi\big)\\
&\ \text{iff}\ M,w \models \varphi_i \implies \forall v \in \mathcal{K}_i(w):\ \big(M,v \models \varphi_i \implies M^{\vec\varphi}, v \models \psi\big)\\
&\ \text{iff}\ M,w \models \varphi_i \implies \forall v \in \mathcal{K}_i(w):\ \big(M,v \models \varphi_i \implies M,v \models [\vec\varphi]\psi\big)\\
&\ \text{iff}\ M,w \models \varphi_i \implies \forall v \in \mathcal{K}_i(w):\ M,v \models \varphi_i \to [\vec\varphi]\psi\\
&\ \text{iff}\ M,w \models \varphi_i \implies M,w \models K_i(\varphi_i \to [\vec\varphi]\psi)\\
&\ \text{iff}\ M,w \models \varphi_i \to K_i(\varphi_i \to [\vec\varphi]\psi).
\end{aligned}$$

Every formula in $\mathcal{L}^{pub}_{KH}$ is provably equivalent to a formula in $\mathcal{L}_{KH}$ (Lemma 13). To prove this, we first define the *weight* or *complexity* of a given formula (Definition 9) and show a number of inequalities comparing the left-hand side to the right-hand side of the reduction axioms in axiomatization $\mathit{KH}^{pub}$ (Lemma 10). Subsequently, we define a translation from $\mathcal{L}^{pub}_{KH}$ to $\mathcal{L}_{KH}$ (Definition 11) and finally show that the translation is a terminating rewrite procedure (Proposition 12).

**Definition 9.** *The* complexity *$c : \mathcal{L}^{pub}_{KH} \to \mathbb{N}$ of $\mathcal{L}^{pub}_{KH}$-formulas is defined recursively, where $p \in \mathrm{Prop}$, $i \in \mathcal{A}$, and $c(\vec\varphi) := \max\{c(\varphi_i) \mid 1 \le i \le n\}$:*

$$\begin{array}{lcl}
c(p) &:=& 1\\
c(\neg\varphi) &:=& c(\varphi) + 1\\
c(\varphi \land \xi) &:=& \max\{c(\varphi), c(\xi)\} + 1\\
c(K_i\varphi) &:=& c(\varphi) + 1\\
c(H_i\varphi) &:=& c(\varphi) + 4\\
c([\vec\varphi]\xi) &:=& \big(c(\vec\varphi) + 1\big) \cdot c(\xi)
\end{array}$$

**Lemma 10.** *For each axiom $\theta_l \leftrightarrow \theta_r$ from Definition 7, $c(\theta_l) > c(\theta_r)$.*

**Definition 11.** *The* translation *$t : \mathcal{L}^{pub}_{KH} \to \mathcal{L}_{KH}$ is defined recursively, where $p \in \mathrm{Prop}$, $i \in \mathcal{A}$, and the i-th formula of $\vec\varphi$ is $\varphi_i$:*

$$\begin{array}{lcl}
t(p) &:=& p\\
t(\neg\varphi) &:=& \neg t(\varphi)\\
t(\varphi \land \xi) &:=& t(\varphi) \land t(\xi)\\
t(K_i\varphi) &:=& K_i\, t(\varphi)\\
t(H_i\varphi) &:=& H_i\, t(\varphi)\\
t([\vec\varphi]p) &:=& p\\
t([\vec\varphi]\neg\xi) &:=& \neg t([\vec\varphi]\xi)\\
t([\vec\varphi](\xi \land \chi)) &:=& t([\vec\varphi]\xi \land [\vec\varphi]\chi)\\
t([\vec\varphi]K_i\xi) &:=& t(K_i[\vec\varphi]\xi)\\
t([\vec\varphi]H_i\xi) &:=& t\big(\varphi_i \to K_i(\varphi_i \to [\vec\varphi]\xi)\big)\\
t([\vec\varphi][\chi_1, \dots, \chi_n]\xi) &:=& t\big([[\vec\varphi]\chi_1, \dots, [\vec\varphi]\chi_n]\xi\big)
\end{array}$$

**Proposition 12 (Termination).** *For all $\varphi \in \mathcal{L}^{pub}_{KH}$, $t(\varphi) \in \mathcal{L}_{KH}$.*

*Proof.* This follows by induction on $c(\varphi)$.

**Lemma 13 (Equiexpressivity).** *Language $\mathcal{L}^{pub}_{KH}$ is equiexpressive with $\mathcal{L}_{KH}$.*

*Proof.* It follows by induction on $c(\varphi)$ that $\mathit{KH}^{pub} \vdash \varphi \leftrightarrow t(\varphi)$ for all $\varphi \in \mathcal{L}^{pub}_{KH}$, where, by Proposition 12, $t(\varphi) \in \mathcal{L}_{KH}$.

**Theorem 14 (Soundness and completeness).** *For all $\varphi \in \mathcal{L}^{pub}_{KH}$,*

$$\mathit{KH}^{pub} \vdash \varphi \qquad \Longleftrightarrow \qquad \mathcal{KH} \models \varphi.$$

*Proof.* Soundness was proven in Theorem 8. To prove completeness, assume $\mathcal{KH} \models \varphi$. According to Lemma 13, we have $\mathit{KH}^{pub} \vdash \varphi \leftrightarrow t(\varphi)$. Therefore, by Theorem 8, $\mathcal{KH} \models \varphi \leftrightarrow t(\varphi)$ follows. Since $\mathcal{KH} \models \varphi$ (by assumption), we obtain $\mathcal{KH} \models t(\varphi)$. By applying Theorem 1, $\mathit{KH} \vdash t(\varphi)$ further follows. Consequently, $\mathit{KH}^{pub} \vdash t(\varphi)$. Finally, since $\mathit{KH}^{pub} \vdash \varphi \leftrightarrow t(\varphi)$, $\mathit{KH}^{pub} \vdash \varphi$.

**Corollary 15 (Necessitation for public hope updates).**

$$\mathit{KH}^{pub} \vdash \psi \quad \Longrightarrow \quad \mathit{KH}^{pub} \vdash [\vec\varphi]\psi.$$

## **4 Private Hope Update**

In the case of the public hope update mechanism introduced in Sect. 3, after the update there is no uncertainty about what happened. In some distributed FDIR schemes, including self-correction, however, the hope update at an agent occurs in a less public way. To increase the application coverage of our logic, we therefore provide the alternative of private hope updates. For that, we use structures inspired by action models. Strictly speaking, such updates are known as *semi-private* (or *semi-public*) updates, as the agents are aware of their uncertainty and know what they are uncertain about, whereas in a fully private update the agent does not know that the action took place [5] and may, in fact, believe that nothing happened. The resulting language can be viewed as a generalization of $\mathcal{L}^{pub}_{KH}$, where the latter now becomes a special case.

#### **4.1 Syntax and Semantics**

**Definition 16 (Hope update model).** *A* hope update model *for a logical language $\mathcal{L}$ is a tuple $U = (E, \vartheta, \mathcal{K}^U)$, where E is a non-empty set of* actions*, $\vartheta : E \to (\mathcal{A} \to \mathcal{L})$ is a* hope update function*, and $\mathcal{K}^U : \mathcal{A} \to \mathcal{P}(E \times E)$ such that all $\mathcal{K}^U_i$ are equivalence relations. For $\vartheta(e)(i)$ we write $\vartheta_i(e)$. As before, formulas $\vartheta_i(e) \in \mathcal{L}$ are* hope update formulas*. A* pointed hope update model *is a pair (U, e) where $e \in E$.*

**Definition 17 (Language** $\mathcal{L}^{priv}_{KH}$**).** *We obtain language $\mathcal{L}^{priv}_{KH}$ by adding the construct $[U, e]\varphi$ to BNF* (1)*, where (U, e) is a pointed hope update model.*

Definition 17 is given by mutual recursion as usual: all hope update models U are for the language $\mathcal{L}^{priv}_{KH}$.

**Definition 18 (Semantics of private hope update).** *Let $U = (E, \vartheta, \mathcal{K}^U)$ be a hope update model, $M = (W, \pi, \mathcal{K}, \mathcal{H}) \in \mathcal{KH}$, $w \in W$, and $e \in E$. Then:*

$$M,w \models [U, e]\varphi \quad\text{iff}\quad M \times U, (w, e) \models \varphi,$$

*where $M \times U = (W^\times, \pi^\times, \mathcal{K}^\times, \mathcal{H}^\times)$ is such that:*

$$\begin{array}{lcl}
W^\times &:=& W \times E\\
(w, e) \in \pi^\times(p) &\text{iff}& w \in \pi(p)\\
(w, e)\,\mathcal{K}^\times_i\,(v, f) &\text{iff}& w\mathcal{K}_i v \text{ and } e\mathcal{K}^U_i f\\
(w, e)\,\mathcal{H}^\times_i\,(v, f) &\text{iff}& (w, e)\,\mathcal{K}^\times_i\,(v, f),\ M,w \models \vartheta_i(e), \text{ and } M,v \models \vartheta_i(f)
\end{array}$$

Public hope updates can be viewed as singleton hope update models. Given formulas $\vec\varphi \in (\mathcal{L}^{pub}_{KH})^n$, define $U^{pub} := (\{e\}, \vartheta, \mathcal{K}^{pub})$, where $\vartheta_i(e) := \varphi_i$ and $\mathcal{K}^{pub}_i := \{(e, e)\}$ for every $i \in \mathcal{A}$.

*Difference with Action Models.* Although our hope update models look like action models, they are not really action models in the sense of [2]. Our actions do not have executability preconditions, such that the updated model is not a restricted modal product but rather the full product. Another difference is that, by analogy with Kripke models for knowledge and hope, we would then have expected a hope relation in the update models. But there is none in our approach.

**Proposition 19.** $M \times U \in \mathcal{KH}$ *for any hope update model* $U$ *and* $M \in \mathcal{KH}$.

*Proof.* The proof is somewhat similar to that of Proposition 4. It is obvious that all $\mathcal{K}^\times_i$ are equivalence relations. Let us show now that for all $i \in A$ the relations $\mathcal{H}^\times_i$ are shift-serial and that they satisfy the properties HinK and oneH.


**Definition 20.** *Let* $U = (E, \vartheta, \mathcal{K}^U)$ *and* $U' = (E', \vartheta', \mathcal{K}^{U'})$ *be hope update models. The* composition $(U;U')$ *is* $(E'', \vartheta'', \mathcal{K}^{U;U'})$ *such that:*

$$\begin{array}{lll} E'' &:=& E \times E' \\ (e, e')\,\mathcal{K}_i^{U;U'}\,(f, f') &\text{iff}& e\,\mathcal{K}_i^U\,f \text{ and } e'\,\mathcal{K}_i^{U'}\,f' \\ \vartheta''(e, e') &:=& [U, e]\vartheta'(e') \end{array}$$

Here $[U, e]\vartheta'(e')$ is understood componentwise, i.e., $\vartheta''_i(e, e') = [U, e]\vartheta'_i(e')$ for every $i \in A$. Since $\mathcal{K}^U_i$ and $\mathcal{K}^{U'}_i$ are equivalence relations, $\mathcal{K}^{U;U'}_i$ is also an equivalence relation, so that $(U;U')$ is a hope update model.

#### **4.2 Applications**

Arguably the most important use of private updates in distributed FDIR is to express the uncertainty of agents about whether an update affects other agents.

*Example 21 (Private correction).* We reconsider the example from Sect. 1, only this time we privately correct agent $a$ based on $p_b$ such that agent $b$ is uncertain whether the hope update happens. This can be modeled by two hope update formulas for agent $a$: $\neg H_a\bot \lor p_b$ and $\neg H_a\bot$. With $\neg H_a\bot \lor p_b$ we associate an event $c_{p_b}$ where the correction takes place based on the additional constraint $p_b$, and with $\neg H_a\bot$ we associate an event $noc$ where correction does not take place. Writing $\vartheta(e) = (\vartheta_a(e), \vartheta_b(e))$, we get $U := (E, \vartheta, \mathcal{K}^U)$, where:

$$\begin{array}{lll} E &:=& \{c_{p_b}, noc\} \\ \vartheta(c_{p_b}) &:=& (\neg H_a\bot \lor p_b,\ \neg H_b\bot) \\ \vartheta(noc) &:=& (\neg H_a\bot,\ \neg H_b\bot) \\ \mathcal{K}^U_a &:=& \text{the identity relation } \{(e, e) \mid e \in E\} \\ \mathcal{K}^U_b &:=& \text{the universal relation } E \times E \end{array}$$

When naming worlds, we have abstracted away from the event being executed in a world. Having the same name therefore does not mean being the same world. For example, the world **11** at the front of the cube 'really' is the pair $(11, c_{p_b})$ with $\mathcal{H}_a(11, c_{p_b}) = \emptyset$ and $\mathcal{H}_b(11, c_{p_b}) = \emptyset$. We now have for example that:

$$\begin{array}{ll} M, 01 \models H_a\bot \land [U, c_{p_b}](\neg H_a\bot \land K_a\neg H_a\bot) & a \text{ knows it became correct} \\ M, 01 \models [U, c_{p_b}]\neg K_b K_a\neg H_a\bot & \ldots \text{ but } b \text{ doesn't know that} \\ M, 01 \models K_b H_a\bot \land [U, c_{p_b}]\neg(K_b H_a\bot \lor K_b\neg H_a\bot) & b \text{ is now ignorant about } a\text{'s fault} \end{array}$$

#### **4.3 Axiomatization**

**Definition 22 (Axiomatization $\mathit{KH}^{priv}$).** $\mathit{KH}^{priv}$ *consists of* $\mathit{KH}$ *and*

$$\begin{array}{lcl} [U,e]p & \leftrightarrow & p \\ [U,e]\neg\varphi & \leftrightarrow & \neg[U,e]\varphi \\ [U,e](\varphi\land\psi) & \leftrightarrow & [U,e]\varphi\land[U,e]\psi \\ [U,e]K_i\varphi & \leftrightarrow & \bigwedge_{e\mathcal{K}_i^U f} K_i[U,f]\varphi \\ [U,e]H_i\varphi & \leftrightarrow & \Big(\vartheta_i(e) \to \bigwedge_{e\mathcal{K}_i^U f} K_i\big(\vartheta_i(f) \to [U,f]\varphi\big)\Big) \\ [U,e][U',e']\varphi & \leftrightarrow & [(U;U'),(e,e')]\varphi \end{array}$$

**Theorem 23 (Soundness).** *For all* $\varphi \in \mathcal{L}^{priv}_{KH}$, $\mathit{KH}^{priv} \vdash \varphi$ *implies* $\mathcal{KH} \models \varphi$.

Similarly to the previous section, one can show that every formula in $\mathcal{L}^{priv}_{KH}$ is provably equivalent to a formula in $\mathcal{L}_{KH}$: one defines a complexity measure on $\mathcal{L}^{priv}_{KH}$-formulas, shows the complexity inequalities for the reduction axioms of the axiomatization $\mathit{KH}^{priv}$, defines a translation $t$ from $\mathcal{L}^{priv}_{KH}$ to $\mathcal{L}_{KH}$, and observes that this translation is a terminating rewrite procedure. We thus obtain:

**Proposition 24 (Termination).** *For all* $\varphi \in \mathcal{L}^{priv}_{KH}$, $t(\varphi) \in \mathcal{L}_{KH}$.

**Lemma 25 (Equiexpressivity).** *Language* $\mathcal{L}^{priv}_{KH}$ *is equiexpressive with* $\mathcal{L}_{KH}$, *i.e., for all* $\varphi \in \mathcal{L}^{priv}_{KH}$, $\mathit{KH}^{priv} \vdash \varphi \leftrightarrow t(\varphi)$.

**Theorem 26 (Soundness and completeness).** *For all* $\varphi \in \mathcal{L}^{priv}_{KH}$,

$$\mathit{KH}^{priv} \vdash \varphi \iff \mathcal{KH} \models \varphi.$$

Necessitation for private hope update is an admissible inference rule in *KH priv*.

# **5 Factual Change**

In this section, we provide a way to add factual change to our model updates. This is going along well-trodden paths in dynamic epistemic logic [3,8,9].

#### **5.1 Syntax, Semantics, and Axiomatization**

**Definition 27 (Hope update model with factual change).** *To obtain a* hope update model with factual change $U = (E, \vartheta, \sigma, \mathcal{K}^U)$ *from a hope update model* $(E, \vartheta, \mathcal{K}^U)$ *for a language* $\mathcal{L}$ *we add the parameter* $\sigma : E \to (\mathit{Prop} \to \mathcal{L})$. *We require that each* $\sigma(e)$ *is only finitely different from the identity function.*

The finitary requirement is needed in order to keep the language well-defined. In this section, by hope update models we mean hope update models with factual change.

**Definition 28 (Language $\mathcal{L}^{f}_{KH}$).** *Language* $\mathcal{L}^{f}_{KH}$ *is obtained by adding the construct* $[U, e]\varphi$ *to the BNF of the language* $\mathcal{L}_{KH}$, *where* $(U, e)$ *is a pointed hope update model with factual change for the language* $\mathcal{L}^{f}_{KH}$.

As in the previous section, Definition 28 is given by mutual recursion, and from here on all hope update models are for the language $\mathcal{L}^{f}_{KH}$.

**Definition 29 (Semantics).** *Let* $U = (E, \vartheta, \sigma, \mathcal{K}^U)$, $M = (W, \pi, \mathcal{K}, \mathcal{H}) \in \mathcal{KH}$, $w \in W$, *and* $e \in E$. *Then, as in Definition 18,* $M, w \models [U, e]\varphi$ *iff* $M \times U, (w, e) \models \varphi$, *only now* $M \times U = (W^\times, \pi^\times, \mathcal{K}^\times, \mathcal{H}^\times)$ *is such that:*

$$\begin{array}{lll} W^\times &:=& W \times E \\ (w, e) \in \pi^\times(p) &\text{iff}& M, w \models \sigma(e)(p) \\ (w, e)\,\mathcal{K}_i^\times\,(v, f) &\text{iff}& w\,\mathcal{K}_i\,v \text{ and } e\,\mathcal{K}_i^U\,f \\ (w, e)\,\mathcal{H}_i^\times\,(v, f) &\text{iff}& (w, e)\,\mathcal{K}_i^\times\,(v, f),\ M, w \models \vartheta_i(e), \text{ and } M, v \models \vartheta_i(f) \end{array}$$

The only difference between Definitions 18 and 29 is that the clause for the valuation in the former is: $(w, e) \in \pi^\times(p)$ iff $w \in \pi(p)$. In other words, there the valuation of facts does not change, and the valuation in the world $w$ is carried forward to that in the updated worlds $(w, e)$. It is easy to see that $\mathcal{KH} \models [U, e]p \leftrightarrow \sigma(e)(p)$, as we immediately obtain that: $M, w \models [U, e]p$ iff $M \times U, (w, e) \models p$ iff $(w, e) \in \pi^\times(p)$ iff $M, w \models \sigma(e)(p)$. This turns out to be the only difference:

**Definition 30 (Axiomatization $\mathit{KH}^{f}$).** *Axiom system* $\mathit{KH}^{f}$ *is obtained from* $\mathit{KH}^{priv}$ *by replacing the first equivalence in Definition 22 with* $[U, e]p \leftrightarrow \sigma(e)(p)$.

**Theorem 31 (Soundness).** *For all* $\varphi \in \mathcal{L}^{f}_{KH}$, $\mathit{KH}^{f} \vdash \varphi$ *implies* $\mathcal{KH} \models \varphi$.

In itself it is quite remarkable that the required changes are fairly minimal, given the enormously enhanced flexibility in specifying distributed system behavior. With techniques quite similar to those employed for the hope update model logic without factual change, we also obtain completeness for the hope update logic with factual change. Lack of space did not allow us to include many of the details; the interested reader is referred to the extended version [7] of this paper.
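The following model checker is an added example and not code from the paper: it implements the product $M \times U$ of Definitions 18 and 29, the composition of Definition 20, and checks that both sides of the reduction axioms of Definitions 22 and 30 agree at every world of a finite model, as soundness (Theorems 23 and 31) requires. The four-world Kripke model, the event `fix` with its factual change $p_b := \neg p_a$, and the atom names are constructed for this example and are not the Sect. 1 model of the paper; the update model `U_PRIV` is the one of Example 21.

```python
"""Model checker for private hope updates (Definitions 18, 20, 22) and factual
change (Definitions 27-30).  Added example on a constructed toy model; not code
from the paper."""


# Formulas are nested tuples; [U, e]phi is ('upd', U, e, phi).
def Bot(): return ('bot',)
def P(atom): return ('p', atom)
def Not(f): return ('not', f)
def And(*fs): return ('and',) + fs
def Or(f, g): return ('or', f, g)
def Imp(f, g): return Or(Not(f), g)
def K(i, f): return ('K', i, f)
def H(i, f): return ('H', i, f)
def Upd(U, e, f): return ('upd', U, e, f)


class KHModel:
    """Worlds, valuation (world -> set of true atoms), per-agent relations K and H."""
    def __init__(self, worlds, val, K, H):
        self.worlds, self.val, self.K, self.H = list(worlds), val, K, H


class HopeUpdate:
    """(E, theta, K^U); sigma: event -> {atom: formula} is the factual change of Def. 27
    (atoms not mentioned keep their value, so sigma(e) differs finitely from the identity)."""
    def __init__(self, events, theta, KU, sigma=None):
        self.events, self.theta, self.KU, self.sigma = list(events), theta, KU, sigma or {}


def update(M, U):
    """The product M x U of Definition 29 (Definition 18 is the case sigma = identity)."""
    worlds = [(w, e) for w in M.worlds for e in U.events]
    atoms = set().union(*M.val.values(), *(s.keys() for s in U.sigma.values()))
    val = {(w, e): {p for p in atoms if sat(M, w, U.sigma.get(e, {}).get(p, P(p)))}
           for (w, e) in worlds}
    Kx = {i: {((w, e), (v, f)) for (w, v) in M.K[i] for (e, f) in U.KU[i]} for i in M.K}
    Hx = {i: {((w, e), (v, f)) for ((w, e), (v, f)) in Kx[i]
              if sat(M, w, U.theta[e][i]) and sat(M, v, U.theta[f][i])} for i in M.K}
    return KHModel(worlds, val, Kx, Hx)


def sat(M, w, phi):
    """Truth of phi at world w of M."""
    tag = phi[0]
    if tag == 'bot': return False
    if tag == 'p': return phi[1] in M.val[w]
    if tag == 'not': return not sat(M, w, phi[1])
    if tag == 'and': return all(sat(M, w, g) for g in phi[1:])
    if tag == 'or': return sat(M, w, phi[1]) or sat(M, w, phi[2])
    if tag in ('K', 'H'):
        rel = (M.K if tag == 'K' else M.H)[phi[1]]
        return all(sat(M, v, phi[2]) for (u, v) in rel if u == w)
    U, e, psi = phi[1:]
    return sat(update(M, U), (w, e), psi)


def compose(U1, U2):
    """(U;U') of Definition 20: theta''(e,e') := [U,e] theta'(e'), componentwise."""
    events = [(e, f) for e in U1.events for f in U2.events]
    theta = {(e, f): {i: Upd(U1, e, g) for i, g in U2.theta[f].items()} for (e, f) in events}
    KU = {i: {((e, f), (e2, f2)) for (e, e2) in U1.KU[i] for (f, f2) in U2.KU[i]} for i in U1.KU}
    return HopeUpdate(events, theta, KU)


def reduction_axioms_hold(M, U, e, phi, psi, atom, i):
    """Both sides of the first five axioms of Definition 22 (the atom axiom in its
    Definition 30 form [U,e]p <-> sigma(e)(p)) agree at every world of M."""
    succ = [f for (x, f) in U.KU[i] if x == e]
    th = lambda f: U.theta[f][i]
    pairs = [
        (Upd(U, e, P(atom)), U.sigma.get(e, {}).get(atom, P(atom))),
        (Upd(U, e, Not(phi)), Not(Upd(U, e, phi))),
        (Upd(U, e, And(phi, psi)), And(Upd(U, e, phi), Upd(U, e, psi))),
        (Upd(U, e, K(i, phi)), And(*[K(i, Upd(U, f, phi)) for f in succ])),
        (Upd(U, e, H(i, phi)),
         Imp(th(e), And(*[K(i, Imp(th(f), Upd(U, f, phi))) for f in succ]))),
    ]
    return all(sat(M, w, l) == sat(M, w, r) for w in M.worlds for (l, r) in pairs)


def composition_axiom_holds(M, U, phi):
    """Last axiom of Definition 22: [U,e][U,e']phi <-> [(U;U),(e,e')]phi at every world."""
    UU = compose(U, U)
    return all(sat(M, w, Upd(U, e, Upd(U, f, phi))) == sat(M, w, Upd(UU, (e, f), phi))
               for w in M.worlds for e in U.events for f in U.events)


# Constructed toy model (an assumption of this example, not the Sect. 1 model of the
# paper): worlds are the bit strings p_a p_b; agent a is correct iff p_a holds and b
# iff p_b holds; a knows p_a and b knows p_b; hope relates K-related worlds at both
# ends of which the agent is correct.
AGENTS = ('a', 'b')
WORLDS = ['00', '01', '10', '11']
VAL = {w: {p for p, bit in zip(('p_a', 'p_b'), w) if bit == '1'} for w in WORLDS}
K_REL = {i: {(w, v) for w in WORLDS for v in WORLDS if w[n] == v[n]} for n, i in enumerate(AGENTS)}
H_REL = {i: {(w, v) for (w, v) in K_REL[i] if w[n] == v[n] == '1'} for n, i in enumerate(AGENTS)}
M = KHModel(WORLDS, VAL, K_REL, H_REL)

A_FAULTY = H('a', Bot())
# Example 21: private correction of a based on p_b; b cannot distinguish c_pb from noc.
E = ['c_pb', 'noc']
THETA = {'c_pb': {'a': Or(Not(A_FAULTY), P('p_b')), 'b': Not(H('b', Bot()))},
         'noc':  {'a': Not(A_FAULTY),               'b': Not(H('b', Bot()))}}
U_PRIV = HopeUpdate(E, THETA, {'a': {(e, e) for e in E}, 'b': {(e, f) for e in E for f in E}})
# Constructed factual-change variant: event 'fix' additionally sets p_b := not p_a.
U_FACT = HopeUpdate(['fix'], {'fix': THETA['c_pb']}, {'a': {('fix', 'fix')}, 'b': {('fix', 'fix')}},
                    sigma={'fix': {'p_b': Not(P('p_a'))}})

if __name__ == '__main__':
    print('a faulty at 01:', sat(M, '01', A_FAULTY))
    print('after c_pb, a correct:', sat(M, '01', Upd(U_PRIV, 'c_pb', Not(A_FAULTY))))
    print('... but b does not know:', sat(M, '01', Upd(U_PRIV, 'c_pb', Not(K('b', Not(A_FAULTY))))))
```

At the constructed world `01` agent $a$ is faulty, becomes correct under `c_pb` (its hope update formula $\neg H_a\bot \lor p_b$ holds there), and stays faulty under `noc`; agent $b$, whose $\mathcal{K}^U_b$ is universal, cannot tell the two events apart and hence does not know that $a$ was corrected. Because hope in the product is defined from $\mathcal{K}^\times$ and the hope update formulas alone, the composed model of Definition 20 needs no hope relation of its own, which is what the composition check confirms.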

**Lemma 32 (Equiexpressivity).** *Language* $\mathcal{L}^{f}_{KH}$ *is equiexpressive with* $\mathcal{L}_{KH}$.

**Theorem 33 (Soundness and completeness).** *For all* $\varphi \in \mathcal{L}^{f}_{KH}$,

$$\mathit{KH}^{f} \vdash \varphi \iff \mathcal{KH} \models \varphi.$$

#### **5.2 Applications**

The importance of adding factual change to our framework comes from the fact that, in practical protocols implementing FDIR mechanisms, agents usually take decisions based on what they recorded in their local states. We demonstrate the essentials of combined hope updates and state recovery in Example 34, which combines the variant of self-correction introduced in Example 6 with state recovery needs that would arise in the alternating bit protocol [19].

*Example 34 (Private self-correction with state recovery).* The alternating bit protocol (ABP) for transmitting an arbitrarily generated stream of consecutive data packets from a sender to a receiver over an unreliable communication channel uses messages that additionally contain a sequence number consisting of 1 bit only. The latter switches from one message to the next, by alternating atomic propositions $q_s$ and $q_r$ containing the next sequence number to be used for the next message generated by the sender resp. receiver side of the channel. In addition, the ABP maintains atomic propositions $p_s$ and $p_r$ holding the last sequence number used by the sender resp. receiver side. In more detail, the sending of data packet $d_n$, starting from $(q_s, q_r) = (0, 0)$ and $(p_s, p_r) = (1, 1)$, is completed in three phases ([19]): (i) if $q_s \neq p_s$, sender $s$ sets $p_s := q_s = 0$ and generates a message $(d_n, p_s)$ to be repeatedly sent; (ii) when receiver $r$ receives $(d_n, q_r)$ (with $q_r = 0$ here), it records $d_n$, sets $p_r := q_r = 0$, generates a message $(ack, p_r)$ to be repeatedly sent back to $s$, and switches to the next sequence number $q_r := 1$; (iii) if sender $s$ receives $(ack, p_s)$ (with $p_s = 0$ here), it switches to the next sequence number $q_s := \neg p_s = 1$. Note that the next sequence numbers $(q_s, q_r)$ have moved from $(0, 0)$ via $(0, 1)$ to $(1, 1)$, whereas the last sequence numbers $(p_s, p_r)$ moved from $(1, 1)$ to $(0, 1)$ to $(0, 0)$. From here, the above phases are just repeated (with all sequence numbers flipped) for sending $d_{n+1}$. Thus, during a correct run of the ABP, $(q_s, q_r)$ continuously cycles through $(0, 0), (0, 1), (1, 1), (1, 0), (0, 0), \ldots$.

If, however, a transient fault flips the value of either $q_s$ or $q_r$, the ABP deadlocks and therefore requires correction. Due to the asymmetry of the ABP regarding sender and receiver, the need for a correction of the receiver can be conveniently determined by checking the equality of $p_r$ and $q_r$, and the correction can be performed by just setting $q_r := \neg p_r$.

We model agent $r$ successfully self-correcting and recovering its state from $p_r = q_r$, that is, based on $p_r \leftrightarrow q_r$. At the same time, $s$ is uncertain whether $r$ has corrected itself (event $scr_{p_r = q_r}$) or not (event $noscr$). Again writing $\vartheta(e)$ as $(\vartheta_s(e), \vartheta_r(e))$, this is encoded in the hope update model $U := (E, \vartheta, \sigma, \mathcal{K}^U)$, where:

$$\begin{array}{lll} E &:=& \{scr_{p_r = q_r},\ noscr\} \\ \vartheta(scr_{p_r = q_r}) &:=& (\neg H_s\bot,\ p_r \leftrightarrow q_r) \\ \sigma(scr_{p_r = q_r})(q_r) &:=& \neg p_r \\ \mathcal{K}^U_s &:=& E \times E \\ \mathcal{K}^U_r &:=& \{(e, e) \mid e \in E\} \end{array}$$

Note that $H_r\bot$ is equivalent to $p_r \leftrightarrow q_r$, making $H_r\bot$ locally detectable by $r$ and resulting in $\vartheta(scr_{p_r = q_r}) = (\neg H_s\bot, H_r\bot)$. All atoms for $noscr$ and all atoms other than $q_r$ for $scr_{p_r = q_r}$ remain unchanged. Coding the atoms in each state as $p_s q_s . p_r q_r$, the resulting update is:

The only change happens in the global states **00**.00 and **01**.00, where $p_r \leftrightarrow q_r$ causes the hope update and $q_r$ is set to the opposite of $p_r$. After the update, we get:

$$\begin{array}{ll} M, 00.00 \models [U, scr_{p_r = q_r}](\neg H_r\bot \land K_r q_r) & r \text{ is correct and learned } q_r \\ M, 00.00 \models [U, scr_{p_r = q_r}] K_r\neg H_r\bot & r \text{ is now sure she is correct} \\ M, 00.00 \models [U, scr_{p_r = q_r}](\neg K_r q_s \land \neg K_r\neg q_s) & r \text{ remains unsure regarding } q_s \\ M, 00.00 \models [U, scr_{p_r = q_r}]\hat{K}_s H_r\bot & s \text{ considers it possible that } r \text{ is faulty} \end{array}$$

#### **6 Conclusions and Further Research**

We gave various dynamic epistemic semantics for the modeling and analysis of byzantine fault-tolerant multi-agent systems, expanding a known logic containing knowledge and hope modalities. We provided complete axiomatizations for our logics and applied them to fault-detection, isolation, and recovery (FDIR) in distributed computing. For future research we envision alternative dynamic epistemic update mechanisms, as well as embedding our logic into the (temporal epistemic) runs-and-systems approach.

**Acknowledgments.** We thank the anonymous reviewers for the suggestions on how to improve the paper. We are grateful for multiple fruitful discussions with and enthusiastic support from Giorgio Cignarale, Stephan Felber, Rojo Randrianomentsoa, Hugo Rincón Galeana, and Thomas Schlögl.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Calculi, Proof Theory and Decision Procedures**

# **A Decision Method for First-Order Stream Logic**

Harald Ruess(B)

Entalus Computer Science Lab, 2071 Gulf of Mexico Drive, Longboat Key, FL 34228, USA harald.ruess@entalus.com

**Abstract.** Our main result is a doubly exponential decision procedure for the first-order equality theory of streams with addition, convolution, and control-oriented stream operations. This stream logic is shown to be expressive for solving basic problems in stream calculus.

**Keywords:** Decision Procedures · First-Order Logic · Stream Calculus · Formal Power Series · Real-Closed Rings · Quantifier Elimination

### **1 Introduction**

Quantified stream constraints are often used in the principled design of reactive computing systems [7,8,10,25,26]. However, automated solutions to these constraints can be challenging, as quantifying over streams is effectively second-order.

Quantifying over sets of natural numbers, for instance, encodes quantifying over streams in the monadic second-order logic $MSO(\omega)$ [19] of $\omega$-infinite words over a finite alphabet.¹ This logic is decidable, but only non-elementarily so, based on the well-known characterization of the set of models of any $MSO(\omega)$ formula in terms of a finite-state machine [9]. Equivalently, the logic-automaton connection yields a non-elementary decision procedure for a first-order equality theory of streams [34].

Here we study a first-order stream logic that is not limited to finite alphabets, and which includes an expressive combination of nonlinear arithmetic stream operators, such as convolution, with control-oriented stream operators, such as shifting. Compared to *MSO*(ω), however, this stream logic is restrictive in that it only supports quantifying over streams, not over positions in streams.

Our main result is that the validity of first-order stream formulas (in the language of ordered rings) in the structure of real-valued streams is decided in doubly exponential time. In contrast to automata-based procedures for monadic second-order logics, our decision procedure is not limited to streams over a finite alphabet, and the time complexity of our procedure is doubly exponential instead of non-elementary as in [34]. Definitional extensions demonstrate the expressive power of this stream logic in solving a number of fundamental problems in the coalgebraic *stream calculus* [38].

¹ For example, the set of even numbers represents the Boolean-valued stream $(1, 0, 1, 0, 1, \ldots)$, since the $i$-th position, for $i \in \mathbb{N}$, is 'on' if and only if $i$ is even.

© The Author(s) 2024
C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 137–156, 2024. https://doi.org/10.1007/978-3-031-63501-4_8

**Fig. 1.** Stream circuit.

The structure of the developments is as follows. Section 2 motivates quantified stream logic with typical examples from *stream calculus* [38], and Sect. 3 summarizes, with the intention of making the exposition largely self-contained, essential properties of streams. Since we are targeting stream calculus, we restrict ourselves to streams with real-numbered elements only. However, the results in this paper clearly generalize to streams with elements from either a totally ordered commutative integral ring or a totally ordered field. Streams are identified with *formal power series* [32] and the superset of streams with finite history prefixes is identified with *formal Laurent series*. Based on this identification of streams with their generating function it is straightforward to establish that streams are orderable and also Cauchy complete for the prefix distance.

Based on these developments it is shown in Sect. 4 that streams are a *real closed valuation ring* and their extension with finite histories are a *real closed field*. The main technical hurdle is the derivation of an *intermediate value property* (IVP) for streams. As an ordered and complete non-Archimedean domain, streams lack the *least upper bound* property. The usual dichotomic procedure for proving IVP therefore does not apply. Ordered streams admit quantifier elimination as a consequence of real closedness.

The results in Sect. 5 therefore are direct consequences of the quantifier elimination procedures for real closed valuation rings [12] and for real closed ordered fields [44] together with the doubly exponential bound obtained by cylindrical algebraic decomposition [18] in the case of real closed ordered fields. In Sect. 6, the language of decidable stream logic is conservatively extended by shift operators, constants for rational and automatic streams, and stream projections. Section 7 concludes with some remarks.

#### **2 Examples**

We motivate the rôle of quantified stream logic for encoding some typical problems from stream calculus.

*Observational Equivalence.* Two stream processors $T_1, T_2$ are *observationally equivalent* if the first-order formula in Example 1 holds.

*Example 1 (Observational Equivalence).*

$$(\forall z, y\_1, y\_2) \, T\_1(z, y\_1) \, \wedge \, T\_2(z, y\_2) \Rightarrow y\_1 = y\_2$$

The logical variables $z$, $y_1$, and $y_2$ are interpreted over discrete and real-valued streams, and $T_i(z, y_i)$, for $i = 1, 2$, are binary predicates defining the possible output streams $y_i$ of processor $T_i$ on input stream $z$.

In *stream calculus* [38], the relations $T_i(z, y_i)$ are typically of the form $y_i = f_i \cdot z$, where the *transfer function* $f_i$ is a stream, and the output stream $y_i$ is obtained by stream convolution of $f_i$ with the input stream $z$. These algebraic specifications are expressive for the set of all stream circuits [40].

*Functionality.* A stream processor T is *functional* if the first-order stream formula in Example 2 with one quantifier alternation holds.

*Example 2 (Functionality).*

$$(\forall z)(\exists y) \, T(z, y) \land (\forall u) \, u \neq y \Rightarrow \neg T(z, u)$$

*Non-Interference.* We now consider streams of system output that are divided into a *low* and a *high* security part. In such an environment, a stream processor T is said to be *non-interfering* [22,29,30] if executing T always results in indistinguishable low outputs at every step.

*Example 3 (Non-Interference).*

$$(\forall z, y\_1, y\_2) \, T(z, y\_1) \land T(z, y\_2) \Rightarrow \, hd(y\_1) =\_L \, hd(y\_2) \Rightarrow y\_1 =\_L y\_2,$$

where $hd(y_i)$, for $i = 1, 2$, denotes the initial value of $y_i$, and $hd(y_1) =_L hd(y_2)$ is assumed to hold if and only if the *low* parts of the two head elements $hd(y_1)$ and $hd(y_2)$ are equal. Similarly, the (overloaded) relation $y_1 =_L y_2$ on streams is assumed to hold if all the respective projections to the low parts are equal. These non-interference properties are prominent examples of a larger class of *hyperproperties* [14] for comparing two or more traces. Quantifier alternation between existential and universal quantifiers is required for the formalization of more general hyperproperties.
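As an added example that is not code from the paper, the following bounded check decides the formula of Example 3 for two constructed nondeterministic stream processors by enumerating all input prefixes of a given length over (low, high) bit pairs and all pairs of outputs for each input. The processors, the bit alphabet and the prefix bound are assumptions of the example; since the quantifiers of Example 3 range over infinite streams, the check can refute non-interference up to the bound but cannot prove it in general.

```python
"""Bounded check of the non-interference hyperproperty of Example 3 for
nondeterministic stream processors.  Added example, not code from the paper.
Stream elements are (low, high) bit pairs and the quantifiers over infinite
streams are approximated by enumerating all prefixes up to a bound (an assumption)."""
from itertools import product

ALPHABET = [(lo, hi) for lo in (0, 1) for hi in (0, 1)]   # (low, high) bit pairs


def low(elem):
    return elem[0]


def eq_low(y1, y2):
    """y1 =_L y2 on finite prefixes: the projections to the low parts agree."""
    return [low(e) for e in y1] == [low(e) for e in y2]


def processor_leaky(z):
    """Nondeterministic processor T: a scheduler bit c_k chosen at every step k > 0 may
    XOR the high input bit into the low output bit.  Returns all output prefixes for z."""
    outs = set()
    for choices in product((0, 1), repeat=len(z)):
        y = tuple((lo ^ (c & hi) if k > 0 else lo, hi)
                  for k, ((lo, hi), c) in enumerate(zip(z, choices)))
        outs.add(y)
    return outs


def processor_safe(z):
    """Nondeterministic processor whose scheduler bits only influence the high output."""
    return {tuple((lo, hi ^ c) for (lo, hi), c in zip(z, choices))
            for choices in product((0, 1), repeat=len(z))}


def find_violation(T, n):
    """Search input prefixes z of length n for y1, y2 in T(z) with hd(y1) =_L hd(y2)
    but not y1 =_L y2; returns (z, y1, y2) or None if T is non-interfering up to n."""
    for z in product(ALPHABET, repeat=n):
        ys = sorted(T(z))
        for y1 in ys:
            for y2 in ys:
                if low(y1[0]) == low(y2[0]) and not eq_low(y1, y2):
                    return (z, y1, y2)
    return None


def non_interfering(T, n):
    return find_violation(T, n) is None


if __name__ == '__main__':
    print('safe:', non_interfering(processor_safe, 3))
    print('leaky:', find_violation(processor_leaky, 3))
```

The violation found for `processor_leaky` always involves an input whose high bit is set at some step after the head: both outputs agree on the low head, so the premise of Example 3 holds, but the scheduler's choice lets the high bit show up in a later low output. This is exactly the two-trace shape that makes non-interference a hyperproperty rather than a property of single traces.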

*Stream Circuits.* We take into consideration some typical design steps for the stream circuit in Fig. 1. At moment 0 this circuit inputs the first value $z_0$. The initial value 0 of the register $D_1$ is added to this by $A$, and the result $y_0 = z_0 + 0 = z_0$ is the first value to be output. At the same time, this value $z_0$ is copied by $C$ and stored as the new value of the register $D_1$. The next step is to input the value $z_1$, add the current value $z_0$ of the register to it, and output the resulting value $y_1 = z_0 + z_1$. Simultaneously, this value is copied and saved as the new value of the register. In the next step, the input is $z_2$ and the output is the value $y_2 = z_0 + z_1 + z_2$. In general, the output $y_k$, for $k \in \mathbb{N}$, of the circuit in Fig. 1 is determined by the sum $\sum_{i=0}^{k} z_i$ of the finite history $z_0 \ldots z_k$ of inputs. In other words, $y = (1, 1, 1, \ldots) \cdot z$, where $\cdot$ denotes stream convolution. This input-output behavior of the stream circuit in Fig. 1 can be verified by showing that the stream logic formula in Example 4 is valid.

*Example 4 (Analysis).*

$$\begin{aligned} (\forall z, y, h\_1, h\_2, h\_3) \\ h\_1 = D\_1(h\_2) \land h\_3 = A(z, h\_1) \land h\_2 = C(h\_3) \land y = C(h\_3) \\ \Rightarrow \ y = (1, 1, 1, \ldots) \cdot z \end{aligned}$$

The stream $(1, 1, \ldots)$ is considered to be an interpreted constant symbol in the logic, and $D_1$, $A$, and $C$ are interpreted function symbols.

Finally, the formula in Example 5 with one quantifier alternation allows to synthesize the transfer function by constructing explicit witnesses for existentially quantified variables in an underlying proof procedure.

*Example 5 (Synthesis).*

$$\begin{aligned} \left(\forall z, y, h\_1, h\_2, h\_3\right) \\ h\_1 = D\_1(h\_2) \land h\_3 = A(z, h\_1) \land h\_2 = C(h\_3) \land y = C(h\_3) \\ \Rightarrow \left(\exists u\right) y = u \cdot z \end{aligned}$$

#### **3 On Streams**

A *real-valued stream* is an infinite sequence $(a_i)_{i \in \mathbb{N}}$ with $a_i \in \mathbb{R}$, where $\mathbb{R}$ denotes the real numbers. Depending on the context, streams are also referred to as real-valued discrete streams or signals, $\omega$-streams, $\omega$-sequences, or $\omega$-words. The *generating function* [11] of a stream is a *formal power series*

$$\sum\_{i \in \mathbb{N}} a\_i X^i \tag{1}$$

in the *indefinite* $X$. These power series are *formal* because the symbol $X$ is not instantiated and there is no notion of convergence. The element $a_i \in \mathbb{R}$ is the *coefficient* of $X^i$, and the set of formal power series with coefficients in $\mathbb{R}$ is denoted by $\mathbb{R}[[X]]$. We also write $f_i$ for the coefficient of $X^i$ in the formal power series $f$. Now, a *polynomial* in $\mathbb{R}[X]$ of degree $n \in \mathbb{N}$ is a formal power series $f$ with $f_n \neq 0$ and $f_i = 0$ for all $i > n$. We use the terms streams and formal power series interchangeably because of their one-to-one correspondence.

Addition of streams $f, g \in \mathbb{R}[[X]]$ is pointwise, and streams are multiplied by convolution.

$$f + g := \sum\_{i \in \mathbb{N}} (f\_i + g\_i)X^i \tag{2}$$

$$f \cdot g := \sum\_{i \in \mathbb{N}} (\sum\_{j=0}^{i} f\_j g\_{i-j}) X^i \tag{3}$$

With these operations $(\mathbb{R}[[X]], +, \cdot, 0, 1)$ becomes a *commutative integral ring* with additive unit $0 := (0, 0, \ldots)$ and multiplicative unit $1 := (1, 0, 0, \ldots)$. The real number line $\mathbb{R}$ is embedded in the polynomial ring $\mathbb{R}[X]$, which itself is embedded in $\mathbb{R}[[X]]$. Moreover, the *rational functions* $\mathbb{R}(X)$ are defined as the fraction field of the polynomials $\mathbb{R}[X]$. $\mathbb{R}[[X]]$ and $\mathbb{R}(X)$ are incomparable in that neither contains the other.

**Proposition 1.** *For* $f \in \mathbb{R}[[X]]$, *the* multiplicative inverse $f^{-1} \in \mathbb{R}[[X]]$ *exists if and only if* $f_0 \neq 0$.

*Proof.* Let $f, g \in \mathbb{R}[[X]]$. The identity $f \cdot g = 1$ holds, by the defining identity (3) for convolution, if and only if $f_0 g_0 = 1$ and $\sum_{i=0}^{k} f_i g_{k-i} = 0$ for all $k \geq 1$. The latter equality is rewritten as $f_0 g_k = -\sum_{i=1}^{k} f_i g_{k-i}$. Now, $f_0 g_0 = 1$ can be solved for $g_0$ if and only if $f_0 \neq 0$. In this case, $g_0 = 1/f_0$ and $g_k = -g_0 \sum_{i=1}^{k} f_i g_{k-i}$, for $k \geq 1$, yielding a solution for $g$, which gives the multiplicative inverse of $f$.

We also write the quotient $f/g$ instead of $f \cdot g^{-1}$, whenever $g^{-1}$ exists.

*Example 6.*

$$\begin{aligned} 1/(1 - X) &= (1, 1, 1, 1, \ldots) \\ 1/(1 - X)^2 &= (1, 2, 3, 4, \ldots) \\ 1/(1 - rX) &= (1, r, r^2, r^3, \ldots) \quad \text{for } r \in \mathbb{R} \end{aligned}$$

These identities are easily verified by the defining identities for convolution (3) and for the multiplicative inverse. The first stream identity, for instance, is verified by the identity (1, −1, 0,...) · (1, 1, 1,...) = (1, 0, 0,...), since 1 − X is identified with (1, −1, 0,...).

A stream in $\mathbb{R}[[X]]$ is *rational* if it is expressible as a quotient $p/q$ of polynomials $p, q \in \mathbb{R}[X]$ such that $q_0 \neq 0$ [40]. Rational streams, as a subring of the formal power series $\mathbb{R}[[X]]$, are central to *stream calculus* because of their close correspondence to stream circuits [40].

*Example 7 ([37]).* Let $f, g$ be rational streams with real-valued coefficients. Using the defining equations

$$\begin{aligned} D\_1(f) &:= X \cdot f \\ A(f, g) &:= f + g \\ C(f) &:= f \end{aligned}$$

for the unit delay register $D_1$, addition $A$ of two streams, and copying $C$ of a stream, we obtain from the stream circuit in Fig. 1 a system of defining equations $h_1 = X \cdot h_2$, $h_3 = z + h_1$, $h_2 = h_3$, $y = h_3$. Back substitution for the intermediate streams $h_3$, $h_1$, and $h_2$, in this order, yields an equational constraint $y = z + (X \cdot y)$, which is equivalent to $y = 1/(1-X) \cdot z$. Now, $y = (\sum_{i=0}^{k} z_i)_{k \in \mathbb{N}}$ as a result of the identity for $1/(1-X)$ in Example 6.
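The following is an added example and not the paper's code: it carries the definitions (2) and (3), the inverse construction from the proof of Proposition 1 and the identities of Example 6 through on truncated streams, compares the clock-by-clock behaviour of the circuit of Fig. 1 with $1/(1-X) \cdot z$ as derived in Example 7, and recovers the transfer function asked for in Example 5 as the quotient $y/z$. The prefix length `N` and the test input $z = (1, 2, 3, \ldots)$ are constructed for the example.

```python
"""Truncated formal power series (streams) with addition (2), convolution (3), the
multiplicative inverse of Proposition 1, and a step-by-step simulation of the stream
circuit of Fig. 1 (Example 7).  Added example, not code from the paper; streams are
cut off after N coefficients, which is an assumption that is harmless here because
coefficient k of a sum, product or inverse depends only on coefficients 0..k."""
from fractions import Fraction

N = 10  # prefix length kept


def stream(*coeffs):
    """Stream (a_0, a_1, ...) padded with zeros to length N."""
    cs = [Fraction(c) for c in coeffs[:N]]
    return tuple(cs + [Fraction(0)] * (N - len(cs)))


ZERO, ONE, X = stream(), stream(1), stream(0, 1)


def add(f, g):
    return tuple(a + b for a, b in zip(f, g))


def sub(f, g):
    return tuple(a - b for a, b in zip(f, g))


def mul(f, g):
    """Convolution (3): coefficient k is sum_{j=0..k} f_j g_{k-j}."""
    return tuple(sum(f[j] * g[k - j] for j in range(k + 1)) for k in range(N))


def inverse(f):
    """Proposition 1: g_0 = 1/f_0 and g_k = -g_0 * sum_{i=1..k} f_i g_{k-i}; needs f_0 != 0."""
    if f[0] == 0:
        raise ValueError("no multiplicative inverse: f_0 = 0")
    g = [Fraction(1) / f[0]]
    for k in range(1, N):
        g.append(-g[0] * sum(f[i] * g[k - i] for i in range(1, k + 1)))
    return tuple(g)


def div(f, g):
    return mul(f, inverse(g))


def circuit_fig1(z):
    """Clock-by-clock simulation of Fig. 1 with D_1 (initial value 0), A and C:
    y_k = z_k + register; the register then stores y_k via C."""
    register, ys = Fraction(0), []
    for z_k in z:
        y_k = z_k + register      # adder A
        register = y_k            # copy C feeds the delay D_1
        ys.append(y_k)
    return tuple(ys)


def transfer_function(z, y):
    """Example 5: the witness u with y = u . z, obtained as y / z when z_0 != 0."""
    return div(y, z)


if __name__ == '__main__':
    z = stream(*range(1, N + 1))                       # constructed input (1, 2, 3, ...)
    print(circuit_fig1(z) == mul(inverse(sub(ONE, X)), z))
    print(transfer_function(z, circuit_fig1(z)) == inverse(sub(ONE, X)))
```

Exact rational arithmetic is used so that the comparisons are equalities rather than floating-point approximations; the quotient in `transfer_function` is only defined when $z_0 \neq 0$, which is precisely the condition of Proposition 1.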

*Remark 1.* *Rational streams* substantially differ from the *rational functions*. The inverse $1/X$, for example, is not a rational stream, and it is not even a formal power series. But it is in $\mathbb{R}(X)$.

**Fig. 2.** Commuting stream embeddings ('∗' denotes completion for the valuation $|.|$, and '/' the fraction field construction).

The field $\mathbb{R}((X))$ of *formal Laurent series* is the fraction field of the formal power series $\mathbb{R}[[X]]$. Elements of $\mathbb{R}((X))$ therefore are of the form

$$\sum\_{i=-n}^{\infty} a\_i X^i,\tag{4}$$

for $n \in \mathbb{N}$ and $a_i \in \mathbb{R}$. They can therefore be thought of as streams that are preceded by a finite, and possibly empty, history, which is used for "rewinding computations". In fact, every formal Laurent series is of the form $X^{-n} \cdot f$, for some $n \in \mathbb{N}$ and some formal power series $f \in \mathbb{R}[[X]]$.

The valuation $v : \mathbb{R}((X)) \to \mathbb{Z} \cup \{\infty\}$ is given by $v(0) := \infty$ and, for $f \neq 0$, $v(f)$ is the minimal index $k \in \mathbb{Z}$ with $f_k \neq 0$. In the latter case, $f_k$ is also said to be the *lead coefficient* of $f$. Now, the set $\mathbb{R}((X))$ of formal Laurent series is *orderable* (see Appendix A) by the *positive cone* $\mathbb{R}((X))^+$ of formal Laurent series with positive lead coefficient. This set determines a strict ordering $f < g$, for $f, g \in \mathbb{R}((X))$, which is defined to hold if and only if $g - f \in \mathbb{R}((X))^+$, and a total ordering $f \leq g$, which holds if and only if $f < g$ or $f = g$. The restriction of $\leq$ to the formal power series in $\mathbb{R}[[X]]$ is also a total order.

**Proposition 2.**

*1.* $(\mathbb{R}[[X]]; +, \cdot, 0, 1; \leq)$ *is a totally ordered commutative integral ring.*
*2.* $(\mathbb{R}((X)); +, \cdot, 0, 1; \leq)$ *is a totally ordered field.*

As a consequence of Proposition 2.2, $\mathbb{R}((X))$ is *formally real* ($-1$ cannot be written as a sum of nonzero squares in $\mathbb{R}((X))$), $\mathbb{R}((X))$ is not algebraically closed (for example, the polynomial $X^2 + 1$ has no root), and $\mathbb{R}((X))$ is of characteristic 0 (0 cannot be written as a sum of 1s). Moreover, the Archimedean property (see [41]) fails to hold for $\mathbb{R}((X))$, because $X + X + \ldots + X < 1$ no matter how many $X$'s we add together: $X$ is a positive infinitesimal.

From the (normalized) valuation $v$ one obtains, with the convention $2^{-\infty} := 0$, the absolute value function $|.| : \mathbb{R}((X)) \to \mathbb{R}^{\geq 0}$ by setting

$$|f| := 2^{-v(f)}.\tag{5}$$

By construction, $|.|$ is the *non-Archimedean absolute value* on $\mathbb{R}((X))$ corresponding to the valuation $v$ [31]. Now, the induced metric $d : \mathbb{R}((X)) \times \mathbb{R}((X)) \to \mathbb{R}^{\geq 0}$ with

$$d(f, g) := |f - g|\tag{6}$$

measures the distance between f and g in terms of the longest common prefix. Again, by construction, the *strong triangle inequality*

$$d(f, h) \le \max(d(f, g), d(g, h))\tag{7}$$

holds for all f, g, h ∈ R((X)), and therefore d is ultrametric.

**Proposition 3.** (R((X)), d) *is an ultrametric space.*

*Example 8.* The scaled identity function $I_f(x) := f \cdot x$, for $f \neq 0$, is uniformly continuous in the topology induced by the metric d.² For given ε > 0, let $\delta := \varepsilon / |f|$. Now, d(x, y) < δ implies $d(f \cdot x, f \cdot y) = |f|\, d(x, y) < |f|\, \delta = \varepsilon$ for all x, y ∈ R((X)).

**Proposition 4.** *Both addition and multiplication of formal Laurent series in* R((X)) *are continuous in the topology induced by the prefix metric* d*.*

The notions of Cauchy sequences and convergence in the metric space (R((X)), d) are defined as usual. For example, $\lim_{n \to \infty} X^n = 0$ and $\lim_{n \to \infty} \sum_{k=0}^{n} X^k = 1/(1-X)$. For a given sequence $(f_k)_{k \in \mathbb{N}}$ of formal Laurent series, (1) the sequence $(f_k)_{k \in \mathbb{N}}$ is *Cauchy* iff $\lim_{k \to \infty} d(f_{k+1}, f_k) = 0$, (2) the series $\sum_{k=0}^{\infty} f_k := \lim_{n \to \infty} \sum_{k=0}^{n} f_k$ converges iff $\lim_{k \to \infty} f_k = 0$, and (3) if $\lim_{k \to \infty} f_k = f \neq 0$, then there exists an integer N > 0 such that for all m ≥ N, $|f_m| = |f_N| = |f|$. These properties follow directly from the fact that |.| is a non-Archimedean absolute value.
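The valuation, absolute value, prefix metric and positive-cone ordering from the preceding paragraphs, as an added example in Python (not code from the paper). It models a Laurent series lazily by a lower index and a coefficient function; the only assumption is a search window for the valuation, so the zero test is approximate.

```python
import math
from fractions import Fraction

# Added example (not code from the paper): a lazy model of formal Laurent
# series R((X)) with rational coefficients, carrying the valuation v, the
# absolute value |f| = 2^(-v(f)), the prefix metric d(f, g) = |f - g| and the
# ordering via the positive cone. A series is a lower index m together with a
# coefficient function; coefficients below m are zero. The valuation is
# searched only over WINDOW indices above m, so two series that agree on that
# whole window are reported as equal (the one approximation in this model).
WINDOW = 64


class Laurent:
    def __init__(self, m, coeff):
        self.m = m              # smallest index that may carry a nonzero coefficient
        self._coeff = coeff     # i -> coefficient of X^i, consulted only for i >= m

    def coeff(self, i):
        return Fraction(self._coeff(i)) if i >= self.m else Fraction(0)

    def valuation(self):
        """v(f): the minimal k with f_k != 0, or inf when f is zero (within WINDOW)."""
        for k in range(self.m, self.m + WINDOW):
            if self.coeff(k) != 0:
                return k
        return math.inf

    def lead(self):
        """Lead coefficient f_{v(f)}; 0 for the zero series."""
        v = self.valuation()
        return Fraction(0) if v == math.inf else self.coeff(v)

    def __sub__(self, other):
        return Laurent(min(self.m, other.m), lambda i: self.coeff(i) - other.coeff(i))

    def __abs__(self):
        """|f| := 2^(-v(f)), with 2^(-inf) := 0."""
        v = self.valuation()
        return 0.0 if v == math.inf else 2.0 ** (-v)

    def __lt__(self, other):
        """f < g iff g - f lies in the positive cone, i.e. has positive lead coefficient."""
        return (other - self).lead() > 0


def dist(f, g):
    """The prefix metric d(f, g) := |f - g|."""
    return abs(f - g)


def series(terms):
    """series({k: a_k, ...}) = sum of a_k X^k over the given (possibly negative) indices."""
    return Laurent(min(terms), lambda i: terms.get(i, 0))


X = series({1: 1})
ONE = series({0: 1})
ZERO = Laurent(0, lambda i: 0)
GEOMETRIC = Laurent(0, lambda i: 1)      # 1/(1 - X) = 1 + X + X^2 + ...


def partial_geometric(n):
    """The partial sum X^0 + X^1 + ... + X^n."""
    return Laurent(0, lambda i: 1 if i <= n else 0)


def geometric_tail_distances(n_max):
    """d(partial sum up to n, 1/(1-X)) for n = 0..n_max: equals 2^-(n+1), hence tends to 0."""
    return [dist(partial_geometric(n), GEOMETRIC) for n in range(n_max + 1)]


def strong_triangle_holds(f, g, h):
    """The ultrametric inequality d(f, h) <= max(d(f, g), d(g, h))."""
    return dist(f, h) <= max(dist(f, g), dist(g, h))


def is_infinitesimal(f, up_to):
    """n * f < 1 for every n = 1..up_to: the Archimedean property fails for X."""
    return all(Laurent(f.m, lambda i, n=n: n * f.coeff(i)) < ONE
               for n in range(1, up_to + 1))


if __name__ == "__main__":
    f, g, h = series({-2: 1, 0: 3}), series({-1: 1}), series({0: 5, 3: 1})
    print("v(X^-2 + 3) =", f.valuation(), " |X| =", abs(X), " 0 < X < 1:", ZERO < X < ONE)
    print("d(f,g), d(g,h), d(f,h) =", dist(f, g), dist(g, h), dist(f, h),
          " ultrametric:", strong_triangle_holds(f, g, h))
    print("partial sums of 1/(1-X):", geometric_tail_distances(5))
    print("X infinitesimal (n*X < 1 for n <= 1000):", is_infinitesimal(X, 1000))
```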

**Proposition 5.** (R((X)), d) *is Cauchy complete.*

*Proof.* Let $(f_k)_{k \in \mathbb{N}}$ be a Cauchy sequence with $f_k \in R((X))$. Then, for all c ∈ N there is $N_c \in \mathbb{N}$ such that $d(f_n, f_m) < |X^c|$ for all $n, m \ge N_c$. But this means that $f_n - f_m \in X^c \cdot R((X))$. Since the $f_k$ are Laurent series, there are $M_k \in \mathbb{Z}$ and $a_{k,i} \in R$ such that $f_k = \sum_{i \ge M_k} a_{k,i} X^i$. Consequently, $(a_{k,i})_{k \in \mathbb{N}}$ is constant for k large enough. Now, there exists J ∈ Z such that

$$\lim\_{k \to \infty} f\_k = \sum\_{i \ge J} (\lim\_{k \to \infty} a\_{k,i}) X^i \in \mathcal{R}((X)),$$

and therefore R((X)) is Cauchy complete.

Indeed, R((X)) can be shown to be the Cauchy completion of R(X), and the stream embeddings discussed so far commute as displayed in Fig. 2.³ Finally, as a non-Archimedean, Cauchy complete, and totally ordered field, R((X)) lacks the *least upper bound property*, that is, there exists a non-empty subset of R((X)) with an upper bound and no least upper bound in R((X)).

² The topology induced by the order ≤ on streams is identical to the topology induced by the prefix metric d.

³ This story continues, as R((X)) is a subfield of the real closed Levi-Civita field, which itself is the Cauchy completion of the Newton-Puiseux series $\bigcup_{l=1}^{\infty} R((X^{1/l}))$ over the reals, which can also be shown to be real closed.

## **4 Real Closedness**

R((X)) is a totally ordered field by Proposition 2. To show that R((X)) is *real closed*, we therefore still need to demonstrate the existence of a square root for streams and the existence of roots for all odd degree polynomials in R((X))[Y], where Y is a single indeterminate (cf. Appendix B). General results on the preservation of real-closedness ([1], §6.23, (1)-(2); [42], p. 221) are not applicable for demonstrating real-closedness of R((X)).

The main step for showing real-closedness of R((X)) is an intermediate value property (IVP) for streams. It should be recalled that the standard proof of the IVP for a continuous function over the field of real numbers essentially uses the fact that intervals and connected subsets coincide in the real number field and that continuous functions preserve connectedness. When working with the non-Archimedean, complete, and ordered field R((X)), however, such an argument is no longer applicable, as it lacks the least upper bound property and therefore also the dichotomic procedure for proving IVP. In this case, not only do the Archimedean proofs of the IVP not work, but the IVP does not hold in general. It nevertheless holds for special cases [6].

**Lemma 1 (IVP).** *For a polynomial* P(Y) ∈ R[[X]][Y] *and* α, β ∈ R[[X]] *such that* P(α) < 0 < P(β)*, there exists* γ ∈ R[[X]] ∩ (α, β) *with* P(γ) = 0*.*

*Proof.* Since R[[X]] is the Cauchy completion of R[X], there are sequences $(a_n)_{n \in \mathbb{N}}$ and $(b_n)_{n \in \mathbb{N}}$ of polynomials $a_n, b_n \in R[X]$ such that $\lim_{n \to \infty} a_n = \alpha$ and $\lim_{n \to \infty} b_n = \beta$. From the assumptions P(α) < 0 < P(β) and continuity of the polynomial P in the topology induced by the prefix metric d, one can therefore find a, b ∈ R[[X]] in the sequences $(a_n)$ and $(b_n)$ with α ≤ a < b ≤ β and P(a) < 0 < P(b). By continuity of P, $P(\alpha) = P(\lim_{n \to \infty} a_n) = \lim_{n \to \infty} P(a_n)$. Now, for $0 < \varepsilon := |P(\alpha)|/2$, there exists N ∈ N such that $d(P(a_n), P(\alpha)) < \varepsilon$ for all n ≥ N. Therefore, P(a) < 0 for $a := a_N$. The construction for b is similar.

The proof proceeds along two cases. If there is γ ∈ R[[X]] ∩ (a, b) such that P(γ) = 0 we are finished. Otherwise, P(γ) ≠ 0 for all γ ∈ R[[X]] ∩ (a, b). We define $\alpha_0 := a$, $\beta_0 := b$, and, for m ∈ N,

$$[\alpha_{m+1}, \beta_{m+1}] = \begin{cases} [\alpha_m, \delta_m] & \text{if } P(\delta_m) > 0 \\ [\delta_m, \beta_m] & \text{if } P(\delta_m) < 0, \end{cases}$$

where $\delta_m := \tfrac{1}{2}(\alpha_m + \beta_m) \in R[[X]]$. By assumption, $P(\delta_m) \neq 0$, and, by construction, $(\alpha_m)_{m \in \mathbb{N}}$ is a non-decreasing and $(\beta_m)_{m \in \mathbb{N}}$ a non-increasing sequence in R[X] such that, for all m ∈ N, $\alpha_m < \beta_m$, $d(\alpha_m, \beta_m) \le 2^{-m}$, $P(\alpha_m) < 0$, and $P(\beta_m) > 0$. Therefore, both $(\alpha_m)_{m \in \mathbb{N}}$ and $(\beta_m)_{m \in \mathbb{N}}$ are Cauchy, $(\alpha_m)_{m \in \mathbb{N}}$ converges from below, and $(\beta_m)_{m \in \mathbb{N}}$ converges from above to a point γ. Now, γ ∈ R[[X]], since R[[X]] is the Cauchy completion of R[X]. Since P is continuous we obtain

$$\lim\_{m \to \infty} \underbrace{P(\alpha\_m)}\_{<0} = P(\lim\_{m \to \infty} \alpha\_m) = P(\gamma) = P(\lim\_{m \to \infty} \beta\_m) = \lim\_{m \to \infty} \underbrace{P(\beta\_m)}\_{>0},$$

and therefore P(γ) = 0. This establishes the claim.

A *real closed ring* is an ordered domain which has the intermediate value property for polynomials in one variable. From the IVP for formal power series in Lemma 1 we immediately obtain the following three properties that characterize *real closed rings* [12].

#### **Proposition 6.**


*Proof.* In each of the three cases a certain polynomial changes sign, and hence has a root. The relevant polynomials in R-X[Y ] are:


*Example 9.* $\sqrt{(1, 2, 3, \ldots)} = (1, 1, 1, \ldots)$, since, using the identities in Example 6, $(1, 1, 1, \ldots)^2 = (1/(1-X))^2 = 1/(1-X)^2 = (1, 2, 3, \ldots)$.

Alternatively, square roots of streams are constructed as unique solutions of corecursive identities.

*Remark 2 (Corecursive definition of square root* [39]*).* Assume f ∈ R[[X]] with head coefficient $f_0 > 0$ and tail f' ∈ R[[X]]. Then $\sqrt{f}$ ∈ R[[X]] is the unique solution (for the unknown g) of the corecursive identity $g' = f'/(\sqrt{f_0} + g)$, for the tail g' of g, and the initial condition $g_0 = \sqrt{f_0}$ for the head $g_0$ of g. Now, for all f, g ∈ R[[X]] with f > 0, if g · g = f then either $g = \sqrt{f}$ or $g = -\sqrt{f}$, depending on whether the head $g_0$ is positive or negative ([39], Theorem 7.1).
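The corecursive square root of Remark 2, solved by iterating its right-hand side, as an added Python example (not code from the paper or from [39]). It assumes exact rational arithmetic truncated to N coefficients and a head coefficient that is a rational square, and it reproduces Example 9 as well as the two-roots statement.

```python
from fractions import Fraction
from math import isqrt

# Added example (not code from the paper or [39]): formal power series R[[X]]
# with rational coefficients, truncated to N terms, and the corecursive square
# root of Remark 2:   head(g) = sqrt(f_0),   tail(g) = tail(f) / (sqrt(f_0) + g).
# The identity is solved by iterating its right-hand side from the guess
# g = sqrt(f_0). Each round is a contraction in the prefix metric: if the
# guess agrees with the solution up to X^k, the quotient does too, and the
# shift by X makes the next guess agree up to X^(k+1). N rounds therefore fix
# all N stored coefficients.
N = 10


def pad(f):
    """Coefficient list of length N (Fractions), zero-extended or truncated."""
    f = [Fraction(x) for x in f][:N]
    return f + [Fraction(0)] * (N - len(f))


def mul(a, b):
    """Cauchy product of two series, truncated to N coefficients."""
    out = [Fraction(0)] * N
    for i, ai in enumerate(a):
        for j in range(N - i):
            out[i + j] += ai * b[j]
    return out


def inverse(b):
    """1/b for a series with nonzero head, read off from b * inv = 1 degree by degree."""
    if b[0] == 0:
        raise ZeroDivisionError("only series with nonzero head are units in R[[X]]")
    inv = [Fraction(0)] * N
    inv[0] = 1 / b[0]
    for n in range(1, N):
        inv[n] = -sum(b[k] * inv[n - k] for k in range(1, n + 1)) / b[0]
    return inv


def tail(f):
    """f' with f = f_0 + X * f' (fundamental theorem of stream calculus)."""
    return f[1:] + [Fraction(0)]


def cons(head, t):
    """head + X * t"""
    return [Fraction(head)] + t[:N - 1]


def rational_sqrt(q):
    """Exact square root of a non-negative rational whose numerator and denominator are squares."""
    q = Fraction(q)
    r = Fraction(isqrt(q.numerator), isqrt(q.denominator))
    if r * r != q:
        raise ValueError("head coefficient must be a rational square for exact arithmetic")
    return r


def stream_sqrt(f):
    """The unique g with g * g = f and positive head, for f in R[[X]] with f_0 > 0."""
    f = pad(f)
    if f[0] <= 0:
        raise ValueError("Remark 2 requires a positive head coefficient")
    s0 = rational_sqrt(f[0])
    g = cons(s0, [Fraction(0)] * N)              # initial guess: the head alone
    for _ in range(N):
        denominator = [s0 + g[0]] + g[1:]        # sqrt(f_0) + g
        g = cons(s0, mul(tail(f), inverse(denominator)))
    return g


def is_square_root(g, f):
    """Check g * g = f on the N stored coefficients."""
    return mul(pad(g), pad(g)) == pad(f)


if __name__ == "__main__":
    print(stream_sqrt(range(1, N + 1)))          # Example 9: sqrt(1, 2, 3, ...) = (1, 1, 1, ...)
    root = stream_sqrt([1, 1])                   # sqrt(1 + X) = 1 + X/2 - X^2/8 + X^3/16 - ...
    print(root)
    # both g and -g square to f; Remark 2 picks the one with positive head
    print(is_square_root(root, [1, 1]), is_square_root([-c for c in root], [1, 1]))
```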

It is an immediate consequence of property (1) of Proposition 6 that the formal power series R[[X]] form a proper *valuation ring* of its fraction field R((X)); that is, f or $f^{-1}$ lies in R[[X]] for each nonzero f ∈ R((X)). Since R[[X]] also satisfies the IVP (Lemma 1) we obtain:

**Corollary 1.** (R[[X]]; +, ·, 0, 1; ≤) *is a* real closed ordered valuation ring*.*

Formal Laurent series, as the fraction field of formal power series, inherit the properties (2) and (3) in Proposition 6.

#### **Proposition 7.**


*Proof.* Assume 0 < f/g ∈ R((X)). Then 0 < f · g ∈ R[[X]], and $\sqrt{f \cdot g}/g$ is the square root of f/g. For establishing (2), let P(Y) ∈ R((X))[Y] be a polynomial of odd degree n. Choose 0 ≠ h ∈ R((X)) such that h · P(Y) ∈ R[[X]][Y]. Now, $Q(Y) := h^n \cdot P(Y/h)$ is a monic polynomial in R[[X]][Y] of odd degree. Applying Proposition 6.2 to Q(Y) we see that P(Y) has a root in R((X)).

Formal Laurent series are real closed (see Appendix B) as an immediate consequence of Proposition 7.

**Corollary 2.** (R((X)); +, ·, 0, 1; ≤) *is a real closed ordered field.*

Therefore the ordering ≤ on R((X)) is unique.

## **5 Decision Method**

The first-order theory Trcf of ordered, real closed fields (see Appendix B) admits quantifier elimination [16,44]. That is, for every formula φ in the language Lor (cf. Appendix B) of ordered rings/fields there exists a quantifier-free formula ψ in this language with FV(ψ) ⊆ FV(φ)⁴ such that Trcf ⊨ (φ ⟺ ψ). Thus, Corollary 2 implies quantifier elimination for the streams in R((X)).

**Theorem 1.** *Let* ϕ *be a first-order formula in the language* Lor *of ordered fields; then there is a computable function for deciding whether* ϕ *holds in the* Lor*-structure* (R((X)); +, ·, 0, 1; ≤) *of streams.*

As an immediate consequence of the quantifier elimination property for R((X)), the structure of formal Laurent series with real-valued coefficients is *elementarily equivalent* to the real numbers in that they satisfy the same first-order Lor-sentences. Notice that decidability of R((X)) already follows from the developments in ([4], Corollary), since the field R is of characteristic 0. This observation, however, does not yield quantifier elimination.

There is an explicit quantifier elimination procedure for real closed valuation rings, which uses quantifier elimination on its fraction field as a subprocedure ([12], Section 2). Therefore, by Corollary 1, we obtain a decision procedure for first-order formulas and streams in R[[X]], which has quantifier elimination for R((X)) as a subprocedure.

**Theorem 2.** *Let* ϕ *be a first-order formula in the language* Lor ∪ {|} *of ordered rings extended with divisibility; then there is a computable function for deciding whether* ϕ *holds in the* Lor ∪ {|}*-structure* (R[[X]]; +, ·, 0, 1; |, ≤) *of streams.*

Tarski's original algorithm for quantifier elimination has non-elementary computational complexity [44], but cylindrical algebraic decomposition provides a decision procedure of complexity $d^{2^{O(n)}}$ [18], where n is the total number of variables (free and bound), and d is the product of the degrees of the polynomials occurring in the formula.

⁴ FV(.) denotes the set of free variables in a formula.

**Theorem 3.** *Let* ϕ *be a first-order formula in the language* Lor *of ordered fields. Then the validity of* ϕ *in the structure* R((X)) *of streams is decided with complexity* $d^{2^{O(n)}}$*, where* n *is the total number of variables (free and bound), and* d *is the product of the degrees of the polynomials occurring in* ϕ*.*

This worst-case complexity is nearly optimal for quantifier elimination for real closed fields [20]. For existentially quantified conjunctions of literals of the form $(\exists x_1, \ldots, x_k)\, \bigwedge_{i=1}^{n} p_i(x_1, \ldots, x_k) \bowtie 0$, where ⋈ stands for either <, =, or >, the worst-case complexity is $n^{k+1} \cdot d^{O(k)}$ arithmetic operations and polynomial space [5]. Various implementations of decision procedures for real closed fields use virtual term substitution [46] or conflict-driven clause learning [24].

## **6 Definitional Extensions**

We consider definitional extensions of the first-order theory Trcf of ordered real closed fields for encoding some fundamental concepts of stream calculus. The transfer function in Example 7 of the stream circuit in Fig. 1, for example, is encoded as a first-order formula in the language Lor of (ordered) rings extended with constant symbols X and <sup>1</sup>/(1−X).

*Example 10.*

$$(\forall z, y, h_1)\,\big((h_1 = \overline{X} \cdot y \land y = z + h_1) \Rightarrow y = \overline{1/(1-X)} \cdot z\big),$$

where the logical variables z, y, $h_1$ are interpreted over streams in R[[X]]. To obtain a decision procedure for these kinds of formula, we therefore


*Relativization.* There is a monadic formula with an ∃∀∃∀ quantifier prefix and no parameters for uniformly defining the formal power series R[[X]] in R((X)), as a direct consequence of Ax's construction [4].⁵ Moreover, R[[X]] is ∀∃-definable in R((X)) by ([35], Theorem 2 together with footnote 2), since the valuation ring R[[X]] is Henselian. The model-theoretic developments in [35], however, do not provide an explicit definitional formula. But explicit definitions of valuation rings in valued fields are studied in [3,15,21].

From these considerations we obtain an explicit definition in R((X)) of the monadic predicate S(x) for characterizing the set of streams in R[[X]]. By relativization of quantifiers with respect to this predicate S we therefore assume from now on that all logical variables are interpreted over the streams in R[[X]]. In addition, we are assuming definitions R(x) for given, and possibly finite, subsets R of real number embeddings. For example, the algebraic definition

$$(\forall x)\,\overline{\mathbb{F}\_2}(x) \iff x = x^2 \tag{8}$$

defines the binary set {0, 1} of streams.

⁵ This observation holds for any field of coefficients.

*Shifting Streams.* The *fundamental theorem of stream calculus* [38] states that for every f ∈ R[[X]] there exist unique r ∈ R and f' ∈ R[[X]] with f = [r] + X · f'. In this case, r is the *head* coefficient, [r] is the embedding of the real number r as a stream in R[[X]], and f' is the *tail* of the stream f. Therefore, the definition

$$(\forall z)\,\overline{X} = z \iff (\forall y)\,(\exists^1 y\_0, y')\,\overline{R}(y\_0) \land y = y\_0 + z \cdot y',\tag{9}$$

for $\overline{X}$ a fresh constant symbol, yields a conservative extension Trcf[S, R, X] of the theory Trcf, with X, as an element of R[[X]], the only possible interpretation for the constant symbol $\overline{X}$. Notice that the definitional formula (9) for $\overline{X}$ requires ∀∃∀ quantifier alternation due to the $\exists^1$ quantifier involved.

*Example 11.* The basic stream constructors of stream circuits for addition A, multiplication $M_q$ by a rational q ∈ Q, and unit delay $D_1$ are defined by (the universal closures of)

$$\begin{aligned} \overline{A}(x\_1, x\_2) = y &\iff y = x\_1 + x\_2\\ \overline{M\_{n/m}}(x) = y &\iff my = nx\\ \overline{D\_1}(x) = y &\iff y = \overline{X} \cdot x, \end{aligned}$$

where $D_1$, A, and $M_{n/m}$ for n, m ∈ N with m ≠ 0, are new function symbols, and the variables are interpreted over R((X)). Synchronous composition of two stream circuits, say S(x, y) and T(y, z), is specified in terms of the quantified conjunction (∃y) S(x, y) ∧ T(y, z), where existential quantification is used for *hiding* the intermediate stream y [43].

*Rational Streams.* We are now extending the language of ordered rings with constant symbols for rational streams (with rational coefficients). This extended language is expressive, for example, for encoding *equivalence* of rational stream transformers. We consider rational streams f = p(X)/q(X) with rational coefficients. In this case, the head of q(X) is nonzero and f ∈ R[[X]]. Multiplication by q(X) and by the least common multiple of the denominators of all rational coefficients in p(X) and q(X) yields an equality constraint in the language Lor[S, R, X]. More precisely, let $R_{\mathbb{Q}}$ be a set of fresh constant symbols for all rational streams (except for X) and Trcf[S, R, X, $R_{\mathbb{Q}}$] the extension of Trcf by the definitions

$$(\forall y)\,\overline{f} = y \iff \tilde{p}(\overline{X}) \cdot y = \tilde{q}(\overline{X}) \tag{10}$$

for each rational stream f (except X), $\tilde{p}(x) := c\, p(x)$, and $\tilde{q}(x) := c\, q(x)$, for c ∈ N the least common multiple of the denominators of the coefficients of p(x) and q(x); then: Trcf[S, R, X, $R_{\mathbb{Q}}$] is a conservative extension of Trcf, and all the symbols $\overline{f} \in R_{\mathbb{Q}}$ have the rational stream interpretation f.

*Remark 3.* Alternatively, a rational stream f (with rational coefficients) can be finitely represented in terms of linear transformations $H : \mathbb{Q}^d \to \mathbb{Q}$ and $G : \mathbb{Q}^d \to \mathbb{Q}^d$, where d is the finite dimension of the linear span of the iterated tails of f [40]. Constraints for the finite number d of linearly independent iterated tails are obtained from the anamorphism ⟨H, G⟩, which is the unique homomorphism from the coalgebra $\langle H, G \rangle \in \mathbb{Q}^d \to \mathbb{Q} \times \mathbb{Q}^d$ to the corresponding final stream coalgebra.

*Automatic Streams.* We exemplify the encoding of a certain class of regular streams as (semi-)algebraic constraints in stream logic. Consider the *Prouhet-Thue-Morse* [2] stream *ptm* ∈ $\mathbb{F}_2[[X]]$, for $\mathbb{F}_2$ the finite field of characteristic 2. The n-th coefficient of this stream is 1 if and only if the number of 1's in the 2-adic representation $[n]_2$ of n is even. In other words, the n-th coefficient is 1 if and only if $[n]_2$ is in $0^*(10^*10^*)^*$. This regular expression yields an equivalent deterministic finite automaton with two states, namely "odd number of 1s" and "even number of 1s". Such a stream is also said to be *automatic* [2].

Christol's characterization [13] of algebraic (over the rational functions with coefficients from a finite field) power series in terms of deterministic finite automata (with outputs) implies that the stream *ptm* is algebraic over $\mathbb{F}_2[X]$. For instance, the stream *ptm* can be shown to be a root of the polynomial $X + (1 + X^2) \cdot Y + (1 + X)^3 \cdot Y^2$ of degree 2 with coefficients in $\mathbb{F}_2[X]$. A semi-algebraic constraint for ruling out all but the intended solution can be read off, say, from a Sturm chain.
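The automatic stream and its algebraic relation from the two paragraphs above, checked on a finite prefix, as an added Python example (not code from the paper). It constructs *ptm* both from the parity definition and from the two-state automaton, evaluates the stated polynomial over $\mathbb{F}_2$ with arithmetic truncated to N terms, and also shows why an extra constraint is needed: the complementary stream is a second root.

```python
# Added example (not code from the paper): the Prouhet-Thue-Morse stream ptm
# over F_2 (coefficient n is 1 iff n has an even number of 1s in binary),
# checked against the algebraic relation quoted in the text,
#     X + (1 + X^2) Y + (1 + X)^3 Y^2 = 0   in F_2[[X]],
# on the first N coefficients. Series are lists of bits, arithmetic is mod 2.
N = 64


def ptm(n):
    """First n coefficients of ptm from the parity definition."""
    return [1 if bin(k).count("1") % 2 == 0 else 0 for k in range(n)]


def ptm_automaton(n):
    """The same stream read off the two-state DFA (even / odd number of 1s seen)."""
    out = []
    for k in range(n):
        state = 0                      # 0 = "even number of 1s", 1 = "odd number of 1s"
        for bit in bin(k)[2:]:
            if bit == "1":
                state ^= 1
        out.append(1 if state == 0 else 0)
    return out


def add(a, b):
    """Sum in F_2[[X]]: coefficient-wise XOR."""
    return [x ^ y for x, y in zip(a, b)]


def mul(a, b):
    """Product in F_2[[X]] truncated to N terms (carry-less convolution)."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j in range(N - i):
                out[i + j] ^= b[j]
    return out


def poly(*coeffs):
    """poly(c0, c1, ...) = c0 + c1 X + ... as an N-term series over F_2."""
    return [c & 1 for c in coeffs] + [0] * (N - len(coeffs))


def christol_relation_residual(y):
    """X + (1 + X^2) y + (1 + X)^3 y^2, truncated; all zero iff y is a root to order N."""
    x = poly(0, 1)
    one_plus_x = poly(1, 1)
    one_plus_x2 = poly(1, 0, 1)
    cube = mul(mul(one_plus_x, one_plus_x), one_plus_x)
    return add(add(x, mul(one_plus_x2, y)), mul(cube, mul(y, y)))


def is_root(y):
    return not any(christol_relation_residual(y))


if __name__ == "__main__":
    stream = ptm(N)
    print("ptm prefix:", stream[:16], " DFA agrees:", stream == ptm_automaton(N))
    print("ptm is a root:", is_root(stream))
    # the complement (odd parity) is the quadratic's second root, so the
    # polynomial alone does not pin ptm down; a sign/ordering constraint must
    complement = [1 - b for b in stream]
    print("complement is also a root:", is_root(complement))
```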

In this way, Christol's theorem supports the logical definition in stream logic of all kinds of analytic functions (sin, cos, . . . ) over finite fields. But not over the reals, as otherwise we could define the natural numbers using expressions such as sin (πx) = 0. And we could therefore encode undecidable identity problems over certain classes of analytic functions [36], even without using π [28].

*Heads and Tails.* On the basis of the *fundamental law of the stream calculus* for formal power series, we define operators for stream projection and consing. Now, the theory Trcf[S, R, X, hd,tl, cons] with the new (compared with Trcf[S, R, X]) definitional axioms

$$(\forall x, x')\, \overline{tl}(x) = x' \iff (\exists x_0)\, \overline{R}(x_0) \land x = x_0 + \overline{X} \cdot x' \tag{11}$$

$$(\forall x, x_0)\, \overline{hd}(x) = x_0 \iff \overline{R}(x_0) \land (\exists x')\, x = x_0 + \overline{X} \cdot x' \tag{12}$$

$$(\forall x_0, x', y)\, \overline{cons}(x_0, x') = y \iff \overline{R}(x_0) \land y = x_0 + \overline{X} \cdot x' \tag{13}$$

is a conservative extension of Trcf. Moreover, hd(x) = y (tl(x) = y) holds in the structure R-X if and only if y is interpreted by the head (tail) of the interpretation of x; similarly for consing.

With these definitions we may now also express corecursive identities in a decidable first-order equality theory. The following example codifies the Fibonacci recurrence (see Example 6) in our (extended) decidable logic.

*Example 12.*

$$\begin{aligned} \overline{hd}(x) &= 0 \\ \overline{hd}(\overline{tl}(x)) &= 1 \\ \overline{tl}^2(x) - \overline{tl}(x) - x &= 0. \end{aligned}$$

These kinds of *behavioral stream identities* are ubiquitous in stream calculus [38], for example, for specifying filter circuits.

*Example 13 (*3*-*2*-filter).* A 3-2-filter with input stream x and output y is specified in stream logic by three initial conditions and the difference equation

$$\begin{aligned} \overline{hd}(y) &= \overline{hd}(\overline{tl}(y)) = \overline{hd}(\overline{tl}^2(y)) = 0\\ \overline{tl}^3(y) &= c_0 x + c_1 \overline{tl}(x) + \overline{tl}^3(x) + c_2 c_3 \overline{tl}^2(y) + c_4 \overline{tl}(y), \end{aligned}$$

for constants $c_0, \ldots, c_4 \in \mathbb{Z}$.

*Example 14 (Timing Diagrams).* The rising edge stream is specified in Scade-like [17] programming notation using the combined equation

$$y = 0 \to x \land \neg pre(x).$$

That is, the head of y is 0 and the tail of y is specified by the expression to the right of the arrow. Notice that the Scade notation *pre*(x) is similar to the shift operation in that *pre*(x) = (⊥, $x_0$, $x_1$, ...), where ⊥ indicates that the head element is undefined. The rising edge stream E is specified corecursively in stream logic by

$$(\forall x, y)\,\overline{E}(x) = y \iff (\overline{hd}(y) = 0 \land \overline{tl}(y) = \overline{and}(x, \overline{not}(\overline{tl}(x)))),$$

for an arithmetic encoding of the logical stream operators *and* and *not*.

The decision procedure for stream logic may also be used in *coinductive* proofs for deciding whether or not a given binary stream relation is a bisimulation.

*Example 15 (Bisimulation).* A binary relation B on streams, expressed as a formula in stream logic with two free variables, is a *bisimulation* [38] if and only if the Lor[S, R, X, hd,tl] formula

$$(\forall x, y) \, B(x, y) \Rightarrow \overline{hd}(x) = \overline{hd}(y) \land B(\overline{tl}(x), \overline{tl}(y))$$

holds in the structure of streams.

Finally, we exemplify how corecursively defined stream functions are defined in a conservative extension of Trcf.

*Example 16 (Stream Zip).* The function *Z* for zipping the coefficients of two streams is defined by the corecursive identities

$$(\forall x, y) \; \overline{hd}(\overline{Z}(x, y)) = \overline{hd}(x) \; \land \; \overline{tl}(\overline{Z}(x, y)) = \overline{Z}(y, \overline{tl}(x)) .$$

Since there is a unique⁶ interpretation in R[[X]] satisfying these identities, the function symbol Z is defined implicitly in the theory Trcf[S, R, X, hd, tl, Z]. Now, by Beth's definability theorem [23], Z is also explicitly definable, say, on the basis of Craig interpolation.

*Example 17.* Assuming definitions E(x) and O(x) for sampling its stream argument x at even and at odd positions, respectively, we may now prompt our verification procedure to establish stream equalities such as

$$(\forall x) \, x = \overline{Z}(\overline{E}(x), \overline{O}(x)),$$

without using the bisimulation principle and without the need for constructing an explicit bisimulation relation.

The developments in Examples 16 and 17 generalize to all *stream differential equations* ([38], Chapter 11).

## **7 Conclusions**

First-order stream logic is expressive for encoding problems of stream calculus. It is decidable in doubly exponential time, and its decision procedure is based on quantifier elimination for the theory of real closed ordered fields. Some of the proposed encodings for the relativization of quantifiers, however, lead to additional quantifier alternations (and variables and constraints) in problem formulations, which significantly increases the computational effort required to solve these constraints. Thus, it remains to be seen whether and how exactly a decision procedure for stream logic based on quantifier elimination for real closed fields makes practical progress compared to mature implementations of the non-elementary logic-automaton connection [27,33].

Alternatively, the decision procedure for first-order stream logic can be based directly, that is, without relativizing the stream quantifiers, on a quantifier elimination procedure for real closed valuation rings [12]. But these algorithms have not been studied and explored nearly as much as quantifier elimination for real closed fields, and the author is not aware of a reasonable computer implementation.

⁶ See ([38], Theorem 252) for constructing unique solutions of corecursive identities based on the uniqueness of anamorphisms into the final stream coalgebra.

## **A Orderable Fields**

A field K is *orderable* if there exists a non-empty $K^+ \subset K$ such that


Provided that K is orderable we can generate a strict order on K by x < y if and only if $(y - x) \in K^+$. Furthermore, a total ordering ≤ on K is defined by x ≤ y if and only if x < y or x = y, and (K, ≤) is said to be a *(totally) ordered field*. Now, the *absolute value* of x ∈ K is defined by |x| := max(−x, x). The *triangle inequality*

$$|x+y| \le |x| + |y|\tag{14}$$

holds for ordered fields. As −|x|−|y| ≤ x+y ≤ |x|+|y|, we have |x+y|≤|x|+|y|, because x + y ≤ |x| + |y| and −(x + y) ≤ |x| + |y|.

Let K be an ordered field and a ∈ K \ {0} fixed. The scaled identity function $I_a(x) := ax$ is uniformly continuous in the order topology of K. For given $\varepsilon \in K^+$, let $\delta := \varepsilon / |a|$. Indeed, for all x, y ∈ K, |x − y| < δ implies |ax − ay| = |a| |x − y| < |a| δ = ε. Consequently, every polynomial in K is continuous.

A field K is orderable iff it is *formally real* (see [45], Chapter 11), that is, −1 is not a sum of squares, or alternatively, the equation $x_0^2 + \ldots + x_n^2 = 0$ has only trivial (that is, $x_k = 0$ for each k) solutions in K.

## **B Real Closed Fields**

A field K is a *real closed field* if it satisfies the following.


Alternatively, a field K is *real closed* if K is formally real, but has no formally real proper algebraic extension field.

Let K be a real closed totally ordered field and x ∈ K. Then x > 0 iff $x = y^2$ for some y ∈ K. Suppose x > 0; then, by definition of real closedness, there exists y ∈ K such that $x = y^2$. Conversely, suppose $x = y^2$ for some y ∈ K; then, by the definition of $K^+$, we have $y^2 \in K^+$ for all y ∈ K, and therefore x > 0. Thus every real closed field is ordered in a unique way.

Artin and Schreier's theorem gives us two equivalent conditions for a field K to be real closed: for a field K, the following are equivalent


3. K(i) is algebraically closed and K ≠ K(i) (where i denotes √−1).

This characterization provides the basis (see axioms 16 and 17 below) for a first-order axiomatization of (ordered) real closed fields. The language of ordered rings (and fields), Lor, consists of a binary relation symbol ≤, two binary operator symbols, +, ·, one unary operator symbol −, and two constant symbols 0, 1. Now, the first-order theory Trcf of ordered real closed fields consists of all Lor-structures M satisfying the following set of axioms.

*Field Axioms.*

1. (∀x, y, z) x · (y + z) = x · y + x · z
2. (∀x, y, z) x + (y + z) = (x + y) + z
3. (∀x, y, z) x · (y · z) = (x · y) · z
4. (∀x, y) x + y = y + x
5. (∀x, y) x · y = y · x
6. (∀x) x + 0 = x
7. (∀x) x + (−x) = 0
8. (∀x) x · 1 = x
9. (∀x) x ≠ 0 ⇒ (∃y) x · y = 1

*Total Ordering Axioms.*

10. (∀x) x ≤ x
11. (∀x, y, z) x ≤ y ∧ y ≤ z ⇒ x ≤ z
12. (∀x, y) x ≤ y ∧ y ≤ x ⇒ x = y
13. (∀x, y) x ≤ y ∨ y ≤ x
14. (∀x, y, z) x ≤ y ⇒ x + z ≤ y + z
15. (∀x, y) 0 ≤ x ∧ 0 ≤ y ⇒ 0 ≤ x · y

*Existence of Square Root.*

16. (∀x)(∃y) y · y = x ∨ y · y = −x

*Every polynomial of odd degree has a root.*

17. $(\forall a_0, \ldots, a_n)\, a_n \neq 0 \Rightarrow (\exists x)\, a_0 + a_1 \cdot x + \ldots + a_n \cdot x^n = 0$, for odd n ∈ N

If an Lor-structure M satisfies the axioms for ordered real closed fields above, then M is called a *model* of Trcf. Any model of Trcf is *elementarily equivalent* to the real numbers. In other words, it has the same first-order properties as the field of ordered reals.

# **References**


46. Weispfenning, V.: Quantifier elimination for real algebra-the quadratic case and beyond. Appl. Algebra Eng. Commun. Comput. **8**, 85–101 (1997)

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **What Is Decidable in Separation Logic Beyond Progress, Connectivity and Establishment?**

Tanguy Bozec¹, Nicolas Peltier¹, Quentin Petitjean²(B), and Mihaela Sighireanu²

¹ Univ. Grenoble Alpes, CNRS, LIG, 38000 Grenoble, France
² Univ. Paris-Saclay, CNRS, ENS Paris-Saclay, Laboratoire Méthodes Formelles, 91190 Gif-sur-Yvette, France
quentin.petitjean@ens-paris-saclay.fr

**Abstract.** The predicate definitions in Separation Logic (SL) play an important role: they capture a large spectrum of unbounded heap shapes due to their inductiveness. This expressiveness power comes with a limitation: the entailment problem is undecidable if predicates have general inductive definitions (ID). Iosif et al. [8] proposed syntactic and semantic conditions, called PCE, on the ID of predicates to ensure the decidability of the entailment problem. We provide a (possibly nonterminating) algorithm to transform arbitrary ID into equivalent PCE definitions when possible. We show that the existence of an equivalent PCE definition for a given ID is undecidable, but we identify necessary conditions that are decidable. The algorithm has been implemented, and experimental results are reported on a benchmark, including significant examples from SL-COMP.

**Keywords:** Separation logic · Inductive definitions · Bounded treewidth fragment · PCE fragment · Symbolic heaps · Decision procedures

# **1 Introduction**

Separation logic (SL) [9,11] is widely used in verification to reason about programs manipulating dynamically allocated memory. Formulas in SL are defined from atoms of the form *x* → (*y*₁, …, *y*ₖ), stating that location *x* (i.e., a memory address) is allocated and holds a memory block containing the tuple built from the values of *y*₁, …, *y*ₖ, and emp, stating that the heap is empty, i.e., that there are no allocated locations. SL includes the standard logical connectives and quantifiers, together with a special connective ϕ₁ ⋆ ϕ₂, called separating conjunction, asserting that the formulas ϕ₁ and ϕ₂ are satisfied on disjoint parts of the heap. This particular feature of the logic ensures the scalability of program analyses by enabling *local reasoning*: the properties of a program may be asserted and established by referring only to the part of the heap that is affected by the program. To specify recursive data structures, SL formulas include predicate atoms defined by inductive rules with a fixpoint semantics. For instance, list segments from *x* to *y* may be defined by the following rules:

This work has been partially funded by the French National Research Agency project ANR-21-CE48-0011.

$$\mathsf{ls}(x, y) \Leftarrow \mathsf{emp} \star x \approx y, \qquad \mathsf{ls}(x, y) \Leftarrow \exists z.\, (x \rightarrow (z) \star \mathsf{ls}(z, y)). \tag{1}$$

Many problems in verification boil down to checking the validity of entailments between formulas in SL. In general, unsurprisingly, entailment is undecidable. However, several fragments have been identified for which the entailment problem is decidable. Among these fragments, the so-called *PCE fragment* is one of the most expressive ones [8]. Decidability was initially established by reduction to monadic second-order logic on graphs with bounded treewidth. Later, more efficient algorithms were proposed [4,10], and the problem turned out to be 2-Exptime-complete [3]. The PCE fragment is defined by restricting the syntax and the semantics of the inductive rules defining the predicates. Each rule is required to satisfy three properties (formally defined later): (P)rogress, (C)onnectivity and (E)stablishment. Informally, the conditions respectively assert that: (P) every rule allocates *exactly* one location; (C) the allocated locations have a tree-shaped structure which mimics the call tree of the predicates, and (E) every location not associated with a free variable is (eventually) allocated. A PCE formula is a formula in which all predicates are defined by PCE rules. Most usual data structures in programming can be defined using PCE rules. However, the PCE conditions impose rigid constraints on the rules' syntax, which are not necessarily satisfied in practice by user-provided rules. For instance, the above rules of ls (Eq. (1)) are *not PCE* (because the first rule of ls allocates no location), while the following ones, although specifying non-empty list segments, are PCE:

$$\mathsf{ls}^{+}(x, y) \Leftarrow x \rightarrow (y), \qquad \mathsf{ls}^{+}(x, y) \Leftarrow \exists z.\, (x \rightarrow (z) \star \mathsf{ls}^{+}(z, y)). \tag{2}$$

The non-PCE formula ls(*x*, *y*) can then be written as a PCE formula (emp ⋆ *x* ≈ *y*) ∨ ls⁺(*x*, *y*). Other, rather natural, definitions of ls⁺ can be given, which are not PCE (the second rule of lsᵐ allocates no location, and the second rule of lsᵉ is not connected):

$$\mathsf{ls}^{m}(x, y) \Leftarrow x \rightarrow (y), \qquad \mathsf{ls}^{m}(x, y) \Leftarrow \exists z.\, (\mathsf{ls}^{m}(x, z) \star \mathsf{ls}^{m}(z, y)), \tag{3}$$

$$\mathsf{ls}^{e}(x, y) \Leftarrow x \rightarrow (y), \qquad \mathsf{ls}^{e}(x, y) \Leftarrow \exists z.\, (\mathsf{ls}^{e}(x, z) \star z \rightarrow (y)). \tag{4}$$

Similarly, the following definition of lists of odd length is not PCE:

$$\mathsf{ls}^{1}(x, y) \Leftarrow x \rightarrow (y), \qquad \mathsf{ls}^{1}(x, y) \Leftarrow \exists z_1, z_2.\, (x \rightarrow (z_1) \star z_1 \rightarrow (z_2) \star \mathsf{ls}^{1}(z_2, y)), \tag{5}$$

but it is clear that it can be transformed into a PCE definition by replacing the inductive rule (at right) with the following ones:

$$\mathsf{ls}^{1}(x, y) \Leftarrow \exists z_1.\, (x \rightarrow (z_1) \star \mathsf{ls}^{2}(z_1, y)), \qquad \mathsf{ls}^{2}(z_1, y) \Leftarrow \exists z_2.\, (z_1 \rightarrow (z_2) \star \mathsf{ls}^{1}(z_2, y)). \tag{6}$$

A natural question thus arises, which has not been investigated so far: can algorithms be provided to identify whether a formula can be rewritten into an equivalent PCE formula and to effectively compute such a formula (and the associated inductive rules) if possible? The present paper aims to address these issues.

*Contributions.* We first observe that the PCE problem — i.e., the problem of testing whether a given formula admits an equivalent PCE formula — is undecidable. The result follows from the undecidability of testing whether the language of a context-free grammar is regular. Then, we provide a procedure for transforming some formulas that do not satisfy the PCE conditions into equivalent PCE formulas. Equivalence is guaranteed in all cases, but the procedure does not always terminate. We also identify cases for which the formulas cannot possibly admit any equivalent PCE formula. More precisely, we identify a property called *PCE-compatibility*, which is strictly weaker than PCE, in the sense that any formula that is equivalent to a PCE formula is PCE-compatible, but the converse does not hold, and we prove that this property is decidable. To sum up, given a formula ϕ, the procedure may either terminate with a negative answer (if ϕ is not PCE-compatible), or terminate with a positive answer and output a PCE formula equivalent to ϕ, or diverge (if ϕ is PCE-compatible, but no equivalent PCE formula can be obtained).

To our knowledge, there is no published work on this topic. In [7], the authors proposed inductive definitions (ID, termed "recursive definitions" in [8]) with syntactic restrictions incomparable to PCE since they require linearity and compositionality of the ID to obtain decidability of the entailment problem. This class of ID (disregarding data constraints) may be translated by our procedure into PCE form, i.e., they are PCE-compatible. In [5], other decidable fragments of entailment problems are considered, which do not fulfil the PCE conditions but can be reduced to PCE entailment. Unlike the present approach, the reduction proposed in [5] does not preserve the equivalence of formulas. In [4], the establishment condition is replaced by a condition on the equalities occurring in the problem.

# **2 Separation Logic with Inductive Definitions**

We recall the definition of the syntax and semantics of SL with inductive definitions. Missing definitions, further explanations and examples can be found in [8]. We briefly review standard notations: card(*A*) denotes the cardinality of the set *A*, and *A* ⊎ *B* denotes the disjoint union of the sets *A* and *B*. The set {*x* ∈ ℤ | *i* ≤ *x* ≤ *j*} is denoted by ⟦*i*, *j*⟧. The domain of a function *f* is written dom(*f*). The equivalence class of an element *x* w.r.t. some equivalence relation ∼ is written [*x*]∼, and the set {[*x*]∼ | *x* ∈ *S*} is written *S*∼. The relation ∼ will sometimes be omitted if it is clear from the context. We often identify an equivalence relation with the set of its equivalence classes. For any binary relation →, we denote by →\* its reflexive and transitive closure. A set *R* is a set of *roots* for → if for all elements *x*, *y* such that *x* → *y*, there exists *r* ∈ *R* such that *r* →\* *x*. It is *minimal* if, moreover, there is no set of roots *R*′ such that *R*′ ⊂ *R* (where ⊂ denotes strict inclusion).

**Definition 1 (SL formulas).** *Let* V *be a countably infinite set of* variables*, and let* P *be a set of* spatial predicate symbols*, where each symbol p* ∈ P *is associated with a unique arity* #(*p*) *(with countably infinite sets of predicate symbols of each arity). The set of* SL-formulas *(or simply formulas)* ϕ *is inductively defined as follows:*

$$\phi := \mathsf{emp} \;\mid\; x \rightarrow (y_1, \dots, y_k) \;\mid\; x \approx y \;\mid\; x \not\approx y \;\mid\; \phi_1 \vee \phi_2 \;\mid\; \phi_1 \star \phi_2 \;\mid\; p(x_1, \dots, x_{\#(p)}) \;\mid\; \exists x.\, \phi_1$$

*where* ϕ₁, ϕ₂ *are formulas, p* ∈ P*, k* ∈ ℕ *and x*, *y*, *x*₁, …, *x*#(*p*), *y*₁, …, *y*ₖ ∈ V*.*

Note that negations are not supported. The considered fragment is similar to that of [4] (with disjunctions added), with the slight difference that points-to atoms *x* → (*y*₁, …, *y*ₖ) contain tuples of arbitrary length *k* ≥ 0. Let *fv*(ϕ) be the set of free variables in ϕ. A *substitution* σ is a function from variables to variables; its domain dom(σ) is the set of variables *x* such that σ(*x*) ≠ *x*, and its image is img(σ) = σ(dom(σ)). For any expression (variable, tuple or set of variables, or formula) *e*, we denote by *e*σ the expression obtained from *e* by replacing every free occurrence of a variable *x* by σ(*x*). A *symbolic heap* is a formula containing no occurrence of ∨. By distributivity of ⋆ and ∃ over ∨, any formula ϕ can be reduced to an equivalent disjunction of symbolic heaps, denoted by *dnf*(ϕ). An *inductive rule associated with the predicate p* has the form *p*(*x*₁, …, *x*ₙ) ⇐ ϕ, where *x*₁, …, *x*ₙ are pairwise distinct variables, *n* = #(*p*), and ϕ is a formula with *fv*(ϕ) ⊆ {*x*₁, …, *x*ₙ}. If ϕ is not a symbolic heap, then *p*(*x*₁, …, *x*ₙ) ⇐ ϕ may be replaced by the rules {*p*(*x*₁, …, *x*ₙ) ⇐ ϕᵢ | *i* ∈ ⟦1, *m*⟧}, where ϕ₁, …, ϕₘ are symbolic heaps such that ϕ₁ ∨ … ∨ ϕₘ is *dnf*(ϕ). We assume in the following that this transformation is applied eagerly to every rule. A *set of inductive definitions* (SID) R is a set of inductive rules such that, for every predicate *p*, R contains finitely many rules associated with *p*. We write *p*(*y*₁, …, *y*ₙ) ⇐R ψ if R contains a rule *p*(*x*₁, …, *x*ₙ) ⇐ ϕ with ψ = ϕ{*x*ᵢ → *y*ᵢ | *i* ∈ ⟦1, *n*⟧}.

**Definition 2 (SL structure).** *Let* L *be a countably infinite set of so-called* locations*. An SL-structure is a pair* (s, h) *where* s *is a* store*, i.e., a partial function from* V *to* L*, and* h *is a* heap*, i.e., a partial finite function from* L *to* L\**, which can be written as a relation:* h(ℓ) = (ℓ₁, …, ℓₖ) *iff* (ℓ, ℓ₁, …, ℓₖ) ∈ h*, k* ∈ ℕ*.*

For any heap h, we let *ref*(h) = {ℓ | ℓ₀ ∈ dom(h), ℓ occurs in h(ℓ₀)}, *loc*(h) = *ref*(h) ∪ dom(h) and *dgl*(h) = *loc*(h) ∖ dom(h) (for "dangling pointers"). Locations in dom(h) and variables *x* such that s(*x*) ∈ dom(h) are *allocated*. We write ℓ →h ℓ′ iff ℓ ∈ dom(h) and ℓ′ occurs in h(ℓ).

**Definition 3 (SL semantics).** *Given a formula* ϕ*, a SID* R *and a structure* (s, h) *with fv*(ϕ) ⊆ dom(s)*, the satisfaction relation* |=R *is inductively defined as the least relation such that* (s, h) |=R ϕ *iff one of the following conditions holds:*


*We write* ϕ |=R ψ *if for every structure* (s, h) *we have* (s, h) |=R ϕ ⟹ (s, h) |=R ψ*. If both* ϕ |=R ψ *and* ψ |=R ϕ *hold, then we write* ϕ ≡R ψ*.*

**Definition 4 (SL model).** *An* R-model *of* ϕ *is a structure* (s, h) *such that* (s, h) |=R ϕ*. Given two pairs* (ϕ, R) *and* (ϕ′, R′)*, where* ϕ, ϕ′ *are formulas and* R, R′ *are SID, we write* (ϕ, R) ≡ (ϕ′, R′) *iff* (s, h) |=R ϕ ⟺ (s, h) |=R′ ϕ′ *holds for all structures* (s, h)*.*

We emphasize that the atoms *x* ≈ *y* and *x* ≉ *y* only hold for empty heaps (this convention simplifies notations as it avoids the use of standard conjunction). Formulas are taken modulo the usual properties of SL connectives: associativity and commutativity of ⋆ and ∨, neutrality of emp for ⋆, commutativity of ≈ and ≉, and also modulo prenex form and α-renaming. We also assume that bound variables are renamed to avoid any name collision. Rules are defined up to a renaming of free variables.

## **3 The PCE Problem**

We now recall the conditions from [8], ensuring the decidability of the entailment problem.

**Definition 5 (PCE rule and SID).** *Let r be a function mapping every spatial predicate p* ∈ P *to an element of* ⟦1, #(*p*)⟧*. For any atom p*(*x*₁, …, *x*ₙ)*, the variable x*ᵣ₍ₚ₎ *is the* root *of p*(*x*₁, …, *x*ₙ)*, and the root of an atom x* → (*y*₁, …, *y*ₖ) *is x. A rule p*(*x*₁, …, *x*ₙ) ⇐ ϕ *is PCE w.r.t. some SID* R *if it is:*


*A SID* R *is PCE if every rule is PCE w.r.t.* R*. A formula* ϕ *is PCE if every predicate used in* ϕ *is defined by PCE rules.*

The problem we are investigating in the present paper is the following:

**Definition 6 (PCE problem).** *Given a pair* (ϕ, R)*, the* PCE problem *lies in deciding whether there exists a formula* ϕ′ *and a PCE SID* R′ *such that* (ϕ, R) ≡ (ϕ′, R′)*.*

Assuming that ϕ is atomic is sufficient (complex formulas may be introduced by inductive rules), but allowing ϕ to be non-atomic gives greater expressiveness. If one restricts oneself to list-shaped structures denoting words, then the PCE conditions essentially state that the set of denoted words is regular. This entails the following result, obtained by reduction from the regularity problem for context-free languages:

**Theorem 1.** *The PCE problem is undecidable.*

It may be observed that the structures (s, h) satisfying PCE pairs (ϕ,R) necessarily satisfy two essential properties. First, due to the connectivity condition, these structures necessarily admit a bounded number of roots, which correspond to locations assigned by s to (possibly quantified) variables occurring inside ϕ (at some root position in a predicate or points-to atom, as defined in Definition 5).

Structures with multiple roots are permitted (e.g., doubly linked lists), but due to the connectivity condition, if *x* is the root of an atom ϕ, then, for every model (s, h) of ϕ, the singleton {s(*x*)} is a set of roots for →h (i.e., all locations in *loc*(h) must be accessible from s(*x*)). Disjoint structures built in parallel (such as two lists with the same length) are not allowed¹. Second, these structures also admit a bounded number of "dangling pointers" (i.e., elements of *dgl*(h)), which again correspond (by s) to variables occurring in ϕ, since all the variables introduced by unfolding rules must be allocated due to the establishment property. The latter property turned out to be essential for decidability [6]. This yields the definition of a property called *PCE-compatibility*:

**Definition 7 (PCE-compatibility).** *Let k* ∈ ℕ*. A structure* (s, h) *is k*-PCE-compatible *if (i)* card(*dgl*(h)) ≤ *k and (ii) there exists a set of roots R for* →h *with* card(*R*) ≤ *k. A pair* (ϕ, R) *is k*-PCE-compatible *if every* R*-model of* ϕ *is k-PCE-compatible.*

**Proposition 1.** *Let* ϕ *be a formula, and* R *be a PCE SID. Every* R*-model* (s, h) *of* ϕ *is k-PCE-compatible, where k is the number of (free or bound) variables in* ϕ*.*
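Definition 7 is easy to make concrete on a finite structure. The following Python is an added example, not code from the paper: it computes *ref*, *loc* and *dgl* of a heap given as a dictionary, enumerates the minimal sets of roots of →h (one location per source strongly connected component of the allocation graph, which is why several minimal sets exist when the heap has cycles), and decides *k*-PCE-compatibility. The sample heaps, including the two disjoint lists of footnote 1 and a cyclic list, are constructed for illustration; locations are plain integers.

```python
"""k-PCE-compatibility of a finite SL-structure (Definition 7).

Added example, not code from the paper.  A heap h is a dict mapping each
allocated location to the tuple it stores; the store plays no role in the
two conditions of Definition 7, so it is omitted.  Sample heaps are
constructed for illustration.
"""
from itertools import product


def ref(h):
    """ref(h): locations occurring in some stored tuple."""
    return {l for tup in h.values() for l in tup}


def loc(h):
    """loc(h) = ref(h) union dom(h)."""
    return ref(h) | set(h)


def dgl(h):
    """Dangling pointers: referenced locations that are not allocated."""
    return loc(h) - set(h)


def reachable(h, start):
    """Locations l with start ->h* l (reflexive-transitive closure)."""
    seen, stack = set(), [start]
    while stack:
        l = stack.pop()
        if l in seen:
            continue
        seen.add(l)
        stack.extend(h.get(l, ()))
    return seen


def is_root_set(h, R):
    """R is a set of roots for ->h iff every location with an outgoing edge
    (i.e. every allocated location) is reachable from some r in R."""
    covered = set().union(*[reachable(h, r) for r in R])
    return set(h) <= covered


def minimal_root_sets(h):
    """All minimal sets of roots.  Every source SCC of the allocation graph
    must contain a root (nothing else reaches it) and one root per source SCC
    suffices, so the minimal sets are the choices of one location per source
    SCC.  Dangling locations have no outgoing edge and never need a root."""
    reach = {l: reachable(h, l) for l in h}
    sccs = []
    for l in h:
        if not any(l in s for s in sccs):
            sccs.append(frozenset(m for m in h if m in reach[l] and l in reach[m]))
    sources = [s for s in sccs
               if not any(next(iter(s)) in reach[m] for m in h if m not in s)]
    return [frozenset(choice) for choice in product(*sources)]


def k_pce_compatible(h, k):
    """Definition 7: at most k dangling pointers and a root set of size <= k.
    All minimal root sets have the same size, so inspecting one is enough."""
    R = minimal_root_sets(h)[0]
    return len(dgl(h)) <= k and len(R) <= k


# Constructed sample heaps.
LIST = {1: (2,), 2: (3,), 3: (4,)}                   # x=1 -> 2 -> 3 -> y=4 (4 dangling)
CYCLE = {1: (2,), 2: (1,)}                           # two-element cycle, no dangling pointer
TWO_LISTS = {1: (2,), 2: (0,), 10: (11,), 11: (0,)}  # two disjoint lists ending at nil=0

if __name__ == "__main__":
    for name, h in [("LIST", LIST), ("CYCLE", CYCLE), ("TWO_LISTS", TWO_LISTS)]:
        print(name, "dgl =", dgl(h), "minimal root sets =", minimal_root_sets(h),
              "1-PCE-compatible:", k_pce_compatible(h, 1))
```

The two disjoint lists need two roots, so the structure is 2-PCE-compatible but not 1-PCE-compatible, which is the structure-level counterpart of footnote 1; the cyclic heap has two minimal root sets, {1} and {2}, which is why root(*A*) in Sect. 5 is a set of sets rather than a single set.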

*Example 1.* Let us consider the formula ϕ = *p*(*x*, *y*) and the SID R₁ below. For readability, we employ the same variable names in predicate definitions and predicate calls to avoid introducing the renaming of variables:

$$\begin{aligned} p(x, y) &\Leftarrow \exists z.\, z \rightarrow (x, y), & q(y) &\Leftarrow \exists z, u, t.\, (y \rightarrow (z, t) \star r(z, u, t)), \\ p(x, y) &\Leftarrow x \rightarrow (y) \star q(y), & r(z, u, t) &\Leftarrow z \rightarrow (u) \star t \rightarrow (t). \end{aligned} \tag{7}$$

The SID R₁, and thus (ϕ, R₁), are not PCE. In the first rule for *p*, *z* is the root but not a free variable; the rule defining *q* is not established for the existential variable *u*; and the rule defining *r* does not respect the progress condition, as it has two points-to atoms.
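To make the three conditions concrete, here is an added Python checker (not the authors' implementation) that applies them rule by rule to the SIDs of Eqs. (1), (2), (5), (6) and (7). Since the formal statement of Definition 5 is not reproduced above, the conditions are encoded from their informal description in Sect. 1: (P) exactly one points-to atom, rooted at the predicate's root parameter; (C) every predicate atom of the body is rooted at a field of that points-to atom (modulo the rule's equalities); (E) every existential variable is allocated in every unfolding, computed as a greatest fixpoint over the parameter positions each predicate always allocates. Assumptions of the example: rules are already symbolic heaps, the root position r(*p*) is the first parameter of every predicate, and the rule encoding (`params`, `exists`, `pto`, `calls`, `eqs`) is this example's own.

```python
"""Syntactic PCE check of a set of inductive definitions (SID).

Added example, not code from the paper.  Conditions (P), (C), (E) follow
their informal statement in Sect. 1; the formal Definition 5 is in [8].
Assumptions: rules are symbolic heaps, the root of every predicate is its
first parameter, and 'eqs' lists the x ~ y atoms of the rule body.
"""
ROOT = 0  # assumed root position r(p) for every predicate


def eq_classes(rule):
    """Partition of the rule's variables induced by its equality atoms."""
    cls = {v: {v} for v in (*rule['params'], *rule['exists'])}
    for a, b in rule['eqs']:
        merged = cls[a] | cls[b]
        for v in merged:
            cls[v] = merged
    return cls


def allocated_vars(rule, alloc):
    """Variables allocated by one unfolding: points-to roots plus arguments
    passed at positions the callee always allocates, closed under equalities."""
    cls = eq_classes(rule)
    direct = {root for root, _ in rule['pto']}
    direct |= {args[i] for q, args in rule['calls'] for i in alloc.get(q, ())}
    return set().union(*[cls[v] for v in direct])


def always_allocated(sid):
    """Greatest fixpoint: alloc[p] = parameter positions of p allocated in
    every unfolding.  Start from all positions and drop those some rule
    fails to allocate until nothing changes."""
    alloc = {p: set(range(len(rules[0]['params']))) for p, rules in sid.items()}
    changed = True
    while changed:
        changed = False
        for p, rules in sid.items():
            keep = set(alloc[p])
            for rule in rules:
                got = allocated_vars(rule, alloc)
                keep &= {i for i, v in enumerate(rule['params']) if v in got}
            if keep != alloc[p]:
                alloc[p], changed = keep, True
    return alloc


def check_rule(rule, alloc):
    """Return the set of violated conditions among {'P', 'C', 'E'}."""
    failures = set()
    if len(rule['pto']) != 1 or rule['pto'][0][0] != rule['params'][ROOT]:
        failures.add('P')                      # progress: one points-to, rooted at x_r(p)
    cls = eq_classes(rule)
    fields = {f for _, fs in rule['pto'] for f in fs}
    for _, args in rule['calls']:
        if cls[args[ROOT]].isdisjoint(fields):
            failures.add('C')                  # connectivity: callee rooted at a field
    got = allocated_vars(rule, alloc)
    if any(v not in got for v in rule['exists']):
        failures.add('E')                      # establishment: existentials allocated
    return failures


def check_sid(sid):
    alloc = always_allocated(sid)
    return {p: [check_rule(r, alloc) for r in rules] for p, rules in sid.items()}


def is_pce(sid):
    return all(not f for fs in check_sid(sid).values() for f in fs)


def rule(pred, params, pto, calls=(), exists=(), eqs=()):
    """Rule p(params) <= exists. pto * calls * eqs, in this example's encoding."""
    return dict(pred=pred, params=params, pto=list(pto), calls=list(calls),
                exists=tuple(exists), eqs=list(eqs))


# Eq. (1): ls, whose first rule allocates nothing.
LS = {'ls': [rule('ls', ('x', 'y'), [], eqs=[('x', 'y')]),
             rule('ls', ('x', 'y'), [('x', ('z',))], [('ls', ('z', 'y'))], ('z',))]}
# Eq. (2): ls+, which is PCE.
LS_PLUS = {'ls+': [rule('ls+', ('x', 'y'), [('x', ('y',))]),
                   rule('ls+', ('x', 'y'), [('x', ('z',))], [('ls+', ('z', 'y'))], ('z',))]}
# Eq. (5): odd-length lists, two points-to atoms in the inductive rule.
LS_ODD = {'ls1': [rule('ls1', ('x', 'y'), [('x', ('y',))]),
                  rule('ls1', ('x', 'y'), [('x', ('z1',)), ('z1', ('z2',))],
                       [('ls1', ('z2', 'y'))], ('z1', 'z2'))]}
# Eq. (6): the same lists after splitting that rule with a new predicate ls2.
LS_ODD_PCE = {'ls1': [rule('ls1', ('x', 'y'), [('x', ('y',))]),
                      rule('ls1', ('x', 'y'), [('x', ('z1',))], [('ls2', ('z1', 'y'))], ('z1',))],
              'ls2': [rule('ls2', ('z1', 'y'), [('z1', ('z2',))], [('ls1', ('z2', 'y'))], ('z2',))]}
# Eq. (7): the SID R1 of Example 1.
R1 = {'p': [rule('p', ('x', 'y'), [('z', ('x', 'y'))], exists=('z',)),
            rule('p', ('x', 'y'), [('x', ('y',))], [('q', ('y',))])],
      'q': [rule('q', ('y',), [('y', ('z', 't'))], [('r', ('z', 'u', 't'))], ('z', 'u', 't'))],
      'r': [rule('r', ('z', 'u', 't'), [('z', ('u',)), ('t', ('t',))])]}

if __name__ == '__main__':
    for name, sid in [('ls', LS), ('ls+', LS_PLUS), ('ls1', LS_ODD),
                      ('ls1/ls2', LS_ODD_PCE), ('R1', R1)]:
        print(name, 'PCE' if is_pce(sid) else 'not PCE', check_sid(sid))
```

On R₁ the checker reports exactly the three defects listed in Example 1: `{'P'}` for the first rule of *p*, `{'E'}` for *q* (the fixpoint finds that *r* always allocates its first and third parameters but never *u*), and `{'P'}` for *r*; the rewriting of Eq. (5) into Eq. (6) turns the single `{'P'}` failure into a PCE SID.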

# **4 Overview of Our Procedure**

The (nonterminating) algorithm for transforming a pair (Φ,R) into an equivalent PCE pair is divided into four main steps (from now on, we denote the target formula by Φ, whereas the meta-variable ϕ is reserved for formulas occurring in inductive rules).

**Step 1:** We compute abstractions of the models of Φ (and of all relevant predicate atoms). The aim is to extract relevant information about the constraints satisfied by these models concerning (dis)equalities, heap reachability and allocated locations. The abstractions are constructed over a set of variables that includes the variables freely occurring in the formulas, together with some additional variables — the so-called *invisible variables* — that correspond to existential variables that either occur in Φ or are introduced by unfolding inductive rules. The usefulness of invisible variables will be demonstrated later. The computation does not terminate in general, as the set of abstractions is infinite (due to the presence of invisible variables). However, we prove that the computation terminates exactly when the considered formula is *k*-PCE-compatible (for some *k* ∈ ℕ). Furthermore, we introduce a technique — the so-called *ISIV* condition — to detect when the formula is not *k*-PCE-compatible during the computation of the abstractions. This ensures termination in all cases and also proves that the problem of deciding whether a given pair is *k*-PCE-compatible, for some *k*, is decidable. This step is detailed in Sect. 5.

¹ Indeed, to satisfy the connectivity condition the two lists must be defined in distinct atoms (as they are not connected). But then it is impossible to ensure that they have the same number of elements.

**Step 2:** We transform the set of rules in order to ensure that every predicate is associated with a unique abstraction, in which all invisible variables are replaced by visible ones. This step always terminates. It adds some combinatorial explosion that could be reduced by a smart transformation, but it greatly simplifies the technical developments. This step is detailed in Sect. 6.

**Step 3:** We apply some transformations on the SID to ensure that every abstraction admits exactly one root. This step may fail in the case where the structures described by the rules do not have this property. See Sect. 7.

**Step 4:** We recursively transform any rule *p*(*x⃗*) ⇐ ϕ into a PCE rule by decomposing ϕ into a separating conjunction *y* → (*z*₁, …, *z*ₖ) ⋆ ϕ₁ ⋆ ··· ⋆ ϕₖ where *y* is the root of the structure and every ϕᵢ encodes a structure of root *z*ᵢ. Each of these formulas ϕᵢ may then be associated with fresh predicate atoms if needed. The process is repeated until one gets a fixpoint. Equivalence is always preserved, but termination is not guaranteed. This step is detailed in Sect. 8.

Before describing all these steps, we wish to convey some general explanations about the difficulties that arise when one tries to enforce each condition in Definition 5.

**The progress condition** can often be enforced by introducing additional predicates to ensure that each rule allocates exactly one location. For instance, the definition of lists of odd length in Eq. (5) is not PCE, but it can be transformed into a PCE definition by replacing the inductive rule (at right) with the two inductive rules given in Eq. (6) (introducing a new predicate ls²(*x*, *y*)). The key point is that the root of the structure must be associated with a parameter of the predicate, which sometimes requires the addition of new existential variables in the formula. For instance, the formula *p*(*x*) with *p*(*x*) ⇐ ∃*y*. *y* → (*x*) will be written ∃*y*. *p*′(*x*, *y*) with *p*′(*x*, *y*) ⇐ *y* → (*x*). The set of roots is computed in Step 1 above, and invisible roots (like *y* in the above example) are made visible during Step 2. Note that this technique is applicable only if the number of such roots is bounded; the ISIV condition will ensure that this constraint is satisfied.

**The connectivity condition** is enforced by using the abstract reachability relation computed during Step 1 to identify the predicate atoms that do not satisfy this condition and by modifying the rules to delay the call to these predicates until the connectivity condition is satisfied. For instance, the first rule below is modified into the second one:

$$q(x) \Leftarrow \exists y_1, y_2, y_3.\, (x \rightarrow (y_1, y_2) \star \mathsf{ls}^{+}(y_1, y_3) \star \mathsf{ls}^{+}(y_3, y_3) \star \mathsf{ls}^{+}(y_2, y_2)), \tag{8}$$

$$q(x) \Leftarrow \exists y_1, y_2, y_3.\, (x \rightarrow (y_1, y_2) \star q'(y_1, y_3) \star \mathsf{ls}^{+}(y_2, y_2)), \tag{9}$$

where *q*′(*y*₁, *y*₃) is defined similarly to ls⁺(*y*₁, *y*₃) in Eq. (2), except for the first rule:

$$q'(y_1, y_3) \Leftarrow y_1 \rightarrow (y_3) \star \mathsf{ls}^{+}(y_3, y_3), \qquad q'(y_1, y_3) \Leftarrow \exists z.\, (y_1 \rightarrow (z) \star q'(z, y_3)). \tag{10}$$

**The establishment condition** may be enforced in two ways. If the considered existential variable only occurs in pure atoms (disequalities or equalities), then it can be eliminated using usual quantifier elimination techniques. For instance, the predicate *r*(*x*) ⇐ ∃*y*. *x* → () ⋆ *x* ≉ *y* can be reduced to *r*(*x*) ⇐ *x* → (), since a location *y* distinct from *x* always exists (recall that the equational atom *x* ≉ *y* only holds for empty heaps). Otherwise, one must collect the set of all variables that are reachable but not allocated and associate them with new existential variables in ϕ (and parameters of predicates). For instance, the formula *r*′(*x*) with *r*′(*x*) ⇐ ∃*y*. *x* → (*y*) is transformed into ∃*y*. *r*(*x*, *y*) with *r*(*x*, *y*) ⇐ *x* → (*y*). These variables correspond to invisible variables computed during Step 1 and transformed into visible variables in Step 2. Again, the ISIV condition ensures that the number of such variables is bounded.

# **5 Abstracting Models and Formulas**

We formalize the notion of abstraction that summarizes the main features (locations defined and allocated, reachability, etc.) of models and SL-formulas. Then, we define two relations between abstractions and SL-structures. Finally, we define the abstraction process for a formula, i.e., how we attach a set of abstractions to an SL-formula.

**Definition 8 (Abstraction).** *An* abstraction *is a tuple A* = ⟨*V*, ∼, ≁, *Vv*, *Va*, *h*, ⇝⟩*, where: (i) V is a set of variables and* ∼ *is an equivalence relation on V; (ii)* ≁ *(disequality relation) is a symmetric and irreflexive binary relation on V; (iii) Vv* ⊆ *V is a finite set of variables called* visible variables*; (iv) Va* ⊆ *V*∼ *is a subset of classes of variables called* allocated variables*; (v) h* : *Va* → *V*∼\* *is a partial* heap mapping *which associates a tuple of classes of variables of arbitrary size to some class of allocated variables; (vi)* ⇝ ⊆ *V* × *V is a* reachability relation*, i.e., a relation such that* ∀ [*x*] ∈ *Va and* ∀ [*y*] ∈ *h*([*x*])*,* ([*x*], [*y*]) ∈ ⇝*. The set of all abstractions is denoted by* A*. We designate the components of an abstraction A using the dotted notation A*•*V, A*•*Vv, etc. The set of* invisible variables *of A is A*•*Vinv* = *A*•*V* ∖ *A*•*Vv.*

Abstractions are taken modulo renaming of invisible variables: two abstractions *A*₁ and *A*₂ are considered equal, denoted *A*₁ = *A*₂, if there exists a renaming σ of invisible variables such that *A*₁ = *A*₂σ.

**Fig. 1.** Examples of abstractions.

*Example 2.* Figure 1 graphically represents three abstractions denoted *A*ᵖ₁, *A*ʳ₁ and *A*ᵠ₁. Equivalence classes are represented by circles and are labelled by variable names. Allocated classes are filled grey; invisible variables are prefixed with ∃, and the brackets [ ] are omitted. Disequalities are represented with dashed lines, while the heap and reachability relations are represented with thick resp. snaked arrows.

An SL-structure is a model of an abstraction if its store is *coherent* with the abstraction (i.e., it maps equal variables to the same location and disequal variables to different locations) and its heap contains at least all the reachability relations of the abstraction. However, the model may contain more allocated locations and paths between locations. On the other hand, an abstraction of an SL-structure captures *exactly* the visibility of variables in the store, the equivalence between variables and the reachability of locations in the heap; it abstracts the paths between locations labelled by (visible or invisible) variables and going through locations not labelled by some variable.

**Definition 9 (Model and Abstraction).** *A structure* (s, h) *is a* model *of an abstraction A, denoted by* (s, h) |= *A, if there exists a functional extension* ṡ *of* s *satisfying the following conditions: (i)* dom(ṡ) = *A*•*V and* dom(s) = *A*•*Vv; (ii) if* (*x*, *y*) ∈ *A*•∼ *then* ṡ(*x*) = ṡ(*y*)*; (iii) if* ([*x*], [*y*]) ∈ *A*•≁ *then* ṡ(*x*) ≠ ṡ(*y*)*; (iv) for all x* ∈ *A*•*V, if* [*x*] ∈ *A*•*Va then* ṡ(*x*) ∈ dom(h)*; (v) for all* [*x*] ∈ *A*•*Va, if A*•*h*([*x*]) = ([*y*₁], …, [*y*ₖ]) *then* h(ṡ(*x*)) = (ṡ(*y*₁), …, ṡ(*y*ₖ))*; (vi) for all x*, *y* ∈ *V, if* ([*x*], [*y*]) ∈ *A*•⇝ *then there exists a path* ℓ₀ →h ··· →h ℓₙ *in* h *such that* ℓ₀ = ṡ(*x*)*,* ℓₙ = ṡ(*y*) *and* {ℓ₁, …, ℓₙ₋₁} ∩ img(ṡ) = ∅*. If* (s, h) |= *A and the converses of Items (ii), (iii) and (vi) hold, then A* is an abstraction of (s, h)*. The set of all abstractions of* (s, h) *is denoted by* abs(s, h)*.*

*Example 3.* Consider the structure (s₁, h₁) defined over the set of variables {*x*, *y*} with s₁(*x*) = ℓ₁, s₁(*y*) = ℓ₂ ≠ ℓ₁, h₁(ℓ₀) = (ℓ₁, ℓ₂). *A*ᵖ₁ from Fig. 1 is an abstraction of (s₁, h₁) for ṡ₁(*z*) = ℓ₀. Moreover, *A*ᵖ₁ has as model (s₂, h₂) with s₂(*x*) = s₂(*y*) = ℓ₁, h₂(ℓ₀) = (ℓ₁, ℓ₁).
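The two relations of Definition 9 can be checked mechanically on small structures, which makes the difference between "model of" and "abstraction of" tangible. The Python below is an added example, not the paper's code: an abstraction is a small dataclass whose equivalence classes are frozensets of variable names, the invisible variables are bound by brute-force search over the locations of h plus one fresh location (sufficient for the finite structures used here, and an assumption of this example), and `is_abstraction_of` additionally checks the converses of (ii), (iii) and (vi). The abstraction `A0` is built for the first rule of *p* in Eq. (7), in the spirit of Example 3 but constructed here rather than copied from Fig. 1; `A1` adds pairwise disequalities; the three structures are constructed as well.

```python
"""Model and abstraction relations of Definition 9.

Added example, not the paper's code.  An abstraction <V, ~, ~/, Vv, Va, h, ~>>
is a dataclass; classes are frozensets of variable names and the heap mapping
and reachability are stated on classes.  Invisible variables are bound by
brute-force search over loc(h) plus one fresh location (an assumption that
suffices for finite structures).  Abstractions and structures below are
constructed for illustration, not copied from Fig. 1.
"""
from dataclasses import dataclass, replace
from itertools import product


@dataclass
class Abstraction:
    V: frozenset        # all variables
    eq: frozenset       # equivalence classes partitioning V
    neq: frozenset      # unordered pairs {c, d} of classes that must differ
    Vv: frozenset       # visible variables
    Va: frozenset       # allocated classes
    h: dict             # allocated class -> tuple of classes
    reach: frozenset    # ordered pairs (c, d) of classes

    def cls(self, x):
        return next(c for c in self.eq if x in c)


def path_avoiding(h, start, end, forbidden):
    """Is there a path start ->h ... ->h end of at least one step whose
    intermediate locations all lie outside `forbidden`?  (Condition (vi).)"""
    stack, seen = list(h.get(start, ())), set()
    while stack:
        l = stack.pop()
        if l == end:
            return True
        if l in seen or l in forbidden:
            continue
        seen.add(l)
        stack.extend(h.get(l, ()))
    return False


def satisfies(A, s, h, sd):
    """Conditions (i)-(vi) of Definition 9 for one extension sd of s."""
    rep = lambda c: sd[next(iter(c))]                      # location of a class under sd
    if set(sd) != set(A.V) or set(s) != set(A.Vv):         # (i)
        return False
    if any(sd[x] != sd[y] for c in A.eq for x in c for y in c):   # (ii)
        return False
    if any(rep(c) == rep(d) for c, d in A.neq):            # (iii)
        return False
    if any(rep(c) not in h for c in A.Va):                 # (iv)
        return False
    if any(h.get(rep(c)) != tuple(rep(d) for d in tup) for c, tup in A.h.items()):  # (v)
        return False
    img = set(sd.values())
    return all(path_avoiding(h, rep(c), rep(d), img) for c, d in A.reach)    # (vi)


def extensions(A, s, h):
    """All extensions of s to the invisible variables of A."""
    locs = set(h) | {l for t in h.values() for l in t} | set(s.values())
    fresh = max(locs, default=0) + 1
    inv = sorted(A.V - A.Vv)
    for choice in product(sorted(locs | {fresh}), repeat=len(inv)):
        yield {**s, **dict(zip(inv, choice))}


def is_model(A, s, h):
    return any(satisfies(A, s, h, sd) for sd in extensions(A, s, h))


def is_abstraction_of(A, s, h):
    """(s, h) |= A with a witness for which the converses of (ii), (iii) and
    (vi) also hold: A records exactly the (in)equalities of labelled
    locations and the reachability between them."""
    for sd in extensions(A, s, h):
        if not satisfies(A, s, h, sd):
            continue
        img = set(sd.values())
        pairs = [(x, y) for x in A.V for y in A.V if x != y]
        conv_ii = all(A.cls(x) == A.cls(y) for x, y in pairs if sd[x] == sd[y])
        conv_iii = all(frozenset({A.cls(x), A.cls(y)}) in A.neq
                       for x, y in pairs if sd[x] != sd[y])
        conv_vi = all((A.cls(x), A.cls(y)) in A.reach for x in A.V for y in A.V
                      if path_avoiding(h, sd[x], sd[y], img))
        if conv_ii and conv_iii and conv_vi:
            return True
    return False


X, Y, Z = frozenset({'x'}), frozenset({'y'}), frozenset({'z'})
# Constructed abstraction for p(x, y) <= exists z. z -> (x, y): z invisible and allocated.
A0 = Abstraction(V=frozenset('xyz'), eq=frozenset({X, Y, Z}), neq=frozenset(),
                 Vv=frozenset('xy'), Va=frozenset({Z}), h={Z: (X, Y)},
                 reach=frozenset({(Z, X), (Z, Y)}))
# Same, but recording that x, y and z are pairwise distinct.
A1 = replace(A0, neq=frozenset({frozenset({X, Y}), frozenset({X, Z}), frozenset({Y, Z})}))
# Constructed structures (store, heap); locations are integers.
S1 = ({'x': 1, 'y': 2}, {0: (1, 2)})            # x, y distinct, z must be 0
S2 = ({'x': 1, 'y': 1}, {0: (1, 1)})            # x = y
S3 = ({'x': 1, 'y': 2}, {0: (1, 2), 1: (5,)})   # an extra allocated location at x

if __name__ == '__main__':
    for name, A in [('A0', A0), ('A1', A1)]:
        for sname, (s, h) in [('S1', S1), ('S2', S2), ('S3', S3)]:
            print(name, sname, 'model:', is_model(A, s,  h),
                  'abstraction of:', is_abstraction_of(A, s, h))
```

`A0` is a model-level description of both `S1` and `S2`, but it is an abstraction of neither, because it does not record that the locations of *x* and *y* differ in `S1`; `A1` is an abstraction of `S1` and no longer admits `S2`. `S3` shows the remark made before Definition 9: a model may allocate more locations than the abstraction mentions.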

The following operations on abstractions are used in our abstraction process.

**Definition 10 (Pure abstractions).** *The* empty abstraction*, denoted A*emp*, has all its components empty sets. Let V*₀ *be a set of variables. The* abstraction of equalities *over V*₀*, denoted A*≈(*V*₀)*, is* ⟨*V*₀, {*V*₀}, ∅, *V*₀, ∅, ∅, ∅⟩*, i.e., all variables are visible and in the same equivalence class. The* abstraction of disequalities *over V*₀ *is A*≉(*V*₀) = ⟨*V*₀, Id*V*₀, *V*₀² ∖ Id*V*₀, *V*₀, ∅, ∅, ∅⟩*, i.e., all variables are visible and pairwise distinct, and none is allocated.*

Note that we identify equivalence relations with the set of their equivalence classes so that {*V*0} denotes the relation {(*x*, *y*) | *x*, *y* ∈ *V*0}.

**Definition 11 (Quantified abstractions).** *Let V*₀ ⊆ *A*•*V be a set of variables. The* hiding of *V*₀ in *A, denoted by A*∃(*V*₀)*, is the abstraction having the same components as A except the set of visible variables, i.e., A*∃(*V*₀)•*Vv* = *A*•*Vv* ∖ *V*₀*.*

**Definition 12 (Separated abstractions).** *Let A*₁ *and A*₂ *be two abstractions; w.l.o.g., we consider that A*₁•*Vinv* ∩ *A*₂•*Vinv* = ∅*, i.e., the sets of invisible variables are disjoint (modulo renaming). Let V* = *A*₁•*V* ∪ *A*₂•*V and let* ∼ *be the equivalence relation over V defined by the transitive closure of A*₁•∼ ∪ *A*₂•∼*. Consider now the relation* ≁ *over V*∼ *(the set of equivalence classes of* ∼*) defined by the symmetric closure of the relation* {([*x*]∼, [*y*]∼) | *x*, *y* ∈ *V*, ([*x*]*A*ᵢ•∼, [*y*]*A*ᵢ•∼) ∈ *A*ᵢ•≁, *i* ∈ {1, 2}} ∪ {([*x*₁]∼, [*x*₂]∼) | *x*ᵢ ∈ *V*, [*x*ᵢ]*A*ᵢ•∼ ∈ *A*ᵢ•*Va*, *i* ∈ {1, 2}}*. If* ≁ *is irreflexive, then A*₁ *and A*₂ *are* separated*.*

**Definition 13 (Separating abstractions).** *The* separating composition *A*₁ ⋆ *A*₂ *of two separated abstractions A*₁ *and A*₂ *is the abstraction A such that (with V,* ∼ *and* ≁ *as in Definition 12):*

$$\begin{aligned}
&-\; A{\bullet}V = V;\quad A{\bullet}{\sim} = {\sim};\quad A{\bullet}{\not\sim} = {\not\sim};\\
&-\; A{\bullet}V_v = A_1{\bullet}V_v \cup A_2{\bullet}V_v;\\
&-\; A{\bullet}V_a = \{[x]_{\sim} \mid [x]_{A_i\bullet\sim} \in A_i{\bullet}V_a,\ i \in \{1,2\}\};\\
&-\; A{\bullet}h = \{[x]_{\sim} \mapsto ([y_1]_{\sim}, \dots, [y_n]_{\sim}) \mid A_i{\bullet}h([x]_{A_i\bullet\sim}) = ([y_1]_{A_i\bullet\sim}, \dots, [y_n]_{A_i\bullet\sim}),\ i \in \{1,2\}\};\\
&-\; A{\bullet}{\leadsto} = \{([x]_{\sim}, [y]_{\sim}) \mid ([x]_{A_i\bullet\sim}, [y]_{A_i\bullet\sim}) \in A_i{\bullet}{\leadsto}
\end{aligned}$$

The following definitions are used to build the reachability relation in abstractions by replacing chains [*x*₀] → [*x*₁] → … → [*x*ₙ₋₁] → [*x*ₙ] related by *A*•*h* with the tuple ([*x*₀], [*x*ₙ]) in *A*•⇝ if the variables *x*ᵢ with *i* ∈ ⟦1, *n* − 1⟧ are not "special" for *A*.

**Definition 14 (Roots).** *The* roots of an abstraction *A,* root(*A*)*, is the set of minimal sets of roots of A*•⇝*. We denote by x* ∈∀ root(*A*) *or* [*x*] ∈∀ root(*A*) *that* [*x*] *belongs to all sets in* root(*A*) *and by x* ∈∃ root(*A*) *or* [*x*] ∈∃ root(*A*) *that* [*x*] *belongs to at least one set in* root(*A*)*.*

As *A*•⇝ may contain cycles, roots are not uniquely defined. However, the algorithm for computing abstractions will ensure that root(*A*) is always non-empty.

**Definition 15 (Special and persistent variables).** *A variable x* ∈ *A*•*V*inv *is* special *if its equivalence class is a singleton and it satisfies one of the following conditions: (i) x* ∈∀ root(*A*)*, i.e., x occurs in all sets of roots of A; (ii)* [*x*] ∉ *A*•*V*a*, i.e., x is not allocated, and there exists y* ∈ *A*•*V*a *such that* ([*y*], [*x*]) ∈ *A*•⇝*, i.e., x is reachable from an allocated variable; (iii) there exists y* ∈ *A*•*V*v *such that y* ∈∃ root(*A*) *and* [*x*] ∈ *A*•*h*([*y*])*, i.e., x is pointed to by a possible root that is visible; (iv) there exists y* ∈ *A*•*V*a *such that y* ∈∀ root(*A*) *and* [*x*] ∈ *A*•*h*([*y*])*, i.e., x is pointed to by a necessary root that is visible or invisible. An invisible variable is* persistent *if it satisfies item (i) or item (ii) above. The set of persistent variables is denoted by A*•*V*per*.*

*Example 4.* Abstractions $A^p_1$ and $A^q_1$ in Fig. 1 have a singleton set of roots built from one class: root($A^p_1$) = {{[*z*]}} and root($A^q_1$) = {{[*y*]}}, while $A^r_1$ has a unique set of roots, but one containing two classes: root($A^r_1$) = {{[*z*], [*t*]}}. The variable *z* is not visible in $A^p_1$, but it is special and persistent since it fulfils condition (i) of Definition 15. All the variables in $A^q_1$ are special, but only *y* and *u* are persistent.

**Definition 16 (Disconnected variable).** *A variable x* ∈ *A*•*V*v *is* disconnected *if it satisfies the following two conditions: (1)* [*x*] ∉ *A*•*V*a*, i.e., x is not allocated; and (2) for all y* ∈ *A*•*V*a*,* ([*y*], [*x*]) ∉ *A*•⇝*, i.e., x is not pointed to by an allocated variable.*

If a variable is disconnected, any variable in its equivalence class is also disconnected. Moreover, a disconnected variable cannot be special. For any equivalence relation ≡, we denote by ≡ − *x* the restriction of ≡ to the elements distinct from *x*. Similarly, *S* − *x* denotes the set {*y* | *y* ∈ *S*, *y* ≠ *x*}, and for any relation → on equivalence classes of ≡, → − *x* is the corresponding relation on equivalence classes of ≡ − *x*.

**Definition 17 (Deletion of variables not special).** *Let A be an abstraction and x* ∈ *A*•*V*inv *a variable that is not special. We define* rem(*A*, *x*)*, the abstraction obtained by deleting x from A, as* $A_{\mathrm{rem}} = (A{\bullet}V - \{x\},\ A{\bullet}{\equiv} - x,\ A{\bullet}{\not\approx} - x,\ A{\bullet}V_v,\ A{\bullet}V_a - x,\ A{\bullet}h - x,\ {\leadsto} - x)$ *with* ${\leadsto} = \{([y], [z]) \mid [y], [z] \in A{\bullet}V \wedge ([y], [x]) \in A{\bullet}{\leadsto} \wedge ([x], [z]) \in A{\bullet}{\leadsto}\} \cup A{\bullet}{\leadsto}$*. We denote by* rem(*A*) *the abstraction obtained by removing all variables not special in A.*

**Definition 18 (Set of abstractions of a symbolic heap).** *Let* ϕ *be a symbolic heap formula of SL. The set of abstractions of a formula* ϕ*, denoted* abs(ϕ)*, is inductively constructed using the rules in Tab. 1.*

*Example 5.* Consider the pair (ϕ,R) introduced in Example 1. The abstractions of ϕ are built by first building the abstractions of the predicates *r*(*z*, *u*, *t*) and then *q*(*y*) (which calls *r*), defined by the rules in Eq. (7). Then ϕ = *p*(*x*, *y*) has two abstractions. The first is $A^p_1$ from Fig. 1, obtained from the non-recursive rule of *p*. The second is $A^p_2$ in Fig. 2, obtained from $A_2$ by removing the variables *z* and *t* using the procedure of Definition 17, because they are not special. The abstraction $A_2$ is obtained by applying the rule [Sep] to $A^q_1$ in Fig. 1, which is an abstraction of *q*(*y*), and to the abstraction obtained by the rule [Pto] for *x* → (*y*).

**Fig. 2.** Abstraction *A*<sup>2</sup>

Given *A* ∈ abs(ϕ), we consider the implicit tree of construction of *A* using rules in Definition 18: every node of this tree is an abstraction created by one of the rules [Ex], [Pred] and [Sep], and every leaf is an abstraction of an atomic formula. Therefore, every node of this tree is associated with a formula, which is a sub-formula of an unfolding of ϕ.

**Table 1.** Computing Abstractions of a Symbolic Heap Formula

**Definition 19 (Condition "Infinite Set of Invisible Variables" (ISIV)).** *The abstraction A* ∈ abs(*p*(*x*1,..., *x*n)) *satisfies the condition ISIV if there exists an abstraction A′ in the construction tree of A such that:*


Intuitively, the condition asserts that a "loop" exists in the unfolding tree of *p*, where persistent variables are introduced inside the loop. As one can go through the loop an arbitrary number of times, this entails that some branch exists with an unbounded number of persistent variables, which in turn entails that non-*k*-PCE-compatible models exist. If this condition is satisfied by one abstraction built during this step, the algorithm fails. The following theorem states that the algorithm is correct and complete:

**Theorem 2.** *Let* ϕ *be a formula and let* R *be an SID. We suppose that the construction of abstractions terminates without failing. If A* ∈ abs(ϕ)*, then there exists a model* (s, h) *of* ϕ *such that A is an abstraction of* (s, h)*. Moreover, if* ϕ *admits a model* (s, h)*, then there exists an abstraction A of* ϕ *such that* (s, h) |= *A.*

We also show that the algorithm terminates, provided the ISIV condition is used to dismiss pairs (ϕ,R) that are not *k*-PCE-compatible (thus that cannot admit any equivalent PCE pair, by Proposition 1):

**Theorem 3.** *Let* ϕ *be a formula and let* R *be an SID. If there exists k* ∈ ℕ *such that* (ϕ,R) *is k-PCE-compatible, then the computation of* abs(ϕ) *terminates without failure (hence the ISIV condition is never fulfilled). Otherwise, the ISIV condition eventually applies during the computation of* abs(ϕ)*. Consequently, the problem of testing whether* (ϕ,R) *is k-PCE-compatible for some k* ∈ ℕ *is decidable.*

## **6 Predicates with Exactly One Abstraction**

We describe an algorithm reducing any pair (Φ,R) into an equivalent pair (Φ†,R†) such that every predicate atom admits exactly one abstraction with no invisible variables. We also get rid of some existential variables when possible. The eventual goal is to ensure that the rules obtained are established (in the sense of Definition 5). We need to introduce some definitions and notations. A *disconnected set* for an *n*-ary predicate *p* and an abstraction *A* ∈ abs(*p*(*x*1,..., *x*n)) is any subset *I* of {1,..., *n*} such that all variables *x*i for *i* ∈ *I* are disconnected in *A*. Let R be an SID. Let *x*1,..., *x*n,... be an infinite sequence of pairwise distinct variables, which will be used to denote the formal parameters of the predicates. For each *n*-ary predicate *p* occurring in R, for each abstraction *A* ∈ abs(*p*(*x*1,..., *x*n)) and for all disconnected sets *I* for *p*, *A*, we introduce a fresh predicate $p^A_I$, of arity *n* + *m* − card(*I*), where *m* = card(*A*•*V*inv). Intuitively, $p^A_I$ will denote some "projection" of the structures corresponding to the abstraction *A*. The additional arguments will denote the invisible variables. The removed arguments correspond to disconnected variables.

*Example 6.* The predicate *p*, defined by the rules on the left in Example 1, has two abstractions (one per rule), $A^p_1$ and $A^p_2$, where all roots are connected. In the same example, the predicates *q* and *r* have only one abstraction each. For all these predicates, the sets *I* are always ∅.

The rules associated with $p^A_I$ are obtained from those associated with *p* as follows. For every formula ϕ such that *p*(*x*1,..., *x*n) ⇐R ϕ, where ϕ is of the form $\exists \vec{y}.\ (q_1(\vec{u}_1) \ast \dots \ast q_k(\vec{u}_k) \ast \varphi')$ and ϕ′ contains no predicate symbol, and for all abstractions *A*i ∈ abs(*q*i(*x*1,..., *x*#(*q*i))) (for *i* ∈ ⟦1, *k*⟧), we add the rule:

$$p^{A}_{I}(\vec{s}, x'_1, \dots, x'_m) \Leftarrow \exists \vec{z}.\ \big(q^{A_1}_{1\,J_1}(\vec{t}_1, \vec{v}_1) \ast \dots \ast q^{A_k}_{k\,J_k}(\vec{t}_k, \vec{v}_k) \ast \varphi''\big)\sigma \tag{11}$$

if all the following conditions hold:


The obtained set of rules is denoted by R†. It is clear that R† is finite (up to α-renaming) if R is finite and abs(*p*(*x*1,..., *x*n)) is finite for all *n*-ary predicates *p* in R.

*Example 7.* The new rules for *p*, *q*, and *r* defined in the SID R1 of Ex. 1 are given below (the disequality *u* ≉ *t* in the rule of *r* is what makes [*z*] and [*t*] two distinct roots of $A^r_1$, as stated in Example 4):

$$\begin{aligned}
p^{A^p_1}_{\emptyset}(x, y, z) &\Leftarrow z \to (x, y), & p^{A^p_2}_{\emptyset}(x, y, u) &\Leftarrow \exists z, t.\ (x \to (y) \ast q^{A^q_1}_{\emptyset}(y, z, t, u)),\\
q^{A^q_1}_{\emptyset}(y, z, t, u) &\Leftarrow y \to (z, t) \ast r^{A^r_1}_{\emptyset}(z, t, u), & r^{A^r_1}_{\emptyset}(z, t, u) &\Leftarrow u \not\approx t \ast z \to (u) \ast t \to (t).
\end{aligned} \tag{12}$$

The arity of the predicates $p^{A^p_2}_{\emptyset}$ and $q^{A^q_1}_{\emptyset}$ has been changed to include the invisible but special variable *u*, and the predicate $p^{A^p_1}_{\emptyset}$ no longer has an invisible root.

*Example 8.* In this example, we show how disconnected variables may be eliminated. Let *p*, *q* be the predicates defined by the rules *p*(*x*, *y*) ⇐ ∃*z*. (*x* → (*y*) ∗ *q*(*x*, *z*)) and *q*(*x*, *y*) ⇐ *x* ≉ *y* (the disequality is what the third component of $A_q$ below records). *p*(*x*1, *x*2) and *q*(*x*1, *x*2) both admit one abstraction, $A_p$ and $A_q$ respectively, defined by:

$$A_p = \big(\{x_1, x_2\},\ \{\{x_1\}, \{x_2\}\},\ \emptyset,\ \{x_1, x_2\},\ \{\{x_1\}\},\ \{\{x_1\} \mapsto \{x_2\}\},\ \emptyset\big), \tag{13}$$

$$A_q = \big(\{x_1, x_2\},\ \{\{x_1\}, \{x_2\}\},\ \{\{\{x_1\}, \{x_2\}\}\},\ \{x_1, x_2\},\ \emptyset,\ \emptyset,\ \emptyset\big). \tag{14}$$

The above transformation produces the rules $p^{A_p}_{\emptyset}(x, y) \Leftarrow (x \to (y) \ast q^{A_q}_{\{2\}}(x))$ and $q^{A_q}_{\{2\}}(x) \Leftarrow \mathrm{emp}$. The variable *z* is eliminated, as it is disconnected in the abstraction corresponding to *x* → (*y*) ∗ *q*(*x*, *z*). This yields the introduction of a predicate $q^{A_q}_{\{2\}}$ in which the second argument of *q* is dismissed.

The above transformation may be applied to the formulas Φ occurring in pairs (Φ,R). Since the establishment condition applies only to the variables occurring in the rules and not to the existential variables of Φ, there is no need to eliminate any predicate argument in this case; thus, we may simply take *I* = ∅ for the predicates $p^A_I$ such that *p* appears in Φ. Predicates of the form $q^B_I$ with *I* ≠ ∅ will never appear at the root level in Φ, but they may appear in the rules of the predicates $p^A_{\emptyset}$ (in practice, such rules will be computed on demand). More precisely, we denote by Φ† the formula obtained from Φ by replacing every atom *p*(*y*1,..., *y*n) in Φ by the formula $\bigvee_{A \in \mathrm{abs}(p(x_1, \dots, x_n))} \exists \vec{y}_A.\ p^A_{\emptyset}(y_1, \dots, y_n, \vec{y}_A)$, where $\vec{y}_A$ is the sequence of variables in *A*•*V*inv (in arbitrary order). Note that in the case where abs(*p*(*x*1,..., *x*n)) = ∅, *p*(*y*1,..., *y*n) is replaced by an empty disjunction, i.e., by false. The properties of this transformation are stated by the following result:

<sup>2</sup> In the latter case several substitutions exist, one of them can be chosen arbitrarily (the resulting rules are identical up to α-renaming, e.g., ∃*x*∃*y*(*x* ≈ *y* ∗ *q*(*x*, *y*)) can be written ∃*x*(*x* ≈ *y* ∗ *q*(*x*, *y*)){*y* ← *x*} or ∃*y*(*x* ≈ *y* ∗ *q*(*x*, *y*)){*x* ← *y*}).

**Theorem 4.** (Φ,R) ≡ (Φ†,R†)*. Moreover, for all predicates* $p^A_I$ *defined in* R†*, the set* abs($p^A_I(\vec{y}, x'_1, \dots, x'_m)$) *contains exactly one abstraction.*

## **7 Abstractions with Exactly One Root**

We introduce an algorithm that transforms the considered SID by introducing and removing predicates such that the abstraction of each predicate *p* defined by the new R has only one root. This transformation is done in two steps: first, change predicates with an abstraction without roots, and then change predicates with an abstraction with more than one root. The transformation may fail if the structures corresponding to a given recursive predicate have multiple roots, as such structures cannot be defined by PCE rules (e.g., two parallel lists of the same length).

**Removal of Abstractions Without Root:** Let us consider every predicate *p* such that its abstraction $A_p \in \mathrm{abs}(p(\vec{x}))$ satisfies root($A_p$) = ∅. Because the abstraction of *p* has no root, the associated structure has no allocated locations, and the predicate can only be unfolded into formulas that do not contain points-to atoms. Thus, each unfolding of *p* of abstraction *A* that cannot be unfolded any further contains only equalities and disequalities, which are abstracted in *A* by *A*•≡ and *A*•≉. As a consequence, we can create the formula $\varphi_A = (\bigwedge_{(i, j) \in I_{\approx}} a_i \approx a_j) \ast (\bigwedge_{(i, j) \in I_{\not\approx}} b_i \not\approx b_j)$ with $\{a_i \approx a_j \mid (i, j) \in I_{\approx}\} = A{\bullet}{\equiv}$ and $\{b_i \not\approx b_j \mid (i, j) \in I_{\not\approx}\} = A{\bullet}{\not\approx}$. We can then replace every occurrence of *p* with $\varphi_A$.

**Removal of Abstractions With Several Roots:** We suppose now that for all predicates *p*, the abstraction $A_p \in \mathrm{abs}(p(\vec{x}))$ verifies root($A_p$) ≠ ∅. Now let us consider every predicate *p* such that its abstraction $A_p \in \mathrm{abs}(p(\vec{x}))$ has at least two roots, i.e., for all *R* ∈ root($A_p$), card(*R*) ≥ 2. If *p* does not call itself, we unfold *p* by replacing each occurrence of *p* with its definition using the rules of the SID. Otherwise, the transformation is considered impossible, and it fails.

At this point, if the transformation does not fail, we obtain:

**Proposition 2 (Every abstraction has a single root).** *After applying the transformation in this section, for all predicates p and all abstractions* $A \in \mathrm{abs}(p(\vec{x}))$*, there exists a set R* ∈ root(*A*) *such that* card(*R*) = 1*.*

*Remark 1.* We wish to emphasize that the failure of the above operation does not imply that the transformation is unfeasible. For instance, one could, in principle, define two lists of arbitrary (possibly distinct) lengths using one single inductive predicate, adding elements in one of the lists in a non-deterministic way, although such a definition is very unlikely to occur in practice. Then, our algorithm would fail (as it will detect that the structure has two roots), although a PCE presentation exists. Extending the algorithm to cover such cases is part of future work.

## **8 Transformation into PCE Rules**

The last step of the transformation is a procedure reducing any pair (Φ†,R†) into an equivalent pair (Φ‡,R‡) such that Φ‡ and R‡ are PCE formula resp. SID.

To this aim, we first introduce so-called *derived predicates* (adapted and extended from [4]), the rules of which can be computed from the rules defining predicate symbols. The aim is to extract from the call tree of a spatial atom the part that corresponds to another atom. Given an SID R and two spatial atoms γ and λ, we denote by γ ⊸ λ the atom defined by the following rules:

$$\begin{aligned}
\gamma \multimap \lambda &\Leftarrow \exists \vec{x}.\ (\varphi \ast (\gamma \multimap \lambda')), && \text{for all } \varphi, \lambda' \text{ with } \lambda \Leftarrow_{\mathcal{R}} \exists \vec{x}.\ (\varphi \ast \lambda') \text{ (up to AC of } \ast\text{)},\\
\gamma \multimap \lambda &\Leftarrow x_1 \approx y_1 \ast \dots \ast x_n \approx y_n, && \text{if } \gamma = p(x_1, \dots, x_n) \text{ and } \lambda = p(y_1, \dots, y_n), \text{ or}\\
& && \gamma = x_1 \to (x_2, \dots, x_n) \text{ and } \lambda = y_1 \to (y_2, \dots, y_n).
\end{aligned} \tag{15}$$

We assume that all such rules occur in R. Intuitively, γ ⊸ λ encodes a structure defined as the atom λ but in which a call to γ is removed. It is easy to see that γ ⊸ λ is unsatisfiable if λ is a points-to atom and γ is a predicate atom. By definition, (*x*1 → (*x*2,..., *x*n)) ⊸ (*y*1 → (*y*2,..., *y*m)) is equivalent to *x*1 ≈ *y*1 ∗ ··· ∗ *x*n ≈ *y*n if *m* = *n* and unsatisfiable otherwise. These remarks can be used to simplify the rules above (e.g., by removing rules with unsatisfiable bodies).

For instance, given the rules *p*(*x*) ⇐ ∃*y*.(*x* → (*y*) ∗ *p*(*y*)) and *p*(*x*) ⇐ *x* → (), the derived atoms *p*(*x*′) ⊸ *p*(*x*) and (*x*′ → ()) ⊸ *p*(*x*) both denote a list segment from *x* to *x*′, whereas (*x*′ → (*x*″)) ⊸ *p*(*x*) denotes a list with a "hole" at *x*′. The corresponding rules are, after simplification:

$$p(x') \multimap p(x) \Leftarrow \exists y.\ (x \to (y) \ast (p(x') \multimap p(y))), \qquad p(x') \multimap p(x) \Leftarrow x \approx x', \tag{16}$$

$$(x' \to ()) \multimap p(x) \Leftarrow \exists y.\ (x \to (y) \ast ((x' \to ()) \multimap p(y))), \qquad (x' \to ()) \multimap p(x) \Leftarrow x \approx x', \tag{17}$$

$$(x' \to (x'')) \multimap p(x) \Leftarrow \exists y.\ (x \to (y) \ast ((x' \to (x'')) \multimap p(y))), \tag{18}$$

$$(x' \to (x'')) \multimap p(x) \Leftarrow x \approx x' \ast p(x''). \tag{19}$$

The operator ⊸ can be nested; for instance (*x*1 → (*x*′1)) ⊸ (*p*(*x*2) ⊸ *p*(*x*)) denotes a list segment from *x* to *x*2 with a hole at *x*1.
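As an added example (not the paper's OCaml implementation), the following Python generates the rules of γ ⊸ λ from the scheme (15) for a given SID and applies the simplifications noted above: a body containing an unsatisfiable γ ⊸ λ′ is dropped, a derived atom of a points-to atom against a points-to atom of equal arity is replaced by argument-wise equalities, and an equality on an existential variable is then eliminated by substitution. Run on the constructed list SID of the example, it reproduces rules (16)–(19). The tuple encoding of atoms and rules and the `E`/`-o`/`~` spellings of the printer are this example's own conventions.

```python
"""Rules of a derived predicate gamma -o lam, following (15) of Sect. 8.
Added example, not the paper's implementation. Atoms: ("pred", name, args),
("pto", args) with args[0] allocated, ("eq", a, b), ("derived", gamma, lam).
A rule body is (existential_vars, spatial_atoms, pure_atoms)."""
from itertools import count

def pred(name, *args): return ("pred", name, tuple(args))
def pto(src, *fields): return ("pto", (src,) + tuple(fields))
def derived(gamma, lam): return ("derived", gamma, lam)
def args_of(atom): return atom[2] if atom[0] == "pred" else atom[1]

def variables(atom):
    return variables(atom[1]) | variables(atom[2]) if atom[0] == "derived" else set(args_of(atom))

def same_shape(g, l):
    """Base case of (15): same predicate symbol, or points-to atoms of equal arity."""
    if g[0] != l[0] or len(args_of(g)) != len(args_of(l)):
        return False
    return g[0] == "pto" or g[1] == l[1]

def subst(atom, sigma):
    ren = lambda v: sigma.get(v, v)
    if atom[0] == "derived":
        return ("derived", subst(atom[1], sigma), subst(atom[2], sigma))
    if atom[0] == "eq":
        return ("eq", ren(atom[1]), ren(atom[2]))
    return atom[:-1] + (tuple(map(ren, atom[-1])),)  # pred or pto

def instantiate(rule, actual, avoid):
    """Rename formals to the actual arguments and existentials to fresh names."""
    params, (exists, spatial, pure) = rule
    sigma, fresh = dict(zip(params, actual)), []
    for z in exists:
        name = z
        for i in count(1):
            if name not in avoid and name not in sigma.values():
                break
            name = f"{z}_{i}"
        sigma[z] = name
        fresh.append(name)
    return fresh, [subst(a, sigma) for a in spatial], [subst(a, sigma) for a in pure]

def simplify(exists, spatial, pure):
    """Remarks after (15): a derived atom whose right side is a points-to atom is
    unsatisfiable (None) unless the left side is a points-to atom of the same
    arity, in which case it becomes argument-wise equalities; equalities on
    existential variables are then eliminated by substitution."""
    exists, spatial, pure, kept = list(exists), list(spatial), list(pure), []
    for atom in spatial:
        if atom[0] == "derived" and atom[2][0] == "pto":
            g = atom[1]
            if g[0] == "pred" or len(args_of(g)) != len(args_of(atom[2])):
                return None
            pure += [("eq", a, b) for a, b in zip(args_of(g), args_of(atom[2]))]
        else:
            kept.append(atom)
    spatial, progress = kept, True
    while progress:
        progress = False
        for eq in pure:
            a, b = eq[1], eq[2]
            if b in exists:
                a, b = b, a
            if a in exists:  # exists a.(a ~ b * F) is equivalent to F{a <- b}
                exists.remove(a)
                pure.remove(eq)
                spatial = [subst(x, {a: b}) for x in spatial]
                pure = [subst(x, {a: b}) for x in pure]
                progress = True
                break
    return tuple(exists), tuple(spatial), tuple(pure)

def derived_rules(gamma, lam, sid):
    """All rules defining gamma -o lam according to (15), after simplification."""
    rules = []
    if same_shape(gamma, lam):
        rules.append(((), (), tuple(("eq", a, b) for a, b in zip(args_of(gamma), args_of(lam)))))
    if lam[0] == "pred":
        avoid = variables(gamma) | variables(lam)
        for rule in sid[lam[1]]:
            exists, spatial, pure = instantiate(rule, lam[2], avoid)
            for i, atom in enumerate(spatial):  # each body atom may host gamma
                rest = spatial[:i] + spatial[i + 1:] + [derived(gamma, atom)]
                body = simplify(exists, rest, pure)
                if body is not None:
                    rules.append(body)
    return rules

def show(atom):
    if atom[0] == "pred":
        return f"{atom[1]}({', '.join(atom[2])})"
    if atom[0] == "pto":
        return f"{atom[1][0]} -> ({', '.join(atom[1][1:])})"
    if atom[0] == "eq":
        return f"{atom[1]} ~ {atom[2]}"
    return f"({show(atom[1])} -o {show(atom[2])})"

def show_rule(gamma, lam, body):
    exists, spatial, pure = body
    quant = f"E{','.join(exists)}. " if exists else ""
    return f"{show(derived(gamma, lam))} <= {quant}{' * '.join(map(show, spatial + pure)) or 'emp'}"

# Constructed SID of the example: p(x) <= Ey.(x -> (y) * p(y)) and p(x) <= x -> ().
LIST_SID = {"p": [(("x",), (("y",), [pto("x", "y"), pred("p", "y")], [])),
                  (("x",), ((), [pto("x")], []))]}
```

Calling `derived_rules(pto("x'", "x''"), pred("p", "x"), LIST_SID)` yields two rules; printed with `show_rule` they read `(x' -> (x'') -o p(x)) <= Ey. x -> (y) * (x' -> (x'') -o p(y))` and `(x' -> (x'') -o p(x)) <= p(x'') * x' ~ x`, i.e. (18) and (19). The second one illustrates the simplification chain: the hole placed on *x* → (*y*) produces the equalities *x*′ ≈ *x* and *x*″ ≈ *y*, and the existential *y* is then substituted away.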

Consider a rule ρ = *p*(*x*1,..., *x*n) ⇐ ϕ, where ϕ′ denotes the quantifier-free formula such that ϕ = ∃$\vec{z}$. ϕ′. By Theorem 4, the formulas ϕ and ϕ′ have unique abstractions $A_\varphi$ and $A_{\varphi'}$, respectively (in what follows the notations [*x*] and ≡ always refer to the abstraction $A_{\varphi'}$). Recall that, at this point, establishment is ensured, and all roots are visible. As ϕ′ has a unique abstraction, there is a unique *k* ∈ ⟦1, *n*⟧ such that [*x*k] is the root of $A_{\varphi'}$, and the tuple pointed to by the location associated with *x*k contains only locations associated with variables *y*1,..., *y*m that are visible or special in $A_\varphi$, with $A_{\varphi'}{\bullet}h([x_k]) = ([y_1], \dots, [y_m])$. To make the rule ρ PCE, it must be rewritten in the form *p*(*x*1,..., *x*n) ⇐ ∃$\vec{z}$. *x*k → (*y*1,..., *y*m) ∗ *q*1($\vec{w}_1$) ∗ ··· ∗ *q*l($\vec{w}_l$) ∗ ψ, where ψ is a pure formula and the root of each atom *q*i($\vec{w}_i$) is in {*y*1,..., *y*m}. There are two cases:

**Case 1:** Assume that ϕ′ contains a points-to atom *x*′k → (*y*′1,..., *y*′l), with [*x*′k] = [*x*k] and [*y*′i] = [*y*i] for all *i* ∈ ⟦1, *l*⟧. The formula ϕ′ is then of the form *x*′k → (*y*′1,..., *y*′m) ∗ ψ ∗ ψ′, where ψ contains only points-to and predicate atoms and ψ′ is a pure formula. The formula ψ may be decomposed into ϕ1 ∗ ··· ∗ ϕl′, where each formula ϕi allocates only variables *z* such that [*y*ji] →* [*z*], and *y*j1,..., *y*jl′ are pairwise distinct variables in {*y*1,..., *y*l}. Such a decomposition necessarily exists<sup>3</sup> since [*x*k] is the root of $A_{\varphi'}$, so every class reachable from [*x*k] must be reachable from one of the [*y*i]. For *i* ∈ ⟦1, *l*′⟧, if ϕi is not a predicate atom, we create a fresh predicate *q*i whose arguments are all the variables $\vec{w}_i$ occurring in ϕi, add the rule *q*i($\vec{w}_i$) ⇐ ϕi, and replace ϕi by *q*i($\vec{w}_i$) in ϕ. The resulting rule ρ′ is PCE.

**Case 2:** Now assume that ϕ′ contains no such points-to atom *x*′k → (*y*′1,..., *y*′l). We have to extract this points-to atom from some rule that, when unfolded, creates it, and add it to a new rule equivalent to ρ. Because $A_{\varphi'}$ is unique and because every predicate also has a unique abstraction, only one atom can allocate *x*k, and this atom must be a predicate atom (otherwise we would be in Case 1). Thus ϕ′ is of the form *q*($\vec{w}'$) ∗ ϕ″, where *x*k is allocated in every model of *q*($\vec{w}'$). By the previous construction, the atom *q*($\vec{w}'$) may be replaced by *x*k → (*y*1,..., *y*l) ∗ (*x*k → (*y*1,..., *y*l) ⊸ *q*($\vec{w}'$)). We get a new rule ρ′ = *p*(*x*1,..., *x*n) ⇐ ∃$\vec{z}$. *x*k → (*y*1,..., *y*l) ∗ (*x*k → (*y*1,..., *y*l) ⊸ *q*($\vec{w}'$)) ∗ ϕ″, which fulfils the condition of Case 1, and we may apply the transformation described there to ρ′. The new rules associated with *x*k → (*y*1,..., *y*l) ⊸ *q*($\vec{w}'$) are added to the set of rules.

The above transformations are applied until all rules are PCE. Note that termination is not guaranteed (indeed, not all *k*-PCE-compatible pairs (Φ,R) admit an equivalent PCE pair, and the existence of such a pair is undecidable by Theorem 1). To enforce termination in some cases, a form of memoization may be used: the predicates introduced above may be reused if the corresponding formulas are equivalent. As logical equivalence is hard to test (undecidable in general), we only check that the rules associated with both predicates are identical up to a renaming of existential variables and spatial predicates. In practice, termination may be ensured by imposing limitations on the number of rules or predicates. We show that if the transformation terminates, we obtain the desired result.

**Theorem 5.** *Let* (Φ†,R†) *be any pair obtained by applying the transformations in Secs. 6 and 7. If the computation of* (Φ‡,R‡) *terminates, then* (Φ†,R†) ≡ (Φ‡,R‡)*. Also, the SID* R‡*, and thus* Φ‡*, are PCE.*

## **9 Experimental Evaluation and Conclusion**

We devised an algorithm to construct PCE rules for a given formula (if possible). The existence of such a presentation is undecidable, but we identify a property called PCE-compatibility, which is decidable and weaker. Our algorithm helps to relax the rigid conditions on PCE presentations. It is also able to construct PCE rules in some more complex cases by performing deep, global transformations on the rules. We have implemented an initial version of the algorithm in OCaml using the Cyclist [2] framework and applied it to benchmarks taken from this framework and from SL-COMP [1]. The program comprises approximately 3000 lines of code. To ensure efficiency, the implemented procedure is somewhat simplified compared to the algorithm described in this paper: in the step of Sect. 8, we avoid the use of derived predicates and instead employ a fixed-depth unfolding of predicate atoms (the other sections strictly adhere to the theoretical definitions). All tests are performed with a timeout of 30 seconds. The running time is low in most examples. Of the 145 tested examples, 105 are successfully transformed into equivalent PCE formulas, 20 trigger the ISIV condition (the structures are not *k*-PCE-compatible), 3 fail at the step of Sect. 7 (recursive structures with multiple roots) and 17 others time out. The program and input data are available at https://hal.science/hal-04549937. We find the results highly encouraging: about 86% of the tested examples (the 105 transformed plus the 20 correctly rejected by the ISIV condition) are successfully handled. Therefore, this tool may be used to provide a measure of the difficulty of the examples in the SL-COMP benchmark.

<sup>3</sup> If several decompositions exist, then one of them is chosen arbitrarily.

We end the paper by identifying some lines of future work. For efficiency, we first plan to refine the transformation by avoiding the systematic reduction to one-abstraction predicates given in Sect. 6. Indeed, this transformation is very convenient from a theoretical point of view but introduces some additional computational blowup, which could be avoided in some cases. We wish to strengthen the definition of *k*-PCE-compatible IDs in order to capture additional properties of PCE definitions. Notice that the semi-decidability of the PCE problem is an open question. Finally, it could also be interesting to extend the transformation to *E*-restricted IDs, a fragment of non-established IDs introduced in [4], for which entailment is decidable.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Sequents vs Hypersequents for Åqvist Systems**

Agata Ciabattoni and Matteo Tesi(B)

Institute of Logic and Computation, Vienna University of Technology, Vienna, Austria agata@logic.at, matteo.tesi@tuwien.ac.at

**Abstract.** Enhancing cut-free expressiveness through minimal structural additions to sequent calculus is a natural step. We focus on Åqvist's system **F** with cautious monotonicity (**CM**), a deontic logic extension of **S5**, for which we define a sequent calculus employing (semi-)analytic cuts. The transition to hypersequents is key to developing modular and cut-free calculi for **F** + (**CM**) and **G**, also supporting countermodel construction.

# **1 Introduction**

Normative reasoning is crucial across various fields, including law and artificial intelligence. It is effectively formalized by deontic logic, the branch of logic that deals with obligations and related concepts. Numerous deontic logics have emerged, and they can be broadly classified into *preference-based* and *norm-based* systems [11]. The latter analyse deontic modalities with reference to a set of explicit norms, while the former employ possible world semantics. Preference-based systems are particularly useful to model contrary-to-duty obligations (i.e., obligations that come into force when some other obligation is violated) and defeasible deontic conditionals. Åqvist's landmark systems [1] **E**, **F**, and **G** fall into this category. Semantically, they are characterized by preference models using relations to represent the betterness of states. They extend the modal logic **S5** with a dyadic obligation ◯(*B/A*) ("B is obligatory, given A") which is true when the best A-worlds are all B-worlds. A more recent addition to the family [27] is **F** with the addition of cautious monotonicity (CM) from the non-monotonic literature [12,18]. **E**, **F**, **F** + (**CM**), and **G** are modular systems with increasing deductive strength w.r.t. the sets of theorems they derive. The last two systems correspond to well-known conditional logics: **G** is **VTA** [13], one of Lewis' logics, while **F** + (**CM**) corresponds to Preferential Conditional Logic **PCL** [6] supplemented with the absoluteness axiom, which reflects the fact that the ranking is not world-relative. **PCL** contains as a fragment the **KLM** preferential logic **P** [18] for default reasoning.

Reasoning necessitates (finding) derivations and countermodels. The exploration of the proof theory for these logics has only recently become a focal point.

C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 176–195, 2024. https://doi.org/10.1007/978-3-031-63501-4_10

Prior to that, the only available calculi for them were Hilbert systems, which are unsuitable for the mentioned tasks. Since Gentzen's introduction in 1935, sequent calculi in which the cut rule is admissible (or eliminable) have been employed for these purposes. Although crucial to simulate modus ponens, the cut rule poses a hindrance to proof search. Cut-free sequent systems are not available for Åqvist's systems insofar as they contain an **S5** modality which impedes their formulation<sup>1</sup>. Many sequent calculus generalizations, like hypersequents, nested, and labelled sequents, have been introduced to capture logics without cut-free formulations. Notably, hypersequents are characterized by less complex objects and expressiveness compared to nested sequents, which, in turn, are less complex and expressive than labelled sequents, see e.g. [22]. Using hypersequents, modular cut-free calculi have been introduced for **E** and **F** in [8,9]. The situation for **G** and **F** + (**CM**) is less clear. Although **G** semantically arises by imposing totality on the frames of **F** + (**CM**), this is not reflected in their calculi: (forms of) labelled sequents [20,24] have been employed for **PCL**, and a hypersequent calculus with blocks (incorporating a shallow form of nesting) [14] for **G**.

This leaves open the question whether *modular* and *cut-free* calculi, using a *simpler framework*, can be defined for **F** + (**CM**) and **G**. Simplicity in the proof formalism is advantageous for proving meta-logical results and streamlining the proof search space. Indeed the introduction of additional structure in the basic objects manipulated by the formalism often poses obstacles in these endeavors.

Our positive answer to the question relies on the use of an alternative semantics (w.r.t. preference models) [28]. We first introduce a *sequent* calculus **SFcm** for **F** + (**CM**). Like the calculus in [25] for **S5**, **SFcm** lacks completeness without cuts. Nevertheless, we show that a restricted form of cuts, which we call semi-analytic, suffices. We present a syntactic procedure, akin to cut-elimination, to transform **SFcm** proofs with arbitrary cuts into proofs with semi-analytic cuts, simplifying the method in [7]. Extending **SFcm** to encompass **G** would be hard, if possible at all. Sequent calculi are indeed known to be inadequate for capturing modal logics with linear frames (Ch. 9 in [15]). To achieve modular and cut-free calculi for **F** + (**CM**) and **G**, we shift from the sequent to the hypersequent framework. The use of hypersequents (which are sequents working in parallel) enables the definition of structural rules operating across multiple sequents. In particular, adapting the peculiar hypersequent rule for **S5** from [4] simplifies the rules for **SFcm**, resulting in a cut-free hypersequent calculus for **F** + (**CM**). A calculus for **G** is obtained by adding (a version of) the communication rule from [3], designed to capture Gödel logic [10]. We prove cut-elimination for both calculi and modify them into proof-search oriented calculi, providing proofs of decidability and countermodel construction from failed derivations.

Similarly to the calculi for **E** and **F** in [8,9] we encode maximality by a (**S4**-type) modal operator. ○(*B/A*) can be indirectly defined as ✷(*A* → ¬B*et*¬(*A* ∧ B*et*(*A* → *B*))). B*et* is not part of the language of **F** + (**CM**) and **G**, but is used at the meta-level in the calculi to define rules for the dyadic obligation.

<sup>1</sup> The standard sequent calculus [25] for **S5** is not cut-free but it is complete with analytic cuts [30] (i.e. cuts whose cut-formula is a subformula of the conclusion [29]).

# **2 F + (CM) and G in a Nutshell**

We present the logics **F** + (**CM**) and **G** both syntactically and semantically. Let PropVar be a countable set of atomic formulas. Their language is defined by the following BNF:

$$A ::= p \in \text{PropVar} \mid \neg A \mid A \to A \mid \Box A \mid \bigcirc (A / A)$$

✷*A* is read as "*A* is settled as true", and ○(*B/A*) as "*B* is obligatory, given *A*". The Boolean connectives other than ¬ and → are defined as usual.

**Definition 1. F** *consists of any Hilbert system for S5 augmented with:*


**F** + (**CM**) *and* **G** *extend* **F** *with axioms (CM) and (RM) respectively:*

$$
\bigcirc(B/A) \land \bigcirc(C/A) \to \bigcirc(C/A \land B) \tag{CM}
$$

$$
\neg\bigcirc(\neg B/A) \land \bigcirc(C/A) \to \bigcirc(C/A \land B) \tag{RM}
$$

(COK) is the analogue of axiom **K**, (Sh) expresses a "half" of the deduction theorem (or residuation property). The absoluteness axiom (Abs) of [21] corresponds to the removal of world-relative accessibility relations. (O-Nec) is the deontic counterpart of the necessitation rule. (Ext) enables the substitution of necessarily equivalent sentences in the antecedent of deontic conditionals. (Id) is the deontic analogue of the identity principle. These axioms define the logic **E**.

**F** extends **E** with (D∗), which rules out conflicts between obligations for possible antecedents. (CM) and (RM) are cautious and rational monotony from the nonmonotonic literature [18]. Introduced in [12], (CM) expresses a weakened form of strengthening of the antecedent, while (RM) expresses a stronger one: if *B* is permitted given *A*, and *C* is obligatory given *A*, then *C* is obligatory given *A* ∧ *B*.

Semantics for the logics **E**, **F**, **F** + (**CM**) and **G** can be given in terms of preference models, see [28]. This semantics was used in [8,9] to define cut-free hypersequent calculi for **E** and **F**. With preference models, structures are easily described, but they come with complex model theoretic conditions on the valuation function. In this paper we adopt a different semantics. This semantics has a more complex truth condition for the deontic operator, involving a ∀∃∀ nesting of quantifiers [28], but simpler frame and valuation conditions.

The original language does not include the modality B*et*, but we add it to the semantic explanation of connectives for clarity.

**Definition 2.** *A preference model for* **F** + (**CM**) *is a triple* ⟨*W*, ≤, *v*⟩*, where* ≤ *is a reflexive and transitive order on W and v* : PropVar → P(*W*) *a valuation function. The truth conditions for a formula in a world are defined as:*


*Models for* **G** *are obtained by imposing totality, i.e.,* ∀*x*∀*y*(*x* ≤ *y* ∨ *y* ≤ *x*)*.*

**Theorem 1 ([28]). F** + (**CM**) *(resp.* **G***) is sound and complete with respect to the semantics of (resp. total) preference models.*

Note that the truth condition for the operator ○(*B/A*) can be rewritten, using the conditions for ✷, →, ¬ and B*et*, as:

$$
x \Vdash \bigcirc(B/A) \quad \text{iff} \quad x \Vdash \Box\big(A \to \neg \mathit{Bet}\,\neg(A \land \mathit{Bet}(A \to B))\big)
$$
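The semantics above can be checked mechanically on small finite models. The following script is an added example, not code from the paper or its authors; class and function names are ours. Since Definition 2's table is not reproduced on this page, the truth conditions it encodes are assumptions read off the soundness proofs in Section 3 and the Note above: ✷*A* holds iff *A* holds at every world, B*et* *A* holds at *x* iff *A* holds at every *y* with *x* ≤ *y*, and ○(*B/A*) holds iff every *A*-world *y* has some *z* ≥ *y* with *z* ⊩ *A* ∧ B*et*(*A* → *B*) (the ∀∃∀ clause). It brute-forces all three-world models over the atoms *A*, *B*, *C* and confirms that (CM) is valid on every preorder model, that (RM) is valid on every total model but fails on some non-total ones (a hand-built countermodel, constructed here, is included), and that ○(*B/A*) coincides with its ✷/B*et* rewriting at every world.

```python
"""Finite-model checker for the preference semantics of F+(CM) and G (added example).

Formulas are nested tuples:
  ('p', name) | ('not', A) | ('imp', A, B) | ('box', A) | ('bet', A) | ('ob', B, A)
where ('ob', B, A) stands for O(B/A).  Truth conditions are ASSUMED (read off the
paper's soundness proofs and the Note closing Section 2): Box A holds iff A holds
everywhere; Bet A holds at x iff A holds at every y with x <= y; O(B/A) holds iff
every A-world y has a z with y <= z, z |= A and z |= Bet(A -> B).
"""
from itertools import product


class PreferenceModel:
    def __init__(self, worlds, leq, val):
        self.W = tuple(worlds)
        self.leq = frozenset(leq)          # pairs (x, y) meaning x <= y
        self.val = val                      # atom name -> set of worlds
        self.above = {x: [y for y in self.W if (x, y) in self.leq] for x in self.W}
        self._memo = {}

    def is_preorder(self):
        return (all((x, x) in self.leq for x in self.W) and
                all((x, z) in self.leq
                    for (x, y) in self.leq for (y2, z) in self.leq if y == y2))

    def is_total(self):
        return all((x, y) in self.leq or (y, x) in self.leq
                   for x in self.W for y in self.W)

    def sat(self, x, phi):
        # Box and O(./.) are world-independent (absoluteness): cache them once per model.
        key = (None if phi[0] in ('box', 'ob') else x, phi)
        if key not in self._memo:
            self._memo[key] = self._eval(x, phi)
        return self._memo[key]

    def _eval(self, x, phi):
        tag = phi[0]
        if tag == 'p':
            return x in self.val[phi[1]]
        if tag == 'not':
            return not self.sat(x, phi[1])
        if tag == 'imp':
            return (not self.sat(x, phi[1])) or self.sat(x, phi[2])
        if tag == 'box':                     # S5 box: true at every world
            return all(self.sat(y, phi[1]) for y in self.W)
        if tag == 'bet':                     # S4-type: true at every world at least as good as x
            return all(self.sat(y, phi[1]) for y in self.above[x])
        if tag == 'ob':                      # the forall-exists-forall clause
            B, A = phi[1], phi[2]
            return all(any(self.sat(z, A) and self.sat(z, ('bet', ('imp', A, B)))
                           for z in self.above[y])
                       for y in self.W if self.sat(y, A))
        raise ValueError(f"unknown connective {tag!r}")

    def valid(self, phi):
        return all(self.sat(x, phi) for x in self.W)


def conj(A, B):
    return ('not', ('imp', A, ('not', B)))


def ob_defined(B, A):
    """O(B/A) as rewritten in the Note: Box(A -> ~Bet~(A & Bet(A -> B)))."""
    return ('box', ('imp', A, ('not', ('bet', ('not', conj(A, ('bet', ('imp', A, B))))))))


A, B, C = ('p', 'A'), ('p', 'B'), ('p', 'C')
CM = ('imp', conj(('ob', B, A), ('ob', C, A)), ('ob', C, conj(A, B)))
RM = ('imp', conj(('not', ('ob', ('not', B), A)), ('ob', C, A)), ('ob', C, conj(A, B)))


def all_models(n_worlds=3, atoms=('A', 'B', 'C')):
    """Every preorder on n_worlds labelled worlds, combined with every valuation of atoms."""
    W = tuple(range(n_worlds))
    pairs = [(x, y) for x in W for y in W if x != y]
    for bits in product((0, 1), repeat=len(pairs)):
        leq = {(x, x) for x in W} | {p for p, b in zip(pairs, bits) if b}
        if not PreferenceModel(W, leq, {}).is_preorder():
            continue
        for vbits in product((0, 1), repeat=n_worlds * len(atoms)):
            val = {a: {x for x in W if vbits[i * n_worlds + x]} for i, a in enumerate(atoms)}
            yield PreferenceModel(W, leq, val)


def survey(n_worlds=3):
    """Count models, and failures of (CM), (RM) and of the O(B/A) rewriting, over all models."""
    counts = dict(models=0, total_models=0, cm_failures=0, rm_failures_total=0,
                  rm_failures_nontotal=0, ob_definition_mismatches=0)
    for m in all_models(n_worlds):
        counts['models'] += 1
        total = m.is_total()
        counts['total_models'] += int(total)
        counts['cm_failures'] += int(not m.valid(CM))
        if not m.valid(RM):
            counts['rm_failures_total' if total else 'rm_failures_nontotal'] += 1
        counts['ob_definition_mismatches'] += int(any(
            m.sat(x, ('ob', B, A)) != m.sat(x, ob_defined(B, A)) for x in m.W))
    return counts


def rm_countermodel():
    """Constructed non-total model in which (RM) fails: a <= b, c incomparable to both."""
    return PreferenceModel('abc', {('a', 'a'), ('b', 'b'), ('c', 'c'), ('a', 'b')},
                           {'A': set('abc'), 'B': set('ac'), 'C': set('bc')})


if __name__ == '__main__':
    print(survey())
    m = rm_countermodel()
    print('countermodel: preorder', m.is_preorder(), 'total', m.is_total(),
          'CM', m.valid(CM), 'RM', m.valid(RM))
```

Running `survey()` enumerates the 29 preorders on three labelled worlds (13 of them total) times the 512 valuations, i.e. 14848 models, in a few seconds; the per-model memo keyed on `(world, formula)` keeps the nested ∀∃∀ evaluation cheap. In `rm_countermodel()` the best *A*-worlds reachable from *a* have *C* but lack *B*, while *c* is an isolated *A* ∧ *B*-world without *C*, which is exactly why (RM) needs totality.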

# **3 A Sequent Calculus for F + (CM)**

We introduce a sequent calculus **SFcm** for **F** + (**CM**), whose completeness relies on the use of cuts of a restricted form.

**SFcm** is obtained by adding the rules for the deontic modality and for the betterness operator to a (slightly modified<sup>2</sup> version of) the sequent calculus in [25] for **S5**. The cuts required in **SFcm** are a generalization of analytic cuts (arising from the calculus for **S5** [30]), due to the shape of the rules for the deontic modality<sup>3</sup>. We use *Γ, Δ, Π, ...* as metavariables for multisets of formulas.

**Definition 3.** *The sequent calculus* **SFcm** *consists of a variant of Gentzen's calculus LK for classical logic, with axioms Γ, p* ⇒ *p, Δ, extended with the rules below*

$$
\frac{\Gamma^{\Box\bigcirc} \Rightarrow A, \Delta^{\Box\bigcirc}}{\Gamma \Rightarrow \Box A, \Delta}\ R\Box
\qquad
\frac{A, \Gamma \Rightarrow \Delta}{\Box A, \Gamma \Rightarrow \Delta}\ L\Box
\qquad
\frac{\Gamma^{\Box\bigcirc}, \Gamma^{b} \Rightarrow A, \Delta^{\Box\bigcirc}}{\Gamma \Rightarrow \mathit{Bet}\,A, \Delta}\ R\mathit{Bet}
\qquad
\frac{A, \Gamma \Rightarrow \Delta}{\mathit{Bet}\,A, \Gamma \Rightarrow \Delta}\ L\mathit{Bet}
$$

$$
\frac{\Gamma^{\Box\bigcirc}, A, \mathit{Bet}\,\neg(A \land \mathit{Bet}(A \to B)) \Rightarrow \Delta^{\Box\bigcirc}}{\Gamma \Rightarrow \bigcirc(B/A), \Delta}\ R\bigcirc
\qquad
\frac{\Gamma \Rightarrow \Delta, A \qquad \Gamma \Rightarrow \Delta, \mathit{Bet}\,\neg(A \land \mathit{Bet}(A \to B))}{\bigcirc(B/A), \Gamma \Rightarrow \Delta}\ L\bigcirc
$$

*where* Γ<sup>b</sup> = {B*etA* | B*etA* ∈ Γ}*,* Γ<sup>✷○</sup> = {✷*A* | ✷*A* ∈ Γ} ∪ {○(*B/A*) | ○(*B/A*) ∈ Γ}*, and* Δ<sup>✷○</sup> *is defined in the same way.*


<sup>2</sup> Our R✷ rule derives the absoluteness axiom.

<sup>3</sup> ○(*B/A*) could have been introduced as a defined operator. However, since our main concern is the investigation of dyadic deontic logics, we preferred to retain the obligation connective as a primitive element and generalize the notion of analytic cut.

The notion of derivation, principal formulas and *height* of a derivation are as usual. The derived rules for conjunction and disjunction are as in Gentzen's LK and the generalization of initial sequents to arbitrary formulas is provable. A rule is (height-preserving) admissible if, whenever the premises are derivable, so is the conclusion (with at most the same height). In **SFcm** the weakening rules

$$
\frac{\Gamma \Rightarrow \Delta}{A, \Gamma \Rightarrow \Delta}\ LW
\qquad
\frac{\Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta, A}\ RW
$$

are height-preserving admissible. The rules of contraction

$$
\frac{A, A, \Gamma \Rightarrow \Delta}{A, \Gamma \Rightarrow \Delta}\ LC
\qquad
\frac{\Gamma \Rightarrow \Delta, A, A}{\Gamma \Rightarrow \Delta, A}\ RC
$$

are explicitly present.

**Theorem 2 (Soundness). SFcm** *is sound for* **F** + (**CM**)*.*

*Proof.* By induction on the height of the **SFcm** derivation, distinguishing cases according to the last rule applied. Initial sequents are clearly sound. We discuss only the cases of the right rules for the modal operator B*et* and for ○(*B/A*).

RB*et*: Assume that the sequent Γ<sup>✷○</sup>, Γ<sup>b</sup> ⇒ Δ<sup>✷○</sup>, *A* is valid. Let *x* be a world with *x* ⊩ ⋀Γ and let *y* be any world such that *x* ≤ *y*. Then *y* ⊩ ⋀Γ<sup>✷○</sup> ∧ ⋀Γ<sup>b</sup> (the formulas in Γ<sup>✷○</sup> are world-independent, those in Γ<sup>b</sup> are inherited from *x* by transitivity of ≤), which yields (i) *y* ⊩ ⋁Δ<sup>✷○</sup> or (ii) *y* ⊩ *A*. If (i) holds for some such *y*, then *x* ⊩ ⋁Δ<sup>✷○</sup>, hence *x* ⊩ ⋁Δ; otherwise (ii) holds for every *y* with *x* ≤ *y*, i.e. *x* ⊩ B*etA*. In both cases the conclusion Γ ⇒ Δ, B*etA* is satisfied at *x*.

R○: Assume that Γ<sup>✷○</sup>, *A*, B*et*¬(*A* ∧ B*et*(*A* → *B*)) ⇒ Δ<sup>✷○</sup> is valid. We argue by contradiction, assuming that the conclusion Γ ⇒ Δ, ○(*B/A*) is not valid. Hence there is a world *x* which satisfies every formula in Γ and falsifies every formula in Δ as well as ○(*B/A*). By definition there is *y* such that *y* ⊩ *A* and there is no world *z* with *y* ≤ *z*, *z* ⊩ *A* and *z* ⊩ B*et*(*A* → *B*). Since *x* ⊩ ⋀Γ<sup>✷○</sup> and these formulas are world-independent, we get *y* ⊩ ⋀Γ<sup>✷○</sup>. We also have *y* ⊩ *A* and *y* ⊩ B*et*¬(*A* ∧ B*et*(*A* → *B*)). As a consequence of the validity of Γ<sup>✷○</sup>, *A*, B*et*¬(*A* ∧ B*et*(*A* → *B*)) ⇒ Δ<sup>✷○</sup>, we get *y* ⊩ ⋁Δ<sup>✷○</sup>, which entails *x* ⊩ ⋁Δ<sup>✷○</sup>, a contradiction.

**Theorem 3 (Completeness with cut).** *Each theorem of* **F** + (**CM**) *has a proof in* **SFcm** *with the addition of the cut rule.*

*Proof.* It suffices to show that all the axioms of **F** + (**CM**) are provable in **SFcm**. Modus Ponens corresponds to the provability of *A*, *A* → *B* ⇒ *B* and two applications of cut. The necessitation rule is a particular case of R✷. The axioms of classical logic are clearly derivable. In what follows, we omit trivially derivable premises to increase the readability of the derivations.

– A derivation of (CM) is as follows (omitting trivially derivable premises):

– The **S4** axioms are trivially derivable. The characteristic axiom of **S5** is derivable using analytic cuts, as follows:

$$
\frac{
 \dfrac{\dfrac{\dfrac{A \Rightarrow A}{A, \neg A \Rightarrow}\ L\neg}{A, \Box\neg A \Rightarrow}\ L\Box}{A \Rightarrow \neg\Box\neg A}\ R\neg
 \qquad
 \dfrac{\dfrac{\dfrac{\Box\neg A \Rightarrow \Box\neg A}{\Rightarrow \neg\Box\neg A, \Box\neg A}\ R\neg}{\Rightarrow \Box\neg\Box\neg A, \Box\neg A}\ R\Box}{\neg\Box\neg A \Rightarrow \Box\neg\Box\neg A}\ L\neg
}{A \Rightarrow \Box\neg\Box\neg A}\ \text{cut}
$$

The cut on ¬✷¬*A* is analytic because it is a subformula of ✷¬✷¬*A*.

– The axiom (D∗) ○(⊥*/A*) → ✷¬*A* (i.e. ◇*A* → ¬○(⊥*/A*)) is derivable in **SFcm** as follows (the topmost sequent is clearly derivable):

$$
\dfrac{
 \dfrac{
  A \Rightarrow A
  \qquad
  \dfrac{\dfrac{\dfrac{\dfrac{\bigcirc(\bot/A), A, A \to \bot, \mathit{Bet}(A \to \bot) \Rightarrow}{\bigcirc(\bot/A), A, \mathit{Bet}(A \to \bot) \Rightarrow}\ L\mathit{Bet}}{\bigcirc(\bot/A), A \land \mathit{Bet}(A \to \bot) \Rightarrow}\ L\land}{\bigcirc(\bot/A) \Rightarrow \neg(A \land \mathit{Bet}(A \to \bot))}\ R\neg}{\bigcirc(\bot/A), A \Rightarrow \mathit{Bet}\,\neg(A \land \mathit{Bet}(A \to \bot))}\ R\mathit{Bet}
 }{\bigcirc(\bot/A), A \Rightarrow}\ L\bigcirc, LC
}{\bigcirc(\bot/A) \Rightarrow \Box\neg A}\ R\neg, R\Box
$$

– The axiom (Sh) ○(*C/A* ∧ *B*) → ○(*B* → *C/A*) is derivable in **SFcm**. We construct the following derivation (the topmost sequent is clearly derivable; the trivially derivable left premises of L○ and R∧ are omitted):

$$
\dfrac{
 \dfrac{
  \dfrac{
   \dfrac{
    \dfrac{
     \dfrac{
      \dfrac{A \land B \land \mathit{Bet}(A \land B \to C),\ \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))) \Rightarrow}
            {A, B, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))) \Rightarrow C,\ \mathit{Bet}\neg(A \land B \land \mathit{Bet}(A \land B \to C))}\ R\mathit{Bet}, R\neg
     }{\bigcirc(C/A \land B), A, B, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))) \Rightarrow C}\ L\bigcirc
    }{\bigcirc(C/A \land B), A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))) \Rightarrow \mathit{Bet}(A \to (B \to C))}\ R\mathit{Bet}, R\to \text{ (twice)}
   }{\bigcirc(C/A \land B), A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))) \Rightarrow A \land \mathit{Bet}(A \to (B \to C))}\ R\land
  }{\bigcirc(C/A \land B), A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))), \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))) \Rightarrow}\ L\mathit{Bet}, L\neg
 }{\bigcirc(C/A \land B), A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C))) \Rightarrow}\ LC
}{\bigcirc(C/A \land B) \Rightarrow \bigcirc(B \to C/A)}\ R\bigcirc
$$

– The axiom (COK) ○(*B* → *C/A*), ○(*B/A*) ⇒ ○(*C/A*) is derivable in **SFcm**. We construct the following derivation (the trivially derivable left premises of L○ are omitted):

$$
\dfrac{
 \dfrac{
  \dfrac{
   \dfrac{
    \dfrac{A, \mathit{Bet}(A \to (B \to C)), \mathit{Bet}(A \to B), \mathit{Bet}\neg(A \land \mathit{Bet}(A \to C)) \Rightarrow}
          {A, \mathit{Bet}(A \to B), \mathit{Bet}\neg(A \land \mathit{Bet}(A \to C)) \Rightarrow \mathit{Bet}\neg(A \land \mathit{Bet}(A \to (B \to C)))}\ R\mathit{Bet}, R\neg, L\land
   }{\bigcirc(B \to C/A), A, \mathit{Bet}(A \to B), \mathit{Bet}\neg(A \land \mathit{Bet}(A \to C)) \Rightarrow}\ L\bigcirc
  }{\bigcirc(B \to C/A), A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to C)) \Rightarrow \mathit{Bet}\neg(A \land \mathit{Bet}(A \to B))}\ R\mathit{Bet}, R\neg, L\land
 }{\bigcirc(B \to C/A), \bigcirc(B/A), A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to C)) \Rightarrow}\ L\bigcirc
}{\bigcirc(B \to C/A), \bigcirc(B/A) \Rightarrow \bigcirc(C/A)}\ R\bigcirc
$$

The topmost sequent is clearly derivable.

The derivations in **SFcm** of the axioms (Id) ○(*A/A*) and (Abs) ○(*B/A*) → ✷○(*B/A*) are evident. Also the extensionality axiom (Ext) ✷(*A* ↔ *B*) → (○(*C/A*) ↔ ○(*C/B*)) is easy to derive.

#### **3.1 From Cuts to Semi-analytic Cuts**

We provide a syntactic procedure to restrict cuts in **SFcm** to semi-analytic cuts, where an instance of the cut rule

$$\frac{\Gamma \Rightarrow C, \Delta \quad \Sigma, C \Rightarrow \Pi}{\Gamma, \Sigma \Rightarrow \Delta, \Pi} \text{ cut}$$

is *semi-analytic* if *C* is a generalized subformula of the conclusion, i.e. *C* ∈ SUB(*Γ* ∪*Σ* ∪ *Δ* ∪ *Π*), where for any formula *A*, SUB(*A*) is inductively defined as


The notion of generalized subformula naturally extends to multisets of formulas.

To restrict the use of cuts to semi-analytic cuts we reformulate, simplify and also broaden the applicability of the method in [7] to apply to rules more general than so-called simple rules. Specifically, the inherent (almost) local structure of the proof below could seamlessly accommodate rules having more than one principal formula, as well as rules that do not obey the subformula property. Prior to [7], proofs of restriction of cuts to analytic cuts, e.g., [17,26,30,31] were all logic-tailored and, with the exception of [30], relied on semantic arguments.

*Proof Idea:* We start considering an uppermost non semi-analytic cut (semi-analytic cuts are left in the derivation). Cuts on boolean connectives are handled using rule invertibilities (and reduced in the usual way). Non semi-analytic cuts with cut-formulas ✷*A*, B*etA* and ○(*B/A*) need a different approach as their rules are not invertible; we shift them upwards until their cut formulas are principal (and then reduced). Notice that the rules RB*et*, R✷ and R○ do not allow to shift *any* cut upwards; however they permit to permute upward any cut in which (∗) the other premise is a right rule introducing the cut formula B*etA*, ✷*A* or ○(*B/A*) (because of the "good" contexts of these rules). To reach the scenario (∗) we need to bring the considered cut beyond the rules that do not allow the permutation, jumping directly to the point where the cut-formula is introduced. We do that by tracing (bottom up) all the ancestors<sup>4</sup> of the cut formulas on the right hand side (RHS), and replacing the cut (actually we consider mix) by new semi-analytic cuts. Following [7], the premises of these new semi-analytic cuts are obtained by replacing the cut-formulas in the original derivation with the contexts of the right rules introducing the cut-formulas (switching their side of the sequent), taking care that the resulting proof is still a correct derivation.

Smaller cuts are cuts of lesser degrees, according to the following definition.

**Definition 4.** *The degree of a formula A,* dg(*A*)*, is inductively defined:*

*–* dg(○(*C/B*)) = 3 · dg(*B*) + dg(*C*) + 7

<sup>4</sup> This is the familiar parametric ancestor relation of [5].

**Definition 5.** *The non-analytic cut rank σ*(D) *of a proof is the maximal degree +1 of non-semi-analytic cut formulas in* D*. The cut rank ρ*(D) *of a proof is the maximal degree +1 of cut formulas in* D*.*

By *A<sup>n</sup>* we denote *n*-repetitions of the formula *A*. As here we focus on the elimination of cuts that are non semi-analytic, we use the non-analytic cut rank.

**Lemma 1.** *The rules for* → *and* ¬ *are height- and (non-analytic) rank-preserving invertible.*

**Lemma 2.** *Given derivations* D<sub>1</sub> *and* D<sub>2</sub> *of* Γ ⇒ Δ, *X and X*, Π ⇒ Σ *with σ*(D<sub>1</sub>)*, σ*(D<sub>2</sub>) ≤ dg(*X*) *and with X principal in the last rule applied in* D<sub>1</sub> *and* D<sub>2</sub>*, there is a derivation* D *of* Γ, Π ⇒ Δ, Σ *with σ*(D) ≤ dg(*X*)*.*

*Proof.* Easy in case of the propositional connectives, B*et*, and ✷.

If the cut formula is principal in applications of the rules for ○, we have:

$$
\frac{
 \dfrac{\Gamma^{\Box\bigcirc}, A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to B)) \Rightarrow \Delta^{\Box\bigcirc}}{\Gamma \Rightarrow \Delta, \bigcirc(B/A)}\ R\bigcirc
 \qquad
 \dfrac{\Pi \Rightarrow \Sigma, A \qquad \Pi \Rightarrow \Sigma, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to B))}{\bigcirc(B/A), \Pi \Rightarrow \Sigma}\ L\bigcirc
}{\Gamma, \Pi \Rightarrow \Delta, \Sigma}\ \text{Cut}
$$

We construct the following derivation:

$$
\dfrac{
 \dfrac{
  \Pi \Rightarrow \Sigma, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to B))
  \qquad
  \dfrac{\Pi \Rightarrow \Sigma, A \qquad \Gamma^{\Box\bigcirc}, A, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to B)) \Rightarrow \Delta^{\Box\bigcirc}}{\Gamma^{\Box\bigcirc}, \Pi, \mathit{Bet}\neg(A \land \mathit{Bet}(A \to B)) \Rightarrow \Sigma, \Delta^{\Box\bigcirc}}\ \text{Cut}
 }{\Gamma^{\Box\bigcirc}, \Pi^2 \Rightarrow \Delta^{\Box\bigcirc}, \Sigma^2}\ \text{Cut}
}{\Gamma, \Pi \Rightarrow \Delta, \Sigma}\ LC, RC, LW, RW
$$

The modified versions of the rules R✷, R○ and RB*et* in the lemma below will be used to simplify the presentation of case (**B**) in the proof of Theorem 4: when shifting upward a non semi-analytic cut over the right rules for ✷, B*et* or ○.

**Lemma 3.** *The versions R✷′, R○′ and RB*et*′ of the rules R✷, R○ and RB*et* with* $\bigvee\Sigma_1^{\Box\bigcirc}, \dots, \bigvee\Sigma_m^{\Box\bigcirc}$ *(resp.* $\bigwedge\Pi_1^{\Box\bigcirc}, \dots, \bigwedge\Pi_n^{\Box\bigcirc}$*) in their antecedent (resp. consequent) are admissible.*

*Proof.* (R✷′): Given $\bigvee\Sigma_1^{\Box\bigcirc}, \dots, \bigvee\Sigma_m^{\Box\bigcirc}, \Gamma^{\Box\bigcirc} \Rightarrow \Delta^{\Box\bigcirc}, \bigwedge\Pi_1^{\Box\bigcirc}, \dots, \bigwedge\Pi_n^{\Box\bigcirc}, B$, we first apply the invertibility of the derived rules for ∨ and ∧ (Lemma 1), obtaining premises whose contexts consist of ✷- and ○-formulas only. The R✷′ conclusion $\bigvee\Sigma_1^{\Box\bigcirc}, \dots, \bigvee\Sigma_m^{\Box\bigcirc}, \Gamma^{\Box\bigcirc} \Rightarrow \Delta^{\Box\bigcirc}, \bigwedge\Pi_1^{\Box\bigcirc}, \dots, \bigwedge\Pi_n^{\Box\bigcirc}, \Box B$ is then obtained by multiple applications of R✷ and of the logical rules. The proof for R○′ and RB*et*′ is analogous.

**Theorem 4.** *Given the derivations* D<sub>1</sub> *of* Γ ⇒ Δ, *X*<sup>m</sup> *and* D<sub>2</sub> *of X*<sup>n</sup>, Π ⇒ Σ *containing only semi-analytic cuts, there is a derivation* D *of* Γ, Π ⇒ Δ, Σ *with σ*(D) ≤ dg(*X*)*.*

*Proof.* We first replace all (semi-analytic) cuts on *X* in D<sub>1</sub> and D<sub>2</sub> by applications of contraction. The theorem's claim is proved by induction on the sum of the heights of the derivations D<sub>1</sub> and D<sub>2</sub>. If the cut-formula is a connective of classical logic the claim follows by Lemmas 1 and 2. We consider D<sub>1</sub> and distinguish two cases: the cut formula is principal in the last rule applied or it is not.

**(A) The cut formula is principal in the last rule applied in** D<sub>1</sub>**.** We consider cases according to the last rule (*r*) applied in D<sub>2</sub>. For instance, when the cut formula is B*etB* and (*r*) is RB*et*, the cut has the form

$$
\frac{
 \dfrac{\Gamma^b, \Gamma^{\Box\bigcirc} \Rightarrow \Delta^{\Box\bigcirc}, B}{\Gamma \Rightarrow \Delta, \mathit{Bet}\,B^n}\ R\mathit{Bet}
 \qquad
 \dfrac{\mathit{Bet}\,B^m, \Pi^b, \Pi^{\Box\bigcirc} \Rightarrow \Sigma^{\Box\bigcirc}, C}{\mathit{Bet}\,B^m, \Pi \Rightarrow \Sigma, \mathit{Bet}\,C}\ R\mathit{Bet}
}{\Gamma, \Pi \Rightarrow \Delta, \Sigma, \mathit{Bet}\,C}\ \text{Cut}
$$

We proceed as follows:

$$
\dfrac{
 \dfrac{
  \dfrac{\Gamma^b, \Gamma^{\Box\bigcirc} \Rightarrow \Delta^{\Box\bigcirc}, B}{\Gamma^b, \Gamma^{\Box\bigcirc} \Rightarrow \Delta^{\Box\bigcirc}, \mathit{Bet}\,B}\ R\mathit{Bet}
  \qquad
  \mathit{Bet}\,B^m, \Pi^b, \Pi^{\Box\bigcirc} \Rightarrow \Sigma^{\Box\bigcirc}, C
 }{\Gamma^b, \Gamma^{\Box\bigcirc}, \Pi^b, \Pi^{\Box\bigcirc} \Rightarrow \Delta^{\Box\bigcirc}, \Sigma^{\Box\bigcirc}, C}\ \text{Cut}
}{\Gamma, \Pi \Rightarrow \Delta, \Sigma, \mathit{Bet}\,C}\ R\mathit{Bet}
$$

**(B) The cut formula is not principal in the last rule applied in** D<sub>1</sub>**.** We distinguish sub-cases according to the last rule (*r*) applied in D<sub>1</sub>. For instance, when the cut formula is ✷*A* and (*r*) is RB*et*:

$$
\dfrac{
 \dfrac{
  \begin{array}{c}
  \cdots \qquad \dfrac{\Theta_i^{\Box\bigcirc} \Rightarrow \Lambda_i^{\Box\bigcirc}, \Box A^{l_i - 1}, A}{\Theta_i \Rightarrow \Lambda_i, \Box A^{l_i}}\ R\Box \qquad \cdots \\[1ex]
  \vdots \\[1ex]
  \Gamma^b, \Gamma^{\Box\bigcirc} \Rightarrow \Delta^{\Box\bigcirc}, \Box A^n, B
  \end{array}
 }{\Gamma \Rightarrow \Delta, \Box A^n, \mathit{Bet}\,B}\ R\mathit{Bet}
 \qquad
 \Box A^m, \Pi \Rightarrow \Sigma
}{\Gamma, \Pi \Rightarrow \Delta, \Sigma, \mathit{Bet}\,B}\ \text{Cut}
$$

For the sake of simplicity we first consider the case in which the cut formula is principal only in *one* branch of D<sub>1</sub> (w.l.o.g. the one displayed above); the general case is handled in the same way with an additional combinatorial argument. The cut is replaced by the following derivation ($\Theta_i^{\Box\bigcirc} \Rightarrow \bigwedge\Theta_i^{\Box\bigcirc}$ and $\bigvee\Lambda_i^{\Box\bigcirc} \Rightarrow \Lambda_i^{\Box\bigcirc}$ are clearly derivable):

$$
\dfrac{
 \dfrac{\mathcal{D}'_1}{\Gamma \Rightarrow \Delta, \mathit{Bet}\,B, \bigwedge\Theta_i^{\Box\bigcirc}}
 \qquad
 \dfrac{\mathcal{D}''_1}{\bigvee\Lambda_i^{\Box\bigcirc}, \Gamma \Rightarrow \Delta, \mathit{Bet}\,B}
 \qquad
 \dfrac{\dfrac{\Theta_i^{\Box\bigcirc} \Rightarrow \Lambda_i^{\Box\bigcirc}, \Box A^{l_i} \qquad \Box A^m, \Pi \Rightarrow \Sigma}{\Theta_i^{\Box\bigcirc}, \Pi \Rightarrow \Lambda_i^{\Box\bigcirc}, \Sigma}\ \text{Cut (IH)}}{\bigwedge\Theta_i^{\Box\bigcirc}, \Pi \Rightarrow \bigvee\Lambda_i^{\Box\bigcirc}, \Sigma}\ L\land, R\lor
}{\Gamma, \Pi \Rightarrow \Delta, \Sigma, \mathit{Bet}\,B}\ \text{Cut}^*
$$

The first derivation above, say D′<sub>1</sub>, is obtained from D<sub>1</sub> by substituting *all* occurrences of the cut formula with $\bigwedge\Theta_i^{\Box\bigcirc}$ (at the displayed R✷ application the conclusion $\Theta_i \Rightarrow \Lambda_i, \bigwedge\Theta_i^{\Box\bigcirc}$ is then derivable from $\Theta_i^{\Box\bigcirc} \Rightarrow \bigwedge\Theta_i^{\Box\bigcirc}$ by weakening), and the second derivation D″<sub>1</sub> by removing the cut formula from the RHS and adding $\bigvee\Lambda_i^{\Box\bigcirc}$ to the LHS (there the conclusion $\bigvee\Lambda_i^{\Box\bigcirc}, \Theta_i \Rightarrow \Lambda_i$ is derivable from $\bigvee\Lambda_i^{\Box\bigcirc} \Rightarrow \Lambda_i^{\Box\bigcirc}$ by weakening). The correctness of the application of the rules in these sub-derivations is guaranteed by Lemma 3. The cut between $\Theta_i^{\Box\bigcirc} \Rightarrow \Lambda_i^{\Box\bigcirc}, \Box A^{l_i}$ and $\Box A^m, \Pi \Rightarrow \Sigma$ is handled by the induction hypothesis. The rule Cut<sup>∗</sup> can be replaced by new semi-analytic cuts (see Lemma 4 below, in the particular case *n* = 1). The argument which ensures the semi-analyticity of the new cuts is at the end of the proof.

In the general case, there may be *k* branches in which the cut formula is principal, with the following conclusions of R✷ rules introducing ✷*A*'s:

$$
\{\Theta_j^{\Box\bigcirc} \Rightarrow \Lambda_j^{\Box\bigcirc}, \Box A^{l_j} \mid j \in \{1, \dots, k\}\}.
$$

We now need to construct, following the pattern detailed for D′<sub>1</sub> and D″<sub>1</sub>, derivations with all the possible combinations of length *k* of the contexts $\bigwedge\Theta_{k_1}^{\Box\bigcirc}$ and $\bigvee\Lambda_{k_2}^{\Box\bigcirc}$, with *k*<sub>1</sub> ≠ *k*<sub>2</sub> and *k*<sub>1</sub>, *k*<sub>2</sub> ∈ {1, …, *k*}, inverting their polarities, i.e. their position w.r.t. the sequent arrow. To witness a concrete example, if *k* = 2, we construct the derivations of the sequents $\bigvee\Lambda_1^{\Box\bigcirc}, \bigvee\Lambda_2^{\Box\bigcirc}, \Gamma \Rightarrow \Delta, \mathit{Bet}\,B$; $\bigvee\Lambda_1^{\Box\bigcirc}, \Gamma \Rightarrow \Delta, \mathit{Bet}\,B, \bigwedge\Theta_2^{\Box\bigcirc}$; $\bigvee\Lambda_2^{\Box\bigcirc}, \Gamma \Rightarrow \Delta, \mathit{Bet}\,B, \bigwedge\Theta_1^{\Box\bigcirc}$ and $\Gamma \Rightarrow \Delta, \mathit{Bet}\,B, \bigwedge\Theta_1^{\Box\bigcirc}, \bigwedge\Theta_2^{\Box\bigcirc}$. In general, by suitably replacing all the occurrences of the cut formulas in D<sub>1</sub> we obtain 2<sup>*k*</sup> derivations of Υ, Γ ⇒ Δ, B*etB*, Ξ, for any multisets Υ and Ξ such that *C*<sub>j</sub> ∈ Υ if and only if $C_j = \bigvee\Lambda_j^{\Box\bigcirc}$, *C*<sub>j</sub> ∈ Ξ if and only if $C_j = \bigwedge\Theta_j^{\Box\bigcirc}$ for some *j*, |Υ ∪ Ξ| = *k*, and distinct elements *C*<sub>j</sub>, *C*<sub>l</sub> ∈ Υ ∪ Ξ have *j* ≠ *l*. The correctness of the resulting derivations follows again by Lemma 3. The desired sequent Γ, Π ⇒ Δ, B*etB*, Σ is obtained by using the derived rule Cut<sup>∗</sup> (Lemma 4 below) also with the *k* derivations of $\Theta_j^{\Box\bigcirc}, \Pi \Rightarrow \Lambda_j^{\Box\bigcirc}, \Sigma$ obtained by the induction hypothesis. It remains to show that all cut-formulas of the newly introduced cuts are generalized subformulas, i.e. that *E* ∈ SUB(Γ, Δ) for every $E \in \Theta_j^{\Box\bigcirc} \cup \Lambda_j^{\Box\bigcirc}$, and hence that the newly introduced cuts are semi-analytic (by Lemma 4).

Indeed, by assumption every formula in D<sub>1</sub> is in SUB(Γ, Δ, *X*). Therefore the only case to be excluded is that *E* is ✷*A*. Assume by contradiction that this is the case. The formula ✷*A* cannot change side of the sequent, and is not in SUB(Γ, Δ) by hypothesis. As there is no cut on ✷*A* in D<sub>1</sub> (all these cuts having been replaced by contractions), the only remaining possibility is that ✷*A* has been removed by a cut on a formula containing ✷*A* as a subformula, but this cannot be the case by hypothesis.

The lemma below shows that cuts on conjunctions and disjunctions of generalized subformulas can be simulated by semi-analytic cuts.

**Lemma 4.** *Let* Θ = *A*<sub>1</sub>, …, *A*<sub>n</sub> *and* Λ = *B*<sub>1</sub>, …, *B*<sub>n</sub> *be conjunctions and disjunctions of formulas in* SUB(Γ, Π, Δ, Σ)*. The rule below, with* Λ<sub>j</sub> ⊆ Λ*,* Θ<sub>j</sub> ⊆ Θ*,* |Λ<sub>j</sub> ∪ Θ<sub>j</sub>| = *n:*

$$
\frac{\{\Lambda_j, \Pi \Rightarrow \Sigma, \Theta_j \mid \text{for all } C_l, C_t \in \Lambda_j \cup \Theta_j\ (l \neq t)\} \qquad \{A_i, \Gamma \Rightarrow \Delta, B_i\}_{i=1,\dots,n}}{\Pi, \Gamma \Rightarrow \Delta, \Sigma}\ \text{Cut}^*
$$

*is admissible in* **SFcm** *without using non semi-analytic cuts.*

*Proof.* We first show that the rule Cut<sup>∗</sup> is admissible using arbitrary cuts on the formulas *Ai, Bi*s and the contraction rules. The proof is by induction on *n*.

– If *n* = 1, then the proof follows by applying the cut rule twice:

$$
\dfrac{\dfrac{\dfrac{\Pi \Rightarrow \Sigma, A_1 \qquad A_1, \Gamma \Rightarrow \Delta, B_1}{\Pi, \Gamma \Rightarrow \Delta, \Sigma, B_1}\ \text{Cut} \qquad B_1, \Pi \Rightarrow \Sigma}{\Pi, \Pi, \Gamma \Rightarrow \Delta, \Sigma, \Sigma}\ \text{Cut}}{\Pi, \Gamma \Rightarrow \Delta, \Sigma}\ LC, RC
$$

– Let *n* = *k* + 1 and assume that the claim holds for *k*. We have Θ = *A*<sub>1</sub>, …, *A*<sub>k</sub>, *A*<sub>k+1</sub>, Λ = *B*<sub>1</sub>, …, *B*<sub>k</sub>, *B*<sub>k+1</sub>, and the 2<sup>*k*+1</sup> left premises of the rule can be rewritten as:

$$
\{\Lambda_j, \Pi \Rightarrow \Sigma, \Theta_j, A_{k+1} \mid \text{for all } C_l, C_t \in \Lambda_j \cup \Theta_j\ (l \neq t)\}\ \cup\ \{B_{k+1}, \Lambda_j, \Pi \Rightarrow \Sigma, \Theta_j \mid \text{for all } C_l, C_t \in \Lambda_j \cup \Theta_j\ (l \neq t)\}
$$

with Θ<sub>j</sub> ⊆ {*A*<sub>1</sub>, …, *A*<sub>k</sub>} and Λ<sub>j</sub> ⊆ {*B*<sub>1</sub>, …, *B*<sub>k</sub>}. Hence we proceed as follows:

$$
\frac{\{\Lambda_j, \Pi \Rightarrow \Sigma, \Theta_j, A_{k+1} \mid \text{for all } C_l, C_t \in \Lambda_j \cup \Theta_j\ (l \neq t)\} \qquad \{A_i, \Gamma \Rightarrow \Delta, B_i\}_{i=1,\dots,k}}{\Pi, \Gamma \Rightarrow \Delta, \Sigma, A_{k+1}}\ \text{Cut}^*
$$

where the application of Cut<sup>∗</sup> is admissible by the induction hypothesis. Analogously, we construct a derivation of *B*<sub>k+1</sub>, Π, Γ ⇒ Δ, Σ:

$$
\frac{\{B_{k+1}, \Lambda_j, \Pi \Rightarrow \Sigma, \Theta_j \mid \text{for all } C_l, C_t \in \Lambda_j \cup \Theta_j\ (l \neq t)\} \qquad \{A_i, \Gamma \Rightarrow \Delta, B_i\}_{i=1,\dots,k}}{B_{k+1}, \Pi, \Gamma \Rightarrow \Delta, \Sigma}\ \text{Cut}^*
$$

again applying the induction hypothesis.

The conclusion now follows from two applications of the cut rule with the remaining right premise *A*<sub>k+1</sub>, Γ ⇒ Δ, *B*<sub>k+1</sub> (first on *A*<sub>k+1</sub>, then on *B*<sub>k+1</sub>), followed by contraction.

The claim of the lemma is now obtained observing that cuts on *A*<sub>i</sub> and *B*<sub>i</sub> can be transformed into semi-analytic cuts by exploiting the invertibility of the derived rules for ∧ and ∨, because by hypothesis *A*<sub>i</sub>, *B*<sub>i</sub> are conjunctions and disjunctions of formulas in SUB(Γ, Π, Δ, Σ).

**Theorem 5.** *Any* **SFcm** *proof with cuts can be transformed into a proof of the same sequent that only uses semi-analytic cuts.*

*Proof.* Let D be an **SFcm** proof with *σ*(D) > 0. We proceed by a double induction on (*σ*(D), *nσ*(D)), where *nσ*(D) is the number of applications of cut in D with non-analytic cut rank *σ*(D). Consider an uppermost application of a non-semi-analytic cut in D with rank *σ*(D). By applying Theorem 4 to its premises either *σ*(D) or *nσ*(D) decreases.

*Remark 1.* The above result can be adapted to define sequent calculi with restricted cuts for the sequent calculus version of the calculi for **E** and **F** in [8,9]. These calculi would be obtained by replacing in **SFcm** the rules for B*et* and ○(*B/A*) with the corresponding sequent rules for **E** and **F**.

# **4 A Hypersequent Calculus for F + (CM) and G**

The calculus **SFcm** uses semi-analytic cuts, and is not easily extendable to capture **G**<sup>5</sup>. Additionally, it would be challenging, if possible at all, to adapt it into a proof-search-oriented calculus for **F** + (**CM**). Inspired by the transition in [4,19,23] from the sequent calculus with analytic cuts [25] for the logic **S5** to a cut-free hypersequent calculus, we shift from the sequent to the hypersequent framework. Hypersequents are arguably the easiest generalization of sequents [2–4], consisting of multisets of sequents (called *components*) working in parallel and separated by the symbol "|". We introduce a cut-free hypersequent calculus **HFcm** for **F** + (**CM**). **HFcm** incorporates the sequent calculus for the logic **S4** as a sub-calculus and adds an additional layer of information by considering a single sequent to live in the context of hypersequents. Axioms and rules (including cut) of **HFcm** are obtained by adding to each sequent in **SFcm** a context *G* or *H*, standing for a (possibly empty) hypersequent, and simplifying the right rules for ✷, B*et* and ○, as follows (with explicit weakening rules):

$$\frac{G \mid \Gamma^{\Box\bigcirc} \Rightarrow A}{G \mid \Gamma^{\Box\bigcirc} \Rightarrow \Box A}\ \mathrm{R}\Box \qquad \frac{G \mid \Gamma^{\Box\bigcirc}, \Gamma^{b} \Rightarrow A}{G \mid \Gamma^{\Box\bigcirc}, \Gamma^{b} \Rightarrow \mathcal{B}et\,A}\ \mathrm{R}\mathcal{B}et \qquad \frac{G \mid \Gamma^{\Box\bigcirc}, A, \mathcal{B}et\,\neg(A \wedge \mathcal{B}et(A \to B)) \Rightarrow}{G \mid \Gamma^{\Box\bigcirc} \Rightarrow \bigcirc(B/A)}\ \mathrm{R}\bigcirc$$

To manipulate the additional structure w.r.t. sequents, any hypersequent calculus contains *external structural rules* that operate on whole sequents. Standard rules are ext. weakening (ew) and ext. contraction (ec) (see below), which behave like weakening and contraction over whole sequents. The hypersequent structure opens the possibility to define new rules that allow the "exchange of information" between different components. These rules increase the expressive power of hypersequent calculi compared to sequent calculi, enabling the definition of cut-free calculi for logics that escape a cut-free sequent formulation; in the case of **S5** this is done using the rule (*s*5') below (the ○ in the context is added to deal with **F** + (**CM**)):

$$\frac{G}{G \mid \Gamma \Rightarrow \Pi'}\ (ew) \qquad \frac{G \mid \Gamma \Rightarrow \Pi \mid \Gamma \Rightarrow \Pi}{G \mid \Gamma \Rightarrow \Pi}\ (ec) \qquad \frac{G \mid \Gamma^{\Box\bigcirc}, \Gamma' \Rightarrow \Pi'}{G \mid \Gamma \Rightarrow\ \mid\ \Gamma' \Rightarrow \Pi'}\ (s5')$$

<sup>5</sup> The totality condition is treated in the same way as for Gödel logic [4] and S4.3 [16].

Hence the crucial difference w.r.t. the calculus **SFcm** is that, thanks to the structural rules (*ec*) and (*s*5'), we can now restrict to single-succedent modal right rules without impairing cut-free completeness.

*Remark 2.* A cut-free hypersequent calculus for **F** was introduced in [9] by adding one rule to the calculus for **E** [8]. While **F** + (**CM**) extends **F** (and **E**), our calculus is not a modular extension of these two. Indeed **HFcm** stems from an *alternative semantics* definition. Note that the premise *A,* B*et*¬*A* ⇒ *B* of the right rule for ○ in these calculi would be trivially derivable in **HFcm**.

Given a hypersequent $\Gamma_1 \Rightarrow \Delta_1 \mid \dots \mid \Gamma_n \Rightarrow \Delta_n$, its interpretation *ι* is defined as:

$$(\Gamma_1 \Rightarrow \Delta_1 \mid \dots \mid \Gamma_n \Rightarrow \Delta_n)^{\iota} := (\Box\textstyle\bigwedge\Gamma_1 \to \bigvee\Delta_1) \vee \dots \vee (\Box\bigwedge\Gamma_n \to \bigvee\Delta_n)$$

**Theorem 6. HFcm** *is sound and complete with cuts w.r.t.* **F** + (**CM**)*.*

*Proof.* The soundness proof follows the pattern detailed for **SFcm**. Completeness is ensured by the derivation of (CM).

A calculus for **G** is obtained in a modular way by adding an external structural rule to the calculus **HFcm** for **F** + (**CM**). The additional rule is a slightly modified version of the well-known communication rule, introduced by Avron [3] for capturing Gödel logic, and used in [16] for the modal logic **S4.3**:

$$\frac{G \mid \Pi^{\Box\bigcirc}, \Pi^{b}, \Gamma \Rightarrow \Delta \qquad \cdots}{G \mid \Gamma \Rightarrow \Delta \mid \Pi \Rightarrow \Sigma}\ com$$

**Theorem 7. HG** *is sound and complete in presence of cuts w.r.t.* **G***.*

*Proof. Soundness:* By induction on the height of the derivation. We only consider the case of the rule *com*. If the conclusion is not valid, then there are worlds *x* and *y* where *x* (*y*) forces every formula in *Γ* (*Π*) and *x* (*y*) falsifies every formula in *Δ* (*Σ*). By totality *x* ≤ *y* or *y* ≤ *x*. If *x* ≤ *y*, then *y* forces all the □, ○ and B*et* formulas in *Γ* and thus, by the validity of the premise $G \mid \Gamma^{\Box\bigcirc}, \Gamma^{b}, \Pi \Rightarrow \Sigma$, we get an immediate contradiction. The other case is symmetrical.

*Completeness in Presence of Cuts:* follows by the derivability of axiom (RM) (the topmost sequent is derivable).

One premise of the rule *com* is omitted for space reasons; it is the symmetric one, with the roles of *Γ* ⇒ *Δ* and *Π* ⇒ *Σ* exchanged, as used in the soundness proof above.

# **5 Cut-Elimination for HFcm and HG**

We prove that the calculus **HG** (and hence **HFcm**) admits cut-elimination. The strategy is the same as for the hypersequent calculus for **E** in [8].

*Proof idea*: As for the cut-reduction proof of **SFcm**, cuts on a formula of the form ¬*A* or *A* → *B* are reduced using invertibility. In contrast with **SFcm**, we can shift cuts with cut-formulas of the form ✷*A*, B*et A* and ○(*B/A*) upwards until the cut formula is principal, following a specific order: first over the premise containing the cut formula on the right-hand side (Lemma 6), which is possible thanks to the change made w.r.t. **SFcm** to the right rules of B*et*, □ and ○; afterwards over the other premise (Lemma 7). Note that when a rule introducing the cut formula on the right-hand side is reached, the context has a shape that matches the other premise of the cut and allows us to permute the cut upwards, similarly to case (**A**) of Theorem 4. When the cut formula becomes principal also on the left-hand side, the cut can be replaced by cuts on smaller formulas.

Henceforth we use the same inductive measure of the *degree* of formulas as in Sect. 3, while the rank of a derivation D is now *ρ*(D) (Definition 5). The following lemmas refer to derivations in **HG** (and hence in **HFcm**).

The invertibility of the hypersequent version of the rules for → and ¬ (Lemma 1) also holds in **HG** and is rank-preserving.

**Lemma 5.** *Given derivations* D<sub>1</sub> *of G* | *Γ* ⇒ *Δ, X and* D<sub>2</sub> *of H* | *X, Π* ⇒ *Σ, with X principal in a logical, modal or deontic rule in both premises and ρ*(D<sub>i</sub>) ≤ dg(*X*)*, there is a derivation* D *of G* | *H* | *Γ, Π* ⇒ *Δ, Σ with ρ*(D) ≤ dg(*X*)*.*

*Proof.* As in Lemma 2 (the hypersequent structure plays no role).

The following lemmas are formulated in order to prove the admissibility of cuts on multiple occurrences of formulas taking into account the presence of explicit rules for contraction, both internal and external.

**Lemma 6 (Right shift).** *Given* D<sub>1</sub> *of* $H \mid \Pi_1 \Rightarrow \Sigma_1, X^{n_1} \mid \dots \mid \Pi_m \Rightarrow \Sigma_m, X^{n_m}$ *in* **HG** (**HFcm**) *and* D<sub>2</sub> *of* $G \mid X, \Gamma \Rightarrow \Delta$ *with ρ*(D<sub>1</sub>)*, ρ*(D<sub>2</sub>) ≤ dg(*X*)*, there is a derivation* D*, with ρ*(D) ≤ dg(*X*)*, of*

$$G \mid H \mid \Gamma^{n_1}, \Pi_1 \Rightarrow \Sigma_1, \Delta^{n_1} \mid \dots \mid \Gamma^{n_m}, \Pi_m \Rightarrow \Sigma_m, \Delta^{n_m}$$

*Proof.* By induction on the height of D<sub>1</sub>. If it is an initial sequent or the last applied rule acts on sequents in *H*, the proof is trivial. If the cut formula is principal in a logical (modal, deontic) rule, then we use Lemma 7. Assume that the cut formula is not principal. If the rule is R○, RB*et* or R□, then the claim follows by internal and external weakening (because such rules permit a single formula in the RHS). Otherwise, the cut is permuted upwards and removed by the induction hypothesis (note that the RHS of the rules (*s*5') and (*com*), if present, remains unchanged in the premises, along with the associated context on the LHS).

Once we have reached the right rule introducing the cut formula B*etA*, ○(*A/B*), or □*A*, we can shift the cut upwards over the other premise of the cut, as shown in the next lemma.

**Lemma 7 (Left shift).** *Given* D<sub>2</sub> *of* $G \mid X^{n_1}, \Gamma_1 \Rightarrow \Delta_1 \mid \dots \mid X^{n_m}, \Gamma_m \Rightarrow \Delta_m$ *and* D<sub>1</sub> *of* $H \mid \Pi \Rightarrow \Sigma, X$ *where X is principal in the last rule applied in* D<sub>1</sub>*, with ρ*(D<sub>1</sub>)*, ρ*(D<sub>2</sub>) ≤ dg(*X*)*, there is a derivation* D *with ρ*(D) ≤ dg(*X*) *of*

$$G \mid H \mid \Pi^{n_1}, \Gamma_1 \Rightarrow \Delta_1, \Sigma^{n_1} \mid \dots \mid \Pi^{n_m}, \Gamma_m \Rightarrow \Delta_m, \Sigma^{n_m}$$

*Proof.* By induction on the height of the derivation D<sub>2</sub>. The proof is similar to case **(A)** in Theorem 4. The hypersequent structure does not alter the proof; the only additional cases to consider are those involving hypersequent structural rules. See, e.g., [8] for (*s*5'). We consider the case of (*com*), where the cut formula moves from one component to another. W.l.o.g. we show a case in which we have two components in D<sub>2</sub>, as in:

$$\frac{\dfrac{G \mid \Pi^{\Box\bigcirc}, \Pi^{b} \Rightarrow B}{G \mid \Pi \Rightarrow \Sigma, \mathcal{B}et\,B}\ \mathrm{R}\mathcal{B}et \qquad \dfrac{G \mid \Gamma_1, \mathcal{B}et\,B^{n_2}, \Gamma_2^{b} \Rightarrow \Delta_1 \qquad G \mid \mathcal{B}et\,B^{n_2}, \Gamma_2, \Gamma_1^{b} \Rightarrow \Delta_2}{G \mid \Gamma_1 \Rightarrow \Delta_1 \mid \mathcal{B}et\,B^{n_2}, \Gamma_2 \Rightarrow \Delta_2}\ com}{G \mid \Gamma_1 \Rightarrow \Delta_1 \mid \Pi^{n_2}, \Gamma_2 \Rightarrow \Delta_2, \Sigma^{n_2}}\ \mathrm{Cut}$$

assuming that one of the active components does not contain the cut formula (the other case is analogous). We construct the following derivation:

First, the two cuts on the premises of (*com*), each followed by left contraction (LC):

$$\frac{\dfrac{G \mid \Pi^{\Box\bigcirc}, \Pi^{b} \Rightarrow B}{G \mid \Pi^{\Box\bigcirc}, \Pi^{b} \Rightarrow \mathcal{B}et\,B}\ \mathrm{R}\mathcal{B}et \qquad G \mid \Gamma_1, \mathcal{B}et\,B^{n_2}, \Gamma_2^{b} \Rightarrow \Delta_1}{\dfrac{G \mid \Gamma_1, (\Pi^{\Box\bigcirc}, \Pi^{b})^{n_2}, \Gamma_2^{b} \Rightarrow \Delta_1}{G \mid \Gamma_1, \Pi^{\Box\bigcirc}, \Pi^{b}, \Gamma_2^{b} \Rightarrow \Delta_1}\ \mathrm{LC}}\ \mathrm{Cut}$$

$$\frac{\dfrac{G \mid \Pi^{\Box\bigcirc}, \Pi^{b} \Rightarrow B}{G \mid \Pi^{\Box\bigcirc}, \Pi^{b} \Rightarrow \mathcal{B}et\,B}\ \mathrm{R}\mathcal{B}et \qquad G \mid \mathcal{B}et\,B^{n_2}, \Gamma_2, \Gamma_1^{b} \Rightarrow \Delta_2}{\dfrac{G \mid (\Pi^{\Box\bigcirc}, \Pi^{b})^{n_2}, \Gamma_2, \Gamma_1^{b} \Rightarrow \Delta_2}{G \mid \Pi^{\Box\bigcirc}, \Pi^{b}, \Gamma_2, \Gamma_1^{b} \Rightarrow \Delta_2}\ \mathrm{LC}}\ \mathrm{Cut}$$

Then the two results are combined (read top-down; each line is obtained from the one(s) above it by the rule named beside it):

$$\begin{array}{l@{\quad}l}
G \mid \Gamma_1, \Pi^{\Box\bigcirc}, \Pi^{b}, \Gamma_2^{b} \Rightarrow \Delta_1 \qquad G \mid \Pi^{\Box\bigcirc}, \Pi^{b}, \Gamma_2, \Gamma_1^{b} \Rightarrow \Delta_2 & \\ \hline
G \mid \Pi^{\Box\bigcirc}, \Gamma_1 \Rightarrow \Delta_1 \mid \Pi^{\Box\bigcirc}, \Pi^{b}, \Gamma_2 \Rightarrow \Delta_2 & com \\ \hline
G \mid \Pi^{\Box\bigcirc}, \Gamma_1 \Rightarrow \Delta_1 \mid \Pi^{n_2}, \Gamma_2 \Rightarrow \Delta_2, \Sigma^{n_2} & \mathrm{LW,RW} \\ \hline
G \mid \Pi^{\Box\bigcirc} \Rightarrow\ \mid\ \Gamma_1 \Rightarrow \Delta_1 \mid \Pi^{n_2}, \Gamma_2 \Rightarrow \Delta_2, \Sigma^{n_2} & s5' \\ \hline
G \mid \Pi^{n_2}, \Gamma_2 \Rightarrow \Delta_2, \Sigma^{n_2} \mid \Gamma_1 \Rightarrow \Delta_1 \mid \Pi^{n_2}, \Gamma_2 \Rightarrow \Delta_2, \Sigma^{n_2} & \mathrm{LW,RW} \\ \hline
G \mid \Gamma_1 \Rightarrow \Delta_1 \mid \Pi^{n_2}, \Gamma_2 \Rightarrow \Delta_2, \Sigma^{n_2} & \mathrm{EC}
\end{array}$$

where cuts are removed by induction hypothesis on the height of the derivation.

**Theorem 8.** *Any* **HFcm** (**HG**) *proof with cuts can be transformed into a proof of the same hypersequent that does not use cuts.*

**Corollary 1. HFcm** *and* **HG** *are cut-free complete w.r.t.* **F** + (**CM**) *and* **G***.*

# **6 Proof Search Oriented Calculi for F + (CM) and G**

We transform the hypersequent calculi **HFcm** and **HG** into proof-search oriented calculi. The resulting systems feature reversible rules, with structural rules absorbed into logical ones, allowing for the construction of countermodels. This process follows the pattern established, e.g., for system **E** in [8].

**Definition 6.** *The* **HFcm***ps calculus consists of the initial hypersequents of the shape G* | *Γ, p* ⇒ *Δ, p, the (usual) rules for the propositional connectives that repeat the introduced formulas in the premises, together with:*

*– the rules for* ○(*B/A*):

$$\frac{G \mid \Gamma \Rightarrow \Delta, \bigcirc(B/A) \mid A, \mathcal{B}et\,\neg(A \wedge \mathcal{B}et(A \to B)) \Rightarrow}{G \mid \Gamma \Rightarrow \Delta, \bigcirc(B/A)}\ \mathrm{R}\bigcirc$$

$$\frac{G \mid \bigcirc(B/A), \Gamma \Rightarrow \Delta, A \qquad G \mid \bigcirc(B/A), \Gamma \Rightarrow \Delta, \mathcal{B}et\,\neg(A \wedge \mathcal{B}et(A \to B))}{G \mid \bigcirc(B/A), \Gamma \Rightarrow \Delta}\ \mathrm{L}\bigcirc_1$$

$$\frac{G \mid \bigcirc(B/A), \Gamma \Rightarrow \Delta \mid \Pi \Rightarrow \Sigma, A \qquad G \mid \bigcirc(B/A), \Gamma \Rightarrow \Delta \mid \Pi \Rightarrow \Sigma, \mathcal{B}et\,\neg(A \wedge \mathcal{B}et(A \to B))}{G \mid \bigcirc(B/A), \Gamma \Rightarrow \Delta \mid \Pi \Rightarrow \Sigma}\ \mathrm{L}\bigcirc_2$$

*– the rules for* B*et*:

$$\frac{G \mid \Gamma \Rightarrow \Delta, \mathcal{B}et\,A \mid \Gamma^{b} \Rightarrow A}{G \mid \Gamma \Rightarrow \Delta, \mathcal{B}et\,A}\ \mathrm{R}\mathcal{B}et \qquad \frac{G \mid A, \mathcal{B}et\,A, \Gamma \Rightarrow \Delta}{G \mid \mathcal{B}et\,A, \Gamma \Rightarrow \Delta}\ \mathrm{L}\mathcal{B}et$$

*– the rules for* □:

$$\frac{G \mid \Gamma \Rightarrow \Box A, \Delta \mid\ \Rightarrow A}{G \mid \Gamma \Rightarrow \Box A, \Delta}\ \mathrm{R}\Box \qquad \frac{G \mid A, \Box A, \Gamma \Rightarrow \Delta}{G \mid \Box A, \Gamma \Rightarrow \Delta}\ \mathrm{L}\Box_1 \qquad \frac{G \mid \Box A, \Gamma \Rightarrow \Delta \mid A, \Pi \Rightarrow \Sigma}{G \mid \Box A, \Gamma \Rightarrow \Delta \mid \Pi \Rightarrow \Sigma}\ \mathrm{L}\Box_2$$

*The proof search oriented calculus* **HG***ps for* **G** *extends* **HFcm***ps with the rule:*

$$\frac{G \mid \Gamma_1, \Gamma_2^{b} \Rightarrow \Delta_1 \mid \Gamma_2 \Rightarrow \Delta_2 \qquad G \mid \Gamma_1 \Rightarrow \Delta_1 \mid \Gamma_2, \Gamma_1^{b} \Rightarrow \Delta_2}{G \mid \Gamma_1 \Rightarrow \Delta_1 \mid \Gamma_2 \Rightarrow \Delta_2}\ com$$

Notice the peculiar shape of the rules L○<sub>2</sub> and L□<sub>2</sub>, designed to absorb the hypersequent structural rule (*s*5'). The rule *com* acts only on B*et* formulas: □ and ○ are governed by rules which, read bottom-up, introduce formulas in every component.

**Lemma 8.** *The rules of (internal and external) weakening and contraction are height-preserving admissible in* **HFcm***ps. Every rule of the calculus is height-preserving invertible in* **HFcm***ps.*

*Proof.* The height-preserving admissibility of internal and external weakening follows from a straightforward induction on the height of the derivation. Invertibility follows from weakening. The contraction rules are admissible due to the repetition of every formula and component in each premise.

**Theorem 9 (Soundness of HFcm***ps* (**HG***ps*)**).** *If a hypersequent G is derivable in* **HFcm***ps* (**HG***ps*)*, then it is also derivable in* **HFcm** (**HG**)*.*

*Proof.* Follows from the structural rules of **HFcm**.

#### **6.1 Decidability and Countermodel Construction**

We define a proof search procedure which terminates for every sequent. If the proof search fails, we show how to extract a countermodel out of it.

**Definition 7.** *A hypersequent H is saturated w.r.t. the system* **HFcm***ps if it is not an initial sequent and for every component Γ* ⇒ *Δ in H, whenever Γ* ⇒ *Δ contains the principal formulas in the conclusion of a rule (r), then H also contains the formulas introduced by one of the premisses of (r) for every rule (r). For example, in the case of* B*et, we have:*

*– (L*B*et). If Γ,* B*etA* ⇒ *Δ* ∈ *H, then A* ∈ *Γ.*

*– (R*B*et). If Γ* ⇒ *Δ,* B*etA* ∈ *H, then Π, Γ<sup>b</sup>* ⇒ *Σ, A* ∈ *H for some Π, Σ.*

*The saturation condition w.r.t.* **HG***ps is defined by adding the condition:*

*– (com). If Γ* ⇒ *Δ* ∈ *H and Π* ⇒ *Σ* ∈ *H, then either Π<sup>b</sup>* ⊆ *Γ or Γ<sup>b</sup>* ⊆ *Π.*

**Theorem 10.** *Given* ⇒ *A there is a derivation or a saturated hypersequent.*

*Proof.* We start by showing that the number of hypersequent components can be bounded in any derivation D of ⇒ *A*. Indeed, the rules which introduce new components are R□, R○ and RB*et*. Consider first R□: we show that this rule is applied exactly once to each formula (say *B*) occurring in the consequent of a component, and creates only one new component, no matter whether *B* appears in the consequent of many components. To illustrate the situation, consider, e.g.,

$$\begin{array}{l@{\quad}l}
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid \Theta \Rightarrow B, \Lambda \mid \dots \mid \Pi, \Gamma_j \Rightarrow \Delta_j, \Sigma, \Box B \mid\ \Rightarrow B & \\ \hline
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid \Theta \Rightarrow B, \Lambda \mid \dots \mid \Pi, \Gamma_j \Rightarrow \Delta_j, \Sigma, \Box B & \mathrm{R}\Box \\
\vdots & \mathcal{D} \\
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid\ \Rightarrow B \mid \dots \mid \Gamma_j \Rightarrow \Delta_j, \Box B & \\ \hline
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid \dots \mid \Gamma_j \Rightarrow \Delta_j, \Box B & \mathrm{R}\Box
\end{array}$$

which is transformed (❀) into

$$\begin{array}{l@{\quad}l}
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid \Theta \Rightarrow B, \Lambda \mid \dots \mid \Pi, \Gamma_j \Rightarrow \Delta_j, \Sigma, \Box B \mid\ \Rightarrow B & \\ \hline
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid \Theta \Rightarrow B, \Lambda \mid \dots \mid \Pi, \Gamma_j \Rightarrow \Delta_j, \Sigma, \Box B \mid \Theta \Rightarrow B, \Lambda & \mathrm{LW,RW} \\ \hline
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid \Theta \Rightarrow B, \Lambda \mid \dots \mid \Pi, \Gamma_j \Rightarrow \Delta_j, \Sigma, \Box B & \mathrm{EC} \\
\vdots & \mathcal{D} \\
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid\ \Rightarrow B \mid \dots \mid \Gamma_j \Rightarrow \Delta_j, \Box B & \\ \hline
H \mid \Gamma_i \Rightarrow \Delta_i, \Box B \mid \dots \mid \Gamma_j \Rightarrow \Delta_j, \Box B & \mathrm{R}\Box
\end{array}$$

(read top-down, each line being obtained from the one above it by the rule named beside it; the component *Θ* ⇒ *B, Λ* descends from the component ⇒ *B* created by the lower application of R□).

Hence the number of components created by R□ is bounded by the number of boxed subformulas of *A*, whence it is O(n). The situation for R○ is similar.

RB*et* requires more care, as B*et* is an **S4** modality. In this case, having bounded the number of applications of R□ and R○, we assume that if there is an infinite bottom-up introduction of components, these are introduced by the rule RB*et*. Hence, since the number of possible sequents is finite (in particular $2^{|2^{|\mathrm{SUB}(A)|}|}$), there has to be a repetition. In this case, we have met the saturation condition for the rule RB*et*. Thus the number of components is finite. Since we can rule out rule applications for which the saturation condition has already been met (due to the admissibility of contraction), every rule introduces bottom-up a new component or new formulas in the components; hence the length of every branch of a putative derivation of *A* is bounded and the derivation is finite.

The next theorem ensures the completeness of our calculi and shows how to extract countermodels out of a failed proof search.

**Theorem 11.** *If A is valid in* **F** + (**CM**) *(***G***), then it is derivable in* **HFcm***ps (***HG***ps).*

*Proof.* By contraposition. If *A* is not derivable, by Theorem 10 there is a saturated hypersequent $\Gamma_1 \Rightarrow \Delta_1 \mid \dots \mid \Gamma_n \Rightarrow \Delta_n$. We assign labels to the components, $i : \Gamma_i \Rightarrow \Delta_i$ ($i \in \{1, \dots, n\}$), and consider the model $\mathcal{M} = \langle \{1, \dots, n\}, \le, v \rangle$ with $i \le j$ if and only if $\Gamma_i^{b} \subseteq \Gamma_j$, and $i \in v(p)$ if and only if $p \in \Gamma_i$.

We have to check that the model is reflexive and transitive in the case of **HFcm***ps* and total in the case of **HG***ps*. The relation ≤ is reflexive and transitive, because set inclusion is reflexive and transitive. As regards totality, we observe that the saturation condition for (*com*) ensures that for every *i* and *j*, $\Gamma_i^{b} \subseteq \Gamma_j$ or $\Gamma_j^{b} \subseteq \Gamma_i$, which gives by definition $i \le j$ or $j \le i$.

We now show that for every *i* in the model $\mathcal{M}$ we have $i \Vdash B$ if $B \in \Gamma_i$ and $i \nVdash B$ if $B \in \Delta_i$. We argue by induction on the degree of the formulas.


hypothesis we have $j \Vdash C$, hence the desired conclusion. If B*etC* ∈ *Δ<sub>i</sub>*, then by definition of saturation there is $\Gamma_j \Rightarrow \Delta_j, C$ with $\Gamma_i^{b} \subseteq \Gamma_j$, so $i \le j$, and by induction hypothesis $j \nVdash C$, so the desired conclusion follows.
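The countermodel construction of Theorem 11 carried out in code, as an added example that is not part of the paper: components are given as sets of formula strings, the order and valuation are built exactly as in the proof, and the order properties (preorder, and totality under the (*com*) saturation condition) are checked. The forcing clause for B*et* used to check the atomic and B*et*-atomic cases is the usual S4 one over ≤ and is an assumption of this example, as are all function names and the two constructed hypersequents.

```python
"""Countermodel extraction from a saturated hypersequent (Theorem 11).

Added example, not code from the paper. A component Γ_i ⇒ Δ_i is a pair of
sets of formula strings; a Bet-formula is written 'Bet p'. The order i ≤ j is
Γ_i^b ⊆ Γ_j and v(p) = {i : p ∈ Γ_i}, as in the proof. The S4 forcing clause
for Bet (Bet C holds at i iff C holds at every j with i ≤ j) is an assumption
of this example: the page states the resulting conditions, not the clause.
"""
from itertools import product
from typing import Dict, List, Set, Tuple

Component = Tuple[Set[str], Set[str]]      # (Γ_i, Δ_i)


def bet_part(gamma: Set[str]) -> Set[str]:
    """Γ^b: the Bet-formulas of Γ."""
    return {f for f in gamma if f.startswith("Bet ")}


def build_model(hyper: List[Component]):
    """Worlds 1..n, i ≤ j iff Γ_i^b ⊆ Γ_j, and i ∈ v(p) iff p ∈ Γ_i."""
    worlds = list(range(1, len(hyper) + 1))
    leq = {(i, j) for i, j in product(worlds, repeat=2)
           if bet_part(hyper[i - 1][0]) <= hyper[j - 1][0]}
    atoms = {f for g, d in hyper for f in g | d if not f.startswith("Bet ")}
    v: Dict[str, Set[int]] = {p: {i for i in worlds if p in hyper[i - 1][0]}
                              for p in atoms}
    return worlds, leq, v


def is_preorder(worlds, leq) -> bool:
    reflexive = all((i, i) in leq for i in worlds)
    transitive = all((i, k) in leq
                     for (i, j) in leq for (j2, k) in leq if j == j2)
    return reflexive and transitive


def is_total(worlds, leq) -> bool:
    return all((i, j) in leq or (j, i) in leq
               for i, j in product(worlds, repeat=2))


def com_saturated(hyper: List[Component]) -> bool:
    """Saturation for (com): Π^b ⊆ Γ or Γ^b ⊆ Π for every pair of components."""
    return all(bet_part(p) <= g or bet_part(g) <= p
               for (g, _), (p, _) in product(hyper, repeat=2))


def forces(i: int, formula: str, worlds, leq, v) -> bool:
    """i ⊩ formula, for atoms and (nested) Bet-formulas over atoms."""
    if formula.startswith("Bet "):
        inner = formula[4:]
        return all(forces(j, inner, worlds, leq, v)
                   for j in worlds if (i, j) in leq)
    return i in v.get(formula, set())


def countermodel_ok(hyper: List[Component]) -> bool:
    """The claim of Theorem 11: Γ_i formulas forced at i, Δ_i formulas refuted."""
    worlds, leq, v = build_model(hyper)
    forced = all(forces(i, f, worlds, leq, v)
                 for i in worlds for f in hyper[i - 1][0])
    refuted = all(not forces(i, f, worlds, leq, v)
                  for i in worlds for f in hyper[i - 1][1])
    return forced and refuted


# Constructed saturated hypersequent for the non-valid formula p → Bet p:
# component 1 is p ⇒ Bet p, and (RBet) saturation adds the component ⇒ p.
EXAMPLE_SATURATED: List[Component] = [({"p"}, {"Bet p"}), (set(), {"p"})]

# Constructed hypersequent whose components do not satisfy the (com) condition,
# so the extracted order is a preorder but not total.
EXAMPLE_NOT_TOTAL: List[Component] = [({"Bet p", "p"}, {"Bet q"}),
                                      ({"Bet q", "q"}, {"Bet p"})]
```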

*Remark 3.* The above countermodel construction can be adapted<sup>6</sup> to define a proof-search-oriented calculus for Gödel-Dummett logic [10].

**Concluding Remark:** we demonstrated that for **F** + (**CM**) (and Åqvist systems **E** and **F**), while it is possible to define sequent calculi that use semi-analytic cuts, the hypersequent framework provides a modular and cut-free approach, capturing **F** + (**CM**) and **G** and supporting countermodel construction.

**Acknowledgements.** Work supported by the FWF project I 6372-N.

<sup>6</sup> Using the multiple-conclusion version of the calculus in [3] (whose rule *com* moves any multiset of formulas), in which the rules for → are replaced by:

$$\frac{G \mid \Gamma \Rightarrow \Delta, A \to B \mid \Gamma, A \Rightarrow B}{G \mid \Gamma \Rightarrow \Delta, A \to B}\ \mathrm{R}{\to} \qquad \frac{G \mid A \to B, \Gamma \Rightarrow \Delta, A \qquad G \mid B, A \to B, \Gamma \Rightarrow \Delta}{G \mid A \to B, \Gamma \Rightarrow \Delta}\ \mathrm{L}{\to}$$

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Uniform Substitution for Differential Refinement Logic**

Enguerrand Prebet and André Platzer

Karlsruhe Institute of Technology, Karlsruhe, Germany {enguerrand.prebet,platzer}@kit.edu

**Abstract.** This paper introduces a uniform substitution calculus for differential refinement logic dRL. The logic dRL extends the differential dynamic logic dL such that one can simultaneously reason about properties of and relations between hybrid systems. Refinements are useful e.g. for simplifying proofs by relating a concrete hybrid system to an abstract one from which the property can be proved more easily. Uniform substitution is the key to parsimonious prover microkernels. It enables the verbatim use of single axiom formulas instead of axiom schemata with soundness-critical side conditions scattered across the proof calculus. The uniform substitution rule can then be used to instantiate all axioms soundly. Access to differential variables in dRL enables more control over the notion of refinement, which is shown to be decidable on a fragment of hybrid programs.

**Keywords:** Uniform substitution · Differential dynamic logic · Refinement · Hybrid systems

# **1 Introduction**

Hybrid systems modeled by joint discrete dynamics and continuous dynamics are important and subtle systems in need of sound proofs [26] on account of their important applications [15,16,20,22,32]. Since such systems are important to get right, hybrid systems verification techniques themselves should be sound. Uniform substitution [24,25,27,28], originally phrased by Church for first-order logic [10, §35,40], has been identified as the key technique reducing the soundness-critical core to a prover microkernel and is behind the KeYmaera X prover [14].

This paper designs a corresponding uniform substitution proof calculus for differential refinement logic (dRL) [19]. The logic dRL is unique in its capabilities of proving simultaneous hybrid systems properties and hybrid systems refinement relations. This ability of dRL has been shown to be beneficial for establishing refinement relations of system implementations to verification abstractions and for relating time-triggered implementation models to event-triggered verification models [18]. The latter relation overcomes a stark divide in embedded system design principles while combining ease of verification with ease of implementation in ways that neither design paradigm alone supports. But such proving power only helps practical system verification if the theoretical proof calculi are implemented in a sound way and, in fact, dRL has not yet been implemented at all. Such an implementation is significantly simplified and significantly easier to get sound by identifying a uniform substitution calculus, which has no axiom schemata with their usual side conditions (and the algorithms implementing them) but merely a finite list of concrete dRL formulas as axioms. Reasoning directly with these concrete formulas also makes the proofs easier as the conditions are checked only when uniform substitution is used. This means that a direct consequence of the axioms could have more admissible substitution instances than the axioms themselves, whereas with schemata, the side conditions would pile up and not generalize as well. Other beneficial side effects include the fact that dRL now acquires a Hilbert-style proof calculus that is significantly more flexible and also more modular than dRL's previous sequent calculus.

Funding has been provided by an Alexander von Humboldt Professorship and the pilot program Core Informatics (KiKIT) of the Helmholtz Association (HGF).

© The Author(s) 2024

C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 196–215, 2024. https://doi.org/10.1007/978-3-031-63501-4_11

Challenges include the fact that uniform substitution calculi for hybrid systems give a differential-form semantics to differentials and differential symbols [25], which is critical to obtain logic-based decision procedures for differential equation invariants [30], but also renders some sequent calculus proof rules of dRL unsound due to the resulting finer-grained view on differential equations. The flip side is that this finer view distinguishes widely different classes of differential equations better, thereby making it easier to tell apart different differential equations that merely coincide on the overall reachable set while having different temporal behavior. This difference is exploited here to obtain a decidability result for refinement for a fragment of hybrid systems. Other challenges to overcome are the unexpected definition of free variables of refinements, which are required for soundness. The core of the resulting calculus has been implemented in KeYmaera X<sup>1</sup>, extending the prover microkernel in 4 h of work with about 300 lines of code, mostly spent on writing down all the new axioms.

## **2 Related Work**

Hybrid programs in dRL form a Kleene algebra with tests [17]. Program equivalence for Kleene algebra with tests is known to be decidable for abstract atomic programs. Refinement α ≤ β can be recovered and defined as α ∪ β = β, but that duplicates reasoning about β. Certain classes of hypotheses can be added to the theory, e.g. Hoare-like triples ?p; α; ?¬q = ?*false*, without breaking decidability [11]. This however does not extend when limited commutativity is allowed, which arises even in the discrete fragment: (x := 2; y := 3) = (y := 3; x := 2) but (x := 2; x := 3) ≠ (x := 3; x := 2). KAT with only discrete assignments has been studied as Schematic KAT [4]. dRL can derive the axioms of Schematic KAT, but also allows reasoning with continuous dynamics and differential equations.

<sup>1</sup> https://github.com/LS-Lab/KeYmaeraX-release/tree/dRL.

The Event-B method [1] is a formalism for reasoning about discrete models where the primary mechanism is refinement to check the conformance between abstract models and more detailed ones. Multiple different formalisms have been proposed. Hybrid Event-B [2,5,6] is an extension with tool support [8] for hybrid systems with events corresponding to discrete and continuous evolutions. These continuous steps are however abstracted by the invariants they are assumed to satisfy. Event-B can also be extended with theories [9]. By adding some axioms about differential equations, it allows refinement reasoning with some continuous dynamics [3,12]. In contrast, dRL captures the continuous dynamics directly and proves the invariants as a consequence of the continuous dynamics.

Uniform substitution was proposed by Alonzo Church for first-order logic to capture axioms instead of axiom schemata [10, §35,40]. Modern uniform substitution originated for dL to support hybrid systems theorem proving in simple ways [25], and was extended to hybrid games in differential game logic dGL [27] and to communicating parallel programs dLCHP [7]. This work complements that approach by adding refinement reasoning in a uniform substitution calculus for hybrid systems. Developing uniform substitution calculi is key to the design of small soundness-critical prover microkernels such as KeYmaera X [14].

# **3 Differential Refinement Logic dRL**

Differential refinement logic dRL [19] extends the differential dynamic logic dL for hybrid systems [23] with a first-class refinement operator ≤ on hybrid systems. This section presents *differential-form* dRL, which prepares dRL for the features needed for dL's uniform substitution axiomatization, most notably the inclusion of differential terms alongside function symbols, predicate symbols, and program constant symbols, but also the requisite inclusion of differential variable symbols. Differential terms (θ)′ are the fundamental logical device with which to enable sound [25] and complete [29,30] reasoning about differential equations.

#### **3.1 Syntax**

This section defines the syntax of the differential refinement logic dRL. The set of all variables is V. To each variable x ∈ V is associated a *differential symbol* x′, which is also in V. Its purpose is to use x′ to refer to the time-derivative of variable x during a differential equation, but also to cleverly relay that information to surrounding formulas in a sound way [25]. It is this (crucial) presence of differential symbols that gives differential-form dRL a refined notion of refinement, especially of differential equations, compared to its sequent calculus predecessor [19].

**Definition 1 (Terms).** Terms *are defined by the grammar below where* x ∈ V *is a variable,* f *is a function symbol of arity* n *and* θ, η, θ1,...,θ<sup>n</sup> *are terms:*

$$\theta, \eta ::= x \mid f(\theta\_1, \dots, \theta\_n) \mid \theta + \eta \mid \theta \cdot \eta \mid (\theta)'$$

Terms have the usual arithmetic operations and function symbols. They also have differentials of terms $(\theta)'$, which describe how the value of $\theta$ changes locally depending on the values of the differential symbols associated to the variables of $\theta$.

**Definition 2 (Formulas).** Formulas *are defined by the grammar below where* $\theta, \eta, \theta_1, \dots, \theta_n$ *are terms,* $p$ *is a predicate symbol of arity* $n$*,* $\phi, \psi$ *are formulas and* $\alpha, \beta$ *are hybrid programs (Definition 3):*

$$\phi, \psi ::= \theta \le \eta \mid p(\theta_1, \dots, \theta_n) \mid \neg \phi \mid \phi \land \psi \mid \forall x\, \phi \mid [\alpha] \phi \mid \alpha \le \beta$$

In addition to the operators of first-order logic of real arithmetic, formulas also contain the dL modality [α]φ which expresses that the formula φ holds after all possible runs of the hybrid program α. dRL extends dL with the refinement operator α ≤ β which expresses that α refines β as β has more behaviors than α: it is true in a state ν if all states reachable by hybrid program α from ν can be reached by hybrid program β. The program equivalence α = β is shorthand for α ≤ β ∧ β ≤ α. This will be made explicit by axiom (=) in Sect. 5.

Note the fundamental difference between the dRL modal formula $[\alpha]\phi$, which expresses that all runs of hybrid program $\alpha$ satisfy dRL formula $\phi$, and the dRL refinement formula $\alpha \le \beta$, which expresses that all runs of hybrid program $\alpha$ are also runs of hybrid program $\beta$. Both dRL formulas refer to the runs of a hybrid program $\alpha$, but only the former states a property of the (final) states reached, while only the latter relates the overall transition behavior of hybrid program $\alpha$ to that of another program. Just like $[\alpha]\phi$, the formula $\alpha \le \beta$ is a dRL formula and not just a judgment, so it can be true in some states and false in others. This makes it possible to easily express conditional refinement as $\phi \to \alpha \le \beta$, meaning that if $\phi$ is true initially, then $\alpha$ refines $\beta$. The logic dRL is closed under all operators. For example the dRL formula $[\alpha]\, \beta \le \gamma$ expresses that after all runs of $\alpha$ it is the case that all runs of $\beta$ are also runs of $\gamma$. Just like in an ordinary implication, $\phi \to \alpha \le \beta$ says nothing about what happens when the initial state does not satisfy $\phi$. Just like ordinary dynamic logic modalities, $[\alpha]\, \beta \le \gamma$ says nothing about what happens before program $\alpha$ ran. Indeed, these extended capabilities, which stem from dRL being closed under all operators, add to its expressiveness and to the eloquence of its uniform substitution proof calculus.

**Definition 3 (Hybrid Programs).** Hybrid programs *are defined by the grammar below where* $x$ *is a variable,* $\theta$ *is a term,* $a$ *is a program constant,* $\psi$ *is a differential-free formula and* $\alpha, \beta$ *are hybrid programs:*

$$\alpha, \beta ::= a \mid {?\psi} \mid x := \theta \mid x := * \mid x' = \theta \,\&\, \psi \mid \alpha \cup \beta \mid \alpha; \beta \mid \alpha^*$$

The *test* $?\psi$ behaves like a skip if the formula $\psi$ is true in the current state and blocks the system otherwise. The *assignment* $x := \theta$ instantaneously updates the value of the variable $x$ to the value of the term $\theta$. The *nondeterministic assignment* $x := *$ updates the value of the variable $x$ to an arbitrary value. The *differential equation* $x' = \theta \,\&\, \psi$ behaves like a continuous evolution where both the differential equation $x' = \theta$ and the evolution domain $\psi$ hold. The *nondeterministic choice* $\alpha \cup \beta$ can behave like either $\alpha$ or $\beta$. The *sequence* $\alpha; \beta$ behaves like $\alpha$ followed by $\beta$. The *nondeterministic repetition* $\alpha^*$ behaves like $\alpha$ repeated an arbitrary natural number of times.

*Example 1 (Modelling safe braking).* Let us consider a car that needs to stop before a wall at distance $m$. It starts from a safe position and can accelerate with acceleration $A$ if some safety condition $\mathit{safe}_T(x)$ is true, or brake with braking force $B$. The controller runs at least once every $T$ seconds (the time between two controller runs is at most $T$). Proving its safety can be achieved by proving the following dRL formula:

$$A \ge 0 \land B > 0 \land x + v^2/(2B) \le m \to [\mathit{car}_T]\, x \le m$$

$$\mathit{car}_T ::= (a := -B \cup {?\mathit{safe}_T(x)};\ a := A);\ t_0 := t;\ x' = v, v' = a, t' = 1 \,\&\, t - t_0 \le T$$

Such a system, called *time-triggered*, can be refined to an *event-triggered* system, where the controller is sure to run before a critical event, leaving the domain $E(x)$, occurs. Event-triggered systems are easier to verify but less realistic. With dRL and the axiom ([≤]) below, the time-triggered system can be proved safe by proving the safety of the event-triggered system and the refinement between the two systems:

$$A \ge 0 \land B > 0 \land x + v^2/(2B) \le m \to \mathit{car}_T \le \mathit{car}_E \land [\mathit{car}_E]\, x \le m$$

$$\mathit{car}_E ::= (a := -B \cup {?\mathit{safe}_E(x)};\ a := A);\ t_0 := t;\ x' = v, v' = a, t' = 1 \,\&\, E(x)$$

#### **3.2 Semantics**

A state $\nu$ is a mapping $\mathcal{V} \to \mathbb{R}$. The state $\nu_x^r$ agrees with the state $\nu$ except for the variable $x$, whose value is $r \in \mathbb{R}$. State $\omega$ is a $U$*-variation* of $\nu$ if $\omega$ and $\nu$ are equal on the complement $U^\complement$ of the set of variables $U$. For instance, $\nu_x^r$ is an $\{x\}$-variation of $\nu$. The set of all states is $\mathcal{S}$. The interpretation of a function symbol $f$ of arity $n$ in *interpretation* $I$ is a smooth function $I(f) : \mathbb{R}^n \to \mathbb{R}$.

**Definition 4 (Term semantics).** *The* semantics of a term $\theta$ *in interpretation* $I$ *and state* $\nu$ *is its value* $I\nu\llbracket\theta\rrbracket \in \mathbb{R}$ *and is defined as follows:*

1. $I\nu\llbracket x \rrbracket = \nu(x)$
2. $I\nu\llbracket f(\theta_1, \dots, \theta_n) \rrbracket = I(f)(I\nu\llbracket\theta_1\rrbracket, \dots, I\nu\llbracket\theta_n\rrbracket)$
3. $I\nu\llbracket \theta + \eta \rrbracket = I\nu\llbracket\theta\rrbracket + I\nu\llbracket\eta\rrbracket$
4. $I\nu\llbracket \theta \cdot \eta \rrbracket = I\nu\llbracket\theta\rrbracket \cdot I\nu\llbracket\eta\rrbracket$
5. $I\nu\llbracket (\theta)' \rrbracket = \sum_{x \in \mathcal{V}} \nu(x') \dfrac{\partial I\llbracket\theta\rrbracket}{\partial x}(\nu)$

The partial derivative $\frac{\partial I\llbracket\theta\rrbracket}{\partial x}(\nu)$ is the derivative of the one-dimensional function $X \mapsto I\nu_x^X\llbracket\theta\rrbracket$ at $X = \nu(x)$. Since $I\llbracket\theta\rrbracket$ denotes a smooth function, this derivative always exists.

Since hybrid programs appear in formulas and vice versa, the interpretation of hybrid programs and formulas is defined by simultaneous induction. The interpretation of a predicate symbol $p$ of arity $n$ in interpretation $I$ is an $n$-ary relation $I(p) \subseteq \mathbb{R}^n$. The interpretation of a program constant symbol $a$ in interpretation $I$ is a state-transition relation $I(a) \subseteq \mathcal{S} \times \mathcal{S}$, where $(\nu, \omega) \in I(a)$ iff the program constant $a$ can reach the state $\omega$ starting from the state $\nu$.

**Definition 5 (dRL semantics).** *The* semantics of a formula $\phi$ *for an interpretation* $I$ *is the subset* $I\llbracket\phi\rrbracket \subseteq \mathcal{S}$ *of states in which* $\phi$ *is true and defined as:*

1. $\nu \in I\llbracket\theta \le \eta\rrbracket$ *iff* $I\nu\llbracket\theta\rrbracket \le I\nu\llbracket\eta\rrbracket$
2. $\nu \in I\llbracket p(\theta_1,\dots,\theta_n)\rrbracket$ *iff* $(I\nu\llbracket\theta_1\rrbracket,\dots,I\nu\llbracket\theta_n\rrbracket) \in I(p)$
3. $\nu \in I\llbracket\neg\phi\rrbracket$ *iff* $\nu \notin I\llbracket\phi\rrbracket$
4. $\nu \in I\llbracket\phi \land \psi\rrbracket$ *iff* $\nu \in I\llbracket\phi\rrbracket$ *and* $\nu \in I\llbracket\psi\rrbracket$
5. $\nu \in I\llbracket\forall x\, \phi\rrbracket$ *iff* $\nu_x^r \in I\llbracket\phi\rrbracket$ *for all* $r \in \mathbb{R}$
6. $\nu \in I\llbracket[\alpha]\phi\rrbracket$ *iff* $\omega \in I\llbracket\phi\rrbracket$ *for all* $(\nu,\omega) \in I\llbracket\alpha\rrbracket$
7. $\nu \in I\llbracket\alpha \le \beta\rrbracket$ *iff* $(\nu,\omega) \in I\llbracket\beta\rrbracket$ *for all* $(\nu,\omega) \in I\llbracket\alpha\rrbracket$

A formula φ is *valid in* I if Iφ = S. A formula φ is *valid* if it is valid in all interpretations.

**Definition 6 (Transition semantics of programs).** *The* semantics of a hybrid program $\alpha$ *for an interpretation* $I$ *is the transition relation* $I\llbracket\alpha\rrbracket \subseteq \mathcal{S} \times \mathcal{S}$ *and is defined as follows:*

1. $I\llbracket a \rrbracket = I(a)$


Most importantly, α ≤ β is true in a state ν iff all states ω reachable from ν by running program α are also reachable by running β from ν.

The transition for a differential equation $x' = \theta \,\&\, \psi$ synchronizes the differential symbol $x'$ with the current time-derivative of $x$, i.e. $\theta$, and then evolves the system continuously along the solution $\varphi$ of the differential equation $x' = \theta$ within the domain $\psi$. Differential equations are the only hybrid programs that intrinsically relate variables with their associated differential symbols.

As differential equations effectively *change* the value of differential symbols, this is taken into account in the semantics of refinements. The differential equations $x' = 1$ and $x' = 2$ are *not* equivalent: although both can reach the same values for $x$, their respective end states always differ in the value of $x'$. This behavior differs from the original semantics of dRL [19]. Intuitively, this notion of refinement corresponds to assuming that differential equations evolve with a global time $t' = 1$. Other extensions of dL like dLCHP [7] already assume the presence of such a global time. This property allows refinements of differential equations to be expressed as dL formulas, as shown in the axiom (ODE) below.

#### **3.3 Static Semantics**

Uniform substitution relies on the notions of free and bound variables to prevent any unsound substitution attempts. Static semantics gives a definition for free and bound variables of terms, formulas and hybrid programs based on their (dynamic) semantics, which can be defined as in dL [25]:

**Definition 7 (Static semantics).** *The* static semantics *defines the free variables* $\mathsf{FV}(\theta)$*,* $\mathsf{FV}(\phi)$ *and* $\mathsf{FV}(\alpha)$*, which are the variables whose values the expression depends on, and the bound variables* $\mathsf{BV}(\alpha)$*, which are the variables whose values may change during the execution of* $\alpha$*. They are defined formally as follows:*

$$\begin{aligned}
\mathsf{FV}(\theta) &= \{x \in \mathcal{V} : \exists I, \nu, \tilde\nu \text{ an } \{x\}\text{-variation of } \nu \text{ such that } I\nu\llbracket\theta\rrbracket \ne I\tilde\nu\llbracket\theta\rrbracket\} \\
\mathsf{FV}(\phi) &= \{x \in \mathcal{V} : \exists I, \nu, \tilde\nu \text{ an } \{x\}\text{-variation of } \nu \text{ such that } \nu \in I\llbracket\phi\rrbracket \not\ni \tilde\nu\} \\
\mathsf{FV}(\alpha) &= \{x \in \mathcal{V} : \exists I, \nu, \omega, \tilde\nu \text{ an } \{x\}\text{-variation of } \nu \text{ such that } (\nu,\omega) \in I\llbracket\alpha\rrbracket \text{ and } \forall \tilde\omega\ \{x\}\text{-variation of } \omega: (\tilde\nu,\tilde\omega) \notin I\llbracket\alpha\rrbracket\} \\
\mathsf{BV}(\alpha) &= \{x \in \mathcal{V} : \exists I, \nu, \omega \text{ such that } (\nu,\omega) \in I\llbracket\alpha\rrbracket \text{ and } \nu(x) \ne \omega(x)\}
\end{aligned}$$

Free and bound variables are the only information needed about the logic to ensure that the result of uniform substitution is only defined when sound. The coincidence lemmas [25] show that the truth-values of formulas only depend on their free variables and the interpretation of the symbols appearing in them (similarly for terms and hybrid programs). The set of function, predicate, and program symbols appearing in a formula, term or hybrid program is denoted $\Sigma(\cdot)$.

**Lemma 1 (Coincidence for terms** [25]**).** *The set* $\mathsf{FV}(\theta)$ *is the smallest set with the coincidence property for* $\theta$*: If* $\nu = \tilde\nu$ *on* $V \supseteq \mathsf{FV}(\theta)$ *and* $I = J$ *on* $\Sigma(\theta)$*, then* $I\nu\llbracket\theta\rrbracket = J\tilde\nu\llbracket\theta\rrbracket$*.*

**Lemma 2 (Coincidence for formulas** [25]**).** *The set* $\mathsf{FV}(\phi)$ *is the smallest set with the coincidence property for* $\phi$*: If* $\nu = \tilde\nu$ *on* $V \supseteq \mathsf{FV}(\phi)$ *and* $I = J$ *on* $\Sigma(\phi)$*, then* $\nu \in I\llbracket\phi\rrbracket$ *iff* $\tilde\nu \in J\llbracket\phi\rrbracket$*.*

**Lemma 3 (Coincidence for hybrid programs** [25]**).** *The set* $\mathsf{FV}(\alpha)$ *is the smallest set with the coincidence property for* $\alpha$*: If* $\nu = \tilde\nu$ *on* $V \supseteq \mathsf{FV}(\alpha)$ *and* $I = J$ *on* $\Sigma(\alpha)$*, then* $(\nu,\omega) \in I\llbracket\alpha\rrbracket$ *implies* $(\tilde\nu,\tilde\omega) \in J\llbracket\alpha\rrbracket$ *for some* $\tilde\omega$ *with* $\omega = \tilde\omega$ *on* $V$*.*

The proof [25] requires a mutual induction on the structure of the formula and hybrid program to show that Iφ = Jφ and Iα = Jα which extends to the refinement case. The rest is done by induction on the set of variables S where the states ν and ˜ν can differ.

**Lemma 4 (Bound effect** [25]**).** *The set* $\mathsf{BV}(\alpha)$ *is the smallest set with the bound effect property for* $\alpha$*: If* $(\nu,\omega) \in I\llbracket\alpha\rrbracket$*, then* $\nu = \omega$ *on* $\mathsf{BV}(\alpha)^\complement$*.*

These sets are the smallest sets with the coincidence property, which means that any conservative extension of them can also be used soundly. We therefore define syntactic overapproximations $\mathrm{FV}(\theta)$, $\mathrm{FV}(\phi)$, $\mathrm{FV}(\alpha)$ and $\mathrm{BV}(\alpha)$ of the semantic sets $\mathsf{FV}(\cdot)$ and $\mathsf{BV}(\cdot)$ of Definition 7; the syntactic sets can be computed by structural recursion. Computing the free variables of a formula $[\alpha]\phi$ requires the *must-bound variables* of the hybrid program $\alpha$, written $\mathrm{MBV}(\alpha)$: the variables that are written in all executions of $\alpha$. These sets are given in [31] and are constructed in the standard way [25], except for the new refinement operator.

Since the behavior of hybrid programs $\alpha$ and $\beta$ only depends on their respective free variables (Lemma 3), it would be tempting to define $\mathrm{FV}(\alpha \le \beta) = \mathrm{FV}(\alpha) \cup \mathrm{FV}(\beta)$, stating that the refinement depends on the variables on which either program depends. Somewhat surprisingly, this would be unsound for reasons that truly touch on the nature of refinement. Take the refinement formula $?\mathit{true} \le x := 1$ and a state $\nu$ with $\nu(x) = 0$. Then $\nu \notin I\llbracket ?\mathit{true} \le x := 1 \rrbracket$. However, if the initial value of $x$ is 1, then the refinement holds: $\nu_x^1 \in I\llbracket ?\mathit{true} \le x := 1 \rrbracket$, because the assignment $x := 1$ has no effect. In fact $\mathsf{FV}(?\mathit{true} \le x := 1) = \{x\}$ even though $\mathsf{FV}(?\mathit{true}) = \mathsf{FV}(x := 1) = \emptyset$. To obtain a sound definition of $\mathrm{FV}(\alpha \le \beta)$, one needs to take into account the variables that may be written in one program, $\mathrm{BV}(\alpha) \cup \mathrm{BV}(\beta)$, but that can also remain unmodified (which makes them depend on their initial values), i.e. those not in $\mathrm{MBV}(\alpha) \cap \mathrm{MBV}(\beta)$. Hence, the (syntactic) free variables of a refinement are defined as follows:

$$\mathrm{FV}(\alpha \le \beta) = \mathrm{FV}(\alpha) \cup \mathrm{FV}(\beta) \cup \big((\mathrm{BV}(\alpha) \cup \mathrm{BV}(\beta)) \setminus (\mathrm{MBV}(\alpha) \cap \mathrm{MBV}(\beta))\big)$$

With this definition for refinements as the only but notable outlier to an otherwise standard definition of the syntactic computations for a static semantics [25], the syntactic sets $\mathrm{FV}(\phi)$ etc. can be proved to be sound overapproximations of the semantic sets $\mathsf{FV}(\phi)$ etc. from Definition 7, and thereby enjoy the coincidence Lemmas 1–3 and the bound effect Lemma 4, respectively.
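The refinement semantics of Definition 5 and the free-variable computation above can be exercised on the discrete fragment of hybrid programs (tests, assignments, nondeterministic assignment, choice, sequence and loops). The Python model below is an added example, not code from the paper or from KeYmaera X; the tuple encoding of terms, formulas and programs and all function names are invented here, and nondeterministic assignment ranges over a small constructed sample domain rather than over all reals. It evaluates $\alpha \le \beta$ at a state by comparing reachable state sets, reproduces the $?\mathit{true} \le x := 1$ example (true only when $x$ is already 1, while the naive free-variable union is empty), and also shows why the axiom (∪$_r$) of Sect. 5 is an implication rather than an equivalence.

```python
"""Discrete fragment of dRL: reachability semantics, refinement checks and the
syntactic FV/BV/MBV computation (added example; encoding and names invented here)."""

# term    ::= ('var', x) | ('num', c) | ('add', t, u) | ('mul', t, u)
# formula ::= ('true',) | ('le', t, u) | ('not', f) | ('and', f, g)
# program ::= ('test', f) | ('assign', x, t) | ('rand', x)
#           | ('choice', a, b) | ('seq', a, b) | ('star', a)

SAMPLE = (0.0, 1.0, 2.0)  # assumed finite domain for x := * (the paper ranges over R)
MAX_ITER = 50             # guard for the loop fixpoint on this finite state space

def term_val(t, nu):
    k = t[0]
    if k == 'var': return nu[t[1]]
    if k == 'num': return t[1]
    if k == 'add': return term_val(t[1], nu) + term_val(t[2], nu)
    if k == 'mul': return term_val(t[1], nu) * term_val(t[2], nu)
    raise ValueError(k)

def holds(f, nu):
    k = f[0]
    if k == 'true': return True
    if k == 'le': return term_val(f[1], nu) <= term_val(f[2], nu)
    if k == 'not': return not holds(f[1], nu)
    if k == 'and': return holds(f[1], nu) and holds(f[2], nu)
    raise ValueError(k)

def freeze(nu):  # hashable snapshot of a state (dict from variable names to values)
    return tuple(sorted(nu.items()))

def reach(alpha, nu):
    """Set of frozen end states omega with (nu, omega) in I[[alpha]]."""
    k = alpha[0]
    if k == 'test': return {freeze(nu)} if holds(alpha[1], nu) else set()
    if k == 'assign': return {freeze({**nu, alpha[1]: term_val(alpha[2], nu)})}
    if k == 'rand': return {freeze({**nu, alpha[1]: r}) for r in SAMPLE}
    if k == 'choice': return reach(alpha[1], nu) | reach(alpha[2], nu)
    if k == 'seq': return {w for m in reach(alpha[1], nu) for w in reach(alpha[2], dict(m))}
    if k == 'star':  # least fixpoint: zero or more iterations of the body
        seen = frontier = {freeze(nu)}
        for _ in range(MAX_ITER):
            frontier = {w for m in frontier for w in reach(alpha[1], dict(m))} - seen
            if not frontier: return seen
            seen = seen | frontier
        raise RuntimeError('loop did not saturate within MAX_ITER iterations')
    raise ValueError(k)

def refines(alpha, beta, nu):
    """nu in I[[alpha <= beta]] iff every alpha-run from nu is also a beta-run."""
    return reach(alpha, nu) <= reach(beta, nu)

def fv_term(t):
    if t[0] == 'var': return {t[1]}
    if t[0] == 'num': return set()
    return fv_term(t[1]) | fv_term(t[2])

def fv_fml(f):
    if f[0] == 'true': return set()
    if f[0] == 'le': return fv_term(f[1]) | fv_term(f[2])
    if f[0] == 'not': return fv_fml(f[1])
    return fv_fml(f[1]) | fv_fml(f[2])

def static(alpha):
    """(FV, BV, MBV) of a program, computed syntactically as in dL."""
    k = alpha[0]
    if k == 'test': return fv_fml(alpha[1]), set(), set()
    if k == 'assign': return fv_term(alpha[2]), {alpha[1]}, {alpha[1]}
    if k == 'rand': return set(), {alpha[1]}, {alpha[1]}
    fa, ba, ma = static(alpha[1])
    if k == 'star': return fa, ba, set()  # body may run zero times: nothing must-bound
    fb, bb, mb = static(alpha[2])
    if k == 'choice': return fa | fb, ba | bb, ma & mb
    if k == 'seq': return fa | (fb - ma), ba | bb, ma | mb  # must-bound by alpha[1] is not free
    raise ValueError(k)

def fv_refinement(alpha, beta):
    """FV(alpha <= beta) as defined in the text, not the naive union FV(alpha) | FV(beta)."""
    fa, ba, ma = static(alpha)
    fb, bb, mb = static(beta)
    return fa | fb | ((ba | bb) - (ma & mb))

# constructed programs for the examples in the text
TRUE_TEST = ('test', ('true',))
SET_X_1 = ('assign', 'x', ('num', 1.0))
SET_X_2 = ('assign', 'x', ('num', 2.0))
RAND_X = ('rand', 'x')

if __name__ == '__main__':
    # ?true <= x := 1 holds only when x is already 1, although neither side reads x
    print(refines(TRUE_TEST, SET_X_1, {'x': 0.0}), refines(TRUE_TEST, SET_X_1, {'x': 1.0}))
    print(fv_refinement(TRUE_TEST, SET_X_1), static(TRUE_TEST)[0] | static(SET_X_1)[0])
```

Running the module prints `False True` and then `{'x'} set()`: the refinement depends on $x$ even though the naive union of the free variables of both sides is empty, which is exactly the overapproximation the corrected definition restores. With $a = (x := 1 \cup x := 2)$, `refines(a, ('choice', SET_X_1, SET_X_2), ...)` holds while neither `refines(a, SET_X_1, ...)` nor `refines(a, SET_X_2, ...)` does, the counterexample to reading (∪$_r$) as an equivalence.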

**Lemma 5 (Soundness of static semantics).** *For all terms* $\theta$*, formulas* $\phi$ *and hybrid programs* $\alpha$*:*

$$\mathrm{FV}(\theta) \supseteq \mathsf{FV}(\theta) \qquad \mathrm{FV}(\phi) \supseteq \mathsf{FV}(\phi) \qquad \mathrm{FV}(\alpha) \supseteq \mathsf{FV}(\alpha) \qquad \mathrm{BV}(\alpha) \supseteq \mathsf{BV}(\alpha)$$

The proof of $\mathrm{FV}(\cdot) \supseteq \mathsf{FV}(\cdot)$ for formulas and hybrid programs is the only case affected by the addition of refinement operators compared to prior proofs [25, Lem. 17]. It is proved by induction on the structure of the formulas and hybrid programs. For hybrid programs, the property shown for $\mathrm{FV}(\alpha)$ is stronger than the coincidence property from Lemma 3, enforcing $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\alpha)$ rather than on $V$.

For the case of the refinement operator $\alpha \le \beta$, the main insight is visible when proving that $\tilde\nu \in J\llbracket\alpha \le \beta\rrbracket$ implies $\nu \in I\llbracket\alpha \le \beta\rrbracket$ with $\nu = \tilde\nu$ on $V$ and $I = J$ on $\Sigma(\alpha \le \beta)$. For any $(\nu,\omega) \in I\llbracket\alpha\rrbracket$, we have $(\tilde\nu,\tilde\omega) \in J\llbracket\alpha\rrbracket$, $(\tilde\nu,\tilde\omega) \in J\llbracket\beta\rrbracket$ and $(\nu,\mu) \in I\llbracket\beta\rrbracket$ for some states $\tilde\omega, \mu$, by repeated use of the induction hypothesis and the definition of refinement. Both the induction hypothesis and Lemma 4 give us information on $\tilde\omega$ and $\mu$. As $V \supseteq \mathrm{FV}(\alpha \le \beta)$, the definition of $\mathrm{FV}(\alpha \le \beta)$ is crucial for ensuring that this knowledge is enough to fully determine $\tilde\omega$ and $\mu$ from $\nu$, $\omega$ and $\tilde\nu$, and then that $\omega = \mu$.

### **4 Uniform Substitution**

A *uniform substitution* $\sigma$ is a mapping from terms of the form $f(\cdot)$ to terms $\sigma(f(\cdot))$, from formulas of the form $p(\cdot)$ to formulas $\sigma(p(\cdot))$, and from program constants $a$ to hybrid programs $\sigma(a)$. The reserved 0-ary function symbol $\cdot$ marks the position where the argument, e.g. $\theta$ in $p(\theta)$, will be substituted in the resulting expression. Soundness of such substitutions requires that the substitution does not introduce new free variables in a context where they are bound [10].

**Fig. 1.** Recursive application of uniform substitution with input taboos $U \subseteq \mathcal{V}$

Figure 1 defines the result $\sigma^U\phi$ of applying a uniform substitution $\sigma$ with taboo set $U \subseteq \mathcal{V}$ to a formula $\phi$ (or term $\theta$, or hybrid program $\alpha$, respectively) [28]. For hybrid programs $\alpha$, the substitution result $\sigma^U_V\alpha$ for input taboo $U \subseteq \mathcal{V}$ also outputs a taboo set $V \subseteq \mathcal{V}$, written in subscript notation, that will be tabooed after program $\alpha$. Taboos $U, V$ are sets of variables that cannot be substituted in free during the application of the substitution, because they have been bound within the context and, thus, potentially changed their meaning compared to the original substitution $\sigma$. The difference is that the input $U$ is already taboo when the substitution $\sigma$ is applied to $\alpha$, while $V$ is the new output taboo after $\alpha$. Finally, $\sigma(\phi)$ is short for $\sigma^\emptyset\phi$, started without initial taboos. The key advantage of working with uniform substitution applications with taboo passing is that they enable an efficient one-pass substitution [28], compared to the classical Church-style uniform substitution application mechanism that checks admissibility at every binding operator along the way [25]. One-pass uniform substitution postpones admissibility checks until the actual substitutions of function and predicate symbols, according to the explicit taboos carried around.

Despite the surprising definition of the free variables of a refinement, defining uniform substitution for the refinement case is standard: the input taboo $U$ is given to both programs, and their output taboos $V, W$ are discarded:

$$\sigma^U(\alpha \le \beta) = \sigma^U_V\alpha \le \sigma^U_W\beta$$

The reason is two-fold:


This last statement is a consequence of BV(σα) ⊆ BV(α) and MBV(σα) ⊇ MBV(α), which is proved by a direct induction.

#### **4.1 Uniform Substitutions and Adjoint Interpretations**

The proof of the soundness of uniform substitution follows the same structure as the proof of the uniform substitution lemma for dGL [28], but adapted to hybrid programs instead of hybrid games and generalized to the presence of refinements. The output taboo $V$ of a uniform substitution $\sigma^U_V\alpha$ includes the original taboo set $U$ and all variables bound in the program $\alpha$.

**Lemma 6 (Taboo set computation** [28]**).** *If* $\sigma^U_V\alpha$ *is defined, then* $V \supseteq U \cup \mathrm{BV}(\sigma^U_V\alpha)$*.*

Whereas uniform substitutions are syntactic transformations on expressions, their semantic counterparts are semantic transformations on interpretations. The two are related by Lemmas 7 and 8. Let $I^d_\cdot$ denote the interpretation that agrees with interpretation $I$ except for the constant function symbol $\cdot$, which is interpreted as the constant $d \in \mathbb{R}$.

**Definition 8 (Adjoint interpretation).** *For an interpretation* $I$ *and a state* $\omega$*, the* adjoint interpretation $\sigma^*_\omega I$ *modifies the interpretation of each function symbol* $f \in \sigma$*, predicate symbol* $p \in \sigma$ *and program constant* $a \in \sigma$ *as follows:*

$$\begin{aligned} \sigma^*_\omega I(f) &: \mathbb{R} \to \mathbb{R};\ d \mapsto I^d_\cdot\omega\llbracket\sigma f(\cdot)\rrbracket \\ \sigma^*_\omega I(p) &= \{d \in \mathbb{R} : \omega \in I^d_\cdot\llbracket\sigma p(\cdot)\rrbracket\} \\ \sigma^*_\omega I(a) &= I\llbracket\sigma a\rrbracket \end{aligned}$$

**Lemma 7 (Uniform substitution for terms** [28]**).** *The uniform substitution* $\sigma$ *for taboo* $U \subseteq \mathcal{V}$ *and its adjoint interpretation* $\sigma^*_\omega I$ *for* $I, \omega$ *have the same semantics on* $U$*-variations* $\nu$ *of* $\omega$ *for all terms* $\theta$*:*

$$I\nu\llbracket\sigma^U\theta\rrbracket = \sigma^*_\omega I\nu\llbracket\theta\rrbracket$$

**Lemma 8 (Uniform substitution for formulas, programs).** *Uniform substitution* $\sigma$ *for taboo* $U \subseteq \mathcal{V}$ *and its adjoint interpretation* $\sigma^*_\omega I$ *for* $I, \omega$ *have the same semantics on* $U$*-variations* $\nu$ *of* $\omega$ *for all formulas* $\phi$ *and hybrid programs* $\alpha$*:*

$$\begin{aligned}
&\text{for all } U\text{-variations } \nu \text{ of } \omega: && \nu \in I\llbracket\sigma^U\phi\rrbracket \text{ iff } \nu \in \sigma^*_\omega I\llbracket\phi\rrbracket \\
&\text{for all states } \mu \text{ and all } U\text{-variations } \nu \text{ of } \omega: && (\nu,\mu) \in I\llbracket\sigma^U_V\alpha\rrbracket \text{ iff } (\nu,\mu) \in \sigma^*_\omega I\llbracket\alpha\rrbracket
\end{aligned}$$

The proof is done by simultaneous induction on the structure of $\sigma$, $\alpha$ and $\phi$ for all $U, \nu, \omega$ and $\mu$ [31]. The use of $U$-variations is critical when the induction hypothesis needs to be used in a state other than $\nu$, e.g. for quantifiers and modalities. Without the extension to the refinement operator, this result was previously proved in a weaker form ($U = \emptyset$) for dL [25] or for more complex semantics like hybrid games [28].

#### **4.2 Soundness of Uniform Substitution**

Lemma 8 is essentially all that is required to ensure the sound application of uniform substitution. First, uniform substitution can be used to have a sound instantiation of the axioms, using the uniform substitution rule (US). A proof rule is *sound* if the validity of the premises implies the validity of the conclusion.

**Theorem 1 (Soundness of uniform substitution** [28]**).** *The proof rule* (US) *is sound.*

$$(\text{US})\frac{\phi}{\sigma(\phi)}$$

Uniform substitution can also be used on rules or whole inferences, as long as they are *locally sound*, i.e. the conclusion is valid in any interpretation where the premises are valid. Locally sound inferences are also sound.

**Theorem 2 (Soundness of uniform substitution for rules** [28]**).** *All locally sound inferences remain locally sound when substituted with a uniform substitution* $\sigma$ *with taboo set* $\mathcal{V}$*:*

$$\frac{\phi_1 \quad \dots \quad \phi_n}{\psi} \ \text{ locally sound implies } \ \frac{\sigma^{\mathcal{V}}\phi_1 \quad \dots \quad \sigma^{\mathcal{V}}\phi_n}{\sigma^{\mathcal{V}}\psi} \ \text{ locally sound.}$$

#### **5 Proof Calculus**

Most notably, uniform substitution makes it possible to use concrete dRL formulas as axioms instead of axiom schemata that accept infinitely many formulas as axioms. Axioms are finite syntactic objects, and are thus easy to implement, while axiom schemata are ultimately algorithms accepting certain formulas as input while rejecting others [25]. Figure 2 lists the axioms of dRL. dRL also satisfies the axioms of KAT [17], Schematic KAT [4] and the axioms of dL [31]. Some axioms use the reverse implication φ ← ψ instead of ψ → φ for emphasis.

In the axiom ([≤]), ¯x stands for the (finite) vector of all relevant variables (alternative treatments [25,28] of p(¯x) use quantifier symbols or additional program constants instead, but are not necessary for this paper). This characteristic axiom of dRL expresses that if formula p(¯x) holds after all runs of hybrid program b, then it also holds after any refinement a. Thus, as long as a proof of the refinement is given, it is possible to replace hybrid programs inside modalities. In general, axioms are meant to be applied to the axiom key (marked blue).

Refinement is transitive (≤$_t$), allowing the introduction of intermediate refinements $c$, similar to the role that cuts play in first-order logic.

Axioms (∪$_l$) and (∪$_r$) decompose the choice operator using logical connectives. As the choice $a \cup b$ can behave like either subprogram, whenever it refines a program $c$, both $a$ and $b$ must refine $c$. Axiom (∪$_r$) is not an equivalence though: $a \le b \lor a \le c$ says that for each initial state, one of the two refinements holds. However, when $a$ is nondeterministic, and so can have multiple end states for one initial state, some of its end states may be reachable only by $b$ and others only by $c$, so the left-hand side $a \le b \cup c$ can be true while neither disjunct is.

Axiom (;) helps prove a refinement between two sequences of programs ($a; b \le c; d$) by proving the refinement of the first programs ($a \le c$) and the refinement of the second programs, but only after all executions of $a$ ($[a]\, b \le d$). Axioms (?det) and (:=det) are particular cases of the axiom (;) where the implication can be strengthened to an equivalence. As such, the implication from right to left is not required for both axioms [31].

Axioms (loop$_l$), (loop$_r$) and (unloop) are used to prove refinements of loops. The first two state that if adding a program before or after only leads to fewer executions, then adding an unbounded number of executions, i.e. a loop, will also lead to fewer executions. The axiom (unloop) is useful for comparing two loops, as it reduces the problem to comparing the loop bodies. Both axioms (loop$_l$) and (unloop) need a box modality when proving the refinement of the loop body, as the refinement must be proved after any number of iterations of $a$.

#### **Fig. 2.** Axioms of dRL

The axiom (ODE) describes how to prove refinements between differential equations. A refinement $x' = f(x) \,\&\, p(x) \le x' = g(x) \,\&\, q(x)$ is true iff throughout the execution of the former ODE, it always satisfies the latter differential equation and evolution domain. Along with the axioms (DW=) and (DE=), these axioms subsume differential cut (DC), differential weakening (DW) and differential effect (DE) from dL [31]. The equivalence in the axiom (ODE) effectively means that refinements of differential equations can *always* be reduced to standard dL formulas, which is essential to our decidability result.

The axiom (DX) states that a differential equation always has a solution on the interval $[0, 0]$. In that case, the execution succeeds only if the domain holds, and the correct value $f(x)$ is assigned to the differential symbol $x'$. The axiom (ODEidemp) states that following the same differential equation twice in a row is equivalent to following it only once, because the concatenation of two solutions of the same differential equation is still a solution of that differential equation.

Compared to the original sequent calculus for dRL [19], the proof rule schemata matching infinitely many instances are now replaced by a *finite* number of axioms that are concrete dRL formulas rather than standing for infinitely many instances. The infinitely many possible instances can then be recovered soundly using the uniform substitution rule (US). Because of this two-step mechanism, reasoning with the axioms can be done without considering the possible instantiations. Take for instance the sound equivalence x := f; x := ∗ = x := ∗. The proof can be done by transitivity (≤t) with x := ∗; ?x = f; x := ∗ as intermediate step [31]. But the same proof cannot be done by replacing f by any term θ: the intermediate program is not always equivalent to the other two (e.g. for θ = x + 1). On the other hand, by proving the equivalence for f and then using rule (US), the equivalence can be proved for all terms θ.

The dRL axioms are also more modular than the cast-in-stone sequent calculus rules. For instance, with rule (G) and axiom (K), any implication $\phi \to \psi$, e.g. (∪$_r$), can be used to prove $[a]\phi \to [a]\psi$. This would not fit the shape of the corresponding sequent rule, which requires $\psi$ at the top level. The lack of differential symbols in the original sequent calculus [19] changes the soundness of some rules: the match direction field rule (MDF) would allow rescaling the right-hand side of a differential equation, which is unsound here as it would change the resulting differential symbols. Conversely, only the reverse implication of the axiom (ODE) would be sound in the original calculus, again for lack of differential symbols. The dRL axioms are proved sound [31]:

**Theorem 3 (Soundness of dRL axioms).** *All axioms of dRL are sound.*

# **6 Decidability of Refinement for a Fragment of dRL**

This section identifies a subset of hybrid programs for which the refinement problem is decidable. It is focused on concrete programs, i.e. programs without function symbols, predicate symbols or program constants. They have the following high-level structure: $(\mathit{ctrl}; \mathit{plant})^*$, where a discrete, loop-free program $\mathit{ctrl}$, modelling a controller, sets some parameters $\bar u$, and then a continuous program $\mathit{plant}$ describes the dynamics of the variables $\bar y$ according to the choice of the parameters $\bar u$. These steps are then repeated nondeterministically. The continuous variables $\bar y$ (and by extension $\bar y'$) are expected to be distinct from the discrete variables $\bar u$, and also contain a global clock $t$ which follows the differential equation $t' = 1$. The clock $t$ is not needed for comparing the differential equations, but to distinguish between discrete executions and hybrid executions.

For two such programs, $(\mathit{ctrl}_a; \mathit{plant}_a)^*$ and $(\mathit{ctrl}_b; \mathit{plant}_b)^*$, a canonical proof of the refinement has the following shape (omitting uses of MP for brevity):

$$\dfrac{\dfrac{\dfrac{\dfrac{\vdots}{\mathit{ctrl}_a \le \mathit{ctrl}_b}\qquad\dfrac{\vdots}{[\mathit{ctrl}_a](\mathit{plant}_a \le \mathit{plant}_b)}}{\mathit{ctrl}_a;\mathit{plant}_a \le \mathit{ctrl}_b;\mathit{plant}_b}\ (;)}{[(\mathit{ctrl}_a;\mathit{plant}_a)^*](\mathit{ctrl}_a;\mathit{plant}_a \le \mathit{ctrl}_b;\mathit{plant}_b)}\ \mathrm{G}}{(\mathit{ctrl}_a;\mathit{plant}_a)^* \le (\mathit{ctrl}_b;\mathit{plant}_b)^*}\ \mathrm{unloop}$$

This means that proving the refinement of the whole programs is reduced to proving the refinement of the controllers, $\mathit{ctrl}_a \le \mathit{ctrl}_b$, and the refinement of the plants after all $\mathit{ctrl}_a$ executions, $[\mathit{ctrl}_a](\mathit{plant}_a \le \mathit{plant}_b)$. With our restrictions on the controllers, the first refinement is always decidable.

**Lemma 9.** *For concrete, discrete and loop-free controllers* $\mathit{ctrl}_a$ *and* $\mathit{ctrl}_b$*, the validity of* $\mathit{ctrl}_a \le \mathit{ctrl}_b$ *is decidable by dRL proof.*

Given a controller ctrla, it is possible to synthesize a first-order formula φa(x, x<sup>+</sup>) that characterizes the behavior of ctrla, where x (resp. x<sup>+</sup>) corresponds to the variables after (resp. before) the controller [21]. Using the dRL axioms, ctrl<sup>a</sup> <sup>≤</sup> ctrl<sup>b</sup> is provable from <sup>φ</sup>a(x, x<sup>+</sup>) <sup>→</sup> <sup>φ</sup>b(x, x<sup>+</sup>). The validity of the latter is decidable as it is first-order real arithmetic [33]. The full proof is in [31].

The second refinement, $[\mathit{ctrl}_a](\mathit{plant}_a \le \mathit{plant}_b)$, is more complex. Let us write the two plants as $\mathit{plant}_a \equiv \bar y' = p(\bar y, \bar u) \,\&\, Q$ and $\mathit{plant}_b \equiv \bar y' = q(\bar y, \bar u) \,\&\, R$ for some polynomials $p(\bar y,\bar u)$, $q(\bar y,\bar u)$ and formulas $Q, R$. The axiom (ODE) entails that we must prove $[\mathit{ctrl}_a][\mathit{plant}_a](p(\bar y,\bar u) = q(\bar y,\bar u) \land R)$, which no longer contains any refinement. For the decidability result (Theorem 4) to hold, we require that the validity of this formula is decidable.

There are two cases which always ensure this. First, if the differential equation $\mathit{plant}_a$ admits a solution expressible in dRL (e.g. a polynomial), then using standard dL reasoning, the formula can be reduced to a first-order formula and thus its validity can be decided. The differential equation from Example 1, $x' = v, v' = a$, is such a case.

The second case is when the domain $R$ is algebraic, i.e. of the form $\bigvee_i \bigwedge_j p_{ij}(x) = 0$ for some polynomials $p_{ij}$, and $Q$, the domain of $\mathit{plant}_a$, is a semialgebraic set [30].

The remaining question is now to show that the approach presented above is complete, meaning it always succeeds when the refinement holds. The only additional constraint we require is that the controller ctrl<sup>b</sup> is idempotent.

**Definition 9. (Idempotent controller).** *A controller* ctrl *is* idempotent *if it satisfies* ctrl; ctrl = ctrl*.*

An idempotent controller cannot reach more states by executing multiple times without any continuous dynamics happening in between. Purely reactive controllers, i.e. controllers for which the parameters' values only depend on the values of the continuous variables, are always idempotent. This is the case for the controllers in Example 1: $a := -B \cup {?\mathit{safe}_T(x)};\ a := A$. On the other hand, a controller counting the number of times it has been executed would not be idempotent.

**Lemma 10.** *The following derived rule is invertible if $\mathit{ctrl}_b$ is idempotent.*

$$\frac{\mathit{ctrl}_a; \mathit{plant}_a \le \mathit{ctrl}_b; \mathit{plant}_b}{(\mathit{ctrl}_a; \mathit{plant}_a)^{*} \le (\mathit{ctrl}_b; \mathit{plant}_b)^{*}}$$

The derivation of the rule is given in the canonical proof. The converse, that the conclusion implies the premise, is more involved [31]. Proving $\mathit{ctrl}_a; \mathit{plant}_a \le (\mathit{ctrl}_b; \mathit{plant}_b)^{*}$ from $(\mathit{ctrl}_a; \mathit{plant}_a)^{*} \le (\mathit{ctrl}_b; \mathit{plant}_b)^{*}$ is done by unfolding the loop on the left. To get rid of the loop on the right, we use the fact that $\mathit{ctrl}_b$ is idempotent. It means that if the global time is not modified, then we can assume without loss of generality that the controller (and thus also the plant) is executed only once. The case when the global time is modified additionally considers the value of the derivative to ensure that there is an execution of the right program that does not require looping.

With the above lemma, we can now state the decidability result.

**Theorem 4 (Decidability of refinement for idempotent controllers).** *For concrete hybrid programs $\mathit{ctrl}_a; \mathit{plant}_a$ and $\mathit{ctrl}_b; \mathit{plant}_b$ with discrete loop-free $\mathit{ctrl}_a, \mathit{ctrl}_b$ and with $\mathit{plant}_a \equiv \bar{y}' = p(\bar{y}, \bar{u})\ \&\ Q$ and $\mathit{plant}_b \equiv \bar{y}' = q(\bar{y}, \bar{u})\ \&\ R$, if $\mathit{ctrl}_b$ is idempotent and the validity of $[\mathit{ctrl}_a][\mathit{plant}_a](p(\bar{y}, \bar{u}) = q(\bar{y}, \bar{u}) \wedge R)$ is decidable, then the validity of $(\mathit{ctrl}_a; \mathit{plant}_a)^{*} \le (\mathit{ctrl}_b; \mathit{plant}_b)^{*}$ is also decidable.*

In particular, the theorem applies to the event-triggered model and the time-triggered model templates used to show how to prove that the latter refines the former [19]. Indeed, their controller template is loop-free and idempotent, and the differential equations are assumed to be solvable. Theorem 4 strengthens their result by showing the completeness of the approach.

## **7 Conclusion**

This paper introduced a uniform substitution proof calculus for differential refinement logic dRL. This yields a parsimonious prover microkernel for hybrid systems verification that simultaneously works for properties of and relations between hybrid systems. The handling of refinement relations between hybrid systems is subtle even only in its static semantics, which makes the correctness proofs of this paper particularly interesting. The uniform substitution is one-pass [28] giving it respectable performance advantages compared to Church-style uniform substitutions. While the joint presence of differential equations reasoning and refinement reasoning causes challenges, a resulting benefit besides soundness is that a finer notion of differential equation refinement is obtained with logical decidability properties on a fragment of hybrid systems refinements.

Future work involves improving the implementation of the uniform substitution calculus in KeYmaera X. Although the prover microkernel was straightforward to implement following the uniform substitution process and the list of dRL's uniform substitution axioms, the prover would benefit from quality-of-life features, e.g. using the axioms to rewrite subprograms, and from an implementation of the refinement decision algorithm for the decidable fragment. Another axis of research is to combine refinements with hybrid games, with a proper semantics, and to adapt the new axioms of dRL to games, some of which would not be sound as is.

# **A Additional dRL Axioms**

Axioms of dL also include the differential axioms, e.g. $(x)' = x'$ [25], to reason on terms, which are omitted as they are not the main focus of this paper. Axioms preceded by a star can be derived from other axioms [31].


**Fig. 3.** Additional axioms of dRL




# **Sequent Systems on Undirected Graphs**

Matteo Acclavio

University of Sussex, Brighton, UK, m.acclavio@sussex.ac.uk

**Abstract.** In this paper we explore the design of sequent calculi operating on graphs. For this purpose, we introduce logical connectives allowing us to extend the well-known correspondence between classical propositional formulas and cographs. We define sequent systems operating on formulas containing such connectives, and we prove, using an analyticity argument based on cut-elimination, that our systems provide conservative extensions of multiplicative linear logic (without and with mix) and classical propositional logic. We conclude by showing that one of our systems captures graph isomorphism as logical equivalence and that it is sound and complete for the graphical logic GS.

**Keywords:** Sequent Calculus · Graph Modular Decomposition · Analyticity

#### **1 Introduction**

In theoretical computer science, *formulas* play a crucial role in describing complex abstract objects. At the syntactical level, the formulas of a logic describe complex structures by means of unary and binary operators, usually thought of as *connectives* and *modalities* respectively. On the other hand, graph-based syntaxes are often favored in formal representation, as they provide an intuitive and canonical description of properties, relations and systems. By means of example, consider the two graphs below:

[Figure: two graphs on the four vertices a, b, c, d, the first drawn as the path a-b-c-d; drawings omitted.]

It follows from results in [21,62] that describing any of the above graphs by means of formulas only employing binary connectives would require repeating at least one vertex. As a consequence, formulas describing complex graphs are usually long and convoluted, and specific *encodings* are needed to standardize such formulas.

Since graphs are ubiquitous in theoretical computer science and its applications, a natural question to ask is whether it is possible to define formalisms having graphs, instead of formulas, as first-class terms of the syntax. Such a paradigm shift would allow the design of efficient automated tools, reducing the need to handle the bureaucracy introduced in order to deal with the encoding required to represent graphs. At the same time, a graphical syntax would provide a useful tool for investigations such as the ones in [36] or [25,27], where the authors restrict their framework to series-parallel orders, as these can be represented by means of formulas with at most binary connectives.

Two recent lines of work have generalized proof-theoretical methodologies to graphs, extending the correspondence between classical propositional formulas and cographs. In these works, systems operating on graphs are defined via local and context-free rewriting rules, similar to the approach in *deep inference* systems [8,33,34]. The first line of research, carried out by Calk, Das, Rice and Waring in various works, explores the use of maximal stable sets/cliques-preserving homomorphisms to define notions of entailment¹, and studies the resulting proof theory [16,17,23,24,63]. Here, the use of a deep inference formalism is natural, since the rules of the calculus are local rewritings. The second line of research, investigated by the author, Horne, Mauw and Straßburger in several contributions [3–5], studies the (sub-)structural proof theory of arbitrary graphs, with an approach inspired by linear logic [29] and deep inference [33]. The main goal of this line of research, partially achieved with the system GVsl operating on mixed graphs [3], is to obtain a generalization of the completeness result of the logic BV with respect to pomset inclusion. The logic BV contains a non-commutative binary connective allowing one to represent series-parallel partial order multisets as formulas in the syntax (as in Retoré's Pomset logic [57]), and to capture order inclusion as logical implication. However, as shown in [60], no cut-free sequent system for BV can exist, and therefore none for Pomset logic, which strictly contains it [53,54]. For this reason, the aforementioned line of work focused on deep inference systems, and the question of the existence of a cut-free sequent calculus for GS (the restriction of GVsl to undirected graphs, originally defined in [4]) was left open.

In this paper, we focus on the definition of sequent calculi for *graphical logics*, and we positively answer the above question by providing, among other results, a cut-free sound and complete sequent calculus for GS. By using standard techniques in sequent calculus, we thus obtain a proof of analyticity for this logic which is simpler and more concise than the one in [5].

To achieve these results, we introduce *graphical connectives*, which are operators that can be naturally interpreted as graphs. We then define the sequent calculi MGL, MGL◦ and KGL, containing rules to handle these connectives. After showing that cut-elimination holds for these systems, we prove that MGL, MGL◦ and KGL define conservative extensions of *multiplicative linear logic*, *multiplicative linear logic with mix* and *classical propositional logic* respectively. We then prove that formulas interpreted as the same graph are logically equivalent, thus justifying the fact that we consider these systems as operating on graphs rather than formulas. We conclude by showing that MGL◦ is sound and complete with respect to the logic GS, thus providing a simple sequent calculus for the logic.

The paper is structured as follows. In Sect. 2 we show how to use the notion of *modular decomposition* for graphs from [28,41] to define graphical connectives. In this way, we extend to general graphs the well-known correspondence between classical propositional formulas and *cographs* [21,28,41]. Then, in Sect. 3, we introduce the proof systems MGL, MGL◦ and KGL, and we prove their cut-elimination and analyticity. This section also discusses the conservativity results. In Sect. 4 we show that formulas representing isomorphic graphs are logically equivalent in these logics. Finally, in Sect. 5 we prove that MGL◦ is sound and complete with respect to the graphical logic GS. We conclude with Sect. 6, by discussing future research directions and applications. Due to space limitations, details of certain proofs have been omitted from this manuscript. However, detailed proofs can be found in [2].

¹ A similar approach was proposed in [56] for studying pomsets.

# **2 From Graphs to Formulas**

In this section we first recall standard results from the literature on graphs, the notion of *modular decomposition* and the one of *cographs*, which are graphs whose modular decomposition only contains two prime graphs, which can be naturally interpreted as (binary) conjunction and disjunction. We then introduce the notion of *graphical connectives*, which extends the correspondence between cographs and propositional formulas to general graphs and lets us represent graphs via formulas constructed using graphical connectives.

#### **2.1 Graphs and Modules**

In this work we are interested in using *(labeled) graphs* to represent patterns of interactions by means of the binary relations (edges) between their components (vertices). We recall the standard notion of identity on labeled graphs (i.e., *isomorphism*) and define the rougher notion of *similarity* (isomorphism up to vertex labels).

**Definition 1.** *An $\mathcal{L}$-labeled graph (or simply graph) $G = \langle V_G, \ell_G, E_G \rangle$ is given by a finite set of vertices $V_G$, a partial labeling function $\ell_G : V_G \to \mathcal{L}$ associating a label $\ell(v)$ from a given set of labels $\mathcal{L}$ to each vertex $v \in V_G$ (we may represent $\ell_G$ as a set of equations of the form $\ell(v) = \ell_v$ and denote by $\emptyset$ the empty function), and a non-reflexive symmetric edge relation $E_G \subset V_G \times V_G$ whose elements, called edges, may be denoted $vw$ instead of $(v, w)$. We write $v \frown_G w$ whenever $vw \in E_G$. The empty graph $\langle \emptyset, \emptyset, \emptyset \rangle$ is denoted $\emptyset$, and we define the non-edge relation $\not\frown_G := \{(v, w) \mid v \neq w \text{ and } vw \notin E_G\}$.*

*A similarity between two graphs $G$ and $G'$ is a bijection $f : V_G \to V_{G'}$ such that $x \frown_G y$ iff $f(x) \frown_{G'} f(y)$ for any $x, y \in V_G$. A symmetry is a similarity of a graph with itself. An isomorphism is a similarity $f$ such that $\ell(v) = \ell(f(v))$ for any $v \in V_G$. Two graphs $G$ and $G'$ are similar (denoted $G \sim G'$) if there is a similarity between $G$ and $G'$. They are isomorphic (denoted $G = G'$) if there is an isomorphism between $G$ and $G'$. From now on, we consider two isomorphic graphs to be the same graph.*

*Two vertices $v$ and $w$ in $G$ are connected if there is a sequence $v = u_0, \dots, u_n = w$ of vertices in $G$ (called a path) such that $u_{i-1} \frown_G u_i$ for all $i \in \{1, \dots, n\}$. A connected component of $G$ is a maximal set of connected vertices in $G$. A graph $G$ is a clique (resp. a stable set) iff $\not\frown_G = \emptyset$ (resp. $\frown_G = \emptyset$).*

*Note 1.* When drawing a graph or an unlabeled graph we draw an edge whenever $v \frown w$, and we draw no edge at all whenever $v \not\frown w$. We may represent a vertex by using its label instead of its name. For example, the single-vertex graph $G = \langle \{v\}, \ell_G, \emptyset \rangle$ may be represented either by the vertex (name) $v$ or by the vertex label $\ell_G(v)$ (in this case we may write $\bullet$ if $\ell_G(v)$ is not defined).

*Example 1.* Consider the following graphs:

$$\begin{aligned} F &= \left\langle \{ \mu_1, \mu_2, \mu_3, \mu_4 \}, \{ \ell(\mu_1) = a, \ell(\mu_2) = b, \ell(\mu_3) = c, \ell(\mu_4) = d \}, \{ \mu_1 \mu_2, \mu_2 \mu_3, \mu_3 \mu_4 \} \right\rangle \\ G &= \left\langle \{ \nu_1, \nu_2, \nu_3, \nu_4 \}, \{ \ell(\nu_1) = b, \ell(\nu_2) = a, \ell(\nu_3) = c, \ell(\nu_4) = d \}, \{ \nu_1 \nu_2, \nu_1 \nu_3, \nu_3 \nu_4 \} \right\rangle \\ H &= \left\langle \{ \nu_1, \nu_2, \nu_3, \nu_4 \}, \{ \ell(\nu_1) = a, \ell(\nu_2) = b, \ell(\nu_3) = c, \ell(\nu_4) = d \}, \{ \nu_1 \nu_2, \nu_1 \nu_3, \nu_3 \nu_4 \} \right\rangle \end{aligned} \tag{1}$$


**Fig. 1.** A graph, one of its modular representations, and the corresponding formula-like representation.

We have $F \sim G \sim H$ and $G = F = a\text{-}b\text{-}c\text{-}d \neq b\text{-}a\text{-}c\text{-}d = H$, where $a\text{-}b\text{-}c\text{-}d$ denotes the path on four vertices carrying those labels in that order.

*Note 2.* Whenever we say that two graphs are the same, we assume they share the same set of vertices and labeling function, therefore implicitly assuming the isomorphism *f* to be given. This allows us to verify whether two graphs are isomorphic (i.e., the same) in polynomial time on the number of vertices.

We recall the notion of *module* [26,28,35,41,45,48], allowing us to represent a graph using a tree-like syntax. A module is a subset of vertices of a graph having the same edge-relation with any vertex outside the subset, generalizing what can usually be observed in formulas, where, in the formula tree, each literal in a subformula has the same least common ancestor with a given literal not belonging to the subformula itself.

**Definition 2.** *Let $G = \langle V_G, \ell_G, E_G \rangle$ be a graph and $W \subseteq V_G$. The graph induced by $W$ is the graph $G|_W := \langle W, \ell_G|_W, E_G \cap (W \times W) \rangle$ where $\ell_G|_W(v) := \ell_G(v)$ for all $v \in W$.*

*A module of a graph $G$ is a subset $M$ of $V_G$ such that $xz \in E_G$ iff $yz \in E_G$ for any $x, y \in M$, $z \in V_G \setminus M$. A module $M$ is trivial if $M = \emptyset$, $M = V_G$, or $M = \{x\}$ for some $x \in V_G$. From now on, we identify a module $M$ of a graph $G$ with the induced subgraph $G|_M$.*

*Remark 1.* A connected component of a graph *G* is a module of *G*.

*Note 3.* We may optimize graph representations by bordering vertices of a same module by a closed line. An edge connected to such a closed line denotes the existence of an edge to each vertex inside it (see Fig. 1). By means of example, consider the following graph and its more compact modular representation.

The notion of module is related to a notion of context, which can be intuitively formulated as a graph with a "hole".

**Definition 3.** *A context $\mathcal{C}[\square]$ is a (non-empty) graph containing a single occurrence of a special vertex $\square$ (with $\ell(\square)$ undefined). It is trivial if $\mathcal{C}[\square] = \square$. If $\mathcal{C}[\square]$ is a context and $G$ a graph, we define $\mathcal{C}[G]$ as the graph obtained by replacing $\square$ by $G$. Formally,*

$$\mathcal{C}[G] := \Big\langle (V_{\mathcal{C}[\square]} \setminus \{\square\}) \uplus V_G,\ \ \ell_{\mathcal{C}} \cup \ell_G,\ \ \{vw \mid v, w \in V_{\mathcal{C}[\square]} \setminus \{\square\},\ v \frown_{\mathcal{C}[\square]} w\} \cup E_G \cup \{vw \mid v \in V_{\mathcal{C}[\square]} \setminus \{\square\},\ w \in V_G,\ v \frown_{\mathcal{C}[\square]} \square\} \Big\rangle \tag{2}$$

*Remark 2.* The notion of context and the one of module are interdefinable. In fact, a set of vertices $M$ is a module of a graph $G$ iff there is a context $\mathcal{C}[\square]$ such that $G = \mathcal{C}[M]$.

We generalize this idea of replacing a vertex of a graph with a module by defining the operation of *composition-via* a graph, where all vertices of a graph are replaced in a "modular way" by modules.

**Definition 4.** *Let $G$ be a graph with $V_G = \{v_1, \dots, v_n\}$ and let $H_1, \dots, H_n$ be graphs. We define the composition of $H_1, \dots, H_n$ via $G$ as the graph $G\langle H_1, \dots, H_n \rangle$ obtained by replacing each vertex $v_i$ of $G$ with a module $H_i$ for all $i \in \{1, \dots, n\}$. Formally,*

$$G\langle H_1, \dots, H_n \rangle := \left\langle \bigcup_{i=1}^n V_{H_i},\ \bigcup_{i=1}^n \ell_{H_i},\ \Big(\bigcup_{i=1}^n E_{H_i}\Big) \cup \left\{ xy \,\middle|\, x \in V_{H_i},\ y \in V_{H_j},\ v_i \frown_G v_j \right\} \right\rangle \tag{3}$$

*The subgraphs $H_1, \dots, H_n$ are called factors of $G\langle H_1, \dots, H_n \rangle$ and, by definition, are (possibly not maximal) modules of $G\langle H_1, \dots, H_n \rangle$.*

*Remark 3.* The operation of composition-via $G$ forgets the information carried by the labeling function $\ell_G$. Moreover, if $\sigma$ is a similarity between two graphs $G$ and $G'$, then $G\langle H_1, \dots, H_n \rangle = G'\langle H_{\sigma(1)}, \dots, H_{\sigma(n)} \rangle$.

In order to establish a connection between graphs and formulas, from now on we only consider graphs whose labels belong to the set $\mathcal{L} = \{a, a^\perp \mid a \in \mathcal{A}\}$, where $\mathcal{A}$ is a fixed set of propositional variables. We then define the *dual* of a graph.

**Definition 5.** *Let $G = \langle V_G, \ell_G, E_G \rangle$ be a graph. We define the dual graph of $G$ as the graph $G^\perp := \langle V_G, \ell_{G^\perp}, E_{G^\perp} \rangle$ with $\ell_{G^\perp}(v) = (\ell_G(v))^\perp$ (assuming $a^{\perp\perp} = a$ for all $a \in \mathcal{A}$) and $E_{G^\perp} = \not\frown_G$, that is, $vw \in E_{G^\perp}$ iff $v \neq w$ and $vw \notin E_G$.*

#### **2.2 Classical Propositional Formulas as Cographs**

The set of *classical (propositional) formulas* is generated from a set of propositional variables $\mathcal{A}$ using the *negation* $(\cdot)^\perp$, the *disjunction* $\vee$ and the *conjunction* $\wedge$ according to the following grammar:

$$\phi, \psi := a \mid \phi \vee \psi \mid \phi \wedge \psi \mid \phi^{\perp} \qquad \text{with } a \in \mathcal{A}. \tag{4}$$

We define a map from literals to single-vertex graphs, which extends to formulas via the composition-via the unlabeled two-vertices stable set and two-vertices clique.

**Definition 6.** *Let $\phi$ be a classical formula, and let $\mathsf{S}_2 = \langle \{v_1, v_2\}, \emptyset, \emptyset \rangle$ and $\mathsf{K}_2 = \langle \{v_1, v_2\}, \emptyset, \{v_1 v_2\} \rangle$. We define the graph $\llbracket \phi \rrbracket$ as follows:*

$$\llbracket a \rrbracket = a \qquad \llbracket \phi^{\perp} \rrbracket = \llbracket \phi \rrbracket^{\perp} \qquad \llbracket \phi \vee \psi \rrbracket = \mathsf{S}_2 \langle \llbracket \phi \rrbracket, \llbracket \psi \rrbracket \rangle \qquad \llbracket \phi \wedge \psi \rrbracket = \mathsf{K}_2 \langle \llbracket \phi \rrbracket, \llbracket \psi \rrbracket \rangle$$

*where we denote by $a$ the single-vertex graph whose vertex is labeled by $a$. A cograph is a graph $G$ such that there is a classical formula $\phi$ with $G = \llbracket \phi \rrbracket$.*

*Example 2.* Let $\phi$ and $\psi$ be classical formulas containing occurrences of the atoms $\{a_1, \dots, a_n\}$ and $\{b_1, \dots, b_m\}$ respectively. Then the graph $\llbracket \phi \wedge \psi \rrbracket$ can be represented as follows:

$$\llbracket \phi \wedge \psi \rrbracket = \mathsf{K}_2 \langle \llbracket \phi \rrbracket, \llbracket \psi \rrbracket \rangle = \big( \mathsf{S}_2 \langle \llbracket \phi \rrbracket^{\perp}, \llbracket \psi \rrbracket^{\perp} \rangle \big)^{\perp} = \big( \llbracket \phi^{\perp} \vee \psi^{\perp} \rrbracket \big)^{\perp}$$

that is, the graph made of the vertices $a_1, \dots, a_n$ of $\llbracket \phi \rrbracket$ and the vertices $b_1, \dots, b_m$ of $\llbracket \psi \rrbracket$, with an edge between every $a_i$ and every $b_j$.

Note that an equivalent definition of cographs can be given using only the graph $\mathsf{S}_2$ (or $\mathsf{K}_2$) and duality.

We can easily observe that the map $\llbracket \cdot \rrbracket$ is well-behaved with respect to the equivalence over formulas generated by the associativity and commutativity of connectives and the De Morgan laws below.

$$\begin{array}{lll} \text{Equivalence laws} & \phi \vee \psi \equiv \psi \vee \phi & \phi \vee (\psi \vee \chi) \equiv (\phi \vee \psi) \vee \chi \\ & \phi \wedge \psi \equiv \psi \wedge \phi & \phi \wedge (\psi \wedge \chi) \equiv (\phi \wedge \psi) \wedge \chi \\ \text{De Morgan laws} & (\phi^{\perp})^{\perp} \equiv \phi & (\phi \wedge \psi)^{\perp} \equiv \phi^{\perp} \vee \psi^{\perp} \end{array} \tag{5}$$

**Proposition 1.** *Let $\phi$ and $\psi$ be classical formulas. Then $\phi \equiv \psi$ iff $\llbracket \phi \rrbracket = \llbracket \psi \rrbracket$.*

We finally recall an alternative definition of cographs as graphs containing no induced subgraph of a specific shape, and we recall the theorem establishing the relation between

**Definition 7.** *A graph $G$ is $\mathsf{P}_4$-free if it contains no four vertices $v_1, v_2, v_3, v_4$ such that the induced subgraph $G|_{\{v_1, v_2, v_3, v_4\}}$ is similar to the path on four vertices $a\text{-}b\text{-}c\text{-}d$.*

**Theorem 1 ([28]).** *Let $G$ be a graph. Then $G$ is a cograph iff $G$ is $\mathsf{P}_4$-free.*

#### **2.3 Modular Decomposition of Graphs**

We recall the notion of *prime graph*, which allows us to provide canonical representatives of graphs via modular decomposition (see, e.g., [26,28,35,41,45,48]).

**Definition 8.** *A graph G is prime if* |*VG*| > 1 *and all its modules are trivial.*

We recall the following standard result from the literature.

**Theorem 2 ([41]).** *Let $G$ be a graph with at least two vertices. Then there are non-empty modules $M_1, \dots, M_n$ of $G$ and a prime graph $P$ such that $G = P\langle M_1, \dots, M_n \rangle$.*

This result allows us to describe a graph using its *modular decomposition*, that is, using single-vertex graphs and operations of composition-via prime graphs only.

**Definition 9.** *Let G be a non-empty graph. A modular decomposition of G is a way to write G using single-vertex graphs and the operation of composition-via prime graphs:*


Ambiguity arises in modular decomposition due to the presence of cliques or stable sets with more than three vertices, graph symmetries, and the presence of symmetric but non-isomorphic graphs. The first two ambiguities are akin to the one observed in propositional logic, where conjunction and disjunction are considered associative and commutative. These are addressed similarly in the framework we discuss in this paper. However, to reduce the latter source of ambiguity, we introduce the notion of *basis of graphical connectives*.

**Definition 10.** *A graphical connective $\mathsf{C} = \langle V_{\mathsf{C}}, E_{\mathsf{C}} \rangle$ (with arity $n = |V_{\mathsf{C}}|$) is given by a finite list of vertices $V_{\mathsf{C}} = \langle v_1, \dots, v_n \rangle$ and a non-reflexive symmetric edge relation $E_{\mathsf{C}}$ over the set of vertices occurring in $V_{\mathsf{C}}$. We denote by $G_{\mathsf{C}}$ the graph corresponding to $\mathsf{C}$, that is, the graph $G_{\mathsf{C}} = \langle \{v \mid v \text{ in } V_{\mathsf{C}}\}, \emptyset, E_{\mathsf{C}} \rangle$. The composition-via a graphical connective is defined as the composition-via the graph $G_{\mathsf{C}}$. A graphical connective is prime if $G_{\mathsf{C}}$ is a prime graph. A set $\mathcal{P}$ of prime graphical connectives is a basis if for each prime graph $P$ there is a unique connective $\mathsf{C} \in \mathcal{P}$ such that $P \sim G_{\mathsf{C}}$.*

*Given an $n$-ary connective $\mathsf{C}$, we define the group² of symmetries of $\mathsf{C}$ (denoted $\mathfrak{S}(\mathsf{C})$) and the set of dualizing symmetries of $\mathsf{C}$ (denoted $\mathfrak{S}^\perp(\mathsf{C})$) as the following sets of permutations over the set $\{1, \dots, n\}$:*

$$\begin{aligned} \mathfrak{S}(\mathsf{C}) &:= \{ \sigma \mid \mathsf{C}\langle H_1, \dots, H_n \rangle = \mathsf{C}\langle H_{\sigma(1)}, \dots, H_{\sigma(n)} \rangle \} \\ \mathfrak{S}^\perp(\mathsf{C}) &:= \{ \sigma \mid (\mathsf{C}\langle H_1, \dots, H_n \rangle)^\perp = \mathsf{C}\langle H_{\sigma(1)}^\perp, \dots, H_{\sigma(n)}^\perp \rangle \} \end{aligned} \quad \text{(for any } H_1, \dots, H_n\text{)} \tag{6}$$

*We introduce the following graphical connectives:*

[Eq. (7): the graphical connectives ⅋ := ⟨⟨v₁, v₂⟩, ∅⟩ (the two-vertex stable set), ⊗ := ⟨⟨v₁, v₂⟩, {v₁v₂}⟩ (the two-vertex clique), P₄ and Bull; drawings omitted.]

We can reformulate the standard result on modular decomposition as follows.

**Theorem 3.** *Let $G$ be a non-empty graph and $\mathcal{P}$ a basis. Then there is a unique way (up to symmetries of graphical connectives and associativity of ⅋ and $\otimes$) to write $G$ using single-vertex graphs and the graphical connectives in $\mathcal{P}$.*

**Corollary 1.** *Two graphs are isomorphic i*ff *they admit a same modular decomposition.*
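The following Python sketch is an added illustration, not code from the paper: it implements, on small labeled graphs, composition-via (Definition 4), the map $\llbracket \cdot \rrbracket$ from classical formulas to cographs (Definition 6), modules and prime graphs (Definitions 2 and 8), the $\mathsf{P}_4$-free test of Theorem 1, and the symmetry sets $\mathfrak{S}(\mathsf{C})$ and $\mathfrak{S}^\perp(\mathsf{C})$ of Eq. (6). The tuple encoding of formulas, the vertex names and the labels `x_i` are the example's own assumptions, as is the observation that testing Eq. (6) on single-vertex factors decides it for all factors.

```python
from itertools import combinations, permutations


def neg(label):
    """Negate a literal label: 'a' <-> 'a⊥' (so that a⊥⊥ = a)."""
    return label[:-1] if label.endswith("⊥") else label + "⊥"


class Graph:
    """An L-labeled graph <V, label, E> (Definition 1); edges are unordered pairs."""

    def __init__(self, vertices, labels, edges):
        self.V = frozenset(vertices)
        self.label = dict(labels)  # partial labeling function
        self.E = frozenset(frozenset(e) for e in edges)
        assert all(len(e) == 2 and e <= self.V for e in self.E)  # non-reflexive, inside V

    def __eq__(self, other):  # Note 2: isomorphic graphs share vertices, labels and edges
        return (self.V, self.label, self.E) == (other.V, other.label, other.E)

    def adjacent(self, v, w):
        return frozenset((v, w)) in self.E

    def induced(self, W):
        """G|W (Definition 2)."""
        W = frozenset(W)
        return Graph(W, {v: lab for v, lab in self.label.items() if v in W},
                     {e for e in self.E if e <= W})

    def dual(self):
        """G⊥ (Definition 5): complement the edge relation and negate every label."""
        non_edges = {frozenset(p) for p in combinations(self.V, 2) if frozenset(p) not in self.E}
        return Graph(self.V, {v: neg(lab) for v, lab in self.label.items()}, non_edges)


def compose_via(G, factors):
    """G<H_1,...,H_n> (Definition 4, Eq. (3)): vertex v of G is replaced by factors[v];
    an edge of G becomes all edges between the two factors; G's own labels are forgotten."""
    V, labels, E = set(), {}, set()
    for H in factors.values():
        assert not (V & H.V), "factors must have pairwise disjoint vertex sets"
        V, E = V | H.V, E | H.E
        labels.update(H.label)
    for vi, vj in combinations(G.V, 2):
        if G.adjacent(vi, vj):
            E |= {frozenset((x, y)) for x in factors[vi].V for y in factors[vj].V}
    return Graph(V, labels, E)


S2 = Graph({1, 2}, {}, set())      # two-vertex stable set: disjunction
K2 = Graph({1, 2}, {}, {(1, 2)})   # two-vertex clique: conjunction
P4 = Graph({1, 2, 3, 4}, {}, {(1, 2), (2, 3), (3, 4)})  # the prime path on four vertices


def formula_to_graph(phi, fresh=None):
    """[[phi]] (Definition 6) for formulas as nested tuples: ('atom', 'a'), ('not', phi),
    ('or', phi, psi), ('and', phi, psi). Each literal occurrence gets a fresh vertex name."""
    fresh = iter(range(10**6)) if fresh is None else fresh
    op = phi[0]
    if op == "atom":
        v = next(fresh)
        return Graph({v}, {v: phi[1]}, set())
    if op == "not":
        return formula_to_graph(phi[1], fresh).dual()
    left, right = formula_to_graph(phi[1], fresh), formula_to_graph(phi[2], fresh)
    return compose_via(K2 if op == "and" else S2, {1: left, 2: right})


def is_module(G, M):
    """Definition 2: every vertex outside M is adjacent to all of M or to none of it."""
    M = frozenset(M)
    return all(len({G.adjacent(x, z) for x in M}) <= 1 for z in G.V - M)


def is_prime(G):
    """Definition 8: more than one vertex and only trivial modules (brute force)."""
    return len(G.V) > 1 and not any(
        is_module(G, M) for k in range(2, len(G.V)) for M in combinations(G.V, k))


def is_cograph(G):
    """Theorem 1: cograph iff P4-free (Definition 7). Among 4-vertex graphs only the
    path has degree sequence 1,1,2,2, so the induced subgraph is checked by degrees."""
    for W in combinations(G.V, 4):
        H = G.induced(W)
        if sorted(sum(1 for e in H.E if v in e) for v in W) == [1, 1, 2, 2]:
            return False
    return True


def symmetries(C, dualizing=False):
    """S(C) (dualizing=False) and S⊥(C) (dualizing=True) of Eq. (6); vertices 1..n of C
    are its positions. Cross-factor edges depend only on positions, so checking the
    defining equation on single-vertex factors H_i (labelled x_i) decides it for all H_i."""
    n = len(C.V)
    H = {i: Graph({i}, {i: f"x{i}"}, set()) for i in range(1, n + 1)}
    lhs = compose_via(C, H).dual() if dualizing else compose_via(C, H)
    found = []
    for sigma in permutations(range(1, n + 1)):
        Hs = {i: H[sigma[i - 1]].dual() if dualizing else H[sigma[i - 1]] for i in range(1, n + 1)}
        if compose_via(C, Hs) == lhs:
            found.append(sigma)
    return found


# Constructed sample: graph F of Example 1, the labeled path a-b-c-d (prime, not a cograph).
F = Graph({"m1", "m2", "m3", "m4"}, {"m1": "a", "m2": "b", "m3": "c", "m4": "d"},
          {("m1", "m2"), ("m2", "m3"), ("m3", "m4")})
```

For $\mathsf{P}_4$ the computed $\mathfrak{S}(\mathsf{P}_4)$ is $\{\mathrm{id}, (1\,4)(2\,3)\}$ as stated in Remark 4, and $\mathfrak{S}^\perp(\mathsf{P}_4)$ has two elements because the path on four vertices is self-complementary.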

#### **2.4 Graphs as Formulas**

In order to represent graphs as formulas, we define new connectives beyond conjunction and disjunction to represent graphical connectives in a basis P. From now on, we assume to be fixed a basis P containing the graphical connectives in Eq. (7).

² It can be easily shown that $\mathfrak{S}(\mathsf{C})$ contains the identity permutation (denoted $\mathrm{id}$) and is a subgroup of the group of permutations over the set $\{1, \dots, n\}$.

**Definition 11.** *The set of formulas is generated by the set of propositional atoms $\mathcal{A}$, a unit $\circ$, and a basis of graphical connectives $\mathcal{P}$ using the following syntax:*

$$\phi, \psi := \circ \mid a \mid a^\perp \mid \kappa_P \langle \phi_1, \dots, \phi_{n_P} \rangle \qquad \text{with } a \in \mathcal{A} \text{ and } P \in \mathcal{P} \tag{8}$$

*We simply denote by ⅋ (resp. $\otimes$) the binary connective $\kappa_{⅋}$ (resp. $\kappa_\otimes$), and we write $\phi$ ⅋ $\psi$ instead of $\kappa_{⅋}\langle \phi, \psi \rangle$ (resp. $\phi \otimes \psi$ instead of $\kappa_\otimes\langle \phi, \psi \rangle$). The arity of the connective $\kappa_P$ is the arity $n_P$ of $P$. A literal is a formula of the form $a$ or $a^\perp$ for an atom $a \in \mathcal{A}$. The set of literals is denoted $\mathcal{L}$. A formula is unit-free if it contains no occurrences of $\circ$, and vacuous if it contains no atoms. A formula is pure if it is non-vacuous and all its vacuous subformulas are $\circ$. An* **MLL***-formula is a formula containing only occurrences of the connectives ⅋ and $\otimes$. A context formula (or simply context) $\zeta[\square]$ is a formula containing a hole taking the place of an atom. Given a context $\zeta[\square]$, the formula $\zeta[\phi]$ is defined by simply replacing the hole with the formula $\phi$. For example, if $\zeta[\square] = \psi$ ⅋ $(\square \otimes \chi)$, then $\zeta[\phi] = \psi$ ⅋ $(\phi \otimes \chi)$.*

*For each formula (or context) $\phi$, the graph $\llbracket \phi \rrbracket$ is defined as follows:*

$$\llbracket \square \rrbracket = \square \qquad \llbracket \circ \rrbracket = \emptyset \qquad \llbracket a \rrbracket = a \qquad \llbracket a^{\perp} \rrbracket = a^{\perp} \qquad \llbracket \kappa_P\langle \phi_1, \dots, \phi_n \rangle \rrbracket = P\langle \llbracket \phi_1 \rrbracket, \dots, \llbracket \phi_n \rrbracket \rangle \tag{9}$$

*Note 4.* We may consider a formula $\phi$ over the set of occurrences of literals $\{x_1, \dots, x_n\}$ as a *synthetic connective* $\phi$ with arity $n$. That is, we may denote by $\phi\langle \psi_1, \dots, \psi_n \rangle$ the formula obtained by replacing each literal $x_i$ (with $i \in \{1, \dots, n\}$) with a formula $\psi_i$. The set of *symmetries* of $\phi$ (denoted $\mathfrak{S}(\phi)$) is the set of permutations $\sigma$ over $\{1, \dots, n\}$ such that $\phi\langle x_1, \dots, x_n \rangle = \phi\langle x_{\sigma(1)}, \dots, x_{\sigma(n)} \rangle$.

**Definition 12.** *The equivalence relation* ≡ *over formulas is generated by the following:*


*for each $P \in \mathcal{P}$ (with arity $n_P = |V_P|$), and for each $\sigma \in \mathfrak{S}(P)$ and $\rho \in \mathfrak{S}^\perp(P)$. The (linear) negation over formulas is defined by letting*

$$\circ^\perp = \circ \qquad \phi^{\perp\perp} = \phi \qquad \big(\kappa_P\langle \phi_1, \dots, \phi_{n_P} \rangle\big)^\perp = \kappa_Q\langle \phi^\perp_{\sigma(1)}, \dots, \phi^\perp_{\sigma(n_P)} \rangle$$

*where $Q$ is the (unique) prime connective in $\mathcal{P}$ such that $\llbracket \kappa_P\langle a_1, \dots, a_n \rangle \rrbracket^\perp = Q\langle a^\perp_{\sigma(1)}, \dots, a^\perp_{\sigma(n)} \rangle$ for a permutation $\sigma$ over the set $\{1, \dots, n\}$.*³

*The linear implication $\phi \multimap \psi$ is defined as $\phi^\perp$ ⅋ $\psi$, while the logical equivalence of $\phi$ and $\psi$ is defined as $(\phi \multimap \psi) \otimes (\psi \multimap \phi)$.*

³ Note that the permutation $\sigma$ may not be unique. If we consider formulas up to the equivalence relation $\equiv$, this is irrelevant. Otherwise, in the definition of the linear negation we should also provide a specific permutation $\sigma_P$ for each prime connective $P \in \mathcal{P}$.

*Remark 4.* As explained in [5] (Sect. 9), the graphical connectives we discuss in this paper are *multiplicative connectives* (in the sense of [6,22,32,47]) but they are not the same as the *connectives-as-partitions* discussed in these works. In fact, there is a unique 4-ary graphical connective P4, which has the symmetry group {id, (1, 4)(2, 3)}, while, as shown in [6,47], there is a unique pair of dual *non-decomposable* (i.e., which cannot be described using smaller connectives) 4-ary multiplicative connectives-as-partitions G4 and G4⊥, and S(P4) ≠ S(G4) = S(G4⊥).

The following result is a consequence of Theorem 2.

**Proposition 2.** *Let φ and ψ be formulas. If φ ≡ ψ, then ‖φ‖ = ‖ψ‖. Moreover, if φ and ψ are unit-free, then φ ≡ ψ iff ‖φ‖ = ‖ψ‖.*

For an example of why the equivalence result does not hold in the presence of units, consider the (non-equivalent) formulas ◦ ⊗ ◦ and ◦ ⅋ ◦, which are interpreted by the same (empty) graph.

# **3 Sequent Calculi over Graphs-as-Formulas**

We assume the reader to be familiar with the definition of sequent calculus derivations as trees of sequents (see, e.g., [61]) but we recall here some definitions.

**Definition 13.** *A sequent is a set of occurrences of formulas. A sequent system S is a set of sequent rules such as the ones in Fig. 2. A derivation (resp. open derivation) over S is a tree of sequents such that each node (resp. each node except some leaves, called open premises) is the conclusion of a rule whose premises are its children. In a sequent rule r, we say that a formula is active (resp. principal) if it occurs in one of its premises (resp. in its conclusion) but not in its conclusion (resp. but in none of its premises). A proof of a sequent Γ is a derivation with root Γ, denoted $\overset{\pi}{\vdash_{\mathsf S}\Gamma}$. We denote by $\underset{\Gamma}{\overset{\Gamma'}{\pi_{\mathsf S}}}$ an open derivation with conclusion Γ and a single open premise Γ′. A rule is admissible in S if there is a derivation of the conclusion of the rule whenever all premises of the rule are derivable. A rule is derivable in S if there is a derivation in S from the premises to the conclusion of the rule.*

**Definition 14.** *We define the following sequent systems using the rules axiom (*ax*), par (*⅋*), tensor (*⊗*), weakening (*w*), contraction (*c*), mix (*mix*), dual connectives (*d-κ*), unitor (*uκ*), and weak-distributivity (*wd⊗*) in Fig. 2.*


**Fig. 2.** Sequent rules (the rule schemas are not recoverable from the extraction).

*Remark 5.* Rules *axiom* (ax), *par* (⅋), *tensor* (⊗), *cut* (cut), and *mix* (mix) are the standard ones of multiplicative linear logic with mix. Note that ax is restricted to atomic formulas. The rule d-κ handles a pair of dual connectives at the same time, as may be done by rules in focused proof systems (see, e.g., [9,50,51]) or by rules for modalities in modal logic and linear logic (see, e.g., [12,14,31,44]). Intuitively, while in standard two-sided sequent calculi the right-conjunction rule (∧R below) internalizes a meta-conjunction between the premises of the rule, that is,

$$\wedge_R\ \dfrac{\Gamma_1,\phi_1 \vdash \psi_1,\Delta_1 \quad\text{``and''}\quad \Gamma_2,\phi_2 \vdash \psi_2,\Delta_2}{\Gamma_1,\Gamma_2,\phi_1,\phi_2 \vdash \psi_1 \wedge \psi_2,\Delta_1,\Delta_2} \tag{11}$$

the rule d-κ internalizes a meta-κ-connective between the premises by introducing the same connective on both sides of the sequent, as shown below in the case κ = P4.

$$\mathsf{d}\text{-}\kappa\ \dfrac{\mathbb{P}_4\Big(\ \Gamma_1,\phi_1 \vdash \psi_1,\Delta_1\ ,\ \ \Gamma_2,\phi_2 \vdash \psi_2,\Delta_2\ ,\ \ \Gamma_3,\phi_3 \vdash \psi_3,\Delta_3\ ,\ \ \Gamma_4,\phi_4 \vdash \psi_4,\Delta_4\ \Big)}{\Gamma_1,\Gamma_2,\Gamma_3,\Gamma_4,\ \kappa_{\mathbb{P}_4}[\phi_1,\phi_2,\phi_3,\phi_4] \vdash \kappa_{\mathbb{P}_4}[\psi_1,\psi_2,\psi_3,\psi_4],\ \Delta_1,\Delta_2,\Delta_3,\Delta_4} \tag{12}$$

Note that in the rule ∧R in Eq. (11) only a single occurrence of the connective ∧ occurs in the conclusion, on the right-hand side of ⊢. This is because the absence of the conjunction ∧ on the left-hand side is irrelevant, since a two-sided sequent Γ ⊢ Δ is interpreted as the formula $\bigvee_{\phi\in\Gamma}\phi^{\perp} \vee \bigvee_{\psi\in\Delta}\psi$.

The names of the rules *unitor* (uκ) and *weak-distributivity* (wd⊗) are inspired by the literature on *monoidal categories* [46] and *weakly distributive categories* [19,20,59]. The rule uκ internalizes the fact that the unit ◦ is the neutral element for all connectives (its side condition prevents the creation of non-pure formulas). Under the assumption of the existence of a ◦ which is the unit of both ⊗ and ⅋, the rule wd⊗ generalizes the *weak-distributive law* of ⊗ over ⅋, that is,

$$
\phi \otimes (\psi \mathbin{⅋} \chi) \longrightarrow (\phi \otimes \psi) \mathbin{⅋} \chi \tag{13}
$$

to the weak-distributive law of ⊗ over any connective κ (see the top of Eq. (14) below)

$$\begin{array}{c} \chi \otimes \kappa\left[\phi_1, \dots, \phi_k, \psi, \phi_{k+1}, \dots, \phi_n\right] \longrightarrow \kappa\left[\phi_1, \dots, \phi_k, \psi \otimes \chi, \phi_{k+1}, \dots, \phi_n\right] \\ \kappa\left[\phi_1, \dots, \phi_k, \psi \mathbin{⅋} \chi, \phi_{k+1}, \dots, \phi_n\right] \longrightarrow \kappa\left[\phi_1, \dots, \phi_k, \psi, \phi_{k+1}, \dots, \phi_n\right] \mathbin{⅋} \chi \end{array} \tag{14}$$

Note that an additional law is required to formalize the weak-distributive law of all connectives over ⅋ (see the bottom of Eq. (14)). This law corresponds to the rule wd⅋ in Fig. 3.

**Fig. 3.** Admissible rules in MGL◦ (the rule schemas are not recoverable from the extraction).

#### **3.1 Properties of the Sequent Systems**

We start by observing that these systems are *initial coherent* [10,50], that is, we can derive the implication φ ⊸ φ for any pure formula φ using only atomic axioms. To prove this result we observe that the generalized version of d-κ (that is, the rule d-χ) is derivable by induction on the structure of χ using the rule d-κ.

**Lemma 1.** *Let* χ *be a pure formula. Then rule* d-χ *is derivable.*

**Corollary 2.** *The rule* AX *is derivable in* MGL *and in* MGL◦ *.*

**Theorem 4.** MGL*,* MGL◦ *, and* KGL *are initial coherent w.r.t. pure formulas.*

The admissibility of cut is proven via *cut-elimination*.

**Theorem 5.** *Let X ∈ {MGL, MGL◦, KGL}. The rule* cut *is admissible in X.*

*Proof.* We define the *size* of a formula as the sum of the number of ◦ and connectives in it plus twice the number of its literals. The *size* of a derivation is the sum of the sizes of the active formulas of all its cut-rules. In Fig. 4 we only provide the less standard cut-elimination steps: the ones for ax, w, c, and ⊗-*vs*-⅋ are the standard ones, while d-κ-*vs*-d-κ and uκ-*vs*-uκ (where both uκ rules introduce a ◦ in the same "position") are as expected, that is, by cutting each pair of corresponding premises of the two rules. The result for MGL and MGL◦ follows from the fact that each *cut-elimination step* applied to any cut-rule reduces the size of the derivation, while for KGL we also have to rely on a weak-normalization result, via a cut-elimination strategy prioritizing the elimination of the top-most cut-rules.

Note that, to ensure that both active formulas of a cut-rule are principal with respect to the rules immediately above it, we also need to consider, besides the standard *commutative* cut-elimination steps (independent rule permutations), the special step in Fig. 5. The treatment of these steps, as well as the definition of a size taking them into account, is not covered in detail here because it is standard in the literature.

**Corollary 3.** *Let X ∈ {MGL, MGL◦, KGL}. If φ ⊸ ψ and ψ ⊸ χ are provable in X, then so is φ ⊸ χ.*

The admissibility of the cut-rule implies analyticity of MGL and KGL via the standard *sub-formula property*, that is, all formulas occurring in a premise of a rule are subformulas of the ones in the conclusion. However, as already observed in [3–5], the same result does not hold for MGL◦, because the rule uκ together with more-than-binary connectives introduces the possibility of having *sub-connectives*, that is, connectives with smaller arity behaving as if certain entries of the connective were fixed to be units.

**Fig. 4.** The cut-elimination steps for the structural rules.


**Fig. 5.** Special commutative cut-elimination step for uκ.

**Definition 15.** *Let P and Q be prime graphs and let i1 < ... < ik be integers in {1,..., |P|}. If P⟨◦,..., ◦, vi1, ◦,..., ◦, vik, ◦,..., ◦⟩ ∼ Q⟨v1,..., vn⟩ for (any) single-vertex graphs v1,..., vn, then we say that the connective κQ is a sub-connective of κP and we may write κP|i1,...,ik = κQ. A quasi-subformula of a formula φ = κP⟨ψ1,...,ψn⟩ is a formula of the form κP|i1,...,ik⟨ψ′i1,...,ψ′ik⟩ with ψ′ij a quasi-subformula of ψij for all ij ∈ {i1,..., ik}.*
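As an added illustration of Definition 15 and of the sub-connective phenomenon described above (not from the paper), assuming that P4 is the path graph 1-2-3-4 and that an entry fixed to ◦ contributes no vertex (‖◦‖ = ∅ in Eq. (9)):

$$\begin{aligned}
P_4\langle v_1, v_2, \circ, \circ\rangle &\sim \text{the single edge } v_1v_2 &&\Longrightarrow\quad \kappa_{P_4}|_{1,2} = \otimes, \\
P_4\langle \circ, v_2, v_3, \circ\rangle &\sim \text{the single edge } v_2v_3 &&\Longrightarrow\quad \kappa_{P_4}|_{2,3} = \otimes, \\
P_4\langle v_1, \circ, v_3, \circ\rangle &\sim \text{two isolated vertices } v_1,\ v_3 &&\Longrightarrow\quad \kappa_{P_4}|_{1,3} = \mathbin{⅋}, \\
P_4\langle v_1, v_2, v_3, \circ\rangle &\sim \text{the path } v_1v_2v_3 \ (\text{not prime}) &&\Longrightarrow\quad \text{no sub-connective on } \{1,2,3\}.
\end{aligned}$$

Hence b ⊗ c = κP4|2,3⟨b, c⟩ is a quasi-subformula of κP4⟨a, b, c, d⟩ without being a subformula of it, which is why, once uκ is available, a premise may contain formulas that are only quasi-subformulas of those in the conclusion (see Corollary 4). By contrast, fixing one entry of ⊗ or ⅋ to ◦ leaves a single vertex, so these two connectives have no sub-connectives; and the last line shows that fixing only entry 4 of P4 yields the 3-vertex path, which is not prime and therefore does not give a sub-connective either.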

**Corollary 4 (Conservativity).** MGL *is a conservative extension of* MLL = {ax, ⅋, ⊗}*.* MGL◦ *is a conservative extension of* MLL◦ = {ax, ⅋, ⊗, mix}*.* KGL *is a conservative extension of* LK = MLL ∪ {w, c}*.*

*Proof.* The results for MGL and KGL follow from the fact that these systems satisfy the standard sub-formula property for cut-free derivations; therefore no connective other than ⅋ and ⊗ can be introduced during proof search. The result for MGL◦ follows from the fact that it satisfies the *quasi-subformula property* (i.e., every formula in the premise of a rule is a quasi-subformula of a formula in its conclusion), and that ⅋ and ⊗ have no sub-connectives.

For both MGL and MGL◦ we have the following *splitting* result, ensuring that it is always possible, during proof search, to apply a rule removing a connective after having applied certain rules in the context. Note that, in the literature of linear logic, the splitting lemma is usually formulated as a special case of the next lemma, ensuring that an occurrence of the connective ⊗ can be removed (by applying a ⊗-rule), but without accounting for the possibility that rules first need to be applied to the context.

**Fig. 6.** Steps to eliminate wd⅋-rules (the steps are not recoverable from the extraction).

**Lemma 2 (Splitting).** *Let ⊢ Γ, κ⟨φ1,...,φn⟩ be a sequent and let X ∈ {MGL, MGL◦}. If ⊢ Γ, κ⟨φ1,...,φn⟩ is provable in X, then there is a derivation of the following shape*

$$\begin{array}{c} \pi_1 \\ \mathsf{u}_\kappa\ \dfrac{\vdash \Gamma', \chi\langle\phi_1,\dots,\phi_{k-1},\phi_{k+1},\dots,\phi_n\rangle}{\vdash \Gamma', \kappa\langle\phi_1,\dots,\phi_{k-1},\circ,\phi_{k+1},\dots,\phi_n\rangle} \\ \pi_0 \\ \vdash \Gamma, \kappa\langle\phi_1,\dots,\phi_{k-1},\circ,\phi_{k+1},\dots,\phi_n\rangle \end{array} \qquad\text{or}\qquad \begin{array}{c} \mathsf{r}\ \dfrac{\overset{\pi_1}{\vdash \Delta_1,\phi_1} \quad\cdots\quad \overset{\pi_n}{\vdash \Delta_n,\phi_n}}{\vdash \Gamma', \kappa\langle\phi_1,\dots,\phi_n\rangle} \\ \pi_0 \\ \vdash \Gamma, \kappa\langle\phi_1,\dots,\phi_n\rangle \end{array}$$

*with* r ∈ {⅋, ⊗, d-κ}*.*

*Proof.* By case analysis on the last rule occurring in a proof π of ⊢ Γ, κ⟨φ1,...,φn⟩.

We conclude this section by proving the admissibility of the rules wd⅋ and deep.

**Lemma 3.** *The rule* wd⅋ *is admissible in* MGL◦*.*

**Fig. 7.** Deep inference structural rules, the atomic contraction and the generalized medial rule.

*Proof.* In Fig. 6 we provide a procedure to remove (top-down) all occurrences of wd⅋. Similarly to cut-elimination, this procedure requires the use of the commutative steps to ensure that the active formula of the wd⅋ we aim to remove is principal with respect to the rule immediately above it.

**Lemma 4.** *The rule* deep *is admissible in* MGL◦ *.*

*Proof.* By induction on the structure of ζ[-]. The case with ζ[-] = - is an application of wd⊗; otherwise we conclude using Lemma 2.

#### **3.2 A Decomposition Result for KGL**

We can extend the decomposition result for deep inference systems in the context of classical logic [13,15] to KGL using the deep inference (structural) rules from Fig. 7, including the *generalized medial* rule proposed in [17].

**Theorem 6 (Decomposition).** *Let Γ be a sequent. If Γ is provable in KGL, then:*


*Proof.* The proof of Item 1 is immediate by replacing structural rules with deep ones and applying rule permutations. Item 2 is a consequence of the previous point after showing (by induction) that each instance of the c↓-rule can be replaced by a derivation containing m and ac↓ only, and then concluding by applying rule permutations to push ac↓-rules below m-rules and w↓-rules to the bottom of the derivation. For a reference, see [7].

## **4 Graph Isomorphism as Logical Equivalence**

In this section we show that two pure formulas φ and ψ are interpreted by the same graph (i.e., ‖φ‖ = ‖ψ‖) iff they are logically equivalent (i.e., φ ⧟ ψ is provable).

**Theorem 7.** *Let* φ *and* ψ *be formulas.*

*1. If φ and ψ are unit-free, then ‖φ‖ = ‖ψ‖ iff φ ⧟ ψ is provable in MGL.*

*2. If φ and ψ are pure, then ‖φ‖ = ‖ψ‖ iff φ ⧟ ψ is provable in MGL◦.*

*Proof.* After Proposition 2, to prove Item 1 it suffices to show that each De Morgan law φ ≡ ψ in Definition 12 (with φ and ψ unit-free) corresponds to a logical equivalence φ ⧟ ψ which is derivable in MGL. We then conclude by Corollary 3. To prove Item 2, we first show that we can find unit-free formulas φ′ and ψ′ such that φ ⧟ φ′ and ψ ⧟ ψ′ are derivable in MGL◦ (using AX, d-κ, and uκ only), and we then conclude using the previous point.

**Fig. 8.** Inference rules in GS, with P any prime graph and Mi ≠ ∅ ≠ M′i for all i ∈ {1,..., n} (the rule schemas are not recoverable from the extraction).

#### **5 Soundness and Completeness of MGL**◦ **with Respect to GS**

In this section, we show that the graphical logic GS from [4,5], defined by a deep inference system operating on graphs, is the set of graphs corresponding to formulas that are provable in MGL◦. Note that we here consider the system GS = {ai↓, s⅋, s⊗, p↓} defined by the rules in Fig. 8, which have a slightly different formulation with respect to [4,5]: we consider p↓-rules with a stronger side condition, which is balanced by the presence of s⊗ in the system.⁴

To prove the main result of this section, we use the admissibility of wd⅋ and deep (Lemmas 3 and 4) to prove that if H and G are graphs such that there is an application of a rule s⅋, s⊗, or p↓ (even deep in a context) with premise H and conclusion G, then there are formulas φ and ψ, with ‖φ‖ = H and ‖ψ‖ = G, such that φ ⊸ ψ is provable.

**Lemma 5.** *Let r ∈ {s⅋, s⊗, p↓}. If there is an instance of r with premise H and conclusion G, then there are formulas φ and ψ with ‖φ‖ = G and ‖ψ‖ = H such that ⊢ ψ⊥, φ is provable in MGL◦.*

*Proof.* If C[-] = -, then the following implications trivially hold in MGL◦:

$$\begin{aligned} \kappa \left[ \mu\_{1}, \ldots, \mu\_{i-1}, \mu\_{i} \rhd \nu, \mu\_{i+1}, \ldots, \mu\_{n} \right] &\multimap \kappa \left[ \mu\_{1}, \ldots, \mu\_{i-1}, \Box \otimes \nu, \mu\_{i+1}, \ldots, \mu\_{n} \right] \\ \mu\_{i} \otimes \kappa \left[ \mu\_{1}, \ldots, \mu\_{i-1}, \Box \otimes \nu, \mu\_{i+1}, \ldots, \mu\_{n} \right] &\multimap \kappa \left[ \mu\_{1}, \ldots, \mu\_{i-1}, \mu\_{i} \otimes \nu, \mu\_{i+1}, \ldots, \mu\_{n} \right] \\ (\mu\_{1} \otimes \nu\_{1}) \otimes \cdots \otimes (\mu\_{n} \otimes \nu\_{n}) &\multimap \kappa\_{P^{\perp}} \left[ \mu\_{1}, \ldots, \mu\_{n} \right] \otimes \kappa\_{P} \left[ \nu\_{1}, \ldots, \nu\_{n} \right] \end{aligned}$$

If C[-] = κP⟨C′[-], M1,..., Mn⟩, then we assume w.l.o.g. that there is a context formula ζ[-] = κP⟨ζ′[-], μ1,...,μn⟩ such that ‖ζ[-]‖ = C[-] and ‖ζ′[-]‖ = C′[-]. We conclude since, by inductive hypothesis on C′[-], there is a derivation as follows:

$$\mathsf{d}\text{-}\kappa\ \dfrac{\overset{\mathrm{IH}}{\vdash (\zeta'[\psi'])^{\perp},\ \zeta'[\phi']} \qquad \overset{\mathsf{AX}}{\vdash \mu_1^{\perp},\ \mu_1} \quad\cdots\quad \overset{\mathsf{AX}}{\vdash \mu_n^{\perp},\ \mu_n}}{\vdash \kappa_{P^{\perp}}\big\langle (\zeta'[\psi'])^{\perp}, \mu_1^{\perp},\dots,\mu_n^{\perp}\big\rangle,\ \kappa_{P}\big\langle \zeta'[\phi'], \mu_1,\dots,\mu_n\big\rangle}$$

We are now able to prove the main result of this section, that is, establishing a correspondence between graphs provable in GS and graphs which are the image via [[·]] of formulas provable in MGL◦ .

**Theorem 8.** *Let φ be a pure formula and let G = ‖φ‖ ≠ ∅. Then G is provable in GS iff φ is provable in MGL◦.*

⁴ The proof that the formulation we consider in this paper, where all factors Mi and Ni are required to be non-empty, is equivalent to the ones in the literature, where it is asked only that all factors Mi (as in [5]) or Mi ⅋ Ni (as in [4]) are non-empty, is provided in [2].

*Proof.* If there is a derivation π of Γ in MGL◦, then we define a derivation [[π]] of [[Γ]] in GS by induction on the last rule r in π. The translation maps an ax into an instance of ai↓; a ⅋, mix or uκ into no rule (using properties of the open deduction formalism, and the fact that premise and conclusion sequents correspond to the same graph); ⊗ and d-κ into an instance of p↓; and wd⊗ into an instance of p↓.

Conversely, if D is a proof of G ≠ ∅ in GS, then we define a proof πD of φ by induction on the number n of rules in D, where n > 0 because we are assuming G ≠ ∅.

- If n = 1, then G = a ⅋ a⊥ and πD is the proof $\mathsf{⅋}\ \dfrac{\mathsf{ax}\ \dfrac{}{\vdash a, a^{\perp}}}{\vdash a \mathbin{⅋} a^{\perp}}$.
- If n > 1, then the derivation D is of the form $\mathsf{r}\ \dfrac{\overset{\mathcal{D}'}{H}}{G}$ and by inductive hypothesis we have a proof πD′ of a formula ψ such that ‖ψ‖ = H. If r ∈ {s⅋, s⊗, p↓}, then by Lemma 5 we have a derivation with cut as the one below on the left of a formula φ such that ‖φ‖ = G. Thus we conclude by Theorem 5.

$$\mathsf{cut}\ \dfrac{\overset{\pi_{\mathcal D'}}{\vdash \psi} \qquad \overset{\text{Lemma 5}}{\vdash \psi^{\perp}, \phi}}{\vdash \phi} \qquad \overset{\text{Theorem 5}}{\rightsquigarrow} \qquad \overset{\pi_{\mathcal D}}{\vdash \phi} \qquad\qquad\qquad \mathsf{deep}\ \dfrac{\overset{\pi_{\mathcal D'}}{\vdash \psi} \qquad \mathsf{⅋}\ \dfrac{\mathsf{ax}\ \dfrac{}{\vdash a, a^{\perp}}}{\vdash a \mathbin{⅋} a^{\perp}}}{\vdash \zeta[a \mathbin{⅋} a^{\perp}]}$$

Otherwise r = ai↓, and it must have been applied deep inside a context C[-] = ‖ζ[-]‖ such that C[∅] = H = ‖ψ‖. Therefore φ = ζ[a ⅋ a⊥]. We conclude by applying Lemma 4 to the derivation above on the right.

*Remark 6.* In a different line of work [17] the authors define the *boolean graphical logic* (or GBL) as a graphical logic conservatively extending LK, defined by maximal-clique-preserving graph morphisms. As a consequence of Corollary 4 and Theorem 8, we conclude that KGL and GBL are not the same, since the following counterexample from [5] (for GS) is in GBL but not in KGL.

[The counterexample graph, on the vertices a, b, c and their duals, is not recoverable from the extraction.]

#### **6 Conclusion and Future Works**

In this paper we have provided foundations for the design of proof systems operating on graphs by defining *graphical connectives*, a class of logical operators generalizing the classical conjunction and disjunction, and whose semantics is solely defined by their interpretation as prime graphs. We introduced cut-free sequent calculi operating on formulas containing graphical connectives, where graph isomorphism can be captured by logical equivalence. We also discussed the relationship of these systems with graphical logics studied in the literature [4,5,17].

We illustrate below a number of future research directions originating from this work. These are distinct from the suggestions made by the authors of [11,18,49], who propose extending their current results by generalizing their methods, based on "classical" formulas, to graphs via the graphical logic GS.

**Categorical Semantics.** Unit-free *star-autonomous* and *IsoMix* categories [19,20] provide categorical models of MLL and MLL◦ respectively. We conjecture that categorical models for MGL and MGL◦ can be defined by enriching such structures with additional *n*-ary monoidal products and natural transformations, reflecting the symmetries observed in the symmetry groups of prime graphs.

**Digraphs, Games and Event Structures.** In this work we have extended the correspondence between classical propositional formulas and cographs from [21] to the case of general (undirected) graphs using graphical connectives; the same idea can be found in [3], where mixed graphs generalize the *relation webs* used to encode BV-formulas [33]. Similarly, we foresee the definition of proof systems operating on directed graphs as conservative extensions of intuitionistic propositional logic beyond *arenas*, the directed graphs used in Hyland-Ong *game semantics* [40] to encode propositional intuitionistic formulas, which are characterized by the absence of induced subgraphs of a specific shape. This would provide new insights into the proof theory connected to concurrent games [1,58,64], and could be used to define automated tools operating on event structures [55].

**Fig. 9.** On the left: the same proof net in Girard's original syntax and in Retoré's one. On the right: an RB-proof net of κP4⟨a, b, c, d⟩ ⊸ κP4⟨a, b, c, d⟩ containing the chorded æ-cycle a · b · b⊥ · d⊥ · d · c · c⊥ · a⊥.

**Proof Nets and Automated Proof Search.** We plan to design proof nets [22,29,30] for MGL and MGL◦, as well as combinatorial proofs [38,39] for KGL. For this purpose, we envisage extending Retoré's *handsome proof net* syntax, where proof nets are represented by two-colored graphs (see the left of Fig. 9). In Retoré's syntax, the graph induced by the vertices corresponding to the inputs of a ⅋-gate (or a ⊗-gate) is similar to the corresponding prime graph ⅋ (resp. ⊗). Thus, gates for graphical connectives could easily be defined by extending this correspondence (see the proof net on the right of Fig. 9). The standard correctness condition defined via *acyclicity* fails for these proof nets, as shown on the right-hand side of Fig. 9: the (correct) proof net of the sequent P4⟨a, b, c, d⟩ ⊸ P4⟨a, b, c, d⟩ contains a cycle. We foresee the possibility of using results on the *primeval* decomposition of graphs [37,42] to isolate those cycles witnessing unsoundness, as proposed in [52]. This may provide a methodology to develop machine-learning guided automated theorem provers using the methods in [43].

**Acknowledgments.** The author thanks the anonymous reviewers for the feedback which helped improve the final version of this manuscript.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# A Proof Theory of (*ω*-)Context-Free Languages, via Non-wellfounded Proofs

Anupam Das and Abhishek De(B)

School of Computer Science, University of Birmingham, Birmingham, UK {a.das,a.de}@bham.ac.uk

Abstract. We investigate the proof theory of regular expressions with fixed points, construed as a notation for (ω-)context-free grammars. Starting with a hypersequential system for regular expressions due to Das and Pous [15], we define its extension by least fixed points and prove the soundness and completeness of its non-wellfounded proofs for the standard language model. From here we apply proof-theoretic techniques to recover an infinitary axiomatisation of the resulting equational theory, complete for inclusions of context-free languages. Finally, we extend our syntax by greatest fixed points, now computing ω-context-free languages. We show the soundness and completeness of the corresponding system using a mixture of proof-theoretic and game-theoretic techniques.

Keywords: Proof theory · Context-free languages · Omega-languages · Games · Chomsky algebra · Non-wellfounded proofs

## 1 Introduction

The characterisation of context-free languages (CFLs) as the least solutions of algebraic inequalities, sometimes known as the *ALGOL-like theorem*, is a folklore result attributed to several luminaries of formal language theory including Ginsburg and Rice [21], Schützenberger [52], and Gruska [23]. This induces a syntax for CFLs by adding least fixed point operators to regular expressions, as first noted by Salomaa [51]. Leiß [38] called these constructs "μ-expressions" and defined an algebraic theory over them by appropriately extending Kleene algebras, which work over regular expressions. Notable recent developments include a generalisation of Antimirov's partial derivatives to μ-expressions [54] and criteria for identifying μ-expressions that can be parsed unambiguously [34].

Establishing axiomatisations and proof systems for classes of formal languages has been a difficult challenge. Many *theories* of regular expressions, such as Kleene algebras (KA) were proposed in the late 20th century (see, e.g., [6,28,29]). The completeness of KA for the (equational) theory of regular languages, due to Kozen [29] and Krob [35] independently, is a celebrated result that has led to several extensions and refinements, e.g. [7,31–33]. More recently the proof theory of KA has been studied via *infinitary* systems. On one hand, [49] proposed an ω*-branching* sequent calculus and on the other hand [12,15,25] have studied *cyclic* 'hypersequential' calculi.

© The Author(s) 2024

C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 237–256, 2024. https://doi.org/10.1007/978-3-031-63501-4\_13

Fig. 1. Summary of our main contributions. Each arrow → denotes an inclusion of equational theories, over an appropriate language of μ-expressions. The gray arrow, Theorem 11, is also a consequence of the remaining black ones. (Color figure online)

Inclusion of CFLs is Π^0_1-complete, so any recursive (hence also cyclic) axiomatisation must necessarily be incomplete. Nonetheless various theories of μ-expressions have been extensively studied, in particular *Chomsky algebras* and μ*-semirings* [17,18,39,40], giving rise to a rich algebraic theory. Indeed Grathwohl, Henglein, and Kozen [22] have given a complete (but infinitary) axiomatisation of the equational theory of μ-expressions, by extending these algebraic theories with a *continuity* principle for least fixed points.

Contributions. In this paper, we propose a *non-wellfounded* system μHKA^∞ for μ-expressions. It can be seen as an extension of the cyclic system of [15] for regular expressions. Our first main contribution is the adequacy of this system for CFLs: μHKA^∞ proves e = f just if the CFLs computed by e and f, L(e) and L(f) respectively, are the same. We use this result to obtain an alternative proof of completeness of the infinitary axiomatisation μCA of [22], comprising our second main result. Our method is inspired by previous techniques in non-wellfounded proof theory, namely [11,53], employing 'projections' to translate non-wellfounded proofs to wellfounded ones. Our result is actually somewhat stronger than that of [22], since our wellfounded proofs are furthermore *cut-free*.

Finally we develop an extension μνHKA of (leftmost) μHKA by adding *greatest* fixed points, ν, for which L(·) extends to a model of ω*-context-free languages*. Our third main contribution is the soundness and completeness of μνHKA for L(·). Compared to μHKA, the difficulty for metalogical reasoning here is to control interleavings of μ and ν, both for the soundness argument and for controlling proof search in the completeness argument. To this end, we employ *game theoretic* techniques to characterise word membership and control proof search.

All our main results are summarised in Fig. 1. Due to space constraints many proofs and auxiliary material are omitted, but may be found in a full version [9].

#### 2 A Syntax for Context-Free Grammars

Throughout this work we make use of a finite set A (the alphabet) of letters, written a, b, . . . , and a countable set V of variables, written X, Y, . . . . When speaking about context-free grammars (CFGs), we always assume non-terminals are from V and the terminals are from A.

We define (μ-)expressions, written e, f, etc., by:

$$e, f, \dots \quad ::= \quad 0 \mid 1 \mid X \mid a \mid e + f \mid e \cdot f \mid \mu X e \tag{1}$$

We usually simply write ef instead of e·f. μ is considered a variable binder, with the *free variables* FV(e) of an expression e defined as expected. We sometimes refer to expressions as *formulas*, and write for the subformula relation.

μ-expressions compute languages of finite words in the expected way:

Definition 1 (Language Semantics). *Let us temporarily expand the syntax of expressions to include each language* A ⊆ A<sup>∗</sup> *as a constant symbol. We interpret each closed expression (of this expanded language) as a subset of* A<sup>∗</sup> *as follows:*

– L(0) := ∅
– L(1) := {ε}
– L(a) := {a}
– L(A) := A
– L(e + f) := L(e) ∪ L(f)
– L(ef) := {vw : v ∈ L(e), w ∈ L(f)}
– L(μXe(X)) := ⋂{A : A ⊇ L(e(A))}

Note that all the operators of our syntax correspond to monotone operations on P(A<sup>∗</sup>), with respect to ⊆. Thus L(μXe(X)) is just the least fixed point of the operation A → L(e(A)), by the Knaster-Tarski fixed point theorem.

The productive expressions, written p, q etc. are generated by:

$$p, q, \dots \quad ::= \quad a \mid p+q \mid p\cdot e \mid e\cdot p \mid \mu Xp \tag{2}$$

We say that an expression is guarded if each variable occurrence occurs free in a productive subexpression. Left-productive and left-guarded are defined in the same way, only omitting the clause e · p in the grammar above. For convenience of exposition we shall employ the following convention throughout:

#### Convention 2. *Henceforth we assume all expressions are guarded.*

*Example 3. (Empty language).* In the semantics above, note that the empty language ∅ is computed by several expressions, not only 0 but also μXX and μX(aX). Note that while the former is unguarded the latter is (left-)guarded. In this sense the inclusion of 0 is somewhat 'syntactic sugar', but it will facilitate some of our later development.

*Example 4. (Kleene star and universal language).* For any expression e we can compute its Kleene star e^∗ := μX(1+eX) or e^∗ := μX(1+Xe). These definitions are guarded just when e is productive. Now, note that we also have not included a symbol for the universal language A^∗. We can compute this by the expression (∑_{a∈A} a)^∗, which is guarded as ∑_{a∈A} a is productive.


Fig. 2. Rules of the system μHKA.

It is well-known that μ-expressions compute just the context-free (CF) languages [21,23,52]. In fact this holds even under the restriction to left-guarded expressions, by simulating the *Greibach normal form*:

Theorem 5. (Adequacy, see, e.g., [17,18]). L *is context-free (and* ε ∉ L*)* ⇐⇒ L = L(e) *for some* e *left-guarded (and left-productive, respectively).*

*Example 6.* Consider the left-guarded expressions Dyck_1 := μX(1 + ⟨X⟩X) and {a^n b^n}_n := μX(1+aXb). As suggested, Dyck_1 indeed computes the language of well-bracketed words over alphabet {⟨,⟩}, whereas {a^n b^n}_n computes the set of words *ab* with |*a*| = |*b*|. We can also write (a^∗b^∗) := μX(1 + aX + Xb), which is guarded but not left-guarded. However, if we define Kleene ∗ as in Example 4, then we can write a^∗ and b^∗ as left-guarded expressions and then take their product for an alternative representation of (a^∗b^∗). Note that the empty language ∅ is computed by the left-guarded expression μX(aX), cf. Example 3.
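As an added illustration of the definitions of this section (example code written for this page, not the paper's or its authors' code), the following Python interpreter encodes μ-expressions as nested tuples, decides (left-)productivity and (left-)guardedness per grammar (2) and the definition above, computes L(e) of Definition 1 cut off at a chosen word length, and builds the approximants e^n(0) by substitution; the tuple encoding and all helper names are my own, and the bracket letters of Dyck_1 are rendered as the constructed letters '<' and '>'.

```python
"""Added example (not the paper's code): a toy interpreter for closed mu-expressions.
Expressions are nested tuples: ('0',) ('1',) ('a', letter) ('X', name)
('+', e, f) ('.', e, f) ('mu', name, e)."""

Expr = tuple


def productive(e, left_only=False):
    """Grammar (2): p ::= a | p+q | p.e | e.p | mu X p; 'left-productive' drops e.p."""
    tag = e[0]
    if tag == 'a':
        return True
    if tag == '+':
        return productive(e[1], left_only) and productive(e[2], left_only)
    if tag == '.':
        return productive(e[1], left_only) or (not left_only and productive(e[2], left_only))
    if tag == 'mu':
        return productive(e[2], left_only)
    return False  # 0, 1 and variables are not productive


def guarded(e, left_only=False, uncovered=frozenset()):
    """Each variable occurrence must occur *free* in some productive subexpression.
    `uncovered` = variables bound below the nearest productive ancestor: an occurrence
    of one of them is not free in that ancestor, so that ancestor does not guard it."""
    tag = e[0]
    if tag == 'X':
        return e[1] not in uncovered
    if tag in ('0', '1', 'a'):
        return True
    if productive(e, left_only):
        uncovered = frozenset()  # every variable free in e is covered by e itself
    if tag == 'mu':
        return guarded(e[2], left_only, uncovered | {e[1]})
    return guarded(e[1], left_only, uncovered) and guarded(e[2], left_only, uncovered)


def lang(e, n, env=None):
    """Definition 1 restricted to words of length <= n; `env` maps variables to languages
    (Definition 1's language constants). Length-bounded languages form a finite lattice,
    so the least fixed point of A |-> L(e(A)) is reached by iterating from the empty set."""
    env = env or {}
    tag = e[0]
    if tag == '0':
        return frozenset()
    if tag == '1':
        return frozenset([''])
    if tag == 'a':
        return frozenset([e[1]]) if n >= 1 else frozenset()
    if tag == 'X':
        return env[e[1]]
    if tag == '+':
        return lang(e[1], n, env) | lang(e[2], n, env)
    if tag == '.':
        return frozenset(v + w for v in lang(e[1], n, env)
                         for w in lang(e[2], n, env) if len(v) + len(w) <= n)
    stage = frozenset()  # tag == 'mu': stage k of the iteration is L(e^k(0))
    while True:
        nxt = lang(e[2], n, {**env, e[1]: stage})
        if nxt == stage:
            return stage
        stage = nxt


def subst(e, name, f):
    """e(f): replace the free occurrences of `name` in e by the closed expression f."""
    tag = e[0]
    if tag == 'X':
        return f if e[1] == name else e
    if tag in ('+', '.'):
        return (tag, subst(e[1], name, f), subst(e[2], name, f))
    if tag == 'mu':
        return e if e[1] == name else ('mu', e[1], subst(e[2], name, f))
    return e


def approximant(mu_expr, k):
    """e^k(0) for mu_expr = mu X e(X): e^0(0) := 0 and e^(k+1)(0) := e(e^k(0))."""
    _, name, body = mu_expr
    acc = ('0',)
    for _ in range(k):
        acc = subst(body, name, acc)
    return acc


def plus(*es):
    return es[0] if len(es) == 1 else ('+', es[0], plus(*es[1:]))


def cat(*es):
    return es[0] if len(es) == 1 else ('.', es[0], cat(*es[1:]))


def star(e):
    """Example 4: e* := mu X (1 + eX), guarded exactly when e is productive."""
    return ('mu', 'X', plus(('1',), cat(e, ('X', 'X'))))


ONE, A, B, X = ('1',), ('a', 'a'), ('a', 'b'), ('X', 'X')
EMPTY_UNGUARDED = ('mu', 'X', X)                              # mu X X       (Example 3)
EMPTY_GUARDED = ('mu', 'X', cat(A, X))                        # mu X (aX)    (Example 3)
AN_BN = ('mu', 'X', plus(ONE, cat(A, X, B)))                  # {a^n b^n}_n  (Example 6)
A_STAR_B_STAR = ('mu', 'X', plus(ONE, cat(A, X), cat(X, B)))  # (a*b*): guarded, not left-guarded
STARS_PRODUCT = cat(star(A), star(B))                         # a* . b* from left-guarded stars
DYCK = ('mu', 'X', plus(ONE, cat(('a', '<'), X, ('a', '>'), X)))  # Dyck_1, constructed brackets

if __name__ == '__main__':
    for name, e in [('mu X X', EMPTY_UNGUARDED), ('{a^n b^n}', AN_BN), ('(a*b*)', A_STAR_B_STAR)]:
        print(name, guarded(e), guarded(e, True), sorted(lang(e, 4), key=len))
    print([sorted(lang(approximant(AN_BN, k), 6), key=len) for k in range(5)])
```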

# 3 A Non-wellfounded Proof System

In this section we extend a calculus HKA from [15] for regular expressions to all μexpressions, and prove soundness and completeness of its non-wellfounded proofs for the language model L(·). We shall apply this result in the next section to deduce completeness of an infinitary axiomatisation for L(·), before considering the extension to *greatest* fixed points later.

A hypersequent has the form Γ → S where Γ (the LHS) is a list of expressions (a cedent) and S (the RHS) is a set of such lists. We interpret lists by the product of their elements, and sets by the sum of their elements. Thus we extend our notation for language semantics by L(Γ) := L(∏Γ) and L(S) := ∑_{Γ∈S} L(Γ).

The system μHKA is given by the rules in Fig. 2. Here we use commas to delimit elements of a list or set and square brackets [, ] to delimit lists in a set. In the k rules, we write aS := {[a, Γ] : Γ ∈ S} and Sa := {[Γ, a] : Γ ∈ S}.

For each inference step, as typeset in Fig. 2, the principal formula is the distinguished magenta formula occurrence in the lower sequent, while any distinguished magenta formula occurrences in upper sequents are auxiliary. (Other colours may be safely ignored for now).

Our system differs from the original presentation of HKA in [15] as (a) we have general fixed point rules, not just for the Kleene ∗; and (b) we have included both left and right versions of the k rule, for symmetry. We extend the corresponding notions of non-wellfounded proof appropriately:

Definition 7 (Non-wellfounded Proofs). *A preproof (of* μHKA*) is generated* coinductively *from the rules of* μHKA *i.e. it is a possibly infinite tree of sequents (of height* ≤ ω*) generated by the rules of* μHKA*. A preproof is regular or cyclic if it has only finitely many distinct subproofs. An infinite branch of a preproof is progressing if it has infinitely many* μ*-*l *steps. A preproof is progressing, or a* ∞*-proof, if all its infinite branches are progressing. We write* μHKA <sup>∞</sup> Γ → S *if* Γ → S *has a* ∞*-proof in* μHKA*, and sometimes write* μHKA<sup>∞</sup> *for the class of* ∞*-proofs of* μHKA*.*

Note that our progress condition on preproofs is equivalent to simply checking that every infinite branch has infinitely many left-logical or k steps, as μ-l is the only rule among these that does not decrease the size of the LHS. This is simpler than usual conditions from non-wellfounded proof theory, as we do not have any alternations between the least and greatest fixed points. Indeed we shall require a more complex criterion later when dealing with ω-languages. Note that, as regular preproofs may be written naturally as finite graphs, checking progressiveness for them is efficiently decidable (even in **NL**, see e.g. [8,15]).

The need for such a complex hypersequential line structure is justified in [15] by the desideratum of *regular* completeness for the theory of regular expressions: intuitionistic 'Lambek-like' systems, cf. e.g. [16,26,49] are incomplete (wrt regular cut-free proofs). The complexity of the RHS of sequents in HKA is justified by consideration of proof search for, say, a^∗ → (aa)^∗ + a(aa)^∗ and (a + b)^∗ → a^∗(ba^∗)^∗, requiring reasoning under sums and products, respectively.

In our extended system, we gain *more* regular proofs of inclusions between context-free languages. For instance:

*Example 8.* Recall the guarded expressions {a^n b^n}_n and (a^∗b^∗) from Example 6. We have the regular ∞-proof R in Fig. 3 of {a^n b^n}_n → [(a^∗b^∗)], where • marks roots of identical subproofs. Note that indeed the only infinite branch, looping on •, has infinitely many μ-l steps.

*Remark 9 (Impossibility of General Regular Completeness).* At this juncture let us make an important point: it is impossible to have any (sound) recursively enumerable system, let alone regular cut-free proofs, complete for context-free inclusions, since this problem is Π^0_1-complete (see e.g. [27]). In this sense examples of regular proofs are somewhat coincidental.

It is not hard to see that each rule of μHKA is sound for language semantics:

Fig. 3. A regular ∞-proof R of {a^n b^n}_n → [(a^∗b^∗)].

Lemma 10 (Local Soundness). *For each inference step,*

$$\frac{\Gamma_0 \to S_0 \quad \cdots \quad \Gamma_{k-1} \to S_{k-1}}{\Gamma \to S} \tag{3}$$

*for some* k ≤ 2*, we have:* ∀i<k L(Γi) ⊆ L(Si) =⇒ L(Γ) ⊆ L(S)*.*

Consequently wellfounded μHKA proofs are also sound for L(·), by induction on their structure. For non-wellfounded proofs, we must employ a less constructive argument, typical of non-wellfounded proof theory:

Theorem 11 (Soundness). μHKA <sup>∞</sup> Γ → S =⇒ L(Γ) ⊆ L(S)*.*

*Proof (Sketch).* For contradiction, we use (the contrapositive of) Lemma 10 to construct an infinite 'invalid' branch B, along with an associated sequence of words (w_i)_{i<ω} of non-increasing length separating the LHS from the RHS. Now, either B has infinitely many k steps, meaning (|w_i|)_{i<ω} has no least element, or there are only finitely many k steps, in which case |w_i| is eventually dominated by the number of productive expressions in the sequent, by guardedness.

By inspection of the rules of μHKA we have:

Lemma 12 (Invertibility). *Let* r *be a logical step as in* (3)*.* L(Γ) ⊆ L(S) =⇒ L(Γi) ⊆ L(Si)*, for each* i<k*.*

Theorem 13 (Completeness). L(Γ) ⊆ L(S) ⇒ μHKA <sup>∞</sup> Γ → S*.*

In fact, we can obtain a stronger result for left-guarded sequents, namely the 'leftmost completeness' as we will see later in Sect. 5. There leftmostness is necessary for soundness, but here completeness is rather straightforward.

*Proof (Sketch).* We describe a bottom-up proof search strategy:


#### 4 Completeness of an Infinitary Cut-Free Axiomatisation

While our completeness result above was relatively simple to establish we can use it, along with proof theoretic techniques, to deduce completeness of an infinitary axiomatisation of the theory of μ-expressions. In fact we obtain an alternative proof of the result of [22], strengthening it to a 'cut-free' calculus μHKA^ω.

Write μCA for the set of axioms consisting of:


We are using the notation f^n(0) defined by f^0(0) := 0 and f^{n+1}(0) := f(f^n(0)). We also write e ≤ f for the natural order given by e+f = f. Now define μHKA^ω to be the extension of μHKA by the 'ω-rule':

$$
\omega\ \frac{\{\Gamma, e^n(0), \Gamma' \to S\}_{n < \omega}}{\Gamma, \mu X e(X), \Gamma' \to S}
$$

By inspection of the rules we have soundness of μHKA^ω for μCA:

Proposition 14. μHKA<sup>ω</sup> Γ → S =⇒ μCA Γ ≤ ∑_{Δ∈S} Δ*.*

Here the soundness of the ω-rule above is immediate from μ-continuity in μCA. Note, in particular, that μCA already proves that μXe(X) is indeed a fixed point of e(·), i.e. e(μXe(X)) = μXe(X) [22]. The main result of this section is:

Theorem 15. μHKA <sup>∞</sup> e → f =⇒ μHKA<sup>ω</sup> e ≤ f

Note that, immediately from Theorem 13 and Proposition 14, we obtain:

Corollary 16. L(e) ⊆ L(f) =⇒ μHKA<sup>ω</sup> e ≤ f =⇒ μCA e ≤ f

To prove Theorem 15 we employ similar techniques to those used for an extension of *linear logic* with least and greatest fixed points [11], only specialised to the current setting.

Lemma 17 (Projection). *For each* ∞*-proof* P *of* Γ, μXe(X), Γ′ → S *there are* ∞*-proofs* P(n) *of* Γ, e^n(0), Γ′ → S*, for each* n<ω*.*

The definition of P(n) is somewhat subtle, relying on a form of 'signature' common in fixed point logics, restricted to ω. See [11, Definition 15, Proposition 18] for a formal definition and proof of the analogous result. We shall thus use the notation P(n) etc. freely in the sequel.

From here it is simple to provide a translation from μHKA ∞-proofs to μHKA<sup>ω</sup> preproofs, as in Definition 22 shortly. However, to prove the image of the translation is *wellfounded*, we shall need some structural proof theoretic machinery, which will also serve later use when dealing with greatest fixed points in Sects. 5 and 6.

#### 4.1 Intermezzo: Ancestry and Threads

Given an inference step r, as typeset in Fig. 2, we say a formula occurrence f in an upper sequent is an immediate ancestor of a formula occurrence e in the lower sequent if they have the same colour; furthermore if e and f occur in a cedent Γ, Γ′, Δ, Δ′, they must be the matching occurrences of the same formula (i.e. at the same position in the cedent); similarly if e and f occur in the RHS context S, they must be matching occurrences in matching lists.

Construing immediate ancestry as a directed graph allows us to characterise progress by consideration of its paths:

Definition 18 ((Progressing) Threads). *Fix a preproof* P*. A thread is a maximal path in the graph of immediate ancestry. An infinite thread on the LHS is progressing if it is infinitely often principal (i.o.p.) for a* μ*-*l *step.*

Our overloading of terminology is suggestive:

Proposition 19. P *is progressing* ⇔ *each branch of* P *has a progressing thread.*

This has a somewhat subtle proof, relying on König's lemma on the ancestry graph of a progressing branch in order to recover a progressing thread.

*Example 20.* Recall the ∞-proof in Example 8. The only infinite branch, looping on •, has a progressing thread indicated in magenta.

Fact 21 (See, e.g., [30,36]) *Any i.o.p. thread has a unique smallest i.o.p. formula, under the subformula relation. This formula must be a fixed point formula.*

#### 4.2 Translation to *ω*-Branching System

We are now ready to give a translation from μHKA^∞ to μHKA^ω.

Definition 22 (ω-Translation). *For preproofs* P *define* P <sup>ω</sup> *by coinduction:*

– (·)^ω *commutes with any step that is not a* μ*-*l*.*

Theorem 15 now follows immediately from the following result, obtained by analysis of progressing threads in the image of the ω-translation:

Lemma 23. P *is progressing* =⇒ P^ω *is wellfounded.*

The proof of Lemma 23 follows the same argument as for the analogous result in [11, Lemma 23].

*Example 24.* Recalling Example 8, let us see the ω-translation of R in Fig. 3. First, let us (suggestively) write {a^k b^k}_{k<n} for the n-th approximant of {a^n b^n}_n, i.e. {a^k b^k}_{k<0} := 0 and {a^k b^k}_{k<n+1} := 1 + a{a^k b^k}_{k<n}b. Now R^ω is given below, left, where recursively R(0) is the single 0-l step concluding 0 → (a^∗b^∗), and R(n + 1) is given below, right:

#### 5 Greatest Fixed Points and *ω*-Languages

We extend the grammar of expressions from (1) by:

$$e, f, \dots \quad ::= \quad \cdots \quad \mid \quad \nu Xe(X)$$

We call such expressions μν*-expressions* when we need to distinguish them from ones without ν. The notions of a *(left-)productive* and *(left-)guarded* expression are defined in the same way, extending the grammar of (2) by the clause νXp.

As expected μν-expressions denote languages of finite and infinite words:

Definition 25 (Intended Semantics of μν-Expressions). *We extend the notation* vw *to all* v, w ∈ A^{≤ω} *by setting* vw = v *when* |v| = ω*. We extend the definition of* L(·) *from Definition 1 to all* μν*-expressions by setting* L(νXe(X)) := ⋃{A : A ⊆ L(e(A))} *where now* A *varies over subsets of* A^{≤ω}*.*

Again, since all the operations are monotone, L(νXe(X)) is indeed the greatest fixed point of the operation A → L(e(A)), by the Knaster-Tarski theorem. In fact (ω-)languages computed by μν-expressions are just the 'ω-context-free languages' (ω-CFLs), cf. [5,42], defined as the 'Kleene closure' of CFLs:

Definition 26 (ω-Context-Free Languages). *For* A ⊆ A^+ *we write* A^ω := {w_0 w_1 w_2 ··· : ∀i<ω w_i ∈ A}*. The class of* ω*-CFLs (*CF^ω*) is defined by:*

$$\mathsf{CF}^{\omega} \ := \left\{ \bigcup\_{i$$

It is not hard to see that each ω-CFL is computed by a μν-expression, by noting that L(e)^ω = L(νX(eX)):

Proposition 27. L ∈ CF^ω =⇒ L = L(e) *for some left-productive* e*.*

We shall address the converse of this result later. First let us present our system for μν-expressions, a natural extension of μHKA earlier:

Definition 28 (System). *The system* μνHKA *extends* μHKA *by the rules:*

$$\nu\text{-}l\ \frac{\Gamma, e(\nu Xe(X)), \Gamma' \to S}{\Gamma, \nu Xe(X), \Gamma' \to S} \qquad \nu\text{-}r\ \frac{\Gamma \to S, [\Delta, e(\nu Xe(X)), \Delta']}{\Gamma \to S, [\Delta, \nu Xe(X), \Delta']} \tag{4}$$

Preproofs *for this system are defined just as for* μHKA *before. The definitions of* immediate ancestor *and* thread *for* μνHKA *extend those of* μHKA *from Definition 18 according to the colouring above in* (4)*.*

However we must be more nuanced in defining progress, requiring a definition at the level of threads as in Sect. 4. Noting that Fact 21 holds for our extended language with νs as well as μs, we call an i.o.p. thread a μ-thread (or ν-thread) if its smallest i.o.p. formula is a μ-formula (or ν-formula, respectively).

Definition 29 (Progress). *Fix a preproof* P*. We say that an infinite thread* τ *along a (infinite) branch* B *of* P *is progressing if it is i.o.p. and it is a* μ*thread on the LHS or it is a* ν*-thread on the RHS.* B *is progressing if it has a progressing thread.* P *is a* ∞*-proof of* μνHKA *if each of its infinite branches has a progressing thread.*

*Example 30.* Write e := νZ(abZ) and f := μY (b + νX(aY X)). The sequent e → [f] has a preproof given in Fig. 4. This preproof has just one infinite branch, looping on •, which indeed has a progressing thread following the magenta formulas. The only fixed point infinitely often principal along this thread is νX(afX), which is principal at each •. Thus this preproof is a proof and e → [f] is a theorem of μHKA<sup>∞</sup>.

Note that, even though this preproof is progressing, the infinite branch's smallest i.o.p. formula on the RHS is *not* a ν-formula, e.g. given by the magenta thread, as f is also i.o.p. Let us point out that (a) the progressiveness condition only requires *existence* of a progressing thread, even if other threads are not progressing (like the unique LHS thread above).

#### Some Necessary Conventions: Left-Guarded and Leftmost

Crucially, due to the asymmetry in the definition of the product of infinite words, we must employ further conventions to ensure soundness and completeness of ∞-proofs for L(·). Our choice of conventions is inspired by the usual 'leftmost' semantics of 'ω-CFGs', which we shall see in the next section.

First, we shall henceforth work with a *leftmost* restriction of μνHKA in order to maintain soundness for L(·):

Fig. 4. A μνHKA ∞-preproof of e → [f], where e := νZ(abZ) and f := μY (b + νX(aY X)).

Definition 31. *A* μνHKA *preproof is leftmost if each logical step has principal formula the leftmost formula of its cedent, and there are no* k*-*r *steps. Write* μνHKA *for the restriction of* μνHKA *to only leftmost steps and* μνHKA^∞ *for the class of* ∞*-proofs of* μνHKA*.*

We must also restrict ourselves to left-guarded expressions in the sequel:

Convention 32 *Henceforth, all expressions are assumed to be left-guarded.*

Let us justify both of these restrictions via some examples.

*Remark 33 (Unsound for Non-leftmost).* Unlike the μ-only setting it turns out that μνHKA^∞ is unsound without the leftmost restriction, regardless of left-guardedness. For instance consider the preproof,

$$
\nu\text{-}r\;\dfrac{\;\cdot\text{-}r\;\dfrac{\;\nu\text{-}r\;\dfrac{\vdots}{a, \bullet \to [a,\ \nu X(aX)]}\;}{\to [a\,\nu X(aX)]}\;}{\bullet \to [\nu X(aX)]}
$$

where a, • roots the same subproof as •, but for an extra a on the left of every RHS. Of course the endsequent is not valid, as the LHS denotes {ε} while the RHS denotes {a^ω}. Note also that, while it is progressing thanks to the thread in magenta, it is not leftmost due to the topmost displayed ν-r step.

*Remark 34 (Incomplete for Unguarded).* On the other hand, without the left-guardedness restriction, μνHKA^∞ is not complete. For instance the sequent νXX → [ ], {[a, νXX]}_{a∈A} is indeed valid as both sides compute all of P(A^{≤ω}): any word is either empty or begins with a letter. However the only available (leftmost) rule application, bottom-up, is ν-l, which is a fixed point of leftmost proof search, obviously not yielding a progressing preproof.

Fig. 5. Rules of the evaluation puzzle.

## 6 Metalogical Results: A Game-Theoretic Approach

Now we return to addressing the expressiveness of both the syntax of μν-expressions and our system μνHKA^∞, employing game-theoretic methods.

#### 6.1 Evaluation Puzzle and Soundness

As an engine for our main metalogical results about μνHKA, and for a converse to Proposition 27, we first characterise membership via games:

Definition 35. *The evaluation puzzle is a puzzle (i.e. one-player game) whose positions are pairs* (w, Γ) *where* <sup>w</sup> ∈ A<sup>≤</sup><sup>ω</sup> *and* <sup>Γ</sup> *is a cedent, i.e. a list of* μν*-expressions. A play of the puzzle runs according to the rules in Fig. 5: puzzle-play is deterministic at each state except when the expression is a sum, in which case a choice must be made. During a play of the evaluation puzzle, formula ancestry and threads are defined as for* μνHKA *preproofs, by associating each move with the LHS of a left logical rule. A play is winning if:*


*Example 36.* Define d := μX(⟨⟩ + ⟨X⟩X), the set of non-empty well-bracketed words. Let d^ω := νY dY. Let us look at a play from (⟨^ω, [d^ω]).

(⟨^ω, [d^ω]) → (⟨^ω, [dd^ω]) → (⟨^ω, [d, d^ω]) → (⟨^ω, [⟨⟩ + ⟨d⟩d, d^ω]) → (⟨^ω, [⟨d⟩d, d^ω]) → ⋯

The play continues without d^ω ever being principal (essentially, going into deeper and deeper nesting to match a ⟨ with a ⟩). Since even the first match is never made there is no hope of progress. The play (and, in fact, any play) is thus losing. On the other hand the following play from (u, [d^ω]), where u = (⟨⟩)^ω, is indeed winning, with progressing ν-thread indicated in magenta.

(u, [d^ω]) → (u, [d, d^ω]) → (u, [⟨⟩ + ⟨d⟩d, d^ω]) → (u, [⟨⟩, d^ω]) → (u, [⟨, ⟩, d^ω]) → (⟩u, [⟩, d^ω]) → (u, [d^ω]) → ⋯

Theorem 37 (Evaluation). w ∈ L(Γ) ⇔ *there is a winning play from* (w, Γ)*.*

The proof is rather involved, employing the method of 'signatures' common in fixed point logics, cf. e.g. [48], which serve as 'least witnesses' to word membership via carefully managing *ordinal approximants* for fixed points. Here we must be somewhat more careful in the argument because positions of our puzzle include *cedents*, not single formulas: we must crucially assign signatures to *each* formula of a cedent. Working with cedents rather than formulas allows the evaluation puzzle to remain strictly single player. This is critical for expressivity: *alternating* context-free grammars and pushdown automata compute more than just CFLs [4,45].

We can now prove the soundness of μνHKA<sup>∞</sup> by reduction to Theorem 37:

Theorem 38 (Soundness). μνHKA <sup>∞</sup> Γ → S =⇒ L(Γ) ⊆ L(S)*.*

*Proof (Sketch).* Let P be a ∞-proof of Γ → S and w ∈ L(Γ). We show w ∈ L(S). First, since w ∈ L(Γ) there is a winning play π from (w, Γ) by Theorem 37, which induces a unique (maximal) branch B_π of P which must have a progressing thread τ. Now, since π is a *winning* play from (w, e), τ cannot be on the LHS, so it is an RHS ν-thread following, say, a sequence of cedents [Γ_i]_{i<ω}. By construction [Γ_i]_{i<ω} has an infinite subsequence, namely whenever it is principal, that forms (the right components of) a winning play from (w, Γ_0), with Γ_0 ∈ S. Thus indeed w ∈ L(S) by Theorem 37.

#### 6.2 *ω*-Context-Freeness via Muller Grammars

We can now use the adequacy of the evaluation puzzle to recover a converse of Proposition 27. For this, we need to recall a grammar-formulation of CF<sup>ω</sup>, due to Cohen and Gold [5] and independently Nivat [46,47].

A Muller (ω-)CFG (MCFG) is a CFG G, equipped with a set F ⊆ P(V) of accepting sets of productions. We define a rewrite relation →_G ⊆ (V∪A)^∗ × (V∪A)^∗, leftmost reduction, by *a*Xv →_G *a*uv whenever *a* ∈ A^∗, X → u is a production of G and v ∈ (V∪A)^∗. A leftmost derivation is just a maximal (possibly infinite) sequence along →_G. We say G accepts w ∈ A^{≤ω} if there is a leftmost derivation δ such that δ converges to w and the set of infinitely often occurring states that are LHSs of productions along δ is in F. We write L(G) for the set of words G accepts.

Theorem 39 ([5,46,47]). *Let* L ⊆ A^ω*.* L ∈ CF^ω ⇔ L = L(G) *for a MCFG* G*.*

Now we have a converse of Proposition 27 by:

Proposition 40. *For each expression* e *there is a MCFG* G *s.t.* L(e) = L(G)*.*

*Proof (sketch).* Given a μν-expression e, we construct a grammar just like in the proof of Theorem 5, but with extra clause X_{νXf(X)} → X_{f(νXf(X))}. We maintain two copies of each non-terminal, one magenta and one normal so that a derivation also 'guesses' a ν-thread 'on the fly'. Now set F, the set of acceptable sets, to include all sets extending some {X_f : f ∈ E}, for E with the smallest expression a ν-formula, by normal non-terminals. Now any accepting leftmost derivation of a word w from X_e describes a winning play of the evaluation puzzle from (w, e) and vice-versa.

#### 6.3 Proof Search Game and Completeness

In order to prove completeness of μνHKA^∞, we need to introduce a game-theoretic mechanism for organising proof search, in particular so that we can rely on *determinacy* principles thereof.

Definition 41 (Proof Search Game). *The* proof search game *(for* μνHKA*) is a two-player game played between Prover* (**P**)*, whose positions are inference steps of* μνHKA*, and Denier* (**D**)*, whose positions are sequents of* μνHKA*. A play of the game starts from a particular sequent: at each turn,* **P** *chooses an inference step with the current sequent as conclusion, and* **D** *chooses a premiss of that step; the process repeats from this sequent as long as possible.*

*An infinite play of the game is won by* **P** *(aka lost by* **D***) if the branch constructed has a progressing thread; otherwise it is won by* **D** *(aka lost by* **P***). In the case of deadlock, the player with no valid move loses.*

Proposition 42 (Determinacy (∃0#)). *The proof search game is determined, i.e. from any sequent* Γ → S*, either* **P** *or* **D** *has a winning strategy.*

Note that the winning condition of the proof search game is (lightface) analytic, i.e. Σ^1_1: "there *exists* a progressing thread". Lightface analytic determinacy lies beyond ZFC, as it is equivalent to the existence of 0# [24]. Further consideration of our metatheory is beyond the scope of this work.

It is not hard to see that **P**-winning-strategies are 'just' ∞-proofs. Our goal is to show a similar result for **D**, a sort of 'countermodel construction'.

Lemma 43. **D** *has a winning strategy from* Γ → S =⇒ L(Γ) \ L(S) ≠ ∅*.*

Before proving this, let us point out that Lemma 12 applies equally to the system μνHKA. We also have the useful observation:

Proposition 44 (Modal). L(aΓ) ⊆ {ε} ∪ ⋃_{a∈A} L(aS_a) =⇒ L(Γ) ⊆ L(S_a)*.*

This follows directly from the definition of L(·). Now we can carry out our 'countermodel construction' from **D**-winning-strategies:

*Proof (Sketch, of Lemma* 43*).* Construct a **P**-strategy p that is deadlock-free by always preserving validity, relying on Lemma 12 and Proposition 44. Now, suppose d is a **D**-winning-strategy and play p against it to construct a play B = (S_i)_{i<ω} = (Γ_i → S_i)_{i<ω}. Note that indeed this play must be infinite since (a) p is deadlock-free; and (b) d is **D**-winning. Now, let w = ∏_{k-l a ∈ B} a be the product of the labels of the k steps along B, in the order they appear bottom-up. We claim w ∈ L(Γ) \ L(S):


Now from Proposition 42 and Lemma 43, observing that **P**-winning-strategies are just ∞-proofs, we conclude:

Theorem 45 (Completeness). L(Γ) ⊆ L(S) =⇒ μνHKA <sup>∞</sup> Γ → S*.*

#### 7 Complexity Matters and Further Perspectives

In this section we make further comments, in particular regarding the complexity of our systems, at the level of arithmetical and analytical hierarchies. These concepts are well-surveyed in standard textbooks, e.g. [44,50], as well as various online resources.

Complexity and Irregularity for Finite Words. The equational theory of μ-expressions in L(·) is Π⁰₁-complete, i.e. co-recursively-enumerable, due to the same complexity of universality of context-free grammars (see, e.g., [27]). In this sense there is no hope of attaining a finitely presentable (e.g. cyclic, inductive) system for the equational theory of μ-expressions in L(·). However it is not hard to see that our wellfounded system μHKA<sup>ω</sup> enjoys optimal Π⁰₁ proof search, thanks to invertibility and termination of the rules, along with decidability of membership checking. Indeed a similar argument is used by Palka in [49] for the theory of '∗-continuous action lattices'. Furthermore let us point out that our non-wellfounded system also enjoys optimal proof search: μHKA ⊢<sup>∞</sup> Γ → S is equivalent, by invertibility, to checking that *every* sequent a → S reachable by only left rules in bottom-up proof search has a polynomial-size proof (bound induced by the length of leftmost derivations). This is a Π⁰₁ property.

Complexity and Inaxiomatisability for Infinite Words. It would be natural to wonder whether a similar argument to Sect. 4 gives rise to some infinitary axiomatisation of the equational theory of μν-expressions in L(·). In fact, it turns out this is impossible: the equational theory of ω-CFLs is Π¹₂-complete [19], so there is no hope of a Π⁰₁ (or even Σ¹₂) axiomatisation. In particular, the projection argument of Sect. 4 cannot be scaled to the full system μνHKA because · does not distribute over ∩ in L(·), for the corresponding putative 'right ω steps' for ν. For instance 0 = ((aa)<sup>∗</sup> ∩ a(aa)<sup>∗</sup>)a<sup>∗</sup> ≠ (aa)<sup>∗</sup>a<sup>∗</sup> ∩ a(aa)<sup>∗</sup>a<sup>∗</sup> = aa<sup>∗</sup>. Indeed let us point out that here it is crucial to use our hypersequential system HKA as a base rather than, say, the intuitionistic systems of other proof theoretic works for regular expressions (and friends) [16,49]: the appropriate extension of those systems by μs and νs should indeed enjoy an ω-translation, due to only one formula on the right, rendering them incomplete.

Again let us point out that ∞-provability in μνHKA, in a sense, enjoys optimal complexity. By determinacy of the proof search game, μνHKA ⊢<sup>∞</sup> Γ → S if and only if there is *no* **D**-winning-strategy from Γ → S. The latter is indeed a Π¹₂ statement: "*for every* **D**-strategy, *there exists* a play along which *there exists* a progressing thread".

Comparison to [22]. Our method for showing completeness of μHKA<sup>ω</sup> is quite different from the analogous result of [22], which uses the notion of 'rank' for μ-formulas, cf. [1]. Our result is somewhat stronger, giving *cut-free* completeness, but it could be possible to use ranks directly to obtain such a result too. More interestingly, the notion of projections and ω-translation should be well-defined (for LHS μ-formulas) even in the presence of νs, cf. [11], whereas the rank method apparently breaks down in such extensions. This means that our method should also scale to μνHKA ∞-proofs where, say, each infinite branch has a LHS μ-thread. It would be interesting to see if this method can be used to axiomatise some natural fragments of ω-context-free inclusions.

Note that, strictly speaking, our completeness result for μCA was only given for the guarded fragment. However it is known that μCA (and even weaker theories) already proves the equivalence of each expression to one that is even left-guarded, by formalising conversion to Greibach normal form [18].

# 8 Conclusions

In this work we investigated the proof theory of context-free languages (CFLs) over a syntax of μ-expressions. We defined a non-wellfounded proof system μHKA<sup>∞</sup> and showed its soundness and completeness for the model L(·) of context-free languages. We used this completeness result to recover the same for a cut-free ω-branching system μHKA<sup>ω</sup> via proof-theoretic techniques. This gave an alternative proof of the completeness for the theory of μ-continuous Chomsky algebras from [22]. We extended μ-expressions by *greatest* fixed points to obtain a syntax for ω-context-free languages. We studied the resulting system μνHKA<sup>∞</sup> and showed its soundness and completeness for the model L(·) of context-free languages, employing game theoretic techniques.

Since inclusion of CFLs is Π⁰₁-complete, no recursively enumerable (r.e.) system can be sound and complete for their equational theory. However, by restricting products to a letter on the left one can obtain a syntax for *right-linear grammars*. Indeed, for such a restriction complete cyclic systems can be duly obtained [10]. It would be interesting to investigate systems for related decidable or r.e. inclusion problems, e.g. inclusions of context-free languages in regular languages, and inclusions of *visibly pushdown* languages [2,3].

The positions of our evaluation puzzle for μν-expressions use cedents to decompose products, similar to the stack of a pushdown automaton, rather than requiring an additional player. Previous works have similarly proposed model-checking games for (fragments/variations of) context-free expressions, cf. [37,43], where more complex winning conditions seem to be required. It would be interesting to compare our evaluation puzzle to those games in more detail.

Note that our completeness result, via determinacy of the proof search game, depends on the assumption of (lightface) analytic determinacy. It is natural to ask whether this is necessary, but this consideration is beyond the scope of this work. Let us point out, however, that even ω-context-free determinacy exceeds the capacity of ZFC [20,41].

Finally, it would be interesting to study the *structural* proof theory arising from systems μHKA<sup>∞</sup> and μνHKA<sup>∞</sup>, cf. [16]. It would also be interesting to see if the restriction to leftmost ∞-proofs can be replaced by stronger progress conditions, such as the 'alternating threads' from [13,14], in a similar hypersequential system for predicate logic. Note that the same leftmost constraint was employed in [25] for an extension of HKA to *ω-regular languages*.

Acknowledgments. This work was supported by a UKRI Future Leaders Fellowship, 'Structure vs Invariants in Proofs', project reference MR/S035540/1. The authors are grateful to anonymous reviewers for their helpful comments (in particular, leading to Example 30) and for pointing us to relevant literature such as [37,43,45].

#### References



# A Cyclic Proof System for Guarded Kleene Algebra with Tests

Jan Rooduijn<sup>1</sup>, Dexter Kozen<sup>2</sup>, and Alexandra Silva<sup>2</sup>

<sup>1</sup> Institute of Logic, Language and Computation, University of Amsterdam, Amsterdam, The Netherlands, janrooduijn@gmail.com
<sup>2</sup> Cornell University, Ithaca, NY, USA

Abstract. Guarded Kleene Algebra with Tests (GKAT for short) is an efficient fragment of Kleene Algebra with Tests, suitable for reasoning about simple imperative while-programs. Following earlier work by Das and Pous on Kleene Algebra, we study GKAT from a proof-theoretical perspective. The deterministic nature of GKAT allows for a non-well-founded sequent system whose set of regular proofs is complete with respect to the guarded language model. This is unlike the situation with Kleene Algebra, where hypersequents are required. Moreover, the decision procedure induced by proof search runs in NLOGSPACE, whereas that of Kleene Algebra is in PSPACE.

Keywords: Kleene Algebra · Guarded Kleene Algebra with Tests · Cyclic proofs

# 1 Introduction

Guarded Kleene Algebra with Tests (GKAT) is the fragment of Kleene Algebra with Tests (KAT) comprised of the deterministic while programs. Those are the programs built up from sequential composition (e · f), conditional branching (if-b-then-e-else-f) and loops (while b do e). For an introduction to KAT we refer the reader to [10]. The first papers focusing on the fragment of KAT that is nowadays called GKAT are Kozen's [11] and Kozen & Tseng's [12], where it is used to study the relative power of several programming constructs.

As GKAT is a fragment of KAT, it directly inherits a rich theory. It admits a language semantics in the form of *guarded strings* and for every expression there is a corresponding KAT-automaton. Already in [12] it was argued that GKAT expressions are more closely related to so-called *strictly deterministic automata*, where every state transition executes a primitive program. Smolka et al. significantly advanced the theory of GKAT in [22], by studying various additional semantics, identifying the precise class of strictly deterministic automata corresponding to GKAT-expressions (proving a *Kleene theorem*), giving a nearly linear decision procedure of the equivalence of GKAT-expressions, and studying its equational axiomatisation. Since then GKAT has received considerable further attention, *e.g.* in [17,20,21,24].

The research of Jan Rooduijn has been made possible by a grant from the Dutch Research Council NWO, project number 617.001.857.

© The Author(s) 2024

C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 257–275, 2024. https://doi.org/10.1007/978-3-031-63501-4_14

One of the most challenging and intriguing aspects of GKAT is its proof theory. The standard equational axiomatisation of KAT from [10] does not simply restrict to GKAT, since a derivation of an expression that lies within the GKAT-fragment might very well contain expressions that lie outside of it. Moreover, the axiomatisation of KAT contains a least fixed point rule that relies on the equational definability of inclusion, which does not seem to be available in GKAT.

In [22], this problem is circumvented by introducing a custom equational axiomatisation for GKAT that uses a *unique* fixed point rule. While a notable result, this solution is still not entirely satisfactory. First, completeness is only proven under the inclusion of a variant of the unique fixed point rule that operates on entire systems of equations (this problem was recently addressed for the so-called *skip-free* fragment of GKAT in [21]). Moreover, even the ordinary, single-equation, unique fixed point rule contains a non-algebraic side-condition, analogous to the empty word property in Salomaa's axiomatisation of Kleene Algebra [18]. Because of this, a proper definition of 'a GKAT' is still lacking.

In recent years the proof theory of logics with fixed point operators (such as while-b-do-e) has seen increasing interest in *non-well-founded* proofs. In such proofs, branches need not be closed by axioms, but may alternatively be infinitely deep. To preserve soundness, a progress condition is often imposed on each infinite branch, facilitating a soundness proof by infinite descent. In some cases non-well-founded proofs can be represented by finite trees with back-edges, which are then called *cyclic proofs*. See *e.g.* [2,4,5,8,13] for a variety of such approaches. Often, the non-well-founded proof theory of some logic is closely related to its corresponding automata theory. Taking the proof-theoretical perspective, however, can be advantageous because it is more fine-grained and provides a natural setting for establishing results such as interpolation [3,14], cut elimination [1,19], and completeness by proof transformation [6,23].

In [7], Das & Pous study the non-well-founded proof theory of Kleene Algebra, a close relative of GKAT (for background on Kleene Algebra we refer the reader to [9]). They show that a natural non-well-founded sequent system for Kleene Algebra is not complete when restricting to the subset of cyclic proofs. To remedy this, they introduce a *hypersequent* calculus, whose cyclic proofs *are* complete. They give a proof-search procedure for this calculus and show that it runs in PSPACE. Since deciding Kleene Algebra expressions is PSPACE-complete, their proof-search procedure induces an optimal decision procedure for this problem. In a follow-up paper together with Doumane, left-handed completeness of Kleene Algebra is proven by translating cyclic proofs in the hypersequent calculus to well-founded proofs in left-handed Kleene Algebra [6].

The goal of the present paper is to study the non-well-founded proof theory of GKAT. This is interesting in its own right, for instance because, as we will see, it has some striking differences with Kleene Algebra. Moreover, we hope it opens up new avenues for exploring the completeness of algebraic proof systems for GKAT, through the translation of our cyclic proofs.

Outline. Our paper is structured as follows.


Our Contributions. Our paper closely follows the treatment of Kleene Algebra in [7]. Nevertheless, we make the following original contributions:


Due to space limitations several proofs are only sketched or omitted entirely. Full versions of these proofs can be found in the extended version of this paper [15].

# 2 Preliminaries

#### 2.1 Syntax

The language of GKAT has two sorts, namely *programs* and a subset thereof consisting of *tests*. It is built from a finite and non-empty set T of *primitive tests* and a non-empty set Σ of *primitive programs*, where T and Σ are disjoint. For the rest of this paper we fix such sets T and Σ. We reserve the letters t and p to refer, respectively, to arbitrary primitive tests and primitive programs. The first of the following grammars defines the *tests*, and the second the *expressions*.

$$a, b, c ::= 0 \mid 1 \mid t \mid \overline{b} \mid b \lor c \mid b \cdot c \qquad \quad e, f ::= b \mid p \mid e \cdot f \mid e +_b f \mid e^{(b)},$$

where t ∈ T and p ∈ Σ. Intuitively, the operator +<sub>b</sub> stands for the if-then-else construct, and the operator (−)<sup>(b)</sup> stands for the while loop. Note that the tests are simply propositional formulas. It is convention to use · instead of ∧ for conjunction. As usual, we often omit · for syntactical convenience, *e.g.* by writing pq instead of p · q.

*Example 1.* The idea of GKAT is to model imperative programs. For instance, the expression (p +<sub>b</sub> q)<sup>(a)</sup> represents the following imperative program:

`while a do (if b then p else q)`

*Remark 1.* As mentioned in the introduction, GKAT is a fragment of Kleene Algebra with Tests, or KAT [10]. The syntax of KAT is the same as that of GKAT, but with unrestricted union + instead of guarded union +<sub>b</sub>, and unrestricted iteration (−)<sup>∗</sup> instead of the while loop operator (−)<sup>(b)</sup>. The embedding ϕ of GKAT into KAT acts on guarded union and guarded iteration as follows, and commutes with all other operators: ϕ(e +<sub>b</sub> f) = b · ϕ(e) + b̄ · ϕ(f), and ϕ(e<sup>(b)</sup>) = (b · ϕ(e))<sup>∗</sup> · b̄.

#### 2.2 Semantics

There are several kinds of semantics for GKAT. In [22], a *language* semantics, a *relational* semantics, and a *probabilistic* semantics are given. In this paper we are only concerned with the language semantics, which we shall now describe.

We denote by At the set of *atoms* of the free Boolean algebra generated by T = {t₁, ..., t<sub>n</sub>}. That is, At consists of all tests of the form c₁ ··· c<sub>n</sub>, where c<sub>i</sub> ∈ {t<sub>i</sub>, t̄<sub>i</sub>} for each 1 ≤ i ≤ n. Lowercase Greek letters (α, β, γ, . . .) will be used to denote elements of At. A *guarded string* is an element of the regular set At · (Σ · At)<sup>∗</sup>. That is, a string of the form α₁p₁α₂p₂ ··· α<sub>n</sub>p<sub>n</sub>α<sub>n+1</sub>. We will interpret expressions as languages (formally just sets) of guarded strings. The sequential composition operator · is interpreted by the *fusion product* ⋄, given by L ⋄ K := {xαy | xα ∈ L and αy ∈ K}. For the interpretation of +<sub>b</sub>, we define for every set of atoms B ⊆ At the following operation of *guarded union* on languages: L +<sub>B</sub> K := (B ⋄ L) ∪ (B̄ ⋄ K), where B̄ is At \ B. For the interpretation of (−)<sup>(b)</sup>, we stipulate:

$$L^0 := \mathsf{At} \qquad \qquad L^{n+1} := L^n \diamond L \qquad \qquad L^B := \bigcup_{n \ge 0} (B \diamond L)^n \diamond \overline{B}$$

Finally, the semantics of GKAT is inductively defined as follows:

$$\begin{aligned} \llbracket b \rrbracket &:= \{\alpha \in \mathsf{At} : \alpha \le b\} & \llbracket p \rrbracket &:= \{\alpha p \beta : \alpha, \beta \in \mathsf{At}\} & \llbracket e \cdot f \rrbracket &:= \llbracket e \rrbracket \diamond \llbracket f \rrbracket \\ \llbracket e +_b f \rrbracket &:= \llbracket e \rrbracket +_{\llbracket b \rrbracket} \llbracket f \rrbracket & \llbracket e^{(b)} \rrbracket &:= \llbracket e \rrbracket^{\llbracket b \rrbracket} \end{aligned}$$

Note that the interpretation of · between tests is the same whether they are regarded as tests or as programs, *i.e.* ⟦b⟧ ∩ ⟦c⟧ = ⟦b⟧ ⋄ ⟦c⟧.

*Remark 2.* While the semantics of expressions is explicitly defined, the semantics of tests is derived implicitly through the free Boolean algebra generated by T. It is standard in the GKAT literature to address the Boolean content in this manner.

*Example 2.* In a guarded string, atoms can be thought of as states of a machine, and programs as executions. For instance, in case of the guarded string αpβ, the machine starts in state α, then executes program p, and ends in state β. Let us briefly check which guarded strings of, say, the form αpβqγ belong to the interpretation ⟦(p +<sub>b</sub> q)<sup>(a)</sup>⟧ of the program of Example 1. First, we must have α ≤ a, for otherwise we would not enter the loop. Moreover, we have α ≤ b, for otherwise q rather than p would be executed. Similarly, we find that β ≤ a, b̄. Since the loop is exited after two iterations, we must have γ ≤ ā. Hence, we find

$$\alpha p \beta q \gamma \in \llbracket (p +_b q)^{(a)} \rrbracket \Leftrightarrow \alpha \le a, b \text{ and } \beta \le a, \overline{b} \text{ and } \gamma \le \overline{a}.$$

We state two simple facts that will be useful later on.

Lemma 1. *For any two languages* L, K *of guarded strings, and primitive program* p*, we have:*

$$(i)\ L^{n+1} = L \diamond L^n; \qquad (ii)\ \llbracket p \rrbracket \diamond L = \llbracket p \rrbracket \diamond K \text{ implies } L = K.$$

*Remark 3.* The fact that GKAT models deterministic programs is reflected in the fact that sets of guarded strings arising as interpretations of GKAT-expressions satisfy a certain *determinacy property*. Namely, for every xαy and xαz in L, either y and z are both empty, or both begin with the same primitive program. We refer the reader to [22] for more details.

*Remark 4.* The language semantics of GKAT is the same as that of KAT (see [10]), in the sense that ⟦e⟧ = ⟦ϕ(e)⟧, where ϕ is the embedding from Remark 1, the semantic brackets on the right-hand side denote the standard interpretation in KAT, and e is any GKAT-expression.

# 3 The Non-well-founded Proof System SGKAT<sup>∞</sup>

In this section we commence our proof-theoretical study of GKAT. We will present a cyclic sequent system for GKAT, inspired by the cyclic sequent system for Kleene Algebra presented in [7]. In passing, we will compare our system to the latter.

Definition 1 (Sequent). *A* sequent *is a triple* (Γ, A, Δ)*, written* Γ ⇒<sub>A</sub> Δ*, where* A ⊆ At *and* Γ *and* Δ *are (possibly empty) lists of* GKAT*-expressions.*

The list on the left-hand side of a sequent is called its *antecedent*, and the list on the right-hand side its *succedent*. In general we refer to lists of expressions as *cedents*. The symbol ε refers to the empty cedent.

*Remark 5.* As the system in [7] only deals with Kleene Algebra, it does not include tests. We choose to deal with the tests present in GKAT by augmenting each sequent by a set of atoms. This tucks away the Boolean content, as is usual in the GKAT literature, allowing us to omit propositional rules.

Definition 2 (Validity). *We say that a sequent* e₁, ..., e<sub>n</sub> ⇒<sub>A</sub> f₁, ..., f<sub>m</sub> *is* valid *whenever* A ⋄ ⟦e₁⟧ ⋄ ··· ⋄ ⟦e<sub>n</sub>⟧ ⊆ ⟦f₁⟧ ⋄ ··· ⋄ ⟦f<sub>m</sub>⟧*.*

We often abuse notation, writing ⟦Γ⟧ instead of ⟦e₁⟧ ⋄ ··· ⋄ ⟦e<sub>n</sub>⟧, where Γ = e₁, ..., e<sub>n</sub>.

*Example 3.* An example of a valid sequent is given by (cp)<sup>(b)</sup> ⇒<sub>At</sub> (p(cp +<sub>b</sub> 1))<sup>(b)</sup>. The antecedent denotes guarded strings α₁pα₂p ··· α<sub>n</sub>pα<sub>n+1</sub> where α<sub>i</sub> ≤ b, c for each 1 ≤ i ≤ n, and α<sub>n+1</sub> ≤ b̄. The succedent denotes such strings where α<sub>i</sub> ≤ c is only required for those 1 ≤ i ≤ n where i is even.
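To make the language semantics of Sect. 2.2 and the validity notion of Definition 2 concrete, the following added example (Python written for this page, not the authors' code) enumerates ⟦e⟧ up to a bound on the number of primitive programs and checks Example 2 and the sequent of Example 3 against it. The tuple encoding of expressions, the frozenset representation of atoms, and the reading of the empty cedent as At are assumptions of the example.

```python
"""Bounded language semantics of GKAT: an added example, not the paper's code.
Enumerates the guarded strings denoted by a GKAT expression up to `maxlen`
primitive programs with the fusion product, guarded union and while-loop
semantics of Sect. 2.2, then checks Example 2 and the sequent of Example 3
(Definition 2). The cut is exact: fusion never removes programs from a string."""
from itertools import product

# An atom is the frozenset of primitive tests it makes true; At is the set of
# all such subsets (the atoms of the free Boolean algebra over T).
def atoms_of(T):
    return [frozenset(t for t, bit in zip(T, bits) if bit)
            for bits in product((0, 1), repeat=len(T))]

# Tests: 0, 1, ("t", name), ("not", b), ("or", b, c), ("and", b, c).
def holds(alpha, b):
    """alpha <= b: the atom satisfies the test in the free Boolean algebra."""
    if b in (0, 1): return bool(b)
    op = b[0]
    if op == "t":   return b[1] in alpha
    if op == "not": return not holds(alpha, b[1])
    if op == "or":  return holds(alpha, b[1]) or holds(alpha, b[2])
    if op == "and": return holds(alpha, b[1]) and holds(alpha, b[2])
    raise ValueError(b)

# A guarded string alpha_1 p_1 ... p_n alpha_{n+1} is a tuple with atoms at even
# indices and primitive programs (plain strings) at odd ones; len(w) // 2 == n.
def atom_lang(A):
    """A set of atoms read as a language of program-free guarded strings."""
    return {(alpha,) for alpha in A}

def fusion(L, K, maxlen):
    """L <> K = {x alpha y : x alpha in L, alpha y in K}, cut at maxlen programs."""
    return {x + y[1:] for x in L for y in K
            if x[-1] == y[0] and len(x) // 2 + len(y) // 2 <= maxlen}

def guarded_union(B, L, K, At, maxlen):
    """L +_B K = (B <> L) u (Bbar <> K), where Bbar = At \\ B."""
    Bbar = atom_lang(alpha for alpha in At if alpha not in B)
    return fusion(atom_lang(B), L, maxlen) | fusion(Bbar, K, maxlen)

def while_lang(B, L, At, maxlen):
    """L^B = U_n (B <> L)^n <> Bbar as the least fixed point of W = Bbar u ((B <> L) <> W)."""
    W = atom_lang(alpha for alpha in At if alpha not in B)
    body = fusion(atom_lang(B), L, maxlen)
    while True:  # terminates: finitely many strings with at most maxlen programs
        bigger = W | fusion(body, W, maxlen)
        if bigger == W:
            return W
        W = bigger

# Expressions: ("test", b), ("prog", p), ("seq", e, f), ("ite", b, e, f) for
# e +_b f, and ("while", b, e) for e^(b).
def sem(e, At, maxlen):
    """[[e]] restricted to guarded strings with at most maxlen programs."""
    kind = e[0]
    if kind == "test":
        return atom_lang(alpha for alpha in At if holds(alpha, e[1]))
    if kind == "prog":
        return {(a, e[1], b) for a in At for b in At} if maxlen >= 1 else set()
    if kind == "seq":
        return fusion(sem(e[1], At, maxlen), sem(e[2], At, maxlen), maxlen)
    B = [alpha for alpha in At if holds(alpha, e[1])]
    if kind == "ite":
        return guarded_union(B, sem(e[2], At, maxlen), sem(e[3], At, maxlen), At, maxlen)
    if kind == "while":
        return while_lang(B, sem(e[2], At, maxlen), At, maxlen)
    raise ValueError(e)

def sem_cedent(Gamma, At, maxlen):
    """[[Gamma]] = [[e_1]] <> ... <> [[e_n]]; the empty cedent is taken to denote
    At, the unit of fusion (an assumption of this example)."""
    L = atom_lang(At)
    for e in Gamma:
        L = fusion(L, sem(e, At, maxlen), maxlen)
    return L

def valid(A, Gamma, Delta, At, maxlen):
    """Definition 2 up to the bound: A <> [[Gamma]] is a subset of [[Delta]]."""
    lhs = fusion(atom_lang(A), sem_cedent(Gamma, At, maxlen), maxlen)
    return lhs <= sem_cedent(Delta, At, maxlen)

def example2_check(maxlen=2):
    """Example 2: alpha p beta q gamma is in [[(p +_b q)^(a)]] iff alpha <= a,b,
    beta <= a,not b and gamma <= not a. Returns True iff this holds for all atoms."""
    At = atoms_of(["a", "b"])
    a, b = ("t", "a"), ("t", "b")
    L = sem(("while", a, ("ite", b, ("prog", "p"), ("prog", "q"))), At, maxlen)
    return all(((al, "p", be, "q", ga) in L) ==
               (holds(al, a) and holds(al, b) and holds(be, a)
                and not holds(be, b) and not holds(ga, a))
               for al, be, ga in product(At, repeat=3))

def example3_check(maxlen=4):
    """Example 3: (cp)^(b) =>_At (p(cp +_b 1))^(b) is valid, but its converse is
    not, since the succedent only requires c at even positions."""
    At = atoms_of(["b", "c"])
    b, c, p = ("t", "b"), ("t", "c"), ("prog", "p")
    gamma = [("while", b, ("seq", ("test", c), p))]
    delta = [("while", b, ("seq", p, ("ite", b, ("seq", ("test", c), p), ("test", 1))))]
    return valid(At, gamma, delta, At, maxlen) and not valid(At, delta, gamma, At, maxlen)
```

Raising `maxlen` enlarges the finite approximation of the loop languages; the checks above need only two and four iterations respectively.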

*Remark 6.* Like the sequents for Kleene Algebra in [7], our sequents express language *inclusion*, rather than language equivalence. For Kleene Algebra this difference is insignificant, as the two notions are interdefinable using unrestricted union: ⟦e⟧ ⊆ ⟦f⟧ ⇔ ⟦e + f⟧ = ⟦f⟧. For GKAT, however, it is not clear how to define language inclusion in terms of language equivalence. As a result, an advantage of axiomatising language inclusion rather than language equivalence is that the while-operator can be axiomatised as a *least* fixed point, eliminating the need for a *strict productivity* requirement as is present in the axiomatisation in [22].

Given a set of atoms A and a test b, we write A↾b for A ∩ ⟦b⟧, *i.e.* the set of atoms {α ∈ A : α ≤ b}. The rules of SGKAT are given in Fig. 1. Importantly, the rules are always applied to the leftmost expression in a cedent. As a result, we have the following lemma, which will later be used in the completeness proof.

Lemma 2. *Let* Γ ⇒<sub>A</sub> Δ *be a sequent, and let* r *be any rule of* SGKAT*. Then there is at most one rule instance of* r *with conclusion* Γ ⇒<sub>A</sub> Δ*.*


Fig. 1. The rules of SGKAT. The side condition (†) requires that A↾b = A.

*Remark 7.* Following [7], we call k a 'modal' rule. The reason is simply that it looks like the rule k (sometimes called K or □) in the standard sequent calculus for basic modal logic. Our system also features a second modal rule, called k<sub>0</sub>. Like k, this rule adds a primitive program p to the antecedent of the sequent. Since the premiss of k<sub>0</sub> entails that ⟦Γ⟧ = ⟦0⟧, the antecedent of its conclusion will denote the empty language, and is therefore included in any succedent Δ.

*Remark 8.* Note that the rules of SGKAT are highly symmetric. Indeed, the only rules that behave differently on the left than on the right are the b-rules and k<sub>0</sub>. Note that b-l changes the set of atoms, while b-r uses a side condition. The asymmetry of k<sub>0</sub> is clear: the succedent of the premiss has a 0, whereas the antecedent does not. A third asymmetry will be introduced in Definition 3, with a condition on infinite branches that is sensitive to (b)-l but not to (b)-r.

*Remark 9.* The authors of [20] study a variant of GKAT that omits the so-called *early termination axiom*, which equates all programs that eventually fail. They give a denotational model of this variant in the form of certain kinds of trees. We conjecture that omitting the rule k<sub>0</sub> from our system will make it sound and complete with respect to this denotational model.

[Fig. 2: the extracted derivation tree is garbled and cannot be reproduced here. Its root sequent is p ⇒<sub>At↾b</sub> 1<sup>(b)</sup> · p, and (•) marks the leaf p ⇒<sub>At↾b</sub> 1, 1<sup>(b)</sup>, p at which the derivation repeats itself.]

Fig. 2. An SGKAT∞-derivation that is not a proof.

An SGKAT<sup>∞</sup>*-derivation* is a (possibly infinite) tree generated by the rules of SGKAT. Such a derivation is said to be *closed* if every leaf is an axiom.

Definition 3 (Proof). *A closed* SGKAT<sup>∞</sup>*-derivation is said to be an* SGKAT<sup>∞</sup>-proof *if every infinite branch is* fair *for* (b)*-*l*,* i.e. *contains infinitely many applications of the rule* (b)*-*l*.*

We write SGKAT ⊢<sup>∞</sup> Γ ⇒<sub>A</sub> Δ if there is an SGKAT<sup>∞</sup>-proof of Γ ⇒<sub>A</sub> Δ.

*Example 4.* Not every SGKAT<sup>∞</sup>-derivation is a proof. Consider for instance the following derivation, where (•) indicates that the derivation repeats itself (Fig. 2).

*Example 5.* Let Δ₁ := (p(cp +<sub>b</sub> 1))<sup>(b)</sup> and Δ₂ := cp +<sub>b</sub> 1, Δ₁. The following proof Π₁ is an example SGKAT<sup>∞</sup>-proof of the sequent of Example 3. We again use (•) to indicate that the proof repeats itself at this leaf and, for the sake of readability, omit branches that can be closed immediately by an application of ⊥ (Fig. 3).

To illustrate the omission of branches that can be immediately closed by an application of ⊥, let us write out the two applications of +<sub>b</sub>-r in Π₁.

$$\frac{\epsilon \Rightarrow_{\mathsf{At}\restriction bc} cp, \Delta_1 \qquad \overline{\epsilon \Rightarrow_{\emptyset} 1, \Delta_1}\ \bot}{\epsilon \Rightarrow_{\mathsf{At}\restriction bc} \Delta_2}\ +_b\text{-}r \qquad\qquad \frac{\overline{\epsilon \Rightarrow_{\emptyset} cp, \Delta_1}\ \bot \qquad \epsilon \Rightarrow_{\mathsf{At}\restriction \overline{b}} 1, \Delta_1}{\epsilon \Rightarrow_{\mathsf{At}\restriction \overline{b}} \Delta_2}\ +_b\text{-}r$$

It can also be helpful to think of the set of atoms as *selecting* one of the premisses.

We close this section with a useful definition and a lemma.

Definition 4 (Exposure). *A list* Γ *of expressions is said to be* exposed *if it is either empty or begins with a primitive program.*

Recall that the sets of primitive tests and primitive programs are disjoint. Hence an exposed list Γ cannot start with a test. The following easy lemma will be useful later on.

Lemma 3. *Let* Γ *and* Δ *be exposed lists of expressions. Then:*

*(i)* αx ∈ ⟦Γ⟧ ⇔ βx ∈ ⟦Γ⟧ *for all* α, β ∈ At*; (ii)* Γ ⇒<sub>At</sub> Δ *is valid if and only if* Γ ⇒<sub>A</sub> Δ *is valid for some* A ≠ ∅*.*

Fig. 3. The SGKAT∞-proof Π1.

#### 4 Soundness

In this section we prove that SGKAT<sup>∞</sup> is sound. We will first prove that *well-founded* (that is, finite) SGKAT<sup>∞</sup>-proofs are sound. The following straightforward facts will be useful in the soundness proof.

Lemma 4. *For any set* A *of atoms, test* b*, and cedent* Θ*, we have:*

*(i)* ⟦e +<sub>b</sub> f, Θ⟧ = (⟦b⟧ ⋄ ⟦e, Θ⟧) ∪ (⟦b̄⟧ ⋄ ⟦f, Θ⟧)*; (ii)* ⟦e<sup>(b)</sup>, Θ⟧ = (⟦b⟧ ⋄ ⟦e, e<sup>(b)</sup>, Θ⟧) ∪ (⟦b̄⟧ ⋄ ⟦Θ⟧)*.*

We prioritise the rules of SGKAT in order of occurrence in Fig. 1, reading left-to-right, top-to-bottom. Hence, each left logical rule is of higher priority than each right logical rule, which is of higher priority than each axiom or modal rule. Recall that a rule is *sound* if the validity of all its premisses implies the validity of its conclusion. Conversely, a rule is *invertible* if the validity of its conclusion implies the validity of all of its premisses.

We say that a rule application *has priority* if there is no higher-priority rule with the same conclusion. Conveniently, the following proposition entails that every rule instance which has priority is invertible. This will aid our proof search procedure in Sect. 6.

Proposition 1. *Every rule of* SGKAT *is sound. Moreover, every rule is invertible except for* k *and* k<sub>0</sub>*, which are invertible whenever they have priority.*

*Proof (sketch).* We treat two illustrative cases. For the rule +<sub>b</sub>-r, we find

$$\begin{aligned} A \diamond \llbracket \Gamma \rrbracket &\subseteq \llbracket e +_b f \rrbracket \diamond \llbracket \Delta \rrbracket \\ \Leftrightarrow\quad A \diamond \llbracket \Gamma \rrbracket &\subseteq (\llbracket b \rrbracket \diamond \llbracket e, \Delta \rrbracket) \cup (\llbracket \overline{b} \rrbracket \diamond \llbracket f, \Delta \rrbracket) \\ \Leftrightarrow\quad A{\restriction}b \diamond \llbracket \Gamma \rrbracket &\subseteq \llbracket e, \Delta \rrbracket \text{ and } A{\restriction}\overline{b} \diamond \llbracket \Gamma \rrbracket \subseteq \llbracket f, \Delta \rrbracket, \end{aligned}$$

where the first equivalence holds due to Lemma 4.(ii), and the second due to A ⋄ ⟦Γ⟧ = (⟦b⟧ ⋄ A ⋄ ⟦Γ⟧) ∪ (⟦b̄⟧ ⋄ A ⋄ ⟦Γ⟧) and Lemma 4.(i).

The other rule we will treat is k. Suppose first that some application of k does *not* have priority. The only rule of higher priority than k which can have a conclusion of the form p, Γ ⇒<sub>A</sub> p, Δ is ⊥. In this case A = ∅, which means that the conclusion must be valid. Hence any application of k that does not have priority is vacuously sound. It need, however, not be invertible, as the following rule instance demonstrates:

$$\mathsf{k}\ \frac{1 \Rightarrow_{\mathsf{At}} 0}{p, 1 \Rightarrow_{\emptyset} p, 0}$$

Next, suppose that some application of $\mathsf{k}$ does have priority. This means that the set $A$ of atoms in the conclusion $p, \Gamma \Rightarrow_A p, \Delta$ is *not* empty. We will show that under this restriction the rule is both sound and invertible. Let $\alpha \in A$. We have

$$\begin{array}{lr} A \diamond \llbracket p, \Gamma \rrbracket \subseteq \llbracket p, \Delta \rrbracket \Leftrightarrow A \diamond \llbracket p \rrbracket \diamond \llbracket \Gamma \rrbracket \subseteq \llbracket p \rrbracket \diamond \llbracket \Delta \rrbracket & (\text{seq. int.}) \\ \Leftrightarrow \alpha \diamond \llbracket p \rrbracket \diamond \llbracket \Gamma \rrbracket \subseteq \llbracket p \rrbracket \diamond \llbracket \Delta \rrbracket & (\alpha \in A,\ \text{Lem. 3}) \\ \Leftrightarrow \llbracket p \rrbracket \diamond \llbracket \Gamma \rrbracket \subseteq \llbracket p \rrbracket \diamond \llbracket \Delta \rrbracket & (\text{Lem. 3}) \\ \Leftrightarrow \llbracket \Gamma \rrbracket \subseteq \llbracket \Delta \rrbracket, & (\dagger) \end{array}$$

as required. The step marked by $\dagger$ is the following property of guarded languages: $pL = pK$ implies $L = K$.

Proposition 1 entails that all finite proofs are sound. We will now extend this result to non-well-founded proofs, closely following the treatment in [7]. We first recursively define a syntactic abbreviation: $[e^{(b)}]^0 := \overline{b}$ and $[e^{(b)}]^{n+1} := b\,e\,[e^{(b)}]^n$.

Lemma 5. *For every* $n \in \mathbb{N}$*: if we have* $\mathsf{SGKAT}^\infty \vdash e^{(b)}, \Gamma \Rightarrow_A \Delta$*, then we also have* $\mathsf{SGKAT}^\infty \vdash [e^{(b)}]^n, \Gamma \Rightarrow_A \Delta$*.*

We let the *while-height* wh(e) be the maximal nesting of while loops in a given expression e. Formally,

	- $\mathsf{wh}(b) = \mathsf{wh}(p) = 0$;
	- $\mathsf{wh}(e \cdot f) = \mathsf{wh}(e +_b f) = \max\{\mathsf{wh}(e), \mathsf{wh}(f)\}$;
	- $\mathsf{wh}(e^{(b)}) = \mathsf{wh}(e) + 1$.

Given a list Γ, the *weighted while-height* wwh(Γ) of Γ is defined to be the multiset $[\mathsf{wh}(e) : e \in \Gamma]$. We order such multisets using the Dershowitz-Manna ordering (for linear orders): we say that $N < M$ if and only if $N \neq M$ and, for the greatest $n$ such that $N(n) \neq M(n)$, it holds that $N(n) < M(n)$.

Note that in any SGKAT-derivation the weighted while-height of the antecedent does not increase when reading bottom-up. Moreover, we have:

Lemma 6. $\mathsf{wwh}([e^{(b)}]^n, \Gamma) < \mathsf{wwh}(e^{(b)}, \Gamma)$ *for every* $n \in \mathbb{N}$*.*
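As an added illustration (not code from the paper), the following Python encodes wh, wwh, the Dershowitz-Manna comparison and the unravelling $[e^{(b)}]^n$ over a constructed tuple representation of GKAT expressions, and checks Lemma 6 on a sample nested loop; the reading $[e^{(b)}]^0 := \overline{b}$ is assumed.

```python
"""Constructed example (not the paper's code): the while-height wh, the
weighted while-height wwh, the Dershowitz-Manna comparison of Sect. 4 and
the unravelling [e^(b)]^n, checked against Lemma 6 on a sample loop."""
from collections import Counter

# GKAT expressions as tuples (constructed encoding, assumed here):
#   ('test', b)        Boolean test b; ('test', ('not', b)) is its negation
#   ('act', p)         primitive program p
#   ('seq', e, f)      e . f
#   ('if', b, e, f)    e +_b f
#   ('while', b, e)    e^(b)

def wh(e):
    """While-height: the maximal nesting depth of while loops in e."""
    tag = e[0]
    if tag in ('test', 'act'):
        return 0
    if tag == 'seq':
        return max(wh(e[1]), wh(e[2]))
    if tag == 'if':
        return max(wh(e[2]), wh(e[3]))
    if tag == 'while':
        return wh(e[2]) + 1
    raise ValueError(f'unknown constructor {tag!r}')

def wwh(gamma):
    """Weighted while-height of a list: the multiset [wh(e) : e in gamma]."""
    return Counter(wh(e) for e in gamma)

def dm_less(n, m):
    """Dershowitz-Manna ordering on multisets over the naturals (a linear
    order): N < M iff N != M and N(k) < M(k) for the greatest k with
    N(k) != M(k).  Missing keys count as multiplicity 0."""
    differing = [k for k in set(n) | set(m) if n[k] != m[k]]
    if not differing:
        return False
    k = max(differing)
    return n[k] < m[k]

def unravel(loop, n):
    """[e^(b)]^0 := not-b and [e^(b)]^(n+1) := b . e . [e^(b)]^n, built as a
    single expression (the bar on the base case is an assumed reading)."""
    tag, b, e = loop
    assert tag == 'while'
    acc = ('test', ('not', b))
    for _ in range(n):
        acc = ('seq', ('test', b), ('seq', e, acc))
    return acc

def lemma6_holds(loop, gamma, n):
    """Lemma 6: wwh([e^(b)]^n, Gamma) < wwh(e^(b), Gamma)."""
    return dm_less(wwh([unravel(loop, n)] + gamma), wwh([loop] + gamma))

# Sample loop (constructed): while b do (p ; while c do q), i.e. (p . q^(c))^(b),
# followed by the rest of an antecedent that itself contains a loop
INNER = ('while', 'c', ('act', 'q'))
LOOP = ('while', 'b', ('seq', ('act', 'p'), INNER))
GAMMA = [INNER, ('act', 'r')]

if __name__ == '__main__':
    print('wh(LOOP) =', wh(LOOP))
    print('wwh(LOOP, GAMMA) =', dict(wwh([LOOP] + GAMMA)))
    for n in range(4):
        print(n, dict(wwh([unravel(LOOP, n)] + GAMMA)), lemma6_holds(LOOP, GAMMA, n))
```

Unravelling replaces the one occurrence of while-height 2 by an expression of height at most 1, which is exactly what makes the multiset smaller at its greatest differing element.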

Finally, we can prove the soundness theorem using induction on wwh(Γ).

#### Theorem 1 (Soundness). *If* $\mathsf{SGKAT}^\infty \vdash \Gamma \Rightarrow_A \Delta$*, then* $A \diamond \llbracket \Gamma \rrbracket \subseteq \llbracket \Delta \rrbracket$*.*

*Proof.* We prove this by induction on wwh(Γ). Given a proof π of $\Gamma \Rightarrow_A \Delta$, let $B$ contain for each infinite branch of π the node of least depth to which a rule (b)-l is applied. Note that $B$ must be finite, for otherwise, by Kőnig's Lemma, the proof π cut off along $B$ would have an infinite branch that does not satisfy the fairness condition.

Note that Proposition 1 entails that the conclusion of every finite derivation with valid leaves is valid. Hence, it suffices to show that each of the nodes in $B$ is valid. To that end, consider an arbitrary such node labelled $e^{(b)}, \Gamma' \Rightarrow_{A'} \Delta$ and the subproof $\pi'$ it generates. By Lemma 5, we have that $[e^{(b)}]^n, \Gamma' \Rightarrow_{A'} \Delta$ is provable for every $n$. Lemma 6 gives $\mathsf{wwh}([e^{(b)}]^n, \Gamma') < \mathsf{wwh}(e^{(b)}, \Gamma') \leq \mathsf{wwh}(\Gamma)$, and thus we may apply the induction hypothesis to obtain

$$A' \diamond \llbracket [e^{(b)}]^n \rrbracket \diamond \llbracket \Gamma' \rrbracket \subseteq \llbracket \Delta \rrbracket$$

for every $n \in \mathbb{N}$. Then by

$$\bigcup_{n} \big(A' \diamond \llbracket [e^{(b)}]^n \rrbracket \diamond \llbracket \Gamma' \rrbracket\big) = A' \diamond \Big(\bigcup_{n} \llbracket [e^{(b)}]^n \rrbracket\Big) \diamond \llbracket \Gamma' \rrbracket = A' \diamond \llbracket e^{(b)} \rrbracket \diamond \llbracket \Gamma' \rrbracket,$$

we obtain that $e^{(b)}, \Gamma' \Rightarrow_{A'} \Delta$ is valid, as required.

#### 5 Regularity

Before we show that SGKAT<sup>∞</sup> is not only sound, but also complete, we will first show that every SGKAT<sup>∞</sup>-proof is *finite-state*, *i.e.* that it contains at most finitely many distinct sequents.

The results of this section crucially depend on the fact that we are only applying rules to the leftmost expressions of cedents. Indeed, otherwise one could easily create infinitely many distinct sequents by simply unravelling the same while loop $e^{(b)}$ infinitely often.

Our treatment differs from that in [7] in two major ways. First, we formalise the notion of (sub)occurrence using the standard notion of a *syntax tree*. Secondly, and more importantly, we obtain a quadratic bound on the number of distinct sequents occurring in a proof, rather than an exponential one. In fact, we will show that the number of distinct antecedents (succedents) is *linear* in the size of the syntax tree of the antecedent (succedent) of the root. We will do this by showing that each leftmost expression of a cedent in the proof (given as a node of the syntax tree of a root cedent) can only occur in the proof as the leftmost expression of that *unique* cedent.

Definition 5. *The* syntax tree $(T_e, l_e)$ *of an expression* e *is a well-founded, labelled and ordered tree, defined by the following induction on* e*.*


Definition 6. *An* e-cedent *is a list of nodes in the syntax tree of* e*. The* realisation *of an* e*-cedent* $u_1, \ldots, u_n$ *is the cedent* $l_e(u_1), \ldots, l_e(u_n)$*.*

Given the leftmost expression of a cedent, we will now explicitly define the cedent that it must be the leftmost expression of.

Definition 7. *Let* u *be a node in the syntax tree of* e *with main connective* mc*. We define the* e*-cedent* tail(u) *inductively as follows:*

	- *if* mc = ·*, let* $u_1$ *and* $u_2$ *be, respectively, the first and second child of* u*. We set* $\mathsf{tail}(u_1) := u_2, \mathsf{tail}(u)$ *and* $\mathsf{tail}(u_2) := \mathsf{tail}(u)$*.*
	- *if* mc = $+_b$*, let* $u_1$ *and* $u_2$ *again be its first and second child. We set* $\mathsf{tail}(u_1) := \mathsf{tail}(u_2) := \mathsf{tail}(u)$*.*
	- *if* mc = $(-)^{(b)}$*, let* v *be the single child of* u*. We set* $\mathsf{tail}(v) := u, \mathsf{tail}(u)$*.*

*An* e*-cedent is called* tail*-generated if it is empty or of the form* u, tail(u) *for some node* u *in the syntax tree of* e*.*

*Example 6.* Below is the syntax tree of $(p(p +_b 1))^{(b)}$ and a calculation of $\mathsf{tail}(u_3)$.
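To make Definitions 5–7 concrete, here is an added Python sketch (not the paper's code) that builds the syntax tree of the Example 6 expression with a constructed node numbering, computes tail(u) for every node, and checks the claim made in the proof of Lemma 7; the shape of the left logical rules in `left_successors` is an assumption chosen to match Definition 7, since Fig. 1 is not reproduced here.

```python
"""Constructed example (not the paper's code): syntax trees, the e-cedent
tail(u) of Definition 7 and the tail-generated cedents of Sect. 5, computed
for the expression (p(p +_b 1))^(b) of Example 6."""

# GKAT expressions as tuples (constructed encoding, assumed here):
#   ('test', b), ('act', p), ('seq', e, f), ('if', b, e, f), ('while', b, e)

def syntax_tree(e):
    """(T_e, l_e): nodes are numbered in pre-order (constructed numbering, root 0);
    label[u] is the subexpression at u, children[u] its children in order."""
    label, children = {}, {}

    def build(sub):
        u = len(label)
        label[u] = sub
        tag = sub[0]
        # children: both parts of e.f, both branches of e +_b f, the body of e^(b);
        # the test b of e +_b f and e^(b) stays in the label, as in Example 6
        kids = list(sub[1:]) if tag == 'seq' else (list(sub[2:]) if tag in ('if', 'while') else [])
        children[u] = [build(kid) for kid in kids]
        return u

    build(e)
    return label, children

def tails(label, children):
    """tail(u) for every node u by the clauses of Definition 7 (tuples of node numbers)."""
    tail = {0: ()}

    def go(u):
        tag, kids = label[u][0], children[u]
        if tag == 'seq':                      # mc = .
            u1, u2 = kids
            tail[u1], tail[u2] = (u2,) + tail[u], tail[u]
        elif tag == 'if':                     # mc = +_b
            u1, u2 = kids
            tail[u1] = tail[u2] = tail[u]
        elif tag == 'while':                  # mc = (-)^(b)
            (v,) = kids
            tail[v] = (u,) + tail[u]
        for kid in kids:
            go(kid)

    go(0)
    return tail

def tail_generated_cedents(tail):
    """One tail-generated cedent per node plus the empty one: |T_e| + 1 in total."""
    return {()} | {(u,) + tail[u] for u in tail}

def left_successors(cedent, label, children):
    """Antecedents produced by one bottom-up left-rule step on the leftmost node
    (assumed shape of the left logical rules, matching Definition 7): .-l splits,
    +_b-l branches, (b)-l unfolds or exits the loop, a test or program is consumed."""
    if cedent == ():
        return []
    u, rest = cedent[0], cedent[1:]
    tag, kids = label[u][0], children[u]
    if tag == 'seq':
        return [tuple(kids) + rest]
    if tag == 'if':
        return [(kid,) + rest for kid in kids]
    if tag == 'while':
        return [(kids[0], u) + rest, rest]
    return [rest]

def reachable_antecedents(label, children):
    """All e-cedents reachable from the root cedent via left-rule steps."""
    seen, todo = set(), [(0,)]
    while todo:
        c = todo.pop()
        if c not in seen:
            seen.add(c)
            todo.extend(left_successors(c, label, children))
    return seen

def pretty(e):
    """Subexpression in GKAT syntax, used to realise cedents (Definition 6)."""
    tag = e[0]
    if tag in ('test', 'act'):
        return str(e[1])
    if tag == 'seq':
        return f'({pretty(e[1])}.{pretty(e[2])})'
    if tag == 'if':
        return f'({pretty(e[2])} +_{e[1]} {pretty(e[3])})'
    return f'{pretty(e[2])}^({e[1]})'

# Example 6's expression (p(p +_b 1))^(b) in the constructed encoding
EXAMPLE6 = ('while', 'b', ('seq', ('act', 'p'), ('if', 'b', ('act', 'p'), ('test', '1'))))

def check_example6():
    """Realised tail(u) per node, the claim in the proof of Lemma 7 (every tail(u)
    is itself tail-generated), the count |T_e| + 1, and closure under left rules."""
    label, children = syntax_tree(EXAMPLE6)
    tail = tails(label, children)
    generated = tail_generated_cedents(tail)
    return {
        'tails': {u: [pretty(label[v]) for v in tail[u]] for u in tail},
        'all_tails_generated': all(t == () or t == (t[0],) + tail[t[0]] for t in tail.values()),
        'count': len(generated),
        'closed_under_left_rules': reachable_antecedents(label, children) <= generated,
    }
```

For this expression the six nodes give exactly seven tail-generated cedents, and the antecedents reachable by left-rule steps are precisely those cedents, which is the finite-state behaviour Lemma 7 captures.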

The following lemma embodies the key idea for the main result of this section: every leftmost expression is the leftmost expression of a unique cedent.

Lemma 7. *Let* π *be an* SGKAT<sup>∞</sup>*-derivation of a sequent of the form* $e \Rightarrow_A f$*. Then every antecedent in* π *is the realisation of a* tail*-generated* e*-cedent, and every succedent is the realisation of a* tail*-generated* f*-cedent or* 0*-cedent.*

*Proof.* We first prove the following claim.

Let e be an expression and let u be a node in its syntax tree. Then tail(u) is a tail-generated e-cedent.

We prove this by induction on the syntax tree of e. For the root ρ, tail(ρ) is the empty cedent, which is tail-generated by definition. Now suppose that the thesis holds for some arbitrary node u in the syntax tree of e. We will show that the thesis holds for the children of u by a case distinction on the main connective mc of u.


Using this claim, the lemma follows by bottom-up induction on π. For the base case, note that e and f are realisations of the roots of their respective syntax trees. Such a root ρ is tail-generated, since tail(ρ) is empty and hence ρ = ρ, tail(ρ). The induction step follows by direct inspection of the rules of SGKAT.

The number of realisations of tail-generated e-cedents is clearly linear in the size of the syntax tree of e, for every expression e. Hence we obtain:

Corollary 1. *The number of distinct sequents in an* SGKAT<sup>∞</sup>*-proof of* $e \Rightarrow_A f$ *is quadratic in* $|T_e| + |T_f|$*.*

Note that the above lemma and corollary can easily be generalised to arbitrary (rather than singleton) cedents, by rewriting each cedent $e_1, \ldots, e_n$ as $e_1 \cdots e_n$.

Recall that a non-well-founded tree is *regular* if it contains only finitely many pairwise non-isomorphic subtrees. The following corollary follows by a standard argument in the literature (see e.g. [16, Corollary I.2.23]).

Corollary 2. *If* $\Gamma \Rightarrow_A \Delta$ *has an* SGKAT<sup>∞</sup>*-proof, then it has a regular one.*

We define a *cyclic* SGKAT*-proof* as a regular SGKAT∞-proof. Cyclic proofs can be equivalently described using finite trees with back edges, but this is not needed for the purposes of the present paper.

#### 6 Completeness and Complexity

In this section we prove the completeness of SGKAT<sup>∞</sup>. Our argument uses a proof search procedure, which we will show to induce an NLOGSPACE decision procedure for the language inclusion problem of GKAT expressions. The material in this section is again inspired by [7], but requires several modifications to treat the tests present in GKAT.

First note the following fact.

Lemma 8. *Any valid sequent is the conclusion of some rule application.*

Note that in the following lemma A and B may be distinct.

Lemma 9. *Let* π *be a derivation using only right logical rules and containing a branch of the form:*

$$\begin{array}{c} \Gamma \Rightarrow_B e^{(b)}, \Delta \\ \vdots \\ \Gamma \Rightarrow_A e^{(b)}, \Delta \end{array} \tag{*}$$

*such that (1)* $\Gamma \Rightarrow_A e^{(b)}, \Delta$ *is valid, and (2) every succedent on the branch has* $e^{(b)}, \Delta$ *as a final segment. Then* $\Gamma \Rightarrow_B 0$ *is valid.*

*Proof.* We claim that $e^{(b)} \Rightarrow_B 0$ is provable. We will show this by exploiting the symmetry of the left and right logical rules of SGKAT (cf. Remark 8). Since on the branch (\*) every rule is a right logical rule, and $e^{(b)}, \Delta$ is preserved throughout, we can construct a derivation $\pi'$ of $e^{(b)} \Rightarrow_B 0$ from π by applying the analogous left logical rules to $e^{(b)}$. Note that the set of atoms $B$ precisely determines the branch (\*), in the sense that for every leaf $\Gamma \Rightarrow_C \Theta$ of π it holds that $C \cap B = \emptyset$. Hence, as the root of $\pi'$ is $e^{(b)} \Rightarrow_B 0$, every branch of $\pi'$ except for the one corresponding to (\*) can be closed directly by an application of $\bot$. The branch corresponding to (\*) is of the form

$$\begin{array}{c} e^{(b)} \Rightarrow_B 0 \\ \vdots \\ e^{(b)} \Rightarrow_B 0 \end{array} \quad \text{(b)-l}$$

and can thus be closed by a back edge. The resulting finite tree with back edges clearly represents an SGKAT<sup>∞</sup>-proof.

Now by soundness, we have $B \diamond \llbracket e^{(b)} \rrbracket = \emptyset$. Moreover, by the invertibility of the right logical rules and hypothesis (1), we get

$$B \diamond \llbracket \Gamma \rrbracket \subseteq B \diamond \llbracket e^{(b)} \rrbracket \diamond \llbracket \Delta \rrbracket = \emptyset,$$

as required.

Lemma 10. *Let* $(\Gamma_n \Rightarrow_{A_n} \Delta_n)_{n \in \omega}$ *be an infinite branch of some* SGKAT<sup>∞</sup> *derivation on which the rule* (b)*-*r *is applied infinitely often. Then there are* n, m *with* n<m *such that the following hold:*


*Proof.* First note that $\mathsf{k}_0$ is not applied on this branch, because if it were then there could not be infinitely many applications of (b)-r.

Since the proof is finite-state (cf. Corollary 1), there must be a $k \geq 0$ such that every $\Delta_i$ with $i \geq k$ occurs infinitely often on the branch above. Denote by $|\Delta|$ the length of a given list Δ and let $l$ be the minimum of $\{|\Delta_i| : i \geq k\}$. In other words, $l$ is the minimal length of the $\Delta_i$ with $i \geq k$.

To prove the lemma, we first claim that there is an $n \geq k$ such that $|\Delta_n| = l$ and the leftmost expression in $\Delta_n$ is of the form $e^{(b)}$ for some e. Suppose, towards a contradiction, that this is not the case. Then there must be a $u \geq k$ such that $|\Delta_u| = l$ and the leftmost expression in $\Delta_u$ is *not* of the form $e^{(b)}$ for any e. Note that (b)-r is the only rule apart from $\mathsf{k}_0$ that can increase the length of the succedent (when read bottom-up). It follows that for no $w \geq u$ the leftmost expression in $\Delta_w$ is of the form $e^{(b)}$, contradicting the fact that (b)-r is applied infinitely often.

Now let $n \geq k$ be such that $|\Delta_n| = l$ and the leftmost expression of $\Delta_n$ is $e^{(b)}$. Since the rule (b)-r must at some point after $\Delta_n$ be applied to $e^{(b)}$, we may assume without loss of generality that $\Gamma_n \Rightarrow_{A_n} \Delta_n$ is the conclusion of an application of (b)-r. By the pigeonhole principle, there must be an $m > n$ such that $\Gamma_n \Rightarrow_{A_n} \Delta_n$ and $\Gamma_m \Rightarrow_{A_m} \Delta_m$ are the same sequents. We claim that these sequents satisfy the three properties above. Properties (i) and (ii) directly hold by construction. Property (iii) follows from the fact that $\Delta_n$ is of minimal length and has $e^{(b)}$ as leftmost expression.

With the above lemmas in place, we are ready for the completeness proof.

#### Theorem 2 (Completeness). *Every valid sequent is provable in* SGKAT∞*.*

*Proof.* Given a valid sequent, we do a bottom-up proof search with the following strategy. Throughout the procedure all leaves remain valid, in most cases by an appeal to invertibility.

	- (a) We reach a leaf at which no right logical rule can be applied. This means that the leaf must be a valid sequent of the form $\Gamma \Rightarrow_A \Delta$ such that Γ is exposed, and Δ is either exposed or begins with a test b such that $A \cdot b = A$. We go to stage (4).
	- (b) If (a) does not happen, then at some point we must reach a valid sequent of the form $\Gamma \Rightarrow_A e^{(b)}, \Delta$ which together with an ancestor satisfies properties (i)–(iii) of Lemma 10. In this case Lemma 9 is applicable. Hence we must be at a leaf of the form $\Gamma \Rightarrow_A e^{(b)}, \Delta$ such that $e^{(b)} \Rightarrow_A 0$ is valid. We then go to stage (3).

Since at some point either (a) or (b) must be the case, stage (2) always terminates.

3. We are at a valid leaf of the form $\Gamma \Rightarrow_A e^{(b)}, \Delta$, where Γ is exposed. If $A = \emptyset$, we apply $\bot$. Otherwise, if $A \neq \emptyset$, we use the validity of $\Gamma \Rightarrow_A e^{(b)}, \Delta$ and $e^{(b)} \Rightarrow_A 0$ to find:

$$A \diamond \llbracket \Gamma \rrbracket \subseteq A \diamond \llbracket e^{(b)} \rrbracket \diamond \llbracket \Delta \rrbracket = \emptyset.$$

We claim that $\llbracket \Gamma \rrbracket = \emptyset$. Indeed, suppose towards a contradiction that $\alpha x \in \llbracket \Gamma \rrbracket$. By the exposedness of Γ and item (i) of Lemma 3, we would have $\beta x \in \llbracket \Gamma \rrbracket$ for some $\beta \in A$, contradicting the statement above. Therefore, the sequent $\Gamma \Rightarrow_{\mathsf{At}} 0$ is valid. We apply the rule $\mathsf{k}_0$ and loop back to stage (1). Stage (3) only comprises a single step and thus always terminates.

4. Let $\Gamma \Rightarrow_A \Delta$ be the current leaf. By construction $\Gamma \Rightarrow_A \Delta$ is valid, Γ is exposed, and Δ is either exposed or begins with a test b such that $A \cdot b = A$. Note that only the rules id, $\bot$,  $\mathsf{k}$, and $\mathsf{k}_0$ can be applicable. By Lemma 8, at least one of them must be applicable. If id is applicable, apply id. If $\bot$ is applicable, apply $\bot$. If $\mathsf{k}$ is applicable, apply $\mathsf{k}$ and loop back to stage (1). Note that this application of $\mathsf{k}$ will have priority and is therefore invertible.

Finally, suppose that only $\mathsf{k}_0$ is applicable. We claim that, by validity, the list Γ is not empty. Indeed, since $A$ is non-empty, and Δ either begins with a primitive program p or a test b such that $A \cdot b = A$, the sequent $\Rightarrow_A \Delta$ with empty antecedent must be invalid. Hence Γ must be of the form p, Θ. We apply $\mathsf{k}_0$, which has priority and thus is invertible, and loop back to stage (1).

Similarly to stage (3), stage (4) only comprises a single step and thus always terminates.

We claim that the constructed derivation is fair for (b)-l. Indeed, every stage except stage (1) terminates. Therefore, every infinite branch must either eventually remain in stage (1), or pass through stages (3) or (4) infinitely often. Since $\mathsf{k}$ and $\mathsf{k}_0$ shorten the antecedent, and no left logical rule other than (b)-l lengthens it, such branches must be fair.

By Corollary 2 we obtain that the subset of cyclic SGKAT-proofs is also complete.

#### Corollary 3. *Every valid sequent has a regular* SGKAT<sup>∞</sup>*-proof.*

Proposition 2. *The proof search procedure of Theorem 2 runs in* coNLOGSPACE*. Hence proof search, and thus also the language inclusion problem for* GKAT*-expressions, is in* NLOGSPACE*.*

*Proof (sketch).* Assume without loss of generality that the initial sequent is of the form $e \Rightarrow_A f$. We non-deterministically search for a failing branch, at each iteration storing only the last sequent. By Lemma 7 this can be done by storing two pointers to, respectively, the syntax trees $T_e$ and $T_f$, together with a set of atoms. The loop check of stage (2) can be replaced by a counter. Indeed, stage (2) must always hit a repetition after $|\mathsf{At}| \cdot |T_f|$ steps, where $|T_f|$ is the number of nodes in the syntax tree of f. After this repetition there must be a continuation that reaches a repetition to which Lemma 9 applies before this stage has taken $2 \cdot |\mathsf{At}| \cdot |T_f|$ steps in total. Finally, a global counter can be used to limit the depth of the search. Indeed, a failing branch needs at most one repetition (in stage (2), to which $\mathsf{k}_0$ is applied) and all other repetitions can be cut out. Hence if there is a failing branch, there must be one of size at most $4 \cdot |T_e| \cdot |\mathsf{At}| \cdot |T_f|$.

#### 7 Conclusion and Future Work

In this paper we have presented a non-well-founded proof system SGKAT<sup>∞</sup> for GKAT. We have shown that the system is sound and complete with respect to the language model. In fact, the fragment of *regular* proofs is already complete, which means one can view SGKAT as a cyclic proof system. Our system is similar to the system for Kleene Algebra in [7], but the deterministic nature of GKAT allows us to use ordinary sequents rather than hypersequents. To deal with the tests of GKAT every sequent is annotated by a set of atoms. As in [7], our completeness argument makes use of a proof search procedure. Here again the relative simplicity of GKAT pays off: the proof search procedure induces an NLOGSPACE decision procedure, whereas that of Kleene Algebra is in PSPACE.

The most natural question for future work is whether our system could be used to prove the completeness of some (ordered)-algebraic axiomatisation of GKAT. We envision using the original GKAT axioms (see [22, Figure 1]), but basing it on *inequational* logic rather than equational logic. This would allow one to use a *least* fixed point rule of the form

$$\frac{eg+\_b f \le g}{e^{(b)}f \le g}$$

eliminating the need for a Salomaa-style side condition. We hope to be able to prove the completeness of such an inequational system by translating cyclic SGKAT-proofs into well-founded proofs in the inequational system. This is inspired by the paper [6], where a similar strategy is used to give an alternative proof of the left-handed completeness of Kleene Algebra.

Another relevant question is the exact complexity of the language inclusion problem for GKAT-expressions. We have obtained an upper bound of NLOGSPACE, but do not know whether it is optimal.

Finally, it would be interesting to verify the conjecture in Remark 9 above.

Acknowledgments. Jan Rooduijn thanks Anupam Das, Tobias Kappé, Johannes Marti and Yde Venema for insightful discussions on the topic of this paper. Alexandra Silva wants to acknowledge Sonia Marin, who some years ago proposed a similar master project at UCL. We moreover thank the reviewers for their helpful comments, in particular for pointing out that our complexity result could be sharpened. Lastly, Jan Rooduijn is grateful for the inspiring four-week research visit at the Computer Science department of Cornell in the summer of 2022.




# **Unification, Rewriting and Computational Models**

# **Unification in the Description Logic $\mathcal{ELH}_{R^+}$ Without the Top Concept Modulo Cycle-Restricted Ontologies**

Franz Baader<sup>1,2</sup> and Oliver Fernández Gil<sup>1,2</sup>

<sup>1</sup> Institute of Theoretical Computer Science, TU Dresden, Dresden, Germany {franz.baader,oliver.fernandez}@tu-dresden.de <sup>2</sup> Center for Scalable Data Analytics and Artificial Intelligence (ScaDS.AI), Dresden/Leipzig, Germany

**Abstract.** Unification has been introduced in Description Logic (DL) as a means to detect redundancies in ontologies. In particular, it was shown that testing unifiability in the DL EL is an NP-complete problem, and this result has been extended in several directions. Surprisingly, it turned out that the complexity increases to PSpace if one disallows the use of the top concept in concept descriptions. Motivated by features of the medical ontology SNOMED CT, we extend this result to a setting where the top concept is disallowed, but there is a background ontology consisting of restricted forms of concept and role inclusion axioms. We are able to show that the presence of such axioms does not increase the complexity of unification without top, i.e., testing for unifiability remains a PSpace-complete problem.

**Keywords:** Unification · Description Logics · Complexity

# **1 Introduction**

Description Logics (DLs) [10] are a prominent family of logic-based knowledge representation languages, which offer their users a good compromise between expressiveness and complexity of reasoning, and constitute the formal and algorithmic foundation of the standard Web Ontology Language OWL 2.<sup>1</sup> The DL EL, which provides the concept constructors conjunction (⊓), existential restriction (∃r.C), and top concept (⊤), is a rather inexpressive, but nevertheless very useful member of this family. On the one hand, the important reasoning problems, such as the subsumption and the equivalence problem, in EL and some of its extensions are decidable in polynomial time [8,22]. On the other hand, EL and its tractable extensions are frequently used to define biomedical ontologies, such as the large medical ontology SNOMED CT.<sup>2</sup> To illustrate the use of the top concept, whose absence plays an important rôle in this paper, consider the

<sup>1</sup> https://www.w3.org/TR/owl2-overview/.

<sup>2</sup> https://www.ihtsdo.org/snomed-ct/.

© The Author(s) 2024

C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 279–297, 2024. https://doi.org/10.1007/978-3-031-63501-4_15

EL concept descriptions *Man* ⊓ ∃*child*.⊤ and *Man* ⊓ ∃*child*.*Female* of the concepts *Father* and *Father of a daughter*, respectively. In the former description, the top concept is used since no further properties of the child are to be required.

Unification in DLs has been introduced in [17] as a new inference service, motivated by the need for detecting redundancies in ontologies, in a setting where different ontology engineers (OEs) constructing the ontology may model the same concepts on different levels of granularity. For example, assume that (using the style of SNOMED CT definitions) one OE models the concept of a *viral infection of the lung* as

$$\mathit{ViralInfection} \sqcap \exists \mathit{findingSite}.\mathit{LungStructure},$$

whereas another one models it as

$$\mathit{LungInfection} \sqcap \exists \mathit{causativeAgent}.\mathit{Virus}.$$

Here *ViralInfection* and *LungInfection* are used as atomic concepts without further defining them, i.e., the two OEs made different decisions when to stop the modelling process. The resulting concept descriptions are not equivalent, but they are nevertheless meant to represent the same concept. They can be made equivalent by treating the concept names *ViralInfection* and *LungInfection* as variables, and then substituting the first one by *Infection* ⊓ ∃*causativeAgent*.*Virus* and the second one by *Infection* ⊓ ∃*findingSite*.*LungStructure*. In this case, we say that the descriptions are unifiable, and call the substitution that makes them equivalent a *unifier*. Intuitively, such a unifier proposes definitions for the concept names that are used as variables. In [7], unification and its extension to disunification are used to construct new medical concepts from SNOMED CT.

Unification in EL was first investigated in [14], where it was proved that deciding unifiability is an NP-complete problem. The NP upper bound was shown in that paper using a brute-force "guess and then test" NP algorithm. More practical algorithms for solving this problem and for computing unifiers were presented in [16] and [15], where the former describes a goal-oriented transformation-based algorithm and the latter is based on a translation to SAT. Implementations of these two algorithms are provided by the system UEL<sup>3</sup> [13], which is also available as a plug-in for the ontology editor Protégé. At the time these algorithms were developed, SNOMED CT was an EL ontology consisting of acyclic concept definitions. Since such definitions can be encoded into the unification problem (see Sect. 2.3 in [16]), algorithms for unification of EL concept descriptions (without background ontology) could be applied to SNOMED CT.

There was, however, one problem with employing these algorithms in the context of SNOMED CT: the top concept is not used in SNOMED CT, but the concepts generated by EL unification might contain ⊤, even if applied to concept descriptions not containing ⊤. Thus, the concept descriptions produced by the

<sup>3</sup> https://sourceforge.net/projects/uel/.

unifier are not necessarily in the style of SNOMED CT. For example, assume that we are looking for a unifier satisfying the two subsumption constraints<sup>4</sup>

$$\exists \mathit{findingSite}.\mathit{LungStructure} \sqsubseteq^? \exists \mathit{findingSite}.X, \qquad \exists \mathit{findingSite}.\mathit{HeartStructure} \sqsubseteq^? \exists \mathit{findingSite}.X.$$

It is easy to see that there is only one unifier of these two constraints, which replaces X with ⊤. Unification in EL−, i.e., the fragment of EL in which the top constructor is disallowed, was investigated in [1,18]. Surprisingly, it turned out that the absence of ⊤ makes unification considerably harder, both from a conceptual and a computational complexity point of view. In fact, the complexity of deciding unifiability increases from NP-complete for EL to PSpace-complete for EL−. The unification algorithm for EL− introduced in [1,18] basically proceeds as follows. It first applies the unification algorithm for EL to compute so-called local unifiers. If none of them is an EL−-unifier, then it tries to augment the images of the variables by conjoining concept descriptions called particles. The task of finding appropriate particles is reduced to solving certain systems of linear language inclusions, which can be realized in PSpace using an automata-based approach.
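The two introductory examples (the *ViralInfection*/*LungInfection* unifier and the finding-site constraints whose only unifier maps X to ⊤), as added Python that is not part of the paper: EL concept descriptions in a constructed tuple encoding, structural subsumption for descriptions without a background ontology, and a unifier check; the function names are the example's own, and the GCI-based unifier discussed next is outside what it handles.

```python
"""Constructed example (not from the paper): EL concept descriptions,
substitutions and a check of the two unification examples in the
introduction, using structural subsumption for EL descriptions without a
background ontology (GCIs and role axioms are not modelled here)."""

# EL concept descriptions as tuples (constructed encoding, assumed here):
#   ('name', 'Man')            a concept name; variables are the names a substitution maps
#   ('exists', 'child', C)     an existential restriction  exists child.C
#   ('and', C1, ..., Cn)       a conjunction; with no conjuncts it is the top concept
TOP = ('and',)

def atoms(c):
    """Top-level atoms of c (names and existential restrictions), flattening
    nested conjunctions; TOP contributes no atom."""
    return [a for sub in c[1:] for a in atoms(sub)] if c[0] == 'and' else [c]

def subsumes(c, d):
    """Structural subsumption without an ontology: c is subsumed by d iff every
    top-level atom of d is matched in c, where a name must occur in c and
    exists r.D' needs some exists r.C' in c with C' subsumed by D'.
    Every description is subsumed by TOP, which has no atoms."""
    for atom in atoms(d):
        if atom[0] == 'name':
            if atom not in atoms(c):
                return False
        else:
            _, role, filler = atom
            if not any(a[0] == 'exists' and a[1] == role and subsumes(a[2], filler)
                       for a in atoms(c)):
                return False
    return True

def equivalent(c, d):
    """Equivalence is mutual subsumption."""
    return subsumes(c, d) and subsumes(d, c)

def apply_subst(sigma, c):
    """Replace every variable (a name that is a key of sigma) by its image."""
    if c[0] == 'name':
        return sigma.get(c[1], c)
    if c[0] == 'exists':
        return ('exists', c[1], apply_subst(sigma, c[2]))
    return ('and',) + tuple(apply_subst(sigma, sub) for sub in c[1:])

def contains_top(c):
    """True iff the top concept occurs in c, which EL^- forbids."""
    if c == TOP:
        return True
    if c[0] == 'exists':
        return contains_top(c[2])
    return c[0] == 'and' and any(contains_top(sub) for sub in c[1:])

def is_unifier(sigma, constraints):
    """sigma solves every constraint: ('equiv', C, D) asks for equivalence,
    ('subs', C, D) for subsumption of C by D (the constraints of footnote 4)."""
    for kind, c, d in constraints:
        sc, sd = apply_subst(sigma, c), apply_subst(sigma, d)
        if not (equivalent(sc, sd) if kind == 'equiv' else subsumes(sc, sd)):
            return False
    return True

def is_el_minus_unifier(sigma, constraints):
    """An EL^- unifier additionally introduces no top concept."""
    return is_unifier(sigma, constraints) and not any(map(contains_top, sigma.values()))

def name(n):
    return ('name', n)

def exists(r, c):
    return ('exists', r, c)

def conj(*cs):
    return ('and',) + cs

# The two modellings of "viral infection of the lung" from the introduction
VIRAL_LUNG_1 = conj(name('ViralInfection'), exists('findingSite', name('LungStructure')))
VIRAL_LUNG_2 = conj(name('LungInfection'), exists('causativeAgent', name('Virus')))
# The unifier proposed there: definitions for the two names treated as variables
SIGMA = {
    'ViralInfection': conj(name('Infection'), exists('causativeAgent', name('Virus'))),
    'LungInfection': conj(name('Infection'), exists('findingSite', name('LungStructure'))),
}
# The two subsumption constraints whose only unifier replaces X with the top concept
FINDING_SITE = [
    ('subs', exists('findingSite', name('LungStructure')), exists('findingSite', name('X'))),
    ('subs', exists('findingSite', name('HeartStructure')), exists('findingSite', name('X'))),
]

def check_examples():
    return {
        'equivalent_before': equivalent(VIRAL_LUNG_1, VIRAL_LUNG_2),
        'sigma_unifies': is_unifier(SIGMA, [('equiv', VIRAL_LUNG_1, VIRAL_LUNG_2)]),
        'sigma_is_el_minus': is_el_minus_unifier(SIGMA, [('equiv', VIRAL_LUNG_1, VIRAL_LUNG_2)]),
        'x_to_top_unifies': is_unifier({'X': TOP}, FINDING_SITE),
        'x_to_top_is_el_minus': is_el_minus_unifier({'X': TOP}, FINDING_SITE),
        'x_to_lung_unifies': is_unifier({'X': name('LungStructure')}, FINDING_SITE),
    }
```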

The current version of SNOMED CT consists not only of acyclic concept definitions, but also contains more general concept inclusions (GCIs). In addition, properties of the part-of relation are no longer encoded using the so-called SEP-triplet encoding [27], but are directly expressed via role axioms [29], which can, for instance, be used to state that the part-of relation is transitive and that proper-part-of is a subrole of part-of. Decidability of unification in EL w.r.t. a background ontology consisting of GCIs is still an open problem. In [2], it is shown that the problem remains in NP if the ontology is cycle-restricted, which is a condition that the current version of SNOMED CT satisfies. Extensions of this result to the DL $\mathcal{ELH}_{R^+}$, which additionally allows for transitive roles and role inclusion axioms, were presented in [3,5], where the former introduces a SAT-based algorithm and the latter a transformation-based one. However, in all these algorithms, unifiers may introduce concept descriptions containing ⊤. In our example with the different finding sites, however, the presence of the GCIs *LungStructure* ⊑ *UpperBodyStructure* and *HeartStructure* ⊑ *UpperBodyStructure* would yield a unifier not using ⊤, namely the one that replaces X with *UpperBodyStructure*.

The purpose of this paper is to combine the approach for unification in EL− [1,18] with the one for unification in $\mathcal{ELH}_{R^+}$ w.r.t. cycle-restricted ontologies [2,3,5], to obtain a unification algorithm for $\mathcal{ELH}^-_{R^+}$ w.r.t. cycle-restricted ontologies. This algorithm follows the line of the one for EL− in that it basically first generates $\mathcal{ELH}_{R^+}$-unifiers, which it then tries to augment with particles.

<sup>4</sup> Instead of equivalence constraints, as in our above example and in early work on unification in DLs, we consider here a set of subsumption constraints as unification problem. It is easy to see that these two kinds of unification problems can be reduced to each other [2].

Appropriate particles are found as solutions of certain linear language inclusions. However, due to the presence of GCIs and role axioms, quite a number of non-trivial changes and additions are required. In particular, the solutions of the systems of linear language inclusions as constructed in [1,18] cannot capture particles that are appropriate due to the presence of an ontology. For instance, in our example, *UpperBodyStructure* would be such a particle. To repair this problem, we first need to show that, in $\mathcal{ELH}^-_{R^+}$, unifiability w.r.t. a cycle-restricted ontology can be characterized by the existence of a special type of unifiers. Afterwards, we exploit the properties of this kind of unifiers to define more sophisticated systems of language inclusions, which encode the semantics of GCIs and role axioms occurring in a background ontology. The solutions of such systems then yield also particles that are appropriate only due to the presence of this ontology.

While the unification problem investigated in this paper is motivated by an application in ontology engineering, it is also of interest for unification theory [19], which is concerned with unification-related properties of equational theories. In fact, unification in DLs can be seen as a special case of unification modulo equational theories, where the respective equational theory axiomatizes equivalence in the DL under consideration. For EL and ELH_R+, the corresponding equational theories can be found in [28]. The ones for the case without top can be obtained from them by removing the constant 1 from the signature, and all identities containing it from the axiomatization. The results in [1,18] and in the present paper show that the seemingly harmless removal of a constant from the equational theory may increase the complexity of the unification problem considerably. Considering unification w.r.t. a background ontology corresponds to adding a finite set of ground identities to the corresponding equational theory. For the word problem, it was shown that decidability is stable under adding finite sets of ground identities to theories such as commutativity or associativity-commutativity [11,20,24,25]. For unification, it was shown in [12] that adding finite sets of ground identities to the theory *ACUI* of an associative-commutative-idempotent symbol with a unit leaves the unification problem decidable. The results in [2,3,5] can be seen as such transfer results, but they require a restriction on the ground identities corresponding to cycle-restrictedness.

Due to space constraints, we cannot give detailed proofs of our results here. They can be found in [9].

#### **2 Subsumption and Unification in** *ELH_R+* **and** *ELH⁻_R+*

First, we briefly introduce syntax and semantics of the DLs investigated in this paper. Then, we recall a useful characterization of subsumption for these logics, and finally define the unification problem.

#### **2.1 The DLs** *ELH_R+* **and** *ELH⁻_R+*

Starting with countably infinite sets N_C and N_R of concept names and role names, ELH_R+*-concept descriptions* (for short, *concepts*) are built using the concept constructors *conjunction* (⊓), *existential restriction* (∃r.C), and *top* (⊤). When building ELH⁻_R+-concepts, the constructor ⊤ is not available. An ELH_R+-ontology O is a finite set of *general concept inclusions (GCIs)* C ⊑ D, *role hierarchy axioms* r ⊑ s, and *transitivity axioms* r ∘ r ⊑ r, where C, D are ELH_R+-concepts and r, s are role names. In an ELH⁻_R+-ontology, the concepts occurring in GCIs must be ELH⁻_R+-concepts.

The following two notions will play an important role in our unification algorithm. An *atom* is either a concept name or an existential restriction, and a *particle* is an atom of the form ∃r₁.∃r₂.···∃rₙ.A for a concept name A, which we write as ∃w.A, where w = r₁...rₙ is viewed as a word over the alphabet N_R. Every ELH_R+-concept C is a conjunction of atoms, where the empty conjunction represents ⊤. These atoms are called the *top-level atoms* of C. The set *Ats*(C) consists of all atoms (not just top-level ones) occurring in C, and *Ats*(O) for an ontology O consists of the atoms of all concepts occurring in O. The set of particles of an ELH⁻_R+-concept is defined inductively: *Part*(A) := {A} for each concept name A, *Part*(∃r.C) := {∃r.P | P ∈ *Part*(C)}, and *Part*(C ⊓ D) := *Part*(C) ∪ *Part*(D). For example, if C = ∃r.(∃s.A ⊓ ∃r.B), then *Part*(C) = {∃rs.A, ∃rr.B} and *Ats*(C) = {C, ∃s.A, ∃r.B, A, B}, where C is the only top-level atom.

The *semantics* of ELH_R+-concepts and ontologies is defined using the notion of an *interpretation* I = (Δ^I, ·^I), which has a set Δ^I ≠ ∅ as interpretation domain, and assigns a subset A^I ⊆ Δ^I to each concept name A and a binary relation r^I ⊆ Δ^I × Δ^I to each role name r. The interpretation function ·^I is extended to ELH_R+-concepts as usual: ⊤^I := Δ^I, (C ⊓ D)^I := C^I ∩ D^I, and (∃r.C)^I := {d ∈ Δ^I | ∃e.((d, e) ∈ r^I ∧ e ∈ C^I)}. The interpretation I is a *model* of the ELH_R+-ontology O if C ⊑ D ∈ O implies C^I ⊆ D^I, r ⊑ s ∈ O implies r^I ⊆ s^I, and r ∘ r ⊑ r ∈ O implies that r^I is transitive.

#### **2.2 Subsumption in** *ELH_R+* **and** *ELH⁻_R+*

Given an ELH_R+-ontology O and ELH_R+-concepts C, D, we say that C is *subsumed* by D w.r.t. O (written C ⊑_O D) if C^I ⊆ D^I for all models I of O. They are *equivalent* w.r.t. O (written C ≡_O D) if C ⊑_O D and D ⊑_O C.

Subsumption (and thus also equivalence) between ELH_R+-concepts w.r.t. arbitrary ELH_R+-ontologies can be decided in polynomial time [8]. In the context of unification, a recursive characterization of subsumption turns out to be useful, which for ELH_R+ was first given in [5], and later reformulated in [3]. In this paper we use the one given in [3], but before we can formulate this characterization, we must introduce the *role hierarchy* induced by an ELH_R+-ontology O: given role names r, s, we say that r is a *subrole* of s (written r ◁_O s) if r^I ⊆ s^I holds for all models I of O. It is easy to see that the relation ◁_O is the reflexive-transitive closure of the explicitly stated subrole relationships {(r, s) | r ⊑ s ∈ O}. We call a role name r *transitive* if r ∘ r ⊑ r ∈ O.

The characterization of subsumption in [3] uses the notion of *structural subsumption*: given atoms C, D, we say that C *is structurally subsumed by* D w.r.t. an ELH_R+-ontology O (written C ⊑^s_O D) if one of the following cases applies:


**Lemma 1** [3]. *Let* O *be an* ELH_R+*-ontology and* C₁,...,Cₙ, D₁,...,Dₘ *atoms. Then,* C₁ ⊓ ··· ⊓ Cₙ ⊑_O D₁ ⊓ ··· ⊓ Dₘ *iff for every* j ∈ {1,...,m}*:*

	- *(a)* At₁ ⊓ ··· ⊓ At_k ⊑_O At*, (b) for every* ℓ ∈ {1,...,k} *there exists* i ∈ {1,...,n} *with* C_i ⊑^s_O At_ℓ*, and*
	- *(c)* At ⊑^s_O D_j*.*

If O is empty, then the second case in the definition of structural subsumption can be modified to require that r = s and C ⊑_∅ D, whereas the third case in the same definition as well as the second case in Lemma 1 can be removed. This then yields the characterization of subsumption in EL of [16]. Since ELH⁻_R+ is a fragment of ELH_R+, this characterization also applies to subsumption between ELH⁻_R+-concepts w.r.t. ELH⁻_R+-ontologies. However, in this setting, the case k = 0 in 2. cannot occur. This is a direct consequence of the following result.

**Lemma 2.** *If* O *is an* ELH⁻_R+*-ontology and* At *an atom of* O*, then* ⊤ ⋢_O At*.*

#### **2.3 Unification in** *ELH_R+* **and** *ELH⁻_R+*

When defining unification, we assume that the set of concept names is partitioned into a set N_C of concept constants and a set N_V of concept variables. Given a DL L ∈ {ELH_R+, ELH⁻_R+}, an L*-substitution* σ is a mapping from a finite subset of N_V to the set of L-concepts. The application of σ to an arbitrary L-concept is defined inductively in the usual way. A concept (ontology) is *ground* if it does not contain variables. A substitution σ is ground if σ(X) is ground for all variables X that have an image under σ.

**Definition 1.** *Let* O *be a ground ontology. An* L-unification problem *w.r.t.* O *is of the form* Γ = {C₁ ⊑? D₁,...,Cₙ ⊑? Dₙ}*, where* C₁, D₁,...,Cₙ, Dₙ *are* L*-concepts. An* L*-substitution* σ *is an* L-unifier *of* Γ *w.r.t.* O *if* σ(C_i) ⊑_O σ(D_i) *for all* i ∈ {1,...,n}*. The unification problem* Γ *is called* L*-*unifiable *w.r.t.* O *if it has an* L*-unifier w.r.t.* O*.*

The following example illustrates that unifiability of a given unification problem may depend on the considered DL L and on the presence of a non-empty ontology.

*Example 1.* Let O = ∅ and consider the following unification problem:

$$\Gamma_1 := \{ \exists r. A \sqsubseteq^? X, \quad \exists u. B \sqsubseteq^? Y, \quad \exists s. X \sqcap A \sqsubseteq^? Y \}.$$

Viewed as an ELH_R+-unification problem, it has the unifier σ with σ(X) = σ(Y) = ⊤. However, Γ₁ does not have an ELH⁻_R+-unifier w.r.t. O = ∅. To see this, suppose that δ is such a unifier. Using Lemma 1 for the special case of an empty ontology, we can deduce from ∃u.B ⊑_∅ δ(Y) that every top-level atom of δ(Y) is an existential restriction for the role u. However, we can also deduce from ∃s.δ(X) ⊓ A ⊑_∅ δ(Y) that every top-level atom of δ(Y) is either A or an existential restriction for the role s. Since both cannot hold at once, δ(Y) cannot have any top-level atoms, and thus must be ⊤, contradicting our assumption that δ is an ELH⁻_R+-unifier. If we define O := {B ⊑ ∃r.A, u ⊑ s}, then the ELH⁻_R+-unifiability status of Γ₁ changes to unifiable, since δ with δ(X) = ∃r.A and δ(Y) = ∃s.∃r.A is an ELH⁻_R+-unifier of Γ₁ w.r.t. O.

In the next section we will show how to decide unifiability of an ELH⁻_R+-unification problem w.r.t. a cycle-restricted ELH⁻_R+-ontology.

**Definition 2.** *An* ELH_R+*-ontology* O *is called* cycle-restricted *if there is no sequence of* n > 0 *role names* r₁,...,rₙ ∈ N_R *and* ELH_R+*-concept* C *such that* C ⊑_O ∃r₁.∃r₂.···∃rₙ.C*.*

As stated in [5] (and proved in [6]), one can test in polynomial time whether a given ELH_R+-ontology is cycle-restricted or not.

According to [5,18], we can without loss of generality assume that the given ontology and the unification problem are *flat*. An ELH⁻_R+-atom is flat if it is a concept name or of the form ∃r.A for a concept name A. A GCI C₁ ⊓ ··· ⊓ Cₙ ⊑ D or subsumption constraint C₁ ⊓ ··· ⊓ Cₙ ⊑? D is flat if C₁,...,Cₙ and D are flat ELH⁻_R+-atoms. Finally, an ELH⁻_R+-ontology or ELH⁻_R+-unification problem is flat if all its elements are flat.

The following result for flat, cycle-restricted ELH_R+-ontologies will turn out to be quite useful in the next section. It basically follows from the proof of Lemma 8 in [4].

**Lemma 3.** *Let* O *be a flat, cycle-restricted* ELH_R+*-ontology,* A ∈ N_C *and* ∃r.C *an* ELH_R+*-atom. Then,* A ⊑_O ∃r.C *iff there exists* ∃u.B ∈ *Ats*(O) *such that* B ⊑_O C*, and*


#### **3 The Unification Algorithm for** *ELH⁻_R+*

In the following, we assume that O is a flat and cycle-restricted ELH⁻_R+-ontology and Γ is a flat ELH⁻_R+-unification problem. We introduce an algorithm that can test whether Γ has an ELH⁻_R+-unifier and needs only polynomial space for this task. This algorithm follows the approach developed in [18] for unification in EL⁻, but must take the ontology into account, which means that it must deal with a considerably more complex characterization of subsumption (see Lemma 1 and our remarks on how the characterization can be simplified if O = ∅).

Before presenting our new approach, we briefly sketch the one employed in [18]. The original NP procedure for unification in EL [16] is based on the (non-trivial) observation that an EL-unification problem Γ has a unifier iff it has a *local unifier*, i.e., one that is built using only atoms occurring in the unification problem. The procedure guesses an appropriate representation of a local substitution, and then checks by EL reasoning whether it really is a unifier. Basically, to guess a local substitution σ, one must guess for every variable X and non-variable atom C of Γ whether σ(X) ⊑_∅ σ(C) is supposed to hold. A *subsumption mapping* τ describing a local unifier σ more generally guesses for every pair C, D of atoms whether σ(C) ⊑_∅ σ(D) is supposed to hold. The restrictions imposed on such subsumption mappings ensure that the local substitution induced by such a mapping is indeed an EL-unifier of Γ [18], i.e., the subsequent EL reasoning testing this can be dispensed with. The local unifier obtained from a subsumption mapping τ need not be an EL⁻-unifier. To test for the existence of an EL⁻-unifier related to τ, the subsumption mapping τ together with the original unification problem Γ is then used to construct a new unification problem Δ_{Γ,τ}, in which only variables can occur on the right-hand side of subsumption constraints. Existence of an EL⁻-unifier of Δ_{Γ,τ} that is compatible with τ is then reduced in [18] to the existence of an admissible solution of a corresponding set I_{Γ,τ} of linear language inclusions. The latter problem can in turn be reduced in polynomial time to checking emptiness of alternating finite automata with ε-transitions [18], which is a PSpace-complete problem [23].

In this section we show how this approach can be extended from EL⁻ to ELH⁻_R+ w.r.t. cycle-restricted ontologies. We start by introducing subsumption mappings and the induced unification problems of the form Δ_{Γ,τ}.

#### **3.1 The Subsumption Mapping**

Let *Ats*(Γ, O) be the set of atoms occurring in Γ or O. Due to the third case in the definition of structural subsumption, we also need to consider certain atoms that are not explicitly present in the input:

$$Ats_{tr}(\Gamma, \mathcal{O}) := Ats(\Gamma, \mathcal{O}) \cup \{ \exists t. C \mid \exists s. C \in Ats(\Gamma, \mathcal{O}), \ t \triangleleft_{\mathcal{O}} s, \ t \text{ is transitive} \}.$$

A *non-variable atom* is an atom in *Ats_tr*(Γ, O) that is not a variable. We denote the set of all such atoms as *At_nv*(Γ, O). A mapping of the form τ : *Ats_tr*(Γ, O) × *Ats_tr*(Γ, O) → {0, 1} induces an assignment S^τ that maps variables in Γ to sets of non-variable atoms in *Ats_tr*(Γ, O):

$$S^\tau(X) := \{ D \in At_{nv}(\Gamma, \mathcal{O}) \mid \tau(X, D) = 1 \}.$$

This assignment induces the relation

$$>_{S^\tau} := \{(X, Y) \in \operatorname{Vars}(\Gamma) \times \operatorname{Vars}(\Gamma) \mid Y \text{ occurs in an atom of } S^\tau(X)\}.$$

We say that S^τ is *acyclic* if the transitive closure of >_{S^τ} is irreflexive, and thus a strict partial order, which we denote as >_τ. If S^τ is acyclic, then it induces a substitution σ^τ, defined by induction on >_τ:


The conditions imposed on a subsumption mapping τ ensure that the induced substitution σ^τ is an ELH_R+-unifier of Γ. In order to simplify the definition of these conditions, we introduce the following notation (for atoms ∃r.C, ∃s.D):

F(∃r.C, ∃s.D) := {D | r ◁_O s} ∪ {∃t.D | r ◁_O t ◁_O s, t transitive}.

Basically, this set collects all concepts F such that C ⊑_O F implies ∃r.C ⊑^s_O ∃s.D (see the second and third case in the definition of ⊑^s_O).

**Definition 3.** *The mapping* τ : *Ats_tr*(Γ, O) × *Ats_tr*(Γ, O) → {0, 1} *is called a* subsumption mapping for Γ w.r.t. O *if it satisfies the following conditions:*

	- *(a)* τ(D, D) = 1*, for each* D ∈ *Ats_tr*(Γ, O)*.*
	- *(b) For all* D₁, D₂, D₃ ∈ *Ats_tr*(Γ, O)*, if* τ(D₁, D₂) = τ(D₂, D₃) = 1 *then* τ(D₁, D₃) = 1*.*
	- *(c)* τ(C, D) = 1 *iff* C ⊑_O D*, for all ground atoms* C, D ∈ *Ats_tr*(Γ, O)*.*
	- *(d) For each concept constant* A ∈ *Ats*(Γ, O)*, role name* r*, and variable* X *with* ∃r.X ∈ *Ats_tr*(Γ)*:*
		- *i.* τ(A, ∃r.X) = 1 *iff*⁵ *there is an atom* ∃u.B *of* O *such that* τ(B, X) = 1*, and*
			- *–* A ⊑_O ∃u.B *and* u ◁_O r*, or*
			- *–* A ⊑_O ∃t.B *for a transitive role* t *with* u ◁_O t ◁_O r*.*
		- *ii.* τ(∃r.X, A) = 1 *iff*

*– there are atoms* ∃r₁.A₁,..., ∃r_k.A_k *of* O *(*k ≥ 0*) and atoms* F_ℓ ∈ F(∃r.X, ∃r_ℓ.A_ℓ) *(*1 ≤ ℓ ≤ k*) such that:*

$$
\tau(X, F_{\ell}) = 1 \ (1 \le \ell \le k) \quad \text{and} \quad \exists r_1. A_1 \sqcap \dots \sqcap \exists r_k. A_k \sqsubseteq_{\mathcal{O}} A.
$$

	- *there exists* F ∈ F(∃r.C, ∃s.D) *such that* τ(C, F) = 1*, or*
	- *there are atoms* ∃r₁.A₁,..., ∃r_k.A_k, ∃u.B *of* O *(*k ≥ 0*), atoms* F_ℓ ∈ F(∃r.C, ∃r_ℓ.A_ℓ) *(*1 ≤ ℓ ≤ k*), and an atom* F ∈ F(∃u.B, ∃s.D)*, such that:* τ(C, F_ℓ) = 1 (1 ≤ ℓ ≤ k), ∃r₁.A₁ ⊓ ··· ⊓ ∃r_k.A_k ⊑_O ∃u.B, τ(B, F) = 1.

⁵ This condition is justified by Lemma 3.

	- *(a) If* D *is a non-variable atom, then either* τ(C_i, D) = 1 *for some* i ∈ {1,...,n}*, or there are atoms* At₁,..., At_k, At *of* O *(*k ≥ 0*) such that: –* At₁ ⊓ ··· ⊓ At_k ⊑_O At*, – for each* ℓ ∈ {1,...,k} *there is* i ∈ {1,...,n} *s.t.* τ(C_i, At_ℓ) = 1*, and –* τ(At, D) = 1*.*
	- *(b) If* D *is a variable and* τ(D, C) = 1 *for a non-variable atom* C ∈ *At_nv*(Γ, O)*, then* C₁ ⊓ ··· ⊓ Cₙ ⊑? C *must satisfy the previous case.*

By using the close relationship between this definition and the characterization of subsumption in Lemma 1, one can show that Γ has an ELH_R+-unifier w.r.t. O iff there is a subsumption mapping for Γ w.r.t. O. In the proof of the if-direction, one shows that the substitution induced by the subsumption mapping is indeed a unifier. For the other direction, one takes a unifier σ and shows that the mapping τ satisfying τ(C, D) = 1 iff σ(C) ⊑_O σ(D) is a subsumption mapping for Γ w.r.t. O.

However, using subsumption mappings to characterize unifiability in ELH⁻_R+ requires more effort. Together with the unification problem Γ, a subsumption mapping τ yields a simpler unification problem Δ_{Γ,τ} := Δ_Γ ∪ Δ_τ, where

$$\Delta_{\Gamma} := \{C_1 \sqcap \dots \sqcap C_n \sqsubseteq^? X \in \Gamma \mid X \in N_V\} \quad \text{and} \quad \Delta_{\tau} := \{C \sqsubseteq^? X \mid \tau(C, X) = 1\}.$$

In addition, any substitution σ induces an assignment S^σ of the form:

$$S^{\sigma}(X) := \{ D \in At_{nv}(\Gamma, \mathcal{O}) \mid \sigma(X) \sqsubseteq_{\mathcal{O}} \sigma(D) \}.$$

We write S^τ ≤ S^σ if S^τ(X) ⊆ S^σ(X) holds for all variables X. In this case we say that σ is *compatible* with τ.

The following result gives a characterization of the existence of an ELH⁻_R+-unifier w.r.t. an ELH⁻_R+-ontology.

**Proposition 1.** *Let* O *be a flat and cycle-restricted* ELH⁻_R+*-ontology and* Γ *a flat* ELH⁻_R+*-unification problem. Then,* Γ *has an* ELH⁻_R+*-unifier w.r.t.* O *iff there exists a subsumption mapping* τ *for* Γ *w.r.t.* O *such that* Δ_{Γ,τ} *has an* ELH⁻_R+*-unifier* γ *w.r.t.* O *that is compatible with* τ*.*

*Example 2.* Let O = ∅ and consider the following unification problem:

$$\Gamma_2 := \{ \exists r. B \sqsubseteq^? \exists r. Y, \quad \exists s. X \sqcap \exists r. A \sqsubseteq^? Y \}.$$

Due to Condition 3 in Definition 3 and the fact that O is empty, any subsumption mapping τ must satisfy τ(∃r.B, ∃r.Y) = 1. Condition 1e then implies that τ(B, Y) = 1 must hold as well. We can conclude that, for any subsumption mapping τ, the set Δ_{Γ₂,τ} contains at least the subsumption constraints B ⊑? Y and ∃s.X ⊓ ∃r.A ⊑? Y. Using an argument similar to the one employed in Example 1, one can show that such a set Δ_{Γ₂,τ} cannot have an ELH⁻_R+-unifier w.r.t. ∅.

Definition 3 also tells us that Condition 3b does not apply to the constraints B ⊑? Y and ∃s.X ⊓ ∃r.A ⊑? Y as long as there is no non-variable atom C with τ(Y, C) = 1. Hence, it is easy to see that there also is a subsumption mapping τ that has only these two constraints in Δ_{Γ₂,τ}, since the only other mandatory values 1 are the ones required by 1a. For the ontology O = {B ⊑ ∃r.A}, the set Δ_{Γ₂,τ} then has an ELH⁻_R+-unifier w.r.t. O, which maps Y to ∃r.A. This unifier is compatible with τ since the subsumption mapping τ that yields value 1 only if required satisfies S^τ(X) = S^τ(Y) = ∅. Thus, by Lemma 1, Γ₂ has an ELH⁻_R+-unifier w.r.t. O. Note that this unifier is not σ^τ since σ^τ in this case assigns ⊤ to X and Y.

#### **3.2 Translation into Language Inclusions**

Linear language inclusions are a special case of the linear language equations considered in [17] in the context of unification in the DL FL₀. In contrast to the general case, where solvability is an ExpTime-complete problem [17], the linear language inclusions introduced in [18] in the context of unification in EL⁻ have a PSpace-complete solvability problem [18].

**Definition 4.** *Let* X₁,...,Xₙ *be a finite set of* indeterminates*. A* linear language inclusion *over this set of indeterminates and the alphabet* N_R *is an expression of the form*

$$X_i \subseteq L_0 \cup L_1 X_1 \cup \dots \cup L_n X_n,$$

*where* i ∈ {1,...,n} *and each* L_j ⊆ {ε} ∪ N_R *(*0 ≤ j ≤ n*). As usual, the symbol* ε *denotes the empty word. A solution* θ *of such an inclusion assigns sets of words* θ(X_i) ⊆ N_R* *to each indeterminate* X_i *such that* θ(X_i) ⊆ L₀ ∪ L₁·θ(X₁) ∪ ··· ∪ Lₙ·θ(Xₙ)*, where "*·*" denotes concatenation of languages. The solution* θ *is* finite *if* θ(X_i) *is a finite set for all* i ∈ {1,...,n}*.*

Checking whether Δ_{Γ,τ} has an ELH⁻_R+-unifier w.r.t. O that is compatible with a given subsumption mapping τ can be reduced to solving a system I^O_{Γ,τ} of such linear language inclusions. The basic idea is that, for each concept variable X and concept constant A, we introduce an indeterminate X_A. Intuitively, the system I^O_{Γ,τ} is constructed such that the following holds:

– if γ is an ELH⁻_R+-unifier of Δ_{Γ,τ} compatible with τ, then there is an assignment θ_γ satisfying θ_γ(X_A) = {w | ∃w.A ∈ *Part*(γ(X))} that is a finite solution of the system I^O_{Γ,τ}.

Since γ is an ELH⁻_R+-unifier, of which we can assume without loss of generality that it is ground [19], the solution θ_γ satisfies an additional property: for every variable X there is a concept constant A such that θ_γ(X_A) ≠ ∅. We call a solution of I^O_{Γ,τ} satisfying this property *admissible*. Conversely, finite, admissible solutions of I^O_{Γ,τ} yield an appropriate unifier of Δ_{Γ,τ}:

– if I^O_{Γ,τ} has a finite, admissible solution, then it has such a solution θ that yields an ELH⁻_R+-unifier γ_θ of Δ_{Γ,τ} that is compatible with τ. This unifier is defined similarly to σ^τ, but using particles provided by θ for padding:

• if X is minimal w.r.t. >_τ, then

$$\gamma_{\theta}(X) := \bigcap_{D \in S^{\tau}(X)} D \sqcap \bigcap_{A \in N_C} \bigcap_{w \in \theta(X_A)} \exists w. A,$$

• if γ_θ(Y) has already been defined for all Y such that X >_τ Y, then

$$\gamma_{\theta}(X) := \bigcap_{D \in S^{\tau}(X)} \gamma_{\theta}(D) \sqcap \bigcap_{A \in N_C} \bigcap_{w \in \theta(X_A)} \exists w. A.$$

Basically, to define the linear language inclusions in I^O_{Γ,τ}, we consider the following situation: given a particle ∃w.A ∈ *Part*(γ(X)) and a constraint C₁ ⊓ ··· ⊓ Cₙ ⊑? X ∈ Δ_{Γ,τ}, we know (by Lemma 2 in [18]) that γ(C₁) ⊓ ··· ⊓ γ(Cₙ) ⊑_O ∃w.A holds. Hence, the idea is to encode, within the inclusions in I^O_{Γ,τ}, whether a conjunction of atoms and a particle satisfy the characterization of subsumption in Lemma 1.

For the case of an empty ontology, the construction of the system I^∅_{Γ,τ} is relatively straightforward since the characterization of subsumption is quite simple in this case. As described in [18], for each concept constant A ∈ N_C and each subsumption constraint s = C₁ ⊓ ··· ⊓ Cₙ ⊑? X in Δ_{Γ,τ}, a linear inclusion i_A(s) of the following form is added to I^∅_{Γ,τ}:

$$X_A \subseteq f_A(C_1) \cup \dots \cup f_A(C_n), \text{ where } f_A(C) := \begin{cases} \{r\} f_A(C') & \text{if } C = \exists r. C', \\ Y_A & \text{if } C = Y \in N_V, \\ \{\varepsilon\} & \text{if } C = A, \\ \emptyset & \text{if } C \in N_C \setminus \{A\}. \end{cases}$$

*Example 3.* Consider the system Δ_{Γ₂,τ} = {B ⊑? Y, ∃s.X ⊓ ∃r.A ⊑? Y, ...} from Example 2. The first subsumption constraint yields the language inclusions Y_A ⊆ ∅ and Y_B ⊆ {ε}, and the second yields Y_A ⊆ {s}X_A ∪ {r}{ε} and Y_B ⊆ {s}X_B ∪ {r}∅. There are no language inclusions constraining X_A or X_B. Any solution θ of I^∅_{Γ₂,τ} thus must satisfy θ(Y_A) = ∅. If θ is admissible, then θ(Y_B) must be non-empty. The first inclusion for Y_B says that θ(Y_B) consists of the empty word, whereas the second says that every element of θ(Y_B) must start with the letter s. Thus, I^∅_{Γ₂,τ} cannot have an admissible solution.

To take a non-empty ontology into account, the right-hand sides of the language inclusions must be extended. Our new translation yields linear language inclusions i*_A(s) of the form

$$X_A \subseteq f^*_A(C_1) \cup \dots \cup f^*_A(C_n) \cup \mathcal{U}_A(\mathfrak{s}),\tag{1}$$

where $f^*_A(C)$ differs from $f_A(C)$ in the way existential restrictions are treated:

$$f^*_A(\exists r.C') := L_r\, f_A(C') \quad \text{where } L_r := \{ s \in \mathsf{N}_{\mathsf{R}} \mid r \triangleleft_{\mathcal{O}} s \}.$$

This modification of $f_A$ to $f^*_A$ takes care of the role hierarchy.

*Example 4.* For instance, if in the system of Example 3 we replace $B \sqsubseteq^? Y$ with $\exists u.X \sqsubseteq^? Y$, then the language inclusions corresponding to this constraint are $Y_A \subseteq \{u\}X_A$ and $Y_B \subseteq \{u\}X_B$. The new system again does not have an admissible solution. However, if we consider an ontology $\mathcal{O}$ containing $u \sqsubseteq s$, then the new translation yields the language inclusions $Y_A \subseteq \{u, s\}X_A$ and $Y_B \subseteq \{u, s\}X_B$ for this constraint. Consequently, the new system of language inclusions has a finite, admissible solution, which reflects the fact that the system of subsumption constraints has an $\mathcal{ELH}^-_{\mathcal{R}^+}$-unifier w.r.t. $\mathcal{O}$.
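The translation $f_A$ and its role-hierarchy variant $f^*_A$, run on the systems of Examples 3 and 4, as an added Python example that is not part of the paper or of its authors' code. It models only the empty-ontology translation and the expansion of a role $r$ to $L_r$ (the terms $\mathcal{U}_A(\mathfrak{s})$ for GCIs and transitivity are left out), and adds a first-letter check that is merely a necessary condition for an indeterminate to receive a non-empty language. The tuple encoding of flat concepts, the helper names and the `EX3`/`EX4` data are assumptions of this example.

```python
# Added example (not from the paper): translating subsumption constraints
# C_1 ⊓ ... ⊓ C_n ⊑? X into linear language inclusions
#     X_A ⊆ f_A(C_1) ∪ ... ∪ f_A(C_n)                     (empty ontology)
# and the variant f_A^* that replaces a role r by L_r = {s | r ⊑_O s}
# (role hierarchy).  The terms U_A(s) for GCIs and transitivity are omitted.
#
# Flat concepts are encoded as ('const', 'A'), ('var', 'X') or
# ('exists', 'r', inner).  Right-hand-side terms of inclusions are
# ('empty',), ('eps',), ('var', 'X_A') or ('concat', roles, term),
# the last one meaning {r_1, ..., r_k} · term.

EPS = 'ε'


def role_closure(role_axioms, r):
    """L_r: all roles s with r ⊑_O s, i.e. the reflexive-transitive closure
    of the role inclusion axioms, given as pairs (r, s) meaning r ⊑ s."""
    reach = {r}
    changed = True
    while changed:
        changed = False
        for lhs, rhs in role_axioms:
            if lhs in reach and rhs not in reach:
                reach.add(rhs)
                changed = True
    return frozenset(reach)


def f(A, C, role_axioms=None):
    """f_A(C); with role inclusion axioms supplied it computes f_A^*(C)."""
    kind = C[0]
    if kind == 'exists':
        _, r, inner = C
        roles = frozenset({r}) if role_axioms is None else role_closure(role_axioms, r)
        return ('concat', roles, f(A, inner))   # inner concept is flat: plain f_A
    if kind == 'var':
        return ('var', f'{C[1]}_{A}')
    if kind == 'const':
        return ('eps',) if C[1] == A else ('empty',)
    raise ValueError(f'not a flat concept: {C!r}')


def translate(constraint, A, role_axioms=None):
    """i_A(s) for s = C_1 ⊓ ... ⊓ C_n ⊑? X as (indeterminate, [rhs terms])."""
    conjuncts, X = constraint
    return (f'{X}_{A}', [f(A, C, role_axioms) for C in conjuncts])


def first_symbols(term, alphabet):
    """Possible first symbols (EPS for the empty word) of the words denoted by
    a right-hand-side term.  An indeterminate is unconstrained here."""
    kind = term[0]
    if kind == 'empty':
        return set()
    if kind == 'eps':
        return {EPS}
    if kind == 'var':
        return set(alphabet) | {EPS}
    _, roles, inner = term
    return set(roles) if first_symbols(inner, alphabet) else set()


def may_be_nonempty(indeterminate, inclusions, alphabet):
    """Necessary condition for some solution to map the indeterminate to a
    non-empty language: every inclusion constraining it must allow a common
    first symbol.  A failed check is conclusive; a passed check is only a
    candidate (the paper decides this via alternating-automaton emptiness)."""
    allowed = set(alphabet) | {EPS}
    for lhs, rhss in inclusions:
        if lhs == indeterminate:
            allowed &= set().union(*(first_symbols(t, alphabet) for t in rhss))
    return bool(allowed)


def admissible_candidate(constraints, variables, constants, role_axioms=None):
    """Admissibility needs a non-empty language for every variable X, i.e.
    for each X at least one X_A must pass the first-letter check."""
    alphabet = {C[1] for cs, _ in constraints for C in cs if C[0] == 'exists'}
    for lhs, rhs in role_axioms or []:
        alphabet |= {lhs, rhs}
    inclusions = [translate(c, A, role_axioms) for c in constraints for A in constants]
    return all(any(may_be_nonempty(f'{X}_{A}', inclusions, alphabet) for A in constants)
               for X in variables)


# Example 3 of the paper: Δ = { B ⊑? Y,  ∃s.X ⊓ ∃r.A ⊑? Y }
EX3 = [([('const', 'B')], 'Y'),
       ([('exists', 's', ('var', 'X')), ('exists', 'r', ('const', 'A'))], 'Y')]
# Example 4: the first constraint replaced by ∃u.X ⊑? Y, with/without u ⊑ s
EX4 = [([('exists', 'u', ('var', 'X'))], 'Y'), EX3[1]]

if __name__ == '__main__':
    for inc in (translate(c, A) for c in EX3 for A in 'AB'):
        print(inc)
    print(admissible_candidate(EX3, ['X', 'Y'], ['A', 'B']))                # False
    print(admissible_candidate(EX4, ['X', 'Y'], ['A', 'B']))                # False
    print(admissible_candidate(EX4, ['X', 'Y'], ['A', 'B'], [('u', 's')]))  # True
```

The first-letter check reproduces the reasoning of Examples 3 and 4 exactly because in both cases the two inclusions for $Y_B$ disagree already on the first letter; for systems where they agree, the check only says that a non-empty solution is not ruled out, and the automata-based test of [18] is needed to decide.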

The GCIs and transitivity axioms of the ontology are taken care of by the additional term $\mathcal{U}_A(\mathfrak{s})$ in (1). This term uses additional types of indeterminates whose meaning is encoded using additional language inclusions. Indeterminates of the form $Z_{B \to A}$, where $A, B$ are concept constants occurring in $\Gamma$ or $\mathcal{O}$, are supposed to represent languages containing only words $w$ such that $B \sqsubseteq_{\mathcal{O}} \exists w.A$. This intuition is formalized by the set of linear inclusions $\mathcal{I}_{\mathcal{O}}$, which consists of one language inclusion for each indeterminate $Z_{B \to A}$ having the following form:

$$Z_{B \to A} \subseteq L \cup \bigcup_{(r, B') \in I(B)} \{r\}\, Z_{B' \to A},\tag{2}$$

where $I(B) := \{(r, B') \in \mathsf{N}_{\mathsf{R}} \times (\mathit{Ats}(\mathcal{O}) \cap \mathsf{N}_{\mathsf{C}}) \mid B \sqsubseteq_{\mathcal{O}} \exists r.B'\}$ and $L := \{\varepsilon\}$ if $B \sqsubseteq_{\mathcal{O}} A$, and $L := \emptyset$ otherwise. The set of linear inclusions $\mathcal{I}_{\mathcal{O}}$ captures subsumptions of the form $B \sqsubseteq_{\mathcal{O}} \exists w.A$ in the following sense.

**Lemma 4.** *Let* $\mathcal{O}$ *be a flat, cycle-restricted* $\mathcal{ELH}_{\mathcal{R}^+}$*-ontology.*


*Example 5.* Consider again the system $\Delta_{\Gamma_2,\tau}$ of Example 3, but replace $B \sqsubseteq^? Y$ with $\exists r.B \sqsubseteq^? Y$. The language inclusions corresponding to this constraint are $Y_A \subseteq \{r\}\emptyset$ and $Y_B \subseteq \{r\}\{\varepsilon\}$. The new system again does not have an admissible solution. However, if we consider the ontology $\mathcal{O} = \{B \sqsubseteq A\}$, then there are solutions $\theta$ of $\mathcal{I}_{\mathcal{O}}$ that satisfy $\varepsilon \in \theta(Z_{B \to A})$. Thus, if we extend the inclusion $Y_A \subseteq \{r\}\emptyset$ obtained from $\exists r.B \sqsubseteq^? Y$ to $Y_A \subseteq \{r\}\emptyset \cup \{r\}Z_{B \to A}$, then the new system has a solution $\theta$ such that $r \in \theta(Y_A)$, since the other inclusion for $Y_A$ is $Y_A \subseteq \{s\}X_A \cup \{r\}\{\varepsilon\}$. This implies that there is an admissible solution since there are no language inclusions constraining $X_A$ or $X_B$.

To deal with transitivity axioms, we introduce additional indeterminates of the form $X_{A,t}$, which are constrained by the following linear language inclusions: $i_{A,t}(\mathfrak{s}) = X_{A,t} \subseteq f_{A,t}(C_1) \cup \dots \cup f_{A,t}(C_n) \cup \mathcal{U}_{A,t}(\mathfrak{s})$, where

$$f_{A,t}(C) := \begin{cases} f_A(C') & \text{if } C = \exists r.C' \text{ and } r \triangleleft_{\mathcal{O}} t, \\ Y_{A,t} & \text{if } C = Y \in \mathsf{N}_{\mathsf{V}}, \\ \emptyset & \text{otherwise}. \end{cases}$$

Intuitively, the difference between $i^*_A(\mathfrak{s})$ and $i_{A,t}(\mathfrak{s})$ is that, given a particle $\exists t.\exists w.A$ satisfying $\sigma(C_1) \sqcap \cdots \sqcap \sigma(C_n) \sqsubseteq_{\mathcal{O}} \exists t.\exists w.A$, the right-hand side of $i_{A,t}(\mathfrak{s})$ is designed to recognize $w$ instead of $tw$.

*Example 6.* Assume that

$$\Delta_{\Gamma,\tau} = \{ \exists r.B \sqsubseteq^? Y,\ \exists s.X \sqcap \exists r.A \sqsubseteq^? Y,\ \exists t.B \sqsubseteq^? X \}.$$

In addition, consider the ontology $\mathcal{O} = \{s \sqsubseteq t,\ t \sqsubseteq r\}$. Since $\exists r.B \sqsubseteq^? Y$ yields the language inclusion $Y_A \subseteq \{r\}\emptyset$, any solution $\theta$ of $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$ must satisfy $\theta(Y_A) = \emptyset$. Hence, if $\theta$ is admissible, then $\theta(Y_B) \neq \emptyset$. In the presence of $\mathcal{O}$, the new translation also yields the inclusions:

$$Y_B \subseteq \{r\}\{\varepsilon\}, \quad Y_B \subseteq \{s, t, r\} X_B \cup \{r\}\emptyset \quad \text{and} \quad X_B \subseteq \{t, r\}\{\varepsilon\}.$$

Together with $\theta(Y_B) \neq \emptyset$, the first of these inclusions yields $\theta(Y_B) = \{r\}$. The second inclusion then implies that $\varepsilon \in \theta(X_B)$, and hence $\theta$ does not solve the third inclusion. Thus, $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$ cannot have an admissible solution, corresponding to the fact that $\Delta_{\Gamma,\tau}$ does not have an $\mathcal{ELH}^-_{\mathcal{R}^+}$-unifier w.r.t. $\mathcal{O}$.

However, if we add the transitivity axiom $t \circ t \sqsubseteq t$ to $\mathcal{O}$, then $\Delta_{\Gamma,\tau}$ has an $\mathcal{ELH}^-_{\mathcal{R}^+}$-unifier $\gamma$ with $\gamma(X) = \exists t.B$ and $\gamma(Y) = \exists r.B$ w.r.t. this ontology. The inclusion $i_{B,t}(\mathfrak{s}) = X_{B,t} \subseteq \{\varepsilon\}$, obtained from $\mathfrak{s} = \exists t.B \sqsubseteq^? X$, admits solutions $\theta$ with $\theta(X_{B,t}) = \{\varepsilon\}$. Hence, if we extend the language inclusion $Y_B \subseteq \{s, t, r\}X_B \cup \{r\}\emptyset$ to the new one

$$Y_B \subseteq \{s, t, r\}\, X_B \cup \{r\}\, \emptyset \cup \{r\}\, X_{B,t}$$

that takes transitivity of $t$ into account, then the new system of language inclusions has an admissible solution with $\theta(Y_B) = \{r\}$ and $\theta(X_B) = \{t\}$, which corresponds to the unifier $\gamma$.

Since the definitions of the terms $\mathcal{U}_A(\mathfrak{s})$ and $\mathcal{U}_{A,t}(\mathfrak{s})$ are quite long and technical, we refer to [9] for exact definitions and detailed explanations motivating them. Let $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$ be the system of linear language inclusions consisting of $\mathcal{I}_{\mathcal{O}}$ and the inclusions $i^*_A(\mathfrak{s})$ and $i_{A,t}(\mathfrak{s})$ for every subsumption constraint $\mathfrak{s}$ in $\Delta_{\Gamma,\tau}$. Note that the definition of these language inclusions does not only depend on $\Delta_{\Gamma,\tau}$, but also on $\tau$ itself (see Definition 4.17 in [9] for the exact definition).

**Proposition 2.** *Let* $\tau$ *be a subsumption mapping for* $\Gamma$ *w.r.t.* $\mathcal{O}$*. The unification problem* $\Delta_{\Gamma,\tau}$ *has an* $\mathcal{ELH}^-_{\mathcal{R}^+}$*-unifier* $\gamma$ *w.r.t.* $\mathcal{O}$ *that is compatible with* $\tau$ *iff the system of linear language inclusions* $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$ *has a finite, admissible solution.*

The proof of the only-if direction of this proposition makes use of the fact that we can assume without loss of generality that $\gamma$ is a simple unifier. In fact, this is already taken into account in the definition of $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$ (see [9]).

**Definition 5.** *The* $\mathcal{ELH}^-_{\mathcal{R}^+}$*-unifier* $\gamma$ *of* $\Delta_{\Gamma,\tau}$ *w.r.t.* $\mathcal{O}$ *is called* simple *if, for all* $C_1 \sqcap \cdots \sqcap C_n \sqsubseteq^? X \in \Delta_{\Gamma,\tau}$ *and* $\exists w.A \in \mathit{Part}(\gamma(X))$*, the following holds:*

- *(a)* $C_i$ *is a ground atom and* $C_i \sqsubseteq^{s}_{\mathcal{O}} \exists w.A$*, or*
- *(b)* $C_i = Y$ *is a variable and* $\exists w.A \in \mathit{Part}(\gamma(C_i))$*, or*
- *(c)* $C_i = \exists r.Y$ *for a variable* $Y$*,* $w = sw'$ *for some* $s \in \mathsf{N}_{\mathsf{R}}$ *and* $w' \in \mathsf{N}_{\mathsf{R}}^*$*, and*
  - $\exists w'.A \in \mathit{Part}(\gamma(Y))$ *and* $r \triangleleft_{\mathcal{O}} s$*, or*
  - $\exists t.\exists w'.A \in \mathit{Part}(\gamma(Y))$ *for a transitive role* $t$ *s.t.* $r \triangleleft_{\mathcal{O}} t \triangleleft_{\mathcal{O}} s$*; or*
- *(a)* $\mathit{At}_1 \sqcap \cdots \sqcap \mathit{At}_k \sqsubseteq_{\mathcal{O}} \mathit{At}$*,*
- *(b) for all* $\ell \in \{1, \dots, k\}$*, there exists* $i \in \{1, \dots, n\}$ *s.t.* $\tau(C_i, \mathit{At}_\ell) = 1$*, and*
- *(c)* $\mathit{At} \sqsubseteq^{s}_{\mathcal{O}} \exists w.A$*.*

**Lemma 5.** *If* $\Gamma$ *is an* $\mathcal{ELH}^-_{\mathcal{R}^+}$*-unification problem that is unifiable w.r.t.* $\mathcal{O}$*, then there exists a subsumption mapping* $\tau$ *for* $\Gamma$ *w.r.t.* $\mathcal{O}$ *such that* $\Delta_{\Gamma,\tau}$ *has a* simple $\mathcal{ELH}^-_{\mathcal{R}^+}$*-unifier* $\sigma$ *w.r.t.* $\mathcal{O}$ *that is compatible with* $\tau$*.*

#### **3.3 The PSpace Algorithm**

Using the results described in the previous two subsections, we can construct an NPSpace decision procedure for unification in $\mathcal{ELH}^-_{\mathcal{R}^+}$ w.r.t. cycle-restricted $\mathcal{ELH}^-_{\mathcal{R}^+}$-ontologies. Due to Savitch's theorem [26], this implies that the problem is also in PSpace.

Given an input consisting of an $\mathcal{ELH}^-_{\mathcal{R}^+}$-unification problem and a cycle-restricted $\mathcal{ELH}^-_{\mathcal{R}^+}$-ontology, the algorithm transforms the ontology and the unification problem into flat ones, which we denote as $\Gamma$ and $\mathcal{O}$. It then proceeds as follows:


Flattening can be done in polynomial time and preserves unifiability [5,18]. A mapping $\tau : \mathit{Ats}^{tr}(\Gamma, \mathcal{O}) \times \mathit{Ats}^{tr}(\Gamma, \mathcal{O}) \to \{0, 1\}$ can be guessed in nondeterministic polynomial time, and checking whether it satisfies the properties of a subsumption mapping (see Definition 3) can clearly also be realized within polynomial space, as can the translations into $\Delta_{\Gamma,\tau}$ and $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$. Finally, as shown in [18], testing for the existence of a finite, admissible solution of $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$ can be reduced in polynomial time to checking emptiness of alternating finite automata with $\varepsilon$-transitions, which is a PSpace-complete problem [23]. This shows that the introduced algorithm really is an NPSpace algorithm. Its correctness is an immediate consequence of Propositions 1 and 2. Since PSpace-hardness already holds for the special case of an empty ontology, we thus have shown the following main result of this paper.

**Theorem 1.** *Deciding unifiability of* $\mathcal{ELH}^-_{\mathcal{R}^+}$*-unification problems w.r.t. cycle-restricted* $\mathcal{ELH}^-_{\mathcal{R}^+}$*-ontologies is PSpace-complete.*

#### **4 Conclusion**

We have shown that the approach for obtaining a PSpace decision procedure for $\mathcal{EL}^-$-unification without a background ontology [18] can be extended to unification w.r.t. a cycle-restricted $\mathcal{ELH}_{\mathcal{R}^+}$-ontology, i.e., an ontology that may contain general concept inclusions (GCIs) formulated in $\mathcal{EL}^-$ as well as role inclusion and transitivity axioms, but does not entail a cyclic subsumption of the form $C \sqsubseteq_{\mathcal{O}} \exists r_1.\exists r_2. \cdots \exists r_n.C$ ($n \geq 1$). As explained in the introduction, both considering concept descriptions not containing the top concept and considering GCIs and role axioms is motivated by the expressivity employed in the medical ontology SNOMED CT. Dealing with such a background ontology not only makes the approach more complicated due to the more involved characterization of subsumption (see Lemma 1 and Definition 3, compared to the much simpler versions in [18]), but also requires the development of new notions, such as simple unifiers and the extension of the system of linear language inclusions with new indeterminates and corresponding inclusions.

With SNOMED CT in mind, it would be interesting to see whether results on unification (with or without top) can be further extended to ontologies additionally containing so-called right-identity rules, i.e., role axioms of the form $r \circ s \sqsubseteq r$, since they are also needed to get rid of the SEP-triplet encoding mentioned in the introduction. However, extending the characterization of subsumption to this setting is probably a non-trivial problem. From a theoretical point of view, the big open problem is whether one can dispense with the requirement that the ontology must be cycle-restricted. Even for pure $\mathcal{EL}$, decidability of unification w.r.t. unrestricted ontologies is an open problem.

From a practical point of view, the next step is to develop an algorithm that replaces non-deterministic guessing by a more intelligent search procedure. Since the unification problem is PSpace-complete, a polynomial translation of the whole problem into SAT is not possible (unless NP = PSpace). However, one could try to delegate the search for a subsumption mapping to a SAT solver, which interacts with a solver for the additional condition on such a mapping (existence of a finite, admissible solution of $\mathcal{I}^{\mathcal{O}}_{\Gamma,\tau}$) in an SMT-like fashion [21].

**Acknowledgments.** This work was partially supported by the German Federal Ministry of Education and Research (BMBF, SCADS22B) and the Saxon State Ministry for Science, Culture and Tourism (SMWK) by funding the competence center for Big Data and AI "ScaDS.AI Dresden/Leipzig". The authors would like to thank Stefan Borgwardt and Francesco Kriegel for helpful discussions on the form of the definitions and axioms used in the current version of SNOMED CT.

#### **References**

1. Baader, F., Binh, N.T., Borgwardt, S., Morawska, B.: Unification in the description logic EL without the top concept. In: Bjørner, N., Sofronie-Stokkermans, V. (eds.) CADE 2011. LNCS (LNAI), vol. 6803, pp. 70–84. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22438-6_8


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# Confluence of Logically Constrained Rewrite Systems Revisited

Jonas Schöpf (B), Fabian Mitterwallner, and Aart Middeldorp

Department of Computer Science, University of Innsbruck, Innsbruck, Austria {jonas.schoepf,fabian.mitterwallner,aart.middeldorp}@uibk.ac.at

Abstract. We show that (local) confluence of terminating logically constrained rewrite systems is undecidable, even when the underlying theory is decidable. Several confluence criteria for logically constrained rewrite systems are known. These were obtained by replaying existing proofs for plain term rewrite systems in a constrained setting, involving a nontrivial effort. We present a simple transformation from logically constrained rewrite systems to term rewrite systems such that critical pairs of the latter correspond to constrained critical pairs of the former. The usefulness of the transformation is illustrated by lifting the advanced confluence results based on (almost) development closed critical pairs as well as on parallel critical pairs to the constrained setting.

# 1 Introduction

Logically constrained rewrite systems (LCTRSs) [12] are a natural extension of plain term rewrite systems (TRSs) with native support for constraints that are handled by SMT solvers. The latter makes LCTRSs suitable for program analysis [3–5,22]. In this paper we are concerned with confluence techniques for LCTRSs. Numerous techniques exist to (dis)prove confluence of TRSs. For LCTRSs much less is known. Kop and Nishida [12] established (weak) orthogonality as sufficient confluence criteria for LCTRSs. Joinability of critical pairs for terminating systems is implicit in [22]. Very recently, strong closedness for linear LCTRSs and (almost) parallel closedness for left-linear LCTRSs were established [17]. The proofs of these results were obtained by *replaying* existing proofs for TRSs in a constrained setting, involving a non-trivial effort. For more advanced confluence criteria, this is not feasible.

In particular, the conclusion in [12] that LCTRSs "are *flexible*: common analysis techniques for term rewriting extend to LCTRSs without much effort" is not accurate. On the contrary, in Sect. 3 we show that (local) confluence of terminating LCTRSs is undecidable, even for a decidable fragment of the theory of integers.

In Sect. 4 we present a simple transformation from LCTRSs to TRSs which allows us to relate results for the latter to the former. We use the transformation to extend two advanced confluence criteria based on (parallel) critical pairs from TRSs to LCTRSs: In Sect. 5 we prove that (almost) development closed left-linear LCTRSs are confluent by *reusing* the corresponding result for TRSs obtained by van Oostrom [15] and in Sect. 6 we lift the result of Toyama [20] based on parallel critical pairs from TRSs to LCTRSs. Both results are employed in state-of-the-art confluence provers for TRSs (ACP [2], CSI [14], Hakusan [19]) and have only recently been formally verified in the Isabelle proof assistant [7,10,11].

This research is funded by the Austrian Science Fund (FWF) project I5943.

© The Author(s) 2024

C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 298–316, 2024. https://doi.org/10.1007/978-3-031-63501-4_16

For the LCTRS extension of the result of Toyama [20] we observed a subtle problem in the definition of the equivalence relation on constrained terms, which goes back to [12] and has been used in subsequent work on LCTRSs [5,17,22]. We briefly discuss the issue at the end of the next section, after recalling basic notions for LCTRSs. For space reasons some of the more technical proofs are only available in an extended version of this paper [18]. The results in Sect. 4 and Sect. 5 were first announced in [13].

# 2 Preliminaries

We assume familiarity with the basic notions of term rewriting. In this section we recall a few key notions for LCTRSs. For more background information we refer to [12,17,22]. We assume a many-sorted signature $\mathcal{F} = \mathcal{F}_{\mathsf{te}} \cup \mathcal{F}_{\mathsf{th}}$ with a term and theory part. For every sort $\iota$ in $\mathcal{F}_{\mathsf{th}}$ we have a non-empty set $\mathit{Val}_\iota \subseteq \mathcal{F}_{\mathsf{th}}$ of value symbols, such that all $c \in \mathit{Val}_\iota$ are constants of sort $\iota$. We demand $\mathcal{F}_{\mathsf{te}} \cap \mathcal{F}_{\mathsf{th}} \subseteq \mathit{Val}$ where $\mathit{Val} = \bigcup_\iota \mathit{Val}_\iota$. In the case of integers this results in an infinite signature with $\mathbb{Z} \subseteq \mathit{Val} \subseteq \mathcal{F}_{\mathsf{th}}$. A term in $\mathcal{T}(\mathcal{F}_{\mathsf{th}}, \mathcal{V})$ is called a *logical* term. Ground logical terms are mapped to values by an interpretation $\mathcal{J}$: $[\![f(t_1, \dots, t_n)]\!] = f_{\mathcal{J}}([\![t_1]\!], \dots, [\![t_n]\!])$. We assume a bijection between value symbols and elements in the domain of $\mathcal{J}$, e.g., for integers: $[\![0]\!] = 0$, $[\![-1]\!] = -1$, $[\![1]\!] = 1$ and so on. Logical terms of sort bool are called *constraints*. A constraint $\varphi$ is *valid* if $[\![\varphi\gamma]\!] = \top$ for all substitutions $\gamma$ such that $\gamma(x) \in \mathit{Val}$ for all $x \in \mathit{Var}(\varphi)$. A *constrained rewrite rule* is a triple $\ell \to r\ [\varphi]$ where $\ell, r \in \mathcal{T}(\mathcal{F}, \mathcal{V})$ are terms of the same sort such that $\mathsf{root}(\ell) \in \mathcal{F}_{\mathsf{te}} \setminus \mathcal{F}_{\mathsf{th}}$ and $\varphi$ is a constraint. We denote the set $\mathit{Var}(\varphi) \cup (\mathit{Var}(r) \setminus \mathit{Var}(\ell))$ of *logical* variables in $\ell \to r\ [\varphi]$ by $\mathit{LVar}(\ell \to r\ [\varphi])$. A constrained rewrite rule is left-linear (right-linear) if non-logical variables in the left-hand side (right-hand side) occur at most once. If a rule is left-linear and right-linear then it is called linear. An LCTRS is a set of constrained rewrite rules.

A substitution $\sigma$ is said to *respect* a rule $\ell \to r\ [\varphi]$, denoted by $\sigma \models \ell \to r\ [\varphi]$, if $\mathit{Dom}(\sigma) \subseteq \mathit{Var}(\ell) \cup \mathit{Var}(r) \cup \mathit{Var}(\varphi)$, $\sigma(x) \in \mathit{Val}$ for all $x \in \mathit{LVar}(\ell \to r\ [\varphi])$, and $[\![\varphi\sigma]\!] = \top$. Moreover, a constraint $\varphi$ is respected by $\sigma$, denoted by $\sigma \models \varphi$, if $\sigma(x) \in \mathit{Val}$ for all $x \in \mathit{Var}(\varphi)$ and $[\![\varphi\sigma]\!] = \top$. We call $f(x_1, \dots, x_n) \to y\ [y = f(x_1, \dots, x_n)]$ with a fresh variable $y$ and $f \in \mathcal{F}_{\mathsf{th}} \setminus \mathit{Val}$ a *calculation rule*. Calculation rules are not part of the rules of an LCTRS $\mathcal{R}$. The set of all calculation rules induced by the signature $\mathcal{F}_{\mathsf{th}}$ of an LCTRS $\mathcal{R}$ is denoted by $\mathcal{R}_{\mathsf{ca}}$ and we abbreviate $\mathcal{R} \cup \mathcal{R}_{\mathsf{ca}}$ to $\mathcal{R}_{\mathsf{rc}}$. An LCTRS is called linear (left-linear, right-linear) if all its rules in $\mathcal{R}$ are linear (left-linear, right-linear). A rewrite step $s \to_{\mathcal{R}} t$ satisfies $s|_p = \ell\sigma$ and $t = s[r\sigma]_p$ for some position $p$, constrained rewrite rule $\ell \to r\ [\varphi]$ in $\mathcal{R}_{\mathsf{rc}}$, and substitution $\sigma$ such that $\sigma \models \ell \to r\ [\varphi]$. We drop the subscript $\mathcal{R}$ from $\to_{\mathcal{R}}$ when no confusion arises. An LCTRS $\mathcal{R}$ is confluent if for all terms $s$, $t$ and $u$ with $s \to^* t$ and $s \to^* u$ there exists a term $v$ with $t \to^* v$ and $u \to^* v$. For confluence analysis we need to rewrite constrained terms.

A *constrained term* is a pair $s\ [\varphi]$ consisting of a term $s$ and a constraint $\varphi$. Two constrained terms $s\ [\varphi]$ and $t\ [\psi]$ are *equivalent*, denoted by $s\ [\varphi] \sim t\ [\psi]$, if for every substitution $\gamma \models \varphi$ with $\mathit{Dom}(\gamma) = \mathit{Var}(\varphi)$ there is some substitution $\delta \models \psi$ with $\mathit{Dom}(\delta) = \mathit{Var}(\psi)$ such that $s\gamma = t\delta$, and vice versa. Let $s\ [\varphi]$ be a constrained term. If $s|_p = \ell\sigma$ for some constrained rewrite rule $\rho\colon \ell \to r\ [\psi] \in \mathcal{R}_{\mathsf{rc}}$, position $p$, and substitution $\sigma$ such that $\sigma(x) \in \mathit{Val}\cup\mathit{Var}(\varphi)$ for all $x \in \mathit{LVar}(\rho)$, $\varphi$ is satisfiable and $\varphi \Rightarrow \psi\sigma$ is valid, then $s\ [\varphi] \to_{\mathcal{R}} s[r\sigma]_p\ [\varphi]$. The rewrite relation $\xrightarrow{\sim}_{\mathcal{R}}$ on constrained terms is defined as $\sim \cdot \to_{\mathcal{R}} \cdot \sim$, and $s\ [\varphi] \xrightarrow{\sim}_p t\ [\psi]$ indicates that the rewrite step in $\xrightarrow{\sim}_{\mathcal{R}}$ takes place at position $p$. Similarly, we write $s\ [\varphi] \xrightarrow{\sim}_{>p} t\ [\psi]$ if the position in the rewrite step is below position $p$. Note that in our definition of $\to_{\mathcal{R}}$ the constraint is not modified. This equals [5, Definition 2.15], but is different from [12,17] where calculation steps $s[f(v_1, \dots, v_n)]_p\ [\varphi] \to s[v]_p\ [\varphi \wedge v = f(v_1, \dots, v_n)]$ modify the constraint. However, the relation $\xrightarrow{\sim}$ can simulate the relation $\to_{\mathcal{R}}$ from [12,17] as exemplified below.

*Example 1.* Consider the constrained term $x + 1\ [x > 3]$. Calculation steps as defined in [12,17] permit $x + 1\ [x > 3] \to z\ [z = x + 1 \wedge x > 3]$. In our setting, an initial equivalence step is required to introduce the fresh variable $z$ and the corresponding assignment needed to perform a calculation: $x + 1\ [x > 3] \sim x + 1\ [z = x + 1 \wedge x > 3] \to z\ [z = x + 1 \wedge x > 3]$.

Our treatment allows for a much simpler definition of parallel and multi-step rewriting since we do not have to merge different constraints.

#### Equivalence on Constrained Terms

The equivalence on constrained terms $\sim$ used in this paper also differs from the equivalence relation used in [12,17], which we will denote by $\sim'$. In $\sim'$ the domain of substitutions is not restricted, i.e., $s\ [\varphi] \sim' t\ [\psi]$ if and only if for all substitutions $\gamma \models \varphi$ there exists a substitution $\delta$ where $\delta \models \psi$ and $s\gamma = t\delta$. Intuitively, constrained terms are equivalent with respect to $\sim'$ if their sets of "allowed" instances are equivalent, while for $\sim$ we only instantiate variables appearing in the constraints and therefore representing some value. We have $\sim \subseteq \sim'$. This can be seen as follows. First of all, any substitution $\gamma$ with $\gamma \models \varphi$ can be split into $\gamma_1$ and $\gamma_2$ such that $\gamma = \gamma_1 \cup \gamma_2 = \gamma_1\gamma_2$ with $\mathit{Dom}(\gamma_1) = \mathit{Var}(\varphi)$ and $\gamma_1 \models \varphi$. From $s\ [\varphi] \sim t\ [\psi]$ we obtain a substitution $\delta_1$ where $\mathit{Dom}(\delta_1) = \mathit{Var}(\psi)$, $\delta_1 \models \psi$ and $s\gamma_1 = t\delta_1$. Hence also $s\gamma = s\gamma_1\gamma_2 = t\delta_1\gamma_2 = t\delta$ for $\delta = \delta_1\gamma_2$, which implies $s\ [\varphi] \sim' t\ [\psi]$. However, $\sim' \subseteq \sim$ does not hold since $x\ [\mathsf{true}] \sim' y\ [\mathsf{true}]$ and $x\ [\mathsf{true}] \not\sim y\ [\mathsf{true}]$.

The change is necessary, since we have to differentiate (non-logical) variables in constrained terms from one another, to keep track of them through rewrite sequences. Take the (LC)TRS $\mathcal{R}$ consisting of the rule $f(x, y) \to x$. When rewriting unconstrained terms we have $f(x, y) \to_{\mathcal{R}} x$ and $f(x, y) \not\to_{\mathcal{R}} y$. When rewriting on constrained terms with respect to $\sim'$, however, we have $f(x, y)\ [\mathsf{true}] \sim' \cdot \to \cdot \sim' x\ [\mathsf{true}]$ and $f(x, y)\ [\mathsf{true}] \sim' \cdot \to \cdot \sim' y\ [\mathsf{true}]$, losing any information connecting the resulting variable to the initial term. This is especially problematic in our analysis of parallel critical pairs in Sect. 6, where keeping track of variables through rewrite sequences is essential. Note that $f(x, y)\ [\mathsf{true}] \xrightarrow{\sim} x\ [\mathsf{true}]$ but not $f(x, y)\ [\mathsf{true}] \xrightarrow{\sim} y\ [\mathsf{true}]$.

# 3 Undecidability

Confluence is a decidable property of finite terminating TRSs, a celebrated result of Knuth and Bendix [9] which forms the basis of completion. For LCTRSs matters are more complicated.

Theorem 1. *Local confluence is undecidable for terminating* LCTRS*s.*

*Proof.* We use a reduction from PCP [16]. Let $P = \{(\alpha_1, \beta_1), \dots, (\alpha_N, \beta_N)\}$ with $\alpha_1, \dots, \alpha_N, \beta_1, \dots, \beta_N \in \{0, 1\}^+$ be an instance of PCP, where we assume that $\alpha_i \neq \beta_i$ for at least one $i \in \{1, \dots, N\}$. This entails no loss of generality, since instances that violate this assumption are trivially solvable. We encode candidate strings over $\{1, \dots, N\}$ as natural numbers where the empty string $\epsilon$ is represented by $[\epsilon] = 0$, and a non-empty string $i_0 i_1 \cdots i_k$ is represented by $[i_0 i_1 \cdots i_k] = N \cdot [i_1 \cdots i_k] + i_0$. So $[i_0 i_1 \cdots i_k] = i_0 + i_1 \cdot N + \cdots + i_k \cdot N^k$. For instance, assuming $N = 3$, the number 102 encodes the candidate string 3313 since $102 = 3 \cdot 33 + 3$, $33 = 3 \cdot 10 + 3$, $10 = 3 \cdot 3 + 1$ and $3 = 3 \cdot 0 + 3$. Conversely, the candidate string 112 is mapped to $22 = 1 + 1 \cdot 3^1 + 2 \cdot 3^2$. It is not difficult to see that this results in a bijection between $\mathbb{N}$ and candidate strings, for each $N > 0$.

The LCTRS $\mathcal{R}_P$ that we construct is defined over the theory Ints, with theory symbols $\mathcal{F}_{\mathsf{th}} = \{>, +, \cdot, =, \wedge\} \cup \mathit{Val}$ and values $\mathit{Val} = \mathbb{B} \cup \mathbb{Z}$, with the additional sorts PCP and String and the following term signature:


The LCTRS $\mathcal{R}_P$ consists of the following rules:

$$\begin{aligned}
\mathsf{start} &\to \mathsf{test}(\mathsf{alpha}(n), \mathsf{beta}(n)) \quad [n > 0] \\
\mathsf{test}(\mathsf{e}, \mathsf{e}) &\to \top & \mathsf{test}(\mathsf{0}(x), \mathsf{0}(y)) &\to \mathsf{test}(x, y) & \mathsf{test}(\mathsf{0}(x), \mathsf{1}(y)) &\to \bot \\
\mathsf{test}(\mathsf{1}(x), \mathsf{1}(y)) &\to \mathsf{test}(x, y) & \mathsf{test}(\mathsf{1}(x), \mathsf{0}(y)) &\to \bot & \mathsf{test}(\mathsf{0}(x), \mathsf{e}) &\to \bot \\
\mathsf{test}(\mathsf{e}, \mathsf{0}(y)) &\to \bot & \mathsf{test}(\mathsf{1}(x), \mathsf{e}) &\to \bot & \mathsf{test}(\mathsf{e}, \mathsf{1}(y)) &\to \bot \\
\mathsf{alpha}(0) &\to \mathsf{e} & \mathsf{beta}(0) &\to \mathsf{e}
\end{aligned}$$

and, for all i ∈ {1,...,N },

$$\begin{aligned} \mathsf{alpha}(n) &\to \alpha_i(\mathsf{alpha}(m)) & [N \cdot m + i = n \wedge n > 0] \\ \mathsf{beta}(n) &\to \beta_i(\mathsf{beta}(m)) & [N \cdot m + i = n \wedge n > 0] \end{aligned}$$

Here, for a string $\gamma \in \{0, 1\}^*$ and a term $t : \mathsf{String}$, $\gamma(t) : \mathsf{String}$ is defined as

$$\gamma(t) = \begin{cases} t & \text{if } \gamma = \epsilon \\ \mathbf{0}(\gamma'(t)) & \text{if } \gamma = 0\gamma' \\ \mathbf{1}(\gamma'(t)) & \text{if } \gamma = 1\gamma' \end{cases}$$

Note that in the constraints $n$ and $m$ are variables, while $N$ and $i$ are values. Hence all constraints are in the decidable fragment of linear integer arithmetic and the rewrite relation $\to_{\mathcal{R}_P}$ is computable.

We claim that $\mathcal{R}_P$ is locally confluent if and only if $P$ has no solution. The LCTRS $\mathcal{R}_P$ admits the constrained critical pair

$$\mathsf{test}(\mathsf{alpha}(n), \mathsf{beta}(n)) \approx \mathsf{test}(\mathsf{alpha}(m), \mathsf{beta}(m)) \quad [n > 0 \wedge m > 0]$$

with $n \neq m$. The rules with left-hand sides $\mathsf{alpha}(n)$ and $\mathsf{beta}(n)$ give rise to further constrained critical pairs but these are harmless since for all $n, N > 0$ there are unique numbers $i$ and $m$ satisfying the constraint $[N \cdot m + i = n \wedge n > 0]$.

By construction of the rules for $\mathsf{test}$, $\mathsf{test}(\mathsf{alpha}(n), \mathsf{beta}(n)) \to^* \top$ if $n$ represents a solution of $P$ and $\mathsf{test}(\mathsf{alpha}(n), \mathsf{beta}(n)) \to^* \bot$ if $n$ does not represent a solution of $P$. Since we assume that $P$ is non-trivial, the latter happens for some $n > 0$. Hence all instances of the constrained critical pairs can only be joined if $\mathsf{test}(\mathsf{alpha}(n), \mathsf{beta}(n)) \to^* \bot$ for all $n > 0$. Hence $\mathcal{R}_P$ is locally confluent if and only if $P$ has no solution.

The LCTRS $\mathcal{R}_P$ is terminating by the recursive path order [12] with the precedence $\mathsf{start} > \mathsf{test} > \mathsf{alpha} > \mathsf{beta} > \mathsf{1} > \mathsf{0} > \mathsf{e} > \top > \bot$ and the well-founded order $>_{\mathsf{Int}}$ on integers where $x >_{\mathsf{Int}} y$ if and only if $x > y$ and $x \geqslant 0$. The key observation is that the constraint $[N \cdot m + i = n \wedge n > 0]$ in the recursive rules for $\mathsf{alpha}$ and $\mathsf{beta}$ ensures $n > m$ since $N > 0$ and $i \geqslant 1$.

A key difference between TRSs and LCTRSs leading to this undecidability result can be seen in the first rule: $\mathsf{start} \to \mathsf{test}(\mathsf{alpha}(n), \mathsf{beta}(n))\ [n > 0]$. Plain TRSs usually do not allow variables appearing only in the right-hand side of a rule, as is the case for $n$ here, because then termination never holds. However, in LCTRSs such variables are useful, since they can be used to model computations on arbitrary values which are often used to represent user input in program analysis. For $\mathcal{R}_P$ this leads to infinitely many possible steps starting from the term $\mathsf{start}$ and in turn to infinitely many critical pairs, breaking decidability.

# 4 Transformation

In this section we present a simple transformation from LCTRSs to possibly infinite TRSs, which exactly corresponds to the intuition behind LCTRSs. This allows us to lift results on TRSs more easily to LCTRSs than previously possible.

Definition 1. *Given an* LCTRS R*, the* TRS R *consists of the following rules:* ℓτ → rτ *for all* ρ: ℓ → r [ϕ] ∈ Rrc *with* τ ρ *and* Dom(τ) = LVar(ρ)*.*

Note that R typically consists of infinitely many rules.

Lemma 1. *The rewrite relations of the* LCTRS R *and the* TRS R *of Definition 1 are the same. Moreover* →p,R = →p,R *for all positions* p*.*

*Proof.* We first show →p,R ⊆ →p,R (from the LCTRS to the TRS of Definition 1). Assume s →p,R t. We have s = s[ℓσ]p → s[rσ]p = t for some ρ: ℓ → r [ϕ] ∈ Rrc and σ ρ. We split σ into two substitutions τ = {x → σ(x) | x ∈ LVar(ρ)} and δ = {x → σ(x) | x ∈ Var(ℓ) \ LVar(ρ)}. From σ ρ we infer τ ρ and thus τ(x) ∈ Val for all x ∈ LVar(ρ). Hence σ = τ ∪ δ = τδ. We have ℓτ → rτ ∈ R. Hence s = s[ℓτδ]p →p,R s[rτδ]p = t as desired. To show the reverse inclusion →p,R ⊆ →p,R we assume s →p,R t in the TRS. Then s = s[ℓμν]p →p,R s[rμν]p for some rule ρ: ℓ → r [ϕ] ∈ R with μ ρ. Let σ = μν. Since μ(x) ∈ Val for all x ∈ LVar(ρ), we have xσ = xμ for all x ∈ LVar(ρ). Hence σ ρ and thus s = s[ℓσ]p →p,R s[rσ]p = t.

Since →R and →R coincide, we drop the subscript in the sequel. We write EVar(ℓ → r [ϕ]) for the set Var(r) \ (Var(ℓ) ∪ Var(ϕ)) of extra variables of a rule. In the computation of constrained critical pairs these variables of the overlapping rules would lose the property of being a logical variable without adding trivial constraints. Given a constrained rewrite rule ρ, we write ECρ for {x = x | x ∈ EVar(ρ)}. The set of positions in a term s is denoted by Pos(s). We write ε for the root position and PosF(s) for the set of positions of function symbols in s.

Definition 2. *An* overlap *of an* LCTRS R *is a triple* ρ1, p, ρ2 *with rules* ρ1 : ℓ1 → r1 [ϕ1] *and* ρ2 : ℓ2 → r2 [ϕ2]*, satisfying the following conditions: (1)* ρ1 *and* ρ2 *are variable-disjoint variants of rewrite rules in* Rrc*, (2)* p ∈ PosF(ℓ2)*, (3)* ℓ1 *and* ℓ2|p *unify with mgu* σ *such that* σ(x) ∈ Val ∪ V *for all* x ∈ LVar(ρ1) ∪ LVar(ρ2)*, (4)* ϕ1σ ∧ ϕ2σ *is satisfiable, and (5) if* p = ε *then* ρ1 *and* ρ2 *are not variants, or* Var(r1) ⊈ Var(ℓ1)*. In this case we call* ℓ2σ[r1σ]p ≈ r2σ [ϕ1σ ∧ ϕ2σ ∧ ψσ] *a* constrained critical pair *obtained from the overlap* ρ1, p, ρ2*. Here* ψ = ECρ1 ∧ ECρ2*. The peak* ℓ2σ[r1σ]p [Φ] ← ℓ2σ [Φ] → r2σ [Φ] *with* Φ = (ϕ1 ∧ ϕ2 ∧ ψ)σ*, from which the constrained critical pair originates, is called a* constrained critical peak*. The set of all constrained critical pairs of* R *is denoted by* CCP(R)*. A constrained critical pair* s ≈ t [ϕ] *is* trivial *if* sσ = tσ *for every substitution* σ *with* σ ϕ*.*

A key ingredient of our approach is to relate critical pairs of the transformed TRS to constrained critical pairs of the original LCTRS.

Theorem 2. *For every critical pair* s ≈ t *of the* TRS R *there exists a constrained critical pair* s′ ≈ t′ [ϕ′] *of the* LCTRS R *and a substitution* γ *such that* s = s′γ*,* t = t′γ *and* γ ϕ′*.*

*Proof.* Let s ≈ t be a critical pair of R, originating from the critical peak ℓ2μσ[r1νσ]p ← ℓ2μσ = ℓ2μσ[ℓ1νσ]p → r2μσ with variants ρ1 : ℓ1 → r1 [ϕ1] and ρ2 : ℓ2 → r2 [ϕ2] of rules in Rrc without shared variables. Let ψi = ECρi for i ∈ {1, 2}. Furthermore we have Dom(ν) = LVar(ρ1), Dom(μ) = LVar(ρ2), ν ϕ1 ∧ ψ1, μ ϕ2 ∧ ψ2, p ∈ PosF(ℓ2μ), and σ is an mgu of ℓ2μ|p and ℓ1ν. Moreover, if p = ε then ℓ1ν → r1ν and ℓ2μ → r2μ are not variants. Define τ = ν ∪ μ. We have Dom(τ) = LVar(ρ1) ∪ LVar(ρ2). Let ϕ = ϕ1 ∧ ϕ2 ∧ ψ1 ∧ ψ2. Clearly, ℓ1τ = ℓ1ν, r1τ = r1ν, ℓ2τ = ℓ2μ, r2τ = r2μ and τ ϕ. Hence the given peak can be written as ℓ2τσ[r1τσ]p ← ℓ2τσ = ℓ2τσ[ℓ1τσ]p → r2τσ and τ ϕ. Since ℓ2|pτσ = ℓ1τσ there exists an mgu δ of ℓ2|p and ℓ1, and a substitution γ such that δγ = τσ. Let s′ = ℓ2δ[r1δ]p and t′ = r2δ. We claim that ρ1, p, ρ2 is an overlap of R, resulting in the constrained critical pair s′ ≈ t′ [ϕδ]. Condition (1) of Definition 2 is trivially satisfied. For condition (2) we need to show p ∈ PosF(ℓ2). This follows from p ∈ PosF(ℓ2μ), μ(x) ∈ Val for every x ∈ Dom(μ), and root(ℓ2μ|p) = root(ℓ1ν) ∈ F \ Val. For condition (3) it remains to show that δ(x) ∈ Val ∪ V for all x ∈ LVar(ρ1) ∪ LVar(ρ2). Suppose to the contrary that root(δ(x)) ∈ F \ Val for some x ∈ LVar(ρ1) ∪ LVar(ρ2). Then root(δ(x)) = root(γ(δ(x))) = root(σ(τ(x))) ∈ F \ Val, which contradicts τ ϕ.
Condition (4) follows from the identity δγ = τσ together with τ ϕ which imply δγ ϕ and thus ϕδ is satisfiable. Hence also ϕ1δ ∧ ϕ2δ is satisfiable. It remains to show condition (5), so let p = ε and further assume that ρ1 and ρ2 are variants. So there exists a variable renaming π such that ρ1π = ρ2. In particular, ℓ1π = ℓ2 and r1π = r2. Let x ∈ Var(ℓ1). If x ∈ LVar(ρ1) = Dom(ν) then τ(x) = ν(x) ∈ Val. Moreover, π(x) ∈ LVar(ρ2) = Dom(μ) and thus τ(π(x)) = μ(π(x)) ∈ Val. Since ℓ1τ and ℓ2τ are unifiable, π(τ(x)) = τ(x) = τ(π(x)). If x ∉ LVar(ρ1) then τ(x) = x, π(x) ∉ LVar(ρ2) and similarly τ(π(x)) = π(x) = π(τ(x)). All in all, ℓ1τπ = ℓ1πτ = ℓ2τ. Now, if Var(r1) ⊆ Var(ℓ1) then we obtain r1τπ = r1πτ = r2τ, contradicting the fact that ℓ1ν → r1ν and ℓ2μ → r2μ are not variants. We conclude that s′ ≈ t′ [ϕδ] is a constrained critical pair of R. So we can take ϕ′ = ϕδ. Clearly, s = s′γ and t = t′γ. Moreover, γ ϕ′ since ϕ′γ = ϕτσ = ϕτ and τ ϕ.

The converse does not hold in general.

*Example 2.* Consider the LCTRS R consisting of the single rule a → x [x = 0] where the variable x ranges over the integers. Since x appears on the right-hand side but not the left, we obtain a constrained critical pair x ≈ x′ [x = 0 ∧ x′ = 0]. Since the constraint uniquely determines the values of x and x′, the TRS R consists of the single rule a → 0. Obviously the TRS R has no critical pairs.

The above example also shows that orthogonality of the TRS R does not imply orthogonality of the LCTRS R. However, the counterexample relies somewhat on a technicality in condition (5) of Definition 2. It only occurs when the two rules ℓ1 → r1 [ϕ1] and ℓ2 → r2 [ϕ2] involved in the critical pair overlap at the root and have instances ℓ1τ1 → r1τ1 and ℓ2τ2 → r2τ2 in the TRS R which are variants of each other. By dealing with such cases separately we can prove the following theorem.

Theorem 3. *For every constrained critical pair* s ≈ t [ϕ] *of the* LCTRS R *and every substitution* σ *with* σ ϕ*, (1)* sσ = tσ *or (2) there exist a critical pair* u ≈ v *of the* TRS R *and a substitution* δ *such that* sσ = uδ *and* tσ = vδ*.*

*Proof.* Let s ≈ t [ϕ] be a constrained critical pair of R originating from the critical peak s = ℓ2θ[r1θ]p ← ℓ2θ[ℓ1θ]p → r2θ = t with variants ρ1 : ℓ1 → r1 [ϕ1] and ρ2 : ℓ2 → r2 [ϕ2] of rules in Rrc, and an mgu θ of ℓ2|p and ℓ1 where p ∈ PosF(ℓ2). Moreover θ(x) ∈ Val ∪ V for all x ∈ LVar(ρ1) ∪ LVar(ρ2), and ϕ = ϕ1θ ∧ ϕ2θ ∧ ψθ with ψ = ECρ1 ∧ ECρ2. Let σ be a substitution with σ ϕ. Hence θσ ϕ1 ∧ ϕ2 ∧ ψ and further σ(θ(x)) ∈ Val for all x ∈ LVar(ρ1) ∪ LVar(ρ2). We split θσ into substitutions τ1, τ2 and π as follows: τi(x) = xθσ if x ∈ LVar(ρi) and τi(x) = x otherwise, for i ∈ {1, 2}, and π(x) = xθσ if x ∈ Dom(θσ) \ (LVar(ρ1) ∪ LVar(ρ2)) and π(x) = x otherwise. From θσ ϕ1 ∧ ϕ2 ∧ ψ and Var(ϕi) ⊆ LVar(ρi) we infer τi ϕi for i ∈ {1, 2}. Since Dom(τi) = LVar(ρi), ℓiτi → riτi ∈ R for i ∈ {1, 2}. Furthermore, τiπ = τi ∪ π for i ∈ {1, 2}. Hence ℓ2|pτ2π = ℓ2|pθσ = ℓ1θσ = ℓ1τ1π, implying that ℓ2|pτ2 and ℓ1τ1 are unifiable. Let γ be an mgu of these two terms. There exists a substitution δ such that γδ = π. Clearly p ∈ PosF(ℓ2τ2). If p ≠ ε or ℓ1τ1 → r1τ1 and ℓ2τ2 → r2τ2 are not variants, then u ≈ v with u = ℓ2τ2γ[r1τ1γ]p and v = r2τ2γ is a critical pair of R. Moreover tσ = r2θσ = r2τ2π = r2τ2γδ = vδ, and similarly sσ = uδ. Thus option (2) is satisfied.
If p = ε and ℓ1τ1 → r1τ1 and ℓ2τ2 → r2τ2 are variants then sσ = r1τ1γδ = r2τ2γδ = tσ, fulfilling (1).

A TRS (LCTRS) is weakly orthogonal if it is left-linear and all its (constrained) critical pairs are trivial. Since the LCTRS R is left-linear if and only if the TRS R is left-linear, a direct consequence of Theorem 3 is that weak orthogonality of the TRS R implies weak orthogonality of the LCTRS R.

Our transformation is not only useful for confluence analysis.

*Example 3.* For the LCTRS R_P in the proof of Theorem 1 the TRS R_P consists of all unconstrained rules of R_P together with f(v1, . . . , vn) → [[f(v1, . . . , vn)]] for all f ∈ Fth \ Val and v1, . . . , vn ∈ Val, start → test(alpha(n), beta(n)) for all n > 0, alpha(n) → αi(alpha(m)) and beta(n) → βi(beta(m)) for all i ∈ {1, . . . , N}, n > 0 and m ⩾ 0 such that N · m + i = n. Termination of the infinite TRS R_P is easily shown by LPO or dependency pairs.

# 5 Development Closed Critical Pairs

Using Theorem 2 we can easily transfer confluence criteria for TRSs to LCTRSs. Rather than reproving the confluence results reported in [12,17,22], in this section we illustrate this by extending the result of van Oostrom [15] concerning (almost) development closed critical pairs from TRSs to LCTRSs. This result subsumes most critical-pair based confluence criteria, as can be seen in Fig. 2 in the concluding section.

Definition 3. *Let* R *be an* LCTRS*. The multi-step relation* −→◦ *on terms is defined inductively as follows: (1)* x −→◦ x *for all variables* x*, (2)* f(s1, . . . , sn) −→◦ f(t1, . . . , tn) *if* si −→◦ ti *with* 1 ⩽ i ⩽ n*, (3)* ℓσ −→◦ rτ *if* ℓ → r [ϕ] ∈ Rrc*,* σ ℓ → r [ϕ] *and* σ −→◦ τ*, where* σ −→◦ τ *denotes* σ(x) −→◦ τ(x) *for all variables* x ∈ Dom(σ)*.*

Definition 4. *A critical pair* s ≈ t *is* development closed *if* s −→◦ t*. It is* almost development closed *if it is not an overlay and development closed, or it is an overlay and* s −→◦ · ∗← t*. A* TRS *is called (almost) development closed if all its critical pairs are (almost) development closed.*

The following result from [15] has recently been formalized in Isabelle [10,11].

Theorem 4. *Left-linear almost development closed* TRS*s are confluent.*

We define multi-step rewriting on constrained terms.

Definition 5. *Let* <sup>R</sup> *be an* LCTRS*. The multi-step relation* −→◦ *on constrained terms is defined inductively as follows:*


*Here* σ [ϕ] −→◦ τ [ϕ] *denotes* σ(x) [ϕ] −→◦ τ(x) [ϕ] *for all variables* x ∈ Dom(σ)*. The relation* ∼−→◦ *on constrained terms is defined as* ∼ · −→◦ · ∼*.*

*Example 4.* Consider the following LCTRS R over the theory Ints with the rules:

$$\mathsf{max}(x,y) \to x \; [x \geqslant y] \qquad\qquad\qquad \mathsf{max}(x,y) \to y \; [y \geqslant x]$$

Rewriting the term max(1 + 2, 3 + 2) to its normal form 5 requires three single steps. These steps can be combined into a single multi-step max(1 + 2, 3 + 2) −→◦ 5.

The constrained term max(1 + x, 3 + y) [x > 3 ∧ y = 1] rewrites in a single multi-step to its normal form z [z = 1 + x ∧ x > 3]. This involves the following parts of Definition 5. Let ϕ be x > 3 ∧ y = 1 ∧ z = 1 + x ∧ z′ = 3 + y. Case (3) gives 1 + x [ϕ] −→◦ z [ϕ] and 3 + y [ϕ] −→◦ z′ [ϕ]. Using this we obtain max(1 + x, 3 + y) [ϕ] −→◦ max(z, z′) [ϕ] by case (2). A final application of case (3) yields max(z, z′) [ϕ] −→◦ z [ϕ]. Together with the equivalences

$$\begin{aligned} \mathsf{max}(\mathbf{1} + x, \mathbf{3} + y) \; [x > \mathbf{3} \land y = \mathbf{1}] \sim \mathsf{max}(\mathbf{1} + x, \mathbf{3} + y) \; [\varphi] \\ z \; [\varphi] \sim z \; [z = 1 + x \land x > 3] \end{aligned}$$

we obtain max(1 + x, 3 + y) [x > 3 ∧ y = 1] ∼−→◦ z [z = 1 + x ∧ x > 3].
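The three single steps of Example 4 and their combination into one multi-step, as an added executable illustration (this is not code from the paper). It assumes a tuple encoding of terms, an interpretation of the theory symbol + that supplies the calculation steps, and that a rule step checks its constraint on the (already developed) arguments, which is what makes max(1 + 2, 3 + 2) −→◦ 5 a single multi-step:

```python
# Terms: an int is a value of the theory Ints, a str is a variable, and a tuple
# (symbol, arg1, ..., argn) is a function application.

# Rules of Example 4: max(x,y) -> x [x >= y] and max(x,y) -> y [y >= x].
# Each rule is (lhs, rhs, logical variables, constraint); the constraint is a
# predicate over an assignment of the logical variables to integers.
RULES = [
    (("max", "x", "y"), "x", ("x", "y"), lambda a: a["x"] >= a["y"]),
    (("max", "x", "y"), "y", ("x", "y"), lambda a: a["y"] >= a["x"]),
]
# Interpretation [[+]] of the theory symbol + (assumed for this example).
THEORY = {"+": lambda a, b: a + b}


def match(pattern, term, sub):
    """Extend sub so that pattern instantiated by sub equals term; None if impossible."""
    if isinstance(pattern, str):
        if pattern in sub:
            return sub if sub[pattern] == term else None
        return {**sub, pattern: term}
    if isinstance(pattern, tuple):
        if not (isinstance(term, tuple) and term[0] == pattern[0] and len(term) == len(pattern)):
            return None
        for p, t in zip(pattern[1:], term[1:]):
            sub = match(p, t, sub)
            if sub is None:
                return None
        return sub
    return sub if pattern == term else None


def substitute(t, sub):
    if isinstance(t, str):
        return sub.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(substitute(a, sub) for a in t[1:])
    return t


def root_step(t):
    """One rewrite step at the root, or None: a calculation step for a theory symbol
    applied to values, or a rule step whose logical variables are all bound to values
    and whose constraint holds under that binding."""
    if not isinstance(t, tuple):
        return None
    if t[0] in THEORY and all(isinstance(a, int) for a in t[1:]):
        return THEORY[t[0]](*t[1:])
    for lhs, rhs, lvars, phi in RULES:
        sub = match(lhs, t, {})
        if sub is None or not all(isinstance(sub[x], int) for x in lvars):
            continue
        if phi(sub):
            return substitute(rhs, sub)
    return None


def step(t):
    """Leftmost-innermost single step, or None if t is a normal form."""
    if isinstance(t, tuple):
        for i in range(1, len(t)):
            a = step(t[i])
            if a is not None:
                return t[:i] + (a,) + t[i + 1:]
    return root_step(t)


def normalize(t):
    """Normal form of t together with the number of single steps taken."""
    n = 0
    while True:
        u = step(t)
        if u is None:
            return t, n
        t, n = u, n + 1


def multistep(t):
    """One multi-step in the sense of Definition 3: develop all arguments, then
    contract the root redex if a rule applies to the developed arguments. This
    is one particular development of nested redexes, not the whole relation."""
    if isinstance(t, tuple):
        t = (t[0],) + tuple(multistep(a) for a in t[1:])
        u = root_step(t)
        return t if u is None else u
    return t


if __name__ == "__main__":
    term = ("max", ("+", 1, 2), ("+", 3, 2))
    print(normalize(term))   # (5, 3): three single steps
    print(multistep(term))   # 5: the same reduction as one multi-step
```

A term such as max(x, 1) with an unbound logical variable is a normal form here, since the constraint cannot be evaluated; that is the role of the value check on the logical variables in `root_step`.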

Definition 4 is extended to LCTRSs as follows.

Definition 6. *A constrained critical pair* s ≈ t [ϕ] *is* development closed *if* s ≈ t [ϕ] ∼−→◦⩾1 u ≈ v [ψ] *for some trivial* u ≈ v [ψ]*. A constrained critical pair is* almost development closed *if it is not an overlay and development closed, or it is an overlay and* s ≈ t [ϕ] ∼−→◦⩾1 · ∼→∗⩾2 u ≈ v [ψ] *for some trivial* u ≈ v [ψ]*. An* LCTRS *is called (almost) development closed if all its constrained critical pairs are (almost) development closed.*

Similar to [17,22], the symbol ≈ is treated as a fresh binary function symbol, resulting in constrained equations whose positions are addressed in the usual way. Therefore positions below 1 in s ≈ t [ϕ] refer to subterms of s.

Figure 1 conveys the idea how the main result (Theorem 5) in this section is obtained. For every critical pair in the transformed TRS R there exists a corresponding constrained critical pair in the original LCTRS R (Theorem 2). Almost development closure of the constrained critical pair implies almost development closure of the critical pair (Lemma 4). Since the rewrite relations of the LCTRS R and the TRS R coincide (Lemma 1), we obtain the confluence of almost development closed left-linear LCTRSs from the corresponding result in [15].

Fig. 1. Proof idea for Theorem 5.

We now present a few technical results that relate rewrite sequences and multi-steps on (constrained) terms. These prepare for the use of Theorem 2 to obtain the confluence of (almost) development closed LCTRSs. The proofs of the following two lemmata can be found in [18].

Lemma 2. *Suppose* s ≈ t [ϕ] ∼→∗p u ≈ v [ψ] *with* γ ϕ *and position* p*. If* p = 1q *for a position* q *then* sγ →∗q uδ *and* tγ = vδ *for some substitution* δ *with* δ ψ*. If* p = 2q *for a position* q *then* sγ = uδ *and* tγ ∼→∗q vδ *for some substitution* δ *with* δ ψ*.*

Lemma 3. *If* s ≈ t [ϕ] ∼−→◦⩾1 u ≈ v [ψ] *then for all substitutions* σ ϕ *there exists* δ ψ *such that* sσ −→◦ uδ *and* tσ = vδ*.*

Lemma 4. *If a constrained critical pair* s ≈ t [ϕ] *is almost development closed then for all substitutions* σ *with* σ ϕ *we have* sσ −→◦ · ∗← tσ*.*

*Proof.* Let s ≈ t [ϕ] be an almost development closed constrained critical pair, and σ ϕ some substitution. From Definition 6 we obtain

$$s \approx t\ [\varphi] \stackrel{\sim}{\twoheadrightarrow}_{\geqslant 1} u' \approx v'\ [\psi'] \stackrel{\sim}{\rightarrow}^{*}_{\geqslant 2} u \approx v\ [\psi] \tag{1}$$

where uτ = vτ for all τ ψ, for some constrained term u′ ≈ v′ [ψ′]. We apply Lemma 3 to the first step in (1). This yields a substitution δ where sσ −→◦ u′δ, tσ = v′δ and δ ψ′. For the second part of (1) we use Lemma 2 and obtain v′δ →∗ vγ, u′δ = uγ for some γ ψ. Moreover we have uγ = vγ. Hence sσ −→◦ u′δ = uγ = vγ ∗← v′δ = tσ.

Theorem 5. *If an* LCTRS R *is almost development closed then so is the* TRS R*.*

*Proof.* Take any critical pair s ≈ t from the TRS R. From Theorem 2 we know that there exists a constrained critical pair s′ ≈ t′ [ϕ] in the LCTRS R where s′σ = s and t′σ = t for some σ ϕ. Since the constrained critical pair must be almost development closed, Lemma 4 yields s = s′σ −→◦ · ∗← t′σ = t if it is an overlay and s = s′σ −→◦ t′σ = t otherwise. This proves that the TRS R is almost development closed.

Interestingly, the converse does not hold, as seen in the following example.

*Example 5.* Consider the LCTRS R over the theory Ints with the rules

$$\begin{aligned} \mathsf{f}(x) &\to \mathsf{g}(x) \\ \mathsf{f}(x) &\to \mathsf{h}(x) \; [1 \leqslant x \leqslant 2] \end{aligned} \qquad \begin{aligned} \mathsf{g}(x) &\to \mathsf{h}(2) \; [x = 2z] \\ \mathsf{g}(x) &\to \mathsf{h}(1) \; [x = 2z + 1] \end{aligned}$$

The TRS R consists of the rules

$$\begin{array}{llll} \mathsf{f}(x) \to \mathsf{g}(x) & \mathsf{f}(1) \to \mathsf{h}(1) & \mathsf{g}(n) \to \mathsf{h}(1) & \text{for all odd } n \in \mathbb{Z} \\ & \mathsf{f}(2) \to \mathsf{h}(2) & \mathsf{g}(n) \to \mathsf{h}(2) & \text{for all even } n \in \mathbb{Z} \end{array}$$

and has two (modulo symmetry) critical pairs g(1) ≈ h(1) and g(2) ≈ h(2). Since g(1) −→◦ h(1) and g(2) −→◦ h(2), the TRS R is almost development closed. The constrained critical pair g(x) ≈ h(x) [1 ⩽ x ⩽ 2] is not almost development closed, since it is a normal form with respect to the rewrite relation on constrained terms.

This also makes intuitive sense, since a rewrite step s ≈ t [ϕ] ∼→ u ≈ v [ψ] implies that the same step can be taken on all instances sσ ≈ tσ where σ ϕ. However it may be the case, like in the above example, that different instances of the constrained critical pair require different steps to obtain a closing sequence, which cannot directly be modeled using rewriting on constrained terms.
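The transformation of Definition 1 applied to the LCTRS of Example 5, followed by a computation of the critical pairs of the resulting TRS, as an added executable illustration (not code from the paper). Since the TRS of Definition 1 has infinitely many rules, the example assumes a finite window of integer values [-4, 4] for the logical variables; the term encoding, the variable-disjoint renaming by suffixes and the check that both sides of a critical pair are joined by one root step are likewise choices made for this example:

```python
from itertools import product

# Terms: an int is a value of the theory Ints, a str is a variable, and a tuple
# (symbol, arg1, ..., argn) is a function application.

# The four rules of Example 5 as (lhs, rhs, logical variables, constraint); the
# constraint is a predicate over an assignment of the logical variables.
LCTRS = [
    (("f", "x"), ("g", "x"), (), lambda a: True),
    (("f", "x"), ("h", "x"), ("x",), lambda a: 1 <= a["x"] <= 2),
    (("g", "x"), ("h", 2), ("x", "z"), lambda a: a["x"] == 2 * a["z"]),
    (("g", "x"), ("h", 1), ("x", "z"), lambda a: a["x"] == 2 * a["z"] + 1),
]
VALUES = range(-4, 5)   # assumed finite window; Definition 1 ranges over all of Z


def substitute(t, s):
    """Apply substitution s to t, resolving chains of variable bindings."""
    if isinstance(t, str):
        return substitute(s[t], s) if t in s else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(substitute(a, s) for a in t[1:])
    return t


def transform(rules, values):
    """Definition 1: the unconstrained rules l.tau -> r.tau for every tau with
    Dom(tau) = LVar(rule) whose values satisfy the constraint."""
    trs = []
    for lhs, rhs, lvars, phi in rules:
        for vals in product(values, repeat=len(lvars)):
            tau = dict(zip(lvars, vals))
            if phi(tau):
                rule = (substitute(lhs, tau), substitute(rhs, tau))
                if rule not in trs:
                    trs.append(rule)
    return trs


def rename(t, tag):
    """Variable-disjoint variant of t: append tag to every variable name."""
    if isinstance(t, str):
        return t + tag
    if isinstance(t, tuple):
        return (t[0],) + tuple(rename(a, tag) for a in t[1:])
    return t


def occurs(x, t, s):
    t = substitute(t, s)
    if isinstance(t, str):
        return t == x
    return isinstance(t, tuple) and any(occurs(x, a, s) for a in t[1:])


def unify(s, t, sub):
    """Syntactic unification with occurs check: an mgu extending sub, or None."""
    s, t = substitute(s, sub), substitute(t, sub)
    if s == t:
        return sub
    if isinstance(s, str):
        return None if occurs(s, t, sub) else {**sub, s: t}
    if isinstance(t, str):
        return None if occurs(t, s, sub) else {**sub, t: s}
    if isinstance(s, tuple) and isinstance(t, tuple) and s[0] == t[0] and len(s) == len(t):
        for a, b in zip(s[1:], t[1:]):
            sub = unify(a, b, sub)
            if sub is None:
                return None
        return sub
    return None


def function_positions(t, pos=()):
    """Pos_F(t): positions of function symbols, root first."""
    if not isinstance(t, tuple):
        return []
    return [pos] + [q for i, a in enumerate(t[1:], 1) for q in function_positions(a, pos + (i,))]


def subterm(t, pos):
    for i in pos:
        t = t[i]
    return t


def replace(t, pos, u):
    if not pos:
        return u
    i = pos[0]
    return t[:i] + (replace(t[i], pos[1:], u),) + t[i + 1:]


def critical_pairs(trs):
    """All critical pairs of an unconstrained TRS (ordered, so symmetric pairs
    appear twice). A rule overlapping a variant of itself at the root is skipped;
    here distinct rules are never variants, so the index comparison suffices."""
    pairs = []
    for i, (l1, r1) in enumerate(trs):
        for j, (l2, r2) in enumerate(trs):
            l1v, r1v = rename(l1, "_1"), rename(r1, "_1")
            l2v, r2v = rename(l2, "_2"), rename(r2, "_2")
            for p in function_positions(l2v):
                if p == () and i == j:
                    continue
                sigma = unify(l1v, subterm(l2v, p), {})
                if sigma is not None:
                    pair = (substitute(replace(l2v, p, r1v), sigma), substitute(r2v, sigma))
                    if pair not in pairs:
                        pairs.append(pair)
    return pairs


def root_reducts(u, trs):
    """Terms reachable from the ground term u by one root step (on a ground term,
    unification with a renamed left-hand side is exactly matching)."""
    return [substitute(rename(r, "_r"), s) for l, r in trs
            if (s := unify(rename(l, "_r"), u, {})) is not None]


def closed_in_one_step(pair, trs):
    """One side rewrites to the other in a single root step, the closure used in Example 5."""
    u, v = pair
    return u == v or v in root_reducts(u, trs) or u in root_reducts(v, trs)


if __name__ == "__main__":
    trs = transform(LCTRS, VALUES)
    cps = critical_pairs(trs)
    print(cps)                                          # g(1)~h(1), g(2)~h(2) and their mirrors
    print(all(closed_in_one_step(cp, trs) for cp in cps))   # True
```

Only the two rules f(1) → h(1) and f(2) → h(2) overlap with f(x) → g(x), so enlarging the value window changes the number of g-rules but not the critical pairs, in line with the text.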

Since left-linearity of R is preserved, the following corollary is obtained from Theorems 4 and 5. In fact the LCTRS R only has to be linear in the variables x ∉ LVar, since that is sufficient for the TRS R to be linear.

Corollary 1. *Left-linear almost development closed* LCTRS*s are confluent.*

*Example 6.* The LCTRS <sup>R</sup> over the theory Ints with the rules

$$\begin{aligned} \mathsf{f}(x,y) &\to \mathsf{h}(\mathsf{g}(y,2\cdot2)) \; [x \leqslant y \land y=2] & & \mathsf{g}(x,y) \to \mathsf{g}(y,x) & & \mathsf{h}(x) \to x\\ \mathsf{f}(x,y) &\to \mathsf{c}(\mathsf{4},x) \; [y \leqslant x] & & \mathsf{c}(x,y) \to \mathsf{g}(\mathsf{4},2) \; [x \neq y] \end{aligned}$$

admits the two constrained critical pairs (with simplified constraints)

$$\mathsf{h}(\mathsf{g}(y,\mathsf{2}\cdot\mathsf{2})) \approx \mathsf{c}(\mathsf{4},x) \,\,[\varphi] \qquad\qquad\qquad\mathsf{c}(\mathsf{4},x) \approx \mathsf{h}(\mathsf{g}(y,\mathsf{2}\cdot\mathsf{2})) \,\,[\varphi]$$

Both are almost development closed:

$$\begin{array}{ll} \mathsf{h}(\mathsf{g}(y,2\cdot2)) \approx \mathsf{c}(\mathsf{4},x) \,[\varphi] & \mathsf{c}(\mathsf{4},x) \approx \mathsf{h}(\mathsf{g}(y,2\cdot2)) \,[\varphi] \\ \stackrel{\sim}{\twoheadrightarrow}_{\geqslant 1} \; \mathsf{g}(\mathsf{4},2) \approx \mathsf{c}(\mathsf{4},x) \,[x=2] & \stackrel{\sim}{\twoheadrightarrow}_{\geqslant 1} \; \mathsf{g}(\mathsf{4},2) \approx \mathsf{h}(\mathsf{g}(y,2\cdot2)) \,[y=2] \\ \stackrel{\sim}{\rightarrow}_{\geqslant 2} \; \mathsf{g}(\mathsf{4},2) \approx \mathsf{g}(\mathsf{4},2) \,[\mathrm{true}] & \stackrel{\sim}{\rightarrow}^{*}_{\geqslant 2} \; \mathsf{g}(\mathsf{4},2) \approx \mathsf{g}(\mathsf{4},2) \,[\mathrm{true}] \end{array}$$

Here ϕ is the constraint x = y ∧ y = 2. Hence R is almost development closed. Since R is left-linear, confluence follows by Corollary 1.

# 6 Parallel Critical Pairs

In this section we extend the confluence result by Toyama [20] based on parallel critical pairs to LCTRSs. Recently there has been renewed interest in this result; Shintani and Hirokawa proved in [19] that it subsumes Toyama's later confluence result in [21]. The latter was already lifted to LCTRSs in [17] and is also subsumed by Corollary 1. The result of Toyama [20] is a proper extension of the confluence criterion on parallel critical pairs by Gramlich [6]. In the sequel we mainly follow the notions from [19].

Definition 7. *Let* <sup>R</sup> *be an* LCTRS*. The parallel rewrite relation* → *on terms is defined inductively as follows:*


*We extend* → *to constrained terms inductively as follows:*


*The parallel rewrite relation* ∼→ *on constrained terms is defined as* ∼ · → · ∼*.*

Let s be a term and P ⊆ Pos(s) be a set of parallel positions. Given terms tp for p ∈ P, we denote by s[tp]p∈P the simultaneous replacement of the terms at position p ∈ P in s by tp. We recall the definition of parallel critical pairs for TRSs.

Definition 8. *Let* R *be a* TRS*,* ρ: ℓ → r *a rule in* R*, and* P ⊆ PosF(ℓ) *a non-empty set of parallel positions. For every* p ∈ P *let* ρp : ℓp → rp *be a variant of a rule in* R*. The peak* ℓσ[rpσ]p∈P ← ℓσ →ε,R rσ *forms a* parallel critical pair ℓσ[rpσ]p∈P ≈ rσ *if the following conditions are satisfied:*

*1.* Var(ρ1) ∩ Var(ρ2) = ∅ *for different rules* ρ1 *and* ρ2 *in* {ρ} ∪ {ρp | p ∈ P}*,*
*2.* σ *is an mgu of* {ℓp ≈ ℓ|p | p ∈ P}*,*
*3. if* P = {ε} *then* ρε *is not a variant of* ρ*.*

*The set of all parallel critical pairs of* R *is denoted by* PCP(R)*.*

We lift this notion to the constrained setting and define it for LCTRSs.

Definition 9. *Let* R *be an* LCTRS*,* ρ: ℓ → r [ϕ] *a rule in* Rrc*, and* P ⊆ PosF(ℓ) *a non-empty set of parallel positions. For every* p ∈ P *let* ρp : ℓp → rp [ϕp] *be a variant of a rule in* Rrc*. Let* ψ = ECρ ∧ ⋀p∈P ECρp *and* Φ = ϕσ ∧ ψσ ∧ ⋀p∈P ϕpσ*. The peak* ℓσ[rpσ]p∈P [Φ] ← ℓσ [Φ] →ε,R rσ [Φ] *forms a* constrained parallel critical pair ℓσ[rpσ]p∈P ≈ rσ [Φ] *if the following conditions are satisfied:*


*A constrained peak forming a constrained parallel critical pair is called a* constrained parallel critical peak*. The set of all constrained parallel critical pairs of* R *is denoted by* CPCP(R)*.*

For a term t and a set of parallel positions P in t, we write Var(t, P) to denote ∪p∈P Var(t|p). For a set of parallel positions P we denote by →P that each rewrite step obtained in case (3) of Definition 7 is performed at a position p ∈ P and no two steps share a position. Moreover, for a set of parallel positions P and a position q we denote by →P⩾q that p ⩾ q for all p ∈ P.

Definition 10. *A critical pair* s ≈ t *is* 1-parallel closed *if* s → · ∗← t*. A* TRS *is 1-parallel closed if all its critical pairs are 1-parallel closed. A parallel critical pair* ℓσ[rpσ]p∈P ≈ rσ *originating from the peak* ℓσ[rpσ]p∈P ← ℓσ → rσ *is* 2-parallel closed *if there exists a term* v *and a set of parallel positions* Q *such that* ℓσ[rpσ]p∈P →∗ v Q← rσ *with* Var(v, Q) ⊆ Var(ℓσ, P)*. A* TRS *is 2-parallel closed if all its parallel critical pairs are 2-parallel closed. A* TRS *is parallel closed if it is 1-parallel closed and 2-parallel closed.*

The following result from [20] has recently been formalized in Isabelle [7].

Theorem 6. *Left-linear parallel closed* TRS*s are confluent.*

In the remainder of this section we extend this result to LCTRSs. To this end we introduce the notion TVar(t, ϕ) = Var(t) \ Var(ϕ) denoting the set of non-logical variables in term t with respect to the logical constraint ϕ. We restrict this to non-logical variables in subterms below a set of parallel positions P in t: TVar(t, ϕ, P) = ∪p∈P TVar(t|p, ϕ).

Definition 11. *A constrained critical pair* s ≈ t [ϕ] *is* 1-parallel closed *if* s ≈ t [ϕ] ∼→⩾1 · ∼→∗⩾2 u ≈ v [ψ] *for some trivial* u ≈ v [ψ]*. An* LCTRS *is 1-parallel closed if all its constrained critical pairs are 1-parallel closed. A constrained parallel critical pair* ℓσ[rpσ]p∈P ≈ rσ [ϕ] *is* 2-parallel closed *if there exists a set of parallel positions* Q *such that*

$$\ell\sigma[r_p\sigma]_{p \in P} \approx r\sigma\ [\varphi] \ \stackrel{\sim}{\Vdash}^{Q}_{\geqslant 2} \cdot \stackrel{\sim}{\rightarrow}^{*}_{\geqslant 1} u \approx v\ [\psi]$$

*for some trivial* u ≈ v [ψ] *and* TVar(v, ψ, Q) ⊆ TVar(ℓσ, ϕ, P)*. An* LCTRS *is 2-parallel closed if all its constrained parallel critical pairs are 2-parallel closed. An* LCTRS *is parallel closed if it is 1-parallel closed and 2-parallel closed.*

Recall from Sect. 2 that our definition of ∼ differs from the equivalence relation ∼ defined in [12,17]. The change is necessary for the variable condition of 2-parallel closedness to make sense, as illustrated in the following example.

*Example 7.* Consider the (LC)TRS consisting of the rules

$$\mathsf{f}(\mathsf{g}(x), y) \to \mathsf{f}(\mathsf{b}, y) \qquad \qquad \mathsf{g}(x) \to \mathsf{a} \qquad \qquad \mathsf{f}(\mathsf{a}, x) \to x \qquad \qquad \mathsf{f}(\mathsf{b}, x) \to x$$

The peak f(a, y) [true] {1}← f(g(x), y) [true] → f(b, y) [true] gives rise to the (constrained) parallel critical pair f(a, y) ≈ f(b, y) [true]. Using ∼ we have

$$\mathsf{f}(\mathsf{a}, y) \approx \mathsf{f}(\mathsf{b}, y)\ [\mathrm{true}] \ \stackrel{\sim}{\Vdash}^{\{\epsilon\}}_{\geqslant 2} \cdot \stackrel{\sim}{\rightarrow}^{*}_{\geqslant 1} \ y \approx y\ [\mathrm{true}] \ \sim \ x \approx x\ [\mathrm{true}]$$

and the variable condition TVar(x, true, {ε}) ⊆ TVar(f(g(x), y), true, {1}) holds. Since the system has no logical constraints it can also be analyzed in the TRS setting. Following Definition 10 we would have to check the variable condition Var(y, {ε}) ⊆ Var(f(g(x), y), {1}), which does not hold. Using ∼ resolves this difference, since y ≈ y [true] ∼ x ≈ x [true]. So the conditions in Definition 11 reduce to the ones in Definition 10 for TRSs.

In Theorem 2 in Sect. 4 we related critical pairs of the transformed TRS to constrained critical pairs of the originating LCTRS. The following theorem does the same for parallel critical pairs.

Theorem 7. *For every parallel critical pair* s ≈ t *of the* TRS R *there exists a constrained parallel critical pair* s′ ≈ t′ [ϕ′] *of the* LCTRS R *and a substitution* γ *such that* s = s′γ*,* t = t′γ *and* γ ϕ′*.*

*Proof.* Let s ≈ t be a parallel critical pair of R, originating from the parallel critical peak ℓμσ[rpνpσ]p∈P ← ℓμσ = ℓμσ[ℓpνpσ]p∈P → rμσ with variants ρ: ℓ → r [ϕ] and ρp : ℓp → rp [ϕp] for p ∈ P of rules in Rrc without shared variables, ψ = ECρ and ψp = ECρp for p ∈ P. Furthermore, Dom(νp) = LVar(ρp) for p ∈ P, Dom(μ) = LVar(ρ), νp ϕp ∧ ψp for p ∈ P, μ ϕ ∧ ψ, p ∈ PosF(ℓμ), and σ is an mgu of {ℓμ|p ≈ ℓpνp | p ∈ P}. Moreover, if P = {ε} then ℓενε → rενε [ϕενε] and ℓμ → rμ [ϕμ] are not variants. Define the substitution τ as ∪{νp | p ∈ P} ∪ μ. Clearly, ℓpτ = ℓpνp and rpτ = rpνp for p ∈ P, ℓτ = ℓμ, rτ = rμ, τ ϕ ∧ ψ and τ ϕp ∧ ψp for all p ∈ P. Hence the given peak can be written as ℓτσ[rpτσ]p∈P ← ℓτσ = ℓτσ[ℓpτσ]p∈P → rτσ with τ ϕ″ where

$$\varphi'' = \varphi \wedge \mathcal{EC}\_{\rho} \wedge \bigwedge\_{p \in P} (\varphi\_p \wedge \mathcal{EC}\_{\rho\_p})$$

Since ℓ|_pτσ = ℓ_pτσ for all p ∈ P there exists an mgu δ of {ℓ|_p = ℓ_p | p ∈ P} and a substitution γ such that δγ = τσ. Let s' = ℓδ[r_pδ]_{p∈P} and t' = rδ. We claim that this results in the constrained parallel critical pair s' ≈ t' [ϕ''δ]. Condition (1) of Definition 9 is trivially satisfied. We obtain P ⊆ Pos_F(ℓ) because P ⊆ Pos_F(ℓμ), μ(x) ∈ Val for every x ∈ Dom(μ), and root(ℓμ|_p) = root(ℓ_pν_p) ∈ F ∖ Val for all p ∈ P. For condition (2) it remains to show that δ(x) ∈ Val ∪ V for all x ∈ LVar(ρ) ∪ ⋃_{p∈P} LVar(ρ_p). Suppose to the contrary that root(δ(x)) ∈ F ∖ Val for some x ∈ LVar(ρ) ∪ ⋃_{p∈P} LVar(ρ_p). Then root(δ(x)) = root(γ(δ(x))) = root(σ(τ(x))) ∈ F ∖ Val, which contradicts τ ⊨ ϕ''. Condition (3) follows from the identity δγ = τσ together with τ ⊨ ϕ'', which imply δγ ⊨ ϕ'' and thus ϕ''δ is satisfiable. Hence also ϕδ ∧ ⋀_{p∈P} ϕ_pδ is satisfiable. It remains to show condition (4), so let P = {} and further assume that ρ and ρ' are variants. So there exists a variable renaming π such that ρπ = ρ'. In particular, ℓπ = ℓ' and rπ = r'. We show τ(π(x)) = π(τ(x)) for all x ∈ Var(ℓ). Let x ∈ Var(ℓ). If x ∈ LVar(ρ') = Dom(ν) then τ(x) = ν(x) ∈ Val. Moreover, π(x) ∈ LVar(ρ) = Dom(μ) and thus τ(π(x)) = μ(π(x)) ∈ Val. Since ℓ'τ and ℓτ are unifiable, π(τ(x)) = τ(x) = τ(π(x)). If x ∉ LVar(ρ') then τ(x) = x, π(x) ∉ LVar(ρ) and similarly τ(π(x)) = π(x) = π(τ(x)). All in all, τπ = πτ = τ.
Now, if Var(r) ⊆ Var(ℓ) then we obtain r'τπ = r'πτ = rτ, contradicting the fact that ℓ'ν → r'ν and ℓμ → rμ are not variants. We conclude that s' ≈ t' [ϕ''δ] is a constrained parallel critical pair of R. So we can take ϕ' = ϕ''δ. Clearly, s = s'γ and t = t'γ. Moreover, γ ⊨ ϕ' since ϕ'γ = ϕ''τσ = ϕ''τ and τ ⊨ ϕ''.

The proofs of the following lemmata are given in [18].

Lemma 5. *If* s ≈ t [ϕ] ∼ →_P^{-1} u ≈ v [ψ] *then for all substitutions* σ ⊨ ϕ *there exists a substitution* δ *such that* δ ⊨ ψ*,* sσ →_P uδ *and* tσ = vδ*.*

Lemma 6. *If a constrained critical pair* s ≈ t [ϕ] *is 1-parallel closed then* sσ → · *← tσ *for all substitutions* σ *with* σ ⊨ ϕ*.*

Lemma 7. *If a constrained parallel critical pair* s = ℓσ'[r_pσ']_{p∈P} ≈ rσ' = t [ϕ] *is 2-parallel closed then there exist a term* v *and a set* Q *of parallel positions such that* sσ →* v ←_Q tσ *and* Var(v, Q) ⊆ Var(ℓσ'σ, P) *for all substitutions* σ *with* σ ⊨ ϕ*.*

Theorem 8. *If an* LCTRS R *is parallel closed then the transformed* TRS R *is parallel closed.*

*Proof.* Let R be a parallel closed LCTRS. First consider an arbitrary critical pair s ≈ t ∈ CP(R). From Theorem 2 we know that there exist a constrained critical pair s' ≈ t' [ϕ] ∈ CCP(R) and a substitution σ such that s'σ = s, t'σ = t and σ ⊨ ϕ. Since the constrained critical pair is 1-parallel closed, Lemma 6 yields s → · *← t. Hence R is 1-parallel closed.

Next consider an arbitrary parallel critical pair s ≈ t ∈ PCP(R). Theorem 7 yields a constrained parallel critical pair s' = ℓσ'[r_pσ']_{p∈P} ≈ rσ' = t' [ϕ] in CPCP(R) and a substitution σ such that s'σ = s, t'σ = t and σ ⊨ ϕ. Since the constrained parallel critical pair is 2-parallel closed, by Lemma 7 there exist a term v and a set of parallel positions Q such that s →* v ←_Q t and Var(v, Q) ⊆ Var(ℓσ'σ, P). Hence R is 2-parallel closed.

Since left-linearity of R is preserved by the transformation, and left-linear, parallel closed TRSs are confluent by Theorem 6, we obtain the following corollary via Theorems 7 and 8. Again, R only has to be left-linear in the variables x ∉ LVar, since that is sufficient for the transformed TRS to be left-linear.

Corollary 2. *Every left-linear parallel closed* LCTRS *is confluent.*

We illustrate the corollary on a concrete example.

*Example 8.* Consider the LCTRS R over the theory Ints with the rules

$$\mathsf{f}(\mathsf{a}) \to \mathsf{g}(\mathsf{4}, \mathsf{4}) \qquad \mathsf{a} \to \mathsf{g}(\mathsf{1} + 1, \mathsf{3} + 1) \qquad \mathsf{g}(x, y) \to \mathsf{f}(\mathsf{g}(z, y)) \ [z = x - 2]$$

The constrained (parallel) critical pair f(g(1+1, 3+1)) ≈ g(4, 4) [true] originating from the peak f(g(1+1, 3+1)) [true] {1}← f(a) [true] → g(4, 4) [true] is 2-parallel closed:

$$\begin{aligned} \mathsf{f}(\mathsf{g}(1+1,3+1)) &\approx \mathsf{g}(4,4) \text{ [true] } \xrightarrow[\geq 1]{} \mathsf{f}(\mathsf{g}(2,4)) \approx \mathsf{g}(4,4) \text{ [true]}\\ &\xrightarrow[\underset{\geqslant 2}{\rightleftharpoons} 2]{} \mathsf{f}(\mathsf{g}(2,4)) \approx \mathsf{f}(\mathsf{g}(2,4)) \text{ [true]} \end{aligned}$$

Note that the condition TVar(f(g(2, 4)), true, {2}) ⊆ TVar(f(a), true, {1}) is trivially satisfied. One easily checks that the corresponding constrained critical pair is 1-parallel closed. Since the only other remaining constrained critical pair is trivial, we conclude confluence by Corollary 2.
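The peak of Example 8 and its closing steps, as an added example that is not part of the paper: a small constrained rewriter for these three rules over Ints (our own Python encoding; function and symbol names are ours), which enumerates the one-step reducts of f(a), treats the constraint [z = x − 2] as a guard that requires x to be a value and computes z, and checks that both sides of the critical pair reach f(g(2, 4)) within two steps from each side. Because the third rule can be applied forever, reachability is bounded by a step count.

```python
# Added example (not from the paper): a constrained rewriter for the LCTRS of
# Example 8 over Ints. Terms: int = value, str = variable, tuple = (symbol, args...);
# constants are 1-tuples such as ('a',). The theory symbol '+' is evaluated by calc steps.

def match(pattern, term, sigma):
    """Syntactic matching of pattern against term, extending sigma in place."""
    if isinstance(pattern, str):                        # variable
        if pattern in sigma and sigma[pattern] != term:
            return None
        sigma[pattern] = term
        return sigma
    if isinstance(pattern, int):                        # value
        return sigma if pattern == term else None
    if not isinstance(term, tuple) or term[0] != pattern[0] or len(term) != len(pattern):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, sigma) is None:
            return None
    return sigma

def subst(term, sigma):
    if isinstance(term, str):
        return sigma.get(term, term)
    if isinstance(term, int):
        return term
    return (term[0],) + tuple(subst(a, sigma) for a in term[1:])

def is_value(t):
    return isinstance(t, int)

# A constraint takes the matching substitution and returns it extended with the
# constraint's own variables when it is satisfied, or None when it is not.
def true_constraint(sigma):
    return sigma

def z_eq_x_minus_2(sigma):
    # [z = x - 2]: x occurs in the constraint, so it must be instantiated by a value
    if not is_value(sigma.get('x')):
        return None
    return {**sigma, 'z': sigma['x'] - 2}

RULES = [                                               # the three rules of Example 8
    (('f', ('a',)), ('g', 4, 4), true_constraint),
    (('a',), ('g', ('+', 1, 1), ('+', 3, 1)), true_constraint),
    (('g', 'x', 'y'), ('f', ('g', 'z', 'y')), z_eq_x_minus_2),
]

def positions(term, prefix=()):
    """All (position, subterm) pairs of term, root first."""
    yield prefix, term
    if isinstance(term, tuple):
        for i, arg in enumerate(term[1:], start=1):
            yield from positions(arg, prefix + (i,))

def replace_at(term, pos, new):
    if not pos:
        return new
    i = pos[0]
    return term[:i] + (replace_at(term[i], pos[1:], new),) + term[i + 1:]

def one_step(term):
    """All one-step reducts: rule steps whose constraint holds, plus calc steps."""
    reducts = set()
    for pos, sub in positions(term):
        if isinstance(sub, tuple) and sub[0] == '+' and all(map(is_value, sub[1:])):
            reducts.add(replace_at(term, pos, sub[1] + sub[2]))      # calc step
        for lhs, rhs, constraint in RULES:
            sigma = match(lhs, sub, {})
            if sigma is not None:
                sigma = constraint(sigma)
            if sigma is not None:
                reducts.add(replace_at(term, pos, subst(rhs, sigma)))
    return reducts

def reachable(term, steps):
    """Terms reachable in at most `steps` rewrite steps. The system is not
    terminating (g(x, y) -> f(g(z, y)) [z = x - 2] applies forever), hence the bound."""
    seen, frontier = {term}, {term}
    for _ in range(steps):
        frontier = {u for t in frontier for u in one_step(t)} - seen
        seen |= frontier
    return seen

def common_reducts(s, t, steps):
    """Witnesses that s and t are joinable within `steps` steps from each side."""
    return reachable(s, steps) & reachable(t, steps)

PEAK_SOURCE = ('f', ('a',))
S = ('f', ('g', ('+', 1, 1), ('+', 3, 1)))     # left side of the critical pair
T = ('g', 4, 4)                                 # right side of the critical pair

if __name__ == '__main__':
    assert one_step(PEAK_SOURCE) == {S, T}      # the peak f(g(1+1,3+1)) <- f(a) -> g(4,4)
    print(common_reducts(S, T, 2))              # contains f(g(2, 4))
```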

# 7 Conclusion

We presented a left-linearity preserving transformation from LCTRSs to TRSs such that (parallel) critical pairs in the latter correspond to constrained (parallel) critical pairs in the former. As a consequence, confluence results for TRSs based on restricted joinability conditions easily carry over to LCTRSs. This was illustrated by generalizing the advanced confluence results of van Oostrom [15] and Toyama [20] from TRSs to LCTRSs. We also proved that (local) confluence of terminating LCTRSs over a decidable theory is undecidable in general.

Figure 2 relates the confluence criteria in this paper to the earlier ones from [12,17]. The acronyms stand for weak orthogonality (WO, [12, Theorem 4]), strong closedness (SC, [17, Theorem 2]), almost parallel closedness (APC, [17, Theorem 4]), almost development closedness (ADC, Corollary 1), and parallel closedness of (parallel) critical pairs (PCP, Corollary 2). All areas are inhabited and the numbers refer to examples in this paper.

Fig. 2. Relating confluence criteria for LCTRSs.

The confluence results of [12,17] have been implemented in crest.¹ The tool is currently under heavy development, not only to incorporate the results in this paper but also termination and completion techniques. Confluence of LCTRSs is a new category in the upcoming edition of the Confluence Competition² and we expect to present experimental results obtained with crest at the conference.

For TRSs numerous other confluence techniques, not based on restricted joinability conditions of critical pairs, as well as sufficient conditions for nonconfluence are known [1,8,19,23]. We plan to investigate which techniques generalize to LCTRSs with our transformation. The transformation also makes the formal verification of confluence criteria for LCTRSs in a proof assistant a more realistic goal.

Acknowledgments. The detailed feedback of the reviewers improved the presentation.

Disclosure of Interests. The authors have no competing interests to declare that are relevant to the content of this article.

¹ http://cl-informatik.uibk.ac.at/software/crest/.

² https://project-coco.uibk.ac.at/2024/.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Equational Anti-unification over Absorption Theories**

Mauricio Ayala-Rincón¹, David M. Cerna²(B), Andrés Felipe González Barragán¹, and Temur Kutsia³

¹ Universidade de Brasília, Brasília, Brazil, ayala@unb.br, andres.felipe@aluno.unb.br
² Czech Academy of Sciences Institute of Computer Science, Prague, Czechia, dcerna@cs.cas.cz
³ Research Institute for Symbolic Computation, Johannes Kepler University, Linz, Austria, kutsia@risc.jku.at

**Abstract.** Interest in anti-unification, the dual problem of unification, is rising due to various new applications. For example, anti-unification-based techniques have been used recently in software analysis and related areas such as clone detection and automatic program repair. While syntactic forms of anti-unification have found many interesting uses, some aspects of modern applications are more appropriately modeled by reasoning modulo an equational theory. Thus, extending existing anti-unification methods to deal with important equational theories is the natural step forward. This paper considers anti-unification modulo pure absorption theories, i.e., where some function symbols are associated with a special constant satisfying the axiom f(x, ε_f) ≈ f(ε_f, x) ≈ ε_f. We provide a sound and complete rule-based algorithm for such theories. Furthermore, we show that anti-unification modulo absorption is infinitary. Despite this, our algorithm terminates and produces a finitary algorithmic representation of the minimal complete set of solutions.

**Keywords:** Anti-unification · Generalization · Equational Theories

# **1 Introduction**

Anti-unification (AU) is a fundamental operation for reasoning about generalizations of formal objects. It is the dual operation to unification. The seminal works of Plotkin and Reynolds, introducing the area, were published more than fifty years ago [27,28]. Recent applications renewed the interest in this technique. This current tendency is mainly due to the significance of generalization operations within frameworks crucial for software analysis and related areas [19].

In contrast to unification, where identifying the equivalence classes induced by a set of expressions is the main objective, AU methods search for the least general commonalities induced by a set of expressions. Investigations have exploited AU methods for various applications such as the implementation of efficient parallel compilers [8], plagiarism detection and code cloning [33,35,36], automated bug detection and fixing [7,24,32,34], and indexing/compression/library learning [15,26], just to name a few. Anti-unification has been studied for several mathematical and computational structures such as term-graphs [13], higher-order terms [12,20,25], unranked (variadic) languages [10,21], nominal terms [11,29,30], modulo approximations [5,22,23] and background (first-order) equational theories, which is also the subject of this paper. Some of these algorithms have been implemented and can be accessed online [2,9].

Syntactic AU algorithms [27,28] compute the *least general generalizations* (*lgg*). In the equational case, the given terms do not necessarily have a single *lgg*. Problems are instead characterized by their *minimal complete sets of generalizations* (*mcsg*), which leads to the classification of theories depending on the existence and cardinality of such sets: If the *mcsg* does not exist for some problem in the given theory, then the theory has the nullary AU type. Otherwise, theories may have unitary (all problems have a singleton *mcsg*, i.e., a single *lgg*), finitary (all problems have a finite *mcsg*, at least one of which is not a singleton), or infinitary (there is a problem with the infinite *mcsg*) AU type.

There have been quite a few developments concerned with AU modulo equational theories. For example, Burghardt [14] considered AU modulo an arbitrary equational theory using grammars. Most other authors studied AU over fundamental algebraic properties and their combinations, e.g., associative (A), commutative (C), AC, idempotent (I) operators, or operators with unit (U) elements. An early work by Baader [6] studied AU over so-called "commutative theories", covering commutative monoids (ACU), commutative idempotent monoids (ACUI), and Abelian groups. In a restricted setting, he showed that AU in such theories is unitary. Alpuente et al. [1,3] studied AU over combinations of A, C, and U operators in an order-sorted setting, providing complete AU algorithms, and proving that all studied problems are finitary. Cerna and Kutsia [18] showed that some results depend on the number of symbols that satisfy the associated equational axioms. For instance, they proved the nullarity of theories containing more than one equational symbol: U^{>1}, (AU)^{>1}, (CU)^{>1}, (ACU)^{>1}, and (AU)(CU). They also show that I, AI, CI are infinitary [17], and Cerna proved that (UI)^{>1}, (AUI)^{>1}, (CUI)^{>1}, (ACUI)^{>1}, and semirings are nullary [16].

This paper extends the state-of-the-art on equational anti-unification by providing an algorithm to solve first-order AU problems in which collapsing symbols may occur. These are symbols that are associated with an *absorption constant* such that f(ε_f, x) ≈ ε_f ≈ f(x, ε_f). Such properties often appear in syntactic, logical, and algebraic frameworks (e.g., 0 × x ≈ 0, false ∧ p ≈ false). They are an instance of the *subterm-collapsing* property. Concerning applications, one could consider such operations as modeling exception handling and other methods of flagging errors in software development, where much of the context is discarded when the error handling code is triggered. In such cases, like absorption theories, the state before triggering the error handling code is not precisely captured by the resulting context and, in a sense, can be abstracted away.

In this paper, we provide a detailed study of anti-unification in absorption theories: investigating its type (which turns out to be infinitary), coming up with a finitary algorithmic representation of the potentially infinite *mcsg*, developing an algorithm that computes such a representation, and studying its properties. Moreover, our work opens a way toward characterizing anti-unification for a bigger class of subterm-collapsing equational theories, where techniques introduced in this paper can be useful. We leave this as a future work.

*Plan of the Paper.* After defining the notions (Sect. 2), we introduce an algorithm for anti-unification over absorption theories (Sect. 3), prove its soundness and completeness (Sect. 4), show that anti-unification over absorption theories is of type infinitary and provide a brief complexity analysis (Sect. 5). Some proofs and explanatory examples can be found in [4].

# **2 Preliminaries**

Let V be a countable set of variables and F a set of function symbols with a fixed arity. Additionally, we assume F contains a special constant, referred to as the *wild card*. The set of terms derived from F and V is denoted by T(F, V), whose members are constructed using the grammar t ::= x | f(t_1, ..., t_n), where x ∈ V and f ∈ F with arity n ≥ 0. When n = 0, f is called a *constant*. Constant and function symbols, terms, and variables are denoted by lower-case letters of the first, second, third, and fourth quarter of the alphabet (a, b, ...; f, g, ...; r, s, ...; x, y, ...). The set of variables occurring in t is denoted by *var*(t). The *size* of a term is defined inductively as: *size*(x) = 1, and *size*(f(t_1, ..., t_n)) = 1 + Σ_{i=1}^{n} *size*(t_i). The *depth* of a term t is defined inductively as dep(x) = 1 for variables and dep(f(t_1, ..., t_n)) = max{dep(t_1), ..., dep(t_n)} + 1 otherwise.

The set of *positions* of a term t, denoted by *pos*(t), is a set of strings of positive integers, defined as *pos*(f(t_1, ..., t_n)) = {} ∪ ⋃_{i=1}^{n} {i.p | p ∈ *pos*(t_i)}, where f ∈ F, t_1, ..., t_n are terms, and denotes the empty string. For example, the term at position 1.2 of g(f(x, a)) is a. Given a term t and p ∈ *pos*(t), then t|_p denotes the subterm of t at position p. Given a term t and p, q ∈ *pos*(t), we write p ⊑ q if q = p.q' and p ⊏ q if p ⊑ q and p ≠ q. The *set of subterms of a term* t is defined as *sub*(t) = {t|_p | p ∈ *pos*(t)}. The *head* of a term t is defined as *head*(x) = x and *head*(f(t_1, ..., t_n)) = f, for n ≥ 0.

A *substitution* is a function σ : V → T(F, V) such that σ(x) ≠ x for only finitely many variables. The set of the variables that are not mapped to themselves is called the *domain* of σ, denoted as *dom*(σ). The *range* of σ, denoted *ran*(σ), is the set of terms {σ(x) | x ∈ *dom*(σ)}. We refer to a *ground* term t if *var*(t) = ∅ and a ground substitution σ if for all t ∈ *ran*(σ), t is ground. Substitutions are extended to terms in the usual manner. We use the postfix notation for substitution application to terms and write tσ instead of σ(t).

Substitutions can be described as sets of *bindings* of variables in their domains into terms in their ranges, e.g., we represent a substitution σ as the set {x ↦ xσ | x ∈ *dom*(σ)}. Lowercase Greek letters denote substitutions except for the identity substitution that we denote by id. The set of variables occurring in the terms of *ran*(σ) is denoted as *rvar*(σ). The *composition* of substitutions σ and ρ is written σρ and is defined by (σρ)(x) = (xσ)ρ for each x ∈ V. The *restriction of a substitution* σ to a set of variables V', denoted by σ|_{V'}, is a substitution defined as σ|_{V'}(x) = σ(x) for all x ∈ V' and σ|_{V'}(x) = x otherwise.

In this work, we focus on equational anti-unification. Thus, we refrain from presenting syntactic variants of the concepts discussed below. For such details, we refer to the recent survey on the topic [19].

**Definition 1 (Equational theory** [31]**).** *An equational theory* T<sup>E</sup> *is a class of algebraic structures that hold a set of equational axioms* E *over* T (F, V)*.*

The relation {(s, t) ∈ T(F, V) × T(F, V) | E ⊧ (s, t)} induced by a set of equalities E gives the set of equalities satisfied by all structures in the theory of E. We will use the notation s ≈_E t for (s, t) belonging to this set. Also, we will identify T_E with the set of axioms E. Groups, monoids, and semirings are examples of equational theories.

**Definition 2 (**E**-generalization,** ⪯_E**).** *The generalization relation of the theory induced by* E *holds for terms* r, s ∈ T(F, V)*, written* r ⪯_E s*, if there exists a substitution* σ *such that* rσ ≈_E s*. In this case, we say that* r *is more general than* s *modulo* E*. If* r ⪯_E s *and* r ⪯_E t*, we say that* r *is an* E*-generalization of* s *and* t*. The set of all* E*-generalizations of* s *and* t *is denoted as* G_E(s, t)*. By* ≺_E *and* ≃_E*, we denote the strict and equivalence relations induced by* ⪯_E*, respectively.*

*Example 1.* Consider the equational theory Abs = {f(ε_f, x) ≈ ε_f, f(x, ε_f) ≈ ε_f}, and the terms s = ε_f and t = f(f(b, c), a). Then f(f(b, x), a) is an Abs-generalization of s and t. Indeed, σ = {x ↦ ε_f} and ρ = {x ↦ c} satisfy f(f(b, x), a)σ = f(f(b, ε_f), a) ≈_Abs ε_f and f(f(b, x), a)ρ = f(f(b, c), a).

**Definition 3 (Minimal complete set of** E**-generalizations).** *The* minimal complete set of E-generalizations *of the terms* s *and* t*, denoted as mcsg*_E(s, t)*, is a subset of* G_E(s, t) *satisfying:*

*1. For each* r ∈ G_E(s, t) *there exists* r' ∈ *mcsg*_E(s, t) *such that* r ⪯_E r'*.*
*2. If* r, r' ∈ *mcsg*_E(s, t) *and* r ⪯_E r'*, then* r = r' *(minimality).*

*Example 2.* For Example 1, the minimal complete set of Abs-generalizations is *mcsg*_Abs(ε_f, f(f(b, c), a)) = {f(f(x, c), a), f(f(b, x), a), f(f(b, c), x)}.
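Examples 1 and 2 carried out in code, as an added example that is not from the paper: Abs-normal forms, the generalization check of Definition 2, and a brute force over single-position abstractions that reproduces the mcsg of Example 2 for this problem shape (ε_f against an ε_f-free ground term). The Python encoding, the symbol names and the position-based minimality argument are ours; this is not the AUnif procedure of Sect. 3.

```python
# Added example (not from the paper): Abs-generalizations for the theory
# Abs = {f(x, eps_f) ~ eps_f, f(eps_f, x) ~ eps_f} of Examples 1 and 2.
# Terms: str = variable, tuple = (symbol, args...); constants are 1-tuples.
F = 'f'                  # the absorption symbol f
EPS = ('eps_f',)         # its absorption constant eps_f (the name is ours)

def is_var(t):
    return isinstance(t, str)

def nf(t):
    """Abs-normal form: an absorption constant never occurs as an argument of f."""
    if is_var(t):
        return t
    args = tuple(nf(a) for a in t[1:])
    if t[0] == F and EPS in args:          # f(eps_f, s) ~ f(s, eps_f) ~ eps_f
        return EPS
    return (t[0],) + args

def subst(t, sigma):
    if is_var(t):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(a, sigma) for a in t[1:])

def abs_equal(s, t):
    """s ~Abs t: the two axioms form a terminating, confluent system, so compare normal forms."""
    return nf(s) == nf(t)

def generalizes(r, s, sigma):
    """r <=_Abs s witnessed by sigma, i.e. r sigma ~Abs s (Definition 2)."""
    return abs_equal(subst(r, sigma), s)

def is_generalization(r, s, t, sigma, rho):
    """r is an Abs-generalization of s and t, with sigma and rho as witnesses."""
    return generalizes(r, s, sigma) and generalizes(r, t, rho)

def positions(t, prefix=()):
    yield prefix, t
    if not is_var(t):
        for i, a in enumerate(t[1:], start=1):
            yield from positions(a, prefix + (i,))

def replace_at(t, pos, new):
    if not pos:
        return new
    i = pos[0]
    return t[:i] + (replace_at(t[i], pos[1:], new),) + t[i + 1:]

def generalizations_of_eps(t, x='x'):
    """Single-position abstractions t[x]_p that generalize both eps_f and t.
    r = t[x]_p always satisfies r{x -> t|p} = t; r{x -> eps_f} ~Abs eps_f holds
    exactly when every symbol strictly above p is the absorption symbol f."""
    out = {}
    for p, sub in positions(t):
        r = replace_at(t, p, x)
        if is_generalization(r, EPS, t, {x: EPS}, {x: sub}):
            out[p] = r
    return out

def minimal_generalizations_of_eps(t, x='x'):
    """Keep only the abstractions at maximal positions: t[x]_p <=_Abs t[x]_q whenever
    p is a proper prefix of q (instantiate x by t|p with x at the rest of q), so the
    shorter position is strictly more general and is dropped (Definition 3). This is
    our own observation for problems of the shape eps_f vs. an eps_f-free ground t."""
    gens = generalizations_of_eps(t, x)
    return {r for p, r in gens.items()
            if not any(q != p and q[:len(p)] == p for q in gens)}

S_EX = EPS                                          # s of Example 1
T_EX = ('f', ('f', ('b',), ('c',)), ('a',))         # t = f(f(b, c), a)
R_EX = ('f', ('f', ('b',), 'x'), ('a',))            # f(f(b, x), a)

if __name__ == '__main__':
    print(is_generalization(R_EX, S_EX, T_EX, {'x': EPS}, {'x': ('c',)}))   # True
    print(minimal_generalizations_of_eps(T_EX))     # the three terms of Example 2
```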

**Definition 4 (Anti-unification type).** *The anti-unification type of an equational theory* E *may have one of the following forms:*


*– Nullary: for some* s, t ∈ T(F, V)*, mcsg*_E(s, t) *does not exist.*

*Example 3.* From the introduction: Syntactic AU is *unitary* [27,28], AU over associative (A) and commutative (C) theories is *finitary* [1], AU over idempotent theories is *infinitary* [16], and AU with multiple unital equations is *nullary* [18].

# **3 Anti-unification in Absorption Theories**

Absorption is one of the fundamental properties used in various algebraic structures. For example, in semirings, rings, and Boolean algebras, the additive identity is the absorption constant for multiplication. Concrete examples are the product operation and 0 in number fields and the intersection operation and ∅ in set theory. So far, investigations on anti-unification over absorption theories have only considered equational theories defining more elaborate algebraic structures (*semirings* [16]). In this work, we study pure absorption theories as part of a general study on the anti-unification of subterm-collapsing theories.

*Remark 1.* We only consider anti-unification of ground terms. Given that the generalization of two distinct variables is a fresh variable and the generalization of a variable with itself is the same variable, we can treat variables in the input problem as constants.

For a binary function symbol f ∈ F and a constant ε_f ∈ F, the absorption property Abs(f, ε_f) is given by the axioms {f(x, ε_f) ≈ ε_f, f(ε_f, x) ≈ ε_f}. An absorption theory is induced by a finite union of absorption axiom sets Abs(f_1, ε_{f_1}) ∪ ··· ∪ Abs(f_n, ε_{f_n}), n ≥ 1, such that for all 1 ≤ i ≠ j ≤ n, f_i ≠ f_j and ε_{f_i} ≠ ε_{f_j}. Each pair f_i, ε_{f_i} is called a pair of *related absorption symbols*. When the concrete symbols are not relevant or if they are clear from the context, we refer to an absorption theory simply as Abs.

An *anti-unification triple* (AUT) is a triple of the form s ≜_x t, where x ∈ V, called the *label of the AUT*, and s, t ∈ T(F, V). Given a set A of AUTs, *labels*(A) = {x | s ≜_x t ∈ A} and *size*(A) = Σ_{s ≜_x t ∈ A} (*size*(s) + *size*(t)). A set of AUTs is *valid* if its labels are pairwise disjoint. An AUT is referred to as *wild* if either the left or right side is the wild card.

**Definition 5 (Solved AUT).** *An AUT* s ≜_x t *is* solved *over an absorption theory* Abs *if head*(s) ≠ *head*(t)*, head*(s) *and head*(t) *are not related absorption symbols, and* s ≜_x t *is not wild.*

Intuitively, *solved* means the label of the AUT is the lgg of the two terms.

#### **3.1 Generalization Procedure for** Abs **Theories**

We present a set of inference rules (Table 1), which, when applied exhaustively (AUnif procedure), return a set of objects from which Abs-generalizations of the input AUTs may be derived. The inference rules of the AUnif procedure work on *configurations*, defined below.

**Definition 6 (Configuration).** *A configuration is a quadruple of the form* A; S; D; θ*, where:*


*All terms occurring in a configuration are in their* Abs*-normal forms: an absorption constant does not occur as the argument to its absorption symbol.*

The rules in Table 1 will be referred to as follows: Decompose (*Dec* ⟹), Solve (*Sol* ⟹), Expansions for Left Absorption (*ExpLA1* ⟹ and *ExpLA2* ⟹), Expansions for Right Absorption (*ExpRA1* ⟹ and *ExpRA2* ⟹), Expansion Absorption in Both sides (*ExpBA1* ⟹ and *ExpBA2* ⟹), and Merge (*Mer* ⟹). By C ⟹ C' we denote the application of some inference rule of Table 1 to C resulting in C'. By C ⟹* C' we denote a finite sequence of inference rule applications starting at C and ending with C'. In both cases we say C' is *derived* from C. An initial configuration is a configuration of the form A; ∅; ∅; ι, where ι = {f_A(x) ↦ x | x ∈ *labels*(A)} with f_A : V → (V ∖ *labels*(A)) being a bijection. A configuration C is referred to as *final* if no inference rule is applicable to C. We denote the set of final configurations finitely derived from an initial configuration C by AUnif(C).

**Lemma 1 (Preservation).** *If* C *is a configuration and* C ⟹ C'*, then* C' *is a configuration.*

*Proof.* According to the rules in Table 1, we can have the following two cases:


In both cases, the properties of a configuration are preserved. 

*Remark 2.* For the rest of the paper, we will only consider configurations derived from initial configurations.

**Theorem 1 (Termination).** *Let* C *be a configuration. Then* AUnif(C) *is computable in a finite number of steps.*

*Proof.* Let C = A; S; D; θ. We define *size*(C) := (*size*(A), *size*(S)) and compare these pairs lexicographically. This ordering is well-founded since the size of a set of AUTs is a natural number. Observe that if C ⟹ C' then *size*(C) > *size*(C'). Thus, every sequence of rule applications terminates. Furthermore, any configuration can be transformed by rules from Table 1 in finitely many ways. Thus, by König's Lemma, AUnif(C) is finite and finitely computable.

**Table 1.** Inference rules for the AUnif procedure for Abs theory.

Let ∅; S; D; θ ∈ AUnif(A; ∅; ∅; ι), where A; ∅; ∅; ι is an initial configuration. We will show that for any AUT s ≜_x t ∈ A, xθ ∈ G_Abs(s, t). Moreover, we can construct additional generalizations by considering the AUTs in the delayed sets. We discuss this process in the next section.

#### **3.2 Abstraction Set and Substitutions**

We construct the *abstraction set* and *abstraction substitutions* from the store and delayed sets of the final configurations derived using the AUnif procedure. Let {s ≜_x t}; ∅; ∅; ι be an initial configuration and ∅; S; D; θ ∈ AUnif({s ≜_x t}; ∅; ∅; ι). While xθ may be more specific than the syntactic generalization of s and t, any use of the absorption theory while computing xθ is completely dependent on the presence of absorption symbols and constants within s and t. Absorption theories allow the introduction of additional structure beyond what is present in the initial AUTs. For example, AUnif computes the generalization f(x, y) for the terms ε_f and f(h(ε_f), h(h(ε_f))), yet Abs allows a more specific generalization, f(x, h(x)). In more extreme cases, infinitely many more specific generalizations may exist.

**Definition 7 (Abstraction set).** *Let* t *be a ground term in* Abs*-normal form, and* σ *be a substitution whose range is in* Abs*-normal form. The abstraction set of* t *with respect to* σ *is the set*

$$\uparrow(t,\sigma) := \{\, r \mid r\sigma \approx_{\mathsf{Abs}} t,\ r \text{ is in } \mathsf{Abs}\text{-normal form, and } \mathit{var}(r) \subseteq \mathit{dom}(\sigma) \,\}.$$

Observe that t ∈ ↑(t, σ) since *var*(t) = ∅ ⊆ *dom*(σ) and tσ = t. To obtain an r ∈ ↑(t, σ), we abstract some occurrences of some xσ's in t by x, where x ∈ *dom*(σ); this is the origin of the term "abstraction set".

*Example 4.* Let t = g(ε_f, f(h(a), b)) and σ = {x ↦ a, y ↦ f(h(a), b), z ↦ b}. Then the abstraction set of t with respect to σ is

$$\uparrow(t,\sigma) = \{\, t,\ g(\varepsilon_f, y),\ g(\varepsilon_f, f(h(x), b)),\ g(\varepsilon_f, f(h(a), z)),\ g(\varepsilon_f, f(h(x), z)) \,\}.$$

Now, consider t = h(ε_f) and σ = {y ↦ a, v ↦ ε_f}. Then ↑(t, σ) is infinite:

$$\begin{aligned} \uparrow(t,\sigma) = {} & \{h(\varepsilon_f),\ h(v)\} \cup \{h(f(v, s)) \mid s \in \mathcal{T}(\mathcal{F}, \{y, v\})\} \cup \{h(f(s, v)) \mid s \in \mathcal{T}(\mathcal{F}, \{y, v\})\} \\ & \cup \{h(f(f(v, s), r)) \mid s, r \in \mathcal{T}(\mathcal{F}, \{y, v\})\} \cup \cdots \end{aligned}$$

Let us consider a particular configuration C. Observe that all AUTs occurring in the delayed set of C are *wild*, i.e., of the form ★ ≜_x t or t ≜_x ★, where t is ground and ★ is a constant indicating that the term occurring at this position of the AUT is irrelevant. We produce more specific generalizations by composing *abstraction substitutions* with the anti-unifier of C. Essentially, *abstraction substitutions* are anti-unifiers of AUTs in the delayed set of C, constructed from an interpretation of the *wild cards* as particular terms. The variables occurring in the range of an *abstraction substitution* are restricted to labels of the store of C. In Sect. 4, we show that this restriction does not influence completeness.

**Definition 8 (Abstraction substitutions).** *Let* C = ⟨A; S; D; θ⟩ *be a configuration such that* D ≠ ∅*. A substitution* τ *is called an* abstraction substitution *of* C *if* dom(τ) = labels(D)*, and for each* y ∈ dom(τ) *we have* yτ ∈ ↑_y(D, S)*, where*

$$\uparrow_y(D,S) := \begin{cases} \uparrow(t,\ \{x \mapsto r \mid l \triangleq_x r \in S, \text{ for some } l\}) & \text{if } \star \triangleq_y t \in D, \\ \uparrow(s,\ \{x \mapsto l \mid l \triangleq_x r \in S, \text{ for some } r\}) & \text{if } s \triangleq_y \star \in D. \end{cases}$$

*The set of abstraction substitutions of* C *is denoted by* Ψ(D, S)*.*

**Corollary 1.** *Let* ⟨A; S; D; θ⟩ *be a configuration such that* D ≠ ∅*. Then for any* y ∈ labels(D) *and* τ ∈ Ψ(D, S)*,* var(yτ) ⊆ labels(S)*.*

The following example illustrates the computation of final configurations using AUnif and the construction of the abstraction sets.

*Example 5.* Applying AUnif to g(ε_f, f(a, h(ε_f))) ≜_x g(f(h(ε_f), a), ε_f), we get the following four derivations that lead to four final configurations:

$$\begin{aligned} \textbf{Derivation 1}:\ & \langle \{ g(\varepsilon_f, f(a, h(\varepsilon_f))) \triangleq_{x} g(f(h(\varepsilon_f), a), \varepsilon_f) \}; \emptyset; \emptyset; \iota \rangle \stackrel{\textit{Dec}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{w_1} f(h(\varepsilon_f), a),\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \emptyset; \{ x \mapsto g(w_1, w_2), \ldots \} \rangle \stackrel{\textit{ExpLA1}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{u_1} h(\varepsilon_f),\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{v_1} a \}; \{ x \mapsto g(f(u_1, v_1), w_2), \ldots \} \rangle \stackrel{\textit{ExpRA1}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{u_1} h(\varepsilon_f),\ a \triangleq_{u_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{v_1} a,\ h(\varepsilon_f) \triangleq_{v_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle \stackrel{\textit{Sol}\times 2}{\Longrightarrow} \\ & \langle \emptyset; \{ \varepsilon_f \triangleq_{u_1} h(\varepsilon_f),\ a \triangleq_{u_2} \varepsilon_f \}; \{ \star \triangleq_{v_1} a,\ h(\varepsilon_f) \triangleq_{v_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle. \end{aligned}$$

Then D = {★ ≜_{v_1} a, h(ε_f) ≜_{v_2} ★} and S = {ε_f ≜_{u_1} h(ε_f), a ≜_{u_2} ε_f}. For the variable v_1, ↑_{v_1}(D, S) = ↑(a, {u_1 ↦ h(ε_f), u_2 ↦ ε_f}) = {a}. For the variable v_2, ↑_{v_2}(D, S) = ↑(h(ε_f), {u_1 ↦ ε_f, u_2 ↦ a}) is an infinite set

$$\begin{aligned} & \{h(\varepsilon_f),\ h(u_1)\} \cup \{h(f(u_1, s)) \mid s \in \mathcal{T}(\mathcal{F}, \{u_1, u_2\})\} \cup \{h(f(s, u_1)) \mid s \in \mathcal{T}(\mathcal{F}, \{u_1, u_2\})\} \\ & \cup \{h(f(f(u_1, s), t)) \mid s, t \in \mathcal{T}(\mathcal{F}, \{u_1, u_2\})\} \cup \cdots \end{aligned}$$

The set of abstraction substitutions Ψ(D, S) is an infinite set including {v_1 ↦ a, v_2 ↦ h(ε_f)}, {v_1 ↦ a, v_2 ↦ h(u_1)}, {v_1 ↦ a, v_2 ↦ h(f(u_1, a))}, and so on. From the final configuration, we get an infinite set of Abs-generalizations of the initial AUT, including, e.g., g(f(u_1, a), f(u_2, h(ε_f))), g(f(u_1, a), f(u_2, h(u_1))), g(f(u_1, a), f(u_2, h(f(u_1, a)))), etc.

$$\begin{aligned} \textbf{Derivation 2}:\ & \langle \{ g(\varepsilon_f, f(a, h(\varepsilon_f))) \triangleq_{x} g(f(h(\varepsilon_f), a), \varepsilon_f) \}; \emptyset; \emptyset; \iota \rangle \stackrel{\textit{Dec}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{w_1} f(h(\varepsilon_f), a),\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \emptyset; \{ x \mapsto g(w_1, w_2), \ldots \} \rangle \stackrel{\textit{ExpLA1}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{u_1} h(\varepsilon_f),\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{v_1} a \}; \{ x \mapsto g(f(u_1, v_1), w_2), \ldots \} \rangle \stackrel{\textit{ExpRA2}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{u_1} h(\varepsilon_f),\ h(\varepsilon_f) \triangleq_{v_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{v_1} a,\ a \triangleq_{u_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle \stackrel{\textit{Sol}\times 2}{\Longrightarrow} \\ & \langle \emptyset; \{ \varepsilon_f \triangleq_{u_1} h(\varepsilon_f),\ h(\varepsilon_f) \triangleq_{v_2} \varepsilon_f \}; \{ \star \triangleq_{v_1} a,\ a \triangleq_{u_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle. \end{aligned}$$

Then D = {★ ≜_{v_1} a, a ≜_{u_2} ★} and S = {ε_f ≜_{u_1} h(ε_f), h(ε_f) ≜_{v_2} ε_f}. Thus, ↑_{v_1}(D, S) = ↑(a, {u_1 ↦ h(ε_f), v_2 ↦ ε_f}) = {a}, and ↑_{u_2}(D, S) = ↑(a, {u_1 ↦ ε_f, v_2 ↦ h(ε_f)}) = {a}. This leads to the single generalization g(f(u_1, a), f(a, v_2)).

$$\begin{aligned} \textbf{Derivation 3}:\ & \langle \{ g(\varepsilon_f, f(a, h(\varepsilon_f))) \triangleq_{x} g(f(h(\varepsilon_f), a), \varepsilon_f) \}; \emptyset; \emptyset; \iota \rangle \stackrel{\textit{Dec}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{w_1} f(h(\varepsilon_f), a),\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \emptyset; \{ x \mapsto g(w_1, w_2), \ldots \} \rangle \stackrel{\textit{ExpLA2}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{v_1} a,\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{u_1} h(\varepsilon_f) \}; \{ x \mapsto g(f(u_1, v_1), w_2), \ldots \} \rangle \stackrel{\textit{ExpRA1}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{v_1} a,\ a \triangleq_{u_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{u_1} h(\varepsilon_f),\ h(\varepsilon_f) \triangleq_{v_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle \stackrel{\textit{Sol}\times 2}{\Longrightarrow} \\ & \langle \emptyset; \{ \varepsilon_f \triangleq_{v_1} a,\ a \triangleq_{u_2} \varepsilon_f \}; \{ \star \triangleq_{u_1} h(\varepsilon_f),\ h(\varepsilon_f) \triangleq_{v_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle. \end{aligned}$$

Then D = {★ ≜_{u_1} h(ε_f), h(ε_f) ≜_{v_2} ★} and S = {ε_f ≜_{v_1} a, a ≜_{u_2} ε_f}. Thus, we get

$$\begin{aligned} \uparrow_{u_1}(D,S) &= \uparrow(h(\varepsilon_f), \{v_1 \mapsto a,\ u_2 \mapsto \varepsilon_f\}) = \{h(\varepsilon_f),\ h(u_2)\} \cup \{h(f(u_2, s)) \mid s \in \mathcal{T}(\mathcal{F}, \{v_1, u_2\})\} \cup \cdots \text{, and} \\ \uparrow_{v_2}(D,S) &= \uparrow(h(\varepsilon_f), \{v_1 \mapsto \varepsilon_f,\ u_2 \mapsto a\}) = \{h(\varepsilon_f),\ h(v_1)\} \cup \{h(f(v_1, s)) \mid s \in \mathcal{T}(\mathcal{F}, \{v_1, u_2\})\} \cup \cdots \end{aligned}$$

Then Ψ(D, S) is infinite; it contains, e.g., the substitutions {u_1 ↦ h(ε_f), v_2 ↦ h(ε_f)}, {u_1 ↦ h(ε_f), v_2 ↦ h(v_1)}, {u_1 ↦ h(u_2), v_2 ↦ h(ε_f)}, etc. This leads to infinitely many generalizations of the initial AUT, including, e.g., g(f(h(ε_f), v_1), f(u_2, h(ε_f))), g(f(h(ε_f), v_1), f(u_2, h(v_1))), etc.

$$\begin{aligned} \textbf{Derivation 4}:\ & \langle \{ g(\varepsilon_f, f(a, h(\varepsilon_f))) \triangleq_{x} g(f(h(\varepsilon_f), a), \varepsilon_f) \}; \emptyset; \emptyset; \iota \rangle \stackrel{\textit{Dec}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{w_1} f(h(\varepsilon_f), a),\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \emptyset; \{ x \mapsto g(w_1, w_2), \ldots \} \rangle \stackrel{\textit{ExpLA2}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{v_1} a,\ f(a, h(\varepsilon_f)) \triangleq_{w_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{u_1} h(\varepsilon_f) \}; \{ x \mapsto g(f(u_1, v_1), w_2), \ldots \} \rangle \stackrel{\textit{ExpRA2}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{v_1} a,\ h(\varepsilon_f) \triangleq_{v_2} \varepsilon_f \}; \emptyset; \{ \star \triangleq_{u_1} h(\varepsilon_f),\ a \triangleq_{u_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle \stackrel{\textit{Sol}\times 2}{\Longrightarrow} \\ & \langle \emptyset; \{ \varepsilon_f \triangleq_{v_1} a,\ h(\varepsilon_f) \triangleq_{v_2} \varepsilon_f \}; \{ \star \triangleq_{u_1} h(\varepsilon_f),\ a \triangleq_{u_2} \star \}; \{ x \mapsto g(f(u_1, v_1), f(u_2, v_2)), \ldots \} \rangle. \end{aligned}$$

Then D = {★ ≜_{u_1} h(ε_f), a ≜_{u_2} ★} and S = {ε_f ≜_{v_1} a, h(ε_f) ≜_{v_2} ε_f}. This leads to infinitely many generalizations of the initial AUT, including, e.g., g(f(h(ε_f), v_1), f(a, v_2)), g(f(h(v_2), v_1), f(a, v_2)), g(f(h(f(v_2, a)), v_1), f(a, v_2)), etc., since

$$\begin{aligned} \uparrow_{u_1}(D,S) &= \uparrow(h(\varepsilon_f), \{v_1 \mapsto a,\ v_2 \mapsto \varepsilon_f\}) = \{h(\varepsilon_f),\ h(v_2)\} \cup \{h(f(v_2, s)) \mid s \in \mathcal{T}(\mathcal{F}, \{v_1, v_2\})\} \cup \cdots \text{ and} \\ \uparrow_{u_2}(D,S) &= \uparrow(a, \{v_1 \mapsto \varepsilon_f,\ v_2 \mapsto h(\varepsilon_f)\}) = \{a\}. \end{aligned}$$
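The abstraction sets of Definition 7 and the abstraction substitutions of Definition 8 can be checked mechanically. The following Python program is an added example and not code from the paper: it represents terms as nested tuples, assumes a signature in which f is the only absorption symbol (with constant `EPS_F`) and `STAR` stands for the wild card, and implements Abs-normalization, the decidable membership test r ∈ ↑(t, σ), and the finite part of ↑(t, σ) that is obtained without using the absorption equations (`syntactic_abstractions`). It reproduces the five elements of Example 4 and, for the final configuration of Derivation 1 in Example 5, the values ↑_{v_1}(D, S) = {a} and the finite part {h(ε_f), h(u_1)} of ↑_{v_2}(D, S), together with the generalizations g(f(u_1, a), f(u_2, h(ε_f))) and g(f(u_1, a), f(u_2, h(u_1))). Function names and the Python names `u1`, `v2`, etc. for the labels u_1, v_2 are this example's own.

```python
import itertools

# Added example, not code from the paper. Terms are variables (Python str) or
# tuples (head, arg1, ...). The signature is an assumption for the demo: f is
# the only absorption symbol and EPS_F is its absorption constant.
EPS_F = ("eps_f",)
ABSORB = {"f": EPS_F}
STAR = ("*",)          # the wild card of the delayed set (not a term symbol)
A, B = ("a",), ("b",)  # constants used by the examples below

def is_var(t):
    return isinstance(t, str)

def normalize(t):
    """Abs-normal form: rewrite f(..., eps_f, ...) to eps_f, innermost first."""
    if is_var(t):
        return t
    head, *args = t
    args = [normalize(a) for a in args]
    if head in ABSORB and ABSORB[head] in args:
        return ABSORB[head]
    return (head, *args)

def apply(t, sigma):
    """Apply the substitution sigma (dict variable -> term) to t."""
    if is_var(t):
        return sigma.get(t, t)
    return (t[0], *(apply(a, sigma) for a in t[1:]))

def variables(t):
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))

def in_abstraction_set(r, t, sigma):
    """Decidable membership test for Definition 7: r in ↑(t, sigma)."""
    return (normalize(r) == r and variables(r) <= set(sigma)
            and normalize(apply(r, sigma)) == normalize(t))

def syntactic_abstractions(t, sigma):
    """The finite part of ↑(t, sigma): replace some occurrences of x·sigma by x
    without using the absorption equations (x·sigma = eps_f only matches a
    literal eps_f). The full set may be infinite, as in Example 4."""
    results = {t} | {x for x, image in sigma.items() if image == t}
    if not is_var(t):
        arg_sets = [syntactic_abstractions(a, sigma) for a in t[1:]]
        for combo in itertools.product(*arg_sets):
            results.add((t[0], *combo))
    return results

def abstraction_sigma(y, D, S):
    """Definition 8: the term and substitution behind ↑_y(D, S). D and S are
    lists of (left, label, right) triples; wild AUTs contain STAR."""
    for left, label, right in D:
        if label == y and left == STAR:     # ★ ≜_y t: right-hand sides of S
            return right, {l: r for (_, l, r) in S}
        if label == y and right == STAR:    # s ≜_y ★: left-hand sides of S
            return left, {l: s for (s, l, _) in S}
    raise KeyError(f"{y} is not the label of a wild AUT in D")

def abstraction_substitutions(D, S):
    """The finite part of Ψ(D, S): one substitution per choice of an element
    of the syntactic abstraction set for each label of D."""
    labels = [label for _, label, _ in D]
    choices = [syntactic_abstractions(*abstraction_sigma(y, D, S)) for y in labels]
    return [dict(zip(labels, combo)) for combo in itertools.product(*choices)]

def generalizations(x_theta, D, S):
    """x·theta·tau, normalized, for every tau in the finite part of Ψ(D, S)."""
    return {normalize(apply(x_theta, tau)) for tau in abstraction_substitutions(D, S)}

# Example 4: t = g(eps_f, f(h(a), b)), sigma = {x -> a, y -> f(h(a), b), z -> b}
T4 = ("g", EPS_F, ("f", ("h", A), B))
SIGMA4 = {"x": A, "y": ("f", ("h", A), B), "z": B}

# Final configuration of Derivation 1 in Example 5 (store S5, delayed set D5)
S5 = [(EPS_F, "u1", ("h", EPS_F)), (A, "u2", EPS_F)]
D5 = [(STAR, "v1", A), (("h", EPS_F), "v2", STAR)]
X_THETA5 = ("g", ("f", "u1", "v1"), ("f", "u2", "v2"))

if __name__ == "__main__":
    print(len(syntactic_abstractions(T4, SIGMA4)))                 # the 5 terms of Example 4
    t2, sigma2 = abstraction_sigma("v2", D5, S5)
    print(in_abstraction_set(("h", ("f", "u1", A)), t2, sigma2))   # h(f(u1, a)) is in ↑_{v2}(D, S)
    for g in generalizations(X_THETA5, D5, S5):
        print(g)
```

The membership test is the practical tool here: ↑(t, σ) is infinite as soon as some xσ is an absorption constant, but whether a given candidate r belongs to it is decided by normalizing rσ and comparing with t, which is exactly how the infinite sets in Examples 4 and 5 are described.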

*Example 6.* To generalize g(ε_f, ε_f, a) and g(ε_f, b, ε_f), the AUnif procedure generates two derivations, which differ from each other only in the last step:

$$\begin{aligned} \textbf{Derivation 1}:\ & \langle \{ g(\varepsilon_f, \varepsilon_f, a) \triangleq_{x} g(\varepsilon_f, b, \varepsilon_f) \}; \emptyset; \emptyset; \iota \rangle \stackrel{\textit{Dec}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{y_1} \varepsilon_f,\ \varepsilon_f \triangleq_{y_2} b,\ a \triangleq_{y_3} \varepsilon_f \}; \emptyset; \emptyset; \{ x \mapsto g(y_1, y_2, y_3), \ldots \} \rangle \stackrel{\textit{Sol}\times 2}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{y_1} \varepsilon_f \}; \{ \varepsilon_f \triangleq_{y_2} b,\ a \triangleq_{y_3} \varepsilon_f \}; \emptyset; \{ x \mapsto g(y_1, y_2, y_3), \ldots \} \rangle \stackrel{\textit{ExpBA1}}{\Longrightarrow} \\ & \langle \emptyset; \{ \varepsilon_f \triangleq_{y_2} b,\ a \triangleq_{y_3} \varepsilon_f \}; \{ \star \triangleq_{u_1} \varepsilon_f,\ \varepsilon_f \triangleq_{u_2} \star \}; \{ x \mapsto g(f(u_1, u_2), y_2, y_3), \ldots \} \rangle. \end{aligned}$$

Here, for the store S and the delayed set D in the last configuration, we get

$$\begin{aligned} \uparrow_{u_1}(D,S) &= \uparrow(\varepsilon_f, \{y_2 \mapsto b,\ y_3 \mapsto \varepsilon_f\}) = \{\varepsilon_f,\ y_3\} \cup \{f(y_3, s) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \\ &\quad \{f(s, y_3) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \{f(f(y_3, s), t) \mid s, t \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \cdots \\ \uparrow_{u_2}(D,S) &= \uparrow(\varepsilon_f, \{y_2 \mapsto \varepsilon_f,\ y_3 \mapsto a\}) = \{\varepsilon_f,\ y_2\} \cup \{f(y_2, s) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \\ &\quad \{f(s, y_2) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \{f(f(y_2, s), t) \mid s, t \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \cdots \end{aligned}$$

From these, we get an infinite set of generalizations that includes, e.g., g(ε_f, y_2, y_3), g(f(y_3, y_2), y_2, y_3), g(f(f(y_3, y_3), y_2), y_2, y_3), etc.

$$\begin{aligned} \textbf{Derivation 2}:\ & \langle \{ g(\varepsilon_f, \varepsilon_f, a) \triangleq_{x} g(\varepsilon_f, b, \varepsilon_f) \}; \emptyset; \emptyset; \iota \rangle \stackrel{\textit{Dec}}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{y_1} \varepsilon_f,\ \varepsilon_f \triangleq_{y_2} b,\ a \triangleq_{y_3} \varepsilon_f \}; \emptyset; \emptyset; \{ x \mapsto g(y_1, y_2, y_3), \ldots \} \rangle \stackrel{\textit{Sol}\times 2}{\Longrightarrow} \\ & \langle \{ \varepsilon_f \triangleq_{y_1} \varepsilon_f \}; \{ \varepsilon_f \triangleq_{y_2} b,\ a \triangleq_{y_3} \varepsilon_f \}; \emptyset; \{ x \mapsto g(y_1, y_2, y_3), \ldots \} \rangle \stackrel{\textit{ExpBA2}}{\Longrightarrow} \\ & \langle \emptyset; \{ \varepsilon_f \triangleq_{y_2} b,\ a \triangleq_{y_3} \varepsilon_f \}; \{ \varepsilon_f \triangleq_{v_1} \star,\ \star \triangleq_{v_2} \varepsilon_f \}; \{ x \mapsto g(f(v_1, v_2), y_2, y_3), \ldots \} \rangle. \end{aligned}$$

Again, taking S and D from the last configuration, we get

$$\begin{aligned} \uparrow_{v_1}(D,S) &= \uparrow(\varepsilon_f, \{y_2 \mapsto \varepsilon_f,\ y_3 \mapsto a\}) = \{\varepsilon_f,\ y_2\} \cup \{f(y_2, s) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \\ &\quad \{f(s, y_2) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \{f(f(y_2, s), t) \mid s, t \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \cdots \\ \uparrow_{v_2}(D,S) &= \uparrow(\varepsilon_f, \{y_2 \mapsto b,\ y_3 \mapsto \varepsilon_f\}) = \{\varepsilon_f,\ y_3\} \cup \{f(y_3, s) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \\ &\quad \{f(s, y_3) \mid s \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \{f(f(y_3, s), t) \mid s, t \in \mathcal{T}(\mathcal{F}, \{y_2, y_3\})\} \cup \cdots \end{aligned}$$

From these, we get an infinite set of generalizations that includes, e.g., g(ε_f, y_2, y_3), g(f(y_2, y_3), y_2, y_3), g(f(f(y_2, y_2), y_3), y_2, y_3), etc.
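The derivations of Examples 5 and 6 enumerate every alternative the rules offer, and the number of final configurations is the product of the choices made at each expansion step. The following Python program is an added example, not the paper's implementation of AUnif: its rules are reconstructed from the effect each rule has in the derivations above and in the proofs of Sect. 4 (Dec and Sol as in the base case of the completeness proof, ExpLA1/2, ExpRA1/2 and ExpBA1/2 as in the examples and the soundness proof, Mer applied once the active set is empty), and the side conditions stated in the comments are assumptions of this reconstruction. Labels are generated as `z1`, `z2`, …, terms are nested tuples, f is the only absorption symbol and `STAR` is the wild card. It yields the four final configurations of Example 5, the two of Example 6, and the generalization f(x, y) for ε_f and f(h(ε_f), h(h(ε_f))) mentioned at the beginning of this section; `labels_consistent` checks that the variables of xθ are exactly the labels of the store and the delayed set.

```python
# Added example, not the paper's implementation: a reconstruction of the AUnif
# rules as they are applied in Examples 5 and 6. Terms are variables (str) or
# tuples (head, arg1, ...). Assumed signature: f is the only absorption symbol
# with absorption constant EPS_F; STAR marks the wild card of delayed AUTs.
EPS_F = ("eps_f",)
ABSORB = {"f": EPS_F}
STAR = ("*",)
A, B = ("a",), ("b",)   # constants used by the examples below

def is_var(t):
    return isinstance(t, str)

def head(t):
    return t if is_var(t) else t[0]

def abs_symbol(c):
    """The absorption symbol whose absorption constant is c, or None."""
    return next((f for f, e in ABSORB.items() if e == c), None)

def apply(t, sigma):
    if is_var(t):
        return sigma.get(t, t)
    return (t[0], *(apply(a, sigma) for a in t[1:]))

def variables(t):
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))

def bind(theta, y, term):
    """theta{y ↦ term}: earlier images are updated so theta stays composed."""
    new = {k: apply(v, {y: term}) for k, v in theta.items()}
    new[y] = term
    return new

def successors(A, S, D, theta, fresh):
    """Every configuration reachable by one rule applied to the first AUT of A.
    An AUT is the triple (left, label, right) for left ≜_label right."""
    (s, y, t), rest = A[0], A[1:]
    f = abs_symbol(s) or abs_symbol(t)
    if f is not None and (s == t or head(s) == f or head(t) == f):
        x1, x2 = fresh(), fresh()
        th = bind(theta, y, (f, x1, x2))
        if s == t:                      # ExpBA1 / ExpBA2 on eps_f ≜ eps_f
            yield rest, S, D + [(s, x1, STAR), (STAR, x2, t)], th
            yield rest, S, D + [(STAR, x1, s), (t, x2, STAR)], th
        elif s == ABSORB[f]:            # ExpLA1 / ExpLA2 on eps_f ≜ f(t1, t2)
            yield [(s, x1, t[1])] + rest, S, D + [(STAR, x2, t[2])], th
            yield [(s, x2, t[2])] + rest, S, D + [(STAR, x1, t[1])], th
        else:                           # ExpRA1 / ExpRA2 on f(s1, s2) ≜ eps_f
            yield [(s[1], x1, t)] + rest, S, D + [(s[2], x2, STAR)], th
            yield [(s[2], x2, t)] + rest, S, D + [(s[1], x1, STAR)], th
    elif head(s) == head(t):            # Dec: equal heads, not absorption constants
        xs = [fresh() for _ in s[1:]]
        pairs = [(si, xi, ti) for si, xi, ti in zip(s[1:], xs, t[1:])]
        yield pairs + rest, S, D, bind(theta, y, (s[0], *xs))
    else:                               # Sol: different heads, store the AUT
        yield rest, S + [(s, y, t)], D, theta

def merge(S, theta):
    """Mer: two store AUTs with the same sides share one label (y ↦ z)."""
    kept = []
    for s, y, t in S:
        z = next((z for s2, z, t2 in kept if (s2, t2) == (s, t)), None)
        if z is None:
            kept.append((s, y, t))
        else:
            theta = bind(theta, y, z)
    return kept, theta

def aunif(s, t):
    """All final configurations of AUnif(<{s ≜_x t}; ∅; ∅; ι>), each as a dict
    with the store S, the delayed set D and the composed substitution theta."""
    counter = [0]
    def fresh():
        counter[0] += 1
        return f"z{counter[0]}"
    finals = []
    def explore(A, S, D, theta):
        if not A:
            S, theta = merge(S, theta)
            finals.append({"S": S, "D": D, "theta": theta})
            return
        for conf in successors(A, S, D, theta, fresh):
            explore(*conf)
    explore([(s, "x", t)], [], [], {})
    return finals

def labels_consistent(conf):
    """var(x·theta) must be exactly the labels of the store and the delayed set."""
    labels = {y for _, y, _ in conf["S"]} | {y for _, y, _ in conf["D"]}
    return variables(conf["theta"]["x"]) == labels

if __name__ == "__main__":
    # The AUT of Example 5: four final configurations, as in Derivations 1-4.
    for conf in aunif(("g", EPS_F, ("f", A, ("h", EPS_F))), ("g", ("f", ("h", EPS_F), A), EPS_F)):
        print(conf["theta"]["x"], "store:", conf["S"], "delayed:", conf["D"])
```

Because every expansion rule yields both of its alternatives, the search returns 2^k final configurations for k expansion steps on a branch; the derivations of Example 5 are the four leaves of that tree, and the store and delayed set of each leaf are exactly the inputs Definition 8 needs.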

# **4 Soundness and Completeness**

Preserving the stated properties of configurations (Definition 6) is essential to both the soundness and completeness proofs as these properties enforce consistency with respect to the use of the labels.

**Theorem 2 (Soundness).** *Consider* ⟨A_0; S_0; D_0; θ_0⟩ ⟹* ⟨∅; S_n; D_n; θ_n⟩*, a derivation to a final configuration. Then for all* s ≜_x t ∈ A_0 ∪ S_0*,* xθ_n ∈ G_Abs(s, t)*.*

*Proof.* We proceed by induction over the derivation length.

**Basecase**. If the derivation has length 0, then it starts with a final configuration, implying that A_0 = ∅ and, for all s ≜_x t ∈ S_0, xθ_0 = x ∈ G_Abs(s, t). **Stepcase.** Now consider a derivation having the following form:

$$
\langle A_0; S_0; D_0; \theta_0 \rangle \Longrightarrow \langle A_1; S_1; D_1; \theta_1 \rangle \Longrightarrow^n \langle \emptyset; S_{n+1}; D_{n+1}; \theta_{n+1} \rangle \tag{1}
$$

We assume for the induction hypothesis (IH) that for derivations of the form

$$
\langle A_1; S_1; D_1; \theta_1 \rangle \Longrightarrow^n \langle \emptyset; S_{n+1}; D_{n+1}; \theta_{n+1} \rangle,
$$

the theorem holds, and show that the theorem holds for derivations of the form (1). We continue the proof by considering the various options for the transition from ⟨A_0; S_0; D_0; θ_0⟩ to ⟨A_1; S_1; D_1; θ_1⟩.

1. **(Dec)**. Assume that the derivation is of the form:

$$\begin{aligned} \langle \{ f(s_1, \ldots, s_m) \triangleq_y f(t_1, \ldots, t_m) \} \cup A'; S_0; D_0; \theta_0 \rangle \stackrel{\textit{Dec}}{\Longrightarrow} \\ \langle \{ s_1 \triangleq_{x_1} t_1, \ldots, s_m \triangleq_{x_m} t_m \} \cup A'; S_1; D_1; \theta_1 \rangle \Longrightarrow^n \langle \emptyset; S_{n+1}; D_{n+1}; \theta_{n+1} \rangle \end{aligned}$$

where θ_1 = θ_0{y ↦ f(x_1, …, x_m)}. By the IH, we know that for all 1 ≤ i ≤ m, x_iθ_{n+1} ∈ G_Abs(s_i, t_i), implying that

$$f(x_1, \ldots, x_m)\theta_{n+1} \in \mathcal{G}_{\mathsf{Abs}}(f(s_1, \ldots, s_m), f(t_1, \ldots, t_m)).$$

2. **(Sol)**. Assume that the derivation is of the form:

$$\langle \{ s \triangleq_y t \} \cup A'; S_0; D_0; \theta_0 \rangle \stackrel{\textit{Sol}}{\Longrightarrow} \langle A'; S_1; D_0; \theta_0 \rangle \Longrightarrow^n \langle \emptyset; S_{n+1}; D_{n+1}; \theta_{n+1} \rangle,$$

where S_1 = {s ≜_y t} ∪ S_0. By the IH, θ_{n+1} generalizes all the AUTs with labels in S_1. Thus, yθ_{n+1} ∈ G_Abs(s, t).

3. **(ExpLA1)**. Assume that the derivation is of the form:

$$\begin{aligned} \langle \{ \varepsilon_f \triangleq_y f(s, t) \} \cup A'; S_0; D_0; \theta_0 \rangle \stackrel{\textit{ExpLA1}}{\Longrightarrow} \\ \langle \{ \varepsilon_f \triangleq_{x_1} s \} \cup A'; S_1; D_1; \theta_1 \rangle \Longrightarrow^n \langle \emptyset; S_{n+1}; D_{n+1}; \theta_{n+1} \rangle \end{aligned}$$

where D_1 = {★ ≜_{x_2} t} ∪ D_0 and θ_1 = θ_0{y ↦ f(x_1, x_2)}. By the IH, all the AUTs in {ε_f ≜_{x_1} s} ∪ A′ are generalized by the substitution θ_{n+1}; thus, x_1θ_{n+1} ∈ G_Abs(ε_f, s). Furthermore, since x_2 ∈ labels(D_1), we have x_2θ_{n+1} = x_2 and x_2 ⪯_Abs t. We can build the generalization yθ_{n+1} = f(x_1θ_{n+1}, x_2θ_{n+1}). Observe that f(x_1θ_{n+1}, x_2θ_{n+1}) = f(x_1θ_{n+1}, x_2) ∈ G_Abs(f(ε_f, t), f(s, t)), and since f(ε_f, t) ≈_Abs ε_f, we get that yθ_{n+1} belongs to G_Abs(ε_f, f(s, t)).

4. The analysis of other one-side expansion rules is analogous to the previous one.

5. **(ExpBA1)**. Assume that the derivation is of the form:

$$\begin{aligned} \langle \{ \varepsilon_f \triangleq_y \varepsilon_f \} \cup A'; S_0; D_0; \theta_0 \rangle & \stackrel{\textit{ExpBA1}}{\Longrightarrow} \\ \langle A'; S_1; D_1; \theta_1 \rangle & \Longrightarrow^n \langle \emptyset; S_{n+1}; D_{n+1}; \theta_{n+1} \rangle \end{aligned}$$

where D_1 = {ε_f ≜_{x_1} ★, ★ ≜_{x_2} ε_f} ∪ D_0 and θ_1 = θ_0{y ↦ f(x_1, x_2)}. Notice that x_iθ_{n+1} = x_i and x_i ⪯_Abs ε_f for i ∈ {1, 2}. This implies that yθ_{n+1} = f(x_1θ_{n+1}, x_2θ_{n+1}) = f(x_1, x_2) ∈ G_Abs(ε_f, ε_f). The case **(ExpBA2)** is analogous.

6. **(Mer)** Assume that the derivation is of the form:

$$\begin{aligned} \langle \emptyset; \{ s \triangleq_y t,\ s \triangleq_z t \} \cup S'; D_0; \theta_0 \rangle \stackrel{\textit{Mer}}{\Longrightarrow} \\ \langle \emptyset; \{ s \triangleq_z t \} \cup S'; D_1; \theta_1 \rangle \Longrightarrow^n \langle \emptyset; S_{n+1}; D_{n+1}; \theta_{n+1} \rangle. \end{aligned}$$

Notice that θ_1 = θ_0{y ↦ z}, where z is the label of the AUT s ≜_z t ∈ S_0. By the IH, zθ_{n+1} ∈ G_Abs(s, t), implying that yθ_{n+1} = y{y ↦ z}θ_{n+1} ∈ G_Abs(s, t).

While the soundness theorem covers the construction of generalizations of AUTs present in a given configuration, it does not consider the abstraction set or the construction of more specific generalizations when generalizing over an absorption theory. The abstraction set allows us to consider generalizations between a given term and an arbitrary term.

**Lemma 2.** *Let* ⟨A_0; S_0; D_0; θ_0⟩ ⟹* ⟨∅; S_n; D_n; θ_n⟩ *be a derivation. Then for all* ★ ≜_u t ∈ D_n *(resp. for all* s ≜_u ★ ∈ D_n*) and* τ ∈ Ψ(D_n, S_n)*, there exists a term* r *such that* uτ ∈ G_Abs(r, t) *(resp.* uτ ∈ G_Abs(r, s)*).*

*Proof.* Let η be a ground substitution with dom(η) = var(uτ). Then r = uτη.

Intuitively, Lemma 2 formalizes the following observation: if ★ ≜_u t ∈ D_n, then uτ ∈ ↑_u(D_n, S_n) means uτ ∈ ↑(t, {x ↦ r′ | l ≜_x r′ ∈ S_n for some l}). From this, we can deduce that uτ ⪯_Abs t. Thus, for every AUT in the set D_n, the wild card can be interpreted as a term r with uτ ⪯_Abs r. We can now prove the following:

**Theorem 3.** *Let* ⟨A_0; S_0; D_0; θ_0⟩ ⟹* ⟨∅; S_n; D_n; θ_n⟩ *be a derivation to a final configuration and* s ≜_x t ∈ A_0 ∪ S_0*. Then for all* τ ∈ Ψ(D_n, S_n)*,* xθ_nτ ∈ G_Abs(s, t)*.*

*Proof.* From Theorem 2, xθ_n ∈ G_Abs(s, t). Furthermore, every u ∈ labels(D_n) is unique, occurs only once in xθ_n, and satisfies uθ_nτ = uτ. Considering these facts together with Lemma 2 and u being an Abs-generalization of the respective subterms of s and t, we deduce that xθ_nτ ∈ G_Abs(s, t).

**Theorem 4 (Completeness).** *Let* r ∈ G_Abs(t_1, t_2)*. Then for all configurations* ⟨A; S; D; θ⟩ *such that* t_1 ≜_x t_2 ∈ A *there exist a final configuration* ⟨∅; S′; D′; θ′⟩ ∈ AUnif(⟨A; S; D; θ⟩) *and* τ ∈ Ψ(D′, S′) *such that* r ⪯_Abs xθ′τ*.*

*Proof.* The proof is by structural induction over r.

#### **Basecase**

	- (a) If head(t_1) = head(t_2), then from ⟨A; S; D; θ⟩ such that t_1 ≜_x t_2 ∈ A, we can reach ⟨A′; S; D; θ′⟩ by decomposition, so that head(xθ′) = head(t_1) = head(t_2). Thus, for any final configuration ⟨∅; S; D; θ⟩ ∈ AUnif(⟨A′; S; D; θ′⟩), r ⪯_Abs xθ, as θ can only be more specific than θ′.
	- (b) If head(t_1) = head(t_2) are absorption constants, w.l.o.g. t_1 = ε_f, then from ⟨A; S; D; θ⟩ such that t_1 ≜_x t_2 ∈ A, we can reach ⟨A′; S; D; θ′⟩ by (ExpBA1), so that head(xθ′) = f. Thus, for any final configuration ⟨∅; S; D; θ⟩ ∈ AUnif(⟨A′; S; D; θ′⟩), r ⪯_Abs xθ, as θ can only be more specific than θ′.
	- (c) W.l.o.g., if t_1 = ε_f and t_2 = f(s_1, s_2), then from ⟨A; S; D; θ⟩ such that t_1 ≜_x t_2 ∈ A, we can reach ⟨A′; S′; D′; θ′⟩ using *ExpLA1*, such that head(xθ′) = head(t_2). Thus, for any final configuration ⟨∅; S; D; θ⟩ ∈ AUnif(⟨A′; S′; D′; θ′⟩), r ⪯_Abs xθ, as θ is more specific than θ′.
	- (d) Otherwise, if head(t_1) ≠ head(t_2), then from ⟨A; S; D; θ⟩ with t_1 ≜_x t_2 ∈ A, we reach ⟨A′; S′; D; θ⟩ using *Sol*, where t_1 ≜_x t_2 ∈ S′. Thus, for any final configuration ⟨∅; S; D; θ⟩ ∈ AUnif(⟨A′; S′; D; θ⟩), we get r ≈_Abs xθ. In all four cases r ⪯_Abs xθ, and by Theorem 3 we get r ⪯_Abs xθτ.

#### **Stepcase**

1. r = g(r_1, …, r_n). Let t′_i ≜_{y_i} t″_i (1 ≤ i ≤ n) be the AUTs obtained from t_1 ≜_x t_2 by decomposition. For each variable z occurring in r, one of the following two cases applies:

	- (i) There does not exist a position p ∈ pos(t_1) ∩ pos(t_2) such that s* ≜_z t*, where s* = t_1|_p and t* = t_2|_p. In other words, z generalizes terms which are absorbed during Abs-normalization of rσ and rρ, where rσ ≈_Abs t_1 and rρ ≈_Abs t_2; this implies that replacing occurrences of z by ε_f (for the appropriate absorption symbol f) within r results in a more specific generalization r′. For the remainder of this proof, we consider r to be the generalization resulting from replacing all such variables in r by the appropriate absorption constant ε_f.
	- (ii) There exists a position p ∈ pos(t_1) ∩ pos(t_2) such that s* ≜_z t*, where s* = t_1|_p and t* = t_2|_p. Notice that z is structurally smaller than r and thus, by the IH, there exists a final configuration ⟨∅; S*; D*; θ*⟩ ∈ AUnif(⟨{s* ≜_z t*}; ∅; ∅; ι⟩) and τ* ∈ Ψ(D*, S*) such that z ⪯_Abs zθ*τ*. We will use θ*τ* to guarantee that variables occurring in multiple r_i, for 1 ≤ i ≤ n, are replaced by the same term in the generalizations resulting from the IH.

By the induction hypothesis, there exists a final configuration ⟨∅; S; D; θ⟩ ∈ AUnif(⟨A′; S′; D′; θ′⟩) and τ_i ∈ Ψ(D, S) such that r_i ⪯_Abs y_iθτ_i, where 1 ≤ i ≤ n. Note that we can choose the same configuration ⟨∅; S; D; θ⟩ for all AUTs t′_i ≜_{y_i} t″_i, as the procedure produces all combinations of solutions to the subproblems. Furthermore, we can choose ⟨∅; S; D; θ⟩ such that S* ⊆ S and D* ⊆ D modulo label renaming, as s* and t* are subterms of t_1 and t_2, respectively, modulo absorption symbol introduction. Now, we define γ_i as the substitution such that r_iγ_i ≈_Abs y_iθτ_i. By the above construction, we can safely assume, for all z ∈ var(r_1) ∩ var(r_2) such that z has not been replaced by an absorption constant, that zγ_i ≈_Abs zθ*τ*, as there exist AUTs corresponding to S* and D* in S and D, respectively.

Now let $\mu$ be a substitution and $r'_i$ ($1 \le i \le n$) be terms such that for all $1 \le i \le n$, $r_i = r'_i\mu$ and $g(r'_1, \dots, r'_n) \preceq_{\mathsf{Abs}} g(y_1\theta, \dots, y_n\theta)$. If $\mu$ is the identity substitution, then we are done. Otherwise, we can use $\mu$ to construct a $\tau \in \Psi(D, S)$. Additionally, we need to consider the $\tau_i \in \Psi(D, S)$ derived above for each $r_i$, where $1 \le i \le n$, and the corresponding substitutions $\gamma_i$. Thus, $r'_i\mu \preceq_{\mathsf{Abs}} y_i\theta\tau_i$ and $r'_i\mu\gamma_i \mathrel{-_{\mathsf{Abs}}} y_i\theta\tau_i$.

Now let $\mu^1_i$ and $\mu^2_i$ be substitutions such that $\mu\gamma_i = (\mu^1_i\mu^2_i)|_{\mathit{dom}(\mu\gamma_i)}$ and $r'_i\mu^1_i \mathrel{-_{\mathsf{Abs}}} y_i\theta$. This is possible given the assumption that $g(r'_1, \dots, r'_n) \preceq_{\mathsf{Abs}} g(y_1\theta, \dots, y_n\theta)$. Note that $r'_i\mu^1_i \mathrel{-_{\mathsf{Abs}}} y_i\theta$ implies that for every $x \in \mathit{dom}(\mu^2_i)$ there exists a $z \in \mathit{dom}(\tau_i)$ such that $z\tau_i \mathrel{-_{\mathsf{Abs}}} x\mu^2_i$.

We now construct $\tau \in \Psi(D, S)$ using the $\mu^2_i$, that is, for all $1 \le j \le n$ and $x \in \mathit{dom}(\mu^2_j)$ there exists a $z \in \mathit{dom}(\tau)$ such that $z\tau \mathrel{-_{\mathsf{Abs}}} x\mu^2_j$. It now follows that $r_i \preceq_{\mathsf{Abs}} y_i\theta\tau$ holds for all $1 \le i \le n$, and thus we have shown that $g(r_1, \dots, r_n) \preceq_{\mathsf{Abs}} g(y_1, \dots, y_n)\theta\tau$.

2. $r = f(r_1, r_2)$, where $f$ is an absorption symbol and, w.l.o.g., $t_1 = \varepsilon_f$ and $t_2 = f(s_1, s_2)$. Then from $A; S; D; \theta$ we can derive a configuration $A'; S'; D'; \theta'$ using the *ExpLA1* rule such that $\triangleq_{y_2} s_2 \in D'$ and $\varepsilon_f \triangleq_{y_1} s_1 \in A'$. Now let $\emptyset; S; D; \theta \in \mathrm{AUnif}(A'; S'; D'; \theta')$ be a final configuration.

By the induction hypothesis we know that $r_1 \preceq_{\mathsf{Abs}} y_1\theta\tau_1$ for some $\tau_1 \in \Psi(S, D)$. Let $\mu'$ be a substitution such that $r_1\mu' \mathrel{-_{\mathsf{Abs}}} y_1\theta\tau_1$ and $R_2 \subseteq \mathit{var}(r)$ such that $R_2 \cap \mathit{var}(r_1) = \emptyset$. Using $R_2$ we define a bijective renaming $\nu$ such that for all $z \in R_2$, $z\nu \notin \mathit{var}(r_1\mu') \cup \mathit{var}(r_1)$.

We will now consider the term $r\nu\mu' = f(r_1\mu', r_2\nu\mu')$. Note that for all variables $z \in \mathit{var}(r_1) \cap \mathit{var}(r_2\nu)$, it must be the case that $z\mu' \preceq_{\mathsf{Abs}} z\mu^*$ where $r_1\mu^* \mathrel{-_{\mathsf{Abs}}} s_1$ and $r_2\mu^* \mathrel{-_{\mathsf{Abs}}} s_2$. Thus, observe that $r_2\nu\mu' \preceq_{\mathsf{Abs}} s_2$.

Now let $\gamma'$ be a substitution such that $\mathit{dom}(\gamma') = \mathit{var}(r_2\nu\mu')$, $r_2\nu\mu'\gamma' \mathrel{-_{\mathsf{Abs}}} s_2$, and $r_1\mu'\gamma' \mathrel{-_{\mathsf{Abs}}} s_1$. Now consider $R'_2 = \{z \mid z \in \mathit{dom}(\gamma') \wedge z \notin \mathit{var}(r_1\mu')\}$ and $\nu' = \{z \mapsto l \mid z \in R'_2 \wedge z\gamma' = l\}$. Note that $r_2\nu\mu'\nu' \preceq_{\mathsf{Abs}} s_2$ and there exists $t^* \in \uparrow_{y_2}(D, S)$ such that $r_2\nu\mu'\nu' \mathrel{-_{\mathsf{Abs}}} t^*$ by the definition of the *abstraction set*. For terms in $\uparrow_{y_2}(D, S)$ we know how to build a $\tau_2 \in \Psi(D, S)$.

Now let $\mu'_1$ and $\mu'_2$ be substitutions such that $r_1\mu' \mathrel{-_{\mathsf{Abs}}} r'_1\mu'_1\mu'_2$ and for all $z \in \mathit{dom}(\mu'_2)$ there exists $y \in \mathit{dom}(\tau_1)$ such that $z\mu'_2 \mathrel{-_{\mathsf{Abs}}} y\tau_1$. Notice we can apply the same rewriting to $r_2\nu\mu'\nu'$, that is, $r'_2\mu'_1\mu'_2 \mathrel{-_{\mathsf{Abs}}} r_2\nu\mu'\nu'$. We are free to choose $\mathit{dom}(\nu')$ such that it does not compose with the range of $\mu'$. Thus for variables $z \in \mathit{var}(r'_1\mu'_1) \cap \mathit{var}(r'_2\mu'_1)$ such that $z \in \mathit{dom}(\mu'_2)$, there exists $y \in \mathit{dom}(\tau_2)$ such that $z\mu'_2 \mathrel{-_{\mathsf{Abs}}} y\tau_2$ and $z\mu'_2 \mathrel{-_{\mathsf{Abs}}} y\tau_1$. We can safely assume that $\mathit{dom}(\tau_2) \cap \mathit{var}(\mathit{ran}(\tau_1)) = \emptyset$, thus we can choose $\tau \in \Psi(D, S)$ such that $\tau = \tau_1\tau_2$ as the required substitution; so, $r \preceq_{\mathsf{Abs}} f(y_1, y_2)\theta\tau$.

3. $r = f(r_1, r_2)$, where $f$ is an absorption symbol and $t_1 = \varepsilon_f$ and $t_2 = \varepsilon_f$. Then from $A; S; D; \theta$ we can derive a configuration $A'; S'; D'; \theta'$ using, w.l.o.g., the *ExpBA1* rule such that $\varepsilon_f \triangleq_{y_1},\ \triangleq_{y_2} \varepsilon_f \in D'$. Now let $\emptyset; S; D; \theta \in \mathrm{AUnif}(A'; S'; D'; \theta')$ be a final configuration. Because $y_1, y_2 \in \mathit{labels}(D')$, $y_1\theta = y_1$ and $y_2\theta = y_2$. Thus, there exist $t_1 \in \uparrow_{y_1}(D, S)$, $t_2 \in \uparrow_{y_2}(D, S)$, a renaming $\nu$, and $\tau \in \Psi(D, S)$ such that $r_1\nu \mathrel{-_{\mathsf{Abs}}} y_1\tau$ and $r_2\nu \mathrel{-_{\mathsf{Abs}}} y_2\tau$; this follows from the abstraction set containing all terms Abs-equivalent to $\varepsilon_f$ under the substitution derived from $S$. The substitution $\nu$ is required to rename variables in $r$ by the appropriate variables in $\mathit{labels}(S)$.

Given the complexity of the construction used in this theorem, the extended version contains examples that illustrate it [4]. We also show there that completeness would not hold if the Merge rule were applied to T.

# **5 Anti-unification Type, Complexity**

Here we show that the complete set of generalizations produced by AUnif is minimal. Merging the set of final configurations and then showing that constructible generalizations are incomparable play an important role in the proof.

**Definition 9 (Merged configurations).** *Let* $s$ *and* $t$ *be terms. We refer to* $\mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \iota)$ *as* merged *if for all* $\emptyset; S_0; D_0; \theta_0,\ \emptyset; S_1; D_1; \theta_1 \in \mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \iota)$ *and* $s' \triangleq_{y_1} t' \in S_0$*,* $s' \triangleq_{y_2} t' \in S_1$ *iff* $y_1 = y_2$*.*

A merged set of final configurations can be obtained by an appropriate renaming of the store labels and applying this renaming to the final substitutions.

**Lemma 3.** *Let* $s$ *and* $t$ *be terms and* $\emptyset; S; D; \theta \in \mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \iota)$*. Then for all* $s' \triangleq_y t' \in S$ *and any non-variable term* $r$*,* $x\theta\{y \mapsto r\} \notin \mathcal{G}_{\mathsf{Abs}}(s, t)$*.*

*Proof.* Given that $s' \triangleq_y t' \in S$, we know that $\mathit{head}(s') \neq \mathit{head}(t')$ and that $\mathit{head}(s')$ and $\mathit{head}(t')$ are not related absorption symbols. In $x\theta\{y \mapsto r\}$, the non-variable term $r$ replaces $y$, which was a generalization of $s'$ and $t'$, but by this replacement $\mathit{head}(r)$ will clash with $\mathit{head}(s')$, $\mathit{head}(t')$, or both. Hence, it cannot be a generalization of $s'$ and $t'$, which implies $x\theta\{y \mapsto r\} \notin \mathcal{G}_{\mathsf{Abs}}(s, t)$.

**Definition 10.** *Let* $s$ *and* $t$ *be terms and* $\mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \iota)$ *merged. We define the set* $\mathcal{C}_{\mathrm{AUnif}}(s, t)$ *as* $\mathcal{C}_{\mathrm{AUnif}}(s, t) = \{x\theta\tau \mid \emptyset; S; D; \theta \in \mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \iota) \wedge \tau \in \Psi(D, S)\}$.

**Lemma 4.** *For any* $s, t$*,* $\mathcal{C}_{\mathrm{AUnif}}(s, t)$ *is their complete set of* Abs*-generalizations.*

*Proof.* The lemma follows from the completeness of AUnif (Theorem 4). 

**Lemma 5.** *For all terms* $s, t$*, and* $r_0, r_1 \in \mathcal{C}_{\mathrm{AUnif}}(s, t)$*, if* $r_0 \neq r_1$ *then neither* $r_0 \preceq_{\mathsf{Abs}} r_1$ *nor* $r_1 \preceq_{\mathsf{Abs}} r_0$ *holds.*

*Proof.* By Corollary 1, $\mathit{var}(r_0) \subseteq \mathit{labels}(S_0)$ and $\mathit{var}(r_1) \subseteq \mathit{labels}(S_1)$ for some final configurations $\emptyset; S_0; D_0; \theta_0,\ \emptyset; S_1; D_1; \theta_1 \in \mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \iota)$, as $r_0$ and $r_1$ are derived via the composition of the anti-unifiers of the associated final configurations with an abstraction substitution. By Lemma 3, w.l.o.g., for $x \in \mathit{labels}(S_0)$ we have $r_0\{x \mapsto r\} \notin \mathcal{G}_{\mathsf{Abs}}(s, t)$ when $r$ is not a variable. If $r$ is a variable and $r \in \mathit{labels}(S_0) \cup \mathit{labels}(S_1)$, then $r_0\{x \mapsto r\} \notin \mathcal{G}_{\mathsf{Abs}}(s, t)$ because labels in $\mathit{labels}(S_0) \cup \mathit{labels}(S_1)$ are assigned to unique AUTs (due to merging of AUnif) and thus $x$ and $r$ generalize different terms. Thus, $r \notin \mathit{labels}(S_0) \cup \mathit{labels}(S_1)$, implying that neither $r_0 \preceq_{\mathsf{Abs}} r_1$ nor $r_1 \preceq_{\mathsf{Abs}} r_0$ holds.

**Theorem 5.** *For all terms* $s, t$*,* $\mathcal{C}_{\mathrm{AUnif}}(s, t)$ *is actually* $\mathit{mcsg}_{\mathsf{Abs}}(s, t)$*.*

*Proof.* Lemma 4 shows completeness. Minimality follows from Lemma 5. 

**Corollary 2.** *Anti-unification modulo* Abs *theories is of type infinitary.*

*Proof.* By Theorem 5, the set of Abs-generalizations computed in Example 5 is an *mcsg*, which is infinite since **Configuration 1** produces infinitely many.

Theorem 5 shows a contrast with idempotent anti-unification [17], another infinitary anti-unification problem, where the algorithm produces a finitely representable complete set of generalizations that must be further minimized to obtain an *mcsg*. In our case, AUnif directly gives a finitely represented *mcsg*.

Finally, we briefly comment on the complexity of AUnif in terms of the number of final configurations produced.

**Definition 11 (Absorption positions).** *An* absorption position *of terms* $s$ *and* $t$ *is a position* $p \in \mathit{pos}(s) \cap \mathit{pos}(t)$ *such that* $\{\varepsilon_f, f\} = \{\mathit{head}(s|_p), \mathit{head}(t|_p)\}$ *for some* $f \in \mathsf{Abs}_f$*, and* $\mathit{head}(s|_q) = \mathit{head}(t|_q)$ *for all* $q \sqsubset p$*. The set of absorption positions of* $s$ *and* $t$ *is denoted as* $\mathit{ap}(s, t)$*.*

Absorption positions are disjoint from each other. If $s \triangleq_x t$ is an initial AUT and $p \in \mathit{ap}(s, t)$, after finitely many steps the AUnif algorithm will generate an AUT $s|_p \triangleq_x t|_p$, that is, an AUT whose side heads form an absorption pair. To each such AUT two inference rules from AUnif are applicable, i.e., this is a branching point in the algorithm. No other pair of joint positions causes branching. Hence, $\mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \iota)$ contains more than one final configuration iff $\mathit{ap}(s, t) \neq \emptyset$. Each absorption position may lead to at most $\max\{\mathit{size}(s), \mathit{size}(t)\}$ branches due to nested $f$'s below absorption positions (as, e.g., in $\varepsilon_f \triangleq_x f(f(a, b), c)$); they resurface after applying the expansion rules and create new AUTs between terms whose heads are absorption pairs ($\varepsilon_f$ and $f$). This implies the following:

**Theorem 6.** *Let* $s$ *and* $t$ *be terms and* $n$ *be the cardinality of* $\mathit{ap}(s, t)$*. Then the cardinality of* $\mathrm{AUnif}(\{s \triangleq_x t\}; \emptyset; \emptyset; \theta)$ *is bounded by* $\max\{\mathit{size}(s), \mathit{size}(t)\}^n$*.*

If we fix the number of absorbing positions in the input terms, the set of final configurations has a polynomial size. Moreover, note that computing one final configuration requires a linear number of steps since each rule eliminates at least one pair of symbols from the set of AUTs to be transformed.
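As an added illustration, not taken from the paper, the following Python computes $\mathit{ap}(s, t)$ exactly as Definition 11 prescribes, checks the remark that absorption positions are pairwise disjoint, and evaluates the bound of Theorem 6; the tuple term encoding, the `absorption` map naming each absorption constant, and the sample terms are constructed for this example.

```python
# Added example: absorption positions (Definition 11) and the Theorem 6 bound.
# Term encoding (constructed for this example, not the paper's): a variable or
# constant is a str; f(t1, ..., tn) is the tuple ('f', t1, ..., tn).
# Positions are tuples of argument indices; the root position is ().
from typing import Dict, Set, Tuple, Union

Term = Union[str, tuple]
Pos = Tuple[int, ...]


def head(t: Term) -> str:
    return t if isinstance(t, str) else t[0]


def size(t: Term) -> int:
    """Number of symbol occurrences in t."""
    return 1 if isinstance(t, str) else 1 + sum(size(a) for a in t[1:])


def absorption_positions(s: Term, t: Term, absorption: Dict[str, str]) -> Set[Pos]:
    """ap(s, t): joint positions p whose heads form an absorption pair {eps_f, f}
    while all heads strictly above p coincide. `absorption` maps each absorption
    symbol f to the name of its absorption constant eps_f."""
    pairs = {frozenset((f, eps)) for f, eps in absorption.items()}
    found: Set[Pos] = set()

    def walk(a: Term, b: Term, p: Pos) -> None:
        ha, hb = head(a), head(b)
        if frozenset((ha, hb)) in pairs:
            found.add(p)          # absorption pair at p: record it, do not descend
            return
        if ha != hb:
            return                # head clash above any deeper pair: not admissible
        if isinstance(a, str) or isinstance(b, str):
            return                # equal constants: no joint positions below
        for i, (a_i, b_i) in enumerate(zip(a[1:], b[1:])):
            walk(a_i, b_i, p + (i,))

    walk(s, t, ())
    return found


def pairwise_disjoint(ps: Set[Pos]) -> bool:
    """Check the remark that no absorption position lies below another."""
    return not any(p != q and q[:len(p)] == p for p in ps for q in ps)


def branch_bound(s: Term, t: Term, absorption: Dict[str, str]) -> int:
    """Theorem 6: |AUnif({s ≜x t}; ∅; ∅; θ)| ≤ max{size(s), size(t)}^|ap(s, t)|."""
    n = len(absorption_positions(s, t, absorption))
    return max(size(s), size(t)) ** n


if __name__ == "__main__":
    ABS = {"f": "eps_f"}                       # f is an absorption symbol with constant eps_f
    s = ("g", "eps_f", ("f", "x", "eps_f"))    # constructed sample terms
    t = ("g", ("f", "a", "b"), ("f", "y", ("f", "c", "d")))
    ap = absorption_positions(s, t, ABS)
    print("ap(s, t) =", sorted(ap))            # [(0,), (1, 1)]
    print("disjoint:", pairwise_disjoint(ap))  # True
    print("bound on final configurations:", branch_bound(s, t, ABS))  # 9 ** 2 = 81
```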

# **6 Conclusion**

We introduced a rule-based algorithm that computes generalizations for problems modulo absorption symbols and proved its soundness and completeness. Furthermore, the algorithm finitely computes a finite set of final configurations from which we can extract a minimal complete set of generalizations. This set can be infinite, implying that Abs-anti-unification is of type infinitary.

In contrast to other grammar-based approaches, our algorithm is generalizable to similar subterm-collapsing theories, which would allow a finite representation of the minimal complete set of generalizations. Therefore, studying extensions of our method for such theories would be a natural next step.

For future work, we will consider how to combine our algorithm with algorithms for computing generalizations in other equational theories, similar to [3]. It would also be interesting to see how generalization techniques in such (combined) theories can be used in practice as part of methods for software analysis.

**Acknowledgements.** This work was supported by the Czech Science Foundation Grant 22-06414L; the Austrian Science Fund (FWF) project P 35530; Cost Action CA20111 EuroProofNet; the Brazilian agency CNPq, Grant Universal 409003/21-2, and RG 313290/21-0; the Brazilian Federal District Research Foundation FAPDF, Grant DE 00193-00001175/2021-11; and the Georgian Rustaveli National Science Foundation, project FR-21-16725. The Brazilian Higher Education Council (CAPES) supported the Brazilian-Austrian cooperation through the program PrInt.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# The Benefits of Diligence

Victor Arrial<sup>1</sup>, Giulio Guerrieri<sup>2</sup>, and Delia Kesner<sup>1</sup>

<sup>1</sup> Université Paris Cité, CNRS, IRIF, Paris, France, {arrial,kesner}@irif.fr
<sup>2</sup> Department of Informatics, University of Sussex, Brighton, UK, g.guerrieri@sussex.ac.uk

Abstract. This paper studies the strength of embedding Call-by-Name (dCBN) and Call-by-Value (dCBV) into a unifying framework called the Bang Calculus (dBANG). These embeddings enable establishing (static and dynamic) properties of dCBN and dCBV through their respective counterparts in dBANG. While some specific static properties have been already successfully studied in the literature, the dynamic ones are more challenging and have been left unexplored. We accomplish that by using a standard embedding for the (easy) dCBN case, while a novel one must be introduced for the (difficult) dCBV case. Moreover, a key point of our approach is the identification of dBANG diligent reduction sequences, which eases the preservation of dynamic properties from dBANG to dCBN/dCBV. We illustrate our methodology through two concrete applications: confluence/factorization for both dCBN and dCBV are respectively derived from confluence/factorization for dBANG.

# 1 Introduction

Call-by-Name (CBN) and Call-by-Value (CBV) stand as two foundational evaluation strategies inspiring distinct techniques and models of computation in the theory of programming languages and proof assistants [46]. Notably, most theoretical studies in the λ-calculus still continue to focus on its CBN variant, while CBV, the cornerstone of operational semantics for most programming languages and proof assistants, has been less extensively explored. This is due in particular to the CBV stipulation that an argument can be passed to a function only when it is a *value* (*i.e.* a variable or an abstraction), making the reasoning notably challenging to grasp. Consequently, some fundamental concepts in the theory of the λ-calculus (e.g. denotational semantics, contextual equivalence, solvability, Böhm trees) make subtle, and not entirely understood, distinctions between CBN and CBV, sometimes resulting in completely ad-hoc scenarios for CBV that are not uniform with the corresponding notion in CBN. This is for example the case of CBV Böhm trees [33] or the notion of substitution in [23].

*Unifying Frameworks.* Reynolds [47] (quoted by Levy [37]) advocated for a unifying framework for CBN and CBV. This not only minimizes their arbitrariness, but also avoids developing and proving distinct and independent concepts and properties for them from scratch. Indeed, both paradigms can be encompassed into broader foundational frameworks [1,16,17,21,24,37,38,40,49] that explicitly differentiate values by marking them with a distinguished constructor. While multiple such frameworks exist, our focus lies on the Bang Calculus [18,22,30]. Inspired by Girard's Linear Logic (LL) [28] and Ehrhard's interpretation [21] of Levy's Call-by-Push-Value [37] into LL, the Bang Calculus is obtained by enriching the λ-calculus with two distinguished modalities ! and der. The modality ! plays a twofold role: it marks what can be duplicated or erased during evaluation (*i.e.* copied an arbitrary number of times, including zero), and it freezes the evaluation of subterms (called *thunks*). The modality der annihilates the effect of !. Embedding CBN or CBV into the Bang Calculus just consists in decorating λ-terms with ! and der, thus forcing one model of computation or the other one. Thanks to these two modalities, the Bang Calculus eases the identification of shared behaviors and properties of CBN and CBV, encompassing both syntactic and semantic aspects of them, within a unifying and simple framework.

*Adequate Models of Computation.* Both CBN and CBV were originally defined on *closed* terms (without occurrences of free variables), that are enough to model execution of programs. However, evaluation in proof assistants must be performed on possibly *open* terms, that is, with free variables. While open terms are harmless to CBN, the theory of the CBV λ-calculus on open terms turns out to be much more subtle and trickier (see [6–8] for a detailed discussion). In particular, Plotkin's original CBV [46] is not *adequate* for open terms, as there exist terms that may be both *irreducible* and *meaningless/unsolvable*. The non-adequacy problem in Plotkin's CBV calculus can be repaired by introducing a form of sharing implemented by *explicit substitutions (ES)*, together with a notion of *reduction at a distance* [9,10], like in the Value Substitution Calculus [11] (here called dCBV), a CBV variant of Accattoli and Kesner's linear substitution calculus [2,3] (generalizing in turn Milner's calculus [35,41]). Adequacy also fails for the version of the Bang Calculus studied in [25,30], for the same reasons as in CBV. It can be repaired again via ES and distance, resulting in the Distant Bang Calculus dBANG [18,19]. It is then natural to also integrate ES and distance in the CBN specification: this gives rise to CBN substitution calculi at a distance [9,10], here we call dCBN the one in [2], which is adequate as the usual CBN. In summary, we focus in this paper on a CBN calculus dCBN, an adequate CBV calculus dCBV, and the adequate unifying Distant Bang Calculus dBANG.

*Static and Dynamic.* The literature has shown that some *static* properties of CBN and CBV, including normal forms [36], quantitative typing [18], tight typing [19,36], inhabitation [12], and denotational semantics [30], can be inferred from their corresponding counterparts in the (Distant) Bang Calculus by exploiting suitable CBN and CBV encodings. However, retrieving *dynamic* properties from the Bang Calculus into CBN or CBV turns out to be a more intricate task, especially in their *adequate* (distant) variant [18,19,25,30]. Indeed, it is easy to obtain *simulation* (a CBN or CBV reduction sequence is always embedded into a dBANG reduction sequence), *but* the converse, known as *reverse simulation*, fails: a dBANG reduction sequence from a term in the image of the CBN or CBV embedding may not correspond to a valid reduction sequence in CBN or CBV (counterexample in Fig. 1). To date, there are no embeddings in the literature enjoying reverse simulation for an adequate CBV calculus, so that it is impossible to export dynamic properties from dBANG to both dCBN and dCBV.

*Contributions.* We first revisit and *extend* the existing static and dynamic preservation results relating dCBN and dBANG, including simulation and reverse simulation, exploiting the embedding used in [18,19]. However, our primary and most significant contribution is a new *methodology* to deal with the (adequate) calculus dCBV. Indeed, we define a *novel embedding* from dCBV into dBANG, *refining* the one of [18,19], that finely decorates terms with the modalities ! and der. To avoid redundant decorations, as ! and der annihilate each other, a dedicated d! reduction step is then applied *on the fly* by the embedding, as in [18,19]. But our new dCBV embedding not only preserves static and dynamic properties, but also satisfies *reverse simulation*, an essential property that was previously lacking. This achievement is realized by the second ingredient of our new methodology, given by the notion of *diligent sequence* in dBANG, a concept standing independently of the embeddings. Indeed, a challenge at this point is to prove that the earlier mentioned d!-reductions have a purely *administrative* nature, and additionally, that they can be treated *diligently*, by executing all of them as soon as possible. We call this method *diligent administration*: we consistently address all administrative steps before proceeding with any other *computational* steps. A further challenge is then to establish that working with administrative diligence does not alter the CBN or CBV nature of evaluation.

As explained above, reverse simulation is crucial to derive properties for dCBN and dCBV from their respective properties in dBANG. We provide two main illustrative *applications* of this by studying the cases of *confluence* and *factorization*. Confluence is a well-known property, and factorization is crucial to prove important results in (or via) rewriting [2,4,5,15,26,27,29,32,42,45,51,53]: we say that a reduction enjoys factorization when every reduction sequence can be rearranged so that some specific external steps (head in dCBN, weak in dCBV, surface in dBANG) are performed first. In the two last sections, we use confluence/factorization for dBANG as a basis to easily deduce confluence/factorization for dCBN and dCBV. This is done by exploiting the CBN and CBV embeddings back and forth, via reduction simulation and reverse simulation. Just one proof is enough for three confluence/factorization results: it's a three-for-one deal! The fact that dCBN and dCBV confluence/factorizations can be *easily* derived from dBANG confluence/factorization in essentially the *same* way is another achievement, attained thanks to having introduced good tools, such as diligence and the new dCBV embedding.

We actually provide a first proof of factorization for dBANG, another major contribution of this paper. Factorizations in dCBN and dCBV were already proved in [2] and [11], respectively, but their proofs are not trivial, even when applying some abstract approach [2]. Deducing from dBANG the same dCBN/dCBV factorizations as in [2,11] shows that our methodology is robust and not ad-hoc.

*Road Map.* Section 2 recalls dBANG and introduces diligence. The dCBN/dCBV calculi and their embeddings are presented in Sect. 3, together with their corresponding (static and dynamic) preservation results. Sect. 4 derives dCBN/dCBV confluence from that of dBANG. Section 5 proves a factorization result for dBANG, and deduces factorization for dCBN and dCBV by projection. Section 6 discusses future and related work and concludes. Proofs can be found in [13], the long version of this paper.

#### 1.1 Basic Notions Used All Along the Paper

An abstract rewriting system (ARS) $\mathcal{E}$ is a set $E$ with a binary relation $\to_{\mathcal{E}}$ on $E$, called reduction. We write $u \mathrel{{}_{\mathcal{E}}\!\leftarrow} t$ if $t \to_{\mathcal{E}} u$, and we denote by $\to^{+}_{\mathcal{E}}$ (resp. $\to^{*}_{\mathcal{E}}$) the transitive (resp. reflexive-transitive) closure of $\to_{\mathcal{E}}$. Given $t \in E$, $t$ is an $\mathcal{E}$-normal form ($\mathcal{E}$-NF) if there is no $u \in E$ such that $t \to_{\mathcal{E}} u$; $t$ is $\mathcal{E}$-terminating if there is no infinite $\to_{\mathcal{E}}$ reduction sequence starting at $t$. Reduction $\to_{\mathcal{E}}$ is terminating if every $t \in E$ is $\mathcal{E}$-terminating; $\to_{\mathcal{E}}$ is diamond if for any $t, u_1, u_2 \in E$ such that $u_1 \mathrel{{}_{\mathcal{E}}\!\leftarrow} t \to_{\mathcal{E}} u_2$ and $u_1 \neq u_2$, there is $s \in E$ such that $u_1 \to_{\mathcal{E}} s \mathrel{{}_{\mathcal{E}}\!\leftarrow} u_2$; $\to_{\mathcal{E}}$ is confluent if $\to^{*}_{\mathcal{E}}$ is diamond.

All reductions in this paper will be defined by a set of rewrite rules $\mathcal{R}$, closed by a set of contexts $\mathbb{E}$. A term being an instance of the left-hand side of a rewrite rule $\mathsf{R} \in \mathcal{R}$ is called an $\mathsf{R}$-redex. Given a rule $\mathsf{R} \in \mathcal{R}$ and a context $\mathsf{E} \in \mathbb{E}$, we use $\to_{\mathsf{E}\langle\mathsf{R}\rangle}$ to denote the reduction of the $\mathsf{R}$-redex under the context $\mathsf{E}$. The reduction $\to_{\mathbb{E}\langle\mathsf{R}\rangle}$ is the union of the reductions $\to_{\mathsf{E}\langle\mathsf{R}\rangle}$ over *all* contexts $\mathsf{E} \in \mathbb{E}$. In other words, $\to_{\mathbb{E}\langle\mathsf{R}\rangle}$ is the closure of the rule $\mathsf{R}$ under all the contexts in $\mathbb{E}$.

# 2 The Distant Bang Calculus dBANG

We introduce the term syntax of dBANG [18]. Given a countably infinite set <sup>X</sup> of variables x, y, z, . . . , the set Λ! of terms is defined inductively as follows:

$$\text{(Terms)}\qquad t, u, s ::= x \in \mathcal{X} \mid tu \mid \lambda x.t \mid !t \mid \mathsf{der}(t) \mid t[x \backslash u]$$

The set Λ! includes variables x, abstractions λx.t, applications tu, closures t[x\u] representing a pending explicit substitution (*ES*) [x\u] on t, bangs !t and derelictions der(t) (their operational meaning is explained below).

Abstractions λx.t and closures t[x\u] bind the variable x in their body t. The set of free variables fv(t) of a term t is defined as expected, in particular fv(λx.t) := fv(t) \ {x} and fv(t[x\u]) := fv(u)∪(fv(t) \ {x}). The usual notion of α-conversion [15] is extended to the whole set Λ!, and terms are identified up to α-conversion, *e.g.* y[y\λx.x] = z[z\λy.y]. We denote by t{x\u} the usual (capture avoiding) meta-level substitution of u for all free occurrences of x in t.

Full contexts ($\mathsf{F} \in \mathbb{F}$), surface contexts ($\mathsf{S} \in \mathbb{S}$) and list contexts ($\mathsf{L} \in \mathbb{L}$), which can be seen as terms with exactly one hole $\diamond$, are inductively defined by:

$$\begin{array}{l} \text{(Full Contexts)} \quad \mathsf{F} ::= \diamond \mid \mathsf{F}\,t \mid t\,\mathsf{F} \mid \lambda x.\mathsf{F} \mid !\mathsf{F} \mid \mathsf{der}(\mathsf{F}) \mid \mathsf{F}[x \backslash t] \mid t[x \backslash \mathsf{F}] \\ \text{(Surface Contexts)} \quad \mathsf{S} ::= \diamond \mid \mathsf{S}\,t \mid t\,\mathsf{S} \mid \lambda x.\mathsf{S} \mid \mathsf{der}(\mathsf{S}) \mid \mathsf{S}[x \backslash t] \mid t[x \backslash \mathsf{S}] \\ \text{(List Contexts)} \quad \mathsf{L} ::= \diamond \mid \mathsf{L}[x \backslash t] \end{array}$$

$\mathsf{L}$ and $\mathsf{S}$ are special cases of $\mathsf{F}$: the hole may occur everywhere in $\mathsf{F}$, while in $\mathsf{S}$ it cannot appear under a $!$. List contexts $\mathsf{L}$ are arbitrary lists of ES, used to implement reduction at a distance [9,10]. We write $\mathsf{F}\langle t\rangle$ for the term obtained by replacing the hole in $\mathsf{F}$ with the term $t$ (possibly capturing the free variables of $t$).

The following rewrite rules are the base components of our reductions.

$$\mathsf{L}\langle\lambda x.t\rangle u \longmapsto_{\mathsf{dB}} \mathsf{L}\langle t[x\backslash u] \rangle \qquad t[x\backslash \mathsf{L}\langle !u\rangle] \longmapsto_{\mathsf{s!}} \mathsf{L}\langle t\{x\backslash u\} \rangle \qquad \mathsf{der}(\mathsf{L}\langle !t\rangle) \longmapsto_{\mathsf{d!}} \mathsf{L}\langle t\rangle$$

Rule dB (resp. s!) is assumed to be capture-free, so no free variable of u (resp. t) is captured by the context L. The rule dB fires a β-redex, generating an ES. The rule s! fires an ES provided that its argument is duplicable, *i.e.* is a bang. The rule d! uses der to erase a !. In all of these rewrite rules, the reduction acts *at a distance* [9,10]: the main constructors involved in the rule can be separated by a finite—possibly empty—list L of ES. This mechanism unblocks desired computations that otherwise would be stuck, *e.g.* (λx.x)[y\w]!z →dB x[x\!z][y\w].

Reductions are defined, as specified in Sect. 1.1, by taking the set of rewrite rules $\{\mathsf{dB}, \mathsf{s!}, \mathsf{d!}\}$ and the sets of contexts $\mathbb{S}$ and $\mathbb{F}$. Surface reduction is the relation $\to_{\mathbb{S}} := \to_{\mathbb{S}\langle\mathsf{dB}\rangle} \cup \to_{\mathbb{S}\langle\mathsf{s!}\rangle} \cup \to_{\mathbb{S}\langle\mathsf{d!}\rangle}$, while full reduction is the relation $\to_{\mathbb{F}} := \to_{\mathbb{F}\langle\mathsf{dB}\rangle} \cup \to_{\mathbb{F}\langle\mathsf{s!}\rangle} \cup \to_{\mathbb{F}\langle\mathsf{d!}\rangle}$. For example, for $\mathsf{S}_1 = \diamond \in \mathbb{S}$ and $\mathsf{F}_1 = !\diamond \in \mathbb{F} \setminus \mathbb{S}$: $(\lambda x.!\mathsf{der}(!x))\,!y \to_{\mathsf{S}_1\langle\mathsf{dB}\rangle} (!\mathsf{der}(!x))[x\backslash !y] \to_{\mathsf{S}_1\langle\mathsf{s!}\rangle} !\mathsf{der}(!y) \to_{\mathsf{F}_1\langle\mathsf{d!}\rangle} !y$. The first two steps are $\to_{\mathbb{S}}$- and also $\to_{\mathbb{F}}$-steps, while the last one is a $\to_{\mathbb{F}}$-step but not a $\to_{\mathbb{S}}$-step. More generally, $\to_{\mathbb{S}} \subsetneq \to_{\mathbb{F}}$. For instance, $!(\mathsf{der}(!y))$ is an $\mathbb{S}$-NF but not an $\mathbb{F}$-NF since $!(\mathsf{der}(!y)) \to_{\mathbb{F}} !y$, while $!y$ is an $\mathbb{F}$-NF (and hence an $\mathbb{S}$-NF too).

The ! modality plays a twofold role. First, it marks the only subterms that can be substituted (*i.e.* erased or arbitrarily copied): the s!-rule fires an ES only if there is a ! in its argument (up to a list context). Second, it freezes (surface) evaluation of the term under the scope of !: surface reduction $\rightarrow_{\mathsf{S}}$ does not reduce under !. In full reduction $\rightarrow_{\mathsf{F}}$, the ! modality loses its freezing behavior.

*Diligent Administration.* While reductions →<sup>F</sup>dB and →<sup>F</sup>s! are actual *computational* steps, reduction →<sup>F</sup>d! is rather *administrative* in nature. As we use dBANG to simulate other calculi, we need to align with the *implicit nature* of these administrative steps: this can be achieved by executing them as soon as possible. We thus introduce a *diligent process* that reorders some reduction steps to ensure that administrative steps are always performed as soon as there is a d!-redex.

To begin, we formally introduce the concept of diligent administrative reduction sequence, characterizing sequences where each *computational* step (dB or s!) can be performed only *after* all *administrative* steps (d!) have been executed.

Definition 1 (Diligent Administrative Reduction). *The* diligent administrative surface *(resp.* full*) reduction* $\rightarrow_{\mathsf{Sad}}$ *(resp.* $\rightarrow_{\mathsf{Fad}}$*) is a subset of the surface (resp. full) reduction obtained by restricting* $\mathsf{dB}$*- and* $\mathsf{s}!$*-steps to* $\mathsf{S}\langle\mathsf{d}!\rangle$*-normal forms (resp.* $\mathsf{F}\langle\mathsf{d}!\rangle$*-normal forms). More precisely, it is defined as follows:*

$$\begin{split} \rightarrow_{\mathsf{Sad}} &:= \left( \rightarrow_{\mathsf{S}\langle\mathsf{dB}\rangle} \cap\ \mathsf{S}\langle\mathsf{d}!\rangle\text{-NF} \times \Lambda_{!} \right) \ \cup\ \left( \rightarrow_{\mathsf{S}\langle\mathsf{s}!\rangle} \cap\ \mathsf{S}\langle\mathsf{d}!\rangle\text{-NF} \times \Lambda_{!} \right) \ \cup\ \rightarrow_{\mathsf{S}\langle\mathsf{d}!\rangle} \\ \rightarrow_{\mathsf{Fad}} &:= \left( \rightarrow_{\mathsf{F}\langle\mathsf{dB}\rangle} \cap\ \mathsf{F}\langle\mathsf{d}!\rangle\text{-NF} \times \Lambda_{!} \right) \ \cup\ \left( \rightarrow_{\mathsf{F}\langle\mathsf{s}!\rangle} \cap\ \mathsf{F}\langle\mathsf{d}!\rangle\text{-NF} \times \Lambda_{!} \right) \ \cup\ \rightarrow_{\mathsf{F}\langle\mathsf{d}!\rangle} \end{split}$$

*Example 2.* Consider the two surface reduction sequences $\mathsf{der}(!x)[x\backslash !y] \rightarrow_{\mathsf{S}\langle\mathsf{s}!\rangle} \mathsf{der}(!y) \rightarrow_{\mathsf{S}\langle\mathsf{d}!\rangle} y$ and $\mathsf{der}(!x)[x\backslash !y] \rightarrow_{\mathsf{S}\langle\mathsf{d}!\rangle} x[x\backslash !y] \rightarrow_{\mathsf{S}\langle\mathsf{s}!\rangle} y$. The first one is not diligent administrative, as the step $\rightarrow_{\mathsf{S}\langle\mathsf{s}!\rangle}$ is performed in a term that is not a $\mathsf{S}\langle\mathsf{d}!\rangle$-NF. But the second one is diligent administrative: $\mathsf{der}(!x)[x\backslash !y] \rightarrow_{\mathsf{Sad}} x[x\backslash !y] \rightarrow_{\mathsf{Sad}} y$.

To show that every reduction sequence can be transformed into a diligent one (Lemma 3), we first observe that it is possible to perform *all* administrative steps from any term: indeed, reductions $\rightarrow_{\mathsf{F}\langle\mathsf{d}!\rangle}$ and $\rightarrow_{\mathsf{S}\langle\mathsf{d}!\rangle}$ are *terminating*, because each administrative step erases two constructors, der and !, so the term size strictly decreases.

Some reduction sequences can be made diligent, as in Example 2, but this is not the case for all reduction sequences. For instance $\mathsf{der}(!x)[x\backslash !y] \rightarrow_{\mathsf{S}} \mathsf{der}(!y)$ but $\mathsf{der}(!x)[x\backslash !y] \not\rightarrow_{\mathsf{Sad}} \mathsf{der}(!y)$. Therefore, we focus solely on reduction sequences reaching terms that are normal for d!. Under these conditions and by commuting computational steps with administrative ones, we obtain the following results:

Lemma 3 (Diligence Process). *Let* $t, u \in \Lambda_{!}$ *be terms.*

*– (Surface) If* $t \rightarrow^{*}_{\mathsf{S}} u$ *and* $u$ *is a* $\mathsf{S}\langle\mathsf{d}!\rangle$*-NF, then* $t \rightarrow^{*}_{\mathsf{Sad}} u$*.*

*– (Full) If* $t \rightarrow^{*}_{\mathsf{F}} u$ *and* $u$ *is a* $\mathsf{F}\langle\mathsf{d}!\rangle$*-NF, then* $t \rightarrow^{*}_{\mathsf{Fad}} u$*.*
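As an added example (not the paper's own code), here is a small Python rewriter for dBANG terms implementing the three rules at a distance, surface versus full one-step reduction, and the diligent strategy of Definition 1. It assumes the Barendregt convention (bound names pairwise distinct and distinct from free names) so that meta-level substitution needs no renaming, and replays Example 2 and the reduction of $(\lambda x.!\mathsf{der}(!x))\,!y$ shown above.

```python
# Added example (not the paper's own code): a small dBANG rewriter with the three
# rules at a distance, surface vs. full one-step reduction, and the diligent
# strategy of Definition 1. Assumption: bound names are pairwise distinct and
# distinct from free names, so meta-level substitution never captures.

# Terms as nested tuples: ('var', x), ('lam', x, t), ('app', t, u), ('bang', t),
# ('der', t) and ('es', t, x, u) for the explicit substitution t[x\u].

def var(x): return ('var', x)
def lam(x, t): return ('lam', x, t)
def app(t, u): return ('app', t, u)
def bang(t): return ('bang', t)
def der(t): return ('der', t)
def es(t, x, u): return ('es', t, x, u)

def show(t):
    k = t[0]
    if k == 'var': return t[1]
    if k == 'lam': return f"(λ{t[1]}.{show(t[2])})"
    if k == 'app': return f"({show(t[1])} {show(t[2])})"
    if k == 'bang': return "!" + show(t[1])
    if k == 'der': return "der" + (show(t[1]) if t[1][0] == 'app' else f"({show(t[1])})")
    return f"{show(t[1])}[{t[2]}\\{show(t[3])}]"

def split_list(t):
    """Peel a list context L off t: returns (core, subs) with t = L⟨core⟩."""
    subs = []
    while t[0] == 'es':
        subs.append((t[2], t[3]))
        t = t[1]
    return t, subs

def wrap_list(core, subs):
    """Plug core back into the list context peeled off by split_list."""
    for x, u in reversed(subs):
        core = es(core, x, u)
    return core

def subst(t, x, v):
    """Meta-level substitution t{x\v}; capture-free under the naming assumption."""
    k = t[0]
    if k == 'var': return v if t[1] == x else t
    if k == 'lam': return t if t[1] == x else lam(t[1], subst(t[2], x, v))
    if k == 'app': return app(subst(t[1], x, v), subst(t[2], x, v))
    if k == 'bang': return bang(subst(t[1], x, v))
    if k == 'der': return der(subst(t[1], x, v))
    body = t[1] if t[2] == x else subst(t[1], x, v)
    return es(body, t[2], subst(t[3], x, v))

def root_step(t, rule):
    """Fire rule dB, s! or d! at the root of t, at a distance through a list context."""
    if rule == 'dB' and t[0] == 'app':             # L⟨λx.t⟩ u -> L⟨t[x\u]⟩
        core, L = split_list(t[1])
        if core[0] == 'lam': return wrap_list(es(core[2], core[1], t[2]), L)
    if rule == 's!' and t[0] == 'es':              # t[x\L⟨!u⟩] -> L⟨t{x\u}⟩
        core, L = split_list(t[3])
        if core[0] == 'bang': return wrap_list(subst(t[1], t[2], core[1]), L)
    if rule == 'd!' and t[0] == 'der':             # der(L⟨!t⟩) -> L⟨t⟩
        core, L = split_list(t[1])
        if core[0] == 'bang': return wrap_list(core[1], L)
    return None

def step(t, rule, full):
    """Leftmost one-step reduction of t by rule in a surface context (full=False:
    never below a !) or in a full context (full=True). Returns None if no redex."""
    r = root_step(t, rule)
    if r is not None: return r
    k = t[0]
    if k == 'bang':
        if not full: return None                   # ! freezes surface evaluation
        r = step(t[1], rule, full)
        return None if r is None else bang(r)
    if k == 'lam':
        r = step(t[2], rule, full)
        return None if r is None else lam(t[1], r)
    if k == 'der':
        r = step(t[1], rule, full)
        return None if r is None else der(r)
    if k in ('app', 'es'):
        left, right = (1, 2) if k == 'app' else (1, 3)
        r = step(t[left], rule, full)
        if r is not None: return t[:left] + (r,) + t[left + 1:]
        r = step(t[right], rule, full)
        return None if r is None else t[:right] + (r,)
    return None

def diligent_sequence(t, full=False):
    """Diligent administrative reduction (Definition 1): a computational dB or s!
    step fires only when no d!-redex is left. Returns the list of (rule, term)."""
    trace = []
    while True:
        for rule in ('d!', 'dB', 's!'):
            r = step(t, rule, full)
            if r is not None:
                trace.append((rule, r)); t = r; break
        else:
            return trace

if __name__ == '__main__':
    # Example 2 of the paper: der(!x)[x\!y] ->Sad x[x\!y] ->Sad y
    for rule, u in diligent_sequence(es(der(bang(var('x'))), 'x', bang(var('y')))):
        print(rule, show(u))
```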

# 3 Call-by-Name and Call-by-Value Embeddings

In this section we present the call-by-name dCBN (Sect. 3.1) and call-by-value dCBV (Sect. 3.2) calculi, as well as their embeddings into dBANG, which preserve static properties (Corollaries 7.2 and 9.2 for dCBN, 13.2 and 14.2 for dCBV) and dynamic ones (Corollaries 7.3 and 9.3 for dCBN, 13.3 and 14.3 for dCBV).

Both dCBN [2,9,10] and dCBV [11] are specified using ES and action at a distance, as explained in Sect. 1, and they share the same term syntax. The sets Λ of terms and Υ of values are inductively defined below.

$$(\text{Terms})\quad t, u ::= v \mid t\,u \mid t[x\backslash u] \qquad\qquad (\text{Values})\quad v ::= x \mid \lambda x.t$$

Note that the syntax contains neither der nor !. The distinction between terms and values is irrelevant in dCBN but crucial in dCBV. The two calculi also share the same full contexts F and list contexts L, which can be seen as terms with exactly one hole and are inductively defined below. The differences between dCBN and dCBV are in the definitions of *surface* contexts and *rewrite rules*.

$$(\text{List Contexts})\quad \mathsf{L} ::= \diamond \mid \mathsf{L}[x\backslash t] \qquad\qquad (\text{Full Contexts})\quad \mathsf{F} ::= \diamond \mid \mathsf{F}\,t \mid t\,\mathsf{F} \mid \lambda x.\mathsf{F} \mid \mathsf{F}[x\backslash t] \mid t[x\backslash \mathsf{F}]$$

#### 3.1 The Call-by-Name Calculus dCBN and Its Embedding to dBANG

In dCBN, surface contexts $\mathsf{S}_{\mathsf{N}} \in \mathbb{S}_{\mathsf{N}}$ are defined below: the hole cannot be in the argument of an application or ES. To align the notations, in dCBN full contexts are denoted by $\mathsf{F}_{\mathsf{N}} \in \mathbb{F}_{\mathsf{N}}$ and list contexts by $\mathsf{L}_{\mathsf{N}} \in \mathbb{L}_{\mathsf{N}}$.

$$(\text{dCBN Surface Contexts})\qquad\qquad \mathsf{S}_{\mathsf{N}} ::= \diamond \mid \mathsf{S}_{\mathsf{N}}\,t \mid \lambda x.\mathsf{S}_{\mathsf{N}} \mid \mathsf{S}_{\mathsf{N}}[x\backslash t]$$

As explained in Sect. 1.1, reductions in dCBN are defined by taking the set of rewrite rules $\{\mathsf{dB}, \mathsf{s}\}$ defined below and the sets of contexts $\mathbb{S}_{\mathsf{N}}$ and $\mathbb{F}_{\mathsf{N}}$.

$$\mathsf{L}\_{\mathsf{N}}\langle\lambda x.t\rangle u \longmapsto\_{\mathsf{dB}} \mathsf{L}\_{\mathsf{N}}\langle t[x\backslash u]\rangle \qquad\qquad\qquad t[x\backslash u] \longmapsto\_{\mathsf{s}} t\{x\backslash u\}.$$

Rule dB is capture-free: no free variable of $u$ is captured by the context $\mathsf{L}_{\mathsf{N}}$. The dCBN surface reduction is the relation $\rightarrow_{\mathsf{S}_{\mathsf{N}}} := \rightarrow_{\mathsf{S}_{\mathsf{N}}\langle\mathsf{dB}\rangle} \cup \rightarrow_{\mathsf{S}_{\mathsf{N}}\langle\mathsf{s}\rangle}$, while the dCBN full reduction is the relation $\rightarrow_{\mathsf{F}_{\mathsf{N}}} := \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{dB}\rangle} \cup \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{s}\rangle}$. *E.g.*, for $\mathsf{F}_{\mathsf{N}} = \lambda z.\diamond$, $t_0 = \lambda z.((\lambda x.yxx)(zz)) \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{dB}\rangle} t_1 = \lambda z.((yxx)[x\backslash zz]) \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{s}\rangle} t_2 = \lambda z.(y(zz)(zz))$.

The dCBN surface reduction is nothing but (a non-deterministic but diamond variant of) the well-known *head* reduction.

*Embedding* dCBN *into* dBANG*.* The dCBN embedding $\cdot^{\mathfrak{n}} : \Lambda \rightarrow \Lambda_{!}$ from dCBN to dBANG, introduced in [18,19] and presented below, extends Girard's one [22] to ES.

$$x^{\mathfrak{n}} := x \qquad (\lambda x.t)^{\mathfrak{n}} := \lambda x.t^{\mathfrak{n}} \qquad (tu)^{\mathfrak{n}} := t^{\mathfrak{n}} ! u^{\mathfrak{n}} \qquad (t[x \backslash u])^{\mathfrak{n}} := t^{\mathfrak{n}} [x \backslash u^{\mathfrak{n}}].$$

As an example, $((yx)[y\backslash z])^{\mathfrak{n}} = (y\,!x)[y\backslash !z]$. Note that $\cdot^{\mathfrak{n}}$ never introduces der, hence $t^{\mathfrak{n}}$, and every term it reduces to, is always a $\mathsf{F}\langle\mathsf{d}!\rangle$-NF (this does not hold for the dCBV embedding, Sect. 3.2). In every application and ES, $\cdot^{\mathfrak{n}}$ puts a ! in front of the argument, which shows the two roles—called *duplicability* and *accessibility*—played by ! in this embedding: dCBN duplicability means that any argument can be duplicated (or erased), dCBN accessibility means that surface reduction cannot take place inside arguments. Indeed, the ! seals all subterms in argument position.

The embedding is trivially extended to dCBN contexts by setting $\diamond^{\mathfrak{n}} = \diamond$.

The static properties of this embedding have already been partially discussed in [18,19]. We will revisit and refine them (Corollaries 7, 9 and 23), but our main focus lies in the preservation of the dynamics of dCBN within dBANG. For that, we first extend the embedding to rule names, by defining $\mathsf{dB}^{\mathfrak{n}} := \mathsf{dB}$ and $\mathsf{s}^{\mathfrak{n}} := \mathsf{s}!$.

The reduction of a dCBN redex can be effectively simulated in dBANG by reducing the corresponding redex occurring at the translated location/context.

Lemma 4 (dCBN One-Step Simulation). *Let* $t, u \in \Lambda$*,* $\mathsf{F}_{\mathsf{N}} \in \mathbb{F}_{\mathsf{N}}$ *and* $\mathsf{R} \in \{\mathsf{dB}, \mathsf{s}\}$*. If* $t \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{R}\rangle} u$ *then* $t^{\mathfrak{n}} \rightarrow_{\mathsf{F}_{\mathsf{N}}^{\mathfrak{n}}\langle\mathsf{R}^{\mathfrak{n}}\rangle} u^{\mathfrak{n}}$*.*

*Example 5.* Consider the dCBN reductions $t_0 \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{dB}\rangle} t_1$ and $t_1 \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{s}\rangle} t_2$ seen above with $\mathsf{F}_{\mathsf{N}} = \lambda z.\diamond$. Since $\mathsf{F}_{\mathsf{N}}^{\mathfrak{n}} = \lambda z.\diamond$, we have $t_0^{\mathfrak{n}} = \lambda z.((\lambda x.y\,!x\,!x)\,!(z\,!z)) \rightarrow_{\mathsf{F}_{\mathsf{N}}^{\mathfrak{n}}\langle\mathsf{dB}\rangle} \lambda z.((y\,!x\,!x)[x\backslash !(z\,!z)]) = t_1^{\mathfrak{n}}$ and $t_1^{\mathfrak{n}} \rightarrow_{\mathsf{F}_{\mathsf{N}}^{\mathfrak{n}}\langle\mathsf{s}!\rangle} \lambda z.(y\,!(z\,!z)\,!(z\,!z)) = t_2^{\mathfrak{n}}$.

So, every dCBN reduction step is simulated by the corresponding dBANG reduction step, without the need for any administrative step. Simulation of dCBV (Lemma 11) is instead more involved, requiring some further administrative steps.

The following property, which effectively reverses the simulation process, extends the one holding for the original Bang Calculus (without distance) [30].

Lemma 6 (dCBN One-Step Reverse Simulation). *Let* $t \in \Lambda$*,* $u' \in \Lambda_{!}$*,* $\mathsf{F} \in \mathbb{F}$ *and* $\mathsf{R}' \in \{\mathsf{dB}, \mathsf{s}!, \mathsf{d}!\}$*.*

$$t^{\mathfrak{n}} \rightarrow_{\mathsf{F}\langle\mathsf{R}'\rangle} u' \quad \Longrightarrow \quad \left\{ \begin{array}{ll} \exists\, u \in \Lambda, & u^{\mathfrak{n}} = u' \\ \exists\, \mathsf{R} \in \{\mathsf{dB}, \mathsf{s}\}, & \mathsf{R}^{\mathfrak{n}} = \mathsf{R}' \\ \exists\, \mathsf{F}_{\mathsf{N}} \in \mathbb{F}_{\mathsf{N}}, & \mathsf{F}_{\mathsf{N}}^{\mathfrak{n}} = \mathsf{F} \end{array} \right\} \quad \text{such that } t \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{R}\rangle} u.$$

Lemma 6 states that any dBANG step from the image $t^{\mathfrak{n}}$ of a dCBN term $t$ (which is necessarily diligent, because $t^{\mathfrak{n}}$ is a $\mathsf{F}\langle\mathsf{d}!\rangle$-NF) actually simulates a dCBN step from $t$. In Example 5, $t_0^{\mathfrak{n}}$ dB-reduces in the context $\mathsf{F} = \lambda z.\diamond$ to $\lambda z.((y\,!x\,!x)[x\backslash !(z\,!z)])$, which is indeed equal to $t_1^{\mathfrak{n}}$, and $t_0 \rightarrow_{\mathsf{F}_{\mathsf{N}}\langle\mathsf{dB}\rangle} t_1$ in the context $\mathsf{F}_{\mathsf{N}} = \lambda z.\diamond$ as well, with $\mathsf{F}_{\mathsf{N}}^{\mathfrak{n}} = \mathsf{F}$. Note that Lemma 6 is vacuously true for $\mathsf{R}' = \mathsf{d}!$, since there is no term $t$ such that der occurs in $t^{\mathfrak{n}}$. Lemmas 4 and 6 have some significant consequences:

Corollary 7. *Let* t, u ∈ Λ *and* s ∈ Λ!*.*


These results deserve some comments. Point 1 states that the image of the dCBN embedding is *stable under reduction*. However, it is not stable under expansion. For instance, $\mathsf{der}(!x) \rightarrow_{\mathsf{S}} x = x^{\mathfrak{n}}$, although $\mathsf{der}(!x)$ does not belong to the embedding's image, which only contains terms without der. Point 2 guarantees the *preservation of normal forms* in both directions. Finally, Point 3 concerns the *preservation of reduction sequences*. It is worth highlighting that this is an equivalence, which makes it possible to inject reduction sequences from dCBN into dBANG and project them back from dBANG into dCBN. This is a key property allowing in particular to infer confluence and factorization for dCBN from that for dBANG.

The reader may wonder whether similar preservation results hold for surface reduction. Since it is a subreduction of full reduction, Corollary 7.1 already implies stability for surface reduction. However, it does not imply preservation of surface normal forms, and only yields back and forth simulation of surface reduction via full reduction, which is not exactly what we want: $t^{\mathfrak{n}} \rightarrow^{*}_{\mathsf{F}} u^{\mathfrak{n}}$ if $t \rightarrow^{*}_{\mathsf{S}_{\mathsf{N}}} u$, and $t \rightarrow^{*}_{\mathsf{F}_{\mathsf{N}}} u$ if $t^{\mathfrak{n}} \rightarrow^{*}_{\mathsf{S}} u^{\mathfrak{n}}$. So let us come back to analyze the situation for the *one-step* simulation and reverse simulation. Since surface contexts are special cases of full contexts, $t \rightarrow_{\mathsf{S}_{\mathsf{N}}\langle\mathsf{R}\rangle} u$ implies $t^{\mathfrak{n}} \rightarrow_{\mathsf{S}_{\mathsf{N}}^{\mathfrak{n}}\langle\mathsf{R}^{\mathfrak{n}}\rangle} u^{\mathfrak{n}}$ by Lemma 4. To prove that this simulating step is actually a surface step, we need an additional property: that dCBN surface contexts are translated into dBANG surface contexts (Lemma 8.1). A more subtle analysis will be required for surface reverse simulation: positions of dBANG surface *redexes* are always in the image of dCBN surface contexts:

#### Lemma 8.


Thanks to Lemma 8, one-step simulation and reverse simulation (Lemmas 4 and 6) can be iterated to obtain the following results about *surface* reduction.

Corollary 9. *Let* t, u ∈ Λ *and* s ∈ Λ!*.*


Our results for dCBN notably extend the ones in [18,19], where it was only shown that N-NF translates to S-NF, and that dCBN surface reduction is simulated by dBANG surface reduction: we went further by encompassing their converses.

#### 3.2 The Call-by-Value Calculus dCBV and Its Embedding into dBANG

In dCBV, surface contexts $\mathsf{S}_{\mathsf{V}} \in \mathbb{S}_{\mathsf{V}}$ are defined below: the hole cannot be under an abstraction. To align the notations, in dCBV full contexts are denoted by $\mathsf{F}_{\mathsf{V}} \in \mathbb{F}_{\mathsf{V}}$ and list contexts by $\mathsf{L}_{\mathsf{V}} \in \mathbb{L}_{\mathsf{V}}$.

$$(\text{dCBV Surface Contexts})\qquad\qquad \mathsf{S}_{\mathsf{V}} ::= \diamond \mid \mathsf{S}_{\mathsf{V}}\,t \mid t\,\mathsf{S}_{\mathsf{V}} \mid \mathsf{S}_{\mathsf{V}}[x\backslash t] \mid t[x\backslash \mathsf{S}_{\mathsf{V}}]$$

As explained in Sect. 1.1, reductions in dCBV are defined by taking the set of rewrite rules $\{\mathsf{dB}, \mathsf{sV}\}$ defined below and the sets of contexts $\mathbb{S}_{\mathsf{V}}$ and $\mathbb{F}_{\mathsf{V}}$.

$$\mathsf{L}\_{\mathsf{V}}\langle\lambda x.t\rangle\ u \longmapsto\_{\mathsf{dB}} \mathsf{L}\_{\mathsf{V}}\langle t[x\backslash u]\rangle \qquad\qquad\qquad t[x\backslash \mathsf{L}\_{\mathsf{V}}\langle v\rangle] \mapsto\_{\mathsf{s}\mathsf{V}} \mathsf{L}\_{\mathsf{V}}\langle t\{x\backslash v\}\rangle$$

Rule dB (resp. sV) is capture-free: no free variable of $u$ (resp. $t$) is captured by the context $\mathsf{L}_{\mathsf{V}}$. The dCBV surface reduction is the relation $\rightarrow_{\mathsf{S}_{\mathsf{V}}} := \rightarrow_{\mathsf{S}_{\mathsf{V}}\langle\mathsf{dB}\rangle} \cup \rightarrow_{\mathsf{S}_{\mathsf{V}}\langle\mathsf{sV}\rangle}$, while the dCBV full reduction is the relation $\rightarrow_{\mathsf{F}_{\mathsf{V}}} := \rightarrow_{\mathsf{F}_{\mathsf{V}}\langle\mathsf{dB}\rangle} \cup \rightarrow_{\mathsf{F}_{\mathsf{V}}\langle\mathsf{sV}\rangle}$.

The calculi dCBN and dCBV differ in that dCBN can always fire an ES (rule s), while dCBV only does when the ES argument is a value, possibly wrapped by a finite list of ES (rule sV). So *e.g.*, for $\mathsf{S}_{\mathsf{V}} = (yxx)[x\backslash \diamond]$, we have:

$$\begin{aligned} u_0 &= (\lambda x.yxx)((\lambda z.z)y) \rightarrow_{\diamond\langle\mathsf{dB}\rangle} u_1 = (yxx)[x\backslash (\lambda z.z)y] \\ &\rightarrow_{\mathsf{S}_{\mathsf{V}}\langle\mathsf{dB}\rangle} u'_1 = (yxx)[x\backslash z[z\backslash y]] \rightarrow_{\mathsf{S}_{\mathsf{V}}\langle\mathsf{sV}\rangle} u_2 = (yxx)[x\backslash y] \rightarrow_{\diamond\langle\mathsf{sV}\rangle} u_3 = yyy \end{aligned} \tag{1}$$

Reduction at a distance in dCBV fires redexes that are blocked in Plotkin's CBV [46]. For instance, given $\delta := \lambda z.zz$, the term $t := (\lambda y.\delta)(xx)\delta$ is a normal form in Plotkin's CBV, but is non-terminating in dCBV: $t \rightarrow_{\mathsf{S}_{\mathsf{V}}} \delta[y\backslash xx]\,\delta \rightarrow_{\mathsf{S}_{\mathsf{V}}} (zz)[z\backslash\delta][y\backslash xx] \rightarrow_{\mathsf{S}_{\mathsf{V}}} (\delta\delta)[y\backslash xx] \rightarrow^{*}_{\mathsf{S}_{\mathsf{V}}} (\delta\delta)[y\backslash xx]$, as one would expect, since $t$ is observationally equivalent to the diverging term $\delta\delta$ in CBV [6,8,20,44,48].

The dCBV surface reduction is nothing but the well-known *weak* reduction that does not evaluate under abstractions.

*Embedding* dCBV *into* dBANG*.* Values (*i.e.*, variables and abstractions) are the erasable and duplicable terms of dCBV. Girard's CBV encoding (used in [22,30], noted $(\cdot)^{\mathsf{v1}}$ here) is built upon this insight, placing a bang in front of each variable, $x^{\mathsf{v1}} = !x$, and abstraction, $(\lambda x.t)^{\mathsf{v1}} = !\lambda x.t^{\mathsf{v1}}$. The encoding of an application is $(tu)^{\mathsf{v1}} = \mathsf{der}(t^{\mathsf{v1}})\,u^{\mathsf{v1}}$, where the der is used to enable a d!-step if $t$ (the left-hand side of the application) is a value, so as to restore its functional role. However, as highlighted in [18,19], such a definition fails normal forms preservation: a dCBV normal form is not necessarily encoded by a dBANG normal form, for example given the normal term $t_0 = xy$ we have $t_0^{\mathsf{v1}} = \mathsf{der}(!x)\,!y$ which is not normal. Consequently, [18,19] proposed an alternative encoding (noted $(\cdot)^{\mathsf{v2}}$ here, whose details are omitted for lack of space), based on the same principle, but with an additional *super-development*: all d!-redexes appearing during the encoding on the left of an application are eliminated *on the fly*, so that the embedding $(\cdot)^{\mathsf{v2}}$ preserves normal forms (*e.g.*, $t_0^{\mathsf{v2}} = x\,!y$, which is normal in dBANG). But, as shown in Fig. 1, $(\cdot)^{\mathsf{v2}}$ breaks reverse simulation with respect to surface reduction.

$$\begin{array}{ccc} (\lambda x.(\lambda y.y)z)z & \not\rightarrow_{\mathsf{S}_{\mathsf{V}}} & (\lambda x.y[y\backslash z])z \\ \downarrow\,\cdot^{\mathsf{v2}} & & \downarrow\,\cdot^{\mathsf{v2}} \\ (\lambda x.(\lambda y.!y)\,!z)\,!z & \rightarrow_{\mathsf{S}} & (\lambda x.(!y)[y\backslash !z])\,!z \end{array}$$

Fig. 1. Counterexample to dCBV reverse simulation using the embedding *·* v2

We introduce a *new* dCBV embedding that preserves normal forms and fulfills simulation *and* reverse simulation (this is one of our main contributions).

Definition 10. *The* dCBV *embedding* $\cdot^{\mathsf{v}} : \Lambda \rightarrow \Lambda_{!}$ *is defined as follows:*

$$\begin{array}{ll} x^{\mathsf{v}} := !x & (t[x\backslash u])^{\mathsf{v}} := t^{\mathsf{v}}[x\backslash u^{\mathsf{v}}] \\[4pt] (\lambda x.t)^{\mathsf{v}} := !\lambda x.!t^{\mathsf{v}} & (tu)^{\mathsf{v}} := \begin{cases} \mathsf{der}(\mathsf{L}\langle s\rangle\, u^{\mathsf{v}}) & \text{if } t^{\mathsf{v}} = \mathsf{L}\langle !s\rangle; \\ \mathsf{der}(\mathsf{der}(t^{\mathsf{v}})\, u^{\mathsf{v}}) & \text{otherwise.} \end{cases} \end{array}$$

Note that, thanks to super-development, $t^{\mathsf{v}}$ is always a $\mathsf{F}\langle\mathsf{d}!\rangle$-NF. For instance, $(\lambda z.z)^{\mathsf{v}} = !\lambda z.!!z$ and $(yxx)^{\mathsf{v}} = \mathsf{der}(\mathsf{der}(\mathsf{der}(y\,!x))\,!x)$, whereas $((\lambda x.yxx)(II))^{\mathsf{v}} = \mathsf{der}\big((\lambda x.!\mathsf{der}(\mathsf{der}(\mathsf{der}(y\,!x))\,!x))\ \mathsf{der}((\lambda z.!!z)\,!\lambda z.!!z)\big)$ where $I = \lambda z.z$.
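As an added example (not the paper's own code), the following Python code implements the dCBN embedding $\cdot^{\mathfrak{n}}$ of Sect. 3.1 and the dCBV embedding $\cdot^{\mathsf{v}}$ of Definition 10 with its super-development, alongside Girard's $(\cdot)^{\mathsf{v1}}$ for contrast and a check that $\cdot^{\mathsf{v}}$ images are $\mathsf{F}\langle\mathsf{d}!\rangle$-normal; the ES clause of $(\cdot)^{\mathsf{v1}}$ is an assumption, as the text only gives it on variables, abstractions and applications. Running it reproduces $((yx)[y\backslash z])^{\mathfrak{n}}$, $(yxx)^{\mathsf{v}}$, $u_0^{\mathsf{v}}$ of equation (2) below, and the non-normal $t_0^{\mathsf{v1}}$.

```python
# Added example (not the paper's own code): the dCBN embedding ·^n and the dCBV
# embedding ·^v of Definition 10 (with its super-development) on nested-tuple
# terms, Girard's ·^{v1} for contrast, and a check that ·^v images are
# F⟨d!⟩-normal forms. The ES clause of ·^{v1} is my assumption: the paper only
# states ·^{v1} on variables, abstractions and applications.

# Terms: ('var', x), ('lam', x, t), ('app', t, u), ('es', t, x, u) for t[x\u];
# dBANG terms additionally use ('bang', t) and ('der', t).

def show(t):
    k = t[0]
    if k == 'var': return t[1]
    if k == 'lam': return f"(λ{t[1]}.{show(t[2])})"
    if k == 'app': return f"({show(t[1])} {show(t[2])})"
    if k == 'bang': return "!" + show(t[1])
    if k == 'der': return "der" + (show(t[1]) if t[1][0] == 'app' else f"({show(t[1])})")
    return f"{show(t[1])}[{t[2]}\\{show(t[3])}]"

def split_list(t):
    """Peel a list context L off t: (core, subs) with t = L⟨core⟩, subs outermost first."""
    subs = []
    while t[0] == 'es':
        subs.append((t[2], t[3]))
        t = t[1]
    return t, subs

def wrap_list(core, subs):
    for x, u in reversed(subs):
        core = ('es', core, x, u)
    return core

def cbn(t):
    """dCBN embedding ·^n: a ! in front of every argument (application or ES)."""
    k = t[0]
    if k == 'var': return t
    if k == 'lam': return ('lam', t[1], cbn(t[2]))
    if k == 'app': return ('app', cbn(t[1]), ('bang', cbn(t[2])))
    return ('es', cbn(t[1]), t[2], ('bang', cbn(t[3])))

def cbv(t):
    """dCBV embedding ·^v of Definition 10, super-developing the d!-redex on the
    left of an application on the fly."""
    k = t[0]
    if k == 'var': return ('bang', t)
    if k == 'lam': return ('bang', ('lam', t[1], ('bang', cbv(t[2]))))
    if k == 'app':
        tv, uv = cbv(t[1]), cbv(t[2])
        core, L = split_list(tv)
        if core[0] == 'bang':                       # t^v = L⟨!s⟩: emit der(L⟨s⟩ u^v)
            return ('der', ('app', wrap_list(core[1], L), uv))
        return ('der', ('app', ('der', tv), uv))    # otherwise der(der(t^v) u^v)
    return ('es', cbv(t[1]), t[2], cbv(t[3]))

def cbv_girard(t):
    """Girard's CBV encoding ·^{v1}: no super-development, so the image of a
    normal term need not be normal (ES clause assumed, see above)."""
    k = t[0]
    if k == 'var': return ('bang', t)
    if k == 'lam': return ('bang', ('lam', t[1], cbv_girard(t[2])))
    if k == 'app': return ('app', ('der', cbv_girard(t[1])), cbv_girard(t[2]))
    return ('es', cbv_girard(t[1]), t[2], cbv_girard(t[3]))

def d_normal(t):
    """True iff t contains no d!-redex der(L⟨!s⟩), i.e. t is a F⟨d!⟩-normal form."""
    if t[0] == 'der' and split_list(t[1])[0][0] == 'bang':
        return False
    return all(d_normal(s) for s in t[1:] if isinstance(s, tuple))

if __name__ == '__main__':
    x, y = ('var', 'x'), ('var', 'y')
    yxx = ('app', ('app', y, x), x)
    u0 = ('app', ('lam', 'x', yxx), ('app', ('lam', 'z', ('var', 'z')), y))
    print(show(cbn(('es', ('app', y, x), 'y', ('var', 'z')))))  # (y !x)[y\!z]
    print(show(cbv(yxx)))                                        # der(der(der(y !x)) !x)
    print(show(cbv(u0)), d_normal(cbv(u0)))                      # u_0^v of (2), True
    print(show(cbv_girard(('app', x, y))), d_normal(cbv_girard(('app', x, y))))
```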

As in the dCBN embedding, the modality ! plays a *twofold* role in our new dCBV embedding. First, $\cdot^{\mathsf{v}}$ marks with ! subterms to be considered as values, *i.e.* potentially *erasable* or *duplicable*. This induces the use of super-developments in the case of applications to avoid some administrative steps that would otherwise affect preservation of normal forms. Second, $\cdot^{\mathsf{v}}$ marks the positions where surface reduction must not occur: inside values; thus it introduces a *second* (internal) ! in the encoding of abstractions to encapsulate its body and shield it from surface computation. Additionally, to restore access to the abstraction's body when it is applied, a second (external) der is added to the encoding of applications. These two principles highlight the dual role of ! in dBANG: enabling duplication (and erasure) as well as isolating subterms from surface computation processes.

The dCBV embedding is extended to rule names, by defining $\mathsf{dB}^{\mathsf{v}} := \mathsf{dB}$ and $\mathsf{sV}^{\mathsf{v}} := \mathsf{s}!$. Similarly to dCBN, we have the fundamental simulation result below.

Lemma 11 (dCBV One-Step Simulation). *Let* $t, u \in \Lambda$*,* $\mathsf{F}_{\mathsf{V}} \in \mathbb{F}_{\mathsf{V}}$ *and* $\mathsf{R} \in \{\mathsf{dB}, \mathsf{sV}\}$*. If* $t \rightarrow_{\mathsf{F}_{\mathsf{V}}\langle\mathsf{R}\rangle} u$ *then there is* $\mathsf{F} \in \mathbb{F}$ *such that* $t^{\mathsf{v}} \rightarrow_{\mathsf{F}\langle\mathsf{R}^{\mathsf{v}}\rangle} \rightarrow^{*}_{\mathsf{F}\langle\mathsf{d}!\rangle} u^{\mathsf{v}}$*, where* $\mathsf{F}$ *and all contexts used for the steps in* $\rightarrow^{*}_{\mathsf{F}\langle\mathsf{d}!\rangle}$ *can be specified using* $\mathsf{F}_{\mathsf{V}}^{\mathsf{v}}$*,* $\mathsf{R}$ *and* $t$*.*

Let us see how $\mathsf{F}$ and the contexts used in the steps $\rightarrow^{*}_{\mathsf{F}\langle\mathsf{d}!\rangle}$ are constructed: it highlights the difference between Lemma 11 for dCBV and Lemma 4 for dCBN.

– Additional administrative steps ($\rightarrow^{*}_{\mathsf{F}\langle\mathsf{d}!\rangle}$) may be needed at the end. For example, for the dCBV steps $u_0 \rightarrow_{\mathsf{F}_{\mathsf{V}}\langle\mathsf{dB}\rangle} u_1$ and $u_2 \rightarrow_{\mathsf{F}_{\mathsf{V}}\langle\mathsf{sV}\rangle} u_3$ seen in (1), we have:

$$\begin{split} u_0^{\mathsf{v}} &= \mathsf{der}\big((\lambda x.!\mathsf{der}(\mathsf{der}(\mathsf{der}(y\,!x))\,!x))\ \mathsf{der}((\lambda z.!!z)\,!y)\big) \\ &\rightarrow_{\mathsf{F}\langle\mathsf{dB}\rangle} \mathsf{der}\big((!\mathsf{der}(\mathsf{der}(\mathsf{der}(y\,!x))\,!x))[x\backslash \mathsf{der}((\lambda z.!!z)\,!y)]\big) = s' \\ &\rightarrow_{\mathsf{F}\langle\mathsf{d}!\rangle} \mathsf{der}(\mathsf{der}(\mathsf{der}(y\,!x))\,!x)[x\backslash \mathsf{der}((\lambda z.!!z)\,!y)] = u_1^{\mathsf{v}} \\ u_2^{\mathsf{v}} &= \mathsf{der}(\mathsf{der}(\mathsf{der}(y\,!x))\,!x)[x\backslash !y] \rightarrow_{\mathsf{F}\langle\mathsf{s}!\rangle} \mathsf{der}(\mathsf{der}(\mathsf{der}(y\,!y))\,!y) = u_3^{\mathsf{v}} \end{split} \tag{2}$$

– dB-steps require adding a dereliction to the translated context: for example, the dB-redex position $\diamond$ in $t = (\lambda x.x)\,y$ needs to be translated to the redex position $\mathsf{der}(\diamond)$ in $t^{\mathsf{v}} = \mathsf{der}((\lambda x.!x)\,!y)$.

– sV-steps may need removing a dereliction from the translated context: for instance, the sV-redex position $\diamond\,y$ in $t = (\lambda z.x)[x\backslash y]\,y$ is translated to the redex position $\mathsf{der}(\diamond\ !y)$ in $t^{\mathsf{v}} = \mathsf{der}((\lambda z.!x)[x\backslash !y]\ (!y))$. The context translation anticipates the super-development used in $t^{\mathsf{v}}$.

Note that both situations can be detected by case-analysis on R and t, where the target context translation is a slight variation over the original one.

While the dCBV embedding · v2 used in [18,19] successfully enables the simulation of dCBV into dBANG, it falls short when it comes to reverse simulation, as shown in Fig. 1. Therefore, · v2 cannot be used to transfer dynamic properties from dBANG back to dCBV, thus failing in particular to derive dCBV factorization from dBANG (Sect. 5). Our new embedding instead satisfies reverse simulation.

Lemma 12 (dCBV One-Step Reverse Simulation). *Let* $t \in \Lambda$*,* $u' \in \Lambda_{!}$*,* $\mathsf{F} \in \mathbb{F}$ *and* $\mathsf{R}' \in \{\mathsf{dB}, \mathsf{s}!, \mathsf{d}!\}$*. If* $u'$ *is a* $\mathsf{F}\langle\mathsf{d}!\rangle$*-NF, then*

$$t^{\mathsf{v}} \rightarrow_{\mathsf{F}\langle\mathsf{R}'\rangle} \rightarrow^{*}_{\mathsf{F}\langle\mathsf{d}!\rangle} u' \quad \Longrightarrow \quad \left\{ \begin{array}{ll} \exists\, u \in \Lambda, & u^{\mathsf{v}} = u' \\ \exists\, \mathsf{R} \in \{\mathsf{dB}, \mathsf{sV}\}, & \mathsf{R}^{\mathsf{v}} = \mathsf{R}' \\ \exists\, \mathsf{F}_{\mathsf{V}} \in \mathbb{F}_{\mathsf{V}} & \end{array} \right\} \quad \text{such that } t \rightarrow_{\mathsf{F}_{\mathsf{V}}\langle\mathsf{R}\rangle} u.$$

Lemma 12 states that any dBANG diligent step from the image $t^{\mathsf{v}}$ of a dCBV term $t$ actually simulates a dCBV step from $t$. As expected, the same subtleties encountered in the dCBV one-step simulation (Lemma 11) apply in this last result, in particular regarding the construction of $\mathsf{F}_{\mathsf{V}}$. In the dCBN case, the absence of administrative steps renders all sequences from images of dCBN terms diligent, making stability, normal form preservation and simulations direct consequences of one-step simulation (Lemma 4) and reverse simulation (Lemma 6). This is not the case for dCBV, due to the presence of administrative steps in the simulation process. Indeed, when simulating dCBV reduction within dBANG (Lemma 11), administrative steps are performed as soon as they become available, thus constructing a diligent sequence. Conversely, projecting a reduction step from dBANG to dCBV (Lemma 12) requires a diligent step. However, in the case of sequences, in contrast to single steps, there is no requirement for administrative steps to be correctly synchronized, and this may lead to deviations from the embedding's image, significantly complicating reverse simulation. Fortunately, the diligence process of dBANG (Lemma 3) resynchronizes administrative steps, yielding sequences that are easy to project.

Corollary 13. *Let* t, u ∈ Λ *and* s ∈ Λ!*.*


As in dCBN, we may wonder whether similar preservation results hold for surface reductions. Such results cannot be entirely derived from Corollary 13 alone. Still, as with dCBN, the dCBV one-step simulation and reverse simulation properties (Lemmas 11 and 12) already encompass the surface case. However, even though surface redex positions are mutually mapped by the embedding, this does not yet imply surface stability, preservation of normal forms, and simulations. As previously explained, diligence is required to deal with administrative steps. Fortunately, the surface fragment admits a diligence process, as stated in Lemma 3, which can then be leveraged to obtain the following results.

Corollary 14. *Let* t, u ∈ Λ *and* s ∈ Λ!*.*


Stability statements in dCBV (Corollaries 13.1 and 14.1) require the reached term $s$ to be normal for d!, otherwise stability does not hold (*e.g.*, $s'$ in (2) above is not in the image of $\cdot^{\mathsf{v}}$). This is not required in the dCBN stability statements (Corollaries 7.1 and 9.1) since every term to which $t^{\mathfrak{n}}$ reduces is der-free and so normal for d!.

Proving simulation and reverse simulation requires a considerable effort. But this initial investment, made once and for all, lays the groundwork for numerous benefits without extra costs. For example, in Sects. 4 and 5, we demonstrate that typically challenging tasks like proving confluence and factorization in dCBN and dCBV can be easily achieved by deriving them from dBANG through simulation and reverse simulation, essentially for free. This approach not only unifies the proofs but also minimizes the workload for future proofs.

# 4 Confluence

Confluence is a crucial property in λ-calculi, ensuring that every term can reduce to at most one normal form, regardless of the chosen reduction path. In this section, we examine confluence of different reductions (surface and full) in the three calculi we considered: dCBN, dCBV, and dBANG. We specifically leverage simulation and reverse simulation properties to project these results from dBANG to dCBN and dCBV, providing a comprehensive solution across three frameworks.

Surface confluence is usually proved by showing that surface reduction is diamond, as for example in [18,19]. Full confluence is more complex, since full reduction is not diamond, as one can easily see in dBANG with the term (xx)[x\!(II)] where I := λz.z. Alternative techniques [43,52] can establish full reduction's confluence, albeit often requiring numerous commutation diagrams and possibly non-trivial decreasing measures.

#### Theorem 15 (dBANG Confluence).


*Proof.* (Surface) See [18,19]. (Full) See [34].

These proofs are typically highly technical, requiring a significant amount of time to write and of cases to verify, and are prone to errors. Therefore, it is extremely beneficial to have a method to streamline them, especially when mechanizing proofs. With the robust preservation of dCBN reductions in dBANG, we can actually project dCBN confluences directly from those of dBANG.

#### Corollary 16 (dCBN Confluence).

*1. (Surface) The reduction* $\rightarrow_{\mathsf{S}_{\mathsf{N}}}$ *is diamond and confluent. Moreover, any two surface reduction paths from a given term to a* $\mathsf{S}_{\mathsf{N}}$*-normal form have the same length and same number of* dB*- and* s*-steps.*

*2. (Full) The reduction* $\rightarrow_{\mathsf{F}_{\mathsf{N}}}$ *is confluent.*

*Proof.* (Surface) See Fig. 2. (Full) Following the same reasoning as Fig. 3.

Fig. 2. Schematic proof of Corollary 16.1

Fig. 3. Schematic proof of Corollary 17.2

The same technique can be used for dCBV, with the additional help of *diligence* (Corollary 13.1 and 14.1). Thus, we get the following results for free.

#### Corollary 17 (dCBV Confluence).


*Proof.* (Surface) Following the same reasoning as Fig. 2. (Full) See Fig. 3.

#### 5 Factorization

In λ-calculi, reduction is a relation, so different reduction steps are possible starting from the same term. Some steps (*e.g.* head steps) are more significant than others, and they may occur in the middle of a reduction sequence. Factorization is the process of disentangling the significant steps from the "superfluous" ones, bringing the former forward and leaving the start and end terms unchanged.

This section is devoted to the factorization property for dBANG, dCBN and dCBV. We start by revisiting an abstract factorization theorem [2]. We first apply this abstract method to dBANG, thus obtaining a new result of factorization not previously appearing in the literature. Then, we use the properties of simulation and reverse simulation proved in Sect. 3 to project the factorization result for dBANG into dCBN and dCBV. Although these two results can be directly derived from the abstract factorization theorem [2], our approach circumvents the numerous commutation properties required by the abstract approach. Also, it provides a tangible illustration of how the simulation and reverse simulation properties discussed in Sects. 3.1 and 3.2 can be applied in concrete cases.

*Abstract Factorization.* We recall an abstract factorization method from [2] that relies on local rewrite conditions given by the notion of *square factorization system* (SFS). While its original presentation concerns only two subreductions, we (straightforwardly) extend the notion of SFS to a *family* of subreductions, as in dBANG the reduction consists of more than two subreductions.

Definition 18. *Let* $\mathcal{R} = (R, \rightarrow_{\mathcal{R}})$ *be an abstract rewriting system. The family* $(\rightarrow_{\mathcal{R}^{\circ}_{k}}, \rightarrow_{\mathcal{R}^{\bullet}_{k}})_{k \in K}$ *of paired reduction relations is a* square factorization system *(SFS) for* $\mathcal{R}$ *if it covers the reduction relation (i.e.* $\rightarrow_{\mathcal{R}} = \bigcup_{k \in K} \rightarrow_{\mathcal{R}_{k}}$ *where* $\rightarrow_{\mathcal{R}_{k}} := \rightarrow_{\mathcal{R}^{\circ}_{k}} \cup \rightarrow_{\mathcal{R}^{\bullet}_{k}}$*) and satisfies the following conditions:*


The symbol $\circ$ tags *significant* (also called *external*) steps, while $\bullet$ is used for *irrelevant* (also called *internal*) ones. The commutations required in an SFS are sufficient to achieve factorization, which consists in rearranging a reduction sequence to prioritize significant steps $\rightarrow_{\circ}$ over irrelevant steps $\rightarrow_{\bullet}$.

Proposition 19 ([2]). *Let* $\mathcal{R} = (R, \to_{\mathcal{R}})$ *be an abstract rewriting system and* $(\to_{\mathcal{R}^\circ_k}, \to_{\mathcal{R}^\bullet_k})_{k \in K}$ *be an SFS for* $\mathcal{R}$*. Then the reduction relation factorizes, that is,* $\to^*_{\mathcal{R}} \subseteq \to^*_{\circ} \to^*_{\bullet}$ *where* $\to_\circ := \bigcup_{k \in K} \to_{\mathcal{R}^\circ_k}$ *and* $\to_\bullet := \bigcup_{k \in K} \to_{\mathcal{R}^\bullet_k}$*.*

*Factorization in* dBANG*.* In dBANG we claim that surface reduction is the significant part of full reduction, and our goal is to factor it out. To exploit the abstract method, we first formally identify the irrelevant subreduction of full reduction, called here *internal*, as reduction under the scope of a !. Internal contexts $\mathtt{I} \in \mathcal{I}$ are full contexts $\mathtt{F} \in \mathcal{F}$ whose hole is placed under a bang. Formally (writing $\Diamond$ for the hole, i.e. the empty context),

$$\text{(dBANG Internal Contexts)} \qquad \mathtt{I} ::= \;!\mathtt{F} \;\mid\; \mathtt{S}^*\langle \mathtt{I} \rangle \quad \text{with } \mathtt{S}^* \in \mathcal{S} \setminus \{\Diamond\}$$

Clearly, $\mathcal{I} = \mathcal{F} \setminus \mathcal{S}$. As usual, $\to_{\mathcal{I}_R}$ is the closure of the rewrite rules $R \in \{\mathsf{dB}, \mathsf{s!}, \mathsf{d!}\}$ over all contexts $\mathtt{I} \in \mathcal{I}$. The dBANG internal reduction is the relation $\to_{\mathcal{I}} := \to_{\mathcal{I}_{\mathsf{dB}}} \cup \to_{\mathcal{I}_{\mathsf{s!}}} \cup \to_{\mathcal{I}_{\mathsf{d!}}}$. For example, $(\lambda x.!\Diamond)\,y$ is an internal context while $\Diamond$ is not. Thus, $(\lambda x.!(z[z\backslash x]))\,y \to_{\mathcal{I}_{\mathsf{s!}}} (\lambda x.!x)\,y \to_{\mathcal{I}} (!x)[x\backslash y]$. We can now show that surface and internal reductions enjoy the abstract properties of an SFS.

Lemma 20. *The family* $(\to_{\mathcal{S}_R}, \to_{\mathcal{I}_R})_{R \in \{\mathsf{dB}, \mathsf{s!}, \mathsf{d!}\}}$ *is an SFS for* $(\Lambda_!, \to_{\mathcal{F}})$*.*

This immediately gives the following novel factorization result for the Distant Bang Calculus, by applying Proposition 19 and Lemma 20.

Corollary 21 (dBANG Factorization). *We have that* $\to^*_{\mathcal{F}} = \to^*_{\mathcal{S}} \to^*_{\mathcal{I}}$*.*

*Example 22.* Take $t = (xy)[y\backslash !(I\,!!(Iw))]$ where $I = \lambda z.z$. Then the factorization of the first sequence starting at $t$ below is given by the second one:

$$\begin{aligned} t \mapsto\_{\mathbb{F}} (x y)[y \backslash (z[z \backslash !! (I w)])] &\to\_{\mathbb{B}} x (z[z \backslash !! (I w)]) \to\_{\mathbb{B}} x (z[z \backslash (z[z \backslash w])]) \to\_{\mathbb{B}} x (z[z \backslash w]) \\ t &\to\_{\mathbb{B}} x (I !! (I w)) \quad \to\_{\mathbb{B}} x (z[z \backslash (I w)]) \quad \to\_{\mathbb{B}} x (I ! w) \to\_{\mathbb{B}} x (z[z \backslash w]) \end{aligned}$$

Fig. 4. Schematic proof of Corollary 16.1

Fig. 5. Schematic proof of Corollary 17.2

*Factorizations in* dCBN *and* dCBV *.* To achieve factorization in dCBN and dCBV via the abstract method, we need to establish the existence of an SFS in each case. This requires validating multiple commutations. We bypass these lengthy proofs by adopting a simpler projection approach from dBANG.

As in dBANG, we claim that surface reduction is the significant part of full reduction in dCBN/dCBV, and we consequently identify the irrelevant subreduction, called here *internal*. The dCBN (resp. dCBV) internal contexts $\mathtt{I}_N \in \mathcal{I}_N$ (resp. $\mathtt{I}_V \in \mathcal{I}_V$) are full contexts whose hole is in an argument (resp. under a $\lambda$). Formally,

$$\begin{array}{ll} \text{(dCBN Internal Contexts)} & \mathtt{I}_N ::= t\,\mathtt{F}_N \;\mid\; t[x\backslash \mathtt{F}_N] \;\mid\; \mathtt{S}^*_N\langle \mathtt{I}_N \rangle \quad \text{with } \mathtt{S}^*_N \in \mathcal{S}_N \setminus \{\Diamond\} \\ \text{(dCBV Internal Contexts)} & \mathtt{I}_V ::= \lambda x.\mathtt{F}_V \;\mid\; \mathtt{S}^*_V\langle \mathtt{I}_V \rangle \quad \text{with } \mathtt{S}^*_V \in \mathcal{S}_V \setminus \{\Diamond\} \end{array}$$

The dCBN (resp. dCBV) internal reduction $\to_{\mathcal{I}_N}$ (resp. $\to_{\mathcal{I}_V}$) is the closure over all internal contexts $\mathtt{I}_N \in \mathcal{I}_N$ (resp. $\mathtt{I}_V \in \mathcal{I}_V$) of the rewrite rules $\mathsf{dB}$ and $\mathsf{s}$ (resp. $\mathsf{dB}$ and $\mathsf{sV}$). For example, $(\lambda x.x)\Diamond$ is a dCBN internal context, while $\Diamond$ is not, thus $(\lambda x.x)((\lambda y.z)t) \to_{\mathcal{I}_N} (\lambda x.x)z \to_{\mathcal{I}_N} z$. And $(\lambda x.\Diamond)z$ is a dCBV internal context while $\Diamond$ is not, thus $(\lambda x.(\lambda y.y)z)z \to_{\mathcal{I}_V} (\lambda x.y[y\backslash z])z \to_{\mathcal{I}_V} (\lambda x.z)z \to_{\mathcal{I}_V} z[x\backslash z]$.

As in the surface case, the one-step simulation and reverse simulation (Lemmas 4 and 6 for dCBN, Lemmas 11 and 12 for dCBV) can be specialized to the internal case. This allows us to show in particular the following property.

Corollary 23. *Let* $t, u \in \Lambda$ *and* $s \in \Lambda_!$*.*


Via Corollaries 9, 14 and 23, we can project factorization from dBANG back to dCBN/dCBV.

Theorem 24 (dCBN*/*dCBV Factorizations). $\to^*_{\mathcal{F}_N} = \to^*_{\mathcal{S}_N} \to^*_{\mathcal{I}_N}$ *and* $\to^*_{\mathcal{F}_V} = \to^*_{\mathcal{S}_V} \to^*_{\mathcal{I}_V}$*.*

*Proof.* The proof for dCBN is depicted in Fig. 4. In particular, since $t^{\mathtt{n}} \to^*_{\mathcal{S}} s'$, one deduces using Corollary 9 that there exists $s \in \Lambda$ such that $s^{\mathtt{n}} = s'$.

The proof for dCBV is depicted in Fig. 5. In particular, by construction $u^{\mathtt{v}}$ is an $\mathcal{F}_{\mathsf{d!}}$-NF and, by induction on the length of $s' \to^*_{\mathcal{I}} u^{\mathtt{v}}$, one has that $s'$ is an $\mathcal{S}_{\mathsf{d!}}$-NF. Using Corollary 14, one deduces that there exists $s \in \Lambda$ such that $s^{\mathtt{v}} = s'$.

#### 6 Conclusion and Related Work

Our first contribution is to revisit and extend several properties concerning the encoding of dCBN into dBANG. The second contribution, more significant, consists in introducing a new embedding from dCBV to dBANG, which is conservative with respect to previous results in the literature [18,19], but also (and this is a novelty) allows us to establish the essential reverse simulation property, achieved through the non-trivial concept of diligent sequence. We illustrate the strength of our methodology by means of an example, namely factorization. For that, we first prove a factorization theorem for dBANG, another major contribution of the paper, and we then deduce factorization for dCBN and dCBV by projecting that for dBANG.

In [25], factorization for the (non-distant) Bang Calculus has been proved, and from that, factorization results for the standard (non-distant) CBN λ-calculus and Plotkin's original CBV λ-calculus have been deduced. But the (non-distant) Bang Calculus and Plotkin's CBV are *not adequate*, in the sense explained in Sect. 1, which decreases the significance of those preliminary results.

When taking *adequate* versions of the Bang Calculus, by adding ES and distance, or σ-reduction [22,31], the CBV encodings in the literature [18,19,22,25,30] fail to enjoy reverse simulation, thus preventing one from transferring dynamic properties from the Bang Calculus to CBV. Other CBN and CBV encodings into a unifying framework appear in [14], but there is no reverse simulation property, so there is no concrete application of the proposed encoding to exporting properties to CBN and CBV. The same occurs in [24]. The only exceptions are [12,36], where only *static* properties are obtained, and [25,30], where the Bang and CBV calculi are not adequate in the sense explained in Sect. 1.

Sabry and Wadler [50] showed that simulation and reverse simulation between two calculi come for free when their back and forth translations give rise to an adjoint. One of the difficulties in achieving our results is that our CBN and CBV embeddings, as well as the ones used in [18,19,22,25,30], do not form an adjoint. This is basically due to the fact that a CBN/CBV term can be decorated by ! and der, so that administrative steps performed in the (Distant) Bang Calculus do not correspond to anything in CBN or CBV. Our contribution is precisely to achieve simulation and reverse simulation without the need for any adjoint.

As discussed at the end of Sect. 3, proving simulation and reverse simulation requires a considerable effort. But this initial investment lays the groundwork for numerous benefits without extra costs, as we showed in Sects. 4 and 5.

In addition to the tangible contributions presented in this paper, we believe our methodology enhances the understanding of the semantic aspects of CBV, especially concerning untyped and typed approximants. This remains a topic that, while gradually gaining attention in the literature [12,33,39], is yet to be thoroughly explored. Our novel CBV embedding would also suggest a logical counterpart (a new encoding of intuitionistic logic into linear logic), which remains to be investigated. Moreover, we aim to further leverage our technique to explore other crucial dynamic properties of dCBN and dCBV, such as standardization, normalization, genericity as well as some specific deterministic strategies.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **A Dependency Pair Framework for Relative Termination of Term Rewriting**

Jan-Christoph Kassing, Grigory Vartanyan, and Jürgen Giesl

RWTH Aachen University, Aachen, Germany {kassing,giesl}@cs.rwth-aachen.de, grigory.vartanyan@rwth-aachen.de

**Abstract.** *Dependency pairs* are one of the most powerful techniques for proving termination of term rewrite systems (TRSs), and they are used in almost all tools for termination analysis of TRSs. Problem #106 of the RTA List of Open Problems asks for an adaption of dependency pairs for *relative termination*. Here, infinite rewrite sequences are allowed, but one wants to prove that a certain subset of the rewrite rules cannot be used infinitely often. Dependency pairs were recently adapted to *annotated dependency pairs (ADPs)* to prove almost-sure termination of probabilistic TRSs. In this paper, we develop a novel adaption of ADPs for relative termination. We implemented our new ADP framework in our tool AProVE and evaluate it in comparison to state-of-the-art tools for relative termination of TRSs.

#### **1 Introduction**

Termination is an important topic in program verification. There is a wealth of work on automatic termination analysis of term rewrite systems (TRSs) which can also be used to analyze termination of programs in many other languages. Essentially all current termination tools for TRSs (e.g., AProVE [13], NaTT [36], MU-TERM [15], TTT2 [27], etc.) use *dependency pairs (DPs)* [1,11,12,16,17].

A combination of two TRSs (a *main* TRS R and a *base* TRS B) is "*relatively terminating*" if there is no rewrite sequence that uses infinitely many steps with rules from R (whereas rules from B may be used infinitely often). Relative termination of TRSs has been studied since decades [8], and approaches based on relative rewriting are used for many applications, e.g., in complexity analysis [3,6,7,29,37], for proving confluence [19,25], for certifying confluence proofs [30], for proving termination of narrowing [20,31,34], and for proving liveness [26].

However, while techniques and tools for analyzing ordinary termination of TRSs are very powerful due to the use of DPs, a direct application of standard DPs to analyze relative termination is not possible. Therefore, most existing approaches for automated analysis of relative termination are quite restricted in power. Hence, one of the largest open problems regarding DPs is Problem #106 of the RTA List of Open Problems [5]: *Can we use the dependency pair method to prove relative termination?* A first major step towards an answer to this question was presented in [21] by giving criteria for R and B that allow the use of ordinary DPs for relative termination.

Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) - 235950644 (Project GI 274/6-2) and DFG Research Training Group 2236 UnRAVeL.

© The Author(s) 2024. C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 360–380, 2024. https://doi.org/10.1007/978-3-031-63501-4\_19

Recently, we adapted DPs to analyze probabilistic innermost term rewriting, by using so-called *annotated dependency pairs (ADPs)* [23] or *dependency tuples (DTs)* [22] (which were originally proposed for innermost complexity analysis of TRSs [32]).<sup>1</sup> In these adaptions, one considers all *defined* function symbols in the right-hand side of a rule at once, whereas ordinary DPs consider them separately.

In this paper, we show that considering the defined symbols on right-hand sides separately (as for classical DPs) does not suffice for relative termination. On the other hand, we do not need to consider all of them at once either (i.e., we do not have to use the notions of ADPs or DTs from [22,23,32]). Instead, we introduce a new definition of ADPs that is suitable for relative termination and develop a corresponding ADP framework for automated relative termination proofs of TRSs. Moreover, while ADPs and DTs were only applicable for *innermost* rewriting in [22,23,32], we now adapt ADPs to *full* (relative) rewriting, i.e., we do not impose any specific evaluation strategy. So while [21] presented conditions under which the *ordinary classical* DP framework can be used to prove relative termination, in this paper we develop the first *specific* DP framework for relative termination.

**Structure:** We start with preliminaries on relative rewriting in Sect. 2. In Sect. 3 we recapitulate the core processors of the DP framework and show that classical DPs are unsound for relative termination in general. Moreover, we state the main results of [21] on criteria when ordinary DPs may nevertheless be used for relative termination. Afterwards, we introduce our novel notion of *annotated dependency pairs* for relative termination in Sect. 4 and present a corresponding new ADP framework in Sect. 5. We implemented our framework in the tool AProVE and in Sect. 6, we evaluate our implementation in comparison to other state-of-the-art tools. All proofs can be found in [24].

### **2 Relative Term Rewriting**

We assume familiarity with term rewriting [2] and regard (finite) TRSs over a (finite) signature Σ and a set of variables V.

*Example 1.* Consider the following TRS $\mathcal{R}_{\mathsf{divL}}$, where divL(x, *xs*) computes the number that results from dividing x by each element of the list *xs*. As usual, natural numbers are represented by the function symbols 0 and s, and lists are represented via nil and cons. Then $\mathsf{divL}(\mathsf{s}^{24}(\mathsf{0}), \mathsf{cons}(\mathsf{s}^{4}(\mathsf{0}), \mathsf{cons}(\mathsf{s}^{3}(\mathsf{0}), \mathsf{nil})))$ evaluates to $\mathsf{s}^{2}(\mathsf{0})$, because (24/4)/3 = 2. Here, $\mathsf{s}^{2}(\mathsf{0})$ stands for s(s(0)), etc.

<sup>1</sup> As shown in [23], using ADPs instead of DTs leads to a more elegant, more powerful, and less complicated framework, and to completeness of the underlying *chain criterion*.

$$\mathsf{minus}(x,\mathsf{0}) \to x \qquad \qquad \text{(1)} \qquad \mathsf{div}(\mathsf{s}(x),\mathsf{s}(y)) \to \mathsf{s}(\mathsf{div}(\mathsf{minus}(x,y),\mathsf{s}(y))) \tag{4}$$

$$\mathsf{minus}(\mathsf{s}(x),\mathsf{s}(y)) \to \mathsf{minus}(x,y) \tag{2} \qquad \qquad \mathsf{div}\mathsf{L}(x,\mathsf{nil}) \to x \tag{5}$$

$$\mathsf{div}(\mathsf{0},\mathsf{s}(y)) \to \mathsf{0} \qquad \qquad \qquad \text{(3)} \quad \mathsf{div}\mathsf{L}(x,\mathsf{cons}(y,xs)) \to \mathsf{div}\mathsf{L}(\mathsf{div}(x,y),xs) \tag{6}$$

A TRS $\mathcal{R}$ induces a *rewrite relation* $\to_{\mathcal{R}} \subseteq \mathcal{T}(\Sigma, \mathcal{V}) \times \mathcal{T}(\Sigma, \mathcal{V})$ on terms where $s \to_{\mathcal{R}} t$ holds if there is a $\pi \in \mathrm{Pos}(s)$, a rule $\ell \to r \in \mathcal{R}$, and a substitution $\sigma$ such that $s|_\pi = \ell\sigma$ and $t = s[r\sigma]_\pi$. For example, $\mathsf{minus}(\mathsf{s}(\mathsf{0}), \mathsf{s}(\mathsf{0})) \to_{\mathcal{R}_{\mathsf{divL}}} \mathsf{minus}(\mathsf{0}, \mathsf{0}) \to_{\mathcal{R}_{\mathsf{divL}}} \mathsf{0}$. We call a TRS $\mathcal{R}$ *terminating* (abbreviated SN, for "strongly normalizing") if $\to_{\mathcal{R}}$ is well founded. Using the DP framework, one can easily prove that $\mathcal{R}_{\mathsf{divL}}$ is SN (see Sect. 3.1). In particular, in each application of the recursive divL-rule (6), the length of the list in divL's second argument is decreased by one.
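As an added example (not code from the paper or from any of the tools it mentions), the following Python implements the rewrite relation $\to_{\mathcal{R}}$ just defined, with matching, substitution and one-step rewriting at every position $\pi$, and runs it on $\mathcal{R}_{\mathsf{divL}}$ from Example 1. The tuple encoding of terms and all function names are our own choices; the step bound in `normalize` is there because the same engine would loop forever on a non-terminating TRS such as $\mathcal{B}_{\mathsf{mset}}$ of Example 2.

```python
# Added example (not code from the paper or from AProVE/NaTT): a minimal term
# rewriting engine implementing the rewrite relation ->_R of Sect. 2, run on R_divL.
# Term encoding (our own choice): a variable is a Python str such as 'x'; an
# application f(t1,...,tn) is the tuple ('f', t1, ..., tn), so the constant 0 is
# ('0',) and s(0) is ('s', ('0',)).
from typing import Optional


def match(pattern, term, sigma: Optional[dict] = None) -> Optional[dict]:
    """Return a substitution sigma with pattern*sigma == term, or None if none exists."""
    sigma = {} if sigma is None else sigma
    if isinstance(pattern, str):                      # pattern variable
        if pattern in sigma:                          # non-linear lhs: bindings must agree
            return sigma if sigma[pattern] == term else None
        sigma[pattern] = term
        return sigma
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return None                                   # different root symbol (or arity)
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, sigma) is None:
            return None
    return sigma


def substitute(term, sigma):
    """Apply the substitution sigma to term."""
    if isinstance(term, str):
        return sigma.get(term, term)
    return (term[0],) + tuple(substitute(a, sigma) for a in term[1:])


def rewrite_steps(term, rules):
    """All t with term ->_R t: for every position pi and rule l -> r with term|pi = l*sigma,
    the result term[r*sigma]pi (root position first, then argument positions left to right)."""
    results = []
    if isinstance(term, str):
        return results
    for lhs, rhs in rules:                            # pi = root position
        sigma = match(lhs, term)
        if sigma is not None:
            results.append(substitute(rhs, sigma))
    for i in range(1, len(term)):                     # pi below the root, inside argument i
        for new_arg in rewrite_steps(term[i], rules):
            results.append(term[:i] + (new_arg,) + term[i + 1:])
    return results


def normalize(term, rules, max_steps=100_000):
    """Follow one rewrite sequence to a normal form. The step bound guards against
    running a non-terminating TRS (e.g. B_mset of Example 2) forever."""
    for _ in range(max_steps):
        successors = rewrite_steps(term, rules)
        if not successors:
            return term
        term = successors[0]
    raise RuntimeError("no normal form reached within the step bound")


# R_divL, rules (1)-(6) of Example 1, in the tuple encoding.
ZERO, NIL = ('0',), ('nil',)
def s(t): return ('s', t)
def cons(head, tail): return ('cons', head, tail)

R_DIVL = [
    (('minus', 'x', ZERO), 'x'),                                            # (1)
    (('minus', s('x'), s('y')), ('minus', 'x', 'y')),                       # (2)
    (('div', ZERO, s('y')), ZERO),                                          # (3)
    (('div', s('x'), s('y')), s(('div', ('minus', 'x', 'y'), s('y')))),     # (4)
    (('divL', 'x', NIL), 'x'),                                              # (5)
    (('divL', 'x', cons('y', 'xs')), ('divL', ('div', 'x', 'y'), 'xs')),    # (6)
]


def num(n):
    """The term s^n(0)."""
    t = ZERO
    for _ in range(n):
        t = s(t)
    return t


def to_int(t):
    """Inverse of num for a term of the form s^n(0)."""
    n = 0
    while t != ZERO:
        assert t[0] == 's', "not a numeral"
        t, n = t[1], n + 1
    return n


def lst(*items):
    """cons(i1, cons(i2, ... nil))."""
    t = NIL
    for item in reversed(items):
        t = cons(item, t)
    return t


if __name__ == "__main__":
    start = ('divL', num(24), lst(num(4), num(3)))
    print(to_int(normalize(start, R_DIVL)))           # 2, since (24/4)/3 = 2
    print(rewrite_steps(('minus', s(ZERO), s(ZERO)), R_DIVL))   # the single step to minus(0, 0)
```

Because $\mathcal{R}_{\mathsf{divL}}$ is orthogonal (left-linear with non-overlapping left-hand sides) and terminating, the normal form is unique, so the choice of `successors[0]` in `normalize` does not affect the result.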

In the relative setting, one considers two TRSs R and B. We say that R is *relatively terminating* w.r.t. B (i.e., R/B is SN) if there is no infinite (→<sup>R</sup> ∪ →B) rewrite sequence that uses an infinite number of →R-steps. We refer to R as the *main* and B as the *base* TRS.

*Example 2.* Let RdivL be the *main* TRS. Since the order of the list elements does not affect the termination of RdivL, this algorithm also works for multisets. To abstract lists to multisets, we add the *base* TRS Bmset = {(7)}.

$$\mathsf{cons}(x,\mathsf{cons}(y,zs)) \to \mathsf{cons}(y,\mathsf{cons}(x,zs))\tag{7}$$

Bmset is non-terminating, since it can switch elements in a list arbitrarily often. However, RdivL/Bmset is SN as each application of Rule (6) still reduces the list length. Indeed, termination of RdivL/Bmset can also be shown via the approach of [21], because it allows us to apply (standard) DPs in this example, see Example 13.

However, if $\mathcal{B}_{\mathsf{mset}}$ is replaced by the base TRS $\mathcal{B}_{\mathsf{mset2}}$ with the rule

$$\mathsf{div}\mathsf{L}(z,\mathsf{cons}(x,\mathsf{cons}(y,zs))) \to \mathsf{div}\mathsf{L}(z,\mathsf{cons}(y,\mathsf{cons}(x,zs))),\tag{8}$$

then $\mathcal{R}_{\mathsf{divL}}/\mathcal{B}_{\mathsf{mset2}}$ remains terminating, but the approach of [21] is no longer applicable, see Example 14. In contrast, with our new DP framework in Sects. 4 and 5, termination of such examples can be proved automatically.<sup>2</sup>

We will use the following four examples to illustrate the problems that one has to take into account when analyzing relative termination. So these examples show why a naive adaption of dependency pairs does not work in the relative setting and why we need our new notion of *annotated dependency pairs*. The examples represent different types of infinite rewrite sequences that can lead to non-termination in the relative setting: *redex-duplicating*, *redex-creating* (or "-emitting"), and *ordinary infinite sequences*.

<sup>2</sup> To ease the presentation, the rule (8) only switches the first two elements in a list. Our approach also succeeds on a more complicated variant where the elements of lists in divL's second argument can be permuted arbitrarily. We included such an example in the benchmark collection that we used for our evaluation in Sect. 6.

*Example 3 (Redex-Duplicating).* Consider the TRSs $\mathcal{R}_1 = \{\mathsf{a} \to \mathsf{b}\}$ and $\mathcal{B}_1 = \{\mathsf{f}(x) \to \mathsf{d}(\mathsf{f}(x), x)\}$ from [21, Example 4]. $\mathcal{R}_1/\mathcal{B}_1$ is not SN due to the infinite rewrite sequence $\mathsf{f}(\mathsf{a}) \to_{\mathcal{B}_1} \mathsf{d}(\mathsf{f}(\mathsf{a}), \mathsf{a}) \to_{\mathcal{R}_1} \mathsf{d}(\mathsf{f}(\mathsf{a}), \mathsf{b}) \to_{\mathcal{B}_1} \mathsf{d}(\mathsf{d}(\mathsf{f}(\mathsf{a}), \mathsf{a}), \mathsf{b}) \to_{\mathcal{R}_1} \mathsf{d}(\mathsf{d}(\mathsf{f}(\mathsf{a}), \mathsf{b}), \mathsf{b}) \to_{\mathcal{B}_1} \ldots$ The reason is that $\mathcal{B}_1$ can be used to duplicate an arbitrary $\mathcal{R}_1$-redex infinitely often.

*Example 4 (Redex-Creating on Parallel Position).* Next, consider $\mathcal{R}_2 = \{\mathsf{a} \to \mathsf{b}\}$ and $\mathcal{B}_2 = \{\mathsf{f} \to \mathsf{d}(\mathsf{f}, \mathsf{a})\}$. $\mathcal{R}_2/\mathcal{B}_2$ is not SN as we have the infinite rewrite sequence $\mathsf{f} \to_{\mathcal{B}_2} \mathsf{d}(\mathsf{f}, \mathsf{a}) \to_{\mathcal{R}_2} \mathsf{d}(\mathsf{f}, \mathsf{b}) \to_{\mathcal{B}_2} \mathsf{d}(\mathsf{d}(\mathsf{f}, \mathsf{a}), \mathsf{b}) \to_{\mathcal{R}_2} \mathsf{d}(\mathsf{d}(\mathsf{f}, \mathsf{b}), \mathsf{b}) \to_{\mathcal{B}_2} \ldots$ Here, $\mathcal{B}_2$ can create an $\mathcal{R}_2$-redex infinitely often (where in the right-hand side $\mathsf{d}(\mathsf{f}, \mathsf{a})$ of $\mathcal{B}_2$'s rule, the $\mathcal{B}_2$-redex $\mathsf{f}$ and the created $\mathcal{R}_2$-redex $\mathsf{a}$ are on parallel positions).

*Example 5 (Redex-Creating on Position Above).* Let $\mathcal{R}_3 = \{\mathsf{a}(x) \to \mathsf{b}(x)\}$ and $\mathcal{B}_3 = \{\mathsf{f} \to \mathsf{a}(\mathsf{f})\}$. $\mathcal{R}_3/\mathcal{B}_3$ is not SN as we have $\mathsf{f} \to_{\mathcal{B}_3} \mathsf{a}(\mathsf{f}) \to_{\mathcal{R}_3} \mathsf{b}(\mathsf{f}) \to_{\mathcal{B}_3} \mathsf{b}(\mathsf{a}(\mathsf{f})) \to_{\mathcal{R}_3} \mathsf{b}(\mathsf{b}(\mathsf{f})) \to_{\mathcal{B}_3} \ldots$, i.e., again $\mathcal{B}_3$ can be used to create an $\mathcal{R}_3$-redex infinitely often. In the right-hand side $\mathsf{a}(\mathsf{f})$ of $\mathcal{B}_3$'s rule, the position of the created $\mathcal{R}_3$-redex $\mathsf{a}(\ldots)$ is above the position of the $\mathcal{B}_3$-redex $\mathsf{f}$.

*Example 6 (Ordinary Infinite).* Finally, consider $\mathcal{R}_4 = \{\mathsf{a} \to \mathsf{b}\}$ and $\mathcal{B}_4 = \{\mathsf{b} \to \mathsf{a}\}$. Here, the base TRS $\mathcal{B}_4$ can neither duplicate nor create an $\mathcal{R}_4$-redex infinitely often, but in combination with the main TRS $\mathcal{R}_4$ we obtain the infinite rewrite sequence $\mathsf{a} \to_{\mathcal{R}_4} \mathsf{b} \to_{\mathcal{B}_4} \mathsf{a} \to_{\mathcal{R}_4} \mathsf{b} \to_{\mathcal{B}_4} \ldots$ Thus, $\mathcal{R}_4/\mathcal{B}_4$ is not SN.

# **3 DP Framework**

We first recapitulate dependency pairs for ordinary (non-relative) rewriting in Sect. 3.1 and summarize existing results on DPs for relative rewriting in Sect. 3.2.

#### **3.1 Dependency Pairs for Ordinary Term Rewriting**

We recapitulate DPs and the two most important processors of the DP framework, and refer to, e.g., [1,11,12,16,17] for more details. As an example, we show how to prove termination of $\mathcal{R}_{\mathsf{divL}}$ without the base $\mathcal{B}_{\mathsf{mset}}$. We decompose the signature $\Sigma = \mathcal{C} \uplus \mathcal{D}$ of a TRS $\mathcal{R}$ such that $f \in \mathcal{D}$ if $f = \mathrm{root}(\ell)$ for some rule $\ell \to r \in \mathcal{R}$. The symbols in $\mathcal{C}$ and $\mathcal{D}$ are called *constructors* and *defined symbols* of $\mathcal{R}$, respectively. For every $f \in \mathcal{D}$, we introduce a fresh *annotated* (or "marked") symbol $f^\#$ of the same arity. Let $\mathcal{D}^\#$ denote the set of all annotated symbols, and let $\Sigma^\# = \Sigma \uplus \mathcal{D}^\#$. To ease readability, we often use capital letters like $\mathsf{F}$ instead of $\mathsf{f}^\#$. For any term $t = f(t_1,\ldots,t_n) \in \mathcal{T}(\Sigma, \mathcal{V})$ with $f \in \mathcal{D}$, let $t^\# = f^\#(t_1,\ldots,t_n)$. For each rule $\ell \to r$ and each subterm $t$ of $r$ with defined root symbol, one obtains a *dependency pair* $\ell^\# \to t^\#$. Let $\mathrm{DP}(\mathcal{R})$ denote the set of all dependency pairs of the TRS $\mathcal{R}$.

*Example 7.* For RdivL from Example 1, we obtain the following five dependency pairs.

$$\mathsf{M}(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{M}(x, y) \qquad\qquad\qquad\text{(9)}\qquad\mathsf{DL}(x, \mathsf{cons}(y, xs)) \to \mathsf{D}(x, y) \tag{12}$$

$$\mathsf{D}(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{M}(x, y) \qquad \qquad (10) \qquad \mathsf{D}\mathsf{L}(x, \mathsf{cons}(y, xs)) \to \mathsf{D}\mathsf{L}(\mathsf{div}(x, y), xs) \quad (13)$$

$$\mathsf{D}(\mathsf{s}(x), \mathsf{s}(y)) \to \mathsf{D}(\mathsf{minus}(x, y), \mathsf{s}(y)) \quad (11)$$

The DP framework operates on *DP problems* $(\mathcal{P}, \mathcal{R})$ where $\mathcal{P}$ is a (finite) set of DPs, and $\mathcal{R}$ is a (finite) TRS. A (possibly infinite) sequence $t_0, t_1, t_2, \ldots$ with $t_i \overset{\varepsilon}{\to}_{\mathcal{P}} \circ \to^*_{\mathcal{R}} t_{i+1}$ for all $i$ is a $(\mathcal{P}, \mathcal{R})$-*chain*. Here, $\overset{\varepsilon}{\to}$ denotes rewrite steps at the root. A chain represents subsequent "function calls" in evaluations. Between two function calls (corresponding to steps with $\mathcal{P}$, called **p**-steps) one can evaluate the arguments using arbitrarily many steps with $\mathcal{R}$ (called **r**-steps). So **r**-steps are rewrite steps that are needed in order to enable another **p**-step at a position above later on. Hence, $\mathsf{DL}(\mathsf{s}(\mathsf{0}), \mathsf{cons}(\mathsf{s}(\mathsf{0}), \mathsf{nil})), \mathsf{DL}(\mathsf{s}(\mathsf{0}), \mathsf{nil})$ is a $(\mathrm{DP}(\mathcal{R}_{\mathsf{divL}}), \mathcal{R}_{\mathsf{divL}})$-chain, as $\mathsf{DL}(\mathsf{s}(\mathsf{0}), \mathsf{cons}(\mathsf{s}(\mathsf{0}), \mathsf{nil})) \overset{\varepsilon}{\to}_{\mathrm{DP}(\mathcal{R}_{\mathsf{divL}})} \mathsf{DL}(\mathsf{div}(\mathsf{s}(\mathsf{0}), \mathsf{s}(\mathsf{0})), \mathsf{nil}) \to^*_{\mathcal{R}_{\mathsf{divL}}} \mathsf{DL}(\mathsf{s}(\mathsf{0}), \mathsf{nil})$.

A DP problem $(\mathcal{P}, \mathcal{R})$ is called *terminating (SN)* if there is no infinite $(\mathcal{P}, \mathcal{R})$-chain. The main result on DPs is the *chain criterion* which states that a TRS $\mathcal{R}$ is SN iff $(\mathrm{DP}(\mathcal{R}), \mathcal{R})$ is SN. The key idea of the DP framework is a *divide-and-conquer* approach which applies *DP processors* to transform DP problems into simpler sub-problems. A *DP processor* Proc has the form $\mathrm{Proc}(\mathcal{P}, \mathcal{R}) = \{(\mathcal{P}_1, \mathcal{R}_1), \ldots, (\mathcal{P}_n, \mathcal{R}_n)\}$, where $\mathcal{P}, \mathcal{P}_1, \ldots, \mathcal{P}_n$ are sets of DPs and $\mathcal{R}, \mathcal{R}_1, \ldots, \mathcal{R}_n$ are TRSs. Proc is *sound* if $(\mathcal{P}, \mathcal{R})$ is SN whenever $(\mathcal{P}_i, \mathcal{R}_i)$ is SN for all $1 \le i \le n$. It is *complete* if $(\mathcal{P}_i, \mathcal{R}_i)$ is SN for all $1 \le i \le n$ whenever $(\mathcal{P}, \mathcal{R})$ is SN.

So for a TRS R, one starts with the initial DP problem (DP(R), R) and applies sound (and preferably complete) DP processors until all sub-problems are "solved" (i.e., processors transform them to the empty set). This allows for modular termination proofs, as different techniques can be applied on each sub-problem.

One of the most important processors is the *dependency graph processor*. The (P, R)*-dependency graph* indicates which DPs can be used after each other in chains. Its set of nodes is P and there is an edge from s<sup>1</sup> → t<sup>1</sup> to s<sup>2</sup> → t<sup>2</sup> if there are substitutions σ1, σ<sup>2</sup> with t1σ<sup>1</sup> →<sup>∗</sup> <sup>R</sup> <sup>s</sup>2σ2. Any infinite (P, <sup>R</sup>)-chain corresponds to an infinite path in the dependency graph, and since the graph is finite, this infinite path must end in a strongly connected component (SCC).<sup>3</sup> Hence, it suffices to consider the SCCs of this graph independently.

**Theorem 8 (Dep. Graph Processor).** *For the SCCs* $\mathcal{P}_1, \ldots, \mathcal{P}_n$ *of the* $(\mathcal{P}, \mathcal{R})$*-dependency graph,* $\mathrm{Proc}_{\mathrm{DG}}(\mathcal{P}, \mathcal{R}) = \{(\mathcal{P}_1, \mathcal{R}), \ldots, (\mathcal{P}_n, \mathcal{R})\}$ *is sound and complete.*

<sup>3</sup> Here, a set $\mathcal{P}$ of dependency pairs is an *SCC* if it is a maximal cycle, i.e., it is a maximal set such that for any $s_1 \to t_1$ and $s_2 \to t_2$ in $\mathcal{P}$ there is a non-empty path from $s_1 \to t_1$ to $s_2 \to t_2$ which only traverses nodes from $\mathcal{P}$.

While the exact dependency graph is not computable in general, there are several techniques to over-approximate it automatically [1,12,16]. The $(\mathrm{DP}(\mathcal{R}_{\mathsf{divL}}), \mathcal{R}_{\mathsf{divL}})$-dependency graph for our example is on the right. Here, $\mathrm{Proc}_{\mathrm{DG}}(\mathrm{DP}(\mathcal{R}_{\mathsf{divL}}), \mathcal{R}_{\mathsf{divL}})$ yields $(\{(9)\}, \mathcal{R}_{\mathsf{divL}})$, $(\{(11)\}, \mathcal{R}_{\mathsf{divL}})$, and $(\{(13)\}, \mathcal{R}_{\mathsf{divL}})$.
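The following Python, added here as an illustration and not taken from the paper or from AProVE, computes $\mathrm{DP}(\mathcal{R})$ exactly as defined in Sect. 3.1 for $\mathcal{R}_{\mathsf{divL}}$, builds an over-approximated dependency graph and applies $\mathrm{Proc}_{\mathrm{DG}}$. The term encoding (a variable is a string, $f(t_1,\ldots,t_n)$ is the tuple `('f', t1, ..., tn)`, $f^\#$ is `'f#'`) and the graph estimation are our own assumptions: instead of the estimation techniques of [1,12,16], an edge from $s_1 \to t_1$ to $s_2 \to t_2$ is kept whenever $\mathrm{root}(t_1) = \mathrm{root}(s_2)$. This is a sound over-approximation because annotated root symbols are not defined in $\mathcal{R}$, so $\mathcal{R}$-steps cannot change the root of $t_1\sigma_1$. On $\mathcal{R}_{\mathsf{divL}}$ it yields the five DPs (9)–(13) and the three SCCs $\{(9)\}$, $\{(11)\}$, $\{(13)\}$ named in the text.

```python
# Added example (not the paper's or AProVE's code): DP(R) as defined in Sect. 3.1,
# an over-approximated dependency graph, its SCCs, and Proc_DG, for R_divL.
# Term encoding (our own): a variable is a str, f(t1,...,tn) is ('f', t1, ..., tn),
# and the annotated symbol f# is the string 'f#'.
ZERO, NIL = ('0',), ('nil',)
def s(t): return ('s', t)

# R_divL, rules (1)-(6) of Example 1.
R_DIVL = [
    (('minus', 'x', ZERO), 'x'),
    (('minus', s('x'), s('y')), ('minus', 'x', 'y')),
    (('div', ZERO, s('y')), ZERO),
    (('div', s('x'), s('y')), s(('div', ('minus', 'x', 'y'), s('y')))),
    (('divL', 'x', NIL), 'x'),
    (('divL', 'x', ('cons', 'y', 'xs')), ('divL', ('div', 'x', 'y'), 'xs')),
]

def is_var(t): return isinstance(t, str)
def root(t): return t[0]


def defined_symbols(rules):
    """D = { root(l) | l -> r in R }."""
    return {root(lhs) for lhs, _ in rules}


def subterms(t):
    """All subterms of t, outermost first."""
    yield t
    if not is_var(t):
        for arg in t[1:]:
            yield from subterms(arg)


def annotate(t):
    """t# = f#(t1,...,tn) for t = f(t1,...,tn)."""
    return (root(t) + '#',) + tuple(t[1:])


def dependency_pairs(rules):
    """DP(R): one pair l# -> t# per rule l -> r and subterm t of r with defined root."""
    D = defined_symbols(rules)
    return [(annotate(lhs), annotate(t))
            for lhs, rhs in rules
            for t in subterms(rhs) if not is_var(t) and root(t) in D]


def estimated_graph(dps):
    """Over-approximation of the dependency graph (our assumption, not the estimation of
    [1,12,16]): an edge from s1 -> t1 to s2 -> t2 needs t1*sigma1 ->*_R s2*sigma2; since
    annotated roots are never defined in R, root(t1) == root(s2) is a necessary condition."""
    return {i: [j for j, (s2, _) in enumerate(dps) if root(t1) == root(s2)]
            for i, (_, t1) in enumerate(dps)}


def nonempty_reach(graph):
    """reach[i] = nodes reachable from i via a non-empty path (transitive closure)."""
    reach = {i: set(graph[i]) for i in graph}
    changed = True
    while changed:
        changed = False
        for i in graph:
            for j in list(reach[i]):
                if not reach[j] <= reach[i]:
                    reach[i] |= reach[j]
                    changed = True
    return reach


def sccs(graph):
    """Maximal cycles as in footnote 3: a node that lies on no cycle belongs to no SCC."""
    reach = nonempty_reach(graph)
    comps, seen = [], set()
    for i in graph:
        if i in seen or i not in reach[i]:
            continue
        comp = frozenset(j for j in graph if j in reach[i] and i in reach[j])
        seen |= comp
        comps.append(comp)
    return comps


def proc_dg(dps, rules):
    """Proc_DG(P, R) = {(P1, R), ..., (Pn, R)} for the SCCs P1..Pn of the estimated graph."""
    return [([dps[i] for i in sorted(comp)], rules) for comp in sccs(estimated_graph(dps))]


if __name__ == "__main__":
    dps = dependency_pairs(R_DIVL)
    for lhs, rhs in dps:
        print(lhs, '->', rhs)
    for P, _ in proc_dg(dps, R_DIVL):
        print('SCC:', P)
```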

The second crucial processor adapts classical reduction orders to DP problems. A *reduction pair* $(\succsim, \succ)$ consists of two relations on terms such that $\succsim$ is reflexive, transitive, and closed under contexts and substitutions, and $\succ$ is a well-founded order that is closed under substitutions but does not have to be closed under contexts. Moreover, $\succsim$ and $\succ$ must be compatible, i.e., $\succsim \circ \succ \circ \succsim \subseteq \succ$. The *reduction pair processor* requires that all rules and dependency pairs are weakly decreasing, and it removes those DPs that are strictly decreasing.

**Theorem 9 (Reduction Pair Processor).** *Let* $(\succsim, \succ)$ *be a reduction pair such that* $\mathcal{P} \cup \mathcal{R} \subseteq \succsim$*. Then* $\mathrm{Proc}_{\mathrm{RPP}}(\mathcal{P}, \mathcal{R}) = \{(\mathcal{P} \setminus \succ, \mathcal{R})\}$ *is sound and complete.*

For example, one can use reduction pairs based on polynomial interpretations [28]. A *polynomial interpretation* Pol is a $\Sigma^\#$-algebra which maps every function symbol $f \in \Sigma^\#$ to a polynomial $f_{\mathrm{Pol}} \in \mathbb{N}[\mathcal{V}]$. $\mathrm{Pol}(t)$ denotes the *interpretation* of a term $t$ by the $\Sigma^\#$-algebra Pol. Then Pol induces a reduction pair $(\succsim, \succ)$ where $t_1 \succsim t_2$ ($t_1 \succ t_2$) holds if the inequation $\mathrm{Pol}(t_1) \ge \mathrm{Pol}(t_2)$ ($\mathrm{Pol}(t_1) > \mathrm{Pol}(t_2)$) is true for all instantiations of its variables by natural numbers.

For the three remaining DP problems $(\{(9)\}, \mathcal{R}_{\mathsf{divL}})$, $(\{(11)\}, \mathcal{R}_{\mathsf{divL}})$, and $(\{(13)\}, \mathcal{R}_{\mathsf{divL}})$ in our example, we can apply the reduction pair processor using the polynomial interpretation which maps 0 and nil to 0, s(x) to x+1, cons(y, *xs*) to *xs* + 1, DL(x, *xs*) to *xs*, and all other symbols to their first arguments. Since (9), (11), and (13) are strictly decreasing, $\mathrm{Proc}_{\mathrm{RPP}}$ transforms all three remaining DP problems into DP problems of the form $(\emptyset, \ldots)$. As $\mathrm{Proc}_{\mathrm{DG}}(\emptyset, \ldots) = \emptyset$ and all processors used are sound, this means that there is no infinite chain for the initial DP problem $(\mathrm{DP}(\mathcal{R}_{\mathsf{divL}}), \mathcal{R}_{\mathsf{divL}})$ and thus, $\mathcal{R}_{\mathsf{divL}}$ is SN.
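As an added worked example (ours, not the paper's or AProVE's code), the following Python realises the reduction pair processor of Theorem 9 with the linear polynomial interpretation stated above, and checks that all rules of $\mathcal{R}_{\mathsf{divL}}$ are weakly decreasing while (9), (11) and (13) are strictly decreasing. Linear polynomials are stored as coefficient dictionaries; the criterion "$\mathrm{Pol}(\ell) - \mathrm{Pol}(r)$ has no negative coefficient, and a positive constant for strictness" is sufficient for the inequation to hold under all instantiations by naturals, which is all that is needed here. The term encoding and the function names are our assumptions.

```python
# Added example (not the paper's or AProVE's code): the reduction pair processor of
# Theorem 9 with the linear polynomial interpretation from the text, applied to R_divL
# and to the DPs (9), (11), (13). Term encoding (our own): variable = str,
# f(t1,...,tn) = ('f', t1, ..., tn), annotated symbol F = 'f#'.
from collections import defaultdict

# A linear polynomial in N[V] is a dict {variable: coefficient}; key '' is the constant.
def poly_add(p, q):
    r = defaultdict(int, p)
    for v, c in q.items():
        r[v] += c
    return dict(r)

def poly_scale(p, k):
    return {v: k * c for v, c in p.items()}

# Interpretation of each symbol as a linear function of its arguments:
# (coefficient per argument, constant). Pol(0) = Pol(nil) = 0, Pol(s(x)) = x + 1,
# Pol(cons(y, xs)) = xs + 1, Pol(DL(x, xs)) = xs, all other symbols: first argument.
POL = {
    '0': ([], 0), 'nil': ([], 0),
    's': ([1], 1), 'cons': ([0, 1], 1), 'divL#': ([0, 1], 0),
    'minus': ([1, 0], 0), 'div': ([1, 0], 0), 'divL': ([1, 0], 0),
    'minus#': ([1, 0], 0), 'div#': ([1, 0], 0),
}


def interpret(t, pol=POL):
    """Pol(t) as a linear polynomial."""
    if isinstance(t, str):
        return {t: 1}
    coeffs, const = pol[t[0]]
    result = {'': const}
    for k, arg in zip(coeffs, t[1:]):
        if k:
            result = poly_add(result, poly_scale(interpret(arg, pol), k))
    return result


def decrease(lhs, rhs, pol=POL):
    """'strict' if Pol(l) > Pol(r), 'weak' if Pol(l) >= Pol(r) for all naturals, else None.
    Sufficient criterion for linear polynomials: Pol(l) - Pol(r) has no negative
    coefficient; it is strict if additionally its constant is positive."""
    diff = poly_add(interpret(lhs, pol), poly_scale(interpret(rhs, pol), -1))
    if any(c < 0 for c in diff.values()):
        return None
    return 'strict' if diff.get('', 0) > 0 else 'weak'


def proc_rpp(P, R, pol=POL):
    """Proc_RPP(P, R) = {(P minus the strictly decreasing DPs, R)}, provided every DP and
    rule is at least weakly decreasing; None if the reduction pair does not apply."""
    if any(decrease(l, r, pol) is None for l, r in P + R):
        return None
    return ([dp for dp in P if decrease(dp[0], dp[1], pol) != 'strict'], R)


# R_divL, rules (1)-(6), and the DPs (9), (11), (13) from the text.
ZERO, NIL = ('0',), ('nil',)
def s(t): return ('s', t)

R_DIVL = [
    (('minus', 'x', ZERO), 'x'),
    (('minus', s('x'), s('y')), ('minus', 'x', 'y')),
    (('div', ZERO, s('y')), ZERO),
    (('div', s('x'), s('y')), s(('div', ('minus', 'x', 'y'), s('y')))),
    (('divL', 'x', NIL), 'x'),
    (('divL', 'x', ('cons', 'y', 'xs')), ('divL', ('div', 'x', 'y'), 'xs')),
]
DP9 = (('minus#', s('x'), s('y')), ('minus#', 'x', 'y'))
DP11 = (('div#', s('x'), s('y')), ('div#', ('minus', 'x', 'y'), s('y')))
DP13 = (('divL#', 'x', ('cons', 'y', 'xs')), ('divL#', ('div', 'x', 'y'), 'xs'))


if __name__ == "__main__":
    for lhs, rhs in R_DIVL:
        print(lhs, '->', rhs, ':', decrease(lhs, rhs))
    for dp in (DP9, DP11, DP13):
        print('DP', dp, ':', decrease(*dp), '; Proc_RPP ->', proc_rpp([dp], R_DIVL))
```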

#### **3.2 Dependency Pairs for Relative Termination**

Up to now, we only considered DPs for ordinary termination of TRSs. The easiest idea to use DPs in the relative setting is to start with the DP problem (DP(R∪B), R∪B). This would prove termination of R∪B, which implies termination of R/B, but ignores that the rules in B do not have to terminate. Since termination of DP problems is already defined via a relative condition (finite chains can only have finitely many **p**-steps but there may exist rewrite sequences with infinitely many **r**-steps that are no chains), another idea for proving termination of R/B is to start with the DP problem (DP(R), R∪B), which only considers the DPs of R. However, this is unsound in general.

*Example 10.* The only defined symbol of $\mathcal{R}_2$ from Example 4 is $\mathsf{a}$. Since the right-hand side of $\mathcal{R}_2$'s rule does not contain defined symbols, we would get the DP problem $(\emptyset, \mathcal{R}_2 \cup \mathcal{B}_2)$, which is SN as it has no DP. Thus, we would falsely conclude that $\mathcal{R}_2/\mathcal{B}_2$ is SN. Similarly, this approach would also falsely "prove" SN for Examples 3 and 5. Thus, the standard notion of DPs is unsound for relative termination.

In [21], it was shown that under certain conditions on $\mathcal{R}$ and $\mathcal{B}$, starting with the DP problem $(\mathrm{DP}(\mathcal{R} \cup \mathcal{B}_a), \mathcal{R} \cup \mathcal{B})$ for a subset $\mathcal{B}_a \subseteq \mathcal{B}$ is sound for relative termination.<sup>4</sup> The two conditions on the TRSs are *dominance* and being *non-duplicating*. We say that $\mathcal{R}$ *dominates* $\mathcal{B}$ if defined symbols of $\mathcal{R}$ do not occur in the right-hand sides of rules of $\mathcal{B}$. A TRS is *non-duplicating* if no variable occurs more often on the right-hand side of a rule than on its left-hand side.

**Theorem 11 (First Main Result of** [21]**, Sound and Complete).** *Let* R *and* B *be TRSs such that* B *is non-duplicating and* R *dominates* B*. Then the DP problem* (DP(R), R∪B) *is SN iff* R/B *is SN.*

**Theorem 12 (Second Main Result of** [21]**, only Sound).** *Let* $\mathcal{R}$ *and* $\mathcal{B} = \mathcal{B}_a \uplus \mathcal{B}_b$ *be TRSs. If* $\mathcal{B}_b$ *is non-duplicating,* $\mathcal{R} \cup \mathcal{B}_a$ *dominates* $\mathcal{B}_b$*, and the DP problem* $(\mathrm{DP}(\mathcal{R} \cup \mathcal{B}_a), \mathcal{R} \cup \mathcal{B})$ *is SN, then* $\mathcal{R}/\mathcal{B}$ *is SN.*

*Example 13.* For the main TRS RdivL from Example 1 and base TRS Bmset from Example 2 we can apply Theorem 11 and consider the DP problem (DP(RdivL), RdivL ∪ Bmset), since Bmset is non-duplicating and RdivL dominates Bmset. As for (DP(RdivL), RdivL), the DP framework can prove that (DP(RdivL), RdivL ∪ Bmset) is SN. In this way, the tool NaTT which implements the results of [21] proves that RdivL/Bmset is SN. Note that sophisticated techniques like DPs are needed to prove SN for RdivL/Bmset because classical (simplification) orders already fail to prove termination of RdivL.

*Example 14.* As mentioned in Example 2, if we consider Bmset2 with the rule

$$\mathsf{divL}(z,\mathsf{cons}(x,\mathsf{cons}(y,zs))) \to \mathsf{divL}(z,\mathsf{cons}(y,\mathsf{cons}(x,zs)))\tag{8}$$

instead of Bmset as the base TRS, then RdivL/Bmset2 is still terminating, but we cannot use Theorem 11 since RdivL does not dominate Bmset2. If we try to split Bmset2 as in Theorem 12, then ∅ ≠ Ba ⊆ Bmset2 (Ba must be non-empty, since RdivL alone does not dominate Bmset2) implies Ba = Bmset2, but Bmset2 is non-terminating. Therefore, all previous tools for relative termination fail in proving that RdivL/Bmset2 is SN. In Sect. 4 we will present our novel DP framework which can prove relative termination of relative TRSs like RdivL/Bmset2.

As remarked in [21], Theorems 11 and 12 are unsound if one only considers *minimal* chains, i.e., if for a DP problem (P, R) one only considers chains t0, t1, ... where all ti are R-terminating. In the DP framework for ordinary rewriting, the restriction to minimal chains allows the use of further processors, e.g., based on *usable rules* [12,17] or the *subterm criterion* [17]. As shown in [21], usable rules and the subterm criterion can nevertheless be applied if B is *quasi-terminating* [4], i.e., {t | s →*_B t} is finite for every term s. This restriction would also be needed to integrate processors that rely on minimality into our new framework in Sect. 4.

⁴ As before, for the construction of DP(R∪Ba), only the root symbols of left-hand sides of R∪Ba are considered to be "defined".

#### **4 Annotated Dependency Pairs for Relative Termination**

As shown in Sect. 3.2, up to now there only exist criteria [21] that state when it is sound to apply *ordinary* DPs for proving relative termination, but there is no *specific* DP-based technique to analyze relative termination directly. For ordinary termination, we create a separate DP for each occurrence of a defined symbol in the right-hand side of a rule (and no DP is created for rules without defined symbols in their right-hand sides). This would work to detect *ordinary infinite* sequences like the one in Example 6 in the relative setting, i.e., such an infinite sequence would give rise to an infinite chain. However, as shown in Example 10, this would not suffice to detect infinite redex-creating sequences as in Examples 4 and 5. Thus, ordinary DPs are unsound for analyzing relative termination.

To solve this problem, we now adapt the concept of *annotated dependency pairs* (ADPs) for relative termination. ADPs were introduced in [23] to prove innermost almost-sure termination of probabilistic term rewriting. In the relative setting, we can use similar dependency pairs as in the probabilistic setting, but with a different rewrite relation ↪ to deal with non-innermost steps. Compared to [21], we (a) remove the requirement of dominance, which will be handled by the dependency graph processor, and (b) allow for ADP processors that are specifically designed for the relative setting before possibly moving to ordinary DPs.

The requirement that B must be non-duplicating remains, since relative non-termination because of duplicating rules is not necessarily due to the relation between the left-hand side and the subterms with defined root symbols in the right-hand side of a rule. Therefore, this cannot be captured by (A)DPs, i.e., DPs do not help in analyzing redex-duplicating sequences as in Example 3, where the crucial redex a is not generated from a "function call" in the right-hand side of a rule, but it just corresponds to a duplicated variable. To handle TRSs R/B where Bdup ⊆ B is duplicating, one can move the duplicating rules to the main TRS R and try to prove relative termination of (R∪Bdup)/(B\Bdup) instead, or one can try to find a reduction pair (≿, ≻) where ≻ is closed under contexts such that R∪B ⊆ ≿ and Bdup ⊆ ≻. Then it suffices to prove relative termination of (R \ ≻)/(B \ ≻) instead.

We will now define a notion of DPs that can detect infinite redex-creating sequences as in Example 4 with R2 = {a → b} and B2 = {f → d(f, a)}: f →_{B2} d(f, a) →_{R2} d(f, b) →_{B2} d(d(f, a), b) →_{R2} ... To this end, (1) we need a DP for the rule a → b to track the reduction of the created R2-redex a, although b is a constructor. Moreover, (2) both defined symbols f and a in the right-hand side of the rule f → d(f, a) have to be considered simultaneously: We need f to create an infinite number of R2-redexes, and we need a since it is the created R2-redex. Hence, for rules from the base TRS B2, we have to consider all possible pairs of defined symbols in their right-hand sides simultaneously.⁵ This is not needed for the main TRS R2, i.e., if the f-rule were in the main TRS, then the f in the right-hand side could be considered separately from the a that it generates. Therefore, we distinguish between *main* and *base ADPs* (that are generated from the main and the base TRS, respectively).

As in [23], we now annotate defined symbols directly in the original rewrite rule instead of extracting annotated subterms from its right-hand side. In this way, we may have terms containing several annotated symbols, which allows us to consider pairs of defined symbols in right-hand sides simultaneously. At the same time, an ADP maintains the information on the positions of the subterms in the original right-hand side. (This information will be needed for the "completeness" of the chain criterion in Theorem 23, i.e., it allows us to obtain an *equivalent* characterization of relative termination via chains of ADPs.⁶)

**Definition 15 (Annotations).** *For t ∈ T(Σ#, V) and X ⊆ Σ# ∪ V, let Pos_X(t) be the set of all positions of t with symbols or variables from X. For Φ ⊆ Pos_{D∪D#}(t), #_Φ(t) is the variant of t where the symbols at positions from Φ are annotated and all other annotations are removed. Thus, Pos_{D#}(#_Φ(t)) = Φ, and #_∅(t) removes all annotations from t, where we often write ♭(t) instead of #_∅(t). Moreover, for a singleton {π}, we often write #_π instead of #_{π}. We write t ⊴#^π s if π ∈ Pos_{D#}(s) and t = ♭(s|_π) (i.e., t results from a subterm of s with annotated root symbol by removing its annotations). We also write ⊴# instead of ⊴#^π if π is irrelevant.*

*Example 16.* If f ∈ D, then we have #_1(f(f(x))) = #_1(F(F(x))) = f(F(x)) and ♭(F(F(x))) = f(f(x)). Moreover, we have f(x) ⊴#^1 f(F(x)).

While in [23] all defined symbols on the right-hand sides of rules were annotated, we now define our novel variant of *annotated dependency pairs* for relative rewriting. As explained before Definition 15, we have to track (at most) two redexes for base ADPs and only one redex for main ADPs.

**Definition 17 (Annotated Dependency Pair).** *A rule ℓ → r with ℓ ∈ T(Σ, V) \ V, r ∈ T(Σ#, V), and V(r) ⊆ V(ℓ) is called an annotated dependency pair (ADP). Let D be the defined symbols of R∪B, and for n ∈ ℕ, let A_n(ℓ → r) = {ℓ → #_Φ(r) | Φ ⊆ Pos_D(r), |Φ| = min(n, |Pos_D(r)|)}. The canonical main ADPs for R are A1(R) = ⋃_{ℓ→r∈R} A1(ℓ → r) and the canonical base ADPs for B are A2(B) = ⋃_{ℓ→r∈B} A2(ℓ → r).*

So the left-hand side of an ADP is just the left-hand side of the original rule. The right-hand side results from the right-hand side of the original rule by replacing certain defined symbols f with f#.

⁵ For relative termination, it suffices to consider *pairs* of defined symbols. The reason is that to "track" a non-terminating reduction, one only has to consider a single redex plus possibly another redex of the base TRS which may later create a redex of the main TRS again.

⁶ This is the main advantage of ADPs over related formalisms like *dependency tuples* [22,32] where this information on the positions is lost. Therefore, as shown in [23] for almost-sure termination analysis of probabilistic term rewriting, using ADPs instead of DTs leads to a more elegant, more powerful, and less complicated framework.

*Example 18.* The canonical ADPs of Example 4 are A1(R2) = {a → b} and A2(B2) = {f → d(F, A)} and for Example 5 we get A1(R3) = {a(x) → b(x)} and A2(B3) = {f → A(F)}. For RdivL/Bmset2 from Examples 1 and 14, the ADPs A1(RdivL) are

$$\begin{array}{ll}
\mathsf{minus}(x,\mathsf{0}) \to x \quad (14) & \mathsf{div}(\mathsf{s}(x),\mathsf{s}(y)) \to \mathsf{s}(\mathsf{D}(\mathsf{minus}(x,y),\mathsf{s}(y))) \quad (18)\\
\mathsf{minus}(\mathsf{s}(x),\mathsf{s}(y)) \to \mathsf{M}(x,y) \quad (15) & \mathsf{div}(\mathsf{s}(x),\mathsf{s}(y)) \to \mathsf{s}(\mathsf{div}(\mathsf{M}(x,y),\mathsf{s}(y))) \quad (19)\\
\mathsf{div}(\mathsf{0},\mathsf{s}(y)) \to \mathsf{0} \quad (16) & \mathsf{divL}(x,\mathsf{cons}(y,xs)) \to \mathsf{DL}(\mathsf{div}(x,y),xs) \quad (20)\\
\mathsf{divL}(x,\mathsf{nil}) \to x \quad (17) & \mathsf{divL}(x,\mathsf{cons}(y,xs)) \to \mathsf{divL}(\mathsf{D}(x,y),xs) \quad (21)
\end{array}$$

and A2(Bmset2) contains

$$\mathsf{divL}(z,\mathsf{cons}(x,\mathsf{cons}(y,zs))) \to \mathsf{DL}(z,\mathsf{cons}(y,\mathsf{cons}(x,zs))) \tag{22}$$

In [23], ADPs were only used for innermost rewriting. We now modify their rewrite relation and define what happens with annotations inside the substitutions during a rewrite step. To simulate redex-creating sequences as in Example 5 with ADPs (where the position of the created redex a(...) is above the position of the creating redex f), ADPs should be able to rewrite above annotated arguments without removing their annotation (we will demonstrate that in Example 25). Thus, for an ADP ℓ → r with a variable ℓ|_π = x, we use a *variable reposition function (VRF)* to indicate which occurrence of x in r should keep the annotations if one rewrites an instance of ℓ where the subterm at position π is annotated. So a VRF maps positions of variables in the left-hand side of a rule to positions of the same variable in the right-hand side.

**Definition 19 (Variable Reposition Function).** *Let ℓ → r be an ADP. A function ϕ : Pos_V(ℓ) → Pos_V(r) ⊎ {⊥} is called a variable reposition function (VRF) for ℓ → r iff ℓ|_π = r|_{ϕ(π)} whenever ϕ(π) ≠ ⊥.*

*Example 20.* For the ADP a(x) → b(x) for R3 from Example 5, if x on position 1 of the left-hand side is instantiated by F, then the VRF ϕ(1) = 1 indicates that this ADP rewrites A(F) to b(F), while ϕ(1) = ⊥ means that it rewrites A(F) to b(f).

With VRFs we can define the rewrite relation for ADPs w.r.t. full rewriting.

**Definition 21 (↪_P).** *Let P be a set of ADPs. A term s ∈ T(Σ#, V) rewrites to t using P (denoted s ↪_P t) if there are an ADP ℓ → r ∈ P, a substitution σ, a position π ∈ Pos_{D∪D#}(s) such that ♭(s|_π) = ℓσ, a VRF ϕ for ℓ → r, and⁷*

$$\begin{array}{lll} t = s[\#_{\Phi}(r\sigma)]_{\pi} & \quad \text{if } \pi \in \mathrm{Pos}_{\mathcal{D}^{\#}}(s) & \quad (\mathbf{pr})\\ t = s[\#_{\Psi}(r\sigma)]_{\pi} & \quad \text{if } \pi \in \mathrm{Pos}_{\mathcal{D}}(s) & \quad (\mathbf{r}) \end{array}$$

*with Ψ = {ϕ(ρ).τ | ρ ∈ Pos_V(ℓ), ϕ(ρ) ≠ ⊥, ρ.τ ∈ Pos_{D#}(s|_π)} and Φ = Pos_{D#}(r) ∪ Ψ.*

⁷ In [23] there were two additional cases in the definition of the corresponding rewrite relation. One of them was needed for processors that restrict the rules applicable for **r**-steps (e.g., based on usable rules), and the other case was needed to ensure that the innermost evaluation strategy is not affected by the application of ADP processors. This is unnecessary here since we consider full rewriting. On the other hand, VRFs are new compared to [23], since they are not needed for innermost rewriting.

So Ψ considers all positions of annotated symbols in s|_π that are below positions ρ of variables in ℓ. If the VRF maps ρ to a variable position ρ' in r, then the annotations below π.ρ in s are kept in the resulting subterm at position π.ρ' after the rewriting.

Rewriting with P is like ordinary term rewriting, while considering and modifying annotations. Note that we represent a DP resulting from a rule as well as the original rule by just one ADP. So the ADP div(s(x), s(y)) → s(D(minus(x, y), s(y))) represents both the DP resulting from div in the right-hand side of the rule (4), and the rule (4) itself (by simply disregarding all annotations of the ADP).

Similar to the classical DP framework, our goal is to track specific reduction sequences. As before, there are **p**-steps where a DP is applied at the position of an annotated symbol. These steps may introduce new annotations. Moreover, between two **p**-steps there can be several **r**-steps.

A step of the form (**pr**) at position π in Definition 21 represents a **p**- or an **r**-step (or both), where an **r**-step is only possible if one later rewrites an annotated symbol at a position above π. All annotations are kept during this step except for annotations of subterms that correspond to variables of the applied rule. Here, the used VRF ϕ determines which of these annotations are kept and which are removed. As an example, with the canonical ADP a(x) → b(x) from A1(R3) we can rewrite A(F) ↪_{A1(R3)} b(F) as in Example 20. Here, we have π = ε, ♭(s|_ε) = a(f) = ℓσ, r = b(x), and the VRF ϕ with ϕ(1) = 1 such that the annotation of F in A's argument is kept in the argument of b.

A step of the form (**r**) rewrites at the position of a non-annotated defined symbol, and represents just an **r**-step. Hence, we remove all annotations from the right-hand side r of the ADP. However, we may have to keep the annotations inside the substitution, hence we move them according to the VRF. For example, we obtain the rewrite step s(D(minus(s(0), s(0)), s(0))) ↪_{A1(RdivL)} s(D(minus(0, 0), s(0))) using the ADP minus(s(x), s(y)) → M(x, y) (15) and any VRF.

A *(relative) ADP problem* has the form (P, S), where P and S are finite sets of ADPs. P is the set of all main ADPs and S is the set of all base ADPs. Now we can define chains in the relative setting.

**Definition 22 (Chains and Terminating ADP Problems).** *Let (P, S) be an ADP problem. A sequence of terms t0, t1, ... with ti ∈ T(Σ#, V) is a (P, S)-chain if we have ti ↪_{P∪S} t_{i+1} for all i ∈ ℕ. The chain is called infinite if infinitely many of these rewrite steps use ↪_P with Case (**pr**). We say that an ADP problem (P, S) is terminating (SN) if there is no infinite (P, S)-chain.*

Note the two different forms of relativity in Definition 22: In a finite chain, we may not only use infinitely many steps with S but also infinitely many steps with P where Case (**r**) applies. Thus, an ADP problem (P, S) without annotated symbols or without any main ADPs (i.e., where P = ∅) is obviously SN. Finally, we obtain our desired chain criterion.

**Theorem 23 (Chain Criterion for Relative Rewriting).** *Let* R *and* B *be TRSs such that* B *is non-duplicating. Then* R/B *is SN iff the ADP problem* (A1(R), A2(B)) *is SN.*

*Example 24.* The infinite rewrite sequence of Example 4 can be simulated by the following infinite chain using A1(R2) = {a → b} and A2(B2) = {f → d(F, A)}.

$$\mathsf{F} \hookrightarrow_{\mathcal{A}_2(\mathcal{B}_2)} \mathsf{d}(\mathsf{F},\mathsf{A}) \hookrightarrow_{\mathcal{A}_1(\mathcal{R}_2)} \mathsf{d}(\mathsf{F},\mathsf{b}) \hookrightarrow_{\mathcal{A}_2(\mathcal{B}_2)} \mathsf{d}(\mathsf{d}(\mathsf{F},\mathsf{A}),\mathsf{b}) \hookrightarrow_{\mathcal{A}_1(\mathcal{R}_2)} \dots$$

The steps with ↪_{A2(B2)} use Case (**pr**) at the position of the annotated symbol F and the steps with ↪_{A1(R2)} use (**pr**) as well. For this infinite chain, we indeed need two annotated symbols in the right-hand side of the base ADP: If A were not annotated (i.e., if we had the ADP f → d(F, a)), then the step with ↪_{A1(R2)} would just use Case (**r**) and the chain would not be considered "infinite". If F were not annotated (i.e., if we had the ADP f → d(f, A)), then we would have the step f ↪_{A2(B2)} d(f, a) which uses Case (**r**) and removes all annotations from the right-hand side. Hence, again the chain would not be considered "infinite".

*Example 25.* The infinite rewrite sequence of Example 5 is simulated by the following chain with A1(R3) = {a(x) → b(x)} and A2(B3) = {f → A(F)}.

$$\underline{\mathsf{F}} \hookrightarrow_{\mathcal{A}_2(\mathcal{B}_3)} \underline{\mathsf{A}}(\mathsf{F}) \hookrightarrow_{\mathcal{A}_1(\mathcal{R}_3)} \mathsf{b}(\underline{\mathsf{F}}) \hookrightarrow_{\mathcal{A}_2(\mathcal{B}_3)} \mathsf{b}(\underline{\mathsf{A}}(\mathsf{F})) \hookrightarrow_{\mathcal{A}_1(\mathcal{R}_3)} \mathsf{b}(\mathsf{b}(\underline{\mathsf{F}})) \hookrightarrow_{\mathcal{A}_2(\mathcal{B}_3)} \dots$$

Here, it is important to use the VRF ϕ(1) = 1 for a(x) → b(x) which keeps the annotation of A's argument F when rewriting with A1(R3), i.e., these steps must yield b(F) instead of b(f) to generate further subterms A(...) afterwards.
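As an added illustration of Definitions 17 and 21 (this is example code written for this page, not the authors' implementation and not part of AProVE or NaTT), the following Python script represents terms with annotations, generates the canonical ADPs A1 and A2, implements the rewrite relation ↪_P with its (**pr**) and (**r**) cases and a VRF, and replays the chains of Examples 24 and 25. The names `App`, `canonical_adps`, `adp_step`, `run_chain` and the rendering of an annotated symbol as `f#` (the paper's F) are choices made here; the TRSs are the page's R2/B2, R3/B3 and the divL rule of Example 1.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class App:
    """Application over Σ ∪ Σ#; variables are plain str. ann=True marks an annotated symbol (F prints as f#)."""
    sym: str
    args: tuple = ()
    ann: bool = False
    def __str__(self):
        head = self.sym + ("#" if self.ann else "")
        return head + (f"({', '.join(map(str, self.args))})" if self.args else "")

def positions(t, pred):
    """Pos_X(t) of Definition 15: positions (tuples of 1-based indices) whose subterm satisfies pred."""
    here = [()] if pred(t) else []
    if isinstance(t, App):
        for i, a in enumerate(t.args, 1):
            here += [(i,) + p for p in positions(a, pred)]
    return here

def subterm(t, pos):
    return t if not pos else subterm(t.args[pos[0] - 1], pos[1:])

def replace_at(t, pos, new):
    if not pos:
        return new
    args = list(t.args)
    args[pos[0] - 1] = replace_at(args[pos[0] - 1], pos[1:], new)
    return App(t.sym, tuple(args), t.ann)

def annotate(t, phi, here=()):
    """#_Phi(t): annotate exactly the positions in phi and drop every other annotation."""
    if isinstance(t, str):
        return t
    return App(t.sym, tuple(annotate(a, phi, here + (i,)) for i, a in enumerate(t.args, 1)), here in phi)

flat = lambda t: annotate(t, set())               # the paper's flat(t) = #_{emptyset}(t)
is_annotated = lambda t: isinstance(t, App) and t.ann

def canonical_adps(rules, defined, n):
    """A_n(l -> r) of Definition 17 (n = 1: main ADPs A_1, n = 2: base ADPs A_2)."""
    out = set()
    for l, r in rules:
        pos_d = positions(r, lambda u: isinstance(u, App) and u.sym in defined)
        for phi in combinations(pos_d, min(n, len(pos_d))):   # |Phi| = min(n, |Pos_D(r)|)
            out.add((l, annotate(r, set(phi))))
    return out

def match(pat, t, sub):   # syntactic matching of an unannotated pattern against an unannotated term
    if isinstance(pat, str):
        return sub.setdefault(pat, t) == t
    return (isinstance(t, App) and pat.sym == t.sym and len(pat.args) == len(t.args)
            and all(match(p, a, sub) for p, a in zip(pat.args, t.args)))

def apply(t, sub):
    return sub.get(t, t) if isinstance(t, str) else App(t.sym, tuple(apply(a, sub) for a in t.args), t.ann)

def adp_step(s, adp, pi, vrf):
    """One step s ->_P t at position pi with ADP l -> r and VRF vrf (Definition 21); vrf maps variable
    positions of l to positions of the same variable in r. Returns (t, "pr"), (t, "r") or None."""
    l, r = adp
    redex = subterm(s, pi)
    sigma = {}
    if isinstance(redex, str) or not match(l, flat(redex), sigma):
        return None
    psi = set()  # Psi: annotations below matched variables, moved to where the VRF points
    for rho in positions(l, lambda u: isinstance(u, str)):
        if rho in vrf:
            assert subterm(l, rho) == subterm(r, vrf[rho]), "a VRF maps to the same variable"
            psi |= {vrf[rho] + q[len(rho):] for q in positions(redex, is_annotated) if q[:len(rho)] == rho}
    if redex.ann:  # case (pr): Phi = Pos_D#(r) ∪ Psi, so r's own annotations survive
        return replace_at(s, pi, annotate(apply(r, sigma), set(positions(r, is_annotated)) | psi)), "pr"
    return replace_at(s, pi, annotate(apply(r, sigma), psi)), "r"  # case (r): only Psi survives

def run_chain(start, steps):
    """Apply (ADP, position, VRF) steps in turn; returns all terms and the case of every step."""
    terms, cases = [start], []
    for adp, pi, vrf in steps:
        t, case = adp_step(terms[-1], adp, pi, vrf)
        terms.append(t)
        cases.append(case)
    return terms, cases

# Constructed inputs: R2/B2 and R3/B3 of Examples 4 and 5, and the divL rule of Example 1.
a, b, f, F = App("a"), App("b"), App("f"), App("f", ann=True)
R2, B2 = [(a, b)], [(f, App("d", (f, a)))]
R3, B3 = [(App("a", ("x",)), App("b", ("x",)))], [(f, App("a", (f,)))]
A1_R2, A2_B2 = canonical_adps(R2, {"a", "f"}, 1), canonical_adps(B2, {"a", "f"}, 2)
A1_R3, A2_B3 = canonical_adps(R3, {"a", "f"}, 1), canonical_adps(B3, {"a", "f"}, 2)
divL_rule = (App("divL", ("x", App("cons", ("y", "xs")))), App("divL", (App("div", ("x", "y")), "xs")))

def example24():  # Example 24: F -> d(F,A) -> d(F,b) -> d(d(F,A),b) -> d(d(F,b),b), all (pr)-steps
    (fb,), (ab,) = A2_B2, A1_R2
    return run_chain(F, [(fb, (), {}), (ab, (2,), {}), (fb, (1,), {}), (ab, (1, 2), {})])

def example25(keep_annotation=True):  # Example 25; the VRF phi(1) = 1 keeps F annotated under b
    (fb,), (ab,) = A2_B3, A1_R3
    vrf = {(1,): (1,)} if keep_annotation else {}
    return run_chain(F, [(fb, (), {}), (ab, (), vrf), (fb, (1,), {}), (ab, (1,), vrf)])
```

Calling `example25(keep_annotation=False)` reproduces the point of Example 25: with ϕ(1) = ⊥ the second step yields b(f), so the third and fourth steps fall into Case (**r**) and the sequence is no longer an infinite chain. Likewise, applying a → b at position 2 of d(F, a) (the variant of Example 24 with A unannotated) is an (**r**)-step.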

#### **5 The Relative ADP Framework**

Now we present processors for our novel relative ADP framework. An *ADP processor* Proc has the form Proc(P, S) = {(P1, S1), ..., (Pn, Sn)}, where P, P1, ..., Pn, S1, ..., Sn are sets of ADPs. Proc is *sound* if (P, S) is SN whenever (Pi, Si) is SN for all 1 ≤ i ≤ n. It is *complete* if (Pi, Si) is SN for all 1 ≤ i ≤ n whenever (P, S) is SN. To prove relative termination of R/B, we start with the canonical ADP problem (A1(R), A2(B)) and apply sound (and preferably complete) ADP processors until all sub-problems are transformed to the empty set.

In Sect. 5.1, we present two processors to remove (base) ADPs, and in Sects. 5.2 and 5.3, we adapt the main processors of the classical DP framework from Sect. 3.1 to the relative setting. As mentioned, the soundness and completeness proofs for our processors and the chain criterion (Theorem 23) can be found in [24].

#### **5.1 Derelatifying Processors**

The following two *derelatifying* processors can be used to switch from ADPs to ordinary DPs, similar to Theorems 11 and 12. We extend ♭ to ADPs and sets of ADPs S by defining ♭(ℓ → r) = ℓ → ♭(r) and ♭(S) = {ℓ → ♭(r) | ℓ → r ∈ S}.

If the ADPs in S contain no annotations anymore, then it suffices to use ordinary DPs. The corresponding set of DPs for a set of ADPs P is defined as dp(P) = {ℓ# → t# | ℓ → r ∈ P, t ⊴# r}.

**Theorem 26 (Derelatifying Processor (1)).** *Let (P, S) be an ADP problem such that ♭(S) = S. Then ProcDRP1(P, S) = ∅ is sound and complete iff the ordinary DP problem (dp(P), ♭(P∪S)) is SN.*

Furthermore, similar to Theorem 12, we can always move ADPs from S to P, but such a processor is only sound and not complete. However, it may help to satisfy the requirements of Theorem 26 by moving ADPs with annotations from S to P such that the ordinary DP framework can be used afterwards.

**Theorem 27 (Derelatifying Processor (2)).** *Let (P, S) be an ADP problem, and let S = Sa ⊎ Sb. Then ProcDRP2(P, S) = {(P ∪ split(Sa), Sb)} is sound. Here, split(Sa) = {ℓ → #_π(r) | ℓ → r ∈ Sa, π ∈ Pos_{D#}(r)}.*

So if Sa contains an ADP with two annotations, then we split it into two ADPs, where each only contains a single annotation.

*Example 28.* There are also redex-creating examples that are terminating, e.g., R2 = {a → b} and the base TRS B2' = {f(s(y)) → d(f(y), a)}. Relative (and full) termination of this example can easily be shown by using the second derelatifying processor from Theorem 27 to replace the base ADP f(s(y)) → d(F(y), A) by the main ADPs f(s(y)) → d(F(y), a) and f(s(y)) → d(f(y), A). Then the processor of Theorem 26 is used to switch to the ordinary DPs F(s(y)) → F(y) and F(s(y)) → A.

#### **5.2 Relative Dependency Graph Processor**

Next, we develop a dependency graph processor in the relative setting. The definition of the dependency graph is analogous to the one in the standard setting and thus, the same techniques can be used to over-approximate it automatically.

**Definition 29 (Relative Dependency Graph).** *Let (P, S) be an ADP problem. The (P, S)-dependency graph has the set of nodes P∪S and there is an edge from ℓ1 → r1 to ℓ2 → r2 if there exist substitutions σ1, σ2 and a term t ⊴# r1 such that t#σ1 →*_{♭(P∪S)} ℓ2#σ2.*

So similar to the standard dependency graph, there is an edge from an ADP ℓ1 → r1 to ℓ2 → r2 if the rules of ♭(P∪S) (without annotations) can reduce an instance of a subterm t of r1 to an instance of ℓ2, if one only annotates the roots of t and ℓ2 (i.e., then the rules can only be applied below the root).

**Fig. 1.** (A1(RdivL), A2(Bmset2))-Dep. Graph. **Fig. 2.** (A1(R2), A2(B2))-Dep. Graph.

*Example 30.* The dependency graph for the ADP problem (A1(RdivL), A2(Bmset2)) from Example 18 is shown in Fig. 1. Here, nodes from A1(RdivL) are denoted by rectangles and the node from A2(Bmset2) is a circle.

To detect possible ordinary infinite rewrite sequences as in Example 6, we again have to regard SCCs of the dependency graph, where we only need to consider SCCs that contain a node from P, because otherwise, all steps in the SCC are relative (base) steps. However, in the relative ADP framework, nontermination can also be due to chains representing redex-creating sequences. Here, it does not suffice to look at SCCs. Thus, the relative dependency graph processor differs substantially from the corresponding processor for ordinary rewriting (and also from the corresponding processor for the probabilistic ADP framework in [23]).

*Example 31 (Dependency Graph for Redex-Creating TRSs).* For R2 and B2 from Example 4, the dependency graph for (A1(R2), A2(B2)) from Example 24 is in Fig. 2. Here, we cannot regard the SCC {f → d(F, A)} separately, as we need A1(R2)'s rule a → b to reduce the created redex. To find the ADPs that can reduce the created redexes, we have to regard the outgoing paths from the SCCs of S to ADPs of P.

The structure that we are looking for in the redex-creating case is a path from an SCC to a node from P (i.e., a form of a *lasso*), which is *minimal* in the sense that if we reach a node from P, then we stop and do not move further along the edges of the graph. Moreover, the SCC needs to contain an ADP with more than one annotated symbol, as otherwise the generation of the infinitely many P-redexes would not be possible. Here, it suffices to look at SCCs in the graph restricted to only S-nodes (i.e., in the (♭(P), S)-dependency graph). The reason is that if the SCC contains a node from P, then as mentioned above, we have to prove anyway that the SCC does not give rise to infinite chains.

**Definition 32 (SCC^{P'}_{(P,S)}, Lasso).** *Let (P, S) be an ADP problem. For any P' ⊆ P∪S, let SCC^{P'}_{(P,S)} denote the set of all SCCs of the (P, S)-dependency graph that contain an ADP from P'. Moreover, let S_{>1} ⊆ S denote the set of all ADPs from S with more than one annotation. Then the set of all minimal lassos is defined as Lasso = {Q ∪ {n1, ..., nk} | Q ∈ SCC^{S_{>1}}_{(♭(P),S)}, n1, ..., nk is a path in the (♭(P), S)-dependency graph such that n1 ∈ Q and nk ∈ ♭(P)}.*

We remove the annotations of ADPs which do not have to be considered anymore for **p**-steps due to the dependency graph, but we keep the ADPs for possible **r**-steps and thus, consider them as relative (base) ADPs.

**Theorem 33 (Dep. Graph Processor).** *Let (P, S) be an ADP problem. Then*

$$\mathrm{Proc}_{\mathrm{DG}}(\mathcal{P},\mathcal{S}) = \{(\mathcal{P}\cap Q,\ (\mathcal{S}\cap Q)\cup \flat((\mathcal{P}\cup\mathcal{S})\setminus Q)) \mid Q \in \mathrm{SCC}^{\mathcal{P}}_{(\mathcal{P},\mathcal{S})} \cup \mathrm{Lasso}\}$$

*is sound and complete.*

*Example 34.* For (A1(RdivL), A2(Bmset2)) from Example 30 we have three SCCs {(15)}, {(18)}, and {(20), (22)} containing nodes from A1(RdivL). The set {(22)} is the only SCC of (♭(A1(RdivL)), A2(Bmset2)) and there are paths from that SCC to the ADPs (20) and (21) of P. However, they are not in Lasso, because the SCC {(22)} does not contain an ADP with more than one annotation. Hence, we result in the three new ADP problems ({(15)}, {(22)} ∪ ♭(A1(RdivL) \ {(15)})), ({(18)}, {(22)} ∪ ♭(A1(RdivL) \ {(18)})), and ({(20)}, {(22)} ∪ ♭(A1(RdivL) \ {(20)})). For the first two of these new ADP problems, we can use the derelatifying processor of Theorem 26 and prove SN via ordinary DPs, since their base ADPs do not contain any annotated symbols anymore.
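To make SCC^{P'}_{(P,S)} and the minimal lassos of Definition 32 concrete, here is an added example (written for this page; not the paper's or AProVE's code) that runs the dependency graph processor of Theorem 33 on the two graphs of Figs. 1 and 2. The graphs are entered by hand from the page's description of Examples 30, 31 and 34 rather than over-approximated from the terms, the ADPs of Fig. 1 are named by their numbers (14) through (22) from Example 18, and an ADP in a base set is represented by its annotation count so that ♭ amounts to setting the count to 0. The names `proc_dg`, `minimal_lassos`, `E1`, `E2` and so on are choices made here.

```python
def reachability(edges):
    """Pairs (u, v) with a path of length >= 1 from u to v (transitive closure by iteration)."""
    reach = {(u, v) for u, vs in edges.items() for v in vs}
    while True:
        new = {(a, d) for (a, b) in reach for (c, d) in reach if b == c} - reach
        if not new:
            return reach
        reach |= new

def sccs(edges):
    """Nontrivial SCCs of the graph: node sets lying on a cycle (a single node needs a self-edge)."""
    reach = reachability(edges)
    return {frozenset(v for v in edges if (u, v) in reach and (v, u) in reach)
            for u in edges if (u, u) in reach}

def without_main_annotations(edges, P):
    """Edges of the (flat(P), S)-dependency graph: ADPs of flat(P) carry no annotation, so they
    have no outgoing edges; edges into them remain."""
    return {u: (set() if u in P else set(vs)) for u, vs in edges.items()}

def minimal_lassos(edges, P, S, anns):
    """Definition 32: an SCC Q of the (flat(P), S)-graph containing an ADP of S with more than one
    annotation, together with a path from Q that stops at the first node of flat(P)."""
    g = without_main_annotations(edges, P)
    out = set()
    for Q in sccs(g):
        if not any(anns[n] > 1 for n in Q if n in S):
            continue
        stack = [(n, (n,)) for n in Q]
        while stack:
            n, path = stack.pop()
            for m in g[n]:
                if m in P:
                    out.add(Q | frozenset(path + (m,)))
                elif m not in path:            # continue only along simple paths through S-nodes
                    stack.append((m, path + (m,)))
    return out

def proc_dg(P, S, anns, edges):
    """Theorem 33: one sub-problem (P ∩ Q, (S ∩ Q) ∪ flat((P ∪ S) minus Q)) per SCC that contains
    a main ADP and per minimal lasso. anns maps each ADP to its number of annotations; an ADP
    outside Q is kept as a base ADP with count 0 (that is, flattened)."""
    nodes = P | S
    edges = {n: set(edges.get(n, ())) for n in nodes}
    Qs = {Q for Q in sccs(edges) if Q & P} | minimal_lassos(edges, P, S, anns)
    return [(P & Q, {n: (anns[n] if n in Q else 0) for n in (S & Q) | (nodes - Q)}) for Q in Qs]

# Fig. 2, the (A1(R2), A2(B2))-dependency graph of Example 31 (edges written down by hand from
# the page; a tool would over-approximate them from the terms as for ordinary DPs).
P2, S2 = {"a→b"}, {"f→d(F,A)"}
ANN2 = {"a→b": 0, "f→d(F,A)": 2}
E2 = {"f→d(F,A)": {"f→d(F,A)", "a→b"}}

# Fig. 1, the (A1(RdivL), A2(Bmset2))-dependency graph of Example 30, nodes named by the ADP
# numbers of Example 18. Edges into the annotation-free ADPs (14), (16), (17) are left out:
# they cannot lie on an SCC, and as no base ADP has two annotations there are no lassos.
P1, S1 = {14, 15, 16, 17, 18, 19, 20, 21}, {22}
ANN1 = {14: 0, 15: 1, 16: 0, 17: 0, 18: 1, 19: 1, 20: 1, 21: 1, 22: 1}
E1 = {15: {15}, 18: {18, 19}, 19: {15}, 20: {20, 21, 22}, 21: {18, 19}, 22: {20, 21, 22}}
```

For Fig. 2 the only SCC {f → d(F, A)} contains no main ADP, but it is in S_{>1} and has an edge to a → b, so the single resulting problem is the lasso ({a → b}, {f → d(F, A)}) with the base ADP keeping both annotations. For Fig. 1 the processor returns exactly the three problems of Example 34, with (22) the only base ADP that keeps its annotation.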

The dependency graph processor in combination with the derelatifying processors of Theorems 26 and 27 already subsumes the techniques of Theorems 11 and 12. The reason is that if R dominates B, then there is no edge from an ADP of A2(B) to any ADP of A1(R) in the (A1(R), A2(B))-dependency graph. Hence, there are no minimal lassos and the dependency graph processor just creates ADP problems from the SCCs of A1(R) where the base ADPs do not have any annotations anymore. Then Theorem 26 allows us to switch to ordinary DPs. For example, if we consider Bmset instead of Bmset2, then the dependency graph processor yields the three sub-problems for the SCCs {(15)}, {(18)}, and {(20)}, where the base ADPs do not contain annotations anymore. Then, we can move to ordinary DPs via Theorem 26.

Compared to Theorems 11 and 12, the dependency graph allows for more precise over-approximations than just "dominance" to detect when the base ADPs do not depend on the main ADPs. Moreover, the derelatifying processors of Theorems 26 and 27 allow us to switch to the ordinary DP framework also for sub-problems which result from the application of other processors of our relative ADP framework. In other words, Theorems 26 and 27 allow us to apply this switch in a modular way, even if their prerequisites do not hold for the initial canonical ADP problem (i.e., even if the prerequisites of Theorems 11 and 12 do not hold for the whole TRSs).

#### **5.3 Relative Reduction Pair Processor**

Next, we adapt the reduction pair processor to ADPs for relative rewriting. While the reduction pair processor for ADPs in the probabilistic setting [23] was restricted to polynomial interpretations, we now allow arbitrary reduction pairs using a similar idea as in [18] for complexity analysis via DPs.

To find out which ADPs cannot be used for infinitely many **p**-steps, the idea is not to compare the annotated left-hand side with the whole right-hand side, but just with the set of its annotated subterms. To combine these subterms in the case of ADPs with two or no annotated symbols, we extend the signature by two fresh *compound* symbols c0 and c2 of arity 0 and 2, respectively. Similar to [18], we have to use c*-monotonic* and c*-invariant* reduction pairs.

**Definition 35 (c-Monotonic, c-Invariant).** *For r ∈ T(Σ#, V), we define ann(r) = c0 if r does not contain any annotation, ann(r) = t# if t ⊴# r and r only contains one annotated symbol, and ann(r) = c2(r1#, r2#) if r1 ⊴#^{π1} r, r2 ⊴#^{π2} r, and π1 <lex π2 where <lex is the (total) lexicographic order on positions.*

*A reduction pair (≿, ≻) is called c-monotonic if c2(s1, t) ≻ c2(s2, t) and c2(t, s1) ≻ c2(t, s2) for all s1, s2, t ∈ T(Σ#, V) with s1 ≻ s2. Moreover, it is c-invariant if c2(s1, s2) ∼ c2(s2, s1) and c2(s1, c2(s2, s3)) ∼ c2(c2(s1, s2), s3) for ∼ = ≿ ∩ ≾ and all s1, s2, s3 ∈ T(Σ#, V).*

So for example, reduction pairs based on polynomial interpretations are c-monotonic and c-invariant if c2(x, y) is interpreted by x + y.

For an ADP problem (P, S), now the reduction pair processor has to orient the non-annotated rules ♭(P∪S) weakly and for all ADPs ℓ → r, it compares the annotated left-hand side ℓ# with ann(r). In strictly decreasing ADPs, one can then remove all annotations and consider them as relative (base) ADPs again.

**Theorem 36 (Reduction Pair Processor).** *Let (P, S) be an ADP problem and let (≿, ≻) be a c-monotonic and c-invariant reduction pair such that ♭(P ∪ S) ⊆ ≿ and ℓ# ≿ ann(r) for all ℓ → r ∈ P∪S. Moreover, let P' ⊆ P∪S such that ℓ# ≻ ann(r) for all ℓ → r ∈ P'. Then ProcRPP(P, S) = {(P \ P', (S \ P') ∪ ♭(P'))} is sound and complete.*

*Example 37.* For the remaining ADP problem ({(20)}, {(22)} ∪ (A₁(RdivL) \ {(20)})) from Example 34, we can apply the reduction pair processor using the polynomial interpretation from the end of Sect. 3.1 which maps 0 and nil to 0, s(x) to x + 1, cons(y, *xs*) to *xs* + 1, DL(x, *xs*) to *xs*, and all other symbols to their first arguments. Then (20) is oriented strictly (i.e., it is in P'), and (22) and all other base ADPs are oriented weakly. Hence, we remove the annotation from (20) and move it to the base ADPs. Now there is no main ADP anymore, and thus the dependency graph processor returns ∅. This proves SN for (A₁(RdivL), A₂(Bmset₂)), hence RdivL/Bmset₂ is also SN.

*Example 38.* Regard the ADPs a → b and f → d(F, A) for the redex-creating Example 4 again. When using a polynomial interpretation Pol that maps c₀ to 0 and c₂(x, y) to x + y, then for the reduction pair processor one has to satisfy Pol(A) ≥ 0 and Pol(F) ≥ Pol(F) + Pol(A). The second constraint forces Pol(A) = 0, so neither constraint can be made strict, i.e., one cannot make any of the ADPs strictly decreasing.

In contrast, for the variant with the terminating base rule f(s(y)) → d(f(y), a) from Example 28, we have the ADPs a → b and f(s(y)) → d(F(y), A). Here, the second constraint is Pol(F(s(y))) ≥ Pol(F(y)) + Pol(A). To make one of the ADPs strictly decreasing, one can set Pol(F(x)) = x, Pol(s(x)) = x + 1, and Pol(A) = 1 or Pol(A) = 0. Then the reduction pair processor removes the annotations from the strictly decreasing ADP and the dependency graph processor proves SN.

#### **6 Evaluation and Conclusion**

In this paper, we introduced the first notion of (annotated) dependency pairs and the first DP framework for relative termination, which also features suitable dependency graph and reduction pair processors for relative ADPs. Of course, further classical DP processors can be adapted to our relative ADP framework as well. For example, in our implementation of the novel ADP framework in our tool AProVE [13], we also included a straightforward adaption of the classical *rule removal processor* [11], see [24].<sup>8</sup> While the soundness proofs for the processors in the new relative ADP framework are more involved than in the standard DP framework, the new processors themselves are quite analogous to their original counterparts and thus, adapting an existing implementation of the ordinary DP framework to the relative ADP framework does not require much effort. In future work, we will investigate how to use our new form of ADPs for full (instead of innermost) rewriting also in the probabilistic setting and for complexity analysis.

To evaluate the new relative ADP framework, we compared its implementation in "*new* AProVE" to all tools that participated in the most recent *termination competition (TermComp 2023)* [14] on relative rewriting, i.e., NaTT [36], TTT2 [27], MultumNonMulta [9], and "*old* AProVE" which did not yet contain the contributions of the current paper. In *TermComp 2023*, 98 benchmarks were used for relative termination. However, these benchmarks only consist of examples where the main TRS R dominates the base TRS B (i.e., which can be handled by Theorem 11 from [21]) or which can already be solved via simplification orders directly.

Therefore, we extended the collection by 32 new "typical" examples for relative rewriting, including both RdivL/Bmset from Examples 1 and 2, and our leading example RdivL/Bmset₂ from Examples 2 and 14 (where only *new* AProVE can prove SN). Except for RdivL/Bmset, in these examples R does not dominate B. Most of these examples adapt well-known classical TRSs from the *Termination Problem Data Base* [33] used at *TermComp* to the relative setting. Moreover, 5 of our new examples illustrate the application of relative termination for proving confluence, i.e., in these examples one can prove confluence with the approach of [19] via our new technique for relative termination proofs.

In the following table, the number in the "YES" ("NO") row indicates for how many of the 130 examples the respective tool could prove (disprove) relative termination and "MAYBE" refers to the benchmarks where the tool could not solve the problem within the timeout of 300 s per example. The numbers in brackets are the respective results when only considering our new 32 examples. "AVG(s)" gives the average runtime of the tool on solved examples in seconds.

<sup>8</sup> This processor works analogously to the preprocessing at the beginning of Sect. 4 which can be used to remove duplicating rules: For an ADP problem (P, S), it tries to find a reduction pair (≿, ≻) where ≻ is closed under contexts such that ♭(P ∪ S) ⊆ ≿. Then for P' ⊆ P ∪ S with ♭(P') ⊆ ≻, the processor replaces the ADP problem by (P \ P', S \ P').

The table clearly shows that while *old* AProVE was already the second most powerful tool for relative termination, the integration of the ADP framework in *new* AProVE yields a substantial advance in power (i.e., it only fails on 26 of the examples, compared to 57 and 69 failures of NaTT and *old* AProVE, respectively). In particular, previous tools (including *old* AProVE) often have problems with relative TRSs where the main TRS does not dominate the base TRS, whereas the ADP framework can handle such examples.

A special form of relative TRSs are *relative string rewrite systems (SRSs)*, where all function symbols have arity 1. Due to the base ADPs with two annotated symbols on the right-hand side, here the ADP framework is less powerful than dedicated techniques for string rewriting. For the 403 relative SRSs at *TermComp 2023*, the ADP framework only finds 71 proofs, mostly due to the dependency graph and the rule removal processor, while termination analysis via AProVE's standard strategy for relative SRSs succeeds on 209 examples, and the two most powerful tools for relative SRSs at *TermComp 2023* (MultumNonMulta and Matchbox [35]) succeed on 274 and 269 examples, respectively.

Another special form of relative rewriting is *equational rewriting*, where one has a set of equations E which correspond to relative rules that can be applied in both directions. In [10], DPs were adapted to equational rewriting. However, this approach requires E-unification to be decidable and finitary (i.e., for (certain) pairs of terms, it has to compute finite complete sets of E-unifiers). This works well if E are AC- or C-axioms, and for this special case, dedicated techniques like [10] are more powerful than our new ADP framework for relative termination. For example, on the 76 AC- and C-benchmarks for equational rewriting at *TermComp 2023*, the relative ADP framework finds 36 proofs, while dedicated tools for AC-rewriting like AProVE's equational strategy or MU-TERM [15] succeed on 66 and 64 examples, respectively. However, in general, the requirement of a finitary E-unification algorithm is a hard restriction. In contrast to existing tools for equational rewriting, our new ADP framework can be used for arbitrary (non-duplicating) relative rules.

For details on our experiments, our collection of examples, and for instructions on how to run our implementation in AProVE via its *web interface* or locally, see: https://aprove-developers.github.io/RelativeDTFramework/.

# **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# Solving Quantitative Equations

Georg Ehling and Temur Kutsia

RISC, Johannes Kepler University Linz, Linz, Austria {gehling,kutsia}@risc.jku.at

Abstract. Quantitative equational reasoning provides a framework that extends equality to an abstract notion of proximity by endowing equations with an element of a quantale. In this paper, we discuss the unification problem for a special class of shallow subterm-collapse-free quantitative equational theories. We outline rule-based algorithms for solving such equational unification problems over generic as well as idempotent Lawvereian quantales and study their properties.

Keywords: Quantitative equational reasoning · Lawvereian quantales · Equational unification

# 1 Introduction

Extending the equality predicate to a notion that expresses similarity or proximity is a task that has been addressed in various ways. While fuzzy reasoning [8,23] approaches this endeavor by equipping equations with real numbers between 0 and 1 to express the degree to which they hold true, quantitative algebraic reasoning [4,17] follows a more proximity-oriented approach, attempting to establish a notion of distance between two terms.

Recently, Gavazzo and Di Florio [12] introduced a framework of metric and quantitative equational reasoning that generalizes these approaches (with a slight modification). It is based on the idea of modeling abstract quantities in quantales [22], following Lawvere's fundamental work [16]. In this framework, equations between terms are endowed with an element of a Lawvereian quantale that expresses, in one sense or another, the degree to which they hold true. The exact meaning of this degree depends on the choice of the quantale; for instance, it could correspond to the distance of two terms in a metric space, or to the probability that the terms are equal. This approach is quite general and includes various known quantitative theories as special cases.

In recent years, quantitative and approximate techniques have become increasingly popular due to various applications. In these applications, e.g., in those related to reasoning about probabilistic computations [5], reasoning about privacy and security of systems [1,21], reasoning about resource consumption during computation [7], approximate program transformations [13], etc., equalities are replaced with their quantitative approximations to model distances between programs, processes, or systems, resulting in metric-based approximate relations. Various techniques have been used to model such metric reasoning principles, among them quantitative equational logic, discussed in [3,4,17,18].

In this paper, we address one of the central problems in equational reasoning: unification (or solving equations). We approach this problem in the framework as described in [12], studying a generalization of classical unification to solving equations in a quantitative equational theory in Lawvereian quantales.

The theories we consider in this paper are induced by shallow subterm-collapse-free equations of a special form, between terms whose arguments are the same sequence of variables, e.g. f(x1,...,xn) and g(x1,...,xn). This is a natural first step toward investigating quantitative equational unification since such quantitative equations generalize the principle of "extending proximity between function symbols to proximity between terms" of unification in the fuzzy quantale to unification in an arbitrary Lawvereian quantale. Despite their simple form, such theories still pose several challenges (originating from, e.g., tensor-based transitivity or extending proximity between arguments to whole terms), which affect the notions of completeness and minimality of unifier sets. We redefine these notions and show that unification (modulo the above-mentioned theories) in an arbitrary Lawvereian quantale is finitary, while for idempotent Lawvereian quantales, it becomes unitary. We develop the corresponding unification algorithms and study their properties. Due to space limitations, we refer to the more detailed technical report [10] for some of the proofs.

# 2 Preliminaries

We start by introducing the basic notions and fixing the terminology.

*Quantales.* For the notions in this part, we follow [11,12].

Definition 1 (Quantale). *A (unital)* quantale **Ω** = (Ω, ⊑, ⊗, κ) *consists of a monoid* (Ω, κ, ⊗) *and a complete lattice* (Ω, ⊑) *(with join* ∨ *and meet* ∧*) satisfying the following distributivity laws:* $\delta \otimes \bigvee_{i\in I}\varepsilon_i = \bigvee_{i\in I}(\delta \otimes \varepsilon_i)$ *and* $\bigl(\bigvee_{i\in I}\varepsilon_i\bigr) \otimes \delta = \bigvee_{i\in I}(\varepsilon_i \otimes \delta)$*.*

The element κ is called the *unit* of the quantale, and ⊗ is called its *tensor* (or multiplication). Besides κ, we use Greek letters ε, δ, η, ζ, ι, and ω to denote elements of Ω. The *top* and *bottom* elements of a quantale are denoted by ⊤ and ⊥, respectively. Quantales in which the unit κ coincides with ⊤ are called *integral quantales*. A quantale is *commutative* if its underlying monoid is. It is *non-trivial* if κ ≠ ⊥. It is *cointegral* if ε ⊗ δ = ⊥ implies either ε = ⊥ or δ = ⊥.

We assume our quantales are commutative, integral, cointegral, and nontrivial. Such quantales are called *Lawvereian*. (Note that the fuzzy quantale **I** is Lawvereian for the Gödel and product T-norms, but not for the Łukasiewicz T-norm.)

Tensors in quantales always have left and right *adjoints*. For commutative quantales, these adjoints are the same, defined as ε δ := {η | ε ⊗ η δ}.


Table 1. Correspondence between quantales **Ω** (generic), **2** (Boolean), **L** (Lawvere), **L**max (strong Lawvere), and **I** (fuzzy).

An element ι ∈ Ω is an *idempotent element* (or simply an *idempotent*) of a quantale **Ω** if it satisfies ι ⊗ ι = ι. A quantale is called *idempotent* if every element is idempotent. Among the quantales in Table 1, the idempotent ones are **2**, **L**max, and **I** for the minimum (Gödel) T-norm.

In any Lawvereian quantale, (i) ⊗ is monotone: α ⊑ β ⇒ α ⊗ γ ⊑ β ⊗ γ (using distributivity: (α ⊗ γ) ∨ (β ⊗ γ) = (α ∨ β) ⊗ γ = β ⊗ γ); (ii) α ⊗ β ⊑ α ∧ β (using monotonicity and integrality: α ⊗ β ⊑ α ⊗ ⊤ = α).

Given a quantale **Ω** and ε, δ ∈ Ω, the *way-below relation* is defined as δ ≪ ε iff for every Ψ ⊆ Ω, if ε ⊑ ⋁Ψ then there exists a finite subset Ψ₀ ⊆ Ψ such that δ ⊑ ⋁Ψ₀. A quantale **Ω** is called *continuous* if $\varepsilon = \bigvee_{\delta \ll \varepsilon}\delta$ for all ε ∈ Ω.

Definition 2 (**Ω**-relations, **Ω**-ternary relations). *An* **Ω**-relation R *between sets* A *and* B *is a function* R: A × B → Ω*. For any set* A*, the identity* **Ω***-relation* Δ_A : A × A → Ω *maps the diagonal elements* (a, a) *to* κ*, and all other elements to* ⊥*. The composition* (R; S): A × C → Ω *of two* **Ω***-relations* R: A × B → Ω *and* S : B × C → Ω *is defined as* $(R;S)(a,c) := \bigvee_{b\in B}\bigl(R(a,b) \otimes S(b,c)\bigr)$*.*

*An* **Ω**-ternary relation *over* A × B *is a ternary relation* R ⊆ A × Ω × B *such that* R(a, ε, b) *implies* R(a, δ, b) *for any* δ ⊑ ε*.*

*Any* **Ω***-ternary relation* R *induces an* **Ω***-relation* $R^\bullet(a,b) := \bigvee_{R(a,\varepsilon,b)}\varepsilon$*, and any* **Ω***-relation* R *induces an* **Ω***-ternary relation* $R^\circ(a,\varepsilon,b) :\Longleftrightarrow \varepsilon \sqsubseteq R(a,b)$*. Moreover, we have* R•◦ = R◦• = R*, and we can freely switch between* **Ω***-ternary relations and* **Ω***-relations.*

The complete lattice structure of **Ω** lifts to **Ω**-relations pointwise, and we can say that an **Ω**-relation R on A × A is reflexive if Δ_A ⊑ R; transitive if (R; R) ⊑ R; symmetric if R⁻ ⊑ R (where R⁻ is defined as R⁻(b, a) := R(a, b)). Thus, we get the notions of a preorder (i.e., reflexive and transitive) and equivalence (i.e., reflexive, transitive, and symmetric) **Ω**-relation.

*Terms and Substitutions.* We assume that the reader is familiar with the standard notions of unification theory, see, e.g., [2]. A *signature* F is a set of function symbols, each equipped with a fixed nonnegative arity. The set of *terms* over a signature F and a set of variables V is denoted by T(F, V). Given a term t ∈ T(F, V), we denote by V(t) the set of variables appearing in t. A term is *ground* if it contains no variables. The notion of a *position* in a term is defined in the standard way.

The set of *leaves* of a term is defined as follows: the set of leaves of e is {e} if e is a constant symbol or a variable, and the set of leaves of f(t₁,...,tₙ) is the union of the sets of leaves of t₁,...,tₙ. (The leaves of a term t correspond to the leaves of the tree representing t.) If s is a subterm of t, then the *depth of* s *in* t is the minimal length of a position at which s occurs in t.

A *substitution* is a map σ : V → T(F, V) which maps all but finitely many variables to themselves. Greek letters σ, ϕ, ϑ, τ are used for them, while *Id* denotes the identity substitution. The set of substitutions is denoted by *Sub*. We use the set notation for substitutions, writing σ explicitly as a finite set {x ↦ σ(x) | x ≠ σ(x)}. The *domain* of σ is defined as *dom*(σ) := {x | x ≠ σ(x)}. A substitution σ extends naturally to an endomorphism on T(F, V). The image of a term t under this endomorphism is denoted tσ.

# 3 Quantitative Equational Theories

We now fix a signature F, a set of variables V, and a Lawvereian quantale **Ω**.

Let ≈_E be an **Ω**-ternary relation, assumed to be induced from a given set E of triples (t, ε, s), which we write as ε ⊩ t ≈_E s (called **Ω**-equalities). A *quantitative equational theory* (or **Ω***-equational theory*) =_E is an **Ω**-ternary relation generated from ≈_E by the rules in Fig. 1. We call E a *presentation* of =_E. Informally, we read ε ⊩ t =_E s as "t and s are at most ε-apart modulo E" or "t and s are equal modulo E with degree ε".

Fig. 1. Quantitative equational theory

Observe that the **Ω**-relation =•_E induced from =_E (i.e., $t =^\bullet_E s := \bigvee_{\varepsilon \Vdash t =_E s}\varepsilon$) is a reflexive, symmetric, transitive quantitative relation that contains ≈•_E and where function symbols and substitutions behave in a non-expansive way:

$$\begin{aligned} \left(t_1 =^\bullet_E s_1 \otimes \cdots \otimes t_n =^\bullet_E s_n\right) &\sqsubseteq \left(f(t_1, \ldots, t_n) =^\bullet_E f(s_1, \ldots, s_n)\right),\\ \left(t =^\bullet_E s\right) &\sqsubseteq \left(t\sigma =^\bullet_E s\sigma\right). \end{aligned}$$

We will often slightly abuse terminology by calling both =•_E and a presentation E a quantitative equational theory.

The rules in Fig. 1 were introduced in [11] with the aim of generalizing previous approaches to quantitative reasoning [4,17]. This generalization is achieved up to a slight modification of the (NExp) rule, whose analogue in [17] would feature the join of ε1,...,ε<sup>n</sup> rather than their tensor product.<sup>1</sup>

It should further be remarked that the (Join) rule also applies to an empty hypothesis, whence ⊥ ⊩ t =_E s holds for any t and s. The infinitary (Arch) rule is needed to guarantee the semantic completeness of the deduction system in [17], but has no effect on =_E whenever the presentation E is finite, whence it can be safely ignored in that case.

Analogous to classical equational theories, an **Ω**-equation ε ⊩ t = s, where s is a proper subterm of t, is called a *subterm-collapse equation*. A quantitative equational theory E is said to be *simple* (or *subterm-collapse-free*) if whenever ε ⊩ t =_E s with ε ≠ ⊥ holds, the equation ε ⊩ t = s is not subterm-collapsing. An equation ε ⊩ t = s is called *shallow* [6] if the depth of each variable occurrence in t or in s is at most 1. An equational theory is called shallow if each equation in its presentation is shallow.

Definition 3. *Let* E *be an* **Ω***-equational theory and* X *be a set of variables. A ternary relation* ≲_{E,X} ⊆ *Sub* × Ω × *Sub is defined as*

≲_{E,X}(σ, ε, ϑ) *iff there exists a* ϕ *such that* ε ⊩ xσϕ =_E xϑ *for all* x ∈ X*.*

*In this case, we say that the substitution* σ is more general than ϑ modulo E on X up to ε*. We shortly write* σ ≲_{E,X,ε} ϑ *and call* ϑ *an* (E, X, ε)-instance *of* σ *(or an* (E, X)*-instance with degree* ε*).*

It is not hard to see that ≲_{E,X} is an **Ω**-ternary relation over *Sub* × *Sub*. To show this, we need to prove that σ ≲_{E,X,ε} ϑ implies σ ≲_{E,X,δ} ϑ for any δ ⊑ ε, which follows from the definition of =_E.

Lemma 1. *If* σ ≲_{E,X,ε} ϑ *and* ϑ ≲_{E,Y,δ} ψ*, then* σ ≲_{E,X∩Y,ε⊗δ} ψ*.*

*Proof.* By definition of ≲_{E,X} and ≲_{E,Y}, we have ε ⊩ xσϕ₁ =_E xϑ for all x ∈ X, and δ ⊩ yϑϕ₂ =_E yψ for all y ∈ Y. From these equalities, for all z ∈ X ∩ Y by the Subst rule we get ε ⊩ zσϕ₁ϕ₂ =_E zϑϕ₂ and δ ⊩ zϑϕ₂ =_E zψ. Therefore, by ⊗-transitivity (the Trans rule) we obtain ε ⊗ δ ⊩ zσϕ₁ϕ₂ =_E zψ for all z ∈ X ∩ Y, which, by definition of ≲_{E,X∩Y}, gives σ ≲_{E,X∩Y,ε⊗δ} ψ.

<sup>1</sup> The reason for this modification in [11] is that (NExp) should be compatible with (Trans), which is based on the tensor rather than the join. Without it, one would obtain a system where performing various transformation steps one after the other would lead to a different distance than performing the same steps in parallel.

Corollary 1. *If* σ ≲_{E,X,ε} ϑ *and* ϑ ≲_{E,X,δ} ψ*, then* σ ≲_{E,X,ε⊗δ} ψ*.*

Theorem 1. *Given a set of* **Ω***-equalities* E *and a set of variables* X*, the* **Ω***-relation* ≲•_{E,X} *induced by* ≲_{E,X} *is a preorder on Sub.*

*Proof.* We should show that ≲•_{E,X} is reflexive and transitive.


The equivalence relation on substitutions induced by ≲_{E,X} is denoted by ≅_{E,X}. It is an **Ω**-ternary relation. We write σ ≅_{E,X,ε} ϑ if ε ⊑ (σ ≅•_{E,X} ϑ).

*Example 1.* Let **Ω** be the Lawvere quantale **L** = ([0, ∞], ≥, +, 0) and consider E = {1 ⊩ a ≈ b, 1 ⊩ b ≈ c}, ε = 2 and X = {x}. Let σ = {x ↦ a}, ϑ = {x ↦ b}, and ϕ = {x ↦ c}. Then we have:


Hence, σ ≅_{E,X,ε} ϑ, ϑ ≅_{E,X,ε} ϕ, and σ ≅_{E,X,ε} ϕ.

Theorem 2. *Given* E*,* X*,* t*, and* s *such that* V(t) ∪ V(s) ⊆ X*, let* R *denote* =•_E *and* S *denote* ≲•_{E,X}*. Assume* σ *and* ϑ *are substitutions such that* R(tσ, sσ) = ε *and* S(σ, ϑ) = δ*. Then* $\varepsilon \otimes \bigotimes_{i=1}^{n+m}\delta \sqsubseteq R(t\vartheta, s\vartheta)$*, where* n *and* m *are the number of occurrences of variables from* X *in* t *and* s*, respectively.*

*Proof.* From S(σ, ϑ) = δ we know that there exists ϕ such that δ ⊑ R(xσϕ, xϑ) holds for all x ∈ X. From this, by structural induction over terms, we can prove $\bigotimes_{i=1}^{n}\delta \sqsubseteq R(t\sigma\varphi, t\vartheta)$ and $\bigotimes_{i=1}^{m}\delta \sqsubseteq R(s\sigma\varphi, s\vartheta)$. From R(tσ, sσ) = ε we get ε ⊑ R(tσϕ, sσϕ). Applying transitivity twice we get $\varepsilon \otimes \bigotimes_{i=1}^{n+m}\delta \sqsubseteq R(t\vartheta, s\vartheta)$.

*Example 2.* In the Boolean quantale **2**, this theorem implies the well-known fact that if σ is a unifier of t and s and ϑ is an instance of σ, then ϑ is also a unifier of t and s. (In that case, ε = δ = 1.)

Consider the fuzzy quantale **I** with the minimum T-norm, E = {0.5 ⊩ a ≈ b, 0.7 ⊩ b ≈ c}, t = f(x, x, y), s = f(y, b, c), X = {x, y}, σ = {x ↦ b, y ↦ b}, and ϑ = {x ↦ a, y ↦ c}. Then 0.5 ⊩ a =_E c and

$$\begin{aligned} t\sigma &= f(b, b, b), \quad s\sigma = f(b, b, c), \quad \varepsilon = 0.7, \qquad 0.7 \Vdash t\sigma =_E s\sigma;\\ \delta &= 0.5, \qquad \sigma \lessapprox_{E, \{x, y\}, 0.5} \vartheta \text{ (actually, } \sigma \cong_{E, \{x, y\}, 0.5} \vartheta\text{)};\\ t\vartheta &= f(a, a, c), \quad s\vartheta = f(c, b, c);\\ &\text{Variables of } \mathcal{X} \text{ occur in } t \text{ and } s \text{ in total 4 times;}\\ \min(0.7, 0.5, 0.5, 0.5, 0.5) &= 0.5; \qquad 0.5 \Vdash t\vartheta =_E s\vartheta. \end{aligned}$$

Now consider the Lawvere quantale **L** with E = {1 ⊩ a ≈ b, 1 ⊩ b ≈ c, 1 ⊩ c ≈ d, 1 ⊩ f(x) ≈ g(x)}, t = x, s = f(y), X = {x, y}, σ = {x ↦ g(y)}, and ϑ = {x ↦ g(a), y ↦ d}. Besides, ⊑ is ≥ here, and we have

$$\begin{aligned} t\sigma &= g(y), \quad s\sigma = f(y), \quad \varepsilon = 1, \quad 1 \Vdash t\sigma =_E s\sigma;\\ \delta &= 2, \qquad \sigma \lessapprox_{E, \{x, y\}, 2} \vartheta;\\ t\vartheta &= g(a), \quad s\vartheta = f(d);\\ &\text{Variables of } \mathcal{X} \text{ occur in } t \text{ and } s \text{ in total twice;}\\ \varepsilon + 2\delta &= 5;\\ 5 \Vdash t\vartheta &=_E s\vartheta. \quad \text{(In fact, } (t\vartheta =^\bullet_E s\vartheta) = 1 + 3 = 4 \text{ and } 5 \sqsubseteq 4\text{.)} \end{aligned}$$

Theorem 2 implies that if δ is an idempotent element of the quantale and it can be absorbed by ε (i.e., ε ⊗ δ = ε), then ε ⊩ tϑ =_E sϑ. Obviously, this will be fulfilled if δ = κ. In idempotent quantales, it will also hold when ε ⊑ δ. For idempotent elements, a stronger version of transitivity holds. Namely, if ι is an idempotent element of a quantale, then we have for all E, t, s, r, X, σ, ϑ, ϕ:

– ι ⊩ t =_E s and ι ⊩ s =_E r imply ι ⊩ t =_E r,
– σ ≲_{E,X,ι} ϑ and ϑ ≲_{E,X,ι} ϕ imply σ ≲_{E,X,ι} ϕ.

# 4 Quantitative Equational Unification

Definition 4 (Quantitative equational unification). *A quantitative equational unification problem is formulated as follows:*

Given: *A quantale* **Ω***,* ε ∈ Ω *(called the threshold) with* ε ≠ ⊥*, a set of* **Ω***-equalities* E *(a presentation of an equational theory), and two terms* t *and* s*.*
Find: *A substitution* σ *such that* ε ⊩ tσ =_E sσ*.*

*We call this problem* (E, ε)-unification problem over **Ω***. The quantale name is usually skipped when it does not cause confusion. For unification problems, we use the notation* ε ⊩ t =?_E s*, called a* unification equation*, where the question mark indicates that the equation is supposed to be solved. For simplicity, we write the problem as* t =?_{E,ε} s*, and further skip* E *if it is clear from the context.*

*The substitution* σ*, if it exists, is called an* (E, ε)-unifier *of* t *and* s *(alternatively, a unifier or a solution of* t =?_{E,ε} s*) over* **Ω***. In such a case we say that the given unification problem is* solvable*, or that the terms* t *and* s *are* (E, ε)-unifiable *over* **Ω***. The set of all unifiers of* t =?_{E,ε} s *is denoted by* U_{E,ε}(t, s)*.*

For a given presentation E, a function symbol from F is called *free* if it does not appear in E. If F contains a free m-ary function symbol for some m > 1, the unification problem formulated above is equivalent to a problem of finding a solution of a system of unification equations (instead of a single equation) formulated as a constrained problem:


In such a case we can write the unification problem as a pair of a set of unification equations and a ⊑-constraint: $\{t_1 =^?_{E,\alpha_1} s_1, \ldots, t_n =^?_{E,\alpha_n} s_n\};\ \varepsilon \sqsubseteq \alpha_1 \otimes \cdots \otimes \alpha_n$, where the α_i are new metavariables whose values are also to be found alongside the variables that appear in the given t's and s's. This problem can be transformed to a single-equation problem. For instance, the constrained problem $\{t_1 =^?_{E,\alpha_1} s_1,\ t_2 =^?_{E,\alpha_2} s_2,\ t_3 =^?_{E,\alpha_3} s_3\};\ \varepsilon \sqsubseteq \alpha_1 \otimes \alpha_2 \otimes \alpha_3$ can be transformed to $f(f(t_1, t_2), t_3) =^?_{E,\varepsilon} f(f(s_1, s_2), s_3)$, where f is a free binary function symbol. The two problems are equivalent in the sense that they have exactly the same set of (E, ε)-unifiers. If the arity of f is bigger than the number of equations, the missing arguments will be filled in by fresh variables. For instance, for a quaternary f, the problem above can be encoded as $f(t_1, t_2, t_3, x) =^?_{E,\varepsilon} f(s_1, s_2, s_3, x)$, where x is fresh.

In classical unification, an important property of the instantiation relation is that any substitution that is less general than a given unifier of two terms will still be a unifier. In the quantitative case, we should take into account the approximation, which complicates things. First, we have the following fact as a consequence of Theorem 2:

Fact 1. *If* σ *is an* (E, ε)*-unifier of* t *and* s *and* σ ≲_{E,V(t,s),δ} ϑ *for some* δ*, then* ϑ *is an* (E, ε ⊗ δ^k)*-unifier of* t *and* s*, where* k *is the total number of occurrences of variables in* t *and* s*.*

Some results become simpler for idempotent elements:

Lemma 2. *Let* ι *be an idempotent element of* **Ω***, and* σ *and* ϑ *be substitutions.*


*Proof.* Part (i) is proved by structural induction, using idempotence. For (ii), as σ ≲_{E,V(t,s),ι} ϑ, there exists a substitution ϕ such that ι ⊩ xσϕ =_E xϑ holds for every variable x ∈ V(t, s). Thus, ι ⊩ rσϕ =_E rϑ holds for any term r ∈ T(F, V(t, s)) by (i). Hence, we have ι ⊩ sϑ =_E sσϕ, ε ⊩ sσϕ =_E tσϕ, and ι ⊩ tσϕ =_E tϑ. From these equalities, using ε ⊗ ι = ε, we get ε ⊩ sϑ =_E tϑ.

This lemma implies that (E, V(t, s), κ)-instances of (E,ε)-unifiers of t and s are still their (E,ε)-unifiers. Besides, it has the following corollary:

Corollary 2. *Let* **Ω** *be an idempotent quantale, in which* σ *is an* (E, ε)*-unifier of* t *and* s*,* σ ≲_{E,V(t,s),δ} ϑ*, and* ε ⊑ δ*. Then* ϑ *is an* (E, ε)*-unifier of* t *and* s *in* **Ω***.*

These results motivate a specialized version of the notion of a minimal complete set of unifiers that we use in this paper:

Definition 5 (Minimal ι-complete set of unifiers). *Let* P *be an* (E, ε)*-unification problem over a quantale* **Ω** *and signature* F*. Let* X = V(P) *be the set of all variables of* P*, and let* ι *be an idempotent element of* **Ω** *such that* ε ⊗ ι = ε*. An* ι-complete set of (E, ε)-unifiers *of* P *is a set* C *of substitutions such that*

*(1)* C ⊆ U_{E,ε}(P)*, i.e., each element of* C *is an* (E, ε)*-unifier of* P*,*
*(2) for each* ϑ ∈ U_{E,ε}(P) *there exists* σ ∈ C *such that* σ ≲_{E,X,ι} ϑ*.*

*The set* C *is a* minimal ι-complete set of (E, ε)-unifiers *of* P *iff it is an* ι*-complete set that satisfies the following minimality property:*

*(3) for all* σ, σ' ∈ C*, if* σ ≲_{E,X,ι} σ'*, then* σ = σ'*.*

*We denote a minimal* ι*-complete set of* (E, ε)*-unifiers of* P *by mcsu*_{E,ε,ι}(P)*.*

Given a unification problem with threshold ε, in order to make use of this definition, one first needs to find an idempotent element ι such that ε ⊗ ι = ε. In an arbitrary quantale, we can always take ι = κ. If ε is idempotent itself, then we can also choose ι = ε.<sup>2</sup>

Let P be an (E, ε)-unification problem. If it is unsolvable, then for any idempotent ι with ε ⊗ ι = ε we have *mcsu*_{E,ε,ι}(t, s) = ∅. Depending on E, ε, and ι, minimal ι-complete sets of (E, ε)-unifiers may not always exist. Even if they do, they may be infinite. When they exist, they are unique modulo the instantiation equivalence relation ≅_{E,X,ι}.<sup>3</sup>

*Example 3.* Let **Ω** be the Lawvere quantale **L**, E be the set of equations E = {1 ⊩ a ≈ b, 1 ⊩ b ≈ c, 1 ⊩ c ≈ d}, ε = 1, t = f(x, b), and s = f(c, x).

The substitutions σ = {x → b}, ϑ = {x → c} are (E,ε)-unifiers of t and s:

– tσ = f(b, b), sσ = f(c, b) and 1 f(b, b) =_E f(c, b),
– tϑ = f(c, b), sϑ = f(c, c) and 1 f(c, b) =_E f(c, c).

In fact, {σ, ϑ} = *mcsu*_{E,ε,0}(t, s). Note that we have σ ≅_{E,X,1} ϑ, but also σ ≅_{E,X,1} {x → a} and ϑ ≅_{E,X,1} {x → d}. However, neither {x → a} nor {x → d} is an (E,ε)-unifier of t and s (but they are (E, 3)-unifiers of t and s).

The notion of an *occurrence cycle* will be needed later on.

Definition 6 (Occurrence cycle). *A set of unification equations* {x_1 ≈?_{ε_1} t_1, ..., x_n ≈?_{ε_n} t_n} *constitutes an* occurrence cycle *if* t_i *is a non-variable term for at least one* i*,* x_i ∈ V(t_{i−1}) *for* 1 < i n *and* x_1 ∈ V(t_n)*.*

<sup>2</sup> This is how it is done, e.g., for fuzzy proximity/similarity relations [9,14,15,19,20, 23].

<sup>3</sup> ≅_{E,X,ι} is a standard binary relation on *Sub* induced by the **˙**-ternary relation ≅_{E,X} for a fixed ι.

#### 4.1 Unification: Simple Shallow Theories (Special Form)

In this section, we will consider **˙**-equational theories that admit a presentation consisting of a finite number of equations of the form γ f(x1,...,xn) ≈ g(x1,...,xn), where n 0, f ≠ g, and all x's are pairwise distinct. Also, the γ's in different equations can be different. This is the most basic form of quantitative axioms. The quantale **˙**, as said above, is an arbitrary Lawvereian quantale. In the next subsection we consider the special case of idempotent Lawvereian quantales.

The presentation is shallow. One can easily show that the theory generated from such a presentation is simple. Hence, we consider simple shallow quantitative equational theories (of a special form). We will refer to such theories by Essh. In them, it makes sense to speak about the *approximation degree of two function symbols*, which is defined as d_{Essh}(f,g) := (f(x1,...,xn) ≐_{Essh} g(x1,...,xm)) for an n-ary f and an m-ary g. (Obviously, d_{Essh}(f,g) = ⊥ if n ≠ m.) We say that f and g are (Essh, ε)-proximal if ε d_{Essh}(f,g).

*Remark 1.* Since the equational theories we consider here are finitely presented, the degree of two function symbols of the same arity can be effectively computed as d_{Essh}(f,g) = {γ | γ f(x1,...,xn) = g(x1,...,xn) ∈ C}, where C is the closure of the presentation of Essh under the (Trans) and (Sym) rules.

Theorem 3. Essh*-unification is finitary in a Lawvereian quantale* **˙** *in the sense that for any* ε ∈ Ω*, every* (Essh, ε)*-unification problem* t =?_{Essh,ε} s *has a finite minimal* κ*-complete set of unifiers.*

*Proof (Sketch).* Let N_{Essh,ε}(r) denote an ε-neighborhood of a term r with respect to Essh, defined as the set of all terms obtained from r by replacing some function symbols by their (Essh, ε)-proximal ones. Then *mcsu*_{Essh,ε,κ}(t, s) ⊆ ∪_{t'∈T, s'∈S} {*mgu*(t' =? s')}, where T = N_{Essh,ε}(t), S = N_{Essh,ε}(s), and *mgu*(t' =? s') is a most general unifier of the syntactic unification problem t' =? s'. Since the presentation of theories of the form Essh is finite, the set N_{Essh,ε}(r) is finite for ε ≠ ⊥ for any r. Hence, the set ∪_{t'∈T, s'∈S} {*mgu*(t' =? s')} is finite, which implies that *mcsu*_{Essh,ε,κ}(t, s) is finite as well.

*Remark 2.* In principle, the above proof already outlines an Essh-unification algorithm. However, there are several reasons for not using it: first, it would be a brute-force approach blindly replacing symbols with all their proximal ones in all possible ways. Second, it would not be sound because non-unifier answers would be returned and we would have to clean the computed set afterwards. Third, we want to keep our approach flexible, leaving equations between variables as a part of the output instead of forcing them to have only a syntactic solution.

In the following, we use bold-face upright Greek letters **α**, **β**, **γ** for metavariables that range over the domain of the quantale. The rules constituting our unification method operate on configurations whose form is stated below.

Definition 7 (Configuration). *A* configuration *is either a special symbol F or a quadruple* P; C; δ; σ*, where*


*In* C*, we also allow for the case where* n = 0*, in which the empty product on the right-hand side is* κ *by convention.*

The solving rules for a theory Essh are given below. They operate on configurations and are formulated modulo associativity and commutativity of ⊗. We use f and g to denote (not necessarily distinct) n-ary function symbols, t, t_i and s_i for terms, and x to denote a variable symbol. The symbol Δ denotes the tensor product of finitely many metavariables.

#### Tri: Trivial

$$\{t =^?_{\boldsymbol{\alpha}} t\} \uplus P;\ \zeta \preceq \boldsymbol{\alpha} \otimes \Delta;\ \delta;\ \sigma \Longrightarrow P;\ \zeta \preceq \Delta;\ \delta;\ \sigma.$$

#### Dec: Decompose

$$\begin{aligned} \{f(t_1, \ldots, t_n) =^?_{\boldsymbol{\alpha}} g(s_1, \ldots, s_n)\} \uplus P;\ \zeta \preceq \boldsymbol{\alpha} \otimes \Delta;\ \delta;\ \sigma \Longrightarrow\ & \{t_1 =^?_{\boldsymbol{\beta}_1} s_1, \ldots, t_n =^?_{\boldsymbol{\beta}_n} s_n\} \cup P; \\ & d_{E_{\mathrm{ssh}}}(f, g) \rightarrow \zeta \preceq \boldsymbol{\beta}_1 \otimes \cdots \otimes \boldsymbol{\beta}_n \otimes \Delta;\ \delta \otimes d_{E_{\mathrm{ssh}}}(f, g);\ \sigma, \end{aligned}$$

where **β**1, ..., **β**n are new metavariables and ζ d_{Essh}(f,g).

#### Cla: Clash

$$\{f(t_1, \ldots, t_n) =^?_{\boldsymbol{\alpha}} g(s_1, \ldots, s_m)\} \uplus P;\ \zeta \preceq \boldsymbol{\alpha} \otimes \Delta;\ \delta;\ \sigma \Longrightarrow \mathbf{F}, \text{ if } \zeta \not\preceq d_{E_{\mathrm{ssh}}}(f, g).$$

#### L-Sub: Substitute (lazy)

$$\begin{aligned} \{x =^?_{\boldsymbol{\alpha}} f(s_1, \ldots, s_n)\} \uplus P;\ \zeta \preceq \boldsymbol{\alpha} \otimes \Delta;\ \delta;\ \sigma \Longrightarrow\ & \{x_1 =^?_{\boldsymbol{\beta}_1} s_1, \ldots, x_n =^?_{\boldsymbol{\beta}_n} s_n\} \cup P\rho; \\ & d_{E_{\mathrm{ssh}}}(f, g) \rightarrow \zeta \preceq \boldsymbol{\beta}_1 \otimes \cdots \otimes \boldsymbol{\beta}_n \otimes \Delta;\ \delta \otimes d_{E_{\mathrm{ssh}}}(f, g);\ \sigma\rho, \end{aligned}$$

where x does not appear in an occurrence cycle in {x =?_**α** f(s1,...,sn)} ∪ P, and ρ = {x → g(x1,...,xn)} with x1,...,xn being fresh variables and ζ d_{Essh}(f,g).

#### CCh: Cycle check

$$\{x =^?_{\boldsymbol{\alpha}} t\} \uplus P;\ C;\ \delta;\ \sigma \Longrightarrow \mathbf{F}, \quad \text{if } x \text{ appears in an occurrence cycle in } \{x =^?_{\boldsymbol{\alpha}} t\} \uplus P.$$

#### Ori: Orient

$$\{t =^?_{\boldsymbol{\alpha}} x\} \uplus P;\ C;\ \delta;\ \sigma \Longrightarrow P \cup \{x =^?_{\boldsymbol{\alpha}} t\};\ C;\ \delta;\ \sigma, \text{ where } t \notin \mathcal{V}.$$

To solve an (Essh, ε)-unification problem between terms t and s, we create the initial configuration {t =?_**α** s}; ε **α**; κ; *Id* and start applying the rules as long as possible. The equation to be transformed is chosen arbitrarily ("don't care nondeterminism"). We call the obtained algorithm QUnif.

Note that a configuration P; C; σ obtained from an (Essh, ε)-unification problem satisfies the following properties:


We will refer to such configurations as *admissible*.

To prove termination of QUnif, we introduce some terminology.

Definition 8. *Let* P *be a set of quantitative equations and let* P_st *be the set of standard equations obtained from* P *by ignoring the indices:* P_st := {t = s | ε t = s ∈ P}*. Then* DecNF_{Essh}(P) *denotes the decomposition normal form of* P *with respect to* Essh*, which is the set of standard equations obtained from* P_st *by applying the following version of the decomposition rule as long as possible:*

$$\{f(t\_1, \ldots, t\_n) = g(s\_1, \ldots, s\_n)\} \uplus S \Longrightarrow \{t\_1 = s\_1, \ldots, t\_n = s\_n\} \cup S,$$

*where* d_{Essh}(f,g) ≠ ⊥*.*

It is easy to see that every equation in DecNF_{Essh}(P) is of the form x = s, where s is an arbitrary term, or t = x, where t is not a variable.

For a set of (quantitative) equations P, the *variable dependency graph* Γ(P) is constructed as follows:

	- If l is a constant, then we add an edge x →^{d+1} G (with weight d + 1).
	- If l is a variable y, then we add an edge x →^{d} y (with weight d).

In this way, we obtain a directed, weighted graph Γ(P), which is acyclic (hence, a *dag*) if and only if P does not contain any occurrence cycles.

For any variable x occurring in P, we now define the level *lev*_P(x) of x with respect to P as the maximal weight of a walk in Γ(P) starting in x. Here, the weight of a walk is defined as the sum of the weights of its edges. Note that *lev*_P may take the value ∞ if P contains occurrence cycles.

We now consider the multiset λ(P) := {*lev*_P(x) | x ∈ V(P)}. (It will be used as a component of a termination measure below.) We compare such multisets via the multiset extension >_m of the standard order on **N** ∪ {∞}, which is well-founded. The following lemma is the main ingredient for the termination proof. Its proof can be found in [10].

Lemma 3. *Let* C = P; C; δ; σ *be a configuration.*

	- *(i) If* P'; C'; δ'; σ' *is obtained from* C *by L-Sub, then* λ(P) >_m λ(P')*.*
	- *(ii) If* P'; C'; δ'; σ' *is obtained from* C *by Tri, Dec, or Ori, then* λ(P) ≥_m λ(P')*.*

Theorem 4 (Termination of QUnif).*For a given* (Essh, ε)*-unification problem, the algorithm* QUnif *terminates either with the configuration F (indicating failure) or with a configuration of the form* V ; C; δ; σ *(indicating success), where* V *is a set of unification equations between variables.*

*Proof.* A simple analysis of the rules of QUnif shows that all terminal configurations are of the form described above. In order to prove that the algorithm terminates, first note that the Cla and CCh rules terminate the derivation immediately, so it suffices to show that the remaining rules cannot yield an infinite derivation. For this purpose, we consider the measures λ, n_2 and n_3, where n_2 is the size of P and n_3 is the number of equations of the form t =?_**α** x in P such that t is a non-variable term. By Lemma 3, L-Sub decreases λ while all other rules do not increase it; Dec and Tri decrease n_2, and Ori decreases n_3 while leaving n_2 invariant. Hence, the lexicographic combination of λ with n_2 and n_3 yields a measure that strictly decreases upon each of the aforementioned rules with respect to a well-founded order, thus proving termination.

Proceeding now to the soundness and completeness proofs for QUnif, we fix a notion of solution of a configuration.

Definition 9 (Solution of a configuration). *A substitution* τ *is a* solution *of the configuration* P; ζ **α**1 ⊗ **α**2 ⊗···⊗ **α**n; δ; σ *if there exists a function* μ *mapping metavariables to elements of* Ω *such that*

- *(S1)* ζ μ(**α**1) ⊗ μ(**α**2) ⊗···⊗ μ(**α**n) *is valid,*
- *(S2)* μ(**β**) sτ =_E tτ *holds for every equation* s =?_**β** t *in* P*,*
- *(S3)* xτ = xστ *(syntactic equality) holds for every variable* x ∈ *dom*(σ)*.*

*The configuration F has no solutions.*

This definition is compatible with Definition 4 in the following sense:

Lemma 4. *Let* ε ∈ Ω*. A substitution* τ *is an* (E,ε)*-unifier of* t *and* s *if and only if* τ *is a solution of the corresponding initial configuration* {t =?_**α** s}; ε **α**; κ; *Id.*

*Proof.* By definition, τ solves {t =?_**α** s}; ε **α**; κ; *Id* iff there exists μ such that ε μ(**α**) and μ(**α**) tτ =_E sτ, which is equivalent to ε tτ =_E sτ.

The lemma below is needed to show soundness and completeness of QUnif. Its proof can be found in [10].

Lemma 5. *Let* C *be an admissible configuration.*


Theorem 5 (Soundness and completeness of QUnif). *Consider an* (Essh, ε)*-unification problem between terms* t *and* s*.*

	- *(ii)* μ(**α**i) x_iϕ =_{Essh} y_iϕ *for all* 1 i n*;*
	- *(iii)* xσϕ = xτ *for all* x ∈ V(s, t)*.*

*Proof.* For soundness, suppose that QUnif produces a derivation C_0 ⟹ ... ⟹ C_m, where C_0 is the initial configuration {t =?_**α** s}; ε **α**; κ; *Id* and C_m is a terminal configuration given by V; S; δ; σ. If τ is a solution of C_m then τ is also a solution of C_0 (by Lemma 5(i)), and therefore τ is an (Essh, ε)-unifier of t and s (by Lemma 4).

For completeness, suppose that τ is an (E,ε)-unifier of t and s. Then τ solves the corresponding initial configuration C_0 (by Lemma 4). If C_0 is not terminal, then there exists a rule application C_0 ⟹ C_1 and a substitution τ_1 such that τ_1|_{*dom*(τ)} = τ and τ_1 solves C_1 (by Lemma 5(ii)). Iterating this argument, we obtain a derivation C_0 ⟹ C_1 ⟹ ... and a sequence of substitutions τ, τ_1, ... . After a finite number of steps, this derivation reaches a terminal configuration C_m by Theorem 4, and with it we obtain a solution τ_m such that τ_m|_{V(s,t)} = τ. Since τ_m solves C_m, there exist ϕ and μ satisfying (i) and (ii), as well as xσϕ = xτ_m for all x ∈ V(C_m), yielding (iii).

*Remark 3.* In particular, a κ-complete set of solutions for the problem t =?_ε s can be obtained by determining, for every terminal configuration obtained via QUnif, the set of substitutions that meet conditions (i)–(iii) above. If one is just interested in finding some solution, it suffices to compute a terminal configuration V; ζ Δ; δ; σ and compose σ with a substitution that maps all variables in V to a fresh variable. The value of δ corresponds to the "degree" to which such a solution τ solves the unification problem, i.e. δ = (tτ ≐_{Essh} sτ).

*Example 4.* Consider the unification problem f(y, g(x, x)) =?_{E,ε} g(f(c, a), y), where **˙** = **L**, E = {1 a ≈ b, 1 b ≈ c, 1 f(x1, x2) ≈ g(x1, x2)} and ε = 5. The following derivation can be obtained by QUnif:

$$\begin{aligned} & \{f(y, g(x, x)) =^?_{\boldsymbol{\alpha}} g(f(c, a), y)\};\ 5 \geqslant \boldsymbol{\alpha};\ 0;\ \mathit{Id} \\ & \Longrightarrow_{\mathsf{Dec}} \{y =^?_{\boldsymbol{\beta}_1} f(c, a),\ g(x, x) =^?_{\boldsymbol{\beta}_2} y\};\ 4 \geqslant \boldsymbol{\beta}_1 + \boldsymbol{\beta}_2;\ 1;\ \mathit{Id} \\ & \Longrightarrow^{y \mapsto f(z_1, z_2)}_{\mathsf{L\text{-}Sub}} \{z_1 =^?_{\boldsymbol{\gamma}_1} c,\ z_2 =^?_{\boldsymbol{\gamma}_2} a,\ g(x, x) =^?_{\boldsymbol{\beta}_2} f(z_1, z_2)\};\ 4 \geqslant \boldsymbol{\gamma}_1 + \boldsymbol{\gamma}_2 + \boldsymbol{\beta}_2;\ 1;\ \{y \mapsto f(z_1, z_2)\} \\ & \Longrightarrow^{z_1 \mapsto b}_{\mathsf{L\text{-}Sub}} \{z_2 =^?_{\boldsymbol{\gamma}_2} a,\ g(x, x) =^?_{\boldsymbol{\beta}_2} f(b, z_2)\};\ 3 \geqslant \boldsymbol{\gamma}_2 + \boldsymbol{\beta}_2;\ 2;\ \{y \mapsto f(b, z_2),\ z_1 \mapsto b\} \\ & \Longrightarrow_{\mathsf{Dec}} \{z_2 =^?_{\boldsymbol{\gamma}_2} a,\ x =^?_{\boldsymbol{\delta}_1} b,\ x =^?_{\boldsymbol{\delta}_2} z_2\};\ 2 \geqslant \boldsymbol{\gamma}_2 + \boldsymbol{\delta}_1 + \boldsymbol{\delta}_2;\ 3;\ \{y \mapsto f(b, z_2),\ z_1 \mapsto b\} \\ & \Longrightarrow^{z_2 \mapsto a}_{\mathsf{L\text{-}Sub}} \{x =^?_{\boldsymbol{\delta}_1} b,\ x =^?_{\boldsymbol{\delta}_2} a\};\ 2 \geqslant \boldsymbol{\delta}_1 + \boldsymbol{\delta}_2;\ 3;\ \{y \mapsto f(b, a),\ z_1 \mapsto b,\ z_2 \mapsto a\} \\ & \Longrightarrow^{x \mapsto a}_{\mathsf{L\text{-}Sub}} \{a =^?_{\boldsymbol{\delta}_2} a\};\ 1 \geqslant \boldsymbol{\delta}_2;\ 4;\ \{y \mapsto f(b, a),\ z_1 \mapsto b,\ z_2 \mapsto a,\ x \mapsto a\} \\ & \Longrightarrow_{\mathsf{Tri}} \emptyset;\ 1 \geqslant 0;\ 4;\ \{y \mapsto f(b, a),\ z_1 \mapsto b,\ z_2 \mapsto a,\ x \mapsto a\} \end{aligned}$$

This leads to the solution {y → f(b, a), x → a} (with degree 4). Further solutions can be obtained via different choices in the Subst steps.

*Example 5.* Consider **˙** = **L**, E = {1 f(x, y) ≈ g(x, y)}, and the E-unification problem g(a, x) =?_3 f(y, g(b, z)). A derivation of QUnif is given below.

$$\begin{aligned} & \{g(a, x) =^?_{\boldsymbol{\alpha}} f(y, g(b, z))\};\ 3 \geqslant \boldsymbol{\alpha};\ 0;\ \mathit{Id} \\ & \Longrightarrow_{\mathsf{Dec}} \{a =^?_{\boldsymbol{\beta}_1} y,\ x =^?_{\boldsymbol{\beta}_2} g(b, z)\};\ 2 \geqslant \boldsymbol{\beta}_1 + \boldsymbol{\beta}_2;\ 1;\ \mathit{Id} \\ & \Longrightarrow_{\mathsf{Ori}} \{y =^?_{\boldsymbol{\beta}_1} a,\ x =^?_{\boldsymbol{\beta}_2} g(b, z)\};\ 2 \geqslant \boldsymbol{\beta}_1 + \boldsymbol{\beta}_2;\ 1;\ \mathit{Id} \\ & \Longrightarrow^{y \mapsto a}_{\mathsf{L\text{-}Sub}} \{x =^?_{\boldsymbol{\beta}_2} g(b, z)\};\ 2 \geqslant \boldsymbol{\beta}_2;\ 1;\ \{y \mapsto a\} \\ & \Longrightarrow^{x \mapsto f(x_1, x_2)}_{\mathsf{L\text{-}Sub}} \{x_1 =^?_{\boldsymbol{\gamma}_1} b,\ x_2 =^?_{\boldsymbol{\gamma}_2} z\};\ 1 \geqslant \boldsymbol{\gamma}_1 + \boldsymbol{\gamma}_2;\ 2;\ \{y \mapsto a,\ x \mapsto f(x_1, x_2)\} \\ & \Longrightarrow^{x_1 \mapsto b}_{\mathsf{L\text{-}Sub}} \{x_2 =^?_{\boldsymbol{\gamma}_2} z\};\ 1 \geqslant \boldsymbol{\gamma}_2;\ 2;\ \{y \mapsto a,\ x \mapsto f(b, x_2),\ x_1 \mapsto b\} \end{aligned}$$

The computed terminal configuration still contains equations between variables. For any ψ such that 1 x2ψ =_E zψ, the substitution {y → a, x → f(b, x2)}ψ is an (E,ε)-unifier of the given terms. In particular, unifiers that can be obtained from this configuration include, e.g., {y → a, x → f(b, u), z → u}, where u is a fresh variable (with degree 2), and also {y → a, x → f(b, f(a, a)), z → g(a, a)} (with degree 3).

#### 4.2 Idempotent Quantales

Now we consider the case where **˙** is idempotent. Under this hypothesis, we can strengthen our results and show that – with the right definitions – the unification problem is unitary, and that a simplified version of QUnif computes a most general unifier of two given terms. For the fuzzy quantale **˙** = **I**min = ([0, 1], , min), our algorithm coincides with Sessa's weak unification algorithm [23].

Note that in any integral idempotent quantale, meet and tensor coincide. As a consequence, in an idempotent quantale, α β implies β α = α.

Definition 10 (Weak mgu). *A substitution* σ *is a* weak most general (E,ε)-unifier of t and s*, denoted wmgu*_{E,ε}(t, s)*, if* U_{E,ε}(t, s) = {τ | σ E,V(t,s),ε τ}*.*

By Lemma 2 (ii), σ = *wmgu*_{E,ε}(t, s) iff σ ∈ U_{E,ε}(t, s) and σ E,V(t,s),ε τ holds for every τ ∈ U_{E,ε}(t, s); that is, iff {σ} = *mcsu*_{E,ε,ε}(t, s).

In the idempotent setting, the rules L-Sub and CCh from QUnif can be replaced by simpler versions:

#### E-Sub: Substitute (eager)

$$\{x =^?_{\boldsymbol{\alpha}} s\} \uplus P;\ \zeta \preceq \boldsymbol{\alpha} \otimes \Delta;\ \delta;\ \sigma \Longrightarrow P\{x \mapsto s\};\ \zeta \preceq \Delta;\ \delta;\ \sigma\{x \mapsto s\}, \quad \text{if } x \notin \mathcal{V}(s).$$

#### OCh: Occurrence check

$$\{x =^?_{\boldsymbol{\alpha}} s\} \uplus P;\ C;\ \delta;\ \sigma \Longrightarrow \mathbf{F}, \quad \text{if } x \in \mathcal{V}(s) \text{ and } s \neq x.$$

Note that both of these rules constitute steps that could also be achieved by the rules from QUnif: E-Sub can be viewed as a composition of L-Sub and Dec steps, and OCh is just a restricted version of CCh. As before, we use these rules to transform the initial configuration corresponding to a given (Essh, ι)-unification problem. As an output, we return Failure if F has been obtained, or σ if a terminal configuration P; C; δ; σ has been reached. We denote the resulting algorithm by QUnif-id.

In order to obtain a stronger completeness theorem than in the general case, we refine the notion of a solution of a configuration.

Definition 11 (ι-solution of a configuration). *Let* ι ∈ Ω *be idempotent. A substitution* τ *is an* ι-solution *of the configuration* P; ζ **α**1 ⊗ **α**2 ⊗···⊗ **α**n; δ; σ *if there exists a function* μ *mapping metavariables to elements of* Ω *such that*

- *(*ι*1)* ζ μ(**α**1) ⊗ μ(**α**2) ⊗···⊗ μ(**α**n) *is valid,*
- *(*ι*2)* μ(**β**) tτ =_E sτ *holds for every equation* t =?_**β** s *in* P*,*
- *(*ι*3)* ι xτ =_E xστ *holds for every variable* x ∈ *dom*(σ)*.*

*The configuration F has no solutions.*

Note that the only difference in comparison with Definition 9 is that (ι3) features a quantitative equality over Essh, whereas in (S3) we have a syntactic equality.

The lemmas below are needed in the proof of soundness and completeness of QUnif-id (see [10] for their proofs).

Lemma 6. *Let* **˙** *be a (not necessarily idempotent) quantale,* ι ∈ Ω *be an idempotent element of* **˙***,* τ *be a substitution, and* t *and* s *be terms.*


Lemma 7. *Let* **˙** *be an idempotent quantale,* ι ∈ Ω*, and* C *be a configuration obtained from an* (Essh, ι)*-unification problem in* **˙** *by applying rules from* QUnif-id*. If* C' *is obtained from* C *by a rule from* QUnif-id*, then a substitution* τ *is an* ι*-solution of* C *iff it is an* ι*-solution of* C'*.*

Theorem 6 (Soundness and completeness of QUnif-id). *Consider an* (Essh, ι)*-unification problem between terms* t *and* s *in an idempotent quantale* **˙***, where* ι ∈ Ω*. Any run of* QUnif-id *starting from* {t =?_**α** s}; **α** ι; κ; *Id terminates and returns wmgu*_{Essh,ι}(t, s) *if it exists, or fails otherwise.*

*Proof.* Termination follows from termination of QUnif (Theorem 4). For soundness and completeness, by Lemma 6(i), a substitution τ is an (Essh, ι)-unifier of t and s iff it is an ι-solution of the initial configuration C_0. By Lemma 7, the latter holds iff τ is an ι-solution of any terminal configuration ∅; C; δ; σ, or equivalently, iff σ Essh,V(t,s),ι τ (by Lemma 6(ii)), concluding the proof.

*Example 6.* We demonstrate algorithm QUnif-id for the problem f(x, c) =?_{**I**,0.4,E} h(a, x) in the (idempotent) fuzzy quantale **I** with the min T-norm modulo E = {0.5 a ≈ b, 0.5 b ≈ c, 0.6 f(x1, x2) ≈ g(x1, x2), 0.7 g(x1, x2) ≈ h(x1, x2)}.

A derivation of QUnif-id is shown below:

$$\begin{aligned} & \{f(x, c) =^?_{\boldsymbol{\alpha}} h(a, x)\};\ 0.4 \leqslant \boldsymbol{\alpha};\ 1;\ \mathit{Id} \\ & \Longrightarrow_{\mathsf{Dec}} \{x =^?_{\boldsymbol{\beta}_1} a,\ c =^?_{\boldsymbol{\beta}_2} x\};\ 0.4 \leqslant \min(\boldsymbol{\beta}_1, \boldsymbol{\beta}_2);\ 0.6;\ \mathit{Id} \\ & \Longrightarrow^{x \mapsto a}_{\mathsf{L\text{-}Sub}} \{c =^?_{\boldsymbol{\beta}_2} a\};\ 0.4 \leqslant \boldsymbol{\beta}_2;\ 0.6;\ \{x \mapsto a\} \\ & \Longrightarrow_{\mathsf{Dec}} \emptyset;\ 0.4 \leqslant 1;\ 0.5;\ \{x \mapsto a\}. \end{aligned}$$

Choosing the other equation in the L-Sub step would lead to a different unifier {x → c} with the same degree 0.5. The solution {x → b} (with degree 0.5) is not computed. All three solutions are 0.5-equivalent.
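The closure of Remark 1 and the rules of QUnif-id (Tri, Dec, Cla, Ori, E-Sub, OCh), written out for the fuzzy quantale **I** with the min T-norm and run on Example 6, as an added example that is not the paper's code: the names `Proximity`, `qunif_id`, `Var` and `app` are this example's own, and it assumes κ = 1, ⊥ = 0, ⊗ = min, and max as the join of Remark 1. Since in this quantale the constraint ζ ⪯ β1 ⊗ ··· ⊗ βn reads ζ ≤ min(β1, ..., βn), it holds exactly when every degree introduced by a Dec step passes the Cla check ε ≤ d(f, g), so the code tracks only that check and the degree δ, and a `choose_last` switch exercises the don't-care choice that produces {x → c} instead of {x → a}.

```python
# Constructed example (not the paper's code): QUnif-id over the fuzzy quantale
# I_min = ([0,1], <=, min).  Here kappa = 1, bottom = 0, tensor = min, and the
# join of Remark 1 is max.  Names Proximity, qunif_id, Var, app are ours.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Var:
    """A first-order variable; every other term is a (symbol, args) tuple."""
    name: str


def app(symbol: str, *args) -> Tuple[str, tuple]:
    """Build f(t1, ..., tn); a constant is app("a") with no arguments."""
    return (symbol, tuple(args))


def variables(t) -> set:
    """V(t): the set of variables occurring in t."""
    if isinstance(t, Var):
        return {t}
    return set().union(*[variables(a) for a in t[1]])


def apply_subst(t, sigma: Dict[Var, object]):
    """t sigma, applied simultaneously."""
    if isinstance(t, Var):
        return sigma.get(t, t)
    return (t[0], tuple(apply_subst(a, sigma) for a in t[1]))


class Proximity:
    """d_E(f, g) in I_min for a presentation {gamma: f(x..) ~ g(x..)} (Remark 1):
    the axioms closed under (Sym) and (Trans), i.e. the max-min transitive
    closure of the symbol proximity relation, with d(f, f) = kappa = 1."""

    def __init__(self, axioms: List[Tuple[float, str, str]]):
        self.d: Dict[Tuple[str, str], float] = {}
        syms = set()
        for gamma, f, g in axioms:
            syms |= {f, g}
            for pair in ((f, g), (g, f)):                    # (Sym)
                self.d[pair] = max(self.d.get(pair, 0.0), gamma)
        for k in syms:                                       # (Trans), as a
            for i in syms:                                   # Floyd-Warshall
                for j in syms:                               # max-min closure
                    via = min(self(i, k), self(k, j))
                    if via > self(i, j):
                        self.d[(i, j)] = via

    def __call__(self, f: str, g: str) -> float:
        return 1.0 if f == g else self.d.get((f, g), 0.0)   # bottom = 0


def qunif_id(t, s, eps: float, prox: Proximity, choose_last: bool = False
             ) -> Optional[Tuple[Dict[Var, object], float]]:
    """Run QUnif-id on t =?_eps s.  Returns (sigma, delta) for a terminal
    configuration or None for the failure configuration F.  choose_last picks
    the last instead of the first equation (don't-care nondeterminism)."""
    P: List[Tuple[object, object]] = [(t, s)]
    sigma: Dict[Var, object] = {}
    delta = 1.0                                        # kappa
    while P:
        l, r = P.pop(-1 if choose_last else 0)
        if l == r:                                     # Tri
            continue
        if not isinstance(l, Var) and isinstance(r, Var):   # Ori: t =? x
            P.append((r, l))
            continue
        if isinstance(l, Var):                         # x =? s
            if l in variables(r):
                return None                            # OCh: x in V(s), s != x
            rho = {l: r}                               # E-Sub: P rho, sigma rho
            P = [(apply_subst(a, rho), apply_subst(b, rho)) for a, b in P]
            sigma = {x: apply_subst(u, rho) for x, u in sigma.items()}
            sigma[l] = r
            continue
        (f, targs), (g, sargs) = l, r                  # both sides non-variable
        d = prox(f, g) if len(targs) == len(sargs) else 0.0
        if d < eps:                                    # Cla: eps not<= d(f, g)
            return None
        delta = min(delta, d)                          # Dec: delta (x) d(f, g)
        P.extend(zip(targs, sargs))
    return sigma, delta


if __name__ == "__main__":
    # Example 6: E = {0.5 a~b, 0.5 b~c, 0.6 f~g, 0.7 g~h}, f(x, c) =?_0.4 h(a, x)
    E = [(0.5, "a", "b"), (0.5, "b", "c"), (0.6, "f", "g"), (0.7, "g", "h")]
    x = Var("x")
    print(qunif_id(app("f", x, app("c")), app("h", app("a"), x), 0.4, Proximity(E)))
```

With `choose_last=True` the run picks `c =? x`, orients it and substitutes `x → c`, which is the other unifier of degree 0.5 mentioned above; raising the threshold to 0.6 makes the Dec step on `c =? a` fail by Cla, since d(c, a) = 0.5.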

# 5 Conclusion

In the quantitative setting, equality is replaced by its quantitative counterpart modeling the abstract notion of proximity between terms. A quantitative unification problem asks for finding a substitution that brings the given terms close to each other within a predefined range (with respect to this abstract proximity). However, unlike the standard unification, here it is not guaranteed that an instance of a unifier is still a unifier. The reason is that the instantiation is also quantitative, and it might move the more specific substitution "too far away" from a unifier of the given problem.

In studying quantitative unification, one has to address such and related challenges. We investigated the quantitative equational unification problem in Lawvereian quantales modulo theories presented by axioms of the form γ f(x1,...,xn) ≈ g(x1,...,xn). Our notion of a minimal complete set of unifiers takes into account two (abstract) distances: between terms to be unified and between substitutions via instantiation. We showed that our unification problems in arbitrary Lawvereian quantales are finitary, while for idempotent Lawvereian quantales, they are unitary. The corresponding algorithms were developed and their properties were studied.

The equational theories that we considered here are a special case of simple shallow theories. An interesting future work would be to extend this work to a larger class of shallow theories (which have some desirable properties in the standard case [6]). Further, the related problem of disunification in Lawvereian quantales is worth investigating.

Acknowledgments. Supported by the Austrian Science Fund (FWF) under project P 35530 (SQUEE).

Disclosure of Interests. The authors have no competing interests to declare that are relevant to the content of this article.

# References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Equivalence Checking of Quantum Circuits by Model Counting**

Jingyi Mei, Tim Coopmans, Marcello Bonsangue, and Alfons Laarman

Leiden University, Leiden, The Netherlands {j.mei,t.j.coopmans,m.m.bonsangue,a.w.laarman}@liacs.leidenuniv.nl

**Abstract.** Verifying equivalence between two quantum circuits is a hard problem, that is nonetheless crucial in compiling and optimizing quantum algorithms for real-world devices. This paper gives a Turing reduction of the (universal) quantum circuits equivalence problem to weighted model counting (WMC). Our starting point is a folklore theorem showing that equivalence checking of quantum circuits can be done in the so-called Pauli-basis. We combine this insight with a WMC encoding of quantum circuit simulation, which we extend with support for the Toffoli gate. Finally, we prove that the weights computed by the model counter indeed realize the reduction. With an open-source implementation, we demonstrate that this novel approach can outperform a state-of-the-art equivalence-checking tool based on ZX calculus and decision diagrams.

**Keywords:** Quantum computing · Circuit equivalence · Satisfiability · #SAT · Weighted model counting · Pauli basis

## **1 Introduction**

Physicists and chemists regularly deal with 'quantum NP'-hard problems, for example when finding the ground state (energy) of a physical system [30] or assessing the consistency of local density matrices (the quantum analog of deciding the consistency of marginal probability distributions) [32]. Quantum computing not only holds the potential to provide a matching computational resource for tackling these challenges but also serves as a bridge to incorporate classical reasoning techniques for tackling nature's hardest problems. Quantum circuits, in particular, offer a precise view into these problems, because the quantum circuit equivalence checking problem is also 'quantum NP'-hard.

Circuit equivalence [2,4,8,22,23,52,55,56,61] also has many important applications. Since quantum computers are highly affected by noise, it is necessary to optimize the circuits to maximize the performance when running them on a real device. Furthermore, many devices can only handle shallow-depth circuits and are subject to various constraints such as connectivity, topology, and native gate sets. An essential aspect of designing and optimizing quantum circuits is verifying whether two quantum circuits implement the same quantum operation.

Equivalence checking for so-called Clifford circuits is tractable [52], which is surprising considering their wide applicability, e.g. in quantum error correction [9,48,49]. Extending the Clifford gate set with any non-Clifford gate, however, e.g. with a T or Toffoli gate, makes the problem immediately 'quantum NP'-hard, that is: NQP-hard to compute exactly [51] and QMA-hard to approximate [24], even for constant-depth circuits [25].<sup>1</sup> The exact formulation of equivalence checking allows its discretization [29], exposing the underlying combinatorial problem that classical reasoning methods excel in. Indeed, exact reasoning methods based on decision diagrams are even used to compute the approximate version of the problem (see e.g. [23,57]).

Our aim is to use reasoning tools based on satisfiability (SAT) for *exact* equivalence checking of *universal* quantum circuits. Like SAT solvers [7,16], model counters, or #SAT solvers, can handle complex constraints from industrial-scale applications [40,47], despite the #P-completeness of the underlying problem.

We propose a new equivalence-checking algorithm based on weighted model counting (WMC). To do so, we generalize the WMC encoding of quantum circuit simulation from [34], showing that it essentially only relies on expressing quantum information in the so-called Pauli basis [18], thus obviating the need for the arguably more complex stabilizer theory [20,63]. In addition, we extend the encoding with support for the (non-Clifford) Toffoli gate, allowing more efficient encodings for many circuits. We then prove that a folklore theorem on quantum circuit equivalence checking [52] enables the reduction of the problem to a sequence of weighted Boolean formulas that can be solved using existing weighted model counters (provided they support negative weights [34]).

We show how the WMC encoding satisfies the conditions of the theorem from [52] and implement the proposed equivalence checking algorithm in the open-source tool ECMC, which uses the weighted model-counting tool GPMC [50].<sup>2</sup> To assess the scalability and practicality of ECMC, we conduct experimental evaluations using random Clifford+T circuits which closely resemble quantum chemistry applications [59] and various quantum algorithms from the MQT benchmark [43], which includes important quantum algorithms such as QAOA, W-state, and VQE among others. We compare the results of our method against those of the state-of-the-art circuit equivalence checker QCEC [8], showing that in several cases the WMC approach used by our ECMC tool is competitive.

In summary, this paper provides a many-to-many reduction of (universal) quantum circuit equivalence to weighted model counting (WMC). As a consequence, we contribute additional new benchmarks for the WMC competition: basically, each pair of universal quantum circuits can be reduced to a sequence of weighted CNF encodings that need to be solved to (dis)prove equivalence. This opens up numerous possibilities and challenges to better adapt model counters for this new application area in quantum computing.

<sup>1</sup> A similar "jump" in hardness was noted for quantum circuit simulation in [54].

<sup>2</sup> While the theorem presented in [52] already supported universal circuits, the provided tool implementation in [52] is limited to (non-universal) Clifford circuits.

## **2 General Background**

We only provide the necessary background. For a more complete description see the full version of this paper [35].

*Quantum Computing.* We fix $n$ as the number of qubits in the circuit(s) under consideration and write $[m]$ for the set $\{1, \ldots, m\}$. Qubits are numbered as $[n]$. We represent an $n$-qubit quantum state $|\phi\rangle \in \mathbb{C}^{2^n}$ as its *density matrix* $|\phi\rangle\langle\phi| \in \mathbb{C}^{2^n \times 2^n}$, where $\langle\phi|$ represents the conjugate transpose $|\phi\rangle^\dagger$ of $|\phi\rangle$ [38].

A quantum gate $G$ on $n$ qubits can be expressed by a $2^n \times 2^n$ complex matrix $U\_G$ which is unitary, i.e. $U\_G$ is invertible and satisfies $U\_G^\dagger = U\_G^{-1}$. If a quantum state is represented by a density matrix $|\phi\rangle\langle\phi|$, then the density matrix after applying $G$ is given by *conjugation* of $|\phi\rangle\langle\phi|$, i.e. $U\_G |\phi\rangle\langle\phi| U\_G^\dagger$. For an $n$-qubit quantum system, applying a single-qubit gate $U$ on the $j$-th qubit is represented by

$$U\_j = I^{\otimes j-1} \otimes U \otimes I^{\otimes n-j},\tag{1}$$

where $I$ is the single-qubit identity matrix and $\otimes$ denotes the Kronecker product. A circuit in our text is simply a list of $n$-qubit unitaries, i.e., $C = (G\_0, \ldots, G\_{m-1})$, where $C$ can in turn be understood as a unitary itself: $U\_C = U\_{G\_{m-1}} \cdot U\_{G\_{m-2}} \cdots U\_{G\_0}$. We will sometimes refer to a gate or circuit as its unitary, and vice versa, because it is clear from context which is meant.

The gates

$$H = \frac{1}{\sqrt{2}} \begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix}, \quad S = \begin{bmatrix} 1 & 0 \\ 0 & i \end{bmatrix}, \quad CZ = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & -1 \end{bmatrix}$$

form the so-called Clifford (generating) set.

Though non-universal and classically simulatable [1], Clifford circuits, i.e., circuits composed of Clifford gates only, are expressive enough to describe entanglement, teleportation and superdense coding, and are used in quantum error-correcting codes [9,48,49] and in measurement-based quantum computation [46]. Nonetheless, even equivalence checking of Clifford circuits is in P [52]. By extending the Clifford gate set with any non-Clifford gate, such as $T = \sqrt{S}$, Toffoli or the arbitrary rotation gates $R\_X$, $R\_Y$, $R\_Z$, we immediately obtain a universal gate set, in the sense that arbitrary unitaries can be approximated [14,30,31].

In this work, we express matrices not in the standard basis but in the Pauli basis. We define the $2 \times 2$ *Pauli matrices* $X, Y, Z$, together with the identity, as:

$$\sigma[00] \equiv I \equiv \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad \sigma[01] \equiv Z \equiv \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix}, \quad \sigma[10] \equiv X \equiv \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix}, \quad \sigma[11] \equiv Y \equiv \begin{bmatrix} 0 & -i \\ i & 0 \end{bmatrix}$$

For $n$ qubits, we define the set of "Pauli strings" $\hat{\mathcal{P}}\_n \triangleq \{P\_1 \otimes P\_2 \otimes \cdots \otimes P\_n \mid P\_j \in \{I, X, Y, Z\}\}$. Inheriting the properties of Pauli matrices, Pauli strings are unitary, involutory and Hermitian. It is well known that the scaled Pauli strings $\{\frac{1}{\sqrt{2^n}} \cdot P \mid P \in \hat{\mathcal{P}}\_n\}$ form an orthonormal basis for the $2^n \times 2^n$ complex matrices [27]. Hence, we can decompose any $2^n \times 2^n$ complex matrix $M$ as $M = \sum\_{P \in \hat{\mathcal{P}}\_n} \gamma\_P \cdot P$, where the *Pauli coefficient* is $\gamma\_P = \frac{1}{2^n} \operatorname{Tr}(P^\dagger \cdot M)$.

In general, the coefficients $\gamma\_P$ are complex numbers, but for Hermitian matrices they are real [18,35].

*Example 1.* The matrix $M = \begin{bmatrix} 1 & 4+i \\ 4-i & -5 \end{bmatrix}$ is Hermitian. We calculate the coefficients:

$$\frac{1}{2}\operatorname{Tr}(I^{\dagger}M) = -2, \quad \frac{1}{2}\operatorname{Tr}(Z^{\dagger}M) = 3, \quad \frac{1}{2}\operatorname{Tr}(X^{\dagger}M) = 4, \quad \frac{1}{2}\operatorname{Tr}(Y^{\dagger}M) = -1$$

It is straightforward to verify that these are $M$'s (real) Pauli coefficients:

$$-2I + 4X - 1Y + 3Z = -2 \cdot \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix} + 4 \cdot \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix} - 1 \cdot \begin{bmatrix} 0 & -i \\ i & 0 \end{bmatrix} + 3 \cdot \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix} = \begin{bmatrix} 1 & 4+i \\ 4-i & -5 \end{bmatrix}.$$

*Weighted Model Counting (WMC).* In this work, we will encode the Pauli coefficients of specific matrices as weighted model counting: a sum of weights over all satisfying assignments of a boolean formula. We here formally describe WMC.

For boolean variables $x, y \in \mathbb{B} = \{0, 1\}$, we define a literal as e.g. $x$ and $\overline{x}$, and write conjunctions of literals (cubes) as products, e.g., $xy = x \wedge y$. A clause is a disjunction of literals, e.g., $x \vee y$. A formula in conjunctive normal form (CNF) is a conjunction of clauses.

Let $F : \mathbb{B}^{\vec{x}} \to \mathbb{B}$ be a propositional formula over boolean variables $\vec{x} \in \mathbb{B}^n$. We assign weights to literals using a weight function $W : \{x, \overline{x} \mid x \in \vec{x}\} \to \mathbb{R}$. Given an assignment $\alpha \in \mathbb{B}^{\vec{x}}$, let $W(\alpha) = \prod\_{x \in \vec{x}} W(x = \alpha(x))$. We define *weighted model counting* [7,10,19,21] as follows.

$$MC\_W(F) \triangleq \sum\_{\alpha \in \mathbb{B}^{\vec{x}}} F(\alpha) \cdot W(\alpha)$$

*Example 2.* Consider the formula $F = b \wedge c$ over $\vec{x} = (a, b, c)$. There exist two satisfying assignments: $\alpha\_1 = abc$ and $\alpha\_2 = \overline{a}bc$. Suppose a weight function $W$ is defined as follows: $W(a) = -2$, $W(\overline{a}) = 3$, $W(b) = 1/2$, $W(\overline{b}) = 2$, while $c$ remains unbiased, i.e., $W(c) = W(\overline{c}) = 1$. The weighted model count of $F$ with respect to $W$ is computed as follows: $MC\_W(F) = F(abc) \cdot W(abc) + F(\overline{a}bc) \cdot W(\overline{a}bc) = (-2 \cdot \frac{1}{2} \cdot 1) + (3 \cdot \frac{1}{2} \cdot 1) = \frac{1}{2}$.
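The definition above, as an added example that is not code from the paper or from the ECMC/GPMC tools: a small exhaustive weighted model counter over CNF in the DIMACS literal convention, using exact fractions so that the negative and fractional weights of Example 2 add up without rounding. The variable numbering $(a, b, c) = (1, 2, 3)$ and the `EXAMPLE_*` names are my own choices.

```python
from fractions import Fraction
from itertools import product

# Constructed example input (mirrors Example 2; not data from the paper's tool):
# a CNF is a list of clauses, a clause a list of non-zero ints in the DIMACS
# convention, +v for variable v and -v for its negation.  F = b AND c with
# (a, b, c) = (1, 2, 3).
EXAMPLE_CNF = [[2], [3]]
EXAMPLE_NUM_VARS = 3

# Weight function W on literals.  Literals missing from the table are unbiased
# (weight 1), like c in Example 2.  Negative weights are allowed on purpose:
# the encoding of Sect. 4 needs them to express cancelling terms.
EXAMPLE_WEIGHTS = {1: Fraction(-2), -1: Fraction(3),
                   2: Fraction(1, 2), -2: Fraction(2)}


def satisfies(cnf, alpha):
    """F(alpha): alpha maps variable -> bool; a clause holds if one literal is true."""
    return all(any(alpha[abs(lit)] == (lit > 0) for lit in clause) for clause in cnf)


def assignment_weight(alpha, weights):
    """W(alpha) = product over variables x of W(x = alpha(x))."""
    w = Fraction(1)
    for var, value in alpha.items():
        w *= weights.get(var if value else -var, Fraction(1))
    return w


def models(cnf, num_vars):
    """All satisfying assignments of F over the variables 1..num_vars."""
    for bits in product((False, True), repeat=num_vars):
        alpha = dict(zip(range(1, num_vars + 1), bits))
        if satisfies(cnf, alpha):
            yield alpha


def weighted_model_count(cnf, num_vars, weights):
    """MC_W(F) = sum over alpha of F(alpha) * W(alpha), by exhaustive enumeration."""
    return sum((assignment_weight(alpha, weights) for alpha in models(cnf, num_vars)),
               Fraction(0))


def cube(alpha, names="abc"):
    """Render an assignment as a cube such as '~a b c' (display only)."""
    parts = []
    for v in sorted(alpha):
        name = names[v - 1] if v <= len(names) else f"x{v}"
        parts.append(("" if alpha[v] else "~") + name)
    return " ".join(parts)


if __name__ == "__main__":
    for alpha in models(EXAMPLE_CNF, EXAMPLE_NUM_VARS):
        print(cube(alpha), "weight", assignment_weight(alpha, EXAMPLE_WEIGHTS))
    print("MC_W(F) =", weighted_model_count(EXAMPLE_CNF, EXAMPLE_NUM_VARS, EXAMPLE_WEIGHTS))
    # With every weight left at 1 the same routine is plain model counting (#SAT).
    print("#SAT(F) =", weighted_model_count(EXAMPLE_CNF, EXAMPLE_NUM_VARS, {}))
```

The enumeration over all $2^n$ assignments is only there to make the definition concrete; the tool the paper uses, GPMC, computes the same sum without enumerating models, which is the whole reason the reduction in Sect. 4 is useful.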

## **3 Equivalence Checking Circuits in the Pauli Basis**

In this section, we introduce (exact) equivalence checking [2,4,8,22,52,55,56,61] in Definition 1, the task we set out to solve. In this work, we will only consider circuits which consist of gates and do not contain measurements (this is without loss of generality, since measurements can be deferred to the end of the circuit [38]).

**Definition 1.** *Given two $n$-qubit circuits $U$ and $V$ where $n \in \mathbb{N}^+$, $U$ is equivalent to $V$, written $U \equiv V$, if there exists a complex number $c$ (the global phase [38]) such that for all input states $|\psi\rangle$, we have $U|\psi\rangle = cV|\psi\rangle$.*

At first sight, one might think that Definition 1 requires iterating over all quantum states. However, although the $n$-qubit quantum state space is continuous, it is a complex vector space of dimension $2^n$, so it suffices to only consider $2^n$ basis vectors for proving $U$ and $V$ equivalent. In fact, the naive approach to equivalence checking is to decompose $U$ and $V$ in the standard basis; that is, to find $U$ and $V$ by writing each of their individual gates in the standard basis and determining the full unitaries $U$ and $V$ by matrix multiplication, and finally checking whether the matrix entries of $U$ equal those of $V$, modulo a uniform constant $c$. One could also perform such an approach when the individual gates in $U$ and $V$ are specified in a different basis, such as the Pauli basis (see Sect. 2), but this would have no a priori advantage over the use of the standard basis. Instead, we will use the following folklore result (for a proof see e.g. [52]).

**Theorem 1.** *Let $U, V$ be two circuits on $n \in \mathbb{N}^+$ qubits. Then $U$ is equivalent to $V$ if and only if the following condition holds (for the notation $P\_j$ see Eq. 1): for all $j \in [n]$ and $P \in \{X, Z\}$, we have $UP\_jU^\dagger = VP\_jV^\dagger$.*

The main advantage of using Theorem 1 instead of directly computing the (matrix entries of the) unitaries $U$ and $V$ is that for Clifford gates $G, G'$ it is computationally easy to update the Pauli coefficients of $GP\_jG^\dagger$ to those of $(G'G)P\_j(G'G)^\dagger = G'(GP\_jG^\dagger)G'^\dagger$. This feature forms the basis for efficient simulation of Clifford circuits and has led to efficient Clifford circuit equivalence checking [52]. Here, we will include $T$ gates, Toffoli, and Pauli rotation gates, enabling equivalence checking of universal quantum computing (lifting the hardness of equivalence checking to quantum analogs of NP, see Sect. 1). Another advantage of Theorem 1 is that, since $U$ is a unitary, $UP\_jU^\dagger$ is Hermitian, so that its Pauli coefficients are real numbers as noted in Sect. 2, relieving us from the need to use complex numbers.

*Example 3.* Choose $V = S\_1$ and $U = T\_1T\_1$. In order to determine whether $U \equiv V$, we compute the Pauli coefficients of $UXU^\dagger$, $UZU^\dagger$, $VXV^\dagger$ and $VZV^\dagger$ using Table 1. By Theorem 1, this implies that $U$ and $V$ are equivalent, which we verify by writing their unitaries in the standard basis as follows.

$$V = S = \begin{bmatrix} 1 & 0 \\ 0 & i \end{bmatrix}, \qquad U = T \cdot T = \begin{bmatrix} 1 & 0 \\ 0 & \sqrt{i} \end{bmatrix} \cdot \begin{bmatrix} 1 & 0 \\ 0 & \sqrt{i} \end{bmatrix} = \begin{bmatrix} 1 & 0 \\ 0 & i \end{bmatrix}$$

Finally, we remark that $UXU^\dagger = \frac{1}{2}(X + Y + Y - X) = Y$ exhibits both constructive interference (the $Y$ terms add up) and destructive interference (the $X$ terms cancel).
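To make Example 1 and the Theorem 1 check of Example 3 concrete, here is an added example (my own code, not the ECMC tool) that computes Pauli coefficients and runs the $UP\_jU^\dagger = VP\_jV^\dagger$ test for $P \in \{X, Z\}$ on every qubit, on matrices written as plain Python lists so that nothing beyond the standard library is needed. Qubit 1 is the most significant tensor factor, so the `CZ` and `CNOT` matrices below follow that ordering; all function and constant names are my own.

```python
import cmath
import math
from functools import reduce
from itertools import product

# Added example: Pauli decomposition and the Theorem 1 equivalence test, written
# over plain lists of complex numbers (no numpy needed).
SQ2 = 1 / math.sqrt(2)
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]
H = [[SQ2, SQ2], [SQ2, -SQ2]]
S = [[1, 0], [0, 1j]]
T = [[1, 0], [0, cmath.exp(1j * math.pi / 4)]]          # T = sqrt(S)
CZ = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, -1]]
PAULI = {"I": I2, "X": X, "Y": Y, "Z": Z}


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def dagger(A):
    """Conjugate transpose."""
    return [[complex(A[j][i]).conjugate() for j in range(len(A))] for i in range(len(A[0]))]


def kron(A, B):
    """Kronecker product; A indexes the more significant qubit."""
    return [[A[i][j] * B[k][l] for j in range(len(A[0])) for l in range(len(B[0]))]
            for i in range(len(A)) for k in range(len(B))]


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def identity(n):
    return reduce(kron, [I2] * n)


def embed(U, j, n):
    """Eq. (1): single-qubit gate U on qubit j (1-based) of an n-qubit system."""
    return reduce(kron, [I2] * (j - 1) + [U] + [I2] * (n - j))


def circuit_unitary(gates, n):
    """U_C = G_{m-1} ... G_0 for a circuit given as a list of n-qubit matrices."""
    U = identity(n)
    for G in gates:
        U = matmul(G, U)
    return U


def conjugate(U, M):
    """U M U^dagger: how a unitary acts on a density matrix or a Pauli string."""
    return matmul(matmul(U, M), dagger(U))


def pauli_coefficients(M, n):
    """gamma_P = Tr(P^dagger M) / 2^n for every Pauli string P, keyed by its label."""
    coeffs = {}
    for label in product("IXYZ", repeat=n):
        P = reduce(kron, [PAULI[c] for c in label])
        coeffs["".join(label)] = trace(matmul(dagger(P), M)) / 2 ** n
    return coeffs


def equivalent_by_theorem1(gates_u, gates_v, n, tol=1e-9):
    """Theorem 1: U == V up to global phase iff U P_j U^dag == V P_j V^dag for P in {X, Z}, j in [n]."""
    U, V = circuit_unitary(gates_u, n), circuit_unitary(gates_v, n)
    for j in range(1, n + 1):
        for P in (X, Z):
            Pj = embed(P, j, n)
            cu = pauli_coefficients(conjugate(U, Pj), n)
            cv = pauli_coefficients(conjugate(V, Pj), n)
            if any(abs(cu[k] - cv[k]) > tol for k in cu):
                return False
    return True


# Example 1 of the paper: a Hermitian matrix has real Pauli coefficients.
M_EXAMPLE1 = [[1, 4 + 1j], [4 - 1j, -5]]


def example1_coefficients():
    return pauli_coefficients(M_EXAMPLE1, 1)          # I: -2, Z: 3, X: 4, Y: -1


if __name__ == "__main__":
    print(example1_coefficients())
    print(equivalent_by_theorem1([T, T], [S], 1))     # Example 3: True
    print(equivalent_by_theorem1([T], [S], 1))        # a single T is not S: False
    # H on the target around CZ gives CNOT (control 1, target 2): a 2-qubit check.
    CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]
    print(equivalent_by_theorem1([embed(H, 2, 2), CZ, embed(H, 2, 2)], [CNOT], 2))
```

The Theorem 1 test needs only $2n$ conjugations and compares tables of real coefficients, whereas the naive check multiplies out the full unitaries and must still factor out the global phase $c$; the pair `[X, Y]` versus `[Z]` (where $YX = -iZ$) shows the phase disappearing on its own.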

We will finish this section by explaining the intuition behind Theorem 1, by rephrasing its proof from [52]. The first step in the proof is to realize that Definition 1 is equivalent to the following in the density matrix representation.

**Lemma 1.** *Given two $n$-qubit circuits $U$ and $V$ where $n \in \mathbb{N}^+$, $U$ is equivalent to $V$ iff for all $n$-qubit quantum states $|\phi\rangle$, we have $U|\phi\rangle\langle\phi|U^\dagger = V|\phi\rangle\langle\phi|V^\dagger$.*

Recall that for any unitary $U$, with $|\psi\rangle = U|\phi\rangle$, the corresponding operation on the density matrix $|\phi\rangle\langle\phi|$ is conjugation, i.e., $|\psi\rangle\langle\psi| = U|\phi\rangle\langle\phi|U^\dagger$. Density matrices are $2^n \times 2^n$ Hermitian matrices and can thus be expressed as a (real-weighted) linear combination of Pauli strings. For this reason, we observe that if $UPU^\dagger = VPV^\dagger$ for each Pauli string $P$, i.e. $U$ and $V$ coincide on all Pauli strings under conjugation, then $U$ and $V$ must also coincide on all density matrices under conjugation, and thus they are equivalent by Lemma 1.

The final step in proving Theorem 1 is to realize that for a unitary matrix, the conjugation action is completely determined by fixing its conjugation action on only the $X\_j$ and $Z\_j$ for $j \in [n]$. This insight relies on two parts. First, each Pauli string can be written as a product of $X\_j$'s and $Z\_j$'s modulo a factor in $\{\pm 1, \pm i\}$. Second, for a unitary $M$ we have $M^\dagger M = I$, which implies that instead of first multiplying $X\_j$'s and $Z\_j$'s to construct a Pauli string, followed by conjugation, one can first conjugate and subsequently multiply to arrive at the same result.<sup>3</sup> For example, $MX\_jM^\dagger \cdot MZ\_jM^\dagger = MX\_jIZ\_jM^\dagger = MX\_jZ\_jM^\dagger$.

We observe that in Table 1, the last two non-Clifford gates yield a linear combination of Pauli strings [34] for each input Pauli string (matrix). This potentially causes an explosion of the number of Pauli strings when conjugating multiple non-Clifford gates. To handle this, we will exploit the strength of model counters in Sect. 4 by representing Pauli strings $\hat{P}$ as satisfying assignments which are weighted by the coefficient $\gamma\_{\hat{P}}$.

## **4 Encoding Quantum Circuit Equivalence in SAT**

The previous section, Sect. 3, centered around Theorem 1, explained that equivalence checking can be done by conjugating Pauli strings with unitaries, and that the required calculations for this approach are the same as in simulation of quantum circuits using a density matrix representation of the quantum state. In this section, we show how we reduce equivalence checking of universal quantum circuits to weighted model counting, which is formalized in Corollary 1 below. Our approach is based on the $O(n + m)$-length encoding for quantum circuit simulation provided in [34]. Finally, our encoding in this work extends [34] with Toffoli gates. For the rest of the paper, we use $P$ for an unweighted Pauli string and $\mathbf{P}$ for a summation of weighted Pauli strings, e.g. $\frac{1}{\sqrt{2}}X + \frac{1}{\sqrt{2}}Y$.

<sup>3</sup> The conjugation map $P \mapsto UPU^\dagger$ is a group isomorphism.


**Table 1.** Lookup table for conjugating Pauli gates by Clifford+T+$R\_X$ gates. The subscripts "c" and "t" stand for "control" and "target". Adapted from [34].

To simplify notation, we will solve a rephrased version of the equivalence checking problem from Definition 1 in Sect. 3: to check whether a unitary $A$ is equivalent to the identity unitary $I$, which leaves every input unchanged. By choosing $A \triangleq V^\dagger U$, we see that $U \equiv V$ precisely if $A \equiv I$. If $U$ and $V$ consist of gates $U = (U\_0, U\_1, \ldots, U\_{m-1})$ and $V = (V\_0, V\_1, \ldots, V\_{\ell-1})$ for $m, \ell \in \mathbb{N}^+$, then a circuit for $A$ is given as the $m + \ell$ gates $A = (U\_0, U\_1, \ldots, U\_{m-1}, V\_{\ell-1}^\dagger, V\_{\ell-2}^\dagger, \ldots, V\_0^\dagger)$. Following Theorem 1, our task will be as follows: given a circuit $A = G\_0, \ldots, G\_{m-1} \in \{H\_j, S\_j, CZ\_{jk}, T\_j, \mathit{Toffoli}\_{jkl}, R\_X(\theta)\_j, \cdots \mid j, k, l \in [n]\}^m$, we need to obtain $\mathbf{P}^m = A\mathbf{P}^0A^\dagger$ from an initial $\mathbf{P}^0 \in \{+X\_i, +Z\_i \mid i \in [n]\}$, showing that $\mathbf{P}^m = \mathbf{P}^0$. Since $\mathbf{P}^0$ is a Pauli string and thus Hermitian, so is $\mathbf{P}^m$. Our approach is to construct a boolean formula whose weighted model counts represent the terms in the Pauli decomposition of $\mathbf{P}^m$.

### **4.1 Encoding Pauli Coefficients as Weighted Model Counts**

We first explain the encoding for circuit simulation from [34], where we encode the real-weighted sum of Pauli operators $\mathbf{P}$ and the update rules of the circuit $A$ as weighted boolean formulas. We start with the simplest case, a Pauli string, then consider how to encode a single summand, i.e., a single weighted Pauli operator, and in the end extend this to a weighted sum of Pauli operators.

Given a Pauli string $P = \bigotimes\_{i \in [n]} \sigma[a\_i, b\_i]$ with $a\_i, b\_i \in \{0, 1\}$, the corresponding encoding is denoted as $F\_P$, which is the boolean formula that has only $\{x\_1 \leftarrow a\_1, \cdots, x\_n \leftarrow a\_n, z\_1 \leftarrow b\_1, \cdots, z\_n \leftarrow b\_n\}$ as satisfying assignment, for example $F\_{Z \otimes X} = F\_{\sigma[01] \otimes \sigma[10]} = \overline{x\_1}x\_2z\_1\overline{z\_2}$. When it comes to weighted Pauli strings, although the weights are never imaginary in the case of a Hermitian matrix, they can still have a $\pm$ sign. A weighted Pauli operator can therefore be encoded by $2n + 1$ boolean variables: two bits $x\_i, z\_i$ for each of the $n$ Pauli matrices and one sign bit $r$, such that $\mathbf{P} = (-1)^r \sigma[x\_1, z\_1] \otimes \cdots \otimes \sigma[x\_n, z\_n]$. For example, consider the boolean formula $F\_{\mathbf{P}} = r\overline{x\_1}z\_1x\_2z\_2$ where $\mathbf{P} = -Z \otimes Y$. Its one satisfying assignment is $\{r \leftarrow 1, x\_1 \leftarrow 0, z\_1 \leftarrow 1, x\_2 \leftarrow 1, z\_2 \leftarrow 1\} \equiv -Z \otimes Y$. We later introduce weights $W(r) = -1$ and $W(\overline{r}) = 1$ to interpret the sign. So for a formula $F(x\_1, z\_1, \ldots, x\_n, z\_n, r)$, we let the satisfying assignments represent a set (linear combination) of Pauli strings. The base case is the formula $F\_{\mathbf{P}^0} = F\_P$ for a Pauli string $P \in \{X\_j, Z\_j \mid j \in [n]\}$. Next, we need to encode how sums of Pauli operators evolve when conjugating with the gates of the circuit, one by one. For this, our encoding duplicates the variables for all $m$ gates (each time step) as follows (which is similar to encodings for bounded model checking [6]).

$$\vec{w}^{t} = \{x\_j^t, z\_j^t, r^t \mid j \in [n]\} \text{ for } t \in \{0, 1, \ldots, m\} \text{ and } \vec{v}^{t} = \bigcup\_{i \in [t] \cup \{0\}} \vec{w}^{i}. \tag{2}$$

For example, $\mathbf{P}^0 = X\_1$ is encoded as $\overline{r^0}x\_1^0\overline{z\_1^0}\,\overline{x\_2^0}\,\overline{z\_2^0} \ldots \overline{x\_n^0}\,\overline{z\_n^0}$. Also, the satisfying assignments of a boolean formula $F\_A(\vec{v}^m)$ projected to the variables $\vec{w}^t$ represent the sum of Pauli operators after conjugating with the initial $t$ gates $G\_0, G\_1, \ldots, G\_{t-1}$ of the circuit $A$, written:

$$F\_A(\vec{v}^m)[\vec{w}^t] = \sum\_{\alpha \in \{0, 1\}^{\vec{v}^m}} F\_A(\alpha) \cdot (-1)^{\alpha(r^t)} \cdot \bigotimes\_{j \in [n]} \sigma[\alpha(x\_j^t), \alpha(z\_j^t)]$$

The next question is how to encode gate semantics, i.e., define a constraint to get $\mathbf{P}^1$ by conjugating gate $G\_0$ with $\mathbf{P}^0$, etc. Note that $\mathbf{P}^0 \in \{X\_j, Z\_j \mid j \in [n]\}$ consists of a sum of only one Pauli operator. For Clifford circuits $C$, there will only be a single satisfying assignment $\alpha$ for all time steps $t \in [m]$, since e.g. $HXH^\dagger = Z$ (and not e.g. $Z + Y$). Non-Clifford gates, like $T$ or Toffoli, will add satisfying assignments representing summands with different weights (e.g. sums of accumulated weights of $1/\sqrt{2}$ for the $T$ gate as discussed above). To encode these weights, we introduce new variables $u^t$, but only at time steps $t$ with a $T$ gate (i.e., $G\_t = T$).

When a gate $T\_j$ is performed and there is a satisfying assignment with $x\_j^t = 1$, it means that we are conjugating a $T$ gate on the $j$-th qubit set to $\pm X$ or $\pm Y$, and the result should be either $TXT^\dagger = \frac{1}{\sqrt{2}}(X + Y)$ or $TYT^\dagger = \frac{1}{\sqrt{2}}(Y - X)$ (modulo sign). To achieve this, the encoding should leave $z\_j^{t+1}$ unconstrained and set $u^t \Leftrightarrow x\_j^t$. Accordingly, we set the weights $W(u^t) = \frac{1}{\sqrt{2}}$ and $W(\overline{u^t}) = 1$. Table 2 illustrates how the boolean variables $\vec{w}^t$ and $\vec{w}^{t+1}$ relate for a $T$ gate (derived by computing $TPT^\dagger$ for Pauli gate $P$).

The encoding of gate semantics can be derived similarly. For example, the boolean constraint for $H\_j^t$ follows from Table 1 and is given by

$$F\_{H\_j^t}(\vec{w}^t, \vec{w}^{t+1}) \triangleq (r^{t+1} \Leftrightarrow r^t \oplus x\_j^t z\_j^t) \wedge (z\_j^{t+1} \Leftrightarrow x\_j^t) \wedge (x\_j^{t+1} \Leftrightarrow z\_j^t)$$

Here we omit the additional constraints $a^{t+1} \Leftrightarrow a^t$ for all otherwise unconstrained time-step $t+1$ variables $a$, i.e., for $a = x\_l^{t+1}, z\_l^{t+1}$ with $l \neq j$. Similarly, by abbreviating $F\_{G^t}(\vec{w}^t, \vec{w}^{t+1})$ as $G^t$, the encodings for the other Clifford+T gates are derived in the same way from Table 1 (the constraint for the $T$ gate is spelled out in Example 4).

**Table 2.** Boolean variables under the action of conjugating one $T$ gate. Here we omit the sign $(-1)^{r^t}$ for all $P$ and the sign $(-1)^{r^{t+1}}$ for all $TPT^\dagger$.


To this end, we can inductively define boolean constraints for each time step as $F\_{\mathbf{P}^t}(\vec{v}^t) = F\_{\mathbf{P}^0}(\vec{w}^0) \wedge \bigwedge\_{i \in [t-1] \cup \{0\}} G^i(\vec{w}^i, \vec{w}^{i+1})$ for $t \geq 1$, where $G^i$ denotes the gate at time step $i$ and $F\_{\mathbf{P}^0}(\vec{v}^0)$ encodes $\mathbf{P}^0$.

*Example 4.* Reconsider the circuit $U = T \cdot T$ from Example 3. Starting with $\mathbf{P}^0 = X$, the formulas are $F\_{\mathbf{P}^0} = x^0\overline{z^0}\,\overline{r^0}$ and $F\_{\mathbf{P}^1} = F\_{\mathbf{P}^0} \wedge F\_{T\_1^0}$, i.e.

$$\begin{aligned} F\_{\mathbf{P}^0} \wedge F\_{T\_1^0} = x\_1^0 \overline{z\_1^0}\, \overline{r^0} &\wedge (x\_1^1 \Leftrightarrow x\_1^0) \wedge (x\_1^0 \vee (z\_1^1 \Leftrightarrow z\_1^0)) \\ &\wedge (r^1 \Leftrightarrow r^0 \oplus x\_1^0 z\_1^0 \overline{z\_1^1}) \wedge (u^0 \Leftrightarrow x\_1^0), \end{aligned}$$

and similarly $F\_{\mathbf{P}^2} = F\_{\mathbf{P}^1} \wedge F\_{T\_1^1}$.

Formalizing the explanation above as an induction over the gates proves Proposition 1, relating weighted model counting to the Pauli coefficients (see Sect. 2).

**Proposition 1 (WMC computes the Pauli coefficients).** *Let $C\_A = (G\_0, \ldots, G\_{m-1})$ be an $n$-qubit circuit, $A = G\_0 \cdots G\_{m-1}$ the corresponding unitary and $\mathbf{P}^0$ a Pauli string, so that the encoding of $\mathbf{P}^m \triangleq A\mathbf{P}^0A^\dagger$ is given by $F\_{\mathbf{P}^m} \triangleq F\_{\mathbf{P}^0} \wedge \bigwedge\_{i=0}^{m-1} F\_{G^i}$ with the according weight function $W$. For any $\mathbf{P}^0 \in \{+X\_j, +Z\_j \mid j \in [n]\}$ and $P \in \hat{\mathcal{P}}\_n$, the weighted model count of $F\_{\mathbf{P}^m} \wedge F\_P$ equals the Pauli coefficient $\gamma\_P$ of $\mathbf{P}^m$. That is, $MC\_W(F\_{\mathbf{P}^m} \wedge F\_P) = \frac{1}{2^n} \cdot \operatorname{Tr}(P^\dagger \cdot A\mathbf{P}^0A^\dagger)$ for all $P \in \hat{\mathcal{P}}\_n$.*

We emphasize the necessity of using negative weights. For example, in Example 3 we have $\mathbf{P}^2 = U\mathbf{P}^0U^\dagger = \frac{1}{2}(X + Y + Y - X) = Y$ for $\mathbf{P}^0 = X$, where the terms $X$ and $-X$ cancel each other out, while the $Y$ terms add up. *This is why weighted model counting with negative weights is required: to reason about such constructive and destructive interference, ubiquitous in quantum computing.*

*Example 5.* Following Example 4, we have the satisfying assignments for $F\_{\mathbf{P}^0}$, $F\_{\mathbf{P}^1}$ and $F\_{\mathbf{P}^2}$ as:

$$\begin{split} SAT(F\_{\mathbf{P}^0}) &= \{x\_1^0\overline{z\_1^0}\,\overline{r^0}\}, \\ SAT(F\_{\mathbf{P}^1}) &= \{x\_1^0\overline{z\_1^0}\,\overline{r^0}\ x\_1^1\overline{z\_1^1}\,\overline{r^1}\ u^0,\ \ x\_1^0\overline{z\_1^0}\,\overline{r^0}\ x\_1^1z\_1^1\overline{r^1}\ u^0\}, \\ SAT(F\_{\mathbf{P}^2}) &= \{x\_1^0\overline{z\_1^0}\,\overline{r^0}\ x\_1^1\overline{z\_1^1}\,\overline{r^1}\ x\_1^2\overline{z\_1^2}\,\overline{r^2}\ u^0u^1,\ \ x\_1^0\overline{z\_1^0}\,\overline{r^0}\ x\_1^1\overline{z\_1^1}\,\overline{r^1}\ x\_1^2z\_1^2\overline{r^2}\ u^0u^1, \\ &\qquad\ \ x\_1^0\overline{z\_1^0}\,\overline{r^0}\ x\_1^1z\_1^1\overline{r^1}\ x\_1^2z\_1^2\overline{r^2}\ u^0u^1,\ \ x\_1^0\overline{z\_1^0}\,\overline{r^0}\ x\_1^1z\_1^1\overline{r^1}\ x\_1^2\overline{z\_1^2}\,r^2\ u^0u^1\}, \end{split}$$

with the weight function $W(r^2) = -1$, $W(\overline{r^2}) = 1$, $W(u^0) = W(u^1) = \frac{1}{\sqrt{2}}$ and $W(\overline{u^0}) = W(\overline{u^1}) = 1$. Each of the satisfying assignments corresponds to a term in the Pauli decomposition of $\mathbf{P}^2$, which we recall from Example 3 to be

$$\mathbf{P}^2 = \frac{1}{2}X + \frac{1}{2}Y + \frac{1}{2}Y - \frac{1}{2}X = \left(\frac{1}{2} - \frac{1}{2}\right)X + \left(\frac{1}{2} + \frac{1}{2}\right)Y = Y. \tag{3}$$

For example, the term $-\frac{1}{2}X$ is encoded by $x\_1^0\overline{z\_1^0}\,\overline{r^0}\ x\_1^1z\_1^1\overline{r^1}\ x\_1^2\overline{z\_1^2}\,r^2\ u^0u^1$, because it contains $x\_1^2\overline{z\_1^2}$ (corresponding to $X$) and its weight is $W(r^2) \cdot W(u^0) \cdot W(u^1) = (-1) \cdot \frac{1}{\sqrt{2}} \cdot \frac{1}{\sqrt{2}} = -\frac{1}{2}$. We verify that the constructive interference of the $Y$ terms in (3) (i.e. they add up) results in an aggregate Pauli coefficient $\gamma\_Y$ of $\mathbf{P}^2$ of 1:

$$MC\_W(F\_{\mathbf{P}^2} \wedge F\_Y) = \frac{1}{\sqrt{2}} \cdot \frac{1}{\sqrt{2}} + \frac{1}{\sqrt{2}} \cdot \frac{1}{\sqrt{2}} = 1 = \frac{1}{2} \text{Tr}(Y \cdot \mathbf{P}^2).$$

Similarly, we verify that the destructive interference of the $X$ terms in (3) (i.e. they cancel) results in the coefficient $\gamma\_X$ being 0:

$$MC\_W(F\_{\mathbf{P}^2} \wedge F\_X) = \frac{1}{\sqrt{2}} \cdot \frac{1}{\sqrt{2}} - \frac{1}{\sqrt{2}} \cdot \frac{1}{\sqrt{2}} = 0 = \frac{1}{2} \text{Tr}(X \cdot \mathbf{P}^2). \tag{7}$$
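Examples 4 and 5 above, together with the identity check of Sect. 4.2, as an added example that is not the paper's ECMC code: the time-indexed variables of Eq. (2), gate constraints for $H$, $S$, $S^\dagger$ and $T$ (the $S^\dagger$ rule is my own, taken as the inverse of the $S$ rule, since Table 1 is not reproduced on this page), the weight function of Example 5 (only the final $r^m$ and the $u^t$ carry non-unit weights), and the weighted model count obtained by exhaustive enumeration instead of by GPMC. Circuits are lists of `(gate, qubit)` pairs in application order, so $A = V^\dagger U$ of Example 6 is `[("T", 1), ("T", 1), ("Sdg", 1)]`; all names are my own.

```python
import math
from itertools import product

# Added example, not the paper's ECMC code.  The variables of Eq. (2) are the
# tuples ("x", j, t), ("z", j, t), ("r", t) and, per T gate, ("u", t).  Gate
# constraints are Python predicates on a complete assignment (ECMC hands the
# same constraints to GPMC as CNF); MC_W is summed by brute force, so this is
# only meant for tiny circuits.
SQ2 = 1 / math.sqrt(2)
PAULI_NAME = {(False, False): "I", (False, True): "Z", (True, False): "X", (True, True): "Y"}


def pauli_label(alpha, n, t):
    """The Pauli string sigma[x_1^t, z_1^t] (x) ... (x) sigma[x_n^t, z_n^t] held at time step t."""
    return "".join(PAULI_NAME[alpha["x", j, t], alpha["z", j, t]] for j in range(1, n + 1))


def gate_constraint(gate, j, t, alpha):
    """F_{G_j^t}(w^t, w^{t+1}): does alpha follow the conjugation rule of gate G on qubit j?"""
    x, z, r = alpha["x", j, t], alpha["z", j, t], alpha["r", t]
    x1, z1, r1 = alpha["x", j, t + 1], alpha["z", j, t + 1], alpha["r", t + 1]
    if gate == "H":      # X <-> Z, Y -> -Y: the formula F_{H_j^t} of Sect. 4.1
        return x1 == z and z1 == x and r1 == (r ^ (x and z))
    if gate == "S":      # X -> Y, Y -> -X, Z -> Z
        return x1 == x and z1 == (x ^ z) and r1 == (r ^ (x and z))
    if gate == "Sdg":    # S^dagger: X -> -Y, Y -> X, Z -> Z (assumed; inverse of the S rule)
        return x1 == x and z1 == (x ^ z) and r1 == (r ^ (x and not z))
    if gate == "T":      # X -> (X+Y)/sqrt2, Y -> (Y-X)/sqrt2: z^{t+1} is free when x^t = 1
        return (x1 == x and (x or z1 == z) and r1 == (r ^ (x and z and not z1))
                and alpha["u", t] == x)
    raise ValueError(f"no encoding for gate {gate!r}")


def frame_constraint(n, j, t, alpha):
    """a^{t+1} <=> a^t for the qubits l != j that the gate at step t does not touch."""
    return all(alpha[k, l, t + 1] == alpha[k, l, t]
               for l in range(1, n + 1) if l != j for k in ("x", "z"))


def formula(circuit, n, initial, alpha):
    """F_{P^m} = F_{P^0}(w^0) AND G^0 AND ... AND G^{m-1} for circuit = [(gate, qubit), ...]."""
    if alpha["r", 0] or pauli_label(alpha, n, 0) != initial:    # P^0 is +initial
        return False
    return all(gate_constraint(g, j, t, alpha) and frame_constraint(n, j, t, alpha)
               for t, (g, j) in enumerate(circuit))


def variables(circuit, n):
    """v^m of Eq. (2) plus one u^t per T gate."""
    m = len(circuit)
    vs = [(k, j, t) for t in range(m + 1) for j in range(1, n + 1) for k in ("x", "z")]
    vs += [("r", t) for t in range(m + 1)]
    vs += [("u", t) for t, (g, _) in enumerate(circuit) if g == "T"]
    return vs


def weight(alpha, m):
    """W(alpha): -1 if the final sign bit r^m is set, 1/sqrt2 per set u^t, 1 otherwise."""
    sign = -1.0 if alpha["r", m] else 1.0
    return sign * SQ2 ** sum(1 for var in alpha if var[0] == "u" and alpha[var])


def satisfying_assignments(circuit, n, initial):
    """SAT(F_{P^m}) by brute force over all 2^|v^m| assignments (cf. Example 5)."""
    vs = variables(circuit, n)
    result = []
    for bits in product((False, True), repeat=len(vs)):
        alpha = dict(zip(vs, bits))
        if formula(circuit, n, initial, alpha):
            result.append(alpha)
    return result


def pauli_coefficient(circuit, n, initial, target):
    """MC_W(F_{P^m} AND F_target) = gamma_target of A P^0 A^dagger (Proposition 1)."""
    m = len(circuit)
    return sum(weight(alpha, m) for alpha in satisfying_assignments(circuit, n, initial)
               if pauli_label(alpha, n, m) == target)


def equivalent_to_identity(circuit, n, tol=1e-9):
    """Corollary 1: A == I iff MC_W(F_P(w^0) AND F_A AND F_P(w^m)) = 1 for all P in {X_j, Z_j}."""
    for j in range(1, n + 1):
        for p in "XZ":
            label = "I" * (j - 1) + p + "I" * (n - j)
            if abs(pauli_coefficient(circuit, n, label, label) - 1) > tol:
                return False
    return True


if __name__ == "__main__":
    tt = [("T", 1), ("T", 1)]                                  # U of Example 3, P^0 = X
    print(len(satisfying_assignments(tt, 1, "X")), "models, as in Example 5")
    print("gamma_Y =", pauli_coefficient(tt, 1, "X", "Y"))    # constructive: 1
    print("gamma_X =", pauli_coefficient(tt, 1, "X", "X"))    # destructive: 0
    print("S^dag T T == I:", equivalent_to_identity(tt + [("Sdg", 1)], 1))
    print("S^dag T   == I:", equivalent_to_identity([("T", 1), ("Sdg", 1)], 1))
```

Enumerating all $2^{|\vec{v}^m|}$ assignments is exponential in both $n$ and $m$; the point of the reduction is that a model counter such as GPMC avoids that enumeration, but the numbers it must reproduce are exactly the ones returned here, e.g. the four models of Example 5 and the counts $\gamma\_Y = 1$ and $\gamma\_X = 0$ of Eq. (3).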

**Toffoli Gate.** Similar to the way the gate encodings of the other non-Clifford gates were derived, we can encode the Toffoli gate. To this end, we brute-forced the Toffoli gate's behavior in the Pauli domain. To keep things readable, we only present a lookup table in the Pauli basis in Table 3, like Table 1. The corresponding boolean constraint can easily be derived. To subsequently obtain a minimal (weighted) CNF formula, we applied the Quine-McCluskey algorithm [33,44].

**Table 3.** A partial lookup table for the Toffoli gate for input/output Pauli operators $P$ and $Q$. The extended version of this paper [35] includes the full table.


### **4.2 WMC-Based Algorithm for Equivalence Checking**

The previous subsection explains how to encode the Pauli coefficients of $APA^\dagger$, where $A$ is a unitary and $P$ a Pauli string, in a boolean formula together with a weight function. We here connect this encoding to Theorem 1, which expresses that determining whether a unitary $A$ is equivalent to the identity circuit can be done by checking whether $APA^\dagger \stackrel{?}{=} P$ for the Pauli strings $P \in \{X\_j, Z\_j \mid j \in [n]\}$. We use the following lemma, which expresses that for any unitary $A$ and Pauli string $P$, the $P$-Pauli coefficient of $APA^\dagger$ can only become 1 if $APA^\dagger$ equals $P$.

**Lemma 2.** *Let $A$ be a unitary and $P \in \hat{\mathcal{P}}\_n$ be a Pauli string. Then $APA^\dagger = P$ if and only if $\frac{1}{2^n}\operatorname{Tr}(APA^\dagger \cdot P) = 1$.*

*Proof.* If $AP\_jA^\dagger = P\_j$, then $\operatorname{Tr}(AP\_jA^\dagger \cdot P\_j) = \operatorname{Tr}(P\_j \cdot P\_j) = \operatorname{Tr}(I^{\otimes n}) = 2^n$. For the converse direction, we observe that $\operatorname{Tr}(AP\_jA^\dagger \cdot P\_j)$ is the Frobenius inner product $\langle U, V \rangle \triangleq \operatorname{Tr}(U^\dagger V)$ for $U \triangleq AP\_jA^\dagger$ and $V \triangleq P\_j$. It now follows from the Cauchy-Schwarz inequality $|\langle U, V \rangle|^2 \leq \langle U, U \rangle \cdot \langle V, V \rangle$ that

$$\begin{aligned} |\operatorname{Tr}(AP\_jA^\dagger \cdot P\_j)|^2 &\leq \operatorname{Tr}((AP\_jA^\dagger)^\dagger \cdot AP\_jA^\dagger) \cdot \operatorname{Tr}(P\_j^\dagger \cdot P\_j) \\ &= \operatorname{Tr}(AP\_jA^\dagger \cdot AP\_jA^\dagger) \cdot \operatorname{Tr}(P\_j^\dagger \cdot P\_j) \\ &= \operatorname{Tr}(AP\_j \cdot P\_jA^\dagger) \cdot \operatorname{Tr}(I^{\otimes n}) \\ &= \operatorname{Tr}(AA^\dagger) \cdot \operatorname{Tr}(I^{\otimes n}) && (A \text{ and } P\_j \text{ are unitary}) \\ &= \operatorname{Tr}(I^{\otimes n}) \cdot \operatorname{Tr}(I^{\otimes n}) = 2^n \cdot 2^n = 4^n && (A \text{ is unitary}) \end{aligned}$$

and therefore $|\operatorname{Tr}(AP\_jA^\dagger \cdot P\_j)| \leq 2^n$. Since $\operatorname{Tr}(AP\_jA^\dagger \cdot P\_j) = 2^n$ by assumption, the Cauchy-Schwarz inequality is tight, which only happens if $U = AP\_jA^\dagger$ and $V = P\_j$ are linearly dependent. Thus, there exists a complex number $\lambda$ such that $AP\_jA^\dagger = \lambda P\_j$. Substituting this expression in $\operatorname{Tr}(AP\_jA^\dagger \cdot P\_j)$ yields $\operatorname{Tr}(\lambda P\_j \cdot P\_j) = \lambda \cdot \operatorname{Tr}(I^{\otimes n}) = \lambda 2^n$, hence $\lambda = 1$ and $AP\_jA^\dagger = P\_j$.

Combining Lemma 2 and Proposition 1 with Theorem 1 yields Corollary 1 below, which in turn implies the correctness of Algorithm 1, which reduces equivalence checking to WMC.

**Corollary 1.** *Let $A$ be an $n$-qubit circuit with $m$ gates and $P \in \{X_j, Z_j \mid j \in [n]\}$, which are encoded by $F_A$ and $F_P$ respectively, with according weight function $W$. We have $A \equiv I$ if and only if $\mathrm{MC}_W(F_P(w^0) \wedge F_A(v^t) \wedge F_P(w^m)) = 1$ for all $P \in \{X_j, Z_j \mid j \in [n]\}$, where $w^{t+1}$ are boolean variables encoding the quantum state in circuit $A$ after the $t$-th gate of $A$ ($0 \le t \le m-1$) and $v^t = \bigcup_{t \in [m] \cup \{0\}} w^t$ as defined in Eq. (2).*

*Example 6.* Consider $A = V^\dagger U$ where $U = (T, T)$ and $V = (S)$ as in Example 3. We show how to reduce the equivalence check $A \overset{?}{\equiv} I$ to weighted model counting. First, we encode the check $AXA^\dagger \overset{?}{=} X$ using $F_1 \triangleq F_{AXA^\dagger} \wedge F_X$:

[Circuit diagram of $A = V^\dagger U$, with the Pauli-string variable sets $P^0$, $P^1$, $P^2$, $P^3$ marking the time steps before and after each of the three gates.]

$$F_1 = \underbrace{x_1^0\,\overline{z_1^0}\,\overline{r^0} \wedge T_1^0 \wedge T_1^1 \wedge S_1^{\dagger,2}}_{F_{AXA^\dagger}} \wedge \underbrace{x_1^3\,\overline{z_1^3}}_{F_X}$$

**Algorithm 1.** Quantum circuit equivalence checking algorithm based on WMC. Given an $n$-qubit circuit $A = (G_0, G_1, \ldots, G_{m-1})$, the algorithm decides whether $A$ is equivalent to the identity circuit.


The satisfying assignments of $F_1$ are

$$\mathrm{SAT}(F_1) = \{\, x_1^1 z_1^1 r_1^1\; x_1^2 z_1^2 r_1^2\; x_1^3 z_1^3 r_1^3\; u^0 u^1,\ \ x_1^1 z_1^1 r_1^1\; x_1^2 z_1^2 r_1^2\; x_1^3 z_1^3 r_1^3\; \overline{u^0 u^1} \,\},$$

so $\mathrm{MC}_W(F_1) = \sum_{\sigma \in \mathrm{SAT}(F_1)} W(\sigma(r_1^3))\,W(\sigma(u^0))\,W(\sigma(u^1)) = \frac{1}{\sqrt{2}} \cdot \frac{1}{\sqrt{2}} + \frac{1}{\sqrt{2}} \cdot \frac{1}{\sqrt{2}} = 1$.

Now we turn to the check $AZA^\dagger \overset{?}{=} Z$, obtaining the formula $F_2 \triangleq F_{AZA^\dagger} \wedge F_Z$, where $F_{AZA^\dagger}$ is the same formula as in $F_1$ and $F_Z = \overline{x_1^3}\, z_1^3$. The satisfying assignments of $F_2$ are $\mathrm{SAT}(F_2) = \{\, x_1^0 z_1^0 r_1^0\; x_1^1 z_1^1 r_1^1\; x_1^2 z_1^2 r_1^2\; x_1^3 z_1^3 r_1^3\; u^0 u^1 \,\}$, and $\mathrm{MC}_W(F_2) = W(r_1^3)\,W(u^0)\,W(u^1) = 1$. Since both weighted model counts evaluate to 1, we conclude that $A \equiv I$.
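As an added example (not the paper's or ECMC's code), the check that Lemma 2, Corollary 1 and Example 6 perform through the WMC encoding, carried out here directly on dense matrices: the Pauli coefficient $\frac{1}{2^n}\operatorname{Tr}(APA^\dagger \cdot P)$ is computed for $P \in \{X_j, Z_j\}$, and $U \equiv V$ is decided via $A = V^\dagger U$. The gate-list format and all function names are assumptions of this snippet; it also handles the two-qubit CX gate, so the gate-removal and CNOT-flip errors of Sect. 5 can be reproduced on small circuits.

```python
# Added example (not the paper's code): the Pauli-conjugation check behind Theorem 1,
# Lemma 2 and Example 6 on explicit matrices instead of the WMC encoding. Pure Python.
import cmath
import math

# Standard gate matrices, constructed here (basis order |0>, |1>).
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
S = [[1, 0], [0, 1j]]
T = [[1, 0], [0, cmath.exp(1j * math.pi / 4)]]
SINGLE = {"S": S, "T": T, "X": X, "Z": Z}

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def kron(a, b):
    """Tensor product of two square matrices."""
    ra, rb = len(a), len(b)
    return [[a[i // rb][j // rb] * b[i % rb][j % rb]
             for j in range(ra * rb)] for i in range(ra * rb)]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a))]

def embed(gate, qubit, n):
    """n-qubit matrix applying a 1-qubit gate on `qubit` (qubit 0 is the leftmost factor)."""
    m = [[1]]
    for q in range(n):
        m = kron(m, gate if q == qubit else I2)
    return m

def cx(control, target, n):
    """n-qubit CX built as |0><0|_c (x) I + |1><1|_c (x) X_t."""
    t0, t1 = [[1]], [[1]]
    for q in range(n):
        t0 = kron(t0, [[1, 0], [0, 0]] if q == control else I2)
        t1 = kron(t1, [[0, 0], [0, 1]] if q == control else (X if q == target else I2))
    return [[t0[i][j] + t1[i][j] for j in range(2 ** n)] for i in range(2 ** n)]

def circuit_unitary(gates, n):
    """gates like [("T", 0), ("CX", 0, 1)] applied left to right; returns G_{m-1} ... G_0."""
    A = embed(I2, 0, n)
    for g in gates:
        G = cx(g[1], g[2], n) if g[0] == "CX" else embed(SINGLE[g[0]], g[1], n)
        A = matmul(G, A)
    return A

def pauli_coefficient(A, P, n):
    """(1/2^n) Tr(A P A^dagger . P), the P-coefficient of A P A^dagger; by Lemma 2 it is 1 iff A P A^dagger = P."""
    m = matmul(matmul(matmul(A, P), dagger(A)), P)
    return sum(m[i][i] for i in range(len(m))) / 2 ** n

def equivalent_to_identity(A, n):
    """Theorem 1 / Corollary 1: A is the identity up to global phase iff each X_j and Z_j is left fixed."""
    return all(abs(pauli_coefficient(A, embed(P, j, n), n) - 1) < 1e-9
               for j in range(n) for P in (X, Z))

def circuits_equivalent(u_gates, v_gates, n):
    """U and V are equivalent (up to global phase) iff A = V^dagger U is, as in Example 6."""
    A = matmul(dagger(circuit_unitary(v_gates, n)), circuit_unitary(u_gates, n))
    return equivalent_to_identity(A, n)
```

On Example 6's circuits, `circuits_equivalent([("T", 0), ("T", 0)], [("S", 0)], 1)` returns `True`; dropping one `T` gives the non-equivalent case, where the $X$ coefficient is $1/\sqrt{2}$ rather than 1.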

#### **5 Implementation: The ECMC Tool**

We implemented our method in an open-source tool called ECMC, available at https://github.com/System-Verification-Lab/Quokka-Sharp. ECMC takes two quantum circuits in QASM format [13] as input. It encodes these circuits to a sequence of 2n weighted conjunctive normal form (CNF) formulas as explained in Sect. 4, and then uses the weighted model counter GPMC [50] to solve these constraints in parallel, terminating as soon as one returns a negative result. Here we set the number of parallel cores to be 16 as it is shown to be the optimal number of cores for our task.

We choose GPMC as it supports the negative weights in our encoding and performs the best among solvers with that capability in the model counting competition 2023 [21]. To demonstrate the effectiveness of our method, we conducted a set of broad experiments as discussed in the following.

**Fig. 1.** Equivalence check of typical random Clifford+T circuits against their optimized circuits (equivalent cases, Fig 1 & Fig 2) and optimized circuits with one random gate missing (non-equivalent cases, Fig 3 & Fig 4). (Both vertical axes are on a logarithmic scale.)

We performed equivalence checking of quantum circuits, comparing our method against the state-of-the-art tool QCEC [8], which runs different algorithms and heuristics based on the ZX calculus and on decision diagrams (abbreviated DD) in a portfolio with 16 parallel threads [60]. Similar to ECMC, QCEC also terminates early when one thread returns "non-equivalent". Since the ZX-calculus based method is still incomplete for universal quantum circuits, in the sense that it is only capable of proving equivalence, we use this tool under two settings: one is the default setting, which uses DD and the ZX calculus in portfolio; the other exclusively enables DD [8]. We use two families of circuits: (i) random Clifford+T circuits, which mimic hard problems arising in quantum chemistry [59] and quantum many-body physics [17]; (ii) all benchmarks from the public benchmark suite MQT Bench [43], which includes many important quantum algorithms like QAOA, VQE, QNN, Grover, etc. All experiments have been conducted on a 3.5 GHz M2 machine with MacOS 13 and 16 GB RAM. We set the time limit to 5 min (300 s) and include the time to read a QASM file, construct the weighted CNF and perform the model counting in all reported runtimes.

*Results.* First, to show the scalability of both methods on checking equivalence, we consider random circuits that resemble typical oracle implementations—random quantum circuits with varying numbers of qubits and depths, which comprise the CX, H, S, and T gates with occurrence ratios 10%, 35%, 35%, 20% [41]. We use the ZX-calculus tool PyZX [28] to generate optimized circuits, to construct equivalent, yet very different, counterparts. To construct non-equivalent instances, we inject an error by removing one random gate from the corresponding optimized circuits. So by construction, we know the correct answer for all equivalence checking instances in advance. The resulting runtimes can be seen in Fig. 1.

**Table 5.** Results of verifying non-equivalence of circuits from MQT bench against optimized circuits with flipped CNOT gate (Flipped) and one missing gate (1 Gate Missing). For cases within the time limit, we give the runtime (sec), while > 300 represents a timeout (5 min).

In addition to random circuits, to test structural quantum circuits, we empirically evaluated our method on the MQTBench benchmark set [43]. We also generate the optimized circuits of the circuits from MQT-bench using PyZX [28]. To generate non-equivalent instances, three kinds of errors are injected into the optimized circuits: one with a random gate removed, one where a random CNOT gate is flipped, switching control and target qubits, and one where the phase of the angle of a random rotation gate is shifted. For the last error, since many optimizations on rotation gates involve phase shifts in the rotation angles, we consider two sizes of phase shift: one with the angle of a random rotation gate increased by $10^{-4}$, one with the angle increased by $10^{-7}$. We note that this experimental setup is stronger than the one used in [41], where only two errors are considered: bit flip and phase shift, without giving the shifting scale. We present a representative subset of equivalence checking results in Table 4. The complete results can be found in the extended version of this paper [35]. The first three columns list the number of qubits $n$ and gates $|G|$ in the original circuits, and the number of gates $|G'|$ in the optimized circuits. Then we give the runtime of the weighted model counting tool ECMC, the decision diagram-based QCEC (DD) and the default setting of QCEC respectively. For the non-equivalent cases, we show the flipped-CNOT and one-gate-missing errors in Table 5. The first three columns are the same as in Table 4, followed by the performance of all three tools on the CNOT-flipped error and the one-gate-missing error respectively. Finally, Table 6 shows the performance on phase shift errors, where Shift-$10^{-4}$ (resp. Shift-$10^{-7}$) denotes adding $10^{-4}$ (resp. $10^{-7}$) to the phase of a random rotation gate.



*Discussion.* For random circuits, Fig. 1 shows that the runtime of ECMC exhibits a clear correlation with the size of the circuits. While QCEC and QCEC (DD) are very fast for small circuits, for non-equivalent cases both of them are less scalable and reach the time limit much earlier than ECMC. For the equivalent cases, QCEC benefits from the ZX calculus and outperforms the other two methods. We suspect that QCEC (DD) shows poor performance when solving random circuits because these circuits do not contain the structure found in quantum algorithms, which decision diagrams can typically exploit.

When considering structural quantum circuits, the results vary between equivalent and non-equivalent instances. For equivalent instances, QCEC (DD) significantly surpasses ECMC on Grover, QFT and QNN, primarily due to the decision diagram-based method's proficiency in handling circuits featuring repeated structures and oracles. For those circuits featuring a large number of rotation gates with various rotation angles, like graphstate and wstate, however, ECMC demonstrates clear advantages. Moreover, the default QCEC is much faster than QCEC (DD) in all cases, while it reports "no information" for many cases because the ZX-calculus method and the decision-diagram method give different answers.

For non-equivalent instances, since ECMC can terminate as soon as a single one of the $2n$ WMC calls returns a negative result, it performs better than when checking equivalence. For example, in the case of QPE, where both tools hit the time limit when checking equivalent instances, ECMC can efficiently demonstrate non-equivalence and resolve the majority of cases within the time limit, while both QCEC and QCEC (DD) still time out on most instances.

In all instances, ECMC outperforms both QCEC and QCEC (DD) on graphstate and wstate, each featuring many rotation gates. When dealing with rotation gates, decision diagrams might suffer from numerical instability [39,41], as can be clearly observed in Table 6 for the instances with phase-shift errors, where both QCEC and QCEC (DD) get wrong results for many benchmarks. In contrast, the WMC approach—also numerical in nature—iteratively computes a sum of products, which we think avoids numerical instability. Table 6 also demonstrates this point, as ECMC yields the correct answer for most benchmarks with $10^{-4}$- and $10^{-7}$-size errors. In contrast, the default QCEC gives no answer for a large number of cases.

#### **6 Related Work**

Bauer et al. [3] verify quantum programs by encoding the verification problem in SMT, using an undecidable theory of nonlinear real arithmetic with trigonometric expressions. An SMT theory for quantum computing was proposed in [11]. Berent et al. [4] realize a Clifford circuit simulator and equivalence checker based on a SAT encoding. The equivalence checker was superseded by the deterministic polynomial-time algorithm proposed and implemented in [52]. Using weighted model counting, universal quantum circuit simulation is realized in [34], which we extend by providing encodings for the CZ and Toffoli gates and which we apply to circuit equivalence checking according to the approach of [52]. Amy [2] uses path integrals to check equivalence of circuits, which is complete for Clifford circuits and can prove equivalence of Clifford+T and Clifford+R circuits.

Yu and Palsberg [62] use an abstract interpretation to simulate quantum circuits. Abstraqt [5] improves upon this by using the stabilizer basis. SAT solvers have proven successful in quantum compilation [53], e.g., for reversible simulation of circuits [58] and optimizing space requirements of quantum circuits [36,45].

The ZX calculus [12] offers a diagrammatic approach to manipulate and analyze quantum circuits. A circuit is almost trivially expressible as a diagram, but the diagram language is more powerful and circuit extraction is consequently #P-complete [15]. It has proven enormously successful in applications from equivalence checking [41,42] to circuit optimization [28] and simulation [29].

Decision diagrams [37] have been used for simulating quantum circuits, checking their equivalence [8] and synthesis [64]. Jimenez et al. use bisimulation for circuit reduction, reducing simulation time compared to DDs in some cases [26].

# **7 Conclusions**

We have shown that circuit equivalence checking reduces to weighted model counting: considering quantum states in the Pauli basis allows for an efficient reduction of the equivalence checking problem to weighted model counting. We extended a linear-length encoding with the three-qubit Toffoli gate, so that the most common non-Clifford gates are supported (the T, phase shift and rotation gates were already supported previously).

Given two $n$-qubit quantum circuits, their equivalence (up to global phase) can be decided by $2n$ calls to a weighted model counter, each with an encoding that is linear in the circuit size. Our open source implementation demonstrates that this technique is competitive with state-of-the-art methods based on a combination of decision diagrams and the ZX calculus. This result demonstrates that the strength of classical reasoning tools can transfer to the realm of quantum computing, despite the general 'quantum-hardness' of these problems. In future work, we plan to extract diagnostics for non-equivalent circuits from the satisfying assignments of the model counter.

# **References**


14216, pp. 199–216. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-45332-8_10


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Author Index**

#### **A**

Acclavio, Matteo II-216 Amrollahi, Daneshvar I-154 Arrial, Victor II-338 Avigad, Jeremy I-3 Ayala-Rincón, Mauricio II-317

#### **B**

Baader, Franz II-279 Balbiani, Philippe II-78 Barragán, Andrés Felipe González II-317 Barrett, Clark I-458 Bártek, Filip I-194 Berg, Jeremias I-396 Bhayat, Ahmed I-75 Biere, Armin I-284 Bonsangue, Marcello II-401 Bozec, Tanguy II-157 Bromberger, Martin I-133 Brown, Chad E. I-86 Bruni, Alessandro II-61

#### **C**

Cerna, David M. II-317 Chassot, Samuel I-304 Chvalovský, Karel I-194 Ciabattoni, Agata II-176 Coopmans, Tim II-401

#### **D**

Das, Anupam II-237 De Lon, Adrian I-105 De, Abhishek II-237 Dixon, Clare II-3

#### **E**

Ehling, Georg II-381 Einarsdóttir, Sólrún Halla I-214

#### **F**

Férée, Hugo II-43 Fernández Gil, Oliver II-279 Ferrari, Mauro II-24 Fiorentini, Camillo II-24 Frohn, Florian I-344 Froleyks, Nils I-284 Fruzsa, Krisztina II-114

#### **G**

Gao, Han II-78 Garcia, Ronald I-419 Ge, Rui I-419 Gencer, Çiğdem II-78 Ghilardi, Silvio I-265 Giesl, Jürgen I-233, I-344, II-360 Giessen, Iris van der II-43 Gool, Sam van II-43 Graham-Lengrand, Stéphane I-386 Guerrieri, Giulio II-338

#### **H**

Hader, Thomas I-386 Hajdu, Márton I-21, I-115, I-154, I-214 Heisinger, Maximilian I-315, I-325 Heisinger, Simone I-315, I-325 Heljanko, Keijo I-284 Heuer, Jan I-172 Hozzová, Petra I-21, I-154 Hustadt, Ullrich II-3

#### **I**

Ihalainen, Hannes I-396 Irfan, Ahmed I-386

#### **J**

Järvisalo, Matti I-396 Johansson, Moa I-214

© The Editor(s) (if applicable) and The Author(s) 2024 C. Benzmüller et al. (Eds.): IJCAR 2024, LNAI 14740, pp. 423–424, 2024. https://doi.org/10.1007/978-3-031-63501-4


#### **K**

Kaliszyk, Cezary I-86 Kassing, Jan-Christoph II-360 Kaufmann, Daniela I-386 Kesner, Delia II-338 Khalid, Zain I-53 Kotthoff, Lars I-53 Kovács, Laura I-21, I-115, I-154, I-386 Kozen, Dexter II-257 Krasnopol, Florent I-133 Kunčak, Viktor I-304 Kutsia, Temur II-317, II-381 Kuznets, Roman II-114

#### **L**

Laarman, Alfons II-401 Lammich, Peter I-439 Lommen, Nils I-233

#### **M**

Mei, Jingyi II-401 Meyer, Éléanore I-233 Middeldorp, Aart II-298 Mitterwallner, Fabian II-298 Möhle, Sibylle I-133 Myreen, Magnus O. I-396

#### **N**

Nalon, Cláudia II-3, II-97 Niederhauser, Johannes I-86 Nordström, Jakob I-396

#### **O**

Oertel, Andy I-396 Olivetti, Nicola II-78

#### **P**

Papacchini, Fabio II-3 Pattinson, Dirk II-97 Peltier, Nicolas II-157 Perrault, C. Raymond I-53 Petitjean, Quentin II-157 Platzer, André II-196

Poidomani, Lia M. I-265 Pommellet, Adrien I-366 Prebet, Enguerrand II-196

#### **R**

Rawson, Michael I-115 Rebola-Pardo, Adrian I-325 Ritter, Eike II-61 Rooduijn, Jan II-257 Ruess, Harald II-137

#### **S**

Scatton, Simon I-366 Schmid, Ulrich II-114 Schöpf, Jonas II-298 Schürmann, Carsten II-61 Seidl, Martina I-315, I-325 Shillito, Ian II-43 Sighireanu, Mihaela II-157 Silva, Alexandra II-257 Smallbone, Nicholas I-214 Stan, Daniel I-366 Suda, Martin I-75, I-194, I-214 Summers, Alexander J. I-419 Sutcliffe, Geoff I-30, I-53 Suttner, Christian I-53

#### **T**

Tan, Yong Kiam I-396 Tesi, Matteo II-176 Tinelli, Cesare I-458 Tsiskaridze, Nestan I-458

#### **V**

van Ditmarsch, Hans II-114 Vartanyan, Grigory II-360 Voronkov, Andrei I-21, I-115, I-154

#### **W**

Wagner, Eva Maria I-154 Waldmann, Uwe I-244 Weidenbach, Christoph I-133 Wernhard, Christoph I-172

#### **Y**

Yu, Emily I-284