nottingham · ii contents 1 introduction 1 2 background in modal logic and guarded fragments 6 2.1...

Modal Logics with Existential Modality,

Finite-iteration Modality, and Intuitionistic

Base: Decidability and Completeness

by Dmitry Shkatov, BSc

Thesis submitted to The University of Nottingham

for the degree of Doctor of Philosophy, September 2005

ii

Contents

1 Introduction 1

2 Background in modal logic and guarded fragments 62.1 Modal logic and first-order logic 62.2 Modal logic vs. first-order logic 162.3 First-order guarded logics 232.4 Higher-order guarded logics 38

3 Intuitionistic modal logic 423.1 Introduction 423.2 Two-variable monadic guarded fragment 443.3 Closure conditions 443.4 Intuitionistic modal logics 503.5 Embedding into two-variable monadic fragment 533.6 Decidability 543.7 Examples 55

4 Logics with Segerberg operator 584.1 Language 604.2 Normal logics 614.3 Logic Seg 724.4 Extensions of Seg 77

5 Logics with existential modality 825.1 Logics K#and DK# 835.2 Logic PDLpath 97

6 Conclusion 115

References 119

Abstract

This thesis investigates some modal logics that have been found to be useful in mod-

elling computational phenomena and, therefore, of interest to theoretical computer

science—namely, modal intuitionistic logics, logics with finite-iteration modality, and

logics with existential modality. We prove a number of new general results concern-

ing these logics. In particular, in chapter 3, we prove a general decidability result for

intuitionistic modal logics through embedding them into the two-variable monadic

second-order guarded fragment GF 2mon with certain conditions imposed on relations

occurring in GF 2mon-formulas. In chapter 4, we prove the analogue of Makinson theo-

rem for logics with finite-iteration modality, that is that every consistent logic in this

language is either a sublogic of the logic of a Kripke frame containing a single reflexive

point or a sublogic of the logic of a Kripke frame containing a single irreflexive point;

the by-product of the theorem is the decidability of the problem of consistency for ef-

fectively finitely axiomatizable logics with finite-iteration modality. In chapter 5, we

prove completeness of Hilbert-style axiomatizations of three logics whose language

contains an existential modality 〈#〉: the minimal normal logic with 〈#〉, K#; its

deterministic extension DK#; and the logic that is CPDL (converse PDL) with a

single nominal and 〈#〉 (this logic is known from the literature as PDLpath). Apart

from the presentation of the above-mentioned results, the thesis contains, in chapter

2, an overview of background material on modal logics and guarded fragments; this

overview can also be read as a concise survey of the field of guarded fragments.

iii

Acknowledgments

First and foremost, I am deeply indebted and profoundly grateful to my supervisor,

Natasha Alechina. Without her valuable help and support this thesis would not have

been written.

I am also grateful to my teachers at the Moscow State University Vyacheslav

Bocharov, Vladimir Markin, and Dmitry Zaitsev, who introduced me to logic and

kindled my interest in the subject.

I am profoundly grateful to Thorsten Altenkirch, Alexander Chagrov, Oleg Grig-

oriev, Roman Kontchakov, Andrei Sobolev, and Vladimir Litvinchook, who helped

me to retain my sanity over the time it took to write this thesis.

My debt and gratitude are also due to EPSRC for their financial support (grant

GR/M98050/01).

Last, but by no means least, I am deeply grateful to my parents for their support

and patience. This thesis dedicated to them.

Thank you!

iv

To my parents

v

1

Chapter 1

Introduction

This thesis is devoted to some modal logics of interest to theoretical computer science.

Although modal logic is a very well established and developed area and “standard”

modal logics have been thoroughly investigated, as can be seen from a comprehensive

monograph on the subject by A. Chagrov and M. Zakharyaschev [CZ97], the needs

of computer science often force us to consider logics with modalities that have not

yet been in the limelight of modal logicians, who have been primarily motivated

by philosophical or mathematical considerations. Quite often, computer scientists

come across computational phenomena that can be usefully modelled using modal

languages, but require modalities or structures that have not been previously studied.

In the present thesis, we consider, from different perspectives, some of the modal

logics that has arisen in various (sometimes, more than one) areas of theoretical

computer science and that has not yet been comprehensively studied: various flavours

of intuitionistic modal logics, logics with a finite iteration modality ♦∗ , and logics with

a wildcard modality 〈#〉 .

The first class of logics that we consider in this thesis is intuitionistic modal

logics— modal logics whose “underlying” logic, that is the logic of non-modal con-

nectives, is intuitionistic. Intuitionistic modal logic has recently come to the attention

of computer scientists because it can be used to model various computational phe-

nomena. In particular, a considerable interest in intuitionistic modal logic has been

generated by the work of Moggi [Mog91] on typed λ-calculus with monads. The

correspondence between typed λ-calculus and basic intuitionistic logic through the

1. introduction 2

so-called Curry-Howard isomorphism mapping λ-terms into formulas of intuitionistic

logic is very well-known. This makes intuitionistic logic a useful reasoning tool in

the field of formal semantics for functional programming languages, which is usually

constructed in terms of typed λ-calculus. Moggi augmented typed λ-calculus with

an additional construct, a monad, to model various effects in functional program-

ming languages (such as the raising of exceptions). It turned out that monads can be

logically modelled as S4-type modalities, which created a considerable interest in intu-

itionistic S4 modal logic, its proof theory, as well as its categorical and Kripke-style se-

mantics (see, for example, [BdP00], [BBdP98], [GL96], [Kob97], [Pit90], [AMdPR01],

[DP96], [DP01], [PD01]). Other applications of intuitionistic modal logic to mod-

elling computational phenomena include modelling incomplete information [Wij90],

communicating systems [Sti87], and hardware verification [Men91, FM97].

Considerations arising in different application areas led to a variety of strains

of intuitionistic modal logics, with different definitions of modalities, which stands in

sharp contrast to classical modal logic, where everybody agrees on how the modalities

should be defined. This makes it problematic to prove sufficiently general results

about intuitionistic modal logics. In particular, it makes it difficult to come up with

a sufficiently general method of proving decidability of intuitionistic modal logics.

So far, the only general method offered is that by F. Wolter and M. Zakharyaschev

(see [WZ99a], [WZ97], [WZ99b]) of embedding an intuitionistic modal logic with n

modalities into a classical modal logic with n+ 1 modalities. Their method, although

extremely powerful, has its limitations: it can be used to prove decidability of only

those intuitionistic modal logics for which the corresponding classical logic is known

to be decidable. In the third chapter of the thesis, which is based on a joint paper

with N. Alechina [AS05], we describe a general method for proving decidability of

intuitionistic modal logics based on embedding them into a monadic two-variable

fragment of first-order logic. We then obtain decidability results by generalising

the result of [GMV99] that a monadic two-variable fragment of first order logic,

where guard relations satisfy conditions that can be expressed as monadic second-

order definable closure constraints, is decidable and by showing that many of the

conditions imposed on accessibility relations in modal intuitionistic Kripke models

1. introduction 3

can be expressed as monadic second-order definable closure constraints. Our method,

needless to say, also has its limitations. In particular, it does not give a very good

decision procedure for intuitionistic modal logics, since it proceeds by reduction to

satisfiability of formulas of SkS (monadic second-order theory of trees with constant

branching factor k, [Rab69]), which is non-elementary. It does, however, provide a

rather simple way to establish decidability, before looking for a decision procedure

tailored for a particular logic.

The second class of modal logics that we consider in this thesis is logics with a

finite iteration modality ♦∗ . Our approach to logics with ♦∗ is different from that

adopted in our consideration of intuitionistic modal logics. While in the third chapter

of the thesis we consider intuitionistic modal logics defined semantically, in the fourth

chapter, we study logics with ♦∗ as a class of syntactically defined (normal modal)

logics and prove some results applicable to all members of this class, the minimal

member of which we call Seg.

The study of the extensions of Seg is of interest to theoretical computer science

because the modality ♦∗ can be used to model a wide variety of computational phe-

nomena. First, it can be used to model iteration in logics of programs (see [Pra76]).

The most well-known logic of programs, PDL (Propositional Dynamic Logic), uses

it in this way. The language of PDL has two kinds of primitive symbols: proposi-

tional parameters and atomic transitions. Atomic transitions are used to label edges

in transition systems, which usually serve as formal models of program execution.

Compound transitions of PDL are built out of the atomic ones using binary operators

◦ (composition), ∪ (union) and a unary operator ∗ (finite iteration). Although PDL

and its variants are well studied, there is no systematic study of what happens when

we add PDL-style modalities to arbitrary monomodal logics.

The en masse approach to program logics—that is the study of classes of pro-

gram logics, rather than individual logics, in the way monomodal logics are stud-

ied in [CZ97] and temporal logics are studied in a series of papers by F. Wolter

(see [Wol97b], [Wol97a], [Wol96a], [Wol96b], [Wol95])—would broaden our under-

standing of logical properties of program execution in settings where we want to

stipulate some additional properties for execution of programs. As the task of study-

1. introduction 4

ing program logics en masse sounds formidable, a useful attempt in that direction

would be an en masse study of logics with at least some of the modalities of the

language of PDL. We single out ♦∗ for such a study because it is, undoubtedly, the

most interesting of the modalities of the language of PDL.

Formal modelling of program execution is not the only area where logics with

a finite iteration modality crop up. Another area where it features prominently is

formal modelling of knowledge in multi-agent systems, where it is used to model the

so-called common knowledge (see, for example, [FHV95]).

The third group of logics we consider in the present thesis is logics with a wild-

card, or existential, modality 〈#〉 . This modality has been introduced in [AdRD03]

to reason about path constrains in query languages for semistructured data. The idea

of semistructured data has emerged out of the attempt to extend the well-developed

techniques of database theory to deal with data that is not completely unstructured

but is not as rigidly structured as databases, the prime example and the primary moti-

vation for the study of semistructured data being the world-wide-web (see [ABS00]).

Various query languages have been devised for querying semistructured data. A

prominent feature of these languages is the ability to formulate path constraints, that

is conditions on paths in an edge-labelled graphs that usually serve as formal models

of semistructured data. In [AdRD03] logic PDLpath has been proposed whose language

is rich enough for the usual path constrains of query languages for semistructured data

to be embedded into the language of PDLpath. The modality 〈#〉 has arisen since

quite often the path constrains state that a node in an edge-labelled graph should be

reachable by some edge (thinking about the application to the word-wide web, one

may want to state that there should be a link from a researcher’s page to their publi-

cations, but it may be irrelevant how this link is labelled: “Publications,” “Research,”

“Papers,” or something else). In [AdRD03], PDLpath has been presented semantically.

In the final chapter of the thesis we provide a Hilbert-style axiomatisation of PDLpath

and prove its completeness. As a warm-up to the completeness proof for PDLpath,

we prove completeness of logic K#, which is a basic multimodal logic extended with

modality 〈#〉 , and of logic DK#, which is obtained from K# by adding the axiom

of determinism.

1. introduction 5

In parts of the thesis, notably in the chapter on intuitionistic modal logics, we

prove decidability results by embedding various modal logics into (decidable) guarded

fragments of first-order or higher-order logics. Guarded fragments emerged out of

the realisation that modal and first-order languages can be viewed as alternative

languages for talking about relational structures and that, therefore, modal logic

can be viewed as a fragment of first-order logic, not as an alternative extension of

propositional logic, as it had been traditionally conceived. That, in turn, led to the

desire to extend as far as possible the “modal fragment” of first-order logic to obtain

a bigger fragment that would retain all the nice properties of the modal one, most

notably decidability. This resulted into the discovery of the guarded fragment of

the first-order logic ( [AvBN98]), which extends the what might be called the basic

modal fragment of first-order logic, that is the fragment equivalent to modal logics

with ♦-type modalities. The consideration of modal languages not embeddable into

the guarded fragment (such as logics with “until” modality) resulted in discovery of

richer guarded fragments, including guarded fragments of logics that are richer than

first-order logic, notably the guarded fragment with the least fixed point operator.

Guarded fragments are, thus, generalisations of various modal logics and can be

viewed as “the biggest modal logics.” Among other things, the embeddability of a

logic into a guarded fragment can be used as a test of whether the logic in question

can be viewed as a modal logic, or a logic with modal flavour.

The present thesis is structured as follows. In chapter 2, we present background

on modal logics and guarded fragment of first-order and some higher-order logics. In

chapter 3, which is based on the paper [AS05], we present a general decidability result

for intuitionistic modal logics. In chapter 4, we consider logics with a finite-iteration

modality and prove some general results concerning these logics. Finally, in chapter

5, we present complete Hilbert-style axiomatisations of logic PDLpath as well as two

closely related logics, K# and DK#.

6

Chapter 2

Background in modal logic and guarded

fragments

The purpose of this chapter is two-fold. First, it is intended to provide background

information on propositional modal logic and guarded fragments of first-order and

some higher-order logics that we will rely on in the subsequent chapters of the thesis.

Secondly, the current chapter attempts to provide an accessible presentation of the

ideas that led to the emergence of the field of guarded logics and a concise overview of

its main results. Whenever, in this chapter, we do not attribute a result to anybody,

it means that it is a standard modal logic result.

The chapter is structured as follows. In section 2.1, we introduce propositional

modal and classical first-order logic. Then, in section 2.2, we describe the outlook

on the relationship between the two logics that led to the ideas that gave birth to

guarded logics. Finally, section 2.3 contains the overview of the field of guarded logics.

2.1 Modal logic and first-order logic

2.1.1 Propositional modal logic

Although nowadays propositional modal logic is most extensively investigated by com-

puter scientists, it was devised by traditional logicians, scholars concerned with the

rules of correct reasoning. At its conception, propositional modal logic was thought

of as an extension of classical propositional logic, or simply the propositional logic

2. background in modal logic and guarded fragments 7

(PL for short), with the capability to reason about possibility and necessity.

From the traditional logician’s vantage point, PL is a logic for reasoning about

facts, and its machinery can justify inferences like this:

If John loves Mary but does not love Gill, then Mary loves him. Marydoes not love John. Hence, either John does not love Mary or he lovesGill.

The language of PL, the propositional language, contains an infinite stock of propo-

sitional parameters (denoted as p1, p2, . . .), which stand for atomic propositions ex-

pressing simple facts, like “John loves Mary” or “John loves Gill”, and connectives,

used to combine atomic propositions into compound ones, like “Either John does

not love Mary or he loves Gill”. The sufficient supply of connectives consists of ¬

(“not”) and ∨ (“or”). Thus, formulas of the propositional language are defined by

the following BNF expression:

ϕ := p | ¬ϕ | ϕ1 ∨ ϕ2

where p ranges over propositional parameters. For convenience, one also usually takes

aboard connectives ∧ (“and”) and → (“if . . . , then . . . ”), defining ϕ∧ψ as ¬(¬ϕ∨¬ψ)

and ϕ→ ψ as ¬ϕ ∨ ψ.

It is at times inconvenient to drag along an infinite stock of propositional param-

eters. It is, therefore, expedient to dispense with the idea of a single language for

PL, fit for all intents and purposes, and think instead of a multiplicity of proposi-

tional languages differing in their supplies of propositional parameters. This may be

likened to different dialects coexisting within the English language: “the language of

mathematicians” is similar to “the language of linguists” in its grammatical structure,

but different in the vocabulary used. Likewise, all propositional languages have the

same “grammatical structure” (connectives ¬ and ∨) in common, but differ in their

“vocabulary,” their supply of propositional parameters. Drawing on this analogy, we

call the set of propositional parameters of a propositional language its vocabulary ;

this set is usually denoted by Φ = {p1, p2, . . .}. Formulas of a propositional language

over vocabulary Φ are defined by the above BNF expression with the added proviso

that p ranges over propositional parameters in Φ.


Propositional modal logic was intended by it creators to expand the capability

of PL by providing the means for reasoning not just about facts that either are or

not are the case, but also about facts that might be (“possibility”), or have to be

(“necessity”), so. Thus, modal logic should be able to justify inferences like this:

The loss in the war may imply the separation of the country. This countrymight lose the war; hence, its separation is not impossible.

The very least that is required to achieve this end is to enrich propositional languages

with a unary connective ♦ (“it is possible that . . . ”). We could also introduce a

connective for “it is necessary that . . . ”, though this is not needed: as we will shortly

see, we can express the idea of necessity using ♦. The modal logic with connectives

¬, ∨, and ♦ is a basic modal logic (ML for short). A language of basic modal logic

over vocabulary Φ will be denoted by MLΦ.

Definition 2.1 Formulas of the modal language MLΦ over vocabulary Φ are defined

by the following BNF expression:

ϕ := p | ¬ϕ | ϕ1 ∨ ϕ2 | ♦ϕ

where p ranges over members of Φ. a

Thus, ¬p1 ∨ p2, ♦p1 ∨ ♦♦p1, and ¬(♦¬p3 ∨ ¬♦p4) are formulas of MLΦ provided

p1, p2, p3, p4 ∈ Φ. We will use lowercase Greek letters from near the end of the

alphabet, like ϕ and ψ, to stand for formulas.

To enhance readability of formulas, we adopt the above mentioned conventions

concerning ∧ and →, and also define �ϕ as ¬♦¬ϕ. Upon these conventions, �p1 → p1

and �(p1 ∧ p2) are shorthands for ¬(¬♦¬p1 ∨ p1) and ¬♦¬¬(¬p1 ∨¬p2), respectively.

To avoid tedium, we will sometimes say that �p1 → p1 and �(p1 ∧ p2) are formulas,

though in formal definitions only eligible formulas count as such.

To further enhance readability, we will use letters p, q, r, . . . to refer to arbitrary

(“particular, but unspecified,” as is usually said) members of Φ.

The semantics of MLΦ, due to Saul Kripke (and so frequently referred to as

Kripke, or Kripke-style, semantics), hinges on the idea of possibility as truth in a


possible world: ♦ϕ is true in world w if there exists world v that is possible with

respect to w where ϕ is true. Thus, to evaluate formulas of MLΦ, we need a non-

empty set of possible words W , a binary “relative possibility”, or “accessibility”,

relation R on W , and a valuation V telling which propositional parameters are true

at which possible worlds1.

Definition 2.2 A model for MLΦ, or an MLΦ-model, is a tuple M

= (W,R, V ) such that

1. W 6= ∅;

2. R ⊆ W ×W ;

3. V is a function from Φ into 2W . a

Intuitively, V (p) is a set of worlds where p is true (2W denotes the power-set of

W )2. The truth of MLΦ-formulas in a model is defined with respect to a possible

world (we will write M, w ϕ to mean that ϕ is true in model M at world w).

Definition 2.3 Let M = (W,R, V ) be an MLΦ-model, w ∈ W , and ϕ and ψ be

arbitrary MLΦ-formulas. Then,

M, w p iff w ∈ V (p);

M, w ¬ϕ iff M, w 1 ϕ;

M, w ϕ ∨ ψ iff M, w ϕ or M, w ψ;

M, w ♦ϕ iff ∃v ∈ W (wRv and M, v ϕ). a

Thus, the value of a propositional parameter at a world is entirely determined

by V ; connectives ¬ and ∨ have the same meaning as in PL; and the meaning of ♦

follows the above-explicated idea of possibility as truth is a possible world.

We also define the truth of a formula in a model (irrespective of a world) as truth

in all worlds of the model.1In applications, in particular in different areas of computer science, where Kripke structures are

treated as formal models of different phenomena of interest in those particular areas, worlds areusually abstractly referred to as “points.” We will use this terminology in the subsequent parts ofthe thesis

2Alternatively, V can be defined as a function with two arguments, p ∈ Φ and w ∈ W , and theset of values {true, false}.


Definition 2.4 Let M = (W,R, V ) be an MLΦ-model. An MLΦ-formula ϕ is true

in M (in symbols, M ϕ), if M, w ϕ for all w ∈ W . a

The basic propositional modal logic described thus far is usually referred to as

monomodal since it has only one independent (that is, not definable in terms of

the other modalities) modality. It can be slightly extended by considering several

♦-like modalities instead of one. Indeed, we might think of several distinct possi-

bilities, for example, physical (“it is physically viable that...”), epistemological (“it

does not contradict our knowledge that...”), and logical (“it is doesn’t contradict

logic that...”) possibilities. Such extension is easy to accommodate within the modal

logic framework. Instead of just one modality, ♦, we introduce into the language a

stock of modalities indexed by, say, natural numbers: 〈1〉 , . . . , 〈n〉 , . . .. Languages

with several ♦-like modalities are called multimodal. As with propositional parame-

ters, different languages may have varying repertoire of modalities; therefore, in the

context of multimodal languages, the vocabulary of a language consists of a stock of

propositional parameters Φ and a non-empty (otherwise, we simply get PL) set of

modality indices I. A multimodal language over vocabulary Φ and I is denoted by

MMLIΦ.

Definition 2.5 Formulas of the multimodal language MMLΦ over vocabulary Φ are

defined by the following BNF expression:

ϕ := p | ¬ϕ | ϕ1 ∨ ϕ2 | 〈i〉ϕ

where p ranges over propositional parameters of Φ, and i ranges over modality indices

of I. a

Thus, 〈1〉 p1∨〈2〉〈3〉 p1 and 〈2〉 (〈1〉 ¬p3∨¬〈1〉 p4) are formulas of MMLΦ provided

p1, p2, p3, p4 ∈ Φ and 1, 2, 3 ∈ I.

As in the basic modal case, we define [ i ]ϕ as ¬〈i〉 ¬ϕ. Thus, we use [ 1 ] p1 → p1

and [ 2 ] (p1 ∧ [ 3 ] p2) as shorthands for ¬(¬〈1〉 ¬p1 ∨ p1) and ¬♦¬¬(¬p1 ∨¬¬〈3〉 ¬p2),

respectively.


As before, we will use p, q, r, . . . to denote arbitrary propositional parameters.

Moreover, we will use letters a, b, c, . . . to refer to arbitrary modality indices. Thus,

we can write 〈a〉 p ∨ 〈b〉〈c〉 p and [ a ] p→ p.

To provide a multimodal language MMLIΦ with semantics, we need, instead of a

single relation R on W , a family of “accessibility relations” corresponding to indices

in I.

Definition 2.6 A model for MMLIΦ, or an MMLIΦ-model, is a tuple M

= (W, {Ri}i∈I , V ) such that

1. W 6= ∅;

2. Ri ⊆ W ×W ;


Relation Ri is used to evaluate formulas of the form 〈i〉ϕ. Thus, the evaluation

of multimodal formulas differs from the evaluation of monomodal formulas only in

that, instead of the clause

M, w ♦ϕ iff ∃v ∈ W (wRv and M, v ϕ),

we stipulate the clause

M, w 〈i〉ϕ iff ∃v ∈ W (wRiv and M, v ϕ).

It is easy to notice that monomodal logic can be viewed as a multimodal logic

with a single modal index. To make monomodal logic a special case of multimodal,

we can adopt a convention that if the only modal index of a multimodal language is

1, we write ♦ instead of 〈1〉 .

2.1.2 First-order logic

Like propositional modal logic, first-order logic (FO)—yet another child of traditional

logicians—can be conceived of as an extension of the propositional logic with the

capability to reason not only about facts, but also about individuals that participate

in the situations giving rise to facts. The typical example of first-order reasoning is:


Some New-Yorkers love this film. New-Yorkers are Americans; hence,some Americans love this film.

To refer to arbitrary, unspecified individuals, first-order languages contain an in-

finite stock of individual variables, denoted as v1, v2, . . .. Thus, a variable vi may be

read as “an individual number i”.

The crucial idea behind first-order logic is that for individuals “to participate in

situations” means to stand in some relation to other individuals; thus, the way the

individuals v1 and v2 partake in the situation expressed by the utterance “v1 loves

v2” is that they stand in the two-place relation “loves”. A special case of a relation

is a property (a one-place relation): v1 partakes in the situation “v1 is a crook” by

possessing property “is a crook”. To name relations (sometimes also referred to as

predicates), first-order languages contain predicate parameters. Relations, and hence

predicate parameters, are of different arities, an arity of a relation being a number

of individuals that can stand in the relation (thus, the arity of relation “loves” is 2).

Predicate parameters of arity n are denoted by P n1 , P n

2 , P n3 , . . . . To indicate that v1

and v2 stand in relation whose name is P 21 , we write P 2

1 (v1, v2), or even P1(v1, v2),

since the arity of P1 is clear from the number of variables enclosed in parentheses.

It is also convenient to include into first-order languages the binary predicate

constant =, equality. By custom, we write v1 = v2 instead of = (v1, v2).

Expressions such as P1(v1, v2) are not sentences since their truth value can not

be determined without supplying the value of variables. Variables are akin to such

English expressions as “this” and “that”. The truth or otherwise of the utterance “He

loves her” can not be determined without specifying what “he’ and “her” refer to.

Likewise, the truth value of P1(v1, v2) is indeterminate; however, on the assumption

that P1 stands for “loves”, once we know that v1 refers to, say John, and v2 refers to,

say, Mary, we are able to tell whether or not P1(v1, v2) is true.

As in the propositional logic, we can combine expressions like P1(v1, v2) and P3(v1)

with propositional connectives, building more complex expressions like ¬P1(v1, v2) ∨

P3(v1). Furthermore, first-order languages contain an existential quantifier, ∃ (“there

exists”), so that we can build such expressions as ∃v1P3(v1), “there exists an individ-

ual that possesses property P3”. We can, of course, use both propositional connectives


and an existential quantifier to build expressions such as ∃v1¬∃v2P1(v1, v2); assum-

ing that P1 stands for “loves”, the last expression means “somebody does not love

anybody”.

It is important to notice that the role of v1 and v2 in ∃v1¬∃v2P1(v1, v2) is dif-

ferent from their role in P1(v1, v2). In P1(v1, v2) they stand for arbitrary individuals

and are, thus, genuine variables. In ∃v1¬∃v2P1(v1, v2), on the other hand, they do

not stand for an unspecified object—they just indicate the scope of the quantifiers.

Namely, they ensure that we understand that the first quantifier refers to the first

component in the relation “loves” and the second quantifier to the second component

of the relation, thus preventing us from reading ∃v1¬∃v2P1(v1, v2) as “somebody is

not loved by anybody”. Therefore, from the point of view meaning, v1 and v2 in

∃v1¬∃v2P1(v1, v2) are not variables at all. It would be conceptually clearer to use

different kind of symbols while using quantification, but that would lead to many

technical inconveniences. Instead, we say that v1 and v2 in ∃v1¬∃v2P1(v1, v2) are

bound variables; in contrast, we say that v1 and v2 in P1(v1, v2) are free variables3.

Now we turn to the formal definition of first-order languages. While propositional

languages differ in their stocks of propositional parameters, first-order languages differ

in theirs collections of predicate parameters. Thus, in the first-order case vocabulary

will refer to the set Ψ of predicate parameters. First-order language over vocabulary

Ψ will be denoted by FOΨ.

Definition 2.7 Formulas of first-order language FOΨ over vocabulary Ψ are defined

by the following BNF expression:

ϕ := P (x1, . . . , xn) | x1 = x2 | ¬ϕ | ϕ1 ∨ ϕ2 | ∃xϕ

where P ranges over predicate parameters from Ψ of arity n, and x1, . . . , xn and x

range over individual variables. a

The superscripts of predicate parameters are always dropped in formulas, where

their arity is clear from the context. Thus, P1(v1) ∨ P2(v1), ∃v1∃v2P4(v1, v2, v4), and

3In fact, having two kinds of variables, bound and free, is like having two kinds of bachelors,married and single. Like the idea of a married bachelor, the idea of a bound variable may seemsomewhat odd. The reason for this apparent oddity is technical convenience


¬∃v1¬(¬P1(v1, v2) ∨ P2(v3)) are formulas of FOΨ provided that all predicate letters

mentioned are in Ψ.

To enhance readability of formulas, we adopt the previously used conventions

concerning ∧ and → and also define ∀viϕ as ¬∃vi¬ϕ. Thus, ∀v1(P1(v1, v2)

→ P2(v3)) is a shorthand for ¬∃v1¬(¬P1(v1, v2) ∨ P2(v3)).

To further enhance readability of formulas, we will use letters x, y, z, . . . (possibly

with subscripts) to denote arbitrary individual variables, and letters P , Q, R, . . . to

denote arbitrary predicate parameters. Thus, we can write ¬∃x¬(¬R(x, y) ∨ P (z)).

Every substring of a formula ϕ that is a formula in its own right is called a subfor-

mula of ϕ. Thus, subformulas of ∃y(P (x) ∨ ∃xR(x, y)) are P (x), R(x, y), ∃xR(x, y),

P (x) ∨ ∃xR(x, y), and ∃y(P (x) ∨ ∃xR(x, y)).

An appearance of an individual variable in a formula is referred to as its occurrence.

For example, x has three occurrences into ∃y(P (x) ∨ ∃xR(x, y)), while y has two.

Every occurrence of a variable in a formula is either bound or free. An occurrence

of variable x in formula ϕ is bound if this occurrence appears in a subformula of ϕ of

the form ∃xψ; otherwise, it is free. Thus, the second and the third occurrences of x

into ∃y(P (x)∨ ∃xR(x, y)) are bound, while the first is free. Both occurrences of y in

∃y(P (x)∨∃xR(x, y)) are bound. To cut back on verbiage, we will, somewhat sloppily,

talk about bound and free variables, not occurrences of variables. (Thus, speaking

of formula ∃y(P (x) ∨ ∃xR(x, y)), we might say that variable x is free in subformula

P (x), but bound in subformula ∃xR(x, y).)

To evaluate formulas of FOΨ, we need a set of individuals and an interpretation

of predicate parameters, telling what relation is referenced by what parameter.

Definition 2.8 A model for FOΨ, or a FOΨ-model is a tuple M = (W, I), where

1. W 6= ∅;

2. I is a function on Ψ such that I(P ni ) ⊆ W n, where W n is the n-th Cartesian

degree of W . a

Moreover, we need to know the value of variables. This job is done by assignments.


Definition 2.9 Let M = (W, I) be a FOΨ-model. Let Var be the set of individual

variables of FOΨ. An M-assignment is a function from Var into W . a

We will denote assignments with lowercase Greek letters from near the beginning of

the alphabet, like α and β.

Now we can evaluate FOΨ-formulas.

Definition 2.10 Let M = (W, I) be a FOΨ-model, let α be an M-assignment, and

let ϕ and ψ be arbitrary FOΨ-formulas. Then,

M, α P (x1, . . . , xn) iff (α(x1), . . . , α(xn)) ∈ I(P );

M, α x = y iff α(x) = α(y);

M, α ¬ϕ iff M, α 6 ϕ;

M, α ϕ ∨ ψ iff M, α ϕ or M, α ψ;

M, α ∃xϕ iff for some β 'x α, M, β ϕ.

In the last clause, β 'x α means that β is different form α no more than in the value

it assigns to x. a

Definition 2.11 Let M = (W, I) be a FOΨ-model and ϕ be a FOΨ-formula. ϕ is

satisfiable in M if, for some M-assignment α, M, α ϕ. ϕ is true in M if, for

every M-assignment α, M, α ϕ. a

Definition 2.12 A FOΨ-formula ϕ is satisfiable if it is true in some FOΨ-model.

A FOΨ-formula ϕ is valid if it is true in every FOΨ-model. a

Remark 2.13 Sometimes first-order languages are equipped, in addition to pred-

icate parameters, with individual and functional parameters, intended to stand for

designated individuals and functions, respectively. In the following parts of the thesis,

we will make a proviso whenever the first-order languages under consideration are not

meant to have any functional or individual symbols and, also, whenever we specifi-

cally need them. If neither of the above provisos is made, the presence or otherwise

of individual and functional parameters is immaterial.


2.2 Modal logic vs. first-order logic

From the traditional logician’s standpoint, ML and FO extend the propositional logic

in quite different directions. It is hardly surprising, then, that propositional modal

logic and first-order logic were for a long time considered distinct and unrelated

enterprises. All that changed when the relationship between ML and FO has been

looked at from the model-theoretic point of view.

Model-theoretic point of view is different from the traditional logician’s in the way

the relationship between the language and the structures interpreting the language

is perceived from them. For the traditional logician, the language comes first: the

primary subject matter of the traditional logic is correct reasoning, and, to make

the study of correct reasoning precise, structures are brought in to provide precise

semantics for the language in which the reasoning is conducted. For the model-

theoretician, on the other hand, structures come first: the properties of structures is

model theory’s primary subject matter, and the language is used only as a tool. Thus,

while the traditional logician asks “How I can use structures to clarify the meaning of

the language and thus to verify the correctness of reasoning?”, the model theoretician

asks “How I can use the language to better understand properties of structures?”.

If we look at the relationship between FO and ML model-theoretically, that is

from the point of view of the structures they are capable of describing, we notice that

the languages of both logics are interpreted on exactly the same kind of structures:

every Kripke model M = (W,R, V ) over Φ = {p1, . . . , pn, . . .} can be viewed as

a relational structure M = (W,R, V (p1), . . . , V (pn), . . .) with a single binary and a

collection of unary relations, and the same applies to first-order models (for languages

with the appropriate vocabulary), which can be viewed as structures M = (W, I(R),

I(P1), . . . , I(Pn), . . .).

Thus, both modal and first-order logic describe relational structures with unary

and binary relations, but they do so in different ways. FO uses unary predicate letters

to denote unary relations, and binary predicate letters to denote binary relations. ML

uses propositional parameters to denote unary relations, and modalities to talk about

binary relations.


2.2.1 Standard translation

When two languages are able to talk about the same kind of structures, it is natural

to ask which of the two languages is more powerful, that is which of the two can say

more things about the structures concerned. In this section, we will see that first-

order languages are at least as powerful as modal languages, since the formulas of the

latter can be translated into the formulas of the former using the so-called standard

translation, defined in [Ben83].

Under the standard translation, formulas of a modal language are translated into

formulas of a first-order language with one free variable, which intuitively stands for

the point at which a modal formula is evaluated in the Kripke model. All our defini-

tions pertain to monomodal, but can be easily extended to multimodal, languages.

Definition 2.14 A monomodal language MLΦ and a first-order language FOΨ are

counterparts if

• pi ∈ Φ iff Pi ∈ Ψ;

• Ψ contains a single binary predicate parameter R.

A Kripke model M = (W,R, V ) and a first-order model M′ = (W ′, I ′) for counter-

part languages MLΦ and FOΨ are counterparts if

• W ′ = W ;

• for every Pi ∈ Ψ, I ′(Pi) = V (pi);

• I ′(R) = R. a

Definition 2.15 Let MLΦ and FOΨ be counterpart languages. Define, by mutual

recursion, two functions, τx and τy, mapping formulas of MLΦ into formulas of FOΨ,

as follows. τx is defined by

• τx(pi) := Pi(x) for every pi ∈ Φ;

• τx(¬ϕ) := ¬τx(ϕ));


• τx(ϕ ∨ ψ) := τx(ϕ) ∨ τx(ψ);

• τx(♦ϕ) := ∃y(R(x, y) ∧ τy(ϕ))

τy is defined analogously, switching the roles of x and y. Finally, define the standard

translation of ϕ ∈ MLΦ to be τx(ϕ). a

In the above definition, two functions are used to keep the number of individual

variables used to the minimum.

It is clear that the standard translation clauses for the defined connectives should

look as follows:

• τx(ϕ ∧ ψ) := τx(ϕ) ∧ τx(ψ);

• τx(ϕ→ ψ) := τx(ϕ) → τx(ψ);

• τx(�ϕ) := ∀y(R(x, y) → τy(ϕ))

It is easy to prove the following theorem.

Theorem 2.16 Let ϕ be a formula of MLΦ, M = (W,R, V ), be a MLΦ-model,

and MFO be its counterpart first-order model. Then, for every w ∈ W , we have

M, w ϕ iff MFO, α τx(ϕ), where α(x) = w.

2.2.2 Bisimulations and bisimulation equivalence

Now that we know that first-order languages are at least as expressive as modal lan-

guages, it is time to ask: what about the other direction? Can everything that can be

said in a modal language be expressed in the counterpart first-order language? This

seems unlikely, but to prove this formally, we have to exactly pinpoint the source of

expressive power weakness of modal languages. To that end, we consider a number of

well-known model-theoretic constructions that preserve the truth of modal formulas,

that is the constructions that modal formulas “can not see.” We start with the most

intuitive, disjoint unions, and then, generalising the intuition underlying the forma-

tion of disjoint unions, proceed to the most general, bisimulations. Bisimulations


stretch the intuition at the base of disjoint unions as far as possible and thus tell

exactly what modal formulas can and can not see and, therefore, say.

Modal formulas are evaluated at a point in a model M, and in the process of

evaluation they can “see” only those other points of M that are accessible from them

by the relation R. Thus, if we added new points to M without connecting the points

that were previously in M to these new points , modal formulas could not detect the

addition of new points. This consideration gives rise to the following definition and

theorem.

Definition 2.17 (Disjoint unions) Let {Mi = (Wi,Ri, Vi)}i∈I be a set of MLΦ-

models such that, for every j, k ∈ I with j 6= k, Wj ∩ Wk = ∅. The disjoint union of

this set is a Φ-model⊎i∈I Mi = (W,R, V ), where (1) W =

⋃iWi; (2) R =

⋃iRi;

and (3) V (p) =⋃i Vi(p), for every p ∈ Φ. a

Theorem 2.18 Let⊎i∈I Mi = (W,R, V ) be a disjoint union of MLΦ-models {Mi =

(Wi,Ri, Vi)}i∈I and ϕ be an MLΦ formula. Then, for every Mi and every w ∈ Wi,

Mi, w ϕ iff⊎i∈I Mi, w ϕ.

Proof Straightforward induction on the complexity of ϕ. q.e.d.

Now, we can slightly generalise the intuition underlying the formation of disjoint

unions. Because modal formulas can see only “forward” along the relation R, they

fail to see not only the completely unconnected by R points that are being added to

(or removed from) the model, but also the points that can see them without being

themselves visible. This intuition gives rise to the construction known as generated

submodels.

Definition 2.19 (Submodels) Let M′ = (W ′,R′, V ′) be an MLΦ-model. A model

M = (W,R, V ) is said to be a submodel of M′, if (1) W ⊆ W ′; (2) R = W ∩ R′;

and (3) for every p ∈ Φ, V (p) = V ′(p) ∩ W . a

Definition 2.20 (Generated submodels) Let M′ = (W ′,R′, V ′) be an MLΦ-

model. A model M = (W,R, V ) is said to be a generated submodel of M′, if (1)

M is a submodel of M′; and (2) if w ∈ W and wRv, then v ∈ W . a


Theorem 2.21 Let M = (W,R, V ) be a generated submodel of an MLΦ-model

M′ = (W ′,R′, V ′) and ϕ be an MLΦ formula. Then, for every w ∈ W , we have

M, w ϕ iff M′, w ϕ.


We can generalise still further. A generated submodel M is part of its “super-

model” M′. We can generalise the intuition underlying the formation of generated

submodels to two distinct models, M and M′, one of which, M, “looks like” a gen-

erated submodel of M′. As usual in mathematics, this “looks like” relation can be

formalised as a function f mapping points of M to points of M′. Intuitively, f(w)

is the point of M′, a look-alike of w ∈ M, that belongs to a “virtual generated sub-

model” of M′ that looks like M . What conditions should such a function satisfy?

First, since f(w) is a look-alike of w, they should satisfy the same propositional pa-

rameters. Secondly, in generated submodels R ⊆ R′, that is whenever we can take

a step along the accessibility relation of the first model, we can match it with a step

along the accessibility relation of the second; thus, we should stipulate that if wRv,

then f(w)R′f(v). Lastly, in generated submodels, if w belongs to the submodel and

wR′v, then v also belongs to the submodel; thus, we should stipulate that if w′ is

within the range of f , that is w′ = f(w), and w′R′v′, then v′ is within the range

of f , too, that is v′ = f(v), for some v. These considerations give us the following

definition.

Definition 2.22 (Bounded morphisms) Let M = (W,R, V ) and M′ = (W ′,R′, V ′)

be MLΦ-models. A function f : W →W ′ is said to be a bounded morphism from M

into M′ if the following holds:

1. w ∈ V (p) iff f(w) ∈ V ′(p), for every p ∈ Φ;

2. if wRv, then f(w)R′f(v)

3. if f(w)R′v′, then there exists v ∈ W such that wRv and f(v) = v ′. a


Theorem 2.23 Let f be a bounded morphism between MLPhi-models M = (W,R, V )

and M′ = (W ′,R′, V ′). Then, for every MLΦ-formula ϕ, M, w ϕ iff M′, f(w)

ϕ.


We can generalise yet still further. We said earlier that in mathematics the rela-

tion between structures is usually formalised as a function. This is because mostly

mathematicians study the structures that are algebras. Since Kripke models are re-

lational, not algebraic, structures, we can lift the requirement that the connection

between M and M′ in the definition of bounded morphisms should be a function.

This gives the following definition.

Definition 2.24 (Bisimulations) Let M = (W,R, V ) and M′ = (W ′,R′, V ′) be

MLΦ-models. A non-empty binary relation Z ⊆ W ×W ′ is said to be a bisimulation

between M and M′ if the following holds:

1. if wZw′, then w ∈ V (p) iff f(w) ∈ V ′(p), for every p ∈ Φ;

2. if wZw′ and wRv, then there exists v′ ∈ W ′ such that w′R′v′ and vZv′;

3. if wZw′ and w′Rv′, then there exists v ∈ W such that w′R′v′ and vZv′.

M and M′ are said to be bisimilar (in symbols, M � M′) if there exists a bisim-

ulation between them. w ∈ W and w′ ∈ W ′ are said to be bisimilar (in symbols,

M, w � M′, w′) if there exists a bisimulation between M and M′ such that wZw′.a

Conditions 2 and 3 of definition 2.24 are usually collectively referred to as the back-

and-forth conditions.

Theorem 2.25 Let M = (W,R, V ) and M′ = (W ′,R′, V ′) be two MLΦ-models

such that M, w � M′, w′. Then, for every MLΦ-formula ϕ, we have M, w ϕ iff

M′, w′ ϕ.



Remark 2.26 Theorem 2.25 is widely used in modal logic since many useful model

theoretic constructions turn out to be instances of bisimulation. In virtue of the-

orem 2.25, when we want to prove that a particular model-theoretic construction

preserves the truth of modal formulas, we can show that it is an instance of bisimula-

tion. Probably the best-known example of the use of this proof-technique is the proof

that every satisfiable modal formula is satisfiable in a tree-like Kripke model (see,

for example [BdRV01], Proposition 2.15). This proof involves the use of unravelling,

which happens to be an instance of bisimulations. Later on in the thesis, we will use

a modification of unravelling in one of our completeness proofs.

Theorem 2.25 reveals the expressive-power weakness of modal formulas: they do

not distinguish between bisimilar models. It is obvious, on the other hand, that

first-order formulas can tell apart models that are bisimilar.

Example 2.27 Consider the modal language with a single propositional parameter

p and its counterpart first-order language. Let M = ({w, v, u},R = {(w, u), (w, v)},

V (p) = {w}) and M′ = ({w′, v′},R′ = {(w′, v′)}, V ′(p) = {w′}). It is obvious that

M, w � M′, w and that M, α 6 ∀y∀z(R(x, y) ∧ R(x, z) → y = z) but M′, α′

∀y∀z(R(x, y) ∧R(x, z) → y = z), where α(x) = w and α′(x) = w′. ¶

The following theorem, due to van Benthem, shows that bisimulations exactly pin-

point the expressive-power weakness of modal languages: not only modal languages

can not distinguish bisimilar models, but first-order formulas that can not either, are

equivalent to modal formulas.

Theorem 2.28 (van Benthem’s theorem) A first order formula is preserved un-

der bisimulation if, and only if, it is equivalent to the standard translation of a modal

formula.

The original proof of theorem 2.28 can be found in [Ben83]. Another proof, which

does not appeal to compactness and, thus, also applies to the case where we only

consider finite models, can be found in [Ros97].

Thus, due to theorem 2.28, if we want to show that a first order formula ϕ(x)

is not equivalent to (a translation of) any modal formula, all we have to do is find


two structures M and M′ such that M, w � M′, w′, and M, α ϕ but M, α 6 ϕ,

where α(x) = w, as has been done in example 2.27.

Theorem 2.28 draws a line under our consideration of the relationship between

propositional modal and first-order logics. This relationship underlies the idea of the

guarded fragment of first-order logic, which we consider in the next section.

2.3 First-order guarded logics

It is well-known that first order logic FO is undecidable. This motivates search for

decidable fragments of FO. One can obtain decidable fragments of FO by imposing

various syntactic restrictions on the way formulas of the first-order language are built.

Among well-known examples are the fragment of FO with only unary predicate let-

ters, the fragment with only two individual variables, and numerous fragments with

various restrictions on quantifier prefixes (see [BGG97] for a comprehensive overview

of decidable fragments of FO). These fragments vary as to their expressive power

and the complexity of their decidability problem. Some fragments also have finite

model property (if a formula is satisfiable, it is satisfiable in a finite model). Some

fragments possess useful properties of the full first order logic, such as interpolation,

Beth definability, and Los-Tarski property.

The considerations of the previous section suggest that modal perspective on first-

order logic gives us a new well-behaved fragment of FO, namely the modal fragment

containing all the translations of modal formulas under the standard translation. This

fragment naturally inherits all the good properties of modal logics, such as decidability

and finite model property. The guarded fragment can be viewed as an improvement

on this result. This improvement is two-fold. First, the guarded fragment extends

the modal fragment. Secondly, unlike the modal fragment, the guarded fragment can

be defined by imposing purely syntactic restrictions on the first-order formulas rather

than through a reference to a translation from a different language.


2.3.1 Guarded fragment of FO

Definition 2.29 Let FOΨ be a first-order language. A FOΨ-atoms are defined by

the following BNF expression:

ρ := R(x1, . . . , xn) | x = y

where R ranges over predicate parameters from Ψ of arity n, and x1, . . . , xn and x

range over individual variables. a

Henceforth in this chapter, we reserve the letter ρ to stand for atoms. We also use

x to stand for finite sequences of variables and FV (ϕ) for the set of free variables of

a first-order formula ϕ.

Definition 2.30 (Guarded fragment) The guarded fragment of first-order language

FOΨ is the smallest set GFΨ such that

1. Every FOΨ-atom belongs to GFΨ.

2. If ϕ ∈ GFΨ, then ¬ϕ ∈ GFΨ.

3. If ϕ ∈ GFΨ and ψ ∈ GFΨ, then ϕ ∨ ψ ∈ GFΨ.

4. If ρ is an FOΨ-atom, ϕ ∈ GFΨ, and x ⊆ FV (ϕ) ⊆ FV (ρ), then ∃x(ρ ∧ ϕ) ∈

GFΨ. a

It is easy to see that, if ρ is an FOΨ-atom, ϕ ∈ GFΨ, and x ⊆ FV (ϕ) ⊆ FV (ρ), then

∀x(ρ→ ϕ) is also in GFΨ. In formulas ∃x(ρ∧ϕ) and ∀x(ρ→ ϕ), ρ is called a guard,

which gives the name to the fragment.

Example 2.31 The following formulas are in GF:

• P (x, y, z) ∨ (x = y),

• ∃x∃yP (x, y, z),

• ∃x∃y, (P (x, y, z) ∧ ∀u(R(u, z) → S(u, z))),

while the following formulas are not:


• ∀xP (x, y, z),

• ∀x∀y∀z(P (x, y, z) ∧ x = y)),

• ∀x∀y∀z(R(x, y) ∧R(y, z) → R(x, z)),

• ∀x∀y∀z(R(x, y) ∧R(x, z) → y = z).

Moreover, the last two formulas (transitivity and functionality) are also not equivalent

to any guarded formula. ¶

2.3.2 Semantics

The guarded fragment can be seen as either just that — a fragment of first order logic,

— or as a new way of looking at first order logic, with its own semantics (and then we

can talk about first-order guarded logic rather than guarded fragment of first-order

logic). In this section, we give relativised first order semantics for the guarded logic,

which is akin to relativised cylindric algebras, and give a proof of decidability of the

guarded fragment (without equality) based on this semantics (the proof is based on

an unpublished proof by Andreka, van Benthem and Nemeti).

Standard vs. alternative semantics

To give the semantic account of the guarded fragment, we can either stick to the

standard first-order semantics (after all, guarded formulas are just a special kind

of first-order formulas) or to devise some kind of alternative semantics. The former

approach has the advantage of relying on the already well-developed first-order model

theory; it suffers, however, from two shortcomings. First, following it, we do not

reap benefits of not having to worry about non-guarded formulas; indeed, having

abandoned the standard first-order semantics, we could come up with, in a some

sense, more manageable class of models for guarded formulas (say, such a class M

that it is decidable, given a guarded formula ϕ, whether ϕ is true in every model in

M). Second, sticking to the standard first-order semantics does not shed any semantic

light on guarded formulas. Thus, an alternative semantics for guarded fragment


promises more benefits. While devising such semantics, we should, however, respect

the meaning of guarded formulas under the standard first-order semantics; in other

words, our alternative semantics should, as far as guarded formulas are concerned,

be faithful to the standard first-order semantics. To give the formal definition of

faithfulness, we remark that the formal analogue of “semantics” is a class of models.

Definition 2.32 Let L be a language and M and M’ be classes of models appropriate

for L. M’ is said to be faithful to M if, for all ϕ ∈ L, ϕ is true in every model in M’

if and only if ϕ is true in every model in M. a

In the context of guarded fragment, faithfulness is a desirable property since otherwise

we would be faced with an awkward question what does it mean for a guarded formula

to be valid—to be true in every standard first-order model or to be true in every

alternative model.

Guarded semantics informally

What might alternative semantics for a guarded fragment look like? Intuitively,

guarded formulas—unlike arbitrary first-order formulas that can, because of the un-

restricted quantification, speak about any object in the domain of the model—can

speak only about those individuals that are bound by some relation (including iden-

tity). This particularity of guarded formulas can be illuminated with the help of the

linguistic concepts of subject and predicate of the sentence. By the subject of the

sentence linguists mean the word or group of words that answers the question formed

by putting “what” or “who” before the verb, such as the word “New-Yorkers” in the

sentence “Some New-Yorkers love abstract art”. By the predicate of the sentence lin-

guists mean the word of group of words that says something about subject’s action,

experience, or state of being, such as “love abstract art” in “Some New-Yorkers love

abstract art”.

Guarded formulas are allowed to talk only about objects whose names are part

of their subject part. This subject part is always an atomic formula. Thus, the

alternative semantics for guarded formulas might be based on the idea of forbidding

the models to name the objects that are not connected by an atomic relation of the


model. This idea can be implemented by restricting the set of assignments available

to the model. This kind of semantics is known as relativised first-order semantics. In

the next section, we present relativised semantics, and then we use it to provide the

alternative semantics for the guarded fragment.

Relativised first-order semantics

Relativised first-order semantics is based on the idea that, given a first-order model

M = (W, I), we may consider some of M-assignments inadmissible. Thus, a, pos-

sibly proper, subset of the set of all M-assignments, is used in relativised semantics

to evaluate formulas. This set is a set of admissible assignments. When defining

relativised models, we have to explicitly specify which assignments are admissible.

(By contrast, we left the mention of assignments out of the definition of standard

first-order models since, given such a model M, the set of M-assignments can be

uniquely deduced.)

Definition 2.33 A relativised FOΨ-model is a tuple R = (W, I, A), where

1. M = (W, I) is a first-order model;

2. A is an arbitrary set of M-assignments. a

To get truth conditions for first-order formulas in relativised models, it seems

natural to simply adjust truth clauses for standard models in such a way that they

refer only to admissible assignments. Thus, clauses (1)-(4) of definition 2.10 would be

adjusted so that to be meaningful only for admissible assignments, and the existential

quantifier clause would look thus:

R, α ∃xϕ iff for some β ∈ A such that β 'x α, R, β ϕ. (2.1)

This naive approach leads, however, to unpleasant consequences. It is natural,

hence desirable, for the truth value of formula ϕ in a model R under assignment α to

depend on the values under α of only those variables that occur freely in ϕ. (Thus,

it is counterintuitive if the truth or otherwise of ∃xP (x, y) depends on the value of


variables z or x under α.) Standard first-order semantics conforms to this desirable

property that is usually referred to as locality.

Theorem 2.34 Let ϕ be a FOΨ-formula and M be a standard FOΨ-model. Let

α and β be M-assignments such that α(x) = β(x) for every x ∈ FV (ϕ). Then

M, α ϕ iff M, β ϕ.


As the following example shows, the stipulation of clause (2.1) would lead to

violation of locality for relativised models.

Example 2.35 Consider a relativised model R = (W, I, A), for the language with

a single binary predicate parameter R, with W = {a, b, c}, I(R) = {(a, b)} and

A = {α, β, γ}, where

(1) α(y) = c, α(z) = b, and α(x) = a otherwise4;

(2) β(y) = b, β(z) = b, and β(x) = b otherwise;

(3) γ(y) = a, γ(z) = b, and β(x) = a otherwise.

Then, α and β agree on all free variables of ∃yR(y, z), and under clause (2.1), R, α

∃yR(y, z) but R, β 6 ∃yR(y, z), which contravenes locality. ¶

The problem with condition (2.1) is that it takes for granted that, if there exists

an assignment α′ that agrees with α on all free variables of ∃xϕ, then there exists

assignment α′′ that disagrees with α not more than in the value of x. This assumption

is appropriate when we deal with standard first-order models—such models admit all

possible assignments, which allows us to fiddle with the values of variables other than

x and those in FV (∃xϕ). Once, however, we do away with standard models, this

assumption is unwarranted, and hence should be discarded.

We are almost ready to formally define the truth closes for relativised models.

First, though, a piece of notation.

4That is, α(x) = a for all x such that x 6= y and x 6= z.


Notational convention 2.1 Let X be a set of individual variables. β ≡X α means

that, for all x ∈ X, α(x) = β(x).

Definition 2.36 Let R = (W, I, A) be a relativised FOΨ-model, let α ∈ A, and let

ϕ and ψ be FOΨ-formulas. Then,

R, α P (x1, . . . , xn) iff (α(x1), . . . , α(xn)) ∈ I(P );

R, α x = y iff α(x) = α(y);

R, α ¬ϕ iff R, α 6 ϕ;

R, α ϕ ∧ ψ iff R, α ϕ and R, α ψ;

R, α ∃xϕ iff for some β ∈ A such that β ≡FV (∃xϕ) α, R, β ϕ.

a

Definition 2.37 Let R = (W, I, A) be a relativised FOΨ-model and ϕ be a FOΨ-

formula. ϕ is satisfiable in R if, for some α ∈ A, R, α ϕ. ϕ is true in R if, for

every α ∈ A, M, α ϕ. a

Guarded semantics formally

Equipped with the concept of relativised first-order semantics, we can formalise our

considerations of the guarded semantics. The basic idea is to allow only those first-

order assignments whose range is bound by a predicate letter, a parameter (such as

R) or a constant (that is, “=”). We call such assignments guarded.

Definition 2.38 Let M = (W, I) be a first-order model. A set X ⊆ W is said to

be guarded if (1) either X = {a} or (2) X = {a1, . . . , an} and for some predicate

parameter R, (a1, . . . , an) ∈ I(R). a

Intuitively, a subset of the domain of a model M is guarded if all its members are

connected by a relation in M. The first clause of definition 2.38 is meant to account

for the relation of equality, which connect every element of the domain to itself.

Definition 2.39 Let M be a first-order model. An M-assignment α is said to be

guarded if its range, rng(α), is a guarded set. a


Definition 2.40 A guarded model is a tuple G = (W, I, A), where

1. M = (W, I) is a first-order model;

2. A is the set of all guarded M-assignments. a

We say that a first-order model M = (W, I) is a base of a guarded model G =

(W, I, A). If we want to underscore that M is a base of G , we say that the later is a

guarded model over M and write GM rather than G .

Definition 2.41 Let G = (W, I, A) be a guarded model and ϕ be a guarded formula.

ϕ is satisfiable in G if, for some α ∈ A, G, α ϕ. ϕ is true in G if G, α ϕ

holds for every α ∈ A. ϕ is guarded-valid if it is true in every guarded model. ϕ is

guarded-satisfiable if it is true in some guarded model. a

We will next show that the semantics we presented is faithful, in the sense of

definition 2.32, to the standard first-order semantics, that is every guarded formula

ϕ is true in every guarded model if and only if it is true in every standard first-order

model. The following theorem is the cornerstone of the proof.

Theorem 2.42 A guarded formula ϕ has a guarded model if and only if it has a

standard first-order model.

Proof First, we prove the statement of the theorem right to left. Assume that there

exists a standard first-order model M = (W, I) and M-assignment α such that

M, α ϕ. Consider the guarded model GM = (W, I, A) over M. We show that

there exists α′ ∈ A such that GM, α′ ϕ. To this end, we prove, by induction on

the complexity of ϕ, that there exists α′ ∈ A such that GM, α′ ϕ if and only if

M, α ϕ.

Let ϕ be P (x1, . . . , xn). Let M, α P (x1, . . . , xn); that is, (α(x1), . . . , α(xn)) ∈

I(P ). Consider assignment α′ such that α′(x) = α(x) if x ∈ {x1, . . . , xn} and α′(x) =

α(x1) otherwise. It is clear that α′ ∈ A. Obviously, (α(x1), . . . , α(xn)) ∈ I(P )

iff (α′(x1), . . . , α′(xn)) ∈ I(P ) iff GM, α′ P (x1, . . . , xn). Case “ϕ is x = y” is

analogous.


Cases “ϕ is ¬ψ” and “ϕ is ψ ∨ χ” are straightforward.

Let ϕ be ∃x(ρ ∧ ψ), where ρ is an atom and FV (ψ) ⊆ FV (ρ). Let M, α

∃x(ρ∧ψ). Then, for some α′′ ∼=x α, M, α′′ ρ∧ψ, and so M, α′′ ρ and M, α′′ ψ.

Consider assignment α′ such that α′(z) = α′′(z) if z ∈ FV (ρ) and α′(z) = α′′(x) for

some x ∈ x otherwise. It is clear that α′ ∈ A. Obviously, M, α′ ρ, and since

FV (ψ) ⊆ FV (ρ), M, α′ ψ. Then, M, α′ ρ ∧ ψ, and in virtue of , M, α′

∃x(ρ ∧ ψ).

The left to right direction is straightforward. q.e.d.

Theorem 2.42 gives us the following corollary.

Corollary 2.43 A guarded formula ϕ is true in every guarded model if and only if

it is true in every standard first-order model.

Proof Follows from theorem 2.42 and closure of guarded formulas under negation.q.e.d.

2.3.3 Guarded bisimulations

The above consideration of the alternative semantics for guarded formulas in terms

of guarded sets naturally suggests the way to generalise bisimulations for modal lan-

guages to bisimulations for guarded formulas, or guarded bisimulations. Intuitively—

instead of a relation Z, that is a set of pairs (w, v) connecting points in Kripke

models—we need a set of functions F connecting guarded subsets of the domain of

first-order models. In the modal case, the points connected by Z have to satisfy the

same propositional parameters. If we require the functions in F to be partial iso-

morphisms between guarded subsets X and X ′, then X and X ′ will satisfy the same

predicate parameters. What would be the analogue of the back-and-forth conditions

for modal bisimulations? Instead of the accessibility relation between points we now

have to worry about any relation that may connect two guarded sets. Therefore,

if in one model we can move from a guarded set X along a connecting relation to

another guarded set Y , then in the other model we should be able to match this

move, maintaining partial isomorphism. These considerations give us the following

definition.


Definition 2.44 Let M and M′ be two first-order models with domains W and W ′,

respectively. A guarded bisimulation between M and M′ is a non-empty set F of

finite partial isomorphisms between M and M′ which satisfies, for every f ∈ F :

• for any guarded X ⊆ W there is a g ∈ F with dom(g) = X such that g and f

agree on dom(f) ∩X;

• for any guarded X ′ ⊆ W ′ there is a g ∈ F with rng(g) = X ′ such that g−1 and

f−1 agree on rng(f) ∩X ′. a

Not surprisingly, we can prove the analogue of van Benthem’s theorem for guarded

bisimulations, which gives another characterisation of the guarded fragment.

Theorem 2.45 (Andreka, van Benthem, Nemeti) A first order formula is pre-

served under guarded bisimulation iff it is equivalent to a guarded formula.

The proof of theorem 2.45 can be found in [AvBN98], [AvBN95], or [AvBN96].

2.3.4 Decidability via mosaics

Since for our purposes in this thesis the most important property of the guarded frag-

ment is its decidability, we present, in this section, the full proof of the decidability of

GF. The proof we give is essentially an unpublished proof by van Benthem, Andreka,

and Nemeti.

Definition 2.46 (Mosaics) Let ϕ(x1, . . . , xn) be a guarded formula. A ϕ-mosaic is

a tuple M = (D, I, A, M), where

1. D is a set, the domain of M , with |D| = n;

2. for each k-place predicate letter P, I(P ) ⊆ Dk;

3. A is the set of all functions s, M-assignments, from {x1, . . . , xn} to D such that

rng(s) is a guarded subset of D (that is, either rng(s) = {a} for some a ∈ D

or rng(s) = {a1, . . . , an} and (a1, . . . , an) ∈ I(P ), for some P ).


4. M is a (satisfaction) relation between M-assignments and subformulas of ϕ,

obeying the following conditions:

(V2) s M P (xi1, . . . , xik) iff (s(xi1), . . . , s(xik)) ∈ I(P ).

(V3) s M xi1 = xi2 iff s(xi1) = s(xi2).

(V4) s M ¬ψ iff M, s 6 ψ.

(V5) s M ψ ∧ χ iff s M ψ and s M χ.

(V6) s M ∃xiψ if, for some r ≡FV (∃xiψ) s, r M ψ. a

Definition 2.47 (Faults) Let M = (D, I, A, M) be a ϕ-mosaic, s ∈ A, and ∃xiψ ∈

Sub(ϕ). A pair (s, ∃xiψ) is said to be a fault in M , if s M ∃xiψ and there is no

r ≡FV (∃xiψ) s such that r M ψ. a

Definition 2.48 Let M = (D, I, A, M) and M ′ = (D′, I ′, A′, ′M) be ϕ-mosaics. M

and M ′ are said to be isomorphic, if there exists a bijection f : D → D′ such that

1. for every predicate letter P , (a1, . . . , ak) ∈ I(P ) iff (f(a1), . . . , f(ak)) ∈ I ′(P );

2. s M ψ iff (f ◦ s) M ′ ψ.

Bijection f is said to be an isomorphism between M and M ′. a

Unlike the definition of isomorphism for standard first-order models, definition 2.48

explicitly mentions relations M and ′M , since, as noted above, they are not uniquely

determined by other components of M and M ′. We write M ∼= M ′ to mean that M

and M ′ are isomorphic. If we also want to indicate that the isomorphism between M

and M ′ is f , we write f : M ∼= M ′. Obviously, if f : M ∼= M ′, then f−1 : M ′ ∼= M .

It can be checked that isomorphism is a transitive relation between mosaics:

Lemma 2.49 Let M , M ′, M ′′ be ϕ-mosaics. If f : M ∼= M ′ and g : M ′ ∼= M ′′, then

(f ◦ g) : M ∼= M ′′.

Since “isomorphic” means “structurally the same”, it comes as no surprise that

an isomorphic copy of a mosaic with a fault has a similar fault:


Lemma 2.50 Let M = (D, I, A, M) and M ′ = (D′, V ′, A′, ′M) be ϕ-mosaics, and

let f : M ∼= M ′. Then, (s, ∃xiψ) is a fault in M if and only if (f ◦ s, ∃xiψ) is a fault

in M ′.

Definition 2.51 (Compatible mosaics) ϕ-mosaics M = (D, I, A, M) and M ′ =

(D′, I ′, A′, M ′) are said to be compatible if (1) for each predicate letter P , I(P ) �

D ∩ D′ = I ′(P ) � D ∩ D′; (2) for every s : {x1, . . . , xn) → D ∩ D′ and every

ψ ∈ Sub(ϕ), s M ψ iff s M ′ ψ. a

Definition 2.52 (Correction of faults) Let M = (D, I, A, M) and M ′ = (D′, I ′,

A′, ′M) be ϕ-mosaics and let (s, ∃xiψ) be a fault in M . M ′ is said to correct (s, ∃xiψ),

if (1) M and M ′ are compatible; (2) rng(s) ⊆ D ∩ D′; and (3) (s, ∃xiψ) is not a

fault in M ′. a

Definition 2.53 (Complete sets of ϕ-mosaics) Let S be a set of ϕ(x1, . . . , xn)-

mosaics. S is said to be complete if for every M ∈ S and every fault (s, ∃xiψ) in

M such that (sic!) rng(s) < n, there exists a ϕ-mosaic M ′ such that (1) M ′ is

isomorphic to some M ′′ ∈ S; and (2) M ′ corrects (s, ∃xiψ). a

Definition 2.54 (Satisfiability in complete sets of mosaics) Let S be a com-

plete set of ϕ-mosaics and let ψ be a subformula of ϕ. ψ is said to be satisfied in S

if, for some M = (D, I, A) ∈ S and some s ∈ A, s M ψ. a

Theorem 2.55 Let ϕ be a guarded formula. It’s decidable whether there exists a

complete set of ϕ-mosaics satisfying ϕ.

Theorem 2.56 (From models to mosaics) Let ϕ(x1, . . . , xn) be a guarded for-

mula. If ϕ is guarded-satisfiable, then there exists a finite complete set of ϕ-mosaics

satisfying ϕ.

Proof Let G = (W, I, A) be a guarded model and let α ∈ A be such an assignment

that G , α ϕ. We show how to build a finite complete set S of ϕ-mosaics out of G .

Consider the set D = {D : D ⊆ W and |D| = n }. Its elements will serve as

domains for mosaics that will make up a first approximation of S. For each D ∈ D,


define a mosaic M as a tuple (D, I, A, M), where (1) for each predicate letter P ∈ ϕ,

I(P ) = I(P ) ∩ D; (2) A is the set of all functions from {x1, . . . , xn} to D whose

ranges are guarded subsets of D; (3) and M is defined by the following rule: s M ψ

iff G , β ψ, where β is any member of A that agrees with s on {x1, . . . , xn} (the

choice of a specific assignment is irrelevant since, as we know, any two sequences

agreeing on free variables of ϕ will induce the same value for any subformula of ϕ).

We claim that every M so defined is a ϕ-mosaic. To prove this we have to show that

M obeys conditions imposed on the satisfaction relation by definition 2.46. This is

a tedious but easy exercise, and we leave the details out. Let’s denote the set of all

so defined M ’s by SG .

Thus constructed SM is a complete set of mosaics satisfying ϕ. To see complete-

ness, assume that M ∈ SM and that (s, ∃xiψ) is a fault in M such that rng(s) < n.

This implies that s M ∃xiψ and, consequently, for some β with s(xi) = β(xi),

M, β ∃xiψ. Hence, for some a ∈ W − rng(s), M, βxia ψ. Since, according

to the assumption, rng(s) < n and SM contains mosaics based on every n-element

subset of W , there should be a mosaic in SM, say M ′ = (D′, V ′, A′, ′M), such that

rng(s) ∪ {a} ⊆ D′. We claim that M ′ corrects (s, ∃xiψ). First, it is obvious that

(s, ∃xiψ) is not a fault in M ′. Secondly, it is easy to see that M and M ′ are com-

patible: the definition of valuation functions for mosaics in SM implies that both

V (P ) � D ∩ D′ and V ′(P ) � D ∩ D′ are equal to I(P )(P ) � D ∩ D′, and the defini-

tion of satisfaction relation for members of SM guarantees that s M ψ iff s M ′ ψ

for every s : {x1, . . . , xn) → D ∩ D′ and every ψ ∈ Sub(ϕ). Thirdly, it is obvious

that rng(s) ⊆ D ∩ D′. Thus, SM is complete. Furthermore, SM contains a mosaic

satisfying ϕ. Indeed, consider an arbitrary mosaic, say M , in SM whose domain con-

tains {α(x1), . . . , α(xn)} and its assignment defined by s(xi) = α(xi). It is clear from

the way we defined for mosaics in SM that s M ϕ.

But what happened to our promise to come up with a finite complete set of mosaics

for ϕ? If our starting model M was infinite, then SM is infinite, too. Thus, SM is

not a felicitous choice for S. But S is within our reach. We just have to “rename”

elements of the domains of mosaics in SM so that all those domains become the same

n-element set. Formally, let’s consider the set {M = (D, V,A, M) : for some M ′ ∈


SM,M ∼= M ′ and D = {1, . . . , n} }. This set is, obviously, finite, and it will be our

sought-for S. Let’s show that it is a right choice.

Assume that M ∈ S and that (s, ∃xiψ) is a fault in M . By the construction

of S, there exists M ′ ∈ SM such that f : M ∼= M ′. According to lemma 2.50,

((f−1 ◦ s), ∃xiψ) is a fault in M ′. Now, SM is complete, and even more than that:

there exists a mosaic M ′′ that is not simply isomorphic to some member of SM, but

belongs to SM, such that ((f−1 ◦ s), ∃xiψ) is a not fault in M ′′. By its construction,

S contains an isomorphic copy of M ′′, say M∗. Thus, if we find an isomorphic copy

of M ′′ that corrects (s, ∃xiψ), we, due to lemma 2.49, will have proved that S is

complete.

Consider the isomorphic image, M ∗∗, of M ′′ under the bijection g. It is obvious

that rng(s) ⊆ D ∩ D∗∗. Furthermore, M∗∗ is compatible with M and (s, ∃xiψ), due

to lemma 2.50, is not a fault in M ∗∗. Hence, M∗∗ corrects (s, ∃xiψ) in M . Thus, S is

complete.

Finally, S satisfies ϕ. To see that, pick up a mosaic, say M , in SM and its

assignment s such that s M ϕ (such M and s exist, as we have shown earlier), and

consider their counterparts in S. They will do the job. q.e.d.

The above proof establishes the decidability of a guarded fragment of the first-

order logic whose language does not contain individual parameters. In [Gra99], the

following theorem was proved.

Theorem 2.57 (Gradel, 1999) The guarded fragment of first-order logic with in-

dividual parameters is decidable.

2.3.5 Other properties of GF

In this section, we mention some other nice properties enjoyed by GF.

Finite model property

The decidability proof above does not constitute a proof that GF has the finite model

property since the model we constructed may be infinite. In fact, the question whether


GF has the finite model property remained open for a while until solved positively

by Gradel in [Gra99].

Interpolation

A fragment F of first order logic has strong interpolation property if, for any pair of

formulas ϕ, ψ ∈ F such that ϕ → ψ is valid, there exists a formula χ ∈ F such that

both ϕ→ χ and χ→ ψ are valid and χ is built from the predicate symbols occurring

both in ϕ and ψ. A fragment F has a weak interpolation property if the above holds

only for sentences. The two variable guarded fragment GF 2 does enjoy a strong

interpolation property; however, the full guarded fragment does not ([HM02]). (For

any two ϕ, ψ ∈ GF such that ϕ→ ψ is valid a first order interpolant obviously exists,

but sometimes it is not equivalent to a guarded formula). However, if the guards in

the interpolant are not required to be in the common vocabulary, the property holds.

This interpolation property is similar to the interpolation property for multimodal

propositional logics, where the interpolant may contain modalities not in the common

vocabulary.

Beth definability

In [HM02], Hoogland and Marx showed that the above “modal” interpolation property

is sufficient to prove that Beth definability property holds for GF.

2.3.6 Loosely guarded fragment, packed fragment and clique fragment

There exist several generalisations of the first-order guarded quantification. Loosely

guarded fragment of the first-order logic was introduced by van Benthem and moti-

vated by the need to account for decidable modal logics with modalities whose truth

definitions do not have guarded form, for example, the so-called until modality U :

M, w U(ϕ, ψ) iff ∃v(wRv ∧M, v ϕ ∧ ∀u(wRu ∧ uRv → M, u ψ))

A generalisation of the loosely guarded fragment is the packed fragment introduced

by Marx in [Mar01]. Let’s say that a formula ψ packs a set of variables {x1, .., xn}


if FV (ψ) = {x1, .., xn} and ψ is a conjunction of formulas of the form yi = yj,

R(y1, ..., yk), or ∃yR(y1, ..., yk) such that for every xi 6= xj there is a conjunct in

ψ in which both xi and xj occur free. Now, the packed fragment is the smallest

set of first-order formulas containing all atomic formulas, closed off under boolean

connectives and under the following quantification: if ϕ is in the packed fragment,

then ∃x(ψ ∧ ϕ) and ∀x(ψ → ϕ) are, provided ψ packs FV (ψ) and FV (ϕ) ⊆ FV (ψ).

This considerably generalises the original guarded fragment, but still gives a decidable

fragment of FO since we have the following.

Theorem 2.58 (Marx, 2001) The packed fragment is decidable.

Other decidable generalisations of the guarded fragment are the clique fragment,

which is essentially the same as the packed fragment, introduced by Gradel in [Gra99],

and the action guarded fragment introduced in [GG00].

2.4 Higher-order guarded logics

Guarded quantification turned out to be a useful tool for obtaining decidable logics

other than first order, for example guarded fixed point logic.

2.4.1 Guarded Fixed Point Logic

Syntax and Semantics of FO(LFP)

First order logic with least fixed point operator FO(LFP) is obtained by adding to

FO a countable set of predicate variables and a least fixed point operator LFP .

Formulas of FO(LFP) are defined inductively. The clause for atomic formulas

allows to use predicate variables as well as predicate parameters to form atomic

formulas. The clauses for propositional connectives and quantifiers are the same as

in FO. The clause for the fixed point operator looks as follows. Let X be a k-ary

predicate variable, x be a tuple of k distinct variables, and ψ(X, x) be an FO(LFP)

formula where X occurs positively (that is, under an even number of negations) and

the only individual variables are x. Then [LFP Xx.ψ] is a formula of FO(LFP).


Given a model M with domain W , ψ(X, x) defines an operator ψM on k-ary

relations in W (so that we take a k-ary relation, substitute it for X in ψ and get a

new k-ary relation). Then, M, α [LFP Xx.ψ] if α(x) is in the least fixed point of

ψM.

Guarded least fixed point logic: µGF

The guarded fragment of FO(LFP), µGF , is defined analogously to the definition of

GF, with the addition of the following clause:

• If [LFP Xx.ψ] is a formula of FO(LFP), ψ(X, x) is a guarded formula, and X

is not used in guards, then [LFP Xx.ψ] is in µGF .

It turns out that µGF can express properties not expressible in FO. For example,

we can define “a node satisfying P is reachable by a reflexive, transitive closure of

R”:

[LFP Xx.(P (x) ∨ ∃y(R(x, y) ∧ P (y)))](x)

Nevertheless, µGF is decidable.

Theorem 2.59 (Gradel and Walukiewicz, 1999) µGF is decidable.

A proof that uses the tree model property of the guarded fixed point logic can be

found in [GW99]. A proof using automata can be found in [BB02].

Characterisation of µGF

Semantic characterisation of µGF as the set of guarded second order formulas invari-

ant under guarded bisimulation was established in [GHO00]. Gradel, Hirsch and Otto

extended the result of Janin and Walukiewicz which characterised modal µ-calculus

to µGF .


Other guarded fixed point logics

A guarded least fixed point logic with a more relaxed version of guarded quantification

was introduced in [McCar], motivated by game logic and database considerations.

McColm’s guarded least fixed point logic has the same expressive power as unguarded

FO(LFP) and is undecidable.

2.4.2 Transitive relations

Guarded fixed point logic does not allow fixed points in the guards. In particular,

a guard cannot be a transitive closure of a binary relation. However, there exist

decidable modal logics—for example, PDL (propositional dynamic logic)—which are

decidable and have modalities with truth conditions where transitive closure of a re-

lation occurs in a guard. For example, a PDL-formula 〈a∗〉 p has the following truth

condition: ∃y(R∗a(x, y) ∧ P (y)), where Ra is an accessibility relation correspond-

ing to the label a and R∗a is its reflexive, transitive closure. However, as we have

seen, this formula can be rewritten as a formula of the guarded fixed point logic

[LFP Xx.(P (x) ∨ ∃y(Ra(x, y) ∧ P (y)))](x).

Transitivity axioms make the guarded fragment of first order logic undecidable:

Theorem 2.60 (Gradel 1999) GF with transitivity is undecidable.

For a proof, see [Gra99].

Even restricting the fragment to just two variables does not help:

Theorem 2.61 (Ganzinger, Meyer and Veanes, 1999 [GMV99])

Two-variable guarded fragment without equality GF 2 with transitive relations is

undecidable.

In [GMV99], Ganzinger, Meyer and Veanes proved that when non-unary relations

in GF 2 are only allowed as guards, then transitive guards can be allowed without

loss of decidability. Essentially, the resulting logics corresponds to modal logics with

transitive accessibility relations.

However, if transitive relations only occur in guards, guarded fragment is decid-

able.


Theorem 2.62 (Szwast and Tendera 2003) Guarded fragment with transitive guards

is decidable.

For a proof, see [ST01].

42

Chapter 3

Intuitionistic modal logic

3.1 Introduction

In this chapter, we apply some of the ideas described in chapter 2 in a new setting,

that of intuitionistic, rather than classical, propositional modal logics. In chapter 2,

we have seen that the guarded fragment GF of the first-order logic is decidable.

This may be used to prove that all modal logics that can be embedded into GF are

decidable. This proof technique is rarely used in the classical setting since, in the

case of classical modal logics, there exists a powerful array of proof-techniques for

establishing decidability. However, decidability proofs via embedding into guarded

fragments can come in useful in the field of intuitionistic modal logics, which has not

been studied as extensively as that of classical modal logics. In this chapter, which is

largely based on paper [AS05], we present a new general way of proving decidability

of intuitionistic modal logics. This method relies on the result of Ganzinger, Meyer

and Veanes [GMV99] that a monadic two-variable guarded fragment GF 2mon of clas-

sical first-order logic, where guard relations satisfy conditions that can be expressed

as monadic second-order definable closure constraints, is decidable. Our contribution

is a generalisation of their result to account for conditions that involve more than

one guard relation, which we need to handle the conditions imposed on accessibility

relations in intuitionistic Kripke models, and a demonstration that many conditions

imposed on accessibility relations in Kripke models for intuitionistic modal logics can

be expressed as monadic second-order logic definable constrains. It looks likely that

3. intuitionistic modal logic 43

this method may turn out to be useful for intuitionistic modal logic, where there

exists a wide variety of systems, most of them defined semantically in terms of the

conditions imposed on accessibility relations in Kripke models, with various condi-

tions connecting intuitionistic and modal accessibility relations. General results on

decidability and finite model property of intuitionistic modal logic have been proved

by F. Wolter and M. Zakharyaschev in [WZ99a, WZ97, WZ99b] using an embedding

of intuitionistic modal logics with n modalities into classical modal logics with n+ 1

modalities. Their method, although extremely powerful, has its limitations: it can

be used to prove decidability of only those intuitionistic modal logics for which the

corresponding classical logic is known to be decidable.

Our method, needless to say, also has its limitations. In particular, the decidabil-

ity proof presented in this chapter does not give a very good decision procedure, since

it proceeds by reduction to satisfiability of formulas of SkS (monadic second-order

theory of trees with constant branching factor k, [Rab69]), which is non-elementary.

Better complexity bounds for the guarded fragment with transitive guards were ob-

tained in [Kie03] and [ST01]; however, their results apply only to transitivity, and it

is not clear whether they could be extended to arbitrary closure conditions, which

we need for intuitionistic modal logics. Our method does, however, provide a rather

simple way to establish decidability, before looking for a decision procedure tailored

for a particular logic.

The chapter is structured as follows. First, in section 3.2, we define two-variable

monadic guarded fragment. Next, in section 3.3, we introduce monadic second-order

definable (or, simply, mso-definable) closure conditions and prove (theorem 3.12) a

generalisation of the decidability result of [GMV99]. In section 3.4, we introduce

intuitionistic modal logics and show that many of the conditions used to semantically

define intuitionistic modal logics are mso-definable, as defined in section 3.3. In

section 3.5, we show that all intuitionistic modal logics considered in section 3.4 can

be embedded into two-variable monadic guarded fragment introduced in section 3.2.

In section 3.6, we prove our main result in this chapter (theorem 3.15), namely that

all intuitionistic logics defined by the sets of mso-definable conditions on accessibility

relations in Kripke models are decidable. Finally, in section 3.7, we give examples


of how our decidability result can be put to work to prove decidability of particular

systems.

3.2 Two-variable monadic guarded fragment

Two-variable monadic guarded fragment GF 2mon of first-order logic was introduced in

[GMV99]. It restricts the (full) guarded fragment GF of first-order logic in two ways.

First, only formulas with no more than two variables (free or bound) are allowed in

GF 2mon. Secondly, all predicate parameters whose arity is more than 1 are allowed to

occur only in guards. It is further assumed that the language of first-order logic does

not contain any individual or functional parameters (see remark 2.13), but it may

contain equality.

Definition 3.1 (GF 2mon

) The monadic two-variable guarded fragment GF 2mon of first-

order logic is the subset of the guarded fragment of first-order logic GF containing

formulas ϕ such that (i) ϕ has no more than two variables (free or bound), and (ii)

all non-unary predicate parameters of ϕ occur in guards. a

3.3 Closure conditions

In this section, we define the form of conditions on guards in GF 2mon that yield de-

cidable fragments. We generalise the notion of mso-definable closure conditions from

[GMV99] so that they can apply to more than one relation.

First, we define simple and parametrised closure operators on relations.

Definition 3.2 (Closure operators) Let W be a non-empty set. A unary function

C on 2W is a simple closure operator if, for all P,P ′ ⊆ W ,

1. P ⊆ C(P) (C is increasing),

2. P ⊆ P ′ implies C(P) ⊆ C(P ′) (C is monotone)

3. C(P) = C(C(P)) (C is idempotent).


An n + 1-ary function C on the powerset of W is a parametrised closure operator

if C(P1, . . . ,Pn,−) for any P1, . . . ,Pn ⊆ W is a simple closure operator. We use

notation CP1,...,Pn for a closure operator parametrised by P1, . . . ,Pn. a

Example 3.3 A reflexive, transitive closure operator for binary relations TC(P),

which assigns to a binary relation P its reflexive, transitive closure P ∗, is a simple

closure operator. ¶

Example 3.4 A function InclP′

(P) = P ′ ∪ P is a closure operator parametrised by

P ′. ¶

Next, we define simple and parametrised closure conditions.

Definition 3.5 (Closure conditions) A condition on relation P is a simple closure

condition if it can be expressed in the form C(P) = P, where C is a simple closure

operator.

A condition on relation P is a parametrised closure condition if it can be expressed

in the form CP1,...,Pn(P) = P, where CP1,...,Pn is a parametrised closure operator. a

Example 3.6 Reflexivity-and-transitivity is a simple closure condition, since it can

be expressed in the form TC(P) = P and we have seen in example 3.3 that TC is a

simple closure operator. ¶

Example 3.7 Condition P ′ ⊆ P is a closure condition on P parametrised by P ′,

since it can be stated as InclP′

(P) = P and we have seen in example 3.4 that InclP′

is a parametrised closure operator. ¶

Given a set of closure conditions on a set of relations S, we want to preclude

circularity while closing off relations in S.

Definition 3.8 (Acyclic sets of conditions) Let S be a finite set of relations, C

a set of closure conditions on those relations, and C(P) be all the closure conditions

on the relation P from C. C is acyclic if there is an ordering P1, . . . ,Pn of S such

that all parameters in C(Pi+1) come from P1, . . . ,Pi. a


Furthermore, we are not interested in arbitrary closure operators, but only in

those definable in monadic second-order logic. Monadic second-order logic is, es-

sentially, a first-order logic where quantification over unary predicate parameters is

allowed. Technically, this is achieved by introducing into the language of first-order

logic, among predicate parameters and predicate constants (such as equality), unary

predicate variables that can be quantified over. Thus, in the formula

∀X(X(z1) ∧ ∀x, y(X(x) ∧ P (x, y) → X(y)) → X(z2))

P is a predicate parameter and X is a predicate variable. All first-order formulas

are, by default, monadic second-order (mso, for short) formulas. So, whenever in this

chapter we talk about mso formulas, we count first-order formulas as such. Second-

order models are exactly like first-order ones; to evaluate mso formulas, all we need is

an assignment mapping predicate variables into subsets of the domain of the model.

Let M be an mso model and ϕ(x1, . . . , xn) be an mso formula. We say that an

n-tuple (w1, . . . , wn) satisfies ϕ if M, α ϕ, where α(x1) = w1, . . . , α(xn) = wn. We

use ‖ϕ(x1, . . . , xn)‖M to denote the set of n-tuples satisfying an mso formula ϕ in

model M.

Definition 3.9 (mso-definable operators) A closure operator CP1,...,Pm on n-ary

relations is mso-definable, or simply mso, if there exists a monadic second-order for-

mula CP1,...,Pm

P with predicate parameters P1, . . . , Pm and P , such that, for any model

M and any n-ary formula ϕ,

CP1,...,Pm(‖ϕ‖M) = ‖CP1,...,Pm

P (ϕ/P ))‖M.

Example 3.10 The closure operator TC is definable by the mso formula

TCP (z1, z2) = ∀X(X(z1) ∧ ∀x, y(X(x) ∧ P (x, y) → X(y)) → X(z2))

To see that TCP defines the reflexive, transitive closure of P, assume that there is a P-

chain w1Pw2 . . . wn−1Pwn, connecting w1 and wn, and that X (w1) and ∀x, y(X(x) ∧

P (x, y) → X(y)) hold. Then X (w1) implies X (w2) . . . implies X (wn); therefore,

TCP (z1, zn) is true under such α that α(z1) = w1 and α(z2) = w2. Conversely,


suppose there is no P-chain connecting w1 and wn. We can assign to X the set X

containing w1 and all the elements P-reachable from w1. Then X (wn) does not hold,

and therefore, TCP (w1, wn) false under such α that α(z1) = w1 and α(z2) = w2. ¶

Example 3.11 The closure operator InclP′

is definable by the mso (in fact, even

first-order) formula InclP′

P (z1, z2) = P ′(z1, z2) ∨ P (z1, z2). ¶

Next, we generalise the result of [GMV99] so that it applies not only to GF 2mon

with a single mso-definable closure condition imposed on relations, but also to sets

of mso-definable closure conditions.

Theorem 3.12 Let ϕ ∈ GF 2mon and C be an acyclic set of mso closure conditions on

relations in ϕ so that at most one closure condition is associated with each relation.

It is decidable whether ϕ is satisfiable in a model satisfying C.

Proof The proof is similar to the proof given in [GMV99] for non-parametrised clo-

sure conditions. In fact, it is even simpler, since in [GMV99] all relations are assumed

to be closed under equivalence (which is used to handle equality). However, closure

under equivalence is a special case of a parametrised closure condition, so we do not

need to treat it separately.

Let ϕ ∈ GF 2mon and let C be an acyclic set of mso closure conditions on relations in

ϕ. We know that ϕ is satisfiable in a model satisfying C if and only if the Skolemised

form of ϕ, say N , is satisfiable in a Herbrand model in which all conditions from C

hold. The idea of the decidability proof is to reduce the latter problem to satisfiability

of formulas of SkS (mso theory of trees with constant branching factor k), where

k is the number of Skolem function symbols in N . We construct an mso formula

MSON , in the vocabulary of SkS (an mso formula containing only unary predicate

variables, unary functional parameters and equality), such that MSON is satisfiable

in a tree model iff N has a Herbrand model satisfying closure conditions from C. The

construction proceeds in three stages: defining counterparts for predicate letters, for

clauses in N and finally for N itself.

Stage 1. For each predicate letter P in N , construct a formula ϕP in the vocab-

ulary of SkS.


Let P (t1), . . . , P (tm) be all positive literals of N containing P . Note that since

ϕ ∈ GF 2mon, each P is either a unary or a binary predicate letter; so, each positive

literal will contain at most one free variable. For each P (ti) above, a new unary

second-order variable XP (ti) is introduced. Let t[z] be the result of substituting a

variable z for the free variable of t. Then, if P is a unary predicate letter,

ϕP (z1) =

m∨

i=1

∃z(XP (ti)(z) ∧ z1 = ti[z])

and if P is a binary predicate letter,

ϕP (z1, z2) =

m∨

i=1

∃z(XP (ti1 ,ti2)(z) ∧ z1 = ti1[z] ∧ z2 = ti2[z])

Intuitively, the relation defined by ϕP is the minimal extension of P .

Next, for each predicate letter that has a closure condition imposed on it, we

define the closure ψP of ϕP with respect to the closure condition on P . For each

such P we have a single closure condition CP , which may be parametrised by other

predicates. For simplicity, assume that CP is parametrised by a single predicate P ′

that, in its own turn, has a simple closure condition CP ′. We know, then, that CP ′

is definable by an MSO formula CP ′(z1, z2) containing P ′, and CP is definable by an

MSO formula CP ′

P (z1, z2), containing P ′ and P . First, we define the closure of P ′

with respect to its simple closure condition:

ψP ′(z1, z2) = CP ′(z1, z2)[ϕP ′/P ′]

that is, we replace every occurrence of P ′ in CP ′(z1, z2) with ϕP ′.

Next, we define the closure of P with respect to its parametrised condition:

ψP (z1, z2) = CP ′

P (z1, z2)[ψP ′/P ′, ϕP/P ]

In general, for any acyclic set C of conditions on the collection of relations S,

we first define the simple closures, then the closures parametrised by relations with

simple closure conditions, etc. The acyclicity of C ensures that this procedure can

be carried out.


Stage 2. For each clause χ = {ρ1, . . . , ρl} in N , construct a formula MSOχ in

the vocabulary of SkS.

For every literal ρ in χ, a formula MSOρ is defined according to the following

rule:

MSOρ =

Xρ(x), if ρ is a non-ground atom containing x

∃zXρ(z), if ρ is a ground atom

¬ψP (t), if ρ is ¬P (t)

where ψP is the formula constructed at stage 1. Now MSOχ is defined as MSOχ =∨ρ∈χMSOρ.

Stage 3. Finally, MSON = ∃X∀x∧χ∈NMSOχ, where X are all the free second

order variables and x are all the first order variables in∧χ∈NMSOχ.

It remains to show that N has a Herbrand model satisfying the closure conditions

in C iff MSON is satisfiable in a tree. Let T be the tree corresponding to the term

algebra of the Herbrand universe of N .

First, left to right. Assume that N has a Herbrand model A satisfying closure

conditions in C. We want to show that T satisfies MSON . Fix witnesses for second-

order variables Xρ of MSON as follows:

(i) If ti is non-ground, then XP (ti) = {w : A |= P (ti[w])}.

(ii) If ti is ground, then XP (ti) is a non-empty set.

We know that for each clause χ of N , and each tuple w, A |= χ(w). This means

that for each w, there is a literal ρ in χ such that A |= ρ(w). We show that for any w

and ρ, if A |= ρ(w), then T |= MSOρ(w). Hence A |= χ(w) implies T |= MSOχ(w).

There are three cases to consider, depending on the form of ρ. The first two

(non-ground atom P (ti) and ground atom) are exactly the same as in [GMV99]. If ρ

is a negative literal ¬P (ti), we need to show that T |= ¬ψP (t)(w). It suffices to show

that ‖ψP‖A ⊆ PA. Indeed, this, together with our assumption that A |= ¬P (t)[w],

implies T |= ¬ψP (w). First, the definition of T guarantees that ‖ϕP‖A ⊆ PA. Hence,

by monotonicity of closure operators, CPA

1

P (‖ϕP‖A) ⊆ C

PA1

P (PA). By definition of ψP ,

CPA

1

P (‖ϕP‖A) = ‖ψP‖

A; furthermore, since A satisfies conditions in C, CPA

1

P (PA) =

PA; hence, ‖ψP‖A ⊆ PA.

Secondly, right to left. Assume that MSON is true in T . Define a Herbrand


model A as follows. The universe of A is the set of nodes of T , and PA = ‖ψP‖.

First, we prove that A satisfies closure conditions C. To this end, we have to show

that CP1

P (PA) = PA. Indeed, CPA

1

P (PA) = CPA

1

P (‖ψP‖) = C‖ψP1

‖

P (C‖ψP1

‖

P (‖ ϕP‖)) =

C‖ψP1

‖

P (‖ϕP‖) = ‖ψP‖ = PA.

Finally, we need to show that A satisfies all clauses in N . This part of the proof

is exactly the same as in [GMV99], so we omit it here.

3.4 Intuitionistic modal logics

One of the most interesting applications of theorem 3.12 proved in the previous sec-

tion is propositional intuitionistic modal logic. Intuitionistic modal logic is simply a

modal logic with intuitionistic, rather than classical, base. The work on intuitionistic

modal logic has several motivations: mathematical interest; preference for intuition-

istic rather than classical logic; desire to give intuitionistic account of the notions

studied in modal logic; and suitability of intuitionistic modal logic for modelling cer-

tain computational phenomena. There exists an extensive literature on intuitionistic

modal logics, for example [Fit48, Bul65a, Bul65b, Bul66, Pra65, Min68, Ono77, OS88,

Gol76, FS86, PS86, Dos85, Wij90, WZ99a, WZ97, WZ99b]. A comprehensive survey

can be found in [Sim94]; for later references, see [ZWC01] and [PD01].

The primary motivation for the study of intuitionistic modal logic by theoretical

computer scientists is that it can be used to model various computational phenomena.

A considerable strand of work in this area is based on the work by Moggi [Mog91]

who extended a typed λ-calculus style semantics for functional programming lan-

guages with an additional construct, a monad, to model effects in functional program-

ming languages (such as the raising of exceptions etc.). The correspondence between

simply-typed λ-calculus and intuitionistic propositional logic is well known; it turns

out that monads correspond to S4-type modalities. This created a considerable inter-

est in intuitionistic S4 modal logic, its proof theory and categorical and Kripke seman-

tics [BdP00, BBdP98, GL96, Kob97, Pit90, AMdPR01, DP96, DP01, PD01]. Other

applications of intuitionistic modal logic to modelling computational phenomena in-


cluded modelling incomplete information [Wij90], communicating systems [Sti87], and

hardware verification [Men91, FM97].

Intuitionistic modal languages are obtained by adding either or both of the unary

connectives ♦ (possibility) and � (necessity) to the language of propositional intu-

itionistic logic, which contains a set of propositional parameters Φ = {p1, p2, . . .}, a

unary connective ∼ (negation, “not”), and binary connectives ∧ (conjunction, “and”),

∨ (disjunction, “or”), and ⇒ (implication, “if . . . then”). For intuitionistic negation

and implication, we use different symbols from the ones used for classical negation and

implication, first, because these connectives have different meaning in intuitionistic

and classical logics and, second, because we will need to distinguish between two sets

of connectives later on in this chapter. Analogously to ∀ and ∃, in intuitionistic logic

� and ♦ are not required to be dual; thus, unlike in classical modal logic, they should

be treated as independent modalities. It comes as no surprise that in intuitionistic

modal logic some of the classically valid formulas are not valid, an obvious example

being �(ϕ∨ ∼ ϕ). More surprisingly, perhaps, in some intuitionistic modal logics,

♦(ϕ ∨ ψ) ≡ (♦ϕ ∨ ♦ψ) is not valid, either (see, for example, [Wij90]).

Kripke semantics of intuitionistic modal logics extends Kripke semantics for in-

tuitionistic propositional logic. An intuitionistic Kripke model is a structure M =

(W,R, V ) such that (i) W 6= ∅, (ii) R is a reflexive and transitive binary relation on

W , and (iii) V is a function from the set of propositional parametersΦ into the pow-

erset of W such that, for all w ∈ W and p ∈ Φ, if w ∈ V (p) and wRv, then v ∈ V (p)

(this condition is usually referred to as upward persistence for propositional vari-

ables). Elements of W are referred to as points. Truth at a point is defined as follows

(→ and ¬, as before, stand for classical implication and negation, respectively):

M, w p iff w ∈ V (p);

M, w ∼ ϕ iff ∀v(R(w, v) → ¬(M, v ϕ));

M, w ϕ ∧ ψ iff M, w ϕ and M, w ψ;


M, w ϕ⇒ ψ iff ∀v(R(w, v) → (¬(M, v ϕ) or M, v ψ);

To accommodate formulas of the form �ϕ and ♦ϕ, intuitionistic Kripke models


are augmented with binary relations R� and R♦. There is no single accepted way

of defining the meaning of � and ♦ in intuitionistic logic. The following clauses are

encountered in the literature (see chapter 3 of [Sim94] for a comprehensive survey):

(�1) M, w �ϕ iff ∀v(wR�v → M, v ϕ)

(�2) M, w �ϕ iff ∀v(wRv → ∀u(vR�u→ M, u ϕ))

(♦1) M, w ♦ϕ iff ∃v(wR♦v ∧M, v ϕ)

(♦2) M, w ♦ϕ iff ∀v(wRv → ∃u(vR♦u ∧M, u ϕ))

Observe that definition (♦2) gives rise to a modality which does not distribute

over disjunction. Accordingly, logics whose possibility operator is defined in this way

are usually referred to as non-normal intuitionistic modal logics.

On top of the requirement that R is reflexive and transitive, some additional

conditions are usually imposed on R, R�, and R♦. As a rule, these conditions

specify the way R, R�, and R♦ interact. For example, the following conditions

usually accompany truth clauses (�1) and (♦1) (see [WZ99a]):

R ◦R� ◦ R = R� (3.1)

R ◦R♦ ◦ R = R♦ (3.2)

In the conditions above, ◦ stands for relational composition, defined as follows:

R ◦R′ = { (x, y) : ∃z ((x, z) ∈ R ∧ (z, y) ∈ R′) }

and R stands for the converse relation, defined as follows:

R = { (y, x) : (x, y) ∈ R}.

Another condition occurring in the literature (see, for example, [FM97]) stipulates

that

R♦ ⊆ R (3.3)


It turns out that many of the conditions on R, R� and R♦, including conditions

(1) - (3) above, are mso-definable closure conditions as introduced in section 3.3. For

condition (3), see examples 3.4 and 3.7. The following theorem shows that (1) and

(2) are also mso-definable closure conditions.

Theorem 3.13 Any condition of the form P = P ′◦P◦P ′ is an mso-definable closure

condition, provided that P ′ is reflexive and transitive.

Proof Consider a function CompP′

(P) = P ′ ◦P ◦P ′. If P ′ is reflexive and transitive,

then P ⊆ P ′ ◦ P ◦ P ′ by the reflexivity of P ′. P ′ ◦ P ◦ P ′ is obviously monotone

in P; and CompP′

is idempotent because of the transitivity of P ′. This proves that

CompP′

is a closure operator provided that P ′ is reflexive and transitive. Conditions

of the form P ′ ◦P ◦P ′ = P can be expressed as closure conditions: CompP′

(P) = P.

This condition is mso-definable; in fact, it is definable by a first order formula:

CompP′

P (z1, z2) = ∃x∃y(P ′(z1, x) ∧ P (x, y) ∧ P ′(y, z2))

3.5 Embedding into two-variable monadic fragment

In this section, we show that every intuitionistic modal logic Λ defined semantically

with any of the truth clauses (�1) − (♦2) can be translated into GF 2mon.

As in the case of classical modal logic, we define, by mutual recursion, two trans-

lations, τx and τy, so that a first-order formula τv(ϕ) (v ∈ {x, y}) contains a sole free

variable v. The translation τx is defined by

• τx(p) := P (x);

• τx(∼ ϕ) := ∀y(R(x, y) → ¬τy(ϕ));

• τx(ϕ ∧ ψ) := τx(ϕ) ∧ τx(ψ);

• τx(ϕ ∨ ψ) := τx(ϕ) ∨ τx(ψ);

• τx(ϕ⇒ ψ) := ∀y(R(x, y) → (¬τy(ϕ) ∨ τy(ψ)));


• τx(�ϕ) := ∀y(R(x, y) → ∀x(R�(y, x) → τx(ϕ)));

• τx(♦ϕ) := ∀y(R(x, y) → ∃x(R♦(y, x) ∧ τx(ϕ)))

The translation τy is defined analogously, switching the roles of x and y. Then we say

that we consider τx(ϕ) to be the standard translation τ(ϕ) of a modal intuitionistic

formula ϕ. This translation assumes modal truth clauses (�2) and (♦2). Clauses for

(�1) and (♦1) are even simpler (and familiar from classical modal logic):

• τ ′x(�ϕ) := ∀y(R�(x, y) → τ ′y(ϕ))

• τ ′x(♦ϕ) := ∃y(R♦(x, y) ∧ τ ′y(ϕ))

Not surprisingly, since τx is a natural generalisation of the standard translation of

modal logic into classical predicate logic, the following theorem holds:

Theorem 3.14 Let ϕ be an intuitionistic modal formula and M be a class of models of

intuitionistic modal logic. Let M ∈ M. Then, M, w ϕ iff M, α τ(ϕ) with α(x) =

w (where M is taken as a model of first order logic with R,R�,R♦ interpreting

R,R�, R♦).

3.6 Decidability

From theorem 3.14 it follows that if satisfiability problem of GF 2mon over M is de-

cidable, then satisfiability problem of intuitionistic modal logic over M is decidable,

too.

We already know (see section 2.3.4) that the guarded fragment is decidable over

the class of all first order models. Decidability of GF 2mon over models with reflexive,

transitive guards is proved in [GMV99]. From this and the fact that upward per-

sistence for propositional variables occurring in ϕ is expressible in GF 2mon it follows

immediately that basic intuitionistic modal logic (with no conditions connecting R,

R�, and R♦) is decidable. The main result of this chapter is the generalisation of

this result to include classes of models defined using conditions involving interaction

between R, R� and R♦. The following is the main theorem of the chapter.


Theorem 3.15 Let M be a class of intuitionistic modal models defined by an acyclic

set of mso closure conditions on R, R�, and R♦ so that at most one closure condition

is associated with each relation, and let ϕ be an intuitionistic modal formula. Then,

it is decidable whether ϕ is satisfiable in M.

Proof Immediately follows from theorems 3.14 and 3.12. q.e.d.

3.7 Examples

In this section, we state several decidability results to illustrate the approach to

obtaining decidability for intuitionistic modal logics presented in this chapter.

Our first example is, essentially, a decidability result for several flavours of basic

intuitionistic modal logic, that is intuitionistic modal logic with no conditions imposed

on modal accessibility relations R♦ and R�, apart from the conditions stipulating

how they interact with the intuitionistic accessibility relation R. This result is by

no means a surprise, even though it may well be that it has not been proved for all

possible combinations of truth definitions for modalities, like we do below.

Theorem 3.16 An intuitionistic modal logic Λ with two modalities � and ♦, defined

by a class of models where

• R ◦ R♦ ◦ R = R♦

• R ◦ R� ◦ R = R�

and employing any of the truth definitions for modalities (�1), (�2), (♦1), (♦2) (in

any combination, e.g. (�1) with (♦2); possibly with more modalities, provided that all

truth definitions can be translated into GF 2mon), is decidable.

Proof The class of models of Λ is defined by the following closure conditions on R�,

R♦ and R:

1. R is reflexive and transitive;

2. R ◦R♦ ◦ R = R♦;


3. R ◦R� ◦ R = R�.

There is clearly at most one condition for each of the relations R, R♦ and R�, and

the set of conditions is acyclic. We have shown, in Examples 3.3 and 3.6, that the

condition on R is a closure condition and, in Example 3.10, that it is mso-definable.

By theorem 3.13, conditions on R� and R♦ are also mso-definable closure conditions.

We have shown that the class of models of Λ conforms to the conditions of theo-

rem 3.15, which proves that Λ is decidable. q.e.d.

The next example is related to a known result (decidability of PLL [FM97]), but

for a different logic (without fallible worlds):

Theorem 3.17 An intuitionistic modal logic Λ with one modality ♦, defined by a

class of models where

R♦ is reflexive and transitive;

R♦ ⊆ R

and employing the truth definition (♦2) for the modality, is decidable.

Proof The class of models of Λ is defined by the following closure conditions:

1. TC(R♦) = R♦;

2. TC(R) = R;

3. InclR♦(R) = R (see Examples 3.4 and 3.7).

This set of conditions is acyclic and each condition is mso definable. However there

are two constraints associated with R: it is required to be closed both with respect

to TC and to InclR♦ . To satisfy the conditions of Theorem 3.15, we need to combine

them into one mso definable closure condition. Observe that TC ◦ InclP′

is a closure

operator with the property that for any relation P,

TC(InclP′

(P)) = P ⇔ TC(P) = P and InclP′

(P) = P.


First of all, TC ◦ InclP′

is monotone and increasing, since both TC and InclP′

are. It

is also idempotent, because the result of applying TC ◦ InclP′

to any relation P is a

transitive relation containing P ′, and any subsequent applications of TC ◦ InclP′

are

not going to change it. So, TC ◦ InclP′

is a closure operator. To prove that closure

with respect to this operator is equivalent to closure with respect to TC and InclP′

separately, observe that one direction is immediate: if P is closed with respect to TC

and InclP′

, then it is closed with respect to TC ◦ InclP′

. For the other direction,

assume first that

TC(InclP′

(P)) = P

but P is not closed with respect to InclP′

, that is, it is a proper subset of InclP′

(P).

But since TC is increasing, P is then a proper subset of TC(InclP′

(P)), which con-

tradicts the assumption. Now assume that P is not closed with respect to TC, so

that it is a proper subset of TC(P). However, since P ⊆ InclP′

(P ), we have

TC(P) ⊆ TC(InclP′

(P ))

so P is a proper subset of TC(InclP′

(P )), which again contradicts the assumption.

This means that the conditions can be reformulated as

1. TC(R♦) = R♦;

2. TC(InclR♦(R)) = R;

and it is straightforward to show that the second condition is mso definable. q.e.d.

We wrap up by giving two non-examples. We failed to reformulate the condition

R� ◦ R ⊆ R ◦ R� defining an intuitionistic modal logic in [AMdPR01] as a closure

condition. We also could not apply our method to the logic IS4 defined in [Sim94],

since the truth conditions for IS4 formulas are defined on pairs (w, d) (where w is

a possible world and d an element from its domain), so the image of IS4 under the

standard translation is not in GF 2mon.

58

Chapter 4

Logics with Segerberg operator

In this chapter, we consider logics with the finite iteration modality ♦∗ , which we

also call Segerberg operator1. More specifically, we consider normal modal logics (in

this, and the following, chapter, the meaning of “logic” is different from how we have

used the term up until now; in the previous parts of the thesis, “logic” has meant a

logical language provided with semantics; in this and the following chapter, “logic”

has a more precise meaning; see definition 4.3 below) with Segerberg operator as a

class and prove some results applicable to all members of this class.

The minimal logic of this class we call Seg. The study of extensions of Seg is

of interest on two distinct counts: historical and application-related. Historically,

a general study of the logics with Segerberg operator is a natural outgrowth of the

previous research in modal logics. The mathematical study of modal logics dates

back to the 1910s. The father of mathematical modal logic, C.I. Lewis, investigated

(see [LL32]) what we now call monomodal logics, logics in the language containing

a single modality, such as “it is necessary that . . . ,” on a system–by–system basis

(Lewis created five systems of monomodal logic, which he called, accordingly, S1–S5).

In the ensuing decades, the project initiated by Lewis had developed in two primary

directions.

First, modal logics in more complicated languages were introduced and studied.

In the 1950s, A. Prior investigated what he called temporal logics (see, for example,

1This name for ♦∗ was suggested to us by Alexander Chagrov; it comes from Krister Segerberg,who first axiomatically described ♦∗ .

4. logics with segerberg operator 59

[Pri57]), modal logics with two independent—that is, not definable in terms of each

other, like ¬ and ∧ in the classical propositional logic—“temporal” modalities (“it

has always been the case that . . . ” and “it will always be the case that . . . ”). In the

1970s, with the emergence of theoretical computer science, V. Pratt began studying

what he called logics of programs (see [Pra76])—logics with modalities describing

“actions,” which may be thought of as computations, that can result in truth or

falsity of certain propositions, these actions being constructed out of atomic actions

with operators borrowed from the algebra of regular expressions. As it turned out,

that was only the beginning of the proliferation of modalities which the 1980s and

1990s stood to witness: almost each new application area for modal logics brought

into existence new, previously unstudied, modalities (for a comprehensive survey,

see [GKWZ03]).

Secondly, in the 1960s, the attention shifted from single modal systems to classes

of modal logics. This change in perspective, like the emergence of new modalities,

was driven by the proliferation of applications. Since different applications require

different logics, it is infeasible to confine our attention to a few modal systems; rather,

we should be able to describe properties of a logic brought about by a particular

application on the basis of what class the logic belongs to. Thus, what comes to

the fore is study of classes of modal logics. This en masse approach is, to the date,

best developed in the simplest case, as it were—in the study of monomodal logics

(see [CZ97]). Logics with more complicated modalities have been, until quite recently,

been only studied on a system–by-system basis. In the mid-1990s, Frank Wolter has

adopted an en masse approach to the study of temporal logics ([Wol97b], [Wol97a],

[Wol96a], [Wol96b], [Wol95]). The next logical step in pursuing an en masse approach

would be to apply it to the modalities of logics of programs. In this chapter, we

attempt to make a step in that direction. We single our the most interesting and

difficult to handle modality of programming logics, the finite iteration modality, or

Segerberg operator, first introduced by V. Pratt in [Pra76]. Thus, we will be studying

classes of propositional logics with two modalities—the “usual” modality ♦ and the

Segerberg operator ♦∗ .

Application-wise, the study of ♦∗ is motivated by the ubiquity of the concept of


finite iteration in various applications. Below we mention two of the most obvious

examples.

First, in the logics of programs, the Segerberg operator captures recurrent exe-

cution of programs. The most well-known programming logic, PDL (Propositional

Dynamic Logic), uses it in this way. Although PDL and its variants are well studied,

there is no systematic study of what happens when we add PDL-style modalities to ar-

bitrary monomodal logics. The en masse approach to program logics would broaden

our understanding of logical properties of program execution in settings where we

want to stipulate some additional properties for execution of programs.

Another area where the concept of finite iteration features prominently and is

studied in the framework of modal logics is formal modelling of knowledge in multi-

agent systems, where it is used to model the so-called common knowledge (see, for

example, [FHV95]).

The present chapter is structured as follows. In section 4.1, we introduce the

language and models of the logics we will be studying in this chapter. In section 4.2, we

present background material on normal modal logics we will rely on in sections 4.3 and

4.4 of the present chapter and also in chapter 5. Lastly, in section 4.3, we introduce

the minimal logic we will be interested in in this chapter and, in section 4.4, we prove

a number of results pertaining to logics with ♦∗ , the most important of which is the

analogue of Makinson’s theorem for logics with ♦∗ .

4.1 Language

4.1.1 Syntax

Language L∗Φ is a monomodal language augmented with a single modality ♦∗ , which we

call “Segerberg operator”; formulas of L∗Φ are defined by the following BNF expression:

ϕ := p |⊥| ¬ϕ | ϕ1 ∨ ϕ2 | ♦ϕ | ♦∗ ϕ,

where p ranges over the set Φ of propositional parameters, whose arbitrary members

we denote as p, q, r, . . .. For this language, we adopt all the usual conventions en-

hancing the readability of propositional formulas, and in the usual manner, define �∗ϕ


as ¬♦∗ ¬ϕ. ⊥ is a propositional constant “false”; we need it in this chapter since we

will be considering languages with empty vocabularies. Its dual, “true,” is defined as

> ↔ ¬ ⊥.

4.1.2 Semantics

The formulas of L∗Φ are interpreted on Kripke models with two accessibility relations.

Definition 4.1 An L∗Φ model M is a tuple (W,R,R∗, V ), where

1. W 6= ∅;

2. R and R∗ are binary relations on W ;


Since in this chapter our primary interest is in logics (as sets of formulas satisfying

certain closure conditions; see definition 4.3 below) rather than in models, we do

not at this point specify what the relationship between R and R∗ should be. The

appropriate condition will emerge from the consideration of the axiomatic definition

of ♦∗ .

The truth conditions for the connectives of L∗Φ are as for any other propositional

modal language; in particular,

M, w ♦∗ ϕ iff ∃v(wR∗v and M, v ϕ).

⊥ is not true at any point in the model. It is easy to see that, for any formula ϕ,

⊥↔ ϕ ∧ ¬ϕ.

4.2 Normal logics

This section contains background material on normal modal logics (along with their

representation as Hilbert calculi) that we will need in the rest of this and in the

following chapter. We also discuss canonical models of normal modal logics and

Kripke frames as a semantic framework more suitable to the study of normal modal

logics than Kripke models.


Normal modal logics

In what follows, we will need the operation on formulas that is usually referred to as

uniform substitution, which we define below for an arbitrary modal language L. We

use FmaL to refer to the set of formulas of language L and PropL to refer to the set

of propositional symbols of L. Another convention we will be using throughout this

chapter is that, given a modal language L, ∇ stands for an arbitrary ♦-like modality

of L and 4 stands for the dual of ∇. (Thus, in L∗, ∇ can stand either for ♦ or for

♦∗ , while 4 can stand either for � or for �∗ .)

Definition 4.2 (Uniform substitutions) Let L be a modal language. A (uniform)

substitution in L is a map ·σ : FmaL 7→ FmaL such that:

• for every p ∈ PropL, pσ ∈ FmaL;

• (¬ϕ)σ = ¬ϕσ,

• (ϕ ∧ ψ)σ = ϕσ ∧ ψσ,

• (∇ϕ)σ = ∇ϕσ, for every modal operator ∇ of L.

A formula ϕ′ is a substitution instance of formula ϕ if there exist a substitution ·σ

such that ϕσ = ϕ′. a

Since some definitions and facts that follow hold not only for normal modal—but

for a wider class of—logics, we first define a general notion of a logic (for our purposes

in the rest of the thesis, “a logic” is an extension of the classical propositional logic

PL).

Definition 4.3 (Logics) Let L be a (not necessarily modal) language. A logic in L

is a set Λ of formulas of L such that:

• Every classical propositional tautology belongs to Λ.

• Λ is closed under modus ponens; that is, if ϕ→ ψ ∈ Λ and ϕ ∈ Λ, then ψ ∈ Λ.

• Λ is closed under uniform substitution; that is, if ϕ ∈ Λ and ϕ′ is a substitution

instance of ϕ, then ϕ′ ∈ Λ. a


Definition 4.4 (Extensions and sublogics) Let Λ and Λ′ are logics. Λ′ is an ex-

tension of Λ, and Λ is a sublogic of Λ′, if Λ ⊆ Λ′. a

If Λ is a logic in L, we often talk of “formulas of Λ” meaning, strictly speaking,

formulas of L.

Definition 4.5 (Normal modal logics) Let L be a modal language. A normal

modal logic in L is a set Λ of formulas of L such that:

• Λ is a logic.

• For every dual modal operator 4 of L, 4(ϕ→ ψ) → (4ϕ→ 4ψ) ∈ Λ.

• Λ is closed under under generalisation; that is, for every 4 of L, if ϕ ∈ Λ, then

4ϕ ∈ Λ. a

Example 4.6 The minimal normal logic in the monomodal language ML is the

smallest set of formulas of ML containing all classical tautologies and formula �(ϕ→

ψ) → (�ϕ → �ψ), and closed under modus ponens, uniform substitution, and �-

generalisation. This logic is usually referred to as K (for Kripke).

The minimal normal logic in language L∗ is the smallest set of formulas of L∗

containing all classical tautologies as well as formulas �(ϕ→ ψ) → (�ϕ→ �ψ) and

�∗(ϕ → ψ) → (�∗ϕ → �∗ψ), and closed under modus ponens, uniform substitution,

and generalisation for both � and �∗ . We call this logic K∗. ¶

We call the least normal modal logic containing a set of formulas Γ the logical

closure of Γ, in symbols Cl`(Γ); we also denote the logical closure of Γ ∪ ∆ by Γ⊕∆.

We usually write Γ ⊕ ϕ instead of Γ ⊕ {ϕ}.

Example 4.7 Some of the better-known logics in ML are the following (in paren-

theses, we give names of the formulas mentioned for future reference):

• T = K ⊕ �ϕ→ ϕ (T );

• S4 = T ⊕ ��ϕ → �ϕ (4 );


• S5 = S4 ⊕ T . ¶

Since logics are closured under closure conditions, it makes sense to consider sets

of formulas that generate the whole logic.

Definition 4.8 (Generators) Let Λ be a logic in language L. A set Γ ⊆ FmaL is

a set of generators of Λ, and Λ is generated by Γ, if Cl`(Γ) = Λ. a

The following two pieces of terminology make talking about logics easier.

Definition 4.9 (Theorems) Let L be a language, Λ be a logic in L, and ϕ ∈ FmaL.

Then, ϕ is a theorem of Λ if ϕ ∈ Λ. If ϕ is a theorem of Λ, we write `Λ ϕ. a

Definition 4.10 (Deducibility) Let L be a language, Λ be a logic in L, Γ ⊆ FmaL,

and ϕ ∈ FmaL. Then, ϕ is deducible from Γ in Λ, symbolically Γ `Λ ϕ, if either

(1) `Λ ϕ, or (2) there exist ψ1, . . . , ψn ∈ Γ such that ψ1 ∧ . . . ∧ ψn `Λ ϕ. a

Not all logics are interesting; those containing falsehood among their theorems

are not.

Definition 4.11 (Consistent logics) Logic Λ is consistent if 0Λ⊥. a

Hilbert calculi

The foregoing description of normal modal logics as sets of formulas is rather abstract.

Sometimes, it is convenient to have a more suggestive representation of a logic. The

representation tool we will be using is Hilbert calculi.

Let Λ be a logic in a language L. A Hilbert calculus for Λ designates a subset of

FmaL, axioms of the calculus, and a number of inference rules that can be applied to

infer formulas from axioms. A calculus can designate axioms in two ways: either by

explicitly picking out formulas of L that are axioms (“Hilbert calculi with axioms”)

or by specifying formula schemata whose instances are axioms (“Hilbert calculi with

axiom schemata”). In the context of normal modal logics, it is not important which

flavour of Hilbert calculi to use, so we will use more convenient calculi with axiom

schemata.


As an example, below is a Hilbert calculus with axiom schemata HK∗ for logic

K∗.

Axiom schemata of HK∗

(A0) All tautologies of the classical propositional logic PL.

(K) �(ϕ→ ψ) → (�ϕ→ �ψ)

(K∗) �∗(ϕ→ ψ) → (�∗ϕ→ �∗ψ)

Inference rules of HK∗:

(MP ) From ϕ→ ψ and ϕ infer ψ.

(Gen�) From ϕ infer �ϕ.

(Gen�∗

) From ϕ infer �∗ϕ.

Definition 4.12 (Proofs and provable formulas) Let H be a Hilbert calculus in

language L. A proof in H is a finite, non-empty sequence ϕ1, . . . , ϕn of formulas of

L such that each ϕi either (1) is an axiom of H or (2) is obtained from the previous

members of the sequence using of the inference rules of H. A proof ϕ1, . . . , ϕn in H

is a proof of formula ϕ if ϕn is ϕ. Formula ϕ is a provable formula of H if there

exists an H-proof of ϕ. a

Definition 4.13 (Derivations) Let H be a Hilbert calculus in language L and Γ ⊆

FmaL. A derivation from Γ in H is a finite, non-empty sequence ϕ1, . . . , ϕn of for-

mulas of L such that each ϕi either (1) is an axiom of H, or (2) is a member of Γ,

or (3) is obtained from the previous members of the sequence using of the inference

rules of H. A derivation ϕ1, . . . , ϕn from Γ in H is a derivation of formula ϕ from Γ

if ϕn is ϕ. Formula ϕ is a derivable from Γin H if there exists an H-derivation of ϕ

from Γ. a

Definition 4.14 (Admissible rules) Let H be a Hilbert calculi. A rule “form

ϕ1, . . . , ϕn infer ψ” is admissible in H if ψ is a provable formula of H whenever

ψ is. a


Definition 4.15 (Normal calculi) Let L be a modal language and H be a Hilbert

calculus in L. H is normal if (1) all propositional classical tautologies are H-provable,

(2) for each 4 of L, 4(ϕ→ ψ) → (4ϕ→ 4ψ) is H-provable, (3) uniform substitu-

tion, modus ponens, and generalisation for each 4 of L are admissible in H. a

Thus, the above mentioned Hilbert calculus for K∗ is normal.

The following definition foreshadows the discussion of the next subsection.

Definition 4.16 (Calculus for a logic) Let Λ be a logic and H be a Hilbert calcu-

lus. H is a calculus for Λ if the set of provable formulas of H is Λ. a

Logics and calculi

There is transparent correspondence between normal modal logics and normal Hilbert

calculi. First, it is easy to see that provable formulas of a normal calculus H form

a normal modal logic, ΛH ; trivially, H is a calculus for ΛH . Secondly, it is easy to

check that every normal modal logic Λ induces a normal calculus, whose axioms are

generators of Λ and whose rules are closure rules for normal modal logics (as set

out in definition 4.5); since a normal modal logic may have many different sets of

generators, it can be presented with different calculi; clearly, each such calculus is a

calculus for Λ.

If Λ is a normal modal logic and HΛ is a Hilbert calculus for Λ, the notions of

a theorem of Λ and a provable formula of HΛ coincide, as coincide the notions of

deducibility and derivability from a set of formulas. Therefore, from now on, we may,

and will, use notation `Λ ϕ and Γ `Λ ϕ ambiguously—in the former case, to refer

both to theoremhood and provability; in the latter, to deducibility and derivability.

Logics can be classified according to the type of Hilbert calculi that can be asso-

ciated with them. In particular, we will find the following definition useful further on

in this chapter.

Definition 4.17 (Effectively finitely axiomatizable logics) Logic Λ is finitely

axiomatisable if there exists a Hilbert calculus for Λ with a finite number of axioms.

Λ is effectively finitely axiomatisable if there exists an algorithm that can produce a

Hilbert calculus for Λ with a finite number of axioms. a


4.2.1 Canonical models

For every consistent normal modal logic Λ, there exists a very special Kripke model,

the so-called canonical model of Λ. Canonical models are used in many proofs, in-

cluding completeness proofs.

Canonical models are built out of maximally consistent sets of formulas. The

concepts of consistent and maximally consistent set of formulas are common to all

(not necessarily modal) logics.

Definition 4.18 (Consistent sets) Let Λ be a logic and Γ be a set of formulas of

Λ. Γ is consistent in Λ (or Λ-consistent) if Γ 0Λ⊥. a

Definition 4.19 (Maximally consistent sets) Let Λ be a logic and ∆ be a set of

formulas of Λ. ∆ is maximally consistent in Λ (or maximally Λ-consistent) if ∆ is

Λ-consistent, and there is no Γ such that ∆ ⊂ Γ and Γ is Λ-consistent. a

Before going on to define canonical models, we prove a number of facts about

consistent and maximally consistent sets that we will rely on further on.

Lemma 4.20 Let Λ be a logic and Γ be a set of formulas. Γ is Λ-consistent iff every

finite subset of Γ is Λ-consistent.

Proof Straightforward, given definition 4.13. q.e.d.

Lemma 4.21 Let Λ be a logic, Γ be a Λ-consistent set, and ϕ be a formula of Λ.

Then, either Γ ∪ {ϕ} or Γ ∪ {¬ϕ} is consistent.

Proof Suppose that both Γ ∪ {ϕ} and Γ ∪ {¬ϕ} are Λ-inconsistent, that is, Γ ∪

{ϕ} `Λ⊥ and Γ ∪ {¬ϕ} `Λ⊥. Then, Γ `Λ ¬ϕ and Γ `Λ ϕ. Therefore, Γ `Λ ϕ ∧ ¬ϕ,

that is Γ `Λ⊥, and Γ is Λ-inconsistent, contrary to the assumption. q.e.d.

Lemma 4.22 Let Λ be a logic, ∆ be a maximally Λ-consistent set, and ϕ be a formula

of Λ. Then, either ϕ ∈ ∆, or ¬ϕ ∈ ∆.


Proof Suppose that ϕ /∈ ∆ and ¬ϕ /∈ ∆. Since ∆ is maximally Λ-consistent, both

∆ ∪ {ϕ} and ∆ ∪ {¬ϕ} are Λ-inconsistent. Then, by lemma 4.21, ∆ is Λ-inconsistent,

contrary to the assumption. q.e.d.

Lemma 4.23 Let Λ be a logic and ∆ be a maximally Λ-consistent set. If Γ ⊆ ∆ and

Γ `Λ ϕ, then ϕ ∈ ∆.

Proof Suppose that Γ ⊆ ∆ and Γ `Λ ϕ, but ϕ /∈ ∆. Then, by lemma 4.22, ¬ϕ ∈ ∆.

Therefore, ∆ `Λ ϕ ∧ ¬ϕ, and ∆ is Λ-inconsistent, contrary to the assumption.q.e.d.

By taking Γ to be ∅, we get the following corollary.

Corollary 4.24 Let Λ be a logic and `Λ ϕ. Then, for every maximally Λ-consistent

set ∆, ϕ ∈ ∆.

Lemma 4.25 Let Λ be a logic in language L and ∆ be a maximally Λ-consistent set.

Then, for every ϕ, ψ ∈ FmaL,

• Exactly one of ϕ and ¬ϕ is in ∆;

• ϕ ∨ ψ ∈ ∆ iff ϕ ∈ ∆ or ψ ∈ ∆.

Proof Easily follows from lemmas 4.22 and 4.23. q.e.d.

Lemma 4.26 (Lindenbaum Lemma) Let Λ be a logic and Γ be an Λ-consistent

set. Then, there exists a maximally Λ-consistent set ∆ such that Γ ⊆ ∆.

Proof Let ϕ1, ϕ2, . . . , ϕn, . . . be an enumeration of all formulas of Λ. First, we recur-

sively define the sequence ∆0,∆1, . . . ,∆n, . . . of sets of formulas of Λ:

• ∆0 = Γ;

• ∆n+1 =

{∆n ∪ ϕn if ∆n ∪ ϕn is Λ-consistent

∆n ∪ ¬ϕn otherwise

It easily follows from lemma 4.21 that each thus defined ∆i is consistent. Now, define

• ∆ =⋃i ∆i.


It follows form lemma 4.20 that ∆ is consistent. Moreover, ∆ is maximal. For suppose

that it is not; that is, there exists an Λ-consistent set Γ such that ∆ ⊂ Γ. Then, for

some formula α, α ∈ Γ, but α /∈ ∆. Now, α occupies some position in the enumeration

of formulas of Λ, hence α is ϕm for some m. Since α /∈ ∆, it follows that α /∈ ∆m+1;

hence, ¬α ∈ ∆m+1. But then, Γ `Λ α ∧ ¬α; hence, Γ is Λ-inconsistent, contrary to

the assumption. q.e.d.

The canonical model for logic Λ is built out of maximally Λ-consistent sets.

Definition 4.27 (Canonical models) Let Λ be a normal modal logic in a language

L with modalities {∇}. The canonical model for Λ is a tuple MΛ = (WΛ, {RΛ}∇,VΛ),

where

• WΛ is the set of all maximally Λ-consistent sets;

• For each ∇ of Λ, RΛ∇ is a binary relation on WΛ such that ∆RΛ

∇∆′ if, whenever

ϕ ∈ ∆′, ∇ϕ ∈ ∆;

• VΛ is a mapping from PropL into 2WΛ

such that, for every p ∈ PropL, VΛ(p) =

{∆ ∈ WΛ : p ∈ ∆ }. a

The following assertion is self-evident.

Fact 4.28 A logic is consistent iff it has a canonical model.

Canonical models are useful because of the following property: given a normal

modal logic Λ, ϕ ∈ Λ ⇐⇒ MΛ ϕ. We are now going to prove it.

Lemma 4.29 Let MΛ = (WΛ, {RΛ}∇,VΛ) be a canonical model of Λ in language L

and ϕ ∈ FmaL. Then, for every 4 of L, ∆RΛ∇∆′ iff, whenever 4ϕ ∈ ∆, ϕ ∈ ∆′.

Proof Straightforward. q.e.d.

Lemma 4.30 (Existence Lemma) Let Λ be a normal modal logic and ∆ be a max-

imally Λ-consistent set. If ∇α ∈ ∆, then there exists a maximally Λ-consistent set

∆′ such that (1) ∆RΛ∇∆′; and (2) α ∈ ∆′.


Proof Let ∆ be a maximally Λ-consistent set and ∇α ∈ ∆. Take the set Γ = {ϕ :

4ϕ ∈ ∆ } ∪ α. Γ is Λ-consistent. For if not, then {ϕ : 4ϕ ∈ ∆ } ∪ α `Λ⊥.

By lemma 4.20, for some ϕ1, . . . , ϕn ∈ {ϕ : 4ϕ ∈ ∆ }, ϕ1, . . . , ϕn, α `Λ⊥; hence,

`Λ ϕ1 ∧ . . . ∧ ϕn → ¬α. Therefore, since Λ is a normal modal logic, `Λ 4(ϕ1 ∧

. . . ∧ ϕn) → 4¬α and hence `Λ (4ϕ1 ∧ . . . ∧ 4ϕn) → 4¬α. By lemma 4.25,

4ϕ1 ∧ . . . ∧4ϕn ∈ ∆; by corollary 4.24, (4ϕ1 ∧ . . . ∧4ϕn) → 4¬α ∈ ∆; therefore,

by lemma 4.23, 4¬α ∈ ∆. But ∆ contains ∇α, that is ¬4¬α; hence, ∆ is Λ-

inconsistent, contrary to the assumption. Since Γ is consistent, by lemma 4.26, Γ ⊆ ∆′

for some maximally consistent ∆′. By lemma 4.29, ∆RΛ∇∆′, and clearly, α ∈ ∆′.q.e.d.

Lemma 4.31 (Truth Lemma) Let Λ be a consistent normal modal logic in lan-

guage L and MΛ = (WΛ, {RΛ∇},V

Λ) be its canonical model. Then, for every ∆ ∈ WΛ

and ϕ ∈ FmaL, MΛ,∆ ϕ iff ϕ ∈ ∆.

Proof Straightforward induction using lemmas 4.25 and 4.30. q.e.d.

Theorem 4.32 Let Λ be a consistent normal modal logic in language L and MΛ =

(WΛ, {RΛ}∇,VΛ) be its canonical model. Then, for every ϕ ∈ FmaL, `Λ ϕ iff MΛ

ϕ.

Proof Immediately follows from corollary 4.24 and lemma 4.31. q.e.d.

4.2.2 Kripke frames

As far as semantic analysis of normal modal logics is concerned, we can not stop at

Kripke models since not every class of Kripke models corresponds to a logic; that is,

given a class of Kripke models M, the set {ϕ : M ϕ } may not be a logic. The

cause is straightforward: models are not closed under substitution while logics are.

Since substitutions are closely related to valuations, the structures suitable for the

semantic analysis of normal modal logics can be obtained by abstracting valuations

away from models. Such valuation-less structured are called Kripke frames.

Definition 4.33 (Kripke frames) Let L be a modal language with modalities {∇}.

A Kripke frame for L is a tuple F = (W, {R}∇), where


• W is a non-empty set;

• Each R∇ is a binary relation on W ; a

For any modal language L, we denote the class of all frames for L by FL.

Definition 4.34 (Valuations) Let L be a modal language and F = (W, {R}∇) be a

Kripke frame for L. A valuation on F is a mapping V : PropL 7→ 2W . a

A Kripke frame together with a valuation is nothing but a Kripke model; thus,

every Kripke model M = (W, {R}∇, V ) can be viewed as a pair (F, V ), where F =

(W, {R}∇).

Definition 4.35 (Truth and satisfiability in frames) Let L be a modal language,

F = (W, {R}∇) be a Kripke frame for L, ϕ ∈ FmaL, and Γ ⊆ FmaL.

• ϕ is true in F, symbolically F ϕ, if for every valuation V on F, (F, V ) ϕ;

• Γ is true in F, symbolically F Γ, if for every ϕ ∈ Γ, F ϕ;

• ϕ is satisfiable in F, if for some valuation V on F and some w ∈ W , F, V, w ϕ;

• Γ is satisfiable in F, if for some valuation V on F and some w ∈ W , for every

ϕ ∈ Γ, F, V, w ϕ.

If F is a class of Kripke frames, then

• ϕ is true in F, symbolically F ϕ, if for every F ∈ F,F ϕ; the same for Γ.

• ϕ is satisfiable in F, if for some F ∈ F, ϕ is satisfiable in F; the same for Γ. a

The following lemma shows that frames are appropriate for semantic analysis of

logics.

Lemma 4.36 Let F be a class of Kripke frames. Then, the set {ϕ : F ϕ } is a

normal modal logic.



Through the concept of truth in a class of frames, a normal modal logic Λ in

language L can pick out of all frames for L exactly those in which every theorem of

Λ is true.

Definition 4.37 (Frame definability) Let L be a modal language, F be a class of

Kripke frames for L, Γ ⊆ FmaL, and ϕ ∈ FmaL. ϕ defines F within FL if, for every

Kripke frame F, F ∈ F iff F ϕ. Γ defines F within FL if, for every Kripke frame F,

F ∈ F iff F Γ. a

Example 4.38 It is easy to check that formula �ϕ→ ��ϕ defines within FML the

class of frames in which accessibility relation R is transitive. Analogously, formula

�ϕ → ϕ defines within FML the class of frames in which R is reflexive. Set {�ϕ →

��ϕ, �ϕ→ ϕ} defines within FML the class of frames in which R is both transitive

and reflexive. ¶

Now, it is well-known that K is the logic of all Kripke frames with a single binary

relation. Therefore, if a set Γ of formulas of monomodal language ML defines a class

of frames F then K⊕Γ is the logic of F. Analogously for K∗, frames with two binary

relations, and formulas of L∗.

4.3 Logic Seg

In this section, we introduce the minimal logic in L∗, logic Seg, that we will be

interested in. We also consider the class of frames definable by Seg and its non-

standard models, that is models that are not based on the frames definable by Seg.

4.3.1 Seg and Hilbert calculus for Seg

As in example 4.7 above, we could augment K∗ with arbitrary formulas of L∗ (and

then take their logical closure) to obtain normal logics in L∗. We are not, however,

interested in just any extension of K∗; we will only be considering extensions of the

following logic.


Definition 4.39 (Logic Seg) Seg = K∗ ⊕ {�∗ϕ ↔ ϕ ∧ ��∗ϕ, ϕ ∧ �∗(ϕ → �ϕ) →

�∗ϕ}. a

Formulas �∗ϕ↔ ϕ∧��∗ϕ and ϕ∧�∗(ϕ→ �ϕ) → �∗ϕ we will refer to as Segerberg

formulas2. For brevity, we will write Seg (not to be confused with Seg, the name of

a logic) instead of {�∗ϕ↔ ϕ ∧ ��∗ϕ, ϕ ∧ �∗(ϕ→ �ϕ) → �∗ϕ}.

It is easy to see that the following is a Hilbert calculus for Seg, which we refer to

as HSeg:

Axiom schemata of HSeg:

(A0) all tautologies of classical propositional logic PL.

(K) �(ϕ→ ψ) → (�ϕ→ �ψ)

(K∗) �∗(ϕ→ ψ) → (�∗ϕ→ �∗ψ)

(Seg1) �∗ϕ↔ ϕ ∧ ��∗ϕ

(Seg2) ϕ ∧ �∗(ϕ→ �ϕ) → �∗ϕ

Inference rules of HSeg:

(MP ) From ϕ→ ψ and ϕ infer ψ.

(Gen�) From ϕ infer �ϕ.

(Gen�∗

) From ϕ infer �∗ϕ.

Example 4.40 Here is a sample proof in HSeg (written in a self-evident contracted

style):

1. �∗ϕ→ ϕ – by PL from Seg1

2. ��∗ϕ→ �ϕ – by PL from 1 and K

3. �∗ϕ→ ��∗ϕ – by PL from Seg1

4. �∗ϕ→ �ϕ – from 3, 2.

Thus, �∗ϕ→ �ϕ is a provable formula of the Hilbert calculus for Seg. ¶

2For Krister Segerberg, who first introduced them.


4.3.2 Frames for Seg

It is no surprise that Seg is the logic of the class of frames where the relation inter-

preting ♦∗ is the reflexive, transitive closure of the relation interpreting ♦.

Definition 4.41 (Reflexive-transitive closure) Let R be a binary relation. A

binary relation R∗ is the reflexive-transitive closure of R if R∗ = { (x, y) : xRny, n ≥

0 }. a

In words, (a, b) is in R∗ if either (1) a = b and a is in the domain of R; or (2) b

can be reached from a alongside R in 1 or more steps. It is easy to check that thus

defined R∗ is the smallest reflexive and transitive relation containing R.

Definition 4.42 (RTC frames) An RTC frame is a Kripke frame F = (W,R,R∗),

where R∗ is the reflexive-transitive closure of R. a

Lemma 4.43 (RTC-definability) The set Seg defines within FL∗ the class of frames

in which R∗ is the reflexive-transitive closure of R.

Proof First, we have to show that each frame in FL∗ where R∗ is the reflexive-

transitive closure of R validates �∗ϕ↔ ϕ ∧ ��∗ϕ and ϕ ∧ �∗(ϕ→ �ϕ) → �∗ϕ. This is

straightforward.

Secondly, we have to prove that every frame where R∗ is not the reflexive-transitive

closure of R refutes either �∗ϕ ↔ ϕ ∧ ��∗ϕ or ϕ ∧ �∗(ϕ → �ϕ) → �∗ϕ. Suppose that

F is such a frame. There may be two causes for R∗ not being the reflexive-transitive

closure of R: either, for some points w and v, and some n ≥ 0, wRnv, but not wR∗v;

or, conversely, for some w and v, wR∗v, but for no n, wRnv.

Let’s first assume that, for some w, v, and n ≥ 0, wRnv, but not wR∗v. Take a

valuation on F such that V (p) = W \ {v}. Consider an R-chain leading from w to

v: w = x1Rx2R . . .RxnRxn+1 = v. There are two cases to consider: either (1) at

least one xi refutes �∗ϕ ↔ ϕ ∧ ��∗ϕ, or (2) every xi validates �∗ϕ ↔ ϕ ∧ ��∗ϕ. In

case (1), we are immediately done. So, let’s consider case (2). Since (F, V ), v 1 p and

F, V, v �∗ϕ↔ ϕ ∧ ��∗ϕ, then F, V, v 1 �∗p. Since xnRv, then F, V, xn 1 ��∗p. As

F, V, xn �∗ϕ↔ ϕ ∧ ��∗ϕ, we have F, V, xn−1 1 ��∗p. Going, in this way, further up


the chain, we eventually get F, V, w 1 �∗p; however, since V (p) = W \ {v} and wR∗v

does not hold, F, V, w �∗p, a contradiction.

Let’s now assume that, for some w and v, wR∗v, but for no n, wRnv. Take a

valuation on F such that V (p) = { x : for no n, xRnv }. Then, we immediately get

that F, V, w p. Furthermore, since under V , every point satisfies p → �p, trivially

F, V, w �∗(p→ �p). Finally, since F, V, v 1 p (by taking n = 0), F, V, w 1 �∗p.

Therefore, F, V, w 1 p ∧ �∗(p→ �p) → �∗p. q.e.d.

In light of lemma 4.43 it is natural to consider as the standard models of L∗the

models that are based on RTC frames.

A consequence of lemma 4.43 is that, as in the present chapter we deal only with

extensions of Seg, we will not be considering frames other than RTC-frames.

Another byproduct of lemma 4.43 is the soundness of Seg with respect to RTC

frames.

Definition 4.44 (Soundness) Let Λ be a normal modal logic in language L and F

be a class of Kripke frames for L. Λ is sound with respect to F if Λ ⊆ {ϕ : F ϕ }.a

Lemma 4.45 Logic Seg is sound with respect to the class of RTC frames.

Proof According to lemma 4.43, Seg1 and Seg2 are true on every RTC frame. It is

straightforward to check that all the other axioms of Seg are true on every Kripke

frame, hence on every RTC frame. It is equally straightforward to check that the

inference rules of Seg preserve validity on Kripke frames. Therefore, all theorems of

Seg are valid on every RTC frame. q.e.d.

The following lemma will be useful in what follows.

Lemma 4.46 Let Λ be a normal modal logic and K be a class of Kripke frames

for L. Then, Λ is sound with respect to K iff every K-satisfiable set Γ ⊆ FmaL is

Λ-consistent.



4.3.3 Non-standard models

It is tempting to think that, as Seg defines the class of RTC frames, we can confine

our attention only to the standard models of L∗, that is models based on RTC frames.

However, although formulas Seg define the class of frames where R∗ is the reflexive

transitive closure of R, they have models that are not based on such frames. The

most obvious example is the canonical model of Seg. Indeed, the set {�n♦> :

n ≥ 0 } ∪ {♦∗ ¬♦>} is obviously satisfiable in the class of RTC frames; hence, by

lemmas 4.45 and 4.46, it is Seg-consistent. Therefore, MSeg contains maximally

consistent sets ∆ and ∆′ such that ∆R∗∆′ but, for no n, ∆Rn∆′. The following class

of models accommodates MSeg.

Definition 4.47 (Non-standard models) A non-standard model for L∗ is a tuple

M = (W,R,R†, V, ) where

• W is a non-empty set;

• R ⊆ W ×W ;

• R† is a reflexive and transitive relation containing R;

• V is a mapping from PropL∗ to 2W ;

• is a truth-relation defined as for Kripke models;

• for every w ∈ W , M, w Seg. a

It is interesting to know—as far as we are aware, this question has never been

raised in the literature—whether a non-standard model can be finite. After all, the

canonical model of Seg, the motivating example for non-standard models, is uncount-

ably infinite; thus, it is conceivable that every non-standard model might be infinite.

The following example shows, however, that finite non-standard models do exist.

Example 4.48 (Finite non-standard model) Take models M and M′ depicted

on the following diagram (unlabelled arrows represent R; in M, R∗ is the reflexive


transitive closure of R; in M′, it is the reflexive transitive closure of R plus the pair

(w, u′)):

'

&

$

%

'

&

$

%rrr

rrr r

w

v

u

w

v

u u′M M′

R∗

6

6

6

6

��

where u′ and u satisfy the same parameters. Then, the relation depicted by dotted

lines is a total L∗-bisimulation between M and M′. Since M is based on an RTC

frame, by lemma 4.45, M Seg. As M and M′ are L∗-bisimilar, they satisfy the

same L∗-formulas. Hence, M′ Seg. It is then easy to see that M′ is a non-standard

model. ¶

4.4 Extensions of Seg

In this section, we prove some results concerning extensions of Seg. First, we prove

that adding Segerberg formulas to a normal modal logic Λ in monomodal language

ML gives a conservative extension of Λ. Secondly, we show that adding Segerberg

formulas to S4 gives the system that is essentially equivalent to S4. Lastly, we prove

the analogue of Makinson’s theorem for the extensions of Seg and its corollary stating

that it is decidable whether an effectively finitely axiomatisable extension of Seg is

consistent.

4.4.1 Conservativity

The first question we ask is whether the addition of Segerberg formulas Seg to a

normal modal logic Λ in the language ML is conservative; that is, whether the

addition of Seg to Λ does not generate new theorems not containing “♦∗ ”.


Definition 4.49 Let Λ and Λ′ be logics in languages L and L′, respectively, with

L ⊆ L′. Λ′ is a conservative extension of Λ if (1) Λ ⊆ Λ′, and (2) if ϕ ∈ FmaL and

0Λ ϕ, then 0Λ′ ϕ. a

Theorem 4.50 Let Λ be a normal modal logic in the language ML and Λ∗ = Λ⊕Seg.

Then, Λ∗ is a conservative extension of Λ.

Proof If Λ is inconsistent, then the statement of the theorem is trivially true; so, we

may assume that Λ is consistent.

Then, in virtue of fact 4.28, we can build a canonical model for Λ, MΛ =

(WΛ,RΛ,VΛ). Define R∗ be the reflexive-transitive closure of RΛ, and take the

model M = (WΛ,RΛ,R∗,VΛ), with the usual truth clause for formulas of the form

�∗ϕ.

We can show that all theorems of Λ∗ are true in M. First, according to theo-

rem 4.32, MΛ ϕ iff `Λ ϕ; therefore, all theorems—and hence axiom schemata—of Λ

are true in M. Secondly, as M is based on an RTC frame, by lemma 4.45, M Seg.

Thus, all axiom schemata of Λ∗ are true in M. Lastly, it is easy to check that modus

ponens and generalisation—for both “�” and “�∗”—preserve truth in M. Hence, all

theorems of Λ∗ are true in M.

On the other hand, if 0Λ ϕ, then by theorem 4.32 MΛ 6 ϕ and hence M 6 ϕ.

Thus, M validates all theorems of Λ∗ and refutes every non-theorem of Λ. Therefore,

no not-theorem of Λ is a theorem of Λ∗. q.e.d.

4.4.2 Minimal uninteresting logic

The minimal “interesting” normal logic in L∗ is Seg. What is the maximal “interest-

ing” normal logic in L∗? This question, as it is stated, is difficult to answer. But a

good approximation of the answer is to say what is the minimal uninteresting logic in

L∗. Intuitively, it should be Seg⊕S4, since S4 is the logic of reflexive and transitive

frames, that is frames whose accessibility relation R is the reflexive, transitive clo-

sure of itself; then, the addition of Seg to S4 should result in S4 with two equivalent

modalities. The following lemma confirms this intuition.


Lemma 4.51 Seg ⊕ S4 = S4 ⊕ �ϕ↔ �∗ϕ.

Proof To prove that S4⊕�ϕ ↔ �∗ϕ ⊆ Seg⊕S4, we have to show that �ϕ↔ �∗ϕ is a

theorem of Seg⊕S4. Since we already know that `Seg �∗ϕ→ �ϕ (see example 4.40),

we only have to prove the other implication.

1. �ϕ→ ϕ – axiom T

2. �ϕ→ ��ϕ – axiom 4

3. �∗(�ϕ→ ��ϕ) – from 2 by generalisation

4. �ϕ ∧ �∗(�ϕ→ ��ϕ) → �∗�ϕ – axiom Seg1

5. �ϕ→ �∗�ϕ – from 3 and 4 by PL

6. �ϕ→ (ϕ→ �ϕ) – axiom A0

7. �∗�ϕ→ �∗(ϕ→ �ϕ) – from 6 by PL and (K∗)

8. �ϕ→ �∗(ϕ→ �ϕ) – from 5 and 7 by PL

9. ϕ ∧ �∗(ϕ→ �ϕ) → �∗ϕ – axiom Seg1

10. �ϕ→ �∗ϕ – from 1, 8, and 9 by PL.

To prove that Seg ⊕ S4 ⊆ S4 ⊕ �ϕ ↔ �∗ϕ, we have to show that Segerberg

formulas are provable in the latter logic. They are since (1) �ϕ ↔ ϕ ∧ ��ϕ and

ϕ ∧ �(ϕ → �ϕ) → �ϕ are S4-theorems and (2) the replacement theorem holds for

S4 (that is, in S4, replacing any subformula of a theorem results in a theorem).q.e.d.

4.4.3 Analogue of Makinson’s theorem

Given an arbitrary extension Λ of our base logic Seg, we would like to be able

to find out whether Λ is consistent or not, because the inconsistent extensions of

Seg are not of any interest (as any inconsistent logics are, since they fail to do the

basic job of a logic, e.g. to distinguish valid formulas from non-valid ones). In the


case of monomodal logics, a useful tool in determining consistency is a well-known

Makinson’s theorem (see [Mak71]) that says that any consistent logic in ML is either

a sublogic of the logic of the frame comprising a single reflexive point or a sublogic

of the logic of the frame comprising a single irreflexive point. We know that in the

case of logics with two independent modalities the analogue of Makinson’s theorem

does not hold. Thus, it is interesting to know whether it holds for extensions of Seg,

which have two interconnected modalities. This question is not trivial since the proof

of the original Makinson’s theorem makes use of the model theoretic constructions

of generated submodels and bounded morphisms to reshape the canonical models of

consistent logics in ML; thus, the proof can not be directly turned into the proof

for logics in L∗, as the canonical models of these logics are non-standard, hence we

can not rely on the preservation of truth-values of formulas of L∗ under the instances

of bisimulations pertaining only to the accessibility relation for ♦, as we could if we

dealt with standard models for L∗.

Let’s denote by Fref the RTC frame ({u},R,R∗), where R = {(u, u)}, and by

Firref the RTC frame ({u},R,R∗), where R = ∅. Let Λref be the logic of Fref and

Λirref be the logic of Firref . We can prove the following analogue of Makinson’s

theorem.

Theorem 4.52 (Analogue of Makinson’s theorem) Let Λ be a consistent exten-

sion of Seg. Then, either Λ ⊆ Λirref or Λ ⊆ Λref .

Proof Since Λ is consistent, we can build the canonical (non-standard) model for

Λ, MΛ = (WΛ,RΛ,R†,VΛ) over the language with the empty set of propositional

parameters (but with ⊥). By lemma 4.31, every theorem of Λ in this language is true

at every point of WΛ. Now, (1) either there is such w ∈ MΛ that for no v ∈ MΛ do

we have wRΛv, or (2) for every w ∈ MΛ there exists such v ∈ MΛ that wRΛv. We

will show that in the former case Λ ⊆ Λirref while in the latter Λ ⊆ Λref .

(1) Suppose that for some w ∈ WΛ there is no v ∈ WΛ such that wRΛv. Take a

submodel Mw of MΛ generated (with respect to both RΛ and R†) by w. It is easy

to see that Mw contains only w. Indeed, by assumption, for no v ∈ WΛ, wRΛv.

Furthermore, we can show that for no v 6= w does wR†v hold. For, if otherwise, since


w and v are distinct maximally consistent sets, there would be ϕ such that ϕ ∈ v

and ¬ϕ ∈ w. Then, ♦∗ ϕ ∈ w and, since ♦∗ ϕ↔ ϕ ∨ ♦♦∗ ϕ ∈ w, ♦♦∗ ϕ ∈ w. But then, by

lemma 4.30, for some v, wRΛv, contrary to the assumption. Since Mw is a generated

submodel of MΛ, all theorems of Λ are true at w in Mw.

Now, suppose that, for the sake of a contradiction, there exists a model M =

({u},R,R∗, V ), based on Firref , such that, for some ψ ∈ Λ, M, u 1 ψ (ψ may be a

formula in an arbitrary vocabulary). Based on V , construct the formula ψ ′ out of ψ,

in the following way: for each p occurring in ψ, if u ∈ V (p), then substitute p with >;

if on the other hand, u /∈ V (p), substitute p with ⊥. It is easy to see that M, u ψ iff

M, u ψ′; hence, M, u 1 ψ′. Now, ψ′ ∈ Λ∗ (since it is obtained by substitution from

ψ), hence, by theorem 4.32, Mw, w ψ′. As Mw and M are based on isomorphic

frames and they trivially agree on all propositional symbols of ψ ′ (ψ′ does not have

any), Mw, w ψ′ iff M, u ψ′, which gives us a contradiction. Hence, Λ ⊆ Λirref .

(2) Suppose that for every w ∈ MΛ there exists v ∈ MΛ such that wRΛv. Then,

since RΛ ⊆ R†, for every w ∈ MΛ there is v ∈ MΛ such that wR†v. Take a model

Mw = ({w},R,R†, V ), where R = R† = (w,w) and V (p) = ∅ for every p. It is easy

to see that Mw is a bounded morphic image of MΛ; hence, all theorems of Λ are true

at w in Mw. By an argument analogous to that used in the previous case, no theorem

of Λ is refutable on the frame isomorphic to the frame of Mw; hence Λ ⊆ Λref .q.e.d.

Corollary 4.53 Let Λ be an effectively finitely axiomatisable consistent extension of

Seg. It is decidable whether Λ is consistent.

Proof It follows from theorem 4.52, that Λ is consistent iff either Λ ⊆ Λirref or

Λ ⊆ Λref . Thus, to check the consistency of Λ, all we have to do is check whether

axioms of Λ are true either in the frame Firref or in the frame Fref . q.e.d.

82

Chapter 5

Logics with existential modality

In this chapter, we study multimodal logics with the existential modality 〈#〉 . Intu-

itively, 〈#〉ϕ means that ϕ is true at a point accessible by some atomic accessibility

relation. As we have already mentioned in the introduction, the modal operator 〈#〉

was introduced in [AdRD03] to reason about path constrains in query languages for

semistructured data. In [AdRD03], logic PDLpath was suggested as a formal tool for

reasoning about such path constrains. In [AdRD03], formulas of PDLpath are defined

as follows:

ϕ := > | ⊥ | root | ¬ϕ | ϕ ∨ ϕ | 〈π〉ϕ

where π is an expression of the regular language augmented with the identity constant

and the converse operator. In [AdRD03], formulas of PDLpath are interpreted on

transition systems, 〈π〉ϕ being read as “transition π leads to a node where ϕ holds”;

root stands for a unique node in a transition system (so, it can not be treated as an

ordinary propositional parameter).

In [AdRD03], PDLpath was studied semantically. The main purpose of this chapter

is to provide PDLpath with the adequate Hilbert-style axiomatisation. The chapter

is structured as follows. First, in section 5.1, we present axiomatisations, and prove

their completeness, of two logics whose language contains 〈#〉 but is simpler than

the language of PDLpath, namely the language of basic multimodal logic augmented

with 〈#〉 , which we refer to as L#. This will allow us, at first, to concentrate on 〈#〉

without having to worry about all the other features of the full PDLpath. The logics

we consider in section 5.1 are the minimal normal modal logic in L#, K#, and its

5. logics with existential modality 83

deterministic extension, DK#(that is, the logic, in L#, of all deterministic frames).

Then, in section 5.2, we present the axiomatisation of the full PDLpath and prove its

completeness.

5.1 Logics K#and DK#

5.1.1 Syntax and semantics

The language L#IΦ of K# is a multimodal propositional language augmented with the

existential modality 〈#〉 ; its formulas are defined by the following BNF expression:

ϕ := p | ¬ϕ | ϕ1 ∨ ϕ2 | 〈i〉ϕ | 〈#〉ϕ,

where p ranges over the set Φ of propositional parameters, whose arbitrary mem-

bers we denote as p, q, r, . . ., and i ranges over the set I of indices, whose arbitrary

members we denote as a, b, c, . . .. We collectively call indices of I and # labels. For

this language, we adopt all the usual conventions enhancing the readability of propo-

sitional formulas, and in the usual manner, define [#]ϕ as ¬〈#〉 ¬ϕ. The intuitive

meaning of 〈#〉 is “accessible by some modality”. Subformulas of the formulas of

L# are defined in the usual way, as substrings of formulas that are formulas in their

own right; the set of all subformulas of ϕ is denoted by Sub(ϕ).

Definition 5.1 A model for L#IΦ, or an L#I

Φ-model, is a tuple M =

(W, {Ri}i∈I ,R#, V ) such that

1. W 6= ∅;

2. Ri ⊆ W ×W ;

3. R# =⋃i∈I Ri;

4. V is a function from Φ into 2W .

M is deterministic if for every w ∈ W and every i ∈ I there is no more than one v

such that wRiv. a


The truth definition for formulas of L#IΦ is essentially the same as for any other

multimodal language; in particular,

M, w 〈i〉ϕ iff ∃v ∈ W (wRiv and M, v ϕ) and

M, w 〈#〉ϕ iff ∃v ∈ W (wR#v and M, v ϕ).

It is obvious that the last clause can be reformulated as follows:

M, w 〈#〉ϕ iff ∃i ∈ I ∃v ∈ W (wRiv and M, v ϕ), which immediately

suggests the above-mentioned reading of 〈#〉 as “accessible by some modality”. It is

easy to see that, in the language L#IΦ with a finite I, # is redundant, 〈#〉ϕ being

then equal to 〈1〉ϕ∨ . . . ∨ 〈n〉ϕ, so throughout this chapter we presume that the set

of indices I is countably infinite.

The definitions of truth and satisfiability in a model and a class of models are the

same as in any propositional modal logic; the same for frames.

5.1.2 Bisimulations for L#

In this section, we define bisimulations for L# and show that the truth of formulas of

L# is preserved under so defined bisimulations. This will enable us to use, working

with L#-models, all model operations whose truth-preservation is guaranteed by their

being an instance of bisimulation.

The definition of bisimulations for L# is the same as for basic multimodal language

MML(that is, we stipulate back-and-forth conditions only for basic modalities, not

imposing any conditions on R#). This is enough to prove the following theorem.

Theorem 5.2 Let M = (W, {Ri}i∈I ,R#, V ) and M′ = (W ′, {R′i}i∈I ,R

′#, V

′) be

two L#IΦ models such that M, w � M′, w′. Then, for any L#I

Φ-formula ϕ, we have

M, w ϕ iff M′, w′ ϕ.

Proof The only interesting case is that of 〈#〉ψ. Suppose that M, w 〈#〉ψ. Then,

for some i ∈ I, wRiv and M, v ψ. Therefore, by the forth condition, there exist

such v′ ∈ W ′, that w′Riv′ and M′, v′ ψ. Hence, M′, w′ 〈#〉ψ. The other

direction is symmetrical. q.e.d.


5.1.3 Standard translation and decidability

In this section, we extend the standard translation of the language of propositional

modal logic into the language of first-order logic to L#. This immediately gives us

the decidability result for K# and all its extensions that can be defined by guarded

formulas. To this end, we will need a first-order language with individual parameters

(see remark 2.13).

Consider the first-order language FOΨ whose vocabulary Ψ includes a countable

stock of individual parameters {a1, a2, . . . , an, . . .}, a countable stock of unary predi-

cate parameters {P1, P2, . . . , Pn, . . .}, and a single ternary predicate parameter R.

Definition 5.3 Define, by mutual recursion, two functions, τ#x and τ#

y , mapping

formulas of L#IΦ into formulas of FOΨ, as follows. τ#

x is defined by

1. τ#x (pi) = Pi(x);

2. τ#x (¬ϕ) = ¬τ#

x (ϕ);

3. τ#x (ϕ ∨ ψ) = τ#

x (ϕ) ∨ τ#x (ψ);

4. τ#x (〈i〉ϕ) = ∃y(R(ai, x, y) ∧ τ#

y (ϕ));

5. τ#x (〈#〉ϕ) = ∃z∃y(R(z, x, y) ∧ τ#

y (ϕ)).

To obtain the definition of τ#y , swap x and y in the foregoing clauses 1–5. Define the

standard translation τ#(ϕ) of every ϕ in L#IΦ to be τ#

x (ϕ). a

Theorem 5.4 Let ϕ be a formula of L#IΦ, M = (W, {Ri}i∈I ,R#, V ), be an L#I

Φ-

model, and MFO be its counterpart first-order model. Then, for every w ∈ W ,

M, w ϕ iff MFO, α τ#(ϕ), where α(x) = w.


Theorem 5.5 K# and all its extensions that are defined semantically via guarded

formulas are decidable.

Proof Immediately follows from theorems 5.4 and 2.57. q.e.d.


5.1.4 Axiomatisation of K#

In this section, we formulate an axiomatisation of the validities of the language of L#

over the class of all frames underlying L#-models, which we call L#-frames (this set

of validities, which, by lemma 4.36, is a normal modal logic, we refer to as K#) and

prove its (weak) completeness. The idea of the axiomatisation is readily suggested by

the analogy between # and the existential quantifier of the first-order logic. In the

axiomatisation, we use π to stand for either an arbitrary i ∈ I or #.

The axiom schemata of K# are as follows:

(A0) All classical tautologies;

(K) [π](ϕ→ ψ) → ([π]ϕ→ [π]ψ);

(ER) 〈i〉ϕ→ 〈#〉ϕ.

The inference rules are:

(MP) From ϕ→ ψ and ϕ infer ψ;

(N) From ϕ infer [π]ϕ;

(EL) From 〈i〉ϕ→ ψ infer 〈#〉ϕ→ ψ, provided i does not occur in ψ.

Theorem 5.6 K# is sound with respect to the class of all L#-frames.

Proof All the cases except possibly (EL) are straightforward, so we only consider

this last case. Suppose that 〈i〉ϕ → ψ is valid, that is true at every point of every

model based on a L# frame. For the sake of a contradiction, assume that M, w 1

〈#〉ϕ→ ψ, where i does not occur in ψ. Then, M, w 〈#〉ϕ and M, w 1 ψ. Then,

for some j ∈ I and some v ∈ W , wRjv and M, v ϕ. Consider the model, M′,

that is like M except that, in M′, Ri = Rj (that is, to obtain M′, we change the

“interpretation” of modality i in M so that it now has the same meaning as j). Since

i does not occur in ψ, M′, w ψ. Since M′ is different from M no more than in

Ri, it is still true in M′ that, for some j ∈ I and some v ∈ W , wRjv and M, v ϕ;

and since now Ri = Rj, then wRiv, which means that M′, w 〈i〉ϕ. But then

M′, w 1 〈i〉ϕ→ ψ, which gives us a contradiction. q.e.d.


It is easy to see that theorem 5.6 can not be proved without the proviso on (EL),

which explains the rationale for the proviso.

We now turn to completeness proper. The first question to ask is whether we can

prove strong completeness of K#. As the following theorem shows, the answer is no.

Theorem 5.7 K# is not compact and hence not strongly complete with respect to

any class of structures.

Proof Consider the set Γ = { 〈#〉 p,¬〈i〉p : i ∈ I } of formulas. It is obvious that

every finite subset of Γ is satisfiable, while Γ itself is not. Thus, K# is not com-

pact, and since no non-compact logic can be strongly complete, K# is not strongly

complete. q.e.d.

In light of theorem 5.7, all we can hope for is weak completeness for K#. To prove

it, we use a completeness-via-finite-models technique (see, for example, section 4.8

of [BdRV01]).

Let’s define ∼ ϕ as follows:

∼ ϕ =

{ψ if ϕ is of the form ¬ψ

¬ψ otherwise

Definition 5.8 (Closure) Let Σ be a set of L#-formulas. The closure of Σ, CL(Σ),

is the smallest set such that

• if ϕ ∈ Σ, then Sub(ϕ) ⊆ CL(Σ);

• if ϕ ∈ CL(Σ), then ∼ ϕ ∈ CL(Σ). a

Lemma 5.9 Let Σ be a set of L#-formulas. If Σ is finite, then CL(Σ) is finite, too.


For our completeness proof, we only have to deal with finite Σ’s; thus, from now on,

we assume that all CL(Σ)’s are also finite.


Definition 5.10 (Atoms) Let Σ be a set of L#-formulas. A set of formulas A is

an atom over Σ, if (1) A ⊆ CL(Σ), (2) A is consistent, and (3) every Γ such that

A ⊂ Γ ⊆ CL(Σ) is inconsistent. a

The following series of lemmas describes some of the properties of atoms.

Lemma 5.11 If Γ ⊆ CL(Σ) is consistent and ϕ ∈ CL(Σ), then either Γ ∪ {ϕ} or

Γ ∪ {∼ ϕ} is consistent.

Proof Suppose, for the sake of a contradiction, that both Γ ∪ {ϕ} and Γ ∪

{∼ ϕ} are inconsistent. This means that Γ ∪ {ϕ} `⊥ and Γ ∪ {∼ ϕ} `⊥. But then,

by PL, Γ ` ¬ϕ and Γ ` ¬ ∼ ϕ, and again by PL, Γ ` ¬ϕ ∧ ¬ ∼ ϕ, that is Γ `⊥,

contrary to the assumption that Γ is consistent. q.e.d.

Lemma 5.12 If A is an atom over Σ and ϕ ∈ CL(Σ) then exactly one of ϕ and ∼ ϕ

belongs to A.

Proof If both ϕ and ∼ ϕ are in A then A ` ϕ∧ ∼ ϕ, hence A `⊥, which is impossible

since A is an atom.

Suppose next that ϕ /∈ A and ∼ ϕ /∈ A. Since A is an atom, both A ∪ {ϕ} and

A∪ {∼ ϕ} are inconsistent. But then, by lemma 5.11, A is inconsistent too, which is

impossible. q.e.d.

Lemma 5.13 Let Σ be a set of L#-formulas and A be an atom over Σ. Then, for

all ϕ ∨ ψ ∈ CL(Σ), ϕ ∈ CL(Σ) or ψ ∈ CL(Σ).

Proof Let ϕ ∨ ψ ∈ A, ϕ /∈ A and ψ /∈ A. Note that ϕ ∈ CL(Σ) and ψ ∈ CL(Σ), and

hence, by lemma 5.12, ∼ ϕ ∈ A and ∼ ψ ∈ A. But then A is inconsistent, which is

impossible.

Next, suppose that ϕ ∈ A, ψ ∈ A and ϕ ∨ ψ /∈ A. Since ϕ ∨ ψ ∈ CL(Σ),

and therefore ¬(ϕ ∨ ψ) ∈ CL(Σ), ¬(ϕ ∨ ψ) ∈ A. Then, A is inconsistent, which is

impossible. q.e.d.

Lemma 5.14 If ϕ ∈ CL(Σ) is K#-consistent, then there exist an atom A over Σ

such that ϕ ∈ A.


Proof Enumerate all the formulas of CL(Σ) as ψ1, . . . , ψn. Construct the sequence

B0, . . . , Bn of subsets of CL(Σ) as follows: B0 = {ϕ}, Bi+1 = Bi ∪ {ψi} if Bi ∪ {ψi}

is consistent and Bi+1 = Bi ∪ {∼ ψi} otherwise. Then, Bn is the sought-after

atom. Indeed, by lemma 5.11, Bn is consistent, and by its construction, it can not be

extended to another consistent subset of CL(Σ). q.e.d.

Now we turn to defining finite canonical models for K#. For that, we will need the

following two pieces of notation. First, for a set of formulas X, we use X to denote∧ϕ∈X ϕ; secondly, we write π ∈ Σ, where π is an index and Σ a set of formulas, to

mean that π has an occurrence in one of the formulas in Σ. Note that, given a finite

set of L#ΦI -formulas Σ, since Σ is finite and I is infinite, there is bound to be such a

that a ∈ I and a /∈ Σ.

Definition 5.15 (Finite canonical models for K#) Let Σ be a finite set of L#IΦ-

formulas and let a be an index such that a ∈ I but a /∈ Σ. The finite canonical model

over Σ, MΣ, is the triple (At(Σ), {RΣi }i∈I ,R

Σ#, V

Σ), where

1. At(Σ) is the set of all atoms over Σ;

2. ARΣi A

′ iff i ∈ Σ or i = a and A ∧ 〈i〉 A′ 0 ⊥;

3. ARΣ#A

′ iff A ∧ 〈#〉 A′ 0 ⊥;

4. For every p ∈ Φ, V Σ(p) = {A ∈ At(Σ) : p ∈ A }. a

Lemma 5.16 (Existence lemma) Let Σ be a set of L#IΦ-formulas, A be an atom

over Σ, and π is a label such that either π ∈ Σ or π = #. Then, for all 〈π〉ϕ ∈ CL(Σ),

〈π〉ϕ ∈ A iff there is an atom A′ such that ARπA′ and ϕ ∈ A′.

Proof First, left to right. Suppose that 〈π〉ϕ ∈ A. Enumerate formulas of CL(Σ)

as ψ1, . . . , ψn. Construct the sequence B0, . . . , Bn of subsets of CL(Σ) such that, for

every Bi from the sequence, A ∧ 〈π〉 Bi is consistent, as follows. Put B0 = {ϕ}.

Clearly, A∧〈π〉 B0 is consistent. Next, since φ↔ (φ∧χ)∨ (φ∧¬χ) is a propositional

tautology, and thus, due to (K), 〈π〉φ ↔ 〈π〉 (φ ∧ χ) ∨ 〈π〉 (φ ∧ ¬χ) is a theorem of


every normal modal logic; as an instance, 〈π〉 Bi ↔ 〈π〉 (Bi ∧ ψi+1)∨ 〈π〉 (Bi ∧¬ψi+1)

is a theorem, too. Therefore, either for B = Bi ∪ {ψi+1} or for B = Bi ∪ {∼ ψi+1},

A ∧ 〈π〉 B is consistent. In the first case, let Bn+1 = Bn ∪ {ψi+1}; in the second, let

Bi+1 = Bi ∪ {¬ψi+1}. Finally, let A′ = Bn. It is obvious that A′ is an atom, and

hence we are done.

Secondly, right to left. Suppose that there is an atom A′ such that ϕ ∈ A′ and

ARπA′, that is that A ∧ 〈π〉 A′ is consistent. Then, as ϕ ∈ A′ and, thus, is one of

the conjuncts of A′, A∧ 〈π〉ϕ is consistent, too. Then, as 〈π〉ϕ ∈ CL(Σ) and A is an

atom, 〈π〉ϕ ∈ A; indeed, otherwise, ¬〈π〉ϕ ∈ A, which means that A ∧ 〈π〉ϕ must

be inconsistent. q.e.d.

Lemma 5.17 (Truth lemma) Let Σ be a set of L# formulas, MΣ be the finite

canonical model over Σ, and ψ ∈ CL(Σ). Then, for every A ∈ At(Σ), MΣ, A ψ iff

ψ ∈ A.

Proof Straightforward induction on the complexity of ψ. The base case immediately

follows from definition 5.15. The other cases follow from lemmas 5.12, 5.13, and

5.16. q.e.d.

Now, lemmas 5.14 and 5.17 guarantee that every K#-consistent L#IΦ-formula ϕ

is satisfiable in the canonical model over {ϕ}, Mϕ. All we have to do to prove the

weak completeness of K# is show that finite canonical models are L#IΦ-models.

Lemma 5.18 Every finite canonical model MΣ = (At(Σ), {RΣi }i∈I ,R

Σ#, V

Σ) is an

L#-model.

Proof All we have to prove is that RΣ# =

⋃i∈I R

Σi .

First, we prove the right-to-left inclusion. Suppose, for the sake of a contradiction,

that, for some i ∈ I, ARΣi A

′ but ARΣ#A

′ does not hold. Then, by definition 5.15,

A ∧ 〈i〉 A′ 0 ⊥, but A ∧ 〈#〉 A′ ` ⊥. But then 〈#〉 A′ ` ¬A and hence, in virtue of

(ER), 〈i〉 A′ ` ¬A, which is impossible since A ∧ 〈i〉 A′ 0 ⊥.

Secondly, the left-to-right inclusion. Suppose that ARΣ#A

′. If, for some i ∈ I,

ARΣi A

′, then we are done. So, let’s assume that for no i ∈ I does ARΣi A

′ hold.


We can show that in such a case ARΣaA

′ holds. Indeed, if suppose otherwise, then

A ∧ 〈#〉 A′ 0 ⊥ and A ∧ 〈a〉 A′ ` ⊥. But then 〈a〉 A′ ` ¬A, and hence, in virtue of

(EL), which is applicable here since a /∈ Σ, 〈#〉 A′ ` ¬A, which is impossible since

A ∧ 〈#〉 A′ 0 ⊥. q.e.d.

Remark 5.19 The reason why, while building the finite canonical model MΣ, we

have added to the indices occurring in Σ a “new” index a is that otherwise we would

not have been able to prove that MΣ is an L#-model. Indeed, consider the set

Σ = {〈#〉 p ∧ ¬〈b〉 p}. Then, since 〈#〉 p ∧ ¬〈b〉 p is consistent, in MΣ there is an

atom A such that 〈#〉 p ∧ ¬〈b〉 p ∈ A. In virtue of lemmas 5.12, 5.13 and 5.16, for

some B ∈ MΣ such that p ∈ B, we have ARΣ#B, but for no index c ∈ Σ do we have

ARΣc B.

Theorem 5.20 K# is complete with respect to the class of all L# frames.

Proof Immediately follows from lemmas 5.14, 5.17, and 5.18. q.e.d.

5.1.5 Axiomatisation of DK#

In this section, we present the axiomatisation of the validities of the language L#

over the class of deterministic L#-frames, that is L#-frames satisfying the following

condition:

(D) ∀x∀y∀z(xRiy ∧ xRiz → y = z).

By lemma 4.36, these validities form a logic, which we call DK#. To get the ax-

iomatisation of DK#, we add to axiom schemata and rules of inference of the above

Hilbert-style axiomatisation of K# the following axiom schema, for every i ∈ I:

(F) 〈i〉ϕ→ [i]ϕ

The soundness of DK#is straightforward.

Theorem 5.21 DK# is sound with respect to the class of deterministic L#-frames.


Proof We only mention that the transformation of the models used in the proof of

theorem 5.6 to handle (EL) preserves determinism since if M is based on a deter-

ministic frame then Rj is deterministic and, hence, model M′ obtained from M by

putting Ri = Rj is also deterministic. q.e.d.

The completeness of DK# is not so straightforward. First, while building a finite

canonical model over a set of formulas Σ for DK#, we can not, as in the case of

K#, add to the modal indices of Σ just one “new” index since that might give us

an irreparably nondeterministic model. So, we will use all indices of I while building

the initial canonical model and then get rid of all the labels not in Σ that harm

determinism. A more fundamental problems is that, even so, if we simply replace in

the completeness proof for K# from the previous section the notion of K#-consistency

by the notion of DK#-consistency while building finite canonical models, we have

no guarantee that the resulting model is deterministic with respect to the modality

indices that are in Σ, as the following example shows.

Example 5.22 Consider the formula ϕ = p∧〈i〉 q and the finite canonical model Mϕ

over ϕ. Then, among the points of Mϕ (that is, among DK#-atoms over p∧〈i〉 q) are

A = {p, q, 〈i〉 q, p∧〈i〉 q} and A′ = {¬p, q, 〈i〉 q,¬(p∧〈i〉 q)}. Then, A∧〈i〉A 0DK#⊥

and A ∧ 〈i〉A′0DK#

⊥, which means that ARϕi A and ARϕ

i A′. ¶

Nevertheless, we will be able to show that for every ψ such that 〈i〉ψ ∈ CL(ϕ) and

every pair of atoms B,B ′ ⊆ CL(ϕ), if A ∧ 〈i〉 B 0DK#⊥ and A ∧ 〈i〉 B′ 0DK#

⊥,

then ψ ∈ B iff ψ ∈ B′. In other words, in the canonical model over ϕ, if i-accessible

points are different, ϕ cannot tell them apart. This suggests the following strategy

for building a deterministic model for a DK#-consistent formula ϕ. First, build the

finite canonical model Mϕ over {ϕ}, in the way similar to how it was done in the

completeness proof for K#. Second, get rid of all the links along indices not in Σ

that harm determinism, obtaining a model M′ϕ. Thirdly, take a submodel of M′ϕ

generated by the atom Aϕ containing ϕ and unravel this submodel into a tree-like

model with the root Aϕ. Lastly, prune the resultant tree, leaving only one Ri branch

for every i ∈ I. We will show that thus built model still satisfies ϕ, since ϕ can’t tell

apart the points on the branch we leave in the tree from the pruned ones.


We need to modify the definition of the closure used in our completeness proof of

K#. To that end, we first have to define modal depths of occurrences of subformulas

in formulas.

Definition 5.23 (Modal depth) Let ϕ be a L#IΦ-formula and ψ a subformula of

ϕ. The modal depth of an occurrence of ψ in ϕ, in symbols mdϕ(ψ), is the number of

modal connectives of ϕ whose scope includes this occurrence of ψ. a

Somewhat sloppily, we usually talk of the modal depth of subformulas of a given

formula rather than their occurrences in that formula.

Definition 5.24 (Deterministic closure) Let Σ be a set of L#-formulas. The

deterministic closure of Σ, DCL(Σ), is the smallest set such that

• CL(Σ) ⊆ DCL(Σ);

• if ϕ ∈ Σ and ψ ∈ Sub(ϕ) such that mdϕ(ψ) > 0, then for every i ∈ I that has

an occurrence in Σ, 〈i〉ψ, 〈i〉 ∼ ψ ∈ DCL(Σ). a

It is easy to see that DCL(Σ) is finite whenever Σ is finite. The reason for the second

condition of definition 5.24 will become clear when we reshape canonical models into

deterministic ones.

Definition 5.25 (Finite canonical models for DK#) Let Σ be a finite set of L#IΦ-

formulas. The finite canonical model over Σ, MΣ, is the triple (At(Σ), {RΣi }i∈I ,R

Σ#, V

Σ),

where

1. At(Σ) is the set of all atoms over Σ;

2. ARΣi A

′ iff A ∧ 〈i〉 A′ 0 ⊥;

3. ARΣ#A

′ iff A ∧ 〈#〉 A′ 0 ⊥;

4. For every p ∈ Φ, V Σ(p) = {A ∈ At(Σ) : p ∈ A }. a

Proceeding exactly as in the completeness proof for K#, we get the following two

lemmas.


Lemma 5.26 (Truth lemma) Let Σ be a set of L# formulas, MΣ be the finite

canonical model for DK# over Σ, and ψ ∈ CL(Σ). Then, for every A ∈ At(Σ),

MΣ, A ψ iff ψ ∈ A.

Proof Exactly as in the proof of lemma 5.17. q.e.d.

Lemma 5.27 Every finite canonical model MΣ = (At(Σ), {RΣi }i∈I ,R

Σ#, V

Σ) is an

L#-model.

Proof Analogous to the proof of lemma 5.18. q.e.d.

Next, we do the easy part—get rid of nondeterminism with respect to the modalities

that are not in Σ.

Lemma 5.28 Let MΣ = (At(Σ), {RΣi }i∈I ,R

Σ#, V

Σ) be a finite canonical model for

DK# over Σ. Then, there exist a model M′Σ = (At(Σ), {R′Σi }i∈I ,R

Σ#, V

Σ) such that

(1) for every i /∈ Σ and every A,B,B ′ ∈ At(Σ), if AR′Σi B and AR′Σ

i B′ then B = B′,

and (2) for every ψ ∈ CL(Σ) and every X ∈ At(Σ), M′Σ, X ψ iff MΣ, X ψ.

Proof First, let’s note that it follows from definition 5.25 that if ARΣ#B, then ARΣ

i B

holds for every i /∈ Σ. Now, enumerate all i ∈ I such that i /∈ Σ in an (infinite)

sequence ij1, . . . , ijn, . . .; also enumerate all pairs of atoms (A,B) from At(Σ) such

that ARΣ#B. Going through the second enumeration, remove all the i-links between

the n-th pair if that pair is connected by at least one a in Σ and all the i-links but

ijn if that pair is not connected by any a in Σ. It is obvious that this procedure gives

us the model with the properties required by the statement of the lemma. q.e.d.

Now, the difficult part, obtaining a model deterministic with respect to i ∈ Σ. To

that end, we need versions of tree-likeness and unravelling that are slightly different

from the standard ones. We introduce the notion of strongly tree-like models and

show that every L#-model can be unravelled into a strongly tree-like model (the

standard unravelling produces just a tree-like model).

Definition 5.29 Let M = (W, {Ri}i∈I ,R#, V ) be a L#IΦ-model. M is tree-like if

the structure (W,R#) is an irreflexive tree. M is strongly tree-like if M is tree-like

and, for every (w, v) ∈ R#, there exists exactly one i ∈ I such that (w, v) ∈ Ri. a


Now we show that every rooted L#-model can be unravelled into a strongly tree-like

model in a truth-preserving way.

Theorem 5.30 Let M = (W, {Ri}i∈I ,R#, V ) be a rooted L#IΦ-model with root w.

Then, there exists a tree-like L#IΦ-model MT = (W T , {RT

i }i∈I ,RT#, V

T ) with root w,

such that (1) MT is strongly tree-like and (2) for every L#IΦ-formula ϕ, M, w ϕ

iff MT , w ϕ.

Proof We begin by building the required model MT ; then, we prove that thus

built MT has the properties claimed by the lemma. First, consider model M′ =

(W ′, {R′i}i∈I ,R

′#, V

′), where

1. W is the set of all possible sequences of the form (w,wi11 , . . . , w

inn ), where

w1, . . . , wn≥0 ∈ W and i1, . . . , in ∈ I;

2. (w,wi11 , . . . , winn )R′

j(w,wi11 , . . . , w

inn , w

in+1

n+1 ) if wnRjwn+1 and j = in+1;

3. R′# =

⋃i∈I R

′i;

4. V ′(p) = { (w,wi11 , . . . , w

inn ) : wn ∈ V (p) }, for every p ∈ Φ.

Next, take the submodel of M′ generated by w. This submodel is the sough-after

MT . It is clear that MT is a tree-like model with root w. Thus, all that remains to

be shown is that MT has the properties (1) and (2) from the statement of the lemma.

(1) This is obvious from the way relations R′i are defined (the last member of the

sequence serving as the second argument of each R′i bears exactly one superscript).

(2) Consider the relation Z ⊆ W ×W T such that vZ(w,wi11 , . . . , w

inn ) iff wn = v.

It is easy to see that Z is a bisimulation such that wZw. Hence, by theorem 5.2,

M, w ϕ iff MT , w ϕ, for every ϕ. q.e.d.

Now, we show that, in tree-like models, for every formula ϕ, the value of ϕ at the

root does not change if we replace a point v accessible from the root in k steps is

replaced with another point v′ such that v and v′ agree on all the subformulas of ϕ

of modal depth k. (In the statement of the following lemma, we use wRk#v to mean

that there are such u1, . . . , uk−1 that wR#u1R# . . .R#uk−1R#v; in particular, wR0#v

means that w = v.)


Lemma 5.31 Let ϕ be a L#-formula, M = (W, {Ri}i∈I ,R#, V ) a tree-like L#-

model, w ∈ W , and v ∈ W such that wRk#v. Let M′ be obtained from M by

replacing the subtree generated by v by another subtree, with root v ′, such that, for

every ψ ∈ Sub(ϕ) with mdϕ(ψ) = k, M, v ψ iff M′, v′ ψ. Then, M, w ϕ iff

M′, w′ ϕ.

Proof By induction on k

Let k = 0. Then, w = v. Moreover, v and v′ agree on all ψ ∈ Sub(ϕ) with

mdϕ(ψ) = 0. As mdϕ(ϕ) = 0, w and v′ agree on ϕ.

Assume that the statement of the lemma is true for k = n. Let’s show that then

it is also true for k = n + 1. Suppose, for the sake of a contradiction, that it is not.

Then, v and v′ agree on all ψ ∈ Sub(ϕ) with mdϕ(ψ) = n + 1 and M, w ϕ, but

M′, w′1 ϕ (the other case is symmetrical). Since no changes have been made to

w itself, ϕ should have a subformula 〈i〉χ with mdϕ(〈i〉χ) = 0 such that, for some

u such that wRiu and u ∈ path(w, v), M, u χ but M′, u 1 χ (the other case is

symmetrical). Now, mdϕ(χ) = mdϕ(〈i〉χ) + 1 and Sub(χ) ⊆ Sub(ϕ); therefore, v

and v′ agree on all ψ ∈ Sub(χ) with mdχ(ψ) = n. As uRn#v, applying the inductive

hypothesis to the tree generated by u, we get M, u χ iff M′, u χ, which gives us

a contradiction. q.e.d.

Lemma 5.32 Let MϕT be a strongly tree-like model obtained from the canonical

model over ϕ, Mϕ, by unravelling the submodel of Mϕ generated by an atom Aϕ

containing ϕ. Then, for every B,B ′ ∈ MϕT such that, for some C, CRiB and

CRiB′, and every ψ such that mdϕ(ψ) > 0, we have MϕT , B ψ iff MϕT , B′ ψ.

Proof Assume, for the sake of a contradiction, that there exist B and B ′ such that

CRiB and CRiB′, MϕT , B ψ, and MϕT , B′

1 ψ. Then, MϕT , C 〈i〉ψ and

MϕT , C 〈i〉 ∼ ψ. Therefore, since by definition 5.24, 〈i〉ψ, 〈i〉 ∼ ψ ∈ DCL(ϕ), by

lemma 5.26, 〈i〉ψ, 〈i〉 ∼ ψ ∈ C. This, however, is impossible, since in virtue of axiom

(F), 〈i〉ψ, 〈i〉 ∼ ψ,`DK#⊥. q.e.d.

Now we are ready to prove the completeness theorem.


Theorem 5.33 DK# is weakly complete with respect to the class of deterministic

L#-frames.

Proof Let ϕ be a DK#-consistent formula. Build the finite canonical model Mϕ over

ϕ (see definition 5.25). There is in Mϕ an atom Aϕ such that ϕ ∈ Aϕ. By lemma 5.26,

Mϕ, Aϕ ϕ. Remove, using the construction of lemma 5.28, all the “redundant”

atomic links in Mϕ indexed by i /∈ Σ. By lemma 5.28, M′ϕ, Aϕ ϕ. Now, unravel

M′ϕ into a strongly tree-like model M′ϕT using the construction of theorem 5.30.

Then, by theorem 5.30, M′ϕT , Aϕ ϕ. Next, level by level, for every point C and

label i at level n such that C can reach several points B1, . . . , Bm by an edge labelled i,

replace all Bjs by B1. Denote the resultant model by M′ϕT′

. In virtue of lemmas 5.31

and 5.32, M′ϕT′

, Aϕ ϕ. Lastly, construct M′ϕT′′

by replacing all identical copies

of B1 produced in construction of M′ϕT′

) by a single point B1. M′ϕT′

and M′ϕT′′

are obviously bisimilar, so in virtue of theorem 5.2, M′ϕT′′

, Aϕ ϕ. It is clear that

M′ϕT′′

is deterministic. This immediately gives us the required result. q.e.d.

5.2 Logic PDLpath

The language of PDLpath is an extension of the language of PDL, propositional dy-

namic logic. The language of PDL has two kinds of primitive symbols: propositional

parameters and atomic transitions (or, as will call them, to be consistent with the

rest of this thesis, modality indices). Atomic modality indices are used to label edges

in the transition system, which can also be thought of as a Kripke model. Compound

modality indices of PDL are built out of the atomic ones using binary operators ◦

(composition), ∪ (union) and a unary operator ∗ (finite iteration). In addition to

these traditional ingredients of the language of PDL, the language of PDLpath, intro-

duced in [AdRD03], has the modal identity constant id, the unary converse operator ·

on modalities and the what in [AdRD03] is called the wildcard modality and we called

the existential modality #. Moreover, the language of PDLpath has a single nominal (a

propositional letter that is true at exactly one point of a model) root, which is meant

to mark the root of the graph. In the literature, PDL with the converse operator

is referred to as converse PDL or CPDL, while CPDL with nominals is referred


to as CPDL with nominals. Thus, PDLpath is a fragment (since we have only one

nominal) of CPDL with nominals augmented with the existential modality #.

Our main concern in this part of the thesis is to provide a sound and complete

Hilbert-style axiomatisation for PDLpath. To that end, we need to extend the language

of PDLpath as introduced in [AdRD03] with the ”at” modality @ of hybrid logics: given

a formula ϕ and a nominal r, we can form a formula @rϕ, which intuitively says that ϕ

is true at the unique point that satisfies r. We need the modality @r to axiomatically

describe the behaviour of the nominal r.

5.2.1 Syntax and semantics

Definition 5.34 Given a countable set of indices I = {i1, i2, . . . , in, . . .}, labels over

I are defined by the following BNF expression:

ΛI := I | id | # | ΛI ◦ ΛI | ΛI ∪ ΛI | Λ ∗I | ΛI a

Definition 5.35 (PDLpath-formulas) PDLpath-formulas over the set of labels ΛI are

defined as follows:

ϕ := > | ⊥ | r | ¬ϕ | ϕ ∨ ϕ | 〈ΛI〉ϕ | @rϕ a

We use the lower-case Greek letters from near the middle of the alphabet, like π, ρ, . . .,

to refer to arbitrary labels and sometimes refer to indices as “atomic labels”.

PDLpath-formulas are evaluated on path models.

Definition 5.36 (Path models) A path model M over the set of labels ΛI is a tuple

(W, {Rπ}π∈ΛI, V ), where

1. W 6= ∅;

2. V is a function assigning some {w} ⊆ W to r.1

3. {Rπ}π∈ΛIis a collection of binary relations over W satisfying the following

conditions:

1Conceptually, r is a name of a point, so we could say that V assigns to r some w ∈ W . MakingV assign a singleton set to r is technically more convenient, though.


(a) R# =⋃i∈I Ri;

(b) Rid = { (w,w) : w ∈ W } (identity relation);

(c) Rπ = Rπ (converse);

(d) Rπ1◦π2= Rπ1

◦ Rπ2(composition);

(e) Rπ1∪π2= Rπ1

∪ Rπ2(union);

(f) Rπ∗ = R∗π (reflexive-transitive closure);

(g) For every w, v ∈ W , there is a sequence of points u1, . . . , un such that

(1) w = u1, (2) v = un, and (3) for every 1 ≤ i ≤ n− 1, either, for some

i ∈ I, uiRiui+1, or, for some i ∈ I, ui+1Riui (connectedness). a

The truth of PDLpath-formulas at a point in a path model is defined as follows.

Definition 5.37 (Truth at a point) Let M = (W, {Rπ}π∈ΛI, V ) be a path model,

w, v ∈ W . Then,

M, w > always;

M, w ⊥ never;

M, w r iff V (r) = {w};

M, w ¬ϕ iff M, w 1 ϕ;


M, w 〈π〉ϕ iff for some v ∈ W,wRπv and M, v ϕ;

M, w @rϕ iff M, v ϕ and V (r) = {v}. a

The definitions of truth and satisfiability in a model and a class of models are stan-

dard; the same for frames.

5.2.2 Bisimulations for PDLpath

In this section, we define bisimulations for the language of PDLpath and show that the

truth of formulas of PDLpath is preserved under so defined bisimulations. Because

of the presence in the language of PDLpath of the converse modality π, we have

to stipulate two versions of the back-and-forth conditions: one saying that every


move forward along the accessibility relation for basic labels should be matched in

a bisimilar model, the other saying that every move backward along the accessibility

relation for basic labels should be matched in a bisimilar model.

Definition 5.38 Let M = (W, {Rπ}π∈ΛI, V ) and M′ = (W ′, {R′

π}π∈ΛI, V ′) be two

path models over ΛI . A non-empty relation Z ⊆ W ×W ′ is a bisimulation between

M and M if the following conditions are satisfied, for every i ∈ I:

1. if wZw′ then w ∈ V (r) iff w′ ∈ V ′(r);

2. if wZw′ and wRiv, then there exists v′ ∈ W ′ such that w′R′iv

′ and vZv′;

3. if wZw′ and w′R′iv

′, then there exists v ∈ W such that wRiv and vZv′;

4. if wZw′ and vRiw, then there exists v′ ∈ W ′ such that v′R′iw

′ and vZv′;

5. if wZw′ and v′R′iw

′, then there exists v ∈ W such that vRiw and vZv′. a

As the following lemma shows, the definition 5.38 ensures that the back-and-forth

conditions are satisfied for all the labels of the language of PDLpath.

Lemma 5.39 Let M = (W, {Rπ}π∈ΛI, V ) and M′ = (W ′, {R′


bisimilar path models over ΛI. Then, for every π ∈ ΛI ,

• if wZw′ and wRπv, then there exists v′ ∈ W ′ such that w′R′πv

′ and vZv′;

• if wZw′ and w′R′πv

′, then there exists v ∈ W such that wRπv and vZv′.

Proof Straightforward induction on the complexity of π. q.e.d.

Lemma 5.39 immediately gives us the following theorem.

Theorem 5.40 Let M = (W, {Rπ}π∈ΛI, V ) and M′ = (W ′, {R′


bisimilar path models over ΛI such that M, w � M′, w′ and ϕ be a PDLpath-formula

over ΛI . Then, M, w ϕ iff M′, w′ ϕ.


In view of theorem 5.40, we can use all the model-theoretic constructions on path

models that are instances of PDLpath-bisimulations without worrying about the truth-

preservation of PDLpath-formulas.


5.2.3 Standard translation and decidability

In this section, we present the standard translation of formulas of PDLpath into

guarded fixed point logic µGF described in section 2.4.1. To that end, we will,

first, add to the language of PDLpath an infinite set of propositional parameters

X1, . . . , Xn, . . . (let’s call thus obtained language LX(PDLpath)), which we will need to

translate PDLpath-formulas of the form 〈π∗〉ϕ (they will be translated into predicate

variables of µGF bound by the least fixed point operator LFP ). Secondly, since we

can’t reuse predicate variables bound by LFP , to handle nested 〈π∗〉 ’s, we will need

a family of translations τnx , where n ∈ N, rather than a single translation τx (anal-

ogously for τy). Intuitively, n indicates which of the X’s of LX(PDLpath) we should

use upon encountering the next formula of the form 〈π〉ϕ: we will stipulate that

τnx (〈π∗〉ϕ) use propositional parameter Xn. Lastly, our translation will only translate

those formulas of PDLpathX in which the converse is applied only to atomic labels or

#; as the following lemma shows, this does not result in a loss of generality.

Definition 5.41 (Normal form) A formula ϕ of the language LX(PDLpath) over

ΛI is in normal form if, in every subformula of ϕ of the form 〈π〉ψ, either π ∈ I or

π = #. a

Lemma 5.42 Every formula ϕ of the language LX(PDLpath) is equivalent to a for-

mula ϕ in a normal form.

Proof Immediately follows from the fact that the following are theorems of PDLpath:

• 〈π1 ◦ π2〉ϕ↔ 〈π1 ◦ π2〉 ϕ;

• 〈π1 ∪ π2〉ϕ↔ 〈π1 ∪ π2〉 ϕ;

• 〈π∗〉ϕ↔ 〈π∗〉ϕ. q.e.d.

Now we are ready to define the standard translation for PDLpath.

Definition 5.43 Define, by mutual recursion, two families of functions, {τ nx }n∈N and

{τny }n∈N, mapping formulas of LX(PDLpath) over the set of labels ΛI into formulas of

its counterpart FO(LFP) language, as follows. τ nx is defined by


• τnx (r) := P (x);

• τnx (Xi) := Xi(x);

• τnx (¬ϕ) := ¬τnx (ϕ);

• τnx (ϕ ∨ ψ) := τnx (ϕ) ∨ τnx (ψ);

• τnx (〈i〉ϕ) := ∃y(R(ai, x, y) ∧ τny (ϕ)), for every i ∈ I;

• τnx (〈#〉ϕ) := ∃z∃y(R(z, x, y) ∧ τny (ϕ);

• τnx (〈i〉ϕ) := ∃y(R(ai, y, x) ∧ τny ϕ), for every i ∈ I;

• τnx (〈#〉ϕ) := ∃z∃y(R(z, y, x) ∧ τny (ϕ);

• τnx (〈π1 ◦ π2〉 ϕ) := τnx (〈π1〉〈π2〉ϕ);

• τnx (〈π1 ∪ π2〉 ϕ) := τnx (〈π1〉ϕ) ∨ τnx (〈π2〉ϕ);

• τnx (〈π∗〉ϕ) = [LFP Xn y.τn+1y (ϕ ∨ 〈π〉Xn)](x)

τny is defined analogously, switching the roles of x and y. Finally, define the standard

translation of a PDLpath-formula ϕ, τ(ϕ), to be τ 0x(ϕ). a

It is easy to see that the above translation maps a PDLpath-formula into a formula of

µGF (see section 2.4.1 for the definition of µGF ). Indeed, all the quantifiers in the

above translation are guarded and we never use Xn’s in guards, which are the only

restrictions placed on FO(LFP) formulas belonging to µGF .

Theorem 5.44 Let ϕ be a PDLpath-formula, M = (W, {Rπ}π∈ΛI, V ) a path model,

and MFO(LFP) be its counterpart FO(LFP)-model. Then, for every w ∈ W , M, w

ϕ iff MFO(LFP), α τ(ϕ), where α(x) = w.


Theorems 5.44 and 2.59 (together with the result of [Gra99] on the eliminability of

individual parameters) give us the following theorem.

Theorem 5.45 PDLpath and all its extensions defined semantically via µGF formulas

are decidable.


5.2.4 Axiomatisation of PDLpath

In this section, we present the axiomatisation of PDLpath and prove its completeness.

Axioms and rules

Axiom schemata of PDLpath can be logically divided into four parts.

The first part describes the behaviour of propositional connectives and conven-

tional modal operators 〈π〉 and [ π ] :

(A0) all classical tautologies;

(K) [ π ] (ϕ→ ψ) → ([ π ] ϕ→ [ π ] ψ);

(A1) 〈π〉ϕ↔ ¬[ π ] ¬ϕ.

The second part describes the properties of the label constructs:

(A2) 〈π1 ◦ π2〉 ϕ↔ 〈π1〉〈π2〉ϕ;

(A3) 〈π1 ∪ π2〉 ϕ↔ 〈π1〉ϕ ∨ 〈π2〉ϕ;

(A4) 〈π∗〉ϕ↔ ϕ ∨ 〈π〉〈π∗〉ϕ;

(A5) [π∗](ϕ→ [ π ] ϕ) → (ϕ→ [π∗]ϕ);

(A6) ϕ→ [ π ] 〈π〉ϕ;

(A7) ϕ→ [ π ] 〈π〉ϕ;

(A8) ϕ↔ 〈id〉ϕ;

(ER) 〈i〉ϕ→ 〈#〉ϕ.

The third part describes properties of @r operator:

(A9) @r(ϕ→ ψ) → (@rϕ→ @rψ);

(A10) @rϕ↔ ¬@r¬ϕ;


(A11) r ∧ ϕ→ @rϕ;

(A12) @rr;

(A13) 〈π〉@rϕ→ @rϕ.

Finally, the following axiom pertains to connectedness:

(A14) 〈(# ∪ #)∗〉 r.

The inference rules are:

(MP) From ϕ→ ψ and ϕ infer ψ;

(N) From ϕ infer [π]ϕ;

(NN) From ϕ infer @rϕ;

(EL) From 〈i〉ϕ→ ψ infer 〈#〉ϕ→ ψ, provided i does not occur in ψ.

In addition to the above axiom schemata and rules of inference, in the course of

the following completeness proof, we will appeal to two additional rules of inference,

pertaining to the converse operator, whose derivability we establish in the following

lemma.

Lemma 5.46 The following rules of inference are derivable in PDLpath:

• from ϕ→ [ π ]¬ψ infer ψ → [π]¬ϕ;

• from ϕ→ [π]¬ψ infer ψ → [ π ]¬ϕ.

Proof The first rule can be derived as follows.

1. ϕ→ [ π ]¬ψ – premise

2. ψ – assumption

3. [ π ] (ϕ→ [ π ]¬ψ) – by (N) from 1

4. ψ → [ π ] 〈π〉ψ – (A6)


5. [ π ] 〈π〉ψ – by (MP) from 2, 4

6. [ π ] (〈π〉ψ ∧ (ϕ→ [ π ]¬ψ)) – from 3 , 5 by (K)

7. [ π ] (¬ϕ ∨ (〈π〉ψ ∧ [ π ]¬ψ)) – by PL from 6

8. [ π ]¬ϕ – by PL and (A1) from 7

9. ψ → [ π ]¬ϕ – from 2, 8.

The second rule can be derived analogously, relying on axiom (A7). q.e.d.

Completeness proof

Now, we turn to proving completeness of the above axiomatisation of PDLpath (its

soundness is straightforward). As the language of PDLpath contains 〈#〉 and 〈π∗〉 ,

both of which, as we have already seen, give rise to non-compact logics, we have

no hope of proving strong completeness. As in the completeness proofs for K# and

DK#, we are going to use completeness-via-finite-models technique to prove weak

completeness of PDLpath.

Definition 5.47 (PDLpath-closure) Let Σ be a set of PDLpath-formulas over ΛI .

The closure of Σ, CL(Σ), is the smallest set such that

• if ϕ ∈ Σ then Sub(ϕ) ⊆ CL(Σ);

• if 〈π〉ϕ ∈ Σ then [ π ] 〈π〉ϕ ∈ CL(Σ);

• if 〈π1 ◦ π2〉 ϕ ∈ CL(Σ) then 〈π1〉〈π2〉ϕ ∈ CL(Σ);

• if 〈π1 ∪ π2〉 ϕ ∈ CL(Σ) then 〈π1〉ϕ ∨ 〈π2〉ϕ ∈ CL(Σ);

• if 〈π∗〉ϕ ∈ CL(Σ) then 〈π〉〈π∗〉ϕ ∈ CL(Σ);

• if ψ ∈ CL(Σ) and ψ 6= @rχ and ψ 6= ¬@rχ, then @rψ ∈ CL(Σ);

• @rr ∈ CL(Σ);

• 〈(# ∪ #)∗〉 r ∈ CL(Σ);


• if ϕ ∈ CL(Σ), then ∼ ϕ ∈ CL(Σ). a

Lemma 5.48 Let Σ be a set of PDLpath-formulas. If Σ is finite, then CL(Σ) is finite,

too.


PDLpath-atoms are defined exactly as K#-atoms (see definition 5.10). Naturally,

PDLpath-atoms have more properties than K#-atoms.

Lemma 5.49 Let Σ be a set of PDLpath formulas and A be an atom over Σ. In

addition to the properties listed in lemmas 5.12 and 5.13, A has the following ones:

• for all 〈π〉ϕ ∈ CL(Σ), if ϕ ∈ A then [ π ] 〈π〉ϕ ∈ A;

• for all 〈π1 ◦ π2〉 ϕ ∈ CL(Σ), 〈π1 ◦ π2〉 ϕ ∈ A iff 〈π1〉〈π2〉ϕ ∈ A;

• for all 〈π1 ∪ π2〉 ϕ ∈ CL(Σ), 〈π1 ∪ π2〉 ϕ ∈ A iff 〈π1〉ϕ ∨ 〈π2〉ϕ ∈ A;

• for all 〈π∗〉ϕ ∈ CL(Σ), 〈π∗〉ϕ ∈ A iff 〈π〉〈π∗〉ϕ ∈ A;

• for all 〈id〉ϕ ∈ CL(Σ), 〈id〉ϕ ∈ A iff ϕ ∈ A.


An analogue of lemma 5.14 can be proved.

Lemma 5.50 If ϕ ∈ CL(Σ) is PDLpath-consistent, then there exist an atom A over

Σ such that ϕ ∈ A.

Proof The same as the proof of lemma 5.14. q.e.d.

Now we define the finite canonical PDLpath-model over Σ.

Definition 5.51 (Finite canonical models for PDLpath) Let Σ be a finite set of

PDLpath-formulas over the set of labels ΛI and let a be such a label that a ∈ I but

a /∈ CL(Σ). First, define a family of binary relations {Sπ} on the set At(Σ) of atoms

over Σ, as follows:


• For all atoms A,A′ ∈ At(Σ), ASπA′ iff π ∈ CL(Σ) or π = a and A∧〈π〉 A′ 0 ⊥.

Now, the finite canonical model MΣ over ΛI is a tuple (WΣ, {RΣπ}π∈ΛI

, V Σ) such that

1. W = At(Σ);

2. V (r) = {A ∈ At(Σ) : r ∈ A };

3. • for every atomic c such that c ∈ CL(Σ) or c = a, RΣa = Sa;

• RΣ# = S#;

• RΣid = { (A,A) : A ∈ At(Σ) };

• RΣρ = RΣ

ρ ;

• RΣπ1◦π2

= RΣπ1

◦ RΣπ2

;

• RΣπ1∪π2

= RΣπ1

∪ RΣπ2

;

• RΣπ∗ = (RΣ)∗π. a

At this point, we are able to prove that finite canonical models for PDLpath satisfy

conditions (3a)–(3f) required by definition 5.36 of path models (indeed, conditions

(3b)–(3f) are satisfied in virtue of definition 5.51, and condition (3a) can be shown to

be satisfied in the same way as in the proof of lemma 5.18); that is, the accessibility

relations of these models are well-structured. We can not, however, show that finite

canonical models for PDLpath satisfy condition (2), that is that they have only one

atom containing nominal r, that is only one root. Accordingly, our strategy in proving

completeness of PDLpath will be, first, to prove existence lemma and truth lemma for

finite canonical models and then show how to transform them into models with exactly

one root. In what follows, we will refer to the models satisfying conditions (3a)–(3f)

of definition 5.36 as regular ; thus, what we said above in this paragraph gives us the

following.

Lemma 5.52 Every finite canonical model for PDLpath is regular.

To prove the existence lemma for finite canonical models, we first need to show

that, for every π ∈ ΛI , Sπ ⊆ RΣπ . In the course of the proof, we will rely on the

following lemma, whose proof can be found in [BdRV01] (Lemma 4.87, pp. 244-245).


Lemma 5.53 Let π ∈ ΛI . Then, Sπ∗ ⊆ (Sπ)∗.

Now, we prove that Sπ ⊆ RΣπ .

Lemma 5.54 For every π ∈ ΛI, Sπ ⊆ RΣπ .

Proof By induction on the complexity of π.

(0) The cases π ∈ I and π = # are obvious, since for π ∈ I ∪ {#}, RΣπ = Sπ.

(1) Let π be id. Suppose that ASidB, that is A ∧ 〈id〉 B 0 ⊥. In virtue of (A8),

A∧ B 0 ⊥. Since both A and B are atoms, this is only possible if A = B. Therefore,

ARΣidB.

(2) Let π be ρ. Suppose that ASρB, that is A∧〈ρ〉B 0 ⊥. This implies B∧〈ρ〉 A 0

⊥. Indeed, if we suppose otherwise, then ` B → ¬〈ρ〉 A and hence ` B → [ ρ ]¬A.

Then, by lemma 5.46, ` A→ [ρ]¬B, which means that, contrary to the assumption,

A ∧ 〈ρ〉B ` ⊥. Thus, B ∧ 〈ρ〉 A 0 ⊥ and hence BSρA. By inductive hypothesis,

BRΣρA and therefore ARΣ

ρB, as required.

(3) Let π be π1 ◦ π2. Suppose that ASπ1◦π2B, that is A ∧ 〈π1 ◦ π2〉 B 0 ⊥. Then,

in virtue of axiom (A2), A ∧ 〈π1〉〈π2〉 B 0 ⊥. Then, we can construct an atom C

such that both A ∧ 〈π1〉 C 0 ⊥ and C ∧ 〈π2〉 B 0 ⊥. Here is how. Enumerate all the

formulas in CL(Σ) as ψ1, . . . , ψn. First, note that since A ∧ 〈π1〉〈π2〉 B 0 ⊥, we also

have A∧ 〈π1〉 (>∧〈π2〉 B) 0 ⊥. Secondly, if φ∧ 〈π1〉χ 0 ⊥, then φ∧ 〈π1〉 (χ∧ψ) 0 ⊥

or φ ∧ 〈π1〉 (χ∧ ∼ ψ) 0 ⊥ (for, otherwise, φ ∧ (〈π1〉 (χ ∧ ψ) ∨ 〈π1〉 (χ∧ ∼ ψ) ` ⊥ and

hence φ ∧ 〈π1〉 ((χ ∧ ψ) ∨ (χ∧ ∼ ψ) ` ⊥ and then φ ∧ 〈π1〉χ ` ⊥). In particular, for

every ψi ∈ CL(Σ), if A∧〈π1〉 (χ∧〈π2〉 B) 0 ⊥ then either A∧〈π1〉 (χ∧ψi∧〈π2〉 B) 0 ⊥

or A ∧ 〈π1〉 (χ∧ ∼ ψi ∧ 〈π2〉 B) 0 ⊥. Construct a sequence of formulas χ0, χ1, . . . , χn

as follows. χ0 = >. χj+1 is χj ∧ ψj+1 if A ∧ 〈π1〉 (χn ∧ ψn+1 ∧ 〈π2〉 B) 0 ⊥ and

χj+1 = χj∧ ∼ ψj+1 otherwise. It follows from the above argument that this sequence

is well-defined. Now let C be an atom containing all the conjuncts of χn. We already

know that A ∧ 〈π1〉 (C ∧ 〈π2〉 B 0 ⊥). But then A ∧ 〈π1〉 C 0 ⊥ and C ∧ 〈π2〉 B 0 ⊥,

which means that ASπ1C and CSπ2

B. Then, by inductive hypothesis, ARΣπ1C and

CRΣπ2B; hence, ARΣ

π1◦π2B, and we are done.

(4) Let π be π1 ∪ π2. Suppose that ASπ1∪π2B, that is A∧ 〈π1 ∪ π2〉 B 0 ⊥. Then,

in virtue of axiom (A3), A ∧ (〈π1〉 B ∨ 〈π2〉 B) 0 ⊥. Therefore, either A ∧ 〈π1〉 B 0 ⊥


or A ∧ 〈π2〉 B 0 ⊥. Consequently, either ASπ1B or ASπ2

B. Then, by inductive

hypothesis, either ARΣπ1B or ARΣ

π2B, and so ARΣ

π1∪π2B.

(5) Let π be ρ∗. By inductive hypothesis, Sρ ⊆ RΣρ . It is easy to check that then

(Sρ)∗ ⊆ (RΣ

ρ )∗. Then, by lemma 5.53, Sρ∗ ⊆ (RΣρ )∗. q.e.d.

Now we are able to prove the existence lemma.

Lemma 5.55 (Existence lemma) Let Σ be a set of PDLpath-formulas over ΛI , A

be an atom over Σ, and π ∈ ΛI. Then, for all 〈π〉ψ ∈ CL(Σ), 〈π〉ψ ∈ A iff there is

an atom A′ such that ARΣπA

′ and ψ ∈ A′.

Proof First, the left-to-right direction. Suppose that 〈π〉ψ ∈ A. Using the “forcing

choices” technique used in the proof of lemma 5.16, we can build an atom A′ such

that A ∧ 〈π〉 A′ 0 ⊥. Then, by lemma 5.54, ARΣπA

′.

The right-to-left direction is proved by induction on the complexity of π.

(0) π ∈ I. Suppose that there is an atom A′ such that ϕ ∈ A′ and ARπA′. Then,

by definition 5.51, ASπA′, which means that A ∧ 〈π〉 A′ 0 ⊥. Then, as ϕ ∈ A′ and,

thus, ϕ is one of the conjuncts of A′, A∧ 〈π〉ϕ 0 ⊥, too. Then, as 〈π〉ϕ ∈ CL(Σ) and

A is an atom, 〈π〉ϕ ∈ A.

(1) π = #. Analogously to (0).

(2) π = ρ. Suppose that ARΣρA

′ and ψ ∈ A′. Then, A′RΣρA. By lemma 5.49,

[ ρ ] 〈ρ〉ψ ∈ A′. But then 〈ρ〉ψ ∈ A; indeed, if we suppose otherwise then ¬〈ρ〉ψ ∈ A

and so, by inductive hypothesis, 〈ρ〉 ¬〈ρ〉ψ ∈ A′, which is impossible since then A′

would be inconsistent.

(3) π = π1 ∪ π2. Suppose that ARΣπ1∪π2

A′ and ψ ∈ A′. Then, either ARΣπ1A′ or

ARΣπ2A′. By definition 5.47, 〈π1〉ψ, 〈π2〉ψ ∈ CL(Σ); therefore, by inductive hypothe-

sis, either 〈π1〉ψ ∈ A or 〈π2〉ψ ∈ A. Then, by lemma 5.49, 〈π1 ∪ π2〉 ψ ∈ A.

(4) π = π1 ◦ π2. Suppose that ARΣπ1◦π2

A′ and ψ ∈ A′. Then, for some atom B,

ARΣπ1B and BRΣ

π2A′. By definition 5.47, 〈π2〉ψ ∈ CL(Σ) and 〈π1〉〈π2〉ψ ∈ CL(Σ);

hence, by inductive hypothesis, 〈π2〉ψ ∈ B and then 〈π1〉〈π2〉ψ ∈ A. Then, by

lemma 5.49, 〈π1 ◦ π2〉 ψ ∈ A.

(5) π = ρ∗. Suppose that ARΣρ∗A

′ and ψ ∈ A′. Then, there is a finite sequence of

atoms B1, . . . , Bn such that A = B1, Bn = A′ and BiRΣρBi+1 for 1 ≤ i ≤ n− 1. We


will show by sub-induction on n that 〈ρ∗〉ψ ∈ Bi for every 1 ≤ i ≤ n, which will give

us 〈ρ∗〉ψ ∈ A.

Base case. n = 1. This means that A = A′, hence ψ ∈ A. It follows from (A4) by

PL that ψ → 〈ρ∗〉ψ is a theorem of PDLpath; therefore, 〈ρ∗〉ψ ∈ A.

Inductive step. Suppose what is to be proved holds for n ≤ k. We have to show

that then it also holds for k + 1. Suppose that

A = B1RΣρB2, . . . , BkR

ΣρBk+1 = A′.

By inductive hypothesis, 〈ρ∗〉ψ ∈ B2, and hence, by the inductive hypothesis of the

outer induction, 〈ρ〉〈ρ∗〉ψ ∈ A. It follows from (A4) by PL that 〈ρ〉〈ρ∗〉ψ → 〈ρ∗〉ψ

is a theorem of PDLpath; therefore, 〈ρ∗〉ψ ∈ A. q.e.d.

Lemma 5.56 (Truth lemma) Let Σ be a set of PDLpath-formulas, MΣ be the finite

canonical model over Σ, and ψ ∈ CL(Σ). Then, for every A ∈ At(Σ), MΣ, A ψ iff

ψ ∈ A.

Proof Straightforward induction on the complexity of ψ. The base case immediately

follows from definition 5.51. The other cases follow from lemmas 5.49 and 5.55.q.e.d.

What remains to be done is ensure that we can reshape MΣ into a model with

exactly one root in a truth-preserving way. To that end, we will show that, given an

atom A ∈ MΣ, if we take a submodel MΣA of MΣ generated by A, then MΣ

A contains

at most one root. It is easy to see that this will be enough to prove weak completeness

of PDLpath. Indeed, if we choose A to be the atom containing the consistent formula

ϕ which model we have to build in the course of the completeness proof, then the

above procedure will give us the path model satisfying ϕ, since axiom (A14) ensures

that MΣA contains at least one root.

First, let’s note the following simple fact.

Lemma 5.57 Let M be a regular model and w ∈ M. Then, the submodel of M

generated by w is also regular.



Next, we prove that all the atoms of the submodel of MΣ generated by A agree on

formulas beginning with @r.

Lemma 5.58 Let A be an atom, MΣA be a submodel of MΣ generated by A, and B

and B′ be atoms such that B,B ′ ∈ MΣA. Then, for every @rψ ∈ CL(Σ), @rψ ∈ B iff

@rψ ∈ B′.

Proof Assume, for the sake of a contradiction, that @rψ ∈ B and @rψ /∈ B′ (the

other case is symmetrical) and, hence, by lemma 5.49, ¬@rψ ∈ B′.

Let’s notice that, for any two atoms X,X ′ ∈ MΣA, if XRΣ

i∈IX′ and @rψ ∈ X ′, then

@rψ ∈ X. Indeed, otherwise, by lemma 5.49, ¬@rψ ∈ X, which is impossible since,

on the one hand, in virtue of (A13), ¬@rψ∧〈i〉@rψ ` ⊥ and hence X∧〈i〉 X ′ ` ⊥, and

on the other, by definition 5.51, XRΣi X

′ holds only if X ∧ 〈i〉 X ′ 0 ⊥. Analogously,

for any two atoms X,X ′ ∈ MΣA, if XRΣ

i X′ and ¬@rψ ∈ X ′, then ¬@rψ ∈ X. For

otherwise, by lemma 5.49, @rψ ∈ X, which is impossible since, on the one hand, in

virtue of (A10) and (A13), @rψ ∧ 〈i〉 ¬@rψ ` ⊥ and hence X ∧ 〈i〉 X ′ ` ⊥, and on

the other, by definition 5.51, XRΣaX

′ holds only if X ∧ 〈i〉 X ′ 0 ⊥.

From the foregoing, it also follows that, for any X,X ′ ∈ MΣA such that X ′RΣ

i X,

if @rψ ∈ X ′ then @rψ ∈ X and ¬@rψ ∈ X ′ then ¬@rψ ∈ X.

Now, as MΣ, and hence, by lemma 5.57, MΣA, is regular, B ∈ MΣ

A implies that

there is a chain of atomic transitions RΣi connecting A and B (so that, to reach B

from A, we can move forward as well as backward along RΣi ’s in the chain). It follows,

then, that from @rψ ∈ B we can infer @rψ ∈ A (using the argument of the preceding

paragraphs, we “pull back” @rψ along the chain connecting A and B). Analogously,

from ¬@rψ ∈ B′ we can infer ¬@rψ ∈ A. This is impossible, though, since A is an

atom. q.e.d.

Next, we can show that MΣA has at most one root.

Lemma 5.59 Let A be an atom, MΣA be a submodel of MΣ generated by A, and B

and B′ be atoms such that (1) B,B ′ ∈ MΣA and (2) B 6= B′. Then, at most one of B

and B′ contains r.


Proof Assume, for the sake of a contradiction, that r ∈ B and r ∈ B ′. Since B 6= B′,

there is ψ ∈ CL(Σ) such that ψ ∈ B and ∼ ψ ∈ B ′. There are two cases to consider:

(1) @rψ ∈ CL(Σ) and (2) @rψ /∈ CL(Σ) and, hence, either ψ = @rχ or ψ = ¬@rχ.

(1) Suppose that @rψ ∈ CL(Σ), and hence, by definition 5.47, ¬@rψ ∈ CL(Σ).

Then, as ψ ∈ B and r ∈ B, we also have that @rψ ∈ B (due to (A11), otherwise B

would be inconsistent). Analogously, as ∼ ψ ∈ B and r ∈ B, we also have ¬@rψ ∈ B′.

However, since @rψ ∈ B, in virtue of lemma 5.58, we also have @rψ ∈ B′. This is

impossible, though, since B ′ is an atom.

(2) Suppose that @rψ /∈ CL(Σ) and, hence, either (2a) ψ = @rχ or (2b) ψ = ¬@rχ.

The case (2a) is analogous to the case (1), and the case (2b) is symmetrical.q.e.d.

Finally, we show that MΣA is a path model.

Lemma 5.60 Let A be an atom and MΣA be a submodel of MΣ generated by A.

Then, MΣA is a path model.

Proof By lemma 5.57, MΣA is regular and, by lemma 5.59, it has no more than one

root. So, all that remains to be shown is that MΣA has at least one root. Suppose, for

the sake of a contradiction, that it does not. Then, MΣA, A ¬〈(# ∪ #)∗〉 r. Since,

by definition 5.47, ¬〈(# ∪ #)∗〉 r ∈ CL(Σ), ¬〈(# ∪ #)∗〉 r ∈ A, which is impossible

since then, in virtue of (A14), A would be inconsistent. q.e.d.

Now, we can prove completeness of PDLpath.

Theorem 5.61 (Completeness of PDLpath) PDLpath is complete with respect to

the class of all path frames.

Proof Let ϕ be a PDLpath-consistent formula. We will show that then ϕ has a path

model, which immediately implies completeness. Build a finite canonical model M{ϕ}

over {ϕ}. Since ϕ is consistent, by lemma 5.50, there is an atom Aϕ ∈ M{ϕ} such

that ϕ ∈ Aϕ. By lemma 5.56, M{ϕ}, Aϕ ϕ. Next, take the submodel M{ϕ}Aϕ of

M{ϕ} generated by Aϕ. By lemma 5.60, M{ϕ}Aϕ

is a path model, and since it is a

generated submodel of M{ϕ}, we have M{ϕ}Aϕ, Aϕ ϕ. q.e.d.


5.2.5 PDLpath without connectedness

In this section, we consider what happens if we want to drop from the semantic

definition of PDLpath the requirement that the models it is interpreted on—that is,

path models—should be connected (condition (3g) of definition 5.36). It is easy to

guess that all we have to do to axiomatise PDLpath without connectedness is to drop

from the above axiomatisation of PDLpath axiom (A14). Then, we can still show that

every consistent formula has a model with exactly one root.

The only difference between the completeness proof for PDLpath and the complete-

ness proof for PDLpath without connectedness is that, in the latter case, we can not

prove the analogue of lemma 5.60, as the following example shows.

Example 5.62 Consider formula ϕ = ¬〈(# ∪ #∗〉 r. Since now path models are

allowed to be unconnected, it is consistent, and hence, there is, in the finite canonical

model M{ϕ} over {ϕ}, an atom Aϕ such that ϕ ∈ Aϕ. It is easy to see that the

submodel M{ϕ}Aϕ of M{ϕ} generated by Aϕ, does not contain an atom B such that

r ∈ B. ¶

Nevertheless, as the following lemma shows, given a finite canonical model for PDLpath

without connectedness MΣ and an atom A, we can always reshape MΣA into a path

model.

Lemma 5.63 Let A be an atom and MΣA be a submodel of MΣ generated by A such

that no X ∈ MΣA contains r. Then, there exists M′Σ

A such that (1) M′ΣA is a path

model, and (2) for every X ∈ MΣA and every ψ ∈ CL(Σ), M′Σ

A, X ψ iff MΣA, X ψ.

Proof Let’s take an arbitrary atom B ∈ MΣA and form the set Br = {χ : @rχ ∈ B }

(in virtue of lemma 5.58, it does not matter which B we take).

First, note that Br is consistent. Indeed, suppose that χ1 ∧ . . . ∧ χn ` ⊥, where

{χ1, . . . , χn} = Br. Then, ` ¬(χ1∧. . .∧χn) and hence, by (NN), ` @r¬(χ1∧. . .∧χn).

Therefore, due to (A10), ` ¬@r(χ1 ∧ . . . ∧ χn) and, due to (K) and PL, ` ¬(@rχ1 ∧

. . . ∧ @rχn), which is impossible since then B would be inconsistent. Secondly, note

that, as every X ∈ MΣA contains @rr (due to (A12)), r ∈ Br. Since Br is consistent,

by lemma 5.50, there exists an atom C such that Br ⊆ C.


Next, obtain M′ΣA by adding to MΣ

A the submodel MΣC of MΣ generated by

C. It is easy to see that M′ΣA is a disjoint union of MΣ

A and MΣC . Indeed, if for

some X ∈ MΣA, some X ′ ∈ MΣ

C , and some i ∈ I we would have either XRΣi X

′ or

X ′RΣi X, then C would be in MΣ

A, which contradicts our assumption that no atom

in MΣA contains r. Now, first, in virtue of lemma 5.59, M′Σ

A contains exactly one

atom containing r (namely, C). Moreover, as both MΣA and MΣ

C are, by lemma 5.57,

regular (since they are generated submodels of a regular model MΣ), M′ΣA, being

their disjoint union, is also regular. Therefore, M′ΣA is a path model. Secondly, as

M′ΣA is a disjoint union of M′Σ

A, for every X ∈ MΣA and every ψ ∈ CL(Σ), M′Σ

A, X ψ

iff MΣA, X ψ. q.e.d.

Theorem 5.64 (Completeness of PDLpath without connectedness) PDLpath with-

out axiom (A14) is complete with respect to the class of all (not necessarily connected)

path frames.

Proof Let ϕ be a PDLpath without connectedness consistent formula. We show that

then ϕ has a path model. Build a finite canonical model M{ϕ} over {ϕ}. Since ϕ

is consistent, by lemma 5.50, there is an atom Aϕ ∈ M{ϕ} such that ϕ ∈ Aϕ. By

lemma 5.56, M{ϕ}, Aϕ ϕ. Next, take the submodel M{ϕ}Aϕ of M{ϕ} generated

by Aϕ. By lemmas 5.52, 5.57 and 5.59, M{ϕ} is regular and has no more than one

root. Since it is a generated submodel of M{ϕ}, we have M{ϕ}, Aϕ ϕ. If it has

exactly one root, then it is a path model and, therefore, we are done. Otherwise, by

lemma 5.63, there exist a path model M′{ϕ} such that M{ϕ}, Aϕ ϕ. q.e.d.

115

Chapter 6

Conclusion

In the present conclusion, we recapitulate the main results of the thesis and also

discuss their limitations and directions for future work.

In chapter 3, we have proved a general decidability result for intuitionistic modal

logics through embedding them into the two-variable monadic second-order guarded

fragment GF 2mon with an acyclic set of mso-definable closure conditions imposed on

relations occurring in GF 2mon-formulas; the decidability of this latter fragment has

been established in chapter 3 by way of generalising the result of [GMV99] on de-

cidability of GF 2mon with single mso-definable closure conditions, rather than sets of

such conditions (sets of conditions are needed to account for multiple conditions im-

posed on accessibility relations in the Kripke-style semantics of intuitionistic modal

logics), imposed on relations occurring in GF 2mon-formulas. The result covers a consid-

erable range of intuitionistic modal logics known from the literature. In particular,

as the proofs of theorems 3.16 and 3.17 show, logics with the following conditions

imposed on their accessibility relation are covered: R ◦ R♦ ◦ R = R♦ together with

R◦R� ◦R = R� and a standalone condition R♦ ⊆ R. The method we used to estab-

lish decidability overcomes the limitation of the only previously known general decid-

ability method for intuitionistic modal logics, that used in [WZ99a, WZ97, WZ99b],

where decidability is proved through embedding of intuitionistic modal logics with n

modalities into classical modal logics with n + 1 modalities (such classical logics are

called classical counterparts of intuitionistic logics); the limitation of this method is

that decidability of only those logics can be established whose classical counterpart is

6. conclusion 116

known to be decidable. Our method does not share this limitation. It does, however,

have an important limitation of its own: to prove decidability of a given logic, we

need to be able to reformulate the conditions imposed on the accessibility relations

in its Kripke-style semantics as a set of acyclic mso-definable closure conditions. As

we mentioned in chapter 3, we failed to accomplish this for a number of well-known

intuitionistic modal logics, such as the logic IS4 defined in [Sim94] and logics with the

condition R� ◦R ⊆ R◦R�. Accordingly, the accommodation of such logics into the

framework presented in chapter 3 (that is, a successful attempt to reformulate their

semantic conditions as mso-definable closure conditions) or the generalisation of the

framework to account for such logics is the most important direction for future work.

In chapter 4, we proved the analogue of Makinson theorem, along with a number of

minor results, for the lattice of extensions of the logic Seg, which is the logic obtained

from the basic (classical) modal logic K∗ in the language with the finite-iteration

modality ♦∗ (referred to in in chapter 4 as a “Segerberg operator”) by augmenting it

with axioms describing the behaviour of ♦∗ . This result is nothing but a first step in the

investigation of the lattice of extensions of Seg. From the computer scientific point

of view, such investigation would be beneficial in increasing our understanding of the

behaviour of finite-iteration programming construct in the computational settings

where some additional conditions are satisfied by “atomic” programs. So far, the

behaviour of the finite-iteration construct has only been studied in the contexts of

the propositional dynamic logic, PDL, and its deterministic extension, that is in the

contexts where atomic programs are not required to satisfy any properties and where

the only such requirement is that every execution of a given program in a given state

may result in no more than one state. However, we might also be interested in the

study of the behaviour of the finite iteration-construct in all of the following contexts:

• if there exist executions changing state w into states v and v ′, then there also

exist executions changing both v and v′ into state w′ (in λ-calculus, this property

is called convergence);

• from every state some execution is possible;

6. conclusion 117

• every execution is reversible.

All these computational settings can be easily modeled with the help of modal lan-

guages; therefore, a general study of modal logics with ♦∗ is of great potential benefit

to theoretical computer science. This task seems daunting if the logics to be studied

are extensions of PDL; it would then be more practicable, for a start, to study the

extensions of the logic whose only modal operator, apart from the traditional modal-

ity ♦, is ♦∗ , that is extensions of Seg. In fact, even such a study seems formidable

enough; therefore, it would be reasonable to concentrate first on the tabular exten-

sions of Seg. It seems that the reasonable first step from the analogue of Makinson

theorem proved in chapter 4 would be to prove the analogue of the generalisation of

Makinson theorem proved for mono-modal logics by A. Chagrov in [Cha02]: for every

tabular extension Λ of K—except the logic of a frame consisting of a single reflexive

point and the logic of a frame consisting of a single irreflexive point—and an arbitrary

formula ϕ, it is undecidable whether the logic obtained by augmenting K with ϕ is

Λ.

In chapter 5, we proved completeness of three logics whose language contains the

existential modality 〈#〉 (that is the modality saying that something is true in a state

accessible by some atomic modality); namely, the minimal normal logic with 〈#〉 ,

K#; its deterministic extension, DK#; and logic PDLpath introduced in [AdRD01]

for the study of path constraints in the models of semistructured data. The obvious

next step in the study of logics with 〈#〉 is to prove completeness of the deterministic

PDLpath, that is the extension of PDLpath where all the atomic transitions are required

to be deterministic. Another direction for further work in this area is to find out what

properties of atomic transitions apart from determinism would be worth considering

given the intended applications of logics with 〈#〉 in the area of semistructured data

and to design complete logics corresponding to those conditions.

In conclusion, we would like to express the hope that the present thesis constitutes

a contribution, however minor, to the appreciation of relevance and significance of

modal logics for theoretic computer science. It was noted long ago that modal logic

and theoretical computer science are bound to develop together simply because the

6. conclusion 118

structures used to model modal logics, Kripke models, are essentially the structures

used by theoretical computer scientists to model computational phenomena, tran-

sition systems. Therefore, modal languages are natural formal tools to study the

properties of transition systems and, thus, of the computational phenomena those

systems are intended to model. In the present thesis we have seen that modal logics

are applicable not only to computational phenomena that has now been studied for

a long time, but also to those that only recently came to the attention of theoretical

computer scientists, such as λ-calculus with monads and semistructured data.

119

References

[ABS00] S. Abiteboul, P. Buneman, and D. Suciu. Data on the Web. Morgan

Kaufmann, 2000.

[AdRD01] N. Alechina, M. de Rijke, and S. Demri. Path constraints from a modal

logic point of view. In Proceedings of the 8th International Workshop

on Knowledge Representation meets Databases (KRDB 2001), Rome,

Italy, September 15, 2001, volume 45 of CEUR Workshop Proceedings.

Technical University of Aachen (RWTH), 2001.

[AdRD03] Natasha Alechina, Maarten de Rijke, and Stephane Demri. A modal

perspective on path constraints. Journal of Logic and Computation,

13(6):939–956, 2003.

[AMdPR01] N. Alechina, M. Mendler, V. de Paiva, and E. Ritter. Categorical and

Kripke semantics for constructive modal logics. In Laurent Fribourg, ed-

itor, Proceedings of the 15th International Workshop Computer Science

Logic, CSL 2001, volume 2142 of Lecture Notes in Computer Science,

pages 292–307. Springer, 2001.

[AS05] N. Alechina and D. Shkatov. A general method for proving decidability

of intuitionistic modal logics. Journal of Applied Logic, 2005. To appear.

[AvBN95] Hajnal Andreka, Johan van Benthem, and Istvan Nemeti. Back and

forth between modal logic and classical logic. Bulletin of the Interest

Group in Pure and Applied Logics, 3:685–720, 1995.

REFERENCES 120

[AvBN96] H. Andreka, J. van Benthem, and I. Nemeti. Modal Languages and

Bounded Fragments of Predicate Logic. Technical Report ML-96-03,

ILLC, University of Amsterdam, 1996.

[AvBN98] Hajnal Andreka, Johan van Benthem, and Istvan Nemeti. Modal log-

ics and bounded fragments of predicate logic. Journal of Philosophical

Logic, 27(3):217–274, 1998.

[BB02] Dietmar Berwanger and Achim Blumensath. Automata for guarded fixed

point logics. In E. Gradel, W. Thomas, and T. Wilke, editors, Automata,

Logics, and Infinite Games, number 2500 in LNCS, chapter 19, pages

343–355. Springer Verlag, 2002.

[BBdP98] N. Benton, G. Bierman, and V. de Paiva. Computational types from a

logical perspective. Journal of Functional Programming, 8(2):177–193,

1998.

[BdP00] G. M. Bierman and V. de Paiva. On an intuitionistic modal logic. Studia

Logica, 65(3):383–416, 2000.

[BdRV01] Patrick Blackburn, Maarten de Rijke, and Yde Venema. Modal Logic.

Cambridge University Press, 2001.

[Ben83] J. Benthem, van. Modal logic and classical logic. Bibliopolis, Naples,

1983.

[BGG97] E. Borger, E. Gradel, and Y. Gurevich. The Classical Decision Problem.

Springer-Verlag, 1997.

[Bul65a] R. A. Bull. A modal extension of intuitionistic modal logic. Notre Dame

Journal of Formal Logic, VI(2):142–146, 1965.

[Bul65b] R. A. Bull. Some modal calculi based on IC. In Formal Systems and

Recursive Functions, pages 3–7. North Holland, 1965.

REFERENCES 121

[Bul66] R. A. Bull. MIPC as the formalisation of an intuitionistic concept of

modality. Journal of Symbolic Logic, 31(4):609–616, 1966.

[Cha02] Alexander Chagrov. An algorithmic problem of the axiomatization of

tabular normal modal logics. Logical Investigations, 9, 2002. in Russian.

[CZ97] Alexander Chagrov and Michael Zakharyaschev. Modal Logic. Oxford

University Press, 1997.

[Dos85] K. Dosen. Models for stronger normal intuitionistic modal logics. Studia

Logica, 44:39–70, 1985.

[DP96] R. Davies and F. Pfenning. A modal analysis of staged computation.

In Guy Steele, Jr., editor, Proc. of 23rd POPL, pages 258–270. ACM

Press, 1996.

[DP01] R. Davies and F. Pfenning. A modal analysis of staged computation.

Journal of the ACM, 48(3):555–604, 2001.

[FHV95] Ronald Fagin, Jeseph Y. Halpern, and Moshe Vardi. Reasoning about

Knowledge. MIT Press, 1995.

[Fit48] F. B. Fitch. Intuitionistic modal logic with quantifiers. Portugaliae

Mathematicae, 7:113–118, 1948.

[FM97] M. Fairtlough and M. Mendler. Propositional lax logic. Information and

Computation, 137(1):1 – 33, 1997.

[FS86] G. Fisher Servi. On modal logics with intuitionistic base. Studia Logica,

27:533–546, 1986.

[GG00] Elisabeth Goncalves and Erich Gradel. Decidability issues for action

guarded logics. In Proceedings of 2000 International Workshop on De-

scription Logics – DL2000, pages 123–132, 2000.

REFERENCES 122

[GHO00] Erich Gradel, Colin Hirsch, and Martin Otto. Back and Forth Between

Guarded and Modal Logics. In Proceedings of 15th IEEE Symposium on

Logic in Computer Science LICS 2000, pages 217–228, Santa Barbara,

2000. See also: journal version [GHO02].

[GHO02] Erich Gradel, Colin Hirsch, and Martin Otto. Back and Forth Between

Guarded and Modal Logics. ACM Transactions on Computational Log-

ics, 3(3):418 – 463, 2002. See also: conference version [GHO00].

[GKWZ03] Dov Gabbay, Agi Kurucz, Frank Wolter, and Michael Zakharyaschev.

Many-Dimensional Modal Logics: Theory and Applications. Elsever,

2003.

[GL96] J. Goubault-Larrecq. Logical foundations of eval/quote mechanisms,

and the modal logic S4. Manuscript, 1996.

[GMV99] Harald Ganzinger, Christoph Meyer, and Margus Veanes. The two-

variable guarded fragment with transitive relations. In Proc. 14th IEEE

Symposium on Logic in Computer Science, pages 24–34. IEEE Computer

Society Press, 1999.

[Gol76] R. Goldblatt. Metamathematics of modal logic. Reports on mathematical

Logic, 6,7:31 – 42, 21 – 52, 1976.

[Gra99] Erich Gradel. On the restraining power of guards. Journal of Symbolic

Logic, 64:1719–1742, 1999.

[GW99] Erich Gradel and Igor Walukiewicz. Guarded Fixed Point Logic. In

Proceedings of 14th IEEE Symposium on Logic in Computer Science

LICS ‘99, Trento, pages 45–54, 1999.

[HM02] Eva Hoogland and Maarten Marx. Interpolation in guarded fragments.

Studia Logica, 70(3):373–409, 2002.

[Kie03] E. Kieronski. The two-variable guarded fragment with transitive guards

is 2exptime-hard. In Andrew D. Gordon, editor, Foundations of Software

REFERENCES 123

Science and Computational Structures, 6th International Conference,

FOSSACS 2003, volume 2620 of Lecture Notes in Computer Science,

pages 299–312, Warsaw, Poland, 2003. Springer.

[Kob97] S. Kobayashi. Monad as modality. Theoretical Computer Science, 175:29

– 74, 1997.

[LL32] Clarence I. Lewis and Cooper H. Langford. Symbolic Logic. Dover, 1932.

[Mak71] David C. Makinson. Some embedding theorems for modal logic. Notre

Dame Journal of Formal Logic, pages 252–254, 1971.

[Mar01] Maarten Marx. Tolerance logic. Journal of Logic, Language and Infor-

mation, 10:353–373, 2001.

[McCar] Gregory McColm. Guarded quantification in least fixed point logic.

Journal of Logic, Language and Information, to appear.

[Men91] M. Mendler. Constrained proofs: a logic for dealing with behavioural

constrains in formal hardware verification. In G. Jones and M. Sheeran,

editors, Proceedings of Workshop on Designing Correct Circuits, Oxford

1990. Springer-Verlag, 1991.

[Min68] G. Mints. Some calculi of modal logic. Trudy Matematicheskogo Instituta

imeni V.A.Steklova, 98:88–111, 1968.

[Mog91] E. Moggi. Notions of computation and monads. Information and Com-

putation, 93(1):55–92, July 1991.

[Ono77] H. Ono. On some intuitionistic modal logics. Publications of the Research

Institute for Mathematical Science, Kyoto University, 13:55–67, 1977.

[OS88] H. Ono and N.-Y. Suzuki. Relations between intuitionistic modal logics

and intermediate predicate logics. Reports on Mathematical Logic, 22:65–

87, 1988.

REFERENCES 124

[PD01] F. Pfenning and R. Davies. A judgmental reconstruction of modal logic.

Mathematical Structures in Computer Science, 11(4):511–540, 2001.

[Pit90] A.M. Pitts. Evaluation logic. In G. Birtwistle, editor, IVth Higher Order

Workshop, pages 162–189. Springer-Verlag, Banff, 1990.

[Pra65] D. Prawitz. Natural Deduction: A Proof-Theoretic Study. Almqvist and

Wiksell, 1965.

[Pra76] Vaughan R. Pratt. Semantical considerations on Floyd-Hoare logic. In

17th Annual Symposium on Foundations of Computer Science, pages

109–121, Houston, Texas, October, 25-27 1976. IEEE.

[Pri57] Arthur Prior. Time and Modality. Oxford University Press, 1957.

[PS86] G. D. Plotkin and C. P. Stirling. A framework for intuitionistic modal

logic. In J.Y. Halper, editor, Theoretical Aspects of Reasoning about

Knowledge, pages 399–406, 1986.

[Rab69] M. Rabin. Decidability of second-order theories and automata on infinite

trees. Transactions of the American Mathematical Society, 141:1–35,

1969.

[Ros97] Erich Rosen. Modal logic over finite structures. Journal of Logic, Lan-

guage and Information, 6:427–439, 1997.

[Sim94] A. K. Simpson. The Proof Theory and Semantics of Intuitionistic Modal

Logic. PhD thesis, University of Edinburgh, 1994.

[ST01] Wieslaw Szwast and Lidia Tendera. On the decision problem for the

guarded fragment with transitivity. In Proceedings of the 16th Annual

IEEE Symposium on Logic in Computer Science, LICS 2001, pages 147–

156, Boston, Massachusetts, USA, 2001. IEEE Computer Society.

[Sti87] C. P. Stirling. Modal logics for communicating systems. Theoretical

Computer Science, 49:311–347, 1987.

REFERENCES 125

[Wij90] D. Wijesekera. Constructive modal logic I. Annals of Pure and Applied

Logic, 50:271–301, 1990.

[Wol95] Frank Wolter. The finite model property in tense logic. Journal of

Symbolic Logic, 60:757–774, 1995.

[Wol96a] Frank Wolter. Properties of tense logics. Mathemaical Logic Quaterly,

42:481–500, 1996.

[Wol96b] Frank Wolter. Tense logic without tense operators. Mathematical Logic

Quarterly, 42:145–171, 1996.

[Wol97a] Frank Wolter. Completeness and decidability of tense logics closely re-

lated to logics above K4. Journal of Symbolic Logic, 62:131 – 158, 1997.

[Wol97b] Frank Wolter. A note on the interpolation property in tense logic. Jour-

nal of Philosophical Logic, 26:545–551, 1997.

[WZ97] F. Wolter and M. Zakharyaschev. On the relation between intuitionistic

and classical modal logics. Algebra and Logic, 36:121–155, 1997.

[WZ99a] F. Wolter and M. Zakharyaschev. Intuitionistic modal logics. In A. Can-

tini, E. Casari, and P. Minari, editors, Logic and Foundations of Math-

ematics, pages 227–238. Kluwer Academic Publishers, 1999.

[WZ99b] F. Wolter and M. Zakharyaschev. Intuitionistic modal logics as frag-

ments of classical bimodal logics. In E. Orlowska, editor, Logic at Work,

pages 168–186. Springer-Verlag, 1999.

[ZWC01] M. Zakharyaschev, F. Wolter, and A. Chagrov. Advanced modal logic.

In Dov Gabbay, editor, Handbook of philosophical logic, volume 3, pages

83–266. Kluwer Academic Publishers, 2001.

nottingham · ii contents 1 introduction 1 2 background in modal logic and guarded fragments 6 2.1...

Documents