
Page 1: Lars Thalmann - Uppsala University · 2010. 4. 23. · Assignmen t Logic Lars Thalmann A Dissertation submitted in partial ful llmen t of the requiremen ts for the Degree of Do ctor

UPPSALA THESES IN COMPUTING SCIENCE 34

Term-Modal Logic

and

Quantifier-free

Dynamic Assignment Logic

Lars Thalmann

Uppsala University

Information Technology

Computing Science Department

Thesis for the Degree of

Doctor of Philosophy

UPPSALA 2000


Term-Modal Logic

and

Quantifier-free

Dynamic Assignment Logic

Lars Thalmann

A Dissertation submitted in partial fulfillment of the requirements for the Degree of Doctor of Philosophy at Computing Science Department, Information Technology, Uppsala University.

Computing Science Department
Information Technology
Uppsala University
Box 337, SE-751 05 Uppsala, Sweden

Uppsala Theses in Computing Science 34
ISSN 0283-359X
ISBN 91-506-1443-6


Dissertation for the Degree of Doctor of Philosophy in Computing Science presented at Uppsala University in 2001

Abstract

Thalmann, Lars 2000: Term-Modal Logic and Quantifier-free Dynamic Assignment Logic. Uppsala Theses in Computing Science 34. 140 pp. Uppsala. ISSN 0283-359X, ISBN 91-506-1443-6.

In this dissertation, we present two new sorts of computer science logics.

Many powerful logics exist today for reasoning about multi-agent systems, but in most of these it is hard to reason about an infinite or indeterminate number of agents. Also, the naming schemes used in the logics often lack the expressiveness to name agents in an intuitive way.

To obtain a more expressive language for multi-agent reasoning and a better naming scheme for agents, we introduce in the first part of the dissertation a family of logics called term-modal logics. A main feature of our logics is the use of modal operators indexed by the terms of the logics. Thus, one can quantify over variables occurring in modal operators. In term-modal logics agents can be represented by terms, and knowledge of agents is expressed with formulas within the scope of modal operators.

This gives us a flexible and uniform language for reasoning about the agents themselves and their knowledge. We give examples of the expressiveness of the languages and provide sequent-style and tableau-based proof systems for the logics. Furthermore, we give proofs of soundness and completeness with respect to the possible world semantics.

In the second part of the dissertation, we treat another problem in reasoning about multi-agent systems, namely the problem of information updating. We develop a dynamic logic of assignments with a scoping operator instead of quantifiers. Function symbols, relation symbols and logic variables are all rigidly interpreted in our semantics, while program variables are non-rigid. The scoping operator is used to distinguish between the value of a program variable before and after the execution of a program.

We provide a tableau proof system for the logic. First, the system is proved complete without the star operator, and then with the star operator using an omega rule. The full logic is shown to be undecidable, while some interesting fragments are decidable.

Lars Thalmann, Computing Science Department, Information Technology, Uppsala University, Box 337, SE-751 05 Uppsala, Sweden.

© Lars Thalmann 2000 www.LarsThalmann.com

ISSN 0283-359X
ISBN 91-506-1443-6

Printed by Nina Tryckeri HB, Uppsala 2000


To my parents and my sister


Acknowledgments

I would first of all like to thank my advisor, Prof. Andrei Voronkov, for his advice and guidance, first during the years at Uppsala University, and later during my visits to Manchester University. His suggestions and comments have been of utmost importance for completing the research made in this dissertation and for getting to know what characterizes good computer science.

From the summer of 1998 until late 1999, I spent a year visiting Prof. Melvin Fitting at the City University of New York. His suggestions and encouragement were key ingredients in formulating and carrying out the work, especially behind the second part of the thesis. The many discussions we have had have been both fun and interesting, much due to Mel's ability to discuss complicated things in a simple way.

During the work at Uppsala University, Faron Moller has shown me ways to prove things rigorously as well as structured. Our many discussions about computer science, as well as teaching, have taught me a lot.

My appreciation also goes to the present and past members of the Computing Science Department and other departments at Uppsala University: Anatoli, Anders, Arne, Cons, Evgeny, Greger, Göran, Happi, Håkan, Helena, Hessmo, Jan, Joel, Kostis, Margus, Marianne, Marko, Mikael, Monika, Sergei, Sven-Olof, Thomas, Peder, Per, Pierangelo, Plopp, Rafal, Richard, Roland, and all others I have forgotten to mention.

Finally, I would especially like to thank my family and all my friends, for all the great times, at work as well as off work. Special thanks also to Andrei, Carin, Maria and Rafal for proofreading the dissertation.


Contents

1 Introduction . . . 1
1.1 Background . . . 2
1.2 Overview . . . 3
1.3 Term-Modal Logic . . . 3
1.4 Quantifier-free Dynamic Assignment Logic . . . 4

2 Related Work . . . 7

I Term-Modal Logic . . . 11

3 Introduction . . . 13
3.1 Overview . . . 13

4 Syntax . . . 15

5 Semantics . . . 19
5.1 Frames . . . 19
5.2 First-order modal structures . . . 20

6 Proof Systems . . . 25
6.1 Sequent calculi . . . 25
6.2 Tableau systems . . . 29

7 Soundness . . . 33

8 Completeness . . . 35
8.1 Model existence . . . 36
8.2 The completeness theorem . . . 45

9 Free-variable Tableaux . . . 47
9.1 Example refutation . . . 53


10 Conclusion and Future Work . . . 55

II Quantifier-free Dynamic Assignment Logic . . . 57

11 Syntax . . . 59
11.1 Basic syntax . . . 59
11.2 Examples . . . 60
11.3 Extended syntax . . . 61
11.4 Substitution . . . 63

12 Semantics . . . 65
12.1 Basic semantics . . . 65
12.2 Extended semantics . . . 70

13 Tableau calculi . . . 77
13.1 Derivable rules . . . 80
13.2 Example proofs . . . 80

14 Undecidability . . . 87

15 Substitutivity . . . 93
15.1 Substitutivity in terms . . . 93
15.2 Substitutivity in formulas and programs . . . 95

16 Soundness . . . 99

17 Completeness without the star operator . . . 103
17.1 Associated structure . . . 103
17.2 Key fact . . . 107
17.3 Completeness theorem . . . 109

18 Completeness with the star operator . . . 111

19 Conclusion and Future Work . . . 115
19.1 Completeness without omega rule . . . 115
19.2 Some open problems . . . 116

Concluding remarks . . . 119

Bibliography . . . 121

Index . . . 127


List of Figures

5.1 Negation normal form transformation . . . 23
6.1 Sequent calculi . . . 27
6.2 The correspondence between the uniform notation and rules of sequent calculi for L . . . 29
6.3 Tableau calculi . . . 31
9.1 Free-variable tableau with constraints calculi . . . 49
9.2 Example refutation in the free-variable calculus . . . 54
12.1 Countermodel of a = b ⊃ (⟨a := c⟩a = c ⊃ ⟨b := c⟩a = c) . . . 70
13.1 The basic tableau system . . . 79
13.2 Proof of {λx b. [a := b]x = a} . . . 80
13.3 Proof of {λx a. [a := f(a)]{λy a. y = f(x)}} and {λx a. ⟨a := f(a)⟩{λy a. y = f(x)}} . . . 81
13.4 Proof of {λx a. [SWAP(a, b)]x = b} . . . 82
13.5 Proof of [a := t ∪ b := t]P ⊃ ⟨a := t ∪ b := t⟩P . . . 82
13.6 Proof of {λx a. [b := t]x = a} ⊃ ({λx a. [b := t]P(x)} ⊃ [b := t]P(a)) . . . 83
13.7 Proofs of {λx t1. [a := t1][b := t2]a = x} and {λx t1. ⟨a := t1⟩⟨b := t2⟩a = x} . . . 84
13.8 Proof of {λx a. ⟨(a := f(a))∗⟩a = f(f(x))} . . . 85


14.1 Worlds w1, ..., w2m . . . 90
17.1 Simple branch conditions . . . 105
18.1 An infinite proof . . . 112


Chapter 1

Introduction

This dissertation shows two things. Firstly, it shows how modal logic can be extended with modal operators indexed by terms. Variables can occur in the term indexes, which makes it possible to quantify over modal operators. Secondly, it presents a dynamic logic whose expressive power lies between propositional and first-order dynamic logic. Predicates have the same interpretation in every state, but program variables change interpretation between states. The two logics introduced, the term-modal logic and the quantifier-free dynamic assignment logic, are presented separately in the two main parts of the dissertation.

We have different motivations for the different logics. For the first logic, by introducing term-indexed modal operators, we get an expressive logic in which we can quantify over an infinite set of modalities and name these modalities in an intuitive way. The main motivation is to describe epistemic systems of dynamic societies with infinite sets of agents. Since the logic is very general, several other applications of the logic are possible, e.g. for planning systems.

For the second logic, our goal is to treat complex actions for state change. This motivates us to look into dynamic first-order logic. In any first-order logic, the quantifiers are a main reason for the undecidability. The system presented here uses a scoping operator instead of quantifiers, which preserves much of the expressibility while providing a more effective proof system. In the logic, the predicate and function symbols are interpreted rigidly, while program variables are non-rigid. The logic can be used in several systems replacing first-order dynamic logic.

Our treatment of the logics proceeds in roughly the same way in the two parts of the dissertation. Firstly, we describe the syntax, or what formulas are well-formed in the logic. Secondly, we introduce the semantics, or meaning of formulas. Thirdly, we define what constitutes a proof in the logic. For the term-modal logics, we present three different proof systems: a sequent calculus, a tableau calculus and a free-variable tableau calculus. For the quantifier-free dynamic assignment logic, we present a tableau calculus. Lastly, we show that all calculi are sound and complete.

We summarize the main results for each part of the dissertation.

• Part I: Term-Modal Logic

1. A family of expressive first-order logics with term-indexed modal operators.

2. Some examples showing that properties of multi-agent systems can be expressed in this logic.

3. Sequent and tableau calculi.

4. Free-variable tableau calculus.

5. Proof of soundness and completeness of all calculi.

• Part II: Quantifier-free Dynamic Assignment Logic

6. A quantifier-free dynamic logic of assignments.

7. Proof that the validity problem for the logic is undecidable.

8. A sound tableau calculus for the logic.

9. Proof of completeness of the calculus, first for the star-free fragment of the logic, and then for the system resulting from adding an omega-rule for the star operator.

1.1 BACKGROUND

Logic is a formalization of language and reasoning. Traditionally, logic was used to formalize natural languages. Today, logics are used as abstractions of computer languages, and computer programs are formalized and analyzed using logic. The research in this field is vast, and various logics have been developed for specifying, verifying and implementing numerous computer systems.

Propositional logic is the logic of sentences; true or false. First-order logicreasons about objects and properties of objects. Modal logic is the logic oftruth-variance. Something can be true in one context, but false in another.The context might be time-dependent, dependent on the beliefs or opinionsof people, or something else.

The study of logic started with Aristotle, continued with Leibniz, and first-order logic was first formulated by Frege (1879). For the rest of the dissertation, we will assume that the reader is familiar with propositional, first-order and modal logic. There are a lot of books on the topic, e.g. (Shoenfield 1967), (Gallier 1986), (van Orman Quine 1974), and (Fitting 1996a) for an introduction on propositional and first-order logic. (Hughes and Cresswell 1984), (Hughes and Cresswell 1996), (Hughes and Cresswell 1968), (Chellas 1980), and (Fitting 1983) are all good for an introduction on propositional modal logic. And, for first-order modal logic, see (Fitting and Mendelsohn 1998).

There are many versions of modal logic. Temporal logic deals with time, epistemic with knowledge, dynamic logic is the logic of programs, alethic deals with necessity and possibility, deontic with obligations and permissions, and doxastic with belief. Modal logic can in a general sense be interpreted as the logic of adverbials, see e.g. (Fitting and Mendelsohn 1998). The term-modal logics could be used as epistemic, deontic, or doxastic logics, while the quantifier-free dynamic assignment logic is a dynamic logic of programs.

Using modal logic instead of classical logic has many advantages. In many situations, it is easier and more intuitive to express properties using modal operators, compared to using first-order logic, in which one often has to augment predicates with extra arguments for the context, i.e. time, agents, etc.

1.2 OVERVIEW

After examining some related work in Chapter 2, the dissertation continues with the two main parts. Part I introduces the term-modal logics, and Part II the quantifier-free dynamic assignment logic. The parts are independent and can be read separately. No definitions or propositions from Part I are used in Part II, and vice versa.

A short version of the term-modal logic part of this dissertation was presented at Tableaux 2000 (Fitting, Thalmann and Voronkov 2000), and a longer version has been accepted to Studia Logica (Fitting, Thalmann and Voronkov 2001). The part on quantifier-free dynamic assignment logic awaits submission.

1.3 TERM-MODAL LOGIC

We describe a new family of modal logics, namely the first-order term-modal logics, where by term-modal we mean that any term can be used as a modality. The specific logics we discuss are the term-modal versions of the modal logics K, D, T, K4, D4, and S4. Sequent-style and tableau-style proof systems for the logics are given, and their soundness and completeness are shown.

Many researchers have been interested in the use of multi-modal logics for knowledge representation (see e.g. Halpern 1993, Fagin, Halpern, Moses and Vardi 1995, Meyer and van der Hoek 1995), although most of them have investigated the use of a finite set of modalities, indexed by the first n natural numbers, usually denoted either [1], [2], ..., [n] or K1, K2, ..., Kn. Each number here names some agent. By agent we mean any system, e.g. a human or a computer program, to which we can ascribe knowledge. When we instead use an infinite set of modalities we can reason about a dynamic society of agents, where some agents might vanish and new agents may appear.

In the family of multi-modal logics presented in the first part of the dissertation, any term can denote an agent. This makes naming of agents easy and the logics expressive. The use of complex names for agents, possibly involving variables, makes it easy to model a society of agents, and to give names to new agents by their relationship to already existing agents. For example, to express that the agent mother(x) thinks (or knows, or believes) that the agent x is good, we can write [mother(x)]good(x).

The standard multi-modal logics allow us to reason about beliefs of particular agents, but provide very limited facilities to reason about beliefs of groups of agents or about the agents themselves. In our language, we can distinguish a group of agents by specifying their properties. For example, to express that every Christian believes in the existence of God, we can write ∀x(christian(x) ⊃ [x]∃y God(y)).

An example of a society of agents is the collection of computer processes on some system. Here the logic with its infinite complex naming mechanism can be used to specify requirements of the system as a whole, and the proof system can be used to check that these requirements are satisfied.

When the computer processes spawn new processes, the society of agents (i.e. the number of processes) grows, and the naming mechanism can be used to refer to the newly created processes. As the number of processes spawned by the program need not be known beforehand, it is convenient to have an unlimited set of names for these new agents.

Many researchers have investigated multi-modal logic with a finite set of modalities, and many have discussed naming. We here combine these two aspects into one general family of logics, the family of term-modal logics.

1.4 QUANTIFIER-FREE DYNAMIC ASSIGNMENT LOGIC

Propositional dynamic logic (or propositional modal logic of programs, asit was called then) was introduced by Fischer and Ladner (1977), (1979),following ideas of Pratt (1976).

In this dissertation, we present a variant of dynamic logic, quantifier-free dynamic assignment logic, which contrary to propositional dynamic logic has variables,1 and contrary to first-order dynamic logic is quantifier-free, but has a scoping operator.

In the logic we can reason about the values of program variables before and after a program has been executed. An example formula, which we can express in the logic, is

⟨a := t⟩P(a).

The intended meaning is that after the assignment a := t has been executed, P(a) is true. Without specifying which a we are referring to in P(a), it is ambiguous what is actually meant by that. Do we mean the value of a before the program a := t has been executed or the value of a after the execution?

In our semantics, we have made the choice that a in P(a) refers to the value of a after execution. If we instead want to talk about the value of a before execution of a := t, we use a scoping operator λ and write

{λx a. ⟨a := t⟩P(x)}.

The position of λx in the formula determines which value of a we are referring to. In the formula above, λx stands before the modal operator ⟨a := t⟩, so by x in the subformula P(x), we mean the value of a before the program a := t has been executed.

Since our logic uses standard dynamic logic constructs, we may express many standard programs. As a simple example, swapping two program variables a and b can be expressed by the program (a′ := a; a := b; b := a′). Here semicolon is the composition of programs. Similarly, we have dynamic constructs for choice, tests and iteration.

As an example of iteration and the use of equality in the logic, we express that there exists an execution of (a := f(a))∗ such that the final value of a equals the value of f(f(x)), where x is the starting value of a:

{λx a. ⟨(a := f(a))∗⟩a = f(f(x))}.

We present a tableau proof system for the logic and show that it is sound and complete. We also prove that the logic with the star operator is undecidable.

1 Actually of two sorts: program and logic variables.
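To make the before/after reading of program variables concrete, here is an added Python example (not code from the dissertation): a finite-domain evaluator for the formulas of this section, namely the two readings of a in P(a), the swap program, the star formula, and the countermodel formula listed as Figure 12.1. The tuple encoding of terms, formulas and programs, the interpretation (domain Z mod 5, f(n) = n + 1 mod 5, constant c = 2, P = even numbers) and the starting states are all constructed for this illustration.

```python
# Added example (not from the dissertation): a finite-domain evaluator for the
# quantifier-free dynamic assignment logic formulas used in this section.
# Terms: ('pv', 'a') program variable (non-rigid), ('lv', 'x') logic variable
#        (rigid, bound by the scoping operator), ('const', 'c'), ('app', 'f', (args))
# Formulas: ('eq', s, t), ('pred', 'P', (args)), ('not', A), ('imp', A, B),
#           ('box', prog, A) for [prog]A, ('dia', prog, A) for <prog>A,
#           ('lam', 'x', t, A) for {λx t. A}: bind x to the current value of t
# Programs: ('assign', 'a', t), ('seq', p, q), ('choice', p, q), ('test', A), ('star', p)

def eval_term(term, state, val, I):
    kind = term[0]
    if kind == 'pv':
        return state[term[1]]            # read from the current state
    if kind == 'lv':
        return val[term[1]]              # fixed when the enclosing λx was applied
    if kind == 'const':
        return I['consts'][term[1]]      # rigid, same in every state
    return I['funcs'][term[1]](*(eval_term(arg, state, val, I) for arg in term[2]))


def run(prog, state, val, I):
    """All states reachable by executing prog from state (states as frozensets)."""
    kind = prog[0]
    if kind == 'assign':
        new = dict(state)
        new[prog[1]] = eval_term(prog[2], state, val, I)
        return {frozenset(new.items())}
    if kind == 'seq':
        return {s2 for s1 in run(prog[1], state, val, I)
                for s2 in run(prog[2], dict(s1), val, I)}
    if kind == 'choice':
        return run(prog[1], state, val, I) | run(prog[2], state, val, I)
    if kind == 'test':
        return {frozenset(state.items())} if holds(prog[1], state, val, I) else set()
    if kind == 'star':
        # reflexive-transitive closure; the search ends because the domain is finite
        seen, frontier = {frozenset(state.items())}, [dict(state)]
        while frontier:
            for s2 in run(prog[1], frontier.pop(), val, I):
                if s2 not in seen:
                    seen.add(s2)
                    frontier.append(dict(s2))
        return seen
    raise ValueError('unknown program %r' % (prog,))


def holds(phi, state, val, I):
    kind = phi[0]
    if kind == 'eq':
        return eval_term(phi[1], state, val, I) == eval_term(phi[2], state, val, I)
    if kind == 'pred':
        return tuple(eval_term(arg, state, val, I) for arg in phi[2]) in I['preds'][phi[1]]
    if kind == 'not':
        return not holds(phi[1], state, val, I)
    if kind == 'imp':
        return (not holds(phi[1], state, val, I)) or holds(phi[2], state, val, I)
    if kind == 'box':
        return all(holds(phi[2], dict(s), val, I) for s in run(phi[1], state, val, I))
    if kind == 'dia':
        return any(holds(phi[2], dict(s), val, I) for s in run(phi[1], state, val, I))
    if kind == 'lam':
        # {λx t. A}: x names the value t has now, before any program inside A runs
        return holds(phi[3], state, {**val, phi[1]: eval_term(phi[2], state, val, I)}, I)
    raise ValueError('unknown formula %r' % (phi,))


# Constructed interpretation: domain Z mod 5, rigid f(n) = n + 1 mod 5, c = 2, P = even.
I = {'consts': {'c': 2}, 'funcs': {'f': lambda n: (n + 1) % 5}, 'preds': {'P': {(0,), (2,), (4,)}}}

a, b, a1, x, c = ('pv', 'a'), ('pv', 'b'), ('pv', "a'"), ('lv', 'x'), ('const', 'c')
f = lambda t: ('app', 'f', (t,))
ASSIGN_A_C = ('assign', 'a', c)
SWAP = ('seq', ('assign', "a'", a), ('seq', ('assign', 'a', b), ('assign', 'b', a1)))

EXAMPLES = {
    # <a := c>P(a): a in P(a) means the value after the assignment
    'after': ('dia', ASSIGN_A_C, ('pred', 'P', (a,))),
    # {λx a. <a := c>P(x)}: x is the value of a before the assignment
    'before': ('lam', 'x', a, ('dia', ASSIGN_A_C, ('pred', 'P', (x,)))),
    # {λx a. [SWAP(a, b)] x = b}
    'swap': ('lam', 'x', a, ('box', SWAP, ('eq', x, b))),
    # {λx a. <(a := f(a))*> a = f(f(x))}
    'iterate': ('lam', 'x', a, ('dia', ('star', ('assign', 'a', f(a))), ('eq', a, f(f(x))))),
    # a = b ⊃ (<a := c>a = c ⊃ <b := c>a = c), the formula of Figure 12.1
    'subst': ('imp', ('eq', a, b), ('imp', ('dia', ASSIGN_A_C, ('eq', a, c)),
                                        ('dia', ('assign', 'b', c), ('eq', a, c)))),
}


def evaluate(state):
    """Truth value of each example formula in the given starting state."""
    return {name: holds(phi, state, {}, I) for name, phi in EXAMPLES.items()}
```

Starting from a = 1, b = 3 the two readings differ (P(2) holds after the assignment, P(1) does not), and starting from a = b = 1 the Figure 12.1 formula comes out false, since the second assignment leaves a untouched.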


Chapter 2

Related Work

The current trend in modal and description logics is to define expressive, but still decidable, logics. The term-modal logics are undecidable since they contain first-order classical logic. Moreover, the expressiveness of the term-modal logics is, in a way, higher than that of the standard first-order modal logics, since first-order modal logics can be interpreted in term-modal logic by using a single constant in modal operators (at least for cumulative domains, but our results can be extended to the constant domain versions of the logics as well). Logics with modalities indexed by terms were studied by Grove and Halpern (1991), (1995). These logics are more expressive in some aspects and less expressive in other aspects than the term-modal logics, since these logics can handle equality and agents with special properties. However, there are restrictions on how formulas can be built in these logics, so some well-formed formulas of our logics cannot be used as formulas in (Grove and Halpern 1991, Grove 1995). For example, the formula [x]P(x) is not a valid formula in (Grove 1995), since in Grove's framework x in [x] must be of the agent sort, but the formula P(x) in the scope of [x] must not have free variables of the agent sort.

Another related framework is the modal logics with names, see (Passy and Tinchev 1985, Passay and Tinchev 1991, Gargov and Goranko 1993, Blackburn 1993). In these logics a second sort of atomic formula is introduced (these are called names or nominals) and it is stipulated that such a formula is satisfied at a specific world of the model. Intuitively, a nominal names the world in which it is satisfied. Hybrid logics take this a step further. In these logics, nominals are treated as variables open to binding, see e.g. the work by Blackburn and Seligman (1993), Blackburn and Tzakova (1998) and Areces, Blackburn and Marx (2000). A tableau calculus for hybrid logics was presented by Tzakova (1999). The main difference between the logics of our paper and hybrid logics is that in hybrid logic one quantifies over state variables naming worlds, while in this dissertation we quantify over variables naming accessibility relations.


Propositional dynamic logic (or, as it was called, propositional modal logic of programs) was introduced in (Fischer and Ladner 1977, Fischer and Ladner 1979), following ideas of (Pratt 1976). Completeness of propositional dynamic logic is proven in (Parikh 1978) and (Kozen and Parikh 1981). An interesting thing to notice is that the proof in (Parikh 1978) includes tests, while (Kozen and Parikh 1981) does not. Tableau procedures for propositional dynamic logic are given in (Pratt 1980) and (Pratt 1978). These are extended by Massacci (1998) to include the converse operator.

First-order dynamic logic appears in e.g. (Harel 1979) and (Kozen and Tiuryn 1989). Dynamic logic is a logic with complex modalities just as the term-modal logics. The main difference between term-modal and dynamic logic is the structure of the indexes. In dynamic logic modal operators are indexed by programs, either atomic or composed of subprograms or subformulas joined by the program connectives ;, ∪, ∗, or ?. In term-modal logic the modal operators are indexed with terms. There is a close syntactic connection between the logics. Term-modal logic can be translated into dynamic logic by translating every modal operator [t] into [x := t], where x is a dummy program variable. (It is not possible to translate it into quantifier-free dynamic assignment logic, since logic variables cannot occur in assignment programs in this logic.) The semantics of the logics are different, though. In dynamic logic, the program x := t is usually deterministic, while in the term-modal logic framework we are interested in having several worlds reachable by the term t. The simplified semantics of the term-modal logic also lets us develop the proof theory further. In this dissertation, we provide a free-variable tableau calculus for the term-modal logics.

Modal action logics, see e.g. (Ryan, Fiadeiro and Maibaum 1991), are an example application for the term-modal logics. In (Ryan et al. 1991) a logic for actions is given, but without any proof procedure.

In general, the term-modal logic approach contrasts with other approaches by considering a simple logic with terms in modal operators and developing a complete free-variable proof system, while other authors either limit the expressibility or fail to provide a complete proof procedure.

Fitting (1983) proves soundness and completeness of (single-)modal logics. In this dissertation we introduce some new definitions and extend the proofs to term-modal logics.

Fagin et al. (1995) and van der Hoek and Meyer (1997) use modal logics to describe multi-agent systems. Their approaches are based on a finite set of agents, and they also discuss the use of common and distributed knowledge. By using the logic presented in this dissertation, their work might be extended to handle dynamic agent societies with a simple naming mechanism, where quantification over agents is possible.


The basic idea of predicate abstraction was introduced into modal logic by Stalnaker and Thomason (1968), and continued in (Thomason and Stalnaker 1968). (Bressan 1972) gave an extensive development. Other modal applications of predicate abstraction appear in e.g. (Fitting 1972, Fitting 1973, Fitting 1975), and more recently in (Fitting 1991, Fitting 1996b, Fitting and Mendelsohn 1998).


Part I

Term-Modal Logic


Chapter 3

Introduction

In this part, we describe a new family of modal logics, namely the first-order term-modal logics, where by term-modal we mean that any term can be used as a modality. The specific logics we discuss are the term-modal versions of the modal logics K, D, T, K4, D4, and S4. Sequent-style and tableau-style proof systems for the logics are given, and their soundness and completeness are shown.

3.1 OVERVIEW

Part I is structured as follows: Chapter 4 defines the syntax of term-modal logics, and Chapter 5 covers their semantics. In Chapter 6 we introduce two different types of proof systems: in Section 6.1, sequent calculi, and in Section 6.2, tableau calculi for these logics. In Chapter 7 we establish soundness of the sequent calculi. In Chapter 8 we give the completeness proof. The proof is rather lengthy and split between two sections. In Section 8.1 we define the main technical tool used for the completeness proof, the so-called consistency property, and prove a Model Existence Theorem for consistency properties. Using this theorem, we establish completeness of the sequent calculi in Section 8.2. Soundness and completeness of the sequent calculi implies soundness and completeness of the tableau calculi for term-modal logics. As a step toward automated reasoning in term-modal logic, in Chapter 9 we introduce free-variable versions of tableau calculi for term-modal logics. In Section 9.1 we give an example refutation in such a calculus, in order to illustrate some distinctive features of free-variable calculi for term-modal logics.


Chapter 4

Syntax

The term-modal logics are obtained from the standard predicate modal logics by adding modal operators indexed by terms. In this chapter we give a formal definition of the syntax of term-modal logics.

We assume a signature Σ consisting of three disjoint sets of constants, function symbols and relation symbols. Usually, the signature is assumed to be fixed, but in some situations we will vary it for technical convenience. In addition to the symbols of Σ, we will use various infinite sets P of parameters disjoint from the symbols in Σ. In some situations parameters will behave as new constants, in others as elements of a domain on which formulas are evaluated. The signature is not necessarily finite or countable. For every signature Σ, we denote by Σ⁻ the signature obtained from Σ by omitting all constants and function symbols.

Definition 1 (Term) Suppose P is a set of parameters and V a set of variables disjoint from the set of parameters. The set of terms of the signature Σ with parameters in P and variables in V, denoted T(Σ ∪ P, V), is defined inductively as follows.

1. Each constant in Σ is a term.

2. Each variable in V is a term.

3. Each parameter in P is a term.

4. If t₁, …, tₙ are terms and f is an n-ary function symbol, then f(t₁, …, tₙ) is a term.

In this part, we can restrict ourselves to a fixed set of variables; however, the set of parameters (and sometimes the signature) will vary. So we will use the simpler notation T(Σ ∪ P). A term is called ground if it has no occurrences of variables.


Definition 2 (Formula) Let P be a set of parameters. The set of formulas of the signature Σ with parameters in P, denoted F(Σ ∪ P), is defined inductively as follows.

1. If R is a relation symbol of arity n and t₁, …, tₙ are terms in T(Σ ∪ P), then R(t₁, …, tₙ) is an atomic formula. Any atomic formula is a formula.

2. If A and B are formulas, then so are (A ∧ B), (A ∨ B), (A ⊃ B) and ¬A.

3. If A is a formula and t is a term in T(Σ ∪ P), then [t]A and ⟨t⟩A are formulas.

4. If A is a formula and x is a variable, then ∀xA and ∃xA are formulas.

The notions of free and bound occurrences of variables are defined as usual, with the exception of the following item:

• The free occurrences of variables in [t]A and ⟨t⟩A are all occurrences of variables in t plus all free occurrences of variables in A.

A formula is called closed, or a sentence, if it has no free occurrences of variables (but note that it may contain parameters). An ∃-formula is any formula ∃xA. A literal is either an atomic formula A or its negation ¬A. Literals A and ¬A are said to be complementary to each other.
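As an added illustration (not code from the dissertation), the following Python computes the free variables of a formula under Definition 2, including the term-modal exception that the variables of the index term t are free in [t]A and ⟨t⟩A. Formulas are represented as nested tuples, variables as instances of a one-line `Var` class, and function terms as tuples `(f, t1, ..., tn)`; these representation choices are assumptions of the example, not notation from the text.

```python
class Var(str):
    """A variable of V; any other string is a constant or a parameter.
    A term with a function symbol is a tuple (f, t1, ..., tn)."""

def term_vars(t):
    """Variables occurring in a term (Definition 1)."""
    if isinstance(t, Var):
        return {t}
    if isinstance(t, tuple):                      # f(t1, ..., tn)
        return set().union(*(term_vars(a) for a in t[1:]))
    return set()                                  # constant or parameter: ground

def free_vars(f):
    """Free variables of a formula (Definition 2), with the term-modal exception:
    every variable of the index term t is free in [t]A and <t>A."""
    kind = f[0]
    if kind == 'atom':                            # ('atom', R, (t1, ..., tn))
        return set().union(*(term_vars(t) for t in f[2]))
    if kind == 'not':                             # ('not', A)
        return free_vars(f[1])
    if kind in ('and', 'or', 'imp'):              # ('and', A, B), ('or', A, B), ('imp', A, B)
        return free_vars(f[1]) | free_vars(f[2])
    if kind in ('box', 'dia'):                    # ('box', t, A) is [t]A, ('dia', t, A) is <t>A
        return term_vars(f[1]) | free_vars(f[2])
    if kind in ('all', 'ex'):                     # ('all', x, A) is forall x A, ('ex', x, A) is exists x A
        return free_vars(f[2]) - {f[1]}
    raise ValueError(f'unknown formula kind {kind!r}')

def is_sentence(f):
    """A formula is closed (a sentence) iff it has no free variables; parameters are allowed."""
    return not free_vars(f)

# The example sentence of this chapter: everyone knows that he/she is good.
x = Var('x')
EVERYONE_KNOWS_GOOD = ('all', x, ('imp', ('atom', 'human', (x,)),
                                  ('box', x, ('atom', 'good', (x,)))))
```

Note that in `('box', x, ('all', x, ...))` the inner quantifier binds x inside A only; the occurrence in the modality index stays free, exactly as the exception above prescribes.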

Intuitively, when interpreting the formulas in a multi-agent context, the meaning of the formula [t]A is that the agent denoted by the term t knows (believes, etc.) the information represented by the formula A. The formula ⟨t⟩A intuitively means that the agent denoted by t considers it possible that A holds, i.e. it is not the case that the agent knows the contrary (which can also be expressed by ¬[t]¬A).

In the proof systems introduced later we make no assumptions about the kind of knowledge expressed. The knowledge could in fact be only belief, i.e. an agent might believe something which is false.

It is easy to add axioms of knowledge if one is interested in describing a specific kind of knowledge. An example of this is the knowledge axiom, [x]A ⊃ A, which intuitively means that if an agent x knows something, then it is true. More about different epistemic interpretations of modal logic can be found in e.g. the books by Hintikka (1962) or Lenzen (1978).

The distinctive feature of our logics is the possibility to express knowledge of agents and properties of agents themselves in one language. For example, we can write


∀x(human(x) ⊃ [x]good(x))

to express that everyone knows that he/she is good. Note the use of quantification over agents.

Notation 3 For the rest of Part I, we will denote

• variables by x, y, z, u, v;

• parameters by p;

• terms by s, t;

• domain elements by d (i.e. elements in the set D, which is defined later);

• formulas by A, B, C;

• sets of formulas by S;

• sets of parameters of the language by P;

• literals by L;

• logics K, D, T, K4, D4, S4 by the generic symbol L.

We write A(x) to denote a formula A with zero or more free occurrences of the variable x and write A(t) to denote the result of replacing all free occurrences of x by a term t. Before the replacement, we rename in A(x) all bound occurrences of variables that have free occurrences in t.


Chapter 5

Semantics

In this chapter, we describe a possible-world semantics for the logics. The semantics is defined through the notions of frames and structures. It differs from the standard semantics of first-order modal logics by the treatment of the reachability relation on worlds: the reachability relation is indexed by elements of the domain. We assume all definitions to be given w.r.t. a nonempty set D, called the domain.

5.1 FRAMES

Definition 4 (Frame) A frame over D is a triple ⟨W, 𝒟, →⟩, where

1. W is a non-empty set, called the set of possible worlds.

2. 𝒟 is a mapping from W to the set of subsets of D. The set 𝒟(w) is denoted by D_w and called the domain of w.

3. → is a relation on W × D × W, called the accessibility relation. If →(w₁, d, w₂), then we say that w₂ is d-reachable from w₁ and write $w_1 \xrightarrow{d} w_2$.

We require the monotonicity condition to be satisfied in all frames:¹

If $w_1 \xrightarrow{d} w_2$ then D_{w₁} ⊆ D_{w₂}.

The monotonicity condition corresponds to cumulative domains (e.g. Wallen 1990) and nested domains (e.g. Garson 1984).

¹ The monotonicity condition can be replaced by a weaker condition: if $w_1 \xrightarrow{d} w_2$ and d ∈ D_{w₁} then D_{w₁} ⊆ D_{w₂}. The reason is that the first-order language cannot express properties of worlds d-reachable from w when d ∉ D_w.


Definition 5 (L-frame) We specialize the concept of frames to six different classes:

K. All frames are K-frames.

D. If for all d and w there exists w′ such that $w \xrightarrow{d} w'$ (i.e. the accessibility relation is serial in its 1st and 3rd arguments), then the frame is a D-frame.

T. If $w \xrightarrow{d} w$ holds for all w and d (i.e. the accessibility relation is reflexive in its 1st and 3rd arguments), then the frame is a T-frame.

K4. If, from $w \xrightarrow{d} w'$ and $w' \xrightarrow{d} w''$ it follows that $w \xrightarrow{d} w''$, for all d and all w, w′, w″ ∈ W (i.e. the accessibility relation is transitive in its 1st and 3rd arguments), then it is a K4-frame.

D4. If the accessibility relation is both serial and transitive in its 1st and 3rd arguments, then the frame is a D4-frame.

S4. If the accessibility relation is both reflexive and transitive in its 1st and 3rd arguments, then the frame is an S4-frame.

5.2 FIRST-ORDER MODAL STRUCTURES

The first-order modal (Kripke) structures are introduced in the standard way, except for the case of modal operators.

Definition 6 (Structure for L) Let L be one of K, D, T, K4, D4, S4. A first-order modal structure for L, or simply L-structure over a domain D, is a tuple 𝒮 = ⟨W, 𝒟, →, I, ⊩⟩, where

1. ⟨W, 𝒟, →⟩ is an L-frame over D.

2. ⊩ is a binary relation between worlds and atomic sentences in F(Σ⁻ ∪ D). (Note that elements of D are treated as parameters in F(Σ⁻ ∪ D).)

3. I, called the interpretation function, is a mapping that maps every constant c of Σ to an element of D and every function symbol f of Σ of arity n to an n-place function on D. The corresponding element of D and function on D are called the interpretations of c and f respectively. We require the interpretation of any constant and function symbol to be totally defined in every world: this means that I(c) belongs to D_w for every world w ∈ W, and for every d₁, …, dₙ ∈ D_w we have I(f)(d₁, …, dₙ) ∈ D_w.


Note that ⊩ is only defined for formulas without function symbols or constants, but with parameters in D.

We call a valuation V in a structure 𝒮 any mapping V : P → D from a set of parameters to the domain D of 𝒮. Any valuation V can be extended to the set of all ground terms by defining

V(c) = I(c),  V(f(t₁, …, tₙ)) = I(f)(V(t₁), …, V(tₙ)).

Now we can give the central notion of satisfiability of formulas in structures.

Given a first-order modal structure ⟨W, 𝒟, →, I, ⊩⟩, we change the relation ⊩ into a ternary relation between worlds in W, valuations, and sentences in F(Σ ∪ D) as given below. We write 𝒮, w, V ⊩ A when this relation holds on w, V, A and denote by ⊮ the complement of ⊩. When we use this notation, we can omit one or both of 𝒮, V when they are clear from the context.

Definition 7 (Relation ⊩) Given 𝒮 and V, we define the relation ⊩ as follows.

1. w, V ⊩ R(t₁, …, tₙ) if w ⊩ R(V(t₁), …, V(tₙ)).

2. w, V ⊩ A ∧ B if w, V ⊩ A and w, V ⊩ B.

3. w, V ⊩ A ∨ B if w, V ⊩ A or w, V ⊩ B.

4. w, V ⊩ A ⊃ B if w, V ⊮ A or w, V ⊩ B.

5. w, V ⊩ ¬A if w, V ⊮ A.

6. w, V ⊩ [t]A if for all w′ such that $w \xrightarrow{V(t)} w'$ we have w′, V ⊩ A.

7. w, V ⊩ ⟨t⟩A if there exists w′ such that $w \xrightarrow{V(t)} w'$ and w′, V ⊩ A.

8. w, V ⊩ ∀xA(x) if w, V ⊩ A(d) for all d ∈ D_w.

9. w, V ⊩ ∃xA(x) if w, V ⊩ A(d) for some d ∈ D_w.

Definition 8 (Truth, satisfiability) Let 𝒮 = ⟨W, 𝒟, →, I, ⊩⟩ be a structure. We say a formula A is true, or holds, or is locally satisfied in 𝒮 at a world w ∈ W under a valuation V if 𝒮, w, V ⊩ A. A formula A is globally satisfied in a structure 𝒮 under a valuation V if it is locally satisfied at every world of 𝒮 under V. A formula A is called locally (respectively, globally) satisfiable in 𝒮 if it is locally (respectively, globally) satisfied in 𝒮 under some valuation. If A is locally satisfiable in 𝒮 we also say that 𝒮 is a model of A.


Note that the truth of a formula A under a valuation V only depends on the value of V on the parameters occurring in A. Thus, if A is a sentence in F(Σ), its truth does not depend on the valuation at all.
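To make Definitions 4 to 8 concrete, here is an added Python model checker for a finite structure; it is not part of the dissertation. The structure `STRUCT`, its two agents, its constant `a` and the facts forced at each world are constructed for the example. The checker implements clauses 1 to 9 of Definition 7, with one environment playing the role of both the valuation V on parameters and the assignment of quantified variables, and `frame_classes` tests the conditions of Definitions 4 and 5 for each fixed d, as the text requires. Quantifiers range over D_w, the domain of the current world, not over all of D.

```python
class Var(str):
    """A variable; any other string is a constant (interpreted by I) or a domain
    element used directly as a parameter, as in F(Sigma^- u D)."""

# A constructed two-agent structure (not from the dissertation).  Worlds w0, w1, w2 share
# the domain D = {alice, bob}; an arrow (w1, d, w2) means w2 is d-reachable from w1.
# Every (w, d, w) is present and the relation is transitive, so this is an S4-frame.
STRUCT = {
    'W': {'w0', 'w1', 'w2'},
    'Dw': {'w0': {'alice', 'bob'}, 'w1': {'alice', 'bob'}, 'w2': {'alice', 'bob'}},
    'arrows': {(w, d, w) for w in ('w0', 'w1', 'w2') for d in ('alice', 'bob')}
              | {('w0', 'alice', 'w1'), ('w0', 'bob', 'w2')},
    'I': {'a': 'alice'},                       # interpretation of the constant a
    'forces': {('w0', 'human', ('alice',)), ('w0', 'human', ('bob',)),
               ('w0', 'good', ('alice',)), ('w1', 'good', ('alice',)),
               ('w2', 'good', ('alice',))},    # good(bob) holds nowhere
}

def value(S, t, env):
    """V(t): env holds the valuation of parameters and the assignment of quantified
    variables; constants go through I; any other string is a domain element."""
    if isinstance(t, tuple):                   # f(t1, ..., tn) = I(f)(V(t1), ..., V(tn))
        return S['I'][t[0]](*(value(S, a, env) for a in t[1:]))
    if t in env:
        return env[t]
    return S['I'].get(t, t)

def holds(S, w, f, env=None):
    """Definition 7: does formula f hold at world w of structure S under env?"""
    env = {} if env is None else env
    kind = f[0]
    if kind == 'atom':                         # ('atom', R, terms): w forces R(V(t1), ..., V(tn))
        return (w, f[1], tuple(value(S, t, env) for t in f[2])) in S['forces']
    if kind == 'not':
        return not holds(S, w, f[1], env)
    if kind == 'and':
        return holds(S, w, f[1], env) and holds(S, w, f[2], env)
    if kind == 'or':
        return holds(S, w, f[1], env) or holds(S, w, f[2], env)
    if kind == 'imp':
        return (not holds(S, w, f[1], env)) or holds(S, w, f[2], env)
    if kind in ('box', 'dia'):                 # [t]A / <t>A range over the V(t)-reachable worlds
        d = value(S, f[1], env)
        successors = [w2 for (w1, e, w2) in S['arrows'] if w1 == w and e == d]
        test = all if kind == 'box' else any
        return test(holds(S, w2, f[2], env) for w2 in successors)
    if kind in ('all', 'ex'):                  # quantifiers range over D_w, the domain of w
        test = all if kind == 'all' else any
        return test(holds(S, w, f[2], {**env, f[1]: d}) for d in S['Dw'][w])
    raise ValueError(f'unknown formula kind {kind!r}')

def frame_classes(S):
    """The classes of Definition 5 the frame belongs to, after checking the monotonicity
    condition of Definition 4.  Seriality, reflexivity and transitivity are tested in the
    1st and 3rd arguments for each fixed d, as the definitions require."""
    W, Dw, R = S['W'], S['Dw'], S['arrows']
    D = set().union(*Dw.values())
    if not all(Dw[w1] <= Dw[w2] for (w1, _, w2) in R):
        raise ValueError('monotonicity condition violated')
    serial = all(any((w, d, w2) in R for w2 in W) for w in W for d in D)
    reflexive = all((w, d, w) in R for w in W for d in D)
    transitive = all((w1, d, w3) in R
                     for (w1, d, w2) in R for (v2, e, w3) in R if v2 == w2 and e == d)
    classes = {'K'}
    if serial:
        classes.add('D')
    if reflexive:
        classes.add('T')
    if transitive:
        classes.add('K4')
    if serial and transitive:
        classes.add('D4')
    if reflexive and transitive:
        classes.add('S4')
    return classes

# The sentence from Chapter 4: everyone knows that he/she is good.
x = Var('x')
EVERYONE_KNOWS_GOOD = ('all', x, ('imp', ('atom', 'human', (x,)),
                                  ('box', x, ('atom', 'good', (x,)))))
```

In `STRUCT` the sentence fails at w0 because bob is human but does not know he is good (good(bob) fails in the bob-reachable world w2), while its existential variant succeeds via alice. Since the frame is reflexive, the knowledge axiom [d]A ⊃ A holds at every world for every agent d.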

Definition 9 (Model, validity) Let L be one of K, D, T, K4, D4, S4. We call a model ⟨W, 𝒟, →, I, ⊩⟩ of a formula A an L-model if its frame ⟨W, 𝒟, →⟩ is an L-frame. A formula A is called L-satisfiable if it has an L-model. A formula A is called L-valid if it is true in every world of every L-structure under every valuation.

It is not hard to argue that satisfiability and validity are dual notions in the following sense: a formula A is unsatisfiable if and only if ¬A is valid. In view of this duality we will formulate our results in terms of (un)satisfiability only.

When we speak of a logic L in this part, we understand the set of L-valid formulas. So, we will speak of logics K, D, T, K4, D4, S4. Another standard way of introducing a logic is to define a suitable calculus deriving the valid formulas of this logic. In the next chapter we introduce such calculi for all these logics.

Formulas A and B are called L-equivalent if the formulas A ⊃ B and B ⊃ A are L-valid. It is evident that in any context when we speak about worlds, structures, valuations, and satisfiability, we can replace formulas by equivalent ones.

We will now introduce the negation normal form of formulas, which will simplify our proofs considerably.

Definition 10 (Negation normal form) A formula A is said to be in negation normal form if it is constructed from literals using ∧, ∨, ∀, ∃, [t] and ⟨t⟩. A formula B is called a negation normal form of a formula A if B is in negation normal form and B is equivalent to A.

Lemma 11 Every formula A has a negation normal form.

Proof. It is not hard to argue that one can reduce A to its negation normal form by means of the transformations shown in Figure 5.1. These transformations replace, in any order, subformulas of A of the form on the left of ⇒ by the corresponding subformulas on the right, until no transformation is applicable. □


B ⊃ C ⇒ ¬B ∨ C

¬¬B ⇒ B

¬(B ∨ C) ⇒ ¬B ∧ ¬C

¬(B ∧ C) ⇒ ¬B ∨ ¬C

¬∀xB ⇒ ∃x¬B

¬∃xB ⇒ ∀x¬B

¬[t]B ⇒ ⟨t⟩¬B

¬⟨t⟩B ⇒ [t]¬B

Figure 5.1: Negation normal form transformation
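The transformations of Figure 5.1 as an added Python example (not the dissertation's code), together with a checker for Definition 10. The tuple encoding of formulas is an assumption of the example. Applied to the negation of the sentence of Example 14 in the next chapter, it yields the negation normal form given there.

```python
def nnf(f):
    """Negation normal form by the transformations of Figure 5.1 (Lemma 11):
    implications are eliminated and negations are pushed inward until only
    literals remain under negation."""
    kind = f[0]
    if kind == 'atom':
        return f
    if kind == 'imp':                                     # B > C  =>  ~B v C
        return nnf(('or', ('not', f[1]), f[2]))
    if kind in ('and', 'or'):
        return (kind, nnf(f[1]), nnf(f[2]))
    if kind in ('box', 'dia', 'all', 'ex'):               # ('box', t, A), ('all', x, A), ...
        return (kind, f[1], nnf(f[2]))
    # kind == 'not': push the negation through the outermost connective of g
    g = f[1]
    k = g[0]
    if k == 'atom':
        return f                                           # a negative literal
    if k == 'not':                                         # ~~B  =>  B
        return nnf(g[1])
    if k == 'imp':                                         # ~(B > C) => ~(~B v C) => B ^ ~C
        return nnf(('and', g[1], ('not', g[2])))
    dual = {'and': 'or', 'or': 'and', 'all': 'ex', 'ex': 'all',
            'box': 'dia', 'dia': 'box'}[k]
    if k in ('and', 'or'):                                 # ~(B v C) => ~B ^ ~C, ~(B ^ C) => ~B v ~C
        return (dual, nnf(('not', g[1])), nnf(('not', g[2])))
    return (dual, g[1], nnf(('not', g[2])))                # ~Ax B => Ex ~B, 
                                                           # ~[t]B => <t>~B, ~<t>B => [t]~B

def is_nnf(f):
    """Definition 10: built from literals with ^, v, A, E, [t] and <t> only."""
    kind = f[0]
    if kind == 'atom':
        return True
    if kind == 'not':
        return f[1][0] == 'atom'
    if kind in ('and', 'or'):
        return is_nnf(f[1]) and is_nnf(f[2])
    if kind in ('box', 'dia', 'all', 'ex'):
        return is_nnf(f[2])
    return False

def R(t):
    return ('atom', 'R', (t,))

# Negation of the sentence of Example 14: ~Az([z]Ax R(x) > Ay[z]R(y))
NEGATED_EXAMPLE_14 = ('not', ('all', 'z', ('imp', ('box', 'z', ('all', 'x', R('x'))),
                                            ('all', 'y', ('box', 'z', R('y'))))))
```

`nnf` terminates because every step either removes a connective or pushes a negation strictly closer to the atoms; the result is equivalent to the input by the validity of each rewrite in Figure 5.1.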


Chapter 6

Proof Systems

6.1 SEQUENT CALCULI

In this section we define sequent calculi for the family of term-modal logics. There are several essentially equivalent notions of sequent giving rise to different calculi. The original definition of Gentzen (1934) defines sequents as expressions A₁, …, Aₙ → B₁, …, Bₘ, where A₁, …, Aₙ, B₁, …, Bₘ are formulas. Smullyan (1963) represents such a sequent as a collection of formulas A₁, …, Aₙ, ¬B₁, …, ¬Bₘ or a collection T A₁, …, T Aₙ, F B₁, …, F Bₘ of signed formulas, with the intended meaning that all formulas Aᵢ are true and all formulas Bⱼ are false, and introduces a uniform notation to group together inference rules with similar behavior. We will use the approach formulated by Schütte (1960). Instead of using arbitrary formulas we will use only formulas in negation normal form. Every rule in the uniform notation corresponds to an inference rule introducing a particular connective on formulas in negation normal form. Then we do not need the unifying notation anymore, since we can label inference rules by the corresponding connectives. We will use parameters instead of free variables, and therefore only deal with sentences.

Definition 12 (Sequent) A sequent is a set of sentences. Let S be a sequent and 𝒮 be a structure. We say that a sequent S is locally satisfied in 𝒮 at a world w ∈ W under a valuation V if 𝒮, w, V ⊩ A for all A ∈ S. A sequent S is globally satisfied in a structure 𝒮 under a valuation V if S is locally satisfied at every world of 𝒮 under V. A sequent S is called locally (respectively, globally) satisfiable in 𝒮 if it is locally (respectively, globally) satisfied in 𝒮 under some valuation. If S is locally satisfiable in 𝒮 we also say that 𝒮 is a model of S.

Thus, a sequent is understood as a (possibly infinite) conjunction of its members.


For a formula A and a set of formulas S we use A, S or S, A to denote the set S ∪ {A}. Likewise, we write S₁, S₂ to denote the union S₁ ∪ S₂ of two sequents.

Sequent calculi for logics K, D, T, K4, D4, S4 are shown in Figure 6.1. S[t] is a generalization of the notation used in (Fitting 1983). Semantically, S[t] denotes the set of formulas which must hold in every world that is V(t)-reachable from the world in which S holds. Depending on the logic, semantic restrictions on the frame make the definition of S[t] vary between logics.

In the rule (ax), A is atomic. We can generalize the calculus to non-atomic axioms in the standard way, but the calculus is complete with atomic axioms.

Definition 13 (Inference, derivation, refutation) The inference rules of the sequent calculi are shown in Figure 6.1. We call an inference any particular instance of an inference rule. The premises of any inference or inference rule are the sequents above the bar; its conclusion is the sequent below the bar. An axiom is any conclusion of (ax). A derivation of a sequent S is a tree made of inferences and having S as the root. A derivation is called a refutation if all leaves in it are axioms.

We use the term refutation instead of the term proof because the sequent calculi used in this part establish unsatisfiability rather than validity.

Example 14 Suppose that we wish to establish K-validity of the sentence

∀z([z]∀xR(x) ⊃ ∀y[z]R(y)).

We turn this formula into its negation

¬∀z([z]∀xR(x) ⊃ ∀y[z]R(y))

and establish the unsatisfiability of the latter. To this end, we transform this formula into its negation normal form

∃z([z]∀xR(x) ∧ ∃y⟨z⟩¬R(y))

and try to find a refutation in the sequent calculus for K. An example refutation is as follows.


For all logics (K, D, T, K4, D4, S4):

$$\frac{}{S, A, \lnot A}\ (ax) \qquad \frac{S, A \qquad S, B}{S, A \lor B}\ (\lor) \qquad \frac{S, A, B}{S, A \land B}\ (\land)$$

$$\frac{S, A(p)}{S, \exists x A(x)}\ (\exists)^{*} \qquad \frac{S, \forall x A(x), A(t)}{S, \forall x A(x)}\ (\forall) \qquad \frac{S[t], A}{S, \langle t\rangle A}\ (\langle t\rangle)$$

For serial logics (D, D4):

$$\frac{S[t]}{S}\ ([t])$$

For reflexive logics (T, S4):

$$\frac{S, A}{S, [t]A}\ ([t])$$

Definition of S[t] for each logic L:

K, D, T:  S[t] = {A | [t]A ∈ S}

K4, D4:   S[t] = {A | [t]A ∈ S} ∪ {[t]A | [t]A ∈ S}

S4:       S[t] = {[t]A | [t]A ∈ S}

* The rule (∃) satisfies the parameter condition: p is a parameter having no occurrences in the conclusion of the rule.

Figure 6.1: Sequent calculi


In the derivations below the root is the bottom line; each sequent is the conclusion of the inference named to its right, whose premise is the sequent immediately above it.

$$\begin{array}{lr}
\forall x R(x),\ R(q),\ \lnot R(q) & (ax)\\
\forall x R(x),\ \lnot R(q) & (\forall)\\
[p]\forall x R(x),\ \langle p\rangle \lnot R(q) & (\langle p\rangle)\\
[p]\forall x R(x),\ \exists y\langle p\rangle \lnot R(y) & (\exists)\\
[p]\forall x R(x) \land \exists y\langle p\rangle \lnot R(y) & (\land)\\
\exists z([z]\forall x R(x) \land \exists y\langle z\rangle \lnot R(y)) & (\exists)
\end{array}$$

This refutation is also a valid refutation in D and T.

To obtain a refutation in K4 and D4, we have to modify the top part of this refutation because of the difference in the definition of S[t]:

$$\begin{array}{lr}
[p]\forall x R(x),\ \forall x R(x),\ R(q),\ \lnot R(q) & (ax)\\
[p]\forall x R(x),\ \forall x R(x),\ \lnot R(q) & (\forall)\\
[p]\forall x R(x),\ \langle p\rangle \lnot R(q) & (\langle p\rangle)
\end{array}$$

A refutation in S4 follows a different strategy because of the difference in the ([t]) rule:

$$\begin{array}{lr}
\forall x R(x),\ R(q),\ \lnot R(q) & (ax)\\
\forall x R(x),\ \lnot R(q) & (\forall)\\
[p]\forall x R(x),\ \lnot R(q) & ([p])\\
[p]\forall x R(x),\ \langle p\rangle \lnot R(q) & (\langle p\rangle)
\end{array}$$
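As an added example (not from the dissertation), the following Python implements bounded proof search in the sequent calculi of Figure 6.1, parameterised by the logic through the definition of S[t]. It applies the invertible rules eagerly ((∧), (∃) with a fresh parameter, the reflexive ([t]) rule, (∨) by splitting, and (∀) by instantiating with the ground terms on the branch), then tries the non-invertible (⟨t⟩) and serial ([t]) rules one at a time. A `fuel` bound on (∀) rounds and modal steps keeps the search finite, so a negative answer only means that no refutation was found within the bound. Function symbols are omitted for brevity, so every ground term is a string; the tuple encoding of formulas, the `Var` class and the bound are assumptions of the example. Run on the negation normal form of Example 14, it finds refutations in all six logics, matching the derivations above.

```python
from itertools import count

class Var(str):
    """A variable; every other string is a constant or a parameter (ground).
    Function symbols are omitted in this example, so all ground terms are strings."""

def subst(f, x, t):
    """A(t): replace the free occurrences of variable x in f by the ground term t.
    Since t is ground, no bound variable of f can capture it (Notation 3)."""
    def hit(s):
        return isinstance(s, Var) and s == x
    kind = f[0]
    if kind == 'atom':                                   # ('atom', R, (t1, ..., tn))
        return ('atom', f[1], tuple(t if hit(s) else s for s in f[2]))
    if kind == 'not':
        return ('not', subst(f[1], x, t))
    if kind in ('and', 'or'):
        return (kind, subst(f[1], x, t), subst(f[2], x, t))
    if kind in ('box', 'dia'):                           # the index term is substituted too
        return (kind, t if hit(f[1]) else f[1], subst(f[2], x, t))
    return f if f[1] == x else (kind, f[1], subst(f[2], x, t))   # 'all' / 'ex'

def ground_terms(f):
    """Ground terms occurring in a formula: the candidates for the (forall) rule."""
    kind = f[0]
    if kind == 'atom':
        return {s for s in f[2] if not isinstance(s, Var)}
    if kind == 'not':
        return ground_terms(f[1])
    if kind in ('and', 'or'):
        return ground_terms(f[1]) | ground_terms(f[2])
    if kind in ('box', 'dia'):
        return ({f[1]} if not isinstance(f[1], Var) else set()) | ground_terms(f[2])
    return ground_terms(f[2])

def reach(S, t, logic):
    """S[t] of Figure 6.1: the formulas that must hold in every V(t)-reachable world."""
    boxed = {f for f in S if f[0] == 'box' and f[1] == t}
    stripped = {f[2] for f in boxed}
    return {'K': stripped, 'D': stripped, 'T': stripped,
            'K4': stripped | boxed, 'D4': stripped | boxed, 'S4': boxed}[logic]

def saturate(S, logic, fresh):
    """Apply the invertible rules (and), (exists) with a new parameter and, for T and S4,
    the reflexive ([t]) rule until nothing changes."""
    S, todo = set(S), True
    while todo:
        todo = False
        for f in list(S):
            if f[0] == 'and':
                S.discard(f)
                S |= {f[1], f[2]}
                todo = True
            elif f[0] == 'ex':                           # parameter condition: p is new
                S.discard(f)
                S.add(subst(f[2], f[1], f'p{next(fresh)}'))
                todo = True
            elif f[0] == 'box' and logic in ('T', 'S4') and f[2] not in S:
                S.add(f[2])
                todo = True
    return S

def refutable(S, logic, fuel=4, fresh=None):
    """Bounded search for a refutation of the sequent S (a set of sentences in negation
    normal form) in the sequent calculus for logic, one of K, D, T, K4, D4, S4.  fuel
    bounds the (forall) rounds and modal steps, so False means 'no refutation found
    within the bound', not 'satisfiable'."""
    fresh = count() if fresh is None else fresh
    S = saturate(S, logic, fresh)
    if any(f[0] == 'not' and f[1] in S for f in S):      # (ax): complementary literals
        return True
    if fuel == 0:
        return False
    for f in S:                                          # (or): both premises must be refuted
        if f[0] == 'or':
            rest = S - {f}
            return (refutable(rest | {f[1]}, logic, fuel, fresh)
                    and refutable(rest | {f[2]}, logic, fuel, fresh))
    terms = set().union(*(ground_terms(f) for f in S)) or {f'p{next(fresh)}'}
    inst = {subst(f[2], f[1], t) for f in S if f[0] == 'all' for t in terms} - S
    if inst:                                             # (forall): keep the universal formula
        return refutable(S | inst, logic, fuel - 1, fresh)
    for f in S:                                          # (<t>) is not invertible: try each one
        if f[0] == 'dia' and refutable(reach(S, f[1], logic) | {f[2]}, logic, fuel - 1, fresh):
            return True
    if logic in ('D', 'D4'):                             # serial ([t]): S / S[t] for any term t
        return any(refutable(reach(S, t, logic), logic, fuel - 1, fresh) for t in terms)
    return False

def R(t):
    return ('atom', 'R', (t,))

# The negation normal form of Example 14: Ez([z]Ax R(x) ^ Ey<z>~R(y))
x, y, z = Var('x'), Var('y'), Var('z')
EXAMPLE_14 = ('ex', z, ('and', ('box', z, ('all', x, R(x))),
                       ('ex', y, ('dia', z, ('not', R(y))))))

if __name__ == '__main__':
    for logic in ('K', 'D', 'T', 'K4', 'D4', 'S4'):
        print(logic, refutable({EXAMPLE_14}, logic))
```

The logic-specific behaviour is visible on the negations of the characteristic axioms: [p]R(a) ∧ ¬R(a) is refutable in T but not in K, [p]R(a) ∧ ⟨p⟩⟨p⟩¬R(a) in K4 but not in K, and [p]R(a) ∧ [p]¬R(a) in D but not in K, because only the serial ([t]) rule lets the search enter a successor world without a ⟨t⟩-formula.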

Since every formula has a negation normal form, we can restrict ourselves to negation normal forms. Moreover, using the fact that a formula and its negation normal form obtained by the transformation of Figure 5.1 have, in a sense, similar structure, it is not hard to change the sequent calculi introduced above for formulas in negation normal form into calculi for arbitrary formulas or signed formulas. For example, consider the transformation

B ⊃ C ⇒ ¬B ∨ C.

Using the similarity between ⊃ and ∨, we can turn the sequent calculus inference rule for ∨

$$\frac{S, A \qquad S, B}{S, A \lor B}\ (\lor)$$

into a structurally similar sequent calculus rule for ⊃:

$$\frac{S, \lnot A \qquad S, B}{S, A \supset B}\ (\supset)$$

or a structurally similar sequent calculus rule for T ⊃ in the system for signed formulas:

$$\frac{S, F\,A \qquad S, T\,B}{S, T\,A \supset B}\ (T\supset)$$

So, we will not concern ourselves with arbitrary formulas anymore, but rather deal with formulas in negation normal form.

The correspondence between our rules and the uniform notation of Smullyan (1963) used in (Fitting 1983, Fitting 1996a) and (Wallen 1990) is given in Figure 6.2.

Uniform rule notation    Our notation
(α)                      (∧)
(β)                      (∨)
(γ)                      (∀)
(δ)                      (∃)
(ν)                      ([t])
(π)                      (⟨t⟩)

Figure 6.2: The correspondence between the uniform notation and rules of sequent calculi for L

We will augment the logics defined above with so-called global assumptions. Let a set of sentences be given, whose elements we call the global assumptions, and let L be one of the logics defined above. We call a sequent calculus for L with global assumptions the calculus obtained from L by adding the rule

$$\frac{S, A}{S}$$

where A is a global assumption.

6.2 TABLEAU SYSTEMS

Tableau systems formalize proof search in sequent calculi. Tableaux are often introduced as trees of formulas, with inference rules on tableaux formulated in terms of branches. To simplify the presentation, we introduce tableaux as multisets of branches.


Definition 15 (Tableau, branch, empty branch) A tableau is a finite multiset S₁, …, Sₙ of sequents, denoted S₁ | ⋯ | Sₙ. The empty tableau is denoted by #. Every sequent Sᵢ is called a branch of this tableau.

The tableau calculus for each logic studied in this part can be obtained by a simple transformation of the corresponding sequent calculus. For every inference rule

$$\frac{S_1 \quad \cdots \quad S_n}{S}$$

of the sequent calculus, the corresponding tableau rule has the form

$$\frac{S \mid T}{S_1 \mid \cdots \mid S_n \mid T}$$

where T is any tableau. Note the reverse order of the sequents. The tableau calculus rules have the following intuitive meaning: suppose that we search for a refutation of S and all sequents in T. Then, since there is a sequent calculus rule reducing S to the sequents S₁, …, Sₙ, it is enough to find a refutation of S₁, …, Sₙ and all sequents in T. To find a refutation for a formula A, we begin with a tableau consisting of one branch A and try to apply the tableau rules until no (unrefuted) branches remain.

Formally, the tableau calculi for L are shown in Figure 6.3.

Theorem 16 (Equivalence of tableau calculi and sequent calculi) A sequent S has a refutation in the sequent calculus for L (with global assumptions) iff a derivation of # from S exists in the tableau calculus for L (with the same global assumptions).


For all logics (K, D, T, K4, D4, S4):

$$\frac{S, A, \lnot A \mid T}{T}\ |ax| \qquad \frac{S, A \lor B \mid T}{S, A \mid S, B \mid T}\ |\lor| \qquad \frac{S, A \land B \mid T}{S, A, B \mid T}\ |\land|$$

$$\frac{S, \exists x A(x) \mid T}{S, A(p) \mid T}\ |\exists|^{*} \qquad \frac{S, \forall x A(x) \mid T}{S, \forall x A(x), A(t) \mid T}\ |\forall| \qquad \frac{S, \langle t\rangle A \mid T}{S[t], A \mid T}\ |\langle t\rangle|$$

For serial logics (D, D4):

$$\frac{S \mid T}{S[t] \mid T}\ |[t]|$$

For reflexive logics (T, S4):

$$\frac{S, [t]A \mid T}{S, A \mid T}\ |[t]|$$

For systems with global assumptions:

$$\frac{S \mid T}{S, A \mid T}\qquad \text{where } A \text{ is a global assumption.}$$

Here S[t] is defined in the same way as for the sequent calculi.

* The rule |∃| satisfies the parameter condition: p is a parameter having no occurrences in the premise of the rule.

Figure 6.3: Tableau calculi


Chapter 7

Soundness

The aim of this chapter is to prove soundness of the introduced sequent calculi. Soundness of the tableau calculi will immediately follow by Theorem 16.

Theorem 17 (Soundness of sequent calculi) If a sequent has a refutation in the sequent calculus for L, then it is L-unsatisfiable.

Proof. The proof is by induction on the number of inferences in the refutation. The smallest refutations are simply the axioms S, A, ¬A. Evidently, such a sequent has no model. Take any longer refutation and consider the bottom inference of this refutation

$$\frac{S_1 \quad \cdots \quad S_n}{S} \qquad (7.1)$$

If we prove that any L-model of S is also an L-model of some Sᵢ, then we are done, since all Sᵢ have shorter refutations than S and by the induction hypothesis cannot have L-models.

So we now assume that 𝒮 is an L-model of S and prove that it is also a model of some Sᵢ. The proof is by case analysis on the inference rule used in inference (7.1). The proof is standard for most cases, so we only consider two rules, ([t]) and (⟨t⟩). In the proof, let [t]S denote the set {[t]A | A ∈ S}.

Case: rule (⟨t⟩) for logics K, D and T. The rule has the form

$$\frac{S_2, A}{S_1, [t]S_2, \langle t\rangle A}\ (\langle t\rangle)$$

for some S₁, S₂. We assume that there exists a structure 𝒮 and valuation V under which for some world w we have w ⊩ S₁, [t]S₂, ⟨t⟩A, and show that the sequent S₂, A is satisfiable in 𝒮. Since w ⊩ ⟨t⟩A, there exists a world w′ such that $w \xrightarrow{V(t)} w'$ and w′ ⊩ A. By w ⊩ [t]S₂ and $w \xrightarrow{V(t)} w'$ we also have w′ ⊩ S₂, and therefore w′ ⊩ S₂, A.


Case: rule ([t]) for logic D4. The rule has the form

$$\frac{S_2, [t]S_2}{S_1, [t]S_2}\ ([t])$$

We assume that there exists a D4-structure 𝒮, world w and valuation V such that under 𝒮 and V we have w ⊩ S₁, [t]S₂, and show that the sequent S₂, [t]S₂ is satisfiable in 𝒮.

Since 𝒮 is a D4-structure, its accessibility relation is serial, so there exists a world w′ such that $w \xrightarrow{V(t)} w'$. By w ⊩ [t]S₂ and $w \xrightarrow{V(t)} w'$ we have w′ ⊩ S₂.

Consider any world w″ such that $w' \xrightarrow{V(t)} w''$. Since 𝒮 is a D4-structure, its accessibility relation is transitive, so we have $w \xrightarrow{V(t)} w''$. This together with w ⊩ [t]S₂ gives us w″ ⊩ S₂. Since w″ was an arbitrary world satisfying $w' \xrightarrow{V(t)} w''$, we get w′ ⊩ [t]S₂. Thus, w′ ⊩ S₂, [t]S₂.

□


Chapter 8

Completeness

Now our aim is to prove completeness of the sequent calculi.

Theorem 18 (Completeness of sequent calculi) Let S be a set of sentences. If S has no refutation in the sequent calculus for L with global assumptions, then there exists an L-structure 𝒮 and a valuation V under which S is locally satisfied and all global assumptions are globally satisfied.

We will build an L-model for a sequent with no refutation using the construction of Fitting (1983). The construction is roughly as follows. First we define an abstract property capturing the syntactic counterpart of satisfiability, called the consistency property. Then we show that the family of non-refutable sets of formulas is such a consistency property. The completeness is finally proved by showing that each set of formulas in this consistency property must be satisfiable. This means that every non-refutable sequent has a model. We will also establish a stronger form of completeness for calculi with global assumptions: in the constructed L-model all global assumptions will be satisfied globally, i.e. in every world. Our construction differs from that of Fitting (1983) in several respects. Firstly, the new modal operators require special treatment. Secondly, our logic has function symbols, which were not treated in (Fitting 1983). Thirdly, we simplified the construction of Fitting (1983) in several respects.

We will use the fact that valuations do not change between worlds, and prove the existence of a special kind of model: a structure in which (i) the domain consists of all ground terms in T(Σ ∪ P), where P is a set of parameters, and (ii) each term is evaluated to itself. We call such structures Herbrand structures.

Definition 19 (Herbrand structure) Let 𝒮 = ⟨W, 𝒟, →, I, ⊩⟩ be a structure over a domain D of a signature Σ. Then 𝒮 is called a Herbrand structure if (i) D is the set of ground terms of T(Σ ∪ P) for some set of parameters P and (ii) for the interpretation function I the following holds:

1. for every constant c, I(c) = c;

2. for every function symbol f and terms t₁, …, tₙ, I(f)(t₁, …, tₙ) = f(t₁, …, tₙ).

Note the following two properties of Herbrand structures.

1. The requirement on functions to be totally defined in a world has a consequence for the structure of the worlds of Herbrand structures: if the domain D_w of a world w contains parameters p₁, …, pₙ, it also contains all terms built using the function symbols of Σ and the parameters p₁, …, pₙ.

2. If a valuation V in a Herbrand structure is the identity function on the set of parameters, i.e. V(p) = p for all p, then also V(t) = t for every ground term t ∈ T(Σ ∪ P).

8.1 MODEL EXISTENCE

In the proof of the Model Existence Theorem below we will construct a Herbrand structure.

In the proofs below we will assume that we have a set of parameters P which has the same cardinality as the set of closed formulas of Σ. If, for instance, the sets of constants, function symbols and relation symbols are all countable, then we also assume the set P to be countable.

Definition 20 (Consistency property) A set of sequents C is called a (first-order) L-consistency property if, for each S ∈ C,

(A) S contains no atomic formula A together with its negation ¬A.

(∧) If A ∧ B ∈ S, then S ∪ {A, B} ∈ C.

(∨) If A ∨ B ∈ S, then S ∪ {A} ∈ C or S ∪ {B} ∈ C.

(⟨t⟩) If ⟨t⟩A ∈ S, then S[t] ∪ {A} ∈ C.

([t]) (a) For logics K and K4, no other conditions.

(b) For T and S4, if [t]A ∈ S, then S ∪ {A} ∈ C.

(c) For D and D4, if S ∈ C, then S[t] ∈ C (for every ground term t, matching the serial ([t]) rule).

(∀) If ∀xA(x) ∈ S, then S ∪ {A(t)} ∈ C for every ground term t.

(∃) If ∃xA(x) ∈ S, then S ∪ {A(t)} ∈ C for some ground term t.

Let a set of sentences of the signature Σ be given, the global assumptions. A consistency property C is called compatible with the global assumptions if

for every S ∈ C and every global assumption A we have S ∪ {A} ∈ C.

We will simply say consistency property instead of L-consistency property when it causes no ambiguity. Note that we only speak of compatibility with global assumptions when the global assumptions use no parameters. Also note that the notion of consistency property depends on the signature and parameters used in formulas, because the (∀)-condition requires a property to be satisfied for every ground term. So if a set of sequents is a consistency property in a language with parameters P, it may violate the (∀)-condition when considered in a language with more parameters.

The main theorem of this section is the following.

Theorem 21 (Model existence) Let C be an L-consistency property compatible with the global assumptions, and let S ∈ C be a set of sentences in the signature Σ. Then there exists a Herbrand structure 𝒮 and a valuation V in 𝒮 under which S is locally satisfied and every global assumption is globally satisfied.

The proof will be given after a series of lemmas.

The first three lemmas (22, 25 and 27) are applied to the consistency property to close it under subsets, add all parameter variants to it, and add all sets constructed from finite subsets already in it. The three lemmas are summarized as Proposition 28.

The first step in our attempt to build a model is to close the consistency property under subsets.

Lemma 22 (Subsets closure) Let C be an L-consistency property compatible with the global assumptions, and let C′ consist of the subsets of all S ∈ C. Then C′ is also an L-consistency property compatible with the global assumptions, and C′ is closed under subsets.

Proof. We consider only one case, the other cases are similar.

(∧) Suppose S′ ∈ C′ and A ∧ B ∈ S′. We have to show S′ ∪ {A, B} ∈ C′. Since C′ consists of the subsets of sets in C, for some S ∈ C we have S′ ⊆ S. Then A ∧ B ∈ S, and by the (∧)-condition on consistency properties S ∪ {A, B} ∈ C. Evidently, S′ ∪ {A, B} ⊆ S ∪ {A, B}, hence S′ ∪ {A, B} ∈ C′.

□

Now, the conditions on consistency properties reflect both the definition of truth of formulas in structures and the rules of the sequent calculi, but with one exception. The ($\exists$)-condition is in the spirit of the definition of truth (if $\exists x A(x)$ is true, then $A(p)$ is true for some $p$). However, the corresponding sequent calculus rule is

$$\frac{S, A(p)}{S, \exists x A(x)}\ (\exists),$$

where $p$ is a new parameter. We want to make the notion of consistency property reflect this rule, so we will change the ($\exists$)-condition of consistency properties.

Definition 23 (Alternate $L$-consistency property) Let $C$ be a set of sequents. We say that $C$ meets the new parameter condition if for each $S \in C$, if $\exists x A(x) \in S$, then $S \cup \{A(p)\} \in C$ for every parameter $p$ that does not occur in $S$. If $C$ satisfies all conditions for a ($\Gamma$-compatible) consistency property except that the ($\exists$)-condition is replaced by the new parameter condition, then $C$ is called an alternate $L$-consistency property.

The condition that $A(p) \in S$ for every parameter $p$ that does not occur in $S$ is not restrictive. Since $p$ does not occur in $S$ (and, being a parameter, does not occur in $\Gamma$ either), there is from the viewpoint of $S$ no difference between $p$ and any other new parameter.

An alternate consistency property is not necessarily a consistency property: $S$ may already contain all parameters. We will overcome this problem by an iterative construction of consistency properties, adding more parameters into the language at every iteration step.

Definition 24 (Parameter substitution, parameter variant) Any function $\theta : P \to T(\Sigma \cup P)$ is called a parameter substitution. For a sentence $A$, $\theta(A)$ denotes the result of replacing every parameter in $A$ by its image under $\theta$. Similarly, $\theta$ is extended to sets of sentences. The formula $\theta(A)$ and the set $\theta(S)$ are called the parameter variants of $A$ and $S$, respectively.

Lemma 25 (Parameter variants extension) Suppose that $C'$ is a $\Gamma$-compatible $L$-consistency property closed under subsets. Define $C''$ by: $S \in C''$ if $\theta(S) \in C'$ for some parameter substitution $\theta$. Then $C''$ extends $C'$ and is a $\Gamma$-compatible alternate $L$-consistency property closed under subsets.

Proof. We will only verify that $C''$ satisfies the new parameter condition; all other conditions are not difficult to prove.

Suppose $S \in C''$, $\exists x A(x) \in S$ and $p$ is a parameter that does not occur in $S$. We have to show that $S \cup \{A(p)\} \in C''$.

Since $S \in C''$, there is a parameter substitution $\theta$ such that $\theta(S) \in C'$. Note that $\theta(\exists x A(x)) \in \theta(S)$. Denote $\theta(A(x))$ by $B(x)$. Since $C'$ is an $L$-consistency property and $\exists x B(x) \in \theta(S)$, there exists a term $t$ such that $\theta(S) \cup \{B(t)\} \in C'$. Define $\theta'$ to behave exactly as $\theta$ except that $\theta'(p) = t$. Using the fact that $p$ does not occur in $S$, it is not hard to argue that $\theta'(S \cup \{A(p)\}) = \theta(S) \cup \{B(t)\}$. Thus $S \cup \{A(p)\}$ is a parameter variant of a sequent in $C'$, and hence it is a member of $C''$. □

Next, we would like the consistency property to satisfy the finite character property defined below.

Definition 26 (Finite character) A collection $C$ of sets is said to be of finite character if for every set $S$, $S$ belongs to $C$ if and only if each finite subset of $S$ belongs to $C$.

Lemma 27 (Finite character extension) Suppose $C''$ is a $\Gamma$-compatible alternate $L$-consistency property closed under subsets. Let $C'''$ consist of those sequents $S$ all of whose finite subsets are in $C''$. Then $C'''$ is again a $\Gamma$-compatible alternate $L$-consistency property, which extends $C''$ and is of finite character.

Proof. As usual, we will only check some conditions on alternate consistency properties.

($\vee$) Let $S \in C'''$ and $A \vee B \in S$. We have to prove that either $S \cup \{A\} \in C'''$ or $S \cup \{B\} \in C'''$. Suppose, by contradiction, $S \cup \{A\} \notin C'''$ and $S \cup \{B\} \notin C'''$. By the definition of $C'''$, there are finite sets $F_1 \subseteq S \cup \{A\}$ and $F_2 \subseteq S \cup \{B\}$ such that $F_1, F_2 \notin C''$. Consider the finite set $F = (F_1 - \{A\}) \cup (F_2 - \{B\}) \cup \{A \vee B\}$. Then $F$ is a finite subset of $S$, hence $F \in C''$. By the condition ($\vee$) on $C''$, either $F \cup \{A\} \in C''$ or $F \cup \{B\} \in C''$. We show that in either case we obtain a contradiction. Suppose $F \cup \{A\} \in C''$ (the second case is similar). It is not hard to argue that $F_1 \subseteq F \cup \{A\}$. Since $C''$ is closed under subsets, $F_1 \in C''$. Contradiction.

($\exists$) Let $S \in C'''$ and $\exists x A(x) \in S$. We have to prove that for each parameter $p$ not occurring in $S$ we have $S \cup \{A(p)\} \in C'''$. Suppose, by contradiction, $S \cup \{A(p)\} \notin C'''$. By the definition of $C'''$, there is a finite set $F \subseteq S \cup \{A(p)\}$ such that $F \notin C''$. Consider the finite set $F' = (F - \{A(p)\}) \cup \{\exists x A(x)\}$. Then $F'$ is a finite subset of $S$, so $F' \in C''$. Note that $p$ does not occur in $F'$; then by the condition ($\exists$) on $C''$ we have $F' \cup \{A(p)\} \in C''$. Evidently, $F \subseteq F' \cup \{A(p)\}$. Since $C''$ is closed under subsets, $F \in C''$. Contradiction.

It is easy to see that $C'''$ is of finite character. □

Let us summarize the results obtained so far:

Proposition 28 Let $C$ be a $\Gamma$-compatible $L$-consistency property. Then $C$ can be extended to a set $C^*$ that is a $\Gamma$-compatible alternate $L$-consistency property of finite character.

Let us now state two lemmas about alternate consistency properties of finite character. Lemma 30 says that a restriction of an alternate consistency property of finite character to certain sublanguages gives us an alternate consistency property of finite character. It will be helpful when we need to add new parameters in order to satisfy the ($\exists$)-condition on consistency properties. Lemma 33 asserts the existence of maximal elements in sets of finite character, which will be used as possible worlds in the model construction.

Definition 29 (Section) Let $P$ be a set of parameters and $C$ be a set of sequents. By the $P$-section of $C$, denoted $C{\upharpoonright}P$, we mean

$$\{S \in C \mid \text{each parameter occurring in } S \text{ is a member of } P\}.$$

The following lemma is straightforward.

Lemma 30 (Section restriction) Suppose $C$ is a $\Gamma$-compatible alternate $L$-consistency property of finite character in the language with parameters $P$ and $P_0 \subseteq P$. Then the $P_0$-section of $C$ is a $\Gamma$-compatible alternate $L$-consistency property of finite character in the language with parameters $P_0$.

Note that this lemma does not hold when alternate consistency properties are replaced by consistency properties. Consider e.g. that while $C = \{\{\exists x A(x)\}, \{\exists x A(x), A(p)\}\}$ is a consistency property, $C{\upharpoonright}\emptyset$ is not.

The following lemma has a straightforward proof by transfinite induction on ordinals.

Lemma 31 Let $C$ be a collection of sets of finite character. Then

1. Each member of C is contained in a maximal member;

2. The union of any chain of members is a member.


Now we give a definition closely related to witness formulas $A(p)$ for $\forall x A(x)$, and then proceed to the proof of Model Existence Theorem 21.

Definition 32 (Downward saturated set) Suppose $C^*$ is a $\Gamma$-compatible alternate $L$-consistency property of finite character and $P$ is a set of parameters. Let $S$ be a set of sentences in $F(\Sigma \cup P)$. We say $S$ is downward saturated in $C^*{\upharpoonright}P$ if

1. $S$ is maximal in the alternate $L$-consistency property $C^*{\upharpoonright}P$.

2. If $\exists x A(x) \in S$, then $A(p) \in S$ for some $p \in P$.

Lemma 33 ($\exists$-completion) Suppose $C^*$ is a $\Gamma$-compatible alternate $L$-consistency property of finite character in the language with parameters $P_0$, where $P_0$ has the same cardinality as $F(\Sigma)$. Suppose also that $P, Q \subseteq P_0$ are disjoint sets of parameters of the same cardinality as $F(\Sigma)$. If $S \in C^*{\upharpoonright}P$, then $S$ may be extended to a set that is downward saturated in $C^*{\upharpoonright}(P \cup Q)$.

Proof. Since $Q$ is infinite, it can be partitioned into countably many pairwise disjoint sets $Q_1, Q_2, \ldots$, all of the same cardinality as $Q$ itself. Note that the sets of $\exists$-sentences in the sets $F(\Sigma)$, $F(\Sigma \cup P)$, $F(\Sigma \cup P \cup Q)$, and $F(\Sigma \cup P \cup Q_1 \cup Q_2 \cup \cdots \cup Q_n)$ are all of the same cardinality as $P$.

Now, suppose $S \in C^*{\upharpoonright}P$. Then $S \in C^*{\upharpoonright}(P \cup Q_1)$. Well-order the members of $Q_1$ as $q_0, q_1, \ldots, q_\alpha, \ldots$ and the $\exists$-sentences of $S$: $\exists x A_0(x), \exists x A_1(x), \ldots, \exists x A_\alpha(x), \ldots$ in such a way that for every ordinal $\alpha$, the set of parameters occurring in $A_\alpha(x)$ is a subset of $\{q_\beta \mid \beta < \alpha\}$.

Consider the set $S \cup \{A_\alpha(q_\alpha) \mid \alpha = 0, 1, \ldots, \beta, \ldots\}$. We claim it is a member of $C^*{\upharpoonright}(P \cup Q_1)$. Suppose the contrary; then there is the smallest ordinal $\alpha$ such that $S \cup \{A_\beta(q_\beta) \mid \beta < \alpha\} \in C^*{\upharpoonright}(P \cup Q_1)$ but $S \cup \{A_\beta(q_\beta) \mid \beta \le \alpha\} \notin C^*{\upharpoonright}(P \cup Q_1)$. Note that $q_\alpha$ does not occur in any member of $S \cup \{A_\beta(q_\beta) \mid \beta < \alpha\} \in C^*{\upharpoonright}(P \cup Q_1)$. By Lemma 30, $C^*{\upharpoonright}(P \cup Q_1)$ is an alternate $L$-consistency property, so by the ($\exists$)-condition of alternate consistency properties

$$S \cup \{A_\beta(q_\beta) \mid \beta < \alpha\} \cup \{A_\alpha(q_\alpha)\} \in C^*{\upharpoonright}(P \cup Q_1).$$

But this set is exactly $S \cup \{A_\beta(q_\beta) \mid \beta \le \alpha\}$, so we have a contradiction.

We have proved that $S \cup \{A_\alpha(q_\alpha) \mid \alpha = 0, 1, \ldots, \beta, \ldots\}$ is a member of $C^*{\upharpoonright}(P \cup Q_1)$. By Lemma 31, it can be extended to a maximal member $S_1$. Now $S_1$ has a "witness parameter" $q$ for every sentence $\exists x A(x)$ that uses only parameters in $P$, i.e. such that $A(q) \in S_1$. However, our construction does not imply that $S_1$ contains a witness for $\exists$-formulas containing parameters in $Q_1$.


To overcome this problem, we iterate the construction again, this time using $S_1$ instead of $S$ and $Q_2$ instead of $Q_1$. Further iterations give us a sequence of sets

$$S \subseteq S_1 \subseteq S_2 \subseteq \cdots$$

such that

(8.1) each $S_n$ is maximal in $C^*{\upharpoonright}(P \cup Q_1 \cup \cdots \cup Q_n)$;

(8.2) if $\exists x A(x) \in S_n$, then for some $q \in Q_{n+1}$ we have $A(q) \in S_{n+1}$.

Define $S^* = \bigcup_n S_n$. By Lemma 31, $C^*$ is closed under chains, so $S^* \in C^*$.

Note that all parameters occurring in $S^*$ are in $Q$, thus $S^* \in C^*{\upharpoonright}(P \cup Q)$. We claim that $S^*$ is a maximal member of $C^*{\upharpoonright}(P \cup Q)$. This amounts to showing that for every sentence $B \in F(\Sigma \cup P \cup Q)$, if $S^* \cup \{B\} \in C^*{\upharpoonright}(P \cup Q)$, we have $B \in S^*$. Since $B$ can contain only a finite number of parameters, $B \in F(\Sigma \cup P \cup Q_1 \cup \cdots \cup Q_n)$ for some $n$. Since $S \cup \{B\} \in C^*{\upharpoonright}(P \cup Q)$, which is of finite character, hence closed under subsets, $S_n \cup \{B\} \in C^*{\upharpoonright}(P \cup Q)$. It follows that $S_n \cup \{B\} \in C^*{\upharpoonright}(P \cup Q_1 \cup \cdots \cup Q_n)$, hence by maximality of $S_n$ we have $B \in S_n$, and since $S_n \subseteq S^*$ also $B \in S^*$.

Using (8.2), one may show that if $\exists x A(x) \in S^*$, then $A(q) \in S^*$ for some $q \in Q$. Thus $S^*$ is downward saturated in $C^*{\upharpoonright}(P \cup Q)$. □

Now we have the background to prove the Model Existence Theorem.

Proof (of Theorem 21). Recall that, given a $\Gamma$-compatible $L$-consistency property $C$ and a set of sentences $S \in C$ in the signature $\Sigma$, we are going to build a Herbrand structure $\mathcal{S}$ and a valuation $V$ in $\mathcal{S}$ under which $S$ is locally and $\Gamma$ is globally satisfied.

Using Proposition 28 extend $C$ to an alternate $L$-consistency property $C^*$ that is also $\Gamma$-compatible. We take a set $P$ of parameters of the same cardinality as $F(\Sigma)$ and split it in countably many mutually disjoint sets $P_1, P_2, \ldots$, each of them of the same cardinality as $P$ itself. We will define our structure $\mathcal{S} = \langle W, D, \to, I, \models \rangle$ over a domain $D$ as follows.

The domain $D$ is the set of all ground terms of $\Sigma$ with parameters in $P$. We put a set $S$ in $W$ if $S$ is downward saturated in $C^*{\upharpoonright}(P_1 \cup \cdots \cup P_n)$ for some $n$. The domain of any such world $S$ is the subset of $D$ consisting of terms with parameters in $P_1 \cup \cdots \cup P_n$. Since we want $\mathcal{S}$ to be a Herbrand structure, we define the interpretation function $I$ as in Definition 19. Now we define the valuation $V$ as the identity mapping. By our remarks after the definition of Herbrand structures we have $V(t) = t$ for every ground term $t$ of the signature $\Sigma \cup P$.


Define the reachability relation $\to$ on $W$ as follows: $S \xrightarrow{t} S'$ if $S[t] \subseteq S'$ and $D_S \subseteq D_{S'}$.

Now we define the relation $\models$ on $\mathcal{S}$ as follows. For any atomic sentence $A$ we let $S \models A$ if $A \in S$. Thus, the structure $\mathcal{S}$ and valuation $V$ are defined. We prove the following:

(8.3) $\mathcal{S}$ is an $L$-structure.

First, we note the following useful facts:

(8.4) For any choice of logic $L$, if $S_1 \subseteq S_2$, then $S_1[t] \subseteq S_2[t]$.

(8.5) For S4 we have $S[t] = S[t][t]$ and $S[t] \subseteq S$.

(8.6) For K4 and D4 we have $S[t] \subseteq S[t][t]$.

Now we verify (8.3) for each particular logic L.

Case: $L$ = K. There is nothing to verify since every structure is a K-structure.

Case: $L$ = T. We have to prove $S \xrightarrow{t} S$, i.e. $S[t] \subseteq S$. Take any $A \in S[t]$; then $[t]A \in S$. Since $C^*$ is an alternate T-consistency property, $S \cup \{A\} \in C^*$. But $S$ is maximal in a section of $C^*$ containing all parameters in $A$, hence $A \in S$. Since $A$ was arbitrary, $S[t] \subseteq S$.

The condition on the domains $D_S \subseteq D_S$ is obvious. This condition will be obvious for all other cases, so we do not verify it henceforth.

Case: $L$ = D. Suppose $S \in W$; we have to find $S' \in W$ such that $S \xrightarrow{t} S'$, i.e. $S[t] \subseteq S'$. Since $C^*$ is an alternate D-consistency property, $S[t] \in C^*$. Take $S'$ to be a maximal member extending $S[t]$ in any language containing all parameters in $S$; then $S[t] \subseteq S'$.

Case: $L$ = K4. Suppose $S_1[t] \subseteq S_2$ and $S_2[t] \subseteq S_3$. We have to prove $S_1[t] \subseteq S_3$. By (8.4) above, $S_1[t][t] \subseteq S_2[t]$. Then by (8.6) above, $S_1[t] \subseteq S_2[t]$; this and $S_2[t] \subseteq S_3$ implies $S_1[t] \subseteq S_3$.

Case: $L$ = D4. Seriality is proved by the same argument as for D above and transitivity by the same argument as for K4.

Case: $L$ = S4. Showing reflexivity reduces to $S[t] \subseteq S$, which follows from (8.5) above. Transitivity is proved by the same argument as for K4.

We proved (8.3), i.e. that $\mathcal{S}$ is an $L$-structure. Next, we prove:


(8.7) Let $A$ be a sentence and $S \in C^*$. If $A \in S$, then $S \models A$.

The proof is by induction on the structure of $A$. We take any $S \in C^*$. Suppose $S$ is downward saturated in $C^*{\upharpoonright}(P_1 \cup \cdots \cup P_n)$ and $A \in S$.

Case: $A$ is atomic. Then $S \models A$ by the definition of $\models$ in $\mathcal{S}$.

Case: $A$ is a negative literal $\neg B$. By definition of consistency property we have $B \notin S$. Then by the definition of $\models$ in $\mathcal{S}$ we have $S \not\models B$, and hence $S \models A$.

Case: $A$ is $A_1 \wedge A_2$. By the definition of consistency property we have $S \cup \{A_1, A_2\} \in C^*$. Since $S$ is maximal, this implies $A_1, A_2 \in S$. By the induction hypothesis, $S \models A_1$ and $S \models A_2$, hence $S \models A_1 \wedge A_2$.

Case: $A$ is $A_1 \vee A_2$. By the definition of consistency property, either $S \cup \{A_1\} \in C^*$ or $S \cup \{A_2\} \in C^*$. Since $S$ is maximal, this implies that either $A_1 \in S$ or $A_2 \in S$. By the induction hypothesis, either $S \models A_1$ or $S \models A_2$, hence $S \models A_1 \vee A_2$.

Case: $A$ is $\forall x B(x)$. By Lemma 30, $C^*{\upharpoonright}(P_1 \cup \cdots \cup P_n)$ is an alternate consistency property in the signature $\Sigma \cup P_1 \cup \cdots \cup P_n$. Then for every term $t \in T(\Sigma \cup P_1 \cup \cdots \cup P_n)$ we have $S \cup \{B(t)\} \in C^*{\upharpoonright}(P_1 \cup \cdots \cup P_n)$. By maximality, $S$ contains all formulas $B(t)$. By the induction hypothesis $S \models B(t)$ for all such $t$. But $T(\Sigma \cup P_1 \cup \cdots \cup P_n)$ is the domain of $S$, hence $S \models \forall x B(x)$.

Case: $A$ is $\exists x B(x)$. Since $S$ is downward saturated, $S$ contains $B(t)$ for some $t \in T(\Sigma \cup P_1 \cup \cdots \cup P_n)$, therefore $S \models B(t)$. But $t$ belongs to the domain of $S$, hence $S \models \exists x B(x)$.

Case: $A$ is $\langle t \rangle B$. For every choice of logic $L$ we have $S[t] \cup \{B\} \in C^*$. Take any downward saturated $S'$ in a signature containing $\Sigma \cup P_1 \cup \cdots \cup P_n$ such that $S[t] \cup \{B\} \subseteq S'$. By our construction we have $S \xrightarrow{t} S'$. By the induction hypothesis $S' \models B$, hence $S \models \langle t \rangle B$.

Case: $A$ is $[t]B$. We take any $S'$ such that $S[t] \subseteq S'$ and $S'$ contains all parameters in $S$ and claim $B \in S'$; then by the induction hypothesis $S' \models B$. Consider two cases.

Subcase: $L$ = S4. By the definition of $S[t]$ for S4, if $[t]B \in S$, then $[t]B \in S[t]$, hence $[t]B \in S'$. By the definition of consistency property for S4, since $[t]B \in S'$, then $S' \cup \{B\} \in C^*$. Since $S'$ is maximal, $B \in S'$.

Subcase: $L$ is any other logic. By the definition of $S[t]$ for $L$, if $[t]B \in S$, then $B \in S[t]$, hence $B \in S'$.

So (8.7) is proved. We return to the proof of the Model Existence Theorem. Recall that we intend to prove that under $\mathcal{S}$ and $V$ all formulas occurring in any member of $C$ are locally satisfied and all formulas in $\Gamma$ are globally satisfied.

1. Take any $A \in S \in C$. Extend $S$ to a downward saturated $S' \in C^*$ (Proposition 28 and Lemma 33). Then $S'$ is a world in $\mathcal{S}$ and $A \in S'$. By (8.7), $A$ is satisfied in this world.

2. Take any $A \in \Gamma$ and $S \in W$. Let $S$ be downward saturated in $C^*{\upharpoonright}(P_1 \cup \cdots \cup P_n)$. By Lemma 30, $C^*{\upharpoonright}(P_1 \cup \cdots \cup P_n)$ is a $\Gamma$-compatible alternate $L$-consistency property, hence $S \cup \{A\} \in C^*{\upharpoonright}(P_1 \cup \cdots \cup P_n)$. Since $S$ is maximal, $A \in S$. By (8.7), $A$ is satisfied in the world $S$. Since $S$ was arbitrary, $A$ is satisfied in every world of $\mathcal{S}$.

The proof of the Model Existence Theorem is completed. □

8.2 THE COMPLETENESS THEOREM

The Completeness Theorem 18 can now be proved using the Model Existence Theorem 21 in a rather straightforward way.

Proof (of Theorem 18). Take an infinite set of parameters $P$ and consider the following set $C$ of sequents of the signature $\Sigma$: we put $S$ in $C$ if $S$ uses only a finite number of parameters and $S$ has no refutation in $L$ with global assumptions $\Gamma$. We claim

(8.8) $C$ is a $\Gamma$-compatible $L$-consistency property.

We consider only some conditions of $L$-consistency property; others are rather straightforward. Take any $S \in C$.

(A) We prove: $S$ contains no atomic formula $A$ and its negation $\neg A$. Indeed, if $S$ contains $A$ and $\neg A$, it is an axiom of $L$, hence has a refutation.

($\wedge$) We prove: if $A \wedge B \in S$, then $S \cup \{A, B\} \in C$. Suppose $A \wedge B \in S$. Consider the inference

$$\frac{S, A, B}{S, A \wedge B}\ (\wedge).$$

If $S \cup \{A, B\}$ had a refutation, so would $S \cup \{A \wedge B\} = S$, hence $S \cup \{A, B\}$ has no refutation. By the definition of $C$, we have $S \cup \{A, B\} \in C$.


($\langle t \rangle$) We prove: if $\langle t \rangle A \in S$, then $S[t] \cup \{A\} \in C$. Suppose $\langle t \rangle A \in S$. Consider the inference

$$\frac{S[t], A}{S, \langle t \rangle A}\ (\langle t \rangle).$$

If $S[t] \cup \{A\}$ had a refutation, so would $S \cup \{\langle t \rangle A\} = S$, hence $S[t] \cup \{A\}$ has no refutation. By the definition of $C$, we have $S[t] \cup \{A\} \in C$.

($\exists$) We prove: if $\exists x A(x) \in S$, then $S \cup \{A(t)\} \in C$ for some ground term $t$. Suppose $\exists x A(x) \in S$. Consider the inference

$$\frac{S, A(p)}{S, \exists x A(x)}\ (\exists).$$

If $S \cup \{A(p)\}$ had a refutation, so would $S \cup \{\exists x A(x)\} = S$, hence $S \cup \{A(p)\}$ has no refutation. By the definition of $C$, since we have an infinite number of parameters and $S$ uses only a finite number of them, we can always choose a new parameter $p$ so that $S \cup \{A(p)\} \in C$.

($\Gamma$) We prove: if $S \in C$ and $A \in \Gamma$, then $S \cup \{A\} \in C$. Suppose $S \in C$ and $A \in \Gamma$. Consider the inference

$$\frac{S, A}{S}\ (\Gamma).$$

If $S \cup \{A\}$ had a refutation, so would $S$, hence $S \cup \{A\}$ has no refutation. By the definition of $C$, we have $S \cup \{A\} \in C$.

Now take $S$ that has no refutation. By our construction, $S \in C$. By Model Existence Theorem 21 there exists an $L$-structure and valuation $V$ in it under which $S$ is locally satisfied and every formula $A \in \Gamma$ globally satisfied. □


Chapter 9

Free-variable Tableaux

In this chapter we change the tableau systems introduced in Section 6.2 into free-variable tableau systems. We will use the definitions introduced so far, except that we now allow free variables to occur in sequents, and hence in tableaux as well.

To avoid problems with the parameter condition in the ($\forall$)-rules, we introduce so-called occurrence constraints similar to those used in (Voronkov 1996) and in (Voronkov 2001). Note that we could use the "dynamic skolemization" technique introduced in (Fitting 1988) as well.

In this section we assume knowledge of the standard notions of substitutions and (idempotent, most general) unifiers (see, e.g., Eder 1985). The application of a substitution $\sigma$ to a term or formula $E$ is denoted $E\sigma$. As usual, we may need to rename bound variables in a formula before we apply a substitution to it. Any idempotent most general unifier of $n$ expressions $E_1, \ldots, E_n$ is denoted by $\mathrm{mgu}(E_1, \ldots, E_n)$. The set of free variables of any expression $E$ (e.g. formula or set of formulas) is denoted by $\mathrm{vars}(E)$.

Definition 34 (Occurrence constraint) A simple occurrence constraint is either $\bot$ or an expression $p \notin X$, where $p$ is a parameter and $X$ is a finite set of variables. An occurrence constraint is a conjunction of zero or more simple occurrence constraints. A conjunction of zero simple occurrence constraints is denoted by $\top$.

For any substitution $\sigma$ and simple occurrence constraint $C = (p \notin X)$, we denote by $C\sigma$ the following simple occurrence constraint:

$$C\sigma = \begin{cases} \bot, & \text{if } p \text{ occurs in } X\sigma; \\ p \notin \mathrm{vars}(X\sigma), & \text{otherwise.} \end{cases}$$

When $C$ is a conjunction $C_1 \wedge \cdots \wedge C_n$ of simple occurrence constraints, we denote by $C\sigma$ the following occurrence constraint:

$$C\sigma = \begin{cases} \bot, & \text{if } C_i = \bot \text{ for some } i; \\ C_1\sigma \wedge \cdots \wedge C_n\sigma, & \text{otherwise.} \end{cases}$$

An occurrence constraint $C$ is called satisfiable if $C$ is not $\bot$. A solution to an occurrence constraint $C$ is any substitution $\sigma$ such that $C\sigma \ne \bot$ and $x\sigma$ is ground for every variable $x$ occurring in $C$. Evidently, an occurrence constraint $C$ is satisfiable if and only if it has a solution: indeed, one can take as a solution any substitution mapping all variables of $C$ into any ground term not containing parameters in $C$.
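As an added worked example (not code from the thesis), the following Python encodes Definition 34 together with the instantiation $C\sigma$ of simple constraints and conjunctions, and builds the solution the text describes to witness that a constraint is satisfiable if and only if it has a solution. The tuple encoding of terms and the ground constant `c` are assumptions of the example; the demo instantiates the constraint that the $|\exists|$ rule of Figure 9.1 adds, once with a unifier that breaks it and once with one that merely passes the obligation on to another variable.

```python
"""Occurrence constraints of Definition 34 (added example, not the thesis's code).

Terms are nested tuples: ('var', 'y') is a free variable, ('par', 'p') a parameter,
('fun', 'f', (arg, ...)) a function application (a constant has no args).
A substitution is a dict from variable names to terms.
"""
from typing import Dict, FrozenSet, Optional, Tuple

Term = tuple
Subst = Dict[str, Term]
Simple = Tuple[str, FrozenSet[str]]        # the simple constraint p not-in X, as the pair (p, X)
Constraint = Optional[Tuple[Simple, ...]]  # None is bottom, the empty tuple is top
TOP: Constraint = ()


def apply_subst(term: Term, sigma: Subst) -> Term:
    """E*sigma: variables outside sigma's domain are left unchanged."""
    if term[0] == 'var':
        return sigma.get(term[1], term)
    if term[0] == 'par':
        return term
    return ('fun', term[1], tuple(apply_subst(a, sigma) for a in term[2]))


def symbols_of(term: Term, kind: str) -> FrozenSet[str]:
    """Names of the 'var' (free variables, vars(E)) or 'par' (parameters) in a term."""
    if term[0] == kind:
        return frozenset([term[1]])
    if term[0] != 'fun':
        return frozenset()
    return frozenset().union(*(symbols_of(a, kind) for a in term[2]))


def apply_simple(simple: Simple, sigma: Subst) -> Optional[Simple]:
    """C*sigma for C = (p not-in X): bottom if p occurs in X*sigma, else p not-in vars(X*sigma)."""
    p, X = simple
    images = [apply_subst(('var', x), sigma) for x in X]
    if any(p in symbols_of(t, 'par') for t in images):
        return None
    return (p, frozenset().union(*(symbols_of(t, 'var') for t in images)))


def apply_constraint(C: Constraint, sigma: Subst) -> Constraint:
    """C*sigma for a conjunction: bottom as soon as one conjunct becomes bottom."""
    if C is None:
        return None
    result = []
    for simple in C:
        inst = apply_simple(simple, sigma)
        if inst is None:
            return None
        result.append(inst)
    return tuple(result)


def conjoin(C: Constraint, p: str, X: FrozenSet[str]) -> Constraint:
    """C and (p not-in X): the constraint the |exists| rule of Figure 9.1 adds."""
    return None if C is None else C + ((p, X),)


def satisfiable(C: Constraint) -> bool:
    """A constraint is satisfiable iff it is not bottom."""
    return C is not None


def is_solution(C: Constraint, sigma: Subst) -> bool:
    """sigma solves C iff C*sigma is not bottom and x*sigma is ground for every x in C."""
    if C is None or apply_constraint(C, sigma) is None:
        return False
    return all(not symbols_of(apply_subst(('var', x), sigma), 'var') for _, X in C for x in X)


def canonical_solution(C: Constraint) -> Optional[Subst]:
    """The solution the text describes: every variable of C goes to one ground term
    containing no parameter of C (here the constructed constant c)."""
    if C is None:
        return None
    return {x: ('fun', 'c', ()) for _, X in C for x in X}


def demo() -> dict:
    """Two ways of instantiating the constraint |exists| produces when the premise
    S, exists x A(x) has the free variable y (inputs constructed for this example)."""
    C = conjoin(TOP, 'p', frozenset({'y'}))
    # y := f(p) would put the 'fresh' parameter p into the premise: the constraint is bottom.
    bad = apply_constraint(C, {'y': ('fun', 'f', (('par', 'p'),))})
    # y := f(z) keeps p fresh; the freshness obligation moves on to z.
    good = apply_constraint(C, {'y': ('fun', 'f', (('var', 'z'),))})
    return {'bad_is_bottom': not satisfiable(bad),
            'good': good,
            'good_solved': is_solution(good, canonical_solution(good))}


if __name__ == '__main__':
    print(demo())
```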

We call a constrained tableau any pair consisting of a tableau $T$ and constraint $C$, denoted $T \cdot C$. Let $L$ be one of the logics K, D, T, K4, D4 and S4. The free-variable tableau calculi for $L$ are shown in Figure 9.1.

We claim

Theorem 35 (Equivalence of free-variable and sequent calculi) Let $S$ be a set of sentences of the signature $\Sigma$. Then $S$ has a refutation in the sequent calculus for $L$ (with global assumptions $\Gamma$) if and only if there exists a derivation of $\# \cdot C$ from $S \cdot \top$ in the tableau calculus for $L$ (with the global assumptions $\Gamma$) such that $C$ is satisfiable.

In order to prove this theorem, we will prove two results showing bisimulation between tableau derivations and free-variable tableau derivations.

Let $T \cdot C$ be a constrained tableau and $\sigma$ be a substitution. We call the tableau $T\sigma$ the $\sigma$-instance of $T \cdot C$ if $C\sigma$ is satisfiable. A tableau $T'$ is called an instance of $T \cdot C$ if it is a $\sigma$-instance of $T \cdot C$ for some $\sigma$.

The following lemma establishes a simulation of free-variable tableau derivations by tableau derivations.

Lemma 36 Suppose there exists a derivation of $T_2 \cdot C$ from $T_1 \cdot \top$ in the free-variable tableau calculus for $L$ with global assumptions $\Gamma$. Then any instance of $T_2 \cdot C$ has a derivation from $T_1$ in the tableau calculus for $L$ with the global assumptions $\Gamma$.

Proof. The proof is by induction on the length of derivations in the free-variable tableau calculus. When the derivation is of length 0, the claim is obvious, since $T_1$ is the only instance of $T_1 \cdot \top$ when $T_1$ has no free variables. For derivations with at least one inference, consider the last inference of the derivation. We will consider only two cases; other cases are similar.

Case: the last inference is $|ax|$.

For all logics (K, D, T, K4, D4, S4):

$$\frac{S, A(\bar s), \neg A(\bar t) \mid T \cdot C}{T\,\mathrm{mgu}(\bar s, \bar t) \cdot C\,\mathrm{mgu}(\bar s, \bar t)}\ |ax|$$

$$\frac{S, A \vee B \mid T \cdot C}{S, A \mid S, B \mid T \cdot C}\ |\vee|$$

$$\frac{S, A \wedge B \mid T \cdot C}{S, A, B \mid T \cdot C}\ |\wedge|$$

$$\frac{S, \exists x A(x) \mid T \cdot C}{S, A(p) \mid T \cdot C \wedge p \notin \mathrm{vars}(S, \exists x A(x))}\ |\exists|^{\dagger}$$

$$\frac{S, \forall x A(x) \mid T \cdot C}{S, \forall x A(x), A(y) \mid T \cdot C}\ |\forall|^{\dagger}$$

$$\frac{S, \langle t \rangle A \mid T \cdot C}{S[t_1], \ldots, S[t_n], A \mid T\sigma \cdot C\sigma}\ |\langle t, t_1, \ldots, t_n \rangle|^{\dagger}$$

For serial logics (D, D4):

$$\frac{S \mid T \cdot C}{S[t_1], \ldots, S[t_n] \mid T\sigma \cdot C\sigma}\ |[t_1, \ldots, t_n]|$$

For reflexive logics (T, S4):

$$\frac{S, [t]A \mid T \cdot C}{S, A \mid T \cdot C}\ |[t]|$$

For logics with global assumptions $\Gamma$:

$$\frac{S \mid T \cdot C}{S, A \mid T \cdot C}\ |\Gamma|^{\dagger}$$

$\dagger$ In the rule $|\langle t, t_1, \ldots, t_n \rangle|$, $\sigma = \mathrm{mgu}(t, t_1, \ldots, t_n)$. In the rule $|[t_1, \ldots, t_n]|$, $\sigma = \mathrm{mgu}(t_1, \ldots, t_n)$. In the rule $|\exists|$, $p$ is a new parameter, not occurring in the premise. In the rule $|\forall|$, $y$ is a new variable, not occurring in the premise. In the rule $|\Gamma|$, $A \in \Gamma$.

Figure 9.1: Free-variable tableau with constraints calculi


$$\frac{S, A(\bar s), \neg A(\bar t) \mid T \cdot C}{T\theta \cdot C\theta}\ |ax|,$$

where $\theta = \mathrm{mgu}(\bar s, \bar t)$.

Take any instance of $T\theta \cdot C\theta$; then this instance has the form $T\theta\tau$ for some substitution $\tau$ such that $C\theta\tau$ is satisfiable. We have to prove that $T\theta\tau$ is derivable from $T_1$.

We claim that the following is a valid inference in the tableau calculus:

$$\frac{(S, A(\bar s), \neg A(\bar t) \mid T)\theta\tau}{T\theta\tau}\ |ax|. \tag{9.1}$$

Indeed, since $\theta$ is a unifier of $\bar s$ and $\bar t$, then $A(\bar s)\theta = A(\bar t)\theta$, hence $A(\bar s)\theta\tau = A(\bar t)\theta\tau$.

Since $C\theta\tau$ is satisfiable, we get that $(S, A(\bar s), \neg A(\bar t) \mid T)\theta\tau$ is a $\theta\tau$-instance of $S, A(\bar s), \neg A(\bar t) \mid T \cdot C$. By the induction hypothesis, this instance has a derivation from $T_1$. Add to this derivation the inference (9.1); then we obtain a required derivation of $T\theta\tau$.

Case: the last inference is $|\exists|$.

$$\frac{S, \exists x A(x) \mid T \cdot C}{S, A(p) \mid T \cdot C \wedge p \notin \mathrm{vars}(S, \exists x A(x))}\ |\exists|.$$

Take any instance of $S, A(p) \mid T \cdot C \wedge p \notin \mathrm{vars}(S, \exists x A(x))$; then this instance has the form $S\tau, A(p)\tau \mid T\tau$ for some substitution $\tau$ such that $(C \wedge p \notin \mathrm{vars}(S, \exists x A(x)))\tau$ is satisfiable. We have to prove that $S\tau, A(p)\tau \mid T\tau$ is derivable from $T_1$.

Since $(C \wedge p \notin \mathrm{vars}(S, \exists x A(x)))\tau$ is satisfiable, by definition of constraint satisfiability, $C\tau$ is satisfiable and $p$ does not occur in $S\tau, \exists x A(x)\tau$. Since $p$ does not occur in $S\tau, \exists x A(x)\tau$, the following is a valid inference in the tableau calculus:

$$\frac{S\tau, \exists x A(x)\tau \mid T\tau}{S\tau, A(p)\tau \mid T\tau}\ |\exists|. \tag{9.2}$$

By the induction hypothesis, every instance of $S, \exists x A(x) \mid T \cdot C$ has a derivation from $T_1$. Since $C\tau$ is satisfiable, we can take its $\tau$-instance $S\tau, \exists x A(x)\tau \mid T\tau$; this instance has a derivation from $T_1$. Add to this derivation inference (9.2) and we obtain a required derivation of $S\tau, A(p)\tau \mid T\tau$ from $T_1$. □

Now we want to prove a simulation result in the inverse direction. If we defined a sequent as a multiset of formulas, we could use an argument similar to the previous lemma. The use of sets instead of multisets causes some technical problems because the notion of instance does not work properly any more. To avoid these technical problems we give a definition of generalization that is nearly inverse to the notion of instance but takes into account some specific problems in the inverse simulation proof.

Let $T = S_1 \mid \cdots \mid S_n$ and $T' = S'_1 \mid \cdots \mid S'_n$ be two tableaux. We write $T \sqsubseteq T'$ if (i) for every $i = 1 \ldots n$ we have $S_i \subseteq S'_i$ and (ii) each parameter occurring in some $T'$ also occurs in $T$. Let $T \cdot C$ be a constrained tableau and $T'$ a tableau. We call $T \cdot C$ a $\sigma$-generalization of $T'$ if $T' \sqsubseteq T\sigma$ and $C\sigma$ is satisfiable. We call $T \cdot C$ a generalization of $T'$ if $T \cdot C$ is a $\sigma$-generalization of $T'$ for some $\sigma$.

Lemma 37 Suppose there exists a derivation of $T_2$ from $T_1$ in the tableau calculus for $L$ with global assumptions $\Gamma$. Then some generalization of $T_2$ has a derivation from $T_1 \cdot \top$ in the free-variable tableau calculus for $L$ with the global assumptions $\Gamma$.

Proof. The proof is by induction on the length of derivations in the tableau calculus. When the derivation is of length 0, the claim is obvious, since $T_1 \cdot \top$ is a generalization of $T_1$. For derivations with at least one inference, consider the last inference of the derivation. We will consider only two cases; other cases are similar.

Case: the last inference is $|ax|$.

$$\frac{S, A, \neg A \mid T}{T}\ |ax|.$$

By the induction hypothesis, some $\sigma$-generalization of $S, A, \neg A \mid T$ is derivable from $T_1 \cdot \top$. Then this generalization has the form $S', A', \neg B' \mid T' \cdot C$ such that $A'\sigma = A$, $B'\sigma = A$, $T \sqsubseteq T'\sigma$ and $C\sigma$ is satisfiable. Then $\sigma$ is a unifier of $A'$ and $B'$; therefore, there exists a most general unifier $\theta$ of $A'$ and $B'$ and a substitution $\delta$ such that $\theta\delta = \sigma$. Consider the following inference in the free-variable tableau calculus.

$$\frac{S', A', \neg B' \mid T' \cdot C}{T'\theta \cdot C\theta}\ |ax|.$$

We claim that the conclusion of this inference is a generalization of $T$, which will complete the proof of this case. To prove the claim, we have to find a substitution $\delta'$ such that (i) $T \sqsubseteq T'\theta\delta'$ and (ii) $C\theta\delta'$ is satisfiable. Well, take $\delta'$ to be $\delta$; then both (i) and (ii) follow from $\theta\delta = \sigma$.

Case: the last inference is $|\exists|$.

$$\frac{S, \exists x A(x) \mid T}{S, A(p) \mid T}\ |\exists| \tag{9.3}$$

By the induction hypothesis, some $\sigma$-generalization of $S, \exists x A(x) \mid T$ is derivable from $T_1 \cdot \top$. Then this generalization has the form $S', \exists x A'(x) \mid T' \cdot C$ such that (i) $S \subseteq S'\sigma$, (ii) every parameter occurring in $(S', \exists x A'(x))\sigma$ also occurs in $S, \exists x A(x) \mid T$, (iii) $\exists x A'(x)\sigma = \exists x A(x)$, (iv) $T \sqsubseteq T'\sigma$, and (v) $C\sigma$ is satisfiable.

Consider the following inference in the free-variable tableau calculus.

$$\frac{S', \exists x A'(x) \mid T' \cdot C}{S', A'(p) \mid T' \cdot C \wedge p \notin \mathrm{vars}(S', \exists x A'(x))}\ |\exists|.$$

Let us check that the parameter condition is satisfied. Suppose, by contradiction, that $p$ occurs in $S', \exists x A'(x) \mid T'$; then it also occurs in $(S', \exists x A'(x) \mid T')\sigma$, hence also in $S, \exists x A(x) \mid T$. This violates the parameter condition of (9.3).

We claim that the conclusion of this inference is a generalization of $S, A(p) \mid T$, which will complete the proof of this case. We actually claim that the conclusion is the $\sigma$-generalization of $S, A(p) \mid T$. All conditions on $\sigma$-generalization except for constraint satisfaction immediately follow from (i)–(iv) above. It remains to verify that $(C \wedge p \notin \mathrm{vars}(S', \exists x A'(x)))\sigma$ is satisfiable. $C\sigma$ is satisfiable by (v) above, so it remains to check that $p$ does not occur in $(S', \exists x A'(x))\sigma$. If $p$ occurred in $(S', \exists x A'(x))\sigma$, then by (ii) above $p$ would also occur in $S, \exists x A(x) \mid T$, but this is impossible because of the parameter condition in (9.3).

□

Now we can prove soundness and completeness of the free-variable calculi.

Proof (of Theorem 35).

1. Suppose $S$ has a refutation in the sequent calculus for $L$ with global assumptions $\Gamma$. Then by Theorem 16 there exists a derivation of $\#$ from $S$ in the tableau calculus for $L$ with the global assumptions $\Gamma$. Hence, by Lemma 37 there exists a derivation of some generalization of $\#$ from $S \cdot \top$ in the free-variable tableau calculus for $L$. But any generalization of $\#$ has the form $\# \cdot C$ for a satisfiable $C$.


2. Suppose there exists a derivation of $\# \cdot C$ from $S \cdot \top$ in the tableau calculus for $L$ with the global assumptions $\Gamma$ such that $C$ is satisfiable. By Lemma 36 any instance of $\# \cdot C$ has a derivation from $S$ in the tableau calculus for $L$ with the global assumptions $\Gamma$. Obviously, $\#$ is such an instance, so it is derivable from $S$ as well. By Theorem 16 $S$ has a refutation in the sequent calculus for $L$ with the global assumptions $\Gamma$.

□

9.1 EXAMPLE REFUTATION

Consider the following formula, valid in term-modal $K$. (For better readability, we omit the parentheses in terms like $f(x)$ and write $fx$ instead.)

$$\forall x \exists y \big([y]R(y,y) \wedge [fy](R(fy,fy) \supset R(y,fy)) \supset [fx]R(x,fx)\big).$$

We establish the validity of this formula, i.e. the unsatisfiability of its negation, using the free-variable tableau calculus for $K$. First, we negate the formula and transform it into negation normal form:

$$\exists x \forall y \big([y]R(y,y) \wedge [fy](\neg R(fy,fy) \vee R(y,fy)) \wedge \langle fx\rangle \neg R(x,fx)\big),$$

and then show its refutation. The refutation is given in Figure 9.2; in the modal step, $z$ is unified with $fp$ and $u$ with $p$, so that both box formulas are applied to the world introduced by $\langle fp\rangle$. In the refutation we do not show the constraint, since it always has the form $p \notin \emptyset$ and is satisfiable. For better readability, we denote the inference steps by $\to$ followed by the name of the inference rule. We also group similar inferences into one. For example, by $|\forall|^{*}$ we denote a sequence of $|\forall|$ inferences, and by $|\wedge|^{*}$ a sequence of $|\wedge|$ inferences.

$$\begin{array}{ll}
\exists x \forall y ([y]R(y,y) \wedge [fy](\neg R(fy,fy) \vee R(y,fy)) \wedge \langle fx\rangle\neg R(x,fx)) & \to |\exists| \\[4pt]
\forall y ([y]R(y,y) \wedge [fy](\neg R(fy,fy) \vee R(y,fy)) \wedge \langle fp\rangle\neg R(p,fp)) & \to |\forall|^{*} \\[4pt]
\forall y ([y]R(y,y) \wedge [fy](\neg R(fy,fy) \vee R(y,fy)) \wedge \langle fp\rangle\neg R(p,fp)), & \\
\quad [z]R(z,z) \wedge [fz](\neg R(fz,fz) \vee R(z,fz)) \wedge \langle fp\rangle\neg R(p,fp), & \\
\quad [u]R(u,u) \wedge [fu](\neg R(fu,fu) \vee R(u,fu)) \wedge \langle fp\rangle\neg R(p,fp) & \to |\wedge|^{*} \\[4pt]
\forall y ([y]R(y,y) \wedge [fy](\neg R(fy,fy) \vee R(y,fy)) \wedge \langle fp\rangle\neg R(p,fp)), & \\
\quad [z]R(z,z),\ [fz](\neg R(fz,fz) \vee R(z,fz)),\ \langle fp\rangle\neg R(p,fp), & \\
\quad [u]R(u,u),\ [fu](\neg R(fu,fu) \vee R(u,fu)) & \to |\langle fp, z, fu\rangle| \\[4pt]
R(fp,fp),\ \neg R(p,fp),\ \neg R(fp,fp) \vee R(p,fp) & \to |\vee| \\[4pt]
R(fp,fp),\ \neg R(p,fp),\ \neg R(fp,fp) \ \mid\ R(fp,fp),\ \neg R(p,fp),\ R(p,fp) & \to |ax|^{*} \\[4pt]
\# &
\end{array}$$

Figure 9.2: Example refutation in the free-variable calculus

Chapter 10

Conclusion and Future Work

A complete sequent calculus was presented for a logic in which it is possible to quantify over modalities. We note that even though we have restricted ourselves to the logics $K$, $D$, $T$, $K4$, $D4$ and $S4$, other logics can be included among the term-modal logics.

Term-modal logic can be used to reason about epistemic multi-agent systems or to develop action logics. Interesting future work includes combining epistemic term-modal logic with dynamic logic for actions, e.g. for knowledge updates.

There are several fragments of term-modal logic which might be worth studying. We suggest some of the possibilities.

1. Restricting all predicate symbols to arity zero.

2. Restricting modal indices to variables, instead of arbitrary terms.

3. Various fragments of the logic without function symbols.

Part II

Quantifier-free Dynamic Assignment Logic

Chapter 11

Syntax

We define the syntax of quantifier-free dynamic assignment logic. The basic syntax (Section 11.1) is the language used to express properties of programs. The extended syntax (Section 11.3) is the language used to prove these properties.

For Part II, we denote equality by $=$, syntactic identity by $\equiv$ and definitional equality by $=_{\mathrm{def}}$.

11.1 BASIC SYNTAX

Assume pairwise disjoint sets of relation symbols $\mathcal{R} =_{\mathrm{def}} \{P, Q, \ldots\}$, function symbols $\mathcal{F} =_{\mathrm{def}} \{f, g, \ldots\}$, program variables $\mathcal{P} =_{\mathrm{def}} \{a, b, \ldots\}$, and logic variables $\mathcal{V} =_{\mathrm{def}} \{x, y, z, \ldots\}$. The triple $\Sigma = \langle \mathcal{R}, \mathcal{F}, \mathcal{P} \rangle$ is called the signature of the logic. Each relation and function symbol has an associated arity $n$. The function symbols with arity $0$ are called constant symbols, and will be denoted $c, d, \ldots$. Program variables have arity $0$.$^{1}$

The syntactic components of the logic are defined by$^{2}$

$$\begin{array}{lrcl}
\text{Formulas} & \varphi, \psi & ::= & P(t_1, \ldots, t_n) \mid t_1 = t_2 \mid (\varphi \wedge \psi) \mid \neg\varphi \mid \langle p\rangle\varphi \mid \{\lambda x\, t.\ \varphi(x)\} \\
\text{Programs} & p, q & ::= & a := t \mid (p; q) \mid (p \cup q) \mid p^{*} \mid \varphi? \\
\text{Terms} & t & ::= & a \mid c \mid x \mid f(t_1, \ldots, t_n)
\end{array}$$

where $a$ is a program variable, $c$ is a constant symbol, $x$ is a logic variable, $f$ is a function symbol, $P$ is a relation symbol and $t$ is a term. Programs of the form $a := t$ are called atomic programs, and formulas of the form $P(t_1, \ldots, t_n)$ or $t_1 = t_2$ are called atomic formulas. The term $t$ in the program $a := t$ has to be ground, i.e. it has to be a term which does not contain any logic variables. Note that the logic is quantifier-free.

$^{1}$We could also introduce program variables of higher arity, thereby introducing arrays into the logic. But, in order to keep the presentation simple, we have chosen not to.

$^{2}$Note that Fitting and Mendelsohn (1998) only allow logic variables in atomic formulas $P(x_1, \ldots, x_n)$, while we allow arbitrary terms in atomic formulas $P(t_1, \ldots, t_n)$.

The formula $\langle p\rangle\varphi$ intuitively says that $\varphi$ is a possible outcome of running program $p$. The program $p; q$ is the composition of program $p$ and program $q$; intuitively, $p$ is executed first and $q$ second. The program $p \cup q$ is the choice of programs $p$ and $q$, i.e. non-deterministically one of them is executed. The star-program $p^{*}$ means that $p$ is executed a non-deterministically chosen number of times (possibly zero). The program $\varphi?$ is a test checking that the formula $\varphi$ holds.

When verifying programs, it is important to distinguish between the value of a program variable before program execution and its value after program execution. Consider, for instance, the formula $\langle a := t\rangle P(a)$. In our semantics, the $a$ in $P(a)$ refers to the value of $a$ after execution. If we instead want to talk about the value of $a$ before execution of $a := t$, we need to use the scoping operator $\lambda$ and write the abstraction formula

$$\{\lambda x\, a.\ \langle a := t\rangle P(x)\}.$$

The position of $\lambda x$ in the formula determines which value of $a$ we are referring to. In the formula above, $\lambda x$ stands before the modal operator $\langle a := t\rangle$, so by $x$ in the subformula $P(x)$ we mean the value of $a$ before the program $a := t$ has been executed.

A formula is called closed if every occurrence of a logic variable $x$ is bound by a scoping operator $\lambda x$. A logic variable $x$ is free in a formula if $x$ occurs non-bound in the formula. We write $\{\lambda x, y\ t_1, t_2.\ \varphi\}$ as an abbreviation of $\{\lambda x\, t_1.\ \{\lambda y\, t_2.\ \varphi\}\}$. Other connectives are defined in the usual way, i.e. $[p]\varphi =_{\mathrm{def}} \neg\langle p\rangle\neg\varphi$, $(\varphi \vee \psi) =_{\mathrm{def}} \neg(\neg\varphi \wedge \neg\psi)$ and $(\varphi \supset \psi) =_{\mathrm{def}} \neg(\varphi \wedge \neg\psi)$. Any formula $(\varphi \wedge \neg\varphi)$ or $\neg\, t = t$ can be abbreviated by $\bot$, and $\neg\bot$ is abbreviated $\top$.

Also, $(p_1; (p_2; (\cdots (p_{n-1}; p_n) \cdots)))$ is abbreviated by $(p_1; p_2; \cdots; p_{n-1}; p_n)$, and similarly for $\cup$.

11.2 EXAMPLES

More complex programming constructs can be defined using the above primitive dynamic constructs. We can, for instance, express the following traditional programs as dynamic programs.

$$\begin{array}{lcl}
\mathrm{SKIP} & =_{\mathrm{def}} & \top? \\
\mathrm{IF}\ (\varphi)\ \mathrm{THEN}\ (p_1)\ \mathrm{ELSE}\ (p_2) & =_{\mathrm{def}} & ((\varphi?; p_1) \cup (\neg\varphi?; p_2)) \\
\mathrm{WHILE}\ (\varphi)\ \mathrm{DO}\ (p) & =_{\mathrm{def}} & ((\varphi?; p)^{*}; \neg\varphi?)
\end{array}$$

Swapping two program variables $a$ and $b$, $\mathrm{SWAP}(a, b)$, can be expressed by the program $(a' := a; a := b; b := a')$.

It is well known that everything expressible in Hoare logic (Hoare 1969) can be expressed in dynamic logic, see e.g. (Kozen and Tiuryn 1989). The partial correctness formula of $p$ with respect to precondition $\varphi$ and postcondition $\psi$, sometimes written $\{\varphi\}p\{\psi\}$, is written in dynamic logic as

$$\varphi \supset [p]\psi.$$

(This is partial correctness: it says nothing about termination. Total correctness additionally demands that $p$ terminates, which for a deterministic $p$ is expressed by $\varphi \supset \langle p\rangle\psi$.)

We can express that there exists an execution of $(a := f(a))^{*}$ such that the final value of $a$ equals the value of $f(f(x))$, where $x$ denotes the initial value of $a$:

$$\{\lambda x\, a.\ \langle (a := f(a))^{*}\rangle\ a = f(f(x))\}.$$

If a term $t$ is locally rigid with respect to a program $p$ (i.e. the value of $t$ is the same before and after $p$ has been executed), then the abstraction operator and the box operator commute, in the following sense (a special case of this formula is proved in Example 70, Page 81):

$$\{\lambda x\, t.\ [p]\, x = t\} \supset (\{\lambda x\, t.\ [p]\varphi(x)\} \supset [p]\{\lambda x\, t.\ \varphi(x)\}).$$

Since there is no need to use the scoping operator in modal-free subformulas, if $\varphi(x)$ is an atomic formula $P(x)$, then we can write

$$\{\lambda x\, t.\ [p]\, x = t\} \supset (\{\lambda x\, t.\ [p]P(x)\} \supset [p]P(t)).$$

We can express "if $a$ and $b$ are different, then no number of applications of $f$ to both $a$ and $b$ can make them denote the same value" by the formula

$$\neg(a = b) \supset \neg\langle (a := f(a); b := f(b))^{*}\rangle\ a = b.$$

This formula is not generally true in our logic, since function symbols have no fixed meaning in the logic. The function $f$ could e.g. be interpreted as a constant function, which would make the formula false.

11.3 EXTENDED SYNTAX

We introduce prefixes to name states.

Definition 38 (Prefix) A prefix is a sequence $[a_1 := t_1] \cdots [a_n := t_n]$ where $n \geq 0$, each $a_i$ is a program variable, and each $t_i$ is a ground term. The empty sequence is denoted $\epsilon$ and is called the empty prefix.

The intuition is that $\epsilon$ names the initial state, i.e. the state before any program has been executed. The state named $[a := t]$ intuitively denotes the state reached from the initial state when $a$ has been assigned $t$.

Definition 39 (Subscripted, fixed, subscript-free) A subscripted term is a term in which program variables can be subscripted with a prefix. A fixed term is a subscripted term in which every program variable has a prefix as subscript.$^{3}$ A formula, program, or subscripted term is subscript-free if it contains no fixed program variables.

The set of subscripted terms includes all terms introduced in Section 11.1.

From this point on, we will allow formulas and programs to contain subscripted terms, instead of only the terms defined in Section 11.1.

The fixed program variable $a_\tau$ intuitively stands for the value of $a$ in the state named $\tau$. Note that a ground term can be either fixed (e.g. $a_\tau$) or non-fixed (e.g. $a$), and a fixed term can be either ground (e.g. $f(a_\tau)$) or non-ground (e.g. $f(x)$). As we will see later, there is a difference between the program variable $a$ fixed by the empty prefix $\epsilon$ (that is, $a_\epsilon$) and the subscript-free program variable $a$. The first means that $a$ should be interpreted in the state named by the empty prefix, while the latter provides no means to determine in what state it should be interpreted.

Definition 40 ($t@\tau$) If $\tau$ is a prefix and $t$ is a subscripted term, we denote by $t@\tau$ the fixed term resulting from subscripting every non-fixed program variable in $t$ with $\tau$. We say that the term $t$ is fixed by prefix $\tau$ in the term $t@\tau$.

For any function symbol $f$ with arity $n \geq 1$, we have

$$f(t_1, \ldots, t_n)@\tau = f(t_1@\tau, \ldots, t_n@\tau).$$

Definition 41 (Prefixed formula) A prefixed formula is an expression of the form $\tau : \varphi$, where $\tau$ is a prefix and $\varphi$ is a formula.

The prefixed formula $\tau : \varphi$ intuitively means that $\varphi$ is true in the state named by prefix $\tau$. The prefixed formula $\tau : \langle p\rangle\varphi$ intuitively means that $\varphi$ is true in some state resulting from executing the program $p$ in the state named $\tau$. The prefixed formula $\tau : [p]\varphi$ similarly means that $\varphi$ is true in every state resulting from executing $p$ in the state named $\tau$.

$^{3}$Fitting and Mendelsohn (1998) call fixed terms grounded.

11.4 SUBSTITUTION

Substitution is defined in the usual way, see e.g. (Eder 1985). The concept of free substitutions is used much in the same way as in (Kleene 1952) and (Fitting 1996a, Fitting 1999).

Definition 42 (Substitution) A substitution is a mapping $\sigma$ from the set of logic variables $\mathcal{V}$ to the set of subscripted terms, such that there are only finitely many variables $x$ with $\sigma(x) \neq x$.

We will write $[x_1 \mapsto t_1, \ldots, x_n \mapsto t_n]$ for the substitution mapping each $x_i$ to $t_i$, and all other variables to themselves.

Definition 43 (Free substitution) A substitution $[x_1 \mapsto t_1, \ldots, x_n \mapsto t_n]$ is free for $\varphi$ (or $p$) if for every $x_i \in \{x_1, \ldots, x_n\}$, there is no free occurrence of $x_i$ in $\varphi$ (or $p$) within the scope of a $\lambda y$ such that $y$ occurs in $t_i$. Let $\sigma = [x_1 \mapsto t_1, \ldots, x_n \mapsto t_n]$ be a substitution free for $\varphi$. Then by $\varphi\sigma$ we denote the formula in which every free occurrence of the variable $x_i$ has been replaced by the term $t_i$. Similarly for $t\sigma$ and $p\sigma$.

We will write $\varphi(x_1, \ldots, x_n)$ for a formula with zero or more occurrences of the variables $x_1, \ldots, x_n$. When later writing $\varphi(t_1, \ldots, t_n)$, we mean the formula resulting from applying the substitution $[x_1 \mapsto t_1, \ldots, x_n \mapsto t_n]$ to $\varphi(x_1, \ldots, x_n)$. We require this substitution to be free for the formula. If it is not, then we rename bound variables in the formula before applying the substitution. This can always be done so that the substitution becomes free for the formula. We use the same convention for programs, writing $p(t_1, \ldots, t_n)$ for the program resulting from applying the free substitution $[x_1 \mapsto t_1, \ldots, x_n \mapsto t_n]$ to $p(x_1, \ldots, x_n)$.

In computer science, program variables are considered to have two values, the l-value and the r-value, see e.g. (Aho, Sethi and Ullman 1985). The r stands for 'right', indicating that this is the value we are interested in when the program variable occurs on the right-hand side of an assignment, and similarly l stands for 'left'. The r-value is the actual value of the program variable, and the l-value is the "storage location". When a program variable occurs on the left-hand side of an assignment, we are not interested in its actual value, but rather in its storage location, or name. This can be compared with the ideas of Frege (1892), where a distinction is made between sense (Sinn) and reference (Bedeutung) of names. The sense corresponds to the r-value, and the reference to the l-value.

In our logic, program variables have both r-values and l-values. Two distinct program variables $a$ and $b$ might have the same r-value (i.e. $a = b$), but different l-values ($a := c$ and $b := c$ have different meanings). Consider, as an example of this, the following formula, which is not generally true (a countermodel of the formula is presented in Example 53, p. 70):

$$a = b \supset (\langle a := c\rangle\, a = c \supset \langle b := c\rangle\, a = c).^{4}$$

In classical logic, there is a principle of substitution: if two constants have the same value, one can be substituted for the other in a formula without changing the meaning of the formula. For program variables in our logic, this is not the case. A program variable is not generally substitutable for another, even if they have the same value.$^{5}$ Consider e.g. the formula $a = b \supset [p]\, a = b$. Even though $a$ and $b$ might have the same value in the current state, they might have different values in a later state (i.e. after $p$ has been executed).

Consider the formula $\langle a := t\rangle\varphi$. Fixing $a$ by $\tau$ in the assignment does not make sense. Fixing $t$ by $\tau$ in the assignment is intuitively more reasonable, but introduces complications. As we will see later, the proof procedure will fix program variables in formulas, but never when they occur in an assignment program. This is a consequence of the requirement that every $t$ in an assignment program $a := t$ has to be ground.

$^{4}$If we want to be explicit about the interpretation of program variables (more about this in Section 12.1), we can write the formula in the following way:

$$\{\lambda x, y\ a, b.\ x = y\} \supset (\langle a := c\rangle\{\lambda x, y\ a, c.\ x = y\} \supset \langle b := c\rangle\{\lambda x, y\ a, c.\ x = y\}).$$

Use of the scoping operator in modal-free subformulas is redundant, though.

$^{5}$What is allowed, though, is to replace every occurrence of a program variable by a program variable not occurring in the formula. This corresponds to the principle that the names of program variables are not important and can be changed without affecting the meaning of the program.

Chapter 12

Semantics

The logic presented is a dynamic logic. Traditional dynamic logic uses the program connectives $^{*}$, $;$, $\cup$, and $?$. The program $p^{*}$ has the same meaning as non-deterministically repeating $p$, $\langle (p; q)\rangle\varphi$ means the same as $\langle p\rangle\langle q\rangle\varphi$, and similarly for choice, test and assignment.

In our framework we use only one type of atomic program, the assignment. Furthermore, a scoping operator $\lambda$ is used instead of quantifiers.

In Section 12.1, we introduce the semantics of subscript-free formulas and programs, and in Section 12.2 we introduce the semantics of formulas and programs containing subscripted terms.

12.1 BASIC SEMANTICS

We start with two introductory concepts. First, we define the meaning of logic variables, program variables, relation and function symbols. Second, we present how this meaning can be updated.

Assume a set of logic variables $\mathcal{V}$, a signature $\Sigma = \langle \mathcal{R}, \mathcal{F}, \mathcal{P}\rangle$, and two non-empty sets, $D$ and $W$, called the domain and the set of worlds or states, respectively. We now define the semantics.

Definition 44 (Valuation) A valuation (of logic variables) is a function $\sigma$ from the set of logic variables to the domain, $\sigma : \mathcal{V} \to D$.

Definition 45 (Interpretation) An interpretation $I$ of relation symbols, function symbols and program variables over $\langle W, D\rangle$ is a function that assigns

1. to every relation symbol of arity $n \geq 0$, a subset of $D^n$,

2. to every function symbol of arity $n \geq 0$, a function $D^n \to D$, and

3. to every world $w \in W$, a function $\mathcal{P} \to D$, from program variables to elements of the domain.

We will write $I(w, a)$ for $I(w)(a)$. Note that when $I$ is applied to only one argument, $I(w)$ is a function taking each program variable in $\mathcal{P}$ to an element of $D$.

Definition 46 (Interpretation of terms) Given a valuation $\sigma$ and an interpretation $I$, the interpretation of terms $(\sigma \star I)$ is defined by

$$(\sigma \star I)(w, t) =_{\mathrm{def}} \begin{cases}
\sigma(t), & \text{if } t \text{ is a logic variable} \\
I(w, t), & \text{if } t \text{ is a program variable} \\
I(f)((\sigma \star I)(w, t_1), \ldots, (\sigma \star I)(w, t_n)), & \text{if } t \equiv f(t_1, \ldots, t_n)
\end{cases}$$

We define update operations for valuations and interpretations. The update $\sigma[x \mapsto t_w]$ is like $\sigma$ except that $x$ is mapped to the value of $t$ in world $w$, and the update $I(w)[a \mapsto t]$ is like $I(w)$ except that $a$ is mapped to the value of $t$ in world $w$.$^{1}$

Definition 47 (Update operations) Let $\sigma$ be a valuation and $I$ an interpretation. Then, for any logic variable $x$, program variables $a, b$ and term $t$, let $\sigma[x \mapsto t_w]$ be the valuation $\mathcal{V} \to D$ defined by

$$\sigma[x \mapsto t_w](y) =_{\mathrm{def}} \begin{cases}
(\sigma \star I)(w, t), & \text{if } y \equiv x \\
\sigma(y), & \text{if } y \not\equiv x
\end{cases}$$

and let $I(w)[a \mapsto t]$ be the function $\mathcal{P} \to D$ defined by

$$I(w)[a \mapsto t](b) =_{\mathrm{def}} \begin{cases}
(\sigma \star I)(w, t), & \text{if } b \equiv a \\
I(w, b), & \text{if } b \not\equiv a
\end{cases}$$

Note that $\sigma[x \mapsto t_w]$ and $I(w)[a \mapsto t]$ both depend on $(\sigma \star I)$, since $t$ may contain both logic and program variables. The notation $\sigma[x \mapsto t_w]$ can nevertheless be used unambiguously, since we will only use it in the context of some structure in which $I$ is fixed. Similarly, $I(w)[a \mapsto t]$ will only be used in the context of some $\sigma$, or when $t$ does not contain any logic variables.

Definition 48 (Structure) A (first-order dynamic) structure is a tuple $\mathcal{M} = \langle W, D, I\rangle$, where

1. $W$ and $D$ are arbitrary (non-empty and disjoint) sets, and

2. $I$ is an interpretation over $\langle W, D\rangle$ such that for every world $w_1 \in W$, program variable $a \in \mathcal{P}$, and domain element $d \in D$, there exists a world $w_2 \in W$ such that $I(w_2, a) = d$ and for each $b \not\equiv a$, $I(w_2, b) = I(w_1, b)$.

The set $D$ is called the domain of the structure, and the set $W$ is called the set of worlds or states. The requirement on the interpretation is called the seriality condition, and ensures that every assignment program is executable in every state.

$^{1}$In (Fitting and Mendelsohn 1998) the update $\sigma[x \mapsto t_w]$ is called "the $x$-variant of $\sigma$ such that $\sigma(x) = (\sigma \star I)(w, t)$".

Definition 49 (Interpretation of programs, truth relation) Given a structure $\mathcal{M} = \langle W, D, I\rangle$, we define the interpretation of subscript-free programs $(\cdot)_{\mathcal{M},\sigma}$ and the truth relation $\models$ of subscript-free formulas simultaneously. For any valuation $\sigma$ and $w \in W$:

1. $\mathcal{M}, w, \sigma \models P(t_1, \ldots, t_n)$ iff $\langle (\sigma \star I)(w, t_1), \ldots, (\sigma \star I)(w, t_n)\rangle \in I(P)$

2. $\mathcal{M}, w, \sigma \models (\varphi \wedge \psi)$ iff $\mathcal{M}, w, \sigma \models \varphi$ and $\mathcal{M}, w, \sigma \models \psi$

3. $\mathcal{M}, w, \sigma \models \neg\varphi$ iff it is not the case that $\mathcal{M}, w, \sigma \models \varphi$

4. $\mathcal{M}, w, \sigma \models \langle p\rangle\varphi$ iff there exists $w' \in W$ such that $\langle w, w'\rangle \in (p)_{\mathcal{M},\sigma}$ and $\mathcal{M}, w', \sigma \models \varphi$

5. $\mathcal{M}, w, \sigma \models \{\lambda x\, t.\ \varphi(x)\}$ iff $\mathcal{M}, w, \sigma[x \mapsto t_w] \models \varphi(x)$

6. $\mathcal{M}, w, \sigma \models t_1 = t_2$ iff $(\sigma \star I)(w, t_1) = (\sigma \star I)(w, t_2)$

7. $(a := t)_{\mathcal{M},\sigma} =_{\mathrm{def}} \{\langle w_1, w_2\rangle \mid I(w_2) = I(w_1)[a \mapsto t]\}$

8. $(p \cup q)_{\mathcal{M},\sigma} =_{\mathrm{def}} (p)_{\mathcal{M},\sigma} \cup (q)_{\mathcal{M},\sigma}$

9. $(p; q)_{\mathcal{M},\sigma} =_{\mathrm{def}} (p)_{\mathcal{M},\sigma} \circ (q)_{\mathcal{M},\sigma} = \{\langle w, w''\rangle \mid \exists w'.\ \langle w, w'\rangle \in (p)_{\mathcal{M},\sigma} \wedge \langle w', w''\rangle \in (q)_{\mathcal{M},\sigma}\}$

10. $(p^{*})_{\mathcal{M},\sigma} =_{\mathrm{def}}$ the reflexive and transitive closure of $(p)_{\mathcal{M},\sigma}$

11. $(\varphi?)_{\mathcal{M},\sigma} =_{\mathrm{def}} \{\langle w, w\rangle \mid \mathcal{M}, w, \sigma \models \varphi\}$

The interpretation of programs $(\cdot)_{\mathcal{M},\sigma}$ and the truth relation $\models$ are both completely determined by the structure $\mathcal{M}$ and the valuation $\sigma$.

In modal logic, an accessibility relation between worlds is often explicitly defined for every modal operator. Here, we can instead extract an accessibility relation from Definition 49 by stating that a world $w_2$ is $p$-accessible from $w_1$ if $\langle w_1, w_2\rangle \in (p)_{\mathcal{M},\sigma}$. It is easy to see that the $(a := t)$-accessibility relation is serial because of the seriality condition.

We state some simple properties of the truth relation.

Proposition 50

1. $\mathcal{M}, w, \sigma \models (\varphi \vee \psi)$ iff $\mathcal{M}, w, \sigma \models \varphi$ or $\mathcal{M}, w, \sigma \models \psi$.

2. $\mathcal{M}, w, \sigma \models [p]\varphi$ iff for all $w'$ such that $\langle w, w'\rangle \in (p)_{\mathcal{M},\sigma}$, $\mathcal{M}, w', \sigma \models \varphi$.

3. $\mathcal{M}, w, \sigma \models \langle p; q\rangle\varphi$ iff $\mathcal{M}, w, \sigma \models \langle p\rangle\langle q\rangle\varphi$.

4. $\mathcal{M}, w, \sigma \models \langle p \cup q\rangle\varphi$ iff $\mathcal{M}, w, \sigma \models (\langle p\rangle\varphi \vee \langle q\rangle\varphi)$.

5. $\mathcal{M}, w, \sigma \models \langle \psi?\rangle\varphi$ iff $\mathcal{M}, w, \sigma \models (\psi \wedge \varphi)$.

Proof. Most properties are trivial to prove. We prove 2 and 3.

2. $\mathcal{M}, w, \sigma \models [p]\varphi$ iff $\mathcal{M}, w, \sigma \models \neg\langle p\rangle\neg\varphi$ iff it is not the case that $\mathcal{M}, w, \sigma \models \langle p\rangle\neg\varphi$ iff there exists no $w'$ such that $\langle w, w'\rangle \in (p)_{\mathcal{M},\sigma}$ and $\mathcal{M}, w', \sigma \models \neg\varphi$ iff for all $w'$ such that $\langle w, w'\rangle \in (p)_{\mathcal{M},\sigma}$ we have $\mathcal{M}, w', \sigma \models \varphi$.

3. $\mathcal{M}, w, \sigma \models \langle p; q\rangle\varphi$ holds iff there exists a $w''$ such that $\langle w, w''\rangle \in (p; q)_{\mathcal{M},\sigma}$ and $\mathcal{M}, w'', \sigma \models \varphi$. This is true iff there exist $w'$ and $w''$ such that $\langle w, w'\rangle \in (p)_{\mathcal{M},\sigma}$, $\langle w', w''\rangle \in (q)_{\mathcal{M},\sigma}$ and $\mathcal{M}, w'', \sigma \models \varphi$, which is the same as saying that there exists $w'$ such that $\langle w, w'\rangle \in (p)_{\mathcal{M},\sigma}$ and $\mathcal{M}, w', \sigma \models \langle q\rangle\varphi$, which holds iff $\mathcal{M}, w, \sigma \models \langle p\rangle\langle q\rangle\varphi$.

$\Box$

Generalizing Propositions 50.3 and 50.4, we get the following equivalences.

$$\begin{array}{lcl}
\mathcal{M}, w, \sigma \models \langle p_1; \cdots; p_n\rangle\varphi & \text{iff} & \mathcal{M}, w, \sigma \models \langle p_1\rangle \cdots \langle p_n\rangle\varphi. \\
\mathcal{M}, w, \sigma \models \langle p_1 \cup \cdots \cup p_n\rangle\varphi & \text{iff} & \mathcal{M}, w, \sigma \models (\langle p_1\rangle\varphi \vee \cdots \vee \langle p_n\rangle\varphi).
\end{array}$$

Note that there is still a need for complex modal connectives to retain the expressiveness of the language, since formulas such as $\langle p?^{*}\rangle\varphi$ and $\langle (p; q)^{*}\rangle\varphi$ cannot be expressed without using operators for test, choice etc., see (Berman and Paterson 1981).

Definition 51 (Truth, satisfiability, validity, model, countermodel) Let $\mathcal{M} = \langle W, D, I\rangle$ be a structure and let $\varphi$ be a subscript-free formula.

1. $\varphi$ is true, holds, or is locally satisfied in world $w \in W$ under valuation $\sigma$ if $\mathcal{M}, w, \sigma \models \varphi$.

2. $\varphi$ is locally satisfiable in $\mathcal{M}$ if it is locally satisfied in some world of $\mathcal{M}$ under some valuation. It is locally satisfiable if there exists a structure in which it is locally satisfiable.

3. $\mathcal{M}$ is a model of $\varphi$ if $\varphi$ is locally satisfiable in $\mathcal{M}$.

4. $\mathcal{M}$ is a countermodel of $\varphi$ if there exist a world $w$ in $\mathcal{M}$ and a valuation $\sigma$ such that $\mathcal{M}, w, \sigma \models \varphi$ does not hold.

5. $\varphi$ is valid if it is true in every world of every structure under every valuation.

It is easy to see that a subscript-free formula $\varphi$ is valid iff no countermodel exists for $\varphi$, and it can be shown that $\varphi$ is locally satisfiable iff $\neg\varphi$ is non-valid.

Example 52 (Model) Consider the valid formula$^{2}$

$$\{\lambda x\, a.\ \langle a' := a\rangle\langle a := b\rangle\langle b := a'\rangle\ x = b\},$$

in the signature $\Sigma = \langle \emptyset, \emptyset, \{a, b, a'\}\rangle$. We consider a particular model $\mathcal{M}$ of the formula, and show that the formula holds in a world $w_1$. Let

$$\mathcal{M} = \langle \{w_1, \ldots, w_9\}, \{1, 2\}, I\rangle^{3}$$

where

$$\begin{array}{ll}
I(w_1) = \{(a, 1), (b, 2), \ldots\} & I(w_2) = \{(a, 1), (b, 2), (a', 1)\} \\
I(w_3) = \{(a, 2), (b, 2), (a', 1)\} & I(w_4) = \{(a, 2), (b, 1), (a', 1)\} \\
I(w_5) = \ldots \text{ (not interesting for the example)} &
\end{array}$$

Let $\sigma$ be an arbitrary valuation, and let $\sigma' =_{\mathrm{def}} \sigma[x \mapsto a_{w_1}]$. We show that $\mathcal{M}$ is a model of the formula.

$$\begin{array}{lcl}
\mathcal{M}, w_1, \sigma \models \{\lambda x\, a.\ \langle a' := a\rangle\langle a := b\rangle\langle b := a'\rangle\ x = b\} & \text{if} & \mathcal{M}, w_1, \sigma' \models \langle a' := a\rangle\langle a := b\rangle\langle b := a'\rangle\ x = b \\
& \text{if} & \mathcal{M}, w_2, \sigma' \models \langle a := b\rangle\langle b := a'\rangle\ x = b \\
& \text{if} & \mathcal{M}, w_3, \sigma' \models \langle b := a'\rangle\ x = b \\
& \text{if} & \mathcal{M}, w_4, \sigma' \models x = b
\end{array}$$

This is true, since we have $(\sigma' \star I)(w_4, x) = \sigma'(x) = \sigma[x \mapsto a_{w_1}](x) = (\sigma \star I)(w_1, a) = I(w_1, a) = 1 = I(w_4, b) = (\sigma' \star I)(w_4, b)$.

$^{2}$The formula intuitively says: "After the program $\mathrm{SWAP}(a, b)$ has been executed, $b$ has the same value as $a$ had before execution of the program."

$^{3}$The seriality condition implies that $\mathcal{M}$ has at least $2^3 = 8$ worlds, since we have 2 domain elements and 3 program variables, and every combination of values must be realised by some world. In general, a structure has at least as many states as the number of domain elements raised to the power of the number of program variables (more, if several worlds agree on all program variables). For our example, only 4 states of the structure are interesting, though.

Figure 12.1: Countermodel of $a = b \supset (\langle a := c\rangle\, a = c \supset \langle b := c\rangle\, a = c)$. [Figure: world $w_1$ ($a = b \neq c$) with an $a := c$ transition to $w_2$ ($a = c \neq b$) and a $b := c$ transition to $w_3$ ($b = c \neq a$).]

Example 53 (Countermodel) Consider the formula

$$a = b \supset (\langle a := c\rangle\, a = c \supset \langle b := c\rangle\, a = c)$$

in the signature $\Sigma = \langle \emptyset, \{c\}, \{a, b\}\rangle$. The following is a countermodel of the formula:

$$\mathcal{M} = \langle \{w_1, \ldots, w_4\}, \{1, 2\}, I\rangle, \quad \text{where } I(c) = 2 \text{ and}$$

$$\begin{array}{ll}
I(w_1) = \{(a, 1), (b, 1)\} & I(w_2) = \{(a, 2), (b, 1)\} \\
I(w_3) = \{(a, 1), (b, 2)\} & I(w_4) = \{(a, 2), (b, 2)\}
\end{array}$$

A picture of the countermodel is given in Figure 12.1 (not all transitions and worlds are shown). It is easy to see that for any valuation $\sigma$, $\mathcal{M}, w_1, \sigma \models a = b$ and $\mathcal{M}, w_1, \sigma \models \langle a := c\rangle\, a = c$ (via $w_2$), but $\mathcal{M}, w_1, \sigma \models \langle b := c\rangle\, a = c$ does not hold: the only $(b := c)$-successor of $w_1$ is $w_3$, where $a = 1 \neq 2 = c$.
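The following is an added example, not code from the thesis: a small Python model checker that implements Definition 49 over finite structures. Worlds are tuples of domain values, one per program variable, so the seriality condition of Definition 48 holds by construction. The tuple encodings of terms, formulas and programs, the class and function names, the initial worlds and the interpretations chosen for $f$ and $c$ are my assumptions. It re-checks Example 52 (the SWAP specification holds in every world), Example 53 (the formula fails at $w_1$), the claim of Section 11.2 that a constant interpretation of $f$ falsifies the "never equal" formula, and, for the WHILE construct of Section 11.2, that $[\mathrm{WHILE}\ (\varphi)\ \mathrm{DO}\ (p)]\neg\varphi$ holds in every world because of the exit test.

```python
# Added example (not from the thesis): a model checker for the basic semantics
# of Definition 49 over finite structures.  Encodings and all names are my own.
from itertools import product

# Terms:    ('pv', a) program variable, ('lv', x) logic variable, ('fn', f, (t1..tn)) (n = 0: constant)
# Formulas: ('P', name, terms), ('eq', t1, t2), ('and', f, g), ('not', f), ('dia', p, f) for <p>f,
#           ('lam', x, t, f) for {lambda x t. f}
# Programs: ('assign', a, t), ('seq', p, q), ('choice', p, q), ('star', p), ('test', f)

class Structure:
    def __init__(self, domain, pvars, rels=None, funcs=None):
        self.D, self.pvars = list(domain), list(pvars)
        self.idx = {a: i for i, a in enumerate(self.pvars)}
        self.rels, self.funcs = rels or {}, funcs or {}
        # W = D^P: one world per assignment of values to program variables (seriality holds).
        self.W = list(product(self.D, repeat=len(self.pvars)))

    def term(self, w, sigma, t):
        """(sigma * I)(w, t) of Definition 46."""
        if t[0] == 'lv':
            return sigma[t[1]]
        if t[0] == 'pv':
            return w[self.idx[t[1]]]
        return self.funcs[t[1]](*(self.term(w, sigma, s) for s in t[2]))

    def run(self, sigma, p):
        """(p)_{M,sigma} of Definition 49, as a set of (w1, w2) pairs."""
        kind = p[0]
        if kind == 'assign':      # I(w2) = I(w1)[a -> t], with t evaluated in w1
            i = self.idx[p[1]]
            return {(w, w[:i] + (self.term(w, sigma, p[2]),) + w[i + 1:]) for w in self.W}
        if kind == 'seq':         # relational composition
            r, s = self.run(sigma, p[1]), self.run(sigma, p[2])
            return {(w, w2) for (w, w1) in r for (u, w2) in s if u == w1}
        if kind == 'choice':
            return self.run(sigma, p[1]) | self.run(sigma, p[2])
        if kind == 'test':
            return {(w, w) for w in self.W if self.holds(w, sigma, p[1])}
        if kind == 'star':        # reflexive transitive closure by fixpoint iteration
            r, closure = self.run(sigma, p[1]), {(w, w) for w in self.W}
            while True:
                step = {(w, w2) for (w, w1) in closure for (u, w2) in r if u == w1}
                if step <= closure:
                    return closure
                closure |= step
        raise ValueError(kind)

    def holds(self, w, sigma, phi):
        """M, w, sigma |= phi (Definition 49, clauses 1-6)."""
        kind = phi[0]
        if kind == 'P':
            return tuple(self.term(w, sigma, t) for t in phi[2]) in self.rels[phi[1]]
        if kind == 'eq':
            return self.term(w, sigma, phi[1]) == self.term(w, sigma, phi[2])
        if kind == 'and':
            return self.holds(w, sigma, phi[1]) and self.holds(w, sigma, phi[2])
        if kind == 'not':
            return not self.holds(w, sigma, phi[1])
        if kind == 'dia':
            return any(self.holds(w2, sigma, phi[2]) for (w1, w2) in self.run(sigma, phi[1]) if w1 == w)
        if kind == 'lam':         # bind x to the value t has in the current world
            return self.holds(w, {**sigma, phi[1]: self.term(w, sigma, phi[2])}, phi[3])
        raise ValueError(kind)

    def valid(self, phi):
        """True iff the closed formula phi holds in every world of this structure."""
        return all(self.holds(w, {}, phi) for w in self.W)

# Derived connectives and programs (Sections 11.1 and 11.2).
def pv(a): return ('pv', a)
def lv(x): return ('lv', x)
def fn(f, *ts): return ('fn', f, tuple(ts))
def imp(f, g): return ('not', ('and', f, ('not', g)))
def box(p, f): return ('not', ('dia', p, ('not', f)))
def seq(*ps): return ps[0] if len(ps) == 1 else ('seq', ps[0], seq(*ps[1:]))
def if_then_else(f, p1, p2): return ('choice', ('seq', ('test', f), p1), ('seq', ('test', ('not', f)), p2))
def while_do(f, p): return ('seq', ('star', ('seq', ('test', f), p)), ('test', ('not', f)))

# Example 52: after SWAP(a, b), b holds the value a had before; valid in every world.
SWAP = seq(('assign', "a'", pv('a')), ('assign', 'a', pv('b')), ('assign', 'b', pv("a'")))
SWAP_SPEC = ('lam', 'x', pv('a'), ('dia', SWAP, ('eq', lv('x'), pv('b'))))
swap_model = Structure([1, 2], ['a', 'b', "a'"])

# Example 53: a = b does not license substituting b for a inside <a := c>.
A_EQ_C = ('eq', pv('a'), fn('c'))
LVALUE = imp(('eq', pv('a'), pv('b')),
             imp(('dia', ('assign', 'a', fn('c')), A_EQ_C), ('dia', ('assign', 'b', fn('c')), A_EQ_C)))
counter = Structure([1, 2], ['a', 'b'], funcs={'c': lambda: 2})   # I(c) = 2
w1 = (1, 1)                                                      # I(w1) = {(a, 1), (b, 1)}

# Section 11.2: with f a constant function, iterating (a := f(a); b := f(b)) can make
# a and b equal, so the "never equal" formula is not valid.
LOOP = ('star', seq(('assign', 'a', fn('f', pv('a'))), ('assign', 'b', fn('f', pv('b')))))
NEVER_EQUAL = imp(('not', ('eq', pv('a'), pv('b'))), ('not', ('dia', LOOP, ('eq', pv('a'), pv('b')))))
const_f = Structure([1, 2], ['a', 'b'], funcs={'f': lambda d: 1})

# WHILE (a != c) DO (a := f(a)) with f(1) = 2, f(2) = 1: it can only stop once a = c.
COUNT_UP = while_do(('not', A_EQ_C), ('assign', 'a', fn('f', pv('a'))))
cyc = Structure([1, 2], ['a'], funcs={'c': lambda: 2, 'f': lambda d: 3 - d})
```

`swap_model.valid(SWAP_SPEC)` is `True`, `counter.holds(w1, {}, LVALUE)` is `False` (exactly the countermodel of Example 53), `const_f.holds((1, 2), {}, NEVER_EQUAL)` is `False`, and `cyc.valid(box(COUNT_UP, A_EQ_C))` is `True`. Computing the whole relation $(p)_{\mathcal{M},\sigma}$ is only feasible because $W = D^{\mathcal{P}}$ is finite; the star case is the usual least-fixpoint iteration, which terminates because the relation can only grow.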

12.2 EXTENDED SEMANTICS

The interpretations of relation symbols, function symbols, program variables and terms are extended to subscripted terms, and we define satisfiability for sets of prefixed formulas.

Definition 54 (Prefix mapping) Let $\mathcal{M} = \langle W, D, I\rangle$ be a structure. A prefix mapping for $\mathcal{M}$ is any total mapping $\pi$ from prefixes to $W$ such that for any two prefixes $\tau$ and $\tau[a := t]$,

$$I(\pi(\tau[a := t])) = I(\pi(\tau))[a \mapsto t].$$

It is easy to see that for any prefix mapping $\pi$ for $\mathcal{M}$, prefixes $\tau$, $\tau[a := t]$ and valuation $\sigma$, we have $\langle \pi(\tau), \pi(\tau[a := t])\rangle \in (a := t)_{\mathcal{M},\sigma}$.

Definition 55 (Extended interpretation) Let $\mathcal{M} = \langle W, D, I\rangle$ be a structure. Then the extended interpretation with respect to a prefix mapping $\pi$ for $\mathcal{M}$ and interpretation $I$ is the function $I_\pi$ from relation symbols, function symbols and $\langle w, a\rangle$-pairs (where $w$ is a world and $a$ is a subscripted program variable, the pairs being mapped to the domain $D$) such that

1. $I_\pi(P) = I(P)$, for each relation symbol $P \in \mathcal{R}$,

2. $I_\pi(f) = I(f)$, for each function symbol $f \in \mathcal{F}$,

3. $I_\pi(w, a) = I(w, a)$, for each non-fixed program variable $a \in \mathcal{P}$, and

4. $I_\pi(w, a_\tau) = I(\pi(\tau), a)$, for each fixed program variable $a_\tau$, where $a \in \mathcal{P}$.

The interpretation of subscripted terms $(\sigma \star I_\pi)$ is defined by

$$(\sigma \star I_\pi)(w, t) =_{\mathrm{def}} \begin{cases}
\sigma(t), & \text{if } t \text{ is a logic variable} \\
I_\pi(w, t), & \text{if } t \text{ is a (fixed or non-fixed) program variable} \\
I_\pi(f)((\sigma \star I_\pi)(w, t_1), \ldots, (\sigma \star I_\pi)(w, t_n)), & \text{if } t \equiv f(t_1, \ldots, t_n) \text{ and } n \geq 0
\end{cases}$$

Updates of extended interpretations are defined similarly to updates of interpretations. For any non-fixed program variable $a$ and subscript-free term $t$, let $I_\pi(w)[a \mapsto t]$ be the function from the set of subscripted program variables to the domain $D$, defined by

$$I_\pi(w)[a \mapsto t](b) =_{\mathrm{def}} \begin{cases}
(\sigma \star I_\pi)(w, t), & \text{if } b \equiv a \\
I_\pi(w, b), & \text{if } b \not\equiv a \\
I_\pi(w, b), & \text{if } b \text{ is a fixed program variable}
\end{cases}$$

For any fixed program variable $b_\tau$ (including $a_\tau$), we have $I_\pi(w)[a \mapsto t](b_\tau) = I(\pi(\tau), b)$.

If an extended interpretation agrees on all program variables in two different worlds, then the interpretation of subscripted terms agrees on all terms in those two worlds.

Proposition 56 Suppose that $\mathcal{M} = \langle W, D, I\rangle$ is a structure, $\pi$ is a prefix mapping for $\mathcal{M}$, and $w_1, w_2 \in W$. If $I_\pi(w_1) = I_\pi(w_2)$, then for any valuation $\sigma$ and subscripted term $t$, $(\sigma \star I_\pi)(w_1, t) = (\sigma \star I_\pi)(w_2, t)$.

Proof. By induction on the structure of $t$.

$a$. If $t$ is a non-fixed program variable $a$, then $(\sigma \star I_\pi)(w_1, a) = I_\pi(w_1, a) = I_\pi(w_2, a) = (\sigma \star I_\pi)(w_2, a)$.

$a_\tau$. If $t$ is a fixed program variable $a_\tau$, then $(\sigma \star I_\pi)(w_1, a_\tau) = I_\pi(w_1, a_\tau) = I(\pi(\tau), a) = I_\pi(w_2, a_\tau) = (\sigma \star I_\pi)(w_2, a_\tau)$.

$x$. If $t$ is a logic variable $x$, then $(\sigma \star I_\pi)(w_1, x) = \sigma(x) = (\sigma \star I_\pi)(w_2, x)$.

$f$. If $t$ is a subscripted term $f(t_1, \ldots, t_n)$, with $n \geq 0$, then

$$(\sigma \star I_\pi)(w_1, f(t_1, \ldots, t_n)) = I_\pi(f)((\sigma \star I_\pi)(w_1, t_1), \ldots, (\sigma \star I_\pi)(w_1, t_n)),$$

which by the induction hypothesis is equal to

$$I_\pi(f)((\sigma \star I_\pi)(w_2, t_1), \ldots, (\sigma \star I_\pi)(w_2, t_n)) = (\sigma \star I_\pi)(w_2, f(t_1, \ldots, t_n)).$$

$\Box$

The interpretation of a subscripted term $t$ in the world $\pi(\tau)$ is the same as the interpretation of $t@\tau$ in any world, which we state as the following proposition.

Proposition 57 Suppose that $\mathcal{M} = \langle W, D, I\rangle$ is a structure and that $\pi$ is a prefix mapping for $\mathcal{M}$. Then, for any subscripted term $t$, prefix $\tau$, and world $w \in W$, we have $(\sigma \star I_\pi)(w, t@\tau) = (\sigma \star I_\pi)(\pi(\tau), t)$.

Proof. By induction on the structure of $t$.

$a$. If $t$ is a non-fixed program variable $a$, then $(\sigma \star I_\pi)(w, a@\tau) = (\sigma \star I_\pi)(w, a_\tau) = I_\pi(w, a_\tau) = I(\pi(\tau), a) = (\sigma \star I_\pi)(\pi(\tau), a)$.

$a_{\tau'}$. If $t$ is a fixed program variable $a_{\tau'}$, then $(\sigma \star I_\pi)(w, a_{\tau'}@\tau) = (\sigma \star I_\pi)(w, a_{\tau'}) = I_\pi(w, a_{\tau'}) = I(\pi(\tau'), a) = I_\pi(\pi(\tau), a_{\tau'})$, which, finally, is equal to $(\sigma \star I_\pi)(\pi(\tau), a_{\tau'})$.

$x$. If $t$ is a logic variable $x$, then $(\sigma \star I_\pi)(w, x@\tau) = (\sigma \star I_\pi)(w, x) = \sigma(x) = (\sigma \star I_\pi)(\pi(\tau), x)$.

$f$. If $t$ is a subscripted term $f(t_1, \ldots, t_n)$, where $n \geq 0$, then

$$(\sigma \star I_\pi)(w, f(t_1, \ldots, t_n)@\tau) = I_\pi(f)((\sigma \star I_\pi)(w, t_1@\tau), \ldots, (\sigma \star I_\pi)(w, t_n@\tau)),$$

which by the induction hypothesis is equal to

$$I_\pi(f)((\sigma \star I_\pi)(\pi(\tau), t_1), \ldots, (\sigma \star I_\pi)(\pi(\tau), t_n)) = (\sigma \star I_\pi)(\pi(\tau), f(t_1, \ldots, t_n)).$$

$\Box$
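As an added example (not code from the thesis), the following Python code makes Definitions 40, 54 and 55 and Proposition 57 concrete on a finite structure of the kind used in Examples 52 and 53. A prefix is a tuple of $(a, t)$ pairs standing for $[a_1 := t_1] \cdots [a_n := t_n]$; the prefix mapping $\pi$ is computed by executing the assignments of the prefix from a chosen initial world (the one named by $\epsilon$), which is the unique mapping satisfying Definition 54 once $\pi(\epsilon)$ is fixed; `at(t, tau)` computes $t@\tau$; and `prop57_holds` checks the equation of Proposition 57 over every world. The term encoding, the binary function $g$, the initial world and all names are my assumptions.

```python
# Added example (not from the thesis): prefixes as state names (Definitions 40,
# 54 and 55) checked on a finite structure.  Encodings and names are my own.
from itertools import product

# Subscripted terms: ('pv', a) non-fixed program variable, ('pv', a, tau) the
# fixed variable a_tau, ('lv', x) logic variable, ('fn', f, (t1, ..., tn)).
# A prefix tau is a tuple of (a, t) pairs standing for [a1 := t1]...[an := tn],
# where each t is a ground, subscript-free term (Definition 38).


def at(t, tau):
    """t@tau (Definition 40): subscript every non-fixed program variable with tau."""
    if t[0] == 'pv':
        return t if len(t) == 3 else ('pv', t[1], tau)
    if t[0] == 'fn':
        return ('fn', t[1], tuple(at(s, tau) for s in t[2]))
    return t                      # logic variables are left untouched


class PrefixedStructure:
    def __init__(self, domain, pvars, funcs, initial):
        self.pvars, self.funcs = list(pvars), funcs
        self.idx = {a: i for i, a in enumerate(self.pvars)}
        self.W = list(product(list(domain), repeat=len(self.pvars)))   # D^P, hence serial
        self.initial = initial    # the world named by the empty prefix epsilon

    def pi(self, tau):
        """Prefix mapping (Definition 54): pi(tau[a := t]) = I(pi(tau))[a -> t]."""
        w = self.initial
        for a, t in tau:
            i = self.idx[a]
            w = w[:i] + (self.eval(w, {}, t),) + w[i + 1:]   # t is ground, evaluated in pi(tau)
        return w

    def eval(self, w, sigma, t):
        """(sigma * I_pi)(w, t) of Definition 55."""
        if t[0] == 'lv':
            return sigma[t[1]]
        if t[0] == 'pv':
            # non-fixed a: read in w; fixed a_tau: read in pi(tau), whatever w is
            world = w if len(t) == 2 else self.pi(t[2])
            return world[self.idx[t[1]]]
        return self.funcs[t[1]](*(self.eval(w, sigma, s) for s in t[2]))

    def prop57_holds(self, t, tau, sigma=None):
        """Proposition 57: (sigma * I_pi)(w, t@tau) == (sigma * I_pi)(pi(tau), t) for all w."""
        sigma = sigma or {}
        rhs = self.eval(self.pi(tau), sigma, t)
        return all(self.eval(w, sigma, at(t, tau)) == rhs for w in self.W)


# The SWAP program of Example 52 as a prefix, over domain {1, 2}, with a = 1, b = 2 in
# the initial world (the value of a' there is irrelevant; 2 is an arbitrary choice).
EPS = ()
SWAP_PREFIX = (("a'", ('pv', 'a')), ('a', ('pv', 'b')), ('b', ('pv', "a'")))
M = PrefixedStructure([1, 2], ['a', 'b', "a'"], {'g': lambda d, e: (d + e) % 2 + 1}, initial=(1, 2, 2))

# The prefixed formula  SWAP_PREFIX : b = a_eps  ("b after the swap equals a before it")
# holds in every world, because both sides are fixed terms and so world-independent.
B_AFTER, A_BEFORE = ('pv', 'b', SWAP_PREFIX), ('pv', 'a', EPS)
swap_correct = all(M.eval(w, {}, B_AFTER) == M.eval(w, {}, A_BEFORE) for w in M.W)

# A mixed term g(a, b_eps): the non-fixed a gets subscripted by @, the fixed b_eps does not.
T = ('fn', 'g', (('pv', 'a'), ('pv', 'b', EPS)))
```

`M.pi(SWAP_PREFIX)` is `(2, 1, 1)`, `swap_correct` is `True`, and `M.prop57_holds(T, SWAP_PREFIX)` is `True`: evaluating $g(a, b_\epsilon)@\tau = g(a_\tau, b_\epsilon)$ gives the same value in every world as evaluating $g(a, b_\epsilon)$ in $\pi(\tau)$. The contrast the text draws between $a_\epsilon$ and the subscript-free $a$ is visible in `eval`: the former ignores the world argument entirely, the latter reads it.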


Definition 58 (Interpretation of programs, truth relation) Given a structure $\mathcal{M} = \langle \mathcal{W}, \mathcal{D}, I \rangle$ and a prefix mapping $\sigma$ for $\mathcal{M}$, we define a new interpretation of programs $(\cdot)_{\mathcal{M},\nu,\sigma}$ and a new truth relation $\models_\sigma$ for formulas and programs in the same way as $\models$ and $(\cdot)_{\mathcal{M},\nu}$ are defined for subscript-free formulas and programs in Definition 49, except that every occurrence of $(\nu \star I)$ is replaced by $(\nu \star I_\sigma)$, every $\models$ by $\models_\sigma$, and every $(\cdot)_{\mathcal{M},\nu}$ by $(\cdot)_{\mathcal{M},\nu,\sigma}$.

For any subscript-free formula $\varphi$, it is easy to see that $\mathcal{M}, w, \nu \models \varphi$ iff $\mathcal{M}, w, \nu \models_\sigma \varphi$ (by induction on $\varphi$). But if $\varphi$ contains fixed program variables, then the interpretation of these program variables depends on the prefix mapping $\sigma$.

Note that $\models_\sigma$ is a relation between structures, worlds, valuations and formulas. To express that the prefixed formula $\tau : \varphi$ holds in structure $\mathcal{M}$ under valuation $\nu$ and prefix mapping $\sigma$, we write $\mathcal{M}, \sigma(\tau), \nu \models_\sigma \varphi$.

Proposition 59 Suppose that $I$ is an interpretation in some structure $\mathcal{M}$ and that $\sigma$ is a prefix mapping for $\mathcal{M}$. Then $I_\sigma(w_1) = I_\sigma(w_2)$ implies that for any expression $E$ (formula or program) and valuation $\nu$, we have

1. if $E$ is a formula, then $\mathcal{M}, w_1, \nu \models_\sigma E$ implies $\mathcal{M}, w_2, \nu \models_\sigma E$, and

2. if $E$ is a program, then for all worlds $w'_1$ in $\mathcal{M}$, if $\langle w_1, w'_1 \rangle \in (E)_{\mathcal{M},\nu,\sigma}$, then there exists a $w'_2$ such that $\langle w_2, w'_2 \rangle \in (E)_{\mathcal{M},\nu,\sigma}$ and $I_\sigma(w'_1) = I_\sigma(w'_2)$.

Proof. By induction on the structure of $E$. Most cases are trivial; we show the most interesting ones. (The case for $=$ is similar to $P$. The cases $\wedge$, $\neg$, $\lambda$, $;$ and $\cup$ are all trivial applications of the induction hypothesis.)

P. $\mathcal{M}, w_1, \nu \models_\sigma P(t_1, \ldots, t_n)$ iff $\langle (\nu \star I_\sigma)(w_1, t_1), \ldots, (\nu \star I_\sigma)(w_1, t_n) \rangle \in I(P)$. By Proposition 56, we have for each $i$ that $(\nu \star I_\sigma)(w_1, t_i) = (\nu \star I_\sigma)(w_2, t_i)$, which gives us $\mathcal{M}, w_2, \nu \models_\sigma P(t_1, \ldots, t_n)$.

$\Diamond$. $\mathcal{M}, w_1, \nu \models_\sigma \langle p \rangle \varphi$ iff there exists $w'_1 \in \mathcal{W}$ such that $\langle w_1, w'_1 \rangle \in (p)_{\mathcal{M},\nu,\sigma}$ and $\mathcal{M}, w'_1, \nu \models_\sigma \varphi$. By the induction hypothesis (part 2), there exists a world $w'_2$ such that $\langle w_2, w'_2 \rangle \in (p)_{\mathcal{M},\nu,\sigma}$ and $I_\sigma(w'_1) = I_\sigma(w'_2)$. Then, by applying the induction hypothesis (part 1) again, we get $\mathcal{M}, w'_2, \nu \models_\sigma \varphi$. Thus $\mathcal{M}, w_2, \nu \models_\sigma \langle p \rangle \varphi$.

:=. Suppose $\langle w_1, w'_1 \rangle \in (a := t)_{\mathcal{M},\nu,\sigma}$. Then $I_\sigma(w'_1) = I_\sigma(w_1)[a \mapsto t]$. But, since $I_\sigma(w_1) = I_\sigma(w_2)$, we have $I_\sigma(w_1)[a \mapsto t] = I_\sigma(w_2)[a \mapsto t]$. Then there exists $w'_2$ (namely $w'_1$) such that $\langle w_2, w'_2 \rangle \in (a := t)_{\mathcal{M},\nu,\sigma}$ and $I_\sigma(w'_1) = I_\sigma(w'_2)$.

$*$. Suppose $\langle w_1, w_1^n \rangle \in (p^*)_{\mathcal{M},\nu,\sigma}$. Then there exists a sequence of worlds $w_1, w_1^1, \ldots, w_1^n$ such that each pair of consecutive worlds in the sequence is a member of the relation $(p)_{\mathcal{M},\nu,\sigma}$. Using the induction hypothesis, we get that there exists a world $w_2^1$ such that $\langle w_2, w_2^1 \rangle \in (p)_{\mathcal{M},\nu,\sigma}$ and $I_\sigma(w_1^1) = I_\sigma(w_2^1)$. Continuing in the same fashion $n - 1$ times, we get that $\langle w_2, w_2^n \rangle \in (p^*)_{\mathcal{M},\nu,\sigma}$ and $I_\sigma(w_1^n) = I_\sigma(w_2^n)$.

?. Suppose $\langle w_1, w'_1 \rangle \in (\varphi?)_{\mathcal{M},\nu,\sigma}$. Then $w_1 = w'_1$ and $\mathcal{M}, w_1, \nu \models_\sigma \varphi$. By the induction hypothesis, we get $\mathcal{M}, w_2, \nu \models_\sigma \varphi$. Then there exists a $w'_2$ (namely $w_2$) such that $\langle w_2, w'_2 \rangle \in (\varphi?)_{\mathcal{M},\nu,\sigma}$ and $I_\sigma(w'_1) = I_\sigma(w'_2)$. $\Box$

We define when a set of prefixed formulas is satisfiable.

Definition 60 (Satisfiability, validity for sets of prefixed formulas) Let $S$ be a set of prefixed formulas. Then $S$ is satisfiable in structure $\mathcal{M}$ under valuation $\nu$ if there exists a prefix mapping $\sigma$ for $\mathcal{M}$ such that
$$\text{for every } \tau : \varphi \in S, \text{ we have } \mathcal{M}, \sigma(\tau), \nu \models_\sigma \varphi.$$

$S$ is satisfiable in structure $\mathcal{M}$ if there exists a valuation under which $S$ is satisfiable in $\mathcal{M}$. $S$ is satisfiable if it is satisfiable in some structure.

$S$ is valid if for every structure $\mathcal{M}$, valuation $\nu$ and prefix mapping $\sigma$ for $\mathcal{M}$, we have
$$\text{for every } \tau : \varphi \in S, \text{ that } \mathcal{M}, \sigma(\tau), \nu \models_\sigma \varphi.$$

There is a close correspondence between Definition 51 and Definition 60, which we formulate in the following proposition.

Proposition 61 Let $\varphi$ be a subscript-free formula. Then $\varphi$ is locally satisfiable iff $\{\epsilon : \varphi\}$ is satisfiable, and $\varphi$ is valid iff $\{\epsilon : \varphi\}$ is valid.

Proof. When a subscript-free formula $\varphi$ is locally satisfiable, there exist a structure $\mathcal{M}$, a world $w$ in $\mathcal{M}$ and a valuation $\nu$ such that $\mathcal{M}, w, \nu \models \varphi$. Take any prefix mapping $\sigma$ for $\mathcal{M}$ such that $\sigma(\epsilon) = w$.$^4$ Then it is easy to prove by induction that $\mathcal{M}, w, \nu \models \varphi$ iff $\mathcal{M}, \sigma(\epsilon), \nu \models_\sigma \varphi$. For the other direction, let $w = \sigma(\epsilon)$.

$^4$It is easy to construct such a prefix mapping for any structure $\mathcal{M}$. Let $\sigma(\epsilon) = w$. For any prefix of the form $[a := t]$, let $\sigma([a := t])$ be any world $w'$ such that $I(w') = I(w)[a \mapsto t]$. The world $w'$ must exist in $\mathcal{M}$, since $\mathcal{M}$ satisfies the seriality condition. Continue inductively in the same way for longer prefixes.


A subscript-free formula $\varphi$ is valid iff $\neg\varphi$ is not locally satisfiable. By the previous paragraph, $\neg\varphi$ is not locally satisfiable iff $\{\epsilon : \neg\varphi\}$ is not satisfiable. By Definition 60 above, $\{\epsilon : \neg\varphi\}$ is not satisfiable iff $\{\epsilon : \varphi\}$ is valid. $\Box$


Chapter 13

Tableau calculi

We introduce a calculus for the logic.

Definition 62 (Branch extension rule, premise, conclusion) The branch extension rules are given in Figure 13.1. They are all of the form
$$\frac{S_1 \;\cdots\; S_n}{T_1 \mid \cdots \mid T_m}$$
where the $S_i$'s are prefixed formulas and the $T_j$'s are sets of prefixed formulas. The $S_i$'s are called the premises of the rule and the $T_j$'s are called the conclusions of the rule.

The intuition behind the extension rules is that whenever the premises $S_1, \ldots, S_n$ are jointly satisfiable, then so are all formulas of some conclusion $T_j$.

The propositional rules and the rules for composition, test and choice are standard. The scoping rules are the same as in (Fitting and Mendelsohn 1998). The conclusion of the assignment rules is a prefixed formula saying that $\varphi$ (or $\neg\varphi$) holds in the new state named $\tau[a := t]$.

For equality we have the substitutivity rules. In these rules every occurrence of the fixed term $t_1$ is replaced with the fixed term $t_2$.

There are two axioms. The first tells us that the value of $a$ in state $\tau[a := t]$ is the value $t$ had in state $\tau$. The second is a persistency axiom: an assignment to a program variable $b$ does not affect the value of any other program variable.

Definition 63 (Tableau derivation, branch) A tableau derivation, or simply tableau, for a closed prefixed formula $\tau : \varphi$ is a (possibly infinite) tree of prefixed formulas, constructed in the following way.

1. First, add $\tau : \varphi$ to the tree. This will be called the root node.


2. Then take any leaf node in the tree such that the prefixed formulas $S_1, \ldots, S_n$ belong to the path from this leaf to the root and there exists a branch extension rule of the form
$$\frac{S_1 \;\cdots\; S_n}{T_1 \mid \cdots \mid T_m}$$
and add $T_1, \ldots, T_m$ as linear paths of formulas anchored at the node.

We will identify a branch $B$ of a tableau with the set of prefixed formulas in it. When we have a prefixed formula $\tau : \varphi \in B$, we say that $\tau : \varphi$ occurs in branch $B$.

The following proposition is easily proved by induction on the length of the derivation.

Proposition 64 If $\tau : \varphi$ is a closed prefixed formula, then every prefixed formula in a tableau derivation for $\tau : \varphi$ is closed too.

Definition 65 (Closed tableau, tableau proof) A tableau branch $B$ is closed if there exists either

1. a formula $\varphi$, such that both $\tau : \varphi$ and $\tau : \neg\varphi$ occur in $B$, or

2. a prefixed formula $\tau : \neg\, t = t$ in $B$.

A branch is open if it is not closed. A tableau is closed if every branch in it is closed. A closed tableau for the closed prefixed formula $\epsilon : \neg\varphi$ is also called a tableau proof of $\varphi$, or simply a proof (every proof in the figures below therefore starts from the negation of the formula proved).

It is easy to see that any tableau proof can be transformed into a tableau proof with finite branches. Then, since every branch of the new proof is finite and every rule in Figure 13.1 is finitely branching, by König's Lemma the new proof must be finite.

So, if there exists a tableau proof using the rules of Figure 13.1, then there exists a finite proof.

Definition 66 (New, present) A prefix $\tau$ is present in a branch $B$ if there exists a formula $\varphi$ such that $\tau : \varphi \in B$. A prefix $\tau$ is new for a branch $B$ if it is not present.


Propositional rules

(∧) $\dfrac{\tau : (\varphi \wedge \psi)}{\tau : \varphi \quad \tau : \psi}$

(¬∧) $\dfrac{\tau : \neg(\varphi \wedge \psi)}{\tau : \neg\varphi \;\mid\; \tau : \neg\psi}$

(¬¬) $\dfrac{\tau : \neg\neg\varphi}{\tau : \varphi}$

Rules for composition, test and choice

(;) $\dfrac{\tau : \langle p ; q \rangle \varphi}{\tau : \langle p \rangle \langle q \rangle \varphi}$

(?) $\dfrac{\tau : \langle \psi ? \rangle \varphi}{\tau : \varphi \quad \tau : \psi}$

(∪) $\dfrac{\tau : \langle p \cup q \rangle \varphi}{\tau : \langle p \rangle \varphi \;\mid\; \tau : \langle q \rangle \varphi}$

(¬;) $\dfrac{\tau : \neg\langle p ; q \rangle \varphi}{\tau : \neg\langle p \rangle \langle q \rangle \varphi}$

(¬?) $\dfrac{\tau : \neg\langle \psi ? \rangle \varphi}{\tau : \neg\psi \;\mid\; \tau : \neg\varphi}$

(¬∪) $\dfrac{\tau : \neg\langle p \cup q \rangle \varphi}{\tau : \neg\langle p \rangle \varphi \quad \tau : \neg\langle q \rangle \varphi}$

Scoping rules

(λ) $\dfrac{\tau : \{\lambda x\, t.\ \varphi(x)\}}{\tau : \varphi(t@\tau)}$

(¬λ) $\dfrac{\tau : \neg\{\lambda x\, t.\ \varphi(x)\}}{\tau : \neg\varphi(t@\tau)}$

Assignment rules

(◇) $\dfrac{\tau : \langle a := t \rangle \varphi}{\tau[a := t] : \varphi}$

(¬◇) $\dfrac{\tau : \neg\langle a := t \rangle \varphi}{\tau[a := t] : \neg\varphi}$

Equality rules

(=L) $\dfrac{\tau : t_1 = t_2 \quad \tau : \varphi(t_1)}{\tau : \varphi(t_2)}$ where $t_1$ and $t_2$ are fixed.

(=R) $\dfrac{\tau : t_2 = t_1 \quad \tau : \varphi(t_1)}{\tau : \varphi(t_2)}$ where $t_1$ and $t_2$ are fixed.

Axioms

(=1) $\tau : a_{\tau[a := t]} = t@\tau$

(=2) $\tau : a_{\tau[b := t]} = a_\tau$ where $a \not\equiv b$.

Fix rules

(P@) $\dfrac{\tau : P(t_1, \ldots, t_n)}{\tau : P(t_1@\tau, \ldots, t_n@\tau)}$

(¬P@) $\dfrac{\tau : \neg P(t_1, \ldots, t_n)}{\tau : \neg P(t_1@\tau, \ldots, t_n@\tau)}$

(=@) $\dfrac{\tau : t_1 = t_2}{\tau : t_1@\tau = t_2@\tau}$

(¬=@) $\dfrac{\tau : \neg\, t_1 = t_2}{\tau : \neg\, t_1@\tau = t_2@\tau}$

Star rules

(*) $\dfrac{\tau : \langle p^* \rangle \varphi}{\tau : \varphi \;\mid\; \tau : \neg\varphi \quad \tau : \langle p^* \rangle \langle p \rangle \varphi}$

(¬*) $\dfrac{\tau : \neg\langle p^* \rangle \varphi}{\tau : \neg\varphi \quad \tau : \neg\langle p^* \rangle \langle p \rangle \varphi}$

Figure 13.1: The basic tableau system. Each rule is written with its premises above the line and its conclusions below; formulas separated by a space in a conclusion belong to the same branch, and $\mid$ separates alternative branches.


(1) $\epsilon : \neg\{\lambda x\, b.\ \neg\langle a := b \rangle \neg\, x = a\}$ (assumed)
(2) $\epsilon : \neg\neg\langle a := b \rangle \neg\, b_\epsilon = a$ (from 1 by (¬λ))
(3) $\epsilon : \langle a := b \rangle \neg\, b_\epsilon = a$ (from 2 by (¬¬))
(4) $\tau_1 : \neg\, b_\epsilon = a$ (from 3 by (◇))
(5) $\epsilon : a_{\tau_1} = b_\epsilon$ (by (=1))
(6) $\epsilon : \neg\, b_\epsilon = a_{\tau_1}$ (from 4 by (¬=@))
(7) $\epsilon : \neg\, b_\epsilon = b_\epsilon$ (from 5 and 6 by (=L))
× (closed by 7)

where $\tau_1 \equiv [a := b]$.

Figure 13.2: Proof of $\{\lambda x\, b.\ [a := b]\, x = a\}$

13.1 DERIVABLE RULES

Any branch containing $\tau : \neg\top$ or $\tau : \bot$ can be extended to a closed branch. In the future we will use the rules below, but it is easy to see that any proof using these rules can be rewritten to a proof using only the rules of Figure 13.1.

(∨) $\dfrac{\tau : (\varphi \vee \psi)}{\tau : \varphi \;\mid\; \tau : \psi}$

(¬∨) $\dfrac{\tau : \neg(\varphi \vee \psi)}{\tau : \neg\varphi \quad \tau : \neg\psi}$

(⊃) $\dfrac{\tau : (\varphi \supset \psi)}{\tau : \neg\varphi \;\mid\; \tau : \psi}$

(¬⊃) $\dfrac{\tau : \neg(\varphi \supset \psi)}{\tau : \varphi \quad \tau : \neg\psi}$

13.2 EXAMPLE PROOFS

Example 67 (Fundamental properties of assignments) Whenever a program variable is assigned to another, the value of the updated program variable is equal to the value the other program variable had before the assignment:
$$\{\lambda x\, b.\ [a := b]\, x = a\}.$$

Since $[p]\varphi$ is an abbreviation of $\neg\langle p \rangle \neg\varphi$, we prove, in Figure 13.2, the formula $\{\lambda x\, b.\ \neg\langle a := b \rangle \neg\, x = a\}$. We continue to study the assignment, and give in Figure 13.3 proofs of

1. $\{\lambda x\, a.\ [a := f(a)]\{\lambda y\, a.\ y = f(x)\}\}$, and

2. $\{\lambda x\, a.\ \langle a := f(a) \rangle \{\lambda y\, a.\ y = f(x)\}\}$.

The use of the scoping operator $\lambda y$ in these formulas is redundant.


(1) $\epsilon : \neg\{\lambda x\, a.\ \neg\langle a := f(a) \rangle \neg\{\lambda y\, a.\ y = f(x)\}\}$ (assumed)
(2) $\epsilon : \neg\neg\langle a := f(a) \rangle \neg\{\lambda y\, a.\ y = f(a_\epsilon)\}$ (from 1 by (¬λ))
(3) $\epsilon : \langle a := f(a) \rangle \neg\{\lambda y\, a.\ y = f(a_\epsilon)\}$ (from 2 by (¬¬))
(4) $\tau_1 : \neg\{\lambda y\, a.\ y = f(a_\epsilon)\}$ (from 3 by (◇))
(5) $\tau_1 : \neg\, a_{\tau_1} = f(a_\epsilon)$ (from 4 by (¬λ))
(6) $\epsilon : \neg\, a_{\tau_1} = f(a_\epsilon)$ (from 5 by (¬=@))
(7) $\epsilon : a_{\tau_1} = f(a_\epsilon)$ (by (=1))
× (closed by 6 and 7)

(1) $\epsilon : \neg\{\lambda x\, a.\ \langle a := f(a) \rangle \{\lambda y\, a.\ y = f(x)\}\}$ (assumed)
(2) $\epsilon : \neg\langle a := f(a) \rangle \{\lambda y\, a.\ y = f(a_\epsilon)\}$ (from 1 by (¬λ))
(3) $\tau_1 : \neg\{\lambda y\, a.\ y = f(a_\epsilon)\}$ (from 2 by (¬◇))
...

The second proof continues similarly to the first proof, recognizing that step 3 is the same as step 4 of the first proof. We use $\tau_1 \equiv [a := f(a)]$ in both proofs.

Figure 13.3: Proofs of $\{\lambda x\, a.\ [a := f(a)]\{\lambda y\, a.\ y = f(x)\}\}$ and $\{\lambda x\, a.\ \langle a := f(a) \rangle \{\lambda y\, a.\ y = f(x)\}\}$.

Example 68 (Swap) We prove that swapping two variables changes the value of one to the value the other had before the swap, i.e.
$$\{\lambda x\, a.\ [\mathrm{SWAP}(a, b)]\, x = b\},$$
(using the definition of SWAP from Page 61). Since $[p]$ abbreviates $\neg\langle p \rangle \neg$, we actually prove $\{\lambda x\, a.\ \neg\langle \mathrm{SWAP}(a, b) \rangle \neg\, x = b\}$. The proof is given in Figure 13.4.

Example 69 (Boxes and diamonds) In Figure 13.5, we prove the formula $[a := t \cup b := t] P \supset \langle a := t \cup b := t \rangle P$.

We make some remarks. The formula $\langle a := t \cup b := t \rangle P \supset [a := t \cup b := t] P$ is not provable, but for any atomic program $a := t$, both $\langle a := t \rangle \varphi \supset [a := t] \varphi$ and $[a := t] \varphi \supset \langle a := t \rangle \varphi$ are.

Example 70 (Commutation) We study a special case of the formula given on Page 61, which expresses that $[p]$ and $\lambda x$ commute in the formula $\{\lambda x\, a.\ [p] P(x)\}$, provided $a$ is a locally rigid program variable, i.e. the program does not change the value of $a$:
$$\{\lambda x\, a.\ [p]\, x = a\} \supset (\{\lambda x\, a.\ [p] P(x)\} \supset [p] P(a)).$$


(1) $\epsilon : \neg\{\lambda x\, a.\ \neg\langle a' := a;\ a := b;\ b := a' \rangle \neg\, x = b\}$ (assumed)
(2) $\epsilon : \neg\neg\langle a' := a;\ a := b;\ b := a' \rangle \neg\, a_\epsilon = b$ (from 1 by (¬λ))
(3) $\epsilon : \langle a' := a;\ a := b;\ b := a' \rangle \neg\, a_\epsilon = b$ (from 2 by (¬¬))
(4) $\epsilon : \langle a' := a \rangle \langle a := b;\ b := a' \rangle \neg\, a_\epsilon = b$ (from 3 by (;))
(5) $\tau_1 : \langle a := b;\ b := a' \rangle \neg\, a_\epsilon = b$ (from 4 by (◇))
(6) $\epsilon : a'_{\tau_1} = a_\epsilon$ (by (=1))
(7) $\tau_1 : \langle a := b \rangle \langle b := a' \rangle \neg\, a_\epsilon = b$ (from 5 by (;))
(8) $\tau_2 : \langle b := a' \rangle \neg\, a_\epsilon = b$ (from 7 by (◇))
(9) $\epsilon : a_{\tau_2} = b_{\tau_1}$ (by (=1))
(10) $\tau_3 : \neg\, a_\epsilon = b$ (from 8 by (◇))
(11) $\epsilon : b_{\tau_3} = a'_{\tau_2}$ (by (=1))
(12) $\epsilon : \neg\, a_\epsilon = b_{\tau_3}$ (from 10 by (¬=@))
(13) $\epsilon : \neg\, a_\epsilon = a'_{\tau_2}$ (from 11 and 12 by (=L))
(14) $\epsilon : a'_{\tau_2} = a'_{\tau_1}$ (by (=2))
(15) $\epsilon : a'_{\tau_2} = a_\epsilon$ (from 6 and 14 by (=L))
(16) $\epsilon : \neg\, a_\epsilon = a_\epsilon$ (from 13 and 15 by (=L))
× (closed by 16)

where $\tau_1 \equiv [a' := a]$, $\tau_2 \equiv [a' := a][a := b]$, and $\tau_3 \equiv [a' := a][a := b][b := a']$.

Figure 13.4: Proof of $\{\lambda x\, a.\ [\mathrm{SWAP}(a, b)]\, x = b\}$

(1) $\epsilon : \neg(\neg\langle a := t \cup b := t \rangle \neg P \supset \langle a := t \cup b := t \rangle P)$ (assumed)
(2) $\epsilon : \neg\langle a := t \cup b := t \rangle \neg P$ (from 1 by derived rule (¬⊃))
(3) $\epsilon : \neg\langle a := t \cup b := t \rangle P$ (from 1 by derived rule (¬⊃))
(4) $\epsilon : \neg\langle a := t \rangle \neg P$ (from 2 by (¬∪))
(5) $\epsilon : \neg\langle b := t \rangle \neg P$ (from 2 by (¬∪))
(6) $\epsilon : \neg\langle a := t \rangle P$ (from 3 by (¬∪))
(7) $\epsilon : \neg\langle b := t \rangle P$ (from 3 by (¬∪))
(8) $\tau_1 : \neg\neg P$ (from 4 by (¬◇))
(9) $\tau_1 : P$ (from 8 by (¬¬))
(10) $\tau_1 : \neg P$ (from 6 by (¬◇))
× (closed by 9 and 10)

where $\tau_1 \equiv [a := t]$.

Figure 13.5: Proof of $[a := t \cup b := t] P \supset \langle a := t \cup b := t \rangle P$


(1) $\epsilon : \neg\neg(\varphi \wedge \neg\psi)$ (assumed)
(2) $\epsilon : (\varphi \wedge \neg\psi)$ (from 1 by (¬¬))
(3) $\epsilon : \{\lambda x\, a.\ \neg\langle b := t \rangle \neg\, x = a\}$ (from 2 by (∧))
(4) $\epsilon : \neg(\{\lambda x\, a.\ \neg\langle b := t \rangle \neg P(x)\} \supset \neg\langle b := t \rangle \neg P(a))$ (from 2 by (∧))
(5) $\epsilon : \neg\neg(\{\lambda x\, a.\ \neg\langle b := t \rangle \neg P(x)\} \wedge \neg\neg\langle b := t \rangle \neg P(a))$ (4 without abbreviations)
(6) $\epsilon : \{\lambda x\, a.\ \neg\langle b := t \rangle \neg P(x)\} \wedge \neg\neg\langle b := t \rangle \neg P(a)$ (from 5 by (¬¬))
(7) $\epsilon : \{\lambda x\, a.\ \neg\langle b := t \rangle \neg P(x)\}$ (from 6 by (∧))
(8) $\epsilon : \neg\neg\langle b := t \rangle \neg P(a)$ (from 6 by (∧))
(9) $\epsilon : \neg\langle b := t \rangle \neg P(a_\epsilon)$ (from 7 by (λ))
(10) $\epsilon : \langle b := t \rangle \neg P(a)$ (from 8 by (¬¬))
(11) $\tau_1 : \neg P(a)$ (from 10 by (◇))
(12) $\epsilon : \neg P(a_{\tau_1})$ (from 11 by (¬P@))
(13) $\tau_1 : \neg\neg P(a_\epsilon)$ (from 9 by (¬◇))
(14) $\tau_1 : P(a_\epsilon)$ (from 13 by (¬¬))
(15) $\epsilon : a_{\tau_1} = a_\epsilon$ (by (=2))
(16) $\epsilon : \neg P(a_\epsilon)$ (from 12 and 15 by (=L))
(17) $\epsilon : P(a_\epsilon)$ (from 14 by (P@))
× (closed by 16 and 17)

where $\tau_1 \equiv [b := t]$.

Figure 13.6: Proof of $\{\lambda x\, a.\ [b := t]\, x = a\} \supset (\{\lambda x\, a.\ [b := t] P(x)\} \supset [b := t] P(a))$.

This is true for any program $p$. We choose here to prove it for the atomic program $b := t$ (where $b \not\equiv a$). After substituting this program for $p$ above, expanding the $[p]$-abbreviation and negating the formula, we get:
$$\neg\big(\{\lambda x\, a.\ \neg\langle b := t \rangle \neg\, x = a\} \supset (\{\lambda x\, a.\ \neg\langle b := t \rangle \neg P(x)\} \supset \neg\langle b := t \rangle \neg P(a))\big).$$

This formula is of the form $\neg(\varphi \supset \psi)$, which is an abbreviation of $\neg\neg(\varphi \wedge \neg\psi)$. The proof is given in Figure 13.6.

Example 71 (Persistence) If a program variable $a$ is assigned a value, then $a$ should still have this value after another assignment has been made, provided that the new assignment is to another program variable. We prove $\{\lambda x\, t_1.\ [a := t_1][b := t_2]\, a = x\}$ and $\{\lambda x\, t_1.\ \langle a := t_1 \rangle \langle b := t_2 \rangle\, a = x\}$ in Figure 13.7.

Example 72 (Repeated assignment) In Figure 13.8, we prove the formula $\{\lambda x\, a.\ \langle (a := f(a))^* \rangle\, a = f(f(x))\}$.


(1) $\epsilon : \neg\{\lambda x\, t_1.\ \neg\langle a := t_1 \rangle \neg\neg\langle b := t_2 \rangle \neg\, a = x\}$ (assumed)
(2) $\epsilon : \neg\neg\langle a := t_1 \rangle \neg\neg\langle b := t_2 \rangle \neg\, a = t_1@\epsilon$ (from 1 by (¬λ))
(3) $\epsilon : \langle a := t_1 \rangle \neg\neg\langle b := t_2 \rangle \neg\, a = t_1@\epsilon$ (from 2 by (¬¬))
(4) $\tau_1 : \neg\neg\langle b := t_2 \rangle \neg\, a = t_1@\epsilon$ (from 3 by (◇))
(5) $\tau_1 : \langle b := t_2 \rangle \neg\, a = t_1@\epsilon$ (from 4 by (¬¬))
(6) $\tau_2 : \neg\, a = t_1@\epsilon$ (from 5 by (◇))
(7) $\epsilon : \neg\, a_{\tau_2} = t_1@\epsilon$ (from 6 by (¬=@))
(8) $\epsilon : a_{\tau_1} = t_1@\epsilon$ (by (=1))
(9) $\epsilon : a_{\tau_2} = a_{\tau_1}$ (by (=2))
(10) $\epsilon : \neg\, a_{\tau_1} = t_1@\epsilon$ (from 7 and 9 by (=L))
(11) $\epsilon : \neg\, t_1@\epsilon = t_1@\epsilon$ (from 8 and 10 by (=L))
× (closed by 11)

(1) $\epsilon : \neg\{\lambda x\, t_1.\ \langle a := t_1 \rangle \langle b := t_2 \rangle\, a = x\}$ (assumed)
(2) $\epsilon : \neg\langle a := t_1 \rangle \langle b := t_2 \rangle\, a = t_1@\epsilon$ (from 1 by (¬λ))
(3) $\tau_1 : \neg\langle b := t_2 \rangle\, a = t_1@\epsilon$ (from 2 by (¬◇))
(4) $\tau_2 : \neg\, a = t_1@\epsilon$ (from 3 by (¬◇))
...

The second proof continues similarly to the first, recognizing that step 4 is the same as step 6 of the first proof. In both proofs, $\tau_1 \equiv [a := t_1]$ and $\tau_2 \equiv [a := t_1][b := t_2]$.

Figure 13.7: Proofs of $\{\lambda x\, t_1.\ [a := t_1][b := t_2]\, a = x\}$ and $\{\lambda x\, t_1.\ \langle a := t_1 \rangle \langle b := t_2 \rangle\, a = x\}$.


(1) $\epsilon : \neg\{\lambda x\, a.\ \langle (a := f(a))^* \rangle\, a = f(f(x))\}$ (assumed)
(2) $\epsilon : \neg\langle (a := f(a))^* \rangle\, a = f(f(a_\epsilon))$ (from 1 by (¬λ))
(3) $\epsilon : \neg\, a = f(f(a_\epsilon))$ (from 2 by (¬*))
(4) $\epsilon : \neg\langle (a := f(a))^* \rangle \langle a := f(a) \rangle\, a = f(f(a_\epsilon))$ (from 2 by (¬*))
(5) $\epsilon : \neg\langle a := f(a) \rangle\, a = f(f(a_\epsilon))$ (from 4 by (¬*))
(6) $\epsilon : \neg\langle (a := f(a))^* \rangle \langle a := f(a) \rangle \langle a := f(a) \rangle\, a = f(f(a_\epsilon))$ (from 4 by (¬*))
(7) $\epsilon : \neg\langle a := f(a) \rangle \langle a := f(a) \rangle\, a = f(f(a_\epsilon))$ (from 6 by (¬*))
(8) $\epsilon : \neg\langle (a := f(a))^* \rangle \langle a := f(a) \rangle \langle a := f(a) \rangle \langle a := f(a) \rangle\, a = f(f(a_\epsilon))$ (from 6 by (¬*))
(9) $\tau_1 : \neg\langle a := f(a) \rangle\, a = f(f(a_\epsilon))$ (from 7 by (¬◇))
(10) $\tau_2 : \neg\, a = f(f(a_\epsilon))$ (from 9 by (¬◇))
(11) $\epsilon : \neg\, a_{\tau_2} = f(f(a_\epsilon))$ (from 10 by (¬=@))
(12) $\epsilon : a_{\tau_1} = f(a_\epsilon)$ (by (=1))
(13) $\epsilon : a_{\tau_2} = f(a_{\tau_1})$ (by (=1))
(14) $\epsilon : \neg\, f(a_{\tau_1}) = f(f(a_\epsilon))$ (from 11 and 13 by (=L))
(15) $\epsilon : \neg\, f(f(a_\epsilon)) = f(f(a_\epsilon))$ (from 12 and 14 by (=L))
× (closed by 15)

where $\tau_1 \equiv [a := f(a)]$ and $\tau_2 \equiv [a := f(a)][a := f(a)]$.

Figure 13.8: Proof of $\{\lambda x\, a.\ \langle (a := f(a))^* \rangle\, a = f(f(x))\}$


Chapter 14

Undecidability

First-order logic is undecidable. In some sense the dynamic assignment logic introduced here is weaker, since it is quantifier-free. Despite this, the validity problem for the logic is undecidable. We show this by a reduction from Post's correspondence problem, see e.g. (Hopcroft and Ullman 1979). Our presentation differs slightly from (Hopcroft and Ullman 1979), to make our proofs easier to follow.

Definition 73 (PCP) An instance of Post's correspondence problem consists of two sequences $A = A_1, \ldots, A_k$ and $B = B_1, \ldots, B_k$ of words over some alphabet $\mathcal{F} = \{f_1, \ldots, f_n\}$. The instance is denoted $\mathrm{PCP}(A, B)$. $\mathrm{PCP}(A, B)$ has a solution if there exists a non-empty sequence of numbers $i_1, \ldots, i_m$ such that
$$A_{i_1} \cdots A_{i_m} = B_{i_1} \cdots B_{i_m},$$
where $A_{i_1} \cdots A_{i_m}$ denotes the concatenation of the words $A_{i_1}, \ldots, A_{i_m}$, and similarly for $B_{i_1} \cdots B_{i_m}$.

To express an instance $\mathrm{PCP}(A, B)$ in quantifier-free dynamic assignment logic, we need to introduce a translation of words into terms. We want every word $A$ to have a unique term representation in the signature $\langle \emptyset, \mathcal{F} \cup \{c\}, \emptyset \rangle$, where $\mathcal{F}$ is the alphabet of $\mathrm{PCP}(A, B)$ (now considered to be unary function symbols) and $c$ a constant symbol (not in $\mathcal{F}$). Any word $A = f_1 \cdots f_n$ is translated into $f_n(\cdots(f_1(c))\cdots)$. Note that the order of symbols in the term is reversed compared to the word, and that the empty word $\varepsilon$ is translated to the constant symbol $c$. Every word $A$ is thus translated to a unique term.

If $A = f_1 \cdots f_n$ and $t$ is a term, we will write $A(t)$ as an abbreviation of the term $f_n(\cdots(f_1(t))\cdots)$. The concatenation of two words $A = f'_1 \cdots f'_n$ and $B = f''_1 \cdots f''_m$, i.e. $AB = f'_1 \cdots f'_n f''_1 \cdots f''_m$, is written
$$f''_m(\cdots(f''_1(f'_n(\cdots(f'_1(c))\cdots)))\cdots)$$
in the term representation, that is, $AB$ is represented by $B(A(c))$.


For every PCP-instance, we define a formula in the quantifier-free dynamic assignment logic, and show that the formula is valid iff the corresponding instance has a solution.

Definition 74 (PCP-formula) For any instance $\mathrm{PCP}(A, B)$ with $A = A_1, \ldots, A_k$ and $B = B_1, \ldots, B_k$, we define the formula $\mathrm{PCPF}(A, B)$ to be the following formula (where $a$ and $b$ are program variables not occurring in $\mathcal{F} \cup \{c\}$):
$$\langle a := b \rangle \langle p \rangle \langle p^* \rangle\, a = b$$
where
$$p \equiv ((a := A_1(a);\ b := B_1(b)) \cup \cdots \cup (a := A_k(a);\ b := B_k(b))).$$

Before proving the undecidability theorem, we prove a lemma.

Lemma 75 The following implications hold.

1. If $i \in \{1, \ldots, n\}$, then
$$\mathcal{M}, w, \nu \models \langle p_i \rangle \varphi \text{ implies } \mathcal{M}, w, \nu \models \langle p_1 \cup \cdots \cup p_n \rangle \varphi.$$

2. If $\{p_{i_1}, \ldots, p_{i_m}\} \subseteq \{p_1, \ldots, p_n\}$, then
$$\mathcal{M}, w, \nu \models \langle p_{i_1} \rangle \cdots \langle p_{i_m} \rangle \varphi \text{ implies } \mathcal{M}, w, \nu \models \langle (p_1 \cup \cdots \cup p_n)^* \rangle \varphi.$$

3. $\mathcal{M}, w, \nu \models \langle (p_1 \cup \cdots \cup p_n)^* \rangle \varphi$ implies that there exists a (possibly empty) sequence of programs $p_{i_2}, \ldots, p_{i_m}$ such that $\{p_{i_2}, \ldots, p_{i_m}\} \subseteq \{p_1, \ldots, p_n\}$ and $\mathcal{M}, w, \nu \models \langle p_{i_2} \rangle \cdots \langle p_{i_m} \rangle \varphi$.

Proof.

1. Assume that $\mathcal{M}, w, \nu \models \langle p_i \rangle \varphi$ for some $i \in \{1, \ldots, n\}$. Then there exists $w'$ such that $\langle w, w' \rangle \in (p_i)_{\mathcal{M},\nu}$ and $\mathcal{M}, w', \nu \models \varphi$. But this means that $\langle w, w' \rangle \in (p_1)_{\mathcal{M},\nu} \cup \cdots \cup (p_i)_{\mathcal{M},\nu} \cup \cdots \cup (p_n)_{\mathcal{M},\nu}$, so therefore $\mathcal{M}, w, \nu \models \langle p_1 \cup \cdots \cup p_n \rangle \varphi$.

2. If $\mathcal{M}, w_0, \nu \models \langle p_{i_1} \rangle \cdots \langle p_{i_m} \rangle \varphi$, then there exist worlds $w_1, \ldots, w_m$ such that $\langle w_{j-1}, w_j \rangle \in (p_{i_j})_{\mathcal{M},\nu}$ for all $j \in \{1, \ldots, m\}$ and $\mathcal{M}, w_m, \nu \models \varphi$. But then $\langle w_0, w_m \rangle$ must be in the reflexive and transitive closure of $(p_1)_{\mathcal{M},\nu} \cup \cdots \cup (p_n)_{\mathcal{M},\nu}$ (since $\{p_{i_1}, \ldots, p_{i_m}\} \subseteq \{p_1, \ldots, p_n\}$), so therefore $\mathcal{M}, w_0, \nu \models \langle (p_1 \cup \cdots \cup p_n)^* \rangle \varphi$.

3. If $\mathcal{M}, w, \nu \models \langle (p_1 \cup \cdots \cup p_n)^* \rangle \varphi$, then there exists a $w_m$ such that $\langle w, w_m \rangle \in ((p_1 \cup \cdots \cup p_n)^*)_{\mathcal{M},\nu}$ and $\mathcal{M}, w_m, \nu \models \varphi$. This means that $\langle w, w_m \rangle$ is in the reflexive transitive closure of $(p_1 \cup \cdots \cup p_n)_{\mathcal{M},\nu}$, which implies that there exists a sequence of worlds $w = w_1, \ldots, w_m$ such that $\langle w_{j-1}, w_j \rangle \in (p_1 \cup \cdots \cup p_n)_{\mathcal{M},\nu}$ for every $j \in \{2, \ldots, m\}$. This, in turn, implies that for each of these pairs $\langle w_{j-1}, w_j \rangle$ there exists an index $i_j \in \{1, \ldots, n\}$ such that $\langle w_{j-1}, w_j \rangle \in (p_{i_j})_{\mathcal{M},\nu}$. But then $\mathcal{M}, w, \nu \models \langle p_{i_2} \rangle \cdots \langle p_{i_m} \rangle \varphi$ holds too, since for any $j \in \{1, \ldots, m\}$ we have $\mathcal{M}, w_j, \nu \models \langle p_{i_{j+1}} \rangle \cdots \langle p_{i_m} \rangle \varphi$. $\Box$

Theorem 76 (Undecidability) The validity problem for quantifier-free dynamic assignment logic is undecidable.

Proof. Since PCP is undecidable (Hopcroft and Ullman 1979), it is enough to prove that for any instance $\mathrm{PCP}(A, B)$, $\mathrm{PCP}(A, B)$ is solvable iff $\mathrm{PCPF}(A, B)$ is valid.

($\Rightarrow$) Suppose that $\mathrm{PCP}(A, B)$ has a solution $i_1, \ldots, i_m$. We show that $\mathrm{PCPF}(A, B)$ is valid.

We need to demonstrate for any structure $\mathcal{M} = \langle \mathcal{W}, \mathcal{D}, I \rangle$, valuation $\nu$ and world $w \in \mathcal{W}$ that
$$\mathcal{M}, w, \nu \models \langle a := b \rangle \langle p \rangle \langle p^* \rangle\, a = b$$
(where $p$ is given in Definition 74).

By the seriality condition (Definition 48), there exists a world $w_0 \in \mathcal{W}$ such that $I(w_0, a) = I(w, b)$ and $I(w_0, d) = I(w, d)$ for every program variable $d \not\equiv a$. This means that $I(w_0) = I(w)[a \mapsto b]$, so $\mathcal{M}, w, \nu \models \langle a := b \rangle \langle p \rangle \langle p^* \rangle\, a = b$ is true if $\mathcal{M}, w_0, \nu \models \langle p \rangle \langle p^* \rangle\, a = b$ is.

Write $p_i$ for the $i$-th alternative $(a := A_i(a);\ b := B_i(b))$ of $p$. By Lemma 75.1 and 75.2, $\mathcal{M}, w_0, \nu \models \langle p \rangle \langle p^* \rangle\, a = b$ is implied by $\mathcal{M}, w_0, \nu \models \langle p_{i_1} \rangle \cdots \langle p_{i_m} \rangle\, a = b$ (the lemma applies, since $\{p_{i_1}, \ldots, p_{i_m}\} \subseteq \{p_1, \ldots, p_k\}$ and the sequence contains at least one program). It remains to show $\mathcal{M}, w_0, \nu \models \langle p_{i_1} \rangle \cdots \langle p_{i_m} \rangle\, a = b$.

Suppose, for now, that there exists a sequence of worlds $w_1, \ldots, w_{2m} \in \mathcal{W}$ satisfying the conditions of Figure 14.1. We need to demonstrate that $\mathcal{M}, w_{2m}, \nu \models a = b$. From the specification of the sequence of worlds, it follows that
$$I(w_{2m})(a) = I(w_0)[a \mapsto A_{i_m}(\cdots A_{i_1}(a) \cdots)](a), \text{ and}$$
$$I(w_{2m})(b) = I(w_0)[b \mapsto B_{i_m}(\cdots B_{i_1}(b) \cdots)](b).$$


$$w \xrightarrow{\ a := b\ } w_0 \xrightarrow{\ a := A_{i_1}(a)\ } w_1 \xrightarrow{\ b := B_{i_1}(b)\ } w_2 \;\cdots\; w_{2m-2} \xrightarrow{\ a := A_{i_m}(a)\ } w_{2m-1} \xrightarrow{\ b := B_{i_m}(b)\ } w_{2m}$$

(a) $I(w_j) = I(w_{j-1})[a \mapsto A_{i_{\lceil j/2 \rceil}}(a)]$, if $j \in \{1, 3, \ldots, 2m-1\}$.

(b) $I(w_j) = I(w_{j-1})[b \mapsto B_{i_{\lceil j/2 \rceil}}(b)]$, if $j \in \{2, 4, \ldots, 2m\}$.

Figure 14.1: Worlds $w_1, \ldots, w_{2m}$

We know that the words $A_{i_1} \cdots A_{i_m}$ and $B_{i_1} \cdots B_{i_m}$ are equal (since $i_1, \ldots, i_m$ is a solution to $\mathrm{PCP}(A, B)$), so the two terms $A_{i_m}(\cdots A_{i_1}(a) \cdots)$ and $B_{i_m}(\cdots B_{i_1}(b) \cdots)$ must have exactly the same function symbols, in the same order. Let us call these function symbols $f_1, \ldots, f_l$. We need to demonstrate that
$$I(w_{2m}, a) = I(f_1)(I(f_2)(\cdots(I(f_l)(I(w_0, a)))\cdots))$$
is equal to
$$I(w_{2m}, b) = I(f_1)(I(f_2)(\cdots(I(f_l)(I(w_0, b)))\cdots)).$$
But this is trivial, since $I(w_0) = I(w)[a \mapsto b]$ gives us that $I(w_0, a) = I(w_0, b)$.

It remains to show that the worlds $w_1, \ldots, w_{2m}$ actually exist in $\mathcal{M}$. But this is easily shown by induction, using the seriality condition of structures. We leave this to the reader.

($\Leftarrow$) Suppose that $\mathrm{PCPF}(A, B)$ is valid. We show that $\mathrm{PCP}(A, B)$ has a solution.

If $\mathrm{PCPF}(A, B)$ is valid, then it holds in every world in every structure under any valuation $\nu$. Thus we can specifically consider a structure in which terms are interpreted by words. We consider $\mathcal{M} = \langle \mathcal{W}, \mathcal{D}, I \rangle$, where:

1. $\mathcal{D}$ is the set of all words constructible from the alphabet $\mathcal{F}$,

2. $\mathcal{W}$ is the set of all pairs of words constructible from $\mathcal{F}$, and

3. $I(w, a)$ is the first component of the pair $w$, $I(w, b)$ is the second component of the pair $w$, $I(c)$ is the empty word $\varepsilon$, and, for any $f \not\equiv c$, $I(f)(u)$ is the concatenation of the word $u$ and the single-letter word $f$.

(Two examples: (1) If $(\nu \star I)(w, t) = f_1 f_2$, then $(\nu \star I)(w, f_3(t)) = I(f_3)(f_1 f_2) = f_1 f_2 f_3$. (2) If $(\nu \star I)(w, t) = \varepsilon$, then $(\nu \star I)(w, f_1(t)) = \varepsilon f_1 = f_1$.)

Let $w = \langle \varepsilon, \varepsilon \rangle$. Since $\mathrm{PCPF}(A, B)$ is valid, we have
$$\mathcal{M}, w, \nu \models \langle a := b \rangle \langle p \rangle \langle p^* \rangle\, a = b.$$


We will now show that this implies that there exists a sequence of worlds, which can be pictured in the following way:
$$w \xrightarrow{\ a := b\ } w \xrightarrow{\ p_{i_1}\ } w_1 \xrightarrow{\ p_{i_2}\ } w_2 \;\cdots\; w_{m-1} \xrightarrow{\ p_{i_m}\ } w_m$$

So, we know that $\mathcal{M}, w, \nu \models \langle a := b \rangle \langle p \rangle \langle p^* \rangle\, a = b$, but also that $I(w) = I(w)[a \mapsto b]$, since both components of $w$ are $\varepsilon$. Thus $\mathcal{M}, w, \nu \models \langle p \rangle \langle p^* \rangle\, a = b$. Since $p$ is a choice construct of the form $p_1 \cup \cdots \cup p_k$, there must exist a world $w_1$ and an index $i \in \{1, \ldots, k\}$ such that $\langle w, w_1 \rangle \in (p_i)_{\mathcal{M},\nu}$ and $\mathcal{M}, w_1, \nu \models \langle p^* \rangle\, a = b$. Set $i_1$ to be this index $i$.

Expanding $p^*$, we now know that $\mathcal{M}, w_1, \nu \models \langle (p_1 \cup \cdots \cup p_k)^* \rangle\, a = b$. By Lemma 75.3, there exists a sequence of programs $p_{i_2}, \ldots, p_{i_m}$ such that $\{p_{i_2}, \ldots, p_{i_m}\} \subseteq \{p_1, \ldots, p_k\}$ and $\mathcal{M}, w_1, \nu \models \langle p_{i_2} \rangle \cdots \langle p_{i_m} \rangle\, a = b$. Then it is easy to see that there must exist worlds $w_2, \ldots, w_m$ such that $\langle w_{j-1}, w_j \rangle \in (p_{i_j})_{\mathcal{M},\nu}$ for all $j \in \{2, \ldots, m\}$ and $\mathcal{M}, w_m, \nu \models a = b$.

For any $j \in \{1, \ldots, m\}$ (taking $w_0 = w$), $I(w_j)(a)$ is $I(w_{j-1})(a)$ followed by the word $A_{i_j}$, and similarly $I(w_j)(b)$ is $I(w_{j-1})(b)$ followed by $B_{i_j}$. We get that $A_{i_1} \cdots A_{i_m} = I(w_m, a) = I(w_m, b) = B_{i_1} \cdots B_{i_m}$. Therefore, a solution exists to $\mathrm{PCP}(A, B)$, namely $i_1, \ldots, i_m$. $\Box$

2

Note that the formula $\mathrm{PCPF}(A, B)$ in the proof is in the signature $\langle \emptyset, \mathcal{F}, \{a, b\} \rangle$, so validity is undecidable already with two program variables and two function symbols (any word can be encoded in binary, so two letters, i.e. two unary function symbols, suffice).
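The reduction of Theorem 76 can be exercised directly in the word structure used in its ($\Leftarrow$) direction. The following Python script is an added example, not code from the thesis: it encodes words as terms $f_n(\cdots(f_1(c))\cdots)$, evaluates terms as words the way $I$ does above, runs the program $p_{i_1}; \ldots; p_{i_m}$ of $\mathrm{PCPF}(A, B)$ from the world $\langle \varepsilon, \varepsilon \rangle$, and searches bounded index sequences for a solution. The PCP instance is a constructed one (the standard textbook example $A = (1, 10111, 10)$, $B = (111, 10, 0)$), and the function names are this example's own.

```python
"""PCP in the term/word encoding of Chapter 14 (added example, not thesis code)."""
from itertools import product

C = 'c'                           # the constant symbol c, which represents the empty word ε

def word_term(word, t=C):
    """A(t) = f_n(...(f_1(t))...) for the word A = f_1 ... f_n; word_term(A) is A's own term A(c)."""
    for f in word:
        t = (f, t)                # put the unary function symbol f on top of the term built so far
    return t

def interp(t):
    """The word structure of the (<=) direction: I(c) = ε and I(f)(u) = (word of u) followed by f."""
    return '' if t == C else interp(t[1]) + t[0]

def pcp_program(A, B):
    """p = (a := A_1(a); b := B_1(b)) ∪ ... ∪ (a := A_k(a); b := B_k(b)), as the list of (A_i, B_i)."""
    return list(zip(A, B))

def pcpf_text(A, B):
    """PCPF(A, B) = <a := b><p><p*> a = b, rendered as text for display."""
    alts = ' ∪ '.join(f'(a := {Ai}(a); b := {Bi}(b))' for Ai, Bi in pcp_program(A, B))
    return f'<a := b><p><p*> a = b   where p ≡ {alts}'

def run_sequence(A, B, idx):
    """Follow w = <ε, ε> --a := b--> w --p_{i_1}--> w_1 ... --p_{i_m}--> w_m and return I(w_m) as terms."""
    ta, tb = C, C                             # the world <ε, ε>; a := b leaves it unchanged
    for i in idx:                             # p_i is a := A_i(a); b := B_i(b)
        Ai, Bi = pcp_program(A, B)[i - 1]
        ta, tb = word_term(Ai, ta), word_term(Bi, tb)
    return ta, tb

def is_solution(A, B, idx):
    """idx solves PCP(A, B) iff it is non-empty and a = b holds in the final world w_m."""
    if not idx:
        return False
    ta, tb = run_sequence(A, B, idx)
    return interp(ta) == interp(tb)

def bounded_search(A, B, max_len):
    """Try every index sequence of length 1..max_len. Validity of PCPF(A, B) is undecidable,
    so no bound can be guaranteed to suffice: None means only 'no solution this short'."""
    for m in range(1, max_len + 1):
        for idx in product(range(1, len(A) + 1), repeat=m):
            if is_solution(A, B, idx):
                return list(idx)
    return None

# Constructed instance over the alphabet F = {0, 1} (a well-known textbook example).
A = ['1', '10111', '10']
B = ['111', '10', '0']

if __name__ == '__main__':
    print(pcpf_text(A, B))
    print('term of "10":', word_term('10'), '-> word', interp(word_term('10')))
    sol = bounded_search(A, B, 4)
    print('solution:', sol, '-> common word', interp(run_sequence(A, B, sol)[0]))
```

The search is bounded by hand because the theorem says nothing better is possible: a decision procedure for the validity of $\mathrm{PCPF}(A, B)$ would decide PCP. A `None` from `bounded_search` therefore means only that no solution of the given length exists, not that the instance is unsolvable.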


Chapter 15

Substitutivity

Our next concern is substitutivity of terms in formulas. We start by considering substitutivity of terms in terms.

15.1 SUBSTITUTIVITY IN TERMS

In this section, we will use the following lemma, which is easily proved by induction on $t$.

Lemma 77 Let $\sigma$ be a prefix mapping for a structure $\mathcal{M} = \langle \mathcal{W}, \mathcal{D}, I \rangle$. Then, for any subscripted term $t$ and valuations $\nu', \nu''$, if $\nu'(z) = \nu''(z)$ for all logic variables $z$ in $t$, then $(\nu' \star I_\sigma)(w, t) = (\nu'' \star I_\sigma)(w, t)$ for all worlds $w \in \mathcal{W}$.

If $\nu'$ and $\nu''$ agree on all logic variables in $t$, and if $t'$ under $\nu'$ has the same meaning as $t''$ under $\nu''$, then $t''$ can be substituted for $t'$ in the term $t$. We state this formally in the following lemma.

Lemma 78 (Substitution in terms) Let $\mathcal{M} = \langle \mathcal{W}, \mathcal{D}, I \rangle$ be a structure, and let $\theta' = [y \mapsto t']$ and $\theta'' = [y \mapsto t'']$ be two substitutions. Then, for any subscripted term $t$, valuations $\nu', \nu''$, and extended interpretation $I_\sigma$ (where $\sigma$ is a prefix mapping for $\mathcal{M}$), the following two premises

1. for every logic variable $z \not\equiv y$ in $t$, we have $\nu'(z) = \nu''(z)$, and

2. for every $w \in \mathcal{W}$, we have $(\nu' \star I_\sigma)(w, t') = (\nu'' \star I_\sigma)(w, t'')$,

imply that

for every $w \in \mathcal{W}$, we have $(\nu' \star I_\sigma)(w, t\theta') = (\nu'' \star I_\sigma)(w, t\theta'')$.


Proof. By induction on $t$.

a, x: Suppose $t$ is a program variable $a$ or a logic variable $x \not\equiv y$. Then $t\theta' \equiv t \equiv t\theta''$, so the lemma holds by Lemma 77.

y: Suppose $t$ is the logic variable $y$. Then $t\theta' \equiv t'$ and $t\theta'' \equiv t''$, so the lemma holds by premise 2.

f: Suppose $t$ is a subscripted term $f(t_1, \ldots, t_n)$, with $n \geq 0$. Then, for any $w$,
$$(\nu' \star I_\sigma)(w, f(t_1, \ldots, t_n)\theta') = (\nu' \star I_\sigma)(w, f(t_1\theta', \ldots, t_n\theta')) = I_\sigma(f)\big((\nu' \star I_\sigma)(w, t_1\theta'), \ldots, (\nu' \star I_\sigma)(w, t_n\theta')\big),$$
which by the induction hypothesis is equal to
$$I_\sigma(f)\big((\nu'' \star I_\sigma)(w, t_1\theta''), \ldots, (\nu'' \star I_\sigma)(w, t_n\theta'')\big) = (\nu'' \star I_\sigma)(w, f(t_1\theta'', \ldots, t_n\theta'')) = (\nu'' \star I_\sigma)(w, f(t_1, \ldots, t_n)\theta''). \qquad \Box$$

We make a remark on the second premise to provide some intuition as towhy it is required to hold for every world.

Example 79 Consider the following partial picture of a structure $\mathcal{M}$:
$$w_1\ (a = b \neq c) \xrightarrow{\ a := c\ } w_2\ (a = c \neq b)$$

In this picture $a$ and $b$ have the same meaning in world $w_1$, but different meanings in world $w_2$, i.e.

1. $(\nu \star I_\sigma)(w_1, a) = (\nu \star I_\sigma)(w_1, b)$, but

2. $(\nu \star I_\sigma)(w_2, a) \neq (\nu \star I_\sigma)(w_2, b)$.

So, if premise 2 were required to hold for only one world ($w_1$), the conclusion would not follow for all worlds (in particular not for $w_2$).


15.2 SUBSTITUITIVITY IN FORMULAS AND PROGRAMS

In the next proposition, we generalize Lemma 78 to formulas and programs.

Proposition 80 (Substitution in formulas and programs) Let $\sigma' = [y \mapsto t']$ and $\sigma'' = [y \mapsto t'']$ be two substitutions free for an expression $E$ (either a formula or a program). Then, for any structure $\mathcal{M} = \langle W, D, I\rangle$, prefix mapping $\pi$ for $\mathcal{M}$, and valuations $\nu', \nu''$, the following two premises

1. for every logic variable $z \not\equiv y$ in $E$, we have $\nu'(z) = \nu''(z)$, and

2. for every $w \in W$, we have $(\nu' \star I_\pi)(w, t') = (\nu'' \star I_\pi)(w, t'')$,

imply that

for every $w \in W$, $\mathcal{M}, w, \nu' \models E\sigma'$ iff $\mathcal{M}, w, \nu'' \models E\sigma''$, if $E$ is a formula, and

$(E\sigma')^{\mathcal{M},\nu',\pi} = (E\sigma'')^{\mathcal{M},\nu'',\pi}$, if $E$ is a program.

Proof. By induction on $E$.

$P$: Suppose $\mathcal{M}, w, \nu' \models P(t_1, \ldots, t_n)\sigma'$. Then we have that $\mathcal{M}, w, \nu' \models P(t_1\sigma', \ldots, t_n\sigma')$. Thus $\langle(\nu' \star I_\pi)(w, t_1\sigma'), \ldots, (\nu' \star I_\pi)(w, t_n\sigma')\rangle \in I(P)$. By the Term Substitution Lemma 78, $(\nu' \star I_\pi)(w, t_i\sigma') = (\nu'' \star I_\pi)(w, t_i\sigma'')$ for each $t_i$. So, $\langle(\nu'' \star I_\pi)(w, t_1\sigma''), \ldots, (\nu'' \star I_\pi)(w, t_n\sigma'')\rangle \in I(P)$, and thus $\mathcal{M}, w, \nu'' \models P(t_1\sigma'', \ldots, t_n\sigma'')$, giving us $\mathcal{M}, w, \nu'' \models P(t_1, \ldots, t_n)\sigma''$. The other direction is symmetric.

$=$: Suppose $\mathcal{M}, w, \nu' \models (t_1 = t_2)\sigma'$. Then $(\nu' \star I_\pi)(w, t_1\sigma') = (\nu' \star I_\pi)(w, t_2\sigma')$. By applying the Term Substitution Lemma 78 twice, we get $(\nu'' \star I_\pi)(w, t_1\sigma'') = (\nu' \star I_\pi)(w, t_1\sigma') = (\nu' \star I_\pi)(w, t_2\sigma') = (\nu'' \star I_\pi)(w, t_2\sigma'')$, so $(\nu'' \star I_\pi)(w, t_1\sigma'') = (\nu'' \star I_\pi)(w, t_2\sigma'')$, giving us $\mathcal{M}, w, \nu'' \models (t_1 = t_2)\sigma''$.

The cases for $\wedge$ and $\neg$ are trivial and left to the reader.

$\langle\,\rangle$: Suppose $\mathcal{M}, w, \nu' \models (\langle p\rangle\varphi)\sigma'$. Then there exists a world $w'$ such that $\langle w, w'\rangle \in (p\sigma')^{\mathcal{M},\nu',\pi}$ and $\mathcal{M}, w', \nu' \models \varphi\sigma'$. By the induction hypothesis, $(p\sigma')^{\mathcal{M},\nu',\pi} = (p\sigma'')^{\mathcal{M},\nu'',\pi}$, so $\langle w, w'\rangle \in (p\sigma'')^{\mathcal{M},\nu'',\pi}$. The induction hypothesis also gives us $\mathcal{M}, w', \nu'' \models \varphi\sigma''$. Thus $\mathcal{M}, w, \nu'' \models (\langle p\rangle\varphi)\sigma''$.

$\lambda$: Assume $\mathcal{M}, w, \nu' \models (\{\lambda x\, t.\ \varphi(x)\})\sigma'$, i.e. $\mathcal{M}, w, \nu' \models \{\lambda x\, t\sigma'.\ \varphi(x)\sigma'\}$. Then $\mathcal{M}, w, \nu'[x \mapsto (t\sigma')^w] \models \varphi(x)\sigma'$. Provided we can show the following two facts

1. for every logic variable $z \not\equiv y$ in $\varphi(x)$, we have $\nu'[x \mapsto (t\sigma')^w](z) = \nu''[x \mapsto (t\sigma'')^w](z)$, and

2. for every $w' \in W$, we have $(\nu'[x \mapsto (t\sigma')^w] \star I_\pi)(w', t') = (\nu''[x \mapsto (t\sigma'')^w] \star I_\pi)(w', t'')$,

then the induction hypothesis would give us $\mathcal{M}, w, \nu''[x \mapsto (t\sigma'')^w] \models \varphi(x)\sigma''$, and thus $\mathcal{M}, w, \nu'' \models (\{\lambda x\, t.\ \varphi(x)\})\sigma''$.

But fact 1 is immediate from the first premise when $z \not\equiv x$. And when $z \equiv x$, we have that $\nu'[x \mapsto (t\sigma')^w](z) = (\nu' \star I_\pi)(w, t\sigma') = (\nu'' \star I_\pi)(w, t\sigma'') = \nu''[x \mapsto (t\sigma'')^w](z)$, by the Term Substitution Lemma 78.

Fact 2 follows from premise 2, since $x$ does not occur in either $t'$ or $t''$. (Recall that both $\sigma'$ and $\sigma''$ are free for $E$, and that $x$ is bound in $E$.)

$:=$: Trivial. Since assignment programs do not contain any logic variables, $(a := t)\sigma' \equiv a := t \equiv (a := t)\sigma''$, and the valuation plays no role in the interpretation of such a program, so $((a := t)\sigma')^{\mathcal{M},\nu',\pi} = ((a := t)\sigma'')^{\mathcal{M},\nu'',\pi}$.

$;$: $((p;q)\sigma')^{\mathcal{M},\nu',\pi} = (p\sigma')^{\mathcal{M},\nu',\pi} \circ (q\sigma')^{\mathcal{M},\nu',\pi}$, which by the induction hypothesis is equal to $(p\sigma'')^{\mathcal{M},\nu'',\pi} \circ (q\sigma'')^{\mathcal{M},\nu'',\pi} = ((p;q)\sigma'')^{\mathcal{M},\nu'',\pi}$.

$\cup$: Similar to the previous case.

$*$: Immediate, since $((p^*)\sigma')^{\mathcal{M},\nu',\pi}$ is the reflexive and transitive closure of $(p\sigma')^{\mathcal{M},\nu',\pi}$, which is equal to $(p\sigma'')^{\mathcal{M},\nu'',\pi}$ by the induction hypothesis.

$?$: $((\varphi?)\sigma')^{\mathcal{M},\nu',\pi} = \{\langle w, w\rangle \mid \mathcal{M}, w, \nu' \models \varphi\sigma'\}$, which by the induction hypothesis is equal to $\{\langle w, w\rangle \mid \mathcal{M}, w, \nu'' \models \varphi\sigma''\} = ((\varphi?)\sigma'')^{\mathcal{M},\nu'',\pi}$.

$\Box$

We study an example of the second premise.

Example 81 Consider the picture in Example 79. Let $\nu'(x) = \nu''(x)$ and let $\varphi(x) \equiv \langle a := c\rangle\langle x = c\,?\rangle\top$. Then consider the formulas $\varphi(a)$ and $\varphi(b)$. In world $w_1$, the first formula holds, but the second is false. This shows us that substituting $a$ or $b$ for $x$ in a formula $\varphi(x)$ might change the truth value of the formula even though $a$ and $b$ denote the same value in one world.
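As an added example (not part of the dissertation), the following Python program implements the semantics used in Examples 79 and 81 for a constructed finite structure: program variables $a$, $b$, $c$ over a two-element domain, with every total assignment of values as a world, so that each assignment program $a := t$ has exactly one successor from every world. Terms, formulas and programs are plain tuples; prefixes and subscripted terms are not modelled. The formula $\langle a := c\rangle\langle x = c\,?\rangle\top$ is checked at $w_1$ with $a$ and with $b$ substituted for $x$, and premise 2 of Lemma 78 is checked once in $w_1$ alone and once in every world. All names (`WORLDS`, `run`, `sat`, `example81`, and so on) are choices made here.

```python
"""Added example: a tiny model checker for structures of the quantifier-free
dynamic assignment logic, reproducing Examples 79 and 81 (constructed data)."""
from itertools import product

PROG_VARS = ("a", "b", "c")   # program variables of the constructed signature
DOMAIN = (0, 1)               # constructed two-element domain D


def all_worlds():
    """W = every total assignment of domain values to the program variables.
    Taking all of them makes the closure condition of Definition 48 hold:
    for any world and any value d there is a world differing only in a := d."""
    return tuple(dict(zip(PROG_VARS, values))
                 for values in product(DOMAIN, repeat=len(PROG_VARS)))


WORLDS = all_worlds()


def frozen(world):
    """Hashable representation of a world, used inside relations."""
    return tuple(sorted(world.items()))


def eval_term(term, world, valuation):
    """A program variable is read from the world, a logic variable from the
    valuation: the (nu * I)(w, t) of the text, without subscripts."""
    if term in PROG_VARS:
        return world[term]
    return valuation[term]


def run(prog, valuation):
    """Relational meaning of a program as a set of (world, world) pairs."""
    kind = prog[0]
    if kind == "assign":                      # a := t
        _, var, term = prog
        return {(frozen(w), frozen({**w, var: eval_term(term, w, valuation)}))
                for w in WORLDS}
    if kind == "test":                        # phi?
        return {(frozen(w), frozen(w)) for w in WORLDS if sat(prog[1], w, valuation)}
    if kind == "seq":                         # p; q  (relational composition)
        left, right = run(prog[1], valuation), run(prog[2], valuation)
        return {(x, z) for (x, y) in left for (y2, z) in right if y == y2}
    if kind == "union":                       # p U q
        return run(prog[1], valuation) | run(prog[2], valuation)
    if kind == "star":                        # p*: reflexive transitive closure
        step = run(prog[1], valuation)
        closure = {(frozen(w), frozen(w)) for w in WORLDS}
        while True:
            grown = closure | {(x, z) for (x, y) in closure for (y2, z) in step if y == y2}
            if grown == closure:
                return closure
            closure = grown
    raise ValueError(f"unknown program {prog!r}")


def sat(phi, world, valuation):
    """M, w, nu |= phi for the connectives used on this page."""
    kind = phi[0]
    if kind == "top":
        return True
    if kind == "eq":
        return eval_term(phi[1], world, valuation) == eval_term(phi[2], world, valuation)
    if kind == "not":
        return not sat(phi[1], world, valuation)
    if kind == "and":
        return sat(phi[1], world, valuation) and sat(phi[2], world, valuation)
    if kind == "diamond":                     # <p> phi
        here = frozen(world)
        return any(sat(phi[2], dict(w2), valuation)
                   for (w1, w2) in run(phi[1], valuation) if w1 == here)
    raise ValueError(f"unknown formula {phi!r}")


def subst(expr, var, term):
    """expr[var -> term]. This fragment has no binders, so a plain structural
    replacement of the logic variable is a free substitution."""
    if isinstance(expr, str):
        return term if expr == var else expr
    return tuple(subst(part, var, term) for part in expr)


def agree(t1, t2, valuation, worlds=WORLDS):
    """Premise 2 of Lemma 78 / Proposition 80, checked over `worlds` only."""
    return all(eval_term(t1, w, valuation) == eval_term(t2, w, valuation) for w in worlds)


# The two worlds of Example 79 (constructed): a = b != c, and a = c != b.
W1 = {"a": 0, "b": 0, "c": 1}
W2 = {"a": 1, "b": 0, "c": 1}

# phi(x) = <a := c><x = c ?> T, the formula of Example 81
PHI_X = ("diamond", ("assign", "a", "c"),
         ("diamond", ("test", ("eq", "x", "c")), ("top",)))


def example81():
    """(phi(a) at W1, phi(b) at W1, a,b agree at W1 only, a,b agree everywhere)."""
    nu = {}
    return (sat(subst(PHI_X, "x", "a"), W1, nu),
            sat(subst(PHI_X, "x", "b"), W1, nu),
            agree("a", "b", nu, [W1]),
            agree("a", "b", nu))


def assignment_successor(world, var, term):
    """The unique world reached from `world` by var := term."""
    here = frozen(world)
    (target,) = [w2 for (w1, w2) in run(("assign", var, term), {}) if w1 == here]
    return dict(target)
```

`example81()` returns `(True, False, True, False)`: the two substitution instances disagree at $w_1$ even though $a$ and $b$ agree there, and the last component shows that premise 2 fails as soon as every world is taken into account, which is exactly why Corollary 82 demands agreement in every world.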

Two special cases of the proposition are especially noteworthy. They are later used in the proof of the Rule Corre
ctness Lemma 84.

In the first corollary we have the same valuation $\nu$ for both terms.


Corollary 82 (Substitution, same valuation) For any structure $\mathcal{M} = \langle W, D, I\rangle$, formula $\varphi(x)$, program $p(x)$, prefix mapping $\pi$ for $\mathcal{M}$, and valuation $\nu$, such that $(\nu \star I_\pi)(w, t') = (\nu \star I_\pi)(w, t'')$ holds in every world $w \in W$, and no logic variable occurring in $t'$ or $t''$ is bound in $\varphi(x)$ or $p(x)$, we have that

1. $\mathcal{M}, w, \nu \models \varphi(t')$ iff $\mathcal{M}, w, \nu \models \varphi(t'')$, and

2. $(p(t'))^{\mathcal{M},\nu,\pi} = (p(t''))^{\mathcal{M},\nu,\pi}$.

Proof. Immediate from Proposition 80. $\Box$

In the second corollary we note that the logic variable $x$ in an updated valuation has the same meaning as the subscripted term $t@\tau$.

Corollary 83 (Substitution, fixed term) For any structure $\mathcal{M}$, prefix $\tau$, prefix mapping $\pi$ for $\mathcal{M}$, and valuation $\nu$, the following holds for any ground term $t$:

$\mathcal{M}, \pi(\tau), \nu[x \mapsto t^{\pi(\tau)}] \models \varphi(x)$ iff $\mathcal{M}, \pi(\tau), \nu \models \varphi(t@\tau)$.

Proof. We consider the expression $E \equiv \varphi(x)$. Let $\sigma'$ be the identity mapping and $\sigma'' =_{\mathrm{def}} [x \mapsto t@\tau]$. The identity substitution is free for any expression, and $\sigma''$ is free for $E$, since $t$ (and thus $t@\tau$) does not contain any logic variables.

Furthermore, let $\nu' =_{\mathrm{def}} \nu[x \mapsto t^{\pi(\tau)}]$, $\nu'' =_{\mathrm{def}} \nu$, $t' \equiv x$, and $t'' \equiv t@\tau$. Then the result follows from Proposition 80, since the two premises are satisfied.

The first premise is satisfied, since for any $z \not\equiv x$, we have

$\nu'(z) = \nu[x \mapsto t^{\pi(\tau)}](z) = \nu(z) = \nu''(z).$

The second premise is satisfied, since for every $w \in W$, we have

$(\nu' \star I_\pi)(w, t') = (\nu[x \mapsto t^{\pi(\tau)}] \star I_\pi)(w, x) = \nu[x \mapsto t^{\pi(\tau)}](x) = (\nu \star I_\pi)(\pi(\tau), t) = (\nu \star I_\pi)(w, t@\tau) = (\nu'' \star I_\pi)(w, t''),$

where the second-to-last step is by Proposition 57. $\Box$


Chapter 16

Soundness

We start by proving that each branch extension rule of the basic tableau system is correct with respect to the semantics.

Lemma 84 (Rule correctness) All branch extension rules of Figure 13.1 preserve satisfiability (under the same valuation, in the same structure).

Proof. We assume that a branch $B$ is satisfiable in some structure $\mathcal{M}$ under valuation $\nu$ (and prefix mapping $\pi$ for $\mathcal{M}$). We show that if $B$ contains the premises of a rule, then adding the set of formulas of some conclusion of the rule to $B$ still produces a set of prefixed formulas satisfiable in $\mathcal{M}$ under $\nu$.

It is easy to show that the lemma holds for the propositional rules $(\wedge)$, $(\neg\wedge)$, and $(\neg\neg)$, so we skip these cases of the proof.

For the rules $(\neg;)$, $(;)$, $(\neg?)$, $(?)$, $(\neg\cup)$, and $(\cup)$, we use the facts that

3. $\mathcal{M}, w, \nu \models \langle p;q\rangle\varphi$ iff $\mathcal{M}, w, \nu \models \langle p\rangle\langle q\rangle\varphi$,

4. $\mathcal{M}, w, \nu \models \langle p \cup q\rangle\varphi$ iff $\mathcal{M}, w, \nu \models (\langle p\rangle\varphi \vee \langle q\rangle\varphi)$, and

5. $\mathcal{M}, w, \nu \models \langle\psi?\rangle\varphi$ iff $\mathcal{M}, w, \nu \models \psi \wedge \varphi$

(Propositions 50.3, 50.4 and 50.5). We show only one case; the other cases are similar.

$(\cup)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models \langle p \cup q\rangle\varphi$. Proposition 50.4 gives us that $\mathcal{M}, \pi(\tau), \nu \models (\langle p\rangle\varphi \vee \langle q\rangle\varphi)$, and by Proposition 50.1 we get that either $\mathcal{M}, \pi(\tau), \nu \models \langle p\rangle\varphi$ or $\mathcal{M}, \pi(\tau), \nu \models \langle q\rangle\varphi$.

The case for rule $(\lambda)$ is straightforward using Corollary 83.

$(\lambda)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models \{\lambda x\, t.\ \varphi(x)\}$. Then $\mathcal{M}, \pi(\tau), \nu[x \mapsto t^{\pi(\tau)}] \models \varphi(x)$. Note that $t$ is ground by Proposition 64. We get $\mathcal{M}, \pi(\tau), \nu \models \varphi(t@\tau)$ by Corollary 83.


The case for $(\neg\lambda)$ uses similar reasoning. The rest of the cases follow.

$(\Diamond)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models \langle a := t\rangle\varphi$. We show $\mathcal{M}, \pi(\tau[a := t]), \nu \models \varphi$.

By our assumption, there exists a world $w' \in W$ such that $\langle\pi(\tau), w'\rangle \in (a := t)^{\mathcal{M},\nu,\pi}$ and $\mathcal{M}, w', \nu \models \varphi$.

But $\langle\pi(\tau), w'\rangle \in (a := t)^{\mathcal{M},\nu,\pi}$ implies that $I_\pi(w') = I_\pi(\pi(\tau))[a \mapsto t]$. And, since $\pi$ is a prefix mapping for $\mathcal{M}$, we have $I_\pi(\tau[a := t]) = I_\pi(\pi(\tau))[a \mapsto t]$. But then $I_\pi(w') = I_\pi(\tau[a := t])$, so Proposition 59 gives us $\mathcal{M}, \pi(\tau[a := t]), \nu \models \varphi$.

$(\neg\Diamond)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models \neg\langle a := t\rangle\varphi$. We show $\mathcal{M}, \pi(\tau[a := t]), \nu \models \neg\varphi$.

By our assumption, for every world $w' \in W$ such that $\langle\pi(\tau), w'\rangle \in (a := t)^{\mathcal{M},\nu,\pi}$, we have that $\mathcal{M}, w', \nu \models \varphi$ does not hold, which means that $\mathcal{M}, w', \nu \models \neg\varphi$ holds. Since $\pi$ is a prefix mapping for $\mathcal{M}$, we have that $\langle\pi(\tau), \pi(\tau[a := t])\rangle \in (a := t)^{\mathcal{M},\nu,\pi}$, so $\mathcal{M}, \pi(\tau[a := t]), \nu \models \neg\varphi$.

$(=_L)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models t_1 = t_2$, $\mathcal{M}, \pi(\tau), \nu \models \varphi(t_1)$ and that $t_1$ and $t_2$ are fixed. We need to show $\mathcal{M}, \pi(\tau), \nu \models \varphi(t_2)$.

Using $(\nu \star I_\pi)(\pi(\tau), t_1) = (\nu \star I_\pi)(\pi(\tau), t_2)$, the fact that $t_1 \equiv t_1@\tau$ and $t_2 \equiv t_2@\tau$ (since $t_1$ and $t_2$ are fixed), and Proposition 57, we get for any world $w$ that $(\nu \star I_\pi)(w, t_1) = (\nu \star I_\pi)(w, t_2)$, namely

$(\nu \star I_\pi)(w, t_1) = (\nu \star I_\pi)(w, t_1@\tau) = (\nu \star I_\pi)(\pi(\tau), t_1) = (\nu \star I_\pi)(\pi(\tau), t_2) = (\nu \star I_\pi)(w, t_2@\tau) = (\nu \star I_\pi)(w, t_2).$

Then, by Corollary 82, $\mathcal{M}, \pi(\tau), \nu \models \varphi(t_2)$.

The case for $(=_R)$ is similar.

$(=_1)$ We need to show $\mathcal{M}, \pi(\tau), \nu \models a_{\tau[a:=t]} = t@\tau$. Using Proposition 57, we have

$(\nu \star I_\pi)(\pi(\tau), a_{\tau[a:=t]}) = I_\pi(\pi(\tau), a_{\tau[a:=t]}) = I(\pi(\tau[a := t]), a) = I(\pi(\tau))[a \mapsto t](a) = (\nu \star I)(\pi(\tau), t) = (\nu \star I_\pi)(\pi(\tau), t) = (\nu \star I_\pi)(\pi(\tau), t@\tau),$

where the second-to-last step uses that $t$, occurring in a prefix, must be subscript-free.

The case for $(=_2)$ is similar. The cases for $(P@)$, $(\neg P@)$, $(=@)$, and $(\neg=@)$ all use similar reasoning. We show the case for $(P@)$.

$(P@)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models P(t_1, \ldots, t_n)$. Then $\langle(\nu \star I_\pi)(\pi(\tau), t_1), \ldots, (\nu \star I_\pi)(\pi(\tau), t_n)\rangle \in I(P)$. Proposition 57 gives us $(\nu \star I_\pi)(\pi(\tau), t_1) = (\nu \star I_\pi)(\pi(\tau), t_1@\tau)$. So, using this on every $t_i$, we get $\langle(\nu \star I_\pi)(\pi(\tau), t_1@\tau), \ldots, (\nu \star I_\pi)(\pi(\tau), t_n@\tau)\rangle \in I(P)$, which gives us $\mathcal{M}, \pi(\tau), \nu \models P(t_1@\tau, \ldots, t_n@\tau)$.


$(*)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models \langle p^*\rangle\varphi$. Then there exists a world $w'$ such that $\langle\pi(\tau), w'\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$ and $\mathcal{M}, w', \nu \models \varphi$. Then there exists a sequence of worlds $\pi(\tau) = w_1, \ldots, w_n = w'$ such that $\mathcal{M}, w_n, \nu \models \varphi$ and $\langle w_i, w_{i+1}\rangle \in p^{\mathcal{M},\nu,\pi}$ whenever $0 < i < n$. Let $w_1, \ldots, w_n$ be a minimal such sequence.

If $n = 1$, then $w_n = \pi(\tau)$, so $\mathcal{M}, \pi(\tau), \nu \models \varphi$.

If $n > 1$, then $\mathcal{M}, \pi(\tau), \nu \models \neg\varphi$, since otherwise the sequence would not be minimal. Also, we have that $\mathcal{M}, w_{n-1}, \nu \models \langle p\rangle\varphi$ and $\langle w_1, w_{n-1}\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$, so $\mathcal{M}, \pi(\tau), \nu \models \langle p^*\rangle\langle p\rangle\varphi$.

$(\neg *)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models \neg\langle p^*\rangle\varphi$. Then there exists no world $w$ such that $\langle\pi(\tau), w\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$ and $\mathcal{M}, w, \nu \models \varphi$. We need to show $\mathcal{M}, \pi(\tau), \nu \models \neg\varphi$ and $\mathcal{M}, \pi(\tau), \nu \models \neg\langle p^*\rangle\langle p\rangle\varphi$.

Since $(p^*)^{\mathcal{M},\nu,\pi}$ is reflexive, we have $\langle\pi(\tau), \pi(\tau)\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$. Thus $\mathcal{M}, \pi(\tau), \nu \models \neg\varphi$.

Consider any two worlds $w_1$ and $w_2$ such that $\langle\pi(\tau), w_1\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$ and $\langle w_1, w_2\rangle \in p^{\mathcal{M},\nu,\pi}$. Then, since the relation $(p^*)^{\mathcal{M},\nu,\pi}$ includes $p^{\mathcal{M},\nu,\pi}$, we have $\langle w_1, w_2\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$. And, since $(p^*)^{\mathcal{M},\nu,\pi}$ is transitive, we get $\langle\pi(\tau), w_2\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$. Then $\mathcal{M}, w_2, \nu \models \varphi$ does not hold. Since $w_1$ and $w_2$ were chosen arbitrarily, we get $\mathcal{M}, \pi(\tau), \nu \models \neg\langle p^*\rangle\langle p\rangle\varphi$.

$\Box$

Theorem 85 (Soundness) If a (subscript-free) formula is provable in the basic tableau system (Figure 13.1), then it is valid.

Proof. Assume that some formula $\varphi$ is provable, but not valid. Since it is not valid, $\{\tau : \neg\varphi\}$ must be satisfiable. Then, according to the Rule Correctness Lemma 84, some branch of the proof of $\varphi$ must be satisfiable. But a satisfiable branch cannot be closed, since any set containing both $\tau : \varphi$ and $\tau : \neg\varphi$ is unsatisfiable in all structures, and so is any set containing $\tau : t \neq t$. So, the branch must be open, which contradicts the assumption that $\varphi$ is provable. $\Box$


Chapter 17

Completeness without the star operator

We prove that every valid formula is provable in the basic tableau system. This is sometimes called weak completeness or deductive completeness. We will simply call it complete.

A system is strongly complete, or has consequence completeness, if for any set of formulas $\Gamma$ and formula $\varphi$, $\varphi$ is derivable from $\Gamma$ whenever it is a semantic consequence of $\Gamma$. Our tableau system is not strongly complete, since the logic is not compact, for the same reason that no strongly complete finitary system exists for propositional dynamic logic. Consider the infinite set

$\{\langle p^*\rangle\varphi,\ \neg\varphi,\ \neg\langle p\rangle\varphi,\ \neg\langle p;p\rangle\varphi,\ \ldots\}.$

This set is finitely satisfiable, i.e. every finite subset of it is satisfiable (a $p$-path of length $n$ ending in a $\varphi$-world satisfies every finite subset mentioning fewer than $n$ iterations of $p$), but it is not itself satisfiable, since $\langle p^*\rangle\varphi$ requires a $\varphi$-world at some finite distance along $p$. It is impossible by any finite means to prove that this set is unsatisfiable.

Propositional dynamic logic was proved (weakly) complete by Parikh (1978). Kozen and Parikh (1981) give a simple proof. In (Massacci 1998), there is a proof of completeness for propositional dynamic logic with the converse operator.

We now prove that our system is complete without the star operator. The system with the star operator is considered in Chapter 18.

17.1 ASSOCIATED STRUCTURE

Our aim is to consider a branch $B$ of a fair tableau derivation and construct a structure $\mathcal{M}_B$ in which all formulas of the branch are true.

Definition 86 (Fairness) A tableau derivation is fair if for every branch of the tableau derivation we have that either


1. the branch is closed, or

2. for every rule of Figure 13.1, if all formulas in the premise of the rule occur in the branch, then all formulas of some conclusion of the rule also occur in the branch.¹

For any prefixed formula $\tau : \varphi$, a fair derivation exists. Furthermore, when a proof exists for a prefixed formula $\tau : \varphi$, then any strategy for creating a fair derivation of $\tau : \varphi$ will result in a proof of $\tau : \varphi$.

We continue by defining the domain of the structure $\mathcal{M}_B$.

Definition 87 (Domain) Let $T$ be the set of fixed terms of the language with respect to a branch $B$ of a fair derivation, i.e. let $T$ be the smallest set satisfying

1. If $a$ is a program variable occurring in $B$, and $\tau$ any prefix constructible from the signature, then $a_\tau \in T$.

2. If $f$ is a function symbol of arity $n$ occurring in $B$, and $t_1, \ldots, t_n \in T$, then $f(t_1, \ldots, t_n) \in T$.

Let $\doteq$ be the smallest relation on $T \times T$ closed under reflexivity, transitivity and symmetry satisfying

1. $t_1 \doteq t_2$, if $\tau : t_1 = t_2$ occurs in $B$ (and both $t_1$ and $t_2$ are fixed),

2. $f(t_1, \ldots, t_n) \doteq f(t'_1, \ldots, t'_n)$, if $t_1 \doteq t'_1, \ldots, t_n \doteq t'_n$.

For any fixed term $t \in T$, let $|t|$ be the equivalence class of $t$ with respect to $\doteq$, i.e. $|t| =_{\mathrm{def}} \{t' \mid t' \doteq t\}$. Let $D$ be the set of equivalence classes of $T$ with respect to $\doteq$, i.e. $D =_{\mathrm{def}} \{|t| \mid t \in T\}$. If $D$ is empty, then add one element to it.

Proposition 88 (Branch conditions) The following holds for any open branch $B$ in any fair tableau derivation.

1. The prefixed formulas $\tau : \varphi$ and $\tau : \neg\varphi$ cannot both occur in $B$ (since $B$ is open), and all simple branch conditions given in Figure 17.1 hold.

2. For any two prefixes $\tau$ and $\tau[a := t]$ in the branch, we have that $\tau : a_{\tau[a:=t]} = t@\tau$ occurs in the branch.

¹ This specifically means that every instance of the conclusions of the axiom rules $(=_1)$ and $(=_2)$ occurs in the branch.


Figure 17.1: Simple branch conditions

If this occurs in $B$:                              Then this occurs in $B$:

$\tau : (\varphi \wedge \psi)$                      $\tau : \varphi$ and $\tau : \psi$
$\tau : \neg(\varphi \wedge \psi)$                  $\tau : \neg\varphi$ or $\tau : \neg\psi$
$\tau : \neg\neg\varphi$                            $\tau : \varphi$
$\tau : \neg\langle p;q\rangle\varphi$              $\tau : \neg\langle p\rangle\langle q\rangle\varphi$
$\tau : \langle p;q\rangle\varphi$                  $\tau : \langle p\rangle\langle q\rangle\varphi$
$\tau : \neg\langle\psi?\rangle\varphi$             $\tau : \neg\psi$ or $\tau : \neg\varphi$
$\tau : \langle\psi?\rangle\varphi$                 $\tau : \psi$ and $\tau : \varphi$
$\tau : \neg\langle p \cup q\rangle\varphi$         $\tau : \neg\langle p\rangle\varphi$ and $\tau : \neg\langle q\rangle\varphi$
$\tau : \langle p \cup q\rangle\varphi$             $\tau : \langle p\rangle\varphi$ or $\tau : \langle q\rangle\varphi$
$\tau : \{\lambda x\, t.\ \varphi(x)\}$             $\tau : \varphi(t@\tau)$
$\tau : \neg\{\lambda x\, t.\ \varphi(x)\}$         $\tau : \neg\varphi(t@\tau)$
$\tau : \langle a := t\rangle\varphi$               $\tau[a := t] : \varphi$
$\tau : \neg\langle a := t\rangle\varphi$           $\tau[a := t] : \neg\varphi$

3. For any two prefixes $\tau$ and $\tau[b := t]$ in the branch and any program variable $a \not\equiv b$ occurring in $B$, we have $\tau : a_{\tau[b:=t]} = a_\tau$ in $B$.

4. For any fixed terms $t'_1$ and $t'_n$, if $\tau : \varphi(t'_1)$ occurs in $B$ and $t'_1 \doteq t'_n$, then also $\tau : \varphi(t'_n)$ occurs in $B$.

Proof. Conditions 1–3 are immediate from the property of fairness (Definition 86). We prove condition 4.

Suppose $\tau : \varphi(t'_1)$ occurs in $B$.

We have, in fact, that $\doteq$ is the congruence closure of all prefixed atomic equality formulas of the form $\tau : t_1 = t_2$ present in the branch. (Note that prefixed equality formulas of the form $\tau : a_{\tau[a:=t]} = t@\tau$ and $\tau : a_{\tau[b:=t]} = a_\tau$, corresponding to the equalities $a_{\tau[a:=t]} \doteq t@\tau$ and $a_{\tau[b:=t]} \doteq a_\tau$ of Definition 87, are also present in the branch by Branch Conditions 88.2 and 88.3.)

Let $E =_{\mathrm{def}} \{t_1 = t_2 \mid \tau : t_1 = t_2 \in B \text{ and } t_1, t_2 \text{ are fixed}\}$. Then the relation $\doteq$ is equal to the congruence closure of $\{\langle t_1, t_2\rangle \mid t_1 = t_2 \in E\}$. Furthermore, let us define a relation $\xrightarrow{t_1,t_2}$ by the following:

$t' \xrightarrow{t_1,t_2} t''$ iff there exists an equality $t_1 = t_2 \in E$ and a term $t(\cdot)$ with one distinguished position such that either

1. $t' \equiv t(t_1)$ and $t'' \equiv t(t_2)$, or

2. $t' \equiv t(t_2)$ and $t'' \equiv t(t_1)$.


By Birkhoff's Theorem (Birkhoff 1944), we have that if $t'_1 \doteq t'_n$, then there must exist a sequence of subscripted terms $t'_1, \ldots, t'_n$ such that $t'_1 \xrightarrow{t_1,t_2} t'_2 \cdots t'_{n-1} \xrightarrow{t_{n-1},t_n} t'_n$, where each step $t'_i \xrightarrow{t_i,t_{i+1}} t'_{i+1}$ uses an equality $t_i = t_{i+1} \in E$, whenever $1 \leq i < n$.

But this means that each $\tau : t_i = t_{i+1}$ occurs in the branch. Then, by applying the rules $(=_L)$ and $(=_R)$ in total $n-1$ times, we get a sequence of prefixed formulas $\tau : \varphi(t'_1), \tau : \varphi(t'_2), \ldots$, and finally $\tau : \varphi(t'_n)$. Since $B$ is a branch of a fair derivation, all these formulas must already be in the branch, so specifically we have $\tau : \varphi(t'_n)$ in the branch. $\Box$

Definition 89 (Associated structure) Let $B$ be a branch of a fair derivation of a closed prefixed formula $\tau : \neg\varphi$. Then the associated structure is a tuple $\mathcal{M}_B = \langle W, D, I\rangle$ where

1. $W$ is the set of all prefixes constructible from the signature.

2. $D$ is defined as in Definition 87.

3. For every relation symbol $P$, let $I(P) =_{\mathrm{def}} \{\langle|t_1@\tau|, \ldots, |t_n@\tau|\rangle \mid \tau : P(t_1, \ldots, t_n) \text{ occurs in } B\}$.

4. For every function symbol $f$ of arity $n \geq 0$, let $I(f)$ be the function mapping sequences $|t_1|, \ldots, |t_n| \in D$ to $|f(t_1, \ldots, t_n)|$. (It is easy to verify that $I(f)$, as defined here, is a function, since $\doteq$ is a congruence.)

5. $I(\tau, a) =_{\mathrm{def}} |a_\tau|$, for every program variable $a$ occurring in $B$.

For this to be a structure by Definition 48 we require that for any world $\tau$, program variable $a$, and $d \in D$, there exists a world $w' \in W$ such that $I(w', a) = d$ and for each $b \not\equiv a$, we have $I(w', b) = I(\tau, b)$. We simply add all worlds needed to satisfy this condition to the set of worlds $W$.

Lemma 90 For any two prefixes $\tau$ and $\tau[a := t]$ occurring in $B$, we have $I(\tau[a := t]) = I(\tau)[a \mapsto t]$.

Proof. We need to show that for any program variable $b$, we have $I(\tau[a := t], b) = I(\tau)[a \mapsto t](b)$. There are two cases.

1. Suppose $b \equiv a$. Then, since $a_{\tau[a:=t]} \doteq t@\tau$, we get $I(\tau[a := t])(a) = |a_{\tau[a:=t]}| = |t@\tau| = I(\tau)[a \mapsto t](a)$.

2. Suppose $b \not\equiv a$. Then, since $b_{\tau[a:=t]} \doteq b_\tau$, we get $I(\tau[a := t])(b) = |b_{\tau[a:=t]}| = |b_\tau| = I(\tau)[a \mapsto t](b)$.

$\Box$
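The quotient construction of Definition 87, the congruence-closure remark in the proof of Proposition 88, and the two cases of Lemma 90 can all be carried out mechanically. The following Python program is an added example, not part of the dissertation: it takes a constructed set of fixed-term equalities taken to occur in a branch (instances of $(=_1)$ and $(=_2)$ for the prefixes $\tau$ and $\tau[a := c]$, plus one prefixed equality $\tau : a = b$), computes the least congruence containing them with a union-find closed under the function-symbol rule, and returns the equivalence classes that make up $D$. Subscripted program variables are represented as strings such as `'a_tau[a:=c]'` and applications as tuples; all names (`CongruenceClosure`, `branch_closure`, `domain_size`, the function symbols `f` and `g`) are choices made here.

```python
"""Added example: congruence closure over the fixed terms of a constructed
branch (the dotted-equality relation of Definition 87) and the quotient D."""
from itertools import combinations


def subterms(term):
    """Yield a term and all of its subterms.  Leaves are strings naming
    subscripted program variables such as 'a_tau'; an application is a
    tuple (f, arg1, ..., argn)."""
    yield term
    if isinstance(term, tuple):
        for arg in term[1:]:
            yield from subterms(arg)


class CongruenceClosure:
    """Union-find over terms, closed under the congruence rule
    f(t1, ..., tn) ~ f(t1', ..., tn') whenever ti ~ ti' for every i."""

    def __init__(self, terms):
        self.parent = {}
        for term in terms:
            for sub in subterms(term):
                self.parent.setdefault(sub, sub)

    def find(self, term):
        while self.parent[term] != term:
            self.parent[term] = self.parent[self.parent[term]]  # path halving
            term = self.parent[term]
        return term

    def union(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs == rt:
            return False
        self.parent[rs] = rt
        return True

    def close(self, equations):
        """Merge each equation, then propagate congruence until nothing changes."""
        for s, t in equations:
            self.union(s, t)
        applications = [t for t in self.parent if isinstance(t, tuple)]
        changed = True
        while changed:
            changed = False
            for s, t in combinations(applications, 2):
                if (s[0] == t[0] and len(s) == len(t)
                        and self.find(s) != self.find(t)
                        and all(self.find(x) == self.find(y) for x, y in zip(s[1:], t[1:]))):
                    self.union(s, t)
                    changed = True
        return self

    def equal(self, s, t):
        """s doteq t in the sense of Definition 87."""
        return self.find(s) == self.find(t)

    def classes(self):
        """The domain D: one equivalence class |t| per representative."""
        out = {}
        for term in self.parent:
            out.setdefault(self.find(term), set()).add(term)
        return sorted(out.values(), key=lambda cls: sorted(map(str, cls)))


# Constructed fragment of an open branch with prefixes tau and tau[a := c].
# The first three equalities are instances of the axiom rules (=1) and (=2);
# the last is a prefixed equality tau : a = b assumed to occur in the branch.
BRANCH_EQUALITIES = [
    ("a_tau[a:=c]", "c_tau"),   # (=1): a_{tau[a:=c]} = c@tau
    ("b_tau[a:=c]", "b_tau"),   # (=2): b_{tau[a:=c]} = b_tau
    ("c_tau[a:=c]", "c_tau"),   # (=2): c_{tau[a:=c]} = c_tau
    ("a_tau", "b_tau"),         # tau : a = b, both terms fixed
]

# Some further fixed terms of T, built with a unary f and a binary g.
EXTRA_TERMS = [
    ("f", "a_tau"), ("f", "b_tau"), ("f", "a_tau[a:=c]"), ("f", "c_tau"),
    ("g", ("f", "a_tau"), "c_tau"), ("g", ("f", "b_tau"), "a_tau[a:=c]"),
]


def branch_closure():
    """Closure of the constructed branch: the relation doteq on its fixed terms."""
    terms = [side for equation in BRANCH_EQUALITIES for side in equation] + EXTRA_TERMS
    return CongruenceClosure(terms).close(BRANCH_EQUALITIES)


def domain_size():
    """Number of elements of D for the constructed branch."""
    return len(branch_closure().classes())
```

On this branch `domain_size()` is 5: the classes of $a_\tau$ (with $b_\tau$ and $b_{\tau[a:=c]}$), of $c_\tau$ (with $a_{\tau[a:=c]}$ and $c_{\tau[a:=c]}$), and three classes of applications merged only by congruence, including the two $g$-terms whose arguments are equal class-wise but not syntactically. The first two classes are exactly what Lemma 90 uses: $|a_{\tau[a:=c]}| = |c_\tau|$ and $|b_{\tau[a:=c]}| = |b_\tau|$.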


17.2 KEY FACT

We show that all formulas occurring in an open branch $B$ in a fair derivation are true in the constructed structure $\mathcal{M}_B$ by induction on a well-ordering of the formulas.

Definition 91 Let $<$ be the least transitive relation on formulas satisfying

1. $\varphi < (\varphi \wedge \psi)$ and $\psi < (\varphi \wedge \psi)$,

2. $\varphi(t@\tau) < \{\lambda x\, t.\ \varphi(x)\}$,

3. $\varphi < \langle p\rangle\varphi$,

4. $\langle p\rangle\langle q\rangle\varphi < \langle p;q\rangle\varphi$,

5. $\langle p\rangle\varphi < \langle p \cup q\rangle\varphi$ and $\langle q\rangle\varphi < \langle p \cup q\rangle\varphi$,

6. $\varphi < \langle\varphi?\rangle\psi$ and $\psi < \langle\varphi?\rangle\psi$,

7. $\varphi < \neg\varphi$,

8. $\neg\varphi < \neg(\varphi \wedge \psi)$ and $\neg\psi < \neg(\varphi \wedge \psi)$,

9. $\neg\varphi(t@\tau) < \neg\{\lambda x\, t.\ \varphi(x)\}$,

10. $\neg\varphi < \neg\langle p\rangle\varphi$,

11. $\neg\langle p\rangle\langle q\rangle\varphi < \neg\langle p;q\rangle\varphi$,

12. $\neg\langle p\rangle\varphi < \neg\langle p \cup q\rangle\varphi$ and $\neg\langle q\rangle\varphi < \neg\langle p \cup q\rangle\varphi$,

13. $\neg\varphi < \neg\langle\varphi?\rangle\psi$ and $\neg\psi < \neg\langle\varphi?\rangle\psi$,

14. $\langle p\rangle\cdots\langle p\rangle\varphi < \langle p^*\rangle\varphi$.

It is easy to see that $<$ is well-founded. We show that every star-free prefixed formula occurring in a branch $B$ holds in the corresponding structure $\mathcal{M}_B$.

Fact 92 (Key fact, star-free fragment) Let $\pi$ be the identity mapping. Then, for every valuation $\nu$, prefixed star-free formula $\tau : \varphi$, and open branch $B$ in a fair derivation,

if $\tau : \varphi$ occurs in $B$, then $\mathcal{M}_B, \tau, \nu \models \varphi$.

Proof. By Lemma 90, we have that $\pi$ is a prefix mapping for $\mathcal{M}_B$. The proof continues by well-founded induction on $<$. The Branch Conditions Proposition 88 is used repeatedly in this proof without further comment.

The cases for $\wedge$, $\neg\wedge$, $\neg\neg$, $(p;q)$, $\neg(p;q)$, $(p \cup q)$, $\neg(p \cup q)$, $\varphi?$, and $\neg\varphi?$ are trivial and left to the reader.


$P$: If $\tau : P(t_1, \ldots, t_n)$ occurs in $B$, then so does $\tau : P(t_1@\tau, \ldots, t_n@\tau)$. Then $\langle|t_1@\tau|, \ldots, |t_n@\tau|\rangle \in I(P)$, by Definition 89. Since no $t_i$ contains logic variables (Proposition 64), $(\nu \star I_\pi)(\tau, t_i) = |t_i@\tau|$. Thus $\mathcal{M}_B, \tau, \nu \models P(t_1, \ldots, t_n)$.

$\neg P$: If $\tau : \neg P(t_1, \ldots, t_n)$ occurs in $B$, then so does $\tau : \neg P(t_1@\tau, \ldots, t_n@\tau)$. We need to show that $\mathcal{M}_B, \tau, \nu \models P(t_1, \ldots, t_n)$ does not hold. Suppose it did.

Since no $t_i$ contains logic variables (Proposition 64), $(\nu \star I_\pi)(\tau, t_i) = |t_i@\tau|$, which gives us that $\langle|t_1@\tau|, \ldots, |t_n@\tau|\rangle \in I(P)$.

But this could only be if there exists a formula $\tau : P(t'_1, \ldots, t'_n)$ in $B$ such that $t'_i@\tau \in |t_i@\tau|$ whenever $1 \leq i \leq n$. This in turn implies that $t'_i@\tau \doteq t_i@\tau$.

Since $\tau : P(t'_1, \ldots, t'_n)$ occurs in $B$, then so does $\tau : P(t'_1@\tau, \ldots, t'_n@\tau)$. Then by $n$ applications of Proposition 88.4, $\tau : P(t_1@\tau, \ldots, t_n@\tau)$ also occurs in $B$.

But this would mean that the branch is closed, which would be a contradiction. So, $\mathcal{M}_B, \tau, \nu \models P(t_1, \ldots, t_n)$ cannot hold, and thus $\mathcal{M}_B, \tau, \nu \models \neg P(t_1, \ldots, t_n)$.

$=$: If $\tau : t_1 = t_2$ occurs in $B$, then so does $\tau : t_1@\tau = t_2@\tau$, which implies that $|t_1@\tau| = |t_2@\tau|$. Since $(\nu \star I_\pi)(\tau, t_i) = |t_i@\tau|$, we get $\mathcal{M}_B, \tau, \nu \models t_1 = t_2$.

$\neg =$: If $\tau : \neg(t_1 = t_2)$ occurs in $B$, then so does $\tau : \neg(t_1@\tau = t_2@\tau)$. We need to show that $\mathcal{M}_B, \tau, \nu \models t_1 = t_2$ does not hold. Suppose it did.

Then $(\nu \star I_\pi)(\tau, t_1) = (\nu \star I_\pi)(\tau, t_2)$, i.e. $|t_1@\tau| = |t_2@\tau|$, and thus $t_1@\tau \doteq t_2@\tau$. Then by Proposition 88.4, we get that $\tau : \neg(t_2@\tau = t_2@\tau)$ occurs in the branch.

But this would mean that the branch is closed. Contradiction. So, we must have that $\mathcal{M}_B, \tau, \nu \models t_1 = t_2$ does not hold, which implies $\mathcal{M}_B, \tau, \nu \models \neg(t_1 = t_2)$.

$\lambda$: If $\tau : \{\lambda x\, t.\ \varphi(x)\}$ occurs in $B$, then so does $\tau : \varphi(t@\tau)$. By induction, $\mathcal{M}_B, \tau, \nu \models \varphi(t@\tau)$. By Corollary 83, $\mathcal{M}_B, \tau, \nu[x \mapsto t^\tau] \models \varphi(x)$, and thus $\mathcal{M}_B, \tau, \nu \models \{\lambda x\, t.\ \varphi(x)\}$.

$\neg\lambda$: If $\tau : \neg\{\lambda x\, t.\ \varphi(x)\}$ occurs in $B$, then so does the prefixed formula $\tau : \neg\varphi(t@\tau)$. By induction, we have $\mathcal{M}_B, \tau, \nu \models \neg\varphi(t@\tau)$, so $\mathcal{M}_B, \tau, \nu \models \varphi(t@\tau)$ does not hold. Then, by Corollary 83, neither does $\mathcal{M}_B, \tau, \nu[x \mapsto t^\tau] \models \varphi(x)$. So, $\mathcal{M}_B, \tau, \nu[x \mapsto t^\tau] \models \neg\varphi(x)$ holds, and thus $\mathcal{M}_B, \tau, \nu \models \neg\{\lambda x\, t.\ \varphi(x)\}$.

$a := t$: If $\tau : \langle a := t\rangle\varphi$ occurs in $B$, then so does $\tau[a := t] : \varphi$. By induction, $\mathcal{M}_B, \tau[a := t], \nu \models \varphi$. By Lemma 90, we have $\langle\tau, \tau[a := t]\rangle \in (a := t)^{\mathcal{M}_B,\nu,\pi}$, so $\mathcal{M}_B, \tau, \nu \models \langle a := t\rangle\varphi$.


$\neg a := t$: Suppose $\tau : \neg\langle a := t\rangle\varphi$ occurs in $B$. We need to show that for every $w'$ such that $\langle\tau, w'\rangle \in (a := t)^{\mathcal{M}_B,\nu,\pi}$, we have $\mathcal{M}_B, w', \nu \models \neg\varphi$.

We know that $\tau[a := t] : \neg\varphi$ occurs in $B$, so by induction we get $\mathcal{M}_B, \tau[a := t], \nu \models \neg\varphi$. By Lemma 90, $I_\pi(\tau[a := t]) = I_\pi(\tau)[a \mapsto t]$. Then Proposition 59 tells us that, for any world $w'$ such that $I_\pi(w') = I_\pi(\tau)[a \mapsto t]$, we have $\mathcal{M}_B, w', \nu \models \neg\varphi$.

Thus, $\mathcal{M}_B, \tau, \nu \models \neg\langle a := t\rangle\varphi$.

$\Box$

17.3 COMPLETENESS THEOREM

Theorem 93 (Completeness, star-free fragment) For all valid star-free subscript-free formulas $\varphi$, the prefixed formula $\tau : \varphi$ is provable in the tableau calculus.

Proof. We show the contrapositive, i.e. if there is no proof, then we have a structure in which $\tau : \varphi$ does not hold. If there is no proof, then any fair derivation of $\tau : \varphi$ must have at least one open branch $B$. We construct a structure $\mathcal{M}_B$ for the branch $B$ using Definition 89. The branch $B$ is satisfied in $\mathcal{M}_B$ (Key Fact 92). Since $\tau : \neg\varphi$ is in the branch, we have that $\varphi$ does not hold in world $\tau$ of structure $\mathcal{M}_B$ under any valuation. Thus $\varphi$ is not valid. $\Box$

We make a remark. In the proof of the Key Fact 92, we only use Proposition 88.4 for prefixed atomic formulas of the form $\tau : P(t_1, \ldots, t_n)$ and $\tau : \neg(t_1 = t_2)$. Since the equality rules $(=_L)$ and $(=_R)$ of our system,

$(=_L)$: from $\tau : t_1 = t_2$ and $\tau : \varphi(t_1)$ infer $\tau : \varphi(t_2)$ (where $t_1$ and $t_2$ are fixed),

$(=_R)$: from $\tau : t_2 = t_1$ and $\tau : \varphi(t_1)$ infer $\tau : \varphi(t_2)$ (where $t_1$ and $t_2$ are fixed),

are not used except in the proof of Proposition 88.4, we could actually restrict these rules by requiring that the premise $\tau : \varphi(t_1)$ be of the form $\tau : P(t_1, \ldots, t_n)$ or $\tau : \neg(t_1 = t_2)$, without compromising completeness of the tableau calculus.


Chapter 18

Completeness with the star operator

To create a complete tableau calculus for the quantifier-free dynamic assignment logic, we add an omega rule. We prove completeness by modifying the proofs of Chapter 17.

$(\omega)$: from $\tau : \langle p^*\rangle\varphi$ infer $\tau : \varphi \ \mid\ \tau : \langle p\rangle\varphi \ \mid\ \tau : \langle p\rangle\langle p\rangle\varphi \ \mid\ \cdots$

Derivations, proofs, closed branches etc. are all defined in the same way as earlier, with the exception that derivations can now be infinitely branching.

Example 94 (Commuting programs) Any program $p$ commutes with $p^*$. We here prove one direction of commutation for the special case when $p$ is the program $a := t$, namely

$\langle(a := t)^*\rangle\langle a := t\rangle\varphi \supset \langle a := t\rangle\langle(a := t)^*\rangle\varphi.$

The proof is given in Figure 18.1. Note that each branch is finite.

We establish soundness in the same way as before. First we need to check that the new omega rule is correct.

Lemma 95 (Correctness of the omega rule) The omega rule preserves satisfiability (under the same valuation, in the same structure).

Proof. We assume that a branch $B$ is satisfiable in some structure $\mathcal{M}$ under valuation $\nu$ (and prefix mapping $\pi$). We show that if $B$ contains the premise of the rule, then adding one set of conclusions of the rule to $B$ still produces a set of prefixed formulas satisfiable in $\mathcal{M}$ under $\nu$.


Figure 18.1: An infinite proof, where $p \equiv (a := t)$ and $\tau_1 \equiv \tau[a := t]$.

(1) $\tau : \neg(\langle p^*\rangle\langle p\rangle\varphi \supset \langle p\rangle\langle p^*\rangle\varphi)$ (assumed)
(2) $\tau : \langle p^*\rangle\langle p\rangle\varphi$ (from 1 by $(\neg\supset)$)
(3) $\tau : \neg\langle p\rangle\langle p^*\rangle\varphi$ (from 1 by $(\neg\supset)$)
(4) $\tau_1 : \neg\langle p^*\rangle\varphi$ (from 3 by $(\neg\Diamond)$)

Applying $(\omega)$ to (2) opens one branch for every $i \geq 1$; the $i$-th branch starts with $\tau : \langle p\rangle^i\varphi$, where $\langle p\rangle^i$ abbreviates $i$ copies of $\langle p\rangle$.

Branch 1:
(1.1) $\tau : \langle p\rangle\varphi$ (from 2 by $(\omega)$)
(1.2) $\tau_1 : \neg\varphi$ (from 4 by $(\neg *)$)
(1.3) $\tau_1 : \neg\langle p^*\rangle\langle p\rangle\varphi$ (from 4 by $(\neg *)$)
(1.4) $\tau_1 : \varphi$ (from 1.1 by $(\Diamond)$), closing the branch against (1.2)

Branch 2:
(2.1) $\tau : \langle p\rangle\langle p\rangle\varphi$ (from 2 by $(\omega)$)
(2.2) $\tau_1 : \neg\varphi$ (from 4 by $(\neg *)$)
(2.3) $\tau_1 : \neg\langle p^*\rangle\langle p\rangle\varphi$ (from 4 by $(\neg *)$)
(2.4) $\tau_1 : \neg\langle p\rangle\varphi$ (from 2.3 by $(\neg *)$)
(2.5) $\tau_1 : \neg\langle p^*\rangle\langle p\rangle\langle p\rangle\varphi$ (from 2.3 by $(\neg *)$)
(2.6) $\tau_1 : \langle p\rangle\varphi$ (from 2.1 by $(\Diamond)$), closing the branch against (2.4)

Branch $i$:
($i$.1) $\tau : \langle p\rangle^i\varphi$ (from 2 by $(\omega)$)
($i$.2) $\tau_1 : \neg\varphi$ (from 4 by $(\neg *)$)
($i$.3) $\tau_1 : \neg\langle p^*\rangle\langle p\rangle\varphi$ (from 4 by $(\neg *)$)
...
($i$.$2i$) $\tau_1 : \neg\langle p\rangle^{i-1}\varphi$ (from $i$.$2i{-}1$ by $(\neg *)$)
($i$.$2i{+}1$) $\tau_1 : \neg\langle p^*\rangle\langle p\rangle^{i}\varphi$ (from $i$.$2i{-}1$ by $(\neg *)$)
($i$.$2i{+}2$) $\tau_1 : \langle p\rangle^{i-1}\varphi$ (from $i$.1 by $(\Diamond)$), closing the branch against ($i$.$2i$)


$(\omega)$ Suppose $\mathcal{M}, \pi(\tau), \nu \models \langle p^*\rangle\varphi$. Then there exists a world $w$ such that $\langle\pi(\tau), w\rangle \in (p^*)^{\mathcal{M},\nu,\pi}$ and $\mathcal{M}, w, \nu \models \varphi$. Then, since $(p^*)^{\mathcal{M},\nu,\pi}$ is the reflexive, transitive closure of $p^{\mathcal{M},\nu,\pi}$, we get that $\langle\pi(\tau), w\rangle \in p^{\mathcal{M},\nu,\pi} \circ \cdots \circ p^{\mathcal{M},\nu,\pi}$ for some number $n \geq 0$ of factors $p^{\mathcal{M},\nu,\pi}$. It is then easy to see that $\mathcal{M}, \pi(\tau), \nu \models \langle p\rangle\cdots\langle p\rangle\varphi$ with the same number $n$ of $\langle p\rangle$, which is one of the conclusions of the rule.

$\Box$

Theorem 96 (Soundness) If a subscript-free formula is provable in the basic tableau calculus (Figure 13.1) with the omega rule, then it is valid.

Proof. Similar to the proof of Theorem 85, but using both Lemmas 84 and 95. (A derivation may now branch infinitely, but every branch of a proof is still finite, so the argument that some branch of the proof must be satisfiable goes through unchanged.) $\Box$

We note that every open branch in a fair derivation containing a formula of the form $\tau : \neg\langle p^*\rangle\varphi$ is infinite.

Proposition 97 (Branch conditions) The following holds for any open saturated branch $B$ constructed in the systematic tableau construction.

5. If $\tau : \langle p^*\rangle\varphi$ is in $B$, then so is $\tau : \langle p\rangle\cdots\langle p\rangle\varphi$ for some number of $\langle p\rangle$'s.

6. If $\tau : \neg\langle p^*\rangle\varphi$ is in $B$, then so is $\tau : \neg\langle p\rangle\cdots\langle p\rangle\varphi$, for every number of $\langle p\rangle$'s.

We show that all formulas occurring in a saturated open branch $B$ are true in the constructed structure $\mathcal{M}_B$ by induction on the well-ordering $<$ of the formulas (Definition 91).

Fact 98 (Key fact) For every valuation $\nu$, prefix $\tau$, formula $\varphi$, and open saturated branch $B$,

if $\tau : \varphi$ occurs in $B$, then $\mathcal{M}_B, \tau, \nu \models \varphi$.

Proof. By well-founded induction on $<$. Most cases are given in the proof of the Key Fact 92.

$p^*$: If $\tau : \langle p^*\rangle\varphi$ occurs in $B$, then so does $\tau : \langle p\rangle\cdots\langle p\rangle\varphi$ for some number of $\langle p\rangle$, according to the Branch Conditions (Proposition 97). Then, by induction, $\mathcal{M}_B, \tau, \nu \models \langle p\rangle\cdots\langle p\rangle\varphi$. Then there exists a world $w$ in $\mathcal{M}_B$ such that $\langle\tau, w\rangle \in p^{\mathcal{M}_B,\nu,\pi} \circ \cdots \circ p^{\mathcal{M}_B,\nu,\pi}$ and $\mathcal{M}_B, w, \nu \models \varphi$. But also $\langle\tau, w\rangle \in (p^*)^{\mathcal{M}_B,\nu,\pi}$, so $\mathcal{M}_B, \tau, \nu \models \langle p^*\rangle\varphi$.


$\neg p^*$: Suppose $\tau : \neg\langle p^*\rangle\varphi$ occurs in $B$. We want to show $\mathcal{M}_B, \tau, \nu \models \neg\langle p^*\rangle\varphi$. To show this, we have to show that $\neg\varphi$ holds in every world $w_n$ such that $\langle\tau, w_n\rangle \in (p^*)^{\mathcal{M}_B,\nu,\pi}$. But $\langle\tau, w_n\rangle \in (p^*)^{\mathcal{M}_B,\nu,\pi}$ only holds if there exists a sequence of worlds $\tau = w_1, \ldots, w_n$ such that $\langle w_i, w_{i+1}\rangle \in p^{\mathcal{M}_B,\nu,\pi}$ whenever $1 \leq i < n$.

By the Branch Conditions (Proposition 97), we know that the prefixed formula $\tau : \neg\langle p\rangle\cdots\langle p\rangle\varphi$ occurs in $B$ with any number of $\langle p\rangle$'s, in particular with $n-1$ of them. By induction, we get $\mathcal{M}_B, \tau, \nu \models \neg\langle p\rangle\cdots\langle p\rangle\varphi$, which implies that $\varphi$ cannot hold in $w_n$. We leave the details to the reader.

$\Box$

Theorem 99 (Completeness) For all valid subscript-free formulas $\varphi$, the prefixed formula $\tau : \varphi$ is provable in the tableau calculus with the omega rule.

Proof. Similar to the proof of Theorem 93. $\Box$


Chapter 19

Conclusion and Future Work

We have presented the semantics and a tableau calculus for the quanti�er-free dynamic assignment logic. We have shown that

� The star-free calculus is complete;

� The calculus with the omega rule is complete;

� The validity problem for the logic is undecidable.

Several interesting results emerge if we restrict the language. The systemwith neither the star operator nor function symbols is decidable, but whatis even more interesting is that the system without the star operator, butwith function symbols, is also decidable. This was, however, discovered justa couple of days before the deadline of the dissertation, so the proof is notincluded here.

19.1 COMPLETENESS WITHOUT OMEGA RULE

We leave it as an open problem whether full quanti�er-free dynamic assign-ment logic can be formalized in a complete calculus without omega-rule orsimilar in�nite constructs.

There are complete finitary tableau systems for propositional dynamic logic, see e.g. (Massacci 1998).¹ Tableau approaches for propositional dynamic logic and temporal logics generally work in the following way. First an and-or graph is created (the tableau), and then the corresponding pseudo-model is model-checked, deleting nodes with unfulfilled eventualities.

¹ In his thesis, Massacci actually shows that a tableau system for propositional dynamic logic with converse is complete. The converse of a program $p$, denoted $p^{-}$, intuitively means that the program $p$ is run backwards. The formula $[p^{-}]\varphi$ means that $\varphi$ must hold before the program $p$ is run. Using the converse, preconditions of programs can be expressed.

This technique uses history variables introduced by Manna and Pnueli (1995). These were also used for the modal $\mu$-calculus in (Stirling 1996). The rules for interaction combine prefixed tableaux with the ideas of Stirling and Walker (1991) and Stirling (1996) for model checking fixpoints in the modal $\mu$-calculus.

What is it, then, that makes the standard completeness proofs of tableau calculi for propositional dynamic logic not generalizable to dynamic assignment logic? The problem is the terms of our logic. We give an example. Consider the prefixed formula $\sigma : \langle (a := f(a))^*\rangle\varphi$. This prefixed formula means that either $\sigma : \varphi$ or $\sigma : \langle a := f(a)\rangle\langle (a := f(a))^*\rangle\varphi$ holds. A rule similar to the one below is used in several tableau proof systems for propositional dynamic logic.

$$\frac{\sigma : \langle p^*\rangle\varphi}{\sigma : \varphi \quad\Big|\quad \sigma : \neg\varphi,\;\; \sigma[p] : \langle p^*\rangle\varphi}$$

The left branch contains only $\sigma : \varphi$; the right branch contains both $\sigma : \neg\varphi$ and $\sigma[p] : \langle p^*\rangle\varphi$, i.e. the eventuality is postponed by one step of $p$.

The completeness proof is carried out by identifying states satisfying the same set of formulas. That is, consider all formulas prefixed by $\sigma$ and all formulas prefixed by $\sigma[p]$. If these two sets of formulas are the same, we conclude that the two states named by $\sigma$ and $\sigma[p]$ are actually identical, and the branch is completed, i.e. there is no need to search further in this branch. (This is, of course, a rather simplified description. There is also a need to check that all possible formulas prefixed by $\sigma$ have been inferred, i.e. that the branch is saturated in some sense.)

The problem is that, in our logic, the interpretation of a non-fixed program variable in a prefixed formula depends on the prefix. Our example formula above could generate a branch with prefixed formulas $\sigma : \varphi(a)$, $\sigma[a := f(a)] : \varphi$, $\sigma[a := f(a)][a := f(a)] : \varphi$, etc. In this branch the interpretation of $a$ in the prefixed formulas varies, making it impossible to identify states named, for example, $\sigma$ and $\sigma[a := f(a)]$ just because they satisfy the same set of formulas. An even simpler example is the following pair of prefixed formulas: $\sigma : a = b$ and $\sigma[a := b] : a = b$. Here the second formula is valid, while the first one is not. Even though the two prefixes label the same formula, they are still different.

19.2 SOME OPEN PROBLEMS

In general, there are two different ways to handle the semantics of atomic programs in dynamic logic.


The first choice is to say that atomic programs are always possible to execute and that they always terminate. Semantically, this means that some seriality condition has to be satisfied by every structure. In the dissertation, we have chosen this approach, since our atomic programs are assignments, and in most programming languages assignments are always possible.²

The other choice is to have no requirements on the atomic programs, and thus drop the seriality condition on structures. To get the corresponding tableau system, we could add the following restrictions to our tableau calculus.

1. The rule $(\Diamond)$ is only allowed if the prefix $\sigma[a := t]$ is already present in the branch.

2. The rule $(\neg\Diamond)$ is only allowed if the prefix $\sigma[a := t]$ is new for the branch.

Another open problem is that of having program variables of arity greater than 0, i.e. allowing assignments to function symbols. This would make it possible to prove properties of arrays, such as the correctness of sorting algorithms.

² With some imagination, one can consider programming languages with communication to be an exception to this. Consider two processes $A = \cdots;\ \mathit{send}(X);\ \cdots$ and $B = \cdots;\ \mathit{receive}(X);\ \cdots$, where message $X$ is sent from $A$ to $B$. The $\mathit{receive}(X)$ in $B$ can be seen as an implicit assignment $X := ?$ in $B$. When reaching $\mathit{receive}(X)$, process $B$ suspends until $X$ has been sent by $A$. This suspension restricts execution of the implicit assignment statement $X := ?$ in $B$ until $X$ has been sent from $A$.


Concluding remarks

We have presented the term-modal logics and the quantifier-free dynamic assignment logic. Several directions for future research can be outlined.

The combination of term-modal logic and quantifier-free dynamic assignment logic is an interesting enterprise. Using the scoping operator instead of the quantifiers in term-modal logic should lead to many interesting decidable fragments of term-modal logic. Also, adding some kind of updates, maybe in the form of assignments, to term-modal logic would result in a strong multi-agent logic.

Various people have suggested embedding term-modal logic into first-order dynamic logic. The idea would be to use a dynamic operator $\langle a := t\rangle$ for each term-modal operator $\langle t\rangle$. It is, however, not possible to embed term-modal logic into dynamic assignment logic, since in this logic the modal operator $\langle a := t\rangle$ may not contain any logic variables. One of the main advantages of the term-modal logics is to have logic variables in the modalities, to be able to quantify over modal operators.

Extending dynamic assignment logic with logic variables in assignment programs is interesting, but leads to problems. In the resulting logic, we would be able to express formulas like

$$\neg a = b \supset \{\lambda x\, b.\ \langle b := a\rangle\langle a := x\rangle\, \neg a = b\}.$$

The resulting language is very expressive. We could then, for instance, parameterize programs by using logic variables in programs. This can be used to prove meta-properties about programs. An example of this is to prove that some reuse of program variables is harmless, i.e., that using the same program variable in two sections of the code has the same meaning as using two different variables. This is important in compiler technology, since minimizing the number of program variables maximizes utilization of processor registers, thereby speeding up program execution.


But to define the semantics of this logic, we need to define prefixes and subscripted terms by mutual induction. We would then require that

$$a_{[a := t @ \sigma']} = a_{[a := t @ \sigma'']}$$

whenever $(\nu \star I)(\rho(\sigma'), t) = (\nu \star I)(\rho(\sigma''), t)$, which would complicate things.
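Two of the points made above, the prefix-dependent meaning of a program variable (Section 19.1, the pair $\sigma : a = b$ versus $\sigma[a := b] : a = b$ and the branch generated by $(a := f(a))^*$) and the swap formula with a logic variable bound by the scoping operator, can be checked mechanically by executing the semantics over a small finite structure. The Python below is an added example written for this page; it is not code from the dissertation. It assumes a constructed domain $\{0, 1, 2\}$, a single unary function symbol $f$ interpreted as successor modulo 3, and a hand-rolled tuple encoding for terms, prefixes and formulas; validity is decided by enumerating every initial state and valuation, which is only possible because the domain is finite. Assignments are treated as deterministic and always executable, which is the seriality choice the text adopts, so $\langle a := t\rangle\psi$ and $[a := t]\psi$ coincide here.

```python
from itertools import product

DOMAIN = (0, 1, 2)                      # constructed finite domain of values
FUNCS = {"f": lambda v: (v + 1) % 3}    # constructed interpretation: f is successor mod 3


def eval_term(term, state, val):
    """Interpret a term in a state (program variables) under a valuation
    (logic variables).  Encoding (constructed for this example):
      "a"              program variable
      ("lv", "x")      logic variable
      ("app", "f", t)  application of function symbol f to term t
    """
    if isinstance(term, str):
        return state[term]
    if term[0] == "lv":
        return val[term[1]]
    if term[0] == "app":
        return FUNCS[term[1]](eval_term(term[2], state, val))
    raise ValueError(f"bad term {term!r}")


def assign(state, var, term, val):
    """Run the atomic program var := term.  Assignments are deterministic and
    always executable, which is the seriality condition the thesis adopts."""
    new_state = dict(state)
    new_state[var] = eval_term(term, state, val)
    return new_state


def run_prefix(prefix, state, val):
    """A prefix is a list of assignments applied left to right.  Each term is
    evaluated in the state reached so far, so the element a non-fixed program
    variable denotes depends on the prefix in front of it."""
    for var, term in prefix:
        state = assign(state, var, term, val)
    return state


def holds(phi, state, val):
    """Truth of a formula at a state.  Encoding (constructed):
      ("eq", t1, t2)            t1 = t2
      ("not", phi)              negation
      ("imp", phi, psi)         implication
      ("dia", var, term, psi)   <var := term> psi (same as [var := term] psi here)
      ("lam", x, var, psi)      {lambda x var. psi}: bind x to the current value of var
    """
    tag = phi[0]
    if tag == "eq":
        return eval_term(phi[1], state, val) == eval_term(phi[2], state, val)
    if tag == "not":
        return not holds(phi[1], state, val)
    if tag == "imp":
        return (not holds(phi[1], state, val)) or holds(phi[2], state, val)
    if tag == "dia":
        _, var, term, psi = phi
        return holds(psi, assign(state, var, term, val), val)
    if tag == "lam":
        _, x, var, psi = phi
        return holds(psi, state, {**val, x: state[var]})
    raise ValueError(f"bad formula {phi!r}")


def prefixed_valid(prefix, phi, pvars=("a", "b"), lvars=()):
    """sigma : phi is valid iff phi holds at the state reached by running sigma
    from every initial state, under every valuation of the free logic variables."""
    for values in product(DOMAIN, repeat=len(pvars)):
        state = dict(zip(pvars, values))
        for lvalues in product(DOMAIN, repeat=len(lvars)):
            val = dict(zip(lvars, lvalues))
            if not holds(phi, run_prefix(prefix, state, val), val):
                return False
    return True


def iterate_assignment(var, term, state, n):
    """Value of var at sigma, sigma[var := term], sigma[var := term][var := term], ...
    The same program variable denotes a different element at each prefix, which is
    why prefixes cannot be identified merely by the formulas they label."""
    values = [state[var]]
    for _ in range(n):
        state = assign(state, var, term, {})
        values.append(state[var])
    return values


A_EQ_B = ("eq", "a", "b")
A_NEQ_B = ("not", A_EQ_B)
# not a = b  implies  {lambda x b. <b := a><a := x> not a = b}: x remembers the old b
SWAP = ("imp", A_NEQ_B,
        ("lam", "x", "b", ("dia", "b", "a", ("dia", "a", ("lv", "x"), A_NEQ_B))))
# same shape without the logic variable: <b := a><a := b> merely copies a into b
COPY = ("imp", A_NEQ_B, ("dia", "b", "a", ("dia", "a", "b", A_NEQ_B)))


def demo():
    return {
        "sigma : a = b": prefixed_valid([], A_EQ_B),                    # False
        "sigma[a := b] : a = b": prefixed_valid([("a", "b")], A_EQ_B),  # True
        "swap keeps a != b": prefixed_valid([], SWAP),                  # True
        "copy keeps a != b": prefixed_valid([], COPY),                  # False
        "a along (a := f(a))^*": iterate_assignment(                    # [0, 1, 2, 0]
            "a", ("app", "f", "a"), {"a": 0, "b": 0}, 3),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

`prefixed_valid([], A_EQ_B)` is False while `prefixed_valid([("a", "b")], A_EQ_B)` is True, which is exactly the observation that $\sigma$ and $\sigma[a := b]$ label the same formula but are different states. The SWAP/COPY pair shows what a logic variable inside a program buys: with $x$ bound by the scoping operator to the old value of $b$ the two assignments swap $a$ and $b$ and preserve $a \ne b$, whereas without it the second assignment only copies, so the implication fails on every state with $a \ne b$.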


Bibliography

Aho, A. V., Sethi, R. and Ullman, J. D.: 1985, Compilers: Principles, Techniques and Tools, Addison-Wesley Publishing.

Areces, C., Blackburn, P. and Marx, M.: 2000, The computational complexity of hybrid temporal logics, Logic Journal of the IGPL 8(5), 653–679.

Berman, F. and Paterson, M.: 1981, Propositional dynamic logic is weaker without tests, Theoretical Computer Science 16(3), 321–328.

Birkhoff, G.: 1944, Subdirect unions in universal algebras, Bull. Amer. Math. Soc. 50, 764–768.

Blackburn, P.: 1993, Nominal tense logic, Notre Dame Journal of Formal Logic 34(1), 56–83.

Blackburn, P. and Seligman, J.: 1993, Hybrid languages, Journal of Logic, Language, and Information 4(3), 251–272.

Blackburn, P. and Tzakova, M.: 1998, Hybrid completeness, Logic Journal of the IGPL 6(4), 625–650.

Bressan, A.: 1972, A General Interpreted Modal Calculus, Yale University Press.

Chellas, B.: 1980, Modal Logic, an Introduction, Cambridge University Press, Cambridge.

Eder, E.: 1985, Properties of substitutions and unifications, Journal of Symbolic Computation 1(1), 31–48.

Fagin, R., Halpern, J., Moses, Y. and Vardi, M.: 1995, Reasoning about Knowledge, The MIT Press, Cambridge.


Fischer, M. J. and Ladner, R. E.: 1977, Propositional modal logic of programs, Ninth Annual ACM Symposium on Theory of Computing, ACM, New York, N.Y., pp. 286–294.

Fischer, M. J. and Ladner, R. E.: 1979, Propositional dynamic logic of regular programs, Journal of Computer and System Sciences 18(2), 194–211.

Fitting, M.: 1983, Proof Methods for Modal and Intuitionistic Logics, Vol. 169 of Synthese Library, Reidel Publ. Comp.

Fitting, M.: 1988, First-order modal tableaux, Journal of Automated Reasoning 4, 191–213.

Fitting, M.: 1996a, First Order Logic and Automated Theorem Proving, Graduate Texts in Computer Science, 2nd edn, Springer Verlag, New York. 1st ed., 1990.

Fitting, M.: 1999, Types, Tableaus and Gödel's God, Unpublished manuscript.

Fitting, M. C.: 1972, An epsilon-calculus system for first-order S4, in W. Hodges (ed.), Conference in Mathematical Logic, London '70, pp. 103–110. Springer Lecture Notes in Mathematics, No. 255.

Fitting, M. C.: 1973, A modal logic analog of Smullyan's fundamental theorem, Zeitschrift für mathematische Logik und Grundlagen der Mathematik 19, 1–16.

Fitting, M. C.: 1975, A modal logic epsilon-calculus, Notre Dame Journal of Formal Logic 16, 1–16.

Fitting, M. C.: 1991, Modal logic should say more than it does, in J.-L. Lassez and G. Plotkin (eds), Computational Logic, Essays in Honor of Alan Robinson, MIT Press, Cambridge, MA, pp. 113–135.

Fitting, M. C.: 1996b, A modal Herbrand theorem, Fundamenta Informaticae 28, 101–122.

Fitting, M. and Mendelsohn, R. L.: 1998, First-Order Modal Logic, Vol. 277 of Synthese Library, Kluwer Academic Publishers, Dordrecht.

Fitting, M., Thalmann, L. and Voronkov, A.: 2000, Term-modal logics, in R. Dyckhoff (ed.), Tableaux 2000, Vol. 1847 of Lecture Notes in Artificial Intelligence, Springer-Verlag, Berlin Heidelberg, pp. 220–236.

Fitting, M., Thalmann, L. and Voronkov, A.: 2001, Term-modal logics, Studia Logica. To appear.


Frege, G.: 1879, Begriffsschrift, eine der arithmetischen nachgebildete Formelsprache des reinen Denkens, Halle. Reprinted in (Frege and Angelelli 1966); English translation in (van Heijenoort 1967).

Frege, G.: 1892, Über Sinn und Bedeutung, Zeitschrift für Philosophie und philosophische Kritik 100, 25–50. "On Sense and Reference" translated in (Frege 1952).

Frege, G.: 1952, Translations from the Philosophical Writings of Gottlob Frege, Basil Blackwell, Oxford. P. Geach and M. Black, editors.

Frege, G. and Angelelli, I.: 1966, Begriffsschrift und andere Aufsätze, Olms, Hildesheim.

Gallier, J. H.: 1986, Logic for Computer Science: Foundations of Automatic Theorem Proving, Vol. 5 of Computer Science and Technology Series, Harper & Row, New York.

Gargov, G. and Goranko, V.: 1993, Modal logic with names, Journal of Philosophical Logic 22(6), 607–636.

Garson, J.: 1984, Quantification in modal logic, in D. Gabbay and F. Guenthner (eds), Handbook of Philosophical Logic, Vol. II, D. Reidel Publishing Company, chapter II.5, pp. 249–307.

Gentzen, G.: 1934, Untersuchungen über das logische Schließen, Mathematische Zeitschrift 39, 176–210, 405–431. Translated as (Gentzen 1969).

Gentzen, G.: 1969, Investigations into logical deduction, in M. Szabo (ed.), The Collected Papers of Gerhard Gentzen, North Holland, Amsterdam, pp. 68–131. Originally appeared as (Gentzen 1934).

Grove, A.: 1995, Naming and identity in epistemic logics part II: A first-order logic for naming, Artificial Intelligence 74, 311–350.

Grove, A. and Halpern, J.: 1991, Naming and identity in a multi-agent epistemic logic, in J. Allen, R. Fikes and E. Sandewall (eds), KR'91. Proc. of the 2nd International Conference on Principles of Knowledge Representation and Reasoning, Morgan Kaufmann, Cambridge, Massachusetts, pp. 301–312.

Halpern, J. Y.: 1993, Reasoning about knowledge: a survey circa 1991, in A. Kent and J. G. Williams (eds), Encyclopedia of Computer Science and Technology, Volume 27 (Supplement 12), Marcel Dekker, New York.

Harel, D.: 1979, First-Order Dynamic Logic, Vol. 68 of LNCS, Springer.

Hintikka, J.: 1962, Knowledge and Belief, Cornell University Press, Ithaca, New York.


Hoare, C. A. R.: 1969, An axiomatic basis for computer programming, Communications of the ACM 12(10), 576–580.

Hopcroft, J. and Ullman, J. D.: 1979, Introduction to Automata Theory, Languages, and Computation, Addison-Wesley, Reading, MA.

Hughes, G. and Cresswell, M.: 1968, An Introduction to Modal Logic, Methuen, London.

Hughes, G. and Cresswell, M.: 1984, A Companion to Modal Logic, Methuen.

Hughes, G. and Cresswell, M.: 1996, A New Introduction to Modal Logic, Routledge, London.

Kleene, S. C.: 1952, Introduction to Metamathematics, D. van Nostrand, Princeton, New Jersey.

Kozen, D. and Parikh, R.: 1981, An elementary proof of the completeness of PDL, Theoretical Computer Science 14(1), 113–118.

Kozen, D. and Tiuryn, J.: 1989, Logics of programs, in J. van Leeuwen (ed.), Handbook of Theoretical Computer Science, North Holland, Amsterdam.

Lenzen, W.: 1978, Recent Work in Epistemic Logic, Vol. 30 of Acta Philosophica Fennica, North-Holland, Amsterdam.

Manna, Z. and Pnueli, A.: 1995, Temporal Verification of Reactive Systems: Safety, Springer-Verlag, New York.

Massacci, F.: 1998, Efficient Approximate Deduction and an Application to Computer Security, PhD thesis, Dottorato in Ingegneria Informatica, Università di Roma I "La Sapienza", Dipartimento di Informatica e Sistemistica.

Meyer, J.-J. C. and van der Hoek, W.: 1995, Epistemic Logic for AI and Computer Science, number 41 in Cambridge Tracts in Theoretical Computer Science, Cambridge University Press.

Moller, F. and Birtwistle, G. M.: 1996, Logics for Concurrency: Structure versus Automata, Vol. 1043 of Lecture Notes in Computer Science, Springer-Verlag Inc., New York, NY, USA.

Parikh, R.: 1978, The completeness of propositional dynamic logic, in J. Winkowski (ed.), Proceedings of the 7th Symposium on Mathematical Foundations of Computer Science, Vol. 64 of LNCS, Springer, Zakopane, Poland, pp. 403–415.

Passy, S. and Tinchev, T.: 1991, An essay in combinatory dynamic logic, Information and Computation 93(2), 263–332.


Passy, S. and Tinchev, T.: 1985, Quantifiers in combinatory PDL: completeness, definability, incompleteness, in L. Budach (ed.), 5th International Conference on Fundamentals of Computation Theory, Vol. 199 of Lecture Notes in Computer Science, Springer-Verlag, Cottbus, GDR, pp. 512–519.

Pratt, V. R.: 1976, Semantical considerations on Floyd-Hoare logic, 17th Annual Symposium on Foundations of Computer Science, IEEE, pp. 109–121.

Pratt, V. R.: 1978, A practical decision method for propositional dynamic logic, ACM Symposium on Theory of Computing (STOC '78), ACM Press, New York, pp. 326–337.

Pratt, V. R.: 1980, A near optimal method for reasoning about action, Journal of Computer and System Sciences 20(2), 231–254.

Ryan, M., Fiadeiro, J. and Maibaum, T.: 1991, Sharing actions and attributes in modal action logic, in T. Ito and A. R. Meyer (eds), Theoretical Aspects of Computer Software, Vol. 526 of Lecture Notes in Computer Science, Springer-Verlag, pp. 569–593.

Schütte, K.: 1960, Beweistheorie (in German), Springer Verlag.

Shoenfield, J. R.: 1967, Mathematical Logic, Addison-Wesley, Reading.

Smullyan, R.: 1963, A unifying principle in quantification theory, Proc. Nat. Acad. Sci. U.S.A., Vol. 49, pp. 828–832.

Stalnaker, R. and Thomason, R.: 1968, Abstraction in first-order modal logic, Theoria 34, 203–207.

Stirling, C.: 1996, Modal and temporal logics for processes, in (Moller and Birtwistle 1996).

Stirling, C. and Walker, D.: 1991, Local model checking in the modal mu-calculus, Theoretical Computer Science 89(1), 161–177.

Thomason, R. and Stalnaker, R.: 1968, Modality and reference, Noûs 2, 359–372.

Tzakova, M.: 1999, Tableau calculi for hybrid logics, in N. V. Murray (ed.), Proceedings of the International Conference on Automated Reasoning with Analytic Tableaux and Related Methods (TABLEAUX-99), Vol. 1617 of LNAI, Springer, Berlin, pp. 278–292.

van der Hoek, W. and Meyer, J.-J. C.: 1997, A complete epistemic logic for multiple agents: combining distributed and common knowledge, in M. Bacharach, L. Gerard-Varet, P. Mongin and H. Shin (eds), Epistemic Logic and the Theory of Games and Decisions, Kluwer Academic Publishers, Dordrecht, pp. 35–68.

van Heijenoort, J. (ed.): 1967, From Frege to Gödel, a Source Book in Mathematical Logic, Harvard University Press, Cambridge.

van Orman Quine, W.: 1974, Mathematical Logic, 2nd edn, Harvard University Press, Cambridge.

Voronkov, A.: 1996, Proof search in intuitionistic logic based on constraint satisfaction, in P. Miglioli, U. Moscato, D. Mundici and M. Ornaghi (eds), Theorem Proving with Analytic Tableaux and Related Methods. 5th International Workshop, TABLEAUX '96, Vol. 1071 of Lecture Notes in Artificial Intelligence, Terrasini, Palermo, Italy, pp. 312–329.

Voronkov, A.: 2001, Proof-search in intuitionistic logic based on constraint satisfaction and related complexity problems, Logic Journal of IGPL. To appear.

Wallen, L.: 1990, Automated Deduction in Nonclassical Logics, The MIT Press.
