UNIVERSIT� ATDESSAARLANDES

FACHBEREICHINFORMATIK

D-66041SAARBR� UCKEN

GERMANY WWW:http://js-sfbsun.cs.uni-sb.de/pub/www/

A Tableau Calculus for PartialFunctionsManfred Kerber and Michael KohlhasePublished as: In Annals of the Kurt-G�odel-Society, forthcoming

A Tableau Calculus for Partial Functions?Manfred Kerber Michael KohlhaseFachbereich Informatik, Universit�at des Saarlandes66041 Saarbr�ucken, Germany+49-681-302-f4628j4627gfkerber|kohlhaseg@cs.uni-sb.deAbstract. Even though it is not very often admitted, partial functionsdo play a signi�cant role in many practical applications of deduction sys-tems. Kleene has already given a semantic account of partial functionsusing a three-valued logic decades ago, but there has not been a satisfact-ory mechanization. Recent years have seen a thorough investigation ofthe framework of many-valued truth-functional logics. However, strongKleene logic, where quanti�cation is restricted and therefore not truth-functional, does not �t the framework directly. We solve this problemby applying recent methods from sorted logics. This paper presents atableau calculus that combines the proper treatment of partial functionswith the e�ciency of sorted calculi.Keywords: Partial functions, many-valued logic, sorted logic, tableau.1 IntroductionMany practical applications of deduction systems in mathematics and computerscience rely on the correct and e�cient treatment of partial functions. For thispurpose di�erent approaches|reaching fromworkarounds for concrete situationsto a proper general treatment|have been developed. In the following we will in-troduce the main approaches and exemplify their advantages and disadvantagesby some trivial examples from arithmetic. For a more detailed discussion of thedi�erent approaches compare [Far90].There are essentially four approaches of treating partiality. First, these ex-pressions can syntactically be excluded. Second, it is possible to disregard orbypass partiality. Third, partiality is taken serious and this is re ected in thesemantics and the calculus. Fourth, there is some mixture between options twoand three.In the �rst approach terms like x0 are treated as syntactically ill-formed,for instance, by using a sorted logic, in which the domain of the xy function isde�ned to be IR� IR� (where IR� denotes the real numbers without 0). Therebythe whole problem of partiality has been bypassed. In the cases, where such aprocedure is possible, this approach is quite adequate and re ects the usual way? This work was supported by the Deutsche Forschungsgemeinschaft (SFB 314, D2)

of handling unde�ned expressions in mathematics: to assure that all expressionsare de�ned before beginning to reason about them. It is, however, not alwayspossible to exclude such expressions from the consideration a priori. For instance,if you consider terms like 1f(x) , it would be necessary to exclude this expressionfor those x where f(x) = 0; depending on the de�nition of f , this might benot computable at all. In consequence, this approach remedies the problem ofpartiality in certain cases only and does not provide a full solution.In the second approach a value is assigned to 10 , either a �xed value (e.g.0) or an undetermined one. In both cases it is necessary to tolerate undesiredtheorems, in the �rst case, for instance, 10 = 0, or in the second case from0 �x = 0 the instance 0 � 10 = 0. This approach is not satisfying, if such theoremsare unwanted, which is normally the case in mathematics.In the third approach, terms like 10 are not de�ned and semantically eitheruninterpreted or interpreted by some error element. In the same manner, atomicformulae, containing such an unde�ned term, like 10 = 0 are not interpretedby a truth value (true or false) at all or are interpreted by a third truth value(unde�ned). As in the �rst approach, partiality is taken serious, but it is nolonger necessary to single out the unde�ned expressions a priori. The main draw-back of this approach is that classical two-valued logic is not adequate for itsmechanization. A possible formalization can be done by a three-valued logic,however. Kleene makes this approach formal, by introducing an individual ?denoting meaningless individuals and a third truth value u, standing for the\unde�ned" truth value. However, in contrast to the general framework formany-valued truth-functional logics, Kleene's quanti�ers only range over de�nedvalues, that is, not over ?, making a direct utilization of the methods developedby Carnielli [Car87, Car91], H�ahnle [H�ah92], Baaz and Ferm�uller [BF92] im-possible. Kleene's approach has been used by Tichy [Tic82], Lucio-Carrasco andGavilanes-Franco [LCGF89] to give logical systems for partial functions. Bothapproaches o�er unsorted operationalizations of the systems in sequent calculi.The fourth approach is less radical insofar as terms are treated as in thethird approach, but the problems that accompany treating a third truth valueare avoided (cf. [Bee85, Far90, Sch68, Wei89]): All atomic expressions containinga meaningless term are considered as false. This has the advantage that partialfunctions can be handled within the classical two-valued framework. However,the serious drawback is that the results of these logic systems can be unintu-itive to the working mathematician. For instance in elementary arithmetic thefollowing sentence 8x; y; z z = xy ) x = y � zis a theorem of such systems since the scope is true for the case y 6= 0 and for thecase y = 0, the formula z = x0 obtains the truth value f which in turn makes theimplication true, too. However, it is mathematical consensus that the equationshould only hold provided that y is not 0. It will turn out (cf. example 2.11)that the formula is not a theorem in our formalization, since the case y = 0 is acounterexample. 2

This paper formalizes Kleene's ideas for partial functions (the third approach)in a sorted three-valued logic, called SKL, that uses Kleene's strong interpret-ation of connectives and quanti�ers and adapts techniques from Weidenbach'ssorted logic [Wei89] to handle de�nedness information. We furthermore presenta tableau calculus TPF for partial functions that carries over the methods de-veloped in the context of resolution theorem proving for partial functions [KK94]to the tableau framework. Standard �rst-order tableaux were introduced byBeth [Bet55] and Hintikka [Hin55] and later uni�ed by Smullyan [Smu68]. Thefree variable tableau method has its origin in the work of Prawitz [Pra60] andhas further been elaborated by Reeves [Ree87] and Fitting [Fit90]. Both calculireported here are strongly in uenced by Weidenbach's tableau calculus withsorts [Wei94], which introduces reasoning with dynamic sorts to tableau calculi.We would like to thank Christian Ferm�uller, Reiner H�ahnle, and ChristophWeidenbach for comments and clarifying discussions.2 Strong Sorted Kleene Logic (SKL)In [Kle52] Kleene presents a logic, which he calls strong three-valued logic forreasoning about partial recursive predicates on the set of natural numbers. Heargues that the intuitive meaning of the third truth value should be \unde�ned"or \unknown" and introduces the truth tables shown in de�nition 2.6. SimilarlyKleene enlarges the universe of discourse by an element? denoting the unde�nednumber. In his exposition the quanti�ers only range over natural numbers, inparticular he does not quantify over the unde�ned individual (number).The approach of this paper is to make Kleene's meta-level discussion ofde�ned and unde�ned individuals explicit by structuring the universe of dis-course with the sort D for all de�ned individuals. Furthermore all functions andpredicates are strict, that is, if one of the arguments of a compound term oran atom evaluates to ?, then the term evaluates to ? or the truth value of theatom is u. Just as in Kleene's system, our quanti�ers only range over individu-als in D, that is, individuals that are not unde�ned. This is in contrast to thewell-understood framework for truth-functional many-valued logics, where theconcept of de�nedness and de�ned quanti�cation cannot be easily introduced,since quanti�cation is truth-functional and depends on the truth values for all(even the unde�ned) instantiations of the scope. Kleene's concept of boundedquanti�cation is essential for our program of representing partial functions, sincein a truth-functional approach no proper universally quanti�ed expression canevaluate to the truth value t (dually for the existential quanti�er), since allfunctions and predicates are assumed strict.In the following we present the logic system SKL, which is a sorted version ofwhat we believe to be a faithful formalization of Kleene's ideas from [Kle52]. Wetreat the sorted version here, since we need the machinery for dynamic sorts inthe calculus to be able to treat the sort D (sort techniques as that from [Wei89,Wei91] give us the bounded quanti�cation). We will call formulations of SKLwhere D is the only sort in the signature strong unsorted Kleene logic, since the3

sort D is indispensable. The further use of sorts gives the well-known advantagesof sorted logics for the conciseness of the representation and the reduction ofsearch spaces.2.1 Syntax and SemanticsDe�nition 2.1 (Signature) A signature �:= (S;V;F ;P) consists of the fol-lowing disjoint sets{ S is a �nite set of sorts including the sort D. We de�ne S� := S n fDg{ V is a set of variable symbols. Each variable x is associated with a uniquesort S, which we write in the index, i.e. xS . We assume that for each sortS 2 S there is a countably in�nite supply of variables of sort S in V.{ F is a set of function symbols.{ P is the set of predicate symbols.The sets F and P are subdivided into the sets Fk of function symbols of arity kand Pk of predicate symbols of arity k. Note that individual constants are justnullary functions. We call a signature unsorted if S� is empty, that is, if D is theonly sort.De�nition 2.2 (Terms and Formulae) We de�ne the set of terms to be theset of variables together with compound terms f(t1; : : : ; tk) for terms t1; : : : ; tkand f 2 Fk.If P 2 Pk, then P (t1; : : : ; tk) is a proper atom. If t is a term and S a sort thent<�S is a sort atom. The set of formulae contains all atoms and with formulaeA and B the formulae A ^B, A_B, A) B, :A, !A, 8xS A, and 9xS A. Herethe intended meaning of !A is that A is de�ned.We will now de�ne the three valued semantics for SKL by postulating an\unde�ned individual" ? in the universe of discourse. Note that this is similarto the classical at CPO construction [Sco70], but Kleene's interpretation oftruth values does not make u minimal. Since we are not interested in least �x-points, monotonicity does not play a role in this paper.De�nition 2.3 (Strict �-Algebra) Let � be a signature, then a pair (A; I)is called a strict �-algebra, i�1. the carrier set A is an arbitrary set that contains ?,2. the interpretation function I obeys the following restrictions:(a) For all function symbols f , the function I(f):Ak �! A is strict for ?,that is, I(f)(a1; : : : ; ak) = ?, if ai = ? for (at least) one i.(b) If P is a predicate symbol, then the relation I(P ) � Ak is strict for ?,that is, I(P )(a1; : : : ; ak) = u, if ai = ? for (at least) one i.(c) If S 6= D is a sort, then I(S) is a total and strict unary relation, that is,I(S)(a) 2 ff; tg, if a 6= ? and I(S)(?) = u.(d) I(D)(?) = f and I(D)(a) = t, if a 6= ?. Note that in contrast to allother sorts and predicates, the denotation of D is not a strict relation.4

We de�ne the carrier AS of sort S as AS := fa 2 A �� I(S)(a) = tg. Note thatin contrast to other sorted logics, it is not assumed that the AS are non-empty,in fact we do not even assume the existence of de�ned elements in the carrier.Furthermore ? =2 AS for any S 2 S.By systematically deleting ? and u from the carrier and the truth values wecan canonically transform strict �-algebras into algebras of partial functions.These are an algebraic account of the standard interpretation in mathemat-ics, where partiality of functions is directly modeled by right-unique relations.Obviously these notions of algebras have a one-to-one correspondence, so bothapproaches are equivalent.De�nition 2.4 (�-assignment) Let (A; I) be a strict �-algebra, then we calla total mapping ':V �! A a �-assignment, i� '(xS) 2 AS , provided AS is non-empty and '(xS) = ? if AS = ;. We denote the �-assignment that coincideswith ' away from x and maps x to a with '; [a=x].De�nition 2.5 Let ' be a �-assignment into a strict �-algebra (A; I) then wede�ne the value function I' from formulae to A inductively to be1. I'(f) := I(f), if f is a function or a predicate.2. I'(x) := '(x), if x is a variable.3. I'(f(t1; : : : ; tk)) := I(f)(I'(t1); : : : ; I'(tk)), if f is a function or predicate.4. I'(t<�S) := I(S)(I'(t)).Since this de�nition applies to P and F alike, we have given the semantics of allatomic formulae. The semantic status of sorts is that of total unary predicates;in particular we have I'(t<�S) = u, i� I'(t) = ? for S 6= D.De�nition 2.6 The value of a formula dominated by a connective is obtainedfrom the value(s) of the subformula(e) in a truth-functional way. Therefore itsu�ces to de�ne the truth tables for the connectives:^ f u tf f f fu f u ut f u t _ f u tf f u tu u u tt t t t ) f u tf t t tu u u tt f u t :f tu ut f !f tu ft tThe semantics of the quanti�ers is de�ned with the help of function e8 and e9from the non-empty subsets of the truth values in the truth values. We de�neI'(QxS A) := eQ(fI';[a=x](A) �� a 2 ASg)where Q 2 f8; 9g and furthermoree8(T ) :=8<: t for T = ftg or T = ;u for T = ft; ug or fugf for f 2 T e9(T ) :=8<: t for t 2 Tu for T = ff; ug or fugf for T = ffg or T = ;5

Note that with this de�nition quanti�cation is separated into a truth-functionalpart e8 and an instantiation part that only considers members of AS . Since ? isnot a member of any AS , quanti�cation never considers it and therefore cannotbe truth-functional even for the unsorted case.For lack of space we will in the following often only treat the (su�cient)subset f^;:; !; 8g of logical symbols, since all others can be de�ned from thesejust as in the classical two-valued logic.Kleene does not use the ! operator as a connective but treats it on the meta-level. While it is useful it is not necessary for the treatment. Furthermore, eventhis connective does not render SKL truth-functionally complete, since, just likethe other connectives and the quanti�ers, ! is normal, that is, when restricted toff; tg yields values in ff; tg.De�nition 2.7 (�-Model) Let A be a formula, then we call a strict �-algebraM := (A; I) a �-model for A (written M j= A), i� I'(A) = t for all �-assignments '. With this notion we can de�ne the notions of validity, (un)-satis�ability, and entailment (i.e. � j= A) in the usual way.Remark 2.8 The \tertium non datur" principle of classical logic is no longervalid, since formulae can be unde�ned, in which case they are neither true norfalse. We do, however, have a \quartum non datur" principle, that is, formulaeare either true, false, or unde�ned, which allows us to derive the validity of aformula by refuting that it is false or unde�ned. We will use this observation inour tableau calculus.The classical deduction theorem does not hold for SKL since the semanticstatus of a formula in the hypotheses is di�erent from its status in the ante-cedent of an implication. A formula in the hypotheses is assumed to evaluatesemantically to t, hence in particular it is de�ned. This leads to the followingmodi�ed deduction theorem.Theorem 2.9 (Deduction Theorem) � [ fAg j= B i� � j= A^!A) B.Proof: Let us �rst assume the �rst property and let M be a model of �[ fAgthen M is also a model of B, hence M j= A^!A ) B. That means in orderto show the second property we only have to look at interpretations which aremodels of � but not of A. For these, however, A^!A evaluates to f, hence theyare models of A^!A) B too.If the second property is given andM is a model of � thenM is also a modelof A^!A ) B. In order to prove the �rst property, only the subclass of thosemodels has to be considered which are also models of A. These are, however,also models of !A, hence models of B too.Remark 2.10 While in classical logic, the consequence relation is directly con-nected to the implication, here things are a little bit more di�cult. In particular,when proving mathematical theorems, it is quite usual to do this with respect tosome background theory (axioms and de�nitions), which can no longer simply6

be taken in the antecedent of an implication. Hence we will often consider formathematical applications so-called consequents, that is, pairs consisting of aset of formulae � and a formula A. We call a consequent � j= A valid, if A isentailed by � in all �-models.Example 2.11 Now we can come back to the example from the exposition.The assertion is not a theorem of SKL, since the instance 1 = 10 ) 1 = 0 � 1 isnot a valid formula (in any reasonable axiomatization of elementary arithmetic).While the antecedent of the implication evaluates to u, the succedent evaluatesto f, hence the whole expression to u. Thus, this theorem cannot be derived inour sound tableau calculus to be presented in section 3.Example 2.12 (Extended Example) Wewill formalize an extended examplefrom elementary algebra that shows the basic features of SKL. Here the sort IR�denotes the real numbers without zero. Note that we use the sort information toencode de�nedness information for inversion: 1x is de�ned for all x 2 IR�, since IR�is subsort of D by de�nition. Naturally, we give only a reduced formalization ofreal number arithmetic that is su�cient for our example. (For instance, we couldadd expressions like 10 6<�D.) Consider the consequent fA1;A2;A3;A4;A5g j= Twith A1 8xIR x 6= 0) x<�IR�A2 8xIR� 1x<�IR�A3 8xIR� x2 > 0A4 8xIR 8yIR x� y<�IRA5 8xIR 8yIR x� y = 0) x = yT 8xIR 8yIR x 6= y ) � 1x�y�2 > 0An informal mathematical argumentation why T is entailed by fA1; : : : ;A5gcan be as follows: In the consequent above, the Ai are assumed to be true, that is,neither false nor unde�ned. Let x and y be arbitrary elements of IR. If x = y, thepremise of T is false, hence the whole expression true (in this case the conclusionevaluates to u). If x 6= y, then the premise is true and the truth value of thewhole expression is equal to that of the conclusion � 1x�y�2 > 0. Since x 6= y weget by A5 that x� y 6= 0 and by A4 that x� y<�IR, hence by A1 x� y<�IR� andby A2 1x�y<�IR�, which �nally gives � 1x�y�2 > 0 together with A3.Note that this reasoning is not justi�ed for the implication A := A1 ^A2 ^A3^A4^A5) T, since there are hidden assumptions, for instance, the totalityof the binary predicate > on IR�IR. In fact the formulaA is not a tautology, sinceit is possible to interpret the > predicate as unde�ned for the second argumentbeing zero, so that A3 as well as T evaluate to u, while the other Ai evaluate tot, hence the whole expression evaluates to u.2.2 Relativization into Truth-Functional LogicIn this section we show that we can always systematically transform SKL for-mulae to formulae in an unsorted truth-functional three-valued logic K3 in a7

way that respects the semantics. However, we will see that this formulation willlose much of the conciseness of the presentation and enlarge the search spacesinvolved with automatic theorem proving.At �rst glance it may seem that SKL is only a sorted variant of a three-valuedinstance of the truth functional many-valued logics that were very thoroughlyinvestigated by Carnielli, H�ahnle, Baaz and Ferm�uller [BF92, Car87, Car91,H�ah92]. However, since all instances of this framework are truth-functional, thatis, the denotations of the connectives and quanti�ers only depend on the truthvalues of (certain instances of) their arguments, even unsorted Kleene logic doesnot �t into this paradigm, since quanti�cation excludes the unde�ned element.In SKL we solve the problem with the quanti�cation by postulating a sort Dof all de�ned individuals, which is a supersort of all other sorts. Therefore therelativization mapping not only considers sort information, it also has to careabout de�nedness aspects in quanti�cation.Informally K3-formulae are just �rst-order formulae (with the additionalunary connective !). While the three-valued semantics of the connectives is justthat given in de�nition 2.6, the semantics of the quanti�er uses unrestrictedinstantiation, that is,I'(8x A) := e8(fI';[a=x](A) �� a 2 Ag)De�nition 2.13 (Relativization) We de�ne transformations<S and <D, thatmap SKL-sentences to unsorted SKL-sentences and further into K3-sentences.<S is the identity on terms and atoms, homomorphic on connectives, and<S(8xS �) := 8xD S(x)) <S (�)Note that in order for these sentences to make sense in unsorted SKL we have toextend the set of predicate symbols by unary predicates S for all sort symbols S 2S�. Furthermore, for any of these new predicates we need the axiom: 8xD !S(x).The set of all these axioms is denoted by <S(�).We de�ne <D to be the identity (only dropping the sort references from thevariables) on terms and proper atoms and{ <D(t<�D): = D(t){ <D(8xD A): = 8x D(x)) <D(A)Just as above we have to extend the set of predicate symbols by a unary predicateD and need a set <D(�) of signature axioms, which contains the axioms8x1; : : : ; xn Pn(x1; : : : ; xn) _ :Pn(x1; : : : ; xn)) (D(x1) ^ : : :^D(xn))8x1; : : : ; xn D(f(x1; : : : ; xn))) (D(x1) ^ : : :^D(xn))for any predicate symbol P 2 Pn and for any function symbol f 2 Fn, togetherwith the axiom 8x D(x) _ :D(x)These axioms axiomatize the SKL notion of de�nedness in K3. In particularthe last axiom states that the predicate D is two-valued, in contrast to all other8

sort predicates which are strict and thus three-valued. The other axioms forceall functions and predicates to be interpreted strictly with respect to the Dpredicate.Theorem 2.14 (Sort Theorem) Let � be a set of sentences, then the follow-ing statements are equivalent1. � has a �-model.2. <S (�) has a � [ S�-model that satis�es <S (�).3. <D � <S (�) has a K3-model that satis�es <D(� [ S�) [ <D(<S (�)).Proof: We will only show the equivalence of 2. and 3. since the equivalence of1. and 2. can be proven with the same methods. Therefore we can restrict ourproof to unsorted SKL, where S� = ;Let M := (A; I) be a �-model for �, then we construct a K3-model M3 =(A3; I3) for <D(�). Let A3 := A, I3(f) := I(f) and I3(P ) := I(P ) where f isa function symbol and P is a predicate symbols or the sort D. Clearly, we haveM3 j=K3 <D(�), since M is a �-model, where all functions are strict and thecarrier A, de�ned as the image of I3(D), is nonempty.Furthermore let ' be a �-assignment and M j=' �, then we show by struc-tural induction that I3'(<D(�)) = I'(�) and therefore M3 j=K3' <D(�). Thisclaim is immediate for terms and proper atoms. For sort atoms we haveI3'(<D(t<�D)) = I3'(D(t)) = I3(D)(I3'(t)) = I(D)(I'(t)) = I'(t<�D)thus we have I3'(<D(A)) = I'(A) for all atoms A. For quanti�ed formulae wehave I3'(<D(8xD )) = I3'(8x D(x)) <D()) = e8(�3) ;where �3 := fI3 ((D(x)) ) <D()) �� a 2 A3g and := '; [a=x]. On the otherhand I'(8xD ) = e8fI () �� a 2 Ag = e8(�)Now I3'(<D(8xD )) = I3'(8x D(X)) <D())= e8(fI3';[a=x](D(X)) <D()) �� a 2 A3g);so we have to consider the following cases for a. If a = ?, then I3 (D(x)) = fand therefore I3 (D(x) ) <D()) = t. If a 6= ?, then by inductive hypothesisI3'(<D()) = I'() and therefore �3 = � [ ftg.I3'(<D(8xD )) = t i� �3 = � = ftg or ; i� I'(8xD ) = tI3'(<D(8xD )) = u i� �3 = � = fu; tg or fug i� I'(8xD ) = uI3'(<D(8xD )) = f i� f 2 �3 = � [ ftg i� I'(8xD ) = fSince <D is homomorphic for connectives, we have completed the induction, thusM3 j=K3 <D(�) and we have proven the necessitation direction of the theorem.9

For the proof of su�ciency let M3 := (A3; I3) be a K3-model, such thatM3 j= <D(�) [ <D(�), note that in our case <D � <S = <D. LetA := fa 2 A3 �� I3(D)(a) = tg and A? := fa 2 A3 �� I3(D)(a) = fgthen A3 = A [ A?, since 8x D(x) _ :D(x) 2 <D(�). If A? = ;, then it iseasy to construct a strict �-algebra from (A3; I3) by extending A3 with ? andinterpreting each function and predicate with the strict extension of its I3 value.So in the following we will assume that A? is nonempty. Now let �:A3 �! A?be a function that is the identity on A and �(a) = ? for all a 2 A?. AsM3 j= <D(�), we know that I3(f)(a1; : : : ; an) 2 A? if one ai 2 A?, so thefollowing de�nition is well-de�ned.I(f)(�(a1); : : : ; �(an)) := �(I3(f)(a1; : : : ; an))Now we will see that I��'(t) = �(I3'(t)) for all well-formed SKL terms t andassignments ' into M3.1. I��'(x) = � � '(x) = �(I3'(x)).2. I��'(c) = I(c) = �(I3(c)) = �(I3'(c)).3. I��'(f(t1; : : : ; tn)) = I(f)(I��'(t1); : : : ; I��'(tn))= I(f)(�(I3'(t1)); : : : ; �(I3'(tn)))= �(I3(f)(I3'(t1); : : : ; I3'(tn)))= �(I3'(f(t1; : : : ; tn)))Similarly the de�nitionI(p)(�(a1); : : : ; �(an)) := I3(p)(a1; : : : ; an)is well-de�ned, because M3 j= <D(�) and gives us I��'(A) = I3(<D(A)) forall atoms A. From this, we obtain the general result I��'(�) = I3'(<D(�))by treating quanti�ed formulae by a case analysis just as in the necessitationdirection. In particular we have I��'(�) = t, i� I3'(�) = t and thereforeM j= �,whenever M3 j= <D(�).Corollary 2.15 Let � be a set of sentences and A be a sentence, then the fol-lowing are equivalent1. � j= A in all �-models.2. <S (�) [ <S(�) j= <S(A) in all unsorted � [ S�-models.3. <D � <S (�) [ <D(� [ S�) [ <D(<S (�)) j= <D � <S (A) in all K3-models.As a consequence of the sort theorem, the standard operationalization formany-valued logics [BF92, Car87, Car91, H�ah92] can be utilized to mechan-ize strong sorted Kleene logic and in fact the system of Lucio-Carrasco andGavilanes-Franco [LCGF89] can be seen as a standard many-valued tableau op-erationalization [H�ah92, BFZ93] of the relativization of SKL. However, as theextended example shows, we can do better by using sorted methods, since re-lativization expands the size and number of input formulae and furthermore10

expands the search spaces involved in automatic theorem proving by buildingup many meaningless branches. Note that already the formulation of SKL wherewe only have the required sort D is much more concise than the relativizedversion. Furthermore we will see that the theory of de�nedness is treated goal-driven by the TPF calculus (cf. section 3). Thus the TPF calculus is closer toinformal practice than the relativization in this respect.Example 2.16 (continuing 2.12)The relativization <S � <D of the SKL-consequent fA1;A2;A3;A4;A5g j= T isthe K3-consequent �R1;R2;R3;R4;R5;RIR;RIR�;R=;R>;R�;R=;R2;D! j= RTwith the following relativized formulae:R1 8x D(x)) (IR(x)) (x 6= 0) IR�(x)))R2 8x D(x)) (IR�(x)) IR�( 1x ))R3 8x D(x)) (IR�(x)) x2 > 0)R4 8x D(x)) (IR(x)) (8y D(y)) (IR(y) ) IR(x� y))))R5 8x D(x)) (IR(x)) (8y D(y)) (IR(y) ) (x� y = 0) x = y))))RT 8x D(x)) (IR(x)) (8y D(y)) (IR(y) ) (x 6= y ) � 1x�y�2> 0))))The set of signature axioms <D(� [ S�) [ <D(<S(�)) is the following set ofK3-formulae:RIR 8x D(x))!IR(x)RIR� 8x D(x))!IR�(x)R= 8x; y (x = y _ x 6= y) ) D(x) ^D(y)R> 8x; y (x > y _ x 6> y) ) D(x) ^D(y)R� 8x; y D(x� y) ) D(x) ^D(y)R= 8x D( 1x)) D(x)R2 8x D(x2)) D(x)D! 8x D(x) _ :D(x)2.3 Model ExistenceIn this subsection we introduce an important tool for proving the completenessof calculi. The importance of model existence theorems lies in the fact thatthey abstract over the model theoretic part of various completeness proofs. Suchtheorems were �rst introduced by Smullyan (who calls them unifying principles)in [Smu63, Smu68] based on work by Hintikka and Beth.De�nition 2.17 Let r be a class of sets.1. r is called closed under subsets, i� for all sets S and T the following conditionholds: if S � T and T 2 r, then S 2 r.2. r is called compact, i� for every set S the following condition holds:S 2 r, i� every �nite subset of S is a member of r.Lemma 2.18 If r is compact, then r is closed under subsets.11

Proof: Suppose S � T and T 2 r. Every �nite subset A of S is a �nite subsetof T , and since r is compact, we know that A 2 r. Thus S 2 r.De�nition 2.19 (Labeled Formula) We will call a pair A�, where A is anSKL-formula and � 2 ff; u; tg a labeled formula. We say that a �-assignment' satis�es a set � of labeled formulae in a strict �-algebra M = (A; I), ifI'(A) = � for all A� 2 �.In the following we will use � �A as an abbreviation for �[ fAg in order toincrease the legibility.De�nition 2.20 (Abstract Consistency Class) A class r of sets of labeledformulae is called an abstract consistency class, i� it is closed under subsets, andfor all sets � 2 r the following conditions hold:1. If A is atomic, then A� 2 � for at most one � 2 ff; u; tg, furthermore for allterms t the literal (t<�D)u is not in �.2. If (:A)� 2 �, then � � A� 2 r, where � = t, if � = f; � = f, if � = t; and� = u else.3. If (!A)t 2 �, then � � A 2 r for some 2 ft; fg; if (!A)f 2 �, then� �Au 2 r. (!A)u is not in any � 2 r.4. If (A _B)� 2 �, then� = t) � �At 2 r or � �Bt 2 r.� = u) � [ fAf; Bug 2 r, or � [ fAu; Bfg 2 r, or � [ fAu; Bug 2 r.� = f) � [ fAf; Bfg 2 r5. If 8xS A 2 �, then� = t) for any term t, � � ([t=xS ]A)t 2 r or � � (t<�S)� 2 r for some� 2 ff; ug.� = u) for any term t, and any constant c that does not occur,�[f([c=xS]A)u; (c<�S)t ;Ag 2 r, where A is ([t=xS]A)t or ([t=xS]A)u or(t<�S)f or (t<�S)u .� = f) �[f([c=x]A)f; (c<�S)tg 2 r, for each constant c that does not occurin �.6. If A 2 � with 2 ff; tg, then � � (t<�D)t 2 r, for all subterms t of A.7. If (t<�S)u 2 �, then � � (t<�D)f 2 r.Theorem 2.21For each abstract consistency class r there exists an abstract consistency classr0 such that r � r0, and r0 is compact.Proof: (following [And86]) Let r0 := f� �� every �nite subset of � is in rg. Tosee that r � r0, suppose that � 2 r. r is closed under subsets, so every �nitesubset of � is in r, and thus � 2 r0.Next let us show that r0 is compact. Suppose � 2 r0 and is an arbitrary�nite subset of �. By de�nition ofr0 all �nite subsets of are inr, and therefore 2 r0. Thus all �nite subsets of � are in r0 whenever is in r0. On the other12

hand, suppose all �nite subsets of are in r0. Then by the de�nition of r0 the�nite subsets of are also in r, so � 2 r0. Thus r0 is compact.Finally we show that r0 is an abstract consistency class. By lemma 2.18 itis closed under subsets. Of the conditions for the abstract consistency class wewill only explicitly present the �rst two cases, since the proofs of the others areanalogous. Let � 2 r0 be given arbitrarily.Suppose there is an atom A, such that �A�; A� � � for � 6= �. By thede�nition of r0 we get fA�; A�g 2 r contradicting 2.20(1).Let (:A)� 2 �, and be any �nite subset of � � A� (where � and � are asin 2.20(2)) and let � := ( n fA�g) � (:A)�. � is a �nite subset of �, so � 2 r.Since r is an abstract consistency class and (:A)� 2 �, we get � �A� 2 r. Weknow that � � � A�, and r is closed under subsets, so 2 r. Thus every�nite subset of � �A� is in r, therefore by de�nition � �A� 2 r0.De�nition 2.22 (�-Hintikka Set) Letr be an abstract consistency class and� 2 r. Then H 2 r is called a r-extension of �, i� � � H. A set H is calledmaximal in r, i� for each formulaD 2 r such that H�D 2 r, we already haveD 2 H. A set H 2 r is called a �-Hintikka set for r and �, i� H is maximal inr and � � H.We now give some technical properties of �-Hintikka sets that are useful formanipulating formulae.Theorem 2.23 If r is an abstract consistency class, and H is maximal in r,then the following statements hold:1. If A is a proposition, then A� 2 H for at most one � 2 ff; u; tg. Furthermore(t<�D)u =2 H for all t.2. If (:A)� 2 H, then A� 2 H, where � = t, if � = f; � = f, if � = t; and� = u else.3. If (!A)� 2 H, then either � = t and A 2 H for 2 ff; tg or � = f andAu 2 H. In particular, there is no formula B, such that (!B)u 2 H.4. If (A _B)� 2 H, then� = t) At 2 H or Bt 2 H.� = u) Af; Bu 2 H, or Au; Bf 2 H, or Au; Bu 2 H.� = f) Af; Bf 2 H5. If 8xS A 2 H, then� = t) for any term t, [t=xS]At 2 H or (t<�S)� 2 H for some � 2 ff; ug.� = u) for any term t, there is a term s, with �[f([s=xS ]A)u; (s<�S)t;Ag 2H, where A 2 f([t=xS]A)t; ([t=xS]A)u; (t<�S)fg.� = f) there is a term t, such that ([t=x]A)f; (t<�S)t 2 H.6. If A 2 H with 2 ft; fg, then (t<�D)t 2 H, for all subterms t of A.7. If (t<�S)u 2 H, then (t<�D)f 2 H.Proof: We prove the �rst assertion by induction on the structure of A. If A isatomic, then the assertion is a simple consequence of 2.20(1).13

Let A = :B and Af; At be inH. By 2.20(2) we have Bf; Bt 2 H contradictingthe induction hypothesis. The remaining cases can be shown analogously, so wehave proven the �rst assertion.The rest of the assertions are all of the same form, and have analogous proofs,therefore we only prove the second. If (:A)f 2 H, then H � At 2 r (r is anabstract consistency class). The maximality of H now gives the assertion.Lemma 2.24 (Hintikka Lemma) If r is an abstract consistency class and His maximal in r, then there is an SKL-model M and a �-assignment ', suchthat ' satis�es H in M.Proof: We prove the assertion by constructing a model M = (A; I) for H,which is derived from the ground term algebra.Let T? be the set of closed well-formed terms together with ?. In order toconstruct the carrier A, we have to identify all elements in T? that are unde�ned((t<�D)f 2 H) and identify them with ?. Traditional proofs of the Hintikka-Lemma for total-function logics now de�ne I:F �! A to be the identity map.However this de�nition does not make I(f) strict, since I(f)(?) = f(?) 6= ?.To repair this defect we take the carrier A to be the quotient of T? with respectto the equality theory =? induced by the setE? = ft =? ? �� (t<�D)f 2 Hg [ ffk(x1; : : : ;?; : : : ; xk) = ? �� fk 2 �kgof equations. Thus A is the set of equivalence classes [[t]]? = fs �� E? j= s =? tg.The function f?: ([[t1]]?; : : : ; [[t1]]?) 7! [[f(t1; : : : ; tn)]]? is a well-de�ned function,since =? is a congruence relation. We de�ne I(f) := f? and note that the specialconstruction of E? entails the strictness of f?.For any �nite set W of variables a �-assignment ' can be restricted to asubstitution 'W = '��W . A simple induction on the structure of a term t can beused to show that I'(t) = I'Free(t)(t).For P 2 Pn let I(P ):An �! ff; u; tg with PH([[t1]]?; : : : ; [[tn]]?) = �, i�P (t1; : : : ; tn)� 2 H. Clearly PH is a partial function (cf. 2.23.1), since the de�n-ition only depends on =?-equivalence classes. With the help of 2.23.6 it is easyto see that PH is a strict function. We can extend PH to a total strict functionI(P ) by evaluating all remaining proper atoms with u and all remaining sortatoms with f. Thus sorts are everywhere de�ned (the value u is only obtainedon ?) and the strictness of the predicates is preserved.Clearly, this construction entails that for any atom A 2 H and any �-assignment ' we have I'(A) = �, i� I'Free(A)(A) 2 H. Now a simple in-duction on the number of connectives and quanti�cations, using the propertiesof 2.23 can be used to extend this property to arbitrary formulae. Thus we haveI'(A) = � for all A� 2 H, if we take ' to be the identity.We now come to the proof of the abstract extension lemma, which nearlyimmediately yields the model existence theorem.14

Theorem 2.25 (Abstract Extension Lemma) Let r be a compact abstractconsistency class, and let H 2 r be a set of propositions. Then there exists a�-Hintikka set H for r and H.Proof: We will construct H by inductively constructing a sequence of setsHi and taking H := Si2INHi 2 r. We can arrange all labeled formulae in anin�nite sequence C1; C2; : : :. For each n 2 IN we inductively de�ne a set Hn ofpropositions by1. H0 := �.2. If Hn �Cn =2 r, then Hn+1 := Hn.3. If Hn � Cn 2 r, and Cn is of the form (8xS A)� with � 2 ff; ug thenHn+1 := Hn [ fCn; [cn=x]A�; (c<�S)tg.4. Hn+1 := Hn �Cn else.Let H := Sn2INHn. Clearly each of the Hn 2 r, and therefore H 2 r, since ris compact.In order to prove the maximality of H, let A be an arbitrary proposition suchthat H�A 2 r. We know that A = Cn for some n 2 IN, so Hn �A � H�A 2 rand Hn �A 2 r, since r is closed under subsets. Hence by de�nition we knowthat A 2 Hn+1, and therefore A 2 H.Corollary 2.26 (Model Existence) Let � 2 r and r be an abstract consist-ency class, then there is an SKL-model M and a �-assignment ', such that 'satis�es � in M.Proof: Let r0 be the compact abstract consistency class of theorem 2.21 andlet H be the maximalr-extension of � guaranteed by 2.25. Furthermore let Mbe the SKL-model, and ' the �-assignment for H guaranteed by 2.24. Then 'satis�es � in M, since � � H.3 TableauNow we turn to the exposition of our tableau calculus. The case of standardtableaux for partial functions is a simple extension of �rst-order tableau methodsto SKL. Therefore we will only concern ourselves with free variable tableaux.While a labeled formulaA� means that A has the truth value �, we also makeuse of multi-indices as introduced by H�ahnle and write A�� as an abbreviationfor A� _A� (Normally, we do not have to consider three di�erent truth values,since the corresponding formulae are tautological and cannot contribute to re-futations.) As has been pointed out by H�ahnle [H�ah92], the use of multi-indicesdoes not only o�er a concise notation, but can drastically improve a calculus,when special rules for their treatment are introduced. In the following, we addcorresponding rules for handling multi-indices, where one label is u. Althoughnot necessary in principle, this treatment results in a signi�cant improvementof the search complexity of the calculus, which can thereby be reduced to thecomplexity in the two-valued case. This relationship will be made formal in the-orem 3.9. 15

De�nition 3.1 (Tableau Rules) The tableau rules consist of the traditionaltableau rules for the propositional connectives, augmented by the case of thelabel u.(A ^B)tAtBt (A ^B)uAutButAu �� Bu (A ^B)fAf �� Bf (A ^B)utAutBut (A ^B)fuAfu �� BfuSince we have special rules for the multi-indices ut and fu, we only need a splittingrule re ecting the de�nition of multi-indices as disjunctions for the remainingmulti-index ft. Note that the multi-index fut gives rise to tautologies, which cannever contribute to refutations. AftAf �� AtThe negation rules and those for ! just ip the labels in the intuitive way.(:A)tAf (:A)uAu (:A)fAt (:A)utAfu (:A)fuAutThe ! rule for the u case closes the branch (we use an explicit symbol � for that),since (!A)u is unsatis�able in SKL.(!A)tAft (!A)u� (!A)fAu (!A)utAft (!A)fuAuIn order to simplify the presentation of the examples we also (redundantly)present the rules for disjunction.(A _B)tAt �� Bt (A _B)uAfuBfuAu �� Bu (A _B)fAfBf (A _B)utAut �� But (A _B)fuAfuBfuThe quanti�er rules for the classical truth values and multi-indices are verysimilar to the standard rules1 (fxS; y1; : : : ; yng are the free variables of A andf is a new function symbol of arity n), with the exception that the sort ofthe Skolem function has to be speci�ed. The rule for the case u has a mixedexistential and universal character: for yS the value of A is unde�ned or true1 We employ the liberalized �-rule of [HS94].16

(that is there is no instance, which makes the formula false) and there is at leastone witness for the unde�nedness.(8xS A)t[yS=xS ]At (8xS A)u[f(y1; : : : ; yn)=xS ]Au[yS=xS]Aut(f(y1 ; : : : ; yn)<�S)t (8xS A)f[f(y1; : : : ; yn)=xS ]Af(f(y1; : : : ; yn)<�S)t(8xS A)ut[yS=xS ]Aut (8xS A)fu[f(y1; : : : ; yn)=xS]Afu(f(y1 ; : : : ; yn)<�S)tThe rules for connectives and quanti�ers above can now be used to reduce com-plex labeled formulae to literals. Some sort literals can further be reduced, dueto the fact that sorts are de�ned on all de�ned individuals and the predicate D isde�ned everywhere. (These rules have to be slightly generalized for multi-indices.We only display the interesting case.)(t<�D)u� (t<�S)u(t<�D)fNow we only need tableau closure rules: The cut rule and the strict ruleA�B�� �� SC(�) � C (t<�D)f� �� SC(�) �where � \ � = ;, � fftg, and � = [t1=x1S1 ]; : : : ; [tn=xnSn ] is the most generaluni�er of A and B or the most general uni�er of the term t and a subterm s of C,respectively. In both cases the sort constraint SC(�) = ((t1<�S1)^: : :^(tn<�Sn))fuinsures the correctness (in terms of the sorts) of the instantiations. We haveemployed the notation of writing the substitution � next to the tableau schema,to indicate that the whole tableau is instantiated by � during the application ofthe rule.A tableau is built up by constructing a tree with the tableau rules startingwith an initial tree without branchings. We call a tableau closed, i� all of itsbranches end in �. Note that the disjunct � in the succedent of the rules aboveis only needed, if the set of sort constraints is empty. Then this rule closes thebranch without residuating.Remark 3.2 We could also have used a generalization of the cut rule of theform A�B�A�\� �� SC(�) �17

where we employ the convention that A; = �, since this corresponds to theempty disjunction, which is unsatis�able. However, it is not straightforward tosee in which cases this variant of the cut rule is more e�cient.De�nition 3.3 (Tableau Proof) A tableau proof for a formula A is a closedtableau constructed from the initial tree consisting of the labelled formula Afu.A tableau proof for a consequent � j= A is a closed tableau constructed form�t [ �Afu.Remark 3.4 The tableau proof of a consequent � j= A essentially refutes thepossibility that A can be unde�ned or false under the assumption of all formulaein �. By the quartum non datur rule, we can then conclude that A is entailedby �.3.1 Soundness and CompletenessThe soundness of the TPF rules can be veri�ed by a tedious recourse to thesemantics of the quanti�ers and connectives. Completeness is proven by thestandard argument using the model existence theorem for SKL. For this, we �rsthave prove a lifting theorem for TPFTheorem 3.5 (Tableau Lifting) Let � j= A be a consequent and � a substi-tution, then � j= A has a closed TPF-tableau provided �(�) j= �(A) has one.Proof: Let T� be a closed tableau for �(�) j= �(A), the claim is proven by aninduction on the construction of T� constructing a tableau T for � j= A thatis tableau-isomorphic to T . Concretely we have a tree-isomorphism !: T �! T�between T� and T that respects labels and is compatible with �, that is, for anynode N in T with labeled formula A� we have !N (A) = �(A).This induction is straightforward for all TPF rules except for the cut and thestrict rules that residuate a sort constraint. In both cases, we can use a standardargument which we will only carry out for the cut case: � is a most generaluni�er of �(A) and �(B) in T�, so � � � uni�es A and B in T . So there existsa most general uni�er � of A and B, and a substitution � with � � � = � � �.Now we have � (SC(�)) = SC(� ��) = SC(� � �), so we obtain the assertion by theinductive hypothesis for �(T ) and � � �(T ) = �(T�).Theorem 3.6 (Completeness) TPF is refutation complete, that is, if � j= Ais a valid consequent, then there is a closed tableau for �t [Afu.Proof: Completeness of TPF can be proven using the model existence the-orem 2.26 by verifying that the class r of sets � that do not have closed TPFtableaux is an abstract consistency class. This can be achieved with the usualtechniques of e.g. [Fit90]: It is obvious that the TPF rules for the connectives,quanti�ers and sorts directly correspond the clauses of 2.20. We have treatedthe only case where this correspondence is nontrivial (the quanti�er case) in thetableau lifting theorem above. 18

Example 3.7 (continuing 2.12) Taking the above example we give a prooffor fA1;A2;A3;A4;A5g j= Tusing the above tableau rules. The proof is shown in �gure 1. Applying theclosure rule in the case of non-empty sort constraints, we omit the � branchfor simplicity reasons. Note that the unsorted uni�ers [c � d=uIR], [c=xIR], and[d=yIR] have to be applied to the whole tableau. For display reasons, however, weonly add the relevant formulae to the tableau instead of replacing them, that is,correctly (F8) has to replace (F3) and (F13) to replace (F9).The tableau proof can roughly be divided into three di�erent parts, �rst therepresentation of the problem, displayed above the �rst line, second some initialsimpli�cation by eliminating quanti�ers and connectives displayed between the�rst and the second line, and third the �nal refutation, below the second line.Remark 3.8 The proof in �gure 1 shows an interesting feature, namely it cor-responds in length and structure exactly to a proof of the theorem in classicaltwo-valued logic. By replacing all truth-value sets fu by the truth value f youget the corresponding two-valued proof. This correspondence is due to the cor-respondence of the tableau rules R� and R�u for � 2 ff; tg and R 2 f^;_;:; 8g.In other words using rules for truth-value sets provide proofs as short as in thetwo-valued case. If, however, truth-value sets are not used, certain parts of theproofs must be duplicated. This relationship can only hold for so-called normalproblems of course, that is, problems which do not contain any ! connective, sinceformulae containing a ! do not make any sense in classical two-valued logic.Theorem 3.9 (Correspondence Theorem) Each tableau proof for a normalproblem � j= A in SKL can be isomorphically transformed into a tableau proofin FOL.Proof: Let us prove the assumption by a case analysis on the rules applied inthe proof. At a certain formula in the SKL-tableau, its label set either containsthe u value or not. If the formula does not contain u then it is labeled by t,by f, or by ft and will be treated by the same rule R� with R 2 f^;_;:; 8gand � 2 ff; tg or the splitting rule. Note the corresponding tableau rules are thesame for FOL and SKL.In the case that � contains the truth value u, just eliminate u from the set.Since the initial problem formulation contains only the labels t and fu, for normalproblems it inductively follows that no formula with the label u can occur in atableau. The procedure of just eliminating the truth value u is correct, sincefor all connectives (with the exception of !, which may not occur in normalproblems), all quanti�er and all truth values holds, if R is a rule in SKL with atruth value set containing the truth value u, then a tableau rule of FOL can beconstructed from R by eliminating the truth value u in the rule. For instance(A ^B)utAutBut ; (A ^B)tAtBt19

s(A1) (8xIR x 6= 0) x<�IR�)t...s(A5) (8xIR 8yIR x� y = 0) x = y)ts(T) (8xIR 8yIR x 6= y) � 1x�y �2 > 0)fus(A10) (uIR 6= 0) uIR<�IR�)t 8t(A1)s(A20) ( 1vIR� <�IR�)t 8t(A2)s(A30) (w2IR� > 0)t 8t(A3)s(A40) (sIR � tIR<�IR)t 8t(A4) (2 times)s(A50) (xIR � yIR = 0) xIR = yIR)t 8t(A5) (2 times)s(T1) (c<�IR)t 8fu(T) (2 times)s(T2) (d<�IR)t 8fu(T) (2 times)s(T3) (c = d _ � 1c�d�2 > 0)fu 8fu(T) (2 times)s(T30) (c = d)fu _fu(T3)s(T300) (� 1c�d�2 > 0)fu _fu(T3)s(F1) ( 1c�d<�IR�)fu �(T300,A30)s@@ @@(F2) (c� d<�IR�)fu �(F1,A20)s(F3) (uIR = 0)t s(F4) (uIR<�IR�)t _t(A10)s������� @@@(F5) ((c� d)<�IR)fu �(F4,F2)ss(F6) (c<�IR)fu ss(F7) (d<�IR)fu �(F5,A40)� � �(F6,T1), �(F7,T2)s@@ @@(F8) (c� d = 0)t �(F3,[c� d=u])s(F9) (xIR � yIR = 0)f (F10) (xIR = yIR)t _t(A50)s������� @@@(F11) (c<�IR)fu (F12) (d<�IR)fu �(F10,T30)ss � ss � �(F11,T1), �(F12,T2)ss(F13) (c� d = 0)f �(F9,[c=x][d=y])� �(F13,F8)Fig. 1. Tableau proof with unsorted uni�cation, example 3.720

For the other cases check this relation in de�nition 3.1. This relation holds alsofor the tableau closure rule.Thus we get a FOL proof from the SKL proof by simply eliminating all truthvalues u.Remarks 3.10 Unfortunately, the converse of the above theorem does not hold.Not each FOL proof can be transformed into an SKL proof, even if there is anSKL proof. Consider for example the relation fAg j= A_ (B _:B) which holdsin SKL as well as in FOL. An FOL-proof is:s(A) (A)ts(T) (A _ (B _ :B))fs(F1) (A)f _f(T)s(F2) (B _ :B)f _f(T)s(F3) (B)f _f(F2)s(F4) (:B)f _f(F2)s(F5) (B)t :f(F4)s � �(F5,F3)Fig. 2. Counterexample to the converse correspondence theoremThis proof cannot be transferred since in SKL (T), (F1), (F2), (F3), (F4),and (F5) are labeled by the truth value u in addition, hence the closure ruledoes not apply to (F5) and (F3). This comes from the fact that B _:B is not atautology in SKL. However the other straightforward closure of the tableau byapplying the closure rule to (A) and (F1) can be applied in FOL as well as inSKL.Of course it would be nice to have the property that for each classical FOLproof there exists an SKL proof which is as short as the classical (of courseonly if the classical theorem is also an SKL theorem). The example above showsthat this property does not hold in general, for instance, replace the assumptionset fAg by a set from which A can be derived in 20 steps only. On the otherhand this example is rather arti�cial insofar as the theorem would normallynot be stated in this form in mathematics, because mathematical theorems arenormally not redundant in the way that link two true statements by an \_",on the contrary usual mathematical theorems employ preconditions as weak aspossible and consequences as strong as possible. For instance, in a mathematicalcontext we would expect theorems like A, B _:B, A^ (B _:B). While a proof21

for the �rst (from the assumptions A) can be transferred from FOL to SKL, thelatter two are not theorems in SKL. Hence we expect that for usual mathematicaltheorems the proof e�ort in SKL will not be bigger then in FOL.4 Extensions { Sorted Uni�cationEven though the TPF calculus de�ned above represents a signi�cant computa-tional improvement over a naive tableau calculus for Kleene's strong logic forpartial functions, it only makes very limited use of the sorts in SKL. This canbe improved by utilizing a rigid sorted uni�cation algorithm that takes into ac-count all the sort information present in the respective branch and uses it as alocal sort signature. This measure in e�ect restricts the set of possible uni�ers tothose that are well-sorted with respect to this (local) sort signature. This allowsto perform some of the reasoning about well-sortedness (and therefore de�ned-ness) in the uni�cation in an algorithmic way. This reasoning would otherwisebe triggered by the sort constraints in SKL and would have to be carried out inthe proof search. The methods presented in this section are heavily in uencedby Weidenbach's work on sorted tableau methods in [Wei94].In the tableau framework the extension with sorted uni�cation is simpler (butperhaps less powerful) than in the resolution framework (see for instance [Wei91,KK93]). The reason for this is the di�erence in the treatment of the disjunctionin resolution and tableau. Tableau calculi use the � rule to analyze disjuncts indi�erent branches, but pay the price with the necessity to instantiate the entiretableau. Consider, for example the formula t<�S _ t<�T stating that the term thas sort S or sort T . In the tableau method, we can investigate both situationsin separate branches (with di�erent local sets of declarations). In the resolutionmethod, we have to use one of the disjuncts for sorted uni�cation and residuatethe other as a constraint, which has to be attached to well-sorted terms, well-sorted substitutions and clauses resulting from resolutions, whenever the otherliteral is used. On the other hand, the tableau method needs to instantiate alldeclarations that are used, since they can contain variables that also appear inother branches. Consider, for example, the axiom 8xIR x > 0 ) x<�IR�, whichcan be read as a conditional declaration. This axiom will result in branchescontaining the literal (xIR > 0)f and the declaration (xIR<�IR�)t. If we use thedeclaration in sorted uni�cation to justify that 1<�IR�, then we have to refutethat (1 > 0)f in the other branch. This simple example shows that we have to use(not surprisingly in a tableau framework) a rigid variant of sorted uni�cationfor our extension.De�nition 4.1 (Rigid Sorted Uni�cation) Let D be a set of declarations,then we call a substitution � rigidly well-sorted with respect to D, i� there is asubstitution � , such that1. � � � and Dom(� ) � Free(D) [Dom(�)2. � is well-sorted with respect to � (D).22

For instance the substitution � = [f(f(xS ))=zS ] is well-sorted, but not rigidlyso, for the set D = ff(yS )<�Sg, since the declaration has to be used twice (indi�ering instances) to show that f(f(xS )) has sort S. � is, however, rigidly well-sorted with respect to D0 = ff(yS )<�S; f(vS )<�Sg, and the substitution � =[f(f(xS ))=zS ]; f(vs)=ys] is a substitution that instantiates D0 in the appropriateway.4.1 Rigid Sorted Uni�cationSorted uni�cation with term declarations was �rst considered by Schmidt-Schau�who also presents a sound and complete algorithm in [SS89]. In SKL, term de-clarations appear as sort atoms of the form t<�S, declaring all instances of t tobe of sort S. Rigid sorted uni�cation is treated in [Wei94].De�nition 4.2 (Well-Sorted Terms) Let D be a set of declarations (positivesort literals of the form (t<�S)t), then the set wsTS(D) of well-sorted terms ofsort S is inductively de�ned by1. variables xS 2 wsTS(D)2. if t<�T 2 D then t 2 wsTT (D)3. if t 2 wsTT (D) and s 2 wsTS(D) then [s=xS ]t 2 wsTT (D).We call a substitution [t1=x1S1 ]; : : : ; [t1=xnSn ] a well-sorted substitution, i� ti 2wsTSi (D). Obviously the application of well-sorted substitutions to well-sortedterms yields well-sorted terms, so wsT(D) is closed under well-sorted substitu-tions and the set of well-sorted substitutions is a monoid with function compos-ition.Remark 4.3 The de�nition above is an inductive one, not in the structure ofterms, but in the justi�cation of the well-sortedness. A simple induction on thisjusti�cation shows that the consequent D j= t<�S is valid for any term t 2wsTS(D). In particular, for any well-sorted term t 2 wsTS(D) the denotationI'(t) is in AS and therefore de�ned.Furthermore a declaration of the form xS<�T 2 D entails that wsTS(D) �wsTT (D) and AS � AT for any �-model A of D. Therefore we call declarationsof the form xS<�T 2 D subsort declarations.Since we are working in a tableau framework and our sorted uni�cation al-gorithm involves nondeterminism, we utilize the tableau search mechanism forthe search for uni�ers by representing uni�cation constraints as special dis-equality literals. This gives us a very uniform presentation of the combinedtableau procedureDe�nition 4.4 (Tableau Rules for Rigid Sorted Uni�cation)We assume the existence of a binary predicate symbol :=2 P2 and call a literal(s := t)fu a constraint literal and often abbreviate the (s := t)fu by s 6 := t, as usualwe do not distinguish between (s := t) and (t := s). We model sorted uni�cation23

as a tableau-based constraint simpli�cation calculus with the following set ofinference rules: The decomposition rulef(s1; : : : ; sn) 6 := f(t1; : : : ; tn)� �� s1 6 := t1 �� : : : �� sn 6 := tnis just the traditional decomposition transformation, known from uni�cationtheory. Again note that we only need the disjunct �, if n = 0. The subsort rule(zT<�S)txS 6 := yT� [zT=xS]; [zT=yT ]allows to eliminate variables, provided that T is a subsort of S, in which casethe instantiation [zT=xS ] is well-sorted. The intersect rule(uV<�S)t(vV<�T )txS 6 := yT� [uV =xS ]; [uV =yT ]; [uV =vV ]allows to eliminate a pair of variables that share a common subsort V . Finallya pair of variables can be eliminated for a term t, if t has sorts S and T , even ifthey do not share a common subsort (we call this situation irregular). Thereforethe following rule non-reg instantiates the variables with the least committedgeneralization of t.(f(s1; : : : ; sn)<�S)t(f(t1; : : : ; tn)<�T )txS 6 := yT� �� s1 6 := t1 �� : : : �� sn 6 := tn [f(s1; : : : ; sn)=xS ]; [f(t1; : : : ; tn)=yT ]Finally we need a rule (the imitation rule below) that allows to eliminate avariable xS for a term t, if it is an instance of a declaration in the branch above.(f(t1; : : : ; tn)<�S)txS 6 := f(s1; : : : ; sn)� �� s1 6 := t1 �� : : : �� sn 6 := tn [f(t1; : : : ; tn)=xS ]In contrast to the related set of rules for sorted uni�cation in [Wei91] or [SS89]we only eliminate solved pairs that are known to be well-sorted from the set Dof declarations. Therefore we do not need the explicit failure rules these authorsneed, since they do not test for well-sortedness of the pair before eliminating. Inour system we de�ne failure as irreducibility and non-solvedness, but we couldalso add explicit failure rules to detect failure early for a practical implementa-tion.We say that a declaration (t<�S)t is used by a uni�cation inference rule, if itappears in the antecedent of the rule. 24

Theorem 4.5 The above set of rules de�ne a sound and complete non-deter-minist uni�cation algorithm.Proof sketch: It is obvious that all inference rules maintain the propertyof well-sortedness for uni�cation problems, since all new pairs added are fromdeclarations and are therefore well-sorted by de�nition and the set of well-sortedterms is closed under well-sorted substitutions. Since the set of inference rulesis a rigid variant of that given in [SS89, p.98], we refer to the proofs given there.These only have to be modi�ed to account for rigidity. A close inspection ofthe di�erences shows that Schmidt-Schau�' rules can be obtained from ours byrenaming all declarations that are used by the uni�cation rules before applyingthe rules, and thus preventing that the declarations are used up in the process.For the proof of completeness, we construct a rigid extension � from a non-rigiduni�er by taking into account the instantiations of the declarations (in the rigidset of rules) that were circumvented in Schmidt-Schau�' rules by renaming.4.2 A Tableau Calculus for SKL using Rigid Sorted Uni�cationWe will now extend TPF with a variant of the rigid sorted uni�cation alogrithmabove. Note that the notion of substitution discussed above is still not appropri-ate for a refutation calculus, where substitutions need to have ground instances.Otherwise the tableau cut rule becomes unsound: Let S be a sort that does nothave ground terms, that is, where AS may be empty, then a branch containingthe literals (PxS)t and (PyS)f could be closed using the substitution [yS=xS ],without being unsatis�able. A well-sorted term may not have ground instances,if it contains variables of sorts that do not have ground terms. Therefore we areinterested in conditions for sorts to be non-empty.Lemma 4.6 Let D be a set of sort declarations, then the problem whether theset of ground terms of sort S is empty is decidable.Proof sketch: Let Ax(D) be the set of propositional formulae (S1^: : :^Sn))T , such that t<�T 2 D and fx1Sig are the free variables of t. Then the emptinessproblem is equivalent to the problem whether Ax(D) j= S in propositional logic,which is known to be decidable.Remark 4.7 Thus we can modify the sorted uni�cation algorithm above byallowing tableau closure � (or equivalently the rule to be appliccable) only i�the sorts of the free variables in the substitutions associated with the rules arenon-empty with respect to the set D of declarations in the branch above. Thisvariant of the sorted uni�cation algorithm only returns sorted uni�ers that havewell-sorted ground instances.Now we will present an extension TPF(�) of TPF that allows to restrictthe calculation to formulae that are well-sorted with respect to the declarationspresent on the branch above, and thereby prune branches of the proof searchthat would not lead to refutations, since they contain meaningless objects.25

De�nition 4.8 (Tableau with Sorted Uni�cation (TPF(�)))To obtain the tableau calculus TPF(�) with sorted uni�cation from TPF, wemodify the tableau closure rules and add the modi�ed (cf. 4.7) constraint variantof the constraint simpli�cation rules of sorted uni�cation. The new cut and strictrules have for form A�B�A 6 := B C (t<�D)fs 6 := twhere �\� = ;,C has a subterm s, and � ff; tg. Thus instead of using unsorteduni�cation, these rules residuate a uni�cation constraint can then be processedby the sorted uni�cation algorithm. All other TPF rules stay unchanged.Theorem 4.9 TPF(�) is sound and refutation complete.Proof sketch: The soundness of TPF(�) relies on the soundness of the sorteduni�cation algorithm, which guarantees only well-sorted instantiations. For thecompleteness proof we can again use the model existence theorem 2.26, wherewe only have to reconsider the tableau lifting theorem for TPF(�). This can beproven with the standard argumentation, since the sorted uni�cation algorithmis complete and we can abstract from the internal structure of the uni�cationderivation.As we have seen in remark 4.3 the well-sorted substitutions and thereforewell-sorted uni�cations �lter out instantiations of the tableau that contain mean-ingless objects and therefore cannot contribute to a refutation of the initialconsequent. This property yields a signi�cant pruning of the search spaces andtherefore in a gain of computational e�ciency. However the rigidity of the uni�c-ation algorithm makes it necessary to guess in advance the number of instancesof the declarations needed for a proof, since they are used up during the uni-�cation. This is especially bothersome, since in general a great multiplicity ofdeclarations is needed. In order to arrive at a more practical algorithm it willbe important to �nd variants of the uni�cation algorithm that are rigid only onthe disjunctive part of the declarations present in a consequent.Example 4.10 (continuing 3.7) Now we revisit the problem of provingfA1;A2;A3;A4;A5g j= Tusing the tableau calculus with sorted uni�cation. While the �rst two main partsof the proof in �gure 1, namely the problem setting and the initial simpli�cationremain the same, the proper refutation will be shorter, in particular only threebranches instead of �ve have to be considered. In �gure 3, we display only thelast part.The uni�cation for closing F2 with T30 is straightforward because of T1 andT2, (c<�IR)t and (d<�IR)t, while the sorted uni�cation for closing F3 and F5 makesuse of T1, T2, and the term declaration A40. For the closure of T300 and A30 theuni�cation algorithm must derive that 1c�d has the sort IR�, this is done by F6with the term declaration A20. 26

...s@@ @@s(F1) (xIR � yIR = 0)f s(F2) (xIR = yIR)t _t(A50)s � �(F2,T30)s@@ @@(F3) (c� d = 0)f �(F1,[c=x][d=y])s s(F4) (uIR<�IR�)t (F5) (uIR = 0)t _t(A10)s � �(F3,F5)ss(F6) (c� d<�IR�)t �(F4,[c� d=u])� �(T300,A30)Fig. 3. Tableau proof with sorted uni�cation5 ConclusionWe have developed a sorted three-valued logic for the formalization of informalmathematical reasoning with partial functions. This system generalizes the sys-tem proposed by Kleene in [Kle52] for the treatment of partial functions overnatural numbers to general �rst-order logic. In fact we believe that the unsor-ted version of our system without the ! operator is a faithful formalization ofKleene's ideas.If we compare SKL to the three other approaches mentioned in the introduc-tion, we see that the truth conditions coincide on valid mathematical statements,but that SKL properly excludes statements that a mathematician would rejectas having problems with de�nedness. While the �rst approach has not the ne-cessary expressiveness, the second and fourth approaches legitimate unwantedstatements as theorems.We have presented a sound and complete tableau calculus with dynamicsorts for our logic SKL, which uses the sort mechanism to capture the fact thatin Kleene's logic quanti�cation only ranges over de�ned individuals. Our calculuscan be seen as an extension of classical logic that combines methods from many-valued logics (cf. [BF92, H�ah92]) for a correct treatment of the unde�ned andsorted logics (see [Wei89, Wei91]) for an adequate treatment of the de�ned. Itdi�ers from the sequent calculus in [LCGF89] in that the use of dynamic sorttechniques greatly simpli�es the calculus, since most de�nedness preconditionscan be taken care of in the uni�cation. Thus we believe that our system is notonly more faithful to Kleene's ideas (de�nedness inference is handled in theuni�cation at a level below the calculus) but also more e�cient for the sorttechniques involved. 27

In an earlier work [KK93, KK94] we had represented a resolution calculus ofstrong sorted Kleene logic. In this work, we not only have transferred the methodsdeveloped there to the tableau framework, but have also shown that normallyproofs that keep track of the de�nedness conditions are not more complex thanthose in the classical two-valued logic. In some sense it is surprising that inspite of the advantages mentioned above, the complexity of proof search can bepreserved by the treatment of multi-indices.Of course further extensions of the system described here have to be con-sidered in order to be feasible for practical mathematics. In particular this cal-culus does not address the question of the mechanization of higher-order featuresfor the formalization of mathematical practice. Higher-order logics are especiallysuitable for formalizing partial functions, since functions are �rst class objectsof the systems, that can even be quanti�ed over. In this direction the work ofFarmer et al. [Far90, FGT93] has shown that partial functions are a very naturaland powerful tool for formalizing mathematics. We expect that our three-valuedapproach, which remedies some problems of their simpler two-valued approach(see the discussion in the introduction and in example 2.11) can be generalizedin much the same manner and will be a useful tool for formalizing mathematics.Finally, the authors believe that the merit of the idea of generalizing �rst-order logic with respect to both, the number of truth values, and the domain ofquanti�cation is not con�ned to the application to partial functions. In particularthere seem to be no obstacles against the extension of many multi-valued logicsin arti�cial intelligence (such as Belnap's four-valued paraconsistent logic) thathave only been investigated for the propositional fragment to the �rst-order caseusing our techniques.References[And86] Peter B. Andrews. An Introduction to Mathematical Logic and Type Theory:To Truth through Proof. Academic Press, 1986.[Bee85] Michael J. Beeson. Foundations of ConstructiveMathematics. Springer Ver-lag, 1985.[Bet55] E. W. Beth. Semantic entailment and formal derivability. Medelingen vonde Koninklijke Nederlandse Akademie van Wetenschappen, Afdeling Letter-kunde, 18(13):309{342, 1955.[BF92] Matthias Baaz and Christian G. Ferm�uller. Resolution for many-valuedlogics. In A. Voronkov, editor, Proceedings of LPAR, pages 107{118,St. Petersburg, Russia, 1992. Springer Verlag, LNAI 624.[BFZ93] Matthias Baaz, Christian G. Ferm�uller, and Richard Zach. Dual systemsof sequents and tableaux for many-valued logics. Technical Report TUW-E185.2BFZ.2-92, Technische Universit�at Wien, 1993.[Car87] Walter A. Carnielli. Systematization of �nite many-valued logics throughthe method of tableaux. The Journal of Symbolic Logic, 52:473{493, 1987.[Car91] Walter A. Carnielli. On sequents and tableaux for many-valued logics.Journal of Non-Classical Logic, 8(1):59{76, 1991.[Far90] William M. Farmer. A partial functions version of Church's simple theoryof types. The Journal of Symbolic Logic, 55(3):1269{1291, 1990.28

[FGT93] William M. Farmer, Joshua D. Guttman, and F. Javier Thayer. IMPS: AnInteractive Mathematical Proof System. Journal of Automated Reasoning,11(2):213{248, October 1993.[Fit90] Melvin Fitting. First-Order Logic and Automated Theorem Proving. Sprin-ger Verlag, 1990.[H�ah92] Reiner H�ahnle. Automated Theorem Proving in Multiple Valued Logics. PhDthesis, Fachbereich Informatik, Universit�at Karlsruhe, Karlsruhe, Germany,March 1992. revised version: Automated Deduction in Multiple-Valued Lo-gics, Oxford University Press, 1994.[Hin55] K. J. J. Hintikka. Form and content in quanti�cation theory. Acta Philo-sophica Fennica, 8:7{55, 1955.[HS94] Reiner H�ahnle and Peter H. Schmitt. The liberalized �-rule in free variabletableaux. Journal of Automated Reasoning, 12(2):211{222, 1994.[KK93] Manfred Kerber and Michael Kohlhase. A mechanization of strong Kleenelogic for partial functions. SEKI Report SR-93-20, Fachbereich Informatik,Universit�at des Saarlandes, Im Stadtwald, Saarbr�ucken, Germany, 1993.[KK94] Manfred Kerber and Michael Kohlhase. A mechanization of strong Kleenelogic for partial functions. In Alan Bundy, editor, Proceedings of the 12thCADE, pages 371{385, Nancy, France, 1994. Springer Verlag, LNAI 814.[Kle52] Stephen C. Kleene. Introduction to Metamathematics. Van Nostrand, 1952.[LCGF89] Francisca Lucio-Carrrasco and Antonio Gavilanes-Franco. A �rst orderlogic for partial functions. In Proceedings STACS'89, pages 47{58. SpringerVerlag, LNCS 349, 1989.[Pra60] Dag Prawitz. An improved proof procedure. Theoria, 26:102{139, 1960.[Ree87] S. Reeves. Semantic tableaux as a framework for automated theorem-proving. In J. Hallam and C. Mellish, editors, Advances in Arti�cial In-telligence, AISB-87, pages 125{139. Wiley, 1987.[Sch68] R. Schock. Logics without Existence Assumptions. Almquist & Wisell, 1968.[Sco70] Dana S. Scott. Outline of a mathematical theory of computation. TechnicalMonograph PRG-2, Oxford University Computing Laboratory, 1970.[Smu63] Raymond M. Smullyan. A unifying principle for quanti�cation theory. Proc.Nat. Acad Sciences, 49:828{832, 1963.[Smu68] Raymond M. Smullyan. First-Order Logic. Springer Verlag, 1968.[SS89] Manfred Schmidt-Schau�. Computational Aspects of an Order-Sorted Logicwith Term Declarations, Springer Verlag, LNAI 395, 1989.[Tic82] Pawel Tichy. Foundations of partial type theory. Reports on MathematicalLogic, 14:59{72, 1982.[Wei89] Christoph Weidenbach. A resolution calculus with dynamic sort structuresand partial functions. SEKI Report SR-89-23, Fachbereich Informatik, Uni-versit�at Kaiserslautern, Kaiserslautern, Germany, 1989. Short version inECAI'90, p. 688{693.[Wei91] Christoph Weidenbach. A sorted logic using dynamic sorts. TechnicalReport MPI-I-91-218, Max-Planck-Institut f�ur Informatik, Im Stadtwald,Saarbr�ucken, Germany, 1991. Short version in IJCAI'93, p. 60{65.[Wei94] Christoph Weidenbach. First-order tableaux with sorts. In Krysia Brodaand Marcello D'Agostino et.al., editors, TABLEAUX-'94, 3rd Workshop onTheorem Proving with Analytic Tableaux and Related Methods, pages 247{261. Imperial College of Science Technology and Medicine, TR-94/5, April1994. To appear in the Bulletin of the IGPL.29