\DeclareBoldMathCommand\boldlangle⟨\DeclareBoldMathCommand\boldrangle⟩
Operational semantics and program verification using many-sorted hybrid modal logic
Ioana Leuştean
Natalia Moangă
Traian Florin Şerbănuţă
Faculty of Mathematics and Computer Science, University of Bucharest,
Academiei nr.14, sector 1, C.P. 010014, Bucharest, Romania
[email protected] [email protected]
[email protected]
Abstract
We propose a general framework to allow: (a) specifying the operational semantics of a programming language; and (b) stating and proving properties about program correctness.
Our framework is based on a many-sorted system of hybrid modal logic, for which we prove completeness results.
We believe that our approach to program verification improves over the existing approaches within modal logic as (1) it is based on operational semantics which allows for a more natural description of the execution than Hoare’s style weakest precondition used by dynamic logic; (2) being multi-sorted, it allows for a clearer encoding of semantics, with a smaller representational distance to its intended meaning.
Keywords: Operational semantics, Program verification, Hybrid modal logic, Many sorted logic
1 Introduction
Program verification within modal logic, as showcased by dynamic logic [14], is following the mainstream axiomatic approach proposed by Hoare/Floyd [10, 16]. In this paper, we continue our work from [17] in exploring the amenability of dynamic logic in particular, and of modal logic in general, to express operational semantics of languages (as axioms), and to make use of such semantics in program verification.
Consequently, we consider the SMC Machine described by Plotkin [19], we derive a dynamic logic set of axioms from its proposed transition semantics, and we argue that this set of axioms can be used to derive Hoare-like assertions regarding functional correctness of programs written in the SMC language.
The main idea is to define a general logical system that is powerful enough to represent both the programs and their semantics in a uniform way. With respect to this, we follow the line of [13] and the recent work from [20].
The logical system that we developed as support for our approach is a many-sorted hybrid polyadic modal logic, built upon our general many-sorted polyadic modal logic defined in [17]. We chose a modal setting since, as argued above, through dynamic logic and Hoare logic, modal logic has a long-standing tradition in program verification (see also [8] for a modal logic approach to separation logic [21]) and it is successfully used in specifying and verifying hybrid systems [18].
In [17] we defined a general many-sorted modal logic, generalizing some of the already existing approaches, e.g. [22, 23] (see [17] for more references on many-sorted modal logic). This system allows us to specify a language and its operational semantics and one can use it to certify executions as well. However, both its expressivity and its capability are limited: we were not able to perform symbolic execution and, in particular, we were not able to prove Hoare-style invariant properties for loops. In Remark 2.4, we point out some theoretical aspects related to these issues.
In the present paper we employ the procedure of hybridization on top of our many-sorted modal logic previously defined. We drew our inspiration from
[7, 20] for practical aspects, and from the extensive research on hybrid modal logic [1, 6] on the theoretical side.
Our aim was to develop a system that is strong enough to perform all the addressed issues (specification, semantics, verification), but also to keep it as simple as possible from a theoretical point of view. To conclude: in our setting we are able to associate a sound and complete many-sorted hybrid modal logic to a given language such that both operational semantics and program verification can be performed through logical inference.
We have to make a methodological comment: sometimes nominals are presented as another sort of atoms (see, e.g.[6]). Our sorts come from a many-sorted signature (S,Σ), as in [13], so all the formulas (in particular the propositional variables, the state variables, the nominals) are S-sorted sets. When we say that the hybrid logic is mono-sorted we use sorted according to our context, i.e. the sets of propositional variables, nominals and state variables are regular sets and not S-sets.
We recall our many-sorted modal logic [17] in Section 2. The hybridization is performed in Section 3. A concrete language and its operational semantics are defined in Section 4; we also show how to perform Hoare-style verification. A section on related and future work concludes our paper.
2 Preliminaries: a many-sorted modal logic
Our language is determined by a fixed, but arbitrary, many-sorted signature Σ=(S,Σ) and an S-sorted set of propositional variables P={Ps}s∈S such that Ps=∅ for any s∈S and Ps1∩Ps2=∅ for any s1=s2 in S.
For any n∈N and s,s1,…,sn∈S we denote
Σs1…sn,s={σ∈Σ∣σ:s1⋯sn→s}.
The set of formulas of MLΣ is an S-indexed family inductively defined by:
ϕs::=p∣¬ϕs∣ϕs∨ϕs∣σ(ϕs1,…,ϕsn)
where s∈S, p∈Ps and σ∈Σs1⋯sn,s.
We use the classical definitions of the derived logical connectors: for any σ∈Σs1…sn,s the dual operation is
σ□(ϕ1,…,ϕn):=¬σ(¬ϕ1,…,¬ϕn).
In the sequel, by ϕs we mean that ϕ is a formula of sort s∈S. Similarly, Γs means that Γ is a set of formulas of sort s. When the context uniquely determines the sort of a state symbol, we shall omit the subscript.
In order to define the semantics we introduce the (S,Σ)-frames and the (S,Σ)-models.
An (S,Σ)-frame is a tuple
F=(W,(Rσ)σ∈Σ)
such that:
W={Ws}s∈S is an S-sorted set of worlds and Ws=∅ for any s∈S,
Rσ⊆Ws×Ws1×…×Wsn for any σ∈Σs1⋯sn,s.
An (S,Σ)-model based on F is a pair M=(F,V) where V={Vs}s∈S such that Vs:Ps→P(Ws) for any s∈S. The model M=(F,V) will be simply denoted as M=(W,(Rσ)σ∈Σ,V).
In the sequel we introduce a many-sorted satisfaction relation.
If M=(W,(Rσ)σ∈Σ,V) is an (S,Σ)-model, s∈S, w∈Ws and ϕ is a formula of sort s, then the many-sorted satisfaction relation M,w∣\joinrel=sϕ
is inductively defined:
M,w∣\joinrel=sp iff w∈Vs(p)
M,w∣\joinrel=s¬ψ iff M,w∣\joinrel=sψ
M,w∣\joinrel=sψ1∨ψ2 iff M,w∣\joinrel=sψ1 or M,w∣\joinrel=sψ2
if σ∈Σs1…sn,s, then M,w∣\joinrel=sσ(ϕ1,…,ϕn) iff there exists (w1,…,wn)∈Ws1×⋯×Wsn such that Rσww1…wn and
M,wi∣\joinrel=siϕi for any i∈[n].
Definition 2.1** (Validity and satisfiability).**
Let s∈S and assume ϕ is a formula of sort s. Then ϕ is satisfiable if M,w∣\joinrel=sϕ for some model M and some w∈Ws. The formula ϕ is valid in a model M if M,w∣\joinrel=sϕ for any w∈Ws; in this case we write M∣\joinrel=sϕ. The formula ϕ is valid in a frame F if ϕ is valid in all the models based on F; in this case we write F∣\joinrel=sϕ. Finally, the formula ϕ is valid if ϕ is valid in all frames; in this case we write ∣\joinrel=sϕ.
The set of theorems of KΣ is the least set of formulas that contains all the axioms and it is closed under deduction rules. Note that the set of theorems is obviously closed under S-sorted uniform substitution (i.e. propositional variables of sort s are uniformly replaced by formulas of the same sort). If ϕ is a theorem of sort s write ∣\joinrel\joinrel sKΣϕ. Obviously, KΣ is a generalization of the modal system K (see [6] for the mono-sorted version).
The distinction between local and global deduction from the mono-sorted setting (see [6]) is deepened in our version: locally, the conclusion and the hypotheses have the same sort, while globally, the set of hypotheses is a many-sorted set. In the sequel we only consider the local setting.
Definition 2.2** (Local deduction).**
[17]** If s∈S and Γs ∪ {ϕ} is a set of formulas of sort s, then we say that ϕ is (locally) provable from Γs if there are γ1,…,γn∈Γs such that
∣\joinrel\joinrel sKΣ(γ1∧…∧γn)→ϕ. In this case we write Γ∣\joinrel\joinrels\joinrel sKΣϕ.
The construction of the canonical model is a straightforward generalization of the mono-sorted setting. For more details, we refer to [17]. The last result we recall is the (strong) completeness theorem with respect to the class of all frames.
Theorem 2.3**.**
[17]** Let Γs be a set of formulas of set s. If Γs is a consistent set in KΣ then
Γs has a model. Moreover, if ϕ is a formula of sort s, then Γs⊨KΣϕ iff Γs⊢KΣϕ,
where Γs⊨KΣϕ denotes the fact that any model of Γ is also a model of ϕ.
Remark 2.4** (Problems).**
The many-sorted modal logic allows us to define both the syntax and the semantics of a programming language (see [17] for a complex example). However, there are few issues, both theoretical and operational, that we could not overcome:
the logic can be used to certify executions, but not to perform symbolic verification; in particular, in order to prove the invariant properties for loops, the existential binder is required;
the completeness theorem for extensions of
KΣ from **[17]** only refers to model completeness, but says nothing about frame completeness (see **[11]** for a general discussion on this distinction);
the sorts are completely isolated formally, but in our example elements of different sorts have a rich interaction.
These issues will be adressed in the following sections.
3 Many-sorted hybrid modal logic
The hybridization of our many-sorted modal logic is developed using a combination of ideas and techniques from [1, 3, 4, 6, 11, 12]. Hybrid logic is defined on top of modal logic by adding nominals, states variables and specific operators and binders.
Nominals allow us to directly refer the worlds (states) of a model, since they are evaluated in singletons in any model. However, a nominal may refer different worlds in different models. In the sequel we introduce the constant nominals, which are evaluated to singletons, but they refer to the same world (state) in all models. Our example for constant nominals are true and false from Section 4.
Definition 3.1** (Signature with constant nominals).**
A signature with constant nominals is a triple (S,Σ,N) where (S,Σ) is a many-sorted signature and N=(Ns)s∈S is an S-sorted set of constant nominal symbols. In the sequel, we denote
Σ=(S,Σ,N).
As before, the sorts will be denoted by s, t, … and by PROP={PROPs}s∈S, NOM={NOMs}s∈S and SVAR={SVARs}s∈S we will denote some countable S-sorted sets. The elements of PROP are ordinary propositional variables and they will be denoted p, q,…; the elements of NOM are called nominals and they will be denoted by j, k, …; the elements of SVAR are called state variables and they are denoted x, y, …. We shall assume that for any distinct sorts s=t∈S, the corresponding sets of propositional variables, nominals and state variables are distinct. A state symbol is a nominal, a constant nominal or a state variable..
As in the mono-sorted case, nominals and state variables will be semantically constrained: they are evaluated in singleton, which means they will always refer to a unique world of our model. In addition, the constant nominals will refer to the same world(state) in any evaluation, so they will be defined at the frames’ level.
In the mono-sorted setting, starting with a modal logic, the simplest hybrid system is obtained by adding nominals alone. However, the basic hybrid system is obtained by adding the satisfaction modality @jϕ (which states that ϕ is true at the world denoted by the nominal j). The most powerful hybrid systems are obtained by further adding the binders ∀ and ∃ that bind state variables to worlds, with the expected semantics [1, 2, 4]. The subsequently defined systems HΣ(@) and HΣ(@,∀) develop the hybrid modal logic in our many-sorted setting.
Note that, whenever the context is clear, we’ll simply write ∣\joinrel=s instead of ∣\joinrel=sHΣ(@) or ∣\joinrel=sHΣ(@,∀), and ∣\joinrel\joinrel s instead of ∣\joinrel\joinrel sHΣ(@) or ∣\joinrel\joinrel sHΣ(@,∀). We will further assume that the sort of a formula (set of formulas) is implied by a concrete context but, whenever necessary, we will use subscripts to fix the sort of a symbol: xs means that x is a state variable of sort s, Γs means that Γ is a set of formulas of sort s, etc.
Definition 3.2** (Formulas).**
*For any s∈S we define the formulas of sort s:
-
for HΣ(@):
ϕs:=p∣j∣¬ϕs∣ϕs∨ϕs∣σ(ϕs1,…,ϕsn)s\mid@ksϕt
-
for HΣ(@,∀):
ϕs:=p∣j∣ys∣¬ϕs∣ϕs∨ϕs∣σ(ϕs1,…,ϕsn)s\mid@ksϕt∣∀xtϕs
Here, p∈PROPs, j∈NOMs∪Ns, t∈S, k∈NOMt∪Nt,x∈SVARt, y∈SVARs and σ∈Σs1⋯sn,s. For any σ∈Σs1…s,s, the dual formula σ□(ϕ1,…,ϕn) is defined as in Section 2. We also define the dual binder ∃: for any s,t∈S, if ϕ is a formula of sort s and x is a state variable of sort t, then ∃xϕ:=¬∀x¬ϕ is a formula of sort s. The notions of free state variables and bound state variables are defined as usual.
Remark 3.3** (Expressivity).**
As a departure from our sources of inspiration, we only defined the satisfaction operators @j for nominals, and not for state variables. Hence, @x is not a valid formula in our logic. Our reason was to keep the system as ”simple” as possible, but strong enough to overcome the problems encountered in the non-hybrid setting (see Remarks 2.4). More issues concerning expressivity are analyzed in Section 5.
One important remark is the definition of the satisfaction modalities:
if k and ϕ are a nominal and respectively, a formula of the sort t∈S, then we define a family of satisfaction operators
{@ksϕ}s∈S such that @ksϕ is a formula of sort s for any s∈S. This means that ϕ is true at the world denoted by k on the sort t and is acknowledged on any sort s∈S. So, our sorted worlds are not isolated anymore, both from a syntactic and a semantic point of view.
Definition 3.4**.**
If Σ=(S,Σ,N) then a Σ-frame is F=(W,(Rσ)σ∈Σ,NF) where (W,(Rσ)σ∈Σ) is an (S,Σ)-frame and NF=(NsF)s∈S and NsF=(wc)c∈Ns ⊆Ws for any s∈S. We will further assume that distinct constant nominals have distinct sorts, so we shall simply write NF=(wc)c∈N.
Definition 3.5** (The satisfaction relation in HΣ(@)).**
A (hybrid) model in HΣ(@) is a triple
M=(W,(Rσ)σ∈Σ,(wc)c∈N,V)**
where
V:PROP∪NOM→P(W) is an S-sorted valuation such that Vs(k) is a singleton for any s∈S and k∈NOMs. If V is an S-sorted evaluation, we define VN:PROP∪NOM∪N→P(W) by VsN(c)={wc} for any s∈S,c∈Ns and VsN(v)=Vs(v) otherwise.
The satisfaction relation for nominals, constant nominals and satisfaction operators is defined as follows:
M,w∣\joinrel=tk* if and only if VtN(k)={w},*
M,w′∣\joinrel=s@ksϕ* if and only if M,w∣\joinrel=tϕ where VtN(k)={w}.*
Here s,t∈S, w∈Wt, w′∈Ws, k∈NOMt∪Nt and ϕ is a formula of sort t.
Satisfiability and validity in H(@) are defined as in Section 2.
In order to define the semantics for HΣ(@,∀) more is needed. Given a model M=(W,(Rσ)σ∈Σ,(wc)c∈N,V), an assignment is an S-sorted map g:SVAR→W. If g and g′ are assignment functions s∈S and x∈SVARs then we say that g′ is an x-variant of g (and we write g′∼xg) if gt=gt′ for
t=s∈S and gs(y)=gs′(y) for any y∈SVARs, y=x.
Definition 3.6** (The satisfaction relation in HΣ(@,∀)).**
In the sequel
M=(W,(Rσ)σ∈Σ,(wc)c∈N,V)**
is a model and g:SVAR→W an S-sorted assignment. The satisfaction relation is defined as follows:
M,g,w∣\joinrel=sa, if and only if w∈VsN(a), where a∈PROPs∪NOMs∪Ns,
M,g,w∣\joinrel=sx, if and only if w=gs(x), where x∈SVARs,
M,g,w∣\joinrel=s¬ϕ, if and only if M,g,w∣\joinrel=sϕ
M,g,w∣\joinrel=sϕ∨ψ, if and only if M,g,w∣\joinrel=sϕ or M,g,w∣\joinrel=sψ
*if σ∈Σs1…sn,S then M,g,w∣\joinrel=sσ(ϕ1,…,ϕn), if and only if there is *
(w1,…,wn)∈Ws1×⋯×Wsn* such that Rσww1…wn and M,g,wi∣\joinrel=siϕi for any i∈[n],*
M,g,w∣\joinrel=s@ksϕ* if and only if M,g,u∣\joinrel=tϕ where k∈NOMt∪Nt, ϕ has the sort t and VtN(k)={u},*
M,g,w∣\joinrel=s∀xϕ, if and only if M,g′,w∣\joinrel=sϕ for all g′∼xg.
Consequently,
M,g,w∣\joinrel=s∃xϕ, if and only if ∃g′(g′∼xg and M,g′,w∣\joinrel=sϕ).
Following the mono-sorted setting, satisfiability in H(@,∀) is defined as follows: a formula ϕ of sort s∈S is satisfiable if M,g,w∣\joinrel=sϕ for some model M, some assignment g and some w∈Ws. Consequently, the formula ϕ is valid in a model M if M,g,w∣\joinrel=sϕ for any assignment g and any w∈Ws. One can speak about validity in a frame as in Section 2.
In the presence of nominals, we can speak about named models and pure formulas, as in [6][Section 7.3].
Definition 3.7** (Named models and pure formulas).**
A formula is pure if it does not contain propositional variables. A pure instance of a formula is obtained by is obtained by uniformly substituting nominals for nominals of the same sort. A model M=(W,(Rσ)σ∈Σ,(wc)c∈NV) is named if for any sort s∈S and world w∈Ws there exists k∈NOMs∪Ns such that w=VsN(k).
As in the mono-sorted case, pure formulas and named models are important since they give rise to strong completeness results with respect to the class of frames they define.
Proposition 3.8** (Pure formulas in HΣ(@)).**
Let M=(W,(Rσ)σ∈Σ,(wc)c∈N,V) be a named model, F=(W,(Rσ)σ∈Σ,(wc)c∈N) the corresponding frame and ϕ a pure formula of sort s. Then
F∣\joinrel=sϕ if and only if M∣\joinrel=sψ for any ψ that is a pure instance of ϕ.
Proof.
Let ϕ be a pure formula of sort s and suppose F∣\joinrel=sϕ. Then there exist a valuation V′ and some state w∈Ws in the model M′=(F,V′) such that M′,w∣\joinrel=sϕ.
On each sort s∈S we will notate j1s,…,jts all the nominals occurring in ϕ. But because we are working in a named model, V labels every state of any sort in F with a nominal of the same sort. Hence, on each sort s∈S there exist k1s,…,kts nominals such that VsN(j1s)=Vs′(k1s), … ,VsN(jts)=Vs′(kts). Therefore, if M′,w∣\joinrel=sϕ and ψ is obtained by substituting on each sort each nominal jis with the corresponding one kis, then M,w∣\joinrel=sψ.
But ϕ is a pure formula, and by substituting the nominals contained in the formula with other nominals of the same sort, the new instance it is also a pure formulas like ψ. Therefore, by hypothesis, we have M,v∣\joinrel=sψ for any v∈Ws. But also w∈Ws, hence M,w∣\joinrel=sψ, and we have a contradiction.
∎
Can we prove a similar result for the system HΣ(@,∀)? We give a positive answer to this question, inspired by the discussion on existential saturation rules from [3][Lemma 1]. In order to do this, we define the ∀∃-pure formulas and we characterize frame satisfiability for such formulas.
As consequence, Propositions 3.8 and 3.11 will lead to completeness results with respect to frame validity.
Definition 3.9**.**
In HΣ(@,∀), we say that a formula is ∀∃-pure if it is pure or it has the form ∀x1…∀xn∃y1…∃ymψ, where ψ contains no propositional variables and the only state symbols from ψ are in
{x1,…,xn,y1,…,ym}.
Proposition 3.10** (Pure formulas in HΣ(@,∀)).**
Let M be a named model where M=(W,(Rσ)σ∈Σ,(wc)c∈N,V), F=(W,(Rσ)σ∈Σ,(wc)c∈N) the corresponding frame and ϕ a ∀∃-pure formula of sort s. Then F∣\joinrel=sϕ if and only if M∣\joinrel=sϕ.
Proposition 3.11** (Pure formulas in HΣ(@,∀)).**
Let M be a named model where M=(W,(Rσ)σ∈Σ,(wc)c∈N,V), F=(W,(Rσ)σ∈Σ,(wc)c∈N) the corresponding frame and ϕ a ∀∃-pure formula of sort s. Then F∣\joinrel=sϕ if and only if M∣\joinrel=sϕ.
Proof.
Suppose M∣\joinrel=s∀x1…∀xn∃y1…∃ynϕ where y1,…,yn do not occur in ϕ. Hence, for any g and any w of sort s, M,g,w∣\joinrel=s∀x1…∀xn∃y1…∃ynϕ where y1,…,yn do not occur in ϕ. So, for any assignment g′∼x1,…,xng exists an assignment g′′∼y1,…,yng′ such that M,g′′,w∣\joinrel=sϕ(x1,…,xn,y1,…,yn). Let g′(xi)={wi} and g′′(yi)={wi′} for any i∈[n]. Because we work with named model, there exist nominals ki and ji such that VsN(ki)={wi} and VsN(ji)={wi′} for any i∈[n]. Therefore, we get for any k1,…,kn exist j1,…,jn such that M,g′′,w∣\joinrel=sϕ[k1/x1,…,kn/xn,j1/y1,…,jn/yn]. But now we have a pure formula and the assignment function will not affect the satisfiability of the formula. Therefore, for any k1,…,kn exist j1,…,jn such that F∣\joinrel=sϕ[k1/x1,…,kn/xn,j1/y1,…,jn/yn]. Therefore, for any assignment g and any w of sort s we have that for any k1,…,kn there exist j1,…,jn such that M′,g,w∣\joinrel=sϕ[k1/x1,…,kn/xn,j1/y1,…,jn/yn]. We use the contrapositive of (Q2) axiom to get that M′,g,w∣\joinrel=s∃y1…∃ynϕ[k1/x1,…,kn/xn] and by Lemma 3.14 we get that for any assignment g and any w of sort s we have that M′,g,w∣\joinrel=s∀x1,…,∀xn∃y1…∃ynϕ if and only if F∣\joinrel=s∀x1,…,∀xn∃y1…∃ynϕ.
∎
We are ready now to define the deductive systems of our logics.
The deductive systems for HΣ(@) and HΣ(@,∀) are presented in Figure 2.
In the sequel, our main focus is on the more expressive system H(@,∀). The properties and the proofs for
H(@) follow easily from their equivalent in the richer setting.
Theorems and (local) deduction from hypothesis are defined as in Section 2. In order to further develop our framework, we need to analyze the uniform substitutions. Apart for being S-sorted, in the hybrid setting, more restrictions are required: state variables are uniformly replaced by state symbols that are substitutable for them (as in the mono-sorted setting [4]). Nominals and constant nominals are always substitutable for state variables of the same sort. If x and z are state variables of the sort s, then we define:
if ϕ∈PROPs∪SVARs∪NOMs∪Ns, then z is substitutable for x in ϕ,
z is substitutable for x in ¬ϕ iff z is substitutable for x in ϕ,
z is substitutable for x in ϕ∨ψ iff z is substitutable for x in ϕ and ψ,
z is substitutable for x in σ(ϕ1,…,ϕn) iff z is substitutable for x in ϕi for all i∈[n],
z is substitutable for x in @jsϕ iff z is substitutable for x in ϕ,
z is substitutable for x in ∀yϕ iff x does not occur free in ϕ, or y=z and z is substitutable for x in ϕ.
In the sequel, we will say that a substitution is legal if it perform only allowed replacements. If ϕ is a formula and x is a state variable we denote by ϕ[z/x] the formula obtained by substituting z for all free occurrences of
x in ϕ (z must be a nominal, a constant nominal or a state variable substitutable for x).
Lemma 3.12** (Agreement Lemma).**
Let M be a standard model. For all standard
M-assignments g and h, all states w in M and all formulas ϕ of sort s∈S, if g and h agree on all state variables occurring freely in ϕ, then:
[TABLE]
Proof.
We suppose that g and h agree on all state variables occurring freely in ϕ on each sort. We prove this lemma by induction on the complexity of ϕ:
M,g,w∣\joinrel=sa iff a∈PROPs∪NOMs∪Ns we have w∈VsN(a) iff M,h,w∣\joinrel=sa.
M,g,w∣\joinrel=sx iff x∈SVARs we have w=gs(x), but gs(x)=hs(x), therefore M,h,w∣\joinrel=sx.
M,g,w∣\joinrel=s¬ϕ iff M,g,w∣\joinrel=sϕ. But, if g and h agree on all state variables occurring freely in ¬ϕ, then same for ϕ. Therefore, from the induction hypothesis, M,g,w∣\joinrel=sϕ iff M,h,w∣\joinrel=sϕ. Then M,g,w∣\joinrel=sϕ iff M,h,w∣\joinrel=sϕ. Then M,h,w∣\joinrel=s¬ϕ.
M,g,w∣\joinrel=sϕ∨ψ, iff M,g,w∣\joinrel=sϕ or M,g,w∣\joinrel=sψ. But, g and h agree on all state variables occurring freely in ϕ or ψ, then from induction hypothesis, we have (M,g,w∣\joinrel=sϕ iff M,h,w∣\joinrel=sϕ) or (M,g,w∣\joinrel=sψ iff M,h,w∣\joinrel=sψ). Then, (M,h,w∣\joinrel=sψ or M,h,w∣\joinrel=sψ) iff M,h,w∣\joinrel=sϕ∨ψ.
M,g,w∣\joinrel=sσ(ϕ1,…,ϕn) iff there is (w1,…,wn)∈Ws1×⋯×Wsn such that Rσww1…wn and M,g,wi∣\joinrel=siϕi for each i∈[n], then, by induction hypothesis M,h,wi∣\joinrel=siϕi for each i∈[n]. Hence, we have that there is (w1,…,wn)∈Ws1×⋯×Wsn such that Rσww1…wn and M,h,wi∣\joinrel=siϕi for each i∈[n] iff M,h,w∣\joinrel=sσ(ϕ1,…,ϕn).
M,g,w∣\joinrel=s@jsϕ iff M,g,v∣\joinrel=s′ϕ where Vs′N(j)={v} iff M,h,v∣\joinrel=s′ϕ where Vs′N(j)={v} (induction hypothesis) iff M,h,w∣\joinrel=s@jsϕ.
M,g,w∣\joinrel=s∀xϕ iff ∀g′(g′∼xg implies M,g′,w∣\joinrel=sϕ). But g and h agree on all state variables occurring freely in ∀xϕ and because x is bounded, then hs(y)=gs(y) for any y=x. Therefore, ∀g′(gs′(y)=gs(y)=hs(y) for any y=x implies M,g′,w∣\joinrel=sϕ) equivalent with ∀g′(g′∼xh implies M,h′,w∣\joinrel=sϕ) iff M,h,w∣\joinrel=s∀xϕ.
□
∎
Lemma 3.13** (Substitution Lemma).**
Let M be a standard model. For all standard
M-assignments g, all states w in M and all formulas ϕ, if y is a state variable that is substitutable for x in ϕ and j is a nominal then:
M,g,w∣\joinrel=sϕ[y/x]* iff M,g′,w∣\joinrel=sϕ where g′∼xg and gs′(x)=gs(y)*
M,g,w∣\joinrel=sϕ[j/x]* iff M,g′,w∣\joinrel=sϕ where g′∼xg and gs′(x)=VsN(j)*
Proof.
By induction on the complexity of ϕ.
ϕ=a, a∈PROPs∪NOMs∪Ns. Then a[y/x]=a and M,g,w∣\joinrel=sa[y/x] if and only if M,g,w∣\joinrel=sa if and only if w∈VsN(a). But g′∼xg and by Agreement Lemma M,g′,w∣\joinrel=sa.
ϕ=z, where z∈SVARs. We have two cases:
-
If z=x, then M,g,w∣\joinrel=sz[y/x] if and only if M,g,w∣\joinrel=sz if and only if M,g′,w∣\joinrel=sz (Agreement Lemma).
2. 2.
If z=x, then M,g,w∣\joinrel=sz[y/x] if and only if M,g,w∣\joinrel=sy if and only if w∈gs(y) if and only if w∈gs′(x) if and only if w∈gs′(z) if and only if M,g′,w∣\joinrel=sz.
ϕ=¬ϕ, then M,g,w∣\joinrel=s¬ϕ if and only if M,g,w∣\joinrel=sϕ if and only if M,g′,w∣\joinrel=sϕ (inductive hypothesis) if and only if M,g′,w∣\joinrel=s¬ϕ.
ϕ=ϕ∨ψ, then M,g,w∣\joinrel=s(ϕ∨ψ)[y/x] if and only if M,g,w∣\joinrel=sϕ[y/x] or M,g,w∣\joinrel=sψ[y/x] if and only if M,g′,w∣\joinrel=sϕ or M,g′,w∣\joinrel=sψ (inductive hypothesis) if and only if M,g′,w∣\joinrel=sϕ∨ψ.
ϕ=σ(ϕ1,…,ϕn), then M,g,w∣\joinrel=sσ(ϕ1,…,ϕn)[y/x] if and only if M,g,w∣\joinrel=sσ(ϕ1[y/x],…,ϕn[y/x]) if and only if exists (u1,…,un)∈Ws1×…×Wsn such that Rσwu1…un and M,g,ui∣\joinrel=siϕi[y/x] for any i∈[n] if and only if there exists (u1,…,un)∈Ws1×…×Wsn such that Rσwu1…un and M,g′,ui∣\joinrel=siϕi for any i∈[n] (inductive hypothesis) if and only if M,g′,w∣\joinrel=sσ(ϕ1,…,ϕn).
ϕ=@jsϕ, then M,g,w∣\joinrel=s@jsϕ[y/x] if and only if M,g,v∣\joinrel=sϕ[y/x] where Vs′N={v} if and only if M,g′,v∣\joinrel=s′ϕ where Vs′N={v} (inductive hypothesis) if and only if M,g′,w∣\joinrel=s@jsϕ.
ϕ=∀xϕ, then M,g,w∣\joinrel=s(∀xϕ)[y/z] if and only if M,g,w∣\joinrel=s(∀xϕ)[y/z] if and only if M,g,w∣\joinrel=s∀xϕ if and only if M,g′,w∣\joinrel=s∀xϕ (Agreement Lemma).
For the next case we will use the notation gx←y to specify that x is substituted by y, therefore, if x if free in a formula, after substitution we will not have any more x.
Claim 1**.**
The following two statements are equivalent:
For all g′, if g′∼zg then M,g′x←y,w∣\joinrel=sϕ.
For all g′, if g′∼zgx←y then M,g′,w∣\joinrel=sϕ.
Proof.
Suppose for all g′, if g′∼zg then M,g′x←y,w∣\joinrel=sϕ and g′∼zgx←y. Since gs′(o)=gsx←y(o) for any o=z and x=z, then gs′(x)=gsx←y(x)=gs(y). Therefore, gs′=gs′x←y and g′=g′x←y. Hence, M,g′,w∣\joinrel=sϕ. Next, suppose for all g′, if g′∼zgx←y then M,g′,w∣\joinrel=sϕ and g′∼zg. Therefore, gs′x←y∼zgsx←y, so g′x←y∼zgx←y. From second case, we have that M,g′x←y,w∣\joinrel=sϕ.
∎
ϕ=∀zϕ, where z=x. Suppose M,g,w∣\joinrel=s(∀zϕ)[y/x] iff M,g,w∣\joinrel=s∀z(ϕ[y/x]) iff for all g′, if g′∼zg then M,g′,w∣\joinrel=sϕ[y/x] iff for all g′, if g′∼zg then M,g′x←y,w∣\joinrel=sϕ (induction hypothesis) iff or all g′, if g′∼zgx←y then M,g′,w∣\joinrel=sϕ (Claim 1) iff M,gx←y,w∣\joinrel=s∀zϕ where gs′(x)=g(y) and g′∼zg iff M,g′,w∣\joinrel=s∀zϕ where gs′(x)=gs(y) and g′∼zg (Agreement Lemma).
∎
Lemma 3.14** (Generalization on nominals).**
Assume ∣\joinrel\joinrel sϕ[i/x] where i∈NOMt and x∈SVARt for some t∈S. Then there is a state variable y∈SVARt that does not appear in ϕ such that ∣\joinrel\joinrel sϕ[y/x]
Proof.
There are two cases. First, let us suppose that x does not occur free in ϕ, therefore ϕ[j/x] is identical to ϕ[y/x], hence as ϕ[j/x] is provable, so is ∀yϕ[y/x] for any choice of y.
Secondly, suppose that x occur free in ϕ. Suppose ϕ[j/x]. Hence we have a proof of ϕ[j/x] and we choose any variable y that does not occur in the proof, or in ϕ. We replace every occurrence of j in the proof of ϕ[j/x] with y. It follows by induction on the length of proofs that this new sequence is a proof of ϕ[y/x]. By generalization we extend the proof with ∀y(ϕ[y/x]) and we can conclude that ∀y(ϕ[y/x]) is provable.
∎
The systems HΣ(@) and HΣ(@,∀) are sound with respect to the intended semantics.
Proposition 3.15** (Soundness).**
The deductive systems for HΣ(@) and HΣ(@,∀) from Figure 2 are sound.
Proof.
We will only prove the soundness of the more complex system H(@,∀), since this proof is similar for the HΣ(@) system.
Let M be an arbitrary model and w any state of sort s.
(K@)
Suppose M,g,w∣\joinrel=s@js(ϕt→ψt) if and only if M,g,v∣\joinrel=tϕt→ψt where VtN(j)={v} iff M,g,v∣\joinrel=tϕt implies M,g,v∣\joinrel=tψt where VtN(j)={v}. Suppose M,g,w∣\joinrel=s@jsϕt and VtN(j)={v}. Then M,g,v∣\joinrel=tϕt where VtN(j)={v} , but this implies that M,g,v∣\joinrel=tψt where VtN(j)={v} iff M,g,w∣\joinrel=s@jsψt.
(Agree)
Suppose M,g,w∣\joinrel=t′@kt′@jtϕs iff M,g,v∣\joinrel=t@jtϕs where VtN(k)={v} iff M,g,u∣\joinrel=sϕs where VtN(k)={v} and VsN(j)={u}. Then M,g,u∣\joinrel=sϕs where VsN(j)={u} which implies that M,g,w∣\joinrel=t′@jt′ϕs.
(SelfDual)
Suppose M,g,w∣\joinrel=s\neg@js¬ϕt iff M,g,w∣\joinrel=s@js¬ϕt iff M,g,v∣\joinrel=t¬ϕt where VtN(j)={v} iff M,g,v∣\joinrel=tϕt where VtN(j)={v} iff M,g,w∣\joinrel=s@jsϕt.
(Back)
Suppose M,g,w∣\joinrel=sσ(…,ϕi−1,@jsiψt,ϕi+1,…)s if and only if there is (w1,…,wn)∈Ws1×⋯×Wsn such that Rσww1…wn and M,g,wi∣\joinrel=siϕi for any i∈[n]. This implies that there is wi∈Wsi such that M,g,wi∣\joinrel=si@jsiψt, then M,g,v∣\joinrel=tψt where VtN(j)={v}. Hence, M,g,w∣\joinrel=s@jsψt
(Ref)
Suppose M,g,w∣\joinrel=s@jsjt. Then M,g,v∣\joinrel=tj where VtN(j)={v}, contradiction.
(Intro)
Suppose M,g,w∣\joinrel=sj and M,g,w∣\joinrel=sϕs. Then VsN(j)={w} and M,g,w∣\joinrel=sϕs implies that M,g,w∣\joinrel=s@jsϕs. Now, suppose M,g,w∣\joinrel=sj and M,g,w∣\joinrel=s@jsϕs. Because, from the first assumption, we have VsN(j)={w}, then, form the second one, we can conclude that M,g,w∣\joinrel=sϕs.
(Q1)
Suppose that M,g,w∣\joinrel=s∀x(ϕ→ψ) iff M,g′,w∣\joinrel=sϕ→ψ for all g′∼xg. Results that for all g′∼xg we have M,g′,w∣\joinrel=sϕ implies M,g′,w∣\joinrel=sψ. But ϕ contains no free occurrences of x, then for all g′∼xg we have (M,g,w∣\joinrel=sϕ implies M,g′,w∣\joinrel=sψ). Hence, M,g,w∣\joinrel=sϕ implies that, for all g′∼xg, M,g′,w∣\joinrel=sψ. Then, M,g,w∣\joinrel=sϕ implies that M,g,w∣\joinrel=s∀ψ iff M,g,w∣\joinrel=sϕ→∀xψ .
(Q2)
Suppose that M,g,w∣\joinrel=s∀xϕ. We need to prove that M,g′,w∣\joinrel=sϕ[y/x]. But this is equivalent, by Substitution Lemma, with proving that M,g′,w∣\joinrel=sϕ where g′∼xg and gs′(x)=gs(y). But M,g,w∣\joinrel=s∀xϕ iff M,g′,w∣\joinrel=sϕ for all g′∼xg. Let gs′(z)=g(y), if z=x, and gs′(z)=g(z), otherwise. Therefore, we have g′∼xg , gs′(x)=gs(y) and M,g′,w∣\joinrel=sϕ. For the case of substituting with a nominal is similar. We define gs′(x)=VsN(j), if z=x, and gs′(z)=g(z), otherwise.
(Name) Suppose that M,g,w∣\joinrel=s∃xx iff exists g′∼xg and M,g′,w∣\joinrel=sx. We choose g′ an x-variant of g such that gs′(x)={w}.
(Barcan)
Suppose M,g,w∣\joinrel=s∀xσ□(ϕ1,…,ϕn) then for all g′∼xg, and for all wi∈Wsi, i∈[n], Rσww1…wn implies M,g′,wi∣\joinrel=siϕi for all i∈[n]. But g and g′ agree on all state variables occurring freely. Therefore, for all wi∈Wsi, i∈[n], Rσww1…wn and all g′∼xg , we have M,g,wi∣\joinrel=siϕi for all i∈[n] and i=l and M,g′,wl∣\joinrel=slϕl. Hence, for the l-th argument, we have M,g,wl∣\joinrel=sl∀xϕl. So, M,g,w∣\joinrel=sσ□(ϕ1,…,∀xϕl…ϕn).
(Barcan@)
Suppose M,g,w∣\joinrel=s∀x@jsϕ iff M,g′,w∣\joinrel=s@jsϕ for all g′∼xg. Then, M,g′,v∣\joinrel=tϕ for all g′∼xg where VtN(j)={v} and so M,g,v∣\joinrel=t∀xϕ where VtN(j)={v}. Hence, M,g,w∣\joinrel=s@js∀xϕ.
(Nom x)
Suppose M,g,w∣\joinrel=s@jsx and M,g,w∣\joinrel=s@ksx. Then M,g,v∣\joinrel=tx where VtN(j)={v} and M,g,u∣\joinrel=tx where VtN(k)={u}. This implies that u=v, so VtN(j)=VtN(k). Then M,g,w∣\joinrel=s@jsk for any model M and any world w.
(BroadcastS)
Suppose M,g,w∣\joinrel=s@jsϕt if and only if M,g,v∣\joinrel=tϕt where VtN(j)={v}. Hence, for any s′∈S we have M,g,w∣\joinrel=s′@js′ϕt.
Now, let M be an arbitrary named model.
(Name@) Suppose M,g,w∣\joinrel=s@jsϕ iff M,g,v∣\joinrel=s′ϕ where Vs′N(j)={v}, but we work in named models, therefore, in any model M there exist v and j where Vs′N(j)={v} and this implies M,g,v∣\joinrel=s′ϕ.
(Paste) Suppose M,g,w∣\joinrel=s@jsσ(ψ1,…,ψi−1,k,ψi+1,…,ψn)\wedge@ksϕ→ψ
iff M,g,w∣\joinrel=s@jsσ(ψ1,…,ψi−1,k,ψi+1,…,ψn) and
M,g,w∣\joinrel=s@ksϕ implies M,g,w∣\joinrel=sψ. Hence, M,g,v∣\joinrel=s′σ(ψ1,…,ψi−1,k,ψi+1,…,ψn) where Vs′N(j)={v} iff exists (v1,…,vn)∈(Ws1×…×Wsn) such that Rσvv1…vi…vn where Vs′N(j)={v} and M,g,ve∣\joinrel=s′ψe for any e∈[n],e=i and M,g,vi∣\joinrel=sik iff VsiN(k)={vi}. If M,g,w∣\joinrel=s@ks and VsiN(k)={vi}, then M,g,vi∣\joinrel=siϕ.
Then, if there exists (v1,…,vn)∈(Ws1×…×Wsn) such that Rσvv1…vi…vn where Vs′N(j)={v} and M,g,ve∣\joinrel=s′ψe for any e∈[n],e=i and M,g,vi∣\joinrel=siϕ, these imply M,g,w∣\joinrel=sψ. So, M,g,v∣\joinrel=s′σ(ψ1,…,ψi−1,ϕ,ψi+1,…,ψn) where Vs′N(j)={v} implies M,g,w∣\joinrel=sψ.
In conclusion, M,g,w∣\joinrel=s′@jsσ(ψ1,…,ψi−1,ϕ,ψi+1,…,ψn)→ψ.
∎
Lemma 3.16**.**
The following formulas are theorems:
[TABLE]
if ∣\joinrel\joinrel sϕ→j then
∣\joinrel\joinrel tσ(…,ϕ,…)→σ(…,j,…)\wedge@jtϕ
for any s,t∈S, σ∈Σt1⋯tn,t, j∈NOMs∪Ns and ϕ a formula of sort s.
Proof.
In the sequel, by PL we mean classical propositional logic and by ML we mean the basic modal logic.
- (Nom)
(1) ∣\joinrel\joinrel tj→(ϕ\leftrightarrow@jtϕ) (Intro)
(2) ∣\joinrel\joinrel s@ks(j→(ϕ\leftrightarrow@jtϕ)) (Gen@)
(3) ∣\joinrel\joinrel s@ks(j→(ϕ\leftrightarrow@jtϕ))→(@ksj\to@ks(ϕ\leftrightarrow@jtϕ)) (K@)
(4) ∣\joinrel\joinrel s@ksj\to@ks(ϕ\leftrightarrow@jtϕ) (MP):(2),(3)
(5) ∣\joinrel\joinrel s@ks(ϕ\leftrightarrow@jtϕ)↔(@ksϕ\leftrightarrow@ks@jtϕ) ML
(6) ∣\joinrel\joinrel s@ksj→(@ksϕ\leftrightarrow@ks@jtϕ) PL:(4),(5)
(7) ∣\joinrel\joinrel s@ks@jtϕ\leftrightarrow@jsϕ (Agree)
(8) ∣\joinrel\joinrel s@ksj→(@ksϕ\leftrightarrow@jsϕ) PL:(6),(7)
(Sym)
(1) ∣\joinrel\joinrel s@ksj\wedge@jsk\to@jsk Taut
(2) ∣\joinrel\joinrel s@ksj\wedge@jsk\to@jsk)→(@ksj→(@jsk\to@jsk)) Taut
(3) ∣\joinrel\joinrel s@ksj→(@jsk\to@jsk) (MP):(1),(2)
(4) ∣\joinrel\joinrel s(@jsk\to@jsk)\to@jsk PL
(5) ∣\joinrel\joinrel s@ksj\to@jsk PL
(6) ∣\joinrel\joinrel s@jsk\to@ksj Analogue
(7) ∣\joinrel\joinrel s@jsk\leftrightarrow@ksj PL:(5),(6)
(Bridge)
(1) ∣\joinrel\joinrel \joinrel sσ(…ϕi1,j,ϕi+1…)∧σ□(…,¬ϕi−1,ϕ,¬ϕi+1,…)→\hfill
σ(…ϕi−1,j∧ϕ,ϕi+1,…) ML
(2) ∣\joinrel\joinrel sj∧ϕ\to@jsϕ (Intro)
(3) ∣\joinrel\joinrel sσ(…ϕi−1,j∧ϕ,ϕi+1,…)→σ(…ϕi−1,@jsϕ,ϕi+1,…) ML
(4) ∣\joinrel\joinrel sσ(…ϕi−1,@jsϕ,ϕi+1,…)\to@jsϕ (Back)
(5) ∣\joinrel\joinrel sσ(…ϕi1,j,ϕi+1…)∧σ□(…,¬ϕi−1,ϕ,¬ϕi+1,…)\to@jsϕ PL
(6) ∣\joinrel\joinrel sσ(…ϕi1,j,ϕi+1…)∧σ□(…,¬ϕi−1,¬ϕ,¬ϕi+1,…)\to@js¬ϕ (5)
(7) ∣\joinrel\joinrel s\neg@js¬ϕ→¬(σ(…ϕi1,j,ϕi+1…)∧σ□(…,¬ϕi−1,¬ϕ,¬ϕi+1,…)) PL
(8) ∣\joinrel\joinrel s@jsϕ→(¬σ(…ϕi1,j,ϕi+1…)∨¬σ□(…,¬ϕi−1,¬ϕ,¬ϕi+1,…)) PL
(9) ∣\joinrel\joinrel s@jsϕ→(¬σ(…ϕi1,j,ϕi+1…)∨σ(…,ϕi−1,ϕ,ϕi+1,…)) (Dual)
(9) ∣\joinrel\joinrel s@jsϕ→(σ(…ϕi1,j,ϕi+1…)→σ(…,ϕi−1,ϕ,ϕi+1,…)) PL
(10) ∣\joinrel\joinrel s@jsϕ∧σ(…ϕi1,j,ϕi+1…)→σ(…,ϕi−1,ϕ,ϕi+1,…) PL
(1) ∣\joinrel\joinrel sj→(¬ϕ\leftrightarrow@js¬ϕ) (Intro)
(2) ∣\joinrel\joinrel sj→(¬ϕ\leftrightarrow@js¬ϕ)→(j→(@js¬ϕ→¬ϕ)) PL
(3) ∣\joinrel\joinrel sj→(@js¬ϕ→¬ϕ) (MP):(1),(2)
(4) ∣\joinrel\joinrel s(j→(@js¬ϕ→¬ϕ))→(j\wedge@js¬ϕ→¬ϕ) PL
(5) ∣\joinrel\joinrel sj\wedge@js¬ϕ→¬ϕ (MP):(3),(4)
(6) ∣\joinrel\joinrel sϕ→(¬j\vee@jsϕ) PL,(SelfDual)
(7) ∣\joinrel\joinrel sϕ→j hypothesis
(8) ∣\joinrel\joinrel sϕ→(¬j\vee@jsϕ)∧j PL
(9) ∣\joinrel\joinrel sϕ\to@jsϕ∧j PL
(10) ∣\joinrel\joinrel s(ϕ\to@jsϕ)∧(ϕ→j) PL
(11) ∣\joinrel\joinrel sϕ\to@jsϕ PL
Therefore, if ∣\joinrel\joinrel sϕ→j then ∣\joinrel\joinrel sϕ\to@jsϕ.
(1) ∣\joinrel\joinrel sϕ→j hypothesis
(2) ∣\joinrel\joinrel tσ(…,ψi−1,ϕ,ψi+1,…)→σ(…,ψi−1,j,ψi+1,…) ML(1)
(3) ∣\joinrel\joinrel sϕ\to@jsϕ (1)
(4) ∣\joinrel\joinrel tσ(…,ψi−1,ϕ,ψi+1,…)→σ(…,ψi−1,@jsϕ,ψi+1,…) ML(3)
(5) ∣\joinrel\joinrel tσ(…,ψi−1,ϕ,ψi+1,…)\to@jtϕ (Back),PL(4)
(6) ∣\joinrel\joinrel tσ(…,ψi−1,ϕ,ψi+1,…)→(σ(…,ψi−1,j,ψi+1,…)\wedge@jtϕ) PL:(2),(5)
Therefore, if ∣\joinrel\joinrel sϕ→j then
∣\joinrel\joinrel tσ(…,ϕ,…)→σ(…,j,…)\wedge@jtϕ.
∎
Let ⊥s denote a formula of sort s that is nowhere true. If s∈S and Γs is a set of formulas of sort s, then Γs is consistent if Γs ∣\joinrel\joinrel\joinrel s⊥s. An inconsistent set of formulas is a set of formulas of the same sort that is not consistent. Maximal consistent sets are defined as usual.
In the rest of the section we develop the proof of the strong completeness theorem for our hybrid logical systems, possibly extended with additional axioms. If Λ is a set of formulas, we denote by H(@)+Λ and H(@,∀)+Λ the systems obtained when the formulas of Λ are seen as additional axiom schemes.
The main steps are: the extended Lindenbaum Lemma, the construction of the Henkin model and the Truth Lemma (all of them extending the similar results in the mono-sorted case). In order to state our extended Lindenbaum Lemma, we need to define the named, pasted and @-witnessed sets of formulas.
Definition 3.17** (Named, pasted and @-witnessed sets).**
Let s∈S and Γs be a set of formulas of sort s from
HΣ(@). We say that
Γs* is named if one of its elements is a nominal or a constant nominal,*
Γs* is pasted if, for any t∈S, σ∈Σs1⋯sn,t, k∈NOMt∪Nt, and ϕ a formula of sort si, whenever @ksσ(…,ϕi−1,ϕ,ϕi+1,…)∈Γs there exists a nominal j∈NOMsi such that @ksσ(…,ϕi−1,j,ϕi+1,…)∈Γs and @jsϕ∈Γs.*
If Γs be a set of formulas of sort s from HΣ(@,∀) then we say that
Γs* is @-witnessed if the following two conditions are satisfied:*
for s′,t∈S , x∈SVARt, k∈NOMs′∪Ns′ and any formula ϕ of sort s′, whenever @ks∃xϕ∈Γs there exists j∈NOMt such that @ksϕ[j/x]∈Γs,
for any t∈S and x∈SVARt there is js∈NOMt such that @jxsx∈Γs.
Lemma 3.18** (Extended Lindenbaum Lemma).**
*Let Λ be a set of formulas in the language of HΣ(@) (in the language of HΣ(@,∀)) and s∈S. Then any consistent set Γs of formulas of sort s from HΣ(@)+Λ (from HΣ(@,∀)+Λ) can be extended to a named and pasted *(named, pasted and @-witnessed ) maximal consistent set by adding countably many nominals to the language.
Proof.
The proof generalizes to the S-sorted setting well-known proofs for the mono-sorted hybrid logic, see [6, Lemma 7.25], [3, Lemma 3, Lemma 4], [4, Lemma 3.9].
For each sort s∈S, we add a set of new nominals and enumerate this set. Given a set of formulas Γs, define Γsk to be Γs∪{ks}∪{@jxsx∣ x∈SVARs}, where ks is the first new nominal of sort s in our enumeration and jx are such that if x and y are different state variables of sort s then also jx and jy are different nominals of same sort s. Now that we know we are working on the sort s, we will write k instead of ks.
Suppose Γsk is not consistent. Then there exists some conjunction of formulas θ∈Γs such that ∣\joinrel\joinrel sk→¬θ. We use the (Gen@) rule and the (K@) axiom to prove that ∣\joinrel\joinrel s@ksk\to@ks¬θ. From the (Ref) axiom and the (MP) rule it follows ∣\joinrel\joinrel s@ks¬θ. Remember that k is a new nominal, so it does not occur in θ and we use (Name@) rule to get that ∣\joinrel\joinrel s¬θ⇒¬θ∈Γs. But this contradicts the consistency of Γs. Now, we prove the case for the additional @jxsx formulas. Suppose ∣\joinrel\joinrel sθ→\neg@jxsx. We use the (SelfDual) axiom to get ∣\joinrel\joinrel s¬θ\vee@jxs¬x. If ∣\joinrel\joinrel s¬θ, this contradicts the consistency of Γs. If ∣\joinrel\joinrel s@jxs¬x, then ∣\joinrel=s@jxs¬x. Hence, for any model M, any assignment function g and any world w∈Ws, we have M,g,w∣\joinrel=s@jxs¬x if and only if M,g,v∣\joinrel=s¬x where VsN(jx)={v}. Then for any model M and any assignment g, gs(x)=VsN(jx), contradiction.
Now we enumerate on each sort s∈S all the formulas of the new language obtained by adding the set of new nominals and define Γ0:=Γsk. Suppose we have defined Γm, where m≥0. Let ϕm+1 be the m+1−th formula of sort s in the previous enumeration. We define Γm+1 as follows. If Γm∪{ϕm+1} is inconsistent, then Γm+1=Γm. Otherwise:
Γm+1=Γm∪{ϕm+1}, if ϕm+1 is neither of the form @jσ(…,φ,…), nor of the form @j∃xφ(x), where j is any nominal of sort s′′, φ a formula of sort s′′ and x∈SVARs′′.
Γm+1=Γm∪{ϕm+1}∪{@jσ(…,k,…)\wedge@kφ}, if ϕm+1 is of the form @jσ(…,φ,…).
Γm+1=Γm∪{ϕm+1}∪{@jφ[k/x]}, where ϕm+1 is of the form @j∃xφ(x).
In clauses (ii) and (iii), k is the first new nominal in the enumeration that does not occur neither in Γi for all i≤m, nor in @jσ(…,φ,…).
Let Γ+=⋃n≥0Γn. Because k∈Γ0⊆Γ+, this set in named, maximal, pasted and @-witnessed by construction. We will check if it is consistent for the expansion made in the second and third items.
Suppose Γm+1=Γm∪{ϕm+1}∪{@jσ(…,k,…)\wedge@kφ} is an inconsistent set, where ϕm+1 is @jσ(…,φ,…). Then there is a conjunction of formulas χ∈Γm∪{ϕm+1} such that ∣\joinrel\joinrel sχ→¬(@jσ(…,k,…)\wedge@kφ) and so ∣\joinrel\joinrel s@jσ(…,k,…)\wedge@kφ→¬χ. But k is the first new nominal in the enumeration that does not occur neither in Γm, nor in @jσ(…,φ,…) and by Paste rule we get ∣\joinrel\joinrel s@jσ(…,φ,…)→¬χ∣\joinrel\joinrel⇒\joinrel sχ→\neg@jσ(…,φ,…), which contradicts the consistency of Γm∪{ϕm+1}.
Suppose Γm+1=Γm∪{ϕm+1}∪{@jφ[k/x]} is inconsistent, where ϕm+1 is @j∃xφ(x). Then there is a conjunction of formulas χ∈Γm∪{ϕm+1} such that ∣\joinrel\joinrel s χ→\neg@jφ[k/x], where k is the new nominal. By generalization on nominals (Lemma 3.14) we can prove ∣\joinrel\joinrel s ∀y(χ→\neg@jφ[y/x]), where y is a state variable that does not occur in χ→\neg@jφ[k/x]. Using (Q1) axiom, we get ∣\joinrel\joinrel s χ→∀y\neg@jφ[y/x] and by (SelfDual) ∣\joinrel\joinrel s χ→∀y@j¬φ[y/x]. Next, we use (Barcan@) to get ∣\joinrel\joinrel s χ\to@j∀y¬φ[y/x]). Because x has no free occurrences in φ[y/x], we can prove that @j∀y¬φ[y/x])\leftrightarrow@j∀x¬φ. Therefore, ∣\joinrel\joinrel s χ\to@j∀x¬φ , so ∣\joinrel\joinrel s χ\to@j¬∃xφ . Use once again (SelfDual) and we have ∣\joinrel\joinrel s χ→\neg@j∃xφ. Then \neg@j∃xφ ∈Γm∪{ϕm+1}, but this contradicts the consistency of Γm∪{ϕm+1}.
∎
We are now ready to define a Henkin model, see [1, 3]
for the mono-sorted hybrid modal logic.
Definition 3.19** (The Henkin model).**
Let s∈S and assume Γs is a maximal consistent set of formulas of sort s from HΣ(@) (from HΣ(@,∀)). For any t∈S and j∈NOMt∪Nt we define
∣j∣={k∈NOMt∪Nt∣@jsk∈Γs}. The Henkin model is MΓs=(WΓ,(RσΓ)σ∈Σ,(∣c∣)c∈N,VΓ) where
[TABLE]
For the system HΣ(@,∀), under the additional assumption that Γs is @-witnessed, we define
the assignment gΓ:SVAR→WΓ by
[TABLE]
Lemma 3.20**.**
The Henkin model from Definition 3.19 is well-defined.
Proof.
Let s∈S and assume that Γs is a set of formulas of sort s. Note that RσΓ is well-defined by (Nom) and (Bridge) from Lemma 3.16. For t∈S and j∈NOMt, VΓ(j) is well-defined by axiom (Ref). For the system HΣ(@,∀), we further that Γs is also @-witnessed so, for any t∈S and x∈SVARt, there is a nominal j∈NOMt such that @jsx∈Γ. The fact that gΓ is well-defined follows by (Nomx).
∎
Lemma 3.21** (Truth Lemma).**
Let s∈S and assume Γs is a named and pasted maximal consistent set of formulas of sort s from HΣ(@). For any sort t∈S, j∈NOMt∪Nt and for any formula ϕ of sort t we have MΓ,∣j∣∣\joinrel=tϕ\mboxiff@jsϕ∈Γs.
Let s∈S and assume Γs is a named, pasted and @-witnessed maximal consistent set of formulas of sort s from HΣ(@,∀). For any sort s′∈S, j∈NOMs′∪Ns′ and for any formula ϕ
of sort s′ we have MΓ,gΓ,∣j∣∣\joinrel=s′ϕ\mboxiff@jsϕ∈Γs.
Proof.
We make the proof by structural induction on ϕ.
MΓ,∣j∣∣\joinrel=s′a, where a∈PROPs′∪NOMs′∪Ns′ iff ∣j∣∈Vs′N(a) iff @jsa∈Γs.
MΓ,∣j∣∣\joinrel=s′x, where x∈SVARs′ iff gs′Γ(x)=∣j∣ iff @jsx∈Γs.
MΓ,∣j∣∣\joinrel=s′¬ϕ iff MΓ,∣j∣ ∣\joinrel=s′ϕ iff @jsϕ∈Γs, but we work with consistent sets, therefore @jsϕ∈Γs iff \neg@jsϕ∈Γs iff @js¬ϕ∈Γs (SelfDual).
MΓ,∣j∣∣\joinrel=s′ϕ∨φ iff MΓ,∣j∣∣\joinrel=s′ϕ or MΓ,∣j∣∣\joinrel=s′φ iff (inductive hypothesis) @jsϕ∈Γs or @jsφ∈Γs iff @jsϕ\vee@jsφ∈Γs iff @js(ϕ∨φ)∈Γs.
MΓ,∣j∣∣\joinrel=s′σ(ϕ1,…,ϕn) iff exists ∣ki∣∈Wsi such that R∣j∣∣k1∣…∣kn∣ and MΓ,∣ki∣∣\joinrel=siϕi for any i∈[n]. Using the induction hypothesis, we get @kisϕi∈Γs. But R∣j∣∣k1∣…∣kn∣ iff @jsσ(k1,…,kn)∈Γs. Use the Bridge axiom to prove @jsσ(k1,…,kn)\wedge@k1sϕ1∧…\wedge@knsϕn\to@jsσ(ϕ1,…,ϕn), so @jsσ(ϕ1,…,ϕn)∈Γs. Now, suppose @jsσ(ϕ1,…,ϕn)∈Γs. We work with pasted models, so there are some nominals ki such that @jsσ(k1,…,kn)∈Γs and @kisϕi∈Γs for any i∈[n]. Therefore, exists ki such that R∣j∣∣k1∣…∣kn∣ and, by induction hypothesis, MΓ,∣ki∣∣\joinrel=siϕi for any i∈[n] if and only if MΓ,∣j∣∣\joinrel=s′σ(ϕ1,…,ϕn).
MΓ,∣j∣∣\joinrel=s′@ks′ϕ iff MΓ,∣k∣∣\joinrel=s′′ϕ , but from induction hypothesis @ksϕ∈Γs and by applying (Agree) we get @js@ksϕ∈Γs.
Further, for the HΣ(@,∀) system, we need to pay attention to the assignment function and it only affects the following cases.
@js∃xϕ∈Γs, then there exists l∈NOMs′ such that @jsϕ[l/x]∈Γs. Let g′∼xgΓ such that gs′′(x)={∣l∣}. Therefore, there exists l∈NOMs′ such that gs′′(x)={∣l∣}, g′∼xgΓ and MΓ,g′,∣j∣∣\joinrel=s′ϕ iff MΓ,gΓ,∣j∣∣\joinrel=s′∃xϕ.
MΓ,gΓ,∣j∣∣\joinrel=s′∃xϕ iff exists g′∼xgΓ and MΓ,g′,∣j∣∣\joinrel=s′ϕ. Let gs′′(x)={∣l∣}. Hence, there exists l∈NOMs′ such that gs′′(x)={∣l∣}, g′∼xgΓ and MΓ,g′,∣j∣∣\joinrel=s′ϕ iff MΓ,g,∣j∣∣\joinrel=s′ϕ[l/x] and from inductive hypothesis @jsϕ[l/x]∈Γs. Use the contrapositive of the (Q2) axiom, ∣\joinrel\joinrel s′ϕ[l/x]→∃xϕ and the (Gen@) and (K@) rules to obtain @jsϕ[l/x]\to@js∃xϕ∈Γs. Therefore, @js∃xϕ∈Γs.
∎
We are ready now to prove the strong completeness theorem for the hybrid logics HΣ(@) and HΣ(@,∀) extended with axioms from Λ. For a logic L, the relation ∣\joinrel\joinrel sL denotes the local deduction, the relation ∣\joinrel=sMod(L) denotes the semantic entailment w.r.t. models satisfying all the axioms of L, while ∣\joinrel=sL denotes the semantic entailment w.r.t. frames satisfying all the axioms of L.
Theorem 3.22** (Completeness).**
Strong model-completeness*. Let Λ be a set of formulas in the language of HΣ(@) *(*a set of formulas in the language of HΣ(@,∀)) and s∈S and assume Γs is a set of formulas of sort s. If Γs is a consistent set in L=HΣ(@)+Λ *(in L=HΣ(@,∀)+Λ) then Γs has a model that is also a model of Λ. Consequently, for a formula ϕ of sort s,
Γs∣\joinrel=sMod(L)ϕ\mboxiffΓ∣\joinrel\joinrels\joinrel sLϕ.
Strong frame-completeness for pure extensions*. Let Λ be a set of pure formulas in the language of HΣ(@) *(*a set of ∀∃-pure formulas in the language of HΣ(@,∀)) and s∈S and assume Γs is a set of formulas of sort s. If Γs is a consistent set in L=HΣ(@)+Λ *(in L=HΣ(@,∀)+Λ) then Γs has a model based on a frame that validates every formula in Λ. Consequently, for a formula ϕ of sort s,
Γs∣\joinrel=sMod(L)ϕ\mboxiffΓ∣\joinrel\joinrels\joinrel sLϕ.
Proof.
Since 1. is obvious, we only prove 2. If Γs is a consistent set in HΣ(@,∀)+Λ then, applying the Extended Lindenbaum Lemma, then Γs⊆Θs, where Θs is a maximal consistent named, pasted and @-witnessed set (in an extended language L′). If MΘ is the Henkin model and gΘ is the assignment from Definition 3.19 then, by Truth Lemma,
MΘ,gΘ,∣j∣∣\joinrel=sΓs for any t∈S and j∈NOMt∪Nt. Moreover, MΘ is a named model (in the extended language) that is also a model of Λ. By Proposition 3.11, the underlying frame of MΘ satisfies the ∀∃-pure formulas from Λ. Hence the logic HΣ(@,∀)+Λ is strongly complete w.r.t to the class of frames satisfying Λ. Assume that Γs∣\joinrel=sΛϕ and suppose that Γs ∣\joinrel\joinrel\joinrel sϕ. It follows that
Γs∪{¬ϕ} is inconsistent, so there exists a model of Γs based on a frame satisfying Λ that is not a model of ϕ. We get a contradiction, so the intended completeness result is proved.
∎
The following useful results can be easily proved semantically:
Proposition 3.23**.**
(Nominal Conjunction) For any formulas and any nominals of appropriate sorts, the following hold:
σ(…,ϕi−1,ϕi,ϕi+1,…)\wedge@k(ψ)↔σ(…,ϕi−1,ϕi\wedge@k(ψ),ϕi+1,…)**
σ□(…,ϕi−1,ϕi,ϕi+1,…)\wedge@k(ψ)↔**
σ□(…,ϕi−1,ϕi\wedge@k(ψ),ϕi+1,…)\wedge@k(ψ)**
If ϕ1,…ϕn are formulas of appropriate sorts and x is a state variable that does not occur in ϕj for any j=i then:
∃xσ□(…,ϕi−1,ϕi,ϕi+1,…)→σ□(,…,ϕi−1,∃xϕi,ϕi+1,…)**
Proof.
- (Nominal Conjunction)
M,g,w∣\joinrel=sσ(…,ϕi−1,ϕi,ϕi+1,…)\wedge@k(ψ) iff
M,g,w∣\joinrel=s@k(ψ) and M,g,w∣\joinrel=sσ(…,ϕi−1,ϕi,ϕi+1,…) iff
M,g,v∣\joinrel=s′ψ where Vs′N={v} and there exist w1∈Ws1,…,wn∈Wsn such that Rσww1⋯wn and M,g,wj∣\joinrel=sjϕj for all 1≤j≤n iff
there exist w1∈Ws1,…,wn∈Wsn such that Rσww1⋯wn and
M,g,wj∣\joinrel=sjϕj for all 1≤j≤n, j=i, and M,g,wi∣\joinrel=siϕi\wedge@k(ψ) iff
M,g,w⊨σ(…,ϕi−1,ϕi\wedge@k(ψ),ϕi+1,…)
M,g,w∣\joinrel=sσ□(…,ϕi−1,ϕi,ϕi+1,…)\wedge@k(ψ) iff
M,g,w∣\joinrel=s@k(ψ) and M,g,w∣\joinrel=s¬σ(…,¬ϕi−1,¬ϕi,¬ϕi+1,…) iff
M,g,v∣\joinrel=s′ψ where Vs′N={v} and for all w1∈Ws1,…,wn∈Wsn for which Rσww1⋯wn, there exists 1≤j≤n such that M,g,wj∣\joinrel=sjϕj iff
M,g,v∣\joinrel=s′ψ where Vs′N={v} and for all w1∈Ws1,…,wn∈Wsn for which Rσww1⋯wn, there exists 1≤j≤n, j=i such that M,g,wj∣\joinrel=sjϕj or M,g,wi∣\joinrel=siϕi iff
M,g,v∣\joinrel=s′ψ and for all w1∈Ws1,…,wn∈Wsn for which Rσww1⋯wn, there exists 1≤j≤n, j=i such that M,g,wj∣\joinrel=sjϕj or M,g,wi∣\joinrel=siϕi\wedge@k(ψ) iff
M,g,w∣\joinrel=sσ□(…,ϕi−1,ϕi\wedge@k(ψ),ϕi+1,…)\wedge@k(ψ)
M,g,w∣\joinrel=s∃xσ□(ϕ1,…,ϕi−1,ϕi,ϕi+1,…,ϕn) iff exists g′∼xg such that M,g′,w∣\joinrel=sσ□(ϕ1,…,ϕi−1,ϕi,ϕi+1,…,ϕn) iff exists g′∼xg such that for all vj∈Wsj, Rσwv1…vn implies M,g′,vj∣\joinrel=sjϕj for some j∈[n]. Then, for all vj∈Wsj, Rσwv1…vn implies there exists g′∼xg such that M,g′,vj∣\joinrel=sjϕj for some j∈[n]. But x does not occur in ϕj for any j∈[n] and j=i, so for all vj∈Wsj and vi∈Wsi, Rσwv1…vi…vn implies M,g′,vj∣\joinrel=sjϕj and there exists g′∼xg such that M,g′,vi∣\joinrel=siϕi for some i,j∈[n] and j=i. We use Agreement Lemma, for all vj∈Wsj and vi∈Wsi, Rσwv1…vi…vn implies M,g,vj∣\joinrel=sjϕj and M,g,vi∣\joinrel=si∃xϕi for some i,j∈[n] and j=i. Therefore, M,g,w∣\joinrel=sσ□(ϕ1,…,ϕi−1,∃xϕi,ϕi+1,…,ϕn).
∎
In the many-sorted setting one can wonder what happens if we have an S-sorted set of deduction hypothesis Γ={Γs}s∈S. The following considerations hold for any of HΣ(@) and HΣ(@,∀). Clearly, a model M is a model of Γ if M∣\joinrel=sγs for any s∈S and γs∈Γs (in this case we write M⊨Γ). Using the ”broadcasting” properties of the @i operators, we define another syntactic consequence relation:
Γ∣\joinrel∼sϕ* iff there are s1,…,sn∈S, j1∈NOMs1,…,jn∈NOMsn and γ1∈Γs1,…,γn∈Γsn such that ∣\joinrel\joinrel s@j1sγ1∧⋯\wedge@jnsγn→ϕ*.
Proposition 3.24** (∣\joinrel∼s soundness).**
Let Γ be an S-sorted set and ϕ a formula of sort s∈S. If Γ∣\joinrel∼sφ then M⊨Γ implies M∣\joinrel=sϕ for any model M.
Proof.
Let M be a model and assume
∣\joinrel\joinrel s@j1sγ1∧⋯\wedge@jnsγn→ϕ as above. If M⊨Γ then, by (Gen@), M∣\joinrel=sΓs∪{@j1sγ1,…,@jnsγn}. Using the soundness of the local deduction, we get the desired conclusion.
∎
4 A SMC-like language and a Hoare-like logic for it
To showcase the application of our logic into program verification, we have chosen to specify
a state-machine, whose expressions have side effects and where Hoare-like semantics are known to
be hard to use.
In Figure 4.1, we introduce the signature Σ=(S,Σ,N) of our logic as a context-free grammar (CFG) in a BNF-like form.
We make use of the established equivalence between CFGs and algebraic signatures (see, e.g., [15]), by mapping non-terminals to sorts and CFG productions to operation symbols.
Note that, due to non-terminal renamings (e.g., AExp ::= Nat), it may seem that our syntax relies on subsorting. However, this is done for readability reasons only. The renaming of non-terminals in syntax can be thought of as syntactic sugar for defining injection functions. For example, AExp ::= Nat can be thought of as AExp ::= nat2Exp(Nat), and all occurrences of an integer term in a context, in which an expression is expected, could be wrapped by the nat2Exp function.
Our language is inspired by the SMC machine [19] which consists of a set of transition rules defined between configurations of the form ⟨S,M,C⟩, where S is the value stack of intermediate results, M represents the memory, mapping program identifiers to values, and C is a control stack of commands representing the control flow of the program.
Since our target is to extend the Propositional Dynamic Logic (PDL) [14], we identify the control stack with the notion of program in dynamic logic, and use the ”;” operator to denote stack composition. We define our formulas to stand for configurations of the form ⟨vs,mem⟩ comprising only of a value stack and a memory. Hence, the sorts CtrlStack and Config correspond to programs and formulas from PDL, respectively.
Inspired by PDL, we use the dual modal operator
[_]_:CtrlStack×Config→Config
to assert that a configuration formula must hold after executing the commands in the control stack.
The axioms defining the dynamic logic semantics of the SMC machine are then formulas of the form
cfg→[ctrl]cfg′
saying that a configuration satisfying cfg must change to one satisfying cfg′ after executing ctrl.
The usual operations of dynamic logic ;, ∪, ∗ are defined accordingly [14, Chapter 5]. We depart from PDL with the definition of ? (test): in our setting, in order to take a decision, we test the top value of the value stack. Consequently, the signature of the test operator is ?:Val→CtrlStack.
A deductive system, that allows us to accomplish our goal, is defined in Figure 4.1. In this way we define an expansion of H(@,∀).
Our definition is incomplete (e.g. we do not fully axiomatize the natural numbers), but one can see that,e.g. NBool={true,false}.
To simplify the presentation, we omit sort annotations in the sequel; these should be easily inferrable from the context.
Remark 4.1**.**
Assume that Λ contains all the axioms from Figure
and denote L=H(@,∀)+Λ.
Then L is a many-valued hybrid modal system associated to our language, and all results from Section 3 applies in this case. In particular, the system enjoys strong model-completeness. Moreover, we can safely assume that Λ contains only ∀∃-pure formulas, so L is strongly complete w.r.t the class of frames satisfying Λ by Theorem 3.22.
We present below several Hoare-like rules of inference. Note that they are provable from the PDL and language axioms.
Proposition 4.2**.**
The following rules are admissible :
Rules of Consequence**
- If ⊢ϕ→[α]ψ and ⊢ψ→χ then ⊢ϕ→[α]χ.
- If ⊢ϕ→[α]ψ and ⊢χ→ϕ then ⊢χ→[α]ψ.
-
Rule of Composition, iterated**
- If ϕ0→[α1]ϕ1, …, ϕn−1→[αn]ϕn, then ϕ0→[α1;…;αn]ϕn.
-
Rule of Conditional**
If B is a formula of sort Bool, and vs, mem, P are formulas of appropriate sorts such that
[TABLE]
then ⊢ϕ→[c(ifbthens1elses2)]χ
Proof.
In the sequel we shall mention the sort of a formula only when it is necessary.
Rule of Consequence follows easily by (UG).
Rule of Composition follows easily by (UG) and (CStmt).
Rule of Conditional. Since B is a formula of sort Bool, using the axiom (B1) and the completeness theorem, one can easily infer that
⊢B↔(true\wedge@trueB)∨(false\wedge@falseB)
Using the fact that any operator σ∈Σ commutes with disjunctions, Lemma 3.23 we get
(∗) ⊢\boldlangleB⋅vs,mem\boldrangle→(\boldlangletrue⋅vs,mem\boldrangle\wedge@trueB)∨
(\boldlanglefalse⋅vs,mem\boldrangle\wedge@falseB)
Now we prove that
⊢\boldlangletrue⋅vs,mem\boldrangle\wedge@trueB→[(true?;c(s1))∪(false;c(s2))]χ.
Note that \vdash@true(¬false), so we use (A?) and (A¬?) as follows:
⊢\boldlangletrue⋅vs,mem\boldrangle\wedge@trueB→\boldlangletrue⋅vs,mem\boldrangle\wedge@trueB\wedge@true(¬false)
⊢\boldlangletrue⋅vs,mem\boldrangle→[true?]\boldlanglevs,mem\boldrangle
⊢\boldlangletrue⋅vs,mem\boldrangle\wedge@true(¬false)→[false?]⊥
Next we prove that
(@[]) \vdash@kφ→[α]@kφ
for any formulas α, φ and nominal k of appropriate sorts. Note that ⊢[α]⊤ so, using Lemma 3.23, we have the following chain of inferences:
\vdash@kφ\to@kφ∧[α]⊤
\vdash@kφ∧[α]⊤→[α]@kφ
and (@[]) easily follows.
Consequently
\vdash@trueB→[true?]@trueB
Since dual operators σ□ for σ∈Σ commutes with conjunctions, using also (h4) we get
⊢\boldlangletrue⋅vs,mem\boldrangle∧P\wedge@trueB→([true?](\boldlanglevs,mem\boldrangle∧P\wedge@trueB))∧[false?]⊥
By (h2) and (K) it follows that
⊢\boldlangletrue⋅vs,mem\boldrangle∧∧P@trueB→[true?;c(s1)]χ∧[false?]⊥
Since ⊥→[c(s2)]χ, and using (A∪) we proved
⊢\boldlangletrue⋅vs,mem\boldrangle∧P\wedge@trueB→[(true?;c(s1))∪(false?;c(s2))]χ.
In a similar way, we get
⊢\boldlanglefalse⋅vs,mem\boldrangle∧P\wedge@falseB→[(true?;c(s1))∪(false?;c(s2))]χ.
By (∗) we infer
⊢\boldlangleB⋅vs,mem\boldrangle→[(true?;c(s1))∪(false?;c(s2))]χ
Using (K) and (Dif) we get the conclusion.
∎
Note that our Rule of Conditional requires two more hypotheses, (h1) and (h4) than the inspiring rule in Hoare-logic.
(h1) is needed because language expressions are no longer identical to formulas and need to be evaluated; in particular this allows for expressions to have side effects.
(h4) is useful to carry over extra conditions through the rule; note that (h4) holds for all @jφ formulas.
Similarly, the Rule of Iteration needs to take into account the evaluation steps required for
evaluating the condition. Moreover, since assignment is now handled by a forwards-going operational
rule, we require existential quantification over the invariant to account for the values of the
program variables in the memory, and work
with instances of the existentially quantified variables.
Proposition 4.3** (Rule of Iteration).**
Let
B, vs, mem, and P be formulas with variables over x, where x is a set of state variables.
If there exist substitutions xinit and xbody for the variables of x such that:
(h1) ⊢ϕ→[c(b)](\boldlangleB⋅vs,mem\boldrangle∧P)[xinit/x],
(h2) ⊢\boldlanglevs,mem\boldrangle∧P\wedge@true(B)→[c(s);c(b)](\boldlangleB⋅vs,mem\boldrangle∧P)[xbody/x]
(h3) ⊢P→[α]P for any formula α of sort CtrlStack
then ⊢ϕ→[c(whilebdos)]∃x\boldlanglevs,mem\boldrangle∧P\wedge@false(B).
Proof.
Denote θ:=\boldlangleB⋅vs,mem\boldrangle∧P and
θI:=∃xθ. We think of θI as being the invariant of whilebdos.
Note that, using the contraposition of (Q2) and (h1) we infer that
(c1) ⊢ϕ→[c(b)]θI
In the following we firstly prove that
(c2) ⊢θI→[α]θI,
where α=true?;c(s);c(b). Since
⊢B↔(true\wedge@trueB)∨(false\wedge@falseB)
it follows that
⊢θ→(\boldlangletrue⋅vs,mem\boldrangle∧P\wedge@trueB)∨(\boldlanglefalse⋅vs,mem\boldrangle∧P\wedge@falseB)
By (A?), (h3) and (@[]) (from the proof of Proposition 4.2) we infer
⊢\boldlangletrue⋅vs,mem\boldrangle∧P\wedge@trueB→[true?](\boldlanglevs,mem\boldrangle∧P\wedge@trueB)
and, by (h2)
⊢\boldlangletrue⋅vs,mem\boldrangle∧P\wedge@trueB)→[α]θ[xbody/x]
Since \vdash@false(¬true), by (A¬?) we get
⊢\boldlanglefalse⋅vs,mem\boldrangle\wedge@false(¬true)→[true?]⊥, so
⊢\boldlanglefalse⋅vs,mem\boldrangle∧P\wedge@falseB)→[α]θ[xbody/x]
As consequence ⊢θ→[α]θ[xbody/x] and, using the contraposition of Q2,
we infer that θ→[α]θI. We use now the fact that
⊢∀x(φ(x)→ψ)→(∃xφ(x)→ψ) if x does not appear in ψ,
which leads us to ⊢θI→[α]θI. Using (UG) we get ⊢[c(b);α∗](θI→[α]θI).
By (c1) it follows that
⊢ϕ→([c(b)]θI∧([c(b);α∗](θI→[α]θI))
Using the induction axiom, (UG), (K) and the fact that the dual operators commutes with conjunctions, we get
⊢([c(b)]θI∧([c(b);α∗](θI→[α]θI))→[c(b);α∗]θI
so ⊢ϕ→[c(b);α∗]θI, which proves the invariant property of whilebdos.
To conclude, so far we proved
⊢ϕ→[c(b);α∗]∃xθ
We can safely assume that the state variables from x do not appear in ϕ, b
Note that c(whilebdos)↔c(b);α∗;false?
As before,
⊢θ→(\boldlangletrue⋅vs,mem\boldrangle∧P\wedge@trueB)∨(\boldlanglefalse⋅vs,mem\boldrangle∧P\wedge@falseB)
Using again (A?) and (A¬?) we have that
⊢\boldlanglefalse⋅vs,mem\boldrangle→[false?]\boldlanglevs,mem\boldrangle
⊢\boldlangletrue⋅vs,mem\boldrangle\wedge@true(¬false)→[false?]⊥
It follows that
⊢θ→[false?](<vs,mem>∧P\wedge@falseB) so, using the properties of the existential binder
⊢∃xθ→∃x[false?](<vs,mem>∧P\wedge@falseB)
Since the state variables from x do not appear in false?, by Lemma 3.23 it follows that
⊢∃x[false?](<vs,mem>∧P\wedge@falseB)→
[false?]∃x(<vs,mem>∧P\wedge@falseB)
We can finally obtain the intended result:
⊢ϕ→[c(b);α∗;false?]∃x(<vs,mem>∧P\wedge@falseB)
∎
Proving a program correct.
Let us now exhibit proving a program using the operational semantics and the Hoare-like rules above. Consider the program:
⬇
s := 0; i := 0;
while ++ i <= n do s := s + i;
Let pgm stand for the entire program. We want to prove that if the initial value of n is any natural number, then the final value of s is the sum of numbers from 1 to n.
Formally,
\boldlanglevs,set(mem,n,vn\boldrangle→
[c(pgm)]\boldlanglevs,set(set(set(mem,n,vn\boldrangle,s,vn∗(vn+1)/2),i,vn+1))
Let Cnd stand for ++i<=n and Body stand for s:=s+i.
By applying the axioms above we can decompose pgm as
c(pgm)↔c(0);asgn(s);c(0);asgn(i);c(whileCnddoBody)
Similarly, c(Cnd)↔c(++i);c(n);leq and c(Body)↔c(s);c(i);plus;asgn(s).
We have the following instantiations of the axioms:
\boldlanglevs,set(mem,n,vn)\boldrangle→[c(0)]\boldlangle0⋅vs,set(mem,n,vn)\boldrangle
Aint
\boldlangle0⋅vs,set(mem,n,vn)\boldrangle→[asgn(s)]\boldlanglevs,set(set(mem,n,vn),s,0)\boldrangle
Aasgn
\boldlanglevs,set(set(mem,n,vn),s,0)\boldrangle→[c(0)]\boldlangle0⋅vs,set(set(mem,n,vn),s,0)\boldrangle
Aint
\boldlangle0⋅vs,set(set(mem,n,vn\boldrangle,s,0))
→[asgn(i)]\boldlanglevs,set(set(set(mem,n,vn),s,0),i,0)\boldrangle
Aasgn
And by applying the Rule of Composition we obtain:
(1) \boldlanglevs,set(mem,n,vn\boldrangle)
→[c(0);asgn(s);c(0);asgn(i)]\boldlanglevs,set(set(set(mem,n,vn),s,0),i,0)\boldrangle
We now want to apply the Rule of Iteration. First let us handle the condition.
Similarly to the “stepping” sequence above,
we can use instances of (A++), (Aid), (Aleq), and the Rule of Composition to chain them to obtain:
\boldlanglevs,set(set(set(mem,n,vn),s,0),i,0)\boldrangle
→[c(Body)]\boldlangle(1≤vn)⋅vs,set(set(set(mem,s,0),i,1),n,vn)\boldrangle
Let x=vi,
B=vi≤vn,
vs=vs,
mem=set(set(set(mem,s,(vi−1)∗vi/2),i,vi),n,vn),
P=@true(vi≤vn+1).
For xinit=1 we have that
B[1/vi]=1≤vn,
mem[1/vi]=set(set(set(mem,s,(1−1)∗1/2),i,1),n,vn),
P[1/vi]=@true(1≤vn+1).
Using that (1−1)∗1/2↔0 and 1≤vn+1 we obtain
(2) \boldlanglevs,set(set(set(mem,n,vn),s,0),i,0)\boldrangle→[c(Cnd)](\boldlangleB⋅vs,mem\boldrangle∧P)[1/vi]
Now, we can again use instances of (Aid), (Aid), (Aplus), (Aasgn), (AMem), (A++), (AId), (Aleq),
and the Rule of Composition to derive
\boldlanglevs,set(set(set(mem,i,vi),n,vn),s,(vi−1)∗vi/2)\boldrangle→[c(Body);c(Cnd)]
\boldlangle(vi+1≤vn)⋅vs,set(set(set(mem,s,vi∗(vi+1)/2,i,vi+1),n,vn)\boldrangle
By applying equivalences between formulas on naturals, the above leads to
\boldlanglevs,set(set(set(mem,i,vi),n,vn),s,(vi−1)∗vi/2)\boldrangle
→[c(Body);c(Cnd)]\boldlangleB⋅vs,mem\boldrangle[vi+1/vi]
Using Proposition 3.23 (i2) and the fact that vi≤vn↔vi+1≤vn+1, we obtain
(3)\boldlangleB⋅vs,mem\boldrangle∧P\wedge@true(B)
→[c(Body);c(Cnd)](\boldlangleB⋅vs,mem\boldrangle∧P)[vi+1/vi]
Now using the Rule of Iteration with (2) and (3) we derive that
\boldlanglevs,set(set(set(mem,n,vn),s,0),i,0)\boldrangle
→[c(whileCnddoBody)]∃vi.\boldlangleB⋅vs,mem\boldrangle∧P\wedge@false(B)
By arithmetic reasoning, ⊢(false→vi≤vn)↔(true→vn+1≤vi), hence \vdash@false(vi≤vn)\leftrightarrow@true(vn+1≤vi).
Moreover, @true(vn+1≤vi)\wedge@true(vi≤vn+1)\leftrightarrow@true(vn+1≤vi∧vi≤vn+1) which by arithmetic reasoning is equivalent to @true(vi=Natvn+1), which by (I1) is equivalent to vi↔vn+1 which allows us to substitute vi by vn+1 and eliminate the quantification, leading to
∃vi.\boldlanglevs,mem\boldrangle∧P\wedge@false(B)↔\boldlanglevs,mem\boldrangle[vn+1/vi],\mboxhence,
(4) \boldlanglevs,mem′\boldrangle→[c(whileCnddoBody)]\boldlanglevs,mem′′\boldrangle
where mem′′=set(set(set(mem,s,vn∗(vn+1)/2),i,vn+1),n,vn),
mem′=set(set(set(mem,n,vn),s,0),i,0).
Using the Rule of Composition on (1) and (4) we obtain our goal.
5 Conclusions and related work
We defined a general many-sorted hybrid polyadic modal logic that is sound and complete with respect to the usual modal semantics. From a theoretical point of view, we introduced nominal constants and we restricted the application of the satisfaction operators to nominals alone. We proved that the system is sound and complete and we also investigated the completeness of its pure axiomatic expansions. Given a concrete language with a concrete SMC-inspired operational semantics, we showed how to define a corresponding (sound and complete) logical system and we also proved (rather general) results that allow us to perform Hoare-style verification.
Our approach was to define the weakest system that allows us to reach our goals.
There is an abundance of research literature on hybrid modal logic, we refer to [1] for a comprehensive overview. Our work was mostly inspired by [3, 5, 11, 12], where a variety of hybrid modal logics are studied in a mono-sorted setting. We need to make a comment on our system’s expressivity: the strongest hybrid language employs both the existential binder and satisfaction operator for state variables (i.e. @x with x∈SVAR). Our systems seems to be weaker, but the exact relation will be analyzed elsewhere.
Concerning hybrid modal systems in many-sorted setting, we refer to [7, 9]. The system from [7] is built upon differential dynamic logic, while the one from [9] is equationally developed, does not have nominals and satisfaction operators, the strong completeness being obtained in the presence of a stronger operator called definedness (which is the modal global operator). Note that, when the satisfaction operator is defined on state variables, the global modality is definable in the presence of the universal binder. However, we only have the satisfaction operator defined on nominals, so, again, our system seems to be weaker.
There are many problems to be addressed in the future, both from theoretical and practical point of view. We should definitely analyze the standard translation and clarify the issues concerning expressivity; we should study the Fischer-Ladner closure and analyze completeness w.r.t. standard models from the point of view of dynamic logic; of course we should analyze more practical examples and even employ automatic techniques.
To conclude, the analysis of hybrid modal logic in a many-sorted setting leads us to a general system, that is theoretically solid and practically flexible enough for our purpose. We were able to specify a programming language, to define its operational semantics and to perform Hoare-style verification, all within the same deductive system. Modal logic proved to be, once more, the right framework and in the future we hope to take full advantage of its massive development.