Abstract
Guarded Kleene Algebra with Tests (\(\texttt{GKAT}\) for short) is an efficient fragment of Kleene Algebra with Tests, suitable for reasoning about simple imperative while-programs. Following earlier work by Das and Pous on Kleene Algebra, we study \(\texttt{GKAT}\) from a proof-theoretical perspective. The deterministic nature of \(\texttt{GKAT}\) allows for a non-well-founded sequent system whose set of regular proofs is complete with respect to the guarded language model. This is unlike the situation with Kleene Algebra, where hypersequents are required. Moreover, the decision procedure induced by proof search runs in \(\textsf{NLOGSPACE}\), whereas that of Kleene Algebra is in \(\textsf{PSPACE}\).
The research of Jan Rooduijn has been made possible by a grant from the Dutch Research Council NWO, project number 617.001.857.
You have full access to this open access chapter, Download conference paper PDF
Keywords
1 Introduction
Guarded Kleene Algebra with Test (\(\texttt{GKAT}\)) is the fragment of Kleene Algebra with Tests (\(\texttt{KAT}\)) comprised of the deterministic \(\textsf{while}\) programs. Those are the programs built up from sequential composition \((e \cdot f)\), conditional branching (if-b-then-e-else-f) and loops (while b do e). For an introduction to \(\texttt{KAT}\) we refer the reader to [10]. The first papers focusing on the fragment of \(\texttt{KAT}\) that is nowadays called \(\texttt{GKAT}\) are Kozen’s [11] and Kozen & Tseng’s [12], where it is used to study the relative power of several programming constructs.
As \(\texttt{GKAT}\) is a fragment of \(\texttt{KAT}\), it directly inherits a rich theory. It admits a language semantics in the form of guarded strings and for every expression there is a corresponding \(\texttt{KAT}\)-automaton. Already in [12] it was argued that \(\texttt{GKAT}\) expressions are more closely related to so-called strictly deterministic automata, where every state transition executes a primitive program. Smolka et al. significantly advanced the theory of \(\texttt{GKAT}\) in [22], by studying various additional semantics, identifying the precise class of strictly deterministic automata corresponding to \(\texttt{GKAT}\)-expressions (proving a Kleene theorem), giving a nearly linear decision procedure of the equivalence of \(\texttt{GKAT}\)-expressions, and studying its equational axiomatisation. Since then \(\texttt{GKAT}\) has received considerable further attention, e.g. in [17, 20, 21, 24].
One of the most challenging and intriguing aspects of \(\texttt{GKAT}\) is its proof theory. The standard equational axiomatisation of \(\texttt{KAT}\) from [10] does not simply restrict to \(\texttt{GKAT}\), since a derivation of an expression that lies within the \(\texttt{GKAT}\)-fragment might very well contain expressions that lie outside of it. Moreover, the axiomatisation of \(\texttt{KAT}\) contains a least fixed point rule that relies on the equational definability of inclusion, which does not seem to be available in \(\texttt{GKAT}\).
In [22], this problem is circumvented by introducing a custom equational axiomatisation for \(\texttt{GKAT}\) that uses a unique fixed point rule. While a notable result, this solution is still not entirely satisfactory. First, completeness is only proven under the inclusion of a variant of the unique fixed point rule that operates on entire systems of equations (this problem was recently addressed for the so-called skip-free fragment of \(\texttt{GKAT}\) in [21]). Moreover, even the ordinary, single-equation, unique fixed point rule contains a non-algebraic side-condition, analogous to the empty word property in Salomaa’s axiomatisation of Kleene Algebra [18]. Because of this, a proper definition of ‘a \(\texttt{GKAT}\)’ is still lacking.
In recent years the proof theory of logics with fixed point operators (such as while-b-do-e) has seen increasing interest in non-well-founded proofs. In such proofs, branches need not to be closed by axioms, but may alternatively be infinitely deep. To preserve soundness, a progress condition is often imposed on each infinite branch, facilitating a soundness proof by infinite descent. In some cases non-well-founded proofs can be represented by finite trees with back-edges, which are then called cyclic proofs. See e.g. [2, 4, 5, 8, 13] for a variety of such approaches. Often, the non-well-founded proof theory of some logic is closely related to its corresponding automata theory. Taking the proof-theoretical perspective, however, can be advantageous because it is more fine-grained and provides a natural setting for establishing results such as interpolation [3, 14], cut elimination [1, 19], and completeness by proof transformation [6, 23].
In [7], Das & Pous study the non-well-founded proof theory of Kleene Algebra, a close relative of \(\texttt{GKAT}\) (for background on Kleene Algebra we refer the reader to [9]). They show that a natural non-well-founded sequent system for Kleene Algebra is not complete when restricting to the subset of cyclic proofs. To remedy this, they introduce a hypersequent calculus, whose cyclic proofs are complete. They give a proof-search procedure for this calculus and show that it runs in \(\textsf{PSPACE}\). Since deciding Kleene Algebra expressions is \(\textsf{PSPACE}\)-complete, their proof-search procedure induces an optimal decision procedure for this problem. In a follow-up paper together with Doumane, left-handed completeness of Kleene Algebra is proven by translating cyclic proofs in the hypersequent calculus to well-founded proofs in left-handed Kleene Algebra [6].
The goal of the present paper is to study the non-well-founded proof theory of \(\texttt{GKAT}\). This is interesting in its own right, for instance because, as we will see, it has some striking differences with Kleene Algebra. Moreover, we hope it opens up new avenues for exploring the completeness of algebraic proof systems for \(\texttt{GKAT}\), through the translation of our cyclic proofs.
Outline. Our paper is structured as follows.
-
In Sect. 2 we introduce preliminary material: the syntax of \(\texttt{GKAT}\) and its language semantics.
-
Sect. 3 introduces our non-well-founded proof system \(\textsf{SGKAT}\) for \(\texttt{GKAT}\).
-
In Sect. 4 we show that (possibly infinitary) proofs in \(\textsf{SGKAT}\) are sound. That is, the interpretation of each derivable sequent - a \(\texttt{GKAT}\)-inequality - is true in the language model (which means that a certain inclusion of languages holds).
-
In Sect. 5 we show that proofs are finite-state: each proof contains only finitely many distinct sequents. More precisely, by employing a more fine-grained analysis than in [7], we give a quadratic bound on the number of distinct sequents occurring in a proof, in terms of the size of its endsequent. It follows that the subset of cyclic proofs proves exactly the same sequents as the set of all non-well-founded proofs.
-
Sect. 6 deals with completeness and complexity. We first use a proof-search procedure to show that \(\textsf{SGKAT}\) is complete: every sequent whose interpretation is valid in the language model, can be derived. We then show that this proof-search procedure runs in \(\textsf{coNLOGSPACE}\). This gives an \(\textsf{NLOGSPACE}\) upper bound on the complexity of the language inclusion problem for \(\texttt{GKAT}\)-expressions.
Our Contributions. Our paper closely follows the treatment of Kleene Algebra in [7]. Nevertheless, we make the following original contributions:
-
Structure of sequents: we devise a form of sequents bespoke to \(\texttt{GKAT}\), by labelling the sequents by sets of atoms. This is similar to how the appropriate automata for \(\texttt{GKAT}\) are not simply \(\texttt{KAT}\)-automata. In contrast to Kleene Algebra, it turns out that we do not need to extend our sequents to hypersequents in order to obtain completeness for the fragment of cyclic proofs.
-
Soundness argument: our modest contribution here is the notion of priority of rules and the fact that our rules are all invertible when they have priority. The soundness argument for finite proofs is, of course, slightly different, because our rules are different. (The step from the soundness of finite proofs, towards the soundness of infinite proofs, is completely analogous to that of [7].)
-
Regularity: this concerns showing that every proof contains only finitely many distinct sequents. As in [7], our argument views each expression in a proof as a subexpression of an expression in the proof’s root. A modest contribution is that our argument is made more formal by considering these expressions as nodes in a syntax tree. More importantly, the bound on the number of distinct cedents we obtain is sharper: where in [7] it is exponential in the size of the syntax tree, our bound is linear (yielding a quadratic bound on the number of sequents).
-
Completeness: the structure of the argument is identical to that in [7], but the details differ due to the different rules and different type of sequents. This for instance shows in our proof of Lemma 9 (which is analogous to Lemma 20 in [7]), where we make crucial use of the set of atoms annotating a sequent.
-
Complexity: our complexity argument is necessarily different because it applies to a different system and is designed to give a different upper bound.
Due to space limitations several proofs are only sketched or omitted entirely. Full versions of these proofs can be found in the extended version of this paper [15].
2 Preliminaries
2.1 Syntax
The language of \(\texttt{GKAT}\) has two sorts, namely programs and a subset thereof consisting of tests. It is built from a finite and non-empty set T of primitive tests and a non-empty set \(\varSigma \) of primitive programs, where T and \(\varSigma \) are disjoint. For the rest of this paper we fix such sets T and \(\varSigma \). We reserve the letters t and p to refer, respectively, to arbitrary primitive tests and primitive programs. The first of the following grammars defines the tests, and the second the expressions.
where \(t \in T\) and \(p \in \varSigma \). Intuitively, the operator \(+_b\) stands for the if-then-else construct, and the operator \((-)^{(b)}\) stands for the while loop. Note that the tests are simply propositional formulas. It is convention to use \(\cdot \) instead of \(\wedge \) for conjunction. As usual, we often omit \(\cdot \) for syntactical convenience, e.g. by writing pq instead of \(p \cdot q\).
Example 1
The idea of \(\texttt{GKAT}\) is to model imperative programs. For instance, the expression \((p +_b q)^{(a)}\) represents the following imperative program:
Remark 1
As mentioned in the introduction, \(\texttt{GKAT}\) is a fragment of Kleene Algebra with Tests, or \(\texttt{KAT}\) [10]. The syntax of \(\texttt{KAT}\) is the same as that of \(\texttt{GKAT}\), but with unrestricted union \(+\) instead of guarded union \(+_b\), and unrestricted iteration \((-)^*\) instead of the while loop operator \((-)^{(b)}\). The embedding \(\varphi \) of \(\texttt{GKAT}\) into \(\texttt{KAT}\) acts on guarded union and guarded iteration as follows, and commutes with all other operators: \(\varphi (e +_b f) = b \cdot \varphi (e) + \overline{b} \cdot \varphi (f)\), and \(\varphi (e^{(b)}) = (b \cdot \varphi (e))^* \cdot \overline{b}\).
2.2 Semantics
There are several kinds of semantics for \(\texttt{GKAT}\). In [22], a language semantics, a relational semantics, and a probabilistic semantics are given. In this paper we are only concerned with the language semantics, which we shall now describe.
We denote by \(\textsf{At}\) the set of atoms of the free Boolean algebra generated by \(T = \{t_1, \ldots t_n\}\). That is, \(\textsf{At}\) consists of all tests of the form \(c_1 \cdots c_n\), where \(c_i \in \{t_i, \overline{t_i}\}\) for each \(1 \le i \le n\). Lowercase Greek letters \((\alpha , \beta , \gamma , \ldots )\) will be used to denote elements of \(\textsf{At}\). A guarded string is an element of the regular set \(\textsf{At} \cdot (\varSigma \cdot \textsf{At})^*\). That is, a string of the form \(\alpha _1 p_1 \alpha _2 p_2 \cdots \alpha _n p_n \alpha _{n+1}\). We will interpret expressions as languages (formally just sets) of guarded strings. The sequential composition operator \(\cdot \) is interpreted by the fusion product \(\diamond \), given by \(L \diamond K := \{x \alpha y \mid x\alpha \in L \text { and } \alpha y \in K\}\). For the interpretation of \(+_b\), we define for every set of atoms \(B \subseteq \textsf{At}\) the following operation of guarded union on languages: \(L +_B K := (B \diamond L) \cup (\overline{B} \diamond K)\), where \(\overline{B}\) is \(\textsf{At} \setminus B\). For the interpretation of \((-)^{(b)}\), we stipulate:
Finally, the semantics of \(\texttt{GKAT}\) is inductively defined as follows:
Note that the interpretation of \(\cdot \) between tests is the same whether they are regarded as tests or as programs, i.e. \(\llbracket {b}\rrbracket \cap \llbracket {c}\rrbracket = \llbracket {b}\rrbracket \diamond \llbracket {c}\rrbracket \).
Remark 2
While the semantics of expressions is explicitly defined, the semantics of tests is derived implicitly through the free Boolean algebra generated by T. It is standard in the \(\texttt{GKAT}\) literature to address the Boolean content in this manner.
Example 2
In a guarded string, atoms can be thought of as states of a machine, and programs as executions. For instance, in case of the guarded string \(\alpha p \beta \), the machine starts in state \(\alpha \), then executes program p, and ends in state \(\beta \). Let us briefly check which guarded strings of, say, the form \(\alpha p \beta q \gamma \) belong to the interpretation \(\llbracket {(p +_b q)^{(a)}}\rrbracket \) of the program of Example 1. First, we must have \(\alpha \le a\), for otherwise we would not enter the loop. Moreover, we have \(\alpha \le b\), for otherwise q rather than p would be executed. Similarly, we find that \(\beta \le a, \overline{b}\). Since the loop is exited after two iterations, we must have \(\gamma \le \overline{a}\). Hence, we find
We state two simple facts that will be useful later on.
Lemma 1
For any two languages L, K of guarded strings, and primitive program p, we have:
(i) \(L^{n + 1} = L \diamond L^n\); (ii) \(\llbracket {p}\rrbracket \diamond L = \llbracket {p}\rrbracket \diamond K\) implies \(L = K\).
Remark 3
The fact that \(\texttt{GKAT}\) models deterministic programs is reflected in the fact that sets of guarded strings arising as interpretations of \(\texttt{GKAT}\)-expressions satisfy a certain determinacy property. Namely, for every \(x \alpha y\) and \(x \alpha z\) in L, either y and z are both empty, or both begin with the same primitive program. We refer the reader to [22] for more details.
Remark 4
The language semantics of \(\texttt{GKAT}\) is the same as that of \(\texttt{KAT}\) (see [10]), in the sense that \(\llbracket {e}\rrbracket = \llbracket {\varphi (e)}\rrbracket \), where \(\varphi \) is the embedding from Remark 1, the semantic brackets on the right-hand side denote the standard interpretation in \(\texttt{KAT}\), and e is any \(\texttt{GKAT}\)-expression.
3 The Non-well-founded Proof System \(\textsf{SGKAT}^\infty \)
In this section we commence our proof-theoretical study of \(\texttt{GKAT}\). We will present a cyclic sequent system for \(\texttt{GKAT}\), inspired by the cyclic sequent system for Kleene Algebra presented in [7]. In passing, we will compare our system to the latter.
Definition 1
(Sequent). A sequent is a triple \((\varGamma , A, \varDelta )\), written \(\varGamma \Rightarrow _A \varDelta \), where \(A \subseteq \textsf{At}\) and \(\varGamma \) and \(\varDelta \) are (possibly empty) lists of \(\texttt{GKAT}\)-expressions.
The list on the left-hand side of a sequent is called its antecedent, and the list on the right-hand side its succedent. In general we refer to lists of expressions as cedents. The symbol \(\epsilon \) refers to the empty cedent.
Remark 5
As the system in [7] only deals with Kleene Algebra, it does not include tests. We choose the deal with the tests present in \(\texttt{GKAT}\) by augmenting each sequent by a set of atoms. This tucks away the Boolean content, as is usual in the \(\texttt{GKAT}\) literature, allowing us to omit propositional rules.
Definition 2
(Validity). We say that a sequent \(e_1, \ldots , e_n \Rightarrow _A f_1, \ldots , f_m\) is valid whenever \(A \diamond \llbracket e_1 \cdots e_n \rrbracket \subseteq \llbracket f_1 \cdots f_n \rrbracket \).
We often abuse notation writing \(\llbracket {\varGamma }\rrbracket \) instead of \(\llbracket {e_1 \cdots e_n}\rrbracket \), where \(\varGamma = e_1, \ldots , e_n\).
Example 3
An example of a valid sequent is given by \((cp)^{(b)} \Rightarrow _\textsf{At} (p (cp +_b 1))^{(b)}\). The antecedent denotes guarded strings \(\alpha _1 p \alpha _2 p \cdots \alpha _n p \alpha _{n+1}\) where \(\alpha _i \le b, c\) for each \(1 \le i \le n\), and \(\alpha _{n+1} \le \overline{b}\). The succedent denotes such strings where \(\alpha _{i} \le c\) is only required for those \(1 \le i \le n\) where i is even.
Remark 6
Like the sequents for Kleene Algebra in [7], our sequents express language inclusion, rather than language equivalence. For Kleene Algebra this difference is insignificant, as the two notions are interdefinable using unrestricted union: \(\llbracket {e}\rrbracket \subseteq \llbracket {f}\rrbracket \Leftrightarrow \llbracket {e + f}\rrbracket = \llbracket {f}\rrbracket \). For \(\texttt{GKAT}\), however, it is not clear how to define language inclusion in terms of language equivalence. As a result, an advantage of axiomatising language inclusion rather than language equivalence, is that the while-operator can be axiomatised as a least fixed point, eliminating the need for a strict productivity requirement as is present in the axiomatisation in [22].
Given a set of atoms A and a test b, we write \(A \restriction b\) for \(A \diamond \llbracket {b}\rrbracket \), i.e. the set of atoms \(\{\alpha \in A : \alpha \le b\}\). The rules of \(\textsf{SGKAT}\) are given in Fig. 1. Importantly, the rules are always applied to the leftmost expression in a cedent. As a result, we have the following lemma, that later will be used in the completeness proof.
Lemma 2
Let \(\varGamma \Rightarrow _A \varDelta \) be a sequent, and let \(\textsf{r}\) be any rule of \(\textsf{SGKAT}\). Then there is at most one rule instance of \(\textsf{r}\) with conclusion \(\varGamma \Rightarrow _A \varDelta \).
Remark 7
Following [7], we call \(\textsf{k}\) a ‘modal’ rule. The reason is simply that it looks like the rule \(\textsf{k}\) (sometimes called \(\textsf{K}\) or \(\square \)) in the standard sequent calculus for basic modal logic. Our system also features a second modal rule, called \(\textsf{k}_0\). Like \(\textsf{k}\), this rule adds a primitive program p to the antecedent of the sequent. Since the premiss of \(\mathsf {k_0}\) entails that \(\llbracket {\varGamma }\rrbracket = \llbracket {0}\rrbracket \), the antecedent of its conclusion will denote the empty language, and is therefore included in any succedent \(\varDelta \).
Remark 8
Note that the rules of \(\textsf{SGKAT}\) are highly symmetric. Indeed, the only rules that behave differently on the left than on the right, are the b-rules and \(\textsf{k}_0\). Note that b-l changes the set of atoms, while b-r uses a side condition. The asymmetry of \(\textsf{k}_0\) is clear: the succedent of the premiss has a 0, whereas the antecedent does not. A third asymmetry will be introduced in Definition 3, with a condition on infinite branches that is sensitive to (b)-l but not to (b)-r.
Remark 9
The authors of [20] study a variant of \(\texttt{GKAT}\) that omits the so-called early termination axiom, which equates all programs that eventually fail. They give a denotational model of this variant in the form of certain kinds of trees. We conjecture that omitting the rule \(\textsf{k}_0\) from our system will make it sound and complete with respect to this denotational model.
An \(\textsf{SGKAT}^\infty \)-derivation is a (possibly infinite) tree generated by the rules of \(\textsf{SGKAT}\). Such a derivation is said to be closed if every leaf is an axiom.
Definition 3
(Proof). A closed \(\textsf{SGKAT}^\infty \)-derivation is said to be an \(\textsf{SGKAT}^\infty \)-proof if every infinite branch is fair for (b)-l, i.e. contains infinitely many applications of the rule (b)-l.
We write \(\textsf{SGKAT} \vdash ^\infty \varGamma \Rightarrow _A \varDelta \) if there is an \(\textsf{SGKAT}^\infty \)-proof of \(\varGamma \Rightarrow _A \varDelta \).
Example 4
Not every \(\textsf{SGKAT}^\infty \)-derivation is a proof. Consider for instance the following derivation, where \((\bullet )\) indicates that the derivation repeat itself (Fig. 2).
Example 5
Let \(\varDelta _1 := (p (cp +_b 1))^{(b)}\) and \(\varDelta _2 := cp +_b 1, \varDelta _1\). The following proof \(\varPi _1\) is an example \(\textsf{SGKAT}^\infty \)-proof of the sequent of Example 3. We again use \((\bullet )\) to indicate that the proof repeats itself at this leaf and, for the sake of readability, omit branches that can be closed immediately by an application of \(\bot \) (Fig. 3).
To illustrate the omission of branches that can be immediately closed by an application of \(\bot \), let us write out the two applications of \(+_b\)-r in \(\varPi _1\).
It can also be helpful to think of the set of atoms as selecting one of the premisses.
We close this section with a useful definition and a lemma.
Definition 4
(Exposure). A list \(\varGamma \) of expressions is said to be exposed if it is either empty or begins with a primitive program.
Recall that the sets of primitive tests and primitive programs are disjoint. Hence an exposed list \(\varGamma \) cannot start with a test. The following easy lemma will be useful later on.
Lemma 3
Let \(\varGamma \) and \(\varDelta \) be exposed lists of expressions. Then:
-
(i)
\(\alpha x \in \llbracket {\varGamma }\rrbracket \Leftrightarrow \beta x \in \llbracket {\varGamma }\rrbracket \) for all \(\alpha , \beta \in \textsf{At}\)
-
(ii)
\(\varGamma \Rightarrow _{\textsf{At}} \varDelta \) is valid if and only if \(\varGamma \Rightarrow _A \varDelta \) is valid for some \(A \not = \emptyset \).
4 Soundness
In this section we prove that \(\textsf{SGKAT}^\infty \) is sound. We will first prove that well-founded (that is, finite) \(\textsf{SGKAT}^\infty \)-proofs are sound. The following straightforward facts will be useful in the soundness proof.
Lemma 4
For any set A of atoms, test b, and cedent \(\varTheta \), we have:
-
(i)
\(\llbracket {e +_b f, \varTheta }\rrbracket = (\llbracket {b}\rrbracket \diamond \llbracket {e, \varTheta }\rrbracket ) \cup (\llbracket {\overline{b}}\rrbracket \diamond \llbracket {f, \varTheta }\rrbracket )\);
-
(ii)
\(\llbracket {e^{(b)}, \varTheta }\rrbracket = (\llbracket {b}\rrbracket \diamond \llbracket {e, e^{(b)}, \varTheta }\rrbracket ) \cup (\llbracket {\overline{b}}\rrbracket \diamond \llbracket {\varTheta }\rrbracket )\).
We prioritise the rules of \(\textsf{SGKAT}\) in order of occurrence in Fig. 1, reading left-to-right, top-to-bottom. Hence, each left logical rule is of higher priority than each right logical rule, which is of higher priority than each axiom or modal rule. Recall that a rule is sound if the validity of all its premisses implies the validity of its conclusion. Conversely, a rule is invertible if the validity of its conclusion implies the validity of all of its premisses.
We say that a rule application has priority of there is no higher-priority rule with the same conclusion. Conveniently, the following proposition entails that every rule instance which has priority is invertible. This will aid our proof search procedure in Sect. 6.
Proposition 1
Every rule of \(\textsf{SGKAT}\) is sound. Moreover, every rule is invertible except for \(\textsf{k}\) and \(\textsf{k}_0\), which are invertible whenever they have priority.
Proof
(sketch). We treat two illustrative cases. For the rule \(+_b\)-r, we find
where the first equivalence holds due to Lemma 4.(ii), and the second due to \(A \diamond \llbracket {\varGamma }\rrbracket = (\llbracket {b}\rrbracket \diamond A \diamond \llbracket {\varGamma }\rrbracket ) \cup (\llbracket {\overline{b}}\rrbracket \diamond A \diamond \llbracket {\varGamma }\rrbracket )\) and Lemma 4.(i).
The other rule we will treat is \(\textsf{k}\). Suppose first that some application of \(\textsf{k}\) does not have priority. The only rule of higher priority than \(\textsf{k}\) which can have a conclusion of the form \(p, \varGamma \Rightarrow _A p, \varDelta \) is \(\bot \). In this case \(A = \emptyset \), which means that the conclusion must be valid. Hence any application of \(\textsf{k}\) that does not have priority is vacuously sound. It need, however, not be invertible, as the following rule instance demonstrates
Next, suppose that some application of \(\textsf{k}\) does have priority. This means that the set A of atoms in the conclusion \(p, \varGamma \Rightarrow _A p, \varDelta \) is not empty. We will show that under this restriction the rule is both sound and invertible. Let \(\alpha \in A\). We have
as required. The step marked by \(\dagger \) is the following property of guarded languages: \(\llbracket {p}\rrbracket \diamond L = \llbracket {p}\rrbracket \diamond K\) implies \(L = K\).
Proposition 1 entails that all finite proofs are sound. We will now extend this result to non-well-founded proofs, closely following the treatment in [7]. We first recursively define a syntactic abbreviation: \([e^{(b)}]^0 := \overline{b}\) and \([e^{(b)}]^{n + 1} := be[e^{(b)}]^n\).
Lemma 5
For every \(n \in \mathbb {N}\): if we have \(\textsf{SGKAT} \vdash ^\infty e^{(b)}, \varGamma \Rightarrow _A \varDelta \), then we also have \(\textsf{SGKAT} \vdash ^\infty [e^{(b)}]^n, \varGamma \Rightarrow _A \varDelta \).
We let the while-height \(\textsf{wh}(e)\) be the maximal nesting of while loops in a given expression e. Formally,
-
\(\textsf{wh}(b) = \textsf{wh}(p) = 0;\) − \(\textsf{wh}(e \cdot f) = \textsf{wh}(e +_b f) = \max \{\textsf{wh}(e), \textsf{wh}(f)\};\)
-
\(\textsf{wh}(e^{(b)}) = \textsf{wh}(e) + 1.\)
Given a list \(\varGamma \), the weighted while-height \(\textsf{wwh}(\varGamma )\) of \(\varGamma \) is defined to be the multiset \([\textsf{wh}(e) : e \in \varGamma ]\). We order such multisets using the Dershowitz-Manna ordering (for linear orders): we say that \(N < M\) if and only if \(N \not = M\) and for the greatest n such that \(N(n) \not = M(n)\), it holds that \(N(n) < M(n)\).
Note that in any \(\textsf{SGKAT}\)-derivation the weighted while-height of the antecedent does not increase when reading bottom-up. Moreover, we have:
Lemma 6
\(\textsf{wwh}([e^{(b)}]^n, \varGamma ) < \textsf{wwh}(e^{(b)}, \varGamma )\) for every \(n \in \mathbb {N}\).
Finally, we can prove the soundness theorem using induction on \(\textsf{wwh}(\varGamma )\).
Theorem 1
(Soundness). If \(\textsf{SGKAT} \vdash ^\infty \varGamma \Rightarrow _A \varDelta \), then \(A \diamond \llbracket {\varGamma }\rrbracket \subseteq \llbracket {\varDelta }\rrbracket \).
Proof
We prove this by induction on \(\textsf{wwh}(\varGamma )\). Given a proof \(\pi \) of \(\varGamma \Rightarrow _A \varDelta \), let \(\mathcal {B}\) contain for each infinite branch of \(\pi \) the node of least depth to which a rule (b)-l is applied. Note that \(\mathcal {B}\) must be finite, for otherwise, by Kőnig’s Lemma, the proof \(\pi \) cut off along \(\mathcal {B}\) would have an infinite branch that does not satisfy the fairness condition.
Note that Proposition 1 entails that of every finite derivation with valid leaves the conclusion is valid. Hence, it suffices to show that each of the nodes in \(\mathcal {B}\) is valid. To that end, consider an arbitrary such node labelled \(e^{(b)}, \varGamma ' \Rightarrow _{A'} \varDelta '\) and the subproof \(\pi '\) it generates. By Lemma 5, we have that \([e^{(b)}]^{n}, \varGamma ' \Rightarrow _{A'} \varDelta '\) is provable for every n. Lemma 6 gives \(\textsf{wwh}([e^{(b)}]^{n}, \varGamma ') < \textsf{wwh}(e^{(b)}, \varGamma ') \le \textsf{wwh}(\varGamma )\), and thus we may apply the induction hypothesis to obtain
for every \(n \in \mathbb {N}\). Then by
we obtain that \(e^{(b)}, \varGamma ' \Rightarrow _{A'} \varDelta '\) is valid, as required.
5 Regularity
Before we show that \(\textsf{SGKAT}^\infty \) is not only sound, but also complete, we will first show that every \(\textsf{SGKAT}^\infty \)-proof is finite-state, i.e. that it contains at most finitely many distinct sequents.
The results of this section crucially depend on the fact that we are only applying rules to the leftmost expressions of cedents. Indeed, otherwise one could easily create infinitely many distinct sequents by simply unravelling the same while loop \(e^{(b)}\) infinitely often.
Our treatment differs from that in [7] in two major ways. First, we formalise the notion of (sub)occurrence using the standard notion of a syntax tree. Secondly, and more importantly, we obtain a quadratic bound on the number of distinct sequents occurring in a proof, rather than an exponential one. In fact, we will show that the number of distinct antecedents (succedents) is linear in the size of the syntax tree of the antecedent (succedent) of the root. We will do this by showing that each leftmost expression of a cedent in the proof (given as node of the syntax tree of a root cedent) can only occur in the proof as the leftmost expression of that unique cedent.
Definition 5
The syntax tree \((T_e, l_e)\) of an expression e is a well-founded, labelled and ordered tree, defined by the following induction on e.
-
If e is a test or primitive program, its syntax tree only has a root node \(\rho \), with label \(l_e(\rho ) := e\).
-
If \(e = f_1 \circ f_2\) where \(\circ = \cdot \) or \(\circ = +_b\), its syntax tree again has a root node \(\rho \) with label \(l_e(\rho ) = e\), and with two outgoing edges. The first edge connects \(\rho \) to \((T_{f_1}, l_{f_1})\), the second edge connects it to \((T_{f_2}, l_{f_2})\).
-
If \(e = f^{(b)}\), its syntax tree again has a root node \(\rho \) with label \(l_e(\rho ) = e\), but now with just one outgoing edge. This edge connects \(\rho \) to \((T_{f}, l_f)\).
Definition 6
An e-cedent is a list of nodes in the syntax tree of e. The realisation of an e-cedent \(u_1, \ldots , u_n\) is the cedent \(l_e(u_1), \ldots , l_e(u_n)\).
Given the leftmost expression of a cedent, we will now explicitly define the cedent that it must be the leftmost expression of.
Definition 7
Let u be a node in the syntax tree of e. We define the e-cedent \(\textsf{tail}(u)\) inductively as follows:
-
For the root \(\rho \) of \(T_e\), we set \(\textsf{tail}(\rho )\) to be the empty list \(\epsilon \).
-
For every node u of \(T_e\), we define \(\textsf{tail}\) on its children by a case distinction on the main connective \(\textsf{mc}\) of u:
-
if \(\textsf{mc} = \cdot \), let \(u_1\) and \(u_2\) be, respectively, the first and second child of u. We set \(\textsf{tail}(u_1) := u_2, \textsf{tail}(u)\) and \(\textsf{tail}(u_2) := \textsf{tail}(u)\).
-
if \(\textsf{mc} = +_b\), let \(u_1\) and \(u_2\) again be its first and second child. We set \(\textsf{tail}(u_1) := \textsf{tail}(u_2) := \textsf{tail}(u)\).
-
if \(\textsf{mc} = (-)^{(b)}\), let v be the single child of u. We set \(\textsf{tail}(v) := u, \textsf{tail}(u)\).
-
An e-cedent is called \(\textsf{tail}\)-generated if it is empty or of the form \(u, \textsf{tail}(u)\) for some node u in the syntax tree of e.
Example 6
Below is the syntax tree of \((p(p +_b 1))^{(b)}\) and a calculation of \(\textsf{tail}(u_3)\).
The following lemma embodies the key idea for the main result of this section: every leftmost expression is the leftmost expression of a unique cedent.
Lemma 7
Let \(\pi \) be an \(\mathsf {SGKAT^\infty }\)-derivation of a sequent of the form \(e \Rightarrow _A f\). Then every antecedent in \(\pi \) is the realisation of a \(\textsf{tail}\)-generated e-sequent, and every succedent is the realisation of a \(\textsf{tail}\)-generated f-sequent or 0-sequent.
Proof
We first prove the following claim.
Let e be an expression and let u be a node in its syntax tree. Then \(\textsf{tail}(u)\) is a \(\textsf{tail}\)-generated e-sequent.
We prove this by induction on the syntax tree of e. For the root \(\rho \), we have \(\textsf{tail}(\rho ) = \epsilon \), which is \(\textsf{tail}\)-generated by definition. Now suppose that the thesis holds for some arbitrary node u in the syntax tree of e. We will show that the thesis holds for the children of u by a case distinction on the main connective \(\textsf{mc}\) of u.
-
\(\textsf{mc} = \cdot \). Let \(u_1\) and \(u_2\) be the first and second child of u, respectively. We have \(\textsf{tail}(u_1) = u_2, \textsf{tail}(u) = u_2, \textsf{tail}(u_2)\), which is \(\textsf{tail}\)-generated by definition. Moreover, we have that \(\textsf{tail}(u_2) = \textsf{tail}(u)\) is \(\textsf{tail}\)-generated by the induction hypothesis.
-
\(\textsf{mc} = +_b\). Then for each child v of u, we have \(\textsf{tail}(v) = \textsf{tail}(u)\) and thus we can again invoke the induction hypothesis.
-
\(\textsf{mc} = (-)^{(b)}\). Then for the single child v of u, it holds that \(\textsf{tail}(v) = u, \textsf{tail}(u)\), which is \(\textsf{tail}\)-generated by definition.
Using this claim, the lemma follows by bottom-up induction on \(\pi \). For the base case, note that e and f are realisations of the roots of their respective syntax trees. Such a root \(\rho \) is \(\textsf{tail}\)-generated, since \(\rho = \rho , \epsilon = \rho , \textsf{tail}(\rho )\). The induction step follows by direct inspection of the rules of \(\textsf{SGKAT}\).
The number of realisations of \(\textsf{tail}\)-generated e-sequents is clearly linear in the size of the syntax tree of e, for every expression e. Hence we obtain:
Corollary 1
The number of distinct sequents in an \(\textsf{SGKAT}^\infty \)-proof of \(e \Rightarrow _A f\) is quadratic in \(|T_e| + |T_f|\).
Note that the above lemma and corollary can easily be generalised to arbitrary (rather than singleton) cedents, by rewriting each cedent \(e_1, \ldots , e_n\) as \(e_1 \cdots e_n\).
Recall that a non-well-founded tree is regular if it contains only finitely many pairwise non-isomorphic subtrees. The following corollary follows by a standard argument in the literature (see e.g [16, Corollary I.2.23]).
Corollary 2
If \(\varGamma \Rightarrow _A \varDelta \) has an \(\textsf{SGKAT}^\infty \)-proof, then it has a regular one.
We define a cyclic \(\textsf{SGKAT}\)-proof as a regular \(\textsf{SGKAT}^\infty \)-proof. Cyclic proofs can be equivalently described using finite trees with back edges, but this is not needed for the purposes of the present paper.
6 Completeness and Complexity
In this section we prove the completeness of \(\textsf{SGKAT}^\infty \). Our argument uses a proof search procedure, which we will show to induce a \(\textsf{NLOGSPACE}\) decision procedure for the language inclusion problem of \(\texttt{GKAT}\) expressions. The material in this section is again inspired by [7], but requires several modifications to treat the tests present in \(\texttt{GKAT}\).
First note the following fact.
Lemma 8
Any valid sequent is the conclusion of some rule application.
Note that in the following lemma A and B may be distinct.
Lemma 9
Let \(\pi \) be a derivation using only right logical rules and containing a branch of the form:
such that (1) \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) is valid, and (2) every succedent on the branch has \(e^{(b)}, \varDelta \) as a final segment. Then \(\varGamma \Rightarrow _B 0\) is valid.
Proof
We claim that \(e^{(b)} \Rightarrow _B 0\) is provable. We will show this by exploiting the symmetry of the left and right logical rules of \(\textsf{SGKAT}\) (cf. Remark 8). Since on the branch (*) every rule is a right logical rule, and \(e^{(b)}, \varDelta \) is preserved throughout, we can construct a derivation \(\pi '\) of \(e^{(b)} \Rightarrow _B 0\) from \(\pi \) by applying the analogous left logical rules to \(e^{(b)}\). Note that the set of atoms B precisely determines the branch (*), in the sense that for every leaf \(\varGamma \Rightarrow _C \varTheta \) of \(\pi \) it holds that \(C \cap B = \emptyset \). Hence, as the root of \(\pi '\) is \(e^{(b)} \Rightarrow _B 0\), every branch of \(\pi '\) except for the one corresponding to (*) can be closed directly by an application of \(\bot \). The branch corresponding to (*) is of the form
and can thus be closed by a back edge. The resulting finite tree with back edges clearly represents an \(\textsf{SGKAT}^\infty \)-proof.
Now by soundness, we have \(B \diamond \llbracket e^{(b)} \rrbracket = \emptyset \). Moreover, by the invertibility of the right logical rules and hypothesis (1), we get
as required.
Lemma 10
Let \((\varGamma _n \Rightarrow _{A_n} \varDelta _n)_{n \in \omega }\) be an infinite branch of some \(\textsf{SGKAT}^\infty \)-derivation on which the rule (b)-r is applied infinitely often. Then there are n, m with \(n < m\) such that the following hold:
-
(i)
the sequents \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) and \(\varGamma _m \Rightarrow _{A_m} \varDelta _m\) are equal;
-
(ii)
the sequent \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) is the conclusion of (b)-r in \(\pi \);
-
(iii)
for every \(i \in [n, m)\) it holds that \(\varDelta _n\) is a final segment of \(\varDelta _i\).
Proof
First note that \(\textsf{k}_0\) is not applied on this branch, because if it were then there could not be infinitely many applications of (b)-r.
Since the proof is finite-state (cf. Corollary 1), there must be a \(k \ge 0\) be such that every \(\varDelta _i\) with \(i \ge k\) occurs infinitely often on the branch above. Denote by \(|\varDelta |\) the length of a given list \(\varDelta \) and let l be minimum of \(\{|\varDelta _i| : i \ge k\}\). In other words, l is the minimal length of the \(\varDelta _i\) with \(i \ge k\).
To prove the lemma, we first claim that there is an \(n \ge k\) such that \(|\varDelta _n| = l\) and the leftmost expression in \(\varDelta _n\) is of the form \(e^{(b)}\) for some e. Suppose, towards a contradiction, that this is not the case. Then there must be a \(u \ge k\) such that \(|\varDelta _u| = l\) and the leftmost expression in \(\varDelta _u\) is not of the form \(e^{(b)}\) for any e. Note that (b)-r is the only rule apart from \(\textsf{k}_0\) that can increase the length of the succedent (when read bottom-up). It follows that for no \(w \ge u\) the leftmost expression in \(\varDelta _w\) is of the form \(e^{(b)}\), contradicting the fact that (b)-r is applied infinitely often.
Now let \(n \ge k\) be such that \(|\varDelta _n| = l\) and the leftmost expression of \(\varDelta _n\) is \(e^{(b)}\). Since the rule (b)-r must at some point after \(\varDelta _n\) be applied to \(e^{(b)}\), we may assume without loss of generality that \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) is the conclusion of an application of (b)-r. By the pigeonhole principle, there must be an \(m > n\) such that \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) and \(\varGamma _m \Rightarrow _{A_m} \varDelta _m\) are the same sequents. We claim that these sequents satisfy the three properties above. Properties (i) and (ii) directly hold by construction. Property (iii) follows from the fact that \(\varDelta _n\) is of minimal length and has \(e^{(b)}\) as leftmost expression.
With the above lemmas in place, we are ready for the completeness proof.
Theorem 2
(Completeness). Every valid sequent is provable in \(\textsf{SGKAT}^\infty \).
Proof
Given a valid sequent, we do a bottom-up proof search with the following strategy. Throughout the procedure all leaves remain valid, in most cases by an appeal to invertibility.
-
1.
Apply left logical rules as long as possible. If this stage terminates, it will be at a leaf of the form \(\varGamma \Rightarrow _A \varDelta \), where \(\varGamma \) is exposed. We then go to stage (2). If left logical rules remain applicable, we stay in this stage (1) forever and create an infinite branch.
-
2.
Apply right logical rules until one of the following happens:
-
(a)
We reach a leaf at which no right logical rule can be applied. This means that the leaf must be a valid sequent of the form \(\varGamma \Rightarrow _A \varDelta \) such that \(\varGamma \) is exposed, and \(\varDelta \) is either exposed or begins with a test b such \(A \restriction b \not = A\). We go to stage (4).
-
(b)
If (a) does not happen, then at some point we must reach a valid sequent of the \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) which together with an ancestor satisfies properties (i) - (iii) of Lemma 10. In this case Lemma 9 is applicable. Hence we must be at a leaf of the form \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) such that \(e^{(b)} \Rightarrow _A 0\) is valid. We then go to stage (3).
Since at some point either (a) or (b) must be the case, stage (2) always terminates.
-
(a)
-
3.
We are at a valid leaf of the form \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \), where \(\varGamma \) is exposed. If \(A = \emptyset \), we apply \(\bot \). Otherwise, if \(A \not = \emptyset \), we use the validity of \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) and \(e^{(b)} \Rightarrow _A 0\) to find:
$$ A \diamond \llbracket {\varGamma }\rrbracket \subseteq A \diamond \llbracket {e^{(b)}}\rrbracket \diamond \llbracket {\varDelta }\rrbracket = \emptyset . $$We claim that \(\llbracket {\varGamma }\rrbracket = \emptyset \). Indeed, suppose towards a contradiction that \(\alpha x \in \llbracket {\varGamma }\rrbracket \). By the exposedness of \(\varGamma \) and item (i) of Lemma 3, we would have \(\beta x \in \llbracket {\varGamma }\rrbracket \) for some \(\beta \in A\), contradicting the statement above. Therefore, the sequent \(\varGamma \Rightarrow _\textsf{At} 0\) is valid. We apply the rule \(\textsf{k}_0\) and loop back to stage (1).
Stage (3) only comprises a single step and thus always terminates.
-
4.
Let \(\varGamma \Rightarrow _A \varDelta \) be the current leaf. By construction \(\varGamma \Rightarrow _A \varDelta \) is valid, \(\varGamma \) is exposed, and \(\varDelta \) is either exposed or begins with a test b such that \(A \restriction b \not = A\). Note that only rules \(\textsf{id}\), \(\bot \), \(\textsf{k}\), and \(\mathsf {k_0}\) can be applicable. By Lemma 8, at least one of them must be applicable. If \(\textsf{id}\) is applicable, apply \(\textsf{id}\). If \(\bot \) is applicable, apply \(\bot \). If \(\textsf{k}\) is applicable, apply \(\textsf{k}\) and loop back to stage (1). Note that this application of \(\textsf{k}\) will have priority and is therefore invertible.
Finally, suppose that only \(\textsf{k}_0\) is applicable. We claim that, by validity, the list \(\varGamma \) is not \(\epsilon \). Indeed, since A is non-empty, and \(\varDelta \) either begins with a primitive program p or a test b such that \(A \restriction b \not = A\), the sequent
$$ \epsilon \Rightarrow _A \varDelta $$must be invalid. Hence \(\varGamma \) must be of the form \(p, \varTheta \). We apply \(\textsf{k}_0\), which has priority and thus is invertible, and loop back to stage (1).
Similarly to stage (3), stage (4) only comprises a single step and thus always terminates.
We claim that the constructed derivation is fair for (b)-l. Indeed, every stage except stage (1) terminates. Therefore, every infinite branch must either eventually remain in stage (1), or pass through stages (3) or (4) infinitely often. Since \(\textsf{k}\) and \(\textsf{k}_0\) shorten the antecedent, and no left logical rule other than (b)-l lengthens it, such branches must be fair.
By Corollary 2 we obtain that the subset of cyclic \(\textsf{SGKAT}\)-proofs is also complete.
Corollary 3
Every valid sequent has a regular \(\textsf{SGKAT}^\infty \)-proof.
Proposition 2
The proof search procedure of Theorem 2 runs in \(\textsf{coNLOGSPACE}\). Hence proof search, and thus also the language inclusion problem for \(\texttt{GKAT}\)-expressions, is in \(\textsf{NLOGSPACE}\).
Proof
(sketch). Assume without loss of generality that the initial sequent is of the form \(e \Rightarrow _A f\). We non-deterministically search for a failing branch, at each iteration storing only the last sequent. By Lemma 7 this can be done by storing two pointers to, respectively, the syntax trees \(T_e\) and \(T_f\), together with a set of atoms. The loop check of stage (2) can be replaced by a counter. Indeed, stage (2) must always hit a repetition after \(|\textsf{At}| \cdot |T_f|\) steps, where m is the number of nodes in the syntax tree. After this repetition there must be a continuation that reaches a repetition to which Lemma 9 applies before this stage has taken \(2 \cdot |\textsf{At}| \cdot |T_f|\) steps in total. Finally, a global counter can be used to limit the depth of the search. Indeed, a failing branch needs at most one repetition (in stage (2), to which \(\textsf{k}_0\) is applied) and all other repetitions can be cut out. Hence if there is a failing branch, there must be one of size at most \(4 \cdot |T_e| \cdot |\textsf{At} | \cdot |T_f|\).
7 Conclusion and Future Work
In this paper we have presented a non-well-founded proof system \(\textsf{SGKAT}^\infty \) for \(\texttt{GKAT}\). We have shown that the system is sound and complete with respect to the language model. In fact, the fragment of regular proofs is already complete, which means one can view \(\textsf{SGKAT}\) as a cyclic proof system. Our system is similar to the system for Kleene Algebra in [7], but the deterministic nature of \(\texttt{GKAT}\) allows us to use ordinary sequents rather than hypersequents. To deal with the tests of \(\texttt{GKAT}\) every sequent is annotated by a set of atoms. Like in [7], our completeness argument makes use of a proof search procedure. Here again the relative simplicity of \(\texttt{GKAT}\) pays off: the proof search procedure induces an \(\textsf{NLOGSPACE}\) decision procedure, whereas that of Kleene Algebra is in \(\textsf{PSPACE}\).
The most natural question for future work is whether our system could be used to prove the completeness of some (ordered)-algebraic axiomatisation of \(\texttt{GKAT}\). We envision using the original \(\texttt{GKAT}\) axioms (see [22, Figure 1]), but basing it on inequational logic rather than equational logic. This would allow one to use a least fixed point rule of the form
eliminating the need for a Salomaa-style side condition. We hope to be able to prove the completeness of such an inequational system by translating cyclic \(\textsf{SGKAT}\)-proofs into well-founded proofs in the inequational system. This is inspired by the paper [6], where a similar strategy is used to give an alternative proof of the left-handed completeness of Kleene Algebra.
Another relevant question is the exact complexity of the language inclusion problem for \(\texttt{GKAT}\)-expressions. We have obtained an upper bound of \(\textsf{NLOGSPACE}\), but do not know whether it is optimal.
Finally, it would be interesting to verify the conjecture in Remark 9 above.
References
Acclavio, M., Curzi, G., Guerrieri, G.: Infinitary cut-elimination via finite approximations. In: 32nd Annual Conference on Computer Science Logic, CSL. LIPIcs, vol. 288, pp. 8:1–8:19. Schloss Dagstuhl (2024)
Afshari, B., Enqvist, S., Leigh, G.E.: Cyclic proofs for the first-order \(\mu \)-calculus. Log. J. IGPL 32(1), 1–34 (2022)
Afshari, B., Leigh, G.E., Menéndez Turata, G.: Uniform interpolation from cyclic proofs: the case of modal mu-calculus. In: Das, A., Negri, S. (eds.) TABLEAUX 2021. LNCS (LNAI), vol. 12842, pp. 335–353. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-86059-2_20
Afshari, B., Wehr, D.: Abstract cyclic proofs. In: Ciabattoni, A., Pimentel, E., de Queiroz, R.J.G.B. (eds.) WoLLIC 2022. LNCS, vol. 13468, pp. 309–325. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15298-6_20
Brotherston, J.: Cyclic proofs for first-order logic with inductive definitions. In: Beckert, B. (ed.) TABLEAUX 2005. LNCS (LNAI), vol. 3702, pp. 78–92. Springer, Heidelberg (2005). https://doi.org/10.1007/11554554_8
Das, A., Doumane, A., Pous, D.: Left-handed completeness for Kleene algebra, via cyclic proofs. In: 22nd International Conference on Logic for Programming, Artificial Intelligence and Reasoning, LPAR. EPiC Series in Computing, vol. 57, pp. 271–289 (2018)
Das, A., Pous, D.: A cut-free cyclic proof system for Kleene algebra. In: Schmidt, R.A., Nalon, C. (eds.) TABLEAUX 2017. LNCS (LNAI), vol. 10501, pp. 261–277. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66902-1_16
Dekker, M., Kloibhofer, J., Marti, J., Venema, Y.: Proof systems for the modal \(\mu \)-calculus obtained by determinizing automata. In: Ramanayake, R., Urban, J. (eds.) TABLEAUX 2023. LNCS, vol. 14278, pp. 242–259. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-43513-3_14
Kozen, D.: A completeness theorem for Kleene algebras and the algebra of regular events. Inf. Comput. 110(2), 366–390 (1994)
Kozen, D.: Kleene algebra with tests. ACM Trans. Program. Lang. Syst. 19(3), 427–443 (1997)
Kozen, D.: Nonlocal flow of control and Kleene algebra with tests. In: 23rd Annual Symposium on Logic in Computer Science, LICS, pp. 105–117. IEEE (2008)
Kozen, D., Tseng, W.-L.D.: The Böhm–Jacopini theorem is false, propositionally. In: Audebaud, P., Paulin-Mohring, C. (eds.) MPC 2008. LNCS, vol. 5133, pp. 177–192. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70594-9_11
Kuperberg, D., Pinault, L., Pous, D.: Cyclic proofs, system T, and the power of contraction. In: 48th Annual Symposium on Principles of Programming Languages, POPL, pp. 1–28 (2021)
Marti, J., Venema, Y.: Focus-style proof systems and interpolation for the alternation-free \(\mu \)-calculus, arXiv preprint arXiv:2103.01671 (2021)
Rooduijn, J., Kozen, D., Silva, A.: A cyclic proof system for Guarded Kleene Algebra with Tests (full version) (2024). https://arxiv.org/abs/2405.07505
Rooduijn, J.: Fragments & Frame Classes. Ph.D. thesis, University of Amsterdam (2024)
Rozowski, W., Kappé, T., Kozen, D., Schmid, T., Silva, A.: Probabilistic guarded KAT modulo bisimilarity: completeness and complexity. In: 50th International Colloquium on Automata, Languages, and Programming, ICALP. LIPIcs, vol. 261, pp. 136:1–136:20. Schloss Dagstuhl (2023)
Salomaa, A.: Two complete axiom systems for the algebra of regular events. J. ACM 13(1), 158–169 (1966)
Savateev, Y., Shamkanov, D.: Cut-elimination for the modal Grzegorczyk logic via non-well-founded proofs. In: Kennedy, J., de Queiroz, R.J.G.B. (eds.) WoLLIC 2017. LNCS, vol. 10388, pp. 321–335. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-55386-2_23
Schmid, T., Kappé, T., Kozen, D., Silva, A.: Guarded Kleene algebra with tests: coequations, coinduction, and completeness. In: 48th International Colloquium on Automata, Languages, and Programming, ICALP. LIPIcs, vol. 198, pp. 142:1–142:14. Schloss Dagstuhl (2021)
Schmid, T., Kappé, T., Silva, A.: A complete inference system for skip-free guarded Kleene algebra with tests. In: Wies, T. (ed.) ESOP 2023. LNCS, vol. 13990, pp. 309–336. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30044-8_12
Smolka, S., Foster, N., Hsu, J., Kappé, T., Kozen, D., Silva, A.: Guarded Kleene algebra with tests: verification of uninterpreted programs in nearly linear time. In: 47th Annual Symposium on Principles of Programming Languages, POPL, pp. 61:1–61:28 (2020)
Sprenger, C., Dam, M.: On the structure of inductive reasoning: circular and tree-shaped proofs in the \(\mu \)-calculus. In: Gordon, A.D. (ed.) FoSSaCS 2003. LNCS, vol. 2620, pp. 425–440. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36576-1_27
Zetzsche, S., Silva, A., Sammartino, M.: Guarded Kleene algebra with tests: automata learning. In: Proceedings of the 38th Conference on the Mathematical Foundations of Programming Semantics, MFPS. EPTICS, vol. 1. EpiSciences (2022)
Acknowledgments
Jan Rooduijn thanks Anupam Das, Tobias Kappé, Johannes Marti and Yde Venema for insightful discussions on the topic of this paper. Alexandra Silva wants to acknowledge Sonia Marin, who some years ago proposed a similar master project at UCL. We moreover thank the reviewers for their helpful comments, in particular for pointing out that our complexity result could be sharpened. Lastly, Jan Rooduijn is grateful for the inspiring four-week research visit at the Computer Science department of Cornell in the summer of 2022.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2024 The Author(s)
About this paper
Cite this paper
Rooduijn, J., Kozen, D., Silva, A. (2024). A Cyclic Proof System for Guarded Kleene Algebra with Tests. In: Benzmüller, C., Heule, M.J., Schmidt, R.A. (eds) Automated Reasoning. IJCAR 2024. Lecture Notes in Computer Science(), vol 14740. Springer, Cham. https://doi.org/10.1007/978-3-031-63501-4_14
Download citation
DOI: https://doi.org/10.1007/978-3-031-63501-4_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-63500-7
Online ISBN: 978-3-031-63501-4
eBook Packages: Computer ScienceComputer Science (R0)