Complete Sequent Calculi for Induction and Infinite Descent James - - PowerPoint PPT Presentation

Complete Sequent Calculi for Induction and Infinite Descent

James Brotherston

Programming Principles, Logic and Verification Group

• Dept. of Computer Science

University College London, UK J.Brotherston@ucl.ac.uk

Leeds Logic Seminar, 17 February 2016

1/ 26

Introduction

• We investigate and compare two related styles of inductive

reasoning:

2/ 26

Introduction

• We investigate and compare two related styles of inductive

reasoning:

• 1. explicit rule induction over definitions;

2/ 26

Introduction

• We investigate and compare two related styles of inductive

reasoning:

• 1. explicit rule induction over definitions;
• 2. infinite descent `

a la Fermat.

2/ 26

Introduction

• We investigate and compare two related styles of inductive

reasoning:

• 1. explicit rule induction over definitions;
• 2. infinite descent `

a la Fermat.

• We work in first-order logic with inductive definitions.

2/ 26

Introduction

• We investigate and compare two related styles of inductive

reasoning:

• 1. explicit rule induction over definitions;
• 2. infinite descent `

a la Fermat.

• We work in first-order logic with inductive definitions.
• We formulate and compare proof-theoretic foundations of

thes two styles of reasoning above, using Gentzen-style sequent calculus proof systems.

2/ 26

Part I Inductive definitions in first-order logic

3/ 26

First-order logic with inductive definitions (FOLID)

• We extend standard first-order logic with a schema for

inductive definitions.

4/ 26

First-order logic with inductive definitions (FOLID)

• We extend standard first-order logic with a schema for

inductive definitions.

• Our inductive rules are each of the form:

P1(t1(x)) . . . Pm(tm(x)) ⇒ P(t(x)) where P, P1, . . . , Pm are predicate symbols.

4/ 26

First-order logic with inductive definitions (FOLID)

• We extend standard first-order logic with a schema for

inductive definitions.

• Our inductive rules are each of the form:

P1(t1(x)) . . . Pm(tm(x)) ⇒ P(t(x)) where P, P1, . . . , Pm are predicate symbols.

• E.g., define N, E, O, R+ (natural nos; even/odd nos;

transitive closure of R) by rules ⇒ N0 ⇒ E0 Rxy ⇒ R+xy Nx ⇒ Nsx Ox ⇒ Esx R+xy, R+yz ⇒ R+xz Ex ⇒ Osx

4/ 26

Standard models of FOLID

• The inductive rules determine a monotone operator ϕΦ on

any first-order structure M.

5/ 26

Standard models of FOLID

• The inductive rules determine a monotone operator ϕΦ on

any first-order structure M. E.g., for N: ϕΦN (X) = {0M} ∪ {sMx | x ∈ X}

• In standard models, P M is the least prefixed point of the

corresponding operator.

5/ 26

Standard models of FOLID

• The inductive rules determine a monotone operator ϕΦ on

any first-order structure M. E.g., for N: ϕΦN (X) = {0M} ∪ {sMx | x ∈ X}

• In standard models, P M is the least prefixed point of the

corresponding operator.

• This least prefixed point can be approached via a sequence

(ϕα

Φ) of approximants.

5/ 26

Standard models of FOLID

• The inductive rules determine a monotone operator ϕΦ on

any first-order structure M. E.g., for N: ϕΦN (X) = {0M} ∪ {sMx | x ∈ X}

• In standard models, P M is the least prefixed point of the

corresponding operator.

• This least prefixed point can be approached via a sequence

(ϕα

Φ) of approximants. E.g. for N we have:

ϕ0

ΦN = ∅, ϕ1 ΦN = {0M}, ϕ2 ΦN = {0M, sM0M}, . . .

5/ 26

Henkin models of FOLID

• We can also give non-standard interpretations to the

inductive predicates of the language, in so-called Henkin models.

6/ 26

Henkin models of FOLID

• We can also give non-standard interpretations to the

inductive predicates of the language, in so-called Henkin models.

• A class of sets H over a first order structure M is a Henkin

class if, roughly speaking, every first-order-definable relation is interpretable inside it.

6/ 26

Henkin models of FOLID

• We can also give non-standard interpretations to the

inductive predicates of the language, in so-called Henkin models.

• A class of sets H over a first order structure M is a Henkin

class if, roughly speaking, every first-order-definable relation is interpretable inside it.

• (M, H) is a Henkin model if the least prefixed point of ϕΦ

exists inside H; we define P M to be this point.

6/ 26

Part II Sequent calculus for explicit induction

7/ 26

LKID: a sequent calculus for induction in FOLID

Extend the usual sequent calculus LKe for classical first-order logic with equality by adding rules for inductive predicates.

8/ 26

LKID: a sequent calculus for induction in FOLID

Extend the usual sequent calculus LKe for classical first-order logic with equality by adding rules for inductive predicates. E.g., right-introduction rules for N are: (NR1) Γ ⊢ N0, ∆ Γ ⊢ Nt, ∆ (NR2) Γ ⊢ Nst, ∆

8/ 26

LKID: a sequent calculus for induction in FOLID

Extend the usual sequent calculus LKe for classical first-order logic with equality by adding rules for inductive predicates. E.g., right-introduction rules for N are: (NR1) Γ ⊢ N0, ∆ Γ ⊢ Nt, ∆ (NR2) Γ ⊢ Nst, ∆ The left-introduction rule embodies rule induction: Γ ⊢ F0, ∆ Γ, Fx ⊢ Fsx, ∆ Γ, Ft ⊢ ∆ (x fresh) (Ind N) Γ, Nt ⊢ ∆

8/ 26

LKID: a sequent calculus for induction in FOLID

Extend the usual sequent calculus LKe for classical first-order logic with equality by adding rules for inductive predicates. E.g., right-introduction rules for N are: (NR1) Γ ⊢ N0, ∆ Γ ⊢ Nt, ∆ (NR2) Γ ⊢ Nst, ∆ The left-introduction rule embodies rule induction: Γ ⊢ F0, ∆ Γ, Fx ⊢ Fsx, ∆ Γ, Ft ⊢ ∆ (x fresh) (Ind N) Γ, Nt ⊢ ∆

• NB. Mutual definitions give rise to mutual induction rules.

8/ 26

Results about LKID

Proposition (Soundness) Any LKID-provable sequent is valid in all Henkin models.

9/ 26

Results about LKID

Proposition (Soundness) Any LKID-provable sequent is valid in all Henkin models. Theorem (Completeness) Any sequent valid in all Henkin models is cut-free provable in LKID.

9/ 26

Results about LKID

Proposition (Soundness) Any LKID-provable sequent is valid in all Henkin models. Theorem (Completeness) Any sequent valid in all Henkin models is cut-free provable in LKID.

• Supposing Γ ⊢ ∆ not provable, we use a uniform infinitary

search procedure to build an unprovable limit sequent Γω ⊢ ∆ω.

9/ 26

Results about LKID

Proposition (Soundness) Any LKID-provable sequent is valid in all Henkin models. Theorem (Completeness) Any sequent valid in all Henkin models is cut-free provable in LKID.

• Supposing Γ ⊢ ∆ not provable, we use a uniform infinitary

search procedure to build an unprovable limit sequent Γω ⊢ ∆ω.

• We then use this limit sequent to define a syntactic

countermodel for Γ ⊢ ∆.

9/ 26

Results about LKID

Proposition (Soundness) Any LKID-provable sequent is valid in all Henkin models. Theorem (Completeness) Any sequent valid in all Henkin models is cut-free provable in LKID.

• Supposing Γ ⊢ ∆ not provable, we use a uniform infinitary

search procedure to build an unprovable limit sequent Γω ⊢ ∆ω.

• We then use this limit sequent to define a syntactic

countermodel for Γ ⊢ ∆.

• (We need to define a Henkin class and deal with inductive

predicates though.)

9/ 26

Cut-elimination in LKID

Corollary Any LKID-provable sequent is provable without cut.

10/ 26

Cut-elimination in LKID

Corollary Any LKID-provable sequent is provable without cut. This is contrary to the popular myth that cut-elimination is impossible in the presence of induction.

10/ 26

Cut-elimination in LKID

Corollary Any LKID-provable sequent is provable without cut. This is contrary to the popular myth that cut-elimination is impossible in the presence of induction. In fact, the real limitation is that the subformula property is not achievable.

10/ 26

Cut-elimination in LKID

Corollary Any LKID-provable sequent is provable without cut. This is contrary to the popular myth that cut-elimination is impossible in the presence of induction. In fact, the real limitation is that the subformula property is not achievable. Proposition The eliminability of cut in LKID implies the consistency of Peano arithmetic.

10/ 26

Cut-elimination in LKID

Corollary Any LKID-provable sequent is provable without cut. This is contrary to the popular myth that cut-elimination is impossible in the presence of induction. In fact, the real limitation is that the subformula property is not achievable. Proposition The eliminability of cut in LKID implies the consistency of Peano arithmetic. Hence there is no elementary proof of cut-eliminability in LKID.

10/ 26

Part III Sequent calculus for infinite descent

11/ 26

LKIDω: a proof system for infinite descent in FOLID

• Rules are as for LKID except the induction rules are

replaced by weaker case-split rules.

12/ 26

LKIDω: a proof system for infinite descent in FOLID

• Rules are as for LKID except the induction rules are

replaced by weaker case-split rules. E.g. for N: Γ, t = 0 ⊢ ∆ Γ, t = sx, Nx ⊢ ∆ (x fresh) (Case N) Γ, Nt ⊢ ∆

12/ 26

LKIDω: a proof system for infinite descent in FOLID

• Rules are as for LKID except the induction rules are

replaced by weaker case-split rules. E.g. for N: Γ, t = 0 ⊢ ∆ Γ, t = sx, Nx ⊢ ∆ (x fresh) (Case N) Γ, Nt ⊢ ∆

• Pre-proofs are infinite (non-well-founded) derivation trees.

12/ 26

LKIDω: a proof system for infinite descent in FOLID

• Rules are as for LKID except the induction rules are

replaced by weaker case-split rules. E.g. for N: Γ, t = 0 ⊢ ∆ Γ, t = sx, Nx ⊢ ∆ (x fresh) (Case N) Γ, Nt ⊢ ∆

• Pre-proofs are infinite (non-well-founded) derivation trees.
• For soundness we need to impose an additional condition
• n pre-proofs.

12/ 26

Traces

• A trace following a path in an LKIDω pre-proof tracks an

inductive predicate occurring on the left of the sequents on the path.

13/ 26

Traces

• A trace following a path in an LKIDω pre-proof tracks an

inductive predicate occurring on the left of the sequents on the path.

• A trace progresses when the inductive predicate is unfolded

using its case-split rule.

13/ 26

Traces

• A trace following a path in an LKIDω pre-proof tracks an

inductive predicate occurring on the left of the sequents on the path.

• A trace progresses when the inductive predicate is unfolded

using its case-split rule.

• A pre-proof is a proof if, for every infinite path in it, there

is an infinitely progressing trace following some tail of the path.

13/ 26

A sample proof

(ER1) ⊢ E0, O0 (=L) x0 = 0 ⊢Ex0, Ox0 (etc.) . . . (Case N) Nx1 ⊢ Ex1, Ox1 (OR1) Nx1 ⊢ Ox1, Osx1 (ER2) Nx1 ⊢ Esx1, Osx1 (=L) x0 = sx1, Nx1 ⊢ Ex0, Ox0 (Case N) Nx0 ⊢ Ex0, Ox0

14/ 26

A sample proof

(ER1) ⊢ E0, O0 (=L) x0 = 0 ⊢Ex0, Ox0 (etc.) . . . (Case N) Nx1 ⊢ Ex1, Ox1 (OR1) Nx1 ⊢ Ox1, Osx1 (ER2) Nx1 ⊢ Esx1, Osx1 (=L) x0 = sx1, Nx1 ⊢ Ex0, Ox0 (Case N) Nx0 ⊢ Ex0, Ox0 Continuing the expansion of the right branch, the formulas in red form an infinitely progressing trace, so the pre-proof thus

• btained is indeed an LKIDω proof.

14/ 26

LKIDω: soundness

Proposition Any LKIDω-provable sequent is valid in all standard models.

15/ 26

LKIDω: soundness

Proposition Any LKIDω-provable sequent is valid in all standard models. Roughly:

• Suppose Γ ⊢ ∆ is not valid. Since rules are locally sound,

there must be an infinite path in the pre-proof consisting of invalid sequents.

15/ 26

LKIDω: soundness

Proposition Any LKIDω-provable sequent is valid in all standard models. Roughly:

• Suppose Γ ⊢ ∆ is not valid. Since rules are locally sound,

there must be an infinite path in the pre-proof consisting of invalid sequents.

• By the soundness condition, there is an infinitely

progressing trace of this path following some predicate P say.

15/ 26

LKIDω: soundness

Proposition Any LKIDω-provable sequent is valid in all standard models. Roughly:

• Suppose Γ ⊢ ∆ is not valid. Since rules are locally sound,

there must be an infinite path in the pre-proof consisting of invalid sequents.

• By the soundness condition, there is an infinitely

progressing trace of this path following some predicate P say.

• But then we can construct an infinite descending chain of
• rdinals based on the approximants of P, contradiction.

15/ 26

Completeness of LKIDω

Theorem Any sequent valid in all standard models has a cut-free proof in LKIDω.

16/ 26

Completeness of LKIDω

Theorem Any sequent valid in all standard models has a cut-free proof in LKIDω.

• Given Γ ⊢ ∆ (not provable), we construct an infinite

derivation tree corresponding to an exhaustive search for a proof of it.

16/ 26

Completeness of LKIDω

Theorem Any sequent valid in all standard models has a cut-free proof in LKIDω.

• Given Γ ⊢ ∆ (not provable), we construct an infinite

derivation tree corresponding to an exhaustive search for a proof of it.

• Either the tree gets stuck at some node which we call

Γω ⊢ ∆ω, or else some branch fails the trace condition, in which case Γω ⊢ ∆ω is the “limit union” of the sequents along this branch.

16/ 26

Completeness of LKIDω

Theorem Any sequent valid in all standard models has a cut-free proof in LKIDω.

• Given Γ ⊢ ∆ (not provable), we construct an infinite

derivation tree corresponding to an exhaustive search for a proof of it.

• Either the tree gets stuck at some node which we call

Γω ⊢ ∆ω, or else some branch fails the trace condition, in which case Γω ⊢ ∆ω is the “limit union” of the sequents along this branch.

• Either way, we show Γω ⊢ ∆ω is not provable (this uses the

trace condition).

16/ 26

Completeness of LKIDω

Theorem Any sequent valid in all standard models has a cut-free proof in LKIDω.

• Given Γ ⊢ ∆ (not provable), we construct an infinite

derivation tree corresponding to an exhaustive search for a proof of it.

• Either the tree gets stuck at some node which we call

Γω ⊢ ∆ω, or else some branch fails the trace condition, in which case Γω ⊢ ∆ω is the “limit union” of the sequents along this branch.

• Either way, we show Γω ⊢ ∆ω is not provable (this uses the

trace condition).

• Thus we can use Γω ⊢ ∆ω to construct a syntactic

counter-model (the inductive predicate case also uses the trace condition).

16/ 26

Eliminability of cut

Corollary Any LKIDω-provable sequent also has a cut-free LKIDω proof.

17/ 26

Eliminability of cut

Corollary Any LKIDω-provable sequent also has a cut-free LKIDω proof. Unlike in LKID, cut-free proofs in LKIDω enjoy a property akin to the subformula property, which seems close to the spirit of Girard’s “purity of methods”.

17/ 26

Part IV Cyclic proofs by infinite descent

18/ 26

CLKIDω: a cyclic subsystem of LKIDω

• The infinitary system LKIDω is clearly unsuitable for

formal reasoning!

19/ 26

CLKIDω: a cyclic subsystem of LKIDω

• The infinitary system LKIDω is clearly unsuitable for

formal reasoning!

• Indeed, completeness for standard validity implies that

there is no complete enumeration of LKIDω proofs.

19/ 26

CLKIDω: a cyclic subsystem of LKIDω

• The infinitary system LKIDω is clearly unsuitable for

formal reasoning!

• Indeed, completeness for standard validity implies that

there is no complete enumeration of LKIDω proofs.

• However, the restriction of LKIDω to proofs given by

regular trees, which we call CLKIDω, is a natural one that is suitable for formal reasoning.

19/ 26

CLKIDω: a cyclic subsystem of LKIDω

• The infinitary system LKIDω is clearly unsuitable for

formal reasoning!

• Indeed, completeness for standard validity implies that

there is no complete enumeration of LKIDω proofs.

• However, the restriction of LKIDω to proofs given by

regular trees, which we call CLKIDω, is a natural one that is suitable for formal reasoning.

• In this restricted system, every proof can be represented as

a finite (cyclic) graph.

19/ 26

Cyclic proofs

• · · · •

(Inference)

• (Axiom)
• 20/ 26

A cyclic proof

(ER1) ⊢ E0, O0 Nz ⊢ Oz, Ez (†) (Subst) Ny ⊢ Oy, Ey (OR1) Ny ⊢ Oy, Osy (ER2) Ny ⊢ Esy, Osy (NL) Nz ⊢ Ez, Oz (†)

21/ 26

A cyclic proof

(ER1) ⊢ E0, O0 Nz ⊢ Oz, Ez (†) (Subst) Ny ⊢ Oy, Ey (OR1) Ny ⊢ Oy, Osy (ER2) Ny ⊢ Esy, Osy (NL) Nz ⊢ Ez, Oz (†) Any infinite path has a tail consisting of repetitions of the loop indicated by (†), and there is a progressing trace on this loop. By concatenating copies of this trace we obtain an infinitely progressing trace as required.

21/ 26

Results about CLKIDω

Proposition (Proof-checking decidability) It is decidable whether a CLKIDω pre-proof is a proof.

22/ 26

Results about CLKIDω

Proposition (Proof-checking decidability) It is decidable whether a CLKIDω pre-proof is a proof. Theorem Any LKID proof can be transformed into a CLKIDω proof.

22/ 26

Results about CLKIDω

Proposition (Proof-checking decidability) It is decidable whether a CLKIDω pre-proof is a proof. Theorem Any LKID proof can be transformed into a CLKIDω proof. (Proof: We show how to derive any induction rule in CLKIDω.)

22/ 26

Results about CLKIDω

Proposition (Proof-checking decidability) It is decidable whether a CLKIDω pre-proof is a proof. Theorem Any LKID proof can be transformed into a CLKIDω proof. (Proof: We show how to derive any induction rule in CLKIDω.) Conjecture Any CLKIDω-provable sequent is also LKID-provable.

22/ 26

Results about CLKIDω

Proposition (Proof-checking decidability) It is decidable whether a CLKIDω pre-proof is a proof. Theorem Any LKID proof can be transformed into a CLKIDω proof. (Proof: We show how to derive any induction rule in CLKIDω.) Conjecture Any CLKIDω-provable sequent is also LKID-provable. This conjecture can be seen as a formalised version of: Proof by induction is equivalent to regular proof by infinite descent.

22/ 26

Part V Summary

23/ 26

Summary

standard validity Henkin validity cut-free provability in LKIDω cut-free provability in LKID provability in CLKIDω inclusion completeness soundness soundness completeness subsystem + cut-elim transformation conjecture

24/ 26

Some more recent developments

• Cyclic proof has started to see use in automatic theorem

proving and in program verification tools.

25/ 26

Some more recent developments

• Cyclic proof has started to see use in automatic theorem

proving and in program verification tools.

• Cyclic systems have been developed for various other logics

with inductive definitions or fixed point operators.

25/ 26

Some more recent developments

• Cyclic proof has started to see use in automatic theorem

proving and in program verification tools.

• Cyclic systems have been developed for various other logics

with inductive definitions or fixed point operators.

• Attempts at solving the conjecture. . .

25/ 26

Further reading

• P. Martin-L¨
• f.

Haupstatz for the intuitionistic theory of iterated inductive definitions. In Proc. Second Scandinavian Logic Symposium, 1971.

• J. Brotherston and A. Simpson.

Sequent calculi for induction and infinite descent. In Journal of Logic and Computation 21(6), 2011.

• J. Brotherston, R. Bornat and C. Calcagno.

Cyclic proofs of program termination in separation logic. In Proc. POPL, 2008.

• J. Brotherston and N. Gorogiannis.

A generic cyclic theorem prover. In Proc. APLAS, 2012.

• C. Sprenger and M. Dam.

On the structure of inductive reasoning: circular and tree-shaped proofs in the µ-calculus. In Proceedings of FOSSACS, 2003.

26/ 26