A Rewriting Logic Approach to Specification, Proof-search, and Meta-proofs in Sequent Systems
aa r X i v : . [ c s . L O ] J a n Noname manuscript No. (will be inserted by the editor)
A Rewriting Logic Approach to Specification, Proof-search,and Meta-proofs in Sequent Systems
Carlos Olarte · Elaine Pimentel · Camilo Rocha
Received: date / Accepted: date
Abstract
This paper develops an algorithmic-based approach for proving inductiveproperties of propositional sequent systems such as admissibility, invertibility, cut-elimination, and identity expansion. Although undecidable in general, these struc-tural properties are crucial in proof theory because they can reduce the proof-searcheffort and further be used as scaffolding for obtaining other meta-results such as con-sistency. The algorithms –which take advantage of the rewriting logic meta-logicalframework, and use rewrite- and narrowing-based reasoning– are explained in detailand illustrated with examples throughout the paper. They have been fully mechanizedin the
L-Framework , thus offering both a formal specification language and off-the-shelf mechanization of the proof-search algorithms coming together with semi-decision procedures for proving theorems and meta-theorems of the object system.As illustrated with case studies in the paper, the
L-Framework achieves a great de-gree of automation when used on several propositional sequent systems, includingsingle conclusion and multi-conclusion intuitionistic logic, classical logic, classicallinear logic and its dyadic system, intuitionistic linear logic, and normal modal logics.
Keywords
Sequent systems · L-Framework · Rewriting logic · Proof Theory
Contents
Gentzen’s sequent systems [13] have proved to be a flexible and robust logical for-malism for specifying proof systems. With the advent of new needs in the form oftechniques and technologies (e.g., to reason in temporal, epistemic, and modal do-mains), the past decades have witnessed a vivid scene where novel sequent-basedcalculi have been proposed (see, e.g., [5, 18]. It is fair to say that one of the mostimportant aims of these new systems is the ultimate goal of having both a formalspecification language and a mechanization of proof-search algorithms coming to-gether with decision procedures –whenever possible and feasible.Cut-free sequent systems are key for this latter purpose. Intuitively, the cut-ruleexpresses the mathematical use of lemmas in proofs: if A follows from B and C fol-lows from A , then C follows from B . That is, one can cut the intermediate lemma A .Cut-elimination theorems then state that any judgment that possesses a proof mak-ing use of the cut-rule, also possesses a proof that does not make use of it. This is ofpractical convenience for proof-search purposes because it is often much easier to findproofs when the need to mechanically come up with auxiliary lemmas can be avoided.Moreover, there are important applications of cut-elimination theorems, such as thereduction of consistency proofs and “subformula properties” to mere structural syn-tactic checks. However, structural properties of a logical system such as cut-freenessare actually inductive meta-properties and thus undecidable to check in general. Inpractice, proof-theoretic approaches to establish them usually require combinatorialsearch heuristics based on the structure of formulas of each particular system. Theseheuristics, in turn, may depend on the ability to prove other inductive properties. Forinstance, Gentzen-style proofs of cut-elimination heavily depends on checking ad-missibility of other structural rules (e.g., weakening and contraction) and showingthat some of the sequent rules defining the system are invertible.The main goal of this article is to present the L-Framework , a tool for alge-braically specifying and analyzing propositional sequent systems. It provides both aspecific scaffolding of constructs usually found in a sequent system, and off-the-shelfalgorithms for proving inductive properties such as admissibility, invertibility, cut-elimination, and identity expansion. The proposed framework is generic in the sensethat only mild restrictions are imposed on the formulas of the sequent system, and modular since cut-elimination, admissibility, invertibility, and identity expansion canbe proved incrementally.The algorithms and their implementation in the L-Framework are based on theexpressive power of rewriting logic [24], both as a logical and a reflective meta-logical framework [2,23]. A sequent system is specified as a rewriting logic theory S and a sequent as a formula ϕ in the syntax of S . In this setting, the process of build-ing a proof of ϕ in S is cast as a reachability goal of the form S ⊢ ϕ ∗ → ⊤ , where https://carlosolarte.github.io/L-framework/ itle Suppressed Due to Excessive Length 3 ⊤ denotes the empty sequent. Therefore, as a logical framework, rewriting logic di-rectly serves the purpose of providing a proof-search algorithm at the object level of S . Since rewriting logic is reflective, a universal rewrite theory U is further used toprove meta-logical properties (e.g., cut-freeness) of the system S . More precisely,such proofs are specified as reachability goals of the form U ⊢ (cid:0) S ; Γ (cid:1) ∗ → (cid:0) S ; ⊤ (cid:1) ,where Γ is a set of sequents representing the proof-obligations to be discharged, and S and Γ are the meta-representation of S and Γ in the syntax of the universal the-ory U , respectively. In this way, starting with the specification of the propositionalsequent S in rewriting logic, the framework presented in this paper enables both theproof of theorems and inductive meta-theorems of S .The framework comprises a generic rewrite theory offering sorts, operators, andstandard procedures for proof-search at the object- and meta-level. The sorts are usedto represent different elements of the syntactic structure of a sequent system such asformulas, sets of formulas, sequents, and collections of sequents. The inference rulesof a sequent system are specified as reversed rewrite rules, so that an inference stepof the mechanized system is carried out by matching a sequent to the conclusion ofan inference rule, and replacing the latter by the corresponding substitution instanceof the rule’s premises. Conceptually, a proof at the object level is found when allproof-obligations are conclusions of inference rules without premises (i.e., axioms).Once a sequent system S is specified, proofs of its cut-freeness, admissibility,invertibility, and identity expansion properties can be searched for. The process ofobtaining proofs for each one of these properties follows a similar pattern. Namely,the rules of S are used by pair-wise comparison and narrowing to generate the induc-tive hypothesis H and the proof obligations Γ . Therefore, if for each pair ( H , Γ ) the(meta-)reachability goal U ⊢ (cid:0) S ∪ H ; Γ (cid:1) ∗ → (cid:0) S ∪ H ; ⊤ (cid:1) can be answered posi-tively, then the corresponding property of the sequent system S holds. The univer-sal theory U contains the rewrite- and narrowing-based heuristics that operate over S ∪ H and Γ . Much of the effort in obtaining the proposed framework was devoteddesigning such meta-level heuristics and fully implementing them in Maude [8], ahigh-performance reflective language and system supporting rewriting logic.The case studies presented in this paper comprise several propositional sequentsystems, encompassing different proof-theoretical aspects. The chosen systems in-clude: single conclusion ( G3ip ) and multi-conclusion intuitionistic logic ( mLJ ), clas-sical logic (
G3cp ), classical linear logic ( LL ) and its dyadic system ( DyLL ), intuition-istic linear logic (
ILL ), and normal modal logics ( K and S4 ). Beyond advocating forthe use of rewriting logic as a meta-logical framework, the novel algorithms presentedhere are able to automatically discharge many proof obligations and ultimately obtainthe expected results.This paper is an extended version of the work [30], bringing not only new resultsand analyses, but also new uses of the L-Framework tool. In particular: – Properties and the spectrum of logics: the procedures have been updated andextended to automatically check invertibility of rules in a larger class of logicalsystems, including modal logics and variants of linear logic. Moreover, the cur-rent analyses prove stronger properties: invertibility lemmas and admissibility ofstructural rules are shown to be height-preserving (a fact needed in the proof of
Carlos Olarte et al. cut-elimination). For that, the definitions and necessary conditions in Section 5were refined. – New reasoning techniques: cut-elimination is probably the most important prop-erty of sequent systems. This paper shows how to use the proposed frameworkto automatically discard most of the cases in proofs of cut-elimination. In somecases, the proposed algorithms are able to complete entire cut-elimination proofs.The cases of failure are also interesting, since they tell much about the reasons forsuch failure. Some are fixable by proving and adding invertibility and admissibil-ity lemmas. Others can be used in order to shed light on the reason for the failure.Finally, this work also addresses the dual property of identity expansion. Togetherwith cut-elimination, this property is core on designing harmonical systems [12]. – Pretty printing and output: the previous implementation has been updated togenerate proof terms that can be used, e.g., to produce L A TEX files with the prooftrees in the meta-proofs. This allows for generating documents with complete anddetailed proofs of several results in the literature, as well as identifying dependen-cies among the different theorems.
Outline.
The rest of the paper is organized as follows. Section 2 introduces the struc-tural properties of sequent systems that are considered in this work and Section 3presents order-sorted rewriting logic and its main features as a logical framework.Section 4 presents the machinery used for specifying sequent systems as rewrite the-ories. Then, Section 5 establishes how to prove the structural properties based ona rewriting approach. Section 6 addresses cut-elimination and identity expansion.The design principles behind the
L-Framework are described in Section 7. Section 8presents different sequent systems and properties that can be proved with the ap-proach. Finally, Section 9 concludes the paper and presents some future researchdirections.
This section presents and illustrates with examples the properties of admissibility and invertibility of rules in sequent systems [27, 35]. Additional notation and standarddefinitions are established to make the text self-contained.
Definition 1 (Sequent)
Let L be a formal language consisting of well-formed for-mulas. A sequent is an expression of the form Γ ⊢ ∆ where Γ (the antecedent ) and ∆ (the succedent ) are finite multisets of formulas in L , and ⊢ is the consequence symbol. If the succedent of a sequent contains at most one formula, it is called single-conclusion ; otherwise, it is called multiple-conclusion . Definition 2 (Sequent System) A sequent system S is a set of inference rules. Eachinference rule is a rule schema and a rule instance is a rule application . An inferencerule has the form S · · · S n S r itle Suppressed Due to Excessive Length 5 Γ , p ⊢ p I Γ ⊢ ⊤ ⊤ R Γ ⊢ C Γ , ⊤ ⊢ C ⊤ L Γ , ⊥ ⊢ C ⊥ L Γ , F ⊢ C Γ , G ⊢ C Γ , F ∨ G ⊢ C ∨ L Γ ⊢ F i Γ ⊢ F ∨ F ∨ R i Γ , F , G ⊢ C Γ , F ∧ G ⊢ C ∧ L Γ ⊢ F Γ ⊢ G Γ ⊢ F ∧ G ∧ R Γ , F ⊃ G ⊢ F Γ , G ⊢ C Γ , F ⊃ G ⊢ C ⊃ L Γ , F ⊢ G Γ ⊢ F ⊃ G ⊃ R Fig. 1: System
G3ip for propositional intuitionistic logic. In the I axiom, p is atomic.where the sequent S is the conclusion inferred from the premise sequents S , . . . , S n in the rule r . If the set of premises is empty, then r is an axiom . In a rule introducing aconnective, the formula with that connective in the conclusion sequent is the principalformula . When sequents are restricted to having empty antecedents (hence being ofthe shape ⊢ ∆ ), the system is called one-sided ; otherwise it is called two-sided .As an example, Fig. 1 presents the two-sided single-conclusion propositional in-tuitionistic sequent system G3ip [35], with formulas built from the grammar: F , G :: = p | ⊤ | ⊥ | F ∨ G | F ∧ G | F ⊃ G where p ranges over atomic propositions. In this system, for instance, the formula F ∨ G in the conclusion sequent of the inference rule ∨ L is the principal formula. Definition 3 (Derivation) A derivation in a sequent system S (called S -derivation)is a finite rooted tree with nodes labeled by sequents, axioms at the top nodes, andwhere each node is connected with the (immediate) successor nodes (if any) accord-ing to its inference rules. A sequent S is derivable in the sequent system S , notation S ◮ S , iff there is a derivation of S in S . The system S is usually omitted when itcan be inferred from the context.It is important to distinguish the two different notions associated to the symbols ⊢ and ◮ , namely: the former is used to build sequents and the latter denotes derivabilityin a sequent system. Definition 4 (Height of derivation)
The height of a derivation is the greatest numberof successive applications of rules in it, where an axiom has height 1. The expression S ◮ n Γ ⊢ ∆ denotes that the sequent Γ ⊢ ∆ is derivable in S with a height of derivation at most n .A property is said height-preserving if such n is an invariant. The annotated sequent Γ ⊢ n ∆ is a shorthand for S ◮ n Γ ⊢ ∆ when S is clear from the context. Moreover, when Γ and ∆ are unimportant or irrelevant, this notation is further simplified to n : S . Carlos Olarte et al.
In what follows, annotated sequents are freely used in inference rules. For in-stance, if s ( · ) represents the successor function on natural numbers, then n : S . . . n : S k s ( n ) : S r represents the annotated rule r stating thatif S ◮ n S i for each i = , . . . , k , then S ◮ s ( n ) S It may be useful to derive new rules from the ones initially proposed in a system,since this may ease the reasoning when proving properties. Such derived new rules aresaid to be admissible in the system.
Invertibility , on the other hand, is the admissibilityof “upside-down” rules, where the premises of a rule are derived from the conclusion.Invertibility is one of the most important properties in proof theory, since it is thecore of proofs of cut-elimination [13], as well as the basis for tailoring focused proofsystems [1, 21].
Definition 5 (Admissibility and Invertibility)
Let S be a sequent system. An in-ference rule S · · · S k S is called:i. admissible in S if S is derivable in S whenever S , . . . , S k are derivable in S .ii. invertible in S if the rules SS , . . . , SS k are admissible in S .The admissibility of structural rules is often required in the proof of other prop-erties. A structural rule does not introduce logical connectives, but instead changesthe structure of the sequent. Since sequents are built from multisets, such changes arerelated to the cardinality of a formula or its presence/absence in a context.In the intuitionistic setting, the structural rules for weakening and contraction Γ ⊢ C Γ , ∆ ⊢ C W and Γ , ∆ , ∆ ⊢ C Γ , ∆ ⊢ C C (1)are height-preserving admissible in G3ip . A proof of the admissibility of weakeningcan be built by induction on the height of derivations (considering all possible ruleapplications) and it is often independent of any other results. For example, supposethat
G3ip ◮ n Γ ⊢ C and consider, e.g., the case where C = A ⊃ B and that the lastrule applied in the proof of Γ ⊢ A ⊃ B is ⊃ R Γ , A ⊢ i B Γ ⊢ s ( i ) A ⊃ B ⊃ R By inductive hypothesis, the sequent Γ , ∆ , A ⊢ i B is derivable and then, Γ , ∆ , A ⊢ i B Γ , ∆ ⊢ s ( i ) A ⊃ B ⊃ R The same exercise can be done for the other rules of the system, thus showing that W is height-preserving admissible: itle Suppressed Due to Excessive Length 7 G3ip ◮ n Γ ⊢ C implies G3ip ◮ n Γ , ∆ ⊢ C On the other hand, proving invertibility may require the admissibility of weaken-ing. For example, for proving that ⊃ R is height-preserving invertible in G3ip , one hasto show that
G3ip ◮ n Γ , F ⊢ G whenever G3ip ◮ n Γ ⊢ F ⊃ G . The proof follows byinduction on the height of the derivation of Γ ⊢ F ⊃ G . Consider, e.g., the case when Γ = Γ ′ , A ⊃ B and the last rule applied is ⊃ L Γ ′ , A ⊃ B ⊢ i A Γ ′ , B ⊢ i F ⊃ G Γ ′ , A ⊃ B ⊢ s ( i ) F ⊃ G ⊃ L By inductive hypothesis on the right premise, Γ ′ , B , F ⊢ i G is derivable. Consideringthe left premise, since Γ ⊢ i A is derivable, height-preserving admissibility of weaken-ing implies that Γ , F ⊢ i A is derivable and the result follows: Γ , F ⊢ i A Γ ′ , B , F ⊢ i G Γ , F ⊢ s ( i ) G ⊃ L Note that not all introduction rules in
G3ip are invertible: if p , p are differentatomic propositions, then p i ⊢ p ∨ p is derivable for i = ,
2, but p i ⊢ p j is not for i = j . Indeed, ∨ R i and ⊃ L are the only non-invertible rules in G3ip .Finally, admissibility of contraction ( C ) often depends on invertibility results. Asan example, consider that G3ip ◮ n Γ , F ∨ G , F ∨ G ⊢ C with last rule applied ∨ L Γ , F ∨ G , F ⊢ i C Γ , F ∨ G , G ⊢ i C Γ , F ∨ G , F ∨ G ⊢ s ( i ) C ∨ L The inductive hypothesis cannot be applied since the premises do not have duplicatedcopies of formulas. Since ∨ L is height-preserving invertible, the derivability of Γ , F ∨ G , F ⊢ i C and Γ , F ∨ G , G ⊢ i C implies the derivability of Γ , F , F ⊢ i C and Γ , G , G ⊢ i C .By induction, Γ , F ⊢ i C and Γ , G ⊢ i C are derivable and the result follows: Γ , F ⊢ i C Γ , G ⊢ i C Γ , F ∨ G ⊢ s ( i ) C ∨ L Invertibility and admissibility results will be largely used for showing cut-eliminationin Section 6.
This section briefly explains order-sorted rewriting logic [24] and its main features asa logical framework. Maude [8] is a language and tool supporting the formal specifi-cation and analysis of rewrite theories, which are the specification units of rewritinglogic.An order-sorted signature Σ is a tuple Σ =( S , ≤ , F ) with a finite poset of sorts ( S , ≤ ) and a set of function symbols F typed with sorts in S , which can be subsort-overloaded. For X = { X s } s ∈ S an S -indexed family of disjoint variable sets with each X s countably infinite, the set of terms of sort s and the set of ground terms of sort Carlos Olarte et al. s are denoted, respectively, by T Σ ( X ) s and T Σ , s ; similarly, T Σ ( X ) and T Σ denote theset of terms and the set of ground terms. A substitution is an S -indexed mapping θ : X −→ T Σ ( X ) that is different from the identity only for a finite subset of X andsuch that θ ( x ) ∈ T Σ ( X ) s if x ∈ X s , for any x ∈ X and s ∈ S . A substitution θ is called ground iff θ ( x ) ∈ T Σ or θ ( x ) = x for any x ∈ X . The application of a substitution θ to a term t is denoted by t θ . Acquaintance with the usual notions of position p in a term t , subterm t | p at position p , and term replacement t [ u ] p at of t ’s subtermat position p with term u is assumed (see, e.g., [11]). The expression u (cid:22) t (resp., u ≺ t ) denotes that term u is a subterm (resp., proper subterm) of term t . Given aterm t ∈ T Σ ( X ) , t ∈ T ( S , ≤ , F ∪ C t ) ( X ) is the ground term obtained from t by turningeach variable x ∈ vars ( t ) of sort s ∈ S into the fresh constant x of sort s and where C t = { x | x ∈ vars ( t ) } .A rewrite theory is a tuple R = ( Σ , E ⊎ B , R ) with: (i) ( Σ , E ⊎ B ) an order-sortedequational theory with signature Σ , E a set of (possibly conditional) equations over T Σ ( X ) , and B a set of structural axioms – disjoint from the set of equations E –over T Σ ( X ) for which there is a finitary matching algorithm (e.g., associativity, com-mutativity, and identity, or combinations of them); and (ii) R a finite set of rewriterules over T Σ ( X ) (possibly with equational conditions). A rewrite theory R induces arewrite relation → R on T Σ ( X ) defined for every t , u ∈ T Σ ( X ) by t → R u if and only ifthere is a one-step rewrite proof of ( ∀ X ) t → u in R . More precisely, t → R u iff thereis a rule ( l → r if γ ) ∈ R , a term t ′ , a position p in t ′ , and a substitution θ : X −→ T Σ ( X ) satisfying t = E ⊎ B t ′ = t ′ [ l θ ] p , u = E ⊎ B t ′ [ r θ ] p , and R ⊢ γθ .The tuple T R = ( T Σ / E , ∗ → R ) , where ∗ → R is the reflexive-transitive closure of → R , is called the initial reachability model of R [3]. An inductive property of arewrite theory R does not need to hold for any model of R , but just for T R . Usinga suitable inductive inference system, for example, one based on a convenient notionof constructors as proposed in [34], the semantic entailment | = in T R can be under-approximated by an inductive inference relation (cid:13) in R , which is shown to be soundwith respect to | = (i.e., for any property ϕ , if R (cid:13) ϕ , then T R | = ϕ ). A Σ -sentence ( ∀ X ) ϕ is called an inductive consequence of R iff R (cid:13) ( ∀ X ) ϕ , and this implies that T R | = ϕ .Appropriate requirements are needed to make an equational theory R executable in Maude. It is assumed that the equations E can be oriented into a set of (possiblyconditional) sort-decreasing, operationally terminating, and confluent rewrite rules −→ E modulo B [8]. For a rewrite theory R , the rewrite relation → R is undecidable ingeneral, even if its underlying equational theory is executable, unless conditions suchas coherence [36] are given (i.e., rewriting with → R / E ⊎ B can be decomposed intorewriting with → E / B and → R / B ). The executability of a rewrite theory R ultimatelymeans that its mathematical and execution semantics coincide.In this paper, the rewriting logic specification of a sequent system S is a rewritetheory R S = ( Σ S , E S ⊎ B S , R S ) where: Σ S is an order-sorted signature describingthe syntax of the logic S ; E S is a set of executable equations modulo the structuralaxioms B S ; and R S is a set of executable rewrite rules modulo B S capturing thosenon-deterministic aspects of logical inference in S that require proof search. Thepoint is that although both the computation rules E S and the deduction rules R S itle Suppressed Due to Excessive Length 9 are executed by rewriting modulo B S , by the executability assumptions on R S , therewrite relation → E S / B S has a single outcome in the form of a canonical form andthus can be executed blindly with a “don’t care” non-deterministic strategy. Further-more, B S provides yet one more level of computational automation in the form of B S -matching and B S -unification algorithms. This interplay between axioms, equa-tions, and rewrite rules can ultimately make the executable specification R S veryefficient with modest memory requirements.Finally, the expression CSU B ( t , u ) denotes the complete set of unifiers of terms t and u modulo the structural axioms B . Recall that for each substitution σ : X −→ T Σ ( X ) , there are substitutions θ ∈ CSU B ( t , u ) and γ : X −→ T Σ ( X ) such that σ = B θγ . For a combination of free and associative and/or commutative and/or identityaxioms B , except for symbols that are associative but not commutative, such a finitaryunification algorithm exists [16]. In the case of R S , the structural axioms are identity,commutativity, and associativity, which are the usual structural axioms for multisetsof formulas and sequents. This section presents the machinery used for specifying a propositional sequent sys-tem S as a rewrite theory R S . Such a framework is equipped with sorts that repre-sent formulas, set of formulas, sequents, and lists of sequents. The user of the frame-work is expected to inhabit the sort for formulas in R S with the concrete syntax ofthe system S . This has the immediate effect of fully inhabiting the remaining sortsof R S . As shown below, rewrite rules in R S correspond to backwards inferencerules of S , so that proof-search in the former is successful whenever all leaves in aproof-tree are instances of axioms. The system G3ip (Fig. 1) is used throughout thesection for illustrating the proposed approach.The notation of Maude [8] is adopted as an alternative representation to the rewrit-ing logic one introduced in Section 3. This decision has the immediate effect ofproducing an executable specification of sequent systems, while providing a precisemathematical semantics of the given definitions. Additional details about the imple-mentation in Maude are given in Section 7.As a reference for the development of this section, Maude declarations are sum-marized next. mod M is ... endm --- rewrite theory Msort S . --- declaration of sort Ssubsort S1 < S2 . --- subsort relationop f : S1,...,Sn -> T . --- function symbol f of sort S1,...,Sn --> Top c : -> T . --- constant c of sort Trl [rule-name] : l => r . --- rewrite rule with name ’rule-name’crl [rule-name] : l => r if c . --- conditional rewrite rule
An order-sorted signature Σ S defining the sorts for building formulas (and mul-tisets of formulas and sequents, which are introduced later), is assumed: sort Prop . --- Atomic propositionssort Formula . --- Formulassubsort Prop < Formula . --- Atomic propositions are formulas The object logic to be specified must provide suitable constructors for these two sorts.For instance: mod G3i is...op p : Nat -> Prop . --- Atomic Propositionsop _/\_ : Formula Formula -> Formula . --- Conjunctionop False : -> Formula . --- False/bottom...endm
Atomic propositions take the form p ( n ) , where the natural number n is the identifierof the proposition (e.g., the proposition p is written as p(3) ). Constructors for Prop are not allowed to have arguments of type
Formula .Multisets of formulas are built in the usual way: sort MSFormula . --- Multiset of Formulassubsort Formula < MSFormula . --- A formula is a singleton multiset of formulasop * : -> MSFormula . --- Empty multisetop _;_ : MSFormula MSFormula -> MSFormula [assoc comm id: * ] . --- Union
Given two multisets M and N , the term M;N denotes M ⊎ N . Note that the mixfixoperator op _;_ (in Maude, _ denotes the position of the parameters) is declared withthree structural axioms: associativity, commutativity, and the empty multiset as itsidentity element. Due to the subsort relation Formula < MSFormula , the sort
Formula isthe least sort of a formula F , while F is also a singleton containing F .Sequents, as expected, are built as pairs of multisets of formulas. A goal is a listof sequents to be proved: sorts Sequent Goal . --- Sequents and lists of sequentssubsort Sequent < Goal .op _|--_ : MSFormula MSFormula -> Sequent . --- Sequents--- Goals: List of sequents to be provedop proved : -> Goal [ctor] . --- The empty list of sequentsop _|_ : Goal Goal -> Goal [frozen(2) id: proved] . The attribute frozen used in the declaration of the operator op _|_ (goals’ concatena-tion) means that inference steps can only be performed on the head of a non-empty listof goals (i.e., the usual ‘head-tails’ recursive structure). More precisely, the attribute frozen(2) defines a rewriting strategy where the second parameter cannot be subjectof rewriting. In this way, only the first sequent S in the list S | G can be reduced untilit becomes proved (when possible), as will be explained shortly.Inference rules in the rewrite theory R S are specified as rewrite rules that rewritelist of sequents. There are two options for expressing an inference rule as a rewriterule. Namely, they can be axiomatized as backwards inference (i.e., from conclusionto premises) or as forward inference (i.e., from premises to conclusion). In this paper,as explained in Section 3, the backwards inference approach is adopted, so that aproof-search process advances by rewriting the target goal of an inference rule to itspremises, thus aiming at a bottom-up proof-search procedure. For instance, the initialrule, and the left and right introduction rules for conjunction in the system G3ip arespecified as follows: var P : Prop . itle Suppressed Due to Excessive Length 11 var Gamma : MSFormula .vars A B C : Formula .--- Rulesrl [I] : P ; Gamma |-- P => proved .rl [AndL] : A /\ B ; Gamma |-- C => A ; B ; Gamma |-- C .rl [AndR] : Gamma |-- A /\ B => (Gamma |-- A) | (Gamma |-- B) .
Variables in rules are implicitly universally quantified. The type of variables isspecified with the syntax var x : S . Hence, the initial rule must be read as ( ∀ P : Prop , Γ : MSFormula )(( P , Γ ⊢ P ) → proved ) The constant proved denotes the empty list of goals or, equivalently, the empty collec-tion of (pending) proof obligations. Rules with more than one premise, such as
AndR ,are specified using op: _|_ . Modulo the axioms B S , a term proved | G is structurallyequal to G , thus making the goal G automatically active for proof-search under therewrite strategy declared for goals.As illustrated with the running example, the syntax of the object logic in R S ,as well as its inference rules, is straightforward. This is usually called in rewritinglogic the ε -representational distance [25], where the system being specified math-ematically as a rewrite theory and its codification in Maude as a system module arebasically the same. This is certainly an appealing feature that can widen the adoptionof the framework proposed here for implementing and analyzing sequent systems.In face of the ε -representational distance, the adequacy of R S with respect to S follows from the soundness of rewriting logic itself. Proposition 1 (Adequacy)
Let S be a sequent system, R S the resulting rewritetheory encoding the syntax and inference rules of S , S a sequent in S , and t S itsrepresentation in R S . Then, S ◮ S iff R S (cid:13) t S ∗ → proved . Observe that the proof of a sequent S in S may follow different strategies depend-ing on the order the subgoals are proved. Such strategies are irrelevant because all thebranches in the derivation of a proof must be closed (i.e., ending with an instance ofan axiom). Hence, if S is provable, it can be proved using the strategy enforced by op _|_ in R S : always trying to first solve the left-most subgoal of the pending goals.Let r be a sequent rule in S and R the corresponding rewrite rule in R S . Modulothe associativity and commutativity of multisets of formulas, it is easy to show that,for any sequent S and its representation t S , t S → R S t ′ S iff t ′ S is the representation ofthe premises (where proved means no premises) obtained when r is applied (on thesame active formula) in S . Hence, rewrite steps are in one-to-one correspondencewith proof search (bottom-up) steps in S -derivations.When using the proposed framework, the resulting rewrite theory becomes aproof search procedure. For instance, Maude’s command search p(1) /\ p(2) |-- p(2) /\ p(1) =>* proved . answers the question of whether the sequent p ∧ p ⊢ p ∧ p is provable in G3ip .For the proof analyses later developed in this paper, operations to the rewritetheory R S are added. A new constructor for annotated sequents (see Definition 4)and also a copy of the inference rules dealing with annotations are included: op _:_ : Nat Sequent -> Sequent . --- Annotated sequentsvar k : Nat .--- Automatically generated annotated sequent rulesrl [I] : s(k) : P ; Gamma |-- P => proved.rl [AndL] : s(k) : A /\ B ; Gamma |-- C => k : A ; B ; Gamma |-- C .rl [AndR] : s(k) : Gamma |-- A /\ B =>( k : Gamma |-- A) | ( k : Gamma |-- B) . The function application s(.) denotes the successor function on
Nat . Note thataxioms are annotated with an arbitrary height k ≥
1. In rules with two premises, bothof them are marked with the same label. This is, without loss of generality, since it isalways possible to obtain larger annotations from shorter ones (see Theorem 1).In the rest of the paper, given a sequent system S , R S will denote the resultingrewrite theory that encodes the syntax, inference, and annotated inference rules of S .By abusing the notation, when a sequent S ∈ S is used in the context of the rewritetheory R S (e.g., in S → R S S ′ ), such S must be understood as the corresponding term t S ∈ Σ R S ( X ) representing S in R S . Similarly, “a sequent rule r ” in the context ofthe theory R S is to be understood as “the representation of r in R S ”. The expres-sion R ∪ R denotes the extension of the theory R by adding the inference rulesof R (and vice versa ); in this case, the sequents in the resulting theory R ∪ R areterms in the signature Σ R ∪ Σ R . If S is a sequent, the expression R ∪ { S } denotesthe extension resulting from R by adding the sequent S as an axiom, understoodas a zero-premise rule (i.e., R is extended with the rule rl [ax] S => proved . ).Moreover, given a rewrite theory R and a sequent S , the notation R (cid:13) S means R (cid:13) S ∗ → proved , i.e., there is a derivation of S in the system specified by R . Simi-larly, for annotated sequents, R (cid:13) n : S means R (cid:13) ( n : S ) ∗ → proved . Theorem 1
Let S be a sequent system, S a sequent, and k ≥ . Then, R S (cid:13) k : S implies R S (cid:13) s ( k ) : S . Proof
By induction on k . If k =
1, then S is necessarily an instance of an axiom and s ( ) : S → R S proved using the same axiom. The case k > This section presents rewrite- and narrowing-based techniques for proving admissi-bility and invertibility of inference rules of a sequent system specified as a rewritetheory R S (see Section 4). They are presented as meta-theorems about sequent sys-tems with the help of rewrite-related scaffolding, such as terms and substitutions,and they provide sufficient conditions for obtaining the desired properties. The sys-tem G3ip is, as in previous sections, used as running example (Section 8 presents thecomplete set of case studies).The procedures proposed here heavily depend on unification , hence a brief dis-cussion on the subject is presented next. First, note that, if no additional axioms are itle Suppressed Due to Excessive Length 13 added to the symbols in the syntax of the object logic S , the existence of a unifi-cation algorithm for terms in the sort Sequent is guaranteed. As a matter of example,consider the unification of the conclusions of the right and left rules for conjunc-tion in
G3ip . Unification problems take the form t1 =? t1’ /\ ... /\ tn =? tn’ andMaude’s command variant unify computes the set of unifiers modulo the declaredaxioms in the theory: variant unify suc(n) : A /\ B ; Gamma |-- C =? suc(n’) : Gamma’ |-- A’ /\ B’ .Unifier
Observe that the variables of the second rule are renamed to avoid clash of names.The term %1:Formula denotes a fresh variable of sort
Formula . Let t and t ′ be thetwo terms in the above unification problem and θ the (unique) substitution com-puted. Consider the least signature Σ ′ R S that contains Σ R S as well as a fresh con-stant %i.Type for each variable %i:Type in t θ . Note the “:” in the variable %i:Type and the “.” in the constant %i.Type . To avoid confusion, when the sort can be in-ferred from the context, the constant %i.Type is written as %i , but variables alwayscarry their typing information. In this example, Σ ′ R S extends Σ R S with constants op %1 : -> Formula . , op %6 : -> MSFormula . , etc. The ground term t θ in the sig-nature Σ ′ R S is s(%4) : %1 /\ %2 ; %6 |-- %4 /\ %5 . As expected, on this (ground)sequent it is possible to apply both AndL and
AndR .5.1 Admissibility of RulesThis section introduces sufficient conditions to prove theorems of the formif S ◮ n Γ ′ ⊢ ∆ ′ , then S ◮ n Γ ⊢ ∆ i.e., height preserving admissibility of the rule Γ ′ ⊢ ∆ ′ Γ ⊢ ∆ r Admissibility is often proved by induction on the height of the derivation π ofthe sequent Γ ′ ⊢ ∆ ′ in combination with case analysis on the last rule applied in π . Itturns out that this analysis may depend on other results. For example, as illustrated inSection 2, proving admissibility of contraction often depends on invertibility results. The admissibility problems considered in this section correspond to one-premise rules only. Observethat a general approach for proving admissibility of rules with more than one premise does not exist.Indeed, cut-elimination itself is an admissibility problem, which will be addressed in Section 6.4 Carlos Olarte et al.
Hence, any general definition of admissibility of rules in the rewriting setting has tointernalize such reasoning. This will be formalized by closing the leaves in π w.r.t.theorems of the form “if S is provable, so is S ”. Such theorems will be encoded asrewrite rules of the form r : S → S . More precisely, let t s be a ground term denotinga sequent and r : t → t ′ be a rule. The set [[ t s ]] r = { t s } ∪ { t ′ θ | θ ∈ CSU ( t , t s ) } is the least set containing t s and the resulting premises after the instantiation of r in t s . Let T s be a set of ground terms and R = { r , ... r m } be a set of theorems of the form r k : t k −→ t k . Then, [[ T s ]] R = T s ∪ [ k ∈ .. m { t k θ | t ∈ T s , θ ∈ CSU ( t k , t ) } . Proofs of admissibility need to consider all the cases of the last rule applied in aproof π . Definition 6 identifies rules that are height-preserving admissible relative toone of the sequent rules of the system. Definition 6 (Local admissibility)
Let S be a sequent system, I be a (possiblyempty) set of rules, and r t ∈ S and r s be rules given by k : T · · · k : T n s ( k ) : T r t S S r s The rule r s is height-preserving admissible relative to r t in S under the assumptions I iff assuming that i : S is provable then, for each θ ∈ CSU ( i : S , s ( k ) : T ) , R S ∪ [[ { ( k : T j ) θ | j ∈ .. n } ]] I ∪ { ( ∀ ~ x )( k θ : S −→ k θ : S ) } (cid:13) ( i : S ) θ , where vars ( i : S ) ∩ vars ( s ( k ) : T ) = /0 and ~ x = vars ( S ) ∪ vars ( S ) .For proving admissibility of the rule r s , the goal is to prove that, if S is derivablewith height i , then S is also derivable with at most the same height. The proof followsby induction on i (the height of a derivation π of S ). Suppose that the last rule appliedin π is r t . This is only possible if S and T “are the same”, up to substitutions. Hence,the idea is that each unifier θ of i : S and s ( k ) : T covers the cases where the rule r t can be applied on the sequent S . For computing this unifier, it is assumed that therules do not share variables (the implementation takes care of renaming the variablesif needed). A proof obligation is generated for each unifier. Consider, for instance, theproof obligation of the ground sequent ( i : S ) θ for a given θ ∈ CSU ( i : S , s ( k ) : T ) .This means that, as hypothesis, the derivation below is valid ( k : T ) θ · · · ( k : T n ) θ ( i : S ) θ r t (2)Hence, all the premises in this derivation are assumed derivable. This is the purpose ofextending the theory with the following set of ground sequents (which are interpretedas rules of the form t −→ proved ): n ( k : T j ) θ | j ∈ .. n o (3) itle Suppressed Due to Excessive Length 15 The proof of admissibility theorems may require auxiliary lemmas. Assuming thetheorems I , the sequents resulting after an application of r ∈ I to the sequents inEquation 3 can be also assumed to be provable (notation [[ · ]] I ). The typical instanti-ation of I in admissibility analysis will be the already proved invertibility lemmas.If θ ∈ CSU ( i : S , s ( k ) : T ) , then θ should map k to a fresh variable, say %1:Nat and i to s(%1:Nat) . Hence, the (ground) goal ( i : S ) θ to be proved takes the form s(%1) : S θ where %1 = k θ is the freshly generated constant in the extended signature. Byinduction, it can be assumed that the theorem (i.e., S implies S ) is valid for shorterderivations, i.e., derivations of height at most %1 . This is the purpose of the added rule { ( ∀ ~ x )( k θ : S −→ k θ : S ) } (4)where the height of the derivation is “frozen” to be the constant k θ . This allows forapplying r s only on sequent of height k θ . In particular, induction can be used on allthe premises of the rule r t in Equation (2).If it is possible to show that the ground sequent ( i : S ) θ is derivable from the ex-tended rewrite theory, then the admissibility result will work for the particular casewhen r t is the last applied rule in the derivation π of S . Since a complete set ofunifiers is finite for terms of the sort Sequent , then there are finitely many proof obli-gations to discharge in order to check if a rule is admissible relative to a rule in asequent system. Observe that the set
CSU ( i : S , s ( k ) : T ) may be empty. In this case,the set of proof obligations is empty and the property vacuously holds.The base cases in this proof correspond to axiom rules. Consider for instance thecase where r t is the initial rule in the system G3ip . Since there are no premises, the setin Equation (3) is empty and hence there are no ground sequents of the form %1: T j θ as hypothesis. Consider the hypothetical case that s(%1): S θ is rewritten to a term ofthe form %1: S’ by using another rule of the system (different from the initial rule r t ). Note that it is not possible to use the rule in Equation (4) to reduce the goal to proved : an application of this rule produces inevitably yet another sequent of the form %1: S’’ . Thus the only hope to finishing the proof is to apply the initial rule on thesequent s(%1): S θ and the rule in Equation (4) is never used in such a proof.The notion of admissibility relative to a rule is the key step in the inductive ar-gument, when establishing sufficient conditions for the admissibility of a rule in asequent system. Theorem 2
Let S be a sequent system, I be a (possibly empty) set of rules, and Γ ′ ⊢ ∆ ′ Γ ⊢ ∆ r s be an inference rule. If r s is admissible relative to each r t in S under theassumption I , then r s is height-preserving admissible in S under the assumption I , i.e., S ◮ n Γ ′ ⊢ ∆ ′ implies S ◮ n Γ ⊢ ∆ assuming the theorems I .Proof Assume that Γ ′ ⊢ n ∆ ′ is derivable in the system S . The proof proceeds byinduction on n with case analysis on the last rule applied. Assume that the last appliedrule is r t . By hypothesis (using Definition 6), it can be concluded that Γ ⊢ n ∆ isderivable and the result follows.It is important to highlight the rationale behind Definition 6, which is similarto the results in the forthcoming sections. The proof search procedures try to show that ( i : S ) θ is provable by reducing it to provable (Proposition 1). Since rules in R S are encoded in a backward fashion (rewriting the conclusion into the premises),the procedure attempts to build a bottom-up derivation of that sequent. The set ofassumptions (Equation (3)) is added as axioms and it is closed under the rules in I .The closure reflects a forward reasoning: if the (ground) sequent S is provable andtheorem r ∈ I applies on it, then the right-hand side of r can be also assumed to beprovable. During the search procedure, a goal is immediately discharged if it belongsto that set of assumptions. Finally, the induction principle is encoded by specializingthe theorem to be proved, and allowing applications of it to ground sequents withshorter height annotations (Equation (4)).The proof of admissibility of weakening for G3ip and some other systems studiedin Section 8 does not rely on any result (and hence, I is empty). Also, the proof ofTheorem 1, mechanized by stating it as the admissibility of the annotated rule n : Ss ( n ) : S H (5)is also proved with I = /0 in all the systems in Section 8. The proof of contractionrequires some invertibility lemmas and they must be added to I . The use of I thus presents a convenient and modular approach because properties can be provedincrementally.5.2 Invertibility of RulesThis section gives a general definition for proving height-preserving invertibility ofrules. Observe that such analysis is done premise-wise. The case of rules with severalpremises is performed for each one of them separately. For instance, consider the rule ⊃ L of G3ip , and let ⊃ L and ⊃ L be the rules Γ , F ⊃ G ⊢ C Γ , F ⊃ G ⊢ F ⊃ L Γ , F ⊃ G ⊢ C Γ , G ⊢ C ⊃ L It can be shown that ⊃ L is not admissible while ⊃ L is. Hence, ⊃ L is invertible onlyin its right premise (see Definition 5).Some invertibility results depend on, e.g., the admissibility of weakening. Hence,for modularity, the invertibility analysis is parametric under a set of rules H of ad-missible rules of the system (that can be used during the proof search procedure). Definition 7 (Local invertibility)
Let S be a sequent system and H be a (possiblyempty) set of rules. Consider the following annotated inference rules: k : S · · · k : S m s ( k ) : S r s m : T · · · m : T n s ( m ) : T r t Under the assumption H , the premise l ∈ .. m of the rule r s is height-preservinginvertible relative to the rule r t iff for each θ ∈ CSU ( s ( k ) : S , s ( m ) : T ) : H ∪ R S ∪ n ( m : T j ) θ | j ∈ .. n o ∪ S j ∈ .. n { ( m : S l ) γ | γ ∈ CSU ( k : S , ( m : T j ) θ ) } (cid:13) ( k : S l ) θ itle Suppressed Due to Excessive Length 17 where the variables in S and T are assumed disjoint. Under the assumption H , therule r s is height-preserving invertible relative to r t if all its premises are.In order to show the invertibility of a rule r s , the goal is to check that derivability isnot lost when moving from the conclusion S to the premises S , · · · , S m . Each premise S l entails a different proof obligation. Let S l S r sl be the “sliced” version of rule r s when the case of the premise l ∈ .. m is considered. The proof is by induction onthe derivation π of S . Suppose that the last rule applied in π is r t . Observe that thisis only possible if S and T unify. Let θ ∈ CSU ( s ( k ) : S , s ( m ) : T ) and assume that θ ( k ) = %1:Nat (and hence θ ( m ) = %1:Nat ). The resulting derivation π takes the form%1 : T θ . . . %1 : T n θ s ( %1 ) : S θ r t (6)The premises of this derivation are assumed to be provable and the theory is extendedwith the axioms ( m : T j ) θ . Since those premises have shorter derivations, inductionapplies on them. More precisely, given that the ground sequent ( m : T j ) θ is provableand the rule r sl can be applied on it, the resulting sequent after the application of r sl is also provable with the same heigh of derivation m θ :if T j S l T j θ r sl then the sequent T j S l is provable with height %1 (7)This inductive reasoning is captured by the expression [ j ∈ .. n { ( m : S l ) γ | γ ∈ CSU ( k : S , ( m : T j ) θ ) } The unifier γ checks whether it is possible to apply r sl on the premise T j . If this isthe case, the resulting premise S l γ is added as an axiom. If, from the extended theory,it is possible to prove derivable the premise S l with height k θ , then the invertibilityresult will work for the particular case when r t was the last applied rule in the deriva-tion π of S . If the set CSU ( s ( k ) S , s ( m ) : T ) is empty, it means that the rules r t and r s cannot be applied on the same sequent and the property vacuously holds for thatparticular case of r t . For instance, in G3ip , the proof of invertibility of ∧ R does notneed to consider the case of invertibility relative to ∨ R since it is not possible to have,at the same time, a conjunction and a disjunction on the succedent of the sequent. Inmultiple-conclusion systems as e.g, G3cp (see Section 8.3), this proof obligation isnot vacuously discarded.Theorem 3 presents sufficient conditions for checking the invertibility of a rule r s in a sequent system. Note that if r s is a rule without premises (i.e., an axiom), theresult vacuously holds. Hence, only the case for m ≥ Theorem 3
Let S be a sequent system, H be a set of rules, and r s be an inferencerule with m ≥ premises in S . Let l ∈ .. m. If the premise l of r s is height-preservinginvertible relative to each r t in S under the assumption H , then the premise l in r s is height-preserving invertible in S under the assumption H . Most of the proofs of invertibility require Theorem 1 and, in some cases, admis-sibility of weakening. Hence, the assumption H must contain those theorems foreach case. The dependencies among the different proofs will be stated in Section 8for each of the systems under analysis. One of the most fundamental properties of a proof system is analyticity , expressingthat in a proof of a given formula F , only subformulas of F need to appear. In sequentcalculus, this property is often proved by showing that the cut-rule is admissible.Roughly, the cut-rule introduces an auxiliary lemma A in the reasoning “if A followsfrom C and B follows from A , then B follows from C ”. The admissibility of the cutrule (known as the cut-elimination property) states that adding intermediary lemmasdoes not change the set of theorems of the logical system. That is, the lemma A isnot needed in the proofs of the system. This implies that, if B is provable from thehypothesis C , then there exists a direct (cut-free) proof of this fact.The cut-rule may take different forms depending on the logical system at hand.For concreteness, consider the following cut-rule for the system G3ip : Γ ⊢ A Γ , A ⊢ B Γ ⊢ B Cut (8)This rule has an additive flavor: the context Γ is shared by the premises. Later,different cut-rules will be considered, including multiplicative-like cut-rules (splittingthe context Γ in the premises) and also cut-rules for one-sided sequent systems.Gentzen’s style proof of admissibility of the cut-rule [13] generally follows byproving that top-most applications of cut can be eliminated. This is usually donevia a nested induction on the complexity of the cut-lemma A and sub-induction onthe cut-height , i.e., the sum of the heights of the derivations of the premises. In thefollowing, the rationale behind this cut-elimination procedure will be formalized bymeans of rewrite-based conditions. The next section discusses how these conditionsbecome a semi-automatic procedure for checking the cut-elimination property fordifferent logical systems.The analyses in Section 5 showed how to inductively reason on the height ofderivations inside the rewriting logic framework. But what about the induction on thecomplexity of formulas? In general, it is possible to inductively reason about termsbuilt from algebraic specifications. The unification of a sequent against the conclusionof an inference rule r s ∈ S uniquely determines the active formula F introduced by r s . Since terms in the sort Formula are inductively generated from the constructors ofthat sort, special attention can be given to the sub-terms (if any) of F since those arethe only candidates that are useful to build the needed inductive hypothesis in thecut-elimination proof. Such sub-terms are called auxiliary formulas .Gentzen’s procedure consists of reducing topmost cut-applications to the atomiccase, then showing that these cuts can be eliminated. The reduction step to be per-formed depends on the status of the cut-formula in the premises: principal on both or non-principal on at least one premise. This procedure is formalized next. itle Suppressed Due to Excessive Length 19 Principal Cases.
If the cut-formula is principal (see Definition 2) in both premisesof the cut-rule, then induction on the complexity of the cut-formula is applied. Forinstance, consider the case when the cut-formula is A ∧ B : Γ ⊢ n A Γ ⊢ n B Γ ⊢ s ( n ) A ∧ B ∧ R Γ , A , B ⊢ m C Γ , A ∧ B ⊢ s ( m ) C ∧ L Γ ⊢ C Cut Γ ⊢ A Γ ⊢ B Γ , A ⊢ B W Γ , A , B ⊢ C Γ , A ⊢ C Cut Γ ⊢ C Cut
Both applications of the cut-rule in the right-hand derivation are on smaller formu-las and then induction applies. Note that this kind of reduction does not necessarilypreserve the height of the derivation. Hence, no height-annotation can be used on theresulting premises. Note also that weakening is needed in order to match the deriva-tion leaves.If the cut-formula A ∧ B is frozen (making A , B constants of type Formula ), thenthe inductive reasoning is formalized with the following rules: rl [cutF] : Gamma |-- C => (Gamma |-- cA) | (Gamma, cA |- C)rl [cutF] : Gamma |-- C => (Gamma |-- cB) | (Gamma, cB |- C)
Here cA , cB are constants representing the sub-terms of the ground term A ∧ B . Theother terms are variables. More generally, if the cut formula is a term of the form f ( t , ..., t n ) , each t i of sort Formula gives rises to a different rule. In the case of con-stants (e.g.,
False ) and atomic propositions (no sub-terms of sort
Formula ), the set ofgenerated rules is empty.
Non-principal Cases.
The non-principal cases in the proof of cut-elimination requirepermuting up the application of the cut-rule w.r.t. the application of an inference rule,thus reducing the cut-height . As an example, assume that the left premise of the cut-rule is the conclusion of an application of the rule ∧ L . Hence, it must be the case thatthe antecedent of the sequent contains a conjunct F ∧ G . The reduction is as follows: Γ , F , G ⊢ n A Γ , F ∧ G ⊢ s ( n ) A ∧ L Γ , F ∧ G , A ⊢ s ( m ) B Γ , F ∧ G ⊢ B Cut Γ , F , G ⊢ n A Γ , F , G , A ⊢ s ( m ) B Γ , F , G ⊢ B Cut Γ , F ∧ G ⊢ B ∧ L Permuting up cuts results in an application of the cut-rule on shorter derivations. Thetop-rightmost sequent in the right-hand side derivation is deduced via the height-preserving invertibility of the ∧ L rule and the fact that Γ , F ∧ G , A ⊢ s ( m ) B is provable.Similar reductions are possible when the cut formula A is not principal in the rightpremise of the cut-rule.If the height of the premises in the above derivation is frozen, it is possible to ex-tend the theory R S with two new rules that exactly mimic the behavior of replacinga non-principal cut with a smaller one. Those rules are: rl [CutH] : Gamma |-- G => (cn : Gamma |-- cA) | (s(cm) : Gamma, cA |-- G) .rl [CutH] : Gamma |-- G => (s(cn) : Gamma |-- cA) | (cm : Gamma, cA |-- G) . where cn (resp., cm ) is the frozen constant resulting from n (resp., m ) and cA theground term representing the cut-formula. The first rule reflects the principle behindthe above reduction where the height of the left premise of the cut-rule is reduced.The second rule reflects the case where the cut-formula is not principal in the rightpremise. Note that the first rule cannot be applied directly on the sequent Γ , F ∧ G ⊢ B : the left premise Γ , F ∧ G ⊢ A is provable with height s ( n ) but, not necessarily, withheight n . Similarly for the second rule and the right premise of the cut-rule.6.1 Cut EliminationThe scenario is ready for establishing the necessary conditions for cut-elimination.The specification of the additive cut-rule for the system G3ip can be written as rl [cut] : Gamma |-- C => (Gamma |-- A) | (Gamma, A |-- C) [nonexec] .
This rewrite rule has an extra variable ( A ) in the right-hand side and cannot beused for execution (unless a strategy is provided). Hence, the attribute nonexec iden-tifies this rule as no executable. In the following, lcut (resp., rcut ) is used to de-note the term Gamma |-- A (resp.,
Gamma, A |-- C ) whose set of variables is {Gamma, A} (resp., {Gamma, A, C} ). Moreover, hcut denotes the head/conclusion of the cut-rule,i.e., the term
Gamma |-- C .As already illustrated, admissibility results and invertibility lemmas are usuallyneeded in order to complete the proof of cut-elimination. Such auxiliary results arespecified in the analysis, respectively, as H and I . As explained in Sections 5.1and 5.2, a rule in H encodes an admissible rule of the system that can be used, in abackward fashion, during the proof-search procedure. Moreover, a rule in I is usedto close the assumptions under the invertibility results.Given a logical system S , every possible derivation of the premises of the cut-rule should be considered. This means that there is a proof obligation for each r s , r t ∈ S s.t. r s (resp., r t ) is applied on the left (resp., right) premise (i.e., when r s matches lcut and r t marches rcut ). More precisely: Definition 8 (Local cut-elimination)
Let S be a sequent system, and H and I aset of rules. Let n : S · · · n : S m s ( n ) : S r s k : T · · · k : T n s ( k ) : T r t be inference rules in S . Under the assumptions H and I , the cut rule is admissiblerelative to r s and r t iff for each θ ∈ CSU ( S , lcut ) and γ ∈ CSU ( T , rcut θ ) : H ∪ R S ∪ ind-F ∪ ind-H ∪ [[ { ( n : S j ) γ , S j γ | j ∈ .. m } ∪ { ( n : T j ) γ , T j γ | j ∈ .. n } ]] I (cid:13) hcut γ where the variables in S and T are assumed disjoint and ind-F = (cid:8) ( hcut −→ lcut | rcut )[ t / A ] | t ≺ A γ and t has sort Formula (cid:9) ind-H = { hcut −→ ( n γ : lcut | s ( n ) γ : rcut )[ A γ / A ] }∪{ hcut −→ ( s ( n ) γ : lcut | n γ : rcut )[ A γ / A ] } itle Suppressed Due to Excessive Length 21 The rules in S are extended with axioms corresponding to the sequents result-ing after the application of r s and r t on the premises of the cut-rule. Note that thosepremises are added with and without the height annotations, which can be used inapplications of inductive hypothesis with shorter derivations and (non-height pre-serving) applications of the cut-rule over simpler formulas, respectively. Note alsothat the set of axioms is closed under applications of the rules in I .The set of rules in ind-F specifies a valid application of the cut-rule with sub-terms of the cut-formula ( t ≺ A γ ). As usual, this rule is assumed to be universallyquantified on the remaining variables ( t is a ground term). On the other hand, the setof rules in ind-H specifies a valid application of the cut-rule with shorter derivations.As discussed previously, two cases need to be considered: when the left and rightpremises are shorter. In both cases, the height of the derivation is fixed ( n γ ) as wellas the cut-formula ( [ A γ / A ] ).Regarding the base-cases of the induction, if the cut-formula is a constant or anatomic proposition, the set ind-F is empty. If the rule r s is an axiom, then the set (cid:8) n : S j γ , S j γ | j ∈ .. m (cid:9) is also empty. In this case, an attempt of proving hcut γ bystarting with the first rule in ind-H leads to a goal of the form n γ : lcut where noinference rule r ∈ S can be applied: n γ is a constant of the form %1 and it does notunify with the annotation s ( n ) in the conclusion of r . Hence, if r s is an axiom, a proofof hcut γ cannot start with ind-H . A similar analysis applies for r t .The cut-elimination proof needs to consider all the possible matchings of the rulesof the system and the premises of the cut-rule. Theorem 4
Let S be a sequent system, and H and I be set of rules. If for each r s and r t ∈ S the cut-rule is admissible relative to r s and r t under the assumptions H and I , then the cut-rule is admissible in S (relative to H and I ).Proof Consider the annotated cut-rule below (a similar analysis applies for the othercut-rules introduced in Section 8): Γ ⊢ s ( n ) A Γ , A ⊢ s ( m ) B Γ ⊢ B Cut
Assume that there exists a derivation of the premises starting, respectively with therules r s and r t . By the hypothesis and Definition 8, there is a valid derivation of thesequent in the conclusion and the result follows.6.2 Identity ExpansionThe identity axiom states that any atomic formula is a consequence of itself. It has adual flavor w.r.t. the cut-rule, in the sense that, while in the cut-rule a formula is elim-inated, in the identity axiom an atomic formula is introduced. In G3ip , I representsthe general schema for the identity axiom (see Fig. 1), where p is an atomic formula.In Section 6.1, the cut-rule was proved admissible relative to some assumptions.The correspondent dual property w.r.t. the identity axiom is the identity expansion :assuming I , is any well founded formula a consequence of itself? Or equivalently: Is the general identity axiom – not restricted to atoms – admissible? For example, in
G3ip , proving identity expansion requires proving the admissibility of the axiom I A for an arbitrary formula A : Γ , A ⊢ A I A Observe that the cut/identity duality is also reflected during (bottom-up) proof-search:while applications of the cut-rule should be avoided because arbitrary formulas needto be produced “out of thin air”, applications of general identity axioms are mostwelcome, since they may make the proof smaller and proof-search simpler.The proof of identity expansion proceeds by induction on the formula A . Considera constructor C = f ( ~ t ) of type S , ..., S n −→ Formula and let C be the ground term f ( ~ t ) where each t i ∈ ~ t is replaced by a fresh constant ~ t i of sort S i . Hence, the goal is to prove C ⊢ C assuming that t i ⊢ t i is provable for each t i ∈ ~ t of sort Formula . Theorem 5
Let S be a propositional sequent system and R S , with signature ( S , ≤ , F ) ,be the resulting rewrite theory encoding S . Identity expansion holds in S iff for eachsymbol f ∈ F of type S , ..., S n −→ Formula (n ≥ ), R S ∪ { t ′ ⊢ t ′ | t ′ ≺ f ( ~ t ) and t ′ has sort Formula } (cid:13) ( f ( ~ t ) ⊢ f ( ~ t )) In one-sided systems, the goal is to show that ⊢ A , A ⊥ is provable for any A , where A ⊥ denotes the dual of A (see Section 8.4 for the definition of duality). Theorem 5can be easily adapted to the one-sided case. This section details the design principles behind the
L-Framework , a tool imple-menting the narrowing procedures described in Sections 5 and 6. The L-Framework receives as input the object logic sequent system (OL) to be analyzed, as a rewritetheory R S , and the specification of the properties of interest. Then, it outputs L A TEXfiles with the results of the analyses of, e.g., the proof reductions needed to estab-lish cut-elimination. The specification of the OL follows as in Section 4 (details canbe found in Section 7.1). As explained in Section 7.2, the implementation of thealgorithms heavily relies on the reflective capabilities of rewriting logic. Moreover,the specification of the properties for each kind of analysis follows a similar patternwhere a suitable functional theory needs to be instantiated (Section 7.3). The subse-quent sections offer further details about the implementation of each kind of analysis:admissibility of rules (Section 7.4), invertibility of rules (Section 7.5), cut elimination(Section 7.6), and identity expansion (Section 7.7).For readers interested in the details of the implementation, pointers to the Maudefiles and definitions are given in this section. However, readers interested only in theresults of the analyses can safely skip this section; several examples and instances ofthe definitions presented here can be found in Section 8. https://carlosolarte.github.io/L-framework/ itle Suppressed Due to Excessive Length 23 syntax.maude contains the functional module (i.e., anequational theory and no rewriting rules) SYNTAX-BASE . Such a module defines thesorts
Prop and
Formula , as well as the subsort relation
Prop < Formula . No constructorsfor these sorts are given since those depend on the OL and hence must be provided.The sort
MSFormula , for multiset of formulas, is pre-defined here with the constructorspresented in Section 4: op * denoting the empty multiset and op _;_ for multisetunion. Some auxiliary functions, needed to produce L A TEX outputs, are declared inthis module. In particular, the OL may define a mapping to replace symbols of thesyntax with L A TEX macros, e.g., eq TEXReplacement = (’|-- |-> ’\vdash), (’/\ |-> ’\wedge) , (’\/ |-> ’\vee) ...
The sequent.maude file defines the functional module
SEQUENT with the sort
Sequent and the following constructors: op |--_ : MSFormula -> Sequent . --- one sidedop _|--_ : MSFormula MSFormula -> Sequent . --- two sided
This syntax should suffice for most of the sequent-based inference systems. Asshown in Section 8, it is also possible to provide more constructors to deal, for in-stance, with dyadic systems (i.e., one-sided sequents with two separated contexts).Internally, the tool annotates sequents with inductive measures. For this purpose,the constructor op _:_ : INat Sequent -> Sequent . --- height annotations is added to the specification. The sort
INat (file nat-inf.maude ) extends the naturalnumbers expressed in Peano-like notation as s n ( z ) with a constant inf denoting “un-known”. This constant is used, e.g., in the cut-elimination procedure where structuralcuts do not preserve/decrease the height of the derivation and, therefore, the resultingsequent does not have any (known) measure.OLs are also allowed to define equations to complete the definition of the mapping TEXReplacementSeq that replaces the name of the rules with suitable L A TEX symbols: eq TEXReplacementSeq = (’AndL |-> ’\wedge_L), (’AndR |-> ’\wedge_R) ...
The sort
Goal , the subsort relation
Sequent < Goal , the constructors op _|_ , and proved (for building list of sequents) are also defined in the module
SEQUENT .The sequent.maude file also specifies the module
SEQUENT-SOLVING with auxiliaryprocedures for building derivation trees and outputting L A TEX code. This module usesreflection heavily (more on this in the next section) in order to deal, in a general anduniform way, with the representation of any sequent regardless of its specific syntax.Moreover, Maude’s module
LEXICAL is used for converting between strings and listsof Maude’s quoted identifiers (terms of the form ’identifier with sort
Qid ). As shownbelow, Qids materialize the meta-representation of any term. (cid:13) . Formally, there is an universal rewrite theory U in which any finitely represented rewrite theory R canbe represented as a term b R , including U itself, any terms t , u in R as terms b t , b u ,respectively, and a pair ( R , t ) as a term h b R , b t i in such a way that the equivalence R (cid:13) t → u ⇔ U (cid:13) h b R , b t i → h b R , b u i holds. Since U is representable in itself,a “reflective tower” can be achieved with an arbitrary number of levels of reflection.In general, simulating a single step of rewriting at one level involves many rewrit-ing steps one level up. Therefore, in naive implementations, each step up the reflec-tive tower comes at considerable computational cost. In Maude, key functionalities ofthe universal theory U have been efficiently implemented in the functional module META-LEVEL , providing ways to perform reflective computations.Additional utilities for manipulating modules and terms in the
L-Framework areimplemented in the meta-level-ext.maude file. For instance, all the operations on the-ories described in Section 5 are contained there (some of them are detailed below).The module
META-LEVEL implements the so called descent functions that manipu-late (meta-) terms. The function op upTerm : Universal -> Term . returns the (meta)representation b t of a term t . For example, constants are represented as Id.Type (e.g., ’proved.Goal ), variables as
Id:Type (e.g., ’F:Formula ), and functions as
Id[Params] (e.g., the term ’_;_[Gamma:MSFormula,Delta:MSFormula] represents the multiset of for-mulas
Gamma ; Delta ).From a well-formed (meta-) term b t it is possible to recover the term t (one leveldown). Note, however, that not all meta-terms have a suitable representation in thetheory in the level below, for instance, ’_|_[S:Sequent, F:Formula] is not the image ofany valid sequent or formula in the module specifying the system G3ip . The function op downTerm : Term Universal -> Universal takes as parameter the (meta) represen-tation of a term b t and a term t ′ . It returns the canonical form of t if it is a term havingthe same sort of t ′ ; otherwise, it returns t ′ . Usually, t ′ is an error term used to denotethat the descent translation was not possible. For instance, if b t is expected to be themeta-representation of a formula, then t ′ can be the constant op error : -> Formula . At the meta-level, modules in Maude (i.e., rewrite theories) are represented asterms with sort
Module . The function upModule can be used to obtain such a term. Allthe components of a module (sorts, functions, equations and rules) have a suitablesort and representation in the meta-level, thus making them first-class citizens. Forinstance, most of the analyses require to extend the sequent theory with new rules.The function below adds to the module M a set of rules RS : itle Suppressed Due to Excessive Length 25 op newModuleRls : Module RuleSet -> Module .eq newModuleRls(M, RS)= (mod ’NEW-MOD isgetImports(M) --- Sorts, imports, equations, etc remain the samesorts getSorts(M) .getSubsorts(M) getOps(M) getMbs(M) getEqs(M)(getRls(M) RS) --- Union of the rules of M and RSendm ) . Rules at the meta-level are terms of sort
Rule built from the constructors op rl_=>_[_]. : Term Term AttrSet -> Rule .op crl_=>_if_[_]. : Term Term Condition AttrSet -> Rule . --- conditional rule
The parameter of sort
AttrSet is a set of attributes of the rule, including, e.g.,the label used as identification ( [label(’AndR)] ). This representation opens the pos-sibility of manipulating rules in a simple way. For instance, consider a sequent rule r = ( S −→ S ′ ) , for some conclusion S and premise S ′ , to be proved height-preservingadmissible. Consider also that the current goal is to show that a given ground sequentis provable with height at most s(h) . A call to the function below with parameters h and r produces a restricted version of r where it can be applied only on sequentsannotated with (the constant height) h : op inductive-rule : GroundTerm Rule -> Rule .eq inductive-rule(gt, rl ’_:_[’n:FNat , S] => ’_:_[’n:FNat , S’] [ AS ].) =rl ’_:_[gt , S] => ’_:_[gt , S’] [ AS ]. The module
META-LEVEL offers functions to perform Maude’s operations at themeta-level. For instance, the function metaRewrite allows for rewriting the meta-representation of a term in a given module and metaVariantDisjointUnify to solveunification problems. Moreover, given a theory R and two terms t , u in that theory, metaSearchPath allows for checking the entailment R (cid:13) t → u by testing whether U (cid:13) h b R , b t i → h b R , b u i . For instance, in the following assignment: Ans := metaSearchPath(M, SGoal, upTerm(proved), nil, ’*, bound-spec, 0) . the term M is the meta-representation of a sequent system; SGoal is a term representingthe goal/sequent to be proved; nil specifies that there are no additional conditions tobe satisfied by the solution; ’* means that the reduction may take 0 or more steps; bound-spec indicates the maximum depth of the search; and the final 0 is the solutionnumber. The term Ans is a term of type
Trace? . It can be failure or a list of trace stepsshowing how to perform each of the reductions t → r t ′ where the rule r is applied to t leading to t ′ . It is worth noticing that metaSearchPath implements a breadth-first searchstrategy. Hence, if SGoal can be rewritten into proved with at most bound-spec steps,then metaSearchPath will eventually find such proof (if the executability conditions forthe rewrite theory are met [8]). Moreover, since
Ans is a proof term evidencing howto prove the rewriting
SGoal ∗ → proved , it can be used to rebuild the needed derivationof SGoal in the sequent system at hand.7.3 The General Approach for Implementing the AlgorithmsAll the analyses implemented in
L-Framework are instances of the same template:
1. A module interface (called theory in Maude) specifies the input for the analysis.This theory includes parameters such as: the name of the module implementingthe OL; the specification, as a rewrite rule, of the theorem to be proved; the extrahypotheses (set of rewrite rules) corresponding to the already proved theorem; thebound for the search depth; etc.2. A module implementing the decision procedures proposed in Sections 5 and 6.All algorithms follow the same principles:(a) A function generate-cases uses unification to generate all the proof obliga-tions to be discharged. In each kind of analysis, there are suitable sorts andconstructors to represent the proof obligations. Normally, the cases includethe terms denoting the premises (that can be assumed to be provable) as wellas the goal to be proved.(b) Auxiliary definitions to extend the theory with new axioms and the right in-ductive hypothesis. Take for instance the function inductive-rule explainedabove.(c) A function holds? that receives as parameter one of the proof obligations, usesthe functions in (b) to extend the theory and calls to metaSearchPath to checkif the goal can be proved.3. An extra module providing facilities to produce the L A TEX output.The following sections give some details about the components (1) and (2) foreach kind of analysis. Common facilities for all the analyses are implemented in the theorem-proving-base.maude file, including: converting the term t into the ground term t (i.e., replacing variables with fresh constants) and generating axioms (rules of theform rl [ax] T => proved . ) from the assumptions of the theorem.7.4 Admissibility AnalysisThe core procedures for automating the proof of admissibility theorems, followingthe definitions in Section 5.1, are specified in admissibility.maude . The input point isthe definition of the functional theory below. fth ADMISSIBILITY-SPEC ispr META-LEVEL .op th-name : -> String . --- Name of the theoremop mod-name : -> Qid . --- Module with the OL specificationop file-name : -> String . --- Output fileop rule-spec : -> Rule . --- Rule to be proved admissible (goal => premise)op bound-spec : -> Nat . --- Depth-search--- Already proved admissibility lemmas (set of rules)op already-proved-theorems : -> RuleSet .--- Identifiers of the height preserving invertible rulesop inv-rules : -> QidList .--- Mutual inductive rule (for mutual inductive proofs).op mutual-ind : GroundTerm -> RuleSet .endfth Theories in Maude are module interfaces used for declaring parameterized mod-ules. Such interfaces define the syntactic and semantic properties to be satisfied bythe actual parameter modules used in an instantiation [7]. itle Suppressed Due to Excessive Length 27
The name of the theorem is specified with the string th-name (e.g., “Admissibilityof weakening.”). The identifier of the module mod-name (e.g., ’G3ip ) is used to obtainthe meta-representation of the OL module defining the syntax and inference rules ofthe sequent system. The field file-name specifies the output (L A TEX) file.The theorem to be proved is specified via a rewriting rule (a term of sort
Rule ).As an example, the height-preserving admissibility of weakening for
G3ip is: eq rule-spec =rl ’_:_[’n:FNat, ’_|--_[’_;_[’Gamma:MSFormula, ’F:Formula], ’G:Formula]] =>’_:_[’n:FNat, ’_|--_[’Gamma:MSFormula,’G:Formula]][ label(’W) ]. ) .
This term is the meta-representation of the rule rl [W] n : Gamma, F |-- G => n : Gamma |-- G .
Note that the premise and the conclusion have the same height, specifying that ifthe premise is provable with height at most n so is the conclusion. Since the entail-ment relation is undecidable in general, all the analyses are performed up to a givensearch depth (field bound-spec ). Hence the procedures are sound (in the sense of thetheorems in Sections 5 and 6), but not complete.As already explained, for modularity, the analyses can depend on external lem-mas. Those auxiliary results are specified as already-proved-theorem (backward rea-soning) and inv-rules (forward reasoning). Finally, some theorems require mutualinduction. For instance, admissibility of contraction for the system of classical logic(Section 8.3) requires a mutual induction on the the right and left rule for contrac-tion. The field mutual-ind specifies the other theorems that can be applied on shorterderivations. For that, if the parameter of type GroundTerm is of the form ’s[h.Nat] , themutual-theorem is instantiated with sequents of (constant) height h .The main procedures implementing the analysis of admissibility of rules canbe found in the parametric module ADMISSIBILITY-ALG{SPEC :: ADMISSIBILITY-SPEC} .Consider, for instance, the task of proving the admissibility of a rule rs . Such a ruleis specified as the parameter rule-spec in SPEC . For each rule rt of the system, proofobligations are generated by the module’s functionality. Following Definition 6, thisis done by unifying the premise/body of rs with the conclusion/head of rt : U := metaVariantDisjointUnify(module,getBody(rule-spec, module) =? getHead(rt, module), empty, 0, N) .
Here, N is a natural number used to enumerate the unifiers. By identifying the unifier U ,it is possible to obtain the resulting premises when rt is applied on the body/premiseof rs (see Equation (2)). For that, the descent function metaXapply enables the applica-tion of a rule to a term according to a given substitution. Computing the ground termthat substitutes the variables by fresh constants is a routine exercise by following theinductive definition of the sort Term .The cases for admissibility take the form adm-case(Q, M, GTC, GTP, GG) , where: Q is the identifier of the rule rt in Definition 6; M is the module implementing the OL, GTC and
GTP correspond to the conclusion and the premises in Equation (2), and GG isthe goal to be proved ( ( i : S ) θ in Definition 6). A useful mnemonic that applies from now on: G is for ground , T for term , C for conclusion , P for premise(s) , and the last G in GG for goal .The module M above is extended as follows: M’ := newModuleRls(M,inductive(getHeight(GG)) --- theorem instantiated on shorter derivationsmutual-ind(getHeight(GG))premises(GTP) --- all premises in GTP as axiomsinv-premises(M, inv-rules, GTP) --- closing w.r.t invertible rulesalready-proved-theorems ) .
The function inductive takes as parameter the annotated height of the currentgoal GG . If it is of the form s(h) , rule-spec is instantiated with the height h (asexplained in the Section 7.2). Otherwise, inductive and mutual-ind return none (anempty list of rules). The function call premises(GTP) generates, for each sequent S in the set of premises GTP , a new axiom rule (
S => proved ); inv-premises generatesfurther axioms by applying the invertible rules inv-rules in the premises GTP ; and already-proved-theorems adds already proved theorems (specified as rules).From the extended theory M’ , metaSearchPath is used to check whether GG canreach proved and determine the status of the current proof obligation.7.5 Invertibility of RulesThe core procedures are in invertibilty.maude . The input to the invertibility analysisis specified as a realization of the functional theory INV-SPEC : fth INV-SPEC ispr META-LEVEL .op th-name : -> String . --- Name of the theoremop mod-name : -> Qid . --- Module with the OL specificationop bound-spec : -> Nat . --- Bound of the search procedureop file-name : -> String . --- File name to write the outputop already-proved-theorems : -> RuleSet . --- Admissible rulesendfth There is no need to specify the theorem to be proved, because it suffices to takeeach of the rules of the input module and “flip” it in order to obtain the invertibilitylemma to be proved (see Definition 5). This procedure outputs a L A TEX file with theinvertibility status of each rule in the system. In the case of rules with two premises,each premise is analyzed separately (see Def. 7). This allows for proving, e.g., thatthe rule ⊃ L in the system G3ip is invertible only in its right premise (see Section 8.1).Following the same recipe for admissibility, the proof obligations for invertibilityare generated by solving unification problems. Assume that the rule being analyzedis Q and it is to be tested invertible with respect to the rule Q’ . If Q is a two-premiserule, then it is split into two different rules to be analyzed separately. Assume thatthe resulting sliced rule with at most one premise is R . The N -th unifier between theheads/conclusions of the rules is T := getHead(R)T’ := getHead(Q’, module)U := metaVariantDisjointUnify(module, getHead(T) =? getHead(T’), empty, 0, N) itle Suppressed Due to Excessive Length 29
The case to be analyzed is then: inv-case(R, Q’,apply(T’, U), --- the sequent where R and Q’ can be appliedapplyRule(apply(T, U), Q’, module, U), --- applying Q’ on the resulting seq.applyRule(apply(T, U), R, module, U)) --- applying R on the resulting seq.
The first two parameters identify the case. The third parameter corresponds to the se-quent where both rules can be applied, i.e., the conclusion in Equation (6). The fourthparameter corresponds to the premises after the application of Q’ , i.e., the premises inEquation (6). The last parameter is the goal being proved, i.e., the premise resultingafter the application of R on the same sequent ( ( k : S l ) θ in Definition 7). Call GTC , GTP ,and GG to the last three parameters of the case once their variables are replaced withfresh constants.The inductive reasoning consists in applying, when possible, the rule R on the se-quents in GTP . By induction, such application of R on a sequent S in GTP must preservethe height annotation of S . Hence, a modified version of R is needed: op inductive-rule : Rule -> Rule .eq inductive-rule( ( rl ’_:_[’s[T],T’] => T’’ [ AS ]. ) )= ( rl ’_:_[ T, T’] => T’’ [ label(’IND) ]. ) . Note the use of the height T (instead of s[T] ) in the resulting rule. Call RI the ruleresulting from the application of this function to the rule R being analyzed.Computing the set of sequents that can be assumed as axioms by induction be-comes now a simple task. It suffices to compute one step of rewriting for each sequent GT in the set GTP as follows: metaSearch(MRI, GT, ’G:Goal, nil, ’+, 1, k) .
The term
MRI inherits all the functional description of the module specifying the OL,but it contains only one single rule, namely, RI . The (ground) sequent GT is rewrittento any possible list of sequents (variable ’G:Goal ) in this theory in exactly one step ( ’+ means one or more steps and the bound in the 6th parameter forces it to be exactlyone). The last parameter is used to enumerate all the possible solutions.Finally, the OL theory M can be extended before attempting a proof of the goal GG of the current case: M’ := newModuleRls(M, premises(GTP) --- axioms from GTPinductive(M, GTP, R) --- inductive reasoningalready-proved-theorems) cut-elimination-base.maude defines common facilities for all the cut-elimination pro-cedures. Impressive enough, minor extensions to this module have been required toimplement cut-elimination procedures for the systems in Section 8.The common interface is the following functional theory: fth CUT-SPEC ispr META-LEVEL .op th-name : -> String . --- Name of the theoremop mod-name : -> Qid . --- Module with the OL specificationop bound-spec : -> Nat . --- Bound of the search procedureop file-name : -> String . --- File name to write the outputop already-proved-theorems : -> RuleSet . --- Admissible rulesop inv-rules : -> QidList . --- Invertible rulesendfth
The parametric module
CUT-BASE{SPEC :: CUT-SPEC} contains the common definitions.An operator for the cut rule is defined op cut-rule : -> Rule . , but no equation forit is provided. Each OL is responsible for completing this definition. For instance,in
G3ip , the cut-rule shares the context in the antecedent of the sequent between thetwo premises. Hence, the file cut-add-scon.maude (additive cut for single conclusionsystems) extends
CUT-BASE with the following equation: eq cut-rule =(rl ’_:_[’inf.INat, ’_|--_[’Gamma:MSFormula, ’F:Formula]] =>’_|_[’_:_[’h1 $$ :FNat,’_|--_[’_;_[’Gamma:MSFormula, ’FCut $$ :Formula],’F:Formula]],’_:_[’h2 $$ :FNat,’_|--_[ ’Gamma:MSFormula ,’FCut $$ :Formula]]][ label(’\Cut) ]. ) . The conclusion of the rule is annotated with inf (the constant of type
INat denoting“don’t know”). This specification is nothing else that the meta-representation of therule in Equation (8). In all the analyses, the cut-formula is expected to be named as
FCut $$ and the height of the two premises as h1 $$ and h2 $$ .The module CUT-BASE offers mechanisms to generate, in a uniform way, the proofobligations for the cut-elimination procedures considered here. This is done in twosteps. First, one of the rules of the system identified as Q1 is matched against the firstpremise of the cut-rule ( lcut below): U := metaVariantDisjointUnify(module, lcut =? getHead(Q1, module), empty, 0, N)
The unifier U must map the variables of lcut to some fresh variables. Hence, beforeunifying a second rule Q2 against the second premise of the cut-rule, denoted as rcut ,the substitution U must be applied on rcut (see Definition 8): U’ := metaVariantDisjointUnify(module, apply(rcut, U) =?getHead(Q2, module), empty, Nvars, M) .
A proof obligation takes the following form: cut-case( cut-sub-case(TC, TP), --- left premise (conclusion and premises)cut-sub-case(TC’, TP’), --- right premise (conclusion and premises)apply(getHead(cut-rule), (U ; U’)), --- goal to be provedapply(’FCut $$ :Formula, (U ; U’)) --- the cut formula) The notation
U ; U’ is used for composition of substitutions.Induction on the height of the derivation is also defined in
CUT-BASE in a generalway and independently of the cut-rule. itle Suppressed Due to Excessive Length 31 op induct-height : GroundTerm GroundTerm GroundTerm -> RuleSet .eq induct-height(’suc[gh], ’suc[gh’], GF) =( rl getHead(cut-rule) =>’_|_[ --- Fixing heights (gh and suc[gh’]) and the cut-formula (GF)apply(lcut, (’h1 $$ :FNat <- gh ; ’FCut $$ :Formula <- GF)),apply(rcut, (’h2 $$ :FNat <- ’suc[gh’] ; ’FCut $$ :Formula <- GF))][ label(’\hCut) ]. )( rl getHead(cut-rule) =>’_|_[ --- Fixing heights (suc[gh] and gh’) and the cut-formula (GF)apply(lcut, (’h1 $$ :FNat <- ’suc[gh] ; ’FCut $$ :Formula <- GF)),apply(rcut, (’h2 $$ :FNat <- gh’ ; ’FCut $$ :Formula <- GF))][ label(’\hCut) ]. ) . The syntax x <- t is used to denote the substitution [ t / x ] . This specification imple-ments ind-H in Definition 8. The first two parameters are the height of the left andthe right premises above the cut. The last parameter is the cut-formula considered inthe current goal.Induction on the structure of the formula is partially defined in CUT-BASE , but ad-ditional work is needed in the specific OL. General definitions include, e.g., op induct-struct : GroundTerm -> RuleSet .eq induct-struct(Q[LGT]) = $ induct-struct(LGT) .eq induct-struct(GT) = none [owise] . The first equation applies to constructors for formulas (e.g., ’_/\_[A, B] , repre-senting A ∧ B ) and then, induction applies on all the sub-terms in the list of groundterms LGT (if they are of sort
Formula ). If the parameter is a constant, e.g., ’False.Formula ,only the second equation applies and no inductive rule is generated. The keyword owise (a shorthand for otherwise ) means “use this equation if all the others defin-ing the corresponding function symbol fail”. This is syntactic sugar to simplify thespecification and it can be encoded in plain conditional equational theories [8].The function $ induct-struct calls to induct-struct-formula for each term in LGT .The definition of induct-struct-formula is specific for each OL. Here the one definedin cut-add-scon.maude : op induct-struct-formula : GroundTerm -> RuleSet .eq induct-struct-formula(GTA)= if getType(GTA) == ’Formula --- only sub-terms of sort Formulathen ( rl getHead(cut-rule) => --- head unchanged’_|_[ --- premises with height ’inf and the cut-formula fixed to GTAapply(lcut, (’h1 $$ :FNat <- ’inf.INat ; ’FCut $$ :Formula <- GTA)),apply(rcut, (’h2 $$ :FNat <- ’inf.INat ; ’FCut $$ :Formula <- GTA)) ][ label(’\sCut) ]. )else none --- no rule if GTA is not a formulafi . The parameter
GTA is a ground term denoting a proper sub-formula of the cut-formula.The cut-rule is instantiated as follows: the head of the rule is unchanged, the heightof the premises is ’inf.INat , and the cut-formula is fixed to be (the ground term)
GTA . The change in the height of the premises is due to the fact that cuts on smallerformulas do not preserve necessarily the height of the derivation.The above definition seems to be general enough for any cut-rule and, in theory,it would be possible to define it once and for all the systems. However, the generated rule is problematic from the point of view of proof search. Note that both premisesare annotated with ’inf.INat . Hence, even if the rule does not need to “guess” thecut-formula (since it is fixed to a ground term A ), it is always possible to rewrite thegoal Γ ⊢ G into Γ , A ⊢ G and later into Γ , A , A ⊢ G , etc. For this reason, in somesystems, extra conditions are needed to restrict the application of this rule and reducethe search space (more about this in Section 8). Of course, a bad choice of suchconditions may render the analysis inconclusive. A natural rule of thumb that workedin most of the cases was to restrict the application of this rule when the sub-formula A is not already in the context Γ .Finally, the main search procedure must be also tailored for each OL. There is atemplate that, with little modifications, can be used in all systems reported here. Inparticular, OLs may define different conditions for the application of the rules withthe aim of reducing the search space. The main definition in cut-add-scon.maude is: ceq holds $ ?(cut-case( ... ))= output ...if --- Premises with implicit weakeningRS := premises-W(GTC) premises-W(GTC’) premises-W(GTP) premises-W(GTP’)--- invertibility lemmas on the premisesinv-premises(M, inv-rules, GTP) inv-premises(M, inv-rules, GTP’)already-proved-theorems --- adding admissibility lemmas--- Induction on the height of the derivationinduct-height(getHeight(gtc), getHeight(gtc’), GF)--- Induction on the formula only in principal casesif numFormulas(GG) <= 1 then induct-struct(GF) else none fi In the code above, RS is the set of rules used to extend the theory of the OL beforecalling the search procedure. This extension is similar to the ones presented for ad-missibility and invertibility. There are, however, two new ingredients: (a) the way theaxioms are generated and (b) the additional condition deciding whether the rule forstructural induction is added or not to solve the current goal GG :.(a) premises-W(S) converts into an axiom the sequent S . Unlike premises(S) used inthe previous sections, the resulting rule in premises-W(S) internalizes weakening:if S is the (ground) sequent Γ ⊢ F , then ∆ ⊢ F is provable for any ∆ ⊇ Γ . Thisavoids the need for adding the rule W into already-proved-theorems , thus reducingthe search space. This simplification cannot be used, of course, in substructurallogics, such as linear logic (Section 8.4).(b) As already explained, the rule for structural induction is problematic from thepoint of view of proof search. In some OLs it is possible to control its use. Forexample, in G3ip , the application of ind-F can be restricted to solve only theprincipal cases (and the non-principal cases will run faster). Such cases can beidentified by counting the number of constants of type
Formula in the current goal GG (see the last line in the code above). In other systems, however, this simplifica-tion does not work as in the case of the system mLJ (Section 8.2) where structuralinduction is also needed in some of the non-principal cases.Wrapping up, configuring the cut-elimination procedure requires adjusting andtuning some parameters. As shown in Section 8, some logics that share the same itle Suppressed Due to Excessive Length 33 structural properties may reuse a common infrastructure. For instance, the cut-ruleand procedures defined in file cut-add-mcon.maude (two-sided and multi-conclusionsystems where weakening and contraction are allowed) can be used to prove cut-elimination for the system G3cp (Sec. 8.3), mLJ (Sec. 8.2), and some systems formodal logics (Sec. 8.5). However, cut-elimination is a non-trivial property and hence,full automation is impossible for ‘the’ general case. In each of these systems, the usermust determine the invertibility lemmas that will be considered during the search pro-cedure. This is done by simply modifying the input parameter inv-rules in CUT-SPEC .7.7 Identity ExpansionThis analysis uses the following functional theory as interface ( id-expand.maude ): fth ID-EXP-SPEC isop mod-name : -> Qid .op file-name : -> String .op bound-spec : -> Nat .op goal : GroundTerm -> GroundTerm . --- e.g., F |-- F or |- F, dual(F)op already-proved-theorems : -> RuleSet .op types-formula : -> TypeList . --- types different from ’Formula to be analyzedendfth Given a ground term F denoting a formula, the call goal(F) returns the sequentto be proved. This definition allows to consider id-expansion theorems for one-sidedand two-sided systems. The last field is used to define other sorts that need to beconsidered in the analysis. For instance, the specification of modal logics includesthe sort BFormula < Formula for boxed formulas (see Section 8.5). By adding
BFormula in types-formula , the case (cid:3) F ⊢ (cid:3) F is generated. This section explains how structural meta-properties of several propositional sequentsystems can be specified and proved with the approach presented in this paper. Thesite hosting the
L-Framework includes all the logical systems described here, theproof-search implementation of the strategies, and the PDFs generated by the proof-search algorithms. The chosen methodology for proving the (meta-)theorems in thissection is modular: first, it attempts to build a proof without any external lemma;second, when needed, it analyzes the failing cases and adds already proved theoremsfor completing the proof. This methodology allows for analyzing interdependenciesbetween the different results inside various logical systems. Since there are no similartools to compare the performance of the L-Framework , the main benchmark pursuedis to show that it is flexible enough to deal with several proof-theoretic properties withlittle effort in defining the object logic and the properties of interest. In all the cases,but those reported in Section 8.4 (where the proof of cut-elimination requires induc-tion on two different rules), implementing the analyses amounts only to instantiatethe interfaces/theories described in Section 7. https://carlosolarte.github.io/L-framework/ In order to show the feasibility of the
L-Framework , time-related observationsare reported. In all the cases, the depth bound ( bound-spec ) is set to 15 and the ex-periments are performed on a MacBook Pro, 4 cores 2.3 GHz, and 8GB of RAM,running Maude 3.0. On average, the admissibility analyses are completed in about 5seconds. Once all the auxiliary lemmas are added, the time needed to complete theproof of cut-elimination depends on whether explicit structural rules are used (about30 seconds) or not (about 15 seconds).8.1 System
G3ip for Propositional Intuitionistic LogicThe system
G3ip and its specification as a rewrite theory are presented in Section 5.The proof of meta-theoretical properties is next described in detail.
Weakening.
Theorem 1 (see rule H in Equation (5)) and height-preserving admissi-bility of weakening can be proved without auxiliary lemmas. Theorem 6 (Weakening and Weak-height) If G3ip ◮ n Γ ⊢ C, then
G3ip ◮ s ( n ) Γ ⊢ C. Moreover, the rule W (Equation (1) ) is height-preserving admissible in G3ip .Proof
See the specification of the theorems in g3i/prop-W.maude and g3i/prop-H.maude .The resulting proofs are in g3i/g3i.pdf . Both properties are proved in less than 1 sec-ond without any additional lemma. ⊓⊔ Invertibility.
All the rules in
G3ip are invertible, but ∨ R i and ⊃ L . However, the toolinitially fails (in 7.6s) to prove the invertibility of ⊃ R , ∧ R , ∧ L , ∨ L , and ⊤ L .Consider the rule ⊃ R . Recall that the invertibility of a rule is proven by testingthe local invertibilities relative to all possible rules (see Definition 7). Hence, the toolproves, e.g., that ⊃ R is invertible w.r.t ∧ L (the symbol • denotes successor): h ∆ , F , F ⊢ F ⊃ F • h ∆ , F ∧ F ⊢ F ⊃ F ∧ L −→ h ∆ , F , F , F ⊢ F ax / ind • h ∆ , F , F ∧ F ⊢ F ∧ L Note the application of the inductive hypothesis on the shorter derivation of height h . All the other cases of local invertibility of ⊃ R are similar, but the cases w.r.t. ⊃ R and ⊃ L fail. As shown below, when the admissible rules H and W (Theorem 6) areadded to the set of already-proved-theorems , the tool completes the missing cases.The failure w.r.t. ⊃ R is: h ∆ , F ⊢ F • h ∆ ⊢ F ⊃ F ⊃ R −→ • h ∆ , F ⊢ F fail This is the dummy case where the same rule is applied on the same formula and theproof transformation should be trivial. In fact, an application of H completes the case: h ∆ , F ⊢ F • h ∆ ⊢ F ⊃ F ⊃ R −→ h ∆ , F ⊢ F ax • h ∆ , F ⊢ F H Regarding the failure of the invertibility of ⊃ R w.r.t ⊃ L itle Suppressed Due to Excessive Length 35 h ∆ , F ⊃ F ⊢ F h ∆ , F ⊢ F ⊃ F • h ∆ , F ⊃ F ⊢ F ⊃ F ⊃ L −→ • h ∆ , F , F ⊃ F ⊢ F fail If ⊃ L is applied on the sequent ∆ , F , F ⊃ F ⊢ s ( h ) F , two premises are obtained: ∆ , F , F ⊃ F ⊢ h F and ∆ , F , F ⊢ h F . The second premise is provable by induc-tion. The proof of the first premise requires weakening on F : h ∆ , F ⊃ F ⊢ F h ∆ , F ⊢ F ⊃ F • h ∆ , F ⊃ F ⊢ F ⊃ F ⊃ L −→ h ∆ , F ⊃ F ⊢ F axh ∆ , F , F ⊃ F ⊢ F W h ∆ , F , F ⊢ F ax / ind • h ∆ , F , F ⊃ F ⊢ F ⊃ L Once W is added, the proofs of invertibility of ∧ R , ∧ L , ∨ L and ⊤ L are also completed.Some cases are vacuously discharged. For instance, there are no proof obligationsfor the invertibility of ⊃ R w.r.t. ∧ R (it is impossible to unify the conclusion of theserules). Moreover, the cases of the axioms I , ⊤ R , and ⊥ L are trivial since the onlyproof obligation is to reduce proved into proved : h ∆ , F ⊃ F ⊢ F h ∆ , F ⊢ ⊤• h ∆ , F ⊃ F ⊢ ⊤ ⊃ L −→ trivial The rules ∨ R , ∨ R , and the left premise of ⊃ L are clearly not invertible. Thefollowing failures provide good evidences that these cases do not succeed: h ∆ ⊢ F • h ∆ ⊢ F ∨ F ∨ −→ • h ∆ ⊢ F fail and h • : ∆ , F ⊃ F ⊢ ⊤ ⊤ R −→ h • : ∆ , F ⊃ F ⊢ F fail Theorem 7 (Invertibility)
All the rules, but ∨ R i and ⊃ L , are height-preserving in-vertible in G3ip . Moreover, the right premise of ⊃ L is height-preserving invertible.Proof The invertibility of ∧ R , ∧ L , ∨ L , and ⊤ L depends on the admissibility of W (Theorem 6). The invertibility of ⊃ R and the invertibility of the right premise of ⊃ L require Theorem 6 ( W and H ). The specification of the property is in prop-inv.maude .The analysis is completed in 7.7 seconds. ⊓⊔ Contraction.
When attempting a proof of admissibility of contraction, the local ad-missibility cases w.r.t ⊃ L , ∧ L , ∨ L , and ⊤ L fail. Here is the failing case for ∨ L : h ∆ , F , F ∨ F ⊢ F h ∆ , F , F ∨ F ⊢ F • h ∆ , F ∨ F , F ∨ F ⊢ F ∨ L −→ • h ∆ , F ∨ F ⊢ F fail Note that the inductive hypothesis cannot be used neither on the left nor on theright premise. After adding ’OrL to the set of already-proved invertible rules (field inv-rules ), the
L-Framework completes this case as follows: h ∆ , F , F ∨ F ⊢ F h ∆ , F , F ∨ F ⊢ F • h ∆ , F ∨ F , F ∨ F ⊢ F ∨ L −→ h ∆ , F , F ⊢ F inv-th/axh ∆ , F ⊢ F IH h ∆ , F , F ⊢ F inv-th/axh ∆ , F ⊢ F IH • h ∆ , F ∨ F ⊢ F ∨ L h ∆ , F , F , F ⊢ F h ∆ , F , F , F ⊢ F • h ( ∆ , F ∨ F ) , F , F ⊢ F ∨ L −→ h ∆ , F , F , F ⊢ F axh ∆ , F , F ⊢ F IH h ∆ , F , F , F ⊢ F axh ∆ , F , F ⊢ F IH • h ∆ , F , F ∨ F ⊢ F ∨ L Due to unification, there are indeed two cases: one in which the disjunctive formula iscontracted and one of the copies is principal, and another case with the disjunction notbeing contracted (instead, another formula F is). The second case follows withoutusing the invertibility lemma. Theorem 8 (Contraction)
The contraction rule C (Equation (1) ) is height-preservingadmissible in G3ip .Proof
The cases ∨ L , ∧ L , and ⊤ L require the invertibility of the respective rules (The-orem 7). The case ⊃ L requires invertibility of the right premise of this rule (specifiedin inv-rules as ’impL $$ ). The proof takes 1.3 seconds. ⊓⊔ Cut-Elimination.
Controlling the structural rules is one of the key points to reducethe search space in sequent systems. The system
G3ip embeds weakening in its initialrule ( Γ can be an arbitrary context) and contraction in rules with two premises (allrules are additive and contraction is explicit in the left premise of ⊃ L ). Thus, W and C are admissible in G3ip , and the proof search procedure does not need to guesshow many times a formula must be contracted or whether some of them need to beweakened. The cut-rule considered for
G3ip is additive (see Equation (8)), hence alsocarrying an implicit contraction.The cut-elimination procedure for
G3ip implements two strategies for reducingthe search space (see Section 7.6):1. If
GTP is the resulting set of sequents that can be assumed to be provable, then suchsequents are added as axioms that internalize weakening. For instance, if Γ ⊢ F is a (ground) sequent in GTP , then, ∆ ⊢ F is assumed to be provable whenever ∆ ⊇ Γ . This avoids the need for adding the rule W to the set of already provedtheorems, thus reducing the non-determinism during proof-search: weakening is“delayed” until the leaves of the derivation are reached.2. The inductive hypothesis on the structure of the formula is only used in the prin-cipal cases. Hence, less alternatives are explored when proving the non-principalcases.The strategy (1) considerably affects the performance in both failing and suc-cessful attempts as explained below. The strategy (2) saves few seconds when all theneeded auxiliary lemmas are added and the proof succeeds. In failing attempts, thisstrategy has an important impact.Due to (1), W and C are not added to already-proved-theorems and, for the mo-ment, consider also that none of the invertibility lemmas is added. This experimentleads to proofs for the trivial cases ( ⊤ R , ⊥ L , I and ⊤ L ) and fails for the other rules inalmost 15 seconds . Non-principal Cases.
Usually the non-principal cases are easily solved by permutingdown the application of a rule and reducing the height of the cut. Some of this casesare already proved in this first iteration. For instance, the case ( ∧ L , ∨ ) — ∧ L appliedon the left premise and ∨ on the right premise — is solved as follows: h ∆ , F , F ⊢ F • h ∆ , F ∧ F ⊢ F ∧ L h ∆ , F , F ∧ F ⊢ F • h ( ∆ , F ∧ F ) , F ⊢ F ∨ F ∨ − : ∆ , F ∧ F ⊢ F ∨ F Cut −→ • h ∆ , F ∧ F ⊢ F ax/W h ∆ , F , F ∧ F ⊢ F ax/W − : ∆ , F ∧ F ⊢ F hCut − : ∆ , F ∧ F ⊢ F ∨ F ∨ In the right derivation, hCut is an application of the cut-rule with shorter derivations.Moreover, ax/W finishes the proof due to the sequents assumed to be provable (on In the same experiment, if the strategy (2) is not considered, the case ⊃ R does not finish after 15 min.itle Suppressed Due to Excessive Length 37 the left derivation), possibly applying W . In this particular case, weakening is notneeded. Some other similar cases, however, fail. Take for instance the case ( ∧ L , ∧ L ): h ∆ , F , F ⊢ F ∧ F • h ∆ , F ∧ F ⊢ F ∧ F ∧ L h ∆ , F , F , F ∧ F ⊢ F • h ( ∆ , F ∧ F ) , F ∧ F ⊢ F ∧ L − : ∆ , F ∧ F ⊢ F Cut −→ − : ∆ , F ∧ F ⊢ F fail What is missing here is the invertibility of ∧ L on the assumption ∆ , F , F , F ∧ F ⊢ h F . If this invertibility lemma is added, the tool completes the case: −→ h ∆ , F , F ⊢ F ∧ F ax/W h ∆ , F , F , F , F ⊢ F inv-th/ax • h ∆ , F , F , F ∧ F ⊢ F ∧ L − : ∆ , F , F ⊢ F hCut − : ∆ , F ∧ F ⊢ F ∧ L Inspecting similar failing cases suggests the need for including also the invertibil-ity of the rules ∧ R and ∨ L , and also the invertibility of the right premise of ⊃ L . Thissolves some missing cases but still, the cases for ⊃ L , ∧ L and ∨ L are not complete.One of the failures for ( ⊃ L , ⊃ L ) is the following: h ∆ , F ⊃ F ⊢ F h ∆ , F ⊢ F • h ∆ , F ⊃ F ⊢ F ⊃ L h ∆ , F , F ⊃ F ⊢ F h ∆ , F , F ⊢ F • h ( ∆ , F ⊃ F ) , F ⊢ F ⊃ L − : ∆ , F ⊃ F ⊢ F Cut −→ − : ∆ , F ⊃ F ⊢ F fail The cut-formula is F and it is not principal in any of the premises. Once ⊃ L isapplied on the goal ∆ , F ⊃ F ⊢ F , the resulting left premise is already proved (seethe left-most sequent in the left derivation). The right premise can be proved with H (Theorem 6) if it is added to already-proved-theorems : −→ − : ∆ , F ⊃ F ⊢ F ax/W h ∆ , F ⊢ F ax/W h ∆ , F , F ⊢ F ax/W • h ∆ , F , F ⊢ F H − : ∆ , F ⊢ F hCut − : ∆ , F ⊃ F ⊢ F ⊃ L Principal Cases.
Note that in all the above derivations, due to unification, there isalways more than one constant of sort
Formula in the goal: besides the formula in thesuccedent of the sequent, there are formulas in the antecedent that are needed for theapplication of a left rule in the left premise of the cut. Due to the strategy (2), cutson smaller formulas are not considered during the proof search for these cases. Thesituation is different in the principal cases. Consider for instance the case ( ⊃ R , ⊃ L ) : h : ∆ , F ⊢ F • h : ∆ ⊢ F ⊃ F ⊃ R h : ∆ , F ⊃ F ⊢ F h : ∆ , F ⊢ F • h : ∆ , F ⊃ F ⊢ F ⊃ L − : ∆ ⊢ F Cut −→• h : ∆ ⊢ F ⊃ F ax/W h : ∆ , F ⊃ F ⊢ F ax/W − : ∆ ⊢ F hCut − : ∆ , F ⊢ F ax/W − : ∆ , F , F ⊢ F ax/W − : ∆ , F ⊢ F sCut − : ∆ ⊢ F sCut Rule sCut corresponds to a cut on a sub-formula. Note that the antecedent of the thegoal is just a constant of sort
MSFormula ( ∆ ). Theorem 9 (Cut elimination)
The cut-rule in Equation (8) is admissible in
G3ip .Proof
See the specification and dependencies in g3i/prop-cut.maude . The proof re-quires Theorem 6. All the cases –except for ⊤ R , ⊤ L , ⊥ L , and I – require Theorem 7.The proof is completed in 13.8 sec. ⊓⊔ Multiplicative Cut in
G3ip . Observe that, by adopting the additive version of thecut-rule, several common proof search problems are avoided, e.g., loops created bythe uncontrolled use of contraction. But what if the following multiplicative cut isconsidered in
G3ip instead, where the context is split between the two premises? Γ ⊢ A ∆ , A ⊢ B Γ , ∆ ⊢ B Cut (9)The search tree now is considerably bigger since all the alternatives on how to splitthe context Γ , ∆ need to be considered (see cut-mul-scon.maude ). This is an interestingquestion, and the discussion presented next will serve to pave the way to the analysisof sequent systems with linear contexts (see Section 8.4).Note that, if only the rule H (Theorem 6) is added, then all the cases but theprincipal cases for ⊃ and ∧ succeed in 26 seconds. The failure on ( ∧ R , ∧ L ) is: h ∆ ⊢ F h ∆ ⊢ F • h ∆ ⊢ F ∧ F ∧ R h ∆ , F , F ⊢ F • h ∆ , F ∧ F ⊢ F ∧ L − : ∆ , ∆ ⊢ F Cut −→ − : ∆ , ∆ ⊢ F fail This case is solved by cutting with F and F . However, since the cut-rule is multi-plicative, the contexts ∆ and ∆ need to be contracted first. Adding contraction, onterms of sort MSFormula makes infeasible the proof search procedure: any subset ofthe antecedent context can be chosen for contraction and such rule can be appliedon any sequent/goal. Instead, a more controlled version of contraction can be added:contract the whole context only if there are no duplicated elements in it. This morerestricted rule cannot be applied twice on the same goal, thus reducing the number ofalternatives leading to the following proof transformation: h : ∆ , F ⊢ F • h : ∆ ⊢ F ⊃ F ⊃ R h : ∆ , F ⊃ F ⊢ F h : ∆ , F ⊢ F • h : ∆ , F ⊃ F ⊢ F ⊃ L − : ∆ , ∆ ⊢ F Cut −→• h : ∆ ⊢ F ⊃ F ax/W h : ∆ , F ⊃ F ⊢ F ax/W − : ∆ , ∆ ⊢ F hCut − : ∆ , F ⊢ F ax/W − : ∆ , F ⊢ F ax/W − : ∆ , ∆ , F ⊢ F sCut − : ∆ , ∆ , ∆ , ∆ ⊢ F sCut − : ∆ , ∆ ⊢ F C Theorem 10 (Multiplicative Cut-elim. )
The rule in Eq. (9) is admissible in
G3ip .Proof
The specification is in prop-cut-mul.maude . See the contraction rule used inthe definition of already-proved-theorems . No invertibility lemma is needed for thisproof. The analysis is completed in 25.6 seconds. ⊓⊔ If W is not embedded in the initial axioms and C is allowed on arbitrary contexts,there is little hope to conclude these proofs in reasonable time. Identity Expansion.
Finally, the dual property of cut-elimination, identity expansion,is easily proved in the
L-Framework . Theorem 11 (Identity-Expansion)
If F is a formula, then F ⊢ F is provable in
G3ip . itle Suppressed Due to Excessive Length 39 Γ , A ⊃ B ⊢ A , ∆ Γ , B ⊢ ∆Γ , A ⊃ B ⊢ ∆ ⊃ L Γ , A ⊢ B Γ ⊢ A ⊃ B , ∆ ⊃ R Γ ⊢ A , B , ∆Γ ⊢ A ∨ B , ∆ ∨ R Fig. 2: The multi-conclusion intuitionistic sequent system mLJ . Proof
See prop-ID.maude . The rule W needs to be added to the set of already provedtheorems. It is used, e.g., in the following case: − : F ⊢ F IH − : F , F ⊃ F ⊢ F W − : F ⊢ F IH − : F , F ⊢ F W − : F , F ⊃ F ⊢ F ⊃ L − : F ⊃ F ⊢ F ⊃ F ⊃ R ⊓⊔ mLJ )Maehara’s mLJ [22] is a multiple conclusion system for intuitionistic logic. The rulesin mLJ have the exact same shape as in G3ip , except for the right rules for disjunctionand implication (see Fig. 2). The disjunction right rule in mLJ matches the correspon-dent rule in classical logic where the disjunction is interpreted as the comma in thesuccedent of sequents. The right implication, on the other hand, forces all formulas inthe succedent of the premise to be weakened. This guarantees that, when the ⊃ R ruleis applied on A ⊃ B , the formula B should be proved assuming only the pre-existentantecedent context extended with the formula A . This creates an interdependency be-tween A and B . Weakening.
The proof of admissibility of weakening in mLJ is similar to
G3ip , onlynoting that, in the former, weakening is also height-preserving admissible in thesuccedent of sequents.
Theorem 12 (Weakening and Weak-height) If mLJ ◮ n Γ ⊢ ∆ , then mLJ ◮ s ( n ) Γ ⊢ ∆ ( H ). Moreover, the following rules are height-preserving admissible in mLJ : Γ ⊢ ∆Γ , F ⊢ ∆ W L Γ ⊢ ∆Γ ⊢ ∆ , F W R Proof
The three properties are specified in mLJ/prop-WH.maude . No auxiliary lemmasare needed. This theorem is proved in less than 3 seconds. ⊓⊔ Invertibility.
All the rules in mLJ are invertible, with the exception of ⊃ R . Theorem 13 (Inv. )
All the rules but ⊃ R are height-preserving invertible in mLJ .Proof See the specification in mLJ/prop-inv.maude . H (Theorem 12) is needed for allthe cases but ⊤ R , ⊥ L and I . This proof takes 15.1 seconds. ⊓⊔ Contraction.
Contraction is also admissible, on both sides of sequents.
Theorem 14 (Contraction)
The rules Γ , F , F ⊢ ∆Γ , F ⊢ ∆ C L Γ ⊢ F , F , ∆Γ ⊢ F , ∆ C R are both height-preserving admissible in mLJ .Proof The specification is in mLJ/prop-C.maude . The proof of admissibility of C L (resp. C R ) requires the invertibility of ⊤ L , ∨ L , ∧ L , and ⊃ L (resp., ⊥ R , ∨ R and ∧ R ). ⊓⊔ Cut-elimination and Identity Expansion.
In the cut-elimination procedure for
G3ip ,the application of the rule for structural induction ( sCut ) is restricted to goals with atmost one term of sort
Formula (corresponding to the principal cases). That simplifi-cation is not possible in mLJ : with that restriction, the cases for ∧ R and ∨ R fail w.r.t. ⊃ R . Here is the case for ( ∨ R , ⊃ R ) : h ∆ ⊢ ( ∆ , F ⊃ F ) , F , F • h ∆ ⊢ ( ∆ , F ⊃ F ) , F ∨ F ∨ R h ∆ , F , F ∨ F ⊢ F • h ∆ , F ∨ F ⊢ ∆ , F ⊃ F ⊃ R − : ∆ ⊢ ∆ , F ⊃ F Cut −→ − : ∆ ⊢ ∆ , F ⊃ F fail Note that the cut formula F ∨ F is principal on the left premise, but it is not on theright premise. This case cannot be solved by reducing the height of the cut by firstapplying ⊃ R since this would remove the context ∆ (needed in the left premise).The cut-elimination procedure for mLJ is based on the module defined in thefile cut-add-mcon.maude (additive multiple-conclusion) where sCut is added in caseswhere the goal sequent has at most two terms of sort Formula . Hence, sCut is allowedalso in non-principal cases. This solves the previous case and the search procedurefinds the following proof transformation: −→ − : ∆ ⊢ ∆ , F , F , F ⊃ F ax/W − : ∆ , F , F ⊢ F inv-th/ax − : ∆ , F ⊢ ∆ , F , F ⊃ F ⊃ R − : ∆ ⊢ ∆ , F , F ⊃ F sCut − : ∆ , F , F ⊢ F inv-th/ax − : ∆ , F ⊢ ∆ , F ⊃ F ⊃ R − : ∆ ⊢ ∆ , F ⊃ F sCut Theorem 15 (Cut-elimination and ID-expansion)
The following cut rule Γ ⊢ ∆ , A Γ , A ⊢ ∆Γ ⊢ ∆ Cutis admissible in mLJ . Moreover, for any F, the sequent F ⊢ F is provable.Proof
For cut-elimination ( prop-cut.maude ), H as well as the invertibility of the rules ∧ L , ∧ R , ∨ L , ∨ R , and ⊃ L are needed. For identity-expansion ( prop-ID.maude ), the ad-missibility of W R and W L (Theorem 12) is needed. The proof takes 35.2 seconds. ⊓⊔ itle Suppressed Due to Excessive Length 41 G3cp for Propositional Classical Logic
G3cp [35] is a well known two-sided sequent system for classical logic, where thestructural rules are implicit and all the rules are invertible. The rules are similar tothose of mLJ with the exception of ⊃ R : Γ , F ⊢ ∆ , G Γ ⊢ ∆ , F ⊃ G ⊃ R Weakening.
Admissibility of weakening of
G3cp follows that same lines as in mLJ . Theorem 16 (Weakening and Weak-height) If G3cp ◮ n Γ ⊢ ∆ , then G3cp ◮ s ( n ) Γ ⊢ ∆ ( H ). The rules W L and W R (see Theorem 12) are height-preserving admissiblein G3cp .Proof
The three properties are specified in g3c/prop-WH.maude . No auxiliary lemmasare needed. ⊓⊔ Invertibility.
All the rules in
G3cp are invertible.
Theorem 17 (Invertibility)
All the rules in
G3cp are height-preserving invertible.Proof
See the specification in g3c/prop-inv.maude . H (Theorem 16) is needed. Thisproof takes 15.1 seconds. ⊓⊔ Contraction.
An attempt of proving admissibility of contraction on the left side ofthe sequent fails due to ⊃ L (and on the right due to ⊃ R ). Here the failing case for C L : h ∆ , F ⊃ F ⊢ ∆ , F h ∆ , F , F ⊃ F ⊢ ∆ • h ∆ , F ⊃ F , F ⊃ F ⊢ ∆ ⊃ L −→ • h ∆ , F ⊃ F ⊢ ∆ fail Due to invertibility of ⊃ L , the sequent ∆ ⊢ ∆ , F , F is provable. However, inductiondoes not apply on this sequent since F is on the right side of the sequent.Hence, the proof of admissibility of contraction is by mutual induction on C L and C R . For instance, the case of ⊃ L is solved by applying C R on a shorter derivation: h ∆ , F ⊃ F ⊢ ∆ , F h ∆ , F , F ⊃ F ⊢ ∆ • h ∆ , F ⊃ F , F ⊃ F ⊢ ∆ ⊃ L −→ h ∆ ⊢ ∆ , F , F inv-th/axh ∆ ⊢ ∆ , F IH-Mutual h ∆ , F , F ⊢ ∆ inv-th/axh ∆ , F ⊢ ∆ IH • h ∆ , F ⊃ F ⊢ ∆ ⊃ L h ∆ , F , F ⊢ ∆ , F h ∆ , F , F , F ⊢ ∆ • h ( ∆ , F ⊃ F ) , F , F ⊢ ∆ ⊃ L −→ h ∆ , F , F ⊢ ∆ , F axh ∆ , F ⊢ ∆ , F IH h ∆ , F , F , F ⊢ ∆ axh ∆ , F , F ⊢ ∆ IH • h ∆ , F , F ⊃ F ⊢ ∆ ⊃ L In the second proof transformation, contraction is applied on a formula different fromthe implication and mutual induction is not needed.
Theorem 18 (Contraction)
The rules C L and C R are height-preserving admissiblein G3cp . ⊢ p ⊥ , p I ⊢ ⊢ Γ ⊢ Γ , ⊥ ⊥ ⊢ Γ , ⊤ ⊤⊢ Γ , A ⊢ Γ , B ⊢ Γ , Γ , A ⊗ B ⊗ ⊢ Γ , A , B ⊢ Γ , A O B O ⊢ Γ , A ⊢ Γ , B ⊢ Γ , A & B & ⊢ Γ , A ⊢ Γ , A ⊕ B ⊕ ⊢ Γ , B ⊢ Γ , A ⊕ B ⊕ Fig. 3: One-sided multiplicative-additive linear logic (
MALL ). Proof
The specification is in prop-C.maude . The proof of admissibility of C L (resp., C R ) requires the invertibility of ⊤ L , ∨ L , ∧ L , and ⊃ L (resp., ⊥ R , ∨ R , ∧ R , and ⊃ R ). For C L , the specification includes the following definition for mutual induction: eq mutual-ind(’suc[GT]) =rl ’_:_[GT, ’_|--_[’Gm:MSFormula, ’_;_[’F:Formula, ’Dt:MSFormula]]] =>’_:_[GT, ’_|--_[’Gm:MSFormula, ’_;_[’_;_[’F:Formula,’F:Formula],’Dt:MSFormula]]] [ label(’\IHMutual) ]. ) .eq mutual-ind (GT) = none [owise] . This means that C R can be applied on shorter derivations of height GT (due to the pat-tern “ ’suc[GT] ” in the definition of the equation). Similarly, the proof of C R requiresmutual induction on C L (specifically for the case ⊃ R ). ⊓⊔ Cut-elimination and Identity Expansion.
The proofs of cut-elimination and identityexpansion are also similar to the cases of mLJ . Theorem 19 (Cut-elimination and ID-expansion)
The cut-rule in Theorem 15 isadmissible in
G3cp . Moreover, for any F, the sequent F ⊢ F is provable.Proof
For cut-elimination ( prop-cut.maude ), H as well as the invertibility of the rules ⊃ L , ⊃ R , ∧ L , ∧ R , ∨ L , and ∨ R are needed. For identity-expansion ( prop-ID.maude ), theadmissibility of W R and W L is needed. The proof of cut-elimination takes 22.5 sec-onds and id-expansion less than one second. ⊓⊔ LL ) [14] is a resource-conscious logic. Formulas are consumed whenused during proofs, unless they are marked with the exponential ? (whose dual is!), in which case they can be weakened and contracted. Besides the exponentials,propositional LL connectives include the additive conjunction & and disjunction ⊕ ,their multiplicative versions ⊗ and O , and the unities 1 , , ⊤ , ⊥ . These connectivesform actually pairs of dual operators: ( A & B ) ⊥ ≡ A ⊥ ⊕ B ⊥ ( A ⊗ B ) ⊥ ≡ A ⊥ O B ⊥ ( ! A ) ⊥ ≡ ? A ⊥ ⊥ ≡ ⊤ ⊥ ≡ ⊥ where A ⊥ denotes the negation of the formula A . All negations in LL can be pushedinwards and restricted to the atomic scope.First, consider the fragment of LL without the exponentials, that is, (classical)propositional multiplicative-additive linear logic ( MALL ). The one-sided proof sys-tem for
MALL is depicted in Fig. 3. As expected, the structural rules for weakeningand contraction are not admissible in this system. itle Suppressed Due to Excessive Length 43 ⊢ ? A , . . . , ? A n , A ⊢ ? A , . . . , ? A n , ! A ! ⊢ Γ , A ⊢ Γ , ? A ? ⊢ Γ ⊢ Γ , ? A ? W ⊢ Γ , ? A , ? A ⊢ Γ , ? A ? C Fig. 4: Exponential rules for LL . Invertibility.
The well known invertibility results for
MALL are easily proved in the
L-Framework . Theorem 20 (Weak-height and Invertibility) If MALL ◮ n ⊢ Γ , then MALL ◮ s ( n ) ⊢ Γ ( H ). Moreover, all the rules but ⊗ and ⊕ i , i ∈ { , } , are height-preserving in-vertible.Proof See
MALL/prop-H.maude and
MALL/prop-inv.maude . Due to the splitting of thecontext, clearly ⊗ is not invertible. Here two (failing) cases showing that the leftpremise of this rule is not invertible. The first one corresponds to invertibility w.r.t. ⊤ and the second one w.r.t. ⊗ : • h ⊢ ⊤ , ∆ , ∆ , F ⊗ F ⊤ −→ • h ⊢ F , ∆ fail h ⊢ F , ∆ , ∆ , F ⊗ F h ⊢ F , ∆ , ∆ • h ⊢ ( ∆ , ∆ , F ⊗ F ) , ( ∆ , ∆ ) , F ⊗ F ⊗ −→ • h ⊢ F , ∆ , ∆ , F ⊗ F fail ⊓⊔ Cut-elimination and Identity Expansion.
Since the system under consideration isone-sided, the cut-rule has a one-sided presentation. The theory in cut-lin-osided.maude (linear cut, one sided) specifies the operation op dual : Formula -> Formula . andthe OL must define equations for it reflecting the De Morgan dualities of the connec-tives. Here some examples for the LL connectives: eq dual(p(i)) = perp(i) . eq dual(perp(i)) = p(i) . eq dual(1) = bot .eq dual(F ** G) = dual(F) $ dual(G) . eq dual(F $ G) = dual(F) ** dual(G) .
Theorem 21 (Cut-elim. and identity-expansion)
The rule ⊢ Γ , F ⊢ ∆ , F ⊥ ⊢ Γ , ∆ Cut isadmissible in
MALL . Moreover, for any formula F, the sequent ⊢ F , F ⊥ is provable.Proof The notation F ⊥ corresponds to dual(F) . The proof of cut-elimination (specifi-cation in MALL/prop-cut.maude ) relies only on the admissibility of H . Here the principalcase ( ⊗ , O ) : h ⊢ F , ∆ h ⊢ F , ∆ • h ⊢ F ⊗ F , ∆ , ∆ ⊗ h ⊢ ∆ , dual ( F ) , dual ( F ) • h ⊢ dual ( F ⊗ F ) , ∆ O − : ⊢ ( ∆ , ∆ ) , ∆ Cut −→ − : ⊢ ∆ , F ax − : ⊢ ∆ , F ax − : ⊢ ∆ , dual ( F ) , dual ( F ) ax − : ⊢ ∆ , ∆ , dual ( F ) sCut − : ⊢ ∆ , ∆ , ∆ sCut ⊓⊔ Exponentials.
Consider the one-sided system for linear logic obtained by adding theexponential ? and its dual !. The system LL results from the inclusion of the inferencein Fig. 4 to those in Fig. 3. Note the explicit rules for weakening and contraction onformulas marked with ?.The specification of the rule ! (called promotion ) requires a new sort to guaranteethat the context only contains formulas marked with ? (see LL.maude ): sorts ?Formula ?MSFormula . --- Formulas and multisets of formulas marked with ?op ?_ : Formula -> ?Formula . --- a ?-Formula is built with ?subsort ?Formula < ?MSFormula . --- A single ?-Formula is also a ?-multisetsubsort ?MSFormula < MSFormula . --- Multisets of ?-formulas are also multisets--- In Rule !, the context must contain only ?-Formulasvar CLq : ?MSFormula . rl [bang] : |-- CLq ; ! F => |-- CLq ; F . Theorem 22 (Weak-height, Weak-! and inv.) If LL ◮ n ⊢ Γ , then LL ◮ s ( n ) ⊢ Γ ( H ).The rule ⊢ Γ , ! F ⊢ Γ , F W ! is height-preserving admissible. Moreover, none of the rules inFig. 4 is height-preserving invertible.Proof See
LL/prop-H.maude , LL/prop-WB.maude and
LL/prop-inv.maude . The invertibil-ity results and the admissibility of W ! depend on H . Note that the rule ? C is invertible:it is always possible to apply it to later use ? W on the same contracted formula. How-ever, such procedure does not preserve the height of the derivation. ⊓⊔ The cut elimination procedure for this system is certainly more involved. An at-tempt of proving this result fails for ! and ? C : h ⊢ F , ? Γ • h ⊢ ! F , ? Γ h ⊢ ∆ , ? dual ( F ) , ? dual ( F ) • h ⊢ dual ( ! F ) , ∆ C − : ⊢ ? Γ , ∆ Cut −→ − : ⊢ ? Γ , ∆ fail This is the principal case where the cut formula is ! F and it is promoted, and itsdual contracted. This case is solved by using the rule below that cuts ! F with n copiesof the formula ? F ⊥ : ⊢ Γ , ! F ⊢ ∆ , ( ? F ⊥ ) n ⊢ Γ , ∆ mCut (10)Hence, the cut-elimination procedure for this system must mutually eliminate thecut-rules in Theorem 21 and Equation 10. More precisely, the elimination of one ofthe cases of Cut relies on the application of mCut on shorter derivations and one of thecases in the elimination of mCut requires the application of
Cut on smaller formulas.Here are the two relevant cases: h ⊢ F , ? Γ • h ⊢ ! F , ? Γ h ⊢ ∆ , ? dual ( F ) , ? dual ( F ) • h ⊢ dual ( ! F ) , ∆ C − : ⊢ ? Γ , ∆ Cut −→ • h ⊢ ? Γ , ! F ax h ⊢ ∆ , ? dual ( F ) , ? dual ( F ) ax − : ⊢ ? Γ , ∆ mCut h ⊢ F , ? Γ • h ⊢ ! F , ? Γ h ⊢ ∆ , dual ( F ) , ctr ( n , ? dual ( F )) • h ⊢ ctr ( s n , ? dual ( F )) , ∆ − : ⊢ ? Γ , ∆ mCut −→ − : ⊢ ? Γ , F ax • h ⊢ ? Γ , ! F ax h ⊢ ∆ , dual ( F ) , ctr ( n , ? dual ( F )) ax − : ⊢ ? Γ , ∆ , dual ( F ) hCut − : ⊢ ? Γ , ∆ Cut
In the last derivation, ctr(s n5, ? dual(F4)) denotes ( ? F ⊥ ) s ( n ) and the applica-tion of Cut is on a smaller formula ( F instead of ! F ). Theorem 23 (Cut-elim. and id-exp.)
The following rules are admissible in LL : ⊢ Γ , F ⊢ Γ , F ⊥ ⊢ Γ Cut ⊢ Γ , ! F ⊢ ∆ , ( ? F ⊥ ) n ⊢ Γ , ∆ mCut.Moreover, for all formulas F, the sequent ⊢ F , F ⊥ is provable. itle Suppressed Due to Excessive Length 45 Proof
The procedures using mutual-induction are defined in
LL/cut-ll.maude and
LL/cut-ll-cc.maude (for mCut ). The properties are specified in prop-cut.maude and prop-cut-cc.maude . Discharging the cases for
Cut (resp., mCut ) takes 13.2 seconds(resp. 115.6 seconds). In cut-ll.maude , the definition op mutual-induct : GroundTerm GroundTerm GroundTerm -> RuleSet .eq mutual-induct(’suc[gh], ’suc[gh’], ’!_[GTA]) = ... --- specification of mCuteq mutual-induct(’suc[gh], ’suc[gh’], ’?_[GTA]) = ... --- specification of mCuteq mutual-induct(gh, gh’, GTA) = none [owise] . receives as parameter the height of the two premises of the cut and the cut-formula F .If F is not a formula marked with ! or ?, no additional rule is generated (the [owise] case in the definition). Also, the patter matching on the heights of the derivationallows for controlling the application of the cut-rule on shorter derivations. A similardefinition can be found in cut-ll-cc.maude .The elimination of Cut assumes as auxiliary lemmas H and also a generalizationof ? W on terms of sort ?MSFormula : ⊢ Γ ⊢ Γ , ? ∆ ? GW . Note that this rule is not height-preserving admissible, but it is clearly admissible (and hence, it can be used onlyon sequents marked with ’inf.INat ). Currently, the L-Framework does not supportinductive proofs on the size of lists/multisets as needed for this auxiliary lemma. Thisrule is used in the following case (where the height of the derivation is irrelevant): h ⊢ F , ? Γ • h ⊢ ! F , ? Γ h ⊢ ∆ • h ⊢ dual ( ! F ) , ∆ W − : ⊢ ? Γ , ∆ Cut −→ − : ⊢ ∆ ax − : ⊢ ? Γ , ∆ GW The elimination of mCut assumes H and the admissibility of W ! (Th. 22), e.g., h ⊢ F , ? Γ , ! F • h ⊢ ! F , ? Γ , ? F h ⊢ ∆ , dual ( F ) , ctr ( n , ? dual ( F )) • h ⊢ ctr ( s n , ? dual ( F )) , ∆ − : ⊢ ( ? Γ , ? F ) , ∆ Cut −→− : ⊢ ? Γ , ! F , ? F ax − : ⊢ ? Γ , F , ? F W ! • h ⊢ ? Γ , ! F , ? F ax h ⊢ ∆ , dual ( F ) , ctr ( n , ? dual ( F )) ax − : ⊢ ? Γ , ∆ , ? F , dual ( F ) hCut − : ⊢ ? Γ , ∆ , ? F mCut Also, a generalization of ? C on terms of sort ?MSFormula is used here: h ⊢ F , ? Γ , ! F • h ⊢ ! F , ? Γ , ? F h ⊢ ∆ , F , ctr ( n , ? dual ( F )) h ⊢ ∆ , F , ? dual ( F ) • h ⊢ ctr ( s n , ? dual ( F )) , ∆ , ∆ , F ⊗ F ⊗− : ⊢ ( ? Γ , ? F ) , ∆ , ∆ , F ⊗ F Cut −→• h ⊢ ? Γ , ! F , ? F ax h ⊢ ∆ , F , ctr ( n , ? dual ( F )) ax − : ⊢ ? Γ , ∆ , F , ? F hCut • h ⊢ ? Γ , ! F , ? F ax h ⊢ ∆ , F , ? dual ( F ) ax − : ⊢ ? Γ , ∆ , F , ? F hCut − : ⊢ ? Γ , ? Γ , ∆ , ∆ , ? F , ? F , F ⊗ F ⊗− : ⊢ ? Γ , ∆ , ∆ , ? F , F ⊗ F GC As explained in Sec. 8.1, arbitrary applications of contraction are problematic forproof search. Hence, in prop-cut-cc.maude , ? GC is introduced as a conditional rule thatcan be applied on a given multiset only if there are exactly one occurrence of it in thecurrent sequent. As in the case of ? GW , the admissibility of ? GC cannot be proved in L-Framework . Discharging the cases of
Cut (resp., mCut ) takes 30s (resp. 124s). ⊓⊔ ⊢ Γ , F : ∆ ⊢ Γ : ∆ , ? F ? ⊢ Γ : F ⊢ Γ :! F ! ⊢ Γ , F : ∆ , F ⊢ Γ , F : ∆ ? C ⊢ Γ : ∆ , A ⊢ Γ : ∆ , B ⊢ Γ : ∆ , ∆ , A ⊗ B ⊗ Fig. 5: Some rules of the dyadic system
DyLL ( [1]).
Dyadic System for Linear Logic.
Since formulas of the form ? F can be contractedand weakened, such formulas can be treated as in classical logic. This rationale isreflected into the syntax of the so called dyadic sequents of the form ⊢ Γ : ∆ , inter-preted as the linear logic sequent ⊢ ? Γ , ∆ where ? Γ = { ? A | A ∈ Γ } . It is then possibleto define a proof system without explicit weakening and contraction (system DyLL inFig. 5). The complete dyadic proof system for linear logic can be found in [1].
Theorem 24 (Weak-height, Weak-! and invertibility) If DyLL ◮ n ⊢ Γ : ∆ , then DyLL ◮ s ( n ) ⊢ Γ : ∆ ( H ). The following three rules are height-preserving admissible: Γ , F , F : ∆Γ , F : ∆ C Γ : ∆Γ , F : ∆ W ⊢ Γ : ∆ , ! F ⊢ Γ : ∆ , F W ! . Moreover, all the rules of the sys-tem but ⊕ i , ⊗ and ? C are height-preserving invertible.Proof For the admissibility results, see
DyLL/prop-H.maude , prop-C.maude prop-W.maude and prop-WB.maude . The invertibility results are specified in DyLL/prop-inv.maude . H and the admissibility of C and W do not require any additional lemma. The admissi-bility of W ! depends on H . The invertibility results rely on H , W , and W !. ⊓⊔ As in the system LL , the cut-elimination theorem for DyLL requires mutual induc-tion on two different rules. The rule
Cut ! below internalizes the storage of formulasmarked with ? into the classical context.
Theorem 25 (Cut-elim. and id-exp.)
The following rules are admissible in LL : ⊢ Γ : ∆ , F ⊢ Γ : ∆ , F ⊥ ⊢ Γ : ∆ , ∆ Cut ⊢ Γ : ! F ⊢ Γ , F ⊥ : ∆ ⊢ Γ : ∆ Cut ! .Moreover, for any formula F, the sequent ⊢ · : F , F ⊥ is provable.Proof The procedures are defined in
DyLL/cut-dyadic.maude and
DyLL/cut-dyadic-cc (for
Cut !). The properties are specified in prop-cut.maude and prop-cut-cc.maude . Dis-charging the cases for
Cut (resp.,
Cut !) takes 32.4 seconds (resp., 4 seconds). Theadmissibility of
Cut (resp.,
Cut !) relies on H and W (resp., H , W and W !). ⊓⊔ Intuitionistic Linear Logic.
The directory
ILL contains the specification and analysesfor intuitionistic linear logic (
ILL ). In this system, the multiplicative disjunction O isnot present and the linear implication −◦ needs to be added (in classical LL , F −◦ G is a shorthand for F ⊥ O G ). The resulting system is two-sided and single-conclusion.Formulas marked with ! on the left of the sequent can be weakened and contracted.The proof of cut-elimination follows the same principles that the one for LL and themulticut rule below is required where ! Γ is a multiset of formulas marked with !(specified as the sort !MSFormula )! Γ ⊢ ! F ∆ , ( ! F ) n ⊢ G ! Γ , ∆ ⊢ G mCut itle Suppressed Due to Excessive Length 47 Γ ⊢ A Γ ′ , (cid:3) Γ ⊢ (cid:3) A , ∆ k Γ , (cid:3) A , A ⊢ ∆Γ , (cid:3) A ⊢ ∆ T (cid:3) Γ ⊢ A Γ ′ , (cid:3) Γ ⊢ (cid:3) A , ∆ Fig. 6: The modal sequent rules for K ( k ) and S4 ( T + )8.5 Normal modal logics: K and S4 Modal logics extend classical logic with the addition of modal connectives (e.g., theunary modal connective (cid:3) ), used to qualify the truth of a judgment, widening thescope of logical-conceptual analysis. The alethic interpretation of (cid:3) A is “the formula A is necessarily true”. A modal logic is normal if it contains the axiom ( k ) (cid:3) ( A ⊃ B ) ⊃ (cid:3) A ⊃ (cid:3) B and it is closed under generalization : if A is a theorem then so it is (cid:3) A .The smallest normal modal logic is called K , and S4 extends K by assuming theaxioms ( T ) (cid:3) A ⊃ A and ( ) (cid:3) A ⊃ (cid:3)(cid:3) A . The sequent systems considered here forthe modal logics K and S4 are extensions of G3cp with the additional rules for themodalities depicted in Fig. 6.
Structural rules.
The admissibility of the structural rules follows as in Section 8.3.
Theorem 26 (Structural rules) If K ◮ n Γ ⊢ ∆ , then K ◮ s ( n ) Γ ⊢ ∆ ( H ). Similarlyfor S4 . Moreover, the rules W L , W R , C L , and C R are height-preserving admissible inboth K and S4 .Invertibility. As in
G3cp , all the rules for the propositional connectives are invertible.Furthermore, T is invertible, but k and are not (due to the implicit weakening). Theorem 27 (Invertibility)
Only the rule T in Fig. 6 is invertible.Proof See the specification in
K/prop-inv.maude and
S4/prop-inv.maude . H is requiredin this proof. Below, one of the trivial cases showing that the rule k is not invertible: • h (cid:3) ∆ , ∆ ⊢ ⊤ , ∆ , (cid:3) F ⊤ R −→ • h unbox ( (cid:3) ∆ ) ⊢ F fail Multisets of boxed formulas belong to the sort
MSBFormula and the operation op unbox : MSBFormula -> MSFormula . removes the boxes. ⊓⊔ Cut-elimination and Identity Expansion.
The cut-elimination procedure for K and S4 uses the same infrastructure developed for G3cp . Theorem 28 (Cut-elimination and ID-expansion)
The cut-rule in Theorem 15 isadmissible in both K and S4 . Moreover, for any F, the sequent F ⊢ F is provable in K and S4 .Proof The specifications are in
K/prop-cut.maude and
S4/prop-cut.maude . In both cases, H is required as well as the invertibility of the propositional rules. ⊓⊔ Modal Logic S5 . Some extensions of the modal logic K do not have (known) cut-free sequent systems. In particular, consider the system S5 , obtained by extending K with the axiom T and the rule below: (cid:3) Γ ⊢ A , (cid:3) ∆Γ ′ , (cid:3) Γ ⊢ ∆ ′ , (cid:3) A , (cid:3) ∆ (see KT45/KT45.maude ). Using the same strategy as in Theorem 28, the tool is able todiscard some of the proof obligations for cut-elimination. However, some subcasesinvolving and the other two modal rules ( T and k ) fail. Here, one example: h (cid:3) ∆ ⊢ (cid:3) ∆ , F , (cid:3) F • h (cid:3) ∆ , ∆ ⊢ ( (cid:3) ∆ , ∆ , (cid:3) F ) , (cid:3) F A h (cid:3) ∆ , F , ∆ , (cid:3) F ⊢ (cid:3) ∆ , ∆ , (cid:3) F • h ( (cid:3) ∆ , ∆ ) , (cid:3) F ⊢ (cid:3) ∆ , ∆ , (cid:3) F AT − : (cid:3) ∆ , ∆ ⊢ (cid:3) ∆ , ∆ , (cid:3) F Cut −→ − : (cid:3) ∆ , ∆ ⊢ (cid:3) ∆ , ∆ , (cid:3) F fail This case is clearly not provable: the cut-formula (cid:3) F is not decomposed in theleft premise. Hence, cutting with F will not finish the proof. The only alternativeis to reduce the height of the cut. The rule T cannot be applied (on F ) on the lastsequent. If is applied on the last sequent, either F or one of the formulas in theboxed context ∆ will lose the box. In both cases, none of the leaves of the leftderivation can be used.The failing cases are interesting, because they spot the point where the cut-eliminationfails: if the goal is to propose a cut-free sequent system for a logic, certain shapes ofrules should be avoided. Checking structural properties of proof systems demands trustful methods. Usually,proving such properties is done via case-by-case analysis, where all the possible com-binations of rule applications in a system are exhausted. The advent of automatedreasoning has changed completely the landscape, since theorems can nowadays beproved automatically in meta-logical frameworks (see e.g. [10]). This approach hasbrought a fresh perspective to the field of proof theory: useless proof search steps,usually singular to a specific logic, have been disregarded in favor of developing uni-versal methods for providing general automation strategies. These developments haveultimately helped in abstracting out conceptual characteristics of logical systems, aswell as in identifying effective frameworks that can capture (and help in reasoningabout) them in a natural way.This work moves forward towards such a direction: it proposes a general, natural,and uniform way of proving key structural properties of sequent systems by using therewriting logic logical and meta-logical framework [2]. It ultimately enables modularand incremental proofs of meta-level properties of propositional sequent systems,both specified and mechanized in the language of Maude [8]. The approach buildson top of core algorithms that are combined and used for proving admissibility andinvertibility of rules, as well as cut-elimination and identity expansion of sequentsystems. itle Suppressed Due to Excessive Length 49
The choice of rewriting logic as a meta-logical framework brings key advantages.Indeed, as detailed below, while approaches using logical frameworks depend heavilyon the specification method and/or the implicit properties of the meta and objectlogics, rewriting logic enables the specification of the rules as they are actually writtenin text and figures [2,23]. Moreover, notions as derivability and admissibility of rulescan be neatly formulated in the context of rewriting systems [15].Consider, for instance, the LF framework [32] based on intuitionistic logic, wherethe left context is handled by the framework as a set. Specifying sequent systemsbased on multisets requires elaborated mechanisms in most logical frameworks, whichmakes the encoding of the system of interest far from being natural and straightfor-ward. Moving from intuitionistic to linear logic solves this problem [6, 26], but stillseveral sequent systems cannot be naturally specified in frameworks based on LL ,as it is the case of mLJ . This latter situation can be partially fixed by adding subex-ponentials [9] to linear logic ( SELL ) [28, 29]. However, the resulting encodings areoften non-trivial and difficult to automate. Moreover, several logical systems cannotbe naturally specified in
SELL , such as the modal sequent system K [31].A completely different approach is presented in [37], where cut-elimination isobtained by considering the relation between the cut-rule in Gentzen’s system LK and the resolution rule for (propositional) classical logic. But, again, this method isrestricted to systems having a (classical) semantics as a starting point.All in all, this paper presents yet more evidence of the fact that rewriting logic isan innovative and elegant framework for both specifying and reasoning in and aboutlogical systems, with the further benefit of easy modular extension. In fact, a strongconjecture is that mild adjustments to the proposed approach and algorithms areneeded to reason about other systems, including normal (multi-)modal [19] and para-consistent [17] sequent systems. It seems also possible to have an extension to handlevariants of sequent systems themselves, like nested [4] or linear nested [18] systems.This ultimately widens the scope of logics that can be analyzed in the L-Framework ,such as normal and non-normal modal logics [20]. It is also an interesting future re-search path to consider first-order sequent systems. Previous work on mechanizingfirst-order sequent systems in rewriting logic, including proof-search heuristics at themeta-level, has been presented before in [33].A usual concern when a new sequent system is proposed is to implement it. Fewimplementational efforts have provided tools for emerging sequent systems for log-ics such as epistemic, lax, deontic, knotted, linear-modal, etc., logics. It would notrequire much effort to reuse some of the algorithms presented here to implement aprocedure that, given the inference rules of a sequent system, outputs an implemen-tation of such a system in Maude. Also, implementing new induction principles onlists/multisets may help in obtaining new automatic proofs (see Theorem 23). Moreinterestingly, using invertibility lemmas would also enable the generation of a weak-focus [1] version of the original systems, thus eliminating part of the non-determinismduring proof-search. It should be noted, however, that this depends on a deeper in-vestigation of the role of invertible rules as equational rules in rewriting logic. Whilethis idea sounds more than reasonable, it is necessary to check whether promotinginvertible rules to equations preserves completeness of the system (e.g., the resultingequational theory needs to be Church-Rosser and terminating modulo the structural axioms of the operators). If the answer to this question is in the affirmative for a largeclass of systems, then the approach presented here also opens the possibility to theautomatic generation of focused systems.Finally, a word about cut-elimination. The usual Gentzen’s cut-elimination proofstrategy can be summarized by the following steps: (i) transforming a proof with cutsinto a proof with principal cuts; (ii) transforming a proof with principal cuts into aproof with atomic cuts; and (iii) transforming a proof with atomic cuts into a cut-freeproof. While step (ii) is not difficult to solve (see, e.g., [26]), steps (i) and (iii) canbe problematic to mechanize. The results presented in this work suggest that suchtechniques can be fully automated to a certain degree, as showcased with variousproof systems in Section 8.
References
1. J.-M. Andreoli. Logic programming with focusing proofs in linear logic.
Journal of Logic andComputation , 2(3):297–347, 1992.2. D. Basin, M. Clavel, and J. Meseguer. Reflective metalogical frameworks.
ACM Transactions onComputational Logic , 5(3):528–576, 2004.3. R. Bruni and J. Meseguer. Semantic foundations for generalized rewrite theories.
Theoretical Com-puter Science , 360(1-3):386–414, 2006.4. K. Br¨unnler. Deep sequent systems for modal logic.
Archive for Mathematical Logic , 48:551–577,2009.5. S. Burns and R. Zach. Relational hypersequents for modal logics.
CoRR , abs/1805.09437, 2018.arXiv.6. I. Cervesato and F. Pfenning. A Linear Logical Framework.
Information and Computation , 179(1):19–75, 2002.7. M. Clavel, F. Dur´an, S. Eker, P. Lincoln, N. Mart´ı-Oliet, J. Meseguer, and J. F. Quesada. Maude:specification and programming in rewriting logic.
Theoretical Computer Science , 285(2):187–243,2002.8. M. Clavel, F. Dur´an, S. Eker, P. Lincoln, N. Mart´ı-Oliet, J. Meseguer, and C. Talcott.
All About Maude- A High-Performance Logical Framework , volume 4350 of
LNCS . Springer, 2007.9. V. Danos, J.-B. Joinet, and H. Schellinx. The structure of exponentials: Uncovering the dynamics oflinear logic proofs. In
Kurt G¨odel Colloquium , pages 159–171, 1993.10. J. E. Dawson and R. Gor´e. Generic methods for formalising sequent calculi applied to provabilitylogic. In
LPAR-17 , pages 263–277, 2010.11. N. Dershowitz and J.-P. Jouannaud. Rewrite systems. In J. van Leeuwen, editor,
Handbook of Theo-retical Computer Science, Vol. B , pages 243–320. North-Holland, 1990.12. N. Francez and R. Dyckhoff. A note on harmony.
Journal of Philosophical Logic , 41(3):613–628,2012.13. G. Gentzen. Investigations into logical deduction. In
The Collected Papers of Gerhard Gentzen , pages68–131. North-Holland, 1969.14. J.-Y. Girard. Linear logic.
Theoretical Computer Science , 50:1–102, 1987.15. C. Grabmayer. From abstract rewriting systems to abstract proof systems.
CoRR , abs/0911.1412,2009. arXiv.16. J. Hendrix and J. Meseguer. Order-sorted equational unification revisited.
Electronic Notes in Theo-retical Computer Science , 290:37 – 50, 2012.17. O. Lahav, J. Marcos, and Y. Zohar. Sequent systems for negative modalities.
Logica Universalis ,11(3):345–382, 2017.18. B. Lellmann. Linear nested sequents, 2-sequents and hypersequents. In
TABLEAUX-24 , pages 135–150, 2015.19. B. Lellmann and E. Pimentel. Proof search in nested sequent calculi. In
LPAR-20 , pages 558–574,2015.20. B. Lellmann and E. Pimentel. Modularisation of sequent calculi for normal and non-normal modali-ties.
ACM Transactions on Computational Logic , 20(2):7:1–7:46, 2019.itle Suppressed Due to Excessive Length 5121. C. Liang and D. Miller. Focusing and polarization in linear, intuitionistic, and classical logics.
Theo-retical Computer Science , 410(46):4747–4768, 2009.22. S. Maehara. Eine darstellung der intuitionistischen logik in der klassischen.
Nagoya MathematicalJournal , pages 45–64, 1954.23. N. Mart´ı-Oliet and J. Meseguer. Rewriting Logic as a Logical and Semantic Framework. In
Handbookof Philosophical Logic , pages 1–87. Springer, Dordrecht, 2002.24. J. Meseguer. Conditional rewriting logic as a unified model of concurrency.
Theoretical ComputerScience , 96(1):73–155, 1992.25. J. Meseguer. Twenty years of rewriting logic.
Journal of Logic and Algebraic Programming , 81(7-8):721–781, Oct. 2012.26. D. Miller and E. Pimentel. A formal framework for specifying sequent calculus proof systems.
The-oretical Computer Science , 474:98–116, 2013.27. S. Negri and J. von Plato.
Structural Proof Theory . Cambridge University Press, 2001.28. V. Nigam, E. Pimentel, and G. Reis. An extended framework for specifying and reasoning about proofsystems.
Journal of Logic and Computation , 26(2):539–576, 2016.29. V. Nigam, G. Reis, and L. Lima. Quati: An automated tool for proving permutation lemmas. In
IJCAR-7 , pages 255–261, 2014.30. C. Olarte, E. Pimentel, and C. Rocha. Proving structural properties of sequent systems in rewritinglogic. In
WRLA-12 , pages 115–135, 2018.31. C. Olarte, E. Pimentel, and B. Xavier. A fresh view of linear logic as a logical framework.
ElectronicNotes in Theoretical Computer Science , 351:143 – 165, 2020.32. F. Pfenning. Structural Cut Elimination I. Intuitionistic and classical logic.
Information and Compu-tation , 157(1/2):84–141, Mar. 2000.33. C. Rocha and J. Meseguer. Theorem Proving Modulo Based on Boolean Equational Procedures. In
RelMiCS-10 , pages 337–351. 2008.34. C. Rocha and J. Meseguer. Constructors, Sufficient Completeness, and Deadlock Freedom of RewriteTheories. In
LPAR-17 , pages 594–609. Springer, 2010.35. A. Troelstra and H. Schwichtenberg.
Basic Proof Theory . Cambridge Univ. Press, 1996.36. P. Viry. Equational rules for rewriting logic.
Theoretical Computer Science , 285(2):487–517, 2002.37. R. Zach. Cut elimination and normalization for generalized single and multi-conclusion sequent andnatural deduction calculi.