Guarded Kleene Algebra with Tests: Coequations, Coinduction, and Completeness
Todd Schmid, Department of Computer Science, University College London, United Kingdom
Tobias Kappé, Department of Computer Science, Cornell University, Ithaca, NY, USA
Dexter Kozen, Department of Computer Science, Cornell University, Ithaca, NY, USA
Alexandra Silva, Department of Computer Science, University College London, United Kingdom
Abstract
Guarded Kleene Algebra with Tests (GKAT) is an efficient fragment of KAT, as it allows for almost linear decidability of equivalence. In this paper, we study the (co)algebraic properties of GKAT. Our initial focus is on the fragment that can distinguish between unsuccessful programs performing different actions, by omitting the so-called early termination axiom. We develop an operational (coalgebraic) and denotational (algebraic) semantics and show that they coincide. We then characterize the behaviors of GKAT expressions in this semantics, leading to a coequation that captures the covariety of automata corresponding to behaviors of GKAT expressions. Finally, we prove that the axioms of the reduced fragment are sound and complete w.r.t. the semantics, and then build on this result to recover a semantics that is sound and complete w.r.t. the full set of axioms.
Theory of computation → Program reasoning

Keywords and phrases: Kleene algebra, program equivalence, completeness, coequations
Kleene algebra with tests (KAT) [17] was introduced in the early 90's as an extension of Kleene algebra (KA), the algebra of regular expressions. The core idea of the extension was simple: consider regular languages over a two-sorted alphabet, in which one sort represents Boolean tests and the other denotes basic program actions. This seemingly simple extension enables an important application for regular languages in reasoning about imperative programs with basic control flow structures like branches (if-then-else) and loops (while). KAT largely inherited the properties of KA: a language model [22], a Kleene theorem [19], a sound and complete axiomatization [22], and a PSPACE decision procedure for equivalence [8].

In 2014, a specialized KAT called NetKAT [4] was proposed to program software-defined networks. Equivalence checking of NetKAT programs serves as a basis to check for important properties such as reachability. NetKAT was later extended with a probabilistic choice operator that enabled the modeling of randomized protocols [9]. A decision procedure for NetKAT program equivalence enables practical verification of reachability in networks with thousands of nodes and links and seemed to scale almost linearly, despite its worst-case PSPACE complexity [10, 34]. This raised the question: do practical NetKAT programs belong to a fragment of KAT that has more favorable properties than the full language?

Recently, this question was answered positively [33], in the form of Guarded Kleene Algebra with Tests (GKAT), a fragment of KAT obtained by adding a Boolean guard to the non-deterministic choice and iteration operators so that they correspond exactly to the standard if-then-else and while constructs. GKAT is expressive enough to capture all programs used in network verification while allowing for almost linear time decidability of equivalence (in $O(n\,\alpha(n))$, where $\alpha(n)$ is the inverse of Ackermann's function), thereby explaining the experimental results observed in NetKAT.

The use of GKAT as a framework for program analysis also raises further questions. To what extent does GKAT retain the algebraic properties of KAT? Is there a class of automata that provides a Kleene theorem? Is there a sound and complete axiomatization of GKAT equivalence? The original paper [33] gave incomplete answers to these questions. First, it proposed a class of well-nested automata that can be used to describe the semantics of all GKAT programs, but left open whether this class covered all automata that accept the behaviors of GKAT programs. Second, GKAT was axiomatized under the assumption of early termination: intuitively, referring to a semantics of imperative programs where programs that fail immediately are equated to programs that fail eventually. This semantics, though useful, is too coarse in contexts where the behavior of the program prior to failure matters.

In this paper, we take a new perspective on the semantics of GKAT programs and their corresponding automata using coequations. Coequations provide the right tool to characterize fragments of languages as they enable a precise way to remove unwanted traces. We are then able to give a precise characterization of the behaviors of GKAT programs and prove a completeness theorem for each of the fragments of interest.
Our contributions. In a nutshell, the contributions of this paper are the following:

(1) We give a denotational model for GKAT without early termination by representing the behavior as a certain kind of tree. This allows us to design two coequations: one characterizing the behaviors denoted by GKAT expressions, and another capturing only the behaviors of GKAT expressions that terminate early.

(2) We obtain two completeness results for GKAT: one for the model of the previous item and the axiomatization of [33] without the early termination axiom; and building on this, another for the full axiomatization. The former is new; the latter provides an alternative proof to the completeness theorem presented in [33].

(3) A concrete example of a well-nested GKAT automaton with a non-well-nested quotient. This settles an open question of [33] and closes the door on an alternative proof of completeness based on well-nested automata.
At its heart, Guarded Kleene Algebra with Tests (GKAT) is an algebraic theory of imperative programs. Expressions in GKAT are concise formulas for while programs [23], which are built inductively from actions and tests with sequential composition and the classic programming constructs of branches and loops: if $b$ then $e$ else $f$ and while $b$ do $e$.

Formally, these expressions are drawn from a two-sorted language of tests and programs. The tests are built from a finite set of primitive tests $T$, as follows:
$$\mathsf{BExp} \ni b, c ::= 0 \mid 1 \mid t \in T \mid \bar b \mid b \wedge c \mid b \vee c.$$
Here, $0$ and $1$ are understood as the constant tests false and true respectively, $\bar b$ denotes the negation of $b$, and $\wedge$ and $\vee$ are conjunction and disjunction, respectively. We will use $A$ to denote the set of atomic tests (or just atoms), Boolean expressions of the form $d_1 \wedge \cdots \wedge d_l$, where $d_i \in \{t_i, \bar t_i\}$ for each $i \leq l$ and $\{t_i \mid i \leq l\}$ is a fixed enumeration of $T$. It is well known that any $b \in \mathsf{BExp}$ can be written equivalently as the disjunction of the atoms $a \in A$ that imply $b$ under the laws of Boolean algebra. We will often identify each Boolean expression $b \in \mathsf{BExp}$ with this set of atoms and write $b \subseteq A$ or $a \in b$.

Programs are built from tests and a finite set of primitive programs or actions $\Sigma$, disjoint from $T$. Formally, programs are generated by the grammar
$$\mathsf{Exp} \ni e, f ::= b \in \mathsf{BExp} \mid p \in \Sigma \mid e \cdot f \mid e +_b f \mid e^{(b)}$$
Here, a test $b$ abbreviates the statement assert $b$, the operator $\cdot$ is sequential composition, $e +_b f$ is shorthand for if $b$ then $e$ else $f$, and $e^{(b)}$ is shorthand for while $b$ do $e$.

GKAT programs satisfy standard properties of imperative programs. For instance, swapping the branches of an if-then-else construct should not make a difference, provided that we also negate the condition; that is, the semantics of $e +_b f$ should coincide with that of $f +_{\bar b} e$. The rules in Figure 1 axiomatize equivalences between programs. Together with the axioms of Boolean algebra, these generate a congruence $\equiv$ on $\mathsf{Exp}$.

Figure 1: Axioms for GKAT-expressions. Here, $e, f, g \in \mathsf{Exp}$ and $b, c \in \mathsf{BExp}$.

Union axioms:
U1. $e +_b e \equiv e$
U2. $e +_b f \equiv f +_{\bar b} e$
U3. $(e +_b f) +_c g \equiv e +_{b \wedge c} (f +_c g)$
U4. $e +_b f \equiv b \cdot e +_b f$

Sequence axioms:
S1. $(e \cdot f) \cdot g \equiv e \cdot (f \cdot g)$
S2. $0 \cdot e \equiv 0$
S3. $e \cdot 0 \equiv 0$
S4. $1 \cdot e \equiv e$
S5. $e \equiv e \cdot 1$
S6. $b \cdot c \equiv b \wedge c$
$e \cdot g +_b f \cdot g \equiv (e +_b f) \cdot g$

Loop axioms:
W1. $e^{(b)} \equiv e \cdot e^{(b)} +_b 1$
W2. $(c e)^{(b)} \equiv (e +_c 1)^{(b)}$
W3. From $E(e) \equiv 0$ and $g \equiv e g +_b f$, infer $g \equiv e^{(b)} \cdot f$.

Some remarks are in order for axiom W3. The right-hand premise states that an expression $g$ has some self-similarity in the sense that it is equivalent to checking whether $b$ holds, in which case it runs $e$ followed by recursing at $g$, and otherwise running $f$. Intuitively, this says that $g$ is loop-like, matching the conclusion that $g$ is equivalent to $e^{(b)} \cdot f$. However, this conclusion may not make sense when based on just the second premise. Specifically, if we choose $e$, $f$, $g$ and $b$ to be $1$, we can show that the premise holds and derive $1 \equiv 1^{(1)} \cdot 1$, which is to say that assert true is equivalent to (while true do assert true); assert true. Intuitively, this should be false: the first program terminates successfully and immediately, but the second program does not. The problem is that the loop body does not perform any actions that affect the state and make progress towards the end of the loop.

This is remedied by the left-hand premise, which distinguishes loop bodies that can accept immediately from those that cannot. It plays the same role as the empty word property in Salomaa's axiomatization of the algebra of regular events [31]. Formally, given $e \in \mathsf{Exp}$, the Boolean expression $E(e)$ is defined inductively by setting $E(p) = 0$, $E(b) = b$, and
$$E(e \cdot f) = E(e) \wedge E(f), \qquad E(e +_b f) = (b \wedge E(e)) \vee (\bar b \wedge E(f)), \qquad E(e^{(b)}) = \bar b.$$
We say that an expression $e$ is productive if $E(e) \equiv 0$ (cf. rule R2 of [31]). While W3 may seem restrictive, it can still be used to verify facts about loops, such as $e^{(b)} \equiv e^{(b)} \cdot \bar b$, which says that the loop condition is false when a loop ends [33].

Axiom S3 identifies a program that fails eventually with the program that fails immediately. As a consequence, $\equiv$ cannot distinguish between processes that loop forever, like $p^{(1)}$ and $q^{(1)}$, even though they perform different actions [33]. Consequently, GKAT can be seen as a theory of computation schemata, i.e., programs that need to halt successfully to be meaningful. In contrast, it is also useful to be able to reason about process schemata, i.e., programs that perform meaningful tasks, even when they do not terminate successfully. To this end, we define the reduced congruence $\equiv_0$ generated by the axioms of Figure 1 except S3.
Let $S$ be a structure for the language of GKAT and $\llbracket - \rrbracket : \mathsf{Exp} \to S$ a homomorphic interpretation. We say that $\llbracket - \rrbracket$ is sound w.r.t. $\equiv$ if for all $e, f \in \mathsf{Exp}$ with $e \equiv f$, it holds that $\llbracket e \rrbracket = \llbracket f \rrbracket$. Similarly, $\llbracket - \rrbracket$ is sound w.r.t. $\equiv_0$ if $e \equiv_0 f$ implies that $\llbracket e \rrbracket = \llbracket f \rrbracket$.

Since $\equiv$ encodes common program laws, one might wonder whether there is a single interpretation in which programs are related by $\equiv$ if and only if they have the same image. Such an interpretation is called free w.r.t. $\equiv$. This question is not just of theoretical interest: a free interpretation can help decide whether programs are provably equivalent, and hence the same under any sound interpretation, by checking whether their free semantics coincide. Naturally, the same question can be asked for $\equiv_0$: is there a semantics that is free w.r.t. $\equiv_0$, i.e., where $e \equiv_0 f$ if and only if $e$ and $f$ have the same interpretation?

The remainder of this paper is organized as follows. In Section 3, we describe the operational structure for GKAT expressions in terms of GKAT-automata, as in [33]. In Section 4, we provide an explicit construction of a GKAT-automaton in which all other automata can be uniquely interpreted. We then build a semantics that is sound w.r.t. $\equiv_0$ in Section 5. In Section 6 we relate our coequational description of GKAT expressions to the well-nested GKAT-automata of [33]. In Section 7, we prove that this semantics is in fact complete w.r.t. $\equiv_0$ and, building on this, obtain a semantics that is complete w.r.t. $\equiv$. Omitted proofs are included in the appendix.

3 GKAT-automata
In this section we discuss the small-step operational model for GKAT programs from [33]. The operational perspective provides us with the tools to describe a semantics that is complete w.r.t. $\equiv_0$ and paves the way to a decision procedure.

We can think of a GKAT-program as a machine that evolves as it reads a string of atomic tests. Depending on the most recently observed atomic test, the program either accepts, rejects, or emits an action label and changes to a new state. For example, feeding if $b$ do $p$ else $q$ an atomic test $a \in b$ causes it to perform the action $p$ and then terminate successfully.

Definition 3.1. A GKAT-automaton [33, 23] is a pair $\mathcal{X} = (X, \delta)$, where $X$ is a set of states and $\delta : X \times A \to 2 + \Sigma \times X$ is a transition function. We use $x \xrightarrow{a \mid p}_{\mathcal{X}} x'$ as a notation for $\delta(x, a) = (p, x')$. Similarly, $x \Rightarrow_{\mathcal{X}} a$ denotes that $\delta(x, a) = 1$, and $x \downarrow_{\mathcal{X}} a$ denotes that $\delta(x, a) = 0$. We drop the subscript $\mathcal{X}$ when the automaton is clear from context.

Intuitively, $X$ represents the states of an abstract machine running a GKAT program, with dynamics encoded in $\delta$. When the machine is in state $x \in X$ and observes $a \in A$, there are three possibilities: if $x \downarrow a$, the machine rejects; if $x \Rightarrow a$, it accepts; and if $x \xrightarrow{a \mid p} x'$, it performs the action $p$ followed by a transition to the state $x'$.

Remark 3.2. The reader familiar with coalgebra will recognize that GKAT-automata are precisely coalgebras for the functor $G = (2 + \Sigma \times \mathrm{Id})^A$ [33]. Indeed, the notions relating to GKAT-automata, such as homomorphism, bisimulation, and semantics to follow are precisely those that arise from $G$ as prescribed by universal coalgebra [27].

We can impose an automaton structure on $\mathsf{Exp}$, yielding the syntactic GKAT-automaton $\mathcal{E} = (\mathsf{Exp}, D)$, where $D$ is the transition map given by Brzozowski derivatives [33] as specified in Figure 2. For instance, the operational behavior of $p^{(b)}$ as a state of $\mathcal{E}$ can be drawn as follows (we leave rejecting transitions $x \downarrow a$ implicit): the state $p^{(b)}$ accepts every $a \in \bar b$ and, on $a \in b$, emits $p$ and moves to the state $1 \cdot p^{(b)}$; the state $1 \cdot p^{(b)}$ likewise accepts every $a \in \bar b$ and, on $a \in b$, emits $p$ and moves back to itself. (1)

Figure 2: The transition structure of $\mathcal{E}$. Here, $e, e', f, f' \in \mathsf{Exp}$, $b \subseteq A$, and $p \in \Sigma$. Transitions that are not explicitly defined below are assumed to be failed termination.
$$\frac{a \in b}{b \Rightarrow a} \qquad \frac{}{p \xrightarrow{a \mid p} 1} \qquad \frac{a \in b \quad e \Rightarrow a}{e +_b f \Rightarrow a} \qquad \frac{a \in \bar b \quad f \Rightarrow a}{e +_b f \Rightarrow a}$$
$$\frac{a \in b \quad e \xrightarrow{a \mid p} e'}{e +_b f \xrightarrow{a \mid p} e'} \qquad \frac{a \in \bar b \quad f \xrightarrow{a \mid p} f'}{e +_b f \xrightarrow{a \mid p} f'} \qquad \frac{e \Rightarrow a \quad f \Rightarrow a}{e \cdot f \Rightarrow a}$$
$$\frac{e \Rightarrow a \quad f \xrightarrow{a \mid p} f'}{e \cdot f \xrightarrow{a \mid p} f'} \qquad \frac{e \xrightarrow{a \mid p} e'}{e \cdot f \xrightarrow{a \mid p} e' \cdot f} \qquad \frac{a \in b \quad e \xrightarrow{a \mid p} e'}{e^{(b)} \xrightarrow{a \mid p} e' \cdot e^{(b)}} \qquad \frac{a \in \bar b}{e^{(b)} \Rightarrow a}$$

The operational structure in $\mathcal{E}$ and $\equiv$ are connected as follows.

Theorem 3.3 (Fundamental theorem of GKAT). Let $e \in \mathsf{Exp}$. Then $e \equiv 1 +_{E(e)} D(e)$, where
$$D(e) = \sum_{e \xrightarrow{a \mid p_a} e_a} p_a \cdot e_a \qquad\text{and}\qquad \sum_{a \in b} e_a = \begin{cases} 0 & \text{if } b = 0, \\ e_a +_a \bigl(\sum_{a' \in b \setminus a} e_{a'}\bigr) & \text{for some } a \in b, \text{ otherwise.} \end{cases}$$
The generalized guarded union above is well defined, i.e., the order of atoms does not matter up to $\equiv$ [33].

States of GKAT-automata have the same behavior if reading the same sequence of atoms leads to the same sequence of actions, acceptance, or rejection. This happens when one state mimics the moves of the other, performing the same actions in response to the same stimuli. For instance, consider the GKAT-automaton in (1): the behavior of $p^{(b)}$ can be replicated by the behavior of $1 \cdot p^{(b)}$, in that both either consume an $a \in \bar b$ and terminate or consume $a \in b$ and emit $p$ before transitioning to $1 \cdot p^{(b)}$. This can be made precise.

Definition 3.4. Let $R \subseteq X \times Y$ be a relation between the state spaces of GKAT-automata $\mathcal{X}$ and $\mathcal{Y}$. Then $R$ is a bisimulation if for any $(x, y) \in R$ and $a \in A$, (1) $x \downarrow_{\mathcal{X}} a$ if and only if $y \downarrow_{\mathcal{Y}} a$; (2) $x \Rightarrow_{\mathcal{X}} a$ if and only if $y \Rightarrow_{\mathcal{Y}} a$; and (3) if $x \xrightarrow{a \mid p}_{\mathcal{X}} x'$ and $y \xrightarrow{a \mid q}_{\mathcal{Y}} y'$ for some $x'$ and $y'$, then $p = q$ and $(x', y') \in R$. If a pair of states $(x, y) \in X \times Y$ is contained in a bisimulation, we say that $x$ and $y$ are bisimilar. If a bisimulation $R$ is the graph of a function $\varphi : X \to Y$, we write $\varphi : \mathcal{X} \to \mathcal{Y}$ and call $\varphi$ a GKAT-automaton homomorphism [27].

Indeed, bisimulations are designed to formally witness behavioral equivalence. We use the term behavior as a synonym for the phrase bisimilarity (equivalence) class.

4 The final GKAT-automaton
One way of assigning semantics to GKAT expressions is to find a sufficiently large GKAT-automaton $\mathcal{Z}$ that contains the behavior of every other GKAT-automaton. In this section, we provide a concrete explicit description of such a "semantic" GKAT-automaton; this is a crucial step towards being able to devise a completeness proof.

Concretely, $\mathcal{Z}$ represents the behavior of a state as a tree that holds information about acceptance, rejection, and transitions to other states (which are subtrees). Essentially, this tree is an unfolding of the transition graph from that state.

We describe these trees using partial functions. Let us write $A^+$ for the set of all non-empty words consisting of atoms. The state space $Z$ of $\mathcal{Z}$ is the set of all partial functions $t : A^+ \rightharpoonup 2 + \Sigma$ with $A \subseteq \mathrm{dom}(t)$, such that the following hold for all $a \in A$ and $x \in A^+$:
$$\frac{w \in \mathrm{dom}(t) \quad t(w) \in \Sigma}{wa \in \mathrm{dom}(t)} \qquad\qquad \frac{w \in \mathrm{dom}(t) \quad t(w) \in 2}{wx \notin \mathrm{dom}(t)}$$
The transition structure of $\mathcal{Z}$ is defined by the inferences
$$\frac{t(a) = 0}{t \downarrow a} \qquad\qquad \frac{t(a) = 1}{t \Rightarrow a} \qquad\qquad \frac{t(a) = p \in \Sigma}{t \xrightarrow{a \mid p} \lambda w.\, t(aw)}$$
When $t(w) \in \Sigma$, we will write $\partial_w t$ for $\lambda u.\, t(wu)$. We can think of $t \in Z$ as a tree where the root has leaves for atoms $a \in A$ with $t(a) = 1$, and a subtree for every $a \in A$ with $t(a) \in \Sigma$.

Remark 4.1. Trees correspond to deterministic (possibly infinite) guarded languages [33, 23]. More precisely, every tree can be identified with a language $L \subseteq (A \cdot \Sigma)^* \cdot A \cup (A \cdot \Sigma)^\omega$ where $wapw' \in L$ and $waqw'' \in L$ implies $p = q$, and either $wa \notin L$ or $wapw' \notin L$, for any $a \in A$ and $p, q \in \Sigma$. We forgo a description in terms of guarded languages in favor of trees because these trees have the constraint about determinism built in.

A node of $t$ is a word $w \in A^*$ such that either $w = \epsilon$ (the empty word), or $w \in \mathrm{dom}(t)$ and $t(w) \in \Sigma$. We write $\mathrm{Node}(t)$ for the set of nodes of $t$. A subtree of $t$ is a tree $t'$ such that $t' = \partial_w t$ for some $w \in \mathrm{Node}(t)$. A leaf of $t$ is a word $w \in \mathrm{dom}(t)$ such that $t(w) \in 2$ (cf. [28, Theorem 3.1]).

Lemma 4.2. $R \subseteq Z \times Z$ is a bisimulation on $\mathcal{Z}$ iff for any $(t, s) \in R$ and $a \in A$, (1) $t(a) = s(a)$; and (2) if either $\partial_a t$ or $\partial_a s$ is defined, then both are defined and $(\partial_a t, \partial_a s) \in R$.

We can now prove that bisimilar trees in $\mathcal{Z}$ coincide.

Lemma 4.3 (Coinduction). If $s, t \in Z$ are bisimilar, then $s = t$.

Thus, to show that two trees are equal, it suffices to demonstrate a bisimulation that relates them. This proof method is called coinduction. We can also use Lemma 4.2 to define algebraic operations on $Z$, and such definitions are said to be coinductive. Many of the results in the sequel are argued using coinduction, and many of the constructions are coinductive. With this in mind, we are now ready to prove that $\mathcal{Z}$ contains every behavior that can be represented by a GKAT-automaton, as follows.

Theorem 4.4. $\mathcal{Z}$ is the final GKAT-automaton. In other words, for every GKAT-automaton $\mathcal{X}$, there exists a unique GKAT-automaton homomorphism $!_{\mathcal{X}}$ from $\mathcal{X}$ to $\mathcal{Z}$.

Given a GKAT-automaton $\mathcal{X}$, the unique map $!_{\mathcal{X}}$ assigns a tree from $Z$ to each of its states. In particular, recalling that the syntactic GKAT-automaton $\mathcal{E}$ has $\mathsf{Exp}$ as its set of states, $!_{\mathcal{E}}$ is a semantics of GKAT programs in terms of trees. The following lemma states that bisimulation is sound and complete with respect to this semantics.

Lemma 4.5. States $x$ and $x'$ of a GKAT-automaton $\mathcal{X}$ are bisimilar iff $!_{\mathcal{X}}(x) = {!_{\mathcal{X}}}(x')$.

So far, we have seen that the behavior of a GKAT-program is naturally interpreted as a certain kind of tree, and that each such tree is a state of the final GKAT-automaton $\mathcal{Z}$. In this section, we show that the states of $\mathcal{Z}$ can themselves be manipulated and combined using the programming constructs of GKAT. These operations satisfy all of the axioms that build $\equiv_0$, but fail the early-termination axiom S3. This gives rise to an inductive semantics of GKAT-programs $\llbracket - \rrbracket : \mathsf{Exp} \to Z$ that is sound w.r.t. $\equiv_0$. As a matter of fact, we will see that $\llbracket - \rrbracket$ coincides with the unique GKAT-automaton homomorphism $!_{\mathcal{E}} : \mathsf{Exp} \to Z$.

We begin by interpreting the tests. Given $b \subseteq A$, we define $\llbracket b \rrbracket$ as the characteristic function of $b$ as a subset of $A^+$, i.e., $\llbracket b \rrbracket(a) = 1$ if $a \in b$, and $\llbracket b \rrbracket(a) = 0$ otherwise.

On the other hand, primitive action symbols denote programs that perform an action in one step and then terminate successfully in the next. For $p \in \Sigma$, this behavior is described by the unique tree $\llbracket p \rrbracket$ such that $\llbracket p \rrbracket(a) = p$ and $\partial_a \llbracket p \rrbracket = \llbracket 1 \rrbracket$ for any $a \in A$. When context can disambiguate, we write $b$ in place of $\llbracket b \rrbracket$ and $p$ in place of $\llbracket p \rrbracket$.

Each operation is defined using a behavioral differential equation consisting of a set of initial conditions $t(a) = \xi_a \in 2 + \Sigma$ indexed by $a \in A$ and a set of step equations $\partial_a t = s_a$ indexed by the $a \in A$ such that $t(a) \in \Sigma$. This is possible because every behavioral differential equation describes a unique automaton, which by Theorem 4.4 obtains a unique interpretation in $Z$ [28]. Each differential equation below can be read more or less directly from Figure 2.

The first operation that we interpret in $Z$ is sequential composition. For any $s, t \in Z$, the tree $s \cdot t$ models sequential composition of programs by replacing each non-zero leaf of $s$ by the nodal subtree of $t$ given by the corresponding atomic test. This can formally be defined as the unique operation satisfying the following behavioral differential equation.
$$(s \cdot t)(a) = \begin{cases} t(a) & \text{if } s(a) = 1, \\ s(a) & \text{otherwise} \end{cases} \qquad\qquad \partial_a(s \cdot t) = \begin{cases} \partial_a t & \text{if } s(a) = 1, \\ \partial_a s \cdot t & \text{otherwise.} \end{cases}$$
Using this operation, we define $\llbracket e \cdot f \rrbracket = \llbracket e \rrbracket \cdot \llbracket f \rrbracket$.

To interpret the guarded union operation, define $+_b$ to be the unique operation such that
$$(s +_b t)(a) = \begin{cases} s(a) & \text{if } a \in b, \\ t(a) & \text{otherwise} \end{cases} \qquad\qquad \partial_a(s +_b t) = \begin{cases} \partial_a s & \text{if } a \in b, \\ \partial_a t & \text{otherwise.} \end{cases}$$
As before, we define $\llbracket e +_b f \rrbracket = \llbracket e \rrbracket +_b \llbracket f \rrbracket$.

Finally, we interpret the guarded exponential operation. Following Figure 2, $t^{(b)}$ can be defined as the unique tree satisfying
$$t^{(b)}(a) = \begin{cases} 1 & \text{if } a \notin b, \\ t(a) & \text{if } a \in b \text{ and } t(a) \in \Sigma, \\ 0 & \text{otherwise} \end{cases} \qquad\qquad \partial_a(t^{(b)}) = \partial_a t \cdot t^{(b)}.$$
Similar to the other operators, we set $\llbracket e^{(b)} \rrbracket = \llbracket e \rrbracket^{(b)}$. This completes our definition of the algebraic homomorphism $\llbracket - \rrbracket : \mathsf{Exp} \to Z$.

As it happens, $\llbracket - \rrbracket$ is also a GKAT-automaton homomorphism from $\mathcal{E}$ to $\mathcal{Z}$. By uniqueness of such homomorphisms (Theorem 4.4), we can conclude that $\llbracket - \rrbracket$ and $!_{\mathcal{E}}$ are the same.

Proposition 5.1. For any $e \in \mathsf{Exp}$, $\llbracket e \rrbracket = {!_{\mathcal{E}}}(e)$.

This allows us to treat the algebraic and coalgebraic semantics as synonymous. Using Lemma 4.5, we can then show soundness w.r.t. $\equiv_0$ by arguing that $\equiv_0$ is a bisimulation on $\mathcal{E}$.

Theorem 5.2. The semantics $\llbracket - \rrbracket$ is sound w.r.t. $\equiv_0$.

On the other hand, $\mathcal{Z}$ does not satisfy S3. For instance, $\llbracket p \cdot 0 \rrbracket \neq \llbracket 0 \rrbracket$ for any $p \in \Sigma$. We will adapt the model to overcome this in Section 7.3.
Not all behaviors expressible in terms of finite GKAT-automata occur in $\mathcal{E}$. For example, the two-state automaton in Figure 3 fails to exhibit any behavior of the form $\llbracket e \rrbracket$, with $e \in \mathsf{Exp}$, when $b, \bar b \neq 0$. This is proven in Appendix D: we show that no branch of a GKAT behavior can accept both $b$ and $\bar b$ infinitely often. For another example, see [23], where a particular three-state automaton is shown to exhibit no GKAT behavior.

Figure 3: A GKAT-automaton without GKAT behaviors (two states, with transitions labelled $b \mid p$ and $\bar b \mid q$ and acceptance on $b$ and $\bar b$; the diagram is not reproduced here).

Intuitively, both of the examples above fail to exhibit the behaviors of GKAT programs because GKAT lacks a goto-statement that allows control to transfer to an arbitrary position in the program; instead, GKAT automata corresponding to GKAT expressions are structured by branches and loops. The question then arises: can we characterize the "shapes" of automata whose behavior is goto-free, i.e., described by a GKAT expression?

In [33], the authors proposed the class of well-nested GKAT automata, consisting of automata built inductively by applying a series of operations designed to mimic the structural effects of loops. It was shown that the behavior of every GKAT expression can be described by some well-nested automaton. Moreover, they proved that the class of well-nested automata constitutes a sufficient condition: the behavior of a well-nested GKAT automaton is described by a GKAT expression. Whether this condition is also necessary, i.e., whether every automaton with behavior corresponding to a GKAT expression is well-nested, was left open.

Thus, a positive answer to the latter question amounts to showing that every GKAT automaton whose behavior is the same as a well-nested GKAT automaton is itself well-nested. Such a class of automata closed under behavioral equivalence is known as a covariety. Covarieties have desirable structural properties. In particular, they are closed under homomorphic images [27, 12, 3]. Unfortunately, well-nested automata do not satisfy this property: we have found a well-nested automaton whose homomorphic image is not well-nested, depicted in Figure 4. In other words, there exist non-well-nested automata whose behavior is still described by a GKAT expression. This also closes the door on a simpler approach to completeness described in [33].

Figure 4: A well-nested automaton on states $v_1, \dots, v_8$ whose transitions are labelled by atoms $a_1, a_2$ and actions (the diagram is not reproduced here). As depicted, this automaton is well-nested. However, identifying two pairs of its states, we obtain an automaton that is not well-nested.

Thus, well-nested automata do not constitute a characterization of the GKAT automata that correspond to GKAT expressions. To obtain such a characterization, we take a slightly different approach: rather than describing shapes of these automata, we describe the shapes of the trees that they denote. We refer to a set of trees $U \subseteq Z$ as a coequation, and treat it as a predicate: a GKAT-automaton $\mathcal{X}$ satisfies $U$, written $\mathcal{X} \models U$, if every behavior present in $\mathcal{X}$ appears in $U$, in other words, if $!_{\mathcal{X}}$ factors through $U$. We write $\mathrm{Cov}(U)$ to denote the class of all GKAT-automata that satisfy $U$. It is easily shown that $\mathrm{Cov}(U)$ is a covariety.

The coequation that we give to describe the covariety of automata whose behavior corresponds to a GKAT expression is driven by the intuition behind well-nested automata: the trees in this coequation are built using compositions that enforce while-like behavior, and do not permit the construction of goto-like behavior. To this end, we need to define a new continuation operation, as follows. Given $s, t \in Z$, the continuation $s \triangleright t$ of $s$ along $t$ is the unique tree satisfying the behavioral differential equation
$$(s \triangleright t)(a) = \begin{cases} t(a) & \text{if } s(a) = 1, \\ s(a) & \text{otherwise} \end{cases} \qquad\qquad \partial_a(s \triangleright t) = \begin{cases} \partial_a t \triangleright t & \text{if } s(a) = 1, \\ \partial_a s \triangleright t & \text{otherwise.} \end{cases}$$
Intuitively, $s \triangleright t$ is the tree that attaches infinitely many copies of $t$ to $s$. This operation can be thought of as the dual to Kleene's original $*$-operation [16], which loops on its first argument some number of times before continuing in the second.

Definition 6.1. The nesting coequation $W$ is the smallest subset of $Z$ containing the discrete coequation $D := \{\llbracket b \rrbracket \mid b \subseteq A\}$ and closed under the nesting rules below:
$$\frac{t, s \in W}{t \cdot s \in W} \qquad\qquad \frac{(\forall a \in N(t))\; \partial_a t \in W}{t \in W} \qquad\qquad \frac{t, s \in W}{t \triangleright s \in W}$$
Here $N(t) := A \cap \mathrm{Node}(t)$. The first and third nesting rules say that $W$ is closed under composition and continuation; the second rule says that integrals over nested trees are nested.

It is not too hard to see that $W$ is a subautomaton of $\mathcal{Z}$. In other words, if $t \in W$, then the derivatives of $t$ are in $W$ as well. In fact, $W$ is a subalgebra of $Z$ in that it is closed under the operations of GKAT. This can be seen from the following observations: first, $\partial_a p = 1$ for $a \in A$, so $p \in W$ for any $p \in \Sigma$ by the second nesting rule. Second, $W$ is closed under sequential composition by definition. Third, if $s, t \in W$ and $b \subseteq A$, then every derivative of $s +_b t$ is either a derivative of $s$ or a derivative of $t$. Lastly, closure under the guarded exponential is a consequence of the identity $t^{(b)} = 1 \triangleright (\tilde t +_b 1)$, where $\tilde t := \sum_{t \xrightarrow{a \mid p_a} t_a} p_a \cdot t_a$. This identity can be shown to hold for all $t \in Z$ and $b \subseteq A$ using a coinductive argument. It follows that the nesting coequation contains the image of $\llbracket - \rrbracket$. A similar argument can be used to establish the reverse containment as well, which leads to the following.

Proposition 6.2. $W$ is the set of GKAT program behaviors, i.e., $W = \{\llbracket e \rrbracket \mid e \in \mathsf{Exp}\}$.

Proposition 6.2 characterizes $W$ as the set of behavioral patterns exhibited by GKAT expressions: the states of a GKAT-automaton $\mathcal{X}$ behave like GKAT programs if and only if $\mathcal{X}$ satisfies $W$, or, in other words, if $\mathcal{X}$ can be found in the covariety $\mathrm{Cov}(W)$. Since every well-nested automaton has the behavior of some GKAT expression [33], it must satisfy $W$.

Proposition 6.3. Well-nested GKAT-automata satisfy the nesting coequation.
This section contains two completeness theorems for
GKAT . As in [33], we need to assumethat W3 is generalized to arbitrary (linear) systems of equations. This uniqueness axiom ,discussed in Section 7.1, will allow us to prove that the semantics rr´ss from Section 5 isfree with respect to ” —that is, rr e ss “ rr f ss implies e ” f —in Section 7.2. This will thenprovide an alternative route to completeness for GKAT in Section 7.3.
In part, W3 from Figure 1 ensures that the equation $g \equiv e \cdot g +_b f$ with indeterminate $g$ has at most one solution in $\mathsf{Exp}/{\equiv}$ for any $e, f \in \mathsf{Exp}$, under the condition that $e$ denotes a productive program. In fact, we could have stated the axiom this way from the beginning, as W1 provides the existence of a solution to this equation (even without the restriction on productivity). As we will see, the uniqueness axiom makes a more general statement than W3 about systems of equations with an arbitrary number of indeterminates.

▶ Definition 7.1. A system of ($n$ left-affine) equations is a sequence of $n$ equations of the form
$$x_i = e_{i1} \cdot x_1 +_{b_{i1}} \cdots +_{b_{i(n-1)}} e_{in} \cdot x_n +_{b_{in}} c_i,$$
indexed by $i \le n$, such that (1) $x_i$ is an indeterminate variable; (2) $(b_{ij})_{j \le n}$ is a sequence of disjoint Boolean expressions, i.e. $b_{ij} \wedge b_{ik} \equiv 0$ for any $j \ne k$; (3) $c_i$ is a Boolean expression disjoint from $b_{ij}$ for all $j \le n$; and (4) $e_{ij}$ is a GKAT expression for any $j \le n$.

Given any congruence $\equiv$ satisfying the axioms of $\equiv_0$, a solution in $\mathsf{Exp}/{\equiv}$ to such a system is an $n$-tuple of GKAT expressions $(g_i)_{i \le n}$ such that the equivalence
$$g_i \equiv e_{i1} \cdot g_1 +_{b_{i1}} \cdots +_{b_{i(n-1)}} e_{in} \cdot g_n +_{b_{in}} c_i$$
holds for all $i \le n$.

For example, the equation in the premise of W3 is a system of one left-affine equation, and the conclusion prescribes a unique solution (in $\mathsf{Exp}/{\equiv}$) to the premise. Every finite GKAT-automaton $\mathcal{X}$ gives rise to a system of equations with variables indexed by $X = \{x_i \mid i \le n\}$ and coefficients indexed by the transition map, as follows:
$$e_{ij} = \sum_{x_i \xrightarrow{a \mid p_a} x_j} p_a, \qquad c_i = \{a \in A \mid x_i \Rightarrow a\}, \qquad b_{ij} = \{a \in A \mid x_i \xrightarrow{a \mid p} x_j\}.$$
Solving this system of equations uncovers the GKAT constructs that the automaton implements.

The uniqueness axiom states that certain systems of equations, like the one in the premise of W3, admit at most one solution. Choosing which systems the axiom should apply to must be done carefully, for the same reason that necessitates the side condition on W3. Crucially, we require that the system have productive coefficients, i.e. $E(e_{ij}) \equiv 0$ for all $i, j \le n$, to admit a unique solution. As this condition is analogous to Salomaa's empty word property [31], a system of equations with productive coefficients is called Salomaa [33]. The uniqueness axiom (for $\equiv$) states that every Salomaa system of equations has at most one solution in $\mathsf{Exp}/{\equiv}$. It is sound with respect to the semantics $\llbracket - \rrbracket$ from Section 5.

▶ Theorem 7.2. For any $i, j \le n$, let $s_{ij} \in Z$ satisfy $s_{ij}(a) \ne 1$ for any $a \in A$, let $(b_{ij})_{j \le n}$ be a sequence of disjoint Boolean expressions for any $i \le n$, and let $c_i \subseteq A$ be disjoint from $b_{ij}$ for each $j \le n$. The system of equations
$$t_i = s_{i1} \cdot t_1 +_{b_{i1}} \cdots +_{b_{i(n-1)}} s_{in} \cdot t_n +_{b_{in}} c_i,$$
indexed by $i \le n$, has a unique solution in $Z^n$.

Next, we present a completeness theorem w.r.t. $\equiv_0$. We have already seen that the behavior of a program takes the form of a tree, and that the programming constructs of GKAT apply to trees in such a way that equivalence up to the axioms of $\equiv_0$ is preserved (Theorem 5.2). The completeness theorem in this section shows that, up to $\equiv_0$-equivalence, GKAT programs can be identified with the trees they denote.

▶ Theorem 7.3 (Completeness for $\equiv_0$). Assume the uniqueness axiom for $\equiv_0$ and let $e, f \in \mathsf{Exp}$. If $\llbracket e \rrbracket = \llbracket f \rrbracket$, then $e \equiv_0 f$.

Proof sketch. Since $\llbracket e \rrbracket = \llbracket f \rrbracket$, $e$ and $f$ are bisimilar as expressions. This bisimulation gives rise to a Salomaa system of equations, which can be shown to admit both the derivatives of $e$ and those of $f$ as solutions. By the uniqueness axiom, it then follows that $e \equiv_0 f$. ◀

Having found a semantics that is sound and complete w.r.t. $\equiv_0$, we proceed to extend this result to find a semantics that is sound and complete w.r.t. $\equiv$. Recall that the only difference between these equivalences is S3, which equates programs that fail eventually with programs that fail immediately. To coarsen our semantics, we need an operation on labeled trees that forces early termination in case an accepting state cannot be reached.

▶ Definition 7.4. We say $t \in Z$ is dead when for all $w \in \mathrm{dom}(t)$ it holds that $t(w) \ne 1$. The normalization operator $(-)^\wedge$ is defined coinductively, as follows:
$$t^\wedge(a) = \begin{cases} 0 & t(a) \in \Sigma \text{ and } \partial_a t \text{ is dead}, \\ t(a) & \text{otherwise}, \end{cases} \qquad\qquad \partial_a(t^\wedge) = (\partial_a t)^\wedge.$$

▶ Example 7.5. Normalizing the tree $\llbracket p +_b p \cdot 0 \rrbracket$ prunes the branch corresponding to $\bar{b}$, since it has no accepting leaves. This yields the tree $\llbracket b \cdot p \rrbracket$.

Composing the normalization operator with the semantics $\llbracket - \rrbracket$ of GKAT, we obtain the normalized semantics $\llbracket - \rrbracket^\wedge$, which replaces dead subtrees with early termination. This semantics is sound w.r.t. $\equiv$.

▶ Proposition 7.6. If $e \equiv f$, then $\llbracket e \rrbracket^\wedge = \llbracket f \rrbracket^\wedge$.

For the corresponding completeness property, we need a way of "normalizing" a given expression in $\mathsf{Exp}$. The following observation gives us a way to do this.

▶ Lemma 7.7. $W$ is closed under normalization.

When $e \in \mathsf{Exp}$, we have that $\llbracket e \rrbracket \in W$. Moreover, by the above, $\llbracket e \rrbracket^\wedge \in W$, which means that there is an $e' \in \mathsf{Exp}$ such that $\llbracket e' \rrbracket = \llbracket e \rrbracket^\wedge$. We write $e^\wedge$ for this normalized expression. As it turns out, we can derive the equivalence $e^\wedge \equiv e$ from the uniqueness axiom for $\equiv$. This gives an alternative proof of the completeness result of [33] that highlights the role of coequational methods in reasoning about failure modes.

▶ Corollary 7.8 ([33]). Assume the uniqueness axiom for $\equiv_0$ and $\equiv$. If $\llbracket e \rrbracket^\wedge = \llbracket f \rrbracket^\wedge$, then $e \equiv f$.

Proof sketch. If $\llbracket e \rrbracket^\wedge = \llbracket f \rrbracket^\wedge$, then $\llbracket e^\wedge \rrbracket = \llbracket f^\wedge \rrbracket$. By completeness of $\equiv_0$ w.r.t. $\llbracket - \rrbracket$, we can then derive that $e \equiv e^\wedge \equiv_0 f^\wedge \equiv f$, and since $\equiv_0$ is contained in $\equiv$, also $e \equiv f$. ◀

By normalizing the trees in $W$, we obtain the coequation $W^\wedge = \{t^\wedge \mid t \in W\}$. This coequation precisely characterizes GKAT programs with forced early termination. In particular, since $W^\wedge \subseteq W$, neither state in Figure 3 has a semantics described by $\llbracket e \rrbracket^\wedge$ for some $e \in \mathsf{Exp}$.
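The following worked example is added here and is not code from the paper. It makes three of the ingredients above concrete on finite GKAT-automata: bisimilarity of states decided by partition refinement, where a partition is stable exactly when the two conditions of Lemma 4.2 (Appendix A) hold inside every block, so that by Lemma 4.5 two states in the same block denote the same tree (this is the "bisimilar as expressions" step in the proof sketch of Theorem 7.3); and the normalization of Definition 7.4, computed on the automaton rather than the tree by redirecting every transition into a state whose tree is dead (no accepting leaf reachable) to immediate failure. The single test $b$ with atoms `"b"` and `"nb"`, the actions `p` and `q`, the state names and the automaton `DELTA` are all constructed for this illustration; `DELTA["s0"]` and `DELTA["u0"]` encode the two programs of Example 7.5.

```python
# Added example, not code from the paper: finite GKAT-automata over one test b
# (atoms "b" and "nb" for b and its negation), bisimilarity of their states by
# partition refinement (Lemma 4.2: same label on every atom, successors in the
# same block), and the normalization of Definition 7.4 computed on the
# automaton (a transition into a dead state becomes the failure label 0).
# delta[x][a] is 0 (fail), 1 (accept) or (action, successor).
# State names and the sample automaton are constructed for this illustration.


def dead_states(delta):
    """States from which no node labelled 1 is reachable, i.e. whose tree is dead."""
    live = {x for x, row in delta.items() if any(out == 1 for out in row.values())}
    changed = True
    while changed:
        changed = False
        for x, row in delta.items():
            if x not in live and any(isinstance(out, tuple) and out[1] in live
                                     for out in row.values()):
                live.add(x)
                changed = True
    return set(delta) - live


def normalize(delta):
    """Automaton-level normalization: unfolding the result gives t^ of Definition 7.4."""
    dead = dead_states(delta)
    return {x: {a: (0 if isinstance(out, tuple) and out[1] in dead else out)
                for a, out in row.items()}
            for x, row in delta.items()}


def signature(delta, x, block_of):
    """One-step behaviour of x relative to a partition: its own block (so a
    refinement step only ever splits blocks) and, per atom, the label and the
    block of the successor, exactly the data Lemma 4.2 compares."""
    steps = []
    for a, out in sorted(delta[x].items()):
        if isinstance(out, tuple):
            steps.append((a, out[0], block_of[out[1]]))
        else:
            steps.append((a, out, None))
    return (block_of[x], tuple(steps))


def bisimilarity(delta):
    """Coarsest bisimulation on the state space, returned as state -> block id."""
    block_of = {x: 0 for x in delta}  # start by identifying all states
    while True:
        sigs = {x: signature(delta, x, block_of) for x in delta}
        ids = {s: i for i, s in enumerate(sorted(set(sigs.values()), key=repr))}
        refined = {x: ids[sigs[x]] for x in delta}
        if len(set(refined.values())) == len(set(block_of.values())):
            return refined  # no block was split: the partition is a bisimulation
        block_of = refined


def bisimilar(delta, x, y):
    eq = bisimilarity(delta)
    return eq[x] == eq[y]


# Constructed automaton with four programs as start states:
#   s0 : p +_b p.0    (on b run p and accept; on nb run p, then fail)
#   u0 : b.p          (on b run p and accept; on nb fail at once)
#   w  : while b do p, and w1: the same loop unrolled once (w1 -> w2 -> w1)
#   z  : while 1 do q, which never reaches an accepting leaf (a dead tree)
DELTA = {
    "s0": {"b": ("p", "s1"), "nb": ("p", "s2")},
    "s1": {"b": 1, "nb": 1},
    "s2": {"b": 0, "nb": 0},
    "u0": {"b": ("p", "s1"), "nb": 0},
    "w":  {"b": ("p", "w"),  "nb": 1},
    "w1": {"b": ("p", "w2"), "nb": 1},
    "w2": {"b": ("p", "w1"), "nb": 1},
    "z":  {"b": ("q", "z"),  "nb": ("q", "z")},
}

if __name__ == "__main__":
    print("dead states:", sorted(dead_states(DELTA)))
    print("s0 ~ u0 before normalization:", bisimilar(DELTA, "s0", "u0"))
    print("s0 ~ u0 after normalization: ", bisimilar(normalize(DELTA), "s0", "u0"))
    print("w ~ w1:", bisimilar(DELTA, "w", "w1"))
```

Before normalization `s0` and `u0` are separated on the atom `nb` (label `p` against label `0`), which is the distinction the reduced axioms keep; after `normalize`, the transition of `s0` into the dead state `s2` has become `0` and the two states fall into the same block, mirroring Example 7.5. The never-terminating loop `z` is dead as well, so its normalized form fails immediately on every atom, which is the behaviour the early termination axiom S3 prescribes.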
8 Related Work

This paper builds on [33], where GKAT was proposed together with a language semantics based on guarded strings [15] and an axiomatization closely related to Salomaa's axiomatization of regular expressions based on unique fixpoints [31]. Note that the language of propositional while programs from [23, 20] is closely related to GKAT in terms of semantics, although the compact syntax and axiomatization were only introduced in [33].

Some GKAT-automata have behavior that does not correspond to any GKAT expression, such as the example in [23]. The upshot is that the Böhm-Jacopini theorem [6, 13], which states that every deterministic flowchart corresponds to a while program, does not hold propositionally, i.e., when we abstract from the meaning of individual actions and tests [23]. In contrast with [33, 23], our work provides a precise characterization of the behaviors denoted by GKAT programs using trees. In other words, we characterize the image of the semantic map inside the space of all behaviors. This explicit characterization was essential for proving completeness of the full theory of GKAT, including the early termination axiom.

KAT equivalence without early termination has been investigated by Mamouras [24]. Brzozowski derivatives [7] appear in the completeness proof of KA [18, 21, 14]. We were more directly inspired by Silva's coalgebraic analogues of Brzozowski derivatives used in the context of completeness [32]. Rutten [28] and Pavlovic and Escardó [26] document the connection between the differential calculus of analysis and coalgebraic derivatives. Coequations have appeared in the coalgebra literature in a variety of contexts, e.g. [3, 1, 5, 29, 30], and notably in the proof of generalized Eilenberg theorems [35, 2]. The use of coequations in completeness proofs is, as far as we are aware, new.

9 Discussion

GKAT was introduced in [23] under the name propositional while programs and extensively studied in [33] as an algebraic framework to reason about simple imperative programs. We presented a new perspective on the theory of GKAT, which allowed us to isolate a fragment of the original axiomatization that captures the purely behavioral properties of GKAT programs. We solved an open problem from [33], providing a proof that well-nested automata are not closed under homomorphisms, thereby making it unlikely that these automata can be used in a completeness proof that does not rely on uniqueness axioms. Finally, we proved completeness for the full theory, respecting the early-termination property, in which programs that fail immediately are equated with programs that fail eventually.

There are several directions for future work that are worth investigating. First, it was conjectured in [33] that the uniqueness axiom follows from the other axioms of GKAT. This remains open, but at the time of writing we think this conjecture might be false. Secondly, the technique we use, based on coequations, can serve as a basis for a general approach to completeness proofs. We plan to investigate other difficult problems where our technique might apply. Of particular interest is an open problem posed by Milner in [25], which consists of showing that a certain set of axioms is complete w.r.t. bisimulation equivalence for regular expressions. Recently, Grabmayer and Fokkink [11] provided a partial solution. We believe our technique can simplify their proofs and shed further light on Milner's problem. We have chosen to adopt the axiomatization from [33], which can be described as a Salomaa-style axiomatization: the loop is a unique fixpoint satisfying a side condition on termination. We would like to generalize the results of the present paper to an axiomatization in which the loop is a least fixpoint w.r.t. an order. The challenge is that there is no natural order in the language, because the $+$ of Kleene algebra has been replaced by $+_b$. However, we hope to devise an order $\le$ directly on expressions and extend the characterizations that we have to the new setting. This new axiomatization would have the advantage of being algebraic (that is, sound under arbitrary substitution), which makes it more suitable for verification purposes, as the number of models of the language would increase.

References

[1] Jirí Adámek. A logic of coequations. In CSL, pages 70–86, 2005. doi:10.1007/11538363_7.
[2] Jirí Adámek, Stefan Milius, Robert S. R. Myers, and Henning Urbat. Generalized Eilenberg theorem: Varieties of languages in a category. ACM Trans. Comput. Log., 20(1):3:1–3:47, 2019. doi:10.1145/3276771.
[3] Jirí Adámek and Hans-E. Porst. On varieties and covarieties in a category. Math. Struct. Comput. Sci., 13(2):201–232, 2003. doi:10.1017/S0960129502003882.
[4] Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole Schlesinger, and David Walker. NetKAT: semantic foundations for networks. In POPL, pages 113–126, 2014. doi:10.1145/2535838.2535862.
[5] Adolfo Ballester-Bolinches, Enric Cosme-Llópez, and Jan J. M. M. Rutten. The dual equivalence of equations and coequations for automata. Inf. Comput., 244:49–75, 2015. doi:10.1016/j.ic.2015.08.001.
[6] Corrado Böhm and Giuseppe Jacopini. Flow diagrams, Turing machines and languages with only two formation rules. Commun. ACM, 9(5):366–371, 1966. doi:10.1145/355592.365646.
[7] Janusz A. Brzozowski. Derivatives of regular expressions. J. ACM, 11(4):481–494, 1964. doi:10.1145/321239.321249.
[8] Ernie Cohen, Dexter Kozen, and Frederick Smith. The complexity of Kleene algebra with tests. Technical Report TR96-1598, Cornell University, July 1996. URL: https://hdl.handle.net/1813/7253.
[9] Nate Foster, Dexter Kozen, Konstantinos Mamouras, Mark Reitblatt, and Alexandra Silva. Probabilistic NetKAT. In ESOP, pages 282–309, 2016. doi:10.1007/978-3-662-49498-1_12.
[10] Nate Foster, Dexter Kozen, Matthew Milano, Alexandra Silva, and Laure Thompson. A coalgebraic decision procedure for NetKAT. In POPL, pages 343–355, 2015. doi:10.1145/2676726.2677011.
[11] Clemens Grabmayer and Wan J. Fokkink. A complete proof system for 1-free regular expressions modulo bisimilarity. In LICS, pages 465–478, 2020. doi:10.1145/3373718.3394744.
[12] H. Peter Gumm. Elements of the general theory of coalgebras, 2000.
[13] David Harel. On folk theorems. Commun. ACM, 23(7):379–389, 1980. doi:10.1145/358886.358892.
[14] Bart Jacobs. A bialgebraic review of deterministic automata, regular expressions and languages. In Algebra, Meaning, and Computation, Essays Dedicated to Joseph A. Goguen on the Occasion of His 65th Birthday, pages 375–404, 2006. doi:10.1007/11780274_20.
[15] Donald M. Kaplan. Regular expressions and the equivalence of programs. J. Comput. Syst. Sci., 3(4):361–386, 1969. doi:10.1016/S0022-0000(69)80027-9.
[16] Stephen C. Kleene. Representation of events in nerve nets and finite automata. In Claude E. Shannon and John McCarthy, editors, Automata Studies, pages 3–41. Princeton University Press, 1956.
[17] Dexter Kozen. Kleene algebra with tests and commutativity conditions. In TACAS, pages 14–33, 1996. doi:10.1007/3-540-61042-1_35.
[18] Dexter Kozen. Myhill-Nerode relations on automatic systems and the completeness of Kleene algebra. In STACS, pages 27–38, 2001. doi:10.1007/3-540-44693-1_3.
[19] Dexter Kozen. Automata on guarded strings and applications. Matemática Contemporânea, 24:117–139, 2003.
[20] Dexter Kozen. Nonlocal flow of control and Kleene algebra with tests. In LICS, pages 105–117, 2008. doi:10.1109/LICS.2008.32.
[21] Dexter Kozen. On the coalgebraic theory of Kleene algebra with tests. In Rohit Parikh on Logic, Language and Society, pages 279–298, 2017. doi:10.1007/978-3-319-47843-2_15.
[22] Dexter Kozen and Frederick Smith. Kleene algebra with tests: Completeness and decidability. In CSL, pages 244–259, 1996. doi:10.1007/3-540-63172-0_43.
[23] Dexter Kozen and Wei-Lung Dustin Tseng. The Böhm-Jacopini theorem is false, propositionally. In MPC, pages 177–192, 2008. doi:10.1007/978-3-540-70594-9_11.
[24] Konstantinos Mamouras. Equational theories of abnormal termination based on Kleene algebra. In FOSSACS, volume 10203 of Lecture Notes in Computer Science, pages 88–105, 2017. doi:10.1007/978-3-662-54458-7_6.
[25] Robin Milner. A complete inference system for a class of regular behaviours. J. Comput. Syst. Sci., 28(3):439–466, 1984. doi:10.1016/0022-0000(84)90023-0.
[26] Dusko Pavlovic and Martín Hötzel Escardó. Calculus in coinductive form. In LICS, pages 408–417, 1998. doi:10.1109/LICS.1998.705675.
[27] Jan J. M. M. Rutten. Universal coalgebra: a theory of systems. Theor. Comput. Sci., 249(1):3–80, 2000. doi:10.1016/S0304-3975(00)00056-6.
[28] Jan J. M. M. Rutten. Behavioural differential equations: a coinductive calculus of streams, automata, and power series. Theor. Comput. Sci., 308(1-3):1–53, 2003. doi:10.1016/S0304-3975(02)00895-2.
[29] Julian Salamanca, Adolfo Ballester-Bolinches, Marcello M. Bonsangue, Enric Cosme-Llópez, and Jan J. M. M. Rutten. Regular varieties of automata and coequations. In MPC, pages 224–237, 2015. doi:10.1007/978-3-319-19797-5_11.
[30] Julian Salamanca, Marcello M. Bonsangue, and Jurriaan Rot. Duality of equations and coequations via contravariant adjunctions. In Ichiro Hasuo, editor, CMCS, pages 73–93, 2016. doi:10.1007/978-3-319-40370-0_6.
[31] Arto Salomaa. Two complete axiom systems for the algebra of regular events. J. ACM, 13(1):158–169, 1966. doi:10.1145/321312.321326.
[32] Alexandra Silva. Kleene coalgebra. PhD thesis, Radboud University, Nijmegen, 2010. URL: https://hdl.handle.net/2066/83205.
[33] Steffen Smolka, Nate Foster, Justin Hsu, Tobias Kappé, Dexter Kozen, and Alexandra Silva. Guarded Kleene algebra with tests: Verification of uninterpreted programs in nearly linear time. In POPL, 2020. doi:10.1145/3371129.
[34] Steffen Smolka, Praveen Kumar, David M. Kahn, Nate Foster, Justin Hsu, Dexter Kozen, and Alexandra Silva. Scalable verification of probabilistic networks. In PLDI, pages 190–203, 2019. doi:10.1145/3314221.3314639.
[35] Henning Urbat, Jirí Adámek, Liang-Ting Chen, and Stefan Milius. Eilenberg theorems for free. In MFCS, 2017. doi:10.4230/LIPIcs.MFCS.2017.43.

A Detailed proofs for Section 4: The final GKAT-automaton

▶ Lemma 4.2. $R \subseteq Z \times Z$ is a bisimulation on $Z$ iff for any $(t, s) \in R$ and $a \in A$: (1) $t(a) = s(a)$; and (2) if either $\partial_a t$ or $\partial_a s$ is defined, then both are defined and $(\partial_a t, \partial_a s) \in R$.

Proof. If $R$ is a bisimulation containing $(t, s)$, then for any $a \in A$,
$$s(a) = \begin{cases} 1 & s \Rightarrow a, \\ p & \text{if } s \xrightarrow{a \mid p} \partial_a s, \\ 0 & s \downarrow a \end{cases} \;=\; \begin{cases} 1 & t \Rightarrow a, \\ p & \text{if } t \xrightarrow{a \mid p} \partial_a t, \\ 0 & t \downarrow a \end{cases} \;=\; t(a).$$
Furthermore, if $\partial_a s$ is defined, then $s(a) \in \Sigma$ by definition of $Z$. Since $t(a) = s(a)$, it follows that $\partial_a t$ must also be defined; similarly, if $\partial_a t$ is defined, so is $\partial_a s$. Now, if $\partial_a s$ and $\partial_a t$ are defined, then $s \xrightarrow{a \mid s(a)} \partial_a s$ and $t \xrightarrow{a \mid t(a)} \partial_a t$; hence $(\partial_a s, \partial_a t) \in R$, since $R$ is a bisimulation.

Conversely, suppose every pair $(t, s) \in R$ satisfies (1) and (2) above. By (1), $s \Rightarrow a \iff t \Rightarrow a$ as well as $s \downarrow a \iff t \downarrow a$. Furthermore, since $t \xrightarrow{a \mid p} \partial_a t$ if and only if $t(a) = p$, by (1) we find that $s \xrightarrow{a \mid p} \partial_a s$ if and only if $t \xrightarrow{a \mid p} \partial_a t$. By (2), $(\partial_a s, \partial_a t) \in R$ and we are done. ◀

▶ Lemma 4.3 (Coinduction). If $s, t \in Z$ are bisimilar, then $s = t$.

Proof.
Let $R$ be a bisimulation. We claim that, for all $w \in A^+$ and $(s, t) \in R$, we have (a) $w \in \mathrm{dom}(s)$ if and only if $w \in \mathrm{dom}(t)$; and (b) if $w \in \mathrm{dom}(t) \cap \mathrm{dom}(s)$ then $s(w) = t(w)$. The proof proceeds by induction on $w$. In the base, $w = a$ with $a \in A$, in which case the first claim holds by definition of $Z$, and the second claim follows from $s$ and $t$ being bisimilar (Lemma 4.2(1)). For the inductive step, let $w = aw'$ for $a \in A$ and assume the claim holds for $w'$. If $t(a) = s(a) \in 2$, then $w \notin \mathrm{dom}(s)$ and $w \notin \mathrm{dom}(t)$ by definition of $Z$, so both claims hold immediately. Otherwise, if $t(a) = s(a) \in \Sigma$, then both $\partial_a s$ and $\partial_a t$ are defined, and $(\partial_a s, \partial_a t) \in R$. For the first claim, we can derive by induction that
$$w \in \mathrm{dom}(s) \iff w' \in \mathrm{dom}(\partial_a s) \iff w' \in \mathrm{dom}(\partial_a t) \iff w \in \mathrm{dom}(t).$$
For the second claim, we also derive by induction that $s(w) = \partial_a s(w') = \partial_a t(w') = t(w)$. ◀

For the sake of the next proof, it is helpful to note that the GKAT-automaton homomorphism conditions can be rephrased. Consider a function $\varphi : X \to Y$ between the state spaces of two GKAT-automata $\mathcal{X}$ and $\mathcal{Y}$. Then $\varphi$ is a GKAT-automaton homomorphism if and only if
$$\delta_Y(\varphi(x), a) = \begin{cases} (p, \varphi(x')) & \text{if } \delta_X(x, a) = (p, x') \in \Sigma \times X, \\ \delta_X(x, a) & \text{otherwise.} \end{cases}$$
In particular, if $\varphi$ is a GKAT-automaton homomorphism, then if either $\partial_a \varphi(x)$ or $\varphi(\partial_a x)$ is defined, both are defined and $\partial_a \varphi(x) = \varphi(\partial_a x)$.

▶ Theorem 4.4. $Z$ is the final GKAT-automaton. In other words, for every GKAT-automaton $\mathcal{X}$, there exists a unique GKAT-automaton homomorphism $!_{\mathcal{X}}$ from $\mathcal{X}$ to $Z$.

Proof. Let $\mathcal{X} = (X, \delta)$. First, we inductively extend $\delta$ to $\delta^* : X \times A^+ \rightharpoonup 2 + \Sigma$, as follows:
$$\delta^*(x, w) = \begin{cases} \delta(x, a) & w = a \in A \wedge \delta(x, a) \in 2, \\ p & w = a \in A \wedge \delta(x, a) = (p, x'), \\ \delta^*(x', w') & w = aw' \wedge \delta(x, a) = (p, x'), \\ \text{undefined} & \text{otherwise.} \end{cases}$$
The desired GKAT-automaton homomorphism is then $!_{\mathcal{X}}(x) := \lambda w.\, \delta^*(x, w)$. A straightforward argument shows that $!_{\mathcal{X}}$ is well-defined, that is, $!_{\mathcal{X}}(x)$ is a tree for each $x \in X$. To see the homomorphism condition, first observe that if $\delta(x, a) \in 2$, then
$$!_{\mathcal{X}}(x)(a) = (\lambda w.\, \delta^*(x, w))(a) = \delta^*(x, a) = \delta(x, a).$$
Furthermore, if $x \xrightarrow{a \mid p} x'$, then $!_{\mathcal{X}}(x)(a) = \delta^*(x, a) = p$ and
$$\partial_a\, !_{\mathcal{X}}(x) = \partial_a (\lambda w.\, \delta^*(x, w)) = \lambda w.\, \delta^*(x, aw) = \lambda w.\, \delta^*(x', w) = !_{\mathcal{X}}(x').$$
To see uniqueness, let $\varphi : X \to Z$ be any GKAT-automaton homomorphism. We use Lemma 4.2 to argue that the relation $R = \{(!_{\mathcal{X}}(x), \varphi(x)) \mid x \in X\}$ is a bisimulation. First and foremost,
$$\varphi(x)(a) = \begin{cases} 0 & x \downarrow a, \\ 1 & x \Rightarrow a, \\ p & \text{if } x \xrightarrow{a \mid p} \partial_a x \end{cases} \;=\; \begin{cases} 0 & \delta(x, a) = 0, \\ 1 & \delta(x, a) = 1, \\ p & \text{if } \delta^*(x, a) = p \end{cases} \;=\; !_{\mathcal{X}}(x)(a).$$
For the step equations, observe that
$$!_{\mathcal{X}}(x)(a) \in \Sigma \iff (\exists p \in \Sigma)\; x \xrightarrow{a \mid p} \partial_a x \iff \varphi(x)(a) \in \Sigma,$$
as well as that $!_{\mathcal{X}}(\partial_a x) = \partial_a(!_{\mathcal{X}}(x))$ and $\varphi(\partial_a x) = \partial_a \varphi(x)$. Hence,
$$(\partial_a(!_{\mathcal{X}}(x)), \partial_a \varphi(x)) = (!_{\mathcal{X}}(\partial_a x), \varphi(\partial_a x)) \in R.$$
By Lemma 4.2, $R$ is a bisimulation, and so $!_{\mathcal{X}}(x) = \varphi(x)$ for all $x \in X$ by Lemma 4.3. ◀

▶ Lemma 4.5. States $x$ and $x'$ of a GKAT-automaton $\mathcal{X}$ are bisimilar iff $!_{\mathcal{X}}(x) = !_{\mathcal{X}}(x')$.

Proof.
To see sufficiency, note that the graph of a GKAT-automaton homomorphism is a bisimulation by definition. It is easily shown that the converse of a bisimulation is a bisimulation, as is the (relational) composition of two bisimulations. Composing the graph of $!_{\mathcal{X}}$ with its converse puts the pair $(x, x')$ in a bisimulation on $\mathcal{X}$.

For necessity, let $\leftrightarrow$ be the set of pairs of bisimilar states of $\mathcal{X}$, and note that it forms an equivalence relation. Observe that the quotient map $q : X \to X/{\leftrightarrow}$ is a GKAT-automaton homomorphism for a unique GKAT-automaton structure $\mathcal{X}/{\leftrightarrow}$ on $X/{\leftrightarrow}$. Because the composition of GKAT-automaton homomorphisms is again a GKAT-automaton homomorphism, we have two GKAT-automaton homomorphisms from $\mathcal{X}$ to $Z$: the map $!_{\mathcal{X}}$ as well as $!_{\mathcal{X}/{\leftrightarrow}} \circ q$. By Theorem 4.4, these are the same; since $q(x) = q(x')$, we conclude that $!_{\mathcal{X}}(x) = !_{\mathcal{X}}(x')$. ◀

B Detailed proofs for Section 5: Trees form an algebra

▶ Proposition 5.1.
For any $e \in \mathsf{Exp}$, $\llbracket e \rrbracket = !_{\mathcal{E}}(e)$.

Proof. It suffices to show that $\llbracket - \rrbracket$ is a GKAT-automaton homomorphism from $\mathcal{E}$ to $Z$. This amounts to showing that the following rules hold:
$$\frac{e \downarrow a}{\llbracket e \rrbracket(a) = 0} \qquad\qquad \frac{e \Rightarrow a}{\llbracket e \rrbracket(a) = 1} \qquad\qquad \frac{e \xrightarrow{a \mid p} e'}{\llbracket e \rrbracket \xrightarrow{a \mid p} \llbracket e' \rrbracket}$$
We do this by induction on the transition rules for $e$. In the base, there are two cases. By definition, $\llbracket b \rrbracket(a) = 0$ iff $b \downarrow a$, and $\llbracket b \rrbracket(a) = 1$ iff $b \Rightarrow a$. Since $b$ does not admit any transitions in $\mathcal{E}$, the last implication holds vacuously. We have that $p \xrightarrow{a \mid p} 1$ for all $a \in A$; by definition of $\llbracket p \rrbracket$, we have $\llbracket p \rrbracket(a) = p$ and $\partial_a \llbracket p \rrbracket = \llbracket 1 \rrbracket$, and hence $\llbracket p \rrbracket \xrightarrow{a \mid p} \llbracket 1 \rrbracket$. Furthermore, $p$ does not terminate (successfully or unsuccessfully) in $\mathcal{E}$, so the first two rules hold vacuously.

In the inductive step, suppose the three inferences above hold for $e$ and $f$, and let $b \subseteq A$.

If $e +_b f \downarrow a$, then either $a \in b$ and $e \downarrow a$, or $a \in \bar{b}$ and $f \downarrow a$. In the first case, $\llbracket e +_b f \rrbracket(a) = \llbracket e \rrbracket(a) = 0$, and in the second $\llbracket e +_b f \rrbracket(a) = \llbracket f \rrbracket(a) = 0$. If $e +_b f \Rightarrow a$, then either $a \in b$ and $e \Rightarrow a$, or $a \in \bar{b}$ and $f \Rightarrow a$. In the first case, $\llbracket e +_b f \rrbracket(a) = \llbracket e \rrbracket(a) = 1$, and in the second $\llbracket e +_b f \rrbracket(a) = \llbracket f \rrbracket(a) = 1$. If $e +_b f \xrightarrow{a \mid p} g$, then either $a \in b$ and $e \xrightarrow{a \mid p} g$, or $a \in \bar{b}$ and $f \xrightarrow{a \mid p} g$. In the first case, $\llbracket e +_b f \rrbracket(a) = \llbracket e \rrbracket(a) = p$ and $\partial_a \llbracket e +_b f \rrbracket = \partial_a(\llbracket e \rrbracket +_b \llbracket f \rrbracket) = \partial_a \llbracket e \rrbracket = \llbracket g \rrbracket$, and in the second, $\llbracket e +_b f \rrbracket(a) = \llbracket f \rrbracket(a) = p$ and $\partial_a \llbracket e +_b f \rrbracket = \partial_a \llbracket f \rrbracket = \llbracket g \rrbracket$.

If $e \cdot f \downarrow a$, then either $e \downarrow a$, or $e \Rightarrow a$ and $f \downarrow a$. In the first case, $\llbracket e \cdot f \rrbracket(a) = \llbracket e \rrbracket(a) = 0$, and in the second, $\llbracket e \cdot f \rrbracket(a) = (\llbracket e \rrbracket \cdot \llbracket f \rrbracket)(a) = \llbracket f \rrbracket(a) = 0$. If $e \cdot f \Rightarrow a$, then $e \Rightarrow a$ and $f \Rightarrow a$. Thus, $\llbracket e \cdot f \rrbracket(a) = \llbracket f \rrbracket(a) = 1$. If $e \cdot f \xrightarrow{a \mid p} g$, then either $e \Rightarrow a$ and $f \xrightarrow{a \mid p} g$, or $e \xrightarrow{a \mid p} e'$ and $g = e' \cdot f$. In the first case, $\llbracket e \cdot f \rrbracket(a) = \llbracket f \rrbracket(a) = p$ and $\partial_a \llbracket e \cdot f \rrbracket = \partial_a(\llbracket e \rrbracket \cdot \llbracket f \rrbracket) = \partial_a \llbracket f \rrbracket = \llbracket g \rrbracket$, meaning $\llbracket e \cdot f \rrbracket \xrightarrow{a \mid p} \llbracket g \rrbracket$; in the second, $\llbracket e \cdot f \rrbracket(a) = \llbracket e \rrbracket(a) = p$ and $\partial_a \llbracket e \cdot f \rrbracket = \partial_a \llbracket e \rrbracket \cdot \llbracket f \rrbracket = \llbracket e' \rrbracket \cdot \llbracket f \rrbracket = \llbracket g \rrbracket$, thus showing that $\llbracket e \cdot f \rrbracket \xrightarrow{a \mid p} \llbracket g \rrbracket$ again.

If $e^{(b)} \downarrow a$, then $a \in b$ and either $e \downarrow a$ or $e \Rightarrow a$. In either case, $\llbracket e^{(b)} \rrbracket(a) = \llbracket e \rrbracket^{(b)}(a) = 0$. If $e^{(b)} \Rightarrow a$, then $a \in \bar{b}$ and $\llbracket e^{(b)} \rrbracket(a) = \llbracket e \rrbracket^{(b)}(a) = 1$. If $e^{(b)} \xrightarrow{a \mid p} g$, then $a \in b$, $e \xrightarrow{a \mid p} e'$, and $g = e' \cdot e^{(b)}$. This means that $\llbracket e^{(b)} \rrbracket(a) = \llbracket e \rrbracket^{(b)}(a) = \llbracket e \rrbracket(a) = p$ and
$$\partial_a \llbracket e^{(b)} \rrbracket = \partial_a \llbracket e \rrbracket^{(b)} = \partial_a \llbracket e \rrbracket \cdot \llbracket e \rrbracket^{(b)} = \llbracket e' \rrbracket \cdot \llbracket e^{(b)} \rrbracket = \llbracket g \rrbracket. \qquad ◀$$

▶ Theorem 5.2.
The semantics $\llbracket - \rrbracket$ is sound w.r.t. $\equiv_0$.

Proof. We should show that if $e, f \in \mathsf{Exp}$ with $e \equiv_0 f$, then $\llbracket e \rrbracket = \llbracket f \rrbracket$. By Proposition 5.1 and Lemma 4.5, it suffices to show that $\equiv_0$ is a bisimulation on $\mathcal{E}$. We do this by induction on $\equiv_0$. The proof is somewhat long, but completely straightforward in almost all cases.

In the base, we have one case to consider for each of the axioms. For the guarded union axioms U1 through U5, reflexivity of $\equiv_0$ means that it suffices to show that if $e \equiv_0 f$ as a consequence of one of these axioms, we have for all $a \in A$ that $e \downarrow a$ if and only if $f \downarrow a$, as well as $e \Rightarrow a$ if and only if $f \Rightarrow a$, and $e \xrightarrow{a \mid p} g$ if and only if $f \xrightarrow{a \mid p} g$.

(U1) If $e = f +_b f$ for some $b \in \mathsf{BExp}$, suppose $a \in b$; then $e \downarrow a$ if and only if $f \downarrow a$ by definition of the transition structure on expressions; similarly, $e \Rightarrow a$ if and only if $f \Rightarrow a$, and $e \xrightarrow{a \mid p} g$ if and only if $f \xrightarrow{a \mid p} g$. The case for $a \notin b$ is argued similarly.

(U2) If $e = g_1 +_b g_2$ and $f = g_2 +_{\bar{b}} g_1$ for some $g_1, g_2 \in \mathsf{Exp}$ and $b \in \mathsf{BExp}$, then suppose $a \in b$. We then have $e \downarrow a$ if and only if $g_1 \downarrow a$ if and only if $f \downarrow a$, by definition of $\mathcal{E}$. By a similar argument, $e \Rightarrow a$ if and only if $f \Rightarrow a$ and $e \xrightarrow{a \mid p} h$ if and only if $f \xrightarrow{a \mid p} h$. The case where $a \notin b$ is argued similarly.

(U3) If $e = (g_1 +_b g_2) +_c g_3$ and $f = g_1 +_{b \wedge c} (g_2 +_c g_3)$ where $g_1, g_2, g_3 \in \mathsf{Exp}$ and $b, c \in \mathsf{BExp}$, then there are three cases, based on $a \in A$. First, if $a \in c \wedge b$, then $e \downarrow a$ precisely when $g_1 \downarrow a$, which holds if and only if $f \downarrow a$. By a similar argument $e \Rightarrow a$ if and only if $g_1 \Rightarrow a$ if and only if $f \Rightarrow a$. Likewise, $e \xrightarrow{a \mid p} h$ if and only if $g_1 \xrightarrow{a \mid p} h$ if and only if $f \xrightarrow{a \mid p} h$. Next, if $a \in c \wedge \bar{b}$, note that the latter is equivalent to $a \in \overline{b \wedge c} \wedge c$. A similar argument then shows the same properties as in the previous case, except with $g_2$. Finally, if $a \in \bar{c}$ then note that in particular $a \notin b \wedge c$. We again recover the same properties as in the two previous cases, this time with $g_3$.

(U4) If $e = g_1 +_b g_2$ and $f = b \cdot g_1 +_b g_2$ for some $g_1, g_2 \in \mathsf{Exp}$ and $b \in \mathsf{BExp}$, then suppose $a \in b$. In that case, $e \downarrow a$ if and only if $g_1 \downarrow a$, which holds precisely when $b \cdot g_1 \downarrow a$, which is true if and only if $f \downarrow a$. By a similar argument $e \Rightarrow a$ if and only if $f \Rightarrow a$ and $e \xrightarrow{a \mid p} h$ if and only if $f \xrightarrow{a \mid p} h$. The case where $a \notin b$ is covered by a similar argument.

(U5) If $e = (g_1 +_b g_2) \cdot g_3$ and $f = g_1 \cdot g_3 +_b g_2 \cdot g_3$ for some $g_1, g_2, g_3 \in \mathsf{Exp}$ and $b \in \mathsf{BExp}$, first suppose $a \in b$. We can then derive as follows:
$$e \downarrow a \iff g_1 +_b g_2 \downarrow a \vee [g_1 +_b g_2 \Rightarrow a \wedge g_3 \downarrow a] \iff g_1 \downarrow a \vee [g_1 \Rightarrow a \wedge g_3 \downarrow a] \iff g_1 \cdot g_3 \downarrow a \iff f \downarrow a.$$
Similarly, we can derive
$$e \Rightarrow a \iff g_1 +_b g_2 \Rightarrow a \wedge g_3 \Rightarrow a \iff g_1 \Rightarrow a \wedge g_3 \Rightarrow a \iff f \Rightarrow a.$$
Finally, we have that
$$e \xrightarrow{a \mid p} h \iff [g_1 +_b g_2 \xrightarrow{a \mid p} h' \wedge h = h' \cdot g_3] \vee [g_1 +_b g_2 \Rightarrow a \wedge g_3 \xrightarrow{a \mid p} h] \iff [g_1 \xrightarrow{a \mid p} h' \wedge h = h' \cdot g_3] \vee [g_1 \Rightarrow a \wedge g_3 \xrightarrow{a \mid p} h] \iff f \xrightarrow{a \mid p} h.$$
The case where $a \notin b$ is argued similarly.

For the sequential composition axioms, we show the properties required of a bisimulation.

(S1) If $e = g_1 \cdot (g_2 \cdot g_3)$ and $f = (g_1 \cdot g_2) \cdot g_3$, then we derive
$$e \downarrow a \iff g_1 \downarrow a \vee [g_1 \Rightarrow a \wedge g_2 \cdot g_3 \downarrow a] \iff g_1 \downarrow a \vee [g_1 \Rightarrow a \wedge [g_2 \downarrow a \vee [g_2 \Rightarrow a \wedge g_3 \downarrow a]]] \iff g_1 \cdot g_2 \downarrow a \vee [g_1 \cdot g_2 \Rightarrow a \wedge g_3 \downarrow a] \iff f \downarrow a.$$
Similarly, for successful termination we can derive
$$e \Rightarrow a \iff g_1 \Rightarrow a \wedge g_2 \cdot g_3 \Rightarrow a \iff g_1 \Rightarrow a \wedge [g_2 \Rightarrow a \wedge g_3 \Rightarrow a] \iff [g_1 \Rightarrow a \wedge g_2 \Rightarrow a] \wedge g_3 \Rightarrow a \iff g_1 \cdot g_2 \Rightarrow a \wedge g_3 \Rightarrow a \iff f \Rightarrow a.$$
Finally, if $e \xrightarrow{a \mid p} h$, then there are two cases to consider. If $h = h' \cdot (g_2 \cdot g_3)$ with $g_1 \xrightarrow{a \mid p} h'$, then $g_1 \cdot g_2 \xrightarrow{a \mid p} h' \cdot g_2$, and hence $f \xrightarrow{a \mid p} (h' \cdot g_2) \cdot g_3$. Since $h' \cdot (g_2 \cdot g_3) \equiv_0 (h' \cdot g_2) \cdot g_3$, we are done. If $g_1 \Rightarrow a$ and $g_2 \cdot g_3 \xrightarrow{a \mid p} h$, then it suffices to show that $f \xrightarrow{a \mid p} h$. First, if $h = h' \cdot g_3$ and $g_2 \xrightarrow{a \mid p} h'$, then $g_1 \cdot g_2 \xrightarrow{a \mid p} h'$, and hence $f \xrightarrow{a \mid p} h' \cdot g_3 = h$. Second, if $g_2 \Rightarrow a$ and $g_3 \xrightarrow{a \mid p} h$, then $g_1 \cdot g_2 \Rightarrow a$, and hence $f \xrightarrow{a \mid p} h$.

(S2) If $e = 0 \cdot f$, then a straightforward argument shows that $e \downarrow a$ for all $a \in A$; since $0 \downarrow a$ for all $a \in A$, this completes the proof.

(S4) If $e = 1 \cdot f$, then a straightforward argument shows that $e \downarrow a$ if and only if $f \downarrow a$, as well as $e \Rightarrow a$ if and only if $f \Rightarrow a$, and $e \xrightarrow{a \mid p} h$ if and only if $f \xrightarrow{a \mid p} h$. As with the cases for the guarded union axioms, this suffices.

(S5) If $e = f \cdot 1$, then another straightforward argument shows that $e \downarrow a$ if and only if $f \downarrow a$, as well as $e \Rightarrow a$ if and only if $f \Rightarrow a$. Furthermore, if $e \xrightarrow{a \mid p} h$, then $h = h' \cdot 1$ with $f \xrightarrow{a \mid p} h'$. Since $h' \cdot 1 \equiv_0 h'$, this completes the proof for this case.

The final cases to consider in the base are the first two loop axioms.

(W1) If $e = g \cdot g^{(b)} +_b 1$ and $f = g^{(b)}$ with $g \in \mathsf{Exp}$ and $b \in \mathsf{BExp}$, then we derive
$$e \downarrow a \iff a \in b \wedge [g \downarrow a \vee [g \Rightarrow a \wedge g^{(b)} \downarrow a]] \iff f \downarrow a.$$
As far as successful termination is concerned, we can derive
$$e \Rightarrow a \iff [a \in b \wedge g \Rightarrow a \wedge g^{(b)} \Rightarrow a] \vee a \notin b \iff f \Rightarrow a.$$
Finally, if $e \xrightarrow{a \mid p} h$, then $a \in b$ and $h = g' \cdot g^{(b)}$ with $g \xrightarrow{a \mid p} g'$. But in that case $f \xrightarrow{a \mid p} h$ as well. Since $\equiv_0$ is reflexive, this completes the proof.

(W2) If $e = (c \cdot g)^{(b)}$ and $f = (g +_c 1)^{(b)}$ with $g \in \mathsf{Exp}$ and $b, c \in \mathsf{BExp}$, then derive
$$e \downarrow a \iff a \in b \wedge [c \cdot g \downarrow a \vee c \cdot g \Rightarrow a] \iff a \in b \wedge [g +_c 1 \downarrow a \vee g +_c 1 \Rightarrow a] \iff f \downarrow a.$$
Similarly, for successful termination we derive $e \Rightarrow a \iff a \notin b \iff f \Rightarrow a$. Finally, if $e \xrightarrow{a \mid p} h$, then $h = h' \cdot e$ with $c \cdot g \xrightarrow{a \mid p} h'$. Since $c$ does not permit any transitions, this implies that $a \in c$ and $g \xrightarrow{a \mid p} h'$. From this, it follows that $g +_c 1 \xrightarrow{a \mid p} h'$, and thus $f \xrightarrow{a \mid p} h' \cdot f$. Since $h' \cdot e \equiv_0 h' \cdot f$ by W2, we are done.

The inductive cases for reflexivity, symmetry and transitivity of $\equiv_0$ are completely straightforward, and follow from the fact that bisimilarity enjoys the same properties.

To account for the fact that $\equiv_0$ is a congruence, we treat the case for sequential composition, i.e., where $e = e_1 \cdot e_2$ and $f = f_1 \cdot f_2$ with $e_1 \equiv_0 f_1$ and $e_2 \equiv_0 f_2$; the other cases are similar. By induction, this tells us that $e_1$ is bisimilar to $f_1$, and $e_2$ is bisimilar to $f_2$. It is then not hard to show that $e \downarrow a$ if and only if $f \downarrow a$ as well as $e \Rightarrow a$ if and only if $f \Rightarrow a$. Furthermore, if $e \xrightarrow{a \mid p} e'$, then either $e' = e_1' \cdot e_2$ and $e_1 \xrightarrow{a \mid p} e_1'$, or $e_1 \Rightarrow a$ and $e_2 \xrightarrow{a \mid p} e'$. In the former case, $f_1 \xrightarrow{a \mid p} f_1'$ such that $e_1' \equiv_0 f_1'$, by induction. In that case $f \xrightarrow{a \mid p} f_1' \cdot f_2$; since $e' = e_1' \cdot e_2 \equiv_0 f_1' \cdot f_2$, we are done. Otherwise, if $e_1 \Rightarrow a$ and $e_2 \xrightarrow{a \mid p} e'$, then by induction $f_2 \xrightarrow{a \mid p} f'$ such that $e' \equiv_0 f'$. Since furthermore $f_1 \Rightarrow a$ in this case, $f \xrightarrow{a \mid p} f'$ and we are done.

The only case where we need a new idea is for W3. Here, we know that $e \equiv_0 f$ because $f = g^{(b)} \cdot h$, with $e \equiv_0 g \cdot e +_b h$ and $E(g) \equiv_0 0$. A routine argument shows that $e \downarrow a$ if and only if $f \downarrow a$ as well as $e \Rightarrow a$ if and only if $f \Rightarrow a$. Next, if $e \xrightarrow{a \mid p} e'$, then we know by applying the induction hypothesis to $e \equiv_0 g \cdot e +_b h$ that $g \cdot e +_b h \xrightarrow{a \mid p} e''$ with $e' \equiv_0 e''$. This gives us two cases to consider. If $a \in b$, then $g \cdot e \xrightarrow{a \mid p} e''$. Now, note that if $g \Rightarrow a$, then $E(g) \Rightarrow a$ as well; since the latter would imply, by induction, that $0 \Rightarrow a$, we can exclude it. This tells us that $e'' = g' \cdot e$ with $g \xrightarrow{a \mid p} g'$. In that case, $f \xrightarrow{a \mid p} g' \cdot f$. Since $e' \equiv_0 e'' = g' \cdot e \equiv_0 g' \cdot f$, we are done. If $a \notin b$, then $h \xrightarrow{a \mid p} e''$. In that case, $g^{(b)} \Rightarrow a$, and hence $f \xrightarrow{a \mid p} e''$. ◀

C Topological structure of $Z$

The space of trees $Z$ has a rich structure that is useful in the proofs that follow. In this appendix, we will show that we can equip $Z$ with the compact metric $d$, defined by
$$d(s, t) = \max\{\, 2^{-|w|} \;\mid\; w \in \mathrm{dom}(s) \cap \mathrm{dom}(t) \text{ and } t(w) \ne s(w) \,\}, \qquad \text{where } \max \emptyset = 0.$$

▶ Lemma C.1. $(Z, d)$ is a metric space.

Proof.
Let $s, t \in Z$. Symmetry of $d$ is immediate from the definition. To show that $d$ is a metric, it remains to prove that $s = t$ if and only if $d(s, t) = 0$, and that $d$ satisfies the triangle inequality.

We begin by making the observation that, if $w \in \mathrm{dom}(t) \setminus \mathrm{dom}(s)$, then $d(s, t) > 2^{-|w|}$. Let $w \in \mathrm{dom}(t) \setminus \mathrm{dom}(s)$. Since $A \subseteq \mathrm{dom}(s) \cap \mathrm{dom}(t)$, there is a longest prefix $v$ of $w$ such that $v \in \mathrm{dom}(s) \cap \mathrm{dom}(t)$. By assumption, $t(v) \in \Sigma$, for otherwise $v$ is a leaf of $t$ and $w = v$, contradicting the assumption that $w \notin \mathrm{dom}(s)$. Moreover, $s(v) \in 2$, for otherwise $v$ would be an inner node of $s$ and, writing $w = vau$ for some $a \in A$ and $u \in A^*$, the longer prefix $va$ of $w$ would satisfy $va \in \mathrm{dom}(s) \cap \mathrm{dom}(t)$, contradicting the assumption that $v$ is the longest prefix of $w$ in $\mathrm{dom}(s) \cap \mathrm{dom}(t)$. This means that $t(v) \ne s(v)$, because $\Sigma \cap 2 = \emptyset$. Hence, $d(s, t) \ge 2^{-|v|} > 2^{-|w|}$.

One consequence of this observation is that, if $d(s, t) = 0$, then $\mathrm{dom}(s) = \mathrm{dom}(t)$. Since this means that $\mathrm{dom}(t) = \mathrm{dom}(s) \cap \mathrm{dom}(t) = \mathrm{dom}(s)$, $d(s, t) = 0$ forces $s(w) = t(w)$ for any $w$ where either is defined. Hence, $s = t$. Conversely, $d(s, s) = 0$ trivially.

To see that $d$ satisfies the triangle inequality, assume $d(s, t) = 2^{-k}$. Then there is a word $w \in \mathrm{dom}(s) \cap \mathrm{dom}(t)$ such that $|w| = k$ and $s(w) \ne t(w)$. Now consider a third tree, $r \in Z$. It cannot be the case that both $w \in \mathrm{dom}(r)$ with $s(w) = r(w)$ and $r(w) = t(w)$, so either $w \in \mathrm{dom}(s) \setminus \mathrm{dom}(r)$, in which case $d(s, r) > 2^{-k}$, or $w \in \mathrm{dom}(r)$ with $s(w) \ne r(w)$ or $r(w) \ne t(w)$, meaning one of $d(s, r)$ and $d(r, t)$ is at least $2^{-k}$. Whence,
$$d(s, t) = 2^{-k} \le \max\{d(s, r), d(r, t)\} \le d(s, r) + d(r, t).$$
This concludes the proof that $d$ is a metric. ◀

Next, we argue that $(Z, d)$ is a complete metric space by showing something much stronger: $(Z, d)$ is compact.

▶ Lemma C.2. $(Z, d)$ is a compact metric space.

Proof. Let $(t_i)_{i > 0}$ be an infinite sequence in $Z$. To show that $Z$ is compact, we need to exhibit a convergent subsequence of $(t_i)_{i > 0}$. This can be done as follows. Let $t^{(0)} = (t_i)_{i > 0}$, and for any $k \in \mathbb{N}$ let $t^{(k+1)}$ be a subsequence of $(t^{(k)}_i)_{i > 0}$ satisfying
$$(\forall i, j \in \mathbb{N})(\forall w \in A^+)\quad |w| \le k + 1 \implies t^{(k+1)}_i(w) = t^{(k+1)}_j(w).$$
Such a subsequence always exists, because there are finitely many partial functions $\bigcup_{i=1}^{k+1} A^i \rightharpoonup 2 + \Sigma$, and hence there are infinitely many $t^{(k)}_i$ that agree on all words of length at most $k + 1$. We claim that the diagonal subsequence $(t^{(i)}_i)_{i > 0}$ of $(t_i)_{i > 0}$ converges.

The intuitive candidate for the limit of $(t^{(i)}_i)_{i > 0}$ is given by the expression $s = \lambda w.\, t^{(|w|)}_{|w|}(w)$. We need to show that this defines a tree in $Z$. This can be done by checking the domain rules for a tree in $Z$.

For the first domain rule, suppose $w \in \mathrm{dom}(s)$ and $s(w) \in \Sigma$, and let $n = |w|$, so that $t^{(n)}_n(w) \in \Sigma$. By construction, $t^{(n+1)}_{n+1}(w) = t^{(n)}_n(w)$, putting $t^{(n+1)}_{n+1}(w) \in \Sigma$. This means that for any $a \in A$, $wa \in \mathrm{dom}(t^{(n+1)}_{n+1})$. This puts $wa \in \mathrm{dom}(s)$ for every $a \in A$.

For the second domain rule, let $s(w) \in 2$. Where $n = |w|$, $t^{(n)}_n(w) = s(w)$, so $t^{(n)}_n(w) \in 2$. Moreover, $t^{(n+k)}_{n+k}(w) = t^{(n)}_n(w)$ for any $k \ge 0$, putting $t^{(n+k)}_{n+k}(w) \in 2$ for all $k \ge 0$. If $u \in A^+$ with $|u| = k$, then $wu \notin \mathrm{dom}(t^{(n+k)}_{n+k})$. Hence, $wu \notin \mathrm{dom}(s)$. This concludes the argument showing that $s \in Z$.

For any $n > 0$ and $w \in \mathrm{dom}(s)$ with $|w| \le n$, $s(w) = t^{(|w|)}_{|w|}(w) = t^{(n)}_n(w)$. This means that $s$ and $t^{(n)}_n$ agree on all words of length at most $n$, or equivalently $d(s, t^{(n)}_n) \le 2^{-n}$. As $n$ tends to $\infty$, the subsequence $(t^{(n)}_n)_{n > 0}$ of $(t_i)_{i > 0}$ converges to $s$. Hence, $Z$ is compact. ◀

Indeed, every compact metric space is also complete, for every incomplete metric space contains a sequence with no convergent subsequence (consider an arbitrary nonconvergent Cauchy sequence). It should be noted, as well, that the completeness of $Z$ does not depend on the finiteness of $\Sigma$. In fact, at the time of writing, the finiteness of $\Sigma$ plays little to no role in the theory of GKAT whatsoever.
D Detailed proofs for Section 6: Well-nested automata and nested behaviour
We begin this appendix by showing that our two-state automaton is not nested.

§ Example D.1. The automaton $X$ below is not nested if $b, \bar b \neq 0$.

[Figure: the two-state automaton $X$, with states $v_1, v_2$ and transitions labelled $b$, $\bar b$, $b \mid p$ and $\bar b \mid q$.]

This is a direct consequence of the following lemma.
§ Lemma D.2. Let $b \subset A$, $t \in W$, and consider any infinite branch $B = \{a_1, a_1a_2, a_1a_2a_3, \dots\} \subseteq \mathrm{Node}(t)$ of $t$. Then either
$$|\{w \in B \mid E(\partial_w t) = b\}| < \omega \quad\text{or}\quad |\{w \in B \mid E(\partial_w t) = \bar b\}| < \omega.$$
A branch with this property will be known as finitely alternating.

Proof. By induction on the construction of $t$. Since discrete trees do not have infinite branches, the base case is vacuous.

For the induction step, we assume that the lemma holds for any $b \subset A$ and any infinite branch of $r$, $s$ and the items of a sequence $s_a$ indexed by $A$.

($+$) Suppose $\partial_a t = s_a$ for all $a \in N(t)$, and consider a particular $a \in N(t)$. If $B$ is a branch of $t$ including $a$, then $B = \{\epsilon\} \cup aB'$ for some branch $B'$ of $s_a$. Thus, since $B'$ is finitely alternating by assumption, $B$ must be as well.

($\cdot$) Suppose $t = r \cdot s$. Similarly, if $B$ is an infinite branch of $t$, then either $B$ is an infinite branch of $r$ or there is a word $a_1 \cdots a_n \in B$ such that
$$B = \{a_1, \dots, a_1 \cdots a_n\} + (a_1 \cdots a_{n-1})B' \tag{2}$$
for some branch $B'$ of $s$ beginning with $a_n$. Since there are only finitely many words of length at most $n$ in $B$,
$$|\{w \in B \mid |w| \leq n \text{ and } E(\partial_w t) = b\}| < \omega \quad\text{and}\quad |\{w \in B \mid |w| \leq n \text{ and } E(\partial_w t) = \bar b\}| < \omega.$$
Since $B'$ is finitely alternating, it follows from Equation (2) that $B$ must be as well.

($\rhd$) Suppose $t = r \rhd s$, and let $B$ be an infinite branch of $t$. Without loss of generality, we can assume that $B$ is not a branch of $r \cdot s^{\cdot n}$ for any $n \in \mathbb{N}$ (by referring to the previous case otherwise). This means that, for some word $wa \in B$, $w \in \mathrm{Node}(r \cdot s^{\cdot n})$ and $r \cdot s^{\cdot n}(wa) = 1$, while $wa \in \mathrm{Node}(r \rhd s)$, so it must be that $s(a) \neq 1$. Suppose that $B$ is not finitely alternating, and without loss of generality that $a \in b$. Then, since $\{w \in B \mid E(\partial_w t) = b\}$ is infinite, there is an $m \in \mathbb{N}$ and a word $aw' \in \mathrm{Node}(s^{\cdot m})$ such that $waw' \in B$ and $E(\partial_{waw'} t) = b$. However, this means that $s^{\cdot m}(aw'a) = \partial_{waw'} t(a) = 1$, since we assumed $a \in b$. This makes $w''a$ an accepting leaf of $s$, for some suffix $w''$ of $w'$, even though $s(a) \neq 1$. This contradicts the construction of $t$, for by definition, the set of atomic suffixes of accepting leaves of $r \rhd s$ must be contained in $E(s)$. It follows that $B$ must have been finitely alternating to begin with. ◀

Let $t \in Z$ and $b \subseteq A$. The observation that $W$ is a subalgebra of $Z$ rested on the identity $t^{(b)} = 1 \rhd (\tilde t +_b 1)$, where $\tilde t = \sum_{t \xrightarrow{a \mid p_a} t_a} p_a \cdot t_a$. This is established by showing that the relation
$$R = \{(s \cdot t^{(b)},\ s \rhd (\tilde t +_b 1)) \mid s, t \in Z\} \cup \Delta_Z$$
is a bisimulation with Lemma 4.2. To this end, observe that
$$(s \cdot t^{(b)})(a) = \begin{cases} t^{(b)}(a) & \text{if } s(a) = 1 \\ s(a) & \text{otherwise} \end{cases}
= \begin{cases} 1 & \text{if } a \notin b \text{ and } s(a) = 1 \\ t(a) & \text{if } a \in b,\ t(a) \in \Sigma,\ \text{and } s(a) = 1 \\ 0 & \text{if } a \in b,\ t(a) \in 2,\ \text{and } s(a) = 1 \\ s(a) & \text{otherwise} \end{cases}
= \begin{cases} 1 & \text{if } a \notin b \text{ and } s(a) = 1 \\ \tilde t(a) & \text{if } a \in b \text{ and } s(a) = 1 \\ s(a) & \text{otherwise} \end{cases}
= (s \rhd (\tilde t +_b 1))(a).$$
This establishes (1) from Lemma 4.2. For (2), write
$$\partial_a(s \cdot t^{(b)}) = \begin{cases} \partial_a t \cdot t^{(b)} & \text{if } s(a) = 1,\ a \in b \wedge N(t) \\ \partial_a s \cdot t^{(b)} & \text{otherwise} \end{cases}$$
$$\partial_a(s \rhd (\tilde t +_b 1)) = \begin{cases} \partial_a \tilde t \rhd (\tilde t +_b 1) & \text{if } s(a) = 1,\ a \in b \wedge N(t) \\ \partial_a s \rhd (\tilde t +_b 1) & \text{otherwise} \end{cases}
= \begin{cases} \partial_a t \rhd (\tilde t +_b 1) & \text{if } s(a) = 1,\ a \in b \wedge N(t) \\ \partial_a s \rhd (\tilde t +_b 1) & \text{otherwise.} \end{cases}$$
Each respective pair is a member of $R$, so $R$ is a bisimulation by Lemma 4.2.

§ Proposition 6.2. $W$ is the set of GKAT program behaviors, i.e., $W = \{\llbracket e \rrbracket \mid e \in \mathsf{Exp}\}$.

Proof.
We have already seen $W \supseteq \mathrm{img}(\llbracket - \rrbracket)$. The reverse containment can be shown by induction on the nesting rules.

By definition, $\llbracket b \rrbracket \in \mathrm{img}(\llbracket - \rrbracket)$ for any $b \subseteq A$. Furthermore, if $\partial_a t = \llbracket e_a \rrbracket$ for all $a \in N(t)$, then
$$t = 1 +_{E(t)} \Big( \bigoplus_{a \in N(t)} t(a) \cdot \llbracket e_a \rrbracket \Big) = \Big\llbracket\, 1 +_{E(t)} \Big( \bigoplus_{a \in N(t)} t(a) \cdot e_a \Big) \Big\rrbracket.$$
If $s = \llbracket e \rrbracket$ and $t = \llbracket f \rrbracket$, then $s \cdot t = \llbracket e \cdot f \rrbracket$ by definition.

The continuation case can be seen from the following identity,
$$s \rhd t = s \cdot t^{(E(t))}. \tag{3}$$
If $s = \llbracket e \rrbracket$ and $t = \llbracket f \rrbracket$, then $s \rhd t = \llbracket e \rrbracket \cdot \llbracket f \rrbracket^{(E(t))} = \llbracket e \cdot f^{(E(t))} \rrbracket$.

It now suffices to see Equation (3). This can be shown with a routine coinductive argument, establishing that $R = \{(s \rhd t,\ s \cdot t^{(E(t))}) \mid s, t \in Z\}$ is a bisimulation. Calculating, we see that both $(s \rhd t)(a)$ and $(s \cdot t^{(E(t))})(a)$ are $t(a)$ if $s(a) = 1$, and $s(a)$ otherwise. For the coinductive step, observe that
$$\partial_a(s \cdot t^{(E(t))}) = \begin{cases} \partial_a(t^{(E(t))}) & \text{if } s(a) = 1 \\ \partial_a s \cdot t^{(E(t))} & \text{otherwise} \end{cases} = \begin{cases} \partial_a t \cdot t^{(E(t))} & \text{if } s(a) = 1 \\ \partial_a s \cdot t^{(E(t))} & \text{otherwise} \end{cases}$$
and
$$\partial_a(s \rhd t) = \begin{cases} \partial_a t \rhd t & \text{if } s(a) = 1 \\ \partial_a s \rhd t & \text{otherwise.} \end{cases}$$
The respective pairs are in $R$, as desired. This establishes Equation (3). ◀

To formally define what it means to be well-nested, we need the following automata-theoretic construction. Given a GKAT-automaton $X$, a subset $U \subseteq X$, and a function $h : A \to 2 + \Sigma \times X$, the uniform continuation of $h$ along $U$ is the automaton $X[U, h] = (X, \delta[U, h])$ obtained by setting
$$\delta[U, h](x)(a) = \begin{cases} h(a) & \text{if } x \Rightarrow a \text{ and } x \in U, \\ \delta(x)(a) & \text{otherwise.} \end{cases}$$
A GKAT-automaton $X$ is called discrete if it satisfies the discrete coequation, $D$. The class of well-nested GKAT-automata [33] is defined to be the smallest class containing (a) every finite discrete coalgebra, and (b) $(X + Y)[X, h]$ whenever $X$ and $Y$ are well-nested.

A short, relatively abstract proof of the following proposition was already given in Section 6. We include the following more combinatorial proof as a supplement.

§ Proposition 6.3. Well-nested GKAT-automata satisfy the nesting coequation.

Proof.
By induction on the construction of $V$. Of course, $V$ is discrete if and only if $V \models D$, so the base case follows from the definition of nestedness.

For the inductive step, let $V = (X + Y)[X, h]$, where $X$ and $Y$ are well-nested coalgebras satisfying $W$, and $h : A \to 2 + \Sigma \times (X + Y)$. By finality, we obtain three homomorphisms $!_X : X \to Z$, $!_Y : Y \to Z$, and $!_V : V \to Z$. The first two satisfy $!_X[X], !_Y[Y] \subseteq W$ by the induction hypothesis. Since $Y$ is a subautomaton of $V$, $!_V(v) = !_Y(v)$ for any $v \in Y$, so it suffices to check that $!_V(v) \in W$ for $v \in X$. To do this, we let $!_V(v) = t$ for an arbitrary $v \in X$ and exhibit a construction of $t$ from the nesting rules.

We begin by showing the nestedness of $t' := !_{V'}(v)$, where $V' := X[X, h']$ and
$$h'(a) := \begin{cases} 1 & \text{if } h(a) \in Y, \\ h(a) & \text{otherwise.} \end{cases}$$
This allows us to write $V = (V' + Y)[X, h]$ and $t = t' \cdot s$, where
$$s(a) = \begin{cases} 0 & \text{if } h(a) = 0 \text{ or } h(a) \in \Sigma \times X, \\ 1 & \text{if } h(a) = 1, \\ p & \text{if } h(a) = (p, y) \in \Sigma \times Y \end{cases}
\qquad\text{and}\qquad \partial_a s = !_Y(\pi_2 \circ h(a)).$$
Indeed, $t(w) = t'(w)$ for any $w \in A^+$ such that $\delta_V(v, w) \in X$; as well as for any $w \in A^+$ such that $w = w'a$, $\delta_V(v, w') \in X$, and $v \Rightarrow_V a$. Thus, it suffices to see that $V' \models W$, and by extension that $t' \in W$.

Towards the construction of $t'$, let $t'' = !_X(v)$, and define
$$s'(a) = \begin{cases} 0 & \text{if } h(a) = 0 \text{ or } h(a) \in \Sigma \times Y, \\ 1 & \text{if } h(a) = 1, \\ p & \text{if } h(a) = (p, x) \in \Sigma \times X \end{cases}
\qquad\text{and}\qquad \partial_a s' = !_X(\pi_2 \circ h(a)).$$
By the induction hypothesis, $t'', s' \in W$. We claim that $t'' \rhd s' = t'$.

To verify the claim, first let $C = \{x \in X \mid v \to^+_X x \text{ and } (\exists a \in A)(x \Rightarrow_X a \text{ and } h(a) \in X)\}$, where $(-)^+$ denotes transitive closure. If $C = \emptyset$, then $t' = t''$. Since this puts $t' \in W$, it suffices to consider the case where $C \neq \emptyset$.

Assuming $C \neq \emptyset$, define $m = \min\{|w| \mid w \in A^+ \text{ and } \delta_X(v, w) \in C\}$. Note that $d(t', t'') \leq 2^{-m}$ by design.

Next, set $B = \{x \in X \mid (\exists a \in A)(x \Rightarrow_X a \text{ and } h(a) \in X)\}$. Of course, $C \subseteq B$, so $C \neq \emptyset$ means $B \neq \emptyset$ also. If $\neg(x \to^+_V y)$ holds for all $x, y \in B$, then $t'' \cdot s'^{\cdot n} = t'' \cdot s'$ for all $n > 0$. This also means that $t' = t'' \cdot s'$, so it suffices to consider the case where $x \to^+_V y$ holds for some $x, y \in B$.

Assuming $x \to^+_V y$ holds for some $x, y \in B$, let $\rho = \min\{|w| \mid w \in A^+ \text{ and } (\exists x, y \in B)(\delta_V(x, w) = y)\}$. Every path of the form $v \to^+_X x_0 \to^+_V x_1 \to^+_V \cdots \to^+_V x_n$ with $x_0 \in C$ and $x_i \in B$ for $i > 0$ has length at least $m + n\rho$. If each path is chosen to be the shortest possible path, then since a branch of $t''$ witnesses the path $v \to^+_X x_0$, a branch of $t'' \cdot s'$ witnesses the path $x_0 \to^+_V x_1$, and so on, we have $d(t', t'' \cdot s'^{\cdot n}) \leq 2^{-(m + n\rho)} \leq 2^{-n\rho}$. Hence, $t'' \rhd s' = \lim_{n \to \infty} t'' \cdot s'^{\cdot n} = t'$. ◀

E Detailed proofs for Section 7.1: Uniqueness of solutions for Salomaa systems
Recall that any finite product of compact spaces is compact. In particular, $Z^n$ is compact for any $n \in \mathbb{N}$. Compact metric spaces are necessarily complete, so $Z^n$ is complete as well. This gives us access to the Banach fixed-point theorem, which states that any function $f : M \to M$ from a complete metric space $(M, d_M)$ to itself that satisfies
$$(\exists z \in [0,1))(\forall x, y \in M)\quad d_M(f(x), f(y)) \leq z \cdot d_M(x, y)$$
has a unique fixed-point. In the formula above, any $z \in [0,1)$ witnessing this property is called a contraction scalar for $f$.

§ Theorem 7.2. For any $i, j \leq n$, let $s_{ij} \in Z$ satisfy $s_{ij}(a) \neq 1$ for any $a \in A$, $(b_{ij})_{j \leq n}$ be a sequence of disjoint Boolean expressions for any $i \leq n$, and $c_i \subseteq A$ be disjoint from $b_{ij}$ for each $i \leq n$. The system of equations
$$x_i = s_{i1} \cdot t_1 +_{b_{i1}} \cdots +_{b_{i(n-1)}} s_{in} \cdot t_n +_{b_{in}} c_i,$$
indexed by $i \leq n$, has a unique solution in $Z^n$.

Proof. Let $f : Z^n \to Z^n$ be the function defined component-wise by
$$f(\vec t)_i = s_{i1} \cdot t_1 +_{b_{i1}} \cdots +_{b_{i(n-1)}} s_{in} \cdot t_n +_{b_{in}} c_i$$
where $\vec t = (t_i)_{i \leq n} \in Z^n$. We are going to show that $f$ is a contraction mapping in the product metric $d_p(\vec t, \vec t\,') := \max\{d(t_i, t'_i) \mid i \leq n\}$ on $Z^n$, with contraction scalar $1/2$, and deduce the result from the Banach fixed-point theorem.

To this end, let $\vec t, \vec t\,' \in Z^n$ be two $n$-tuples of trees, and fix an index $i \leq n$. Clearly,
$$d(f(\vec t)_i, f(\vec t\,')_i) = \max\{d(s_{ij} \cdot t_j, s_{ij} \cdot t'_j) \mid j \leq n\},$$
since any word $aw \in \mathrm{dom}(f(\vec t)_i) \cap \mathrm{dom}(f(\vec t\,')_i)$ at which $f(\vec t)_i(aw) \neq f(\vec t\,')_i(aw)$ must begin with an atom $a \in b_{ij}$ for some $j \leq n$. We argue below that, in fact, $d(s_{ij} \cdot t_j, s_{ij} \cdot t'_j) \leq (1/2)\, d(t_j, t'_j)$ for any $j \leq n$. It follows from this observation that
$$d(f(\vec t)_i, f(\vec t\,')_i) = \max\{d(s_{ij} \cdot t_j, s_{ij} \cdot t'_j) \mid j \leq n\} \leq (1/2) \max\{d(t_j, t'_j) \mid j \leq n\} = (1/2)\, d_p(\vec t, \vec t\,'),$$
which by definition of the product metric makes $1/2$ a contraction scalar for $f$.

In general, $d(s \cdot t, s \cdot t') \leq d(t, t')$ for any $s, t, t' \in Z$, and $d(s, t) \leq (1/2)\, d(\partial_a s, \partial_a t)$ when both derivatives are defined. Thus, for a fixed $j \leq n$ and atom $a \in b_{ij}$, if $s_{ij}(a) \in \Sigma$, we obtain
$$d(s_{ij} \cdot t_j, s_{ij} \cdot t'_j) \leq (1/2)\, d(\partial_a(s_{ij} \cdot t_j), \partial_a(s_{ij} \cdot t'_j)) = (1/2)\, d(\partial_a s_{ij} \cdot t_j, \partial_a s_{ij} \cdot t'_j) \leq (1/2)\, d(t_j, t'_j).$$
If there is no such atom, then $s_{ij} = 0$, because $s_{ij}$ is productive. This would then imply that $d(s_{ij} \cdot t_j, s_{ij} \cdot t'_j) = d(0, 0) = 0 \leq (1/2)\, d(t_j, t'_j)$. In either case, $d(s_{ij} \cdot t_j, s_{ij} \cdot t'_j) \leq (1/2)\, d(t_j, t'_j)$ as desired.

By definition of the product metric, $d_p(f(\vec t), f(\vec t\,')) = \max\{d(f(\vec t)_i, f(\vec t\,')_i) \mid i \leq n\} \leq (1/2)\, d_p(\vec t, \vec t\,')$. Whence, $f$ is a contraction map with contraction scalar $1/2$. By the Banach fixed-point theorem, $f$ has a unique fixed-point in $Z^n$. This fixed-point is the unique $\vec r \in Z^n$ satisfying
$$r_i = s_{i1} \cdot r_1 +_{b_{i1}} \cdots +_{b_{i(n-1)}} s_{in} \cdot r_n +_{b_{in}} c_i,$$
for all $i \leq n$. ◀

F Detailed proofs for Section 7.2: Completeness w.r.t. $\equiv_0$

To prove the completeness theorem for $\equiv_0$, we need the following lemma, which is a way of saying that $e$ has finitely many derivatives.

§ Lemma F.1.
The GKAT-automaton $\mathcal E = (\mathsf{Exp}, D)$ is locally finite, meaning that for any $e \in \mathsf{Exp}$, the subautomaton generated by $e$, $\langle e \rangle_{\mathcal E}$, has finitely many states.

Proof. Let $|\langle e \rangle_{\mathcal E}|$ be the cardinality of the set of states in the subautomaton $\langle e \rangle_{\mathcal E}$ of $\mathcal E$, and define $\sharp : \mathsf{Exp} \to \mathbb{N}$ inductively as follows:
$$\sharp(b \subseteq A) = 1 \qquad \sharp(p \in \Sigma) = 2 \qquad \sharp(e +_b f) = \sharp(e) + \sharp(f) \qquad \sharp(e \cdot f) = \sharp(e) + \sharp(f) \qquad \sharp(e^{(b)}) = \sharp(e)$$
We will show that $|\langle e \rangle_{\mathcal E}| \leq \sharp(e)$ for all $e \in \mathsf{Exp}$, by induction on the construction of $e$.

Observe that if $e = b \subseteq A$ or $e = p \in \Sigma$, then $|\langle e \rangle_{\mathcal E}| = \sharp(e)$ by definition. This handles the base case.

For the inductive step, assume $|\langle e \rangle_{\mathcal E}| \leq \sharp(e)$ and $|\langle f \rangle_{\mathcal E}| \leq \sharp(f)$, and let $b \subseteq A$. Every syntactic derivative of $e +_b f$ is a derivative of either $e$ or $f$, so immediately we obtain $|\langle e +_b f \rangle_{\mathcal E}| \leq |\langle e \rangle_{\mathcal E}| + |\langle f \rangle_{\mathcal E}| \leq \sharp(e) + \sharp(f) = \sharp(e +_b f)$. Similarly, every derivative of $e \cdot f$ is either of the form $e' \cdot f$ for some derivative $e'$ of $e$, or is a derivative of $f$. Hence, $|\langle e \cdot f \rangle_{\mathcal E}| \leq |\langle e \rangle_{\mathcal E} \times \{f\}| + |\langle f \rangle_{\mathcal E}| \leq \sharp(e) + \sharp(f) = \sharp(e \cdot f)$. Finally, every derivative of $e^{(b)}$ is of the form $e' \cdot e^{(b)}$ for some derivative $e'$ of $e$. These are in one-to-one correspondence with the derivatives of $e$, so $|\langle e^{(b)} \rangle_{\mathcal E}| \leq |\langle e \rangle_{\mathcal E}| \leq \sharp(e) = \sharp(e^{(b)})$. ◀

It follows from this lemma and Proposition 6.2 that $W$ is locally finite as well: indeed, if $t = \llbracket e \rrbracket$, then $\langle t \rangle_Z$ is a subautomaton of the image of $\langle e \rangle_{\mathcal E}$ under $!_{\mathcal E}$ (in fact, the two are equal). Thus, since $\langle e \rangle_{\mathcal E}$ is finite, so must $\langle t \rangle_Z$ be.

Now, we know that every finite automaton $X = (X, \delta)$ gives rise to a Salomaa system of left-affine equations
$$S(X) = \{\, x_i = e_{i1} \cdot x_1 +_{b_{i1}} \cdots +_{b_{i(n-1)}} e_{in} \cdot x_n +_{b_{in}} c_i \mid i \in I \,\},$$
where $X = \{x_i \mid i \in I\}$ is treated as a set of indeterminates, and $e_{ij} = \bigoplus_{x_i \xrightarrow{a \mid p_a} x_j} p_a$, where $c_i = \{a \in A \mid x_i \Rightarrow a\}$, $b_{ij} = \{a \in A \mid x_i \xrightarrow{a \mid p} x_j\}$, and $X = \{x_i \mid i \leq n\}$. By Lemma F.1, every expression $e \in \mathsf{Exp}$ gives rise to a finite subautomaton $\langle e \rangle_{\mathcal E}$ of $\mathcal E$. By the fundamental theorem, the inclusion map $\langle e \rangle_{\mathcal E} \hookrightarrow \mathcal E$ is a solution to $S(\langle e \rangle_{\mathcal E})$.
By the uniqueness axiom, this inclusion map is the unique solution to $S(\langle e \rangle_{\mathcal E})$ up to $\equiv_0$. This shows that whenever two automata are isomorphic, $\langle e \rangle_{\mathcal E} \cong \langle f \rangle_{\mathcal E}$, we have $e \equiv_0 f$, since $S(\langle e \rangle_{\mathcal E})$ and $S(\langle f \rangle_{\mathcal E})$ are the same up to a renaming of variables. The following much stronger statement can be shown, which we use to prove completeness.

§ Lemma F.2. Let $e, f \in \mathsf{Exp}$, and assume the uniqueness axiom for $\equiv_0$. If $e$ and $f$ are bisimilar, then $e \equiv_0 f$.

Proof. We argue in a similar manner to the isomorphism case. Let $X = \langle e \rangle_{\mathcal E}$ and $Y = \langle f \rangle_{\mathcal E}$, and $R \subseteq X \times Y$ be a bisimulation relating $e$ and $f$. We equip $R$ with a GKAT-automaton structure $R = (R, \delta_R)$ by setting
$$\delta_R((x, y))(a) = \begin{cases} n & \text{if } \delta_X(x)(a) = \delta_Y(y)(a) = n \in 2, \\ (p, (x', y')) & \text{if } \delta_X(x)(a) = (p, x') \text{ and } \delta_Y(y)(a) = (p, y'). \end{cases}$$
Since $R$ is a bisimulation, this is well-defined, and furthermore the projection maps $R \xrightarrow{\pi_1} X$ and $R \xrightarrow{\pi_2} Y$ are GKAT-automaton homomorphisms. Consider the Salomaa system of equations $S(R)$, as well as the maps $\phi_e, \phi_f : R \to \mathsf{Exp}$ defined by $\phi_e(x, y) = x$ and $\phi_f(x, y) = y$. We argue that $\phi_e$ and $\phi_f$ are solutions to $S(R)$, and conclude from the uniqueness axiom that $x \equiv_0 y$ for any $(x, y) \in R$. In particular, $e \equiv_0 f$.

To see that $\phi_e$ is a solution to $S(R)$, let $|R| = k$ and consider an equation
$$(x_i, y_i) = e_{i1} \cdot (x_1, y_1) +_{b_{i1}} \cdots +_{b_{i(k-1)}} e_{ik} \cdot (x_k, y_k) +_{b_{ik}} c_i$$
in $S(R)$. The map $\phi_e$ takes this to the equation
$$x_i = e_{i1} \cdot x_1 +_{b_{i1}} \cdots +_{b_{i(k-1)}} e_{ik} \cdot x_k +_{b_{ik}} c_i.$$
Now, where $[j] = \{l \mid x_l = x_j\} = \{[j]_1, \dots, [j]_m\}$, $b_{i[j]} = b_{i[j]_1} \vee \cdots \vee b_{i[j]_m}$, and
$$g_{i[j]} := e_{i[j]_1} +_{b_{i[j]_1}} e_{i[j]_2} +_{b_{i[j]_2}} \cdots +_{b_{i[j]_{m-1}}} e_{i[j]_m},$$
we see that the right-hand side is $\equiv_0$-equivalent to
$$\begin{aligned}
& e_{i1} \cdot x_{[1]} +_{b_{i1}} \cdots +_{b_{i(k-1)}} e_{ik} \cdot x_{[k]} +_{b_{ik}} c_i \\
&\equiv_0 \big( e_{i1} \cdot x_{[1]} +_{b_{i1}} \cdots +_{b_{i[1]_{m-1}}} e_{i[1]_m} \cdot x_{[1]} \big) +_{b_{i[1]}} \cdots +_{b_{i[k]}} c_i \\
&\equiv_0 g_{i[1]} \cdot x_{[1]} +_{b_{i[1]}} \cdots +_{b_{i[k]}} g_{i[k]} \cdot x_{[k]} +_{b_{i[k]}} c_i.
\end{aligned}$$
The final expression is precisely the $x_{[i]}$'th equation in $S(X)$, since $x_{[i]} \xrightarrow{a \mid p} x_{[j]}$ if and only if $(x_{[i]}, y) \xrightarrow{a \mid p} (x_{[j]}, y')$ for some $y, y' \in Y$ such that $(x_{[i]}, y), (x_{[j]}, y') \in R$. Since $X \hookrightarrow \mathcal E$ is a solution to $S(X)$,
$$x_{[i]} \equiv_0 g_{i[1]} \cdot x_{[1]} +_{b_{i[1]}} \cdots +_{b_{i[k]}} g_{i[k]} \cdot x_{[k]} +_{b_{i[k]}} c_i.$$
Since $i$ was arbitrary, $\phi_e$ is a solution to $S(R)$. Similarly, the same holds for $\phi_f$. Thus, by the uniqueness axiom, $e \equiv_0 f$. ◀

§ Theorem 7.3 (Completeness for $\equiv_0$). Assume the uniqueness axiom for $\equiv_0$ and let $e, f \in \mathsf{Exp}$. If $\llbracket e \rrbracket = \llbracket f \rrbracket$, then $e \equiv_0 f$.

Proof. From Lemma 4.5 and Proposition 5.1, we see that $\llbracket e \rrbracket = \llbracket f \rrbracket$ if and only if $e$ and $f$ are bisimilar. Thus, by Lemma F.2, $e \equiv_0 f$. ◀

G Detailed proofs for Section 7.3: Completeness w.r.t. $\equiv$

The normalized semantics can be connected to $\equiv$ with relative ease, allowing us to recover the partial completeness result from [33], albeit with a different proof.

§ Lemma G.1.
Let $e \in \mathsf{Exp}$. If $\llbracket e \rrbracket$ is dead, then $e \equiv 0$.

Proof. A straightforward check verifies that $R = \{(t \cdot 0, t) \mid t \in Z \text{ is dead}\}$ is a bisimulation. From this, we know that $\llbracket e \rrbracket \cdot 0 = \llbracket e \rrbracket$, and therefore that $\llbracket e \cdot 0 \rrbracket = \llbracket e \rrbracket$. By completeness of $\equiv_0$ w.r.t. $\llbracket - \rrbracket$, we then know that $e \cdot 0 \equiv_0 e$. Since $e \cdot 0 \equiv 0$ and $\equiv_0$ is contained in $\equiv$, we can conclude that $e \equiv 0$. ◀

Interestingly, the result above does not depend on the uniqueness axiom. The following technical lemma describes the interaction between normalization and the other operators on trees.

§ Lemma G.2. If $s, t, r \in Z$ and $b \in \mathsf{BExp}$, then
$$\widehat{(s +_b t)} = \widehat{(\hat s +_b \hat t)} \qquad \widehat{(s \cdot t)} = \widehat{(\hat s \cdot \hat t)} \qquad \widehat{(t \cdot 0)} = 0 = \hat 0 \qquad \widehat{(t^{(b)})} = \widehat{((\hat t)^{(b)})}$$
Furthermore, if $\hat t = \widehat{(r \cdot t +_b s)}$ and $r$ is such that $r(a) \neq 1$ for all $a \in A$, then $\hat t = \widehat{(r^{(b)} \cdot s)}$.

Proof. In all cases, a straightforward coinductive argument suffices. ◀

§ Proposition 7.6. If $e \equiv f$, then $\widehat{\llbracket e \rrbracket} = \widehat{\llbracket f \rrbracket}$.

Proof. We proceed by induction on $\equiv$. In all base cases except S3, we know that $e \equiv_0 f$; by Theorem 5.2, we then know that $\llbracket e \rrbracket = \llbracket f \rrbracket$, and hence $\widehat{\llbracket e \rrbracket} = \widehat{\llbracket f \rrbracket}$. For S3, we have $\widehat{\llbracket e \cdot 0 \rrbracket} = \widehat{\llbracket 0 \rrbracket}$ by the third equality in Lemma G.2.

The inductive cases for reflexivity, symmetry and transitivity are straightforward. The case for congruence w.r.t. the operators follows by the equalities in Lemma G.2.

Finally, in the inductive step for W3, let $e, f, g, h \in \mathsf{Exp}$ and $b \in \mathsf{BExp}$ with $E(g) \equiv 0$, $e \equiv g \cdot e +_b h$ and $f = g^{(b)} \cdot h$. By induction, $\widehat{\llbracket E(g) \rrbracket} = \widehat{\llbracket 0 \rrbracket}$ and $\widehat{\llbracket e \rrbracket} = \widehat{\llbracket g \cdot e +_b h \rrbracket}$. First, note that $\widehat{\llbracket E(g) \rrbracket} = \llbracket E(g) \rrbracket$. By an argument similar to the one in Theorem 5.2, we can conclude that $\llbracket g \rrbracket(a) \neq 1$ for all $a \in A$. Applying the final implication in Lemma G.2, we can conclude that $\widehat{\llbracket e \rrbracket} = \widehat{\llbracket g^{(b)} \cdot h \rrbracket} = \widehat{\llbracket f \rrbracket}$. ◀

To prove that $W$ is closed under normalization (this is Lemma 7.7), we prove something more general. When $P \subseteq Z$ and $t \in Z$, we write $t \mathbin{@} P$ for the pruning of $t$ by $P$, which removes all subtrees of $t$ that are in $P$. This operator is defined coinductively.
$$(t \mathbin{@} P)(a) = \begin{cases} 0 & \text{if } t(a) \in \Sigma \wedge \partial_a t \in P \\ t(a) & \text{otherwise} \end{cases} \qquad\qquad \partial_a(t \mathbin{@} P) = (\partial_a t) \mathbin{@} P$$
Clearly, if $P$ is the coequation of dead trees, then $\hat t = t \mathbin{@} P$. We now claim that if $t \in W$ and $P \subseteq Z$, then $t \mathbin{@} P \in W$.

§ Lemma G.3.
Let $t, s \in Z$ and $P \subseteq Z$ be a coequation. Then
$$(s \cdot t) \mathbin{@} P = (s \mathbin{@} P_t) \cdot (t \mathbin{@} P) \qquad\text{where } P_t = \{r \in Z \mid r \cdot t \in P\}.$$

Proof. We claim that
$$R = \{((s \cdot t) \mathbin{@} P,\ (s \mathbin{@} P_t) \cdot (t \mathbin{@} P)) \mid t, s \in Z,\ P \subseteq Z\} \cup \Delta_Z$$
is a bisimulation. As before, we need only check the pairs in the first part, since the diagonal is already a bisimulation.

For the initial conditions, let $a \in A$. There are several cases to consider.

If $(s \cdot t)(a) \in \Sigma$ and $\partial_a(s \cdot t) \in P$, then $((s \cdot t) \mathbin{@} P)(a) = 0$. We should prove that $((s \mathbin{@} P_t) \cdot (t \mathbin{@} P))(a) = 0$. If $s(a) \in \Sigma$, then $\partial_a s \cdot t = \partial_a(s \cdot t) \in P$, and therefore $\partial_a s \in P_t$. Thus, $(s \mathbin{@} P_t)(a) = 0$. If $s(a) = 1$ and $t(a) \in \Sigma$, then $\partial_a t = \partial_a(s \cdot t) \in P$. Thus, $(s \mathbin{@} P_t)(a) = 1$ and $(t \mathbin{@} P)(a) = 0$, so $((s \mathbin{@} P_t) \cdot (t \mathbin{@} P))(a) = 0$.

Otherwise, $((s \cdot t) \mathbin{@} P)(a) = (s \cdot t)(a)$. We should prove that $((s \mathbin{@} P_t) \cdot (t \mathbin{@} P))(a) = (s \cdot t)(a)$.

If $s(a) = 0$, then $(s \cdot t)(a) = 0 = (s \mathbin{@} P_t)(a) = ((s \mathbin{@} P_t) \cdot (t \mathbin{@} P))(a)$.

If $s(a) = 1$, then $(s \mathbin{@} P_t)(a) = 1$ and $(s \cdot t)(a) = t(a)$. It remains to prove that $(t \mathbin{@} P)(a) = t(a)$. On the one hand, if $t(a) \in 2$, then $(t \mathbin{@} P)(a) = t(a)$ immediately. On the other hand, if $t(a) \in \Sigma$, then $\partial_a t = \partial_a(s \cdot t) \notin P$. Thus, $(t \mathbin{@} P)(a) = t(a)$.

If $s(a) \in \Sigma$, then $\partial_a s \cdot t = \partial_a(s \cdot t) \notin P$, thus $\partial_a s \notin P_t$. We then derive $((s \mathbin{@} P_t) \cdot (t \mathbin{@} P))(a) = (s \mathbin{@} P_t)(a) = s(a) = (s \cdot t)(a)$.

For the coinductive step, let $a \in A$ be such that $((s \cdot t) \mathbin{@} P)(a) = ((s \mathbin{@} P_t) \cdot (t \mathbin{@} P))(a) \in \Sigma$. There are two cases.

First, if $s(a) = 1$, then we derive
$$\partial_a((s \cdot t) \mathbin{@} P) = (\partial_a(s \cdot t)) \mathbin{@} P = \partial_a t \mathbin{@} P \mathrel{R} \partial_a t \mathbin{@} P = \partial_a((s \mathbin{@} P_t) \cdot (t \mathbin{@} P)).$$
Otherwise, if $s(a) \in \Sigma$, then
$$\partial_a((s \cdot t) \mathbin{@} P) = (\partial_a(s \cdot t)) \mathbin{@} P = (\partial_a s \cdot t) \mathbin{@} P \mathrel{R} (\partial_a s \mathbin{@} P_t) \cdot (t \mathbin{@} P) = (\partial_a(s \mathbin{@} P_t)) \cdot (t \mathbin{@} P) = \partial_a((s \mathbin{@} P_t) \cdot (t \mathbin{@} P)).$$
◀

§ Lemma G.4.
Let $t, s \in Z$ and $P \subseteq Z$. Then
$$(s \rhd t) \mathbin{@} P = (s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t) \qquad\text{where } P_t = \{r \in Z \mid r \rhd t \in P\}.$$

Proof. For the initial conditions, there are several cases.

If $(s \rhd t)(a) \in \Sigma$ and $\partial_a(s \rhd t) \in P$, then $((s \rhd t) \mathbin{@} P)(a) = 0$. We should prove $((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t))(a) = 0$. If $s(a) \in \Sigma$, then $\partial_a s \rhd t = \partial_a(s \rhd t) \in P$, and therefore $\partial_a s \in P_t$. Thus, $(s \mathbin{@} P_t)(a) = 0$. If $s(a) = 1$ and $t(a) \in \Sigma$, then $\partial_a t \rhd t \in P$, whence $\partial_a t \in P_t$. Thus, $(s \mathbin{@} P_t)(a) = 1$ and $(t \mathbin{@} P_t)(a) = 0$, so $((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t))(a) = 0$.

Otherwise, $((s \rhd t) \mathbin{@} P)(a) = (s \rhd t)(a)$. We should prove that $((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t))(a) = (s \rhd t)(a)$.

If $s(a) = 0$, then $(s \rhd t)(a) = 0 = (s \mathbin{@} P_t)(a) = ((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t))(a)$.

If $s(a) = 1$, then $(s \rhd t)(a) = t(a)$ and $(s \mathbin{@} P_t)(a) = 1$. It remains to prove that $(t \mathbin{@} P_t)(a) = t(a)$. On the one hand, if $t(a) \in 2$, then $(t \mathbin{@} P_t)(a) = t(a)$ immediately. On the other hand, if $t(a) \in \Sigma$, then $\partial_a t \rhd t = \partial_a(s \rhd t) \notin P$. In that case, $\partial_a t \notin P_t$ as well. But then $(t \mathbin{@} P_t)(a) = t(a)$.

If $s(a) \in \Sigma$, then $\partial_a s \rhd t = \partial_a(s \rhd t) \notin P$. In that case, $\partial_a s \notin P_t$ as well. We then derive $((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t))(a) = (s \mathbin{@} P_t)(a) = s(a) = (s \rhd t)(a)$.

For the coinductive step, let $a \in A$ be such that $((s \rhd t) \mathbin{@} P)(a) = ((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t))(a) \in \Sigma$. There are two cases.

First, if $s(a) = 1$, then we derive
$$\partial_a((s \rhd t) \mathbin{@} P) = (\partial_a(s \rhd t)) \mathbin{@} P = (\partial_a t \rhd t) \mathbin{@} P \mathrel{R} (\partial_a t \mathbin{@} P_t) \rhd (t \mathbin{@} P_t) = (\partial_a(t \mathbin{@} P_t)) \rhd (t \mathbin{@} P_t) = \partial_a((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t)).$$
Otherwise, if $s(a) \in \Sigma$, then
$$\partial_a((s \rhd t) \mathbin{@} P) = (\partial_a(s \rhd t)) \mathbin{@} P = (\partial_a s \rhd t) \mathbin{@} P \mathrel{R} (\partial_a s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t) = (\partial_a(s \mathbin{@} P_t)) \rhd (t \mathbin{@} P_t) = \partial_a((s \mathbin{@} P_t) \rhd (t \mathbin{@} P_t)).$$
◀

§ Proposition G.5.
Let $t \in W$. Then for all $P \subseteq Z$ it holds that $t \mathbin{@} P \in W$.

Proof. We proceed by induction on $W$. In the base, $t \in D$, meaning $t \mathbin{@} P = t$. For the inductive step, there are three cases.

If $t \in W$ because $\partial_a t \in W$ for all $a \in A$ with $t(a) \in \Sigma$, then by induction $\partial_a(t \mathbin{@} P) = \partial_a t \mathbin{@} P \in W$ for all $a \in A$ with $(t \mathbin{@} P)(a) \in \Sigma$. It then follows that $t \mathbin{@} P \in W$.

If $t \in W$ because $t = s \cdot r$ for $s, r \in W$, then by induction $s \mathbin{@} P_r, r \mathbin{@} P \in W$. By definition of $W$ and Lemma G.3, we then have that $(s \cdot r) \mathbin{@} P = (s \mathbin{@} P_r) \cdot (r \mathbin{@} P) \in W$.

If $t \in W$ because $t = s \rhd r$ for $s, r \in W$, then by induction $s \mathbin{@} P_r, r \mathbin{@} P_r \in W$. By definition of $W$ and Lemma G.4, we then have that $(s \rhd r) \mathbin{@} P = (s \mathbin{@} P_r) \rhd (r \mathbin{@} P_r) \in W$. ◀

§ Lemma 7.7. $W$ is closed under normalization.

Proof. Take $P$ to be the set of dead trees in Proposition G.5. ◀

§ Lemma G.6.
Let $e \in \mathsf{Exp}$, and $\hat e$ be a normalized expression for $e$. Assume the uniqueness axiom for $\equiv_0$ and $\equiv$. Then $\hat e \equiv e$.

Proof. Let $e \in \mathsf{Exp}$, and $X = \langle e \rangle_{\mathcal E}$ be the Brzozowski automaton for $e$, where every derivative $e'$ of $e$ (including $e$ itself) is a state $x_{e'}$. Define $\hat X = (X, \hat\delta)$ to be the GKAT-automaton obtained from $X = (X, \delta)$ by setting
$$\hat\delta(x_{e'}, a) = \begin{cases} 0 & \text{if } x_{e'} \xrightarrow{a \mid p}_X x_{e''} \wedge \llbracket e'' \rrbracket \text{ is dead,} \\ \delta(x_{e'}, a) & \text{otherwise.} \end{cases}$$
This GKAT-automaton is finite, and hence induces a (finite) Salomaa system $S(\hat X)$ where each variable $x_{e'}$ has a linear constraint that can be written (up to $\equiv$-equivalence) as
$$x_{e'} = 1 +_{E(e')} \bigoplus_{x_{e'} \xrightarrow{a \mid p}_{\hat X} x_{e''}} p \cdot x_{e''}.$$
We claim that if for $x_{e'}$ we fill in the expression $e'$, then this constitutes a solution in $\mathsf{Exp}/{\equiv}$. After all, we can derive using the fundamental theorem, Lemma G.1 and S3 that
$$e' \equiv 1 +_{E(e')} \bigoplus_{e' \xrightarrow{a \mid p}_{\mathcal E} e''} p \cdot e'' \equiv 1 +_{E(e')} \bigoplus_{e' \xrightarrow{a \mid p}_{\mathcal E} e'',\ \llbracket e'' \rrbracket \text{ is not dead}} p \cdot e'' \equiv 1 +_{E(e')} \bigoplus_{x_{e'} \xrightarrow{a \mid p}_{\hat X} x_{e''}} p \cdot e''.$$
The rest of the proof works by arguing that if for each $x_{e'} \in X$ we fill in $\widehat{e'}$, then we have another solution to the Salomaa system of $\hat X$ in $\mathsf{Exp}/{\equiv}$. Thus, we obtain the desired equivalence $e \equiv \hat e$ from the uniqueness axiom for $\equiv$.

To this end, we first show that if we fill in $\widehat{\llbracket e' \rrbracket} = \llbracket \widehat{e'} \rrbracket$ for $x_{e'} \in X$, we have a solution to $S(\hat X)$ in $Z$. By the completeness theorem for $\equiv_0$, filling in $\widehat{e'}$ for $x_{e'}$ gives a solution to $S(\hat X)$ in $\mathsf{Exp}/{\equiv_0}$. It can be shown by induction on the construction of $\equiv_0$ that $\equiv_0 \subseteq \equiv$. Whence, this particular choice of variables constitutes a solution to $S(\hat X)$ in $\mathsf{Exp}/{\equiv}$ as desired.

To see that choosing $\widehat{\llbracket e' \rrbracket}$ constitutes a solution to $S(\hat X)$ in $Z$, let $x_{e'} \mapsto t_{e'}$ be the unique solution to $S(\hat X)$ in $Z$. We show that $R = \{(\widehat{\llbracket e' \rrbracket}, t_{e'}) \mid x_{e'} \in X\}$ is a bisimulation. Since $t_{e'}$ is part of a solution to $S(\hat X)$ in $Z$, we have
$$\widehat{\llbracket e' \rrbracket}(a) = 1 \iff \llbracket e' \rrbracket(a) = 1 \iff a \in E(e') \iff t_{e'}(a) = 1.$$
On the other hand,
$$\begin{aligned}
t_{e'}(a) = 0 &\iff x_{e'} \xrightarrow{a \mid p}_{\hat X} x_{e''} \text{ does not hold for any } e'' \\
&\iff x_{e'} \xrightarrow{a \mid p} x_{e''} \text{ and } \llbracket e'' \rrbracket \text{ is dead, or } e' \downarrow a \\
&\iff e' \xrightarrow{a \mid p} e'' \text{ and } \llbracket e'' \rrbracket \text{ is dead, or } e' \downarrow a \\
&\iff \widehat{\llbracket e' \rrbracket}(a) = 0.
\end{aligned}$$
We are left with the coinductive step. In one direction, note that if $t_{e'} \xrightarrow{a \mid p} \partial_a t_{e'}$, then $\partial_a t_{e'} = t_{e''}$ with $x_{e'} \xrightarrow{a \mid p} x_{e''}$, because the $t_{e'}$ are a solution to $S(\hat X)$. In other words, $\llbracket e'' \rrbracket$ cannot be dead, and $e' \xrightarrow{a \mid p} e''$. We find $\partial_a \widehat{\llbracket e' \rrbracket} = \widehat{(\partial_a \llbracket e' \rrbracket)} = \widehat{\llbracket \partial_a e' \rrbracket} = \widehat{\llbracket e'' \rrbracket}$. Conversely, if $\widehat{\llbracket e' \rrbracket} \xrightarrow{a \mid p} \partial_a \widehat{\llbracket e' \rrbracket}$, then $a$ is a node of $\widehat{\llbracket e' \rrbracket}$, which means that $a$ is also a node of $t_{e'}$ by the arguments above. Thus, $\partial_a t_{e'} = t_{e''}$ where $e' \xrightarrow{a \mid p} e''$, since the $t_{e'}$ are a solution to $S(\hat X)$ in $Z$. In either case, $(\partial_a \widehat{\llbracket e' \rrbracket}, \partial_a t_{e'}) \in R$, so $R$ is a bisimulation. By simplicity of $Z$, $\widehat{\llbracket e' \rrbracket} = t_{e'}$ for all $x_{e'} \in X$, and therefore $x_{e'} \mapsto \widehat{\llbracket e' \rrbracket}$ solves $S(\hat X)$ in $Z$. ◀

§ Corollary 7.8 ([33]). Assume the uniqueness axiom for $\equiv_0$ and $\equiv$. If $\widehat{\llbracket e \rrbracket} = \widehat{\llbracket f \rrbracket}$, then $e \equiv f$.

Proof.
Since $\widehat{\llbracket e \rrbracket} = \widehat{\llbracket f \rrbracket}$, also $\llbracket \hat e \rrbracket = \llbracket \hat f \rrbracket$. By Theorem 7.3 and Lemma G.6, we can then derive $e \equiv \hat e \equiv_0 \hat f \equiv f$. ◀