Boolean BI is Decidable (via Display Logic)

Transcription

1 Boolean BI is Decidable (via Display Logic) James Brotherston Dept. of Computing Imperial College, London, UK Abstract We give a display calculus proof system for Boolean BI (BBI) based on Belnap s general display logic. We show that cut-elimination holds in our system and that it is sound and complete with respect to the usual notion of validity for BBI. We then demonstrate that proof search in the system can be restricted to a finitely bounded space (without loss of generality). Thus provability in our display calculus is decidable, and consequently so too is validity in BBI. 1. Introduction O Hearn and Pym s logic of bunched implications BI [14] is a well-known substructural logic whose formulas have a natural declarative interpretation as statements about resource. Formulas of the logic freely combine the standard additive units and connectives of propositional logic (,,,,, ) with a multiplicative (a.k.a. linear ) unit, conjunction and implication. There are two main flavours of BI, induced by two alternative treatments of the additive connectives. If the latter are interpreted intuitionistically, then the resulting logic is called (intuitionistic) BI, while the variant in which they are instead considered classically is known as Boolean BI (BBI). There has been considerable interest in the theory and application of BI and its variants among the computer science research community over the last few years, primarily because the logic s concise representation of resource makes it a viable basis for reasoning about resourcemanipulating programs [11]. Strikingly, however, theoretical developments in BI have focused for the most part on its intuitionistic version, whereas the numerous program verification applications of BI notably the numerous spin-offs of separation logic [17] including various flavours of shape analysis [7, 8, 5, 6] are mainly based on its Boolean variant. These applications typically rely heavily on theorem proving, and stand to benefit substantially from further de- Research supported by an EPSRC postdoctoral fellowship. velopment of the theory of BBI. Indeed, of four basic theoretical questions about BBI completeness with respect to a class of models, cut-elimination, decidability and the existence of a well behaved type theory only the first has so far been answered. In this paper, we give positive answers to the second and third questions. Our starting point in this paper is to consider BBI from the proof-theoretic viewpoint. For intuitionistic BI there is both a complete natural deduction proof system satisfying normalisation, and a complete sequent calculus satisfying cut-elimination [15]. In contrast, no such well-behaved syntactic proof systems for BBI presently exist in the literature 1. Rather, proof systems for BBI are usually obtained by adding a suitable axiom or inference rule (e.g. the axiom F F ) to the corresponding proof system for BI. Such additions typically break normalisation and cutelimination properties, which is less than ideal both from the point of view of BBI as a bona fide logic in its own right and from the perspective of the aforementioned program analysis tools based on BBI. However, extending the BI sequent calculus (cf. [15]) to BBI without breaking cutelimination in the process is problematic. The contexts in this calculus are bunches : trees whose leaves are formulas and whose internal nodes are labelled by either a semicolon or a comma, denoting respectively additive and multiplicative combination of formulas. The following rightintroduction rules for the two implications illustrate the relationship between the structural connectives and the formula connectives: Γ; F G ( R) Γ F G Γ, F G ( R) Γ F G Weakening and contraction are then permitted with respect to the additive semicolon, but not the multiplicative comma. In order to cope with the enriched structure of bunches, the left-introduction rules for logical connectives are written in a deep inference style that allows these rules to apply to formulas at arbitrary positions within a bunch, e.g.: Γ(F 1 ; F 2 ) F ( L) Γ(F 1 F 2 ) F Γ(F 1, F 2 ) F ( L) Γ(F 1 F 2 ) F 1 However, a tableau proof system for BBI is given in [12]. 1

2 where Γ( ) denotes a bunch Γ with a distinguished subbunch occurrence. It is not obvious how to extend this style of rule to additive negation. Furthermore, it seems clear that the extended calculus should subsume Gentzen s sequent calculus LK for classical logic, thus necessitating the use of multiple-conclusion sequents (in some form). However, it is then far from clear how to formulate the rightintroduction rules for and in multiple-conclusion form, since these do not distribute over additive disjunction. Instead of a sequent calculus, we give in this paper a Belnap-style display calculus proof system for BBI. Display calculi can be seen as generalised sequent calculi, allowing the combination of arbitrarily many families of logical connectives, each such family being assigned a corresponding set of structural connectives. This results in a very rich meta-level for proof judgements, and to cope with this one postulates special structural rules, called display rules. The display rules ensure that any part of a proof judgement can be rearranged so as to display (i.e. bring to the top level) any given part of the judgement. Our system, DL BBI, largely follows our previous formulation, with Calcagno, of a display calculus for CBI, which is a nonconservative extension of BBI including multiplicative versions of falsity, negation and disjunction [3]. However, DL BBI differs from this calculus, and other standard display calculi, in that its proof judgements are syntactically (and semantically) asymmetric, reflecting the lack of symmetry in the multiplicative connectives of BBI. Despite this asymmetry, DL BBI nevertheless enjoys the crucial display property, from which cut-elimination for DL BBI follows as a straightforward corollary of Belnap s cut-elimination proof for general display logic [1]. Soundness is an easy direct result, and completeness follows from the reduction of provability in DL BBI to provability in a Hilbert-style proof system which is known to be complete. Although cut-elimination for DL BBI entails a traditional subformula property, it is clear that naive approaches to proof search in DL BBI will lead to divergence, mainly due to the evident need to employ the aforementioned display rules and the usual structural rules such as contraction. The complexity arising in proof search is not unexpected since, by soundness and completeness, decidability of provability in DL BBI is equivalent to decidability of validity in BBI, which has been an open problem for some time. Indeed, it is not obvious at the outset whether or not BBI ought to be decidable. On the one hand, intuitionistic BI is already known to be decidable [10], as are some related program logics such as context logic [4] and certain restricted fragments of separation logic [2]. On the other hand, decidability of BBI does not follow from these results; indeed, Larchey- Wendling and Galmiche have recently demonstrated that there is an encoding of BI into BBI whereas the converse is not known to hold [12]. Furthermore, several well-known substructural logics of seemingly similar expressivity to BBI are in fact known to be undecidable, such as propositional linear logic [13] and the relevant logic R [18]. However, by adapting techniques from Restall [16], we show that provability in DL BBI is indeed decidable, and thus that BBI is a decidable logic. The proof essentially divides into three stages. First, we show that it suffices to consider only proofs that are called semi-reduced in that each judgement appearing in the proof may contain only a limited amount of superfluous information. Second, we define a (potentially infinite) search tree corresponding to an exhaustive search for a semi-reduced proof of a given proof judgement. Third, we show that this search tree must in fact be finite. Thus deciding provability in DL BBI is simply a matter of checking whether any of the finitely many subtrees of the search tree is a proof. The remainder of this paper is structured as follows. In Section 2 we give a brief overview of BBI. We formulate our display calculus system DL BBI in Section 3, and outline there the arguments for cut-elimination, soundness and completeness of this system. In Section 4 we present our main technical contribution: the proof that provability in DL BBI is decidable. Finally, in Section 5 we conclude with some comments and suggestions regarding future work. 2. Syntax and semantics of BBI In this section we briefly recall the syntax of BBI and its standard algebraic semantics. We also recall a Hilbert-style proof system for BBI which is sound and complete with respect to the algebraic semantics. We assume a fixed infinite set V of propositional variables, and write Pow(X) for the powerset of a set X. Definition 2.1 (Formula). Formulas of BBI are given by the following grammar, where P ranges over V: F ::= P F F F F F F F F F F F Definition 2.2 (BBI-model). A BBI-model is a relational commutative monoid R,, e, where e R and : R R Pow(R) are such that is commutative, with r e = {r} for all r R. We extend to Pow(R) Pow(R) by X Y = x X,y Y x y. Under this extension, is required to be associative. An environment for a BBI-model R,, e is a map ρ : V Pow(R) interpreting propositional variables as subsets of R. Definition 2.3 (Satisfaction). Let M = R,, e be a BBImodel and let ρ be an environment for M. Satisfaction of a formula F by a resource state r R and the environment 2

3 ρ is denoted r = F and defined by structural induction on F as follows: r = P r ρ(p) r = always r = never r = F r = F r = F 1 F 2 r = F 1 and r = F 2 r = F 1 F 2 r = F 1 or r = F 2 r = F 1 F 2 r = F 1 implies r = F 2 r = r = e r = F 1 F 2 r 1, r 2. r r 1 r 2 and r 1 = F 1 and r 2 = F 2 r = F 1 F 2 r, r. r r r and r = F 1 implies r = F 2 Definition 2.4 (Formula validity). A formula F is said to be true in a BBI-model M = R,, e if for any environment ρ for M and for all r R, we have r = F. F is said to be valid if it is true in all BBI-models. HL BBI, the standard Hilbert-style proof system for BBI (cf. [15, 9]) is obtained by extending some fixed finite axiomatisation of classical propositional logic by the following axioms and inference rules: F F ( F) (Ax 1) ( F) F (Ax 2) F G G F (Ax 3) F (G H) (F G) H (Ax 4) F G (MP) G F (G H) ( 1) (F G) H F 1 G 1 F 2 G 2 ( ) F 1 F 2 G 1 G 2 (F G) H ( 2) F (G H) The following result is due to Galmiche and Larchey- Wendling (independently proved by Yang). Theorem 2.5 (Completeness [9]). Any valid formula is HL BBI -provable. 3. DL BBI : a display calculus for BBI In this section we formulate a Belnap-style display calculus proof system for BBI. Our display calculus, DL BBI, departs slightly from traditional display calculi in that the form of proof judgements is not symmetric. Nevertheless, our proof system admits the fundamental display property of display calculi, and satisfies cut-elimination. The judgements of our proof system, called consecutions, are built from structures which generalise the bunches used in natural deduction and sequent calculus proof systems for BI (cf. [15]). Definition 3.1 (Structure / Consecution). A-structures X and C-structures Y are (mutually) defined by the grammar: X ::= F Y X; X X, X Y ::= F X Y ; Y X Y where F ranges over BBI-formulas. We use the generic name structure to refer to both A-structures and C- structures. If X is an A-structure and Y is a C-structure then X Y is said to be a consecution. Roughly speaking, A-structures and C-structures represent respectively antecedent parts and consequent parts of our consecutions (we defer a formal definition of these terms until later). The asymmetry between the two is caused by the absence of multiplicative versions of falsity, negation and disjunction in BBI, which leads us to employ a non-standard structural connective in C-structures, interpreted as multiplicative implication. The following definition gives the interpretation of our consecutions. Definition 3.2 (Consecution validity). For any consecution X Y we define two BBI-formulasΨ X and Υ Y by mutual induction over the structure of X and Y as follows: Ψ F = F Υ F = F Ψ = Υ = Ψ Y = Υ Y Υ X = Ψ X Ψ X1;X 2 = Ψ X1 Ψ X2 Υ Y1;Y 2 = Υ Y1 Υ Y2 Ψ = Υ X Y = Ψ X Υ Y = Ψ X1 Ψ X2 Ψ X1,X 2 X Y is said to be valid iff Ψ X Υ Y is a valid formula. A consecutions is said to be derivable from another consecution S (using some fixed set of proof rules) if, given a derivation of S, one can construct a derivation of S. That is, there is a derivation whose root is S and whose leaves are either axioms or occurrences of S. The consecution S is said to be interderivable with S if S is derivable from S and vice versa. We write proof rules with a double-line between premise and conclusion to indicate that they are invertible, i.e. that the roles of premise and conclusion may be reversed. Obviously, the premise and conclusion of any invertible rule are interderivable. Definition 3.3 (Display-equivalence). Two consecutions X Y and X Y are said to be display-equivalent, written X Y D X Y, if they are interderivable using only the display rules of Figure 1. We remark that D is indeed an equivalence relation. Definition 3.4 (Antecedent and consequent parts). Let Z be a substructure occurrence in a structure X. We classify Z as either a positive part or negative part of X as follows: if Z = X then Z is a positive part of X; 3

4 X; Y Z ======== (AD1a) X Y ; Z ======== (AD1b) Y ; X Z X Y ====== (AD3a) Y X ====== (AD3b) X Y X Y ; Z ======== (AD2a) X; Y Z ======== (AD2b) X Z; Y X, Y Z ========= (MD1a) X Y Z ========= (MD1b) Y, X Z rules in this form without loss of generality. The structural rules implement suitable associativity and unitary laws for the structural connectives, plus weakening and contraction with respect to the semicolon. The identity axiom (Id) is stated only for atomic propositions P V, but can be extended to arbitrary formulas. Proposition 3.6 (Identity sanity). F F is provable in DL BBI for any formula F. Proof. (Sketch) By structural induction on F. Figure 1. Display rules for DL BBI. if X is of the form X 1, X 2 or X 1 ; X 2 and Z is a positive (negative) part of either X 1 or X 2 then Z is a positive (negative) part of X; if X is of the form X and Z is a positive (negative) part of X then Z is a negative (positive) part of X; if X is of the form X 1 X 2 and Z is a negative (positive) part of X 1 or a positive (negative) part of X 2, then Z is a positive (negative) part of X. Z is said to be an antecedent part of a consecution X Y if it is a positive part of X or a negative part of Y. Z is said to be a consequent part of X Y if it is a negative part of X or a positive part of Y. Theorem 3.5 (Display theorem). Let Z be a structure occurrence in a consecution X Y. If Z is an antecedent part of X Y then there exists some structure W such that Z W D X Y. Similarly, if Z is a consequent part of X Y then there exists some structure W such that W Z D X Y. Proof. (Sketch) The display rules allow us to focus on Z essentially by moving any surrounding structure to the opposite side of the consecution. Moreover, each of the display rules preserves all antecedent and consequent parts of consecutions, so that Z must appear on the correct side of the consecution. A full proof is given in Appendix A. The process of of rearranging a consecution X Y into the consecution Z W or W Z using the display rules is called displaying Z (or W ), and Z (or W ) is said to be displayed in the resulting consecution. The proof rules for DL BBI are given in Figure 2, and fall into three distinct categories. The identity rules consist of the identity axiom for propositional variables, a rule for display-equivalence, and a cut rule. The logical rules consist of a left and right introduction rule for each formula connective, in the style familiar from sequent calculus. Note that the formula introduced by a logical rule is displayed on the side of the consecution in which it is introduced; the display theorem allows us to write the logical Proposition 3.7 (Soundness). Any DL BBI -provable consecution is valid. Proof. (Sketch) One shows that each rule of DL BBI is locally sound in that, if each of its premises is valid, then so is its conclusion. This is an easy verification. Theorem 3.8 (Completeness). Any valid consecution is DL BBI -provable. Proof. (Sketch) If a consecution X Y is valid then Ψ X Υ Y is a valid formula, and hence HL BBI -provable by completeness (Theorem 2.5). It can be easily verified that the axioms and rules of HL BBI (cf. Section 2) are all derivable in DL BBI under the trivial embedding F ( F) from formulas to consecutions. Thus Ψ X Υ Y is DL BBI -derivable, so by considering the following DL BBI derivation: Ψ X Υ Y X Ψ X (Id) Ψ X Ψ X (Id) Υ Y Υ Y ( L) Ψ X Υ Y Ψ X ; Υ Y Ψ X ; Υ Y ; Ψ X Υ Y ( L) X Y Ψ X Υ Y Ψ X Y Υ Y Y it suffices to show that X Ψ X and Υ Y Y are both DL BBI -provable, which follows by a straightforward mutual induction on the structure of X and Y. We say a DL BBI proof is cut-free if it contains no instances of the rule. Theorem 3.9 (Cut-elimination). Any DL BBI proof can be transformed into a cut-free DL BBI proof (of the same consecution). Proof. (Sketch) Belnap [1] gives 8 conditions to be satisfied by the proof rules of DL BBI which, together with the display property, imply that cut-elimination holds. This is a simple verification. We give a statement of the conditions and their verification in Appendix B. 4

5 Identity rules: (Id) P P X F F Y X Y X Y X Y D X Y ( D ) X Y Logical rules: X ( L) X ( R) F; G X ( L) F G X ( L) X ( R) X F X ( L) F X X F ( R) X F X F Y G ( R) X; Y F G Corollary 3.10 (Subformula property). Any DL BBI - provable consecution X Y has a proof in which every formula occurrence is a subformula of a formula occurring in X Y. Proof. If X Y is DL BBI -provable then it has a cut-free proof by Theorem 3.9. By inspection of the proof rules, any formula occurring in the premises of a rule instance in this proof is a subformula of a formula occurring in its conclusion. Thus every formula occurring in this proof is a subformula of a formula occurring in X Y. In spite of the subformula property, cut-free proof search in DL BBI is complicated considerably by the presence of the display rule and the structural rules. For example, the cut-free proof of the consecution F (F G) (F G) shown in Figure 3 makes seemingly essential use of contraction on a structure which is introduced into the proof using unitary and display rules. F X G Y ( L) F G X; Y X F G Y ( L) F G X; Y X ( L) X F, G X ( L) F G X X F G Y F G X Y Structural rules: ( L) W; (X; Y ) Z =========== (AAL) (W; X); Y Z ; X Y ======= ( L) X Y X Z (WkL) X; Y Z X; X Z (CtrL) X Z W, (X, Y ) Z =========== (MAL) (W, X), Y Z X F; G ( R) X F G X; F G ( R) X F G ( R) X F Y G ( R) X, Y F G X, F G ( R) X F G W (X; Y ); Z =========== (AAR) W X; (Y ; Z) X Y ; ======= ( R) X Y X Z (WkR) X Y ; Z X Z; Z (CtrR) X Z, X Y ======= ( L) X Y Prop. 3.6 F F Prop. 3.6 F F Prop. 3.6 G G ( D) G G ( R) G G ( R) F, G F G (WkR) F, G F G; F G ( D) (F (F G; F G)) G ( R) F, (F (F G; F G)) F G (WkL) (F, (F (F G; F G))); (F G) F G ( D) (F (F G; F G)) F (F G; F G) (WkL) ; (F (F G; F G)) F (F G; F G) ( D) (F (F G; F G));(F (F G; F G)) (CtrR) F (F G; F G) ( D) F, F G; F G ( L) F F G; F G ( R) F (F G) (F G) Figure 3. A DL BBI proof of the consecution F (F G) (F G). 4. Decidable proof search for DL BBI Figure 2. Proof rules for DL BBI. In this section we present the proof that provability in DL BBI is decidable. Our proof is obtained by adapting Re- 5

6 stall s techniques for showing the decidability of display calculi for a class of relevant logics [16]. However, several substantial alterations are necessary in order to make the result go through in the setting of BBI. First, given any structure X we define its reduced inversion X as follows: { Y X = def X if X = Y for some Y otherwise Proposition 4.1. Provability in DL BBI remains unaffected if the rule is excised and the rules ( R), ( L) and ( L) are replaced by the following variants: X F X G ( R) X F G X F X G ( L) F G X F Y G Y ( L) F G Y Proof. Provability in DL BBI is obviously unaffected by the removal of, given cut-elimination (Theorem 3.9). It therefore suffices to show that the old versions of ( L), ( L) and ( L) (cf. Figure 2) are derivable using the new versions. In the case of ( L), we proceed as follows, using the rule symbol (=) to denote rewriting a consecution by the definition of X: X F (WkL) X; Y F (X; Y ) F F G (X; Y ) (=) G Y Y G (WkL) Y ; X G (X; Y ) G ( L) F G (X; Y ) F G X; Y The other rule cases are similar. Thus any proof using the old rules can be converted to one using the new rules. From now on, we work with respect to the modified proof rules of DL BBI given by Proposition 4.1. Definition 4.2 ( -reduction). A structure is said to be - reduced if it has no substructures of the form X. A consecution X Y is -reduced just in case both X and Y are -reduced, and a proof is -reduced just in case every consecution in it is -reduced. The -reduction of a consecution S is the consecution obtained from S by successively replacing every structure occurrence of the form X by the structure X until the result is -reduced. We remark that any consecution is clearly displayequivalent to its -reduction. Thus a consecution is provable just in case its -reduction is provable. Lemma 4.3. Any provable -reduced consecution has a - reduced proof. Proof. Let π be a proof of a -reduced consecution and let π be the tree obtained by replacing every consecution in π by its -reduction. We claim that π is still a proof. It suffices to show that each of the proof rules remains unaffected by -reduction, i.e., that any instance of a proof rule remains an instance of the same rule under -reduction. This property can easily be seen to be satisfied for all the rules that do not introduce or eliminate occurrences of. The remaining rules are ( D ), ( L), ( R) and ( L). The display rule ( D ) is obviously all right, since any consecution is display equivalent to its - reduction and display-equivalence is transitive. So too are the negation-introduction rules ( L) and ( R), because F is already -reduced (since F is a formula). In the case of ( L), the modified left-introduction rule for implication, one observes that if the premises of ( L) are -reduced then clearly so is the conclusion, because of the use of the reduced inversion X in place of X. So π is indeed a proof, as required. Lemma 4.3 implies that, in order to search for a proof of a consecution S, it suffices to consider just those proofs involving only -reduced consecutions. The following series of definitions is intended to assist in dealing with the non-determinism in proof search caused by the structural rules by defining a notion of reduction on consecutions that eliminates superfluous information. They follow the corresponding definitions in [16] but with some crucial differences, mainly due to the presence of two structural units in our calculus (the additive and multiplicative ) whereas Restall s calculi only have one. Definition 4.4 (AD-equivalence). Two consecutions S and S are said to be AD-equivalent (standing for associativedisplay-equivalent ) if they are interderivable using the display rule ( D ) and the structural associativity rules (AAL), (AAR) and (MAL). Definition 4.5 (Nearness). Two structure occurrences Z 1, Z 2 in a consecution S are said to be near (in S) if S is AD-equivalent to Z 1 ; Z 2 W or W Z 1 ; Z 2 for some W (where Z 1 and Z 2 are the occurrences indicated). Definition 4.6 (Superfluous units). An occurrence of in a consecution S is said to be superfluous if S is ADequivalent to W; Z or W Z; or, Z for some W, Z (where is any of the occurrences indicated). An occurrence of in S is superfluous if S is AD-equivalent to W, Z for some W, Z (where is the occurrence indicated). Definition 4.7 (Deletion). Let Z be a structure occurrence in a consecution X Y. We say that Z can be deleted from 6

7 X Y if Z is a strict substructure of some structure W in X Y where W is of the form W 1 ; W 2 or W 1, W 2 or W 1 W 2. (In other words, Z is not any of X, Y, X, Y.) The consecution obtained by deleting Z from X Y is obtained by replacing any of W Z, Z W, W Z, Z W by W, where is comma, semicolon or. For example, the result of deleting Z 1 and Z 2 in the consecution X, ( Y ; Z 1 ) W (Z 2 W ) is X, Y W W. We cannot delete W W in the latter consecution, because it is not a strict substructure of any structure in the consecution (and the result of deleting W W would fail to be a consecution). We remark that if X and Y are near in a consecution S then at least one of them can be deleted from S. The preceding definitions lead to a tighter notion of reduction for consecutions than simple -reduction. Definition 4.8 (Reduction). For any -reduced consecution S, we define its reduction r(s) to be the consecution obtained from S by iterating the following sequence of steps until a fixed point is reached: 1. For any two occurrences of the same structure that are near to one another, we delete the first such occurrence, from left to right, that can be deleted (there must be at least one such). 2. We delete any superfluous occurrences of and that can be deleted. 3. There may be some superfluous occurrences of and that cannot be deleted because they (or their - prefixed equivalents) are the entire antecedent or consequent of the consecution. These are eliminated as follows, observing that e.g. if is superfluous and the entire antecedent then the consecution must be of the form X; Y : X; Y and (X; Y ) X Y X; Y and (X; Y ) X Y X Y and (X Y ) X Y A consecution S is said to be reduced if S = r(s). Clearly a consecution is valid (hence provable) iff its reduction is valid (hence provable). Unfortunately, it will not be possible to exclusively consider reduced consecutions. Indeed, it is clear that any proof which uses contraction or the rules for the units and will necessarily involve non-reduced consecutions. We therefore introduce a notion of semi-reduction. Informally speaking, a consecution is semi-reduced if it is either reduced or one reduction step away from being so. Definition 4.9 (Semi-reduction). A consecution S is said to be semi-reduced if it is reduced or contains any of the following: a single superfluous occurrence of ; a single superfluous occurrence of ; a single structure occurrence near to another occurrence of the same structure such that, when these occurrences are deleted from S (possibly using the extra reductions given in Definition 4.8), the resulting consecution is reduced. A proof is semi-reduced if every consecution appearing in it is semi-reduced. Definition 4.10 (Irredundancy). A proof is said to be irredundant just in case no consecution occurs twice on any branch in the proof. Lemma Any provable reduced consecution has a proof that is both semi-reduced and irredundant. Proof. First, any semi-reduced proof that is not irredundant can be converted to a proof that is both semi-reduced and irredundant by deleting the sections of proof between every pair of identical consecutions occurring on the same branch in the proof. Thus it suffices to show that any provable reduced consecution has a semi-reduced proof. Let π be a proof of a reduced consecution S. By Lemma 4.3 we can assume without loss of generality that π is -reduced. Then define π to be the tree obtained by replacing every consecution in π by its reduction. π is almost a proof of S; its root is S because S is already reduced by assumption, and the leaves of π are axioms because every axiom in π (i.e. instances of the conclusions of the rules (Id), ( L), ( R) and ( R)) is also already reduced. For each of the other proof rules, we show how to derive the reduction of its conclusion from the reductions of its premises, using only semi-reduced consecutions. By substituting these derivations into π as required, we obtain a semi-reduced proof of S. For space reasons, we only display two interesting rule cases here. The remaining cases are given in Appendix C. Case ( L). Suppose first that the reduced premise r( X) is of the form X. Then by applying ( L) we obtain X, which is possibly only semi-reduced (because the introduced instance of may be near to another instance of in X ). We note that the reduced conclusion r( X) is of the form X because the indicated instance of cannot be deleted from X. One observes that X and X can differ in two respects. First, X may contain a that is near to the indicated 7

8 in X, and thus is not in X. If so, we apply display and contraction rules to remove it. Second, X may contain an instance of that is near to the indicated in X and thus is not in X. If so, we apply display and weakening rules to reintroduce it (note that this maintains semi-reduction). The result is then X = r( X) as required. For example, if X = ; then the reduced premise is and the reduced conclusion is. We patch the rule instance in the manner described above via the following derivation: ( L) (WkR) ; ( D ) ; (CtrL) If r( X) is not of the form X then the indicated instance of was deleted (because it was superfluous), and we must reintroduce it. Writing r( X) = Y Z, we obtain the semi-reduced r( Y Z) by applying ( L) and display-equivalence. This is of the form X, and we can then proceed as in the previous case. Case ( R). Note that the reduced premises r(x F) and r(g Y ) are of the form X F and G Y respectively (because the indicated F and G cannot be deleted by reduction). We can immediately apply ( R) to obtain X, Y F G. Note that the reduced conclusion r(x, Y F G) is of the form X F G. However, X and (X, Y ) can differ in several respects. First, X may contain an instance of F and/or an instance of G that are missing in (X, Y ) because they are near respectively to the indicated F and G in X F and G Y (and so were deleted by reduction). If so, the said instances must be restored into X, Y F G using display and weakening rules. Second, either X or Y may be the unit, in which case it is superfluous in X, Y F G and must be deleted using the unit rule ( L). Third, X may contain an instance of either F G (if Y is a superfluous ) or Y F G (if Y is not a superfluous ) near to the indicated instances in X, Y F G and the displayequivalent X Y F G. (This can also hold with the roles of X and Y reversed.) In this case we use display and contraction rules to eliminate the duplicate structure instance. Note that the second and third conditions can hold simultaneously, but this is still allowed by semi-reduction. Finally, if X = Y = then these instances of are superfluous in the semi-reduced consecution, F G obtained by applying ( R). We show how to remove one of the indicated instances of using only semi-reduced consecutions:, F G F G (WkL) ; F G ( L) F G, F G ( L) F G This possibility forces us to allow both a superfluous and a superfluous to occur in semi-reduced consecutions. Since a consecution is provable iff its reduction is provable, it clearly suffices for a proof search for an arbitrary consecution S to consider only semi-reduced, irredundant proofs of r(s). We observe that the proof of the reduced consecution F (F G) (F G) in Figure 3 is semireduced; the contraction introduces one structure near to an instance of the same structure, and exactly one superfluous is used (note that it is however not superfluous in the premise of the contraction instance). We now define a tree corresponding to an exhaustive search of a semi-reduced, irredundant proof for a reduced consecution. Definition 4.12 (Proof search tree). Given a consecution S, we define the proof search tree π(s) as follows. The root of π(s) is defined to be r(s). Then, for each node S of π(s) having no children, we do nothing if S is the conclusion of an axiom rule. Otherwise, we create a new child S of S for every semi-reduced consecution S such that: 1. S does not occur on the branch of π from the root r(s) to S ; 2. S is a premise of a proof rule instance of which S is the conclusion. Restall [16] defines a notion of complexity on consecutions such that (a) complexity decreases monotonically along any branch in a proof and (b) only finitely many semireduced consecutions of any fixed complexity can be constructed from a finite set of formulas. This immediately entails that the search tree for a consecution must be finite. Unfortunately, this notion of complexity does not adapt to DL BBI. Instead, we proceed by arguing directly that the search tree for a consecution can have no infinite branches, using the notion of interderivability to stand in for Restall s notion of complexity. Note that, using a notion of complexity à la Restall, condition (a) above already implies that all interderivable consecutions must have equal complexity. Definition 4.13 (Interderivability class). The interderivability class [S] generated by a consecution S is defined as follows: [S] = {S S is semi-reduced and interderivable with S} 8

9 We remark that [S] is an equivalence class for any S. Lemma For any consecution S, the class [S] is finite. Proof. We assume without loss of generality that the consecution S is reduced, since r(s) is clearly interderivable with S. We require to show that only finitely many semi-reduced consecutions are interderivable with S. The reason that this holds is that only a finitely bounded amount of structure can be introduced into S while maintaining semi-reduction (cf. Definition 4.9) and interderivability with S. Given this fact, it is obvious that there cannot be infinitely many semireduced consecutions that are interderivable with S. However, while it is intuitively obvious that we cannot add extra structure to S indefinitely, care is needed since backward applications of contraction and the unit rules, which intuitively make consecutions less reduced by introducing superfluous structures, can simultaneously destroy the redundancy of other structures. For example, in both the following applications of contraction: ; X Y (CtrL) X Y X Y ; X Y (CtrR) X Y the indicated is superfluous in the conclusion but not in the premise. Similarly, introducing a superfluous can cause a to become non-superfluous or a structure to no longer be near to an instance of the same structure, and introducing a superfluous can render a non-superfluous. Indeed, if X Y is reduced then the following consecution is semi-reduced (and interderivable with X Y ): (, ( ; ), ); X Y ; since it contains a single superfluous (the rightmost), a single superfluous (the leftmost), and a single structure ( ) near to an instance of the same structure. However, it is clear that this consecution is in a sense saturated : we cannot introduce any further superfluous units. Nor can we apply contraction in order to render one of the units nonsuperfluous; contraction can never render a superfluous non-superfluous, and using contraction to render the superfluous non-superfluous must break semi-reduction, either by introducing a second structure near to an instance of the same structure or by introducing a second superfluous. In general, introducing extra structure indefinitely via contraction and unitary rules must eventually produce two distinct structures near to instances of the same structure or structures of the form or or (up to ADequivalence), where is comma or semicolon. It is clear that only a finite number of such structures can be present in any semi-reduced consecution. Given that only a finite number of structures can be introduced, clearly only a finite number can be removed. Lemma For any consecution S, each branch of π(s) is of finite length. Proof. By Lemma 4.14 it suffices to show that an arbitrary branch of π(s) cannot contain infinitely many consecutions from distinct interderivability classes, since each of these consists of only finitely many consecutions. Let S be a premise of some proof rule R with conclusion S, and suppose that S [S ]. Clearly R has at least one premise that is not interderivable with its conclusion. Thus R is either a weakening rule or a logical rule. These remove a formula or structure from S which is irreplaceable in the sense that S is not interderivable with S, and thus the structure cannot be reintroduced in its original position in S even with the use of contraction and unit rules. For example, it is clear that the formula F G is irreplaceable in the consecution F G F; since, if it is removed by applying ( L), it cannot be restored (due to the subformula property). In contrast, the structure F is not irreplaceable in the same consecution since, if it is removed by weakening (say), it can be restored as follows: F G F; F (F G); (WkL) F; G (F G); ( L) F G (F G); F G; F G (CtrL) F G (WkR) F G F; Thus the irreplaceable structure deleted from S by the application of R does not reappear anywhere in [S ] in the position corresponding to that in which it occurred in S. It is clear that the process of removing irreplaceable structure in this manner must terminate, since there is clearly no way of generating infinitely many irreplaceable structures in a derivation. (Replaceable structures can of course be rendered irreplaceable but only by virtue of removing near structures which enable their replacement.) Theorem 4.16 (Decidability). It is decidable whether a consecution is provable in DL BBI. Thus it is decidable whether an arbitrary BBI formula is valid. Proof. First note that, by Lemma 4.11, a consecution S is provable iff there is an irredundant semi-reduced proof of r(s). By construction of π(s), if there is such a proof then it must appear as a finite subtree of π(s). To decide whether S is provable, it therefore suffices to enumerate the subtrees of π(s) and check whether any of them is a proof. Note that π(s) is finitely branching, as any consecution S in the tree has only finitely many children S satisfying the conditions in Definition This is because there are only finitely many rules, and each one can be applied to a given conclusion in only finitely many ways. Since every 9

10 branch of π(s) is finite by Lemma 4.15, π(s) is then a finite tree (by König s Lemma). Thus the process of enumerating and checking the subtrees of π(s) must terminate, and so provability in DL BBI is decidable. By soundness (Proposition 3.7) and completeness (Theorem 3.8) it follows that the validity of consecutions is decidable. Clearly a BBI-formula F is valid iff F is a valid consecution, and thus F is valid iff F is DL BBI - provable, so the validity of BBI-formulas is decidable. 5. Conclusions and future work In this paper, we address two fairly long-standing open problems for BBI. First, we give a well-behaved (i.e. cuteliminating) syntactic proof system for BBI, formulated as a display calculus. Secondly, we establish the decidability of BBI, by reducing the decision problem to the problem of deciding provability in our display calculus, and showing that the latter problem is decidable. Our results build upon previous work by others, in particular a completeness result due to Larchey-Wendling and Galmiche, the generalised cut-elimination theorem for display logic due to Belnap, and (some of) Restall s proof-theoretical machinery for analysing proof search in display logic. Our main technical contributions are the design of the DL BBI display calculus, using a nonsymmetric form of proof judgement, and the adaptation of Restall s methods to our display calculus, which is not straightforward because of the significant differences between our calculus and the calculi he considers. It remains open whether or not BBI has the finite model property, i.e., whether any invalid BBI-formula has a finite countermodel. We observe that, if a BBI-formula F is invalid, then the search tree π( F) provides a finitary witness to its non-validity, and speculate that it might be possible to extract a finite counter-model from such a tree. Our decision procedure is designed with simplicity rather than efficiency in mind and, although we have not investigated its complexity, it is probably wildly sub-optimal. Thus we see investigation into efficient implementations of the decision procedure for BBI as an important avenue for future work, as well as investigating the viability of DL BBI as a basis for automated theorem-proving tools. Also, we think that the methods in this paper should adapt to establish the decidability of classical BI (cf. [3]). There, the main technical obstacle to be overcome seems to be the presence of two (meta-level) negations. Acknowledgements We extend special thanks to Greg Restall for his helpful and enthusiastic technical advice regarding the decidability proof for DL BBI, and to Lucas Dixon for encouraging the initial investigation. Thanks also to Cristiano Calcagno, Philippa Gardner, Peter O Hearn and the East London Massive for useful discussions and feedback. References [1] N. D. Belnap, Jr. Display logic. Journal of Philosophical Logic, 11: , [2] J. Berdine, C. Calcagno, and P. O Hearn. A decidable fragment of separation logic. In Proceedings of FSTTCS, [3] J. Brotherston and C. Calcagno. Classical BI (A logic for reasoning about dualising resource). In Proceedings of POPL-36, [4] C. Calcagno, T. Dinsdale-Young, and P. Gardner. Decidability of context logic. Submitted, [5] C. Calcagno, D. Distefano, P. O Hearn, and H. Yang. Compositional shape analysis by means of BI-abduction. In Proceedings of POPL-36, [6] B.-Y. E. Chang and X. Rival. Relational inductive shape analysis. In Proceedings of POPL-35, [7] W.-N. Chin, C. David, H. H. Nguyen, and S. Qin. Enhancing modular OO verification with separation logic. In Proceedings of POPL-35, [8] D. Distefano and M. Parkinson. jstar: Towards practical verification for Java. In Proceedings of OOPSLA, pages ACM, [9] D. Galmiche and D. Larchey-Wendling. Expressivity properties of Boolean BI through relational models. In Proceedings of FSTTCS, [10] D. Galmiche, D. Mery, and D. Pym. The semantics of BI and resource tableaux. Mathematical Structures in Computer Science, 15: , [11] S. Ishtiaq and P. W. O Hearn. BI as an assertion language for mutable data structures. In Proceedings of POPL 01, January [12] D. Larchey-Wendling and D. Galmiche. Exploring the relation between intuitionistic BI and Boolean BI: An unexpected embedding. Mathematical Structures in Computer Science, To appear. [13] P. Lincoln, J. C. Mitchell, A. Scedrov, and N. Shankar. Decision problems for propositional linear logic. Annals of Pure and Applied Logic, 56(1 3): , [14] P. O Hearn and D. J. Pym. The logic of bunched implications. Bulletin of Symbolic Logic, 5(2): , June [15] D. Pym. The Semantics and Proof Theory of the Logic of Bunched Implications. Applied Logic Series. Kluwer, Errata and remarks (Pym 2004) maintained at pym/ reductive-logic-errata.html. [16] G. Restall. Displaying and deciding substructural logics 1: Logics with contraposition. Journal of Philosophical Logic, 27: , [17] J. C. Reynolds. Separation logic: A logic for shared mutable data structures. In Proceedings of 17th LICS, [18] A. Urquhart. The undecidability of entailment and relevant implication. Journal of Symbolic Logic, 49(4): ,

11 A. Proof of display theorem (Theorem 3.5) Definition A.1 (Height). Let Z be a substructure occurrence in a structure X. Define the height of Z in X as the length of the path from the root of X to the root of Z, when structures are viewed as trees. If Z is a structure occurrence in a consecution X Y, then define the height of Z in X Y as the height of Z in X if Z is a substructure occurrence in X and the height of Z in Y otherwise. Lemma A.2. Let Z be a structure occurrence with height h 0 in a consecution X Y. There is a consecution X Y that is display-equivalent to X Y and such that Z has height < h in X Y. Moreover, Z is an antecedent (consequent) part of X Y iff it is an antecedent (consequent) part of X Y. Proof. We proceed by cases as follows. Case Z occurs in X. We observe that since h 0, we have Z X and so X is not of the form F, or. The remaining subcases are treated as follows: Subcase X = W. We proceed as follows: W Y (AD3a) Y W (AD3b) W Y (AD3a,b) W Y (AD3a) Y W and thus set X Y = Y W, which is clearly display-equivalent to X Y = W Y as required. Also note that if Z is an antecedent (consequent) part of W Y then it is a positive (negative) part of W, thus a negative (positive) part of W and so an antecedent (consequent) part of Y W. Furthermore, Z has a lower height in W than in W, thus a lower height in Y W than in W Y, as required. Subcase X = W 1 ; W 2. If Z occurs in W 1 then we proceed as follows: W 1 ; W 2 Y (AD1a) W 1 W 2 ; Y Otherwise, Z occurs in W 2 and we instead use rule (AD1b) in a similar fashion. The justification that the required properties hold is then similar to the subcase above. Subcase X = W 1, W 2. If Z occurs in W 1 then we proceed as follows: W 1, W 2 Y (MD1a) W 1 W 2 Y Otherwise, Z occurs in W 2 and we instead use rule (MD1b) in a similar fashion. The justification that the required properties hold is then similar to the subcase above. This completes the case. Case Z occurs in Y. Since h 0, in particular Z Y and so Y is not of the form F or. The remaining subcases are treated as follows: Subcase Y = W. We proceed as follows: X W (AD3a) W X W X The justification that the required properties hold is similar to the cases above. Subcase Y = W 1 ; W 2. If Z occurs in W 1 then we proceed as follows: X W 1 ; W 2 (AD2b) X; W 2 W 1 Otherwise, Z occurs in W 2 and we instead use rule (AD2a) in a similar fashion. The justification that the required properties hold is then similar to the subcase above. Subcase Y = W 1 W 2. If Z occurs in W 1 then we proceed as follows: X W 1 W 2 (MD1b) W 1, X W 2 (MD1a) W 1 X W 2 Otherwise, Z occurs in W 2 and we proceed as follows: X W 1 W 2 (MD1a) X, W 1 W 2 The justification that the required properties hold is then similar to the subcases above. This completes the case and thus the proof. We can now complete the proof of the display theorem. Proof of Theorem 3.5. By induction on the height h of Z in X Y. In the case h = 0, we are trivially done. In the case where h > 0, we can apply Lemma A.2 and the induction hypothesis to obtain the required consecution. B. Proof of cut-elimination (Theorem 3.9) The following definition is taken from Belnap [1]. By a constituent of a structure or consecution we mean an occurrence of one of its substructures. 11

12 Definition B.1 (Parameters / congruence). Let I be an instance of a DL BBI proof rule R. Note that I is obtained by assigning structures to the structure variables occurring in R and formulas to the formula variables occurring in R. Any constituent of the consecutions in I occurring as part of structures assigned to structure variables in I are defined to be parameters of I. All other constituents are defined to be non-parametric in I, including those assigned to formula variables. Constituents occupying similar positions in occurrences of structures assigned to the same structure variable are defined to be congruent in I. We remark that congruence as defined above is an equivalence relation. We can now prove cut-elimination for DL BBI using the standard Belnap-style argument. Proof of Theorem 3.9. Belnap s original analysis of display logic [1] guarantees cut-elimination (Theorem 3.9) provided the proof rules of DL BBI satisfy the following 8 conditions, which are stated with reference to an instance I of a proof rule R. (Here, we state a stronger, combined version of Belnap s original conditions C6 and C7, since the rules satisfy this stronger condition.) In each case, we indicate how to verify that the condition holds for our rules. C1. Preservation of formulas. Each formula which is a constituent of some premise of I is a subformula of some formula in the conclusion of I. Verification. One observes that, in each rule, no formula variable or structure variable is lost when passing from the premises to the conclusions. C2. Shape-alikeness of parameters. Congruent parameters are occurrences of the same structure. Verification. Immediate from the definition of congruence. C3. Non-proliferation of parameters. No two constituents in the conclusion of I are congruent to each other. Verification. One just observes that, for each rule, each structure variable occurs exactly once in the conclusion. C4. Position-alikeness of parameters. Congruent parameters are either all antecedent or all consequent parts of their respective consecutions. Verification. One observes that, in each rule, no structure variable occurs both as an antecedent part and a consequent part. C5. Display of principal constituents. If a formula is nonparametric in the conclusion of I, it is either the entire antecedent or the entire consequent of that conclusion. Such a formula is said to be principal in I. Verification. It is easy to verify that the only nonparametric formulas in the conclusions of our rules are the two occurrences of P in (Id) and those occurring in the introduction rules for the logical connectives in Figure 2, which obviously satisfy the condition. C6/7. Closure under substitution for parameters. Each rule is closed under simultaneous substitution of arbitrary structures for congruent formulas which are parameters. Verification. This condition is satisfied because no restrictions are placed on the structural variables used in our rules. C8. Eliminability of matching principal formulas. If there are inferences I 1 and I 2 with respective conclusions X F and F Y and with F principal in both inferences, then either X Y is equal to one of X F and F Y, or there is a derivation of X Y from the premises of I 1 and I 2 in which every instance of cut has a cut-formula which is a proper subformula of F. Verification. There are only two cases to consider. If F is atomic then X F and F Y are both instances of (Id). Thus we must have X F = F Y = X Y, and are done. Otherwise F is non-atomic and introduced in I 1 and I 2 respectively by the right and left introduction rule for the main connective of F. In this case, a derivation of the desired form can be obtained using only the display rule ( D ) and cuts on subformulas of F. For example, if the considered cut is of the form: X, F G ( R) X F G Y F X Y Z then the cut is reduced as follows: Y F X, F G F X G Y X G X, Y G G Z ( L) F G Y Z X, Y Z X Y Z G Z Similarly, a principal cut on the formula F G has the 12