Implementing analytic tableaux for justification logic Niels Steenbergen

Transcription

1 Implementing analytic tableaux for justification logic Niels Steenbergen Master s thesis Student number: Programme: Artificial Intelligence Supervisor: Rosalie Iemhoff Second examiner: Henry Prakken Utrecht University The Netherlands May 28, 2018

2

3 Abstract This Master s thesis presents new tableau systems for the justification logics J CS and LP CS, and proves their soundness and completeness by providing a proof of cut-elimination. The accompanying software, judge, is able to automatically construct tableaux, including, but not limited to, those of the proposed systems. The crux lies in its ability to deal with systems in which the expansion rules may introduce formulas that are not subterms of formulas that previously occurred on the branch. Contents 1 Introduction 3 2 Basic theory Language of J L Terminology Semantics and syntax Decidability Axiomatisations Basic justification logics J and J CS Logic of proofs LP CS Models Kripke models Kripke-Fitting models Mkrtychev models Sound- and completeness Decidability from tableaux Methods Signatures Tableau expansion rules Cut rule Closure Subformula property Tableau systems JL e CS T JCS T LPCS Nondeterminism Ranking Cuts Formulas Soundness Completeness Completeness with auxiliaries Elimination of the cut Elimination of the unrestricted (F )

4 3.7 Decidability Implementation Existing software Input Formulas Logical system Tableau rules Constraints Terms Algorithm Usage instructions Conclusion Future research References 54 2

5 1 Introduction Justification logics deal with epistemics, just like modal logics. In fact, the first of its kind, the Logic of Proofs LP, was designed by Artemov (1995) as a constructive semantics for the modal logic S4. It constituted the missing link between intuitionistic logic and classical proofs, (Artemov, 2001) anticipated already in the work of Gödel (1933). A formal connection between these two logical families is established through realisation theorems (Artemov, 2008). In essence, justifications are fine-grained modalities that make explicit their internal structure. This is to be understood in whatever terms are most appropriate to the domain of application be that proofs, evidence, witnesses, resources, or even actions. There are indeed many sensible uses of the logic, not least for the study various philosophical problems, such as the ones surrounding logical omniscience (Artemov & Kuznets, 2009) or self-referential proofs (Kuznets, 2010). Like its modal counterpart, justification logic exposes some of the expressiveness of first-order logic without descending into the realm of the undecidable. However, its formulas are entangled in such a way as to make the logic resistant to straightforward attempts to capture it in a proof system. The method of analytic tableaux offers a natural proof system for many logics. It lends itself easily to implementation often an efficient one, owing to the conciseness of the tableau representation (Agostino et al., 1999). While this method will also to be suitable for deducing true formulas of justification logic, we must first find a way to deal with the aforementioned entanglement. Once established, such a decision procedure would go beyond mathematical interest, also finding applications in computer science and symbolic artificial intelligence. Justification logic is already a conceptual aid in modelling many themes surrounding intelligence, such as rationality, language, common knowledge, and the dynamic behaviour of interacting agents (Artemov & Fitting, 2016). A concrete algorithm would contribute to these efforts, making automated reasoning deserving of the adjective. There is another reason to be enthused about justification logic in concrete settings, which is that it is less computationally complex than modal logic, despite being similarly expressive. This is a boon for the processing speed of a potential reasoning agent, as well as for the usefulness of the logic in general analysis. In this report, I will first introduce syntax and semantics for J CS and LP CS. I will then describe an existing proof system that uses the method of analytic tableaux. In order to improve on tractability, I provide an alternative tableau system, for which I will show soundness, completeness and decidability via proof of cut-elimination. Finally, I document an implementation of this procedure, called judge, which takes the form of a Haskell library and a command-line application. Although the tool was written as a companion to this thesis, it accepts tableau systems beyond the ones here described. 3

6 2 Basic theory 2.1 Language of J L This work is concerned with pure justification logics, built on top of bare propositional logic. There are no quantifiers, other modalities or multi-agent interactions to take into account. The formulas of the language J L of justification logic are at least the atomic propositions (denoted p, q, r and subscripted variants, collectively known as P), the propositional constant, and implications φ ψ. In the interest of simplicity, other propositional constants and operators like,,,, and are to be read as shortcuts to these primitives, according to familiar logical equivalences such as φ ψ φ ψ and φ φ. f ::= p i f f t : f t ::= c i x i t t t + t!t Figure 1: The grammar of evidence terms J, given by t, and of formulas J L, given by f. This propositional basis is then expanded with justified statements of the form t : φ, also called justification assertions by Buss & Kuznets (2012). Here, φ J L is another formula, and t J is a justification term, alternatively called a proof polynomial by Artemov (2008), or an evidence term by Bucheli et al. (2013). It is not essential for our current purposes to fix any particular reading for justification assertions t : φ. It might be that t is accepted as sufficient evidence for statement φ; that t is a resource required for φ; or that φ satisfies the conditions t (Artemov, 2008). The relationships are established axiomatically, not unlike the truth tables of propositional logic: they express nothing beyond the logical behaviour that they exhibit. It will likely be instructive, however, to sketch the intended readings of the inner structure of evidence terms. Naturally, we expect that logics exhibit behaviour that actually matches these intended readings, but whether they will actually do so depends entirely on our definitions. As we progress through later sections, we will develop a more rigid grasp on them. An evidence term is one of the following: A variable, denoting an unspecified justification. Justification variables are written here as x, y, z, or a subscripted variant. A constant, which denotes an atomic justification that will not be subject to further analysis. They will be denoted here by c or a subscripted variant. A compound of two terms, connected by a binary application operator. If the first term is evidence for a material implication, and the second is evidence for its antecedent, then taken together, they are evidence for its conclusion. A compound of two terms, connected by a binary choice operator +. This operator also goes by the name of sum or union. It can capture the property of monotonicity: the idea that adding another justification to a justification object does not change the truth of a statements that it previously justified. A term under a unary operator!, signifying positive verification (also called introspection or simply checking). It can be used to construct justifications for a justified statement. 4

7 Optionally, other operators may be included, such as the negative verifier operator?, which is used to construct justifications for the statement that a justification assertion does not hold. These operators will not be considered here. It is sometimes convenient to drop parentheses. The order of precedence of the operators, from tightest to loosest, is!,?,, +, :,. Of the binary operators, and + are left-associative, is right-associative, and : is non-associative. 2.2 Terminology J L is not itself a logic; it is only the language from which any particular justification logic s formulas are pulled. A justification logic Λ J L is a set of valid or provable formulas of that logic, and must satisfy certain closure properties. Formulas φ Λ are also called the theorems of Λ Semantics and syntax We may have access to Λ in multiple ways. For instance, Λ can be given semantically as Λ M = { φ M = φ }, or the set of formulas that are valid on a class of semantic structures M. Informally, for a formula to be valid, it must evaluate as true under all interpretations of the semantic structures. A formula is called satisfiable if there exists at least one interpretation that makes it true. The concepts of validity and satisfiability are dual: if a formula φ is valid with respect to S, then φ is unsatisfiable in M; and if φ is satisfiable in M, then φ is invalid with respect to M. On the other hand, Λ can also be syntactically defined as Λ H = { φ H φ }, the set of formulas that are provable without assumptions in some logical system H. This means, once again informally, that each formula in the logic is the conclusion of a logical derivation that exclusively uses the set of axioms and inference rules of H. Again, there exists a dual concept: a formula is consistent with the logic if no falsehood can be derived from it, so if a formula φ is provable in H, then φ is inconsistent with H; and if φ is consistent with H, then φ is not provable in H. Soundness and completeness ensure that these perspectives are equivalent; that is, soundness guarantees that anything that is provable is also valid (Λ H Λ M ), and completeness guarantees that anything that is valid is indeed provable (Λ M Λ H ). Definition 1 (Soundness). A logical system H is sound with respect to a class of models M iff H φ = M = φ for any formula φ. Definition 2 (Completeness). A logical system H is complete with respect to a class of models M iff M = φ = H φ for any formula φ Decidability Establishing the decidability of Λ entails showing, for every possible formula φ, whether or not φ Λ. As per Post s theorem (1944), this is the same as showing that Λ and J L\Λ are recursively enumerable. 5

8 A decision procedure is an effective procedure by which arbitrary candidate theorems φ J L are accepted or rejected. This procedure can be realised equivalently as a decider of validity or as one of provability; and since the decidability of a set implies the decidability of its complement, also as one of satisfiability or consistency. Despite their logical equivalence, the efficiency of these approaches may yet be different. If our point of departure is semantic, then, loosely speaking, decidability amounts to showing that there exists a finitely representable class of semantic structures corresponding to the logic, and that there exists a method that is sure to accept or reject, in finite time, that a candidate formula is valid with respect to it. Theorems can instead be syntactically generated if we have access to an axiomatisation of the logic. If a formula φ is provable, such a generative process will clearly produce it eventually. If it is not, it should be possible to verify this unprovability by finding a model in which φ is satisfiable; and given that the set of all models is recursively enumerable, we must eventually stumble upon this model by testing each of them, one by one. Running these two processes in a parallel or alternating fashion will guarantee a decisive answer. The latter method promises better computational efficiency. It also opens up a constructive approach: we can start from the target formula and compose its derivation from the bottom up, rather than wait for a particular theorem to be generated. Ideally, we find that failure to construct a derivation within a certain number of steps guarantees that there is no derivation at all, thereby skipping the requirement of finding confirmation in a counter-model. 2.3 Axiomatisations An axiomatisation is a set of formulas Γ that generate a logic under a given proof system (Blackburn et al., 2001). It provides a syntactic hold on the logic s theorems, without appeal to its semantic structure. We write H φ for any formula φ that can be thus derived in a system H. In this section, we will specify justification logics H { J CS, LP CS } in terms of Hilbert-style systems of axioms and rules. For related systems, J4, J5, JD, JT, JT45, JD45, please refer to Artemov (2008), Ghari (2016b), Bucheli et al. (2013), Kuznets (2006) Basic justification logics J and J CS Of all justification logics, J is the most basic: it is generated by axioms that are common to all justification logics, namely, J = Propositional + Application + Monotonicity, combined with the modus ponens rule ( H φ ψ and H φ implies H ψ). A finite axiomatisation of classical propositional logic. (Propositional) s : (φ ψ) (t : φ (s t) : ψ) (Application) s : φ (s + t : φ) t : φ (s + t : φ) (Monotonicity) 6

9 The system J is absolutely skeptical in the sense that there are no justified statements t : φ among its theorems. However, relative conclusions of the form J (t 0 : ψ 0 t n : ψ n ) s : φ can be drawn. We may wish that, instead of this skepticism, our system has logical awareness: that any logical axiom is also justified. For any axiom φ, there should perhaps be an evidence constant c that justifies φ, and another constant c that justifies c : φ, and so on. To this end, we provide a constant specification CS, which is some set consisting of justified logical axioms: CS { c n : : c 1 : φ c 1,, c n are evidence constants, φ is an axiom of H, n 1 } The logic J CS is obtained by adding to J the axiom necessitation rule: φ CS implies H φ. The constant specification itself may well be infinite, but any particular derivation will depend on only a finite subset of formulas from CS. A CS is axiomatically appropriate if there is a constant c 1 such that c 1 : φ CS for every axiom φ of the logic, and c n 1 : : c 1 : φ CS implies c n : c n 1 : : c 1 : φ CS. It is total if c n : : c 1 : φ CS for any constants c 1,, c n (Artemov, 2008) Logic of proofs LP CS As we have mentioned, the Logic of Proofs was the first justification logic to be developed, then as a realisation of the modal logic S4. It builds upon J CS by adding the axiom of factivity (also called reflection), which says that anything for which there is evidence is also true, and the axiom of proof checking, which says that there is a justification for every true justified formula. 1 t : φ φ (Factivity) t : φ!t : t : φ (Introspection) As with J, LP can be given an explicit constant specification in LP CS. 2.4 Models Kripke models A chronological introduction may clarify our understanding: we look back to the precursor to justification logic: modal logic. In its syntactic inventory, among the familiar propositional operators and atoms, there exist modal operators, denoted i. We assert here that each operator i is unary, which, although not strictly required, will be sufficient for this illustration. Possible-world or Kripke- semantics are the customary semantics given to these logics (Blackburn et al., 2001). In it, formulas are interpreted in the context of some set of worlds (or states). Each world w W 1 The analogues of these axioms in modal logic would be, respectively, T ( φ φ) and 4 ( φ φ). The issue of logical omniscience is avoided in justification logic, because explicit evidence is required. 7

10 has a particular take on the truth values of atomic propositions. This is captured by a valuation function V : P (W ) that maps these propositions to the set of worlds W W in which the relevant propositional variable gets a value assignment of. Modalities then grant limited access to these other worlds. That is, any formula under a modal operator i will be evaluated in each world v that is directly accessible through i from the current world w. To this end, each modality i is associated with a world-to-world accessibility relationship R i : W W. Now, if a subformula φ is true in all worlds v such that w, v R i, then the formula i φ would be true in world w. The combination M = W, R 0,, R n, V is called a model. We say that φ is true in model M in world w, and write M, w = φ (where = is also called the forcing relation), in all and only the following cases: M, w = p w V (p) M, w = φ ψ M, w = φ or M, w = ψ M, w = i φ for all w, v R i [M, v = φ] Should M, w = φ in fact be the case for all worlds w, we write M = φ. Moreover, if specific valuations V are irrelevant, we can also talk of a frame F = W, R i, where F = φ iff M = φ for all specific models M = F, V that can be generated from F. Finally, for classes of models M and frames F, note that M = φ and F = φ iff M = φ and F = φ for all M M and F F, respectively. By imposing the right constraints on the relationships R i, one can obtain specific behaviour. For example, if we have a single modal operator with the interpretation it is known that, we might wish to model that whatever is known to be known, is itself known. This is expressed as axiom 4, φ φ, and holds in any world, for any valuation as long as R is transitive. Therefore, a logic that contains the axiom 4 can only be sound with respect to the class of transitive frames. The idea of a possible world should be understood in as abstract a way as possible; for example, we might imagine that these worlds represent individuals, and that propositional variables represent attributes that may hold for an individual. In this way, some first-order formulas, such as x : p(x), could be expressed as x p. This is a merit of modal logics: they allow a part of the expressiveness of first-order logic, but by limiting access, they tiptoe around the features that nudge the latter into the abyss of incomputability Kripke-Fitting models Justification logics can essentially be viewed as a fine-grained form of modal logic. Rather than defining a small number of indivisible operators with such interpretations as it is known that... or it is provable that..., justification logic boasts a countably infinite number of unary modal operators, the evidence terms, each of which possesses a structure of its own. Alternatively, they can be viewed as labels that annotate its formulas with a proof strategy. For this reason, justification logics have also been referred to as explicit modal logics (Kuznets, 2000). As a consequence, semantics for justification logic operate, to some extent, in the same way as those for modal logic. Its models M = W, R, E, V are called F-models or Fitting models, due to Fitting (2005). These are Kripke models augmented with an admissible evidence function, E : J J L W that maps any justification term t and formula φ to the set of worlds in which t is admissible evidence for φ (Artemov, 2008). 8

11 In order to maintain the expected behaviour, E is subject to closure conditions. Firstly, in the choice operator + we will want to capture the idea that evidence for φ is still evidence for φ when it is combined with some other piece of evidence. This is called indefeasible or monotonic reasoning, and on the syntactic side calls for the Monotonicity axiom. Secondly, the application operator captures the idea of distributing evidence via the Application axiom. From these naturally follow the requirements on E in Definition 3, which is based on the one in (Bucheli et al., 2013). Definition 3 (Fitting models). Let W be a set, R W W a relationship, E : J J L W a function, and V : P W a function. A structure M = W, R, E, V is called a Fitting model for justification logic H with constant specification CS under the following conditions: If c : φ CS, then w W : w E(c, φ). If H contains the Monotonicity axiom, then E(s, φ) E(t, φ) E(s + t, φ). If H contains the Application axiom, then E(s, φ ψ) E(t, φ) E(s t, ψ). If H contains the Factivity axiom, then R is reflexive. If H contains the Introspection axiom, then R is transitive and E(t, φ) E(!t, t : φ). Definition 4 (Truth in Fitting models). A formula φ is satisfied in a Fitting model M = W, R, E, V at world w W iff M, w = φ. This is defined recursively as: M, w = p p P and w V (p) M, w = φ ψ M, w = φ or M, w = ψ M, w = t : φ w E(t, φ) and for all w, v R [M, v = φ] Mkrtychev models F-models are helpful because they offer a natural explanation for why a justified statement t : φ may not be true: it is either because φ is not true at a possible world, or because its evidence t does not hold up. However, it is sometimes convenient to work with a simpler type of structure: a predecessor to the Kripke- Fitting model called the M-model or Mrktychev model, due to Mkrtychev (1997). Here, the accessibility relation R is wholly encoded into the evidence relation E, obtaining what is, effectively, an F-model trimmed down to a single world. Definition 5 (Mkrtychev models). Let E : J (J L) be a function, and V P a set. A structure M = E, V is called a Mkrtychev model for H with constant specification CS under the following conditions: If c : φ CS, then φ E(c). If H contains the Monotonicity axiom, then φ E(t) = φ E(t + s) E(s + t). If H contains the Application axiom, then ψ φ E(s) and ψ E(t) = φ E(s t). If H contains the Introspection axiom, then φ E(t) = t : φ E(!t). 9

12 The class of all Mkrtychev models for H is written M H. Definition 6 (Truth in Mkrtychev models). A formula φ is satisfied in a Mkrtychev model M = E, V for H if M = φ, defined recursively as: M = p p V M = φ ψ M = φ or M = ψ M = t : φ φ E(t) and, if H contains the Factivity axiom, M = φ The formula φ is satisfied in the class of Mkrtychev models M H for H iff M M H [M = φ]. 2.5 Sound- and completeness We will now convince ourselves that J CS and LP CS are sound and complete with respect to their respective M-models. For the corresponding results with respect to F-models, please refer to Artemov (2008) or Fitting (2005). Proving soundness boils down to showing that the axioms of H are valid on all M-models M H, and that the rules of inference preserve that validity. It is a routine matter, and since we will encounter another soundness proof later in Theorem 2, we will not further elaborate on it. Completeness, however, will be shown in detail. The proof is a simplification 2 of the original result in Mkrtychev (1997), with inspiration drawn from Blackburn et al. (2001). We first observe that we can define completeness in terms of consistent formulas: Definition 7 (Consistency). A formula φ is H-consistent iff {φ} is H-consistent. A set of formulas Γ J L with Γ is H-consistent iff: H ( φ Γ φ) Remark 1. We will take for granted that logical systems H will derive the tautologies of propositional logic. Lemma 1. A system H is complete with respect to a class of models M iff every H-consistent formula is satisfiable on some model M M. Proof. The Lemma will be easier to follow once we represent it symbolically, recalling Definitions 2 and 7. φ (M = φ = H φ) ψ ( H ψ = M M (M = ψ)) 2 The simplification is primarily due to dropping the concept of a pre-model, which Mkrtychev uses as a technical convenience, a stepping stone toward models. The distinction is not relevant for our purposes; the proof works without it. 10

13 In the -direction, we already have completeness, φ (M = φ = H φ), and suppose for contraposition that there is a ψ such that H ψ while M M (M = ψ). Then by Definition 6, for this ψ we have M = ψ. But then by completeness we must have H ψ, which is a contradiction. For the -direction, we already have that φ ( H φ = M M (M = φ)), and we suppose for contraposition that ψ (M = ψ H ψ). Consider this ψ. Clearly we have M M (M = ψ), and since H has the tautologies of propositional logic, we must also have H (ψ ) to avoid contradicting H ψ. Using the starting assumption, it follows that M M (M = ψ ). But this is a contradiction. Now, consider that any consistent formula is a member of certain sets of consistent formulas that are maximal in the sense that the addition of any more formulas would sacrifice consistency. We can think of the collection of all such sets as representing the entirety of possible situations within the boundaries of the logic. We will use maximal consistent sets to show that there is always a satisfying model for any consistent formula. Definition 8. A set of formulas Γ is maximally H-consistent iff Γ is H-consistent and any strict superset Γ Γ is H-inconsistent. Lemma 2. Let Γ be a maximally H-consistent set. For every formula φ J L, either φ Γ or φ Γ, but not both. Proof. Suppose that neither φ Γ nor φ Γ. Then there is a strict superset Γ Γ that is also consistent, namely, Γ = Γ {φ} or Γ = Γ {φ }, so then Γ is not maximal. Suppose that both φ Γ and φ Γ. By propositional logic we have H (φ (φ )), so then Γ is H-inconsistent. Lemma 3. For every maximally H-consistent set Γ, H φ implies φ Γ. Proof. Since Γ is maximal, we have either φ Γ or φ Γ (Lemma 2). The latter must be dismissed, since for Γ to be consistent with H, we should have H (φ ), which conflicts with H φ via the tautologies of propositional logic. So φ Γ. Lemma 4. Every maximally H-consistent set Γ is closed under modus ponens. Proof. Suppose ψ Γ and ψ φ Γ. By propositional logic, H ( χ Γ {φ } χ). Due to Lemma 2, we know that either φ Γ or φ Γ. But Γ {φ } cannot be H-consistent, for if it was, we would have H ( χ Γ {φ } χ). Therefore, φ Γ. 11

14 Lemma 5. For every maximally H-consistent set Γ, with H { J CS, LP CS }, there is a model M M H such that M = φ for all φ Γ. Proof. Take an arbitrary maximally H-consistent set Γ. We construct a M = E, V by setting: V = P Γ E(t) = { φ J L t : φ Γ } We show that M is a Mkrtychev model for H as per Definition 5: Take any c : φ CS. By the axiom necessitation rule we have H c : φ, so by Lemma 3 we have c : φ Γ and thus φ E(c). Suppose H contains the Monotonicity axiom and φ E(t). Then t : φ Γ. With H Monotonicity and Lemmas 3 and 4 we have s + t : φ, t + s : φ Γ and thus φ E(s + t) E(t + s). Suppose H contains the Application axiom and ψ φ E(s), ψ E(t). Then t : ψ, s : (ψ φ) Γ. With H Application and Lemmas 3 and 4 we have s t : φ Γ and thus φ E(s t). Suppose H contains the Introspection axiom and φ E(t). It is then immediately granted by E that t : φ Γ. Since H Introspection, with Lemmas 3 and 4 we have!t : t : φ Γ and thus t : φ E(!t). It is straightforward to verify for all φ Γ that M satisfies M = φ, as per Definition 6. Theorem 1 (Completeness). H is complete with respect to its Mkrtychev models M H for H { J CS, LP CS }. Proof. According to Lemma 1, it is sufficient to show that every H-consistent formula is satisfiable on some M M H. So take an arbitrary H-consistent formula φ. We can always expand {φ} into a maximally H-consistent set Γ by adding, for all ψ J L, either ψ or ψ, depending on which maintains consistency, as per Lemma 2. It follows from Lemma 5 that there is a model M M H that satisfies φ. 12

15 3 Decidability from tableaux In this chapter, I will present two analytic tableau systems for J CS and LP CS. Their development is based on the tableau system JL e CS that was introduced in Ghari (2016a), which is, in turn, an alternative version of the preprint of Ghari (2016b). JL e CS contains two cut-rules that, crucially, avoid undecidability, by placing a limitation on what instances of the rule are possible. I will suggest a different set of rules that remove the necessity for these restricted cuts. I will show that this updated set of rules maintains soundness, completeness, and decidability. In the process, notation and terminology will be established will facilitate the implementation of the system. Until section 3.2, we will be mostly laying the groundwork, by reiterating standard terminology. Where an idiosyncratic term or novel definition is is introduced, I will indicate this. The remainder of the chapter consists of original contributions, unless specified otherwise. 3.1 Methods The method of analytic tableaux is a formal procedure for proving theorems of a logic. For a thorough treatment of the method, the reader is referred to Agostino et al. (1999). We will present a brief introduction here. The procedure has the intention of proving the satisfiability of given formulas by constructing a tableau. A tableau is best represented as a rose tree, labelled with sets of signed formulas. The starting tableau consists of a single branch, with at the root a set of formulas for which we wish to find a satisfying model. Those formulas are repeatedly broken down by the rules of the tableau system. When a rule says that the truth or falsehood of some formulas on the branch mandates the truth or falsehood of others, then the consequent formulas are appended to the branch. When there is a choice between multiple possible such formulas, then the branch is forked and the different consequences added to the different branches. In this way, we obtain a set of branches, each populated by ever smaller formulas whose truth or falsehood follows from the truth or falsehood of some formulas occurring earlier on the branch. When we find a direct contradiction between these formulas, the relevant branch is closed. As long as the branch remains open, it can be thought of as corresponding to the set of all models that satisfy its formulas. If the rules for expanding a branch are exhausted without running into any contradiction, then the idea is that there must be a model that satisfies the formulas. The proof of the validity of φ then amounts to a refutation of φ. In other words, to prove a theorem, we try to close every branch that contains its negation, to show that there is no counter-model to the theorem. In terms of the syntax-semantics dichotomy, the tableau method is therefore somewhat of a hybrid: the symbols of the candidate theorem are systematically broken down, but we are still essentially trying to construct a counter-model Signatures Every formula on the branch will be signed with a polarity, T or F, to indicate whether the formula should be satisfied or unsatisfied in the corresponding models. Apart from polarity, signatures may contain additional 13

16 symbols, or marks. This is original notation that provides a general way to enrich formulas with state, so that different tableau rules may apply in different situations, even if the consumed formulas are otherwise identical. Remark 2. The original purpose of marks in this thesis was to avoid the special syntax for activated evidential formulas that was introduced in Ghari (2016a). In that paper, evidential formulas t : φ and t : φ were written using extra operators of the forms [t, φ] and [t, φ] if they were in an activated state. Using the notation with marks, equivalents would be [T,e] t : φ and [F,e] t : φ. However, as it happens, activation is not necessary for the systems treated here. In the interest of generality, the syntax is still described, and implemented as a feature of the tool presented in Chapter 4. Definition 9 (Signed formulas). The set J L S of signed formulas of justification logic is defined as follows, where M is understood to be the set of possible marks, including the polarities T and F. J L S = { [µ] φ φ J L, µ M such that T µ F µ } In other words, any signed formula consists of a plain formula augmented with a signature µ, which is some set of marks that includes at least a polarity. The signature will be written as a prefix to the formula, between square brackets, as a comma-seperated list in typewriter font Tableau expansion rules The prototypical tableau rule is outlined in Figure 2. It is a slight generalisation of the tableau rules discussed in the introductory chapter of Agostino et al. (1999), in that it allows an arbitrary number of formulas to occur on either side of a line. φ 0. ψ 0 0. ψ l0 0 φ n... ψ 0 ṃ. ψ lm m ρ Figure 2: A generic tableau rule. The formulas above the horizontal line in Figure 2 are the rule s consumptions, which must be present on the branch for the rule to be applicable. No requirement is implied by the order in which the consumptions appear, nor is it essential that the productions of one rule are immediately consumed by the next. The formulas below the line are the rule s productions and describe how the application of the rule will expand the branch. When placed on top of one another, the productions are conjunctive and are to be appended to one and the same branch. The vertical separating lines indicate disjunction, meaning that the branch is to be forked and the respective productions placed on the resulting branches. 14

17 The terms consume and produce do not appear in previous literature. They are so named because it is expected but not guaranteed until Theorem 9 that we do not need to bother with consuming formulas that have been previously processed, or indeed consumed, by some other rule. The following definitions are also particular to this thesis: Definition 10 (Terminology). The portion of the branch before a given rule application is called the branch prefix, and the branches produced from it are called the branch extensions. Any portion of a tableau under a particular rule application is called a subtableau of the rule application. If the subtableau is the highest tableau under a rule application, it is a direct subtableau. There may be zero or more direct subtableaux. A rule application is minimal iff there are no applications of the same rule in any of its subtableaux. We will call a rule branching or disjunctive if it forks into two or more branches, and non-branching or conjunctive otherwise. If a rule consumes a non-zero amount of formulas, it is a consumer rule; otherwise it is non-consuming. By convention, a tableau tree grows downwards, from the root to its leaves. It is intuitive to say that the root formula is the highest formula and that leaves are deep or low. This conversational usage matches the formal language of Definitions 11 and 12. Definition 11 (Weight). The weight Θ of a tableau Θ is equal to the number of formulas on it. A tableau with weight 0 is empty. A tableau Θ 1 is lower than another tableau Θ 2 iff Θ 1 < Θ 2. Definition 12 (Weight of rules). The weight ρ of a rule application ρ is equal to the sum of the weights of its direct subtableaux. The rule application ρ is lower than another application ρ iff ρ < ρ. It will sometimes be useful to speak about the effects that consecutive rule applications have. For this, we introduce in Definition 13 the original notion of a chain of rule applications. Definition 13 (Chains). Let π be a branch. A chain of rule applications, or simply a chain, is a possibly empty sequence of rule applications ρ 0, ρ 1,, ρ n where every ρ i+1 consumes at least one formula on π that was produced by ρ i. We say that a chain on π consumes a formula φ if any ρ i consumes it, and that it produces φ if any ρ i produces it. The chain starts with ρ 1 and ends with ρ n. It starts from φ iff ρ 1 consumes φ or the chain is empty, and it ends in φ iff ρ n produces φ or the chain is empty. The set of chains starting from the root formula and ending in a closing formula can be viewed as a tree in its own right, where each chain documents precisely the consecutive rule applications that lead to closure of one branch while abstracting away from other, interposing rule applications. If two productions of a particular rule are consumed by two different rules on the branch, then we get two diverging chains. For a contrived example, the subtableau depicted in Figure 3 includes the chains (T ) 1, (T ) 3, (T ) 1, (T ) 4 and (T ) 1, (F ) 2, but not (T ) 1, (F ) 2, (T ) 4. 15

18 π. π. [T] r [T] r [T] (p ) q [F] p [T] p [F] (F ) 2 (T ) 4 [F] r (T ) 1 [T] q (T ) 3 [T] [F] r [T] Figure 3: Example tableau Cut rule A cut rule, for current purposes, is a tableau rule of the form described in Figure 4a. The generic application of this rule of Figure 4b helps us to establish terminology: its left branch is the T-branch, its right branch is the F-branch, and φ is the cut-formula. Θ T is the T-subtableau and Θ F is the F-subtableau. We say that this is a cut of φ into its direct subtableaux Θ T and Θ F. The cut is trivially a sound rule: any particular model either does or does not make the cut-formula true. However, the rule consumes no formulas, so it can be applied at any point during the tableau procedure, and its productions are not bound to any finite set of values. Therefore, there always exists an infinitude of unattempted applications of the cut. This has unfavourable implications for the decidability of any system that allows them. To attain decidability, the cuts of a system must be either restricted or eliminated altogether. [T] φ [F] φ (cut) [T] φ [F] φ (cut) (a) The cut rule. Θ T Θ F Figure 4: Cut rules and their applications. (b) An arbitrary application of the cut rule. Definition 14 (Branch end). A cut into Θ T and Θ F is at T-branch end iff Θ T = 0; and it is at F-branch end iff Θ F = 0. It is at branch end iff it is either at T-branch end or at F-branch end. 16

19 Definition 15 (Instant processing). A cut of φ into Θ T and Θ F is considered instantly T-processed iff the topmost rule of Θ T consumes the cut-formula φ, and it is instantly F-processed iff the topmost rule of Θ F consumes the cut-formula φ. It is fully instantly processed iff it is both instantly T-processed and instantly F-processed. This concept is also used in Ghari (2016b), but is not explicitly named Closure A branch can be disregarded when it is obviously contradictory. This is captured in Definition 16: Definition 16 (Closure). A tableau closes when all of its branches close. A branch π closes, and φ is the closing formula, iff one of the following is true: Both [µ] φ and [ν] φ are present on π such that T µ, F ν. [µ] φ is present on π for φ =, T µ. For JL e CS, but not for the new systems T J CS and T LPCS, there is an additional closure condition: [µ] φ is present on π for some φ CS, F µ. Definition 17 (Involvement in closure). We say that a formula φ on branch π is involved in the closure of a branch π iff there is a chain that starts from φ and ends in the closing formula on π. φ is involved in the closure of a tableau iff it is involved in the closure of at least one of its branches Subformula property When a tableau system is called analytic, this is usually in reference to the fact that every rule deconstructs a consumed formula into its constituent terms. This property helps us to establish that the procedure always terminates. It clearly fails to hold if the system includes an unrestricted cut-rule. Unfortunately, for justification logic, we must allow rules to produce structures that were never part of its consumed formulas. For example, suppose that we have c 0 : (ψ 1 ψ 2 φ), c 1 : ψ 1, c 2 : ψ 2 CS. We should be able to conclude that the formula c 0 c 1 c 2 : φ is valid. Encouragingly, the proof term c 0 c 1, which we will run into if we disentangle this formula, also occurs in the target formula. However, as we are breaking down the evidence component, the propositional component builds up. The formula c 0 c 1 : (ψ 2 φ) is, in a broad sense, a part of the target formula but it is not a subterm of it, nor indeed even a subterm of the constant specification. The fact that terms thread through the proof in opposite directions is necessary, and even central to justification logic. In order to work around this apparent barrier to analyticity, our technique must deviate somewhat from the standard, Smullyan-style tableaux, in that the rules will be allowed to produce formulas that contain subterms which bear no structural relationship to the consumed formulas. In other words, the system will lack the subformula property. 3 We will ensure that there is nevertheless a finite limitation on the possible productions of the tableau rules. Specifically, productions must be synthesised in a particular way from subterms of initial assumptions, which include the formula at the root of the tableau, as well as any member of CS. We will return to this idea in 3 Unless we redefine what it means for a formula to be a subformula of another, as Ghari (2016b) does. 17

20 Sections 3.6 and 3.7 on completeness and decidability. For now, we only define the notion of a subterm and an extended subterm, which is a reformulation of the same concept in Ghari (2016a). Definition 18. The function sub : J J L (J J L) obtains the subterms of a formula: sub(p i ) = {p i } sub(c i ) = {c i } sub(x i ) = {x i } sub( ) = { } sub(φ ψ) = {φ ψ} sub(φ) sub(ψ) sub(t : φ) = {t : φ} {t} sub(φ) sub(!t) = {!t} sub(t) sub(s + t) = {s + t} sub(s) sub(t) sub(s t) = {s t} sub(s) sub(t) Definition 19 (CS-extended subterms). Define the CS-extended subterms sub CS (φ) of a formula φ as follows: sub CS (φ) = sub(c : ψ) sub(φ) c:ψ CS 3.2 Tableau systems JL e CS Finger (2010) defined a tableau system for justification logic with a restricted cut rule, intended to introduce formulas into the tableau that cannot be obtained through step-by-step decomposition. The restricted cut was proposed by Agostino & Mondadori (1994) as the principle of bivalence (PB). The system maintains decidability in spite of this cut, by limiting the available cut-formulas to specific combinations of terms. Ghari (2016a) and (2016b) used a similar approach. For the reader s convenience, we reproduce here the basic rules of the system JL e CS, as given in Ghari (2016a), modulo notational differences. 4 Refer to the source material for details. A direct implementation of this system is not computationally tractable. This statement will remain loose; I will not formally prove that the algorithm would have a particular complexity. However, it can be empirically verified: the software program described in the next chapter can take the system JL e CS as input, for which the running time is, as expected, prohibitive in those particular cases where the rule (PB e ) becomes relevant. Remark 3 (Computational complexity). For a back-of-the-envelope substantation to the above claim, consider that each application of a (PB )-rule duplicates a branch. There are 2 φ subterms to a target formula φ, and Σ ψ CS 2 ψ more if the CS is included so there are at least that many instances of the (PB f )-rule, 4 This preprint is used because it was the inspiration for the development of the tableau system T JCS, and because it captures the core idea in an uncomplicated manner. The alternative to JL e CS, JLτ, is defined in terms of a redefinition of the notion of a subformula, which would require more explanation. 18

21 [T] φ ψ [F] φ [T] ψ (T ) [F] φ ψ (F ) [T] φ [F] ψ [T] s : φ [T,e] s : φ (T e ) [F] s : φ [F,e] s : φ (F e ) [F,e] s + t : φ [F,e] s : φ (+ L ) [F,e] s + t : φ [F,e] t : φ (+ R ) [T,e] s : (ψ φ) [T,e] t : ψ [T,e] s t : φ ( ) such that s t sub(φ ) and ψ φ sub CS (φ ) [T] φ [F] φ (PB f ) [T,e] s : φ [F,e] s : φ (PB e ) such that φ sub CS (φ ) such that s sub(φ ) and φ sub CS (φ ) Figure 5: Tableau rules for JL e CS, where φ is the root of the tableau. 19

22 and 2 φ times more of the (PB e )-rule. Since these rules do not consume anything, they are always applicable. Therefore, to make sure that an open branch really does not close, we will have to examine all of them. Since there may be up to 2 φ open branches for a target formula φ, even before applying any (PB )-rule, the number of branches to be examined can be as high as 2 2 φ 2 (1+2 φ ) (2 φ +Σ ψ CS 2 ψ ). Clearly, this is intractable T JCS I propose an alternative tableau system T JCS that maintains soundness and completeness with respect to J CS, but that lowers the complexity 5 to such an extent that an implementation can decide theorems in a reasonable length of time. As it turns out, it is sufficient to drop from JL e CS the restricted cut-rules (PB f) and (PB e ), while replacing ( ) with an additional restricted rule (F ). Finally, the rule (CSr) is introduced so as to be able to trigger branch closure upon finding a formula that conflicts with CS, without making this behaviour explicit in the closure conditions of Definition 16. The system is presented in Figure 6. Although T JCS was developed based on Ghari (2016a), it is similar to the one described also by Fitting (2005, p. 21) and Renne (2004, p. 5), and indeed to the non-analytic tableau system for J in the alternative preprint by Ghari (2016b). Just like the aforementioned systems, T JCS contains a (F )-rule. However, it avoids the analytical failure mentioned by Finger, (2010, p. 171) even in the absence of (PB)-rules. The following original changes are crucial to this property: An additional restriction on the (F )-rule makes sure that the system remains decidable. The (CSr)-rule, more than just allowing for simplification of the closure, allows for completeness with respect to LP CS without having to resort to the (PB)-rule. Remark 4 (Number of rules). The absence of rules for (T ) and (T+) in T JCS defies the expectation that every operator will be associated with two tableau rules (one for each polarity). We will have to wait for Section 3.6 on completeness for formal confirmation that this combination of rules is nevertheless sufficient. However, we can already provide an intuitive argument why there should be no such rules. The first observation to make is that every clause in the closure conditions of Definition 5 is a conditional that runs in only one direction ( = ). This means, somewhat counter-intuitively, that it is not necessarily the case that M = s + t : φ implies that M = s : φ or M = t : φ. Similarly, M = s t : φ does not imply the existence of any ψ such that M = s : (ψ φ) and M = t : ψ let alone that this ψ, if it does exist, belongs to any definite set such as sub CS (φ ). The reason for the absence of (T ) and (T+) is now easier to appreciate when we recall that we are trying to examine all possible counter-models satisfiabilities to our candidate validity. When we come across [T] s t : φ on the branch, we assume that the corresponding counter-model must satisfy that formula. But, barring any assumptions to the contrary, a formula of the form s t : φ or s + t : φ is always satisfiable; it is not necessary to know anything about s or t to accept this. 5 At least in an empirical sense; its formal complexity has not been subjected to analysis, as mentioned in Remark 3. 20

23 [T] φ ψ [F] φ [T] ψ (T ) [F] φ ψ (F ) [T] φ [F] ψ [F] s t : φ (F ) [F] s : (ψ φ) [F] t : ψ such that ψ φ sub CS (φ ) [F] s + t : φ [F] s : φ [F] t : φ (F+) [T] c : φ (CSr) such that c : φ CS Figure 6: Proposed tableau rules for the basic system T JCS for J CS, where φ is the root of the tableau. Remark 5 (Underspecification). Following Remark 4, we might ask if it is not nonsensical to allow a model where s t : φ or s + t : φ is true, while s and t by themselves do not justify anything of relevance. It is not unreasonable to expect that a formula like s : φ t : φ s + t : φ is a validity but, as a consequence of the aforementioned peculiarity, it is not. Of course, one could propose a different logic, with a semantics in which there is a reciprocal clause for φ E(s + t), together with a tableau system which does include a (T+)-rule. The situation is even more interesting for a hypothetical (T )-rule. Consider s : (p q) t : p s t : q, for example. It is satisfiable even if we were to insert into the semantics a clause to the effect of φ E(s t) = ψ[ ψ φ E(s) ψ E(t) ]. After all, despite the demand that s : (p q), might it not happen to be that nevertheless s : (p q) and t : p? And if we added the assumption that t : p, then what about t : p? It should be possible to develop a system in which, for example, atomary evidence terms justify at most one formula. This remark serves only to point out what might be confusing about the logic; systems such as those discussed above are outside the scope of this thesis T LPCS The system T LPCS consists of the rules in Figure 7, in addition to the original rules of T JCS. T LPCS corresponds to the logic of proofs LP CS. These rules also occur in Ghari (2016a). 21

24 [T] t : φ [T] φ (e) [F]!t : t : φ [F] t : φ (!) Figure 7: Additional rules for the extended system T LPCS for LP CS. 3.3 Nondeterminism A rule is allowed to consume any formula on the branch, rather than just the productions of the rule that immediately preceded it. A branch prefix may therefore be expanded in multiple ways, depending on which branch formula you choose to process first. This form of nondeterminism fortunately does not lead to fundamentally different outcomes. Lemma 6. Let π be a branch prefix and P a set of possible rules that are applicable to π, such that no two rules ρ 1, ρ 2 P consume any of the same formulas from π. If there is a closed subtableau under π if we choose to apply ρ P to π, then there is also a closed subtableau under π if we choose to apply any other rule ρ P first. Proof. If we choose ρ, there is a closed subtableau under π. If we choose any other ρ P\{ρ }, then ρ can still be applied, since every rule consumes at most one formula, and no rule consumes the same one. Therefore, we can obtain a closed subtableau under π regardless of choice of rule from P. Certainly, it is often computationally advantageous to apply the rules in a specific order. For example, if we prematurely fork a branch using a branching rule, despite the availability of non-branching rules, we may end up doing the same work on both branches. A tableau may also take unnecessarily long to close if we choose to produce formulas that do not need to be involved in the closure of the tableau. Nevertheless, a closable branch will always eventually close, and an unclosable branch will always remain open regardless of permutations on the order of the rule applications as long as the rule applications only consume disjoint sets of formulas. However, in the systems discussed here, a single formula can be consumed by multiple rules. For example, (+ L ) and (+ R ) overlap in JL e CS, and instances of (F ) can overlap in T J CS. This type of nondeterminism is not so innocuous: since we would ideally like to consume a formula no more than once, choosing one rule means that the other should no longer be applied. This leads to situations where some choices lead to closure, whereas others do not. We describe three alternatives to deal with overlapping rules: 1. We could choose to simply allow formulas to be consumed repeatedly. Nondeterminism is then no issue: even if an unfortunate choice of rule is made, the choice that will lead to closure is always still available. Since the ultimate goal, for us, is implementation, we cannot afford this luxury: there must be some efficient way of determining when we have exhausted our options, and treating formulas as consumables is a good way to do so. 2. The natural way to deal with nondeterminism is to treat it as nondeterminism, by trying all choices. A tableau is then closable when there is at least one rule application, for every choice point, that leads to a closed tableau. Reciprocally, a tableau is unclosable if all choices of rules lead to at least one open branch. 22

25 3. The final alternative is that all rule choices will be applied simultaneously, meaning that the productions of all overlapping rules are added to the branch in one go. It simulates a situation in which we temporarily lift the rule that formulas can be consumed at most once. Remark 6 (Tableau interpretation). The addition of non-determinism to the rules makes for a more opaque semantic interpretation of the tableau. After all, if the rule-set is deterministic, an unclosable branch contains all the fundamental characteristics of a counter-model but if it is not, a single open branch no longer tells the whole story. 3.4 Ranking Cuts Although the productions of a rule need not be strictly limited to subterms of the consumptions (see Section on the subformula property), they should still be of lower complexity. It is relatively straightforward to see what such a concept should mean for classical formulas, but the measure of complexity is not immediately apparent for justification logic. The reason, again, is that an evidence term will grow as its formula shrinks. Purely by size, formulas of the form s t : φ may be larger, equal or smaller relative to those of the form s : (ψ φ). Fortunately, the crucial aspect of the dissection process is that it should lead to some basic, irreducible unit a formula that is inert with respect to the tableau rules. In the system T JCS, that goes for any propositional variable p; but it also goes for any formula c : φ with c a proof constant, and for any x : φ with x a proof variable. T LPCS differs from T JCS in this regard there is a rule to process x : φ and c : φ but having lower complexity can still be read as closer to being inert. It will be necessary to formalise this idea in terms of a strict partial order c, since the proof of cut-elimination will make use of induction on the complexity of cut-formulas. We are able to show the relative inertia of two formulas despite the fact that it cannot be inferred from their size by considering which would precede the other in a chain of rule applications. However, such an ordering relation can only be transitive and antisymmetric on signed formulas, because the rules of T LPCS dictate the following (where indicates that the left-hand is a production of a rule that consumes the right-hand): [F] t : s t : φ [F] s t : φ [T] s t : φ [T] t : s t : φ However, a cut represents not one particular formula, but two formulas of opposing polarities. An ordering on cuts would not follow immediately from an ordering on formulas. This is a blessing: the interplay of tableau rules happens to be such that we can define c by simply counting operators. In particular, formulas with a propositional operator at the top level will be compared on their total number of operators, whereas those with a justification operator will be compared on the number of operators in the top-level evidence term. 23

26 Definition 20 (Evidential rank). The evidential rank of a justification term, rank e recursively as: : J N +, is defined rank e (c i ) = rank e (x i ) = 0 rank e (!t) = rank e (?t) = 1 + rank e (t) rank e (s + t) = rank e (s t) = 1 + rank e (s) + rank e (t) Definition 21 (Full rank). The full rank of a formula, rank f : J L N +, is defined recursively as: rank f (p i ) = rank f ( ) = 0 rank f (φ ψ) = 1 + rank f (φ) + rank f (ψ) rank f (t : φ) = 1 + rank e (t) + rank f (φ) Definition 22 (Rank). We say that a cut φ with cut-formula φ is of lower rank than a cut ψ with cut-formula ψ iff φ c ψ, with the following definition: φ c ψ ( (φ = t : φ ) (ψ = s : ψ ) (rank e (t) < rank e (s)) ) ( (φ = t : φ ) (ψ s : ψ ) (rank e (t) < rank f (ψ)) ) ( (φ t : φ ) (ψ s : ψ ) (rank f (φ) < rank f (ψ)) ) In this way, we ensure that a cut-formula of the form φ ψ is never c -smaller than one of the form t : χ, and we satisfy the following relations: φ, ψ c φ ψ s : φ, t : φ c s + t : φ s : (ψ φ), t : ψ c s t : φ t : φ c!t : t : φ Lemma 7. c is transitive. Proof. Let us refer to the disjuncts in Definition 22 as cases 1, 2 and 3 respectively. We will examine these cases, supposing that there is a χ such that φ c χ and χ c ψ. In all cases, we should find that φ c ψ. 1. If χ is of the form u : χ, then via case 1, ψ must be of the form s : ψ. Then we also have that φ is of the form t : φ, and that φ c χ. Therefore, rank e (t) < rank e (u) < rank e (s). Clearly this means rank e (t) < rank e (s) and so φ c ψ. 2. If χ = u : χ and ψ s : ψ but χ c ψ, then again it can only be that φ = t : φ. Therefore, rank e (t) < rank e (u) < rank f (ψ), so φ c ψ. 3. Now consider that χ u : χ and ψ s : ψ, but nevertheless χ c ψ. We distinguish two further cases for φ c χ: 24

27 2. If φ = t : φ then rank e (t) < rank f (χ) < rank f (ψ), so φ c ψ. 3. If φ t : φ, then rank f (φ) < rank f (χ) < rank f (ψ), so φ c ψ. 25

28 Lemma 8. c is asymmetric. Proof. Suppose φ c ψ. No matter which disjunct in Definition 22 is responsible for φ c ψ, it follows fairly directly that ψ c φ since the disjuncts are mutually exclusive and < is asymmetric. Lemma 9. c is a strict partial order. Proof. A strict partial order is irreflexive, transitive and asymmetric. Irreflexivity is granted trivially, since < is irreflexive. Asymmetry and transitivity are shown in Lemmas 7 and Formulas As alluded to in the previous section, it is also possible to establish a strict partial order on signed formulas. In this context, formulas of the form φ ψ may well be smaller than those of the form t : χ. We still have a partial order. Definition 23 (Formula rank). We define two binary relationships on J L S, 1 and 2. For, we take the transitive closure of 1 2. [µ] φ 1 [ν] ψ χ φ sub(ψ χ)\{ψ χ} [T] s : φ 1 [T] t : ψ s : φ sub(t : ψ)\{t : ψ} [F] s : φ 2 [F] t : ψ s : φ c t : ψ Lemma 10. is a strict partial order. Proof. It is immediate that 2 is a strict partial order, because c is (Lemma 9). Confirm that 1 is a strict partial order, too. Now, we show that all properties of a strict partial order are preserved after taking the union and transitive closure. 1 and 2 are asymmetric, transitive and irreflexive on their own. If their union and transitive closure is not also assymetric and irreflexive, then there should be some φ 1 ψ with ψ 2 φ. But from the form of the formulas in Definition 23, we can see that φ 2 ψ implies ψ 1 φ. 26

29 3.5 Soundness We claim that any formula that is derivable in H { J CS, LP CS } is also valid with respect to their Mkrtychev models M H. To prove it, we first establish the relationship between tableau branches and models. Definition 24 (Respect). We say that a branch π respects a model M iff for all formulas [T] φ on π we have M = φ, and for all formulas [F] φ we have M = φ. Lemma 11. If a branch π respects any model, then π is not closed. Proof. Suppose that branch π respects some model M. If π is then also closed, then by the closure conditions of Definition 16, it must be the case that its closing formula φ occurs twice on π with opposite signatures, or else that φ =. Since we assumed that the branch must nevertheless respect M (Definition 24), and M in turn must respect the truth relation (Definition 6), we can deduce that M = φ and M = φ. This cannot be, so π is not closed. Lemma 12. Any application of a rule of T JCS or T LPCS to a branch prefix that respects a Mkrtychev model M, will produce at least one branch extension that continues to respect M. Proof. We simply verify that the proposed property holds for every possible rule of T JCS and T LPCS. Case (CSr) Formulas in the constant specification are by definition true in M. Case (T ) If the rule (T ) is applied, then [T] ψ φ must be on the branch and since it respects M, we have M = ψ φ. By Definition 6, therefore M = ψ or M = φ. The two branch extensions produced by (T ) introduce [F] ψ and [T] φ respectively, so again by Definition 6, at least one extension will continue to respect M. Case (F ) From an application of (F ) follows that M = ψ φ, so we conclude M = ψ and M = φ. [T] ψ and [F] φ are the only additional formulas on the branch extension, so it also respects M. Case (F+) With (F+), we know that M = s + t : φ and in turn φ E(s + t). It must then be the case that φ E(s) and φ E(t), since from the contrary would follow a conflict with the closure conditions on E (Definition 5), namely, φ E(s + t). The branch extension introduces [F] s : φ and [F] t : φ, so it will respect M. Case (F ) Applying (F ) means that we know that M = s t : φ and thus φ E(s t). Note that there can be multiple possible instances of the (F )-rule; one for each ψ φ in the CS-extended subterms of the root of the tableau. Not every such rule instance is necessarily the right choice: some of them, but not all, may lead to an unclosable tableau even if the formula at the root is valid. They should, however, still each constitute a sound step, meaning that they must produce at least one M-respecting branch extension. This is the case, since there can not be any value for ψ such that both ψ φ E(s) and ψ E(t) if there was, the closure conditions on E (Definition 5) would force an inconsistency: φ E(s t). Therefore, for all ψ, it holds at least that M = s : (ψ φ), or else that M = t : ψ. These correspond precisely to the formulas introduced by the branch extensions, respectively [F] s : (ψ φ) or [F] t : ψ. 27

30 Case (!) It must be that M =!t : t : φ, so t : φ E(!t). But then also φ E(t), so as to avoid conflict with Definition 5. So M = t : φ, which is what the branch extension demands. Case (e) When we apply (e), we know that M = t : φ. Therefore, by Definition 6, M = φ, conform the branch extension. Theorem 2 (Soundness). T H φ implies M H = φ for H { J CS, LP CS }. Proof. Say that φ is derivable in T H, which entails that there is a closed tableau Θ with [F] φ at the root. If φ were not also valid on M H, there would be at least one model M M H for which M = φ. Clearly, a branch prefix of Θ containing only its root [F] φ will respect this M, as per Definition 24. Since we have just proven that any rule application must produce a branch that also respects M (Lemma 12), it follows that Θ cannot be guided towards closure (by Lemma 11). But Θ is closed, forcing the conclusion that the supposed counter-model M can not exist. φ must be valid. 3.6 Completeness It is easier to show completeness with respect to M JCS and M LPCS for tableau systems that include some additional rules. That is why we will first convince ourselves that anything that can be derived in the Hilbert system J CS or LP CS also has a proof in a tableau system based on T JCS or T LPCS, in which a (cut)-rule is added, and the (F )-rule is superceded by an unconstrained version ( F ). See Figure 8. [F] s t : φ [F] s : (ψ φ) [F] t : ψ ( F ) [T] φ [F] φ (cut) Figure 8: Auxiliary non-analytic tableau rules. We then recall the ordering on cut-formulas defined in Section 3.4.1, which enables us to show that the (cut)-rule is admissible: if a theorem can be proven with cuts, it can still be proven without cuts. We also find out that every necessary use of ( F ) can be replaced with (F ). Since it is already known that J CS and LP CS are complete with respect to their Mkrtychev models, we know that T JCS and T LPCS must be, too. In this way, we will obtain the central result of this section: Theorem 3 (Completeness). M H = φ implies T H φ for H { J CS, LP CS } Proof. The proof is a consequence of Theorems 1, 4, 5 and 6. This section, and in particular the proof of completeness with auxiliaries and the general approach to cut elimination, is inspired heavily by Ghari (2016a) Completeness with auxiliaries Theorem 4 (Cut-completeness). If H φ, then T H + cut + F φ for H { J CS, LP CS }. 28

31 Proof. If φ is true in H, then it is an axiom of H, or it is produced by the axiom necessitation rule, or it is derived from other formulas in H by the modus ponens rule. We will therefore prove theorems in the auxiliary tableau systems by induction on derivations of H. Recall that a proof of a theorem is a closed tableau with the negated theorem at the root. The base case is shown in Figure 9, where the axioms of H are derived in T H + F, even without cuts. Furthermore, any formula derived from the axiom necessitation rule must trivially have a tableau proof, since for any tableau with a negation of c : φ CS, closure is triggered after a single invocation of (CSr). What remains is the modus ponens rule. [F] (s : (ψ φ)) ((t : ψ) (s t : φ)) [T] s : (ψ φ) [F] (t : ψ) (s t : φ) [F] s : (ψ φ) (F ) (F ) [T] t : ψ [F] s t : φ ( F ) [F] t : ψ (a) The Application axiom of J CS and LP CS. [F] (t : φ) φ [T] t : φ [F] φ [T] φ (F ) (1) (e) (c) The Factivity axiom of LP CS. [F] (s : φ) (s + t : φ) (F ) [T] s : φ [F] s + t : φ (F+) [F] s : φ [F] t : φ (b) One of the Monotonicity axioms of J CS and LP CS. The other is almost identical. [F] (t : φ) (!t : (t : φ)) (F ) [T] t : φ [F]!t : (t : φ) (!) [F] t : φ (d) The Introspection axiom of LP CS. Figure 9: Tableau proofs for the axioms of J CS and LP CS. Now suppose that φ is derivable in H by the modus ponens rule on H ψ φ and H ψ. Then, by induction, there are closed tableaux Θ 1 and Θ 2 with respectively [F] ψ φ and [F] ψ at the root. Figure 10 illustrates that we can then construct a closed tableau of T H + cut + F with [F] φ at the root. Remark 7. Although it is easy to see that ( F ) is also an instance of (F ) in the case of Figure 9a, this is not so apparent when ( F ) occurs after a cut, as it might do in Figure 10. We will address this in Section

32 [F] φ (cut) [T] ψ [F] ψ (cut) [T] ψ φ (T ) [F] ψ φ Θ 2 [F] ψ [T] φ Θ 1 Figure 10: Modus ponens in a tableau system Elimination of the cut Theorem 5 (Cut-elimination). If T H + cut + F φ, then T H + F φ for H { J CS, LP CS }. Proof. We suppose that there is a closed tableau with [F] φ at the root. Getting rid of the lowest cuts of any closed tableau would just yield another closed tableau: one wherein the next-lowest cuts, if any, would take on their role. Therefore, were we to have an argument that all minimal cuts can be eliminated, it could be repeated to show that all cuts can be eliminated. We will give that argument, via induction on the weight of the minimal cut and sub-induction on its rank. 1. If either the T-branch or the F-branch immediately closes after the cut, we will show that it was redundant and can readily be eliminated. 2. Otherwise, we will show that the cut can be pushed down or lowered towards the extremities of the tableau, until it is at a branch end and thus can be eliminated, through induction, via case 1. a. If, in either of the cut s branches, the top-most rule application does not immediately process the freshly introduced cut-formula, then that rule application can be carried upwards over the cut, thereby lowering the cut. b. If the cut-formulas on both branches are instead immediately processed, we demonstrate that the cut can still be lowered. This will be proven individually for every set of rules that might be applicable to the cut-formula, but the pattern is more or less the same every time. Roughly, we use new, higher cuts to pre-introduce whatever formulas are also produced by the rule. The rule application then becomes redundant, since the formulas it introduces are already present, higher up along the branch. By eliminating the rule, the original cut is lowered. Unfortunately, we are then also left with new, higher cuts. The crux here is that those higher cuts must be of lower rank. This ensures that this sub-inductive trick can be done only a finite number of times: eventually, the cuts will reach a point at which no more rule can possibly be applied to their cut-formulas. Their fate is then decided by the remaining cases, 1 and 2a ensuring that these cuts, too, will eventually be eliminated. 30

33 π. Case 1 Let us now provide the argument to the above claims, beginning with the case that the F-branch immediately closes after a cut. More formally stated, on branch π we have a minimal cut with cut-formula φ at F-branch end. The situation is illustrated in Figure 11a. (cut) π. [T] φ [F] φ Θ T (a) Before elimination. Θ T (b) After elimination. Figure 11: An application of (cut) at F-branch end. First, note that if [T] φ is not involved in the closure of the subtableau under the T-branch (see Definition 16), then all branches of Θ T will be closed regardless of its presence. Second, observe that if [F] φ is not involved in the closure of the F-branch, then the branch prefix π must be closable on its own, since there are no other nodes on the F-branch that could be closing. In both situations, the cut is trivially redundant. So suppose instead that φ is involved in closure of both the T- and the F-branch. We also assume that φ, as it is easy to see that a cut with cut-formula can be eliminated right away. Then [F] φ must be closing the F-branch, since the branch extension is empty but for that formula. According to Definition 16, this means that [T] φ must occur in π otherwise the closure could not have been immediately triggered. But in that case, re-introducing [T] φ via a cut does not add any new formulas to the T-branch. So Θ T will still be closed after elimination of the cut. The argument is analogous for cuts at T-branch end. Case 2a Take a cut that is neither at branch end, nor fully instantly processed. If the cut is not instantly T-processed, then the reasoning goes that the rule that immediately follows the cut on the corresponding branch can be pushed upwards. A symmetric argument holds for the F-branch. The content of the argument is as follows: we first apply the rule to the branch prefix π. This is possible, because π contains all consumable formulas but the cut-formula, and it was assumed that the rule will not not consume the cut-formula. We then replicate the original cut under every branch that is thus produced. We can always put closed subtableaux under the resulting cuts, since all the original formulas are present on the new branches just in reversed order. To demonstrate, suppose without loss of generality that it is the rule (T ) that immediately follows the F-branch of a cut. The transformation is shown in Figure 12. Verify that the two cuts in Figure 12b are lower than the one in Figure 12a. Case 2b Finally, let us consider the case in which the cut is fully instantly processed. That is, both branches of the cut are immediately followed by a rule that processes the cut-formula. Review the forms of 31

34 π. [T] φ ψ (cut) [T] χ [F] χ (T ) Θ T [F] φ [T] ψ π. [T] φ ψ (T ) [F] φ [T] ψ (cut) (cut) [T] χ [F] χ [T] χ [F] χ Θ F L Θ F R Θ T Θ F L Θ T Θ F R (a) Before transformation. (b) After transformation. Figure 12: An example of pushing a rule upwards over the cut, if it does not process the cut-formula. the cut-formula and the rules that may apply to those forms, summarised in Table 1. As is then apparent, there is at most one rule applicable to either branch of a cut, so there is at most one pair of possible rules. For the basic system T JCS, there are rules to decompose formulas of the form [F] s t : φ and [F] s + t : φ, there are none to follow up a cut of that form on its T-branch. It follows that such cuts cannot be fully instantly processed, and that cases 1 and 2a will already eliminate them. Therefore, the only possible fully instantly processed minimal cut in T JCS has cut-formula φ ψ and is processed by (T ) and (F ) respectively. Take such a cut and imagine cutting φ and ψ into the tableau, just above it. That is, we get four forks of the branch prefix π, each containing both ψ and φ, but with different polarities. There is always an opportunity for lowering the weight of the cut, since there is always at least one rule application that superfluously introduces formulas that our new cuts also introduce. This transformation is illustrated in Figure 13. Verify that all cuts marked have a lower rank than the original cut and that all those marked have the same rank, but lower weight. For T LPCS, the addition of the (e)-rule unlocks the possibility that cuts of the form s + t : φ and s t : φ are fully instantly processed, and the addition of the (!)-rule results in the possibility for processing a cut of!t : t : φ. See also Table 1. Therefore, we present three additional cases for lowering the cut, described in Figures 14, 15 and 16. Again, verify that all cuts marked have a lower rank than the original cut and that all those marked have the same rank, but lower weight. 32

35 T JCS + cut + F T LPCS + cut + F [T] [F] [T] [F] Proposition p Implication φ ψ T F T F Proof constant c : φ e Proof variable x : φ e Sum s + t : φ F+ e F+ Application s t : φ F e F Proof checker!t : t : φ e! Table 1: Summary of rules applicable to cut-formulas. 33

36 π. [F] φ [T] φ ψ [T] ψ (T ) (cut) [F] φ ψ [T] φ [F] ψ (F ) Θ T L Θ T R Θ F (a) Before transformation. 34 [T] φ ψ Θ T R [T] ψ (cut) [F] φ ψ [T] φ [T] φ ψ (cut) [F] ψ [F] φ ψ [T] φ ψ (F ) (T ) [T] φ [F] ψ [F] φ [T] ψ Θ F Θ T R π. (cut) [T] ψ (cut) [F] φ ψ [T] φ [F] ψ (F ) (cut) [F] φ [T] φ ψ Θ T L (cut) [F] ψ (cut) [F] φ ψ [T] φ [F] ψ (F ) (b) After transformation. Figure 13: Cut elimination step for a fully instantly processed (cut) of φ ψ.

37 π. (cut) [T] s + t : φ (e) [T] φ Θ T [F] s + t : φ [F] s : φ [F] t : φ Θ F (F+) (a) Before transformation. π. 35 [T] s + t : φ Θ T [T] s : φ [T] φ (e) (cut) [F] s + t : φ (F+) [F] s : φ [F] t : φ [T] s + t : φ Θ T [T] t : φ [T] φ (e) [F] s + t : φ [F] s : φ [F] t : φ (b) After transformation. (cut) [F] s : φ (cut) (F+) [T] s + t : φ [T] φ Θ T (e) (cut) [F] t : φ [F] s + t : φ Θ F (cut) Figure 14: Cut elimination step of a fully instantly processed (cut) of s + t : φ.

38 π. (cut) [T] s t : φ [T] φ (e) [F] s t : φ ( F ) [F] s : (ψ φ) [F] t : ψ Θ T Θ F L Θ F R (a) Before transformation. π. (cut) [T] s : (ψ φ) [F] s : (ψ φ) 36 (e) (cut) [T] ψ φ [T] s t : φ [F] s t : φ (T ) (e) [T] t : ψ (e) [T] ψ [F] ψ (cut) [F] t : ψ (cut) [T] s t : φ [F] s t : φ (e) [T] s t : φ Θ T [T] φ (cut) [F] s t : φ ( F ) [F] s : (ψ φ) [F] t : ψ [T] φ Θ T Θ F L [T] φ Θ F R Θ F R Θ T (b) After transformation. Figure 15: Cut elimination step of a fully instantly processed (cut) of s t : φ.

39 π. (cut) [T]!t : t : φ (e) [T] t : φ [F]!t : t : φ (!) [F] t : φ Θ T Θ F (a) Before transformation. 37 π. (cut) [T] t : φ [F] t : φ [T]!t : t : φ (cut) [F]!t : t : φ (!) [T]!t : t : φ (e) (cut) [F]!t : t : φ Θ T [F] t : φ [T] t : φ Θ F (b) After transformation. Figure 16: Cut elimination step of a fully instantly processed (cut) of!t : t : φ.

40 3.6.3 Elimination of the unrestricted (F ) Even after the cut elimination step of the previous section, the system is not analytical, because it contains the ( F )-rule. We show that every sensible application of ( F ) is in fact an instance of its restricted version, (F ). Definition 25. The restriction function restrict CS : J L (J L) provides a limitation on the sets of formulas that any rule may produce. restrict CS (φ) = (sub CS (φ) J L) { t : ψ t sub CS (φ) J, ψ sub CS (φ) J L } Lemma 13. restrict CS (φ) is closed under subformulas: ψ restrict CS (φ) = sub(ψ) restrict CS (φ). For a decidable CS, restrict CS is computable. For a finite CS, restrict CS (φ) is finite. Proof. The truth of these statements can be verified by inspection of Definition 25. Lemma 14. For H { J CS, LP CS }, any rule application ρ that is either non-consuming, or consumes a φ restrict CS (φ ), will produce another ψ restrict CS (φ ). Proof. We distinguish between instances of ρ: If ρ is (CSr), then its production is in the set because CS restrict CS (φ ). If ρ is (T ), (F ), (e) or (!), then the production is a subformula of the consumption. Therefore, given that the consumption is in restrict CS (φ ), by closure under subformulas, so too must the production. If ρ is (F+), given that the consumption φ = s + t : φ 1 is in restrict CS (φ ), it is easily confirmed that the same goes for the productions, s : φ 1 and t : φ 1, by inspecting Definition 25. Finally, if ρ is (F ), and we assume that the consumption φ = s t : φ 1 restrict CS (φ ), then we can again inspect Definition 25 to verify that s : (φ 2 φ 1 ), t : φ 2 restrict CS (φ ), because the restriction on (F ) requires that φ 2 φ 1 sub CS (φ ). Lemma 15. For H { J CS, LP CS }, any chain of rule applications in which the first rule is (CSr), or that starts from the root formula φ, will produce exclusively formulas from restrict CS (φ ). Proof. Take an arbitrary chain P = ρ 1,, ρ n in which the first rule is (CSr), or that starts from the root formula φ. Assume that P is non-empty, for the claim would be vacuously true otherwise. Now take an arbitrary production ψ of this chain. The proof is by induction on the index of the rule that produced ψ. In the base case, let ψ be a production of the first rule in the chain, ρ 1. If the rule is non-consuming, it must be an instance of (CSr). Alternatively, it consumes φ, for which we trivially have that φ restrict CS (φ ). Either way, we can use Lemma 14 to conclude that ψ restrict CS (φ ). For the inductive step, we assume that the production of ρ i is in restrict CS (φ ). Since ρ i+1 consumes this production, it follows immediately from Lemma 14 that the production of ρ i+1 is also in restrict CS (φ ). 38

41 Lemma 16. For H { J CS, LP CS }, if a non-empty chain of rules of T H + F ends in a formula of the form [T] φ, then that chain could not have started with a formula of the form [F] t : ψ. Proof. Remember that any chain consists only of rule applications that consume a formula produced by the immediately preceding rule application. We made sure when defining the ranking on formulas in Definition 23 that every production of a rule from T H + F is -smaller than the associated consumption. Moreover, by Lemma 10, is transitive. So if there is a chain that starts from [F] s : ψ and ends in [T] φ, then [T] φ [F] s : ψ. But from the form of Definition 23 of formula orderings we must also conclude that [T] φ [F] s : ψ. So there cannot be such a chain. Theorem 6. If T H + F φ, then T H φ for H { J CS, LP CS }. Proof. We will take an arbitrary closed tableau Θ of T H + F that φ at the root, and show that any minimal application of ( F ) can either be eliminated, or replaced with instance of (F ). This argument is repeated to show that there is also a tableau of T H with φ at the root. π. [F] s t : φ ( F ) [F] s : (ψ φ) [F] t : ψ Θ L Θ R Figure 17: An application of ( F ). Figure 17 illustrates such a rule application. Observe that, if either [F] s : (ψ φ) or [F] t : ψ is not involved in closure of its subtableau, then the rule application can be eliminated, since then the entire subtableau under π can be replaced with respectively Θ L or Θ R without affecting closure. So, assume that both of these productions are involved in closure. Then there is a chain P of rule applications starting with [F] s : (ψ φ) and ending with a closing formula. The proof is by induction on the length of P. Consider any chain of rule applications that starts from a formula of the form [F] u 1 : (χ 1 χ 2 ) and ends in a closing formula. Our induction hypothesis is that, if it happens to be the case that ψ φ sub(χ 1 χ 2 ), as is the case for the starting formula of P, then we also have ψ φ sub CS (φ ). This would in turn mean that the application is sufficiently restricted as to be an instance of (F ). The base case is the empty chain: if [F] u 1 : (χ 1 χ 2 ) is itself closing, then there must also be a [T] u 1 : (χ 1 χ 2 ) somewhere on the branch. This opposing formula must itself have been introduced to the branch somehow: there must be a chain P that starts with the root formula or with (CSr), and ends in [T] u 1 : (χ 1 χ 2 ). We can see with Lemma 16 that P does not include an application of ( F ), since the rule ( F ) produces a formula of the form [F] s : ψ, which cannot subsequently produce a formula marked with T. 39

42 So all rules on the chain P are rules of T H. By Lemma 15, then we have u 1 : (χ 1 χ 2 ) restrict CS (φ ). As restrict CS (φ ) is closed under subformulas, we get ψ φ restrict CS (φ ) and so ψ φ sub CS (φ ). For the inductive step, we have P = ρ 1,, ρ n and ask ourselves what rule the application ρ 1 could be an instance of. The rules (e) and (!) are not compatible with the starting formula [F] u 1 : (χ 1 χ 2 ), and the unrestricted ( F ) is excluded by assumption. So the application must be an instance of (F+) or (F ). Then the application will produce at least one branch extension containing a production of the form [F] u 2 : (χ 1 χ 2 ) or [F] u 2 : (χ 3 (χ 1 χ 2 )). We still have that ψ φ is a subterm of these formulas, so with the induction hypothesis we find again that ψ φ restrict CS (φ ) and so ψ φ sub CS (φ ). 3.7 Decidability Decidability is succinctly shown below, in the proof of Theorem 7, as a consequence of results in earlier sections. We will additionally show three desirable properties that go beyond the bluntness of decidability, to suggest that the decision procedure is also efficient: There is no need to explicitly check whether a rule will add new formulas to the branch, because within a single chain, it is impossible to produce a formula that was consumed earlier (Theorem 8). Every formula needs to be consumed at most once per branch (Theorem 9). It is never necessary to use a non-consumer rule to produce the same formula on the same branch more than once, so any non-consuming rule instance needs to be invoked at most once per branch (Theorem 10). Theorem 7 (Decidability). For finite CS and H { J CS, LP CS }, construction of tableaux of T H is a decision procedure for the logic H. Proof. Soundness and completeness ensure that φ Λ H iff there is a closed tableau of T H with φ at the root. It follows from Lemma 15 that such a tableau contains exclusively formulas from restrict CS (φ ), so there is at most a finite number of formulas that can possibly be produced by a rule. Therefore, there must be a point at which no rule application can add new formulas onto the branch. If a branch is still open at that point, it will always be open, so tableau construction can be abandoned. Theorem 8 (Absence of loops). If a non-empty chain of rules in a tableau of T JCS or T LPCS starts from φ and ends in ψ, then there is no chain of rules that starts from ψ and ends in φ. Proof. Recall Definitions 13 on rule chains and 23 on formula rankings. Every production of a rule of T JCS or T LPCS is -smaller than the associated consumption, so by transitivity, the ending point of a non-empty chain is -smaller than the starting point. Then by the antisymmetry of, it is impossible to loop back by producing a formula that was consumed in the same rule chain. Lemma 17. Let Θ be a closed tableau with φ at the root, and ρ a rule application in Θ. Then there is a closed tableau Θ with φ at the root, such that all rule applications in the subtableau under ρ are part of a chain of rule applications starting with ρ. Proof. The idea has parallels to Case 2a of the cut elimination proof of Theorem 5, in that we will be pushing 40

43 irrelevant rule applications upwards. Assume without loss of generality that ρ and ρ are branching rules. If a topmost rule application ρ under ρ does not consume a production of ρ as in Figure 18a, then ρ can also appear higher than ρ, as in Figure 18b. Repeat this argument until every rule under ρ is one that consumes a formula that has been produced by a chain that starts with ρ. π. π. (ρ) (ρ ) φ 1 φ 2 ψ 1 ψ 2 (ρ ) (ρ) (ρ) Θ L ψ 1 ψ 2 φ 1 φ 2 φ 1 φ 2 Θ 1 R Θ 2 R Θ L Θ 1 R Θ L Θ 2 R (a) Before transformation. (b) After transformation. Figure 18: Pushing an arbitrary rule upwards. Theorem 9 (Duplicate elimination for consumer rules). Let Θ be a closed tableau of T H for H { J CS, LP CS } with φ at the root. If Θ contains a formula that is consumed more than once on the same branch, then there is also a closed tableau Θ with φ at the root in which the formula is consumed only once. Proof. The decision to consume a formula twice does not affect branch closure if it merely introduces identical productions to the branch. So we only consider the case in which the same consumption is taken by different rules (or by different instances of the same rule) to produce different formulas. In fact, we will look at minimal duplicate applications, that is, any two rule applications that consume the same formula, such that no formula that occurs lower on the branch is consumed twice. Once the minimal applications are eliminated, other duplicates are eliminated by the same token. The only overlapping rule in T H is (F ), so we know that the doubly consumed formula is s t : φ, and that the rule applications are instances of (F ). Furthermore, suppose without loss of generality that the duplicate application happens somewhere in the right-hand subtableau of the first rule application. The situation is illustrated in Figure 19. We assume that every rule application in the subtableau under [F] s t : φ is part of a chain that starts from [F] s t : φ; that every rule application in Θ 1 R is part of a chain that starts from [F] s : (ψ 2 φ); and that every rule application in Θ 2 R is part of a chain that starts from [F] t : ψ 2. These assumptions are justified through Lemma 17. If the tableau is already closed even without the application of (F ) 2 under Θ C, then clearly (F ) 2 and every subsequent rule application can be eliminated, as in Figure 19b. So, suppose that there is a branch of Θ C that only closes if (F ) 2 and its subtableaux are appended. But in that case (F ) 1, and every rule application 41

44 π. [F] s t : φ (F ) 1 [F] s : (ψ 1 φ) [F] t : ψ 1 Θ L [F] s : (ψ 2 φ) Θ C (F ) 2 [F] t : ψ 2 Θ 1 R (a) Before transformation. Θ 2 R π. [F] s t : φ π. [F] s t : φ (F ) 1 (F ) 2 [F] s : (ψ 1 φ) [F] t : ψ 1 [F] s : (ψ 2 φ) [F] t : ψ 2 Θ L Θ C Θ 1 R Θ 2 R (b) After transformation. (c) After transformation. Figure 19: Consuming the same formula twice. 42

45 thence, can be eliminated, as in Figure 19c. This is possible for the following reasons: There can be no branch under (F ) 2 that requires the presence of any formula in Θ C : it was, after all, our assumption that all rule applications in either of the subtableaux under (F ) 2 are part of a chain that starts from (F ) 2. All rules of T H take at most one consumption, so all rule applications under (F ) 2 consume a formula that was produced also somewhere under (F ) 2. Every branch is closed regardless of the presence of any formula in Θ C : by Lemma 16, any chain that starts with (F ) can only produce formulas of the form [F]. We have assumed that all formulas under [F] s t : φ are part of such a chain, so the positive half of the closing formula, [T] χ, must occur high up in the tableau, somewhere in the branch prefix π. The negative half, [F] χ, must occur somewhere under (F ) 2, for otherwise the application of (F ) 2 was redundant. Theorem 10 (Duplicate elimination for non-consumer rules). Let Θ be a closed tableau of T H for H { J CS, LP CS } with φ at the root. If Θ contains a non-consuming rule that produces the same formula more than once on the same branch, then there is also a closed tableau Θ with φ at the root in which this rule is applied at most once per branch. Proof. The only non-consumer rule of T JCS and T LPCS is (CSr). Take an arbitrary application of this rule. If the rule is not involved in the closure of the tableau, then any chain starting with the rule can be eliminated without affecting closure. If it is involved in closure, then it produces the closing formula or it is part of a chain that leads to the closing formula. In the first case, the duplicate invocation is clearly unnecessary; in the second case, it can be eliminated via Theorem 9, since the production of the rule would be consumed more than once. 43

46 4 Implementation This chapter is dedicated to the implementation of the tableau systems presented in the previous chapter, as well as any other systems that can be described in similar terms. This command line tool is called judge. Its source code is freely available under the GNU Public License 3 at and technical documentation can be found at The version described in this thesis is As the language of implementation, I selected the general-purpose functional programming language Haskell. As Doets and Van Eijck (2012) put it: [Haskell] is a marvelous demonstration tool for logic and maths because its functional character allows implementations to remain very close to the concepts that get implemented, while the laziness permits smooth handling of infinite data structures. Apart from being aesthetically pleasing, Haskell s purity with regard to side effects facilitates parallel computation, an attribute that is beneficial for programs that require the exploration of a large solution space. Although this was indeed a consideration, I have not further examined the opportunities it presents. judge should be able to handle any tableau system that can be captured in the input language of Section 4.2. Owing to its modular design, further adaptation, or accommodation to other proof systems or other logical families, should not require major refactoring of the rest of the source code. 4.1 Existing software In spite of the suitability of the language, at the time of writing, no software libraries or applications in the official Haskell package repository at implement a decision procedure for justification logic; indeed, none make any reference to justification logic at all. A handful relevant implementations do drift around outside the world of Haskell. Realisation algorithms were implemented in Coq and MetaPRL by Novak (2009), and in Prolog by Fitting (2013). Moreover, Bryukhov (2006) provided a theorem prover for S4 J n, the logic of justified common knowledge, in MetaPRL. Finally, in her Bachelor s thesis, Fuog (2015) provides a proof search implementation for LP in Python. To the best of my knowledge, no other implementations of justification logic exist. Upon broadening our logical horizon, we do find relevant Haskell software. Implementations of tableau methods for first-order logic, modal and hybrid logics exist in the Hackage repository; notably, tableaux, htab and hylotab. However, upon cursory inspection it was found that none of these can satisfactorily deal with the non-standard nature of tableaux for justification logic. Therefore, judge is written from scratch. 44

47 4.2 Input judge takes two inputs: a logical system and a set of candidate theorems to be proven Formulas A formula or set of formulas is presented as a text string, where variables are sequences starting with an uppercase character, and constants start with a lowercase character. Both Unicode representations and simple ASCII alternatives are accepted as logical operators. The parser respects operator precedence. The type of formulas is parameterised such that all formulas build upon a propositional base. This means that introducing support for a different logical language will only require the addition of a small subparser. Table 2 summarises the operators and constants available to all types of formulas; Table 3 presents the extension for justifications. Extended operators always bind tighter than propositional operators. If there are any operators that are not handled by the logical system directly, a rewriting step will simplify the formulas, so that they consist exclusively of basic symbols. In our case, the basic symbols are and. This behaviour is hardcoded at the time of writing. Variables in the specification of the logical system are always interpreted as schematic: they are gaps, to be filled in by concrete formulas during the procedure. Table 2: Recognised propositional operators, from tight to loose. Operator or constant Symbol ASCII Unicode code point Absurdity 0 U+22A5 Tautology 1 U+22A4 Negation \texttt~ U+00AC Conjunction & U+2227 Exclusive disjunction \textttˆ U+22BB Disjunction U+2228 Implication -> U+2192 Inverse implication <- U+2190 Bi-implication <-> U+2194 Table 3: Recognised justification operators, from tight to loose. Proof checker!! U+0021 Summation + + U+002B Application \texttt* U+22C5 or U+007B Justification : : U+003A 45

48 4.2.2 Logical system Logical systems are specified in the human-friendly YAML format or its more widely supported subset JSON. These standards are described, respectively, in Ben-Kiki, Evans, & Ingy (2009) and IETF (2017). This approach intends to make it easy to add or change systems without having to familiarise oneself with the code base. Let the example specification in Listing 1 act as a guide. Listing 1: A tableau system in the input format required by judge. logic: " justification " system: " tableau " rules: - name: "F " consume: ["[F] φ ψ"] produce: - - "[T] φ" - "[F] ψ" - name: "T " consume: ["[T] φ ψ"] produce: - - "[F] φ" - - "[T] ψ" - name: "T " consume: ["[T] S:(φ ψ)", "[T] T:φ"] produce: - - "[T] S T:ψ" restrict: and: - match: "φ ψ" with: [" subterms ", " formulas "] in: union: [" root ", " assumptions "] - match: "S T" with: " subterms " in: " root " - name: " CSr " consume: [] produce: - - "[T] φ" generate: match: "φ" with: " all " in: " assumptions " compose: " greedy " assumptions: - "c:(a (B A))" 46

49 At the top level, the logical system is a mapping with the following keys: logic expects a string value indicating the logical language. It will affect parsing of the rest of the file. At the moment, only justification is recognised. system expects a string value indicating the type of proof system. As before, this will affect parsing of the rest of the file. At the moment, only tableau is recognised. rules expects a list of rules in the relevant proof system. Tableau rules are specified in Section The rules are always applied in order of appearance in the specification, so it is important to put the most computationally expensive rules toward the end of the list. assumptions expects a list of formulas that we may assume to be true. For justification logic, this is where we can put relevant axiom instances from the constant specification. Optional. In any mapping, unrecognised keys will be ignored Tableau rules A tableau rule is represented as a mapping with the following keys: name expects an arbitrary string value. consume expects a list of signed formulas that represent the consumptions. produce expects a list of lists of signed formulas that represent the productions. The top-level list are the branches; the lists underneath are the formulas to be introduced on those branches. restrict expects a restriction, as specified in Section Optional. generate expects a generator, also specified in Section Optional. compose expects a string value that determines how to handle the instances created by the generator: we can choose to commit to the first valid one, or to keep trying instances until one leads to a closing tableau. The default is nondeterministic, but for performance reasons, rules with empty consumptions are automatically greedy. Optional. [F] s t : φ [F] s : (ψ φ) [F] t : ψ such that ψ is a subterm of the root x name: "x" consume: ["[F] s * t : φ"] produce: - - "[F] s : (ψ φ)" - - "[F] t : ψ" generate: match: "ψ" with: " subterms " in: " root " Figure 20: Example of rule specification. 47

50 4.2.4 Constraints Restrictions and generators have almost identical syntax, as they serve similar purposes. We will refer to them collectively as constraints. A restriction limits the applicability of a rule, by simply checking whether the constraint is satisfied in the current situation. A generator can serve the very same purpose by creating and then comparing all the possible variable assignments represented by the constraint. The latter approach has a pleasant side effect: we gain the ability to obtain a finite number of possible assignments, even when the productions contain variables that do not occur in the consumptions. Restrictions are computationally cheaper, because they do not involve inspecting and keeping track of all possible variable assignments of which there may be many. Unfortunately, they are not always sufficient, since tableau rules for justification logic have free variables in the productions. Using the intersection of generators and restrictions alleviates both their limitations. Generators are to be used sparingly and they should be as specific and uncomplicated as possible, so as to contain the threat of a combinatorial explosion. Constraints are represented as a mapping: match expects some term be it a signed formula, a formula, or an extension to be matched. in expects a specification of the terms against which we can match. For a generator, these must be static terms; for a restriction, the terms may also be dynamic. Specified in Section with expects a string or list of strings that represents a transformation on the term specification. When there are multiple transformations, they are applied from left to right. Possible values are all, subterms, formulas, extensions/justifications, constants, variables, atomary and constants. The application can be instructed to overlap, or to choose between, multiple constraints, by wrapping a list of constraints with or or and Terms Abstract sets of terms are represented by strings. We distinguish static and dynamic terms: root and assumptions will not change once the tableau procedure is initialised. This makes them suitable for generators, because, as the algorithm will track which rules have not yet been used on a branch, all rules should be fully estabilished from the very beginning. processed and unprocessed refer to a different set of terms at every step. These can be used exclusively in restrictions. The union or intersection of a set of terms is obtained by wrapping a list of term specifications with union or intersect. 48

51 4.3 Algorithm The fundamentals of the algorithm are fairly straightforward. What follows is a high-level description of the design; no knowledge of Haskell is expected. For a deeper technical perspective and implementational subtleties, please refer to the relevant documentation and commented source code. [F] s t : φ [F] s t : φ [F] s : (ψ φ) [F] t : ψ such that ψ sub(p p) [F] s : ((p p) φ) [F] t : (p p) [F] s t : φ [F] s : ( p φ) [F] t : p [F] s t : φ [F] s : (p φ) [F] t : p Figure 21: Example of rule initialisation. Initialisation Every rule that is associated with a generator is first instantiated into zero or more rule instances. This is done by transforming the abstract term specifications mentioned in the generator into a concrete set of terms. The schematic variables of the rule s consumptions and productions are then substituted with terms drawn from this source. Figure 21 provides an example based on Figure 20, assuming that the root formula is p p. Once the rules are instantiated, the initial tableau is set to a single branch that contains only the negation of the target formula. We enter the main loop. Rule selection For as long as an open branch remains, we look for a rule to apply to it. The approach here is mostly greedy, in that the selected rule is always the first applicable rule of the specification. However, it is not completely greedy: if multiple instances of the same rule are applicable, and the compositor of said rule is set to nondeterministic, then the rule application is a choice point. In case the tableau underneath the application fails to lead to closure, we may return here and try again with a different instance of the same rule. For a supporting discussion, review Section 3.3 about nondeterminism. Remark 8. The rules (+ L ) and (+ R ) are overlapping in JL e CS. The software does not implement nondeterminism for overlapping rules of different rule instances, so the input for JL e CS is to be slightly amended, by merging these rules into a single rule (F+), as discussed in Section 3.3. Rule application To determine whether a rule is applicable to a branch, the schematic consumptions of the rule are patterned to concrete formulas on the branch that have yet to be consumed. Patterning entails treating the variables in the consumptions of a rule as gaps to be filled. If succesful, the patterning operation yields a variable assignment. For example, φ ψ patterns with p (q r) to obtain the assignment σ = { φ, p, ψ, q r }. Patterning is not quite the same as unification, in that it is a one-way operation: φ may well pattern with φ ψ. 49

52 If a variable assignment could indeed be obtained and it satisfies the restriction on the rule, should there be any then the rule is applicable. It is applied by substituting the variable assignment we found into the rule, and attaching its productions to the branch. Closure We thus obtain one or more new branch endings. A branch closes as soon as a contradiction is identified. At the moment, detection of contradictions is hardcoded to occur when the formula [T] is added, or when a formula marked with T is added to a branch that also contains the same formula marked with F, or vice versa. The process is repeated until there are no more open branches left. Alternatively, if we both fail to find any rule applicable to an open branch, and exhaust the rule instances at all preceding choice points, then the target formula is not a theorem of the logic. Fortunately, the search for an applicable rule cannot get into a loop, due to Theorem 8. Post-processing Before the output is finalised, a number of post-processing steps will transform it to improve readability. The nodes are decorated with unique identification numbers. If a rewriting step was applied to the goal formula (cf. Section 4.2.1), this is added explicitly to the tableau, as a special rule. If possible, the tableau is shortened by eliminating any rule applications that were not involved in the closure of the tableau. This is particularly useful for the (CSr) rule: since this rule does not consume any formulas and is applied greedily, some of its applications tend to be superfluous. 6 Bookkeeping To be able to execute the algorithm as described above, we have at least two duties that force us to do some bookkeeping: We must keep track of which formulas are on the branch, and which of those have already been consumed. By only considering unconsumed formulas, we avoid hopeless repetitions, while, according to Theorem 9, leaving completeness intact. A rule that takes no consumptions is always applicable, since it trivially patterns with a set of formulas on the branch, namely, the null set. In order to efficiently ensure termination, we enforce that an instance of a non-consuming rule can be applied no more than once per branch. Again, we will not lose completeness, according to Theorem 10. A first idea might be to associate with each branch a reminder of the formulas and rule instances that are no longer allowed for use. However, there can be many formulas and rule instances, a large proportion of which may be forbidden. It is more convenient to remember the remaining entries seperately, and choose freely from these. We use a zipper list, introduced by Huet (1997), for a purely functional data structure that allows us to efficiently manipulate the remaining entries, while partially sharing memory across the branches. 6 Note that many extraneous rules do close a branch; particularly if they are branching, like (PB). It would be an interesting exercise to process away all redundant rule applications, as it would result in prettier proofs. 50

53 4.4 Usage instructions The application has a simple command-line interface. To run it, use judge SYSTEM, where SYSTEM is a specification of the logical system. Four specifications are included with the application by default. These are example for the system of Listing 1, J0 for T JCS, LP for T LPCS, and J0-PB for the system based on JL e CS as defined by Ghari (2016a). Other systems can be defined by the user in the format detailed in Section 4.2. Further features are controlled via flags (see also judge -h). We list the most important ones: If no target formula(s) are provided via -g or --goal, formulas are read from the standard input. To add assumptions ad-hoc, use -a or --assumption. If no output file is provided via -o or --output, the result is written to the standard output. There are two output modules that can be invoked with -f or --format. The default, Plain, will produce colorised plain text, indended for the terminal. To obtain L A TEX code instead, use LaTeX. Both methods will result in a graphical representation of the tableau, including annotations to indicate which rules were applied to which formulas. See Figure 22. [F] (x : A) (c x : (B A)) 1 judge logic /LP.yml \ -g "x:a -> x*c:(b -> A)" \ -a "c:(a -> B -> A)" \ -f LaTeX \ -o example. tex pdflatex example. tex F (1) [T] x : A 2 [F] c x : (B A) 3 [F] c : (A (B A)) 4 [F] x : A 6 CSr () F (3) (6,2) [T] c : (A (B A)) 5 (5,4) echo "x:a -> x*c:(b -> A)" \ judge LP -a "c:(a -> B -> A)" Figure 22: Running the application. Both runs lead to the same tableau. 51