Completeness and Decidability of Converse PDL in the Constructive Type Theory of Coq

Christian Doczkal, Joachim Bard

To cite this version:

Christian Doczkal, Joachim Bard. Completeness and Decidability of Converse PDL in the Constructive Type Theory of Coq. Certified Programs and Proofs, Jan 2018, Los Angeles, United States. hal-01646782

HAL Id: hal-01646782 (https://hal.archives-ouvertes.fr/hal-01646782), submitted on 23 Nov 2017


Christian Doczkal∗ (Univ Lyon, CNRS, ENS de Lyon, UCB Lyon 1, LIP) and Joachim Bard (Saarland University), [email protected]

Abstract

The completeness proofs for Propositional Dynamic Logic (PDL) in the literature are non-constructive and usually presented in an informal manner. We obtain a formal and constructive completeness proof for Converse PDL by recasting a completeness proof by Kozen and Parikh into our constructive setting. We base our proof on a Pratt-style decision method for satisfiability constructing finite models for satisfiable formulas and pruning refutations for unsatisfiable formulas. Completeness of Segerberg's axiomatization of PDL is then obtained by translating pruning refutations to derivations in the Hilbert system. We first treat PDL without converse and then extend the proofs to Converse PDL. All results are formalized in Coq/Ssreflect.

1 Introduction

Propositional Dynamic Logic (PDL) [12, 15] is a modal logic developed for reasoning about programs with applications for instance in knowledge representation [3]. The modalities of PDL are given by regular programs (i.e., regular expressions with tests) describing binary relations on states. The formula [α]φ is satisfied by some state if all α-reachable states satisfy φ. The language of programs includes a reflexive transitive closure operation (α*) causing PDL to be non-compact. Converse PDL (CPDL), also defined in [12], extends PDL with a converse operation on programs. Both PDL and CPDL have the small-model property [12] and are EXPTIME-complete [12, 21]. Axiomatizations of PDL and CPDL were first given by Segerberg [22] and shown complete independently by Gabbay [13] and Parikh [19].

Our main result is a machine-checked proof that for every PDL or CPDL formula φ one can either construct a proof of ¬φ from the respective axioms or a model of bounded size satisfying the formula. Completeness and the small-model property as well as decidability of satisfiability, validity and provability then follow as corollaries. The form of constructive completeness result established here is more informative than a classical completeness result in the sense that it provides an algorithm constructing proofs for valid formulas rather than merely showing the existence of such proofs.

The completeness proofs for (C)PDL in the literature either use non-standard canonical models and filtration [15, 19] or construct "canonical" models inside a finite syntactic universe [18]. Both techniques are non-constructive in the sense that they assume (at least) logical decidability of provability (i.e., ⊢ φ ∨ ⊬ φ for all φ). While logical decidability follows from (computational) decidability, the easiest way to show decidability of provability is via completeness.

In order to obtain a constructive completeness result, we base the completeness proof on a decision method for satisfiability. We employ a variant of pruning [17, 21] extended to provide refutations for unsatisfiable formulas in addition to constructing models for satisfiable formulas. Translating these pruning refutations to proofs in the Hilbert system then yields the desired completeness result. The use of pruning as decision procedure underlying the completeness result naturally leads to a factorization of the proof into an algorithmic part for the decision method, a semantic argument for the model construction, and a syntactic translation from pruning refutations to Hilbert refutations. We believe that the constructive nature of the proof and the clear separation of concerns makes the proof particularly easy to follow.

The pruning-based approach is inspired by completeness proofs for the branching time logic UB ("unified branching") [5] and Computation Tree Logic (CTL) [11] and was employed by the first author to obtain formal and constructive completeness proofs of Hilbert and sequent systems for CTL [8, 10]. For the construction of models using pruning, we follow the presentation of pruning in [16]. The translation from pruning refutations to Hilbert proofs builds on ideas in [18]. For CPDL, we show that the Hilbert system validates the conversion of formulas to converse normal form and then use pruning for converse normal formulas. This isolates the treatment of converse to a few select places in the proof. We are not aware of any other completeness proof treating converse this way.

∗ This author has been funded by the European Research Council (ERC) under the European Union's Horizon 2020 programme (CoVeCe, grant agreement No 678157). This work was supported by the LABEX MILYON (ANR-10-LABX-0070) of Université de Lyon, within the program "Investissements d'Avenir" (ANR-11-IDEX-0007) operated by the French National Research Agency (ANR).

CPP 2018, January 8 – 9, 2018, Los Angeles, CA, USA. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record will appear in Proceedings of the 7th International Conference on Certified Programs and Proofs, January 8 – 9, 2018.


The mathematical proofs described in this paper are constructive and designed with the formalization in mind. The accompanying Coq development [9] follows the proofs outlined in the paper and provides the details elided in the paper. The development is carried out using the Ssreflect [14] proof language and the Mathematical Component Libraries [25]. Our development builds upon the formal and constructive completeness proof for test-free PDL presented in [4].

The rest of the paper is organized as follows. Section 2 recalls the syntax, semantics, and Hilbert system of PDL and describes their representation in Coq. Sections 3 to 6 describe the constructive completeness result for PDL. Section 7 describes the changes required to extend our results to CPDL. Section 8 provides a high-level overview of the accompanying Coq development [9].

2 Propositional Dynamic Logic

We fix a countably infinite type of atomic programs A and a countably infinite type of atomic propositions P. The letter a ranges over atomic programs and the letter p ranges over atomic propositions. We consider Propositional Dynamic Logic (PDL) with the following syntax for programs (denoted α, β, ...) and formulas (denoted φ, ψ, ...).

  α, β := a | α + β | αβ | α* | φ?      (a : A)
  φ, ψ := p | ⊥ | φ → ψ | [α]φ          (p : P)

We define the remaining logical operations in terms of this syntax (i.e., ¬φ := φ → ⊥, φ ∧ ψ := ¬(φ → ¬ψ), ⟨α⟩φ := ¬[α]¬φ, ...).¹ We write |φ| and |α| for the sizes of formulas and programs (i.e., the size of the syntax tree).

Formulas are interpreted over transition systems where the states are labeled with atomic propositions and the transitions are labeled with atomic programs. A transition system M hence consists of

• A (possibly infinite) type |M| whose elements are called states
• A transition relation ⇒^a_M : |M| → |M| → Prop for every a : A
• A labeling L_M : P → |M| → Prop.

In the following, we write M for transition systems as well as their underlying type of states.

Let M be a transition system. We define a satisfaction relation between states w of M and formulas φ, written w |= φ, and an interpretation of programs α as binary relations on M, written ⇒^α (with M implicit), by mutual recursion on formulas and programs (cf. fig. 1). Note that we use the same symbols (e.g. →) both for the logical operators of PDL and for those of the type theory. This does not lead to ambiguity.

  w |= p         := L_M p w
  w |= ⊥         := ⊥
  w |= φ → ψ     := w |= φ → w |= ψ
  w |= [α]φ      := ∀v. w ⇒^α v → v |= φ

  w ⇒^a v        := w ⇒^a_M v
  w ⇒^{α+β} v    := w ⇒^α v ∨ w ⇒^β v
  w ⇒^{αβ} v     := ∃u. w ⇒^α u ∧ u ⇒^β v
  w ⇒^{α*} v     := w (⇒^α)* v
  w ⇒^{φ?} v     := w = v ∧ w |= φ

Figure 1. Semantics of formulas and programs

Our goal is to show soundness and completeness of the Hilbert system for PDL presented in fig. 2. The Hilbert system employed here is a variant of Segerberg's axiomatization as presented in [15]. We replace the original induction axiom (i.e., [α*](φ → [α]φ) → φ → [α*]φ) with a rule (Ind) and omit ⊢ φ → [α][α*]φ → [α*]φ, which is derivable by induction. We prefer the system from fig. 2 because, a priori, it appears weaker. Nevertheless, it is straightforward to show that the two systems are equivalent (see [9] for the details). Hence, all our results apply to both systems.

The satisfaction relation essentially constitutes a shallow² embedding of the classical object logic PDL into the constructive type theory of Coq. In order to ensure that the object logic is interpreted classically we restrict our attention to those transition systems for which the satisfaction relation is stable under double negation.

Definition 2.1. A (classical) model is a transition system M for which |= is stable under double negation, i.e., a transition system satisfying

  ∀w : M. ∀φ. ¬¬(w |= φ) → w |= φ      (*)

Classical models can be understood in several ways. The condition (*) localizes the classical assumptions required for soundness into the definition of models. In fact, classical models are the largest class of models for which one can constructively show soundness of the Hilbert system for PDL given in fig. 2.

Theorem 2.2 (Soundness). Let M be a transition system. Then ⊢ is sound for M (i.e., ⊢ φ implies w |= φ for all φ and all w : M) if and only if M is a classical model.

¹ While φ → ψ could be defined as [φ?]ψ, we include it in the syntax since this allows us to define the Hilbert system with minimal reliance on defined logical operations.
² Here, shallow refers to the fact that w |= φ is just a proposition talking about some relations over an arbitrary type.

  ⊢ φ → ψ → φ                                   (1)
  ⊢ (θ → φ → ψ) → (θ → φ) → θ → ψ               (2)
  ⊢ ¬¬φ → φ                                     (3)
  ⊢ [α](φ → ψ) → [α]φ → [α]ψ                    (4)
  ⊢ [α]φ → [β]φ → [α + β]φ                      (5)
  ⊢ [α + β]φ → [α]φ                             (6)
  ⊢ [α + β]φ → [β]φ                             (7)
  ⊢ [αβ]φ → [α][β]φ                             (8)
  ⊢ [α][β]φ → [αβ]φ                             (9)
  ⊢ [α*]φ → φ                                   (10)
  ⊢ [α*]φ → [α][α*]φ                            (11)
  ⊢ [φ?]ψ ↔ (φ → ψ)                             (12)

  MP:  from ⊢ φ → ψ and ⊢ φ infer ⊢ ψ
  Nec: from ⊢ φ infer ⊢ [α]φ
  Ind: from ⊢ φ → [α]φ infer ⊢ φ → [α*]φ

Figure 2. Hilbert system for PDL

Note that every transition system is a classical model if one assumes excluded middle. Moreover, one can show constructively that all finite transition systems (with boolean transition relations and labeling) are classical models. This amounts to proving decidability of the model-checking problem – which in the case of PDL is straightforward. Since PDL has the small-model property, we only need to construct finite models to show completeness.

For the rest of the paper, the word model always means classical model. We say that a formula φ is satisfiable if w |= φ for some state w of some model and valid if w |= φ for every state w of every model.

The main result of this paper is a constructive proof that for every formula φ, one can either construct a finite model certifying the satisfiability of φ or a proof of ¬φ from the axioms in fig. 2 (certifying the unsatisfiability of φ). Completeness of the Hilbert system (i.e., ⊢ φ whenever φ is valid) as well as decidability of satisfiability, validity and provability then follow as corollaries.

The central notions in the completeness proof are the notions of demo, subformula universe, and pruning. Demos are a class of finite syntactic models designed such that for every subformula universe U, there exists a largest demo over U satisfying all satisfiable formulas in U. We construct this largest demo using pruning in such a way that we obtain proofs of ¬φ for all unsatisfiable formulas φ in U.

3 Subformula Universes

We now define the notion of subformula universe. A subformula universe for a formula φ is a finite set of signed formulas [23] containing all formulas that play a role in deciding satisfiability of φ.

Definition 3.1. We call a finite set F of formulas subformula closed if it satisfies the following closure properties:

S1. If φ → ψ ∈ F, then {φ, ψ} ⊆ F.
S2. If [a]φ ∈ F, then φ ∈ F.
S3. If [α + β]φ ∈ F, then {[α]φ, [β]φ, φ} ⊆ F.
S4. If [αβ]φ ∈ F, then {[α][β]φ, [β]φ, φ} ⊆ F.
S5. If [α*]φ ∈ F, then {[α][α*]φ, φ} ⊆ F.
S6. If [ψ?]φ ∈ F, then {ψ, φ} ⊆ F.

Note that subformula closedness requires the presence of more than just the subformulas of every formula (e.g., [α][α*]φ when [α*]φ ∈ F).

It is a standard result about PDL that every formula is included in a subformula closed set of size linear in |φ| called the Fisher-Ladner closure [12, 15] of φ. This closure can be computed using two mutually recursive functions FL and FL□ as follows:

  FL(p)            := {p}
  FL(⊥)            := {⊥}
  FL(φ → ψ)        := {φ → ψ} ∪ FL(φ) ∪ FL(ψ)
  FL([α]φ)         := FL□(α, φ) ∪ FL(φ)

  FL□(a, φ)        := {[a]φ}
  FL□(α + β, φ)    := {[α + β]φ} ∪ FL□(α, φ) ∪ FL□(β, φ)
  FL□(αβ, φ)       := {[αβ]φ} ∪ FL□(α, [β]φ) ∪ FL□(β, φ)
  FL□(α*, φ)       := {[α*]φ} ∪ FL□(α, [α*]φ)
  FL□(ψ?, φ)       := {[ψ?]φ} ∪ FL(ψ)

In order to show that FL(φ) is subformula closed, we first establish the following transitivity property. The proof follows the presentation in [15].

Lemma 3.2.
1. φ ∈ FL(φ) and [α]φ ∈ FL□(α, φ).
2. If ψ ∈ FL(φ), then FL(ψ) ⊆ FL(φ).
3. If ψ ∈ FL□(α, φ), then FL(ψ) ⊆ FL□(α, φ) ∪ FL(φ).

Proof. Claim (1) is trivial. Claims (2) and (3) follow by mutual induction on φ for (2) and α for (3). □

Lemma 3.3. FL(φ) is subformula closed.

Proof. Immediate with lemma 3.2(1) and lemma 3.2(2). □

Lemma 3.4. |FL(φ)| ≤ |φ| and |FL□(α, ψ)| ≤ |α|.

Proof. By mutual induction on φ and α. □

For the definition of subformula universes, we employ signed formulas. A signed formula has the form φ^σ where φ is a formula and σ ∈ {−, +} is its sign. Signs never occur within a formula and bind weaker than formula constructors, e.g., [α]φ⁺ is to be read as ([α]φ)⁺. Semantically, negative signs correspond to top-level negations. That is, w |= φ⁻ is to be read as w ⊭ φ and w |= φ⁺ as w |= φ. In particular, we have:

  w |= [α]φ⁻  ⇔  ∃v. w ⇒^α v ∧ v |= φ⁻  ⇔  w |= ⟨α⟩¬φ⁺

Definition 3.5 (Subformula Universe). Let F be a subformula closed set. We refer to the set { φ^σ | φ ∈ F, σ ∈ {+, −} } as the subformula universe over F. For formulas φ, we write U(φ) for the subformula universe over FL(φ).

Signed formulas are a technical device allowing us to describe demos and pruning, which are usually described using negation-normal formulas, in terms of our minimal syntax for PDL.

4 Demos

A clause is a finite set of signed formulas. Demos [16, 17] are certain sets of clauses that can be seen as models in such a way that every state satisfies all signed formulas it contains. The first requirement on demos is that all states are Hintikka sets.

Definition 4.1. A clause H is called a Hintikka set if it satisfies the following closure conditions.

H1. ⊥⁺ ∉ H.
H2. There is no formula φ such that {φ⁺, φ⁻} ⊆ H.
H3. If (φ → ψ)⁺ ∈ H, then φ⁻ ∈ H or ψ⁺ ∈ H.
H4. If (φ → ψ)⁻ ∈ H, then φ⁺ ∈ H and ψ⁻ ∈ H.
H5. If [αβ]φ^σ ∈ H, then [α][β]φ^σ ∈ H.
H6. If [α + β]φ⁺ ∈ H, then [α]φ⁺ ∈ H and [β]φ⁺ ∈ H.
H7. If [α + β]φ⁻ ∈ H, then [α]φ⁻ ∈ H or [β]φ⁻ ∈ H.
H8. If [α*]φ⁺ ∈ H, then φ⁺ ∈ H and [α][α*]φ⁺ ∈ H.
H9. If [α*]φ⁻ ∈ H, then φ⁻ ∈ H or [α][α*]φ⁻ ∈ H.
H10. If [φ?]ψ⁺ ∈ H, then φ⁻ ∈ H or ψ⁺ ∈ H.
H11. If [φ?]ψ⁻ ∈ H, then φ⁺ ∈ H and ψ⁻ ∈ H.

Intuitively, Hintikka sets are clauses that are consistent with respect to state-local reasoning. Note that if φ^σ ∈ U for some subformula universe U, then all formulas mentioned in the Hintikka condition for φ^σ are also in U. The use of signs avoids the need to close subformula universes under adding/removing top-level negations (as is, for instance, done in [11]) thus simplifying the reasoning about the closure properties of the subformula universes.

Every finite set of clauses S can be seen as a model M(S) in the following way:

  |M(S)|              := S
  H ⇒^a_{M(S)} H'     := { φ⁺ | [a]φ⁺ ∈ H } ⊆ H'
  L_{M(S)} p H        := p⁺ ∈ H

Even for sets of Hintikka sets, the states of M(S) will generally not satisfy all the formulas they contain. To see this, recall that [a]p⁻ corresponds to the diamond formula ⟨a⟩¬p, and consider the case where S := {{[a]p⁻, p⁺}}. Then the only state of M(S) lacks the a-successor satisfying p⁻ required by [a]p⁻.

Definition 4.2. Let S be a finite set of clauses. We interpret programs as relations on S in the following way:

  C ⇝^a_S D        := { φ⁺ | [a]φ⁺ ∈ C } ⊆ D
  C ⇝^{α+β}_S D    := C ⇝^α_S D ∨ C ⇝^β_S D
  C ⇝^{αβ}_S D     := ∃E ∈ S. C ⇝^α_S E ∧ E ⇝^β_S D
  C ⇝^{α*}_S D     := C (⇝^α_S)* D
  C ⇝^{φ?}_S D     := C = D ∧ φ⁺ ∈ C

Remark 1. The set library employed in the formalization only allows us to write down sets that are finite by construction. However, finiteness of the unrestricted comprehension { φ⁺ | [a]φ⁺ ∈ C } depends on the injectivity of the box constructor. In Coq, we instead use replacement and separation (i.e., { body φ | φ ∈ { ψ ∈ C | isBox ψ } }, where isBox tests for the shape [α]φ⁺ and body strips away the outer box) yielding a set that is finite by construction.

Note that ⇝^α_S does not mention the satisfaction relation. This allows us to use ⇝^α_S to phrase the condition ensuring that ⇒^α and |= behave as required.

Definition 4.3 (Demo). A finite set D of Hintikka sets is called a demo if it satisfies the following condition:

(D) If [α]φ⁻ ∈ C ∈ D, then C ⇝^α_D D' and φ⁻ ∈ D' for some D' ∈ D.

We now show that for demos D, every state of M(D) satisfies all formulas it contains. We fix some demo D for the rest of this section. The proof follows [16].

Lemma 4.4. Let [α]φ⁺ ∈ C such that C ⇒^α_{M(D)} D and for all E ∈ D and all ψ with |ψ| < |α| we have that ψ⁻ ∈ E implies E ⊭ ψ. Then φ⁺ ∈ D.

Proof. By induction on α. The assumption on formulas smaller than α is required to handle the case for tests. □

Lemma 4.5. Let {C, D} ⊆ D such that C ⇝^α_D D and assume that ψ⁺ ∈ E implies E |= ψ for all E ∈ D and all ψ such that |ψ| < |α|. Then C ⇒^α_{M(D)} D.

Theorem 4.6 (Demo Theorem). Let φ^σ ∈ C ∈ M(D). Then C |= φ^σ.

Proof. By complete induction on |φ|. The case for φ = [α]ψ⁺ follows with lemma 4.4 using the induction hypothesis to establish the condition on formulas smaller than |α|. Similarly, the case for φ = [α]ψ⁻ follows with the demo condition and lemma 4.5. All other cases follow by induction using the Hintikka properties of C. □

5 Pruning

Pruning [17, 21] starts from a given set of Hintikka sets and removes clauses violating the demo condition until a demo is reached. We will show that when starting from the set of all maximal Hintikka sets over some subformula universe U, this process terminates with a demo satisfying all satisfiable formulas from U. Moreover, we will obtain pruning refutations for all removed clauses.

We fix some subformula closed set F and write U for the subformula universe over F.

Definition 5.1. A Hintikka set C ⊆ U is called maximal if for all φ ∈ F either φ⁺ ∈ C or φ⁻ ∈ C.

The pruning function is defined recursively as follows:

  prune S := prune (S \ {C})   if [α]φ⁻ ∈ C ∈ S and ¬∃D ∈ S. C ⇝^α_S D ∧ φ⁻ ∈ D
  prune S := S                 if S is a demo

Remark 2. The definition above does not specify which Hintikka set is to be removed if several violate the demo condition. In the Coq development, we use a choice operator for finite sets to deterministically pick a clause to remove.

We now define a demo over U as follows:

  S₀ := { C ⊆ U | C maximal and Hintikka }
  D  := prune S₀

Lemma 5.2. D is a demo contained in S₀.

Lemma 5.3. D is pruning corefutable.

Theorem 5.4 (Pruning Completeness). Let C ⊆ U, then C is either pruning refutable or satisfied by a model with at most 2^|U| states.

Proof. By case analysis on D ▷ C using theorem 4.6 and lemmas 5.2 and 5.3. □
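As an added example that is not part of the paper's Coq development, the following Python models sections 3 to 5 end to end: the Fisher-Ladner closure, the Hintikka conditions, the relation ⇝^α_S on clauses, and pruning over S₀. The nested-tuple syntax and the sample formulas are constructed for the example; decide realizes theorem 5.4 in miniature by checking whether {φ⁺} is supported by the pruned demo over U(φ).

```python
from itertools import product
# Constructed syntax: formulas ('p',n) | ('bot',) | ('imp',f,g) | ('box',prog,f);
# programs ('a',n) | ('plus',a,b) | ('seq',a,b) | ('star',a) | ('test',f).
# A signed formula is a pair (formula, '+'/'-'); a clause is a frozenset of them.

def size(t):
    """|phi| resp. |alpha|: the number of nodes of the syntax tree."""
    return 1 + sum(size(c) for c in t[1:] if isinstance(c, tuple))

def FL(f):
    """Fisher-Ladner closure FL(phi) of section 3."""
    if f[0] in ('p', 'bot'):
        return {f}
    if f[0] == 'imp':
        return {f} | FL(f[1]) | FL(f[2])
    return FLbox(f[1], f[2]) | FL(f[2])                          # [alpha]phi

def FLbox(a, f):
    """FL_box(alpha, phi) of section 3."""
    box = ('box', a, f)
    if a[0] == 'a':
        return {box}
    if a[0] == 'plus':
        return {box} | FLbox(a[1], f) | FLbox(a[2], f)
    if a[0] == 'seq':
        return {box} | FLbox(a[1], ('box', a[2], f)) | FLbox(a[2], f)
    if a[0] == 'star':
        return {box} | FLbox(a[1], box)
    return {box} | FL(a[1])                                       # test

def hintikka(H):
    """Conditions H1-H11 of definition 4.1 for a clause H."""
    if (('bot',), '+') in H:                                      # H1
        return False
    for f, s in H:
        pos, neg = s == '+', '-' if s == '+' else '+'
        if (f, neg) in H:                                         # H2
            return False
        a = f[1] if f[0] == 'box' else None
        if f[0] == 'imp':                                         # H3 / H4
            l, r, both = (f[1], neg) in H, (f[2], s) in H, not pos
        elif a and a[0] == 'test':                                # H10 / H11
            l, r, both = (a[1], neg) in H, (f[2], s) in H, not pos
        elif a and a[0] == 'seq':                                 # H5
            l, r, both = (('box', a[1], ('box', a[2], f[2])), s) in H, True, True
        elif a and a[0] == 'plus':                                # H6 / H7
            l, r, both = (('box', a[1], f[2]), s) in H, (('box', a[2], f[2]), s) in H, pos
        elif a and a[0] == 'star':                                # H8 / H9
            l, r, both = (f[2], s) in H, (('box', a[1], f), s) in H, pos
        else:
            continue                     # p, bot-, [a]phi: no state-local condition
        if not ((l and r) if both else (l or r)):
            return False
    return True

def reach(S, C, a, D):
    """C ~>^alpha_S D of definition 4.2 (S a set of clauses)."""
    if a[0] == 'a':                      # every [a]phi+ in C must be honoured by D
        return all((f[2], '+') in D for f, s in C
                   if s == '+' and f[0] == 'box' and f[1] == a)
    if a[0] == 'plus':
        return reach(S, C, a[1], D) or reach(S, C, a[2], D)
    if a[0] == 'seq':
        return any(reach(S, C, a[1], E) and reach(S, E, a[2], D) for E in S)
    if a[0] == 'star':                   # reflexive transitive closure, searched within S
        seen, todo = {C}, [C]
        while todo:
            E = todo.pop()
            if E == D:
                return True
            new = [F for F in S if F not in seen and reach(S, E, a[1], F)]
            seen.update(new)
            todo.extend(new)
        return False
    return C == D and (a[1], '+') in C   # test

def prune(S):
    """Pruning of section 5: remove clauses violating demo condition (D) until none is left."""
    S = set(S)
    while True:
        bad = next((C for C in S if any(
            s == '-' and f[0] == 'box'
            and not any(reach(S, C, f[1], D) and (f[2], '-') in D for D in S)
            for f, s in C)), None)
        if bad is None:
            return S
        S.remove(bad)

def maximal_hintikka_sets(F):
    """S_0: all maximal Hintikka sets over the subformula universe of F."""
    F = sorted(F, key=repr)
    return {C for signs in product('+-', repeat=len(F))
            for C in [frozenset(zip(F, signs))] if hintikka(C)}

def decide(f):
    """Theorem 5.4 in miniature: 'sat' iff {f+} is supported by the pruned demo over U(f)."""
    D = prune(maximal_hintikka_sets(FL(f)))
    return 'sat' if any((f, '+') in C for C in D) else 'refutable'
# Constructed sample: [a*]p -> [a]p is valid, so its negation NEG_PHI is refutable.
PHI = ('imp', ('box', ('star', ('a', 'a')), ('p', 'p')), ('box', ('a', 'a'), ('p', 'p')))
NEG_PHI = ('imp', PHI, ('bot',))
```

The page's own counterexample S = {{[a]p⁻, p⁺}} is a Hintikka set that pruning removes, because no clause of S supplies the a-successor containing p⁻.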

We say that a set of clauses S supports a clause C, written S ▷ C, if there exists some Hintikka set D ∈ S such that C ⊆ D. We have already established that a formula φ ∈ F is satisfiable whenever D ▷ {φ⁺} (theorem 4.6). In order to obtain completeness, it remains to show ⊢ ¬φ whenever D ⋫ {φ⁺}. To prove this, we need to generalize from single formulas to clauses, i.e., prove ⊢ ¬C whenever D ⋫ C. When a clause C appears in the place of a formula, as in ⊢ ¬C above, it is to be read as the sign respecting conjunction of the formulas it contains, i.e., C is to be read as ⋀_{φ^σ ∈ C} ⌊φ^σ⌋ where ⌊φ⁻⌋ := ¬φ and ⌊φ⁺⌋ := φ. If ⊢ ¬C, we call C (Hilbert) refutable.

We will show that all clauses over U that are not supported by S₀ are refutable. Moreover, we will show that this is an invariant that is preserved during pruning. That is, when a Hintikka clause is removed from S₀ and therefore some clause C ⊆ U is no longer supported by the remaining clauses, we can prove ⊢ ¬C, possibly using proofs constructed at an earlier stage.

To abstract from the algorithmic details of pruning, we give an inductive characterization of the clauses over U that are not supported by D and then translate derivations of this inductive definition to proofs in the Hilbert system. The rules are given in fig. 3. If pref C, we say that C is pruning refutable and if pcoref S for some S ⊆ S₀, we say that S is pruning corefutable. In both rules, the set S corresponds to some intermediate stage of pruning and the premise pcoref S captures the intuition that we have already established pref C for all previously removed Hintikka clauses. The rule P1 expresses the fact that a clause cannot be supported by D if all clauses that could possibly support it have already been removed and the rule P2 corresponds to the pruning condition.

  P1:  pcoref S    C ⊆ U    S ⋫ C
       ─────────────────────────────
                  pref C

  P2:  S ⊆ S₀    pcoref S    [α]φ⁻ ∈ C    ¬∃D ∈ S. C ⇝^α_S D ∧ φ⁻ ∈ D
       ─────────────────────────────────────────────────────────────────
                  pref C

  pcoref S := ∀C ∈ S₀ \ S. pref C

Figure 3. Pruning Refutations

6 Hilbert Refutations

We now establish completeness of the Hilbert system by showing that pruning refutable clauses are also Hilbert refutable. The proof is compositional in the sense that we show that the rules for pruning refutations are admissible for the Hilbert system.

For sets of clauses A, we abbreviate ⋁_{C ∈ A} C as ⋁A. We continue to work with the subformula universe U from the previous section. We say that a set S ⊆ S₀ is (Hilbert) corefutable if ⊢ ¬C for all clauses in S₀ \ S.

Lemma 6.1. Let C ⊆ U be maximal but not a Hintikka set. Then ⊢ ¬C.

Proof. By case analysis on the Hintikka condition being violated using propositional reasoning and axioms (5-12). □

We remark that lemma 6.1 encapsulates most of the state-local reasoning required to prove completeness.

Lemma 6.2 (Extension). Let S ⊆ S₀ be corefutable and let C ⊆ U be a clause. Then ⊢ C → ⋁{ D ∈ S | C ⊆ D }.

Proof. Since S is corefutable, it suffices to show ⊢ C → ⋁{ D ∈ S₀ | C ⊆ D }. The claim follows by induction on |U| − |C|. If C is maximal, then either C ∈ S₀ or ⊢ ¬C (lemma 6.1). Both cases are trivial. If C is not maximal then ⊢ C → C ∪ {φ⁺} ∨ C ∪ {φ⁻} for some φ ∈ F such that {φ⁺, φ⁻} ∩ C = ∅ and the claim follows by induction hypothesis. □

Lemma 6.3 (Admissibility of P1). Let S be corefutable and let C ⊆ U such that S ⋫ C. Then ⊢ ¬C.

Proof. Immediate with lemma 6.2. □

Before we can translate the rule P2, we need a few more auxiliary lemmas.

Lemma 6.4. Let C, D ⊆ U be maximal. Then ⊢ C → ¬D whenever C ≠ D.

Lemma 6.5. Let S ⊆ S₀ be corefutable. Then
1. ⊢ ⋁S.
2. ⊢ ¬(⋁A) → ⋁(S \ A) for all A ⊆ S.

Proof. Claim (1) follows immediately with lemma 6.2. For (2) it suffices to show ⊢ C → ¬(⋁A) → ⋁(S \ A) for C ∈ S (Claim (1)). If C ∈ A we obtain a contradiction with ¬⋁A. Otherwise, the claim is trivial. □

In addition to the lemmas above, we also make use of the following facts.

Lemma 6.6.
1. If ⊢ φ → ψ, then ⊢ [α]φ → [α]ψ and ⊢ ⟨α⟩φ → ⟨α⟩ψ.
2. ⊢ ¬⟨α⟩⊥
3. ⊢ ⟨α⟩φ → [α]ψ → ⟨α⟩(φ ∧ ψ)
4. ⊢ ¬[α]φ ↔ ⟨α⟩¬φ
5. ⊢ [α]φ → [α]ψ → [α](φ ∧ ψ)
6. ⊢ ⟨α⟩(φ ∨ ψ) → ⟨α⟩φ ∨ ⟨α⟩ψ
7. If ⊢ ψ → φ and ⊢ ⟨α⟩ψ → ψ, then ⊢ ⟨α*⟩ψ → φ

Note that lemma 6.6(1) justifies rewriting with implications underneath of modalities, and we will do so without explicit mention.

In the following we present Hilbert proofs in "backward style" where each line is obtained from the previous line by rewriting with some lemma or by propositional reasoning (usually the introduction or elimination of some big conjunction or disjunction). We chose this presentation, rather than the traditional forward chaining, because it closely matches the way the proofs are obtained in Coq.

The next lemma is the core of the completeness proof. In particular, this is the place where the induction rule for α* is used.

Lemma 6.7. Let S ⊆ S₀ be corefutable and let C, D ∈ S. Then ⊢ C → [α]¬D whenever C ⇝̸^α_S D.

Proof. By induction on α.

Case α = a: By assumption, there exists some [a]φ⁺ ∈ C such that φ⁺ ∉ D. Hence φ⁻ ∈ D since D is maximal. To show ⊢ C → [a]¬D it therefore suffices to show ⊢ [a]φ → [a]¬¬φ which follows with lemma 6.6(1).

Case α = ψ?: By axiom (12), it suffices to show ⊢ C → ψ → ¬D. Since C ⇝̸^{ψ?}_S D, we either have C ≠ D and the claim follows with lemma 6.4 or C = D and ψ⁺ ∉ C. But then, ψ⁻ ∈ C since C is maximal. Therefore ⊢ C → ¬ψ and the claim follows with propositional reasoning.

Case α = β + γ: By induction hypothesis we have both ⊢ C → [β]¬D and ⊢ C → [γ]¬D. The claim then follows with axiom (5).

Case α = βγ: We reason as follows:

  ⊢ C → [βγ]¬D
  ⇐ ⊢ C → [β][γ]¬D                                   axiom (9)
  ⇐ ⊢ C → ⟨β⟩⟨γ⟩D → ⊥                                lemma 6.6(4)
  ⇐ ⊢ C → ⟨β⟩((⋁S) ∧ ⟨γ⟩D) → ⊥                       lemma 6.5(1)
  ⇐ ⊢ C → ⟨β⟩(⋁_{E ∈ S} (E ∧ ⟨γ⟩D)) → ⊥
  ⇐ ⊢ C → (⋁_{E ∈ S} ⟨β⟩(E ∧ ⟨γ⟩D)) → ⊥              lemma 6.6(6)
  ⇐ ⊢ C → ⟨β⟩(E ∧ ⟨γ⟩D) → ⊥                          (for E ∈ S)

By assumption, we have C ⇝̸^β_S E or E ⇝̸^γ_S D. By induction hypothesis, we obtain either ⊢ C → [β]¬E or ⊢ E → [γ]¬D. The claim then follows with lemma 6.6(3) and lemma 6.6(2).

Case α = β*: We want to apply the induction rule with a suitable invariant. We define I := { E ∈ S | C ⇝^{β*}_S E }. We clearly have C ∈ I and therefore ⊢ C → ⋁I. By assumption, D ∉ I and therefore ⊢ ⋁I → ¬D since for every E ∈ I we have E ≠ D and therefore ⊢ E → ¬D (lemma 6.4). Using the induction rule with ψ set to ⋁I, it suffices to show (⋁I) → [β](⋁I). We reason as follows:

  ⊢ (⋁I) → [β](⋁I)
  ⇐ ⊢ E → [β](⋁I)                                    E ∈ I
  ⇐ ⊢ E → ⟨β⟩(¬⋁I) → ⊥                               lemma 6.6(4)
  ⇐ ⊢ E → ⟨β⟩(⋁(S \ I)) → ⊥                          lemma 6.5(2)
  ⇐ ⊢ E → (⋁_{F ∈ S \ I} ⟨β⟩F) → ⊥                   lemma 6.6(6)
  ⇐ ⊢ E → ⟨β⟩F → ⊥                                   F ∈ S \ I
  ⇐ ⊢ E → [β]¬F                                      lemma 6.6(4)

Since E ⇝̸^β_S F by the definition of I, the last claim follows by induction hypothesis. □

Remark 3. The previous lemma can be seen as a generalization of the contrapositive of [18, Lemma 1] from the collection of maximally consistent clauses (over a given universe) to arbitrary corefutable collections of maximal Hintikka sets (i.e., all possible intermediate states of pruning). We need the generalization in order to incrementally construct Hilbert derivations and the contrapositive since at the current point in the development there is no easy way to show that provability of formulas is decidable. Decidability of provability does follow once we have established decidability of satisfiability and completeness (cf. corollary 6.12).

Lemma 6.8 (Admissibility of P2). Let S ⊆ S₀ be corefutable and let C ∈ S with [α]φ⁻ ∈ C such that ¬∃D ∈ S. C ⇝^α_S D ∧ φ⁻ ∈ D. Then ⊢ ¬C.

Proof. Let X := { D ∈ S | φ⁻ ∈ D }. In order to prove ¬C, we show that C implies both [α](⋀_{D ∈ X} ¬D) and ⟨α⟩⋁X and that these two consequences are contradictory. For the first implication we reason as follows:

  ⊢ C → [α](⋀_{D ∈ X} ¬D)
  ⇐ ⊢ C → ⋀_{D ∈ X} [α]¬D                            lemma 6.6(5)
  ⇐ ⊢ C → [α]¬D                                      D ∈ X

The last claim follows with lemma 6.7 since C ⇝̸^α_S D by assumption. For the second implication we have:

  ⊢ C → ⟨α⟩⋁X
  ⇐ ⊢ ¬[α]φ → ⟨α⟩⋁X                                  since [α]φ⁻ ∈ C
  ⇐ ⊢ ⟨α⟩¬φ → ⟨α⟩⋁X                                  lemma 6.6(4)
  ⇐ ⊢ {φ⁻} → ⋁X                                      lemma 6.6(1)

This time, the last claim follows with lemma 6.2. Now it suffices to show

  ⊢ [α](⋀_{D ∈ X} ¬D) → ⟨α⟩(⋁X) → ⊥
  ⇐ ⊢ ⟨α⟩((⋀_{D ∈ X} ¬D) ∧ ⋁X) → ⊥                   lemma 6.6(3)
  ⇐ ⊢ ¬((⋀_{D ∈ X} ¬D) ∧ ⋁X)                         lemma 6.6(2)

The last claim follows with propositional reasoning. Thus we obtain ⊢ ¬C. □

Lemma 6.9. ⊢ ¬C whenever C is pruning refutable.

Proof. By induction on pref C using lemmas 6.3 and 6.8. □

We are now in the position to prove our main result for PDL.

Theorem 6.10 (Informative Completeness). For every PDL formula φ, one can either construct a proof of ¬φ or a model with at most 2^{2|φ|} states satisfying φ.

Proof. Fix some formula φ. By theorem 5.4, we either obtain a model for φ of size 2^{|U(φ)|} and the claim follows with lemma 3.4 or we have pref C and the claim follows with lemma 6.9. □

In Coq, theorem 6.10 takes the form of a function having the (dependent) type

  ∀φ. (ΣM (w : M). |M| < 2^{2|φ|} ∧ w |= φ) + (⊢ ¬φ)

Corollary 6.11 (Completeness). ⊢ φ whenever φ is valid.

We say a predicate P : X → Prop is decidable if there is a function p : X → B such that P x ↔ (p x = true) for all x : X (i.e., p decides P). With respect to this (shallow) notion of decidability, we also obtain:

Corollary 6.12 (Decidability). Satisfiability, validity and provability of formulas are decidable.

Proof. Immediate with soundness and completeness. □

Corollary 6.13 (Small-Model Property). Let φ be satisfiable. Then φ is satisfied by a model with at most 2^{2|φ|} states.

Proof. Immediate with soundness. □

Note that we prove the small-model property (smp) using a decision procedure rather than proving decidability using the smp as is often done in classical arguments.

7 Converse

We now extend the informative completeness result from PDL to CPDL. The proofs remain largely the same as for PDL. Therefore we only describe the parts that need to be changed. The formalization accompanying this paper [9] includes separate developments for the two logics.

We extend the syntax with a new program construct α⌣. The satisfaction relation for CPDL is defined as for PDL with the interpretation of α⌣ defined as:

  w ⇒^{α⌣} v := v ⇒^α w

Following [15], the Hilbert system for CPDL extends the Hilbert system from fig. 2 with two axioms:

  ⊢ φ → [α]⟨α⌣⟩φ                                    (13)
  ⊢ φ → [α⌣]⟨α⟩φ                                    (14)

By duality we obtain:

Lemma 7.1. ⊢ ⟨α⟩[α⌣]φ → φ and ⊢ ⟨α⌣⟩[α]φ → φ.

The main problem in extending the proof to CPDL is to adapt the proof of lemma 4.4. It turns out that the Hintikka conditions (definition 4.1) are insufficient to handle the case for converse appearing on top of other programs. We resolve this by showing that the Hilbert system validates a conversion to converse normal form (i.e., formulas where converse is only applied to atomic programs) and then restricting to converse normal formulas.

We start by computing converse normal forms. We want to exhaustively apply the following transformations to programs.

  (α + β)⌣ ↦ α⌣ + β⌣        α*⌣ ↦ α⌣*
  (αβ)⌣ ↦ β⌣α⌣              α⌣⌣ ↦ α

As with the computation of the Fisher-Ladner closure, we define two functions

  cnf : formula → formula
  cnp : bool → program → program

by mutual recursion on formulas and programs as shown in fig. 4. The boolean argument for cnp serves as a flag signaling whether we are currently pushing down a converse operation. This allows for a simple structurally recursive definition of converse normalization.
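The converse normalization described above, as an added Python example (not the paper's Coq development): cnp carries the pending-converse flag exactly as in fig. 4, and converse_normal checks the result. The nested-tuple syntax and the sample formula are constructed for this example.

```python
# Constructed nested-tuple syntax: programs ('a',n) | ('plus',a,b) | ('seq',a,b) |
# ('star',a) | ('test',f) | ('conv',a); formulas ('p',n) | ('bot',) | ('imp',f,g) | ('box',a,f).

def cnp(b, a):
    """cnp b alpha of fig. 4: b = True means a converse is being pushed down."""
    if a[0] == 'a':
        return ('conv', a) if b else a
    if a[0] == 'seq':                       # (alpha beta)^conv = beta^conv alpha^conv
        l, r = cnp(b, a[1]), cnp(b, a[2])
        return ('seq', r, l) if b else ('seq', l, r)
    if a[0] == 'plus':
        return ('plus', cnp(b, a[1]), cnp(b, a[2]))
    if a[0] == 'star':
        return ('star', cnp(b, a[1]))
    if a[0] == 'test':
        return ('test', cnf(a[1]))
    return cnp(not b, a[1])                 # alpha^conv: flip the flag, drop the converse

def cnf(f):
    """cnf phi of fig. 4: normalize every program under a box."""
    if f[0] in ('p', 'bot'):
        return f
    if f[0] == 'imp':
        return ('imp', cnf(f[1]), cnf(f[2]))
    return ('box', cnp(False, f[1]), cnf(f[2]))

def converse_normal(t):
    """Converse normal: every converse is applied directly to an atomic program."""
    if t[0] == 'conv':
        return t[1][0] == 'a'
    return all(converse_normal(c) for c in t[1:] if isinstance(c, tuple))

def size(t):
    """Syntax-tree size, to check the bound |cnf phi| <= 2|phi| used in theorem 7.5."""
    return 1 + sum(size(c) for c in t[1:] if isinstance(c, tuple))

# Constructed input: [ ((a ; (b + ([a^conv]p)?)^conv)*)^conv ] p
A, B, P = ('a', 'a'), ('a', 'b'), ('p', 'p')
EXAMPLE = ('box', ('conv', ('star', ('seq', A, ('conv', ('plus', B, ('test', ('box', ('conv', A), P))))))), P)
```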

operation. This allows for a simple structurally recursive definition of converse normalization.

    cnf p                ≔ p
    cnf ⊥                ≔ ⊥
    cnf (φ → ψ)          ≔ cnf φ → cnf ψ
    cnf ([α]φ)           ≔ [cnp false α](cnf φ)

    cnp false a          ≔ a
    cnp true a           ≔ a⌣
    cnp false (αβ)       ≔ (cnp false α)(cnp false β)
    cnp true (αβ)        ≔ (cnp true β)(cnp true α)
    cnp b (α + β)        ≔ cnp b α + cnp b β
    cnp b (α*)           ≔ (cnp b α)*
    cnp b (φ?)           ≔ (cnf φ)?
    cnp b (α⌣)           ≔ cnp (¬b) α

Figure 4. Converse Normalization

Lemma 7.2.
1. ⊢ φ ↔ cnf φ
2. ⊢ [cnp true α]ψ ↔ [α⌣]ψ
3. ⊢ [cnp false α]ψ ↔ [α]ψ

Proof. We show claim (1) and the conjunction of (2) and (3) by mutual induction on φ and α. Most cases follow immediately with the respective induction hypotheses. It remains to show ⊢ [α]φ ↔ [β]φ whenever α ↦ β. We show one direction of the case for α*⌣ ↦ α⌣*.

      ⊢ [α⌣*]φ → [α*⌣]φ
    ⇐ ⊢ [α*⌣]⟨α*⟩[α⌣*]φ → [α*⌣]φ          axiom (14)
    ⇐ ⊢ ⟨α*⟩[α⌣*]φ → φ                     lemma 6.6(1)
    ⇐ ⊢ ⟨α*⟩[α⌣*]φ → [α⌣*]φ                axiom (10)
    ⇐ ⊢ ⟨α⟩[α⌣*]φ → [α⌣*]φ                 lemma 6.6(7)
        (and ⊢ [α⌣*]φ → [α⌣*]φ)
    ⇐ ⊢ ⟨α⟩[α⌣][α⌣*]φ → [α⌣*]φ             axiom (11)

The last claim follows with lemma 7.1. □

Note that in the proof above, we need to generalize the claim using axiom (10) before applying the induction lemma (lemma 6.6(7)).

We extend the definition of FL□ with an additional clause for converse:

    FL□(α⌣, φ) ≔ {[α⌣]φ} ∪ FL□(α, φ)

Lemma 7.3. If φ is converse normal, then all ψ ∈ FL(φ) are converse normal.

The only place in the proof where we need to exploit the fact that we can restrict to converse normal formulas is when adapting the proof of lemma 4.4. We adapt the transition relation on sets of clauses by changing the case for atomic programs to respect converses of atomic programs

    C ⇝^a_S D ≔ { φ⁺ | [a]φ⁺ ∈ C } ⊆ D ∧ { φ⁺ | [a⌣]φ⁺ ∈ D } ⊆ C

and adapt the definition of M(S) accordingly.

Lemma 7.4. Let D be a demo containing only converse normal formulas and let [α]φ⁺ ∈ C such that C ⇒^α_{M(D)} D and for all E ∈ S and all ψ with |ψ| < |α| we have that ψ⁻ ∈ E implies E ⊭ ψ. Then φ⁺ ∈ D.

Proof. By induction on α. The case for a⌣ is symmetric to the case for a. All other cases are essentially the same as in the proof of lemma 4.4. □

The translation to Hilbert refutations requires the addition of two new cases to the proof of lemma 6.7. Firstly, C ⇝^a_S D can now also fail because φ⁺ ∉ C for some formula [a⌣]φ⁺ ∈ D. Secondly, we need to handle the case where C ⇝̸^{α⌣}_S D. Both cases are straightforward.

Theorem 7.5. For every CPDL formula φ, one can either construct a proof of ¬φ or a model with at most 2^{4|φ|} states satisfying φ.

Proof. Let φ be some formula. Then ⊢ φ ↔ cnf φ (lemma 7.2) and |U(φ)| ≤ 4|φ| since |cnf φ| ≤ 2|φ|. The claim then follows analogously to the proof of theorem 6.10. □

The corollaries from the previous section carry over to CPDL as expected.

We remark that, since CPDL has both more syntactic constructs and a Hilbert system with more axioms, the completeness result for CPDL does not subsume the completeness result for PDL.

8 Remarks on the Formalization

The Coq development accompanying this paper [9] follows the mathematical development fairly closely and provides the details elided in the paper. The development consists of about 1300 lines for CPDL and 1000 lines for PDL, split roughly half-and-half between specifications and proofs. This conciseness is achieved by relying on the mathematical component libraries [25] as well as two libraries developed in [8]. The latter two account for another 2000 lines.

The first library is for reasoning about finite sets over countable base types (e.g., formulas) and is used to define the Fisher-Ladner closure, clauses, demos, and pruning. While the mathematical component libraries do contain a library for extensional finite sets, this library only provides sets over finite types, which is too restrictive for our purposes.

While we use finite sets as underlying the pruning method for deciding PDL satisfiability, the purpose is to allow for a constructive proof rather than actually running the procedure. Consequently, we implement finite sets without regard for computational costs. We obtain an extensional representation by representing each set using some canonical duplicate-free list. In addition to the usual operations (e.g., separation, replacement, and powerset), the library also features a number of constructions not needed here (e.g., fixpoint operators for bounded monotone functions) and comes with rudimentary automation based on a tableau calculus implemented in Ltac [2]. We remark that there is another library for finite sets over countable types [7], currently being developed with the aim of integrating it into the mathematical component libraries, incorporating some of the design decisions underlying our finite set library.

The second library underlying the development is a library for constructing Hilbert derivations. It is folklore that reasoning inside deeply embedded proof systems (i.e., where the proof system is represented using an inductive definition) is cumbersome in Coq. This is particularly true for reasoning inside a bare Hilbert system due to the lack of assumption management. The libraries developed in [8] provide tactics for assumption management for any Hilbert system extending classical propositional logic. Further, it provides the instances to enable (setoid) rewriting [24] with the preorder φ ≺ ψ ≔ ⊢ φ → ψ. The facilities for assumption management are mainly used when proving basic, often propositional, facts. For the more high-level lemmas (e.g., lemma 6.7) rewriting with ≺ is the main source of automation. We remark that rewriting with equivalences alone would be too restrictive for our purposes since many important facts (e.g., axioms (13) and (14)) are only implications.

Morally, we see proofs as computational objects that can be inspected and manipulated. However, the need for setoid rewriting described above forces us to formalize the Hilbert systems as predicates (i.e., ⊢ : formula → Prop) rather than as families of types (i.e., ⊢ : formula → Type). While the introduction of universe polymorphism in recent versions of Coq allows, in principle, to use setoid rewriting also for type families, we ran into technical problems that we were, so far, unable to resolve when trying to turn the Hilbert systems into type families.

From the engineering point of view, it is also unfortunate that we were forced to create two separate developments for PDL and CPDL even though there is a considerable overlap between the two proofs. We could have obtained a limited amount of sharing by proving basic facts about the Hilbert systems (e.g., lemma 6.6) for a structure hiding the inductive nature of the Hilbert system (i.e., the fact that there are no other axioms) and then instantiating this structure with the Hilbert systems for both PDL and CPDL. This approach was used in [8] to build a hierarchy of Hilbert systems including propositional logic, K, K*, and CTL. However, given the large number of syntactic constructs for PDL and the fact that we only need about a dozen of these basic facts, the gains would be marginal at best. One option to merge the two developments might have been the introduction of a boolean flag, along the lines of the formalization underlying [20], signaling the presence or absence of converse in definitions and lemma statements. This could provide for significant sharing, at the cost of some technical overhead and slightly less natural definitions and lemma statements.

9 Conclusion

We have given formal and constructive completeness proofs for PDL and CPDL by combining ideas and techniques from a variety of sources [15, 16, 18]. We consider the constructive argument given here more informative than a classical completeness proof in the sense that it provides an algorithm constructing both finite models for satisfiable formulas and proofs for valid formulas.³ In addition to basing the proof on an algorithm, we also prove the correctness of this algorithm without classical assumptions. The reason for this is twofold. First, classical assumptions (besides those localized to classical models) are simply not necessary. Moreover, working without axioms allows us to appeal to the normalization property of the logic of Coq. This, for instance, yields that the shallow notion of decidability used in corollary 6.12 entails computational decidability in the usual sense.

³More precisely, it provides an algorithm that is, while still impractical, more informative than blindly enumerating proofs.

The completeness proof is designed to be constructive while reusing ideas from the literature wherever possible. The desire to work constructively essentially rules out the approach in [15], where completeness is established by using filtration on an infinite non-standard canonical model. In fact, even the construction of a finite "canonical" model for a given subformula universe in [18] is non-constructive in the sense that it requires decidability of Hilbert provability in order to determine which formulas are contained in which state. Of course, Hilbert provability is decidable (corollary 6.12). However, since the Hilbert system is not analytic, the easiest way to establish this is via completeness. This motivates basing the proof on a decision method. We use pruning since the maximal demo it constructs corresponds closely to the model employed in [18]. This allows us to obtain one of the key lemmas in the translation from pruning refutations to Hilbert refutations by adapting the corresponding lemma in [18]. Altogether, we obtain a natural factorization of the proof into an algorithmic part for the decision method, a semantic argument for the model construction, and a syntactic translation from pruning refutations to Hilbert refutations.

By using converse normalization, we were able to adapt the proofs for PDL to CPDL with only a few local changes. We remark that proving the commutation properties underlying the correctness of converse normalization (lemma 7.2) turned out to be surprisingly tricky, in particular as it comes to ⊢ [α*⌣]φ ↔ [α⌣*]φ, where both directions require a generalization of the statement before the induction rule is applied. Our attempts to find the relevant arguments in the literature were unsuccessful. The Coq development [9] contains all arguments in their entirety.

There are a number of methodical differences between the proofs presented here and the constructive completeness proofs for CTL in [8, 10]. The most fundamental one is the use of the more traditional Hintikka sets in favor of literal clauses and support. Here, literal clauses are clauses containing only formulas of the form [a]φ^σ and p^σ, and the support relation is a recursively-defined decidable predicate corresponding to the Hintikka conditions, e.g.,

    C ▷ (φ → ψ)⁺ ≔ C ▷ φ⁻ ∨ C ▷ ψ⁺

That is, the support relation is defined such that a literal clause supports all its possible Hintikka extensions. In [8], where pruning refutations are also translated to derivations of the sequent system for CTL presented in [6], the support relation provides a natural fit for the destructive reading of the sequent rules (i.e., the reading where the active formula is removed when applying a rule and next state rules are applied to literal clauses only). We would have preferred to extend the methodology employed for CTL also to PDL. However, as observed in [1, 16], a naive recursive definition of support for PDL, employing

    C ▷ [α*]φ⁺ ≔ C ▷ φ⁺ ∧ C ▷ [α][α*]φ⁺

to handle transitive closure, does not terminate on [a**]p⁺. This is sometimes called the nested star problem. While a notion of support can be defined for PDL [16], it is not clear whether the Hilbert system is expressive enough for constructing derivations based on this definition. When moving from literals and support to Hintikka sets, the recursive definition of the support relation is replaced with the checking of closure properties for Hintikka sets, thus avoiding the nested star problem.

Brünnler and Lange [6] suggest that, following the same methodology as for CTL, it should be possible to obtain an analytic sequent system for PDL. To the best of our knowledge, the details have not been worked out yet. It would be interesting to see if such an analytic sequent system can indeed be derived for PDL and whether a pruning-based argument can be used to show its completeness.

References

[1] Pietro Abate, Rajeev Goré, and Florian Widmann. 2009. An On-the-Fly Tableau-Based Decision Procedure for PDL-Satisfiability. In Proc. 5th Workshop on Methods for Modalities (M4M-5) (Electr. Notes Theor. Comput. Sci.), Carlos Areces and Stéphane Demri (Eds.), Vol. 231. Elsevier, 191–209.
[2] Alexander Anisimov. 2015. Proof Automation for Finite Sets. B.Sc. Thesis. Saarland University.
[3] Franz Baader and Carsten Lutz. 2007. Description Logic. In Handbook of Modal Logic, Patrick Blackburn, Johan van Benthem, and Frank Wolter (Eds.). Studies in Logic and Practical Reasoning, Vol. 3. Elsevier, 757–820.
[4] Joachim Bard. 2017. A Formal Completeness Proof for Test-free PDL. B.Sc. Thesis. Saarland University.
[5] Mordechai Ben-Ari, Amir Pnueli, and Zohar Manna. 1983. The Temporal Logic of Branching Time. Acta Inf. 20 (1983), 207–226.
[6] Kai Brünnler and Martin Lange. 2008. Cut-free sequent systems for temporal logic. J. Log. Algebr. Program. 76, 2 (2008), 216–225.
[7] Cyril Cohen. 2017. A finset and finmap DRAFT library. https://github.com/math-comp/finmap. (Nov. 2017). Accessed Nov. 17th, 2017.
[8] Christian Doczkal. 2016. A Machine-Checked Constructive Metatheory of Computation Tree Logic. Ph.D. Dissertation. Saarland University.
[9] Christian Doczkal and Joachim Bard. 2017. Coq development accompanying this paper. https://perso.ens-lyon.fr/christian.doczkal/cpp18/. (2017).
[10] Christian Doczkal and Gert Smolka. 2016. Completeness and Decidability Results for CTL in Constructive Type Theory. J. Autom. Reasoning 56, 3 (2016), 343–365.
[11] E. Allen Emerson and Joseph Y. Halpern. 1985. Decision Procedures and Expressiveness in the Temporal Logic of Branching Time. J. Comput. System Sci. 30, 1 (1985), 1–24.
[12] Michael J. Fischer and Richard E. Ladner. 1979. Propositional Dynamic Logic of Regular Programs. J. Comput. System Sci. 18, 2 (1979), 194–211.
[13] Dov M. Gabbay. 1977. Axiomatization of Logic Programs. (1977). Text of a letter to V. Pratt.
[14] Georges Gonthier, Assia Mahboubi, and Enrico Tassi. 2008. A Small Scale Reflection Extension for the Coq system. Research Report RR-6455. INRIA. http://hal.inria.fr/inria-00258384/en/
[15] David Harel, Dexter Kozen, and Jerzy Tiuryn. 2000. Dynamic Logic. The MIT Press.
[16] Mark Kaminski. 2012. Incremental Decision Procedures for Modal Logics with Nominals and Eventualities. Ph.D. Dissertation. Saarland University.
[17] Mark Kaminski, Thomas Schneider, and Gert Smolka. 2011. Correctness and Worst-Case Optimality of Pratt-Style Decision Procedures for Modal and Hybrid Logics. In TABLEAUX 2011 (LNCS (LNAI)), Kai Brünnler and George Metcalfe (Eds.), Vol. 6793. Springer, 196–210.
[18] Dexter Kozen and Rohit Parikh. 1981. An Elementary Proof of the Completeness of PDL. Theor. Comput. Sci. 14 (1981), 113–118.
[19] Rohit Parikh. 1978. The Completeness of Propositional Dynamic Logic. In Mathematical Foundations of Computer Science (LNCS), Józef Winkowski (Ed.), Vol. 64. Springer, 403–415.
[20] Damien Pous. 2013. Kleene Algebra with Tests and Coq Tools for while Programs. In Interactive Theorem Proving (ITP 2013) (LNCS), Sandrine Blazy, Christine Paulin-Mohring, and David Pichardie (Eds.), Vol. 7998. Springer, 180–196.
[21] Vaughan R. Pratt. 1979. Models of Program Logics. In Proc. 20th Annual Symp. on Foundations of Computer Science (FOCS'79). IEEE Computer Society Press, 115–122.
[22] Krister Segerberg. 1977. A Completeness Theorem in the Modal Logic of Programs. Notices Amer. Math. Soc. 24 (1977), A–552.
[23] Raymond M. Smullyan. 1963. A Unifying Principle in Quantification Theory. Proceedings of the National Academy of Sciences 49 (1963), 828–832.
[24] Matthieu Sozeau. 2009. A New Look at Generalized Rewriting in Type Theory. J. Form. Reason. 2, 1 (2009), 41–62.
[25] The Mathematical Components team. 2008. Mathematical Components. (2008). http://math-comp.github.io/math-comp/
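Returning to the converse normalization of section 7: the functions cnf and cnp of fig. 4, together with a syntactic check for the converse normal form that lemma 7.3 relies on, as an added executable rendering in Python. This is not code from the paper or its Coq development [9]; the namedtuple AST, the `show` printer and the sample formula are this example's own assumptions, and it goes slightly beyond the page by checking the normal form rather than only computing it.

```python
from collections import namedtuple

# Constructed AST for CPDL (this example's own, not the paper's Coq types).
Var, Bot, Imp, Box = (namedtuple("Var", "p"), namedtuple("Bot", ""),
                      namedtuple("Imp", "l r"), namedtuple("Box", "prog body"))
Atom, Seq, Choice = namedtuple("Atom", "a"), namedtuple("Seq", "a b"), namedtuple("Choice", "a b")
Star, Test, Conv = namedtuple("Star", "a"), namedtuple("Test", "f"), namedtuple("Conv", "a")

def cnf(phi):
    """cnf of fig. 4: walk the formula; programs under a box are normalized with flag false."""
    if isinstance(phi, (Var, Bot)):
        return phi
    if isinstance(phi, Imp):
        return Imp(cnf(phi.l), cnf(phi.r))
    return Box(cnp(False, phi.prog), cnf(phi.body))

def cnp(b, alpha):
    """cnp of fig. 4. The flag b says whether a converse is being pushed down: an
    atom gets a converse iff b, a sequence is reversed iff b, and α⌣ flips b."""
    if isinstance(alpha, Atom):
        return Conv(alpha) if b else alpha
    if isinstance(alpha, Seq):
        return (Seq(cnp(True, alpha.b), cnp(True, alpha.a)) if b
                else Seq(cnp(False, alpha.a), cnp(False, alpha.b)))
    if isinstance(alpha, Choice):
        return Choice(cnp(b, alpha.a), cnp(b, alpha.b))
    if isinstance(alpha, Star):
        return Star(cnp(b, alpha.a))
    if isinstance(alpha, Test):
        return Test(cnf(alpha.f))   # the flag is dropped under a test
    return cnp(not b, alpha.a)      # alpha is α⌣: flip the flag and recurse

def converse_normal(x):
    """True iff every converse in the formula or program x sits directly on an atom."""
    if isinstance(x, Conv):
        return isinstance(x.a, Atom)
    if isinstance(x, (Var, Bot, Atom)):
        return True
    return all(converse_normal(child) for child in x)   # namedtuples iterate over fields

def show(x):
    """Render in the paper's notation, e.g. Box(Conv(Atom('a')), Var('p')) -> '[a⌣]p'."""
    if isinstance(x, (Var, Atom)): return x[0]
    if isinstance(x, Bot): return "⊥"
    if isinstance(x, Imp): return f"({show(x.l)} → {show(x.r)})"
    if isinstance(x, Box): return f"[{show(x.prog)}]{show(x.body)}"
    if isinstance(x, Seq): return f"({show(x.a)}{show(x.b)})"
    if isinstance(x, Choice): return f"({show(x.a)} + {show(x.b)})"
    if isinstance(x, Star): return f"{show(x.a)}*"
    if isinstance(x, Test): return f"{show(x.f)}?"
    return f"{show(x.a)}⌣"

# Constructed sample: [((ab)*⌣ + c⌣⌣)](p → ⊥), with converse above a star, a sequence and a converse.
SAMPLE = Box(Choice(Conv(Star(Seq(Atom("a"), Atom("b")))), Conv(Conv(Atom("c")))), Imp(Var("p"), Bot()))

if __name__ == "__main__":
    print(show(SAMPLE), "~>", show(cnf(SAMPLE)))   # [((ab)*⌣ + c⌣⌣)](p → ⊥) ~> [((b⌣a⌣)* + c)](p → ⊥)
```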