July 12, 2010

4 Validity and decidability

4.1 Validity and deciding the minimal modal logic A modal formula was valid if it is true at all worlds in all models. The valid formulas form the minimal modal logic, true solely in virtue of local quantification in any graph. It often takes little effort to recognize modal formulas as valid or not. What is the general situation? Logicians think here in terms of “decision procedures”, algorithmic “mechanical” methods that test whether a given formula is valid, or follows logically from others. Indeed, the idea that logical deduction is essentially linked to computation goes back to the Middle Ages. Two landmark facts dominate the history here. Validity in propositional logic can indeed be tested by an algorithmic decision procedure, viz. the truth table method, and computers can do this, too. But the dream that all logical validity might be computable was shattered by the discovery in the 1930s that validity for predicate logic has no mechanical testing method at all. Or, put more succinctly: “first-order logic is undecidable”. Of course, this is not all. In between propositional and predicate logic, many logics are still decidable – with monadic predicate logic, first- order logic with unary predicates only, as a prime example.24 This leads to the “Balance” mentioned earlier in this course. Modal logic sits in between propositional logic and predicate logic qua expres- sive power over its models. But, what about the computational com- plexity of its validity problem? Does it side with propositional logic (where that problem is decidable), or with predicate logic (where it is undecidable)? There is no obvious truth table method for modal logic, since there are infinitely many models (both finite and infinite ones) to be searched in principle. But here is the truth: 24Indeed, existing methods for proof search in predicate logic (which you may have been taught in your first logic course) often do decide validity in special cases, though there is no guarantee that must do so.

37 July 12, 2010

38 / Modal Logic for Open Minds

Theorem 4. The minimal modal logic is decidable. There are many proofs of this result, backed up by concrete de- cision procedures. Methods include “semantic tableaux”, and others that you may know from standard logic courses. In this chapter, we will prove decidability in a number of different ways. Each pass will tell us something more about what makes modal logic tick, showing some interesting difference with first-order logic as a whole.

4.2 The finite model property Basic modal logic has the finite model property (FMP): Theorem 5. Every satisfiable modal formula (that is, true in some M,s) has a finite model. By contrast, first-order logic has no FMP. Let the formula λ say that < is an irreflexive transitive order where every point has a successor. The natural numbers with “smaller than” are a model. λ has only infinite models: any finite transitive model in which each point has a successor must have loops, which are forbidden by the irreflexivity. The FMP does not give decidability per se. We still might have to check all finite models: infinitely many. But it does when we can find an effective bound on the size of a verifying model in terms of the given formula ϕ. This strengthened version of the FMP is called the effective finite model property. Our first analysis works by a method of selection: Theorem 6. Modal logic has the effective finite model property. Proof. Consider any formula ϕ satisfied in a model M, w. For conve- nience, unravel M via a bisimulation to a tree, so ϕ holds at the root. The essential point is that evaluation of ϕ only needs finite path depth into the tree, and finite branching width. Here is the idea. Consider ϕ as a Boolean combination taken from a finite set of propositional atoms

and modal formulas ¿α (this is always possible, looking at ϕ from the outside).25 For atoms, it is enough to know the valuation at the current world. For each true diamond formula in this set, we choose a verifying successor world in the model. The total number needed is bounded by the number of sub-formulas of ϕ, which is at most the size length(ϕ) of ϕ itself. For false diamonds, we need not choose any worlds at all, as these only constrain what should hold at successors we need for other reasons. Going down the tree in this fashion, we lose one level of modal

25We made this same point earlier in Chapter 3, in our proof of the Adequacy

¾ ¾

Lemma for bisimulation games. For instance, the formula ¬(p ∧ ¿(q ∨ p) ∧ s) is

¾ ¾ equivalent to the Boolean combination ¬(p ∧ ¿(q ∨ p) ∧ s), where we consider the bold-face sub-formulas temporarily as “units”. July 12, 2010

Validity and decidability / 39 operator depth in each round: the process stops at md(ϕ). Moreover, the width of the process is also clearly bounded by the size of the for- mula. We can make this precise by induction on finite sets of formulas (counting their total number of operators): if such a set consists of true formulas at a node s, then there is a finite sub-tree starting at s which still verifies the whole set. We put together the finite sub-models for the α’s (which exist by the inductive hypothesis) to get the total model for the set one node higher up. We can compute an effective upper bound on the size of the models constructed in this proof, viz. length(ϕ)md(ϕ)+1. This gives an algorithm for deciding validity. Enumerate all modal models up to this size – using the fact that, modulo isomorphism of models, there are only finitely many of these. Check if the given formula ϕ holds in any one of these models. If so, ϕ is of course satisfiable – and if not, it is not satisfiable at all. This decides SAT (the satisfiability problem) for modal formulas. And then we can decide validity of any formula ϕ by deciding satisfiability of ϕ. ¬ Remark (Finite depth property). Implicit in this proof is a feature of modal formulas called their “Finite Depth Property”. For any model M,s and modal formula ϕ, M,s = ϕ iff M k,s = ϕ, where M k,s is the sub-model of M whose domain| consists| of s plus| all worlds| reach- able from it in at most k successor steps, with k the modal depth of ϕ. Modal formulas can only “see” the current model locally via successor paths up to their own modal depth. Related to this argument is the general method of filtration, which we only sketch here. It proceeds by contracting all worlds that agree on each sub-formula of the ϕ at issue, and it is also somewhat reminiscent of our earlier bisimulation contractions. Definition 4.2.1 (Filtrated model). Consider any model M, and take any modal formula ϕ. The filtrated model M ϕ arises as follows. Set w v if worlds w, v agree on the truth value of| each sub-formula of ϕ. ∼ Take the equivalence classes w∼ of this relation as the new worlds. For accessibility, set w∼Rv∼ iff there are worlds s w, t v with sRt. ∼ ∼ Finally, for the valuation, set w∼ = p iff w = p. | | Clearly, filtrated models are finite, and also, relevant formulas do not change truth values, as seen by a simple induction on their construction: Fact. For each sub-formula α of ϕ, we have this equivalence: 26 M,s = α iff α holds at s∼ in the filtrated model M ϕ. | | 26The method works much more generally, but it needs further twists to preserve July 12, 2010

40 / Modal Logic for Open Minds

4.3 Inductive analysis of valid sequents Next, we look into the concrete syntactic structure of valid inferences. Definition 4.3.1 (Modal sequents). A modal sequent consists of two sequences of modal formulas separated by a double arrow: ϕ ...ϕk 1 ⇒ ψ1,...ψm. Such a sequence is valid if in every world in every model, the conjunction of the ϕ’s implies the disjunction of the ψ’s.27 This implies that a sequent is valid whenever some formula appears on both sides. This convention makes for better combinatorial reduc- tion laws than the stipulation & &. Here, order and multiplicity of formulas on either side of the arrow⇒ is immaterial: just think of them as sets. We use letters , ,... for finite sets of formulas. Now, we give a set of principles thatA decomposeB questions of validity into ever-simpler equivalent ones, so that the associated procedure terminates. The first of these are purely propositional: Fact (Valid propositional reduction laws). 1. A sequent with only atoms is valid iff some formula occurs on both sides. 2. , ϕ iff , ϕ A ¬ ⇒B A⇒B 3. , ϕ iff , ϕ A⇒B ¬ A ⇒B 4. , ϕ ψ iff , ϕ, ψ A ∧ ⇒B A ⇒B 5. , ϕ ψ iff both , ϕ and , ψ A⇒B ∧ A⇒B A⇒B Proof. This is a routine exercise in propositional logic.28

Reducing sequents by these rules leads to ever simpler ones in terms of logical operators, until you hit atomic ones that you can decide “on sight”. So, this is a decision procedure for propositional logic. Now for the modal operators. Starting from the outside of formulas in a se- quent, we can reduce sequents until all outer Boolean connectives have disappeared. We are left with (using only diamonds here as primitive

modalities) irreducible sequents

¿ ¿ ¿ p, ¿ϕ ,..., ϕk ψ ,..., ψm, q (4.1) 1 ⇒ 1 with p, q sequences of proposition letters. Now, we reduce these se- quents by means of the following observation, which is again a highly typical modal style of argument:

special relational features of the original model, such as transitivity. 27It also makes sense to speak of global truth of a sequent in a whole model, but we will not use this here. 28You can easily find similar decomposition rules for the other connectives. July 12, 2010

Validity and decidability / 41

Fact (Modal Decomposition Fact). A modal sequent of the form

¿ ¿ ¿ p, ¿ϕ ,..., ϕk ψ ,..., ψm, q is valid iff either 1 ⇒ 1 1. p, q overlap, or

2. for some i (1 i k), the sequent ϕi ψ ,...,ψm is valid. ≤ ≤ ⇒ 1 Proof. From right to left. If either 1 or 2 holds, a simple argument shows that 4.1 is valid. This involves just the modal truth definition and the definition of sequent validity. Next, from left to right, argue by contraposition. Suppose that neither 1 nor 2 holds. Then, as none of the 2-type sequents are valid, there exist k models Mi, wi in which ϕi is true while all the right-hand formulas ψj are false. Now put all these models together under one new root v – and stipulate an extended valuation at v that makes the p true, but not the q: v ll RRR lll RRR lll RRR lll RRR lll RRR ll RRR vlll  R( w1 7 wk Ó ;; ×× 77 Ó ;; Ó ;; × 7 Ó ;; ÓÓ ; × 77 ÓÓ ; ÓÓ ;; ×× 7 ÓÓ ;; ÓÓ ;; ×× 77 ÓÓ ;; ÓÓ ; ×× 7 ÓÓ ; M1 Mk Then the new root v satisfies the whole left-hand side of 4.1, but none of the formulas on its right-hand side hold:29 and so we have shown that 4.1 is not valid.

Comment: proof calculi Sequents are normally used in proof theory. We then read the above rules bottom up, as introducing new logical operators into inferences already proved. For instance, if we have ϕi

⇒

¿ ¿ ψ1,...,ψm, then we conclude ¿ϕi ψ1,..., ψm. Reading the rules that way gives a complete proof system⇒ for the minimal modal logic. For modal logic, this reveals a delightful subtlety, which connects up with so-called “substructural logics”. Our sequents had sets of formulas. This validates structural rules of inference on sequents, allowing us to contract two instances of the same formula into one, or permute occurrences of formulas on the same side of the . One structural manipulation seems particularly harmless, viz. suppressi⇒ on of multiple occurrences of the same formula:

29Here, we really need to prove that our formulas do not change truth values in passing from the separate models into the new “rooted” one – something that can be done by choosing an appropriate bisimulation: which one? July 12, 2010

42 / Modal Logic for Open Minds

Structural rules of Contraction (a) if , ϕ, ϕ , then , ϕ, (b) if A ,⇒B ϕ, ϕ, then A ⇒B, ϕ A⇒B A⇒B But this may be fatal to decidable proof search: if we use Contrac- tion backwards, searching for possible proofs of the current sequent, this rule increases the size of the sequents that are potential candidates for derivation. In general, this is inevitable. For first-order logic, Contrac- tion is indispensable, since it is involved when we appeal more than once to the same quantifier, for instance, taking different instances of a universal formula xϕ. And this can explode proof search spaces – as first-order logic is∀ undecidable. But for modal logic, this does not hap- pen. The above semantic argument shows that the rule of Contraction is not needed for deriving modal validities: we only need Permutation of formulas, and Monotonicity: insertion of additional formulas right and left.30 The latter rules, read backwards, do not increase the com- plexity of our search space. Thus, we have one more, proof-theoretic explanation of the decidability of the basic modal logic.

4.4 Semantic tableaux Here is one final re-interpretation of our inductive analysis. Reading things in the opposite direction, we can think of the preceding reduction rules as analyzing what it would take to produce a counter-example for an initial sequent ϕ1 ...ϕk ψ1,...ψm. In a stepwise manner, the rules analyze the nature of⇒ some possible model M,s where all antecedent formulas are true and all consequent formulas are false. The result of such an analysis is a finite tree of sequents in which each logical operator gets analyzed, whose branches either “close” (when some formula occurs in both antecedent and consequent set), or stay “open”. Such trees are called semantic tableaux. If all branches close, there is no counter-example, and the initial sequent was valid. If at least one branch remains open, even when all rules have been applied, a counter-example may be read off from that branch. We do not explain this method in technical detail here, but we do give one heuristic illustration:

Example (Modal semantic tableaux). Consider the modal formula

¾ ¾ ¾(p q) ( p q). Can we find a counter-example? We put it on

top of→ a tree→ to be→ constructed, with a marker for the world:

¾ ¾ ¾(p q) ( p q)1 • → → → 30Proof systems without a contraction rule are crucial to categorial grammar and linear logic, two logical approaches to language and computation. July 12, 2010

Validity and decidability / 43

Things to the left of a dot have to be true, things to the right, false. Analyzing this in propositional logic, there is only one way in which a

counter-example might be obtained:

¾ ¾ ¾(p q) p q 1 → • →

Repeating this step, we get:

¾ ¾ ¾(p q), p q 1 → • Now we need to deal with the modal boxes. The ones to the left do not make any existential requirement, but the one on the right asks for a successor 2 of the current world 1 where q is false, while at the same time, all formulas that are boxed to the left must be true: p q,p q 2 → • Analyzing this in propositional logic again, there are two ways to make the implication to the left true, written as the following “splitting”: q,p q 2 p q,p 2 • • Now both of these nodes close, since there are formulas occurring on both sides, making it impossible to give a counter-example. Thus, the initial sequent was valid, and indeed, we have shown, once more, that the modal distribution axiom is valid.31

We display the complete resulting closed tableau in full:

¾ ¾ ¾(p q) ( p q)1

• → → →

¾ ¾ ¾(p q) p q 1

→ • →

¾ ¾ ¾(p q), p q 1 → •

p q,p q 2 →  • @@  @@  @@  @ q,p q 2 p q,p 2

=•• =

¾ ¾ Next, consider the converse implication (¾p q) (p q). Here

is the initial node of its tableau: → → →

¾ ¾ (¾p q) (p q)1 • → → → 31To make all this precise, semantic tableaux need a lot of syntactic “book- keeping”, which detracts a bit from the elegance of the idea behind this method. July 12, 2010

44 / Modal Logic for Open Minds

We go through the rules a bit more quickly:

¾ ¾ ¾p q (p q)1 → • →

We first make a propositional split:

¾ ¾ ¾ ¾q (p q)1 (p q), p 1 • → • → To the left, we create a successor 2 of 1, and write in the requirements: q p q 2 • → Applying an implication rule again, this yields: q,p q 2 • and this closes. But we can also investigate the remaining case to the right, attaching two successor worlds 3, 4 to 1, one for each box (there is absolutely no reason to assume that both boxed formulas need to be falsified in one single successor world): p q 3 p 4 • → • Applying an implication rule again, this yields: p q 3 p 4 • • Both nodes remain open, and no more decomposition rules apply.

The total semantic tableau is then as follows:

¾ ¾ (¾p q) (p q)1

• → → →

¾ ¾ ¾p q O (p q)1 → pp • OOO → ppp OO pp OOO ppp OOO

ppp OO

¾ ¾ ¾ ¾q (p q)1 (p q), p 1 • → • →

q p q 2 p q 3 p 4 • → • → •

q,p q 2 p q 3 =•• From the markings on the right branch of this tree, it is immediate to read off a concrete counter-example M for the initial sequent. The set of worlds of the model M is 1, 3, 4 , the accessibility relation is { } July 12, 2010

Validity and decidability / 45

(1, 3), (1, 4) , and the valuation makes p true at 3, and q nowhere: { } 3,p nn6 nnn 1 Qn QQQ QQQ

( 4

¾ ¾ It is easy to see that (¾p q) (p q) is false at world 1 in this model: the tableau steps themselves→ → show→ how.32 Tableau rules These two examples show general tableau rules in ac- tion. For instance, a “conditional α β to the right” (i.e., to be made false) gets its antecedent α on the left→ in a node marked with the same world (to be made true there), leaving the consequent β on the right.

The modal rule is a bit more ambitious. A box formula ¾ϕ to the right leads to a new node marked for a fresh successor world of the current one, where ϕ is put on the right (representing some successor world where ϕ is to be made false). This is an “active” onetime construction

rule. Modal formulas ¾ϕ to the left in a node, however, marked for some world w, say, are “passive” but may have to be applied many times. Every time we construct a tableau node for a successor world v of w, we must place ϕ on its left. Semantic tableaux were first proposed for first-order logic in the 1950s, but they also turned out very appropriate to modal logic, and they are widely used today in automated deduction.

4.5 Decidability via translation We conclude with a fourth, short, and chique proof of decidability, which points toward yet another view of modal logic, viz. as a member of a much larger family of logics. We will see soon in these lectures how all basic modal formulas can be translated into first-order formulas. In fact, they can be translated into a fragment of first-order logic using only two variables over worlds, free or bound. Now, it was shown in the 1970s that this “two-variable fragment” FO2 of first-order logic is decidable! Therefore, since the translation of modal formulas to two- variable formulas is effective, modal validity can be decided, too. But beware with such easy reductions. The computational complex- ity of deciding FO 2 is in fact higher than that for modal logic, so in that respect, we are explaining “obscurum per obscurius”. Moreover, this path seems a dead-end as far as generalizations are concerned.

32On its open branch, the tableau leaves the propositional valuation under- determined, thus in effect creating a family of counter-examples. July 12, 2010

46 / Modal Logic for Open Minds

Already the three-variable fragment FO 3 of first-order logic is undecid- able (it contains all of relational algebra), so we cannot reduce validity for modal logics with additional typically 3-variable frame conditions like transitivity, even though these are known to be decidable. Indeed, validity is also decidable for many stronger modal logics than the minimal one, working only on special model classes – which we will discuss in more detail later. Proofs for this are often adaptations of the ones presented here. For the modal logic S5, where accessibility is an equivalence relation, or the universal relation which holds between all

worlds, perhaps the simplest proof is again by translation. In S5 models, ¿ a modal ¾ is just a universal quantifier , and a an existential . Then, all modal formulas translate into equivalent∀ formulas of monadic∃ first-order logic, a system which is obviously decidable. Something to think about Here is a sweeping statement about the landscape of all modal logics. There are countably many decision pro- cedures (algorithms are finite sets of instructions, which can be enu- merated), and there are uncountably many modal logics: essentially, modulo some closure conditions, they are all subsets of the countable set of all formulas. Therefore, most modal logics must be undecidable. But, all logics found until the early 1970s were in fact decidable! Only then people constructed finitely axiomatized undecidable modal logics, borrowing ideas from standard logic. We will give an example of an undecidable modal logic much later in Chapter 24. Finally, just to jog your mind, here is an outrageous result from the 1980s. It is undecidable whether a given modal logic is decidable! And maybe that fact is not so strange after all. As all academic researchers know, it can be extremely hard to see that something is easy. July 12, 2010

Validity and decidability / 47

Exercises Chapter 4

1. (a) Derive the correct sequent rules for implication from those stated for negation and conjunction, given the standard propositional definition of in terms of and . (b) Which of the following two→ implications∧ is valid?¬ Give an informal argument, and also an outline of a sequent proof in

the minimal logic:

¿ ¿ ¾(p q) ( p q)

→ → →

¿ ¾ (¿p q) (p q) → → → (c) As for the invalid formula, draw a counter-example. 2. (a) Supply all missing steps in the proof of the Modal Decom- position Fact. In particular, identify the precise place where you need a bisimulation.

(b) What is the formulation of that Fact when stated in terms ¿ of ¾ rather than ?

(c) Using semantic tableau rules, prove the following formula:

¿ ¾ ¾(p q) ( p q) ∧ → ∨ 3. Prove the key Lemma justifying the Filtration method by induc- tion on modal formulas. 4. Make the statement precise that modal S5 is translatable into monadic first-order logic. Is there also a converse translation?