Gentzen System for CTL - A machine-checked constructive metatheory of computation tree logic

satisfying the conclusion of the rule. For the formal soundness proof below we transform the intuitive argument above into an inductive argument that avoids reasoning about paths.

Theorem 6.1.3 (Soundness) Let M be a finite model. If ð C|a, then C|a is not satisfied by any state of M.

Proof By induction on ð C|a. Soundness of all rules except the G⁻_H-rule is straightforward. For the G⁻_H-rule, we obtain two induction hypotheses:

∀w ∈ M. w 6î C, s⁻|ε (6.1)

∀w ∈ M. w 6î C|^∗H,Cs⁻ (6.2) Now assumew î C and w î ^∗Hs⁻for some statew of M. We derive a contra-diction. By (6.1), we havew 6î s⁻. By inversion onw î ^∗Hs⁻, there exists some statev such that w ⇒Mv and v î ^∗Hs⁻. By (6.2), it suffices to showv î ^∗_H,Cs⁻ to obtain a contradiction. We provev î ^∗H,Cs⁻by induction onv î ^∗Hs⁻. Case 1. We havev 6î H and v î s⁻. The claim follows sincev 6î C by (6.1).

Case 2. We have v 6î H, v ⇒M u and u î ^∗H,Cs⁻ for some state u of M. By induction hypothesis, it suffices to showv 6î C. This follows with (6.2).

Remark 6.1.4 The proof of Theorem 6.1.3 is one of several examples in this thesis, where the desire to obtain a concise formalization leads to proofs that differ significantly from the informal proofs.

Recall that satisfiability with respect to classical models and finite models coincides for history-free clauses (Corollary 4.5.10 and Fact 3.5.1). Hence, the restriction to finite models only concerns “auxiliary” clauses with annotated eventualities. Also note that, just like the original system for CTL [BL08], the Gentzen system for K^∗is sound but not complete for arbitrary annotated clauses.

Example 6.1.5 (Incompleteness) The annotated clause|^∗{{p⁻}}p⁻is clearly un-satisfiable. The only rule that applies to|^∗{{p⁻}}p⁻is G⁻_H. This yields {p⁻}|ε as left premise which is clearly satisfiable and therefore underivable (Theorem 6.1.3).

Before we argue completeness of the Gentzen system for K^∗, we first extend the system to CTL.

6.2 Gentzen System for CTL

We now consider a history-based Gentzen system for CTL (Chapter 5). The system is obtained as a variant of the sequent calculus CT [BL08] adapted to our use of

signed formulas and clauses. We continue to use annotated clauses. In the case of CTL,annotated eventualitiestake one of the following four forms.

A(s U_Ht)⁺| A(s UHt)⁺|A(s R_Ht)⁻| A(s RHt)⁻

As for GK^∗, an annotated eventuality is satisfied if the eventuality can be satisfied without satisfying any clause in the history along the way.

The request of a clauseC is defined as before (i.e., R C := { s⁺| s⁺ ∈C }).

Since annotations for CTL may contain positive boxes, we need to extend the notion of request to annotations. Therequestof an annotationa, writtenr a, is defined analogously to the request for clauses, i.e.r ( A(s UHt)⁺) = A(s UHt)⁺ andr a = ε for all other annotations.

The Gentzen system GCT derives unsatisfiable annotated clauses. The rules of the system are given in Figure 6.3. As before, we write ðC|a if C|a is derivable using the tableau rules. Compared to GK^∗(Figure 6.1) the system GCT features one set of history rules for each of the two eventualities of CTL. Moreover, the system features a jump rule for clauses without diamonds (rule Xs) to capture the fact that we only consider serial models for CTL. We will show the system GCT sound for all clauses and complete for annotation-free clauses.

Remark 6.2.1 The presentation of CT [BL08] employs sequents comprised of annotated and non-annotated formulas. This simplifies the presentation of rules, in particular for those rules that do not change the annotation. In order to obtain an analytic system, every rule of CT carries the proviso that sequents may contain at most one annotated eventuality. Our use of annotated clauses enforces this condition without an explicit side condition at the cost of a more verbose notation.

Aside from these syntactic changes, the main differences between CT and GCT are that in CT the X-rules may only be applied to literal clauses and that all the rules carry the proviso that the active formula in the conclusion does not appear in the context. We impose no such restrictions. The reason for this is simply convenience. Our completeness proof will not make use of this added flexibility.

Recall that an annotated eventuality is satisfied if the eventuality can be satisfied without satisfying any clause in the history along the way. In the case of CTL, this can be expressed using formulas [BL08]. As a consequence we can translate derivations of GCT to refutations in the Hilbert System for CTL (Section 5.2). This yields a purely syntactic soundness argument and, once we have established completeness of GCT, an alternative completeness proof for the Hilbert system.

We define theassociated formula of a historyH to be the formulaV

C∈H¬C.

In unsigned formulas, we lets UHt abbreviate (s ∧ H) U(t ∧ H). Theassociated

6.2 Gentzen System for CTL

formulaof an annotation is then defined as follows:

af(ε) := >

af(A(s U_Ht)⁺) := A(s U_Ht) af( A(s UHt)⁺) := A(s UHt)

af(A(s RHt)⁻) := E(¬s UH¬t) af( A(s RHt)⁻) := ♦ E(¬s UH¬t)

The admissibility proofs for all rules except UHand RHare straightforward. We prove admissibility U_H and R_Has separate lemmas.

Lemma 6.2.2 (Admissibility of UH) If ` ¬(C ∧ t) and ` ¬(C ∧ s ∧ A(s UH,Ct)), (Lemma 5.6.1(1)). We then obtain A(s UH,Ct) with (6.3). Together with (b), this yields the required contradiction.

It remains to show (6.3). After applying the rule UI, it remains to show

`t ∧ H → A(s UH,Ct) (6.4)

`s ∧ H → A(s UH,Ct) → A(s UH,Ct) (6.5) Claim (6.4) follows with (a) and U1. For (6.5), assumes, H and A(s UH,Ct). By U2, it suffices to show ¬C. This follows with (b). For the admissibility proof for the rule RH, we employ the rules and axioms for A(s R t) in their dualized form.

Lemma 6.2.3

1. ` E(s U t) ↔ t ∨ (s ∧ ♦ E(s U t))

2. If `t → u and ` s → ♦u → u, then ` E(s U t) → u The structure of the proof then follows that of Lemma 6.2.2.

Lemma 6.2.4 (Admissibility of R_H) If ` ¬(C ∧ t) and ` ¬(C ∧ s ∧ ♦ E(s UH,Ct)), then ` ¬(C ∧ E(s UHt)).

Proof Assume (a) ` ¬(C ∧ t) and (b) ` ¬(C ∧ s ∧ ♦ E(s UH,Ct)). We first argue that it suffices to show

`E(s UHt) → E(s UH,Ct) (6.6)

AssumeC and E(s UHt). We obtain ¬t with (a) and therefore s, H, and ♦ E(s UHt) (Lemma 6.2.3(1)). With (6.6), we also obtain ♦ E(s UH,Ct). Together with (b), this yields the required contradiction.

We now show (6.6). After applying Lemma 6.2.3(2), we need to show:

`t ∧ H → E(s U_H,Ct) (6.7)

`s ∧ H → ♦ E(s UH,Ct) → E(s U_H,Ct) (6.8) Claim (6.7) follows with (a) and Lemma 6.2.3(1) For (6.8), assume s, H, and

♦ E(s UH,Ct). With (b) we also obtain ¬C. Finally, we obtain E(s U_H,Ct) with

Lemma 6.2.3(1).

Theorem 6.2.5 ` ¬(C ∧ af(a)) whenever ð C|a.

Proof By induction on ðC|a. The cases for the rules U_Hand R_Hfollow with the lemmas above. All other cases are straightforward. One immediate consequence is that the soundness result from Section 5.2 trans-fers to the tableau system in the case of annotation free clauses.

Corollary 6.2.6 If ðC|ε, then C is unsatisfiable.

In document A machine-checked constructive metatheory of computation tree logic (Page 91-95)