Operational Semantics and Program Verification Using Many-Sorted Hybrid Modal Logic

  • Conference paper
Automated Reasoning with Analytic Tableaux and Related Methods (TABLEAUX 2019)

Abstract

We propose a general framework to allow: (a) specifying the operational semantics of a programming language; and (b) stating and proving properties about program correctness. Our framework is based on a many-sorted system of hybrid modal logic, for which we prove completeness results. We believe that our approach to program verification improves over the existing approaches within modal logic as (1) it is based on operational semantics, which enables a more natural description of the execution than the Hoare-style weakest precondition used by dynamic logic; (2) since it is multi-sorted, it allows for a clearer encoding of semantics, with a smaller representational distance to its intended meaning.

All authors contributed equally to this work.

References

  1. Areces, C., ten Cate, B.: Hybrid logics. In: Blackburn, P., et al. (eds.) Handbook of Modal Logic, vol. 3, pp. 822–868. Elsevier, Amsterdam (2007)

  2. Blackburn, P., Seligman, J.: Hybrid Languages. J. Log. Lang. Inf. 4, 251–272 (1995)

  3. Blackburn, P., ten Cate, B.: Pure extensions, proof rules, and hybrid axiomatics. Stud. Log. 84(2), 277–322 (2006)

  4. Blackburn, P., Tzakova, M.: Hybrid completeness. Log. J. IGPL 4, 625–650 (1998)

  5. Blackburn, P., Tzakova, M.: Hybrid languages and temporal logic. Log. J. IGPL 7, 27–54 (1999)

  6. Blackburn, P., van Benthem, J.: Modal logic: a semantic perspective. In: Blackburn, P., et al. (eds.) Handbook of Modal Logic, vol. 3, pp. 1–84 (2007)

  7. Blackburn, P., Venema, Y., de Rijke, M.: Modal Logic. Cambridge University Press, Cambridge (2002)

  8. Bohrer, B., Platzer, A.: A hybrid, dynamic logic for hybrid-dynamic information flow. In: LICS 2018 Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, pp. 115–124 (2018)

  9. Calcagno, C., Gardner, P., Zarfaty, U.: Context logic as modal logic: completeness and parametric inexpressivity. In: POPL 2007 Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 123–134 (2007)

  10. Chen, X., Roşu, G.: Matching mu-Logic. In: LICS 2019. Technical report http://hdl.handle.net/2142/102281 (2019, to appear)

  11. Floyd, R.W.: Assigning meanings to programs. Proc. Am. Math. Soc. Symp. Appl. Math. 19, 19–31 (1967)

  12. Gargov, G., Goranko, V.: Modal logic with names. J. Philos. Log. 22, 607–636 (1993)

  13. Goranko, V., Vakarelov, D.: Sahlqvist formulas in hybrid polyadic modal logics. J. Log. Comput. 11, 737–754 (2001)

  14. Goguen, J., Malcolm, G.: Algebraic Semantics of Imperative Programs. MIT Press, Cambridge (1996)

  15. Harel, D., Tiuryn, J., Kozen, D.: Dynamic Logic. MIT Press, Cambridge (2000)

  16. Heering, J., Hendriks, P.R.H., Klint, P., Rekers, J.: The syntax definition formalism SDF —reference manual—. ACM Sigplan Not. 24(11), 43–75 (1989)

  17. Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580 (1969)

  18. Leuştean, I., Moangă, N., Şerbănuţă, T.F.: A many-sorted polyadic modal logic. arXiv:1803.09709 (2018, submitted)

  19. Leuştean, I., Moangă, N., Şerbănuţă, T.F.: Operational semantics using many-sorted hybrid modal logic. arXiv:1905.05036 (2019)

  20. Platzer, A.: Logical Foundations of Cyber-Physical Systems. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-63588-0

  21. Plotkin, G.D.: A structural approach to operational semantics (1981) Technical report DAIMI FN-19, Computer Science Department, Aarhus University, Aarhus, Denmark. (Reprinted with corrections in J. Log. Algebr. Program) 60–61, 17–139 (2004)

  22. Roşu, G.: Matching logic. Log. Methods Comput. Sci. 13(4), 1–61 (2017)

  23. Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proceedings 17th Annual IEEE Symposium on Logic in Computer Science (2002)

  24. Schröder, L., Pattinson, D.: Modular algorithms for heterogeneous modal logics via multi-sorted coalgebra. Math. Struct. Comput. Sci. 21(2), 235–266 (2011)

  25. Venema, Y.: Points, lines and diamonds: a two-sorted modal logic for projective planes. J. Log. Comput. 9, 601–621 (1999)

  26. von Oheimb, D.: Hoare logic for Java in Isabelle/HOL. Concurr. Comput. Pract. Exp. 13(13), 1173–1214 (2001)

Acknowledgement

The authors wish to thank the anonymous reviewers whose comments and suggestions have led to an improved version of our work.

Corresponding author

Correspondence to Natalia Moangă.

Appendices

A Proofs from Sect. 3

Proposition 1 (Pure formulas in \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )\)). Let \({\mathcal M}\) be a named model where \({\mathcal M}=(W, (R_\sigma )_{\sigma \in \varSigma }, (w^c)_{c\in {N}}, V)\), \({\mathcal {F}}=(W, (R_\sigma )_{\sigma \in \varSigma }, (w^c)_{c\in {N}})\) the corresponding frame and \(\phi \) a \(\forall \exists \)-pure formula of sort s. Then if and only if .

Proof

Let \(\phi \) be a pure formula of sort s and suppose . Then there exist a valuation \(V'\) and some state \(w \in W_s\) in the model \(\mathcal {M}'=(\mathcal {F}, V')\) such that .

On each sort \(s \in S\) we denote by \(j^s_1, \ldots , j^s_t\) all the nominals occurring in \(\phi \). But because we are working in a named model, V labels every state of any sort in \(\mathcal {F}\) with a nominal of the same sort. Hence, on each sort \(s \in S\) there exist nominals \(k^s_1, \ldots , k^s_t\) such that \(V_s^{N}(j^s_1)=V'_s(k^s_1)\), \(\ldots \), \(V_s^{N}(j^s_t)=V'_s(k^s_t)\). Therefore, if and \(\psi \) is obtained by substituting on each sort each nominal \(j^s_i\) with the corresponding one \(k^s_i\), then .

But \(\phi \) is a pure formula, and by substituting the nominals contained in the formula with other nominals of the same sort, the new instance is also a pure formula, like \(\psi \). Therefore, by hypothesis, we have for any \(v \in W_s\). But also \(w\in W_s\), hence , and we have a contradiction.

Next, suppose where \(y_1, \ldots , y_n\) do not occur in \(\phi \). Hence, for any g and any w of sort s, where \(y_1, \ldots , y_n \) do not occur in \(\phi \). So, for any assignment \(g'{\mathop {\sim }\limits ^{x_1,\ldots ,x_n}}g\) there exists an assignment \(g''{\mathop {\sim }\limits ^{y_1,\ldots ,y_n}}g'\) such that . Let \(g'(x_i)=\{w_i \}\) and \(g''(y_i)=\{ w_i'\}\) for any \(i \in [n]\). Because we work with a named model, there exist nominals \(k_i\) and \(j_i\) such that \(V_s^{N}(k_i)=\{w_i\}\) and \(V_s^{N}(j_i)=\{w_i'\}\) for any \(i \in [n]\). Therefore, we get that for any \(k_1, \ldots , k_n\) there exist \(j_1, \ldots , j_n\) such that . But now we have a pure formula and the assignment function will not affect the satisfiability of the formula. Therefore, for any \(k_1, \ldots , k_n\) there exist \(j_1, \ldots , j_n\) such that . Therefore, for any assignment g and any w of sort s we have that for any \(k_1, \ldots , k_n\) there exist \(j_1, \ldots , j_n\) such that . We use the contrapositive of the (Q2) axiom to get that and by Lemma 7 we get that for any assignment g and any w of sort s we have that if and only if

   \(\square \)

Before proceeding with the next results from Sect. 3, we need to prove some lemmas that are generalizations of [4].

Nominals and constant nominals are always substitutable for state variables of the same sort. If x and z are state variables of the sort s, then we define:

  • if \(\phi \in \mathrm{PROP}_s\cup \mathrm{SVAR}_{s}\cup \mathrm{NOM}_s \cup {N}_s\), then z is substitutable for x in \(\phi \),

  • z is substitutable for x in \(\lnot \phi \) iff z is substitutable for x in \( \phi \),

  • z is substitutable for x in \(\phi \vee \psi \) iff z is substitutable for x in \( \phi \) and \(\psi \),

  • z is substitutable for x in \(\sigma (\phi _1, \ldots , \phi _n)\) iff z is substitutable for x in \( \phi _i\) for all \(i\in [n]\),

  • z is substitutable for x in \(@_j^s \phi \) iff z is substitutable for x in \( \phi \),

  • z is substitutable for x in \(\forall y\, \phi \) iff x does not occur free in \(\phi \), or \(y \ne z\) and z is substitutable for x in \(\phi \).

In the sequel, we will say that a substitution is legal if it performs only allowed replacements. If \(\phi \) is a formula and x is a state variable, we denote by \(\phi [z/x]\) the formula obtained by substituting z for all free occurrences of x in \(\phi \) (z must be a nominal, a constant nominal or a state variable substitutable for x).
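The substitutability conditions listed above and the legal substitution \(\phi [z/x]\), written out as an added Python example (not code from the paper). The class names and the AST encoding are assumptions made here, the index of @ is assumed to be a nominal or constant nominal as in the clause for \(@_j^s \phi \), and the clause for \(\forall y\, \phi \) is implemented exactly as stated in the list.

```python
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Atom:
    kind: str  # "prop", "nom", "const" (constant nominal) or "svar"
    name: str
    sort: str


@dataclass(frozen=True)
class Not:
    sub: "Formula"


@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Op:  # sigma(phi_1, ..., phi_n)
    sigma: str
    args: Tuple["Formula", ...]


@dataclass(frozen=True)
class At:  # @_j phi, with j a nominal or constant nominal (assumption)
    index: Atom
    sub: "Formula"


@dataclass(frozen=True)
class Forall:  # forall y. phi, with y a state variable
    var: Atom
    body: "Formula"


Formula = Union[Atom, Not, Or, Op, At, Forall]


def free_vars(phi):
    """State variables occurring free in phi."""
    if isinstance(phi, Atom):
        return {phi} if phi.kind == "svar" else set()
    if isinstance(phi, Not):
        return free_vars(phi.sub)
    if isinstance(phi, Or):
        return free_vars(phi.left) | free_vars(phi.right)
    if isinstance(phi, Op):
        return set().union(*(free_vars(a) for a in phi.args))
    if isinstance(phi, At):
        return free_vars(phi.sub)
    return free_vars(phi.body) - {phi.var}  # Forall binds its variable


def substitutable(z, x, phi):
    """True iff z may legally replace the state variable x in phi."""
    if x.kind != "svar" or z.kind == "prop" or z.sort != x.sort:
        return False  # only same-sort replacements of a state variable
    if z.kind in ("nom", "const"):
        return True  # nominals are always substitutable
    if isinstance(phi, Atom):
        return True
    if isinstance(phi, Not):
        return substitutable(z, x, phi.sub)
    if isinstance(phi, Or):
        return substitutable(z, x, phi.left) and substitutable(z, x, phi.right)
    if isinstance(phi, Op):
        return all(substitutable(z, x, a) for a in phi.args)
    if isinstance(phi, At):
        return substitutable(z, x, phi.sub)
    # forall y. body: x not free in body, or y != z and z substitutable in body
    return x not in free_vars(phi.body) or (
        phi.var != z and substitutable(z, x, phi.body))


def _replace(phi, z, x):
    """Replace the free occurrences of x by z, without any legality check."""
    if isinstance(phi, Atom):
        return z if phi == x else phi
    if isinstance(phi, Not):
        return Not(_replace(phi.sub, z, x))
    if isinstance(phi, Or):
        return Or(_replace(phi.left, z, x), _replace(phi.right, z, x))
    if isinstance(phi, Op):
        return Op(phi.sigma, tuple(_replace(a, z, x) for a in phi.args))
    if isinstance(phi, At):
        return At(phi.index, _replace(phi.sub, z, x))
    if phi.var == x:  # x is bound here, so nothing below is a free occurrence
        return phi
    return Forall(phi.var, _replace(phi.body, z, x))


def substitute(phi, z, x):
    """Return phi[z/x]; refuse substitutions that are not legal."""
    if not substitutable(z, x, phi):
        raise ValueError(f"{z.name} is not substitutable for {x.name}")
    return _replace(phi, z, x)
```

For \(\forall y\,(x \vee p)\), replacing x by y is rejected because y would be captured by the quantifier, while replacing x by a fresh variable or by a nominal of the same sort goes through.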

Lemma 5

(Agreement Lemma). Let \(\mathcal {M}\) be a standard model. For all standard \(\mathcal {M}\)-assignments g and h, all states w in \(\mathcal {M}\) and all formulas \(\phi \) of sort \(s \in S\), if g and h agree on all state variables occurring freely in \(\phi \), then:

Proof

We suppose that g and h agree on all state variables occurring freely in \(\phi \) on each sort. We prove this lemma by induction on the complexity of \(\phi \):

  • iff \(a\in \mathrm{PROP_s}\cup \mathrm{NOM_s}\cup {N}_s\) we have \(w\in V_s^{N}(a)\) iff .

  • iff \(x \in \mathrm{SVAR_s}\) we have \( w=g_s(x)\), but \(g_s(x)=h_s(x)\), therefore .

  • iff . But, if g and h agree on all state variables occurring freely in \(\lnot \phi \), then same for \(\phi \). Therefore, from the induction hypothesis, iff . Then iff . Then .

  • , iff or . But, g and h agree on all state variables occurring freely in \( \phi \) or \(\psi \), then from induction hypothesis, we have ( iff ) or ( iff ). Then, ( or ) iff .

  • iff there is \((w_1,\ldots ,w_n) \in W_{s_1}\times \cdots \times W_{s_n}\) such that \(R_{\sigma } ww_1\ldots w_n\) and for each \(i \in [n]\), then, by induction hypothesis for each \(i \in [n]\). Hence, we have that there is \((w_1,\ldots ,w_n) \in W_{s_1}\times \cdots \times W_{s_n}\) such that \(R_{\sigma } ww_1\ldots w_n\) and for each \(i \in [n]\) iff .

  • iff where \(V_{s'}^{N}(j)=\{ v \}\) iff where \(V_{s'}^{N}(j)=\{ v \}\) (induction hypothesis) iff .

  • iff \(\forall g'( g' {\mathop {\sim }\limits ^{x}} g \) implies . But g and h agree on all state variables occurring freely in \( \forall x\phi \) and, because x is bound, \(h_s(y)=g_s(y)\) for any \(y \ne x\). Therefore, \(\forall g'( g_s'(y)=g_s(y)=h_s(y)\) for any \(y\ne x \) implies equivalent with \(\forall g'( g' {\mathop {\sim }\limits ^{x}} h\) implies iff .    \(\square \)

Lemma 6

(Substitution Lemma). Let \(\mathcal {M}\) be a standard model. For all standard \(\mathcal {M}\)-assignments g, all states w in \(\mathcal {M}\) and all formulas \(\phi \), if y is a state variable that is substitutable for x in \(\phi \) and j is a nominal then:

  • iff where \(g' {\mathop {\sim }\limits ^{x}} g\) and \( g'_s(x) =g_s(y)\)

  • iff where \(g' {\mathop {\sim }\limits ^{x}} g\) and \( g'_s(x) =V_s^{N}(j)\)

Proof

By induction on the complexity of \(\phi \).

  • \(\phi = a\), \(a\in \mathrm{PROP}_s\cup \mathrm{NOM}_s\cup {N}_s\). Then \(a[y/x]=a\) and if and only if if and only if \(w \in V_s^{N}(a)\). But \( g' {\mathop {\sim }\limits ^{x}} g \) and by Agreement Lemma .

  • \(\phi = z\), where \(z \in \mathrm{SVAR}_s\). We have two cases:

    1. If \(z\ne x\), then if and only if if and only if (Agreement Lemma).

    2. If \(z=x\), then if and only if if and only if \(w \in g_s(y)\) if and only if \(w \in g'_s(x)\) if and only if \(w \in g'_s(z)\) if and only if .

  • \(\phi = \lnot \phi \), then if and only if if and only if (inductive hypothesis) if and only if .

  • \(\phi = \phi \vee \psi \), then if and only if or if and only if (inductive hypothesis) if and only if .

  • \(\phi = \sigma (\phi _1, \ldots , \phi _n)\), then if and only if if and only if exists \((u_1, \ldots , u_n) \in W_{s_1}\times \ldots \times W_{s_n}\) such that \(R_{\sigma }wu_1 \ldots u_n\) and for any \(i \in [n]\) if and only if there exists \((u_1, \ldots , u_n) \in W_{s_1}\times \ldots \times W_{s_n}\) such that \(R_{\sigma }wu_1 \ldots u_n\) and for any \(i \in [n]\) (inductive hypothesis) if and only if .

  • \(\phi = @_j^s \phi \), then if and only if where \( V^{N}_{s'}(j)=\{v\}\) if and only if where \( V^{N}_{s'}(j)=\{v\}\) (inductive hypothesis) if and only if .

  • \(\phi = \forall x \phi \), then if and only if if and only if if and only if (Agreement Lemma).

For the next case we will use the notation \(g^{x \leftarrow y}\) to specify that x is substituted by y; therefore, if x is free in a formula, after substitution x no longer occurs in it.

Claim 1

(1). The following two statements are equivalent:

  • For all \(g'\), if \(g'{\mathop {\sim }\limits ^{z}}g\) then .

  • For all \(g'\), if \(g' {\mathop {\sim }\limits ^{z}} g^{x\leftarrow y}\) then .

Proof

Suppose for all \(g'\), if \(g'{\mathop {\sim }\limits ^{z}}g\) then and \(g' {\mathop {\sim }\limits ^{z}} g^{x\leftarrow y}\). Since \(g_s'(o)=g_s^{x\leftarrow y}(o)\) for any \(o \ne z\) and \(x\ne z\), then \(g_s'(x)=g_s^{x\leftarrow y}(x)=g_s(y)\). Therefore, \(g_s'={g_s'}^{x\leftarrow y}\) and \(g'={g'}^{x\leftarrow y}\). Hence, . Next, suppose for all \(g'\), if \(g' {\mathop {\sim }\limits ^{z}} g^{x\leftarrow y}\) then and \(g'{\mathop {\sim }\limits ^{z}}g\). Therefore, \(g_s'^{x\leftarrow y} {\mathop {\sim }\limits ^{z}} g_s^{x\leftarrow y}\), so \(g'^{x\leftarrow y} {\mathop {\sim }\limits ^{z}} g^{x\leftarrow y}\). From second case, we have that .

  • \(\phi = \forall z \phi \), where \(z\ne x\). Suppose iff iff for all \(g'\), if \(g'{\mathop {\sim }\limits ^{z}}g\) then iff for all \(g'\), if \(g'{\mathop {\sim }\limits ^{z}}g\) then (induction hypothesis) iff for all \(g'\), if \(g' {\mathop {\sim }\limits ^{z}} g^{x\leftarrow y}\) then (Claim 1) iff where \(g_s'(x)=g(y)\) and \(g' {\mathop {\sim }\limits ^{z}} g\) iff where \(g_s'(x)=g_s(y)\) and \(g' {\mathop {\sim }\limits ^{z}} g\) (Agreement Lemma).

For the second case, when substituting with a nominal, the proof is similar.    \(\square \)

Lemma 7

(Generalization on nominals). Assume where \(i\in \mathrm{NOM}_t\) and \(x\in \mathrm{SVAR}_t\) for some \(t\in S\). Then there is a state variable \(y\in \mathrm{SVAR}_t\) that does not appear in \(\phi \) such that

Proof

There are two cases. First, let us suppose that x does not occur free in \(\phi \), therefore \(\phi [j/x]\) is identical to \(\phi [y/x]\), hence as \(\phi [j/x]\) is provable, so is \(\forall y \phi [y/x]\) for any choice of y.

Secondly, suppose that x occurs free in \(\phi \). Suppose \(\phi [j/x]\). Hence we have a proof of \(\phi [j/x]\) and we choose any variable y that does not occur in the proof, or in \(\phi \). We replace every occurrence of j in the proof of \(\phi [j/x]\) with y. It follows by induction on the length of proofs that this new sequence is a proof of \(\phi [y/x]\). By generalization we extend the proof with \(\forall y(\phi [y/x])\) and we can conclude that \(\forall y(\phi [y/x])\) is provable.    \(\square \)

We are now ready to proceed with the proofs from Sect. 3.

Proposition 2 (Soundness). The deductive system for \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )\) from Fig. 2 is sound.

Proof

Let \(\mathcal {M}\) be an arbitrary model and w any state of sort s.

\((K_@)\) Suppose if and only if where \(V^{N}_t(j)=\{ v\}\) iff implies where \(V^{N}_t(j)=\{ v\}\). Suppose and \(V^{N}_t(j)=\{ v\}\). Then where \(V^{N}_t(j)=\{ v\}\) , but this implies that where \(V^{N}_t(j)=\{ v\}\) iff .

(Agree) Suppose iff where \(V^{N}_t(k)=\{ v\}\) iff where \(V^{N}_t(k)=\{ v\}\) and \(V^{N}_s(j)=\{ u\}\). Then where \(V^{N}_s(j)=\{ u\}\) which implies that .

(SelfDual) Suppose iff iff where \(V^{N}_t(j)=\{ v\}\) iff where \(V^{N}_t(j)=\{ v\}\) iff .

(Back) Suppose if and only if there is \((w_1,\ldots ,w_n) \in W_{s_1}\times \cdots \times W_{s_n}\) such that \(R_{\sigma } ww_1\ldots w_n\) and for any \(i \in [n]\). This implies that there is \(w_i \in W_{s_i}\) such that , then where \(V^{N}_t(j)=\{ v\}\). Hence,

(Ref) Suppose . Then where \(V^{N}_t(j)=\{ v\}\), contradiction.

(Intro) Suppose and . Then \(V^{N}_s(j)=\{ w\}\) and implies that . Now, suppose and . Because, from the first assumption, we have \(V^{N}_s(j)=\{ w\}\), then, from the second one, we can conclude that .

(Q1) Suppose that iff for all \(g' {\mathop {\sim }\limits ^{x}} g\). It follows that for all \(g' {\mathop {\sim }\limits ^{x}} g\) we have implies . But \(\phi \) contains no free occurrences of x, then for all \(g' {\mathop {\sim }\limits ^{x}} g\) we have ( implies ). Hence, implies that, for all \(g' {\mathop {\sim }\limits ^{x}} g\), . Then, implies that iff .

(Q2) Suppose that . We need to prove that . But this is equivalent, by the Substitution Lemma, with proving that where \(g' {\mathop {\sim }\limits ^{x}} g\) and \( g'_s(x) =g_s(y)\). But iff for all \(g' {\mathop {\sim }\limits ^{x}} g\). Let \(g'_s(z)=g_s(y)\), if \(z=x\), and \(g'_s(z)=g_s(z)\), otherwise. Therefore, we have \(g' {\mathop {\sim }\limits ^{x}} g\), \( g'_s(x) =g_s(y)\) and . The case of substituting with a nominal is similar. We define \( g'_s(x)=V^{N}_s(j)\), if \(z=x\), and \(g'_s(z)=g_s(z)\), otherwise.

(Name) Suppose that iff exists \(g' {\mathop {\sim }\limits ^{x}} g\) and . We choose \(g'\) an x-variant of g such that \(g'_s(x)= \lbrace w\rbrace \).

(Barcan) Suppose then for all \(g' {\mathop {\sim }\limits ^{x}} g,\) and for all \(w_i \in W_{s_i}\), \(i \in [n]\), \(R_{\sigma } ww_1\ldots w_n\) implies for all \(i \in [n]\). But g and \(g'\) agree on all state variables occurring freely. Therefore, for all \(w_i \in W_{s_i}\), \(i \in [n]\), \(R_{\sigma } ww_1\ldots w_n\) and all \(g' {\mathop {\sim }\limits ^{x}} g\) , we have for all \(i \in [n]\) and \(i \ne l\) and . Hence, for the l-th argument, we have . So, .

(Barcan@) Suppose iff for all \(g' {\mathop {\sim }\limits ^{x}} g\). Then, for all \(g' {\mathop {\sim }\limits ^{x}} g\) where \(V^{N}_t(j)=\{ v\}\) and so where \(V^{N}_t(j)=\{ v\}\). Hence, .

\((Nom\ x)\) Suppose and . Then where \(V^{N}_t(j)=\{ v\}\) and where \(V^{N}_t(k)=\{ u\}\). This implies that \(u=v\), so \(V^{N}_t(j)=V^{N}_t(k)\). Then for any model \(\mathcal {M}\) and any world w.

(BroadcastS) Suppose if and only if where \(V^{N}_t(j)=\{ v\}\). Hence, for any \(s' \in S\) we have .

Now, let \(\mathcal {M}\) be an arbitrary named model.

(Name@) Suppose iff where \(V^{N}_{s'}(j)=\{v \}\), but we work in named models, therefore, in any model \(\mathcal {M}\) there exist v and j where \(V^{N}_{s'}(j)=\{v \}\) and this implies .

(Paste) Suppose

iff and implies . Hence, where \(V^{N}_{s'}(j)=\{v \}\) iff exists \((v_1, \ldots ,v_n) \in W_{s_1}\times \ldots \times W_{s_n}\) such that \(R_{\sigma }v v_1 \ldots v_i \ldots v_n\) where \(V^{N}_{s'}(j)=\{v \}\) and for any \(e \in [n], e\ne i\) and iff \(V^{N}_{s_i}(k)=\{v_i\}\). If and \(V^{N}_{s_i}(k)=\{v_i\}\), then .

Then, if there exists \((v_1, \ldots ,v_n) \in W_{s_1}\times \ldots \times W_{s_n}\) such that \(R_{\sigma }v v_1 \ldots v_i \ldots v_n\) where \(V^{N}_{s'}(j)=\{v \}\) and for any \(e \in [n], e\ne i\) and , these imply . So, where \(V^{N}_{s'}(j)=\{v \}\) implies .

In conclusion, .    \(\square \)

In the sequel, by PL we mean classical propositional logic and by ML we mean the basic modal logic.

Lemma 1 .

  1. The following formulas are theorems:

    figure y

  2. if then

    for any \(s,t\in S\), \(\sigma \in \varSigma _{t_1\cdots t_n,t}\), \(j\in \mathrm{NOM}_s\cup {N}_s\) and \(\phi \) a formula of sort s.

Proof

  1. (Nom)

    figure z

    (Sym)

    figure aa

    (Bridge)

    figure ab

  2. figure ac

    Therefore, if then .

    figure ad

    Therefore, if then .

   \(\square \)

Lemma 2 (Extended Lindenbaum Lemma).

Let \(\varLambda \) be a set of formulas in the language of \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )\) and \(s\in S\). Then any consistent set \(\varGamma _s\) of formulas of sort s from \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )+\varLambda \) can be extended to a named, pasted and @-witnessed maximal consistent set by adding countably many nominals to the language.

Proof

The proof generalizes to the S-sorted setting well-known proofs for the mono-sorted hybrid logic, see [7, Lemma 7.25], [3, Lemma 3, Lemma 4], [4, Lemma 3.9].

For each sort \(s\in S\), we add a set of new nominals and enumerate this set. Given a set of formulas \(\varGamma _s\), define \(\varGamma _s^k\) to be \(\varGamma _s \cup \{ k_s\} \cup \{@_{j_x}^s x| \ x \in \mathrm{SVAR_s} \}\), where \(k_s\) is the first new nominal of sort s in our enumeration and \(j_x\) are such that if x and y are different state variables of sort s then also \(j_x\) and \(j_y\) are different nominals of same sort s. Now that we know we are working on the sort s, we will write k instead of \(k_s\).

Suppose \(\varGamma _s^k\) is not consistent. Then there exists some conjunction of formulas \(\theta \in \varGamma _s\) such that . We use the (Gen@) rule and the (K@) axiom to prove that . From the (Ref) axiom and the (MP) rule it follows . Remember that k is a new nominal, so it does not occur in \(\theta \) and we use (Name@) rule to get that . But this contradicts the consistency of \(\varGamma _s\). Now, we prove the case for the additional \(@_{j_x}^s x\) formulas. Suppose . We use the (SelfDual) axiom to get . If , this contradicts the consistency of \(\varGamma _s\). If , then . Hence, for any model \(\mathcal {M}\), any assignment function g and any world \(w \in W_s\), we have if and only if where \(V^{N}_s(j_x)=\{v\}\). Then for any model \(\mathcal {M}\) and any assignment g, \(g_s(x) \ne V^{N}_s(j_x)\), contradiction.

Now we enumerate on each sort \(s \in S\) all the formulas of the new language obtained by adding the set of new nominals and define \(\varGamma ^0 := \varGamma _s^k\). Suppose we have defined \(\varGamma ^m\), where \(m \ge 0\). Let \(\phi _{m+1}\) be the \(m+1-th\) formula of sort s in the previous enumeration. We define \(\varGamma ^{m+1}\) as follows. If \(\varGamma ^{m}\cup \{\phi _{m+1}\}\) is inconsistent, then \(\varGamma ^{m+1} = \varGamma ^{m}\). Otherwise:

  (i) \(\varGamma ^{m+1} = \varGamma ^{m} \cup \{\phi _{m+1}\} \), if \(\phi _{m+1}\) is neither of the form \(@_j\sigma (\ldots , \varphi , \ldots )\), nor of the form \(@_j \exists x\varphi (x)\), where j is any nominal of sort \(s''\), \(\varphi \) a formula of sort \(s''\) and \(x \in \mathrm{SVAR_{s''}}\).

  (ii) \(\varGamma ^{m+1} = \varGamma ^{m} \cup \{\phi _{m+1}\} \cup \{@_j \sigma (\ldots , k, \ldots ) \wedge @_k \varphi \} \), if \(\phi _{m+1}\) is of the form \(@_j \sigma (\ldots , \varphi , \ldots )\).

  (iii) \(\varGamma ^{m+1} = \varGamma ^{m} \cup \{\phi _{m+1}\} \cup \{ @_j \varphi [k/x]\}\), where \(\phi _{m+1} \) is of the form \(@_j \exists x\varphi (x)\).

In clauses (ii) and (iii), k is the first new nominal in the enumeration that occurs neither in \(\varGamma ^i\) for all \(i \le m\), nor in \(@_j \sigma (\ldots , \varphi , \ldots )\).

Let \(\varGamma ^+= \bigcup _{n\ge 0} \varGamma ^n\). Because \(k \in \varGamma ^0 \subseteq \varGamma ^+\), this set is named, maximal, pasted and @-witnessed by construction. We will check that it is consistent for the expansions made in the second and third items.

Suppose \(\varGamma ^{m+1} = \varGamma ^{m} \cup \{\phi _{m+1}\} \cup \{@_j \sigma (\ldots , k, \ldots ) \wedge @_k \varphi \} \) is an inconsistent set, where \(\phi _{m+1}\) is \(@_j \sigma (\ldots , \varphi , \ldots )\). Then there is a conjunction of formulas \(\chi \in \varGamma ^m \cup \{\phi _{m+1}\} \) such that and so . But k is the first new nominal in the enumeration that occurs neither in \(\varGamma ^m\), nor in \(@_j \sigma (\ldots , \varphi , \ldots )\) and by the Paste rule we get , which contradicts the consistency of \(\varGamma ^m \cup \{\phi _{m+1}\}\).

Suppose \(\varGamma ^{m+1} = \varGamma ^{m} \cup \{\phi _{m+1}\} \cup \{ @_j \varphi [k/x]\}\) is inconsistent, where \(\phi _{m+1}\) is \( @_j \exists x\varphi (x)\). Then there is a conjunction of formulas \(\chi \in \varGamma ^m \cup \{\phi _{m+1}\}\) such that , where k is the new nominal. By generalization on nominals (Lemma 7) we can prove \( \forall y( \chi \rightarrow \lnot @_j \varphi [y/x])\), where y is a state variable that does not occur in \(\chi \rightarrow \lnot @_j \varphi [k/x]\). Using the (Q1) axiom, we get \( \chi \rightarrow \forall y\lnot @_j \varphi [y/x]\) and by (SelfDual) \( \chi \rightarrow \forall y @_j \lnot \varphi [y/x] \). Next, we use (Barcan@) to get \( \chi \rightarrow @_j \forall y \lnot \varphi [y/x]\). Because x has no free occurrences in \(\varphi [y/x]\), we can prove that \( @_j \forall y \lnot \varphi [y/x] \leftrightarrow @_j \forall x \lnot \varphi \). Therefore, \( \chi \rightarrow @_j \forall x \lnot \varphi \), so \( \chi \rightarrow @_j \lnot \exists x \varphi \). Use (SelfDual) once again and we have \( \chi \rightarrow \lnot @_j \exists x \varphi \). Then \(\lnot @_j \exists x \varphi \) \(\in \varGamma ^m \cup \{\phi _{m+1}\}\), but this contradicts the consistency of \(\varGamma ^m \cup \{\phi _{m+1}\}\).

   \(\square \)

Lemma 3. The Henkin model from Definition 9 is well-defined.

Proof

Let \(s\in S\) and assume that \(\varGamma _s\) is a set of formulas of sort s. Note that \(R_\sigma ^\varGamma \) is well-defined by (Nom) and (Bridge) from Lemma 1. For \(t\in S\) and \(j\in \mathrm{NOM}_t\), \(V^\varGamma (j)\) is well-defined by axiom (Ref). For the system \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )\), we further that \(\varGamma _s\) is also @-witnessed so, for any \(t\in S\) and \(x\in \mathrm{SVAR}_t\), there is a nominal \(j\in \mathrm{NOM}_t \) such that \(@_j^sx\in \varGamma \). The fact that \(g^\varGamma \) is well-defined follows by \((Nom\, x)\).    \(\square \)

Lemma 4 (Truth Lemma). Let \(s\in S\) and assume \(\varGamma _s\) is a named, pasted and @-witnessed maximal consistent set of formulas of sort s from \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )\). For any sort \(s' \in S\), \(j\in \mathrm{NOM}_{s'}\cup {N}_{s'}\) and for any formula \(\phi \) of sort \(s'\) we have .

Proof

We make the proof by structural induction on \(\phi \).

  • , where \(a\in \mathrm{PROP}_{s'}\cup \mathrm{NOM}_{s'}\cup {N}_{s'}\) iff \(|j| \in V_{s'}^{N}(a) \) iff \( @_j^s a \in \varGamma _s \).

  • , where \(x \in \mathrm{SVAR}_{s'}\) iff \(g^{\varGamma }_{s'}(x)=|j|\) iff \(@_j^s x \in \varGamma _s.\)

  • iff iff \( @_j^s \phi \not \in \varGamma _s\), but we work with consistent sets, therefore \( @_j^s \phi \not \in \varGamma _s \) iff \(\lnot @_j^s \phi \in \varGamma _s \) iff \( @_j^s \lnot \phi \in \varGamma _s\) (SelfDual).

  • iff or iff (inductive hypothesis) \( @_j^s \phi \in \varGamma _s\) or \( @_j^s\varphi \in \varGamma _s \) iff \( @_j^s \phi \vee @_j^s \varphi \in \varGamma _s \) iff \( @_j^s (\phi \vee \varphi ) \in \varGamma _s \).

  • iff exists \(|k_i| \in W_{s_i}\) such that \(R|j||k_1| \ldots |k_n|\) and for any \(i \in [n]\). Using the induction hypothesis, we get \(@_{k_i}^s \phi _i \in \varGamma _s\). But \(R|j||k_1| \ldots |k_n|\) iff \( @_j^s \sigma (k_{1}, \ldots ,k_{n}) \in \varGamma _s\). Use the Bridge axiom to prove \( @_j^s \sigma (k_{1}, \ldots ,k_{n}) \wedge @_{k_1}^s\phi _1 \wedge \ldots \wedge @_{k_n}^s\phi _n \rightarrow @_j^s \sigma (\phi _{1}, \ldots ,\phi _{n})\), so \( @_j^s \sigma (\phi _{1}, \ldots ,\phi _{n}) \in \varGamma _s\). Now, suppose \( @_j^s \sigma (\phi _1, \ldots , \phi _n) \in \varGamma _s\). We work with pasted models, so there are some nominals \(k_i\) such that \( @_j^s \sigma ( k_1, \ldots , k_n)\in \varGamma _s\) and \( @_{k_i}^s \phi _i \in \varGamma _s\) for any \(i \in [n]\). Therefore, exists \(k_i\) such that \(R|j||k_1|\ldots |k_n|\) and, by induction hypothesis, for any \(i \in [n]\) if and only if .

  • iff , but from induction hypothesis \(@_k^{s} \phi \in \varGamma _{s}\) and by applying (Agree) we get \( @_j^s @_k^{s} \phi \in \varGamma _s\).

  • \( @_j^s \exists x \phi \in \varGamma _s\), then there exists \(l \in \mathrm{NOM_{s'}}\) such that \( @_j^s \phi [l/x] \in \varGamma _s\). Let \(g'{\mathop {\sim }\limits ^{x}} g^\varGamma \) such that \(g'_{s'}(x)=\{|l|\}\). Therefore, there exists \(l \in \mathrm{NOM_{s'}}\) such that \(g'_{s'}(x)=\{|l|\}\), \(g'{\mathop {\sim }\limits ^{x}} g^\varGamma \) and iff .

  • iff exists \(g'{\mathop {\sim }\limits ^{x}} g^\varGamma \) and . Let \(g'_{s'}(x)=\{|l|\}\). Hence, there exists \(l \in \mathrm{NOM_{s'}}\) such that \(g'_{s'}(x)=\{|l|\}\), \(g'{\mathop {\sim }\limits ^{x}} g^\varGamma \) and iff and from inductive hypothesis \( @_j^s \phi [l/x] \in \varGamma _s\). Use the contrapositive of the (Q2) axiom, and the (Gen@) and (K@) rules to obtain \( @_j^s \phi [l/x] \rightarrow @_j^s \exists x \phi \in \varGamma _s\). Therefore, \( @_j^s \exists x \phi \in \varGamma _s\).    \(\square \)

Theorem 2 (Completeness).

  1. Strong model-completeness. Let \(\varLambda \) be a set of formulas in the language of \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )\) and \(s\in S\) and assume \(\varGamma _s\) is a set of formulas of sort s. If \(\varGamma _s\) is a consistent set in \({\mathcal L}={\mathcal H}_{\varvec{\Sigma }}(@,\forall )+\varLambda \) then \(\varGamma _s\) has a model that is also a model of \(\varLambda \). Consequently, for a formula \(\phi \) of sort s,

  2. Strong frame-completeness for pure extensions. Let \(\varLambda \) be a set of \(\forall \exists \)-pure formulas in the language of \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )\) and \(s\in S\) and assume \(\varGamma _s\) is a set of formulas of sort s. If \(\varGamma _s\) is a consistent set in \({\mathcal L}={\mathcal H}_{\varvec{\Sigma }}(@,\forall )+\varLambda \) then \(\varGamma _s\) has a model based on a frame that validates every formula in \(\varLambda \). For a formula \(\phi \) of sort s,

Proof

Since 1. is obvious, we only prove 2. If \(\varGamma _s\) is a consistent set in \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )+\varLambda \) then, applying the Extended Lindenbaum Lemma, \(\varGamma _s\subseteq \varTheta _s\), where \(\varTheta _s\) is a maximal consistent named, pasted and @-witnessed set (in an extended language \({\mathcal L}'\)). If \({\mathcal M}^\varTheta \) is the Henkin model and \(g^\varTheta \) is the assignment from Definition 9 then, by the Truth Lemma, for any \(t\in S\) and \(j\in \mathrm{NOM}_t\cup {N}_t\). Moreover, \({\mathcal M}^\varTheta \) is a named model (in the extended language) that is also a model of \(\varLambda \). By Proposition 1, the underlying frame of \({\mathcal M}^\varTheta \) satisfies the \(\forall \exists \)-pure formulas from \(\varLambda \). Hence the logic \({\mathcal H}_{\varvec{\Sigma }}(@,\forall )+\varLambda \) is strongly complete w.r.t. the class of frames satisfying \(\varLambda \). Assume that and suppose that . It follows that \(\varGamma _s\cup \{\lnot \phi \}\) is inconsistent, so there exists a model of \(\varGamma _s\) based on a frame satisfying \(\varLambda \) that is not a model of \(\phi \). We get a contradiction, so the intended completeness result is proved.    \(\square \)

Proposition 3.

  1. (Nominal Conjunction) For any formulas and any nominals of appropriate sorts, the following hold:

    (i1)

      \(\sigma (\ldots , \phi _{i-1},\phi _i,\phi _{i+1}, \ldots ) \wedge @_k(\psi ) \leftrightarrow \sigma (\ldots , \phi _{i-1},\phi _i \wedge @_k(\psi ),\phi _{i+1}, \ldots )\)

    (i2)
      figure ae
  2. If \(\phi _1, \ldots \phi _n\) are formulas of appropriate sorts and x is a state variable that does not occur in \(\phi _j\) for any \(j \ne i\) then:

    (i3)

      \(\exists x \sigma ^{\scriptscriptstyle {\Box }} (\ldots , \phi _{i-1},\phi _i,\phi _{i+1}, \ldots ) \rightarrow \sigma ^{\scriptscriptstyle {\Box }} (\ldots , \phi _{i-1},\exists x \phi _i,\phi _{i+1}, \ldots ) \)

Proof

  1. (Nominal Conjunction)

    (i1)

      iff

      and iff

      where \(V^{N}_{s'}=\{v\}\) and there exist \(w_1\in W_{s_1},\ldots ,w_n\in W_{s_n}\) such that \(R_\sigma ww_1\cdots w_n\) and for all \(1\le j \le n\) iff

      there exist \(w_1\in W_{s_1},\ldots ,w_n\in W_{s_n}\) such that \(R_\sigma ww_1\cdots w_n\) and

      for all \(1\le j \le n\), \(j\ne i\), and iff

      \(\mathcal{M}, g, w \models \sigma (\ldots , \phi _{i-1},\phi _i \wedge @_k(\psi ),\phi _{i+1}, \ldots )\).

    (i2)

      iff

      and iff

      where \(V^{N}_{s'}=\{v\}\) and for all \(w_1\in W_{s_1},\ldots ,w_n\in W_{s_n}\) for which \(R_\sigma ww_1\cdots w_n\), there exists \(1\le j \le n\) such that iff

      where \(V^{N}_{s'}=\{v\}\) and for all \(w_1\in W_{s_1},\ldots ,w_n\in W_{s_n}\) for which \(R_\sigma ww_1\cdots w_n\), there exists \(1\le j \le n\), \(j\ne i\) such that or iff and for all \(w_1\in W_{s_1},\ldots ,w_n\in W_{s_n}\) for which \(R_\sigma ww_1\cdots w_n\), there exists \(1\le j \le n\), \(j\ne i\) such that or iff .

  2.

    (i3)

      iff exists \(g' {\mathop {\sim }\limits ^{x}} g\) such that iff exists \(g' {\mathop {\sim }\limits ^{x}} g\) such that for all \((v_1, \ldots , v_n) \in W_{s_1}\times \ldots \times W_{s_n}\), \(R_{\sigma }wv_1\ldots v_n\) implies for some \(j \in [n]\). Then, for all \((v_1, \ldots , v_n) \in W_{s_1}\times \ldots \times W_{s_n}\), \(R_{\sigma }wv_1\ldots v_n\) implies there exists \(g' {\mathop {\sim }\limits ^{x}} g\) such that for some \(j \in [n]\). But x does not occur in \(\phi _j\) for any \(j \in [n]\) and \(j \ne i\), so for all \((v_1, \ldots , v_i, \ldots , v_n) \in W_{s_1}\times \ldots \times W_{s_i} \times \ldots \times W_{s_n}\), \(R_{\sigma }wv_1\ldots v_i \ldots v_n\) implies and there exists \(g' {\mathop {\sim }\limits ^{x}} g\) such that for some \(i,j \in [n]\) and \(j \ne i\). We use Agreement Lemma, then for all \((v_1, \ldots , v_i, \ldots , v_n) \in W_{s_1}\times \ldots \times W_{s_i} \times \ldots \times W_{s_n}\), \(R_{\sigma }wv_1\ldots v_i \ldots v_n\) implies and for some \(i,j \in [n]\) and \(j \ne i\). Therefore, .    \(\square \)

Proposition 4 ( soundness). Let \(\varvec{\Gamma }\) be an S-sorted set and \(\phi \) a formula of sort \(s\in S\). If then \({\mathcal M}\models {\varvec{\Gamma }}\) implies for any model \(\mathcal M\).

Proof

Let \(\mathcal M\) be a model and assume as above. If \({\mathcal M}\models {\varvec{\Gamma }}\) then, by (Gen@), . Using the soundness of the local deduction, we get the desired conclusion.    \(\square \)

B Proofs from Sect. 4

Proposition 5 (Hoare-like Admissible Rules). The following rules are admissible:

  1. Rules of Consequence

    • If \(\vdash \phi \rightarrow [\alpha ] \psi \) and \(\vdash \psi \rightarrow \chi \) then \(\vdash \phi \rightarrow [\alpha ] \chi \).

    • If \(\vdash \phi \rightarrow [\alpha ] \psi \) and \(\vdash \chi \rightarrow \phi \) then \(\vdash \chi \rightarrow [\alpha ] \psi \).

  2. Rule of Composition, iterated

    • If \(\phi _0 \rightarrow [\alpha _1]\phi _1\), ..., \(\phi _{n-1} \rightarrow [\alpha _n]\phi _n\), then \(\phi _0 \rightarrow [\alpha _1 ; \ldots ; \alpha _n] \phi _n\).

  3. Rule of Conditional

    If B is a formula of sort Bool, and vs, mem, P are formulas of appropriate sorts such that

    figure af

    then

Proof

In the sequel we shall mention the sort of a formula only when it is necessary.

  1. Rule of Consequence follows easily by (UG).

  2. Rule of Composition follows easily by (UG) and (CStmt).

  3. Rule of Conditional. Since B is a formula of sort Bool, using the axiom (B1) and the completeness theorem, one can easily infer that

    Using the fact that any operator \(\sigma \in \varSigma \) commutes with disjunctions, and Proposition 3, we get

    figure ag

    Now we prove that

    . Note that , so we use (A?) and \((A\lnot ?)\) as follows:

    Next we prove that (@[]) \(\vdash @_k\varphi \rightarrow [\alpha ]@_k\varphi \) for any formulas \(\alpha \), \(\varphi \) and nominal k of appropriate sorts. Note that \(\vdash [\alpha ]\top \) so, using Proposition 3.3, we have the following chain of inferences:

    \(\vdash @_k\varphi \rightarrow @_k\varphi \wedge [\alpha ]\top \)

    \(\vdash @_k\varphi \wedge [\alpha ]\top \rightarrow [\alpha ]@_k\varphi \)

    and (@[]) easily follows. Consequently, Since dual operators \(\sigma ^{\scriptscriptstyle {\Box }}\) for \(\sigma \in \varSigma \) commute with conjunctions, using also (h4) we get By (h2) and (K) it follows that Since \(\bot \rightarrow [c(s2)]\chi \), and using \((A\cup )\) we proved . In a similar way, we get . By (\(*\)) we infer Using (K) and (Dif) we get the conclusion.    \(\square \)
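As an added illustration (not code from the paper), the following Python sketch checks Proposition 3 (i1), the lemma (@[]), the first Rule of Consequence and the Rule of Composition for n = 2 semantically, by exhaustive enumeration of all two-world Kripke models. It assumes a simplified single-sorted setting with a unary operator, a nominal k that names exactly one world, and `;` read as relational composition; the function names are hypothetical.

```python
from itertools import combinations, product

def subsets(xs):
    xs = list(xs)
    return [set(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def box(R, X, W):      # [a]X: every R-successor lies in X
    return {w for w in W if all(v in X for (u, v) in R if u == w)}

def dia(R, X, W):      # <a>X: some R-successor lies in X
    return {w for w in W if any(v in X for (u, v) in R if u == w)}

def at(k, X, W):       # @_k X: true at every world iff X holds at the world named k
    return set(W) if k in X else set()

def compose(R1, R2):   # assumed reading of a1 ; a2 as relational composition
    return {(u, w) for (u, v) in R1 for (x, w) in R2 if v == x}

def check_all(n=2):
    """Exhaustively check every model on n worlds; return (fired, failures)."""
    W = set(range(n))
    rels, vals = subsets(product(W, W)), subsets(W)
    fired, failures = 0, []
    for R1, R2 in product(rels, repeat=2):
        R12 = compose(R1, R2)
        for phi, psi, chi in product(vals, repeat=3):
            for k in W:
                a = at(k, psi, W)
                # Proposition 3 (i1), unary case: <a>phi & @_k psi <-> <a>(phi & @_k psi)
                if dia(R1, phi, W) & a != dia(R1, phi & a, W):
                    failures.append(("i1", R1, phi, psi, k))
                # (@[]): @_k psi -> [a]@_k psi
                if not a <= box(R1, a, W):
                    failures.append(("@[]", R1, psi, k))
            if phi <= box(R1, psi, W):   # premise phi -> [a1]psi holds at every world
                # Rule of Consequence, first form
                if psi <= chi and not phi <= box(R1, chi, W):
                    failures.append(("cons", R1, phi, psi, chi))
                # Rule of Composition, n = 2
                if psi <= box(R2, chi, W):
                    fired += 1           # both premises held, so the rule applies
                    if not phi <= box(R12, chi, W):
                        failures.append(("comp", R1, R2, phi, psi, chi))
    return fired, failures

if __name__ == "__main__":
    print(check_all())
```

An empty `failures` list means no two-world countermodel exists for the checked instances; this is a sanity check of soundness on small models, not a substitute for the derivations in the proof.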

Proposition 6 (Rule of Iteration). Let B, vs, mem, and P be formulas with variables over \(\mathbf {x}\), where \(\mathbf {x}\) is a set of state variables. If there exist substitutions \(\mathbf {x_{init}}\) and \(\mathbf {x_{body}}\) for the variables of \(\mathbf {x}\) such that:

  (h1)

    ,

  (h2)
  (h3)

    \(\vdash P\rightarrow [\alpha ] P\) for any formula \(\alpha \) of sort CtrlStack

then .

Proof

Denote and \(\theta _I := \exists \mathbf {x}\theta \). We think of \(\theta _I\) as being the invariant of . Note that, using the contraposition of (Q2) and (h1) we infer that

(c1) \(\vdash \phi \rightarrow [c(b)]\theta _I\)

We first prove that

(c2) \(\vdash \theta _I\rightarrow [\alpha ]\theta _I\),

where . Since

it follows that

By (A?), (h3) and (@[]) (from the proof of Proposition 5) we infer

and, by (h2)

Since , by \((A\lnot ?)\) we get

, so

As a consequence \(\vdash \theta \rightarrow [\alpha ]\theta [\mathbf {x_{body}}/\mathbf {x}]\) and, using the contraposition of \(Q_2\), we infer that \(\theta \rightarrow [\alpha ]\theta _I\). We use now the fact that

\(\vdash \forall x(\varphi (x)\rightarrow \psi )\rightarrow (\exists x \varphi (x)\rightarrow \psi )\) if x does not appear in \(\psi \),

which leads us to \(\vdash \theta _I\rightarrow [\alpha ]\theta _I\). Using (UG) we get \(\vdash [c(b);\alpha ^*] (\theta _I\rightarrow [\alpha ]\theta _I)\).

By (c1) it follows that

\(\vdash \phi \rightarrow ([c(b)]\theta _I \wedge ([c(b);\alpha ^*] (\theta _I\rightarrow [\alpha ]\theta _I)) \)

Using the induction axiom, (UG), (K) and the fact that the dual operators commute with conjunctions, we get

\(\vdash ([c(b)]\theta _I \wedge ([c(b);\alpha ^*] (\theta _I\rightarrow [\alpha ]\theta _I))\rightarrow [c(b);\alpha ^*]\theta _I\)

So \(\vdash \phi \rightarrow [c(b);\alpha ^*]\theta _I\), which proves the invariant property of .

To conclude, so far we proved

\(\vdash \phi \rightarrow [c(b);\alpha ^*] \exists \mathbf {x}\theta \)

We can safely assume that the state variables from \(\mathbf {x}\) do not appear in \(\phi \), b

Note that

As before,

Using again (A?) and \((A\lnot ?)\) we have that

It follows that

so, using the properties of the existential binder

Since the state variables from \(\mathbf {x}\) do not appear in , by Proposition 3 it follows that

figure ah

We can finally obtain the intended result:

   \(\square \)


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Leuştean, I., Moangă, N., Şerbănuţă, T.F. (2019). Operational Semantics and Program Verification Using Many-Sorted Hybrid Modal Logic. In: Cerrito, S., Popescu, A. (eds) Automated Reasoning with Analytic Tableaux and Related Methods. TABLEAUX 2019. Lecture Notes in Computer Science(), vol 11714. Springer, Cham. https://doi.org/10.1007/978-3-030-29026-9_25


  • DOI: https://doi.org/10.1007/978-3-030-29026-9_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29025-2

  • Online ISBN: 978-3-030-29026-9

  • eBook Packages: Computer Science, Computer Science (R0)
