%
\documentclass{paper}
% \documentclass[a4paper,11pt]{article}
%\documentclass[twocolumn,a4paper,11pt]{article}
\usepackage{latexsym}
\usepackage{amssymb}
\usepackage{amsmath}
%\usepackage{exptrees}
\usepackage{url}
\usepackage{bussproofs}
\usepackage{listings}
\renewcommand{\today}{\number\day\
\ifcase\month\or
January\or February\or March\or April\or May\or June\or
July\or August\or September\or October\or November\or December\fi
\ \number\year}
\setcounter{secnumdepth}2
\setcounter{tocdepth}2
% \newtheorem{theorem}{Theorem}[section]
\newcommand{\qed}{\hfill$\dashv$}
\newenvironment{proof}{
\noindent{\bf Proof:}}{\mbox{\bf Q.E.D.}\vspace{1ex}}
\newtheorem{definition}{Definition}[section]
\newtheorem{theorem}{Theorem}[section]
\newtheorem{lemma}{Lemma}[section]
\newtheorem{corollary}{Corollary}[section]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Preamble
\newcommand\derl{\texttt{derl}}
\newcommand\dercl{\texttt{dercl}}
\newcommand\derrec{\texttt{derrec}}
\newcommand\rls{\texttt{rls}}
\newcommand\adm{\texttt{adm}}
\newcommand{\pscrel}{\mathtt{rli}}
\newcommand{\dersrec}{\mathtt{dersrec}}
\newcommand{\prems}{\mathtt{plvs}}
\newcommand{\hash}{\texttt{\#}}
\newcommand{\bra}{\texttt{\{}}
\newcommand{\ket}{\texttt{\}}}
\newcommand\cfile{}
\newcommand\comment[1]{}
\newcommand\cc[1]{#1} % for label names
\newcommand\invrule[2]{
% for use in non-math mode, args interpreted in math mode
\begin{tabular}{@{}c@{}}
$ #1 $ \\ \hline \hline $ #2 $
\end{tabular}}
\newcommand\slrule[2]{ % similar to \frac, except
% for use in non-math mode, args interpreted in math mode
\begin{tabular}{@{}c@{}}
$ #1 $ \\ \hline $ #2 $
\end{tabular}}
\renewcommand\theenumi{(\alph{enumi})}
\renewcommand\labelenumi{\theenumi}
\renewcommand\theenumii{(\roman{enumii})}
\renewcommand\labelenumii{\theenumii}
\newcommand\src[1]{source file \texttt{#1}}
\newcommand\apsrc[1]{Appendix \ref{app:code}}
\newcommand\seesrc[1]{(see source file \texttt{#1})}
\newcommand\insrc[1]{in source file \texttt{#1}}
\newcommand\page[1]{page~\pageref{#1}}
\newcommand\fig[1]{Fig.~\ref{fig:#1}}
\newcommand\ch[1]{Chapter~\ref{ch:#1}}
\newcommand\tbl[1]{Table~\ref{tbl:#1}}
\newcommand\thrm[1]{Theorem~\ref{thrm:#1}}
\newcommand\lem[1]{Lemma~\ref{lem:#1}}
\newcommand\ttl[1]{\tti{#1}\label{#1}}
\newcommand\ttdl[1]{\texttt{#1}\tti{#1}\label{#1}}
\newcommand\ttdef[1]{\texttt{#1}\tti{#1}}
\newcommand\tti[1]{\index{#1@\texttt{#1}}}
\newcommand\bfi[1]{\textbf{#1}\index{#1|textbf}}
\newcommand\dRA{{\boldmath $\delta$}\textbf{RA}}
\newcommand\dKt{{\boldmath $\delta$}\textbf{Kt}}
\newcommand\NRA{\textbf{NRA}}
\newcommand\RA{\textbf{RA}}
%\newcommand\M{$\mathcal M$}
\newcommand\MC{\ensuremath{\mathcal C}}
\newcommand\MD{\ensuremath{\mathcal D}}
\newcommand\MP{\ensuremath{\mathcal P}}
\newcommand\MQ{\ensuremath{\mathcal Q}}
\newcommand\MR{\ensuremath{\mathcal R}}
\newcommand\MS{\ensuremath{\mathcal S}}
\newcommand\M{\ensuremath{\mathcal M}}
\newcommand\Mp{$\mathcal M'$}
\newcommand\psl{\ensuremath\MQ_{l1} \ldots \MQ_{ln}}
\newcommand\psr{\ensuremath\MQ_{r1} \ldots \MQ_{rm}}
\newcommand\up[1]{\vspace{-#1ex}}
\newcommand\vpf{\vspace{-3ex}} % to reduce space before proof tree
\newcommand\1{\textbf 1}
\newcommand\0{\textbf 0}
\newcommand\cut{(\emph{cut})}
\newcommand\dt{\texttt{dt}}
\newcommand\dtn{\texttt{dtn}}
\newcommand{\pordered}[3]{#1 <_{\texttt{\scriptsize #2}} #3}
\newcommand{\Revpordered}[3]{#1 >_{\texttt{\scriptsize #2}} #3}
\newcommand{\LRPord}[2]{\pordered{#1}{LRP}{#2}}
\newcommand{\cutord}[2]{\pordered{#1}{cut}{#2}}
\newcommand{\snoneord}[2]{\pordered{#1}{sn1}{#2}}
\newcommand{\dtord}[2]{\pordered{#1}{dt}{#2}}
\newcommand{\Revdtord}[2]{\Revpordered{#1}{dt}{#2}}
\newcommand\GL{\textbf{GL}}
\newcommand\GLS{\textrm{GLS}}
\newcommand\GLR{\textit{GLR}}
\newcommand\GLRp{\ensuremath{\Box X, X, \Box B \vdash B}} % premise of GLR
\newcommand\GLRc{\ensuremath{\Box X \vdash \Box B}} % conclusion of GLR
\newcommand\lxxc{\ensuremath{\Box X, X \vdash B}} % conclusion of lem20
\newcommand\gbna{\ensuremath{\Box G, \Box B^k \vdash \Box A}}
\newcommand\GLRB{\textit{GLR}($B$)}
\newcommand\GLRXB{\textit{GLR}($X,B$)}
\newcommand\pmz{\texttt{pm0}}
\newcommand\pmgez{\texttt{pm\_ge0}}
\newcommand\delz{\texttt{del0}}
\newcommand\delzs{\ensuremath{\partial^0}}
\newcommand\muxbn{\texttt{muxbn}}
\newcommand\lgp{\mathrm{S4C}}
\newcommand\wbx{\Box}
\newcommand\wdi{\lozenge}
%\newcommand\nxt{\bigcirc}
\newcommand\nxt{\circ}
\newcommand\limp{\rightarrow}
\newcommand\leqv{\leftrightarrow}
\newcommand{\Boxes}{\ensuremath{\vec{\Phi}}}
\newcommand{\Boxesi}[1]{\ensuremath{\vec{\Phi}_{-#1}}}
\newcommand{\cute}{cut-elimination}
\newcommand{\cuta}{cut-admissibility}
\newcommand{\ctra}{contraction-admissibility}
\newcommand{\weaka}{weakening-admissibility}
\newcommand{\ds}{\displaystyle\strut}
\newcommand{\idrule}[2]{
\mbox{#1 \ $\ds$ #2}
}
\newcommand{\urule}[4]{
\AxiomC{#2}
\LeftLabel{#1}
\RightLabel{#4}
\UnaryInfC{#3}
\DisplayProof
}
\newcommand{\brule}[4]{
\AxiomC{#2}
\AxiomC{#3}
\LeftLabel{#1}
\BinaryInfC{#4}
\DisplayProof
}
\hyphenation{
non-classical
conn-ection
typi-cally
tradi-tional
frame-works
con-clusion
deriv-ation
}
\pagestyle{plain}
\begin{document}
\title{Machine-checked Proof-Theory for Propositional Modal Logics}
\author{
Jeremy E.\ Dawson\thanks{Supported by Australian Research Council
Grant DP120101244.},
Rajeev Gor\'e and
Jesse Wu
\\
Logic and Computation Group,
School of Computer Science
\\ The Australian National University,
Canberra ACT 2601
%, Australia
}
\date{}
%% Title
\maketitle
\begin{abstract}
We describe how we machine-checked the admissibility of the standard
structural rules of weakening, contraction and cut for
multiset-based sequent calculi for the unimodal logics S4, S4.3 and K4De,
as well as for the bimodal logic $\lgp$ recently investigated by Mints.
Our proofs for both S4 and S4.3 appear to be new while our
proof for $\lgp$ is different from that originally presented by Mints,
and appears to avoid the complications he encountered.
The paper is intended to be an overview of how to machine-check proof theory
for readers with a good understanding of proof theory.
\end{abstract}
%% Here begins the main text
\newpage
\tableofcontents
\newpage
\section{Introduction} \label{s-intro}
\section{Sequents Built From Multisets Versus Sets}
\section{Our Modal Logics}
\section{Interactive Proof Assistants}\label{s-ipa}
\section{A Deep Embedding of Formulae and Sequents}\label{s-eol}
\section{Implicit Derivations: a shallow embedding of}
\section{Explicit Derivation Trees: a deep embedding of derivations}
\section{Subformula Relation and Rule Extensions with Arbitrary Contexts}
\label{s-gls}
\section{The Weakening, Inversion and Contraction Properties}
\section{Generalising Cut-Admissibility Proofs} \label{s-cagen}
\section{Statement of Cut-Admissibility in Isabelle}
\label{s-main-lemmas}
% and the step of an inductive proof of cut-admissibility,
% for implicit and explicit derivation trees.
\begin{definition}[\texttt{cas,car}]\label{def-cas-car}
A pair of sequents $(XY_l, XY_r)$ satisfies the property \texttt{car}
if the sequent obtained by applying the cut rule to them is derivable.
That is,
$(X_l \vdash Y_l, X_r \vdash Y_r) \in \texttt{car}\ \texttt{rls}\ A$ iff
$(X_l, (X_r - A) \vdash (Y_l - A), Y_r)$ is \texttt{rls}-derivable.
A pair of sequents satisfies the property \texttt{cas} if
cut-admissibility is available for that pair of sequents.
That is, $(X_l \vdash Y_l, X_r \vdash Y_r) \in
\texttt{cas}\ \texttt{rls}\ A$ means that
\emph{if} $X_l \vdash Y_l$ and $X_r \vdash Y_r$ are \texttt{rls}-derivable,
\emph{then}
$(X_l \vdash Y_l, X_r \vdash Y_r) \in \texttt{car}\ \texttt{rls}\ A$.
\end{definition}
\begin{verbatim}
car_eq: "((?Xl |- ?Yl, ?Xr |- ?Yr) : car ?rls ?A) =
((?Xl + (?Xr - {#?A#}) |- ?Yl - {#?A#} + ?Yr) : derrec ?rls {})"
cas_eq: "((?seql, ?seqr) : cas ?rls ?A) =
(?seql : derrec ?rls {} & ?seqr : derrec ?rls {} -->
(?seql, ?seqr) : car ?rls ?A)"
\end{verbatim}
% "([| ?seql : derrec ?rls {}; ?seqr : derrec ?rls {} |]
% ==> (?seql, ?seqr) : car ?rls ?A) ==> (?seql, ?seqr) : cas ?rls ?A"
When we are talking about proving \texttt{cas} or \texttt{car}
by induction on the (implicit) derivation of the two sequents,
that is, we are talking about two sequents which are derivable,
then these two concepts become equivalent.
This is because the definition of \texttt{gen\_step2sr} only involves the
property of the pair of sequents in the cases where those two sequents are
derivable.
Recall that \texttt{prop2} simply gives an equivalent concept with a different
type.
\begin{lemma} \label{l-gs2-cas-eq-car}
The induction steps for proving \texttt{cas} and \texttt{car}
are equivalent.
\end{lemma}
\begin{verbatim}
prop2_def : "prop2 f rls A seqs == seqs : f rls A"
gs2_cas_eq_car: "gen_step2sr (prop2 cas ?rls) ?A ?sub ?rls =
gen_step2sr (prop2 car ?rls) ?A ?sub ?rls"
\end{verbatim}
\begin{definition}[\texttt{casdt}]\label{def-casdt}
% Firstly we define \texttt{casdt}:
Two \emph{valid} (ie. no unproved leaves,
and all steps are rules of \texttt{rls})
derivation trees \texttt{dtl} and \texttt{dtr}
satisfy \texttt{casdt rls A} if their conclusions satisfy \texttt{car}:
\end{definition}
% casdt.I: "valid rls dtl & valid rls dtr -->
% (conclDT dtl, conclDT dtr) : car rls A ==> (dtl, dtr) : casdt rls A"
\begin{verbatim}
casdt_eq: "((?dtl, ?dtr) : casdt ?rls ?A) =
(valid ?rls ?dtl & valid ?rls ?dtr -->
(conclDT ?dtl, conclDT ?dtr) : car ?rls ?A)"
\end{verbatim}
Here is the lemma linking the induction step for cut-admissibility in terms of
implicit derivability with the corresponding
induction step for explicit derivation trees.
\begin{lemma}[\texttt{gs2\_tr\_casdt\_sr}]\label{l-gs2-tr-casdt-sr}
Given two derivation trees \texttt{dta} and \texttt{dtb},
a cut-formula \texttt{A},
a sub-formula relation \texttt{sub}, and a rule set \texttt{rls},
if the bottom rules of those trees satisfy the step condition
\texttt{gen\_step2sr} for cut-admissibility, then the two trees
satisfy the step condition \texttt{gen\_step2\_tr} for cut-admissibility:
\end{lemma}
\begin{verbatim}
gs2_tr_casdt_sr:
"gen_step2sr (prop2 cas ?rls) ?A ?ipsubfml ?rls
(botRule ?dta, botRule ?dtb) ==>
gen_step2_tr (prop2 casdt ?rls) ?A ?ipsubfml (?dta, ?dtb)"
\end{verbatim}
In fact the two concepts are essentially equivalent:
\begin{theorem}[\texttt{gs2\_casdt\_equiv}]\label{t-gs2-casdt-equiv}
Given a set of derivation rules \texttt{rls}, a formula \texttt{A},
a sub-formula relation \texttt{ipsubfml} and two bottom rules \texttt{pscl}
and \texttt{pscr}, then the following are equivalent:
\begin{enumerate}
\item if \texttt{pscl} and \texttt{pscr} are in \texttt{rls},
then they satisfy the step condition
\texttt{gen\_step2sr} for cut-admissibility (for implicit derivations)
\item all trees \texttt{dta} and \texttt{dtb} whose bottom rules
are \texttt{pscl} and \texttt{pscr} respectively,
satisfy the step condition \texttt{gen\_step2\_tr} for cut-admissibility
(for explicit derivations)
\end{enumerate}
\end{theorem}
\begin{verbatim}
gs2_casdt_equiv:
"(?pscl : ?rls --> ?pscr : ?rls -->
gen_step2sr (prop2 cas ?rls) ?A ?ipsubfml ?rls (?pscl, ?pscr)) =
(ALL dta dtb. botRule dta = ?pscl --> botRule dtb = ?pscr -->
gen_step2_tr (prop2 casdt ?rls) ?A ?ipsubfml (dta, dtb))"
\end{verbatim}
% \subsection{Weakening, Invertibility and Contraction} %
% Weakening admissibility, invertibility, and \ctra{} are stated
% using \texttt{wk\_adm}, \texttt{inv\_rl} and \texttt{ctr\_adm}
% respectively:
% % MOST DUPLICATED EARLIER in \S11
% \begin{description}
% \item[\texttt{wk\_adm rls}]~\\
% This states that Weakening is admissible
% for \texttt{rls}. In particular, for any \texttt{rls}-derivable
% sequent $S$, the addition of any other sequent $As$ to this is also
% \texttt{rls}-derivable. Formally, given \texttt{$S \in$ derrec rls \{\}}
% then \texttt{$S + As \in$ derrec rls \{\}}. This is part of the base
% formalisation.
% \item[\texttt{inv\_rl rls (ps, c)}]~\\
% Given a rule
% instance \texttt{(ps, c)}, within a particular calculus \texttt{rls},
% \texttt{inv\_rl} holds if whenever \texttt{c} is \texttt{rls}-derivable,
% then all the premises \texttt{ps} are also \texttt{rls}-derivable.
% % \item[\texttt{ctr\_adm rls A}]~\\
% Contraction-admissibility is
% given as a property for a set of rules \texttt{rls}, and a single
% contraction-formula \texttt{A}: for all sequents \texttt{As}, if
% the only formula in \texttt{As} is equal to \texttt{A} then for
% all \texttt{rls}-derivable sequents $S$ where \texttt{As + As}
% is a sub-sequent of $S$, it holds that $S -$\texttt{As} is also
% \texttt{rls}-derivable.
% \end{description}
%The rather strange definition for \texttt{ctr\_adm} is used so that
% proving \ctra{} is possible using \texttt{gen\_step\_lem}, while also
% allowing the contraction-formula to be present as part of either the
% antecedent or the succedent.
%It should also be noted that the base formalisation only states
% admissibility for a single contraction-formula. However, a simple
% induction on multisets is sufficient to transform this result into an
% admissibility result for multiple formulae.
%Like \texttt{wk\_adm\_ext\_concl}, the proof of inversion lemmas
% only uses the simpler induction principle \texttt{drs.inductr} from
% Lemma~\ref{inductr:lem}. Proving \texttt{ctr\_adm} uses the induction
% principle \texttt{gen\_step\_lem} as in Lemma~\ref{genstep:lem}, which
% allows a double induction over both height and rank. Like the pen and
% paper proofs, the Isabelle proofs of \texttt{ctr\_adm} within this text
% make heavy use of inversion results.
%It is also interesting to note that when using \ctra{} within a \cuta{}
% proof, instead of picking a number of formula to contract on, it is
% simpler in Isabelle to show that the original sequent is a sub-sequent
% of the result after duplicating all formulae within the desired
% endsequent. As an example, consider a derivation of a sequent $\Gamma_C,
% \Gamma_C, \Gamma \vdash \Delta$ where we wish to use \ctra{} to derive
% $\Gamma_C, \Gamma \vdash \Delta$. In Isabelle, this is done by showing
% that the given sequent $\Gamma_C, \Gamma_C, \Gamma \vdash \Delta$ is a
% sub-sequent of $\Gamma_C, \Gamma_C, \Gamma, \Gamma \vdash \Delta, \Delta$.
% In addition to the \texttt{height\_step2\_tr\_lem} lemma,
% we also use the following induction principle, named \texttt{sum\_step2\_tr}.
% The assumption now is that the inductive property holds for two new
% derivations, where some well-founded measure on the new derivations is
% strictly less than the same measure on the derivations leading to $\MC_l$
% and $\MC_r$. For Cut, this measure will be derivation height. Essentially,
% \cuta{} of new derivations can be assumed, as long as their combined
% height is less than the level of the original cut-sequents $\MC_l$
% and $\MC_r$.
% \begin{definition}[\texttt{sum\_step2\_tr}]~\\
% For a formula $A$, a property $P$,
% a subformula relation \texttt{sub},
% measures on derivation trees \texttt{gsl} and \texttt{gsr},
% %a corresponding set of \texttt{rls}-derivable sequents \texttt{derivs}
% (e.g. \texttt{derrec rls plvs}),
% and explicit derivation trees \texttt{dta} and \texttt{dtb},
%
% \smallskip
%
% \texttt{sum\_step2\_tr $P\ A$ sub gsl gsr (dta, dtb)} means: \\
% if
% \begin{itemize}
% \item forall $B$ such that \texttt{$(B, A) \in$ sub}\\
% the property $P\ B\ (a, b)$ holds for all derivation trees
% \texttt{a} and \texttt{b}, and
% \item for all derivation trees \texttt{dtaa} and \texttt{dtbb} where\\
% \texttt{gsl dtaa + gsr dtbb < gsl dta + gsr dtb}\\
% the property $P\ A (dtaa, dtbb)$ holds
% \end{itemize}
% then $P\ A\ (dta, dtb)$ holds.
% \end{definition}
% Instantiating the measures in \texttt{sum\_step2\_tr} with measures
% of derivation height results in the final principle used to prove \cuta{}:
%
% ALREADY HAVE THIS AS LEMMA 11.5
% \begin{theorem}[\texttt{sumh\_step2\_tr\_lem}]~\\
% Where \texttt{heightDT dt} gives the height of
% an explicit derivation tree \texttt{dt}.
% \begin{description}
% \item[if]
% \texttt{A} is in the well-founded part
% of the subformula relation \texttt{sub}\\
% and for all formulae \texttt{B},
% and derivation trees \texttt{dta} and \texttt{dtb}\\
% the induction step condition
% \texttt{sum\_step2\_tr P B sub heightDT heightDT (dta, dtb)} holds
% \item[then]
% \texttt{P A (dta, dtb)} holds
% \end{description}
% \end{theorem}
We are now ready to apply all of our formalisation work to particular calculi.
\section{Weakening, Contraction and Cut Admissibility for S4}
% \subsection{Motivation andRelated Work}
% \label{background:S4}
There exist both pen and paper \cite{ohnishi1957,Troelstra} and a
formalised proof~\cite{dawson14} of mix-elimination for sequent
calculi describing S4 which include explicit weakening and contraction
rules. As stated previously, the inclusion of structural rules is
detrimental for automated reasoning and so provides a practical
motivation for proving admissibility results for a calculus free of
such rules. This is our goal.
Troelstra and Schwichtenberg also state \cute{} for a sequent calculus
G3s~\cite{troelstra-schwichtenberg-basic}
for S4
that no longer uses explicit
structural rules. Unfortunately, the ``proof'' of their theorem only
discusses one actual transformation, and in particular overlooks one
non-trivial case -- when Cut is applied on a formula $\Box A$, with
both premises being an instance of the G3s R$\Box$ rule (shown
below). In this case, the deduction cannot be transformed by simply
permuting the Cut, or introducing a new Cut of smaller rank, on the
sequents in the original deduction. Greater detail is given later in
this section.
\begin{center}
\AxiomC{$\Box \Gamma \vdash A, \Delta$}
\LeftLabel{R$\Box$}
\UnaryInfC{$\Gamma', \Box \Gamma \vdash \Box A, \Delta, \Delta'$}
\DisplayProof
\end{center}
Goubault~\cite{Goubault96} acknowledges the problem posed by absorbing
Weakening into the R$\Box$ rule. However, his solutions are
given in the context of typed $\lambda$-calculi for a minimal version
of S4, interpreted as a sequent calculus through a version of the
Curry-Howard correspondence. Based on a proposal from
\cite{bierman96}, Goubault-Larrecq replaces the R$\Box$ rule by a
different rule with multiple premises (for subformula within the
principal formula), along with both re-write and garbage collection
rules for the $\lambda$ terms involved. While this solution could
possibly be extended to sequent calculi, the creation of new premises
and hence branching is detrimental to backward proof search. The
solution presented in this section also has the advantage of being
significantly simpler.
Negri~\cite{Negri05} proves various admissibility theorems for S4, but the calculus involved is labelled. These labels include elements of the Kripke semantics within the calculus, and so the resulting theorems are thus not entirely syntactical proofs. Furthermore, there are rules in the calculus which deal only with reachability between worlds. While perhaps not as inefficient as the standard structural rules, these rules nevertheless do not operate on logical connectives. In particular to S4, from the perspective of automated reasoning, applying all possible instances of the transitivity rule (shown below) or checking whether the transitivity rule has been saturated can be a very time-consuming process.
\begin{center}
\AxiomC{$xRz, xRy, yRz, \Gamma \vdash \Delta$}
\LeftLabel{Transitivity}
\UnaryInfC{$xRy, yRz, \Gamma \vdash \Delta$}
\DisplayProof{}
\medskip
$R$ is the accessibility relation. $x, y, z$ are worlds.
\end{center}
\subsection{Calculus for S4}
\begin{figure}[!htbp]
\centering
\begin{tabular}{ll}
\textit{Initial Sequents}\\[12px]
\multicolumn{2}{c}{
\AxiomC{}
\LeftLabel{id}
\UnaryInfC{$\Gamma, \varphi \vdash \varphi, \Delta$}
\DisplayProof
}
\\[16px]
\textit{Classical rules}\\[12px]
\AxiomC{$\Gamma, \varphi , \psi \vdash \Delta$}
\LeftLabel{L$\land$}
\UnaryInfC{$\Gamma, \varphi \land \psi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma \vdash \varphi, \Delta$}
\AxiomC{$\Gamma \vdash \psi, \Delta$}
\LeftLabel{R$\land$}
\BinaryInfC{$\Gamma \vdash \varphi \land \psi , \Delta$}
\DisplayProof
\\[12px]
\AxiomC{$\Gamma , \varphi \vdash \Delta$}
\AxiomC{$\Gamma , \psi \vdash \Delta$}
\LeftLabel{L$\lor$}
\BinaryInfC{$\Gamma, \varphi \lor \psi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma \vdash \varphi , \psi, \Delta$}
\LeftLabel{R$\lor$}
\UnaryInfC{$\Gamma \vdash \varphi \lor \psi, \Delta$}
\DisplayProof
\\[12px]
\AxiomC{$\Gamma \vdash \varphi, \Delta$}
\AxiomC{$\Gamma, \psi \vdash \Delta$}
\LeftLabel{L$\to$}
\BinaryInfC{$\Gamma , \varphi \to \psi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma , \varphi \vdash \psi, \Delta$}
\LeftLabel{R$\to$}
\UnaryInfC{$\Gamma \vdash \varphi \to \psi, \Delta$}
\DisplayProof
\\[12px]
\AxiomC{$\Gamma \vdash \varphi, \Delta$}
\LeftLabel{L$\lnot$}
\UnaryInfC{$\Gamma , \lnot \varphi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma , \varphi \vdash \Delta $}
\LeftLabel{R$\lnot$}
\UnaryInfC{$\Gamma \vdash \lnot \varphi, \Delta$}
\DisplayProof
\\[16px]
\textit{Modal rules}\\[12px]
\AxiomC{$\Gamma , \varphi, \wbx \varphi \vdash \Delta$}
\LeftLabel{Refl}
\UnaryInfC{$\Gamma , \wbx \varphi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma , \wbx \Gamma \vdash \varphi$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx \Gamma \vdash \wbx \varphi, \Delta$}
\DisplayProof
\end{tabular}
\caption{\label{S4:rules}Sequent calculus GS4 for S4.}
\end{figure}
\begin{figure}[!htbp]
\begin{verbatim}
inductive "lksne" intros (* skeletons of LK rules *)
axiom : "([], {#A#} |- {#A#}) : lksne"
ilI : "psc : lksil ==> psc : lksne"
irI : "psc : lksir ==> psc : lksne"
inductive "lksss" intros (* extended skeletons for LK *)
extI : "psc : lksne ==> pscmap (extend flr) psc : lksss"
inductive "lkrefl" intros (* refl rule skeleton *)
I : "([{#A#} + {#Box A#} |- {#}], {#Box A#} |- {#}) : lkrefl"
inductive "lkbox" intros (* S4 Box rule skeleton *)
I : "([gamma + mset_map Box gamma |- {#A#}],
mset_map Box gamma |- {#Box A#}) : lkbox"
inductive "gs4_rls" intros
lksI : "psc : lksss ==> psc : gs4_rls"
reflI : "psc : lkrefl ==> pscmap (extend flr) psc : gs4_rls"
(* Note Box rule allows extra formulae in conclusion only *)
boxI : "(prem, conc) : lkbox ==> (prem, extend flr conc) : gs4_rls"
\end{verbatim}
\caption{\label{S4:rules:text}Isabelle rules for GS4.}
\end{figure}
The sequent calculus we use for S4 is based on the calculus
G3cp~\cite{troelstra-schwichtenberg-basic}, with
the addition of two modal rules.
Note that the initial sequents $\Gamma, \varphi \vdash \varphi, \Delta$ do
not require atoms, and that there are only rules for $\wbx$ formulae
with $\wdi\varphi$ interpreted as $\lnot\wbx\lnot\varphi$. The rules
of the calculus are shown in Figures \ref{S4:rules} and \ref{S4:rules:text}.
Note that the clause \verb!boxI! in the inductive definition
for \verb!gs4_rls! applies \verb!extend! only to the conclusion,
corresponding to the appearance of the two sets $\Sigma$ and $\Delta$
in the conclusion of the rule $S4\wbx$.
In Isabelle, the calculus is encoded in a modular manner. With the
overall calculus, called \texttt{gs4\_rls}, built up from separate
declarations of the id rule, the classical rules acting on antecedents
and succedents, and the two modal rules.
\subsection{Weakening for S4}
\begin{definition}
A set of rules \verb!rls! satisfies \verb!ext_concl! iff: for every
list of premises \verb!ps! and conclusion \verb!c! that form a
rule ($\rho_1$ say) in \verb!rls!, and for all possible
sequents \verb!UV!, there exists a list of premises \verb!ps'! such
that the premises \verb!ps'! and the extended conclusion \verb!c + UV!
also form an instance of some rule ($\rho_1'$ say) in \verb!rls! and
for every premise \verb!p! from \verb!ps! there is a corresponding
premise \verb!p'! in \verb!ps'! such that \verb!p'! is either \verb!p!
itself or is an extension of \verb!p!:
\end{definition}
\begin{center}
\AxiomC{$\texttt{p}_1 \ldots \texttt{p}_k$}
\RightLabel{$(\rho_1)$}
\UnaryInfC{$\texttt{c}$}
\DisplayProof
\qquad
\qquad\qquad\qquad
\AxiomC{$\texttt{p'}_1 \ldots \texttt{p'}_k$}
\RightLabel{$(\rho_1')$}
\UnaryInfC{$\texttt{c}$}
\DisplayProof
\qquad\qquad\qquad
$\texttt{p}_i \subseteq \texttt{p'}_i$
\end{center}
% $$
% \frac{\texttt{p}_1 \ldots \texttt{p}_k}{\texttt{c}}
% \qquad\qquad\qquad
% \frac{\texttt{p'}_1 \ldots \texttt{p'}_k}{\texttt{c + UV}}
% $$
The Isabelle text uses \texttt{<=} as described in \S\ref{s-ctr}, and
% \texttt{allrel} as described in \S\ref{s-dp-more}.
\texttt{(ps, ps') : allrel r} means that
\texttt{ps} and \texttt{ps'} are lists of the same length
where each corresponding pair of their members is in \texttt{r}.
\begin{verbatim}
ext_concl_def: "ext_concl ?rls ==
ALL (ps, c):?rls. ALL UV. EX ps'.
(ps', c + UV) : ?rls & (ps, ps') : allrel {(p, p'). p <= p'}"
inductive "allrel r"
intrs
allrel_Nil "([], []) : allrel r"
allrel_Cons "[| (ha, hb) : r ; (ta, tb) : allrel r |] ==>
(ha # ta, hb # tb) : allrel r"
\end{verbatim}
\begin{lemma} \label{l-ext-concl-wk}
If a set of rules \verb!rls! obeys \verb!ext_concl! then \verb!rls!
admits weakening:
\end{lemma}
\begin{verbatim}
wk_adm_ext_concl: "ext_concl ?rls ==> wk_adm ?rls"
\end{verbatim}
The lemma \verb!wk_adm_ext_concl! is simple enough to be proved directly
by the induction principle for \verb!derrec!, Lemma~\ref{l-der-ind},
% shown in \S\ref{s-dp-ind},
ie without using \verb!gen_step_lem!.
Use of lemmas like \verb!gen_step_lem! is really only for the purpose of
breaking up the proofs, so that various different cases of
\verb!gen_step! (ie various final rules of the derivation) can be
put into separate lemmas, some of which may be able to be reused for
different calculi.
\begin{lemma} \label{l-gs4-ext-concl}
The set of rule \verb!gs4_rls! satisfies \verb!ext_concl!.
\end{lemma}
\begin{verbatim}
gs4_ext_concl: "ext_concl gs4_rls"
\end{verbatim}
\begin{corollary} \label{c-gs4-wk-adm}
The rules of S4 satisfy weakening admissibility.
\end{corollary}
\begin{verbatim}
gs4_wk_adm: "wk_adm gs4_rls"
\end{verbatim}
\subsection{Invertibility and Contraction for S4}\label{s-s4-inv-ctr}
We now describe how we captured the traditional proof of
invertibility.
Suppose that we are given a calculus consisting of the rule set
\verb!drls! and suppose that we want to reason about the derivability
predicate \verb!derrec! defined earlier. Let \verb!derivs! be the set
\verb!derrec drls {}! of all sequents that are derivable from the
empty set of leaves using the rules of \verb!drls!. Suppose that we
wish to prove that every rule in \verb!irls! is invertible wrt
\verb!drls! (where \verb!irls! is usually a subset of \verb!drls!).
Without describing it in detail, the function
\verb!invs_of irls c! returns the set of sequents obtainable by
applying each rule of \verb!irls! to the sequent \verb!c!
\textit{backwards} once. That is, a sequent \verb!seq! is in
\verb!invs_of irls c! if applying some rule $\rho$ of \verb!irls!
to \verb!c! backwards, once, will give \verb!seq! as one of
the premises of $\rho$.
To prove that a rule \verb!(ps, concl)! is invertible wrt \verb!drls!
requires us to prove that each sequent \verb!seq! from the list
\verb!ps! of premises is in \verb!derivs! if \verb!concl! is in
\verb!derivs!. To prove that each rule in a set of rules \verb!irls!
is invertible wrt \verb!drls! requires us to prove that the above
property holds for each rule \verb!(ps, concl)! from \verb!irls!: that
is, \verb!invs_of irls concl <= derivs! where \verb!<=! encodes the
subset relation.
Traditional proofs of invertibility proceed by an induction on
the structure of a given derivation of a sequent
\verb!concl! from \verb!derivs!. Assuming that the final rule in this
derivation is \verb!(ps, concl)!, the induction hypothesis is to
assume that the invertibility lemma holds for each premise in
\verb!ps!. That is, we assume that every sequent \verb!seq! obtained
by applying any rule from \verb!irls! \textit{backwards}, once, to any
premise \verb!p! in \verb!ps! is itself in \verb!derivs!:
\begin{verbatim}
ALL p:set ps. invs_of irls p <= derivs
\end{verbatim}
Use of the induction hypothesis stated above can then be encoded in
\texttt{inv\_step}.
Let an ``\texttt{irls}-inverse'' of a sequent $s$ be a sequent $s'$
obtained from $s$ by applying a rule from \verb!irls! backwards once.
\begin{definition}[\texttt{inv\_step}]\label{d-inv-step}
Then for a given set \verb!derivs! of derivable sequents,
for a rule set \verb!irls!,
and for every rule instance \verb!(ps, concl)!,
the property: \\
\verb!inv_step derivs irls (ps, concl)! means:
\begin{description}
\item[If]
% assuming that every premise in \verb!ps! is in \verb!derivs!,
every premise in \verb!ps! being in \verb!derivs! implies that
every ``\texttt{irls}-invert'' of premises in \verb!ps! is in \verb!derivs!,
\item[then] every ``\texttt{irls}-invert'' of the conclusion \texttt{concl}
is in \verb!derivs!.
\end{description}
\end{definition}
\begin{verbatim}
inv_step.simps =
"inv_step ?derivs ?irls (?ps, ?concl) =
(set ?ps <= ?derivs -->
(ALL p:set ?ps. invs_of ?irls p <= ?derivs) -->
invs_of ?irls ?concl <= ?derivs)"
\end{verbatim}
\comment{
note the above does use Ball, but the word Ball gets printed only where
eta-contraction is possible (and then only sometimes)
eg ALL p:set ?ps. f p is also Ball (set ps) f
and ALL p: set ps. f p q is Ball (set ps) (%p. f p q)
}
This is the key result for doing invertibility by stating various cases
of the induction step as separate lemmas.
The expression \verb!UNION (set ?ps) (invs_of ?irls)! represents the
set $X$ of all sequents which can be obtained by applying some rule from
\verb!irls! backwards once to every sequent \verb!p! from a list of
sequents \verb!ps! viewed as a set:
\[
X := \bigcup_{\verb!p!~\in~\verb!set ps!} \verb!(invs_of ?irls p)!
\]
Then, the expression
\verb!(set ?ps Un UNION (set ?ps) (invs_of ?irls))!
represents the union of $X$ and the list of sequents \verb!ps! treated
as a set, ie \\ $\verb!(set ps)! \cup X$.
The property \verb!inv_stepm! is weaker than \verb!inv_step! but is
monotonic in its first argument, which makes reusing lemmas such as
\verb!lks_inv_stepm! possible as follows.
\begin{definition}[\texttt{inv\_stepm}]\label{d-inv-stepm}
For all rule sets \verb!rls!,
for all rule sets \verb!irls!,
for all rules \verb!(ps, concl)!
the expression
\verb!inv_stepm drls irls (ps, concl)! means:
\texttt{irls}-inverses of \verb!concl!
are derivable using \verb!derrec! from
\verb!(set ps)! and the \texttt{irls}-inverses
of every \verb!p! from \verb!set ps!:
\end{definition}
\begin{verbatim}
inv_stepm.simps:
"inv_stepm ?drls ?irls (?ps, ?concl) =
(invs_of ?irls ?concl <=
derrec ?drls (set ?ps Un UNION (set ?ps) (invs_of ?irls)))"
\end{verbatim}
\begin{lemma}\label{lemma:inv-stepm-monotonic}
\verb!inv_stepm! is monotonic in its first argument:
\end{lemma}
\begin{verbatim}
inv_step_mono:
"[| inv_stepm ?drlsa ?irls ?psc ; ?drlsa <= ?drlsb |] ==>
inv_stepm ?drlsb ?irls ?psc"
\end{verbatim}
\begin{lemma}\label{lemma:inv-step-from-inv-stepm}
For every set \verb!drls! of rules and every
set \verb!plvs! of sequents, the function
\verb!derrec drls plvs! returns the set of sequents derivable
from \verb!plvs! using the rules of \verb!drls!. Let us call this
set of sequents \verb!derivs!.
For every set \verb!drls! of rules used for derivations,
for every rule set \verb!irls!,
for every rule \verb!psc!,
if
\verb!inv_stepm drls irls psc!
holds then so does
\verb!inv_step derivs irls psc!
for any set of leaf sequents \verb!plvs!:
\end{lemma}
\begin{verbatim}
inv_step_m:
val it =
"inv_stepm ?drls ?irls ?psc
==> inv_step (derrec ?drls ?plvs) ?irls ?psc"
\end{verbatim}
\begin{lemma}[\texttt{gen\_inv\_by\_step}]\label{lemma:inv-from-inv-step}
For every rule set \verb!rls! which is used to construct a set
\verb!derrec rls {}! of derivations from the empty set of leaves,
% using \verb!derrec!,
for every rule set \verb!irls!, every rule
\verb!psc! from \verb!irls! is invertible wrt \verb!rls! if every
rule instance \verb!(ps, concl)! from \verb!rls! obeys
\verb!inv_step (derrec rls {}) irls (ps, concl)!:
\end{lemma}
\begin{verbatim}
gen_inv_by_step:
"[| Ball ?rls (inv_step (derrec ?rls {}) ?irls) ; ?psc : ?irls |]
==> inv_rl ?rls ?psc"
\end{verbatim}
\begin{lemma}
Every instance of the rule Refl, extended with
arbitrary contexts, is invertible in the rule set \verb!gs4_rls!:
\end{lemma}
\begin{verbatim}
Ball (extrs lkrefl) (inv_rl gs4_rls)
\end{verbatim}
\begin{proof}
Suppose that $\Gamma , \wbx \varphi \vdash \Delta$ is derivable.
We can show that the premise
$\Gamma , \varphi, \wbx \varphi \vdash \Delta$ is derivable by
applying weakening, which has already been shown to be admissible in
\verb!gs4_rls!.
\end{proof}
\begin{lemma}
Every instance of the rule set \verb!lksss! (of classical
propositional logic) is invertible in the rule set
\verb!gs4_rls!:
\end{lemma}
\begin{verbatim}
Ball lksss (inv_rl gs4_rls)
\end{verbatim}
\begin{proof}
By Lemma~\ref{lemma:inv-from-inv-step}, it suffices to prove
\texttt{(inv\_step (derrec gs4\_rls \{\}) lksss) psc}
for every rule \verb!psc! from \verb!gs4_rls!.
By Lemma~\ref{lemma:inv-step-from-inv-stepm}, it suffices to prove
\texttt{inv\_stepm gs4\_rls lksss psc}
for every rule \verb!psc! from \verb!gs4_rls!.
%
Note that \verb!lksss == extrs lksne!: the rule set \verb!lksne!
extended with arbitrary contexts.
For each rule \verb!psc! $in$ \verb!gs4_rls!,
we proceed by cases on the rule \verb!psc!:
\begin{description}
\item[\texttt{psc} = Refl]
% Where the rule \verb!psc! is Refl:
This case is immediate since the inverse of the Refl rule is a case of
weakening.
\begin{verbatim}
"?psc : extrs lkrefl ==> inv_stepm gs4_rls (extrs lksne) ?psc"
\end{verbatim}
\item[\texttt{psc} is from LK]
Where the rule \verb!psc! is a classical rule, we first prove that
the set of classical rules is invertible wrt itself:
\begin{verbatim}
"?psc : extrs lksne ==>
inv_stepm (extrs lksne) (extrs lksne) ?psc"
\end{verbatim}
Since the rules \verb!lksss! are a subset of the rules
\verb!gs4_rls!,
we can use (the monotonicity) Lemma~\ref{lemma:inv-stepm-monotonic}
to obtain
\begin{verbatim}
"?psc : extrs lksne ==> inv_stepm gs4_rls (extrs lksne) ?psc"
\end{verbatim}
\item[\texttt{psc} = $S4\wbx$]
Where last rule is $S4\wbx$ (with arbitrary contexts in conclusion
only to make weakening admissible) we prove a very general result.
If the rule set \verb!rls! contains exactly one rule
\verb!extcs {(ps, c)}! which is the rule (skeleton) \verb!(ps, c)!
with only the conclusion extended by an arbitrary context,
then \verb!inv_stepm rls (extrs {(ips, ic)}) rl! holds for any
rule \verb!(ips, ic)! extended with arbitrary contexts if
the (skeleton of the) conclusion \verb!ic! and the
the (skeleton of the) conclusion \verb!c! are disjoint:
\begin{verbatim}
inv_stepm_disj_cs:
"[| seq_meet ?c ?ic = 0 ;
extcs {(?ps, ?c)} = ?rls ;
?rl : ?rls |] ==> inv_stepm ?rl (extrs {(?ips, ?ic)}) ?rl"
\end{verbatim}
In particular, we can put \verb!extcs {(?ps, ?c)}! to be the rule
$S4\wbx$ and put \verb!(extrs {(?ips, ?ic)})! to be any rule from
\verb!lksss! since the skeletons of the conclusions of the
\verb!lksss! rules contain only the principal formula of the
respective rule and none of these is a $\wbx$-formula.
\end{description}
\end{proof}
\begin{theorem}[\texttt{inv\_rl\_gs4\_refl} and \texttt{inv\_rl\_gs4\_lks}]
The Refl (\texttt{lkrefl}) rule and all Classical (\texttt{lksss}) rules are invertible within \texttt{gs4\_rls}.
\end{theorem}
\begin{proof}
%ODO: remove this? Takes up too much space.
As an example, consider invertibility for the R$\lor$ rule. The proof
proceeds by an induction on height, and uses the induction principle
\texttt{gen\_inv\_by\_step} from
Lemma~\ref{lemma:inv-from-inv-step}.
\begin{description}
\item[Case 1. Axiom]~\\
If $\Gamma \vdash \varphi \lor \psi, \Delta$ is an axiom, and $\varphi
\lor \psi$ is principal, then $\Gamma = \Gamma', \varphi \lor \psi$.
The derivation for $\Gamma \vdash \varphi, \phi, \Delta$ is then:
\begin{center}
\AxiomC{}
\LeftLabel{id}
\UnaryInfC{$\Gamma', \varphi \vdash \varphi, \phi, \Delta$}
\AxiomC{}
\LeftLabel{id}
\UnaryInfC{$\Gamma', \psi \vdash \varphi, \phi, \Delta$}
\LeftLabel{L$\lor$}
\BinaryInfC{$\Gamma', \varphi \lor \psi \vdash \varphi, \phi, \Delta$}
\DisplayProof{}
\end{center}
If $\varphi \lor \psi$ is parametric in the axiom, then $\Gamma \vdash
\Delta$ is an axiom, and so is $\Gamma \vdash \varphi, \phi, \Delta$.
\item[Case 2. Principal]~\\
If $\Gamma \vdash \varphi \lor \psi, \Delta$ is not an axiom, but
$\varphi \lor \psi$ is principal, then R$\lor$ must have been the last
rule applied. Invertibility follows immediately from the premises of
the R$\lor$ rule.
\item[Case 3. Parametric]~\\
If $\Gamma \vdash \varphi \lor \psi, \Delta$ is not an axiom, and
$\varphi \lor \psi$ is parametric, then an application of a new instance
of that last rule (perhaps using the induction hypothesis) obtains the
necessary endsequent. This is because all rules allow arbitrary contexts
in their conclusion (and premises when the premises contain context). To
illustrate, consider the two cases when the last rule used to originally
derive $\Gamma \vdash \varphi \lor \psi, \Delta$ is either the Refl or
the S4$\wbx$ rule.
\begin{itemize}
\item
If the last rule was Refl then $\Gamma = \Gamma', \wbx A$
and the original derivation is:
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$\Gamma', A, \wbx A \vdash \Delta, \varphi \lor \psi$}
\LeftLabel{Refl}
\UnaryInfC{$\Gamma', \wbx A \vdash \Delta, \varphi \lor \psi$}
\DisplayProof{}
\end{center}
Applying the inductive hypothesis on the premises gives a derivation of
$\Gamma', A, \wbx A \vdash \Delta, \varphi, \psi$. Apply Refl to this
gives the required $\Gamma', \wbx A \vdash \varphi, \phi, \Delta$.
\item
If the last rule was S4$\wbx$ then $\Gamma = \Sigma, \wbx \Gamma'$
and $\Delta = \wbx A, \Delta'$ and the original derivation looks like:
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$\Gamma', \wbx \Gamma' \vdash A$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx \Gamma' \vdash \wbx A, \Delta', \varphi \lor \psi$}
\DisplayProof{}
\end{center}
To derive $\Gamma \vdash \varphi, \psi, \Delta$, simply apply a new
instance of S4$\wbx$ to the original premises, this time with $\varphi,
\psi$ as the context instead of $\varphi \lor \psi$:
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$\Gamma', \wbx \Gamma' \vdash A$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx \Gamma' \vdash \wbx A, \Delta', \varphi, \psi$}
\DisplayProof{}
\end{center}
\end{itemize}
\end{description}
\end{proof}
\begin{theorem}[\texttt{gs4\_ctr\_adm}] \label{t-gs4-ctr-adm}
Contraction is admissible for the calculus \texttt{gs4\_rls}:
\begin{verbatim}
gs4_ctr_adm: "ctr_adm gs4_rls ?A"
\end{verbatim}
\end{theorem}
% main results used in Isabelle are
% gen_ctr_adm_step, ctr_adm_step_lksne, sc_ctr_adm_step,
% inv_rl_gs4_refl, ctr_adm_step_lkbox (which uses ctr_adm_step_s4g)
\begin{proof}
The cases for the G3cp % \marginpar{what is G3cp?}
and Refl rules are handled in the standard manner as in
the literature (see \cite{Troelstra} and \cite{Negri01})
using the invertibility results above.
The formalisation performs the necessary transformations
using a simple instantiation \texttt{gen\_ctr\_adm\_step} (not shown)
of the induction principle \texttt{gen\_step\_lem} of
Theorem~\ref{genstep:lem}.
When the rule above the contraction is an instance of the S4$\wbx$
rule, there are two possible cases. Either one or both copies of the
contraction-formula exist within the context of the S4$\wbx$ rule,
or both copies are principal.
In the first case, deleting one copy still leaves an instance of the
rule. That is, if the contraction-formula is $A$, with $A$ in the
succedent, then the original rule instance is as shown below where
either $\wbx \varphi = A$ or $A \in \Delta$:
\begin{center}
\AxiomC{$\Gamma, \wbx \Gamma \vdash \varphi$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx \Gamma \vdash \wbx \varphi, A, \Delta$}
\DisplayProof{}
\end{center}
Applying the S4$\wbx$ rule without introducing the shown second copy
of $A$ in the conclusion above gives a proof of $\Sigma, \wbx \Gamma
\vdash \wbx \varphi, \Delta$ as required since an occurrence of $A$ is
still in the succedent as $\wbx \varphi = A$ or $A \in
\Delta$. Similarly, if $A$ is in the context $\Sigma$ the new
S4$\wbx$ rule instance is then:
%\marginpar{Was just $\varphi$ in succedent of conclusion. (for Jesse to check)}
\begin{center}
\AxiomC{$\Gamma, \wbx \Gamma \vdash \varphi$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma - A, \wbx \Gamma \vdash \wbx\varphi, A, \Delta$}
\DisplayProof{}
\end{center}
The harder case occurs when both instances of the contraction-formula
$A$ are principal. Due to the nature of the S4$\wbx$ rule this
requires $A$ to occur in the antecedent only, as there cannot be two
principal formulae in the succedent. As only boxed formulae are
principal, $A$ has form $\wbx B$. The original rule instance is thus
represented by:
\marginpar{Was just $\varphi$ in succedent of conclusion.}
\begin{center}
\AxiomC{$B, B, \wbx B, \wbx B,\Gamma, \wbx \Gamma \vdash \varphi$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx B, \wbx B, \wbx \Gamma \vdash \wbx\varphi, \Delta$}
\DisplayProof{}
\end{center}
The copies of $\wbx B$ and $B$ can be contracted upon,
first using the induction hypothesis that the result applies to preceding
sequents in the derivation, and then on the rank of the contraction-formula.
The S4$\wbx$ rule can then be applied to give the required conclusion.
\marginpar{Was just $\varphi$ in succedent of conclusion.}
\begin{center}
\AxiomC{$B, \wbx B,\Gamma, \wbx \Gamma \vdash \varphi$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx B, \wbx \Gamma \vdash \wbx\varphi, \Delta$}
\DisplayProof{}
\end{center}
In the Isabelle proof, this step is unfortunately rather more tedious. A
significant number of proof steps in the formalisation are dedicated to
manipulating the ordering of formulae to convince the proof assistant
that the S4$\wbx$ can be applied after applying the induction hypotheses,
and that the resulting sequent is indeed what is required.
\end{proof}
\subsection{Cut-admissibility for S4}\label{s-s4-cut}
We first state a lemma used several times in the proof of cut-admissibility.
\begin{lemma} \label{l-gs2-car-sumhs-tr}
Given two derivation trees \texttt{dta} and \texttt{dtb},
a cut-formula \texttt{A},
a sub-formula relation \texttt{sub}, and a rule set \texttt{rls},
if the bottom rules of those trees satisfy the step condition
\texttt{gen\_step2sr} for cut-admissibility, then the two trees
satisfy the step condition \texttt{sumh\_step2\_tr} for cut-admissibility:
\begin{verbatim}
gs2_car_sumhs_tr:
"gen_step2sr (prop2 car ?rls) ?A ?sub ?rls (botRule ?dta, botRule ?dtb)
==> sumh_step2_tr (prop2 casdt ?rls) ?A ?sub (?dta, ?dtb)"
\end{verbatim}
\end{lemma}
\begin{proof}
By combining Lemmas
\ref{l-gs2-hs2-sumh}, \ref{l-gs2-tr-casdt-sr} and \ref{l-gs2-cas-eq-car}
\end{proof}
\comment{is just
gs2_car_cas RS gs2_tr_casdt_sr RS gs2_tr_height RS hs2_sumh}
\begin{theorem}[\texttt{gs4\_cas}]\label{t-gs4-cas}
Cut is admissible in the calculus \texttt{gs4\_rls}.
\end{theorem}
\begin{proof}
Our proof essentially uses a double induction on level and rank, where
level measures the sum of the heights of the derivation trees for the left and
right premises of the cut, and rank measures the complexity of the cut-formula.
It uses Lemma~\ref{l-sumh-step2-tr-lem}, in which \texttt{?sub}
is instantiated to the immediate subformula property.
\marginpar{ which means, strictly speaking,
that so far as rank is concerned, the induction assumes only
cut admissibility for cut-formula which are immediate subformulae}
The two most difficult cases to consider correspond to when the cut-formula is principal below an application of the S4$\wbx$ rule on the left, and also principal in either the Refl or the S4$\wbx$ rule on the right. As these are all modal rules, the Cut in question must be on a boxed formula, $\wbx A$.
%%%%%%%%%% S4 left, refl right %%%%%%%%%%
In the former case, the original Cut has form:
\begin{center}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash A$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx \Gamma_L \vdash \Delta_L, \wbx A$}
\AxiomC{$\Pi_r$}
\noLine
\UnaryInfC{$ A, \wbx A, \Gamma_R \vdash \Delta_R$}
\LeftLabel{Refl}
\UnaryInfC{$\wbx A, \Gamma_R \vdash \Delta_R$}
\LeftLabel{Cut on $\wbx A$}
\BinaryInfC{$\Sigma, \wbx \Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$}
\DisplayProof
\end{center}
This is transformed as follows:
\begin{center}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash A$}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash A$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma, \wbx \Gamma_L \vdash \Delta_L, \wbx A$}
\AxiomC{$\Pi_r$}
\noLine
\UnaryInfC{$A, \wbx A, \Gamma_R \vdash \Delta_R$}
\RightLabel{Cut on $\wbx A$}
\BinaryInfC{$A, \Sigma, \wbx \Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$}
\RightLabel{Cut on $A$}
\BinaryInfC{$\Sigma, \Gamma_L, \wbx \Gamma_L, \wbx \Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$}
\dashedLine
\RightLabel{Contraction-admissibility}
\UnaryInfC{$\Sigma, \Gamma_L, \wbx \Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$}
\LeftLabel{Refl}
\UnaryInfC{$\Sigma, \wbx \Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$}
\DisplayProof
\end{center}
Importantly, the new Cut on $\wbx A$ has lower level,
and the Cut on $A$ is of smaller rank.
Thus both can be eliminated by the induction hypotheses.
%%%%%%%%%% S4 both sides %%%%%%%%%%
For the latter case, when S4$\wbx$ is principal on both sides,
the original Cut has form:
\begin{center}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash A$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma_L, \wbx \Gamma_L \vdash \Delta_L, \wbx A$}
\AxiomC{$\Pi_r$}
\noLine
\UnaryInfC{$A, \wbx A, \Gamma_R, \wbx \Gamma_R \vdash B$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\wbx A, \Sigma_R, \wbx \Gamma_R \vdash \wbx B, \Delta_R$}
\LeftLabel{Cut on $\wbx A$}
\BinaryInfC{$\Sigma_L, \Sigma_R, \wbx \Gamma_L, \wbx \Gamma_R \vdash \wbx B, \Delta_L, \Delta_R$}
\DisplayProof
\end{center}
The normal process of reducing Cut level would apply Cut
on the left cut-sequent and the premise of the right cut-sequent, as follows:
\begin{center}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash A$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma_L, \wbx \Gamma_L \vdash \Delta_L, \wbx A$}
\AxiomC{$\Pi_r$}
\noLine
\UnaryInfC{$A, \wbx A, \Gamma_R, \wbx \Gamma_R \vdash B$}
\LeftLabel{Cut on $\wbx A$}
\BinaryInfC{$A, \Sigma_L, \wbx \Gamma_L, \Gamma_R, \wbx \Gamma_R \vdash B, \Delta_L$}
\DisplayProof
\end{center}
Unfortunately, this results in a deduction where we can no longer recover
the $\wbx B$ present in the conclusion of the original Cut. The nature
of the calculus and the S4$\wbx$ rule means that new box formulae cannot
be introduced in any succedent which contains some context $\Delta$
(or where there are additional formula $\Sigma$ in the antecedent). As
stated earlier, this case is omitted in the \cute{} theorem of Troesltra
and Schwichtenberg~\cite{Troelstra}.
To overcome this issue, without introducing the complications and new
branching rule in the solution of Goubault~\cite{Goubault96}, we
modify the original derivation of the left premise, to produce one of
equal height upon which we can still apply the induction hypothesis on
level. The new application of the S4$\wbx$ rule differs from the
original by simply not adding any context in the conclusion. Formally,
the $\Sigma$ and $\Delta$ of the generic S4$\wbx$ rule in Figure
\ref{S4:rules} are $\emptyset$ in the new S4$\wbx$ instance below:
\begin{center}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash A$}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash A$}
\LeftLabel{S4$\wbx$ (new)}
\UnaryInfC{$\wbx \Gamma_L \vdash \wbx A$}
\AxiomC{$\Pi_r$}
\noLine
\UnaryInfC{$A, \wbx A, \Gamma_R, \wbx \Gamma_R \vdash B$}
\RightLabel{Cut on $\wbx A$}
\BinaryInfC{$A, \wbx \Gamma_L, \Gamma_R, \wbx \Gamma_R \vdash B$}
\RightLabel{Cut on $A$}
\BinaryInfC{$\Gamma_L, \wbx \Gamma_L, \wbx \Gamma_L, \Gamma_R, \wbx \Gamma_R \vdash B$}
\dashedLine
\RightLabel{Contraction-admissibility}
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L, \Gamma_R, \wbx \Gamma_R \vdash B$}
\LeftLabel{S4$\wbx$}
\UnaryInfC{$\Sigma_L, \Sigma_R, \wbx \Gamma_L, \wbx \Gamma_R \vdash \wbx B, \Delta_L, \Delta_R$}
\DisplayProof
\end{center}
In the formalised proof, this instance is the only case where the
inductive principle Lemma~\ref{l-sumh-step2-tr-lem}
% ie \texttt{sumh\_step2\_tr\_lem}
is actually required.
As the combined height of the derivations leading to $\wbx
\Gamma_L \vdash \wbx A$ and $A, \wbx A, \Gamma_R, \wbx \Gamma_R \vdash
B$ is lower than the level of the original Cut, the induction
hypothesis on level can be applied.
In all the other cases Theorem~\ref{thm-gen-step2sr-lem}
% ie \texttt{gen\_step2sr\_lem}
would have sufficed.
So in fact in all the other cases the property we prove is
\texttt{gen\_step2sr \ldots} and we use Lemma~\ref{l-gs2-car-sumhs-tr}
to link it to the required property \texttt{sumh\_step2\_tr \ldots}
where the ellipses indicate arguments to each function as appropriate.
\end{proof}
\section{Weakening, Contraction and Cut Admissibility for S4.3}
There exists a syntactic pen and paper proof for S4.3 in the
literature~\cite{Shimura91}, however the calculus involved contains
Weakening and Contraction as explicit rules, and mix-elimination is
proved rather than cut. There also exist published semantic proofs of
closure under Cut for both sequent and hypersequent calculi for
S4.3~\cite{gore94,indrzejczak12}.
% But, there are no syntactic pen and
% paper proofs of \cuta{} in the literature, nor any machine checked
% proofs for a sequent calculus for S4.3 devoid of explicit structural
% rules (as far as we know).
To our knowledge, there are also no published papers for S4.3
providing a sequent calculus devoid of structural rules and proving
cut-elimination.
The labelled calculi of Negri~\cite{Negri05} and
Castellini~\cite{castellini06} are perhaps the closest representatives
in the literature. As noted previously, while these calculi do not use
Weakening or Contraction, they explicitly include the semantics of the
logic in the calculi, along with corresponding operations on world
accessibility rather than logical operators. Thus they are not purely
syntactic.
\subsection{Calculus for S4.3}
The rules of the sequent calculus for S4.3 are listed in
Figure~\ref{S43:rules}. The calculus is based on the
version of Gor\'e~\cite{gore94}, but with Weakening absorbed into the
modal rules. Note, in the S4.3$\Box$ rule of Figure~\ref{S43:rules},
that $\Boxes = \{\varphi_1, \dots, \varphi_n \}$ and $\Boxesi{i} =
\{\varphi_1, \dots, \varphi_{i-1}, \varphi_{i+1}, \dots, \varphi_n \}$
for $1 \leq i \leq n$.
\begin{figure}[ht]
\centering
\begin{tabular}{ll}
\textit{Zero Premise Rule}\\[12px]
\AxiomC{}
\LeftLabel{id}
\UnaryInfC{$\Gamma, \varphi \vdash \varphi, \Delta$}
\DisplayProof
\\[16px]
\textit{Classical rules}\\[12px]
\AxiomC{$\Gamma, \varphi , \psi \vdash \Delta$}
\LeftLabel{L$\land$}
\UnaryInfC{$\Gamma, \varphi \land \psi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma \vdash \varphi, \Delta$}
\AxiomC{$\Gamma \vdash \psi, \Delta$}
\LeftLabel{R$\land$}
\BinaryInfC{$\Gamma \vdash \varphi \land \psi , \Delta$}
\DisplayProof
\\[12px]
\AxiomC{$\Gamma , \varphi \vdash \Delta$}
\AxiomC{$\Gamma , \psi \vdash \Delta$}
\LeftLabel{L$\lor$}
\BinaryInfC{$\Gamma, \varphi \lor \psi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma \vdash \varphi , \psi, \Delta$}
\LeftLabel{R$\lor$}
\UnaryInfC{$\Gamma \vdash \varphi \lor \psi, \Delta$}
\DisplayProof
\\[12px]
\AxiomC{$\Gamma \vdash \varphi, \Delta$}
\AxiomC{$\Gamma, \psi \vdash \Delta$}
\LeftLabel{L$\to$}
\BinaryInfC{$\Gamma , \varphi \to \psi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma , \varphi \vdash \psi, \Delta$}
\LeftLabel{R$\to$}
\UnaryInfC{$\Gamma \vdash \varphi \to \psi, \Delta$}
\DisplayProof
\\[12px]
\AxiomC{$\Gamma \vdash \varphi, \Delta$}
\LeftLabel{L$\lnot$}
\UnaryInfC{$\Gamma , \lnot \varphi \vdash \Delta$}
\DisplayProof
&
\AxiomC{$\Gamma , \varphi \vdash \Delta $}
\LeftLabel{R$\lnot$}
\UnaryInfC{$\Gamma \vdash \lnot \varphi, \Delta$}
\DisplayProof
\\[16px]
\textit{Modal rules}\\[12px]
\AxiomC{$\Gamma , \varphi, \Box \varphi \vdash \Delta$}
\LeftLabel{Refl}
\UnaryInfC{$\Gamma , \Box \varphi \vdash \Delta$}
\DisplayProof
\\[16px]
\end{tabular}
\AxiomC{$\Gamma , \Box \Gamma \vdash \varphi_1, \Box \Boxesi{1} \; \cdots \;
\Gamma , \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i} \; \cdots \;
\Gamma , \Box \Gamma \vdash \varphi_n, \Box \Boxesi{n}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof
\caption{\label{S43:rules}Sequent calculus for S4.3.}
\end{figure}
From the perspective of backward proof search, the S4.3$\Box$ rule can
be thought of as producing a new premise for all boxed formula in its
conclusion, each of these formula being un-boxed separately in its own
premise. Thus the general statement of the rule contains an
indeterminate number of premises, one is necessary for each $\varphi_i
\in \Boxes$. For the sake of simplicity and clarity, at times only one
of these premises will be shown as a representative for all $n$
premises. That is, the rule will be represented in the following form
shown below at left:
\[
\AxiomC{$\Gamma , \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof
\qquad
\AxiomC{$\Gamma , \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\RightLabel{$\forall \psi. \wbx\psi \not\in \Sigma \cup \Delta$}
\UnaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof
\]
There are two different versions of the S4.3$\Box$ rule. Either the
context ($\Sigma$ and $\Delta$) can contain any formulae, as shown
above left, or they cannot include top-level boxed-formulae, as shown
above right. In the latter case, the $\Box \Gamma$ and $\Box \Boxes$
in the conclusion of the S4.3$\Box$ rule must correspond to exactly
all the top-level boxed formulae within that sequent. The two versions
of the calculus are in fact equivalent, following a proof of the
admissibility of Weakening for the latter; however, for efficient
backward proof search, the version above right is preferred as it is
invertible and hence does not require backtracking during proof search.
Henceforth, $\Sigma$ and $\Delta$ within the S4.3$\Box$ rule will be
restricted from containing the $\Box$ operator at the top-level. In
Isabelle, this is implemented by creating a new type of formula, based
on the default formula type. HOL's \texttt{typedef} allows a concise
method of declaring new types as a subset of an existing type:
\begin{verbatim}
typedef nboxfml =
"{f::formula. ALL (a::formula). f ~= FC ''Box'' [a]}"
\end{verbatim}
The Isabelle formalisation of the overall calculus is based on the
calculus for S4 given in Figure~\ref{S4:rules}.
The only change is in the S4.3$\Box$ rule, which requires the
mapping function \texttt{nboxseq} to create a new premise for each
individual boxed formula in the succedent.
The code for this is given in Figure~\ref{S43:isabellerules}.
%\lstset{basicstyle=\ttfamily\footnotesize}
\lstset{basicstyle=\ttfamily}
\begin{figure}[h!]
% \begin{lstlisting} % this spaces out characters for some reason
\begin{verbatim}
(* Functions to unbox one formula for each premise *)
consts
ithprem :: "formula multiset => formula list => formula
=> formula sequent"
nprems :: "formula multiset => formula list
=> formula sequent list"
(* The boxes in the succedent are treated as a list As.
"ms_of_list (remove1 Ai As)" is the multiset consisting of
all elements in "As", with one copy of "Ai" removed. *)
defs
ithprem_def : "ithprem Gamma As Ai ==
mset_map Box Gamma + Gamma |-
{#Ai#} + mset_map Box (ms_of_list (remove1 Ai As))"
nprems_def : "nprems Gamma As == map (ithprem Gamma As) As"
consts
gs43_rls :: "formula sequent psc set"
s43box :: "formula sequent psc set"
(* The S4.3 box rule *)
inductive "s43box" intros
I : "(nprems gamma As, mset_map Box gamma |-
mset_map Box (ms_of_list As)) : s43box"
(* The S4.3 calculus as an extension of the LK calculus *)
inductive "gs43_rls" intros
lksI : "psc : lksss ==> psc : gs43_rls"
reflI : "psc : lkrefl ==>
pscmap (extend flr) psc : gs43_rls"
(* boxI allows extra formulae in conclusion only *)
boxI : "(p, c) : lkbox ==>
(p, extend (nboxseq flr) c) : gs43_rls"
\end{verbatim}
% \end{lstlisting}
\caption{\label{S43:isabellerules}S4.3 calculus as encoded in Isabelle}
\end{figure}
\lstset{basicstyle=\ttfamily\small}
\subsection{Weakening for S4.3} \label{s-s43-wk}
As the S4.3$\Box$ rule does not allow arbitrary contexts, \weaka{} must
be proved by induction, in this case on both height and rank
(of the implicit derivation tree, ie, using Lemma~\ref{genstep:lem}).
In order
to simplify the case for the S4.3$\Box$ rule and its multiple premises,
\weaka{} is proven for the antecedent and succedent separately, and only
considering a single formula at a time. The Isabelle encodings for these
properties are given below. The induction itself proceeds on the height
of the derivation, as well as a sub-induction on the rank of the formula
$A$ being inserted into the conclusion.
\begin{definition} ~
\begin{description}
\item[\texttt{wk\_adm\_single\_antec rls}] means:\\ For any
\texttt{rls}-derivable sequent $S$, and any single formulae $A$,\\
if \texttt{$S \in$ derrec rls \{\}} then \texttt{$S + $(\{\#A\#\} |-
\{\#\}) $\in$ derrec rls \{\}}.
\item[\texttt{wk\_adm\_single\_succ rls}] means:\\ For any
\texttt{rls}-derivable sequent $S$, and any single formulae $A$,\\ if
\texttt{$S \in$ derrec rls \{\}} then \texttt{$S + $(\{\#\} |- \{\#A\#\})
$\in$ derrec rls \{\}}.
\end{description}
\end{definition}
\begin{lemma}[\texttt{wk\_adm\_sides}]
If \texttt{wk\_adm\_single\_antec} and \texttt{wk\_adm\_single\_succ}
both hold for a set of rules \texttt{rls}, then so does \texttt{wk\_adm}.
\end{lemma}
\begin{proof}
By multiset induction, repeatedly applying the results for single formulae.
\end{proof}
\begin{theorem}[\texttt{gs43\_wk\_adm}]
Weakening is admissible for the calculus \texttt{gs43\_rls}.
\end{theorem}
\begin{proof}
In the case of the S4.3$\Box$ rule, if $A$ is not boxed, then it is
allowed to be contained in the context of the rule's conclusion. The
derivability of the original premises, followed by an application of
a new S4.3$\Box$ rule including $A$ as part of its context, then
gives the required sequent. The difficulty arises when $A$ is a
boxed formula, say $A = \Box B$. For the sake of clarity, the
representation of the original sequent can be split into its boxed
and non-boxed components, so the original derivation
is:
%\marginpar{Was $\Boxesi{i}$ in succedent of premiss.}
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \wbx\Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof{}
\end{center}
When $A$ is to be added to the antecedent, the induction on height can
be used to add $A = \Box B$ to each of the original
premises. Following this by an application of the sub-induction on
formula rank, allows the addition of $B$, giving the derivability of
$B, \Box B, \Gamma, \Box \Gamma \vdash \varphi_i, \wbx\Boxesi{i}$. An
application of the S4.3$\Box$ rule then completes the case:
\begin{center}
\AxiomC{$B, \Box B, \Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Box B, \Sigma, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof{}
\end{center}
The final case to consider is that of adding $A = \Box B$ to the
succedent. The goal once again is to use the S4.3$\Box$ rule to give
the desired conclusion. From the original premises, the induction
hypothesis on height (inserting $\Box B$) gives the derivability of
$\Gamma, \Box \Gamma \vdash \varphi_i, \wbx\Boxesi{i}, \Box B$. A
different application of the S4.3$\Box$ rule, bringing in empty
contexts, on the original premises also gives the derivability of
$\Box \Gamma \vdash \Box \Boxes$. Applying the induction on formula
rank then shows that $\Box \Gamma \vdash B, \Box \Boxes$ is
derivable.
At this point, the derivability of all necessary premises for a new
S4.3$\Box$ rule has been proven. These are sequents of the form $\Gamma,
\Box \Gamma \vdash \varphi'_i, \Box \Boxesi{i}'$ where $\Boxes' = \Boxes,
B$. The final rule application is then:
\begin{center}
\AxiomC{$\Gamma, \Box \Gamma \vdash \varphi'_i, \Box \Boxesi{i}'$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Box B, \Delta$}
\DisplayProof{}
\end{center}
\end{proof}
% In the base formalisation, a general lemma about \weaka{} suffices for a
% fairly broad range of calculi. If the conclusion of rules can be extended
% with an arbitrary context, then proving \weaka{} is very straightforward
% using an induction on height (premises in the formalisation). Weakening
% in formulae is as simple as instantiating the context of the rule as it
% was originally, but with the new formula also included. Note that this
% may require introducing new formulae in the premises as well, using the
% inductive hypothesis.
%\begin{lemma}[\texttt{wk\_adm\_ext\_concl}]\label{wk_adm:lem}
%If all rules in a calculus can be extended by arbitrary contexts
% in the conclusion, then Weakening is admissible in that calculus.
%\end{lemma}
%\begin{proof}
%By an induction on height, using drs.inductr (Lemma~\ref{inductr:lem}).
%\end{proof}
%This lemma is essentially a sufficient condition for \weaka{}, in the same
%style as the conditions for \cuta{} given by \cite{Rasga05}.
%For calculi where some rule(s) restrict contexts in their conclusion,
% the lemma \texttt{wk\_adm\_ext\_concl} no longer applies, and so a proof
% of \weaka{} requires the standard inductive style proof involving a case
% analysis of the last rule applied.
\subsection{Invertibility and Contraction for S4.3} \label{s-s43-inv-ctr}
As for S4, we prove inversion lemmas for the G3cp and Refl rules within
the overall calculus.
\begin{theorem}[\texttt{inv\_rl\_gs43\_refl} and
\texttt{inv\_rl\_gs43\_lks}]
Refl (\texttt{lkrefl}) and all Classical rules (\texttt{lksss})
are invertible within the calculus \texttt{gs43\_rls}.
\end{theorem}
\begin{proof}
Since the inverse of the Refl rule is an instance of weakening, which we
have shown is admissible,
the only notable case occurs for the G3cp rules,
where the last rule applied in the original derivation is S4.3$\Box$.
The proof uses the induction principle of Lemma~\ref{lemma:inv-from-inv-step}.
If the original derivation is given by
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof{}
\end{center}
then proving invertibility for G3cp requires showing the derivability of all premises after applying a G3cp rule backwards from the endsequent of the S4.3$\Box$ rule. As the classical rules do not operate on boxed formulae, the rule can only modify $\Sigma$ or $\Delta$:
\begin{center}
\AxiomC{$\Sigma', \Box \Gamma \vdash \Box \Boxes, \Delta'$}
\LeftLabel{G3cp rule}
\UnaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof{}
\end{center}
Clarifying again, invertibility of the G3cp rule requires deriving
$\Sigma', \Box \Gamma \vdash \Box \Boxes, \Delta'$.
The usual tactic would apply another instance of the S4.3$\Box$ rule
to the original premises, but bringing in a different context.
However, this does not admit a proof if there are boxed formula in $\Sigma'$ or
$\Delta'$. For example, if the G3cp rule is L$\land$ and the principal
formula is $A \land \Box B$ then $\Sigma'$ contains a boxed formula,
$\Box B$, which cannot be introduced within the (box-free) context of
a new S4.3$\Box$ rule application.
To accommodate this case, the premises of the modal rule are used to
derive the conclusion without any context. Then \weaka{} is used to
bring the remaining formulae in the premise of the G3cp rule:
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Box \Gamma \vdash \Box \Boxes$}
\dashedLine
\LeftLabel{Weakening-admissibility}
\UnaryInfC{$\Sigma', \Box \Gamma \vdash \Box \Boxes, \Delta'$}
\DisplayProof{}
\end{center}
\end{proof}
For S4, proving invertibility is sufficient to lead to a \ctra{} proof.
However, using invertibility alone does not allow an obvious
transformation when dealing with the S4.3$\Box$ rule.
In order to prove \ctra{}, we first require the following lemma:
%TODO: possibly change the statement of this lemma?
% this lemma, called gs43_refl, is used in proof of gs43_ctr_adm, in the case
% (* two cases, contraction formula both boxed/one unboxed in premise *)
\begin{lemma}[\texttt{gs43\_refl}]\label{lemma:R-refl-admin}
The rule R-refl is admissible in \texttt{gs43\_rls}.
\begin{center}
\AxiomC{$\Gamma \vdash \Delta, \Box A$}
\LeftLabel{R-refl}
\UnaryInfC{$\Gamma \vdash \Delta, A$}
\DisplayProof{}
\end{center}
The corresponding statement of the lemma in Isabelle states that
%\begin{lstlisting}
% seq : derrec gs43_rls {} -->
% (ALL X Y. seq = extend (X |- Y) (0 |- {#Box A#}) -->
% extend (X |- Y) (0 |- {#A#}) : derrec gs43_rls {})
%\end{lstlisting}
if a sequent \texttt{seq} is derivable in \texttt{gs43\_rls} and the
sequent is equivalent to $X \vdash Y, \Box A$ for any $X$ and $Y$,
then $X \vdash Y, A$ is also derivable.
\end{lemma}
\begin{proof}
By an induction on the structure of the (implicit) derivation tree,
using the \texttt{derrec}-induction principle, Lemma~\ref{l-der-ind}.
% for all $\Gamma$ and $\Delta$.
The analysis is on the last rule applied in deriving
$\Gamma \vdash \Delta, \Box A$.
\begin{description}
\item[Case 1. The last rule applied was id.]
If $\Box A$ is parametric then $\Gamma \vdash \Delta$ is an axiom,
and the conclusion will be also.
If $\Box A$ is principal, then $\Gamma = \{\Box A\} \cup \Gamma'$
and the following transformation is applied:
\begin{center}
\AxiomC{}
\LeftLabel{id}
\UnaryInfC{$A, \Box A, \Gamma' \vdash \Delta, A$}
\LeftLabel{Refl}
\UnaryInfC{$\Box A, \Gamma' \vdash \Delta, A$}
\DisplayProof{}
\end{center}
\item[Case 2. The last rule applied was from G3cp.]
No rules in G3cp operate on a boxed formula, so $\Box A$ must be
parametric. The induction hypothesis on height can thus be applied to
the premise of the G3cp rule. Applying the original G3cp on the resulting
sequent gives the desired conclusion.
\item[Case 3. The last rule applied was Refl.]
As in Case 2, $\Box A$ must be parametric,
as Refl only operates on boxed formula in the antecedent.
\item[Case 4. The last rule applied was S4.3$\Box$.]
Then one premise of the original deduction un-boxes $\Box A$.
Using Refl followed by \weaka{} on this premise is enough to produce
the conclusion.
For clarity, here we express $\Gamma = \Sigma \cup \Box \Gamma'$ and
$\Delta = \Box \Boxes \cup \Delta'$. The original derivation is:
\begin{center}
\AxiomC{$\Pi_1$}
\noLine
\UnaryInfC{$\Gamma', \Box \Gamma' \vdash \Box \Boxes, A$}
\AxiomC{$\Pi_2$}
\noLine
\UnaryInfC{$\Gamma', \Box \Gamma' \vdash
\varphi_i, \Box \Boxesi{i}, \Box A$}
\BinaryInfC{$\Sigma, \Box \Gamma' \vdash \Box \Boxes, \Delta', \Box A$}
\DisplayProof{}
\end{center}
This is transformed into:
\begin{center}
\AxiomC{$\Pi_1$}
\noLine
\UnaryInfC{$\Gamma', \Box \Gamma' \vdash \Box \Boxes, A$}
\LeftLabel{Refl}
\UnaryInfC{$\Box \Gamma' \vdash \Box \Boxes, A$}
\LeftLabel{Weakening-admissibility}
\dashedLine
\UnaryInfC{$\Sigma, \Box \Gamma' \vdash \Box \Boxes, \Delta', A$}
\DisplayProof{}
\end{center}
\end{description}
\end{proof}
%The above lemma is crucial in the case when the S4.3$\Box$
% rule was the last used in a derivation.
\begin{theorem}[\texttt{gs43\_ctr\_adm}]
Contraction is admissible in \texttt{gs43\_rls}.
\end{theorem}
% this thm uses gen_ctr_adm_step which is gen_step_lem instantiated for ctr_adm
\begin{proof}
This proof uses the induction principle Lemma~\ref{genstep:lem},
for implicit derivation trees.
If the last rule used in the derivation was the S4.3$\Box$ rule,
there are two cases to consider. The case where the
contraction-formula is parametric is handled by simply re-applying
another instance of the S4.3$\Box$ rule like the S4 case.
Similarly, when the contraction-formula is principal in the
antecedent, then the proof proceeds like in S4. Specifically, one
copy of $\Box A$ from $\Sigma, \Box A, \Box A, \Box \Gamma \vdash
\Box \Boxes, \Delta$ must be removed. The original derivation is:
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$A, A, \Box A, \Box A, \Gamma, \Box \Gamma \vdash
\varphi_i, \Box \Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Sigma, \Box A, \Box A, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof{}
\end{center}
By contracting twice using first the induction hypothesis on height,
then the induction hypothesis on rank,
on all premises followed by an application of the S4.3$\Box$ rule,
the desired endsequent is obtained:
\begin{center}
\AxiomC{$\Pi$}
\noLine
\UnaryInfC{$A, A, \Box A, \Box A, \Gamma, \Box \Gamma \vdash
\varphi_i, \Box \Boxesi{i}$}
\dashedLine
\LeftLabel{IH on height}
\UnaryInfC{$A, A, \Box A, \Gamma, \Box \Gamma \vdash
\varphi_i, \Box \Boxesi{i}$}
\dashedLine
\LeftLabel{IH on rank}
\UnaryInfC{$A, \Box A, \Gamma, \Box \Gamma \vdash
\varphi_i, \Box \Boxesi{i}$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Sigma, \Box A, \Box \Gamma \vdash \Box \Boxes, \Delta$}
\DisplayProof{}
\end{center}
When the contraction-formula is principal in the succedent,
then there are two cases of the premises to consider.
Either a premise ``un-boxes'' one of the contraction-formulae
\footnote{Technically, there are two
syntactically identical premises which individually un-box one of the
two copies of $\Box A$}, or it leaves both boxed.
The original deduction is given by:
\begin{center}
\AxiomC{$\Pi_1$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \Box \Boxes, A, \Box A$}
\AxiomC{$\Pi_2$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}, \Box A, \Box A$}
\BinaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Box A, \Box A, \Delta$}
\DisplayProof{}
\end{center}
In the latter case, the induction hypothesis can be directly applied,
removing one copy of the boxed formulae:
\begin{center}
\AxiomC{$\Pi_2$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i},
\Box A, \Box A$}
\dashedLine
\LeftLabel{IH on height}
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}, \Box A$}
\DisplayProof{}
\end{center}
In the former case, the original derivation is:
\begin{center}
\AxiomC{$\Pi_1$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \Box \Boxes, A, \Box A$}
\AxiomC{$\Pi_2$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}, \Box A, \Box A$}
\BinaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Box A, \Box A, \Delta$}
\DisplayProof{}
\end{center}
For this sub-case, we use the above Lemma~\ref{lemma:R-refl-admin} to
produce the following transformation:
\begin{center}
\AxiomC{$\Pi_1$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \Box \Boxes, A, \Box A$}
\dashedLine
\LeftLabel{R-refl}
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \Box \Boxes, A, A$}
\dashedLine
\LeftLabel{IH on rank}
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \Box \Boxes, A$}
\AxiomC{$\Pi_2$}
\noLine
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box
\Boxesi{i}, \Box A, \Box A$}
\dashedLine
\LeftLabel{IH on height}
\UnaryInfC{$\Gamma, \Box \Gamma \vdash \varphi_i, \Box \Boxesi{i}, \Box A$}
\LeftLabel{S4.3$\Box$}
\BinaryInfC{$\Sigma, \Box \Gamma \vdash \Box \Boxes, \Box A, \Delta$}
\DisplayProof{}
\end{center}
\end{proof}
\subsection{Cut-admissibility for S4.3} \label{s-s43-ca}
\begin{theorem}[\texttt{gs43\_cas}]\label{t-gs43-cas}
Cut is admissible in the calculus \texttt{gs43\_Rls}.
\end{theorem}
\begin{proof}
As with Theorem~\ref{t-gs4-cas}, we use the induction principle of
Lemma~\ref{l-sumh-step2-tr-lem}, involving induction on the sums of heights of
two explicit trees, although for the majority of cases the simpler principle
Theorem~\ref{thm-gen-step2sr-lem} would suffice.
So again, in those cases, we prove
\texttt{gen\_step2sr \ldots} and we use Lemma~\ref{l-gs2-car-sumhs-tr}
to link it to the required property \texttt{sumh\_step2\_tr \ldots},
where the ellipses indicate arguments to each function as appropriate.
When S4.3$\Box$ leads to the left cut-sequent, and the Refl rule is
used on the right, the transformation mimics the corresponding case
for S4. However, for the case where S4.3$\Box$ principal is principal
on both sides requires a new transformation. For clarity, the premises
above the S4.3$\Box$ rule on the left are given as two cases, depending
on whether the cut-formula is un-boxed or not. The boxed formula in the
succedents of the premises are also distinguished by the superscripts
$L$ and $R$ for left and right cut premises respectively. Explicitly,
these are $\Boxes^L = \{\varphi_1^L \dots \varphi_i^L \dots \varphi_n^L\}$
and $\Boxes^R = \{\psi_1^R \dots \psi_k^R \dots \psi_m^R\}$.
The original cut thus has form:
\begin{center}
{\footnotesize
\AxiomC{$\Pi_L^a$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L \vdash \varphi_i^L, \Box \Boxesi{i}^L, \Box A$}
\AxiomC{$\Pi_L^b$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L \vdash A, \Box \Boxes^L$}
\LeftLabel{S4.3$\Box$}
\BinaryInfC{$\Sigma_L, \Box \Gamma_L \vdash \Box \Boxes^L, \Delta_L, \Box A$}
\AxiomC{$\Pi_R$}
\noLine
\UnaryInfC{$A, \Box A, \Gamma_R, \Box \Gamma_R \vdash \psi_k^R, \Box \Boxesi{k}^R$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\Box A, \Sigma_R, \Box \Gamma_R \vdash \Box \Boxes^R, \Delta_R$}
\LeftLabel{Cut on $\Box A$}
\BinaryInfC{$\Sigma_L, \Sigma_R, \Box \Gamma_L, \Box \Gamma_R \vdash \Box \Boxes^L, \Box \Boxes^R, \Delta_L, \Delta_R$}
\DisplayProof{}
}
\end{center}
To remove this cut, the derivation is transformed into one where the
principal rule (S4.3$\Box$) is applied last to produce the desired
endsequent. The problem is then proving that the premises of the following
S4.3$\Box$ rule application are derivable. This in itself requires
two different transformations of the original derivation, depending on
the two forms that the premises can take; either the un-boxed formula
in the succedent originated from the left cut premise,
that is from $\Box \Boxes^L$, or from the right, within $\Box \Boxes^R$.
These cases are named $\mathcal{P}_L$ and $\mathcal{P}_R$ respectively.
The final S4.3$\Box$ rule used in our new transformation is then:
\begin{center}
\AxiomC{$\MP_L$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L, \Gamma_R, \Box \Gamma_R \vdash \varphi_i^L, \Box \Boxesi{i}^L, \Box \Boxes^R$}
\AxiomC{$\MP_R$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L, \Gamma_R, \Box \Gamma_R \vdash \Box \Boxes^L, \psi_k^R, \Box \Boxesi{k}^R$}
\LeftLabel{S4.3$\Box$}
\BinaryInfC{$\Sigma_L, \Sigma_R, \Box \Gamma_L, \Box \Gamma_R \vdash \Box \Boxes^L, \Box \Boxes^R, \Delta_L, \Delta_R$}
\DisplayProof{}
\end{center}
For both transformations, the same idea behind the principal S4$\Box$
rule case is used. We first derive the original cut-sequents but without
their original contexts. These new sequents will be called $\mathcal{D}_L$
and $\mathcal{D}_R$ respectively. These are derived using the derivations
in the original cut, but applying new instances of the S4.3$\Box$ rule.
Importantly, the derivations of the new sequents $\mathcal{D}_L$ and
$\mathcal{D}_R$ have the same height as the original cut-sequents.
This is the case where the induction principle of
Lemma~\ref{l-sumh-step2-tr-lem} is required.
\begin{center}
\AxiomC{$\Pi_L^a$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L \vdash \varphi_i^L, \Box \Boxesi{i}^L, \Box A$}
\AxiomC{$\Pi_L^b$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L \vdash A, \Box \Boxes^L$}
\LeftLabel{S4.3$\Box$}
\BinaryInfC{$\mathcal{D}_L = \Box \Gamma_L \vdash \Box \Boxes^L, \Box A$}
\DisplayProof{}
\end{center}
\begin{center}
\AxiomC{$\Pi_R$}
\noLine
\UnaryInfC{$A, \Box A, \Gamma_R, \Box \Gamma_R \vdash \psi_k^R, \Box \Boxesi{k}^R$}
\LeftLabel{S4.3$\Box$}
\UnaryInfC{$\mathcal{D}_R = \Box A, \Box \Gamma_R \vdash \Box \Boxes^R$}
\DisplayProof{}
\end{center}
Having introduced all the necessary notation and pre-requisites,
the first actual case to consider is deriving $\mathcal{P}_L$.
The induction on level allows $\mathcal{D}_R$ to be cut, on cut-formula
$\Box A$, with all of the sequents given by the derivation $\Pi_L^a$
above the original left S4.3$\Box$ rule. The transformation performs $n$
cuts, for all premises corresponding to the formulae in $\Boxes^L$.
The results of this cut then match exactly with $\mathcal{P}_L$ after using
the admissibility of Weakening to introduce the formulae of $\Gamma_R$
in the antecedent.
\begin{center}
\AxiomC{$\Pi_L^a$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L \vdash \varphi_i^L, \Box \Boxesi{i}^L, \Box A$}
\AxiomC{$\MD_R$}
\noLine
\UnaryInfC{$\Box A, \Box \Gamma_R \vdash \Box \Boxes^R$}
\RightLabel{Cut on $\Box A$}
\BinaryInfC{$\Gamma_L, \Box \Gamma_L, \Box \Gamma_R \vdash \varphi_i^L, \Box \Boxesi{i}^L, \Box \Boxes^R$}
\dashedLine
\RightLabel{Weakening-admissibility}
\UnaryInfC{$\mathcal{P}_L = \Gamma_L, \Box \Gamma_L, \Gamma_R, \Box \Gamma_R \vdash \varphi_i^L, \Box \Boxesi{i}^L, \Box \Boxes^R$}
\DisplayProof{}
\end{center}
To derive the sequents in $\mathcal{P}_R$, the induction hypothesis
on level is used to cut $\mathcal{D}_L$ with all of the premises above
the right S4.3$\Box$ in the original cut, with cut-formula $\Box A$.
The induction on formula rank on $A$ is then used to cut the sequent resulting
from $\Pi_L^b$ with all these new sequents. Finally, \ctra{} allows
the removal of the extra copies of $\Box \Gamma$ and $\Box \Boxes^L$,
and concludes the case.
\begin{center}
\AxiomC{$\Pi_L^b$}
\noLine
\UnaryInfC{$\Gamma_L, \Box \Gamma_L \vdash A, \Box \Boxes^L$}
\AxiomC{$\MD_L$}
\noLine
\UnaryInfC{$\Box \Gamma_L \vdash \Box \Boxes^L, \Box A$}
\AxiomC{$\Pi_R$}
\noLine
\UnaryInfC{$A, \Box A, \Gamma_R, \Box \Gamma_R \vdash \psi_k^R, \Box \Boxesi{k}^R$}
\RightLabel{Cut on $\Box A$}
\BinaryInfC{$\Box \Gamma_L, A, \Gamma_R, \Box \Gamma_R \vdash \Box \Boxes^L, \psi_k^R, \Box \Boxesi{k}^R$}
\RightLabel{Cut on $A$}
\BinaryInfC{$\Gamma_L, \Box \Gamma_L, \Box \Gamma_L, \Gamma_R, \Box \Gamma_R \vdash \Box \Boxes^L, \Box \Boxes^L, \psi_k^R, \Box \Boxesi{k}^R$}
\dashedLine
\RightLabel{Contraction-admissibility}
\UnaryInfC{$\mathcal{P}_R = \Gamma_L, \Box \Gamma_L, \Gamma_R, \Box \Gamma_R \vdash \Box \Boxes^L, \psi_k^R, \Box \Boxesi{k}^R$}
\DisplayProof{}
\end{center}
To conclude, the transformations above derive $\mathcal{P}_L$ and
$\mathcal{P}_R$ while reducing cut-level or cut-rank. These are the
premises of an instance of the S4.3$\Box$ rule which results in the
conclusion of the original cut. This completes the \cuta{} proof.
\end{proof}
\section{The system GTD}
\label{s-gtd}
This section describes Isabelle proofs of the
cut admissibility of the logic GTD described in \cite{mints-jaegerfest}
%
Axiomatically, GTD is $K$ with the additional axiom
$\Box A \Leftrightarrow \Box \Box A$.
The sequent inference rules involving $\Box$,
allowing arbitrary context inthe conclusion so as to make weakening admissible,
are shown below:
$$
\frac{\wbx\Gamma, \Gamma \vdash A}
{\Sigma, \Box \Gamma \vdash \Box A, \Delta} (\vdash\Box)
\qquad\qquad\qquad
\frac{\wbx\Gamma, \Gamma \vdash \Box A}
{\Sigma, \Box \Gamma \vdash \Box A, \Delta} (\Box\vdash)
$$
% We first formalised $GTD$ as
% \texttt{glssc GTD}
% using a framework which had previously been applied to other logics.
% \texttt{GTD} means the rules involving $\Box$, and \texttt{glssc} refers to
% a set of classical logic rules, including explicit weakening and contraction
% rules.
% Our formalisation involves sequents consisting of multisets of formulae on
% either side of a turnstile.
% \begin{verbatim}
% datatype 'a sequent = Sequent "'a multiset" "'a multiset"
% \end{verbatim}
The skeletons of the above two rules are encoded as \texttt{GTD} shown below by
factoring out the form of $A$ as either $B$ or as $\wbx B$:
\begin{verbatim}
inductive "GTD" intros
I : "A = B | A = Box B ==>
([mset_map Box X + X |- {#A#}],
mset_map Box X |- {#Box B#}) : GTD"
\end{verbatim}
% glssc_gs2sr_ng:
% "[| c8ger_prop ?psubfml (glssc ?R) ?A (glne - wkrls - UNION UNIV ctrrls);
% (?psa, ?ca) : extrs glne; (?psb, ?cb) : extrs glne |] ==>
% gen_step2sr (prop2 mar (glssc ?R)) ?A ?psubfml (glssc ?R)
% ((?psa, ?ca), ?psb, ?cb)"
% \end{verbatim}
% The property \texttt{c8ger\_prop} says essentially that if \emph{single} cuts
% on subformulae of $A$ are admissible then a single cut on $A$
% is admissible where the last rules on either side are logical introduction
% rules introducing the cut-formula $A$.
% \begin{verbatim}
% "c8ger_prop ?isubfml ?drls ?A ?c8rls ==
% ALL ps qs pse qse X Y.
% (ps, 0 |- {#?A#}) : ?c8rls -->
% (qs, {#?A#} |- 0) : ?c8rls -->
% pse = map (extend (X |- Y)) ps -->
% qse = map (extend (X |- Y)) qs -->
% set pse Un set qse <= derrec ?drls {} -->
% (ALL sfa.
% (sfa, ?A) : ?isubfml --> (ALL seqs. seqs : cas ?drls sfa)) -->
% (X |- Y) : derrec ?drls {}"
% \end{verbatim}
% In the cases of the logical introduction rules proving multicut admissibility
% is more difficult than proving single cut admissibility.
% Where introduction of (just one instance of) the cut-formula $A$
% is the last step on each side before the cut,
% it is nesessary to perform multicut elimination on $A$ between
% $\MQ_{l1} \ldots \MQ_{ln}$ and $\MC_{r}$, and between
% $\MC_{l}$ and $\MQ_{r1} \ldots \MQ_{rm}$;
% then one performs single-cut elimination on the sub-formulae of $A$.
% These steps are part of the proof of \texttt{c8\_gs2\_mas}.
% An example follows.
% Note that here (unlike some of the other diagrams) the contexts
% $U$ and $Y$ may contain copies of the cut-formula.
% Let $Y'$ be $Y$ with copies of $A \land B$ deleted, and
% $U'$ be $U$ with copies of $A \land B$ deleted.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$X \vdash A, Y$}
% \AxiomC{$X \vdash B, Y$}
% \RightLabel{($\vdash \land$)}
% \BinaryInfC{$X \vdash A \land B, Y$}
% \AxiomC{$U, A, B \vdash V$}
% \RightLabel{($\land \vdash$)}
% \UnaryInfC{$U, A \land B \vdash V$}
% \RightLabel{(\textit{mix ?})}
% \dottedLine
% \BinaryInfC{$X, U' \vdash Y', V$}
% \end{prooftree}
% \end{center}
% This is replaced by
% \begin{center}
% \begin{prooftree}
% \AxiomC{$X \vdash A, Y$}
% \AxiomC{$U, A \land B \vdash V$}
% \RightLabel{(\textit{inductive mix})}
% \dottedLine
% \BinaryInfC{$X, U' \vdash A, Y', V$}
% \dottedLine
% \UnaryInfC{\large (A)}
% \end{prooftree}
% \end{center}
% \begin{center}
% \begin{prooftree}
% \AxiomC{$X \vdash B, Y$}
% \AxiomC{$U, A \land B \vdash V$}
% \RightLabel{(\textit{inductive mix})}
% \dottedLine
% \BinaryInfC{$X, U' \vdash B, Y', V$}
% \dottedLine
% \UnaryInfC{\large (B)}
% \end{prooftree}
% \end{center}
% \begin{center}
% \begin{prooftree}
% \AxiomC{$X \vdash A \land B, Y$}
% \AxiomC{$U, A, B \vdash V$}
% \RightLabel{(\textit{inductive mix})}
% \dottedLine
% \BinaryInfC{$X, U', A, B \vdash Y', V$}
% \dottedLine
% \UnaryInfC{\large (C)}
% \end{prooftree}
% \end{center}
% Then (A), (B) and (C) are combined using inductive cuts on the smaller
% cut-formulae $A$ and $B$, and the necessary contractions,
% to derive the required sequent {$X, U' \vdash Y', V$}.
% \begin{verbatim}
% c8_gs2_mas:
% "[| wk_adm ?drls; ?prl = (?ps, 0 |- {#?A#}); ?qrl = (?qs, {#?A#} |- 0);
% ?prl : ?c8rls; ?qrl : ?c8rls;
% ?eprl = pscmap (extend (?Xl |- ?Yl)) ?prl;
% ?eqrl = pscmap (extend (?Xr |- ?Yr)) ?qrl;
% c8ger_prop ?sub ?drls ?A ?c8rls |] ==>
% gen_step2sr (prop2 mas ?drls) ?A ?sub ?drls (?eprl, ?eqrl)"
% \end{verbatim}
% We proved that \texttt{c8ger\_prop} holds in the following theorem.
% \begin{verbatim}
% rls_c8: "c8ger_prop ipsubfml (glssc ?rls) ?A
% (glne - wkrls - UNION UNIV ctrrls)"
% \end{verbatim}
% It remains to look at the case where the final rule on both sides of the
% desired cut are instances of the $GTD$ rules.
% Here there are two quite distinct cases, depending on which $GTD$ rule is used
% as the final step for the left premise of the cut.
% For the first case, the rule on the left is
% the $(\Box \vdash)$ rule as shown,
% and for the rule on the right,
% only its conclusion matters, and is as shown.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash \Box A$}
% \RightLabel{$(\Box\vdash)$}
% \UnaryInfC{$\Box \Gamma \vdash \Box A$}
% % \AxiomC{$A^n, \Box A^n, \Delta, \Box \Delta \vdash B'$}
% % \RightLabel{$\textit{ctr}^*\vdash$}
% % \UnaryInfC{$A, \Box A, \Delta, \Box \Delta \vdash B'$}
% \AxiomC{$\cdots$}
% \UnaryInfC{$\Box A^n, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{mix ?})}
% \dottedLine
% \BinaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% we use the inductive hypothesis permitting multicutting $\Box A$ between
% $\Gamma, \Box \Gamma \vdash \Box A$ with $\Box A^n, \Box \Delta \vdash \Box B$
% then we use weakening and the $(\Box \vdash)$ rule, to get
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash \Box A$}
% \AxiomC{$\cdots$}
% \UnaryInfC{$\Box A^n, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{inductive mix})}
% \dottedLine
% \BinaryInfC{$\Gamma, \Box \Gamma, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{weak})}
% \UnaryInfC{$\Gamma, \Delta, \Box \Gamma, \Box \Delta \vdash \Box B$}
% \RightLabel{($\Box\vdash$)}
% \UnaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% The second case, with the $(\vdash \Box)$ rule on the left as shown,
% is more complicated.
% Note that, for the rule on the right, $B'$ can be either $\Box B$ or $B$.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash A$}
% \RightLabel{$(\Box\vdash)$}
% \UnaryInfC{$\Box \Gamma \vdash \Box A$}
% \AxiomC{$A^n, \Box A^n, \Delta, \Box \Delta \vdash B'$}
% \UnaryInfC{$\Box A^n, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{mix ?})}
% \dottedLine
% \BinaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% In this case, from the premise on the right, we perform
% inductive mix on $\Box A$ with the conclusion on the left,
% then mix on $A$ with the premise on the left,
% contraction(s) on $\Box \Gamma$, and finally an instance of the
% $(\vdash \Box)$ or $(\Box \vdash)$ rule (whichever was on the right before).
% The result is shown below.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash A$}
% \AxiomC{$\Box \Gamma \vdash \Box A$}
% \AxiomC{$A^n, \Box A^n, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{(\textit{inductive mix})}
% \dottedLine
% \BinaryInfC{$A^n, \Box \Gamma, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{(\textit{inductive mix})}
% \dottedLine
% \BinaryInfC{$\Gamma, \Box \Gamma, \Box \Gamma, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{$(\textit{ctr}^*\vdash)$}
% \UnaryInfC{$\Gamma, \Box \Gamma, \Delta, \Box \Delta \vdash B'$}
% \UnaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% \begin{verbatim}
% glssc_gs2sr_GTD_GTD:
% "[| (?psa, ?ca) : GTD; (?psb, ?cb) : GTD |] ==>
% gen_step2sr (prop2 mar (glssc GTD)) ?A ipsubfml (glssc GTD)
% ((?psa, ?ca), ?psb, ?cb)"
% \end{verbatim}
% Finally we combine these results to get the mix admissibility result.
% \begin{verbatim}
% mas_GTD: "(?seql, ?seqr) : mas (glssc GTD) ?A"
% \end{verbatim}
% \section{Inductive proof of cut (\emph{not} mix) admissibility for GTD}
% \label{s-cut-gtd}
% The previous section dealt with a proof of cut admissibility where the
% inductive hypothesis was essentially that mix-admissibility is available for
% the end-sequents of ``smaller'' pairs of derivations.
% We now want to explore what it takes to produce an inductive proof where the
% inductive hypothesis is that (specifically) single-cut admissibility is
% available for ``smaller'' pairs of derivations.
% We define the ordinary logical rules of the differently from the above,
% so that the rules ($\vdash\lor$) and ($\land\vdash$) are
% of the forms shown (without the context)
% $$
% \frac{A, B \vdash}{A \land B \vdash}
% \qquad
% \frac{\vdash A, B}{\vdash A \lor B }
% $$
% In these forms, these rules are invertible.
% We define the rules of the system as follows.
% The rules used for classical logic (before extending them with a context)
% form the set \texttt{lkxcne}: the rule sets \texttt{idrls},
% \texttt{wkrls}, \texttt{ctrrls} $A$, \texttt{lksil} and \texttt{lksir}
% are the axioms, weakening rules, contraction (on $A$) rules,
% and the left and right logical introduction rules.
% \begin{verbatim}
% inductive "lkxcss xrls"
% intros
% extI : "psc : lkxcne ==> pscmap (extend flr) psc : lkxcss xrls"
% x : "psc : xrls ==> psc : lkxcss xrls"
% inductive "lkxcne"
% intros
% id : "psc : idrls ==> psc : lkxcne"
% wk : "psc : wkrls ==> psc : lkxcne"
% ctr : "psc : ctrrls A ==> psc : lkxcne"
% ilI : "psc : lksil ==> psc : lkxcne"
% irI : "psc : lksir ==> psc : lkxcne"
% \end{verbatim}
% When proving single-cut admissibility, the contraction rule causes a
% difficulty, since going up one step in the proof gives us an extra copy of the
% cut-formula to deal with, and the inductive hypothesis enables us to use an
% inductively available cut only to get rid of one copy of the cut-formula.
% The solution is to use the invertibility of the logical introduction rules,
% which reduces the problem of cut on a cut-formula $A$ containing a logical
% connective to cut on sub-formulae of $A$.
% Unfortunately the contraction rule causes the same sort of difficulty here as
% it does with the cut rule.
% So we have to prove, inductively, a sort of ``multi-invertibilty'' property,
% that multiple copies of a formula are invertible according to the introduction
% rule for that formula.
% Again, we define a predicate indicating that one step of an inductive proof
% of this result is available.
% Firstly, we define the set of inverses of a sequent according to a rule set:
% if $(ps, seq) \in irls$ and $p \in ps$,
% then $p \in \texttt{invs\_of}\ irls\ seq$.
% Then the property of interest is that when a sequent is derivable, its
% inverses are also derivable.
% The predicate \texttt{inv\_step} describes that this property holds for the
% end-sequent of a derivation, assuming that it holds for the preceding
% sequent(s).
% Note that there are two rule sets involved, the rules used for derivations and
% the rules being shown to be invertible.
% In the definition of \texttt{inv\_step}, \texttt{derivs} will be the set of
% derivable sequents.
% Then \texttt{inv\_step} \ldots means that
% for the last rule $(ps, concl)$ of a derivation:
% if the inverses of the premises $ps$ of that rule are derivable,
% then the inverses of the conclusion $concl$ are derivable.
% Finally, \texttt{gtd\_inv\_step} shows that the logical introduction rules,
% with each formula repeated $n$ times, and with contexts, are invertible,
% and \texttt{gtd\_inv\_rl} is the invertibility result.
% \begin{verbatim}
% invs_of_def: "invs_of ?irls ?seq ==
% {x. EX p ps. x = p & p : set ps & (ps, ?seq) : ?irls}"
% inv_step.simps: "inv_step ?derivs ?irls (?ps, ?concl) =
% (set ?ps <= ?derivs --> (ALL p:set ?ps. invs_of ?irls p <= ?derivs) -->
% invs_of ?irls ?concl <= ?derivs)"
% gtd_inv_step: "[| ?r : lksil Un lksir; ?x : lkxcss GTD |] ==>
% inv_step (derrec (lkxcss GTD) {}) (extrs (multiples {?r})) ?x"
% gtd_inv_rl: "Ball (extrs (multiples lksne)) (inv_rl (lkxcss GTD))"
% \end{verbatim}
% NOTE: From here the proof of cut admissibility is a single theorem with
% one long monolithic proof. Perhaps I should rearrange it so as to better
% enable a description of the intermediate results.
% First we need a change in the pattern of proof by induction.
% Referring to the diagram in \S\ref{s-induction},
% the induction hypothesis that $P (\MQ_{li}, \MC_{r})$ and $P (\MC_{l},
% \MQ_{rj})$ hold for all $i$ and $j$ will not be sufficient.
% Rather we will need an assumption that
% $P (\MQ'_{li}, \MC_{r})$ and $P (\MC_{l}, \MQ'_{rj})$ hold whenever
% $\MQ'_{li}$ is derived by a derivation no larger than the derivation
% of $\MQ_{li}$ (likewise for $\MQ'_{rj}$).
% This means that we need to define the height of a derivation tree, and
% therefore that we need to define a derivation tree value whose height can be
% defined and calculated.
% Since we have proved invertibility for the logical introduction rules,
% when the cut-formula is a compound formula, then, regardless of what the
% final rules in the actual derivation trees are, we can use the invertibility
% and reduce the problem to that of cuts on smaller formula.
% We then use the fact that for all the logical connnectives,
% with their left and right logical introduction rules,
% we can use cuts on the subformulae on the premises of the introduction rules
% to achieve the effect of a cut on the whole formula
% on the conclusions of those introduction rules.
% This is expressed in the following theorem:
% \begin{verbatim}
% gprstep_q: "[| All (ctr_adm ?drls); wk_adm ?drls;
% (?ps, {#} |- {#?A#}) : lksir; (?qs, {#?A#} |- {#}) : lksil;
% ?pse = map (extend (?Xl |- ?Yl)) ?ps;
% ?qse = map (extend (?Xr |- ?Yr)) ?qs;
% set ?pse Un set ?qse <= derrec ?drls {};
% ALL sfa. (sfa, ?A) : ipsubfml --> (ALL Xl Yl Xr Yr.
% (Xl |- mins sfa Yl, mins sfa Xr |- Yr) : cas ?drls sfa);
% extrs lksne <= ?drls |] ==> (?Xl + ?Xr |- ?Yl + ?Yr) : derrec ?drls {}"
% \end{verbatim}
% There then remains the cases where the cut-formula $A$ is not a compound formula
% introduced by the logical introduction rules in the sets
% \texttt{lksil} and \texttt{lksir}.
% This means that $A$ is either a boxed formula or a primitive proposition
% (or, in our formulation, a formula variable).
% Because the bottom rule on either side may be a contraction on $A$,
% in which case cutting with the premise of that rule is of no help,
% we look upwards on either side to the lowest rule
% which is not a contraction on $A$.
% We have a lemma \texttt{top\_ctr\_r} which says that you can go up a derivation
% tree to a rule which is not contraction on $A$ on the right.
% A similar lemma \texttt{top\_ctr\_l} applies to contraction on the left.
% \begin{verbatim}
% top_ctr_r: "[| ?ctrrl = ([{#} |- {#?A#} + {#?A#}], {#} |- {#?A#});
% valid ?rls ?dt; conclDT ?dt = extend ?flr ({#} |- {#?A#}) |] ==>
% EX dtn n. botRule dtn ~: extrs {?ctrrl} & valid ?rls dtn &
% heightDT ?dt = heightDT dtn + n &
% conclDT dtn = extend ?flr (times (Suc n) ({#} |- {#?A#}))"
% \end{verbatim}
% We then look at the final rule of that derivation tree (which is necessarily
% not a contraction).
% There are cases where the rule is either one of the box rules or is an
% extension $\rho'$ of a rule $\rho$ in \texttt{lkxcne},
% and in this case the rule may or may not have $A$ as its principal formula.
% Where the rule has $A$ (in succedent position) as its principal formula,
% it can only be weakening (or the axiom, which is a trivial case).
% In this case either there are no contractions following the weakening, in which
% case weakening (of $A$) makes the cut-elimination trivial, or
% we construct a tree without the weakening step and with one fewer contractions,
% and this tree has the same conclusion;
% as this tree is smaller, we can apply the inductive hypothesis that
% cut-elimination is available.
% % end of rwr_tacs
% Next there is the case where the principal formula of the rule $\rho$
% is not $A$.
% This case is like the parametric rule case of the simpler cut-elimiation
% proofs.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$X' \vdash Y', A^n$}
% \RightLabel{($\rho'$)}
% \UnaryInfC{$X \vdash Y, A^n$}
% \RightLabel{($\textit{ctr}^* \vdash$)}
% \UnaryInfC{$X \vdash Y, A$}
% \AxiomC{$A, U \vdash V$}
% \RightLabel{(\textit{cut ?})}
% \dottedLine
% \BinaryInfC{$X, U \vdash Y, V$}
% \end{prooftree}
% \end{center}
% Here we must apply the requisite number of contractions on $A$ to the premises
% of $\rho'$, then apply (using the inductive hypothesis) cut on $A$ to each of
% them, and finally apply $\rho''$ which is the appropriate (but different from
% $\rho'$) extension of $\rho$.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$X' \vdash Y', A^n$}
% \RightLabel{($\textit{ctr}^* \vdash$)}
% \UnaryInfC{$X' \vdash Y', A$}
% \AxiomC{$A, U \vdash V$}
% \RightLabel{(\textit{inductive cut})}
% \dottedLine
% \BinaryInfC{$X', U \vdash Y', V$}
% \RightLabel{($\rho''$)}
% \UnaryInfC{$X, U \vdash Y, V$}
% \end{prooftree}
% \end{center}
% The remaining case is where the last rule on the left above the contractions on
% $A$ is one of the $GTD$ rules.
% But as their conclusion is of the form $\Box \Gamma \vdash \Box A$,
% this tells us that there are in fact no contractions following this rule.
% We now look at the right side, and again, look for the last rule above a
% continuous sequence of contractions on the cut-formula.
% Among the cases of the last rule on the right above the contractions,
% the cases of axiom or weakening involving $A$, or an extension of
% a rule in \texttt{lkxcne} whose principal formula is not $A$, are similar to
% those above.
% This leaves us the case where the last rules on both sides above any
% contractions are the GTD rules.
% For the first case, the rule on the left is
% the $(\Box \vdash)$ rule as shown,
% and for the rule on the right,
% only its conclusion matters, and is as shown.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash \Box A$}
% \RightLabel{$(\Box\vdash)$}
% \UnaryInfC{$\Box \Gamma \vdash \Box A$}
% % \AxiomC{$A^n, \Box A^n, \Delta, \Box \Delta \vdash B'$}
% % \RightLabel{$\textit{ctr}^*\vdash$}
% % \UnaryInfC{$A, \Box A, \Delta, \Box \Delta \vdash B'$}
% \AxiomC{$\cdots$}
% \UnaryInfC{$\Box A^n, \Box \Delta \vdash \Box B$}
% \RightLabel{$(\textit{ctr}^*\vdash)$}
% \UnaryInfC{$\Box A, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{cut ?})}
% \dottedLine
% \BinaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% We use the inductive hypothesis permitting cutting $\Box A$ between
% $\Gamma, \Box \Gamma \vdash \Box A$ and $\Box A, \Box \Delta \vdash \Box B$
% then we use weakening and the $(\Box \vdash)$ rule, to get
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash \Box A$}
% \AxiomC{$\cdots$}
% \UnaryInfC{$\Box A, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{inductive cut})}
% \dottedLine
% \BinaryInfC{$\Gamma, \Box \Gamma, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{weak})}
% \UnaryInfC{$\Gamma, \Delta, \Box \Gamma, \Box \Delta \vdash \Box B$}
% \RightLabel{($\Box\vdash$)}
% \UnaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% The second case, with the $(\vdash \Box)$ rule on the left as shown,
% is more complicated.
% Note that, for the rule on the right, $B'$ can be either $\Box B$ or $B$.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash A$}
% \RightLabel{$(\Box\vdash)$}
% \UnaryInfC{$\Box \Gamma \vdash \Box A$}
% \AxiomC{$A^n, \Box A^n, \Delta, \Box \Delta \vdash B'$}
% \UnaryInfC{$\Box A^n, \Box \Delta \vdash \Box B$}
% \RightLabel{$(\textit{ctr}^*\vdash)$}
% \UnaryInfC{$\Box A, \Box \Delta \vdash \Box B$}
% \RightLabel{(\textit{cut ?})}
% \dottedLine
% \BinaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% In this case, from the premise on the right, we perform contractions on
% $\Box A$, then inductive cut on $\Box A$ with the conclusion on the left,
% then contractions on $A$, then cut on $A$ with the premise on the left,
% contraction(s) on $\Box \Gamma$, and finally an instance of the
% $(\vdash \Box)$ or $(\Box \vdash)$ rule (whichever was on the right before).
% The result is shown below.
% \begin{center}
% \begin{prooftree}
% \AxiomC{$\Gamma, \Box \Gamma \vdash A$}
% \AxiomC{$\Box \Gamma \vdash \Box A$}
% \AxiomC{$A^n, \Box A^n, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{$(\textit{ctr}^*\vdash)$}
% \UnaryInfC{$A^n, \Box A, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{(\textit{inductive cut})}
% \dottedLine
% \BinaryInfC{$A^n, \Box \Gamma, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{$(\textit{ctr}^*\vdash)$}
% \UnaryInfC{$A, \Box \Gamma, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{(\textit{inductive cut})}
% \dottedLine
% \BinaryInfC{$\Gamma, \Box \Gamma, \Box \Gamma, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{$(\textit{ctr}^*\vdash)$}
% \UnaryInfC{$\Gamma, \Box \Gamma, \Delta, \Box \Delta \vdash B'$}
% \RightLabel{$(\vdash \Box)$ or $(\Box \vdash)$}
% \UnaryInfC{$\Box \Gamma, \Box \Delta \vdash \Box B$}
% \end{prooftree}
% \end{center}
% Finally we combine these results to get the cut admissibility result,
% in terms of explicit derivation trees, and then in terms of derivability.
% \begin{verbatim}
% gtd_casdt: "(?dta, ?dtb) : casdt (lkxcss GTD) ?A" : Thm.thm
% gtd_cas: "(?cl, ?cr) : cas (lkxcss GTD) ?A" : Thm.thm
% \end{verbatim}
\subsection{Calculus for GTD} \label{s-cut-gtdns}
We now look at proving cut admissibility for a version of GTD without structural
rules, where the box rules have their conclusions (only)
extended with an arbitrary context, which permits weakening to be admissible.
We define the rules of the system as follows. The rules used for
classical logic (before extending them with a context) form the set
\texttt{lksne} where the rule sets \texttt{idrls}, \texttt{lksil} and
\texttt{lksir} are the axioms and the left and right logical
introduction rules: see Figure~\ref{S4:rules}.\marginpar{JED please
check verbatim code!}
\begin{definition}[\texttt{lkssx}]\label{def-lkssx}
Given, a rule set \verb!xrls!, every rule of \verb!xrls! is in the
rule set \verb!lkssx xrls!, and
every rule \verb!psc! in rule set \verb!lknse! gives a
rule in \verb!lkssx xrls! obtained by uniformly extending
both the premise and conclusion of \verb!psc! with an arbitrary
context (sequent) \verb!flr!:
\end{definition}
\begin{verbatim}
inductive "lkssx xrls" intros
x : "psc : xrls ==> psc : lkssx xrls"
extI : "psc : lksne ==> pscmap (extend flr) psc : lkssx xrls"
\end{verbatim}
\begin{definition}[\texttt{extcs}]\label{def-extcs}
Given a rule set \verb!rules!,
the rule set \verb!extcs rules! is obtained by extending only the
conclusion \verb!c! of each rule \verb!(ps, c)! in
\verb!rules! by an arbitrary context (sequent) \verb!flr! (while
leaving the premises unchanged):
\end{definition}
\begin{verbatim}
inductive "extcs rules" intros
I : "(ps, c) : rules ==> (ps, extend flr c) : extcs rules"
\end{verbatim}
The rule set for the logic GTD is obtained by
extending only the conclusion of the rule \verb!GTD! and by
extending every rule of \verb!lknse!, giving the rule set
\texttt{lkssx (extcs GTD)}.
\subsection{Weakening-admissibility for GTD}
First we prove weakening admissibility.
We use a lemma which allows us to apply Lemma~\ref{l-ext-concl-wk}.
\begin{lemma} \label{l-extrs-cs}
For any rule sets \texttt{rls} and \texttt{rlsa}
\begin{enumerate}
\item \texttt{extrs rlsa} $\cup$ \texttt{extcs rls}
satisfies \texttt{ext\_concl}
\item \texttt{extrs rlsa} $\cup$ \texttt{extcs rls}
satisfies weakening admissibility
\end{enumerate}
\begin{verbatim}
extrs_cs_ext_concl: "ext_concl (extrs ?rlsa Un extcs ?rls)"
wk_adm_extrs_cs: "wk_adm (extrs ?rlsa Un extcs ?rls)"
\end{verbatim}
\end{lemma}
\begin{proof}
The first part is easy, and the second follows using
Lemma~\ref{l-ext-concl-wk}.
\end{proof}
\begin{corollary} \label{c-wk-adm-lkssx-extcs}
GTD satisfies weakening admissibility.
\begin{verbatim}
wk_adm_lkssx_cs: "wk_adm (lkssx (extcs ?xrls))"
\end{verbatim}
\end{corollary}
\begin{proof}
Since the rule set \texttt{lkssx (extcs GTD)} for GTD is also equal to
\texttt{extrs lksne} $\cup$ \texttt{extcs GTD},
the result follows from Lemma~\ref{l-extrs-cs}.
\end{proof}
\subsection{Inversion and Contraction-admissibility for GTD}
For contraction admissibility,
first we need to prove invertibility of the logical rules.
The general method for doing this is that described in \S\ref{s-s4-inv-ctr}.
Recall the predicate \texttt{inv\_stepm}, which is used in an inductive proof
of invertibility, and that its three arguments are
\begin{itemize}
\item first, the set of \emph{derivation rules} with respect to which
the invertibility (a case of admissibility) is defined,
\item second, the set of rules whose invertibility is being considered
(the \emph{inversion rules})
\item third, the \emph{final rule} of a derivation ---
since we are talking about
proving the invertibility result by induction on the derivation, so the
inductive hypothesis is that the invertibility result applies to the premises
of this final rule
\end{itemize}
Recall that \texttt{inv\_stepm} (although not \texttt{inv\_step})
is monotonic in the derivation rules argument,
see Lemma~\ref{lemma:inv-stepm-monotonic}.
For the second argument the following property holds:
\begin{lemma} \label{l-inv-stepm-union}
For a given set of derivation rules \texttt{drls} and a given final rule
\texttt{psc}, if \texttt{inv\_stepm} applies for inversion rule sets
\texttt{irlsa} and \texttt{irlsb}, then it applies for
\texttt{irlsa} $\cup$ \texttt{irlsb}.
\end{lemma}
\begin{verbatim}
inv_stepm_Un:
"[| inv_stepm ?drls ?irlsa ?psc; inv_stepm ?drls ?irlsb ?psc |]
==> inv_stepm ?drls (?irlsa Un ?irlsb) ?psc"
\end{verbatim}
So far as the third argument is concerned,
the requirement to prove a rule is invertible is simply that
\texttt{inv\_stepm \ldots} applies for all cases of the third argument
(see Lemmas \ref{lemma:inv-from-inv-step} and
\ref{lemma:inv-step-from-inv-stepm}):
thus the lemmas we use are expressed to apply to single cases of the third
argument.
We now describe the lemmas used as building-blocks for the required
invertibility result.
\begin{lemma} \label{inv_stepm-lemmas}~\\
\begin{enumerate}
\item \texttt{inv\_stepm \ldots} applies where the
derivation rules and the set of rules to be inverted are
the classical logical rules \texttt{extrs lksne},
and the final rule is any one of those rules
\item \label{inv-stepm-disj}
where the set of inversion rules is the set of extensions of
a single skeleton whose conclusion is \texttt{ic}, and
the set of derivation rules is the set of extensions of
a single skeleton rule whose conclusion is \texttt{c},
and these skeleton conclusions
\texttt{ic} and \texttt{c} are disjoint
(ie, have no formula in common on the same side of the turnstile),
and the final rule is one of those derivation rules, then
\texttt{inv\_stepm \ldots} applies
\item \label{inv-stepm-disj-cs}
as for \ref{inv-stepm-disj}, except that the set of derivation rules
is the set of extensions in the conclusion only (using \texttt{extcs})
of the single skeleton
\item \label{inv-stepm-scrls}
where the set of inversion rules
and the set of derivation rules are each the set of extensions of
a single skeleton rule whose conclusion has a single formula,
and if those two skeletons' conclusions are equal
then the two skeletons are equal,
then \texttt{inv\_stepm \ldots} applies
\end{enumerate}
\end{lemma}
\begin{verbatim}
lks_inv_stepm:
"?psc : extrs lksne ==> inv_stepm (extrs lksne) (extrs lksne) ?psc"
inv_stepm_disj:
"[| seq_meet ?c ?ic = 0; extrs {(?ps, ?c)} = ?rls; ?rl : ?rls |] ==>
inv_stepm ?rls (extrs {(?ips, ?ic)}) ?rl"
inv_stepm_disj_cs:
"[| seq_meet ?c ?ic = 0; extcs {(?ps, ?c)} = ?rls; ?rl : ?rls |] ==>
inv_stepm ?rls (extrs {(?ips, ?ic)}) ?rl"
inv_stepm_scrls:
"[| extrs {?srl} = ?rls; ?rl : ?rls; ?srl : scrls; ?irl : scrls;
snd ?srl = snd ?irl --> ?srl = ?irl |] ==>
inv_stepm ?rls (extrs {?irl}) ?rl"
\end{verbatim}
Parts \ref{inv-stepm-disj} and \ref{inv-stepm-disj-cs}
(\texttt{inv\_stepm\_disj} and \texttt{inv\_stepm\_disj\_cs})
are for the case where the
principal formula
of the rule
to be inverted is in the context of
the conclusion of the last rule of the derivation:
the first premise gives us that the formula to be inverted is
not the principal formula of the rule, though it is expressed in a way
which is relevant to a case where the rules in question have more than just one
principal formula.
Part \ref{inv-stepm-scrls} (\texttt{inv\_stepm\_scrls}) (whose proof uses
part \ref{inv-stepm-disj}) uses the fact that for each formula there
is a unique introduction rule, so an inversion step is either
parametric or gives us the premise(s) of the last rule applied.
%gtdns_inv_rl: "Ball (extrs lksne) (inv_rl (lkssx (extcs GTD)))"
\begin{lemma}
Every rule of \verb!lksss! is invertible in the calculus for GTD.
\end{lemma}
\begin{verbatim}
gtdns_inv_rl: "Ball (extrs lksne) (inv_rl (lkssx (extcs GTD)))"
\end{verbatim}
\begin{proof}
This uses Lemmas \ref{lemma:inv-from-inv-step},
\ref{lemma:inv-step-from-inv-stepm} and \ref{inv_stepm-lemmas}.
\end{proof}
Then, to prove contraction admissibility, we follow an approach very similar
to \S\ref{s-s4-inv-ctr}.
For the rules ($\Box\vdash$) and ($\vdash\Box$), the proof for the cases
where either of these is the final rule is just the same as for the
S4$\Box$ rule in \S\ref{s-s4-inv-ctr}.
Thus we get the result
\begin{lemma} \label{l-gtd-ctr}
Contraction is admissible in GTD.
\end{lemma}
\begin{verbatim}
gtdns_ctr_adm: "ctr_adm (lkssx (extcs GTD)) ?A"
\end{verbatim}
\comment{ requires too much explanation
MOVE THIS TO \S\ref{s-s4-inv-ctr} ??
We used a useful and quite general lemma
to handle the case where at least one of the copies of the formula to be
contracted arises from the extension of the conclusion of the box rule.
\begin{verbatim}
ctxt_ctr_adm_step1_cs: "[| pg_meet ?concl (?As + ?As) <= ?As;
?rl = (?ps, ?concl); (?ps, extend ?flr ?concl) = ?erl;
extcs {?rl} <= ?rules |] ==> ctr_adm_step1 (derrec ?rules {}) ?erl ?As"
\end{verbatim}
\texttt{ctr\_adm\_step1} is a simplified version of \texttt{ctr\_adm\_step},
without the inductive hypothesis relating to smaller formulae.
}
\subsection{Cut-admissibility for GTD}
Now, for cut admissibility: the difficult cases are where the last rule on both
sides is one of the two box rules ($\vdash\Box$) and ($\Box\vdash$):
\marginpar{Jem, I think leave the contexts in here as they make sense.}
$$
\frac{\wbx\Gamma, \Gamma \vdash B}
{\Sigma, \Box \Gamma \vdash \Box B, \Delta} (\vdash\Box)
\qquad\qquad\qquad
\frac{\wbx\Gamma, \Gamma \vdash \Box B}
{\Sigma, \Box \Gamma \vdash \Box B, \Delta} (\Box\vdash)
$$
Since the proof is effectively the same whichever of these two rules is on the
right, we define \texttt{s4g} such that
\begin{itemize}
\item
\texttt{s4g} $(\lambda B.\ \{B, \Box B\})$
is all instances of either $(\vdash\Box)$ or $(\Box\vdash)$,
\item
\texttt{s4g} $(\lambda B.\ \{B\})$ is all instances of $(\vdash\Box)$, and
\item
\texttt{s4g} $(\lambda B.\ \{\Box B\})$ is all instances of $(\Box\vdash)$.
\end{itemize}
where the function \texttt{prs B} encapsulates the choices of $B$
and/or $\Box B$, as required and where
\verb!s4g prs! below encodes only the skeletons of the rules above:
see the definition of GTD in \ref{section-gtd}.
\begin{verbatim}
inductive "s4g prs"
intros
I : "A : prs B ==>
([mset_map Box X + X |- {#A#}], mset_map Box X |- {#Box B#}) : s4g prs"
\end{verbatim}
The case of the ($\vdash\Box$) rule on the left is dealt with in
\S\ref{s-s4-cut}: depending on whether we have the
rule ($\vdash\Box$) or ($\Box\vdash$) on the right, we may need to change
$B$ to $\Box B$ in the diagrams there.
For the case where we have the ($\Box\vdash$) rule on the left,
the proof is as in the following diagram, where $B'$ is $B$ or $\Box B$.
\begin{center}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash \Box A$}
\LeftLabel{$\Box\vdash$}
\UnaryInfC{$\Sigma_L, \wbx \Gamma_L \vdash \Delta_L, \wbx A$}
\AxiomC{$\Pi_r$}
\noLine
\UnaryInfC{$A, \wbx A, \Gamma_R, \wbx \Gamma_R \vdash B'$}
\LeftLabel{$\Box\vdash$ or $\vdash\Box$}
\UnaryInfC{$\wbx A, \Sigma_R, \wbx \Gamma_R \vdash \wbx B, \Delta_R$}
\LeftLabel{Cut on $\wbx A$}
\BinaryInfC{$\Sigma_L, \Sigma_R, \wbx \Gamma_L, \wbx \Gamma_R \vdash
\wbx B, \Delta_L, \Delta_R$}
\DisplayProof
\end{center}
As in \S\ref{s-s4-cut}, we modify the original derivation of a premise,
in this case the right premise, by simply not adding any context in the
conclusion. This produces a derivation of equal height
upon which we can still apply the induction hypothesis on level.
Formally,
the $\Sigma$ and $\Delta$ of the generic
box rule ($\vdash\Box$) or ($\Box\vdash$).
are $\emptyset$ in the new instance below:
\begin{center}
\AxiomC{$\Pi_l$}
\noLine
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L \vdash \Box A$}
\AxiomC{$\Pi_r$}
\noLine
\UnaryInfC{$A, \wbx A, \Gamma_R, \wbx \Gamma_R \vdash B'$}
\RightLabel{$\Box\vdash$ or $\vdash\Box$ (new)}
\UnaryInfC{$\wbx A, \wbx \Gamma_R \vdash \Box B$}
\RightLabel{Cut on $\wbx A$}
\BinaryInfC{$\Gamma_L, \wbx \Gamma_L, \wbx \Gamma_R \vdash \Box B$}
\RightLabel{Weakening-admissibility}
\UnaryInfC{$\Gamma_L, \wbx \Gamma_L, \Gamma_R, \wbx \Gamma_R \vdash \Box B$}
\RightLabel{$\Box\vdash$}
\UnaryInfC{$\Sigma_L, \Sigma_R, \wbx \Gamma_L, \wbx \Gamma_R \vdash
\wbx B, \Delta_L, \Delta_R$}
\DisplayProof
\end{center}
\comment{
OMIT? This gives the result \texttt{gtd\_box\_box\_lem} below.
OMIT THESE?
\begin{verbatim}
s4_box_box_lem:
"[| ?prsl = (%B. {B}); wk_adm ?drls; All (ctr_adm ?drls);
extcs (s4g ?prsl) <= ?drls; extcs (s4g ?prsr) <= ?drls;
(map conclDT ?dtll, ?cl) : extcs (s4g ?prsl);
(map conclDT ?dtlr, ?cr) : extcs (s4g ?prsr) |]
==> sumh_step2_tr (prop2 casdt ?drls) ?A ipsubfml
(Der ?cl ?dtll, Der ?cr ?dtlr)"
gtd_box_box_lem:
"[| ?prsl = (%B. {Box B}); wk_adm ?drls; All (ctr_adm ?drls);
extcs (s4g ?prsl) <= ?drls; extcs (s4g ?prsr) <= ?drls;
(map conclDT ?dtll, ?cl) : extcs (s4g ?prsl);
(map conclDT ?dtlr, ?cr) : extcs (s4g ?prsr) |]
==> sumh_step2_tr (prop2 casdt ?drls) ?A ipsubfml
(Der ?cl ?dtll, Der ?cr ?dtlr)"
\end{verbatim}
}
For the cut-elimination proof we also use results for the
parametric cases, that is, where the cut-formula appears in the context of the
last rule on either side above the cut.
This includes cases where that rule is in \texttt{extrs} \ldots
(where the rule has a context which appears in premises and conclusion)
and where that rule is in \texttt{extcs} \ldots
(where the rule has a context which appears only in the conclusion).
The following lemma is used for the common situation of a cut which is
parametric with respect to the last rule of the left-hand derivation.
\begin{lemma}[\texttt{lcg\_gen\_step}] \label{l-param-step}
Consider a set \texttt{erls} of derivation rules,
for which weakening is admissible, and which contains all extensions
a skeleton rule $\rho$ whose conclusion is $U \vdash V$.
Consider two derivations of which the final rule of the left side
is an extension of $\rho$.
Then for a cut-formula $A$ which is not contained in $V$,
the inductive step condition \texttt{gen\_step2\_sr \ldots} holds for the
admissibility of a cut on $A$.
\end{lemma}
A similar lemma \texttt{lcg\_gen\_steps\_extcs}
holds for the case where only extensions in the conclusion of
$\rho$ are contained in \texttt{erls}.
\begin{verbatim}
lcg_gen_step: "[| wk_adm ?erls; extrs {(?ps, ?U |- ?V)} <= ?erls; ~ ?A :# ?V;
?pscl = pscmap (extend (?W |- ?Z)) (?ps, ?U |- ?V) |] ==>
gen_step2sr (prop2 car ?erls) ?A ?any ?erls (?pscl, ?pscr)"
lcg_gen_steps_extcs:
"[| wk_adm ?rls; extcs {(?ps, ?c)} <= ?rls; ~ ?A :# succ ?c |] ==>
gen_step2sr (prop2 car ?rls) ?A ?sub ?rls ((?ps, extend ?flr ?c), ?psr, ?cr)"
\end{verbatim}
Finally we need to deal with the cases of matching instances of the usual
logical introduction rules.
Here we use a general result giving requirements for certain cases of the
final rules on either side of a putative cut to satisfy the step condition
for cut-admissibility.
It uses a property \texttt{c8\_ercas\_prop}, which encodes the property that a
cut which is principal (ie, the cut formula is introduced by a
logical introduction rule in the final step) on both sides
is reducible to cuts on sub-formulae.
It is loosely defined as follows:
\begin{definition}[\texttt{c8\_ercas\_prop}] \label{d-c8-ercas-prop}
Given a set of derivation rules \texttt{prls},
a cut-formula $A$, a subformula relation \texttt{psubfml},
and a set of skeleton rules (typically logical introduction rules) \texttt{rls},
\texttt{c8\_ercas\_prop psubfml prls A rls}
means: \\
assuming that we have cut-admissibility for cut-formulae smaller than $A$,
where two derivations have as their final sequents
$X_l \vdash A, Y_l$ and $X_r, A \vdash Y_r$, and on both sides
the final rule introduces $A$ using logical introduction rules in \texttt{rls},
then $X_l, X_r \vdash Y_l, Y_r$ is derivable,
that is, the cut on $A$ is admissible.
\end{definition}
Of course whether \texttt{c8\_ercas\_prop} holds depends on the specific set of
logical rules in question.
Beyond that, however, the following lemma is quite general.
\begin{lemma} \label{l-gs2sr-alle}
Given a set of derivation rules \texttt{prls},
a cut-formula $A$, and a subformula relation \texttt{psubfml}, if
\begin{itemize}
\item \texttt{prls} satisfy weakening admissibility
\item there is a set \texttt{rls} of skeleton rules all of whose extensions are
contained in \texttt{prls}
\item all rules in \texttt{rls}, other than axiom rules $B \vdash B$,
have a single formula in their conclusion
\item the axiom rules are also in \texttt{prls}
\item \texttt{prls} and \texttt{rls} satisfy \texttt{c8\_ercas\_prop}
\item the final rules of two derivations are extensions of rules in
\texttt{rls}
\end{itemize}
then the step condition \texttt{gen\_step2sr} for cut-admissibility for the two
derivations is satisfied.
\end{lemma}
\begin{verbatim}
gs2sr_alle: "[| wk_adm ?prls; c8_ercas_prop ?psubfml ?prls ?A ?rls;
?rls <= iscrls; idrls <= ?prls; extrs ?rls <= ?prls;
(?psa, ?ca) : extrs ?rls; (?psb, ?cb) : extrs ?rls |] ==>
gen_step2sr (prop2 car ?prls) ?A ?psubfml ?prls ((?psa, ?ca), ?psb, ?cb)"
\end{verbatim}
\comment{
This theorem (which incorporates the parametric cases) uses
\texttt{c8\_ercas\_prop} which says essentially
that if both sides of the cut are logical introduction rules,
and cut is admissible on smaller cut-formulae,
then the cut in question is admissible.
(LATER - on looking back at the previous section I find the result
\texttt{gprstep\_q} shown -
basically that result plus the case of the axiom rules gives us
\texttt{gen\_lksne\_c8sg} below)
Omitting the definition of \texttt{c8\_ercas\_prop},
here is the theorem which uses it:
\begin{verbatim}
c8_ercas_gs2: "[| c8_ercas_prop ?psubfml ?drls ?A ?c8rls;
?prl = (?ps, 0 |- {#?A#}); ?prl : ?c8rls;
?qrl = (?qs, {#?A#} |- 0); ?qrl : ?c8rls;
?eprl = pscmap (extend ?pe) ?prl; ?eqrl = pscmap (extend ?qe) ?qrl |] ==>
gen_step2sr (prop2 car ?drls) ?A ?psubfml ?drls (?eprl, ?eqrl)"
\end{verbatim}
end comment }
We apply this result to the logic GTD using first another general result
\begin{lemma}[\texttt{gen\_lksne\_c8}] \label{l-gen-lksne-c8}
If a set of derivation rules \texttt{drls} satisfies weakening admissibility
and contraction admissibility, and contains the extensions of the logical
introduction rule skeletons \texttt{lksne} then the condition
\texttt{c8\_ercas\_prop} is satisfied
(for the usual immediate proper subformula relation and for any cut-formula).
\end{lemma}
\begin{verbatim}
gen_lksne_c8:
"[| ALL A'. ctr_adm ?drls A' ; wk_adm ?drls; extrs lksne <= ?drls |]
==> c8_ercas_prop ipsubfml ?drls ?A lksne"
\end{verbatim}
\begin{corollary}[\texttt{gtdns\_lksne\_c8}] \label{c-gtdns-lksne-c8}
GTD satisfies \texttt{c8\_ercas\_prop} in relation to the
logical introduction rule skeletons \texttt{lksne}.
\end{corollary}
\begin{verbatim}
gtdns_lksne_c8: "c8_ercas_prop ipsubfml (lkssx (extcs GTD)) ?A lksne"
\end{verbatim}
Finally we get the cut admissibility result:
\begin{theorem}[\texttt{gtdns\_casdt, gtdns\_cas}] \label{t-GTD-ca}
GTD satisfies cut-admissibility.
\end{theorem}
\begin{verbatim}
gtdns_casdt: "(?dt, ?dta) : casdt (lkssx (extcs GTD)) ?A"
gtdns_cas:
"(?Xl |- mins ?A ?Yl, mins ?A ?Xr |- ?Yr) : cas (lkssx (extcs GTD)) ?A"
\end{verbatim}
\section{Dynamic Topological Logic S4C}\label{s-s4cns}
This section describes Isabelle proofs of the
cut admissibility of the logic S4C described in \cite{mints-jaegerfest}
This system has two ``modal'' operators, $\Box$ and $\circ$.
The $S4$-axioms hold for $\Box$, $\circ$ commutes with the boolean operators,
and the following are given:
\begin{align*}
\circ (A \to B) & \leftrightarrow (\circ A \to \circ B) \\
\circ \bot & \leftrightarrow \bot \\
\circ \Box A & \to \Box \circ A
\end{align*}
The following sequent rules are given for S4C by Mints \cite{mints-jaegerfest}
$$
\frac{\circ^k A, \Gamma \vdash \Delta, \circ^k B}
{\Gamma \vdash \Delta, \circ^k (A \to B)}(\vdash\to)
\qquad
\frac{\Gamma \vdash \Delta, \circ^k A \quad \circ^k B, \Gamma \vdash \Delta}
{\circ^k (A \to B), \Gamma \vdash \Delta}(\to\vdash)
$$
$$
\frac{\circ^k A, \Gamma \vdash \Delta}
{\circ^k \Box A, \Gamma \vdash \Delta}(\Box\vdash)
\qquad
\frac{\Gamma \vdash \Delta}
{\circ \Gamma \vdash \circ \Delta}(\circ)
\qquad
\frac{\mathcal B \vdash A}{\mathcal B \vdash \Box A}(\vdash\Box)
$$
In the $(\vdash\Box)$ rule, $\mathcal B$ must consist of
``$\Box$-formulae'', that is, formulae of the form $\circ^k \Box A$.
As this presentation omits the other logical operators,
we include, for them, the usual logical introduction rules
with the principal and side formulae preceded by $\circ^k$ just
as with the $(\vdash\to)$ and $(\to\vdash)$ rules shown above.
% The property we will prove inductively is mix (rather than cut) admissibility.
We use a version of the system without structural rules: we prove
invertibility of the logical rules and contraction admissibility.
In fact the presence of the $(\circ)$ rule adds to the complexity of the proof
and is dealt with in a rather similarly to how we dealt with contraction in
proving cut admissibility for GTD.
As we do not have the structural rules,
we use a presentation of the system which
\begin{itemize}
\item allows an arbitrary context to be added to the conclusion (only) of the
$(\vdash \Box)$ and $(\circ)$ rules
\item uses a version of the $(\Box \vdash)$
rule which includes the principal formula in the premise
\end{itemize}
$$
\frac{\Gamma \vdash \Delta}
{\Sigma, \circ \Gamma \vdash \circ \Delta, \Pi}(\circ)
\qquad
\frac{\mathcal B \vdash A}{\Gamma, \mathcal B \vdash \Box A, \Delta}
(\vdash\Box)
\qquad
\frac{\circ^k \Box A, \circ^k A, \Gamma \vdash \Delta}
{\circ^k \Box A, \Gamma \vdash \Delta}(\Box\vdash)
$$
\subsection{Calculus for S4C}
We now describe how we formalised the system.
First we define the rules which can be extended by an arbitrary context
in their premises and conclusion.
Without the context, these rules form the set \texttt{s4cnsne}.
Applying \texttt{nkmap} $k$ to a rule applies $\circ^k$ to each formula
appearing in that rule.
\begin{verbatim}
inductive "s4cnsne"
intros
id : "psc : idrls ==> psc : s4cnsne"
circ_il : "rl : lksil ==> nkmap k rl : s4cnsne"
circ_ir : "rl : lksir ==> nkmap k rl : s4cnsne"
circ_T : "rl : lkrefl ==> nkmap k rl : s4cnsne"
inductive "lkrefl"
intros
I : "([{#A#} + {#Box A#} |- {#}], {#Box A#} |- {#}) : lkrefl"
defs
nkmap_def : "nkmap k == pscmap (seqmap (funpow Circ k))"
inductive "s4cns"
intros
extI : "rl : s4cnsne ==> pscmap (extend (U |- V)) rl : s4cns"
extcsI : "(ps, c) : circ Un s4cbox ==> (ps, extend (U |- V) c) : s4cns"
inductive "circ"
intros
I : "([seq], seqmap Circ seq) : circ"
inductive "s4cbox"
intros
boxI : "M : msboxfmls ==> ([M |- {#A#}], M |- {#Box A#}) : s4cbox"
inductive "msboxfmls"
intros
I : "ALL f. f :# M --> f : boxfmls ==> M : msboxfmls"
inductive "boxfmls"
intros
I : "funpow Circ k (Box B) : boxfmls"
\end{verbatim}
We first need to prove admissibility of the structural rules, weakening and
contraction.
QUESTION - we did prove contraction admissibility, but is it essential?
\subsection{Weakening for S4C}
Weakening admissibility was straightforward using Lemma~\ref{l-ext-concl-wk}.
\subsection{Inversion and Contraction-admissibility for S4C}
Invertibility of the logical introduction rules was dealt with using multiple
lemmas showing various cases of \texttt{inv\_stepm}, as described in
\S\ref{s-s4-inv-ctr}: as noted there,
a proof of invertibilty can be split up into
\begin{itemize}
\item the invertibility of various different rules
\item cases of what the last rule in the derivation,
from whose conclusion we wish to apply one of the inverted rules
\end{itemize}
As in \S\ref{s-s4-inv-ctr}, we make significant use of
Lemma~\ref{lemma:inv-stepm-monotonic}.
We then prove contraction admissibility.
In part this also makes use of the general result
This uses predicates and results which are essentially
Definition~\ref{d-gen-step} and Lemma~\ref{genstep:lem},
but instantiated to apply to the property of contraction admissibility,
giving the property \texttt{ctr\_adm\_step} and a lemma
\texttt{gen\_ctr\_adm\_step}.
\comment{
The formalisation performs the necessary transformations
using a simple instantiation \texttt{gen\_ctr\_adm\_step} (not shown)
of the induction principle \texttt{gen\_step\_lem} of
Theorem~\ref{genstep:lem}.
MENTIONED AT \ref{t-gs4-ctr-adm} --- SHOULD THIS GO THERE?
PROPOSE TO DELETE THESE DETAILS
\begin{verbatim}
gen_ctr_adm_step: "[| ?A : wfp ?sub;
ALL dt. ALL (ps, concl):?rules.
ctr_adm_step ?sub (derrec ?rules {}) (ps, concl) dt |]
==> ctr_adm ?rules ?A"
ctr_adm_step_eq: "ctr_adm_step ?sub ?derivs (?ps, ?concl) ?A =
(ALL As. ms_of_seq As = {#?A#} -->
(ALL A'. (A', ?A) : ?sub --> (ALL As. ms_of_seq As = {#A'#} -->
(ALL XY. XY : ?derivs --> As + As <= XY --> XY - As : ?derivs))) -->
(ALL p:set ?ps. p : ?derivs & (As + As <= p --> p - As : ?derivs)) -->
As + As <= ?concl --> ?concl - As : ?derivs)"
\end{verbatim}
}
We now look at proving \texttt{ctr\_adm\_step} for each possible case for
the last rule of a derivation.
\begin{lemma} \label{l-gen-ctr-adm-step-inv}
If
\begin{itemize}
\item rule set $lrls$ consists of rules
which are the identity (axiom) rules $A \vdash A$,
or are rules with a single formula in their conclusion,
\item all rule in $lrls$ have the ``subformula'' property
(which here means that for every premise \emph{other than a premise which
contains the conclusion}, every formula in that premise is a subformula of a
formula in the conclusion
\item the rule set $drls$ (derivation rules) contains the extensions of $lrls$
\item in regard to the derivation rules $drls$, the inverses of extensions of
$lrls$ are admissible
\item rule $(ps, c)$ is an extension of a rule of $lrls$
\end{itemize}
then the contraction admissibility step \texttt{ctr\_adm\_step}
holds for the final rule $(ps, c)$ and the derivation rule set $drls$.
\end{lemma}
So the conclusion of this lemma means: assuming that
\begin{itemize}
\item contraction on formulae $A'$ smaller than $A$ is admissible, and
\item contraction on $A$ is admissible in the sequents $ps$
\end{itemize}
then contraction on $A$ in sequent $c$ is admissible.
\begin{verbatim}
gen_ctr_adm_step_inv:
"[| ?epsc : extrs ?lrls; ?lrls <= iscrls; extrs ?lrls <= ?drls;
Ball ?lrls (subfml_cp_prop ?sub);
Ball (extrs ?lrls) (inv_rl ?drls) |] ==>
ctr_adm_step ?sub (derrec ?drls {}) ?epsc ?A"
subfml_cp_prop.simps:
"subfml_cp_prop ?sub (?ps, ?c) =
(ALL p:set ?ps. ?c <= p |
(ALL fp. ms_mem fp p --> (EX fc. ms_mem fc ?c & (fp, fc) : ?sub)))"
\end{verbatim}
Then the other cases of \texttt{ctr\_adm\_step} were proved separately:
\begin{lemma} \label{l-s4c-ctr-box-circ}
In S4C, for derivations with final rules $(\vdash \Box)$ and $(\circ)$
(extended in their conclusions), the
inductive contraction admissibility step \texttt{ctr\_adm\_step} holds.
\end{lemma}
\begin{verbatim}
ctr_adm_step_s4cbox:
"[| ?psc = (?ps, ?c); ?psc : extcs s4cbox; extcs s4cbox <= ?drls |]
==> ctr_adm_step ?sub (derrec ?drls {}) ?psc ?A"
ctr_adm_step_circ:
"[| ?psc = (?ps, ?c); ?psc : extcs circ; extcs circ <= ?drls |]
==> ctr_adm_step ipsubfml (derrec ?drls {}) ?psc ?A"
\end{verbatim}
Consequently, we get contraction admissibilty.
The only case not convered above is for the reflexivity rule $(\Box\vdash)$,
in its form where the principal formula is copied to the premise.
This is required for contraction admissibility, which becomes simple
with the rule in this form.
\begin{lemma}[\texttt{s4cns\_ctr\_adm}] \label{l-s4c-ctr}
Contraction is admissible in GTD.
\end{lemma}
\begin{verbatim}
s4cns_ctr_adm: "ctr_adm s4cns ?A"
\end{verbatim}
\subsection{Cut-admissibility for S4C}
To prove cut admissibility for a system of rules containing an explicit
contraction rule, two methods are
\begin{itemize}
\item to prove mix-elimination directly, where the property proved by
induction on the derivation is that any instance of the mix rule is admissible
\item in respect of the derivations on either side of the cut, to
look up the derivation skipping over consecutive instances of contraction on
the cut-formula, and consider the various cases of the next rule on either
side above those contractions.
\end{itemize}
We do something similar to the second approach here, but we look up the
derivations on either side to find the last rule before a consecutive
sequence of $(\circ)$ rules.
For this we use the theorem \texttt{top\_circ\_ns}.
In some cases we also need the fact that if the bottom rule is not $(\circ)$,
then the tree asserted to exist is actually the original one.
The function \texttt{forget} exists simply to prevent automatic case splitting
of its argument: logically it does nothing.
\begin{lemma}[\texttt{top\_circ\_ns}] \label{l-top-circ-ns}
Given a valid derivation tree \texttt{dt}, then there is a valid tree
\texttt{dtn} and an integer $k$ such that
\begin{itemize}
\item the bottom rule of \texttt{dtn} is not $(\circ)$,
\item the conclusions $c$ and $c'$ of \texttt{dt} and \texttt{dtn}
are related by $c = \circ^k c'$
\item height of \texttt{dt} = height of \texttt{dtn} $ + k$
\item \texttt{dt} and \texttt{dtn} iff $k = 0$ iff the bottom rule of
\texttt{dt} is not $(\circ)$
\end{itemize}
\end{lemma}
\begin{verbatim}
top_circ_ns: "valid ?rls ?dt ==> EX dtn k.
botRule dtn ~: extcs circ & valid ?rls dtn &
seqmap (funpow Circ k) (conclDT dtn) <= conclDT ?dt &
heightDT ?dt = heightDT dtn + k &
forget ((k = 0) = (botRule ?dt ~: extcs circ) & (k = 0) = (dtn = ?dt))"
forget_def: "forget ?f == ?f"
\end{verbatim}
But one easy case is where the last rule on \emph{both} sides is the $(\circ)$
rule: then we can apply cut (on a smaller formula) to the premises of the
$(\circ)$ rules, and then apply the $(\circ)$ rule.
So when we look at the $(\circ)$ rules on both sides immediately preceding the
cut, we need only bother about the case where the number of those
$(\circ)$ rules is zero on one side.
First, the case where both rules are the $(\vdash\Box)$ rule.
The fact that the conclusions of both the $(\circ)$ rule and the $(\vdash\Box)$
rule may be extended by an arbitrary context complicates matters.
Consider the following diagram of a number of $(\circ)$ rules followed by the
$(\vdash\Box)$ rule.
\begin{center}
\begin{prooftree}
\AxiomC{$\M \vdash A$}
\RightLabel{$(\vdash\Box)$}
\UnaryInfC{$\Gamma, \M \vdash \Box A, \Delta$}
\RightLabel{$(\circ^*)$}
\UnaryInfC{$\Gamma', \circ^k \Gamma, \circ^k \M \vdash
\circ^k \Box A, \circ^k \Delta, \Delta'$}
\end{prooftree}
\end{center}
In this case we can instead construct the following derivation tree,
which is of the same height.
\begin{center}
\begin{prooftree}
\AxiomC{$\M \vdash A$}
\RightLabel{$(\vdash\Box)$}
\UnaryInfC{$\M \vdash \Box A$}
\RightLabel{$(\circ^*)$}
\UnaryInfC{$\circ^k \M \vdash \circ^k \Box A$}
\end{prooftree}
\end{center}
Thus we can use, in proving an inductive step, the fact that
$\circ^k \M \vdash \circ^k \Box A$ is derivable, and with a derivation
of the same height as that of $\Gamma', \circ^k \Gamma, \circ^k \M \vdash
\circ^k \Box A, \circ^k \Delta, \Delta'$.
This will be used in our proofs without further comment.
Now, where the cut-formula is within $\circ^k \Delta, \Delta'$
(where this is the derivation tree on the left of a desired cut),
or within $\Gamma', \circ^k \Gamma$ (where this tree is on the right),
the cut is admissible because we can
start from the derivable sequent $\M \vdash A$ and apply $(\vdash\Box)$ and
$\circ$ rule without any extra formulae in the conclusions, as discussed above.
In this case we just use weakening admissibility
to obtain the result of the cut.
These situations are covered by Lemma~\ref{l-s4cns-cs-param-l}
(\texttt{s4cns\_cs\_param\_l''}) and the symmetric
result \texttt{s4cns\_cs\_param\_r''}.
\begin{lemma} \label{l-s4cns-cs-param-l}
Let the left premise subtree of a desired cut be \texttt{dt},
with \texttt{dtn} and $k$ as in Lemma~\ref{l-top-circ-ns},
let the bottom rule of \texttt{dtn} be an extension (of the conclusion) of
a rule in \texttt{s4cns} whose conclusion is $cl \vdash cr$,
and let $C$ not be in $\circ^k cr$.
Then the inductive step \texttt{sumh\_step2\_tr} for proving cut-admissibility
with cut-formula $C$ holds.
\end{lemma}
\begin{verbatim}
s4cns_cs_param_l'':
"[| (?ps, ?cl |- ?cr) : s4cns; botRule ?dtn : extcs {(?ps, ?cl |- ?cr)};
count (mset_map (funpow Circ ?k) ?cr) ?C = 0; valid s4cns ?dtn |] ==>
sumh_step2_tr (prop2 casdt s4cns) ?C ?sub
(Der (seqmap (funpow Circ ?k) (conclDT ?dtn) + ?flr) ?list,
Der ?dtr ?lista)"
\end{verbatim}
A similar pair of results, discussed later (see Lemma~\ref{l-s4cns-param-l}),
covers the case where the rule above the $(\circ)$
rules is a base rule which is extended by an arbitrary context in its
conclusion \emph{and} its premises.
Now we can assume that the cut-formula is within the principal part of the
rule before the $(\circ)$ rules (noting that for the $(\vdash\Box)$ rule
the ``principal part'' means the entire $\M \vdash \Box A$).
Then there must be zero $(\circ)$ rules on the right side (because if there are
zero $\circ$ rules on the left, then the cut-formula must be $\Box A$, whence
there would also be zero $(\circ)$ rules on the right.
\begin{center}
\begin{prooftree}
\AxiomC{$\M \vdash A$}
\RightLabel{$(\vdash\Box)$}
\UnaryInfC{$\Gamma, \M \vdash \Box A, \Delta$}
\RightLabel{$(\circ^*)$}
\UnaryInfC{$\Gamma', \circ^k \Gamma, \circ^k \M \vdash
\circ^k \Box A, \circ^k \Delta, \Delta'$}
\AxiomC{$\circ^k \Box A, \M' \vdash B$}
\RightLabel{$(\vdash\Box)$}
\UnaryInfC{$\Gamma'', \circ^k \Box A, \M' \vdash \Box B, \Delta''$}
\RightLabel{(\textit{cut ?})}
\dottedLine
\BinaryInfC{$\Gamma', \circ^k \Gamma, \Gamma'', \circ^k \M, \M' \vdash
\Box B, \circ^k \Delta, \Delta', \Delta''$}
\end{prooftree}
\end{center}
Here we do the cut, by induction, before the $(\vdash\Box)$ rule on the right,
using a derivation like that on the left, but without any context,
then we apply the $(\vdash\Box)$ rule, introducing the required context.
\begin{center}
\begin{prooftree}
\AxiomC{$\M \vdash A$}
\RightLabel{$(\vdash\Box)$}
\UnaryInfC{$\M \vdash \Box A$}
\RightLabel{$(\circ^*)$}
\UnaryInfC{$\circ^k \M \vdash \circ^k \Box A$}
\AxiomC{$\circ^k \Box A, \M' \vdash B$}
\RightLabel{(\textit{inductive cut})}
\dottedLine
\BinaryInfC{$\circ^k \M, \M' \vdash B$}
\RightLabel{$(\vdash\Box)$}
\UnaryInfC{$\Gamma', \circ^k \Gamma, \Gamma'', \circ^k \M, \M' \vdash
\Box B, \circ^k \Delta, \Delta', \Delta''$}
\end{prooftree}
\end{center}
For the other cases, we first consider the ``parametric'' cases,
where the last rule above the $(\circ)$ rules is an extension $\rho'$
of a rule $\rho$ in \texttt{s4cnsne},
and the principal formula of $\rho$ is not the ``de-circled'' cut-formula $A$.
Recall that \texttt{s4cnsne} consists of the axiom, logical introduction rules
and the $(\Box\vdash)$ rule, as skeletons (ie, not extended with context),
but with $\circ^k$ applied to their formulae.
\begin{center}
\begin{prooftree}
\AxiomC{$X' \vdash Y', A$}
\RightLabel{($\rho'$)}
\UnaryInfC{$X \vdash Y, A$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$W, \circ^k X \vdash \circ^k Y, \circ^k A, Z$}
\AxiomC{$\circ^k A^m, U \vdash V$}
\RightLabel{(\textit{cut ?})}
\dottedLine
\BinaryInfC{W, $\circ^k X, U \vdash \circ^k Y, Z, V$}
\end{prooftree}
\end{center}
Here we must apply the $\circ$ rule the requisite number of times
to the premise(s) of $\rho'$,
then apply (using the inductive hypothesis) cut on $\circ^k A$ to each of
them, and finally apply $\rho''$ which we get by applying
$\circ^k$ to $\rho$, and then extending it appropriately.
This uses the result that if a rule is in \texttt{s4cnsne}
then so is the result of applying $\circ^k$ to all formulae in its premises and
conclusion.
\begin{verbatim}
s4cnsne_nkmap: "?r : s4cnsne ==> nkmap ?k ?r : s4cnsne"
\end{verbatim}
\begin{center}
\begin{prooftree}
\AxiomC{$X' \vdash Y', A$}
\RightLabel{($\circ^*$)}
\UnaryInfC{W, $\circ^k X' \vdash \circ^k Y', \circ^k A, Z$}
\AxiomC{$\circ^k A^m, U \vdash V$}
\RightLabel{(\textit{inductive cut})}
\dottedLine
\BinaryInfC{W, $\circ^k X', U \vdash \circ^k Y', Z, V$}
\RightLabel{($\rho''$)}
\UnaryInfC{W, $\circ^k X, U \vdash \circ^k Y, Z, V$}
\end{prooftree}
\end{center}
Lemma~\ref{l-s4cns-param-l} (\texttt{s4cns\_param\_l'}) and
the symmetric result \texttt{s4cns\_param\_r'} cover this case.
\begin{lemma} \label{l-s4cns-param-l}
Let the left premise subtree of a desired cut be \texttt{dt},
with \texttt{dtn} and $k$ as in Lemma~\ref{l-top-circ-ns},
let the bottom rule of \texttt{dtn} be an extension of
a rule in \texttt{s4cnsne} whose conclusion is $cl \vdash cr$,
and let $C$ not be in $\circ^k cr$.
Then the inductive step \texttt{sumh\_step2\_tr} for proving cut-admissibility
with cut-formula $C$ holds.
\end{lemma}
\begin{verbatim}
s4cns_param_l': "[| (?ps, ?cl |- ?cr) : s4cnsne;
botRule ?dtn : extrs {(?ps, ?cl |- ?cr)};
count (mset_map (funpow Circ ?k) ?cr) ?C = 0; valid s4cns ?dtn;
Suc (heightDTs ?list) = heightDT ?dtn + ?k |] ==>
sumh_step2_tr (prop2 casdt s4cns) ?C ?sub
(Der (seqmap (funpow Circ ?k) (conclDT ?dtn) + ?flr) ?list,
Der ?dtr ?lista)"
\end{verbatim}
It is similar for the parametric case on the right.
The axiom rule is trivial in all cases.
For the $(\vdash \Box)$ rule on the left, where the rule on the right
is an extension of rule $\rho$ whose principal formula is the ``de-circled''
cut-formula, the only case remaining is where $\rho$ is $(\Box \vdash)$.
\begin{center}
\begin{prooftree}
\AxiomC{$\M \vdash A$}
\RightLabel{$(\vdash \Box)$}
\UnaryInfC{$X, \M \vdash \Box A, Y$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$X', \circ^k X, \circ^k \M \vdash \circ^k \Box A, \circ^k Y, Y'$}
\AxiomC{$\circ^{k''} A, U \vdash V$}
\RightLabel{$(\Box \vdash)$}
\UnaryInfC{$\circ^{k''} \Box A, U \vdash V$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^{k' + k''} \Box A, \circ^{k'} U, U' \vdash \circ^{k'} V, V'$}
\RightLabel{(\textit{cut ?})}
\dottedLine
\BinaryInfC{$X', \circ^k X, \circ^k \M, \circ^{k'} U, U' \vdash
\circ^k Y, Y', \circ^{k'} V, V'$}
\end{prooftree}
\end{center}
Here $k' + k'' = k$, but since we also have that $k = 0$ or $k' = 0$,
this means that $k' = 0$ and $k'' = k$. The following diagram omits
a final use of the admissibility of weakening.
\begin{center}
\begin{prooftree}
\AxiomC{$\M \vdash A$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^k \M \vdash \circ^k A$}
\AxiomC{$\M \vdash A$}
\RightLabel{($\vdash \Box$)}
\UnaryInfC{$\M \vdash \Box A$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^k \M \vdash \circ^k \Box A$}
\AxiomC{$\circ^k \Box A, \circ^k A, U \vdash V$}
\RightLabel{(\textit{inductive cut})}
\dottedLine
\BinaryInfC{$\circ^k \M, \circ^k A, U \vdash V$}
\RightLabel{(\textit{inductive cut})}
\dottedLine
\BinaryInfC{$\circ^k \M, \circ^k \M, U \vdash V$}
\RightLabel{(\textit{ctr})}
\UnaryInfC{$\circ^k \M, U \vdash V$}
\end{prooftree}
\end{center}
Next we look at the case of the $(\vdash \Box)$ rule on the right,
but for this, since the cut-formula must be a $\Box$-formula,
all cases have already been dealt with.
Finally, there is the case where the last rules (above the final sequence of
$\circ$-rules) on both sides are extensions of rules in \texttt{s4cnsne}.
Most of these cases have been covered, ie,
the axiom rules, and
the ``parametric'' cases, where the ``de-circled'' cut-formula
is not the principal formula of the rule.
So there remain the cases where the rules on either side are the logical
introduction rules.
For these, the proofs are essentially the same as for other logics generally,
except that we need to allow for a number of circles.
Conceptually it is easiest to imagine that in each case the final $\circ$ rules
are moved upwards to precede the final logical introduction rules,
although we didn't actually prove it this way.
We proved that the usual logical introduction rules,
with $\circ^k$ applied to principal and side formulae (as used in S4C),
satisfy \texttt{c8\_ercas\_prop} (Definition~\ref{d-c8-ercas-prop}).
Recall that this means that assuming cut admissibility on smaller
formulae, us have cut admissibility of a more complex formula where the last
rule on either side is a logical introduction rule.
\begin{lemma}[\texttt{s4cns\_c8\_ercas}] \label{l-s4cns-c8-ercas}
S4C satisfies \texttt{c8\_ercas\_prop} in relation to the
logical introduction rule skeletons \texttt{lksil} $cup$ \texttt{lksir},
with $\circ^k$ applied to all formulae.
\end{lemma}
\begin{verbatim}
s4cns_c8_ercas: "c8_ercas_prop (circrel ipsubfml) s4cns ?A
(nkmap ?k ` (lksil Un lksir))"
\end{verbatim}
The following diagrams show an example.
We let $t = k + k' = l + l'$.
In this case we do not make use of the fact that either $k$ or $l$ must be
zero.
\begin{center}
\begin{prooftree}
\AxiomC{$X \vdash \circ^{k'} A, Y$}
\AxiomC{$X \vdash \circ^{k'} B, Y$}
\RightLabel{($\vdash \land$)}
\BinaryInfC{$X \vdash \circ^{k'} (A \land B), Y$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^k X \vdash \circ^t (A \land B), \circ^k Y$}
\AxiomC{$U, \circ^{l'} A, \circ^{l'} B \vdash V$}
\RightLabel{($\land \vdash$)}
\UnaryInfC{$U, \circ^{l'} (A \land B) \vdash V$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^l U, \circ^t (A \land B) \vdash \circ^l V$}
\RightLabel{(\textit{cut ?})}
\dottedLine
\BinaryInfC{$\circ^k X, \circ^l U \vdash \circ^k Y, \circ^l V$}
\end{prooftree}
\end{center}
The diagram above is simplified by not including the extra context which
may be introduced in the conclusion of the $(\circ)$ rules.
This is replaced by
\begin{center}
\begin{prooftree}
\AxiomC{$X \vdash \circ^{k'} A, Y$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^k X \vdash \circ^t A, \circ^k Y$}
\AxiomC{$\circ^l U, \circ^t (A \land B) \vdash \circ^l V$}
\RightLabel{(\textit{inductive cut})}
\dottedLine
\BinaryInfC{$\circ^k X, \circ^l U \vdash \circ^t A, \circ^k Y, \circ^l V$}
\dottedLine
\UnaryInfC{\large (A)}
\end{prooftree}
\end{center}
\begin{center}
\begin{prooftree}
\AxiomC{$X \vdash \circ^{k'} B, Y$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^k X \vdash \circ^t B, \circ^k Y$}
\AxiomC{$\circ^l U, \circ^t (A \land B) \vdash \circ^l V$}
\RightLabel{(\textit{inductive cut})}
\dottedLine
\BinaryInfC{$\circ^k X, \circ^l U \vdash \circ^t B, \circ^k Y, \circ^l V$}
\dottedLine
\UnaryInfC{\large (B)}
\end{prooftree}
\end{center}
\begin{center}
\begin{prooftree}
\AxiomC{$\circ^k X \vdash \circ^t (A \land B), \circ^k Y$}
\AxiomC{$U, \circ^{l'} A, \circ^{l'} B \vdash V$}
\RightLabel{($\circ^*$)}
\UnaryInfC{$\circ^l U, \circ^t A, \circ^t B \vdash \circ^l V$}
\RightLabel{(\textit{inductive cut})}
\dottedLine
\BinaryInfC{$\circ^k X, \circ^l U, \circ^t A, \circ^t B \vdash
\circ^k Y, \circ^l V$}
\dottedLine
\UnaryInfC{\large (C)}
\end{prooftree}
\end{center}
Then (A), (B) and (C) are combined using inductive cuts on the smaller
cut-formulae $\circ^t A$ and $\circ^t B$, and the necessary contractions, to
derive the required sequent
{$\circ^k X, \circ^l U \vdash \circ^k Y, \circ^l V$}.
Again, we can use weakening admissibility to get the extra context which
was introduced by the $(\circ)$ rules, but omitted from the first diagram.
Finally we combine these results to get the cut admissibility result,
in terms of explicit derivation trees, and then in terms of derivability.
\begin{theorem}[\texttt{s4cns\_casdt, s4cns\_cas}] \label{t-S4C-ca}
S4C satisfies cut-admissibility.
\end{theorem}
\begin{verbatim}
s4cns_casdt: "(?dta, ?dtb) : casdt s4cns ?A"
s4cns_cas: "(?cl, ?cr) : cas s4cns ?A"
\end{verbatim}
\subsection{Comparing our proofs and the proofs of Mints}
The presentation of Mints \cite{mints-jaegerfest} contains a very abbreviated
treatment of cut-admissibility for S4C.
We attempted to follow the proof shown there, but were unable to.
The slides state a lemma (``Substitution Lemma''), that the following rule is
admissible
$$
\frac{\mathcal B \vdash \Box C \quad \Box C, \Gamma \vdash \Delta}
{\mathcal B, \Gamma \vdash \Delta}
$$
As a lemma it is undoubtedly correct (it is a particular case of
cut-admissibility). However, as part of the proof of cut-admissibility
we were unable to prove it as it stands --- it appears to need (at least) an
assumption that cuts on $C$ are admissible.
\section{Related Work}
We may compare this approach with that of Pfenning
\cite{pfenning-structural-cut-elimination}.
Pfenning uses the propositions-as-types paradigm,
where a type represents (partially) a sequent.
More precisely, for intuitionistic logic, a type
\texttt{hyp A -> hyp B -> conc C} represents a sequent containing
\texttt{A} and \texttt{B} in its antecedent, and
\texttt{C} in its succedent.
For classical logic,
\texttt{neg A -> neg B -> pos C -> pos D -> \#}
represents a sequent containing
\texttt{A} and \texttt{B} in its antecedent, and
\texttt{C} and \texttt{D} in its succedent.
A term of a given type represents a derivation of the corresponding sequent.
Pfenning's proof of cut-admissibility proceeds by a triple induction,
using structural induction on the formula and
the two terms representing the derivations.
It therefore most closely resembles our proofs involving explicit derivations,
as described in \S\ref{s-ipedt}.
However in \S\ref{s-ipedt} we go on to measure properties (such as the height)
of an explicit derivation. It seems as though Pfenning's approach does not
allow the possibility of doing that.
\section{Further Work and Conclusion}
\bibliographystyle{alpha}
\bibliography{jaegerfest}
% \input{refs}
\end{document}