
MICHAL GRABOWSKI

Arithmetical Completeness versus Relative Completeness

Abstract. In this paper we study the status of the arithmetical completeness of dynamic logic. We prove that for finitistic proof systems for dynamic logic results beyond arithmetical completeness are very unlikely. The role of the set of natural numbers is carefully analyzed.

1. Introduction

Cook has introduced the notion of relative completeness for proof systems for partial correctness formulas, i.e., completeness over expressive interpretations (see [1], [4]).

It has already been observed by Apt that a totally sound (i.e., sound for all interpretations) proof system for dynamic logic, complete over expressive interpretations, is impossible. (Cf. Apt's remarks on total correctness [1].) Thus we have to weaken our requirements: a proof system for dynamic logic is not required to be totally sound and is not required to be complete over all expressive interpretations.

Harel has found a type of solution: the subclass of arithmetical interpretations of the class of expressive interpretations and an elegant axiom system that is sound and complete for arithmetical interpretations. Notice that Harel's system is not totally sound: it is sound only for arithmetical interpretations.

It is natural to ask whether we can go further: whether we can find axioms and rules that are sound at least for expressive interpretations and complete for expressive interpretations.

The set of natural numbers is primitive (i.e., a primitive relation) in arithmetical interpretations. When we relax this condition to "the set of natural numbers is first-order definable in the interpretations involved", we obtain the pseudo-arithmetical interpretations.

From a general point of view, Harel's result on arithmetical completeness can be stated as follows:

For every pseudo-arithmetical interpretation $I$ there exists an effective procedure $P$ such that $P$, with an oracle answering questions of the validity (in $I$) of first-order formulas, enumerates all dynamic formulas valid in $I$.

3 - Studia Logica 3/88

It is proved that the above quantifiers cannot be interchanged. Moreover, we show that the principal reason for this non-uniformity is not the effectiveness, but the finitistic character of the effective procedure, i.e., having generalized the notion of an effective procedure to the notion of a uniform method, the non-uniformity of dynamic logic remains. In other words, dynamic logic does not possess a finitistic proof system $S$ (i.e., non-recursive proof rules are allowed but they must have a finite number of premisses) such that $S$ is sound for pseudo-arithmetical interpretations and for every pseudo-arithmetical interpretation $I$ and every dynamic formula $\varphi$:

$$I \models \varphi \quad\text{iff}\quad \mathrm{Th}(I) \vdash_S \varphi.$$

Since any pseudo-arithmetical interpretation is expressive, there does not exist a finitistic proof system for dynamic logic, sound and complete for expressive interpretations, even if the system is required to be sound only for expressive interpretations. This result requires a much deeper analysis than in [1]. We actually use non-standard models of arithmetic and Skolemization techniques.

2. Preliminary definitions

The goals of this section are twofold: to make precise our notions concerning effective procedures with oracles and uniform methods with oracles, and to define basic notions related to arithmetical completeness.

2.1. Uniformity and relative completeness

In this section we define auxiliary notions of effective procedures with oracles and uniform methods with oracles. Then we define the fundamental notions of this paper, i.e., the notion of relative completeness and uniformity.

Let $\sigma$ be a fixed signature; $\mathrm{FOL}(\sigma)$ denotes the set of first-order formulas of type $\sigma$. We assume that $\sigma$ contains at least the constant $0$, the unary function symbol $S$, the two binary function symbols $+$, $\cdot$, the unary relation symbol $\mathrm{nat}$ and the equality sign $=$.

Let $x = (x_1, \ldots, x_n)$ be a vector of individual variables. For the structure $\omega = (\omega;\ 0, +1, +, \cdot, =)$, $\mathrm{Bool}_x(\omega)$ denotes the set of all open arithmetical formulas with variables in $x$; $T_x(\omega)$ denotes the set of all arithmetical terms with variables in $x$.

DEFINITION. By an effective procedure with an oracle we mean a seventuple

$$P = (D, \mathrm{Nodes}, \mathrm{Leafs}, x, y, \mathrm{Test}, \mathrm{Answer})$$

where:

- $x = (x_1, \ldots, x_n)$ is a vector of input variables, $y$ is an output variable,
- $D$ is a recursive subset of $\{0,1\}^*$, the empty word $e$ is in $D$, and for every $v, w \in \{0,1\}^*$, if $vw \in D$ then $v \in D$,
- $\mathrm{Nodes} \subseteq \{0,1\}^*$ and $\mathrm{Leafs} \subseteq \{0,1\}^*$ are recursive, $D = \mathrm{Nodes} \cup \mathrm{Leafs}$, $\mathrm{Nodes} \cap \mathrm{Leafs} = \emptyset$, and for every $v, w \in D$, if $vw \in \mathrm{Leafs}$ and $w \neq e$ then $v \in \mathrm{Nodes}$. (Thus $D$ is a recursive binary tree, $\mathrm{Leafs}$ is the set of leafs of $D$ and $\mathrm{Nodes}$ is the set of internal nodes of $D$.)
- $\mathrm{Test}$ is a recursive function from $\mathrm{Nodes}$ into $\mathrm{Bool}_x(\omega) \cup \mathrm{FOL}(\sigma)$ (if $\mathrm{Test}(v) \in \mathrm{FOL}(\sigma)$ then $\mathrm{Test}(v)$ is a query to the oracle; if $\mathrm{Test}(v) \in \mathrm{Bool}_x(\omega)$ then $\mathrm{Test}(v)$ is a control test),
- $\mathrm{Answer}$ is a recursive function from $\mathrm{Leafs}$ into the set of assignment statements $y := t(x)$, where $t(x)$ is in $T_x(\omega)$. □

Let $P$ be an effective procedure with an oracle and let $I$ be an interpretation of type $\sigma$. For a vector $a \in \omega^n$ of natural numbers ($n$ is the number of input variables in $P$), $P(I, a)$ denotes the output value determined by the answer $y := t(x)$ in the appropriate leaf $l$ ($P(I, a) = t_l(a)$). The leaf $l$ is determined by the path $p$ from $e$ to $l$ defined as follows:

(1) $e \in p$;
(2) if $v \in p$ and $v \in \mathrm{Nodes}$ and $\mathrm{Test}(v) \in \mathrm{Bool}_x(\omega)$ then: if $\omega \models \mathrm{Test}(v)[a]$ then $v1 \in p$, else $v0 \in p$;
(3) if $v \in p$ and $v \in \mathrm{Nodes}$ and $\mathrm{Test}(v) \in \mathrm{FOL}(\sigma)$ then: if $I \models \mathrm{Test}(v)$ then $v1 \in p$, else $v0 \in p$.
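The path definition above, worked on a constructed instance. This is an added example and not from the paper: the tree $D$, the two tests, the three answers and the interpretations $I_1$, $I_2$ are all constructed here, with $n = 1$ so that one control test and one oracle query suffice.

```latex
% Constructed instance (not from the paper): n = 1, one control test, one oracle query.
D = \{e, 0, 1, 00, 01\},\qquad \mathrm{Nodes} = \{e, 0\},\qquad \mathrm{Leafs} = \{1, 00, 01\}

\mathrm{Test}(e) = (x_1 = 0) \in \mathrm{Bool}_x(\omega)
   % control test: decided in \omega on the input, never sent to the oracle
\mathrm{Test}(0) = \forall x\,\mathrm{nat}(x) \in \mathrm{FOL}(\sigma)
   % query to the oracle Th(I): decided by the interpretation I

\mathrm{Answer}(1) = (y := 0),\qquad
\mathrm{Answer}(00) = (y := x_1),\qquad
\mathrm{Answer}(01) = (y := S(x_1))

% Check of the tree conditions: every prefix of a word in D is in D,
% Nodes and Leafs are disjoint, and every proper prefix of a leaf is a node.

% Run 1: input a = (3), an interpretation I_1 with nat_{I_1} = dom(I_1).
e \in p;\quad \omega \not\models (x_1 = 0)[3] \Rightarrow 0 \in p;\quad
I_1 \models \forall x\,\mathrm{nat}(x) \Rightarrow 01 \in p\ (\text{a leaf});\quad
P(I_1, (3)) = S(3) = 4.

% Run 2: same input, an interpretation I_2 with some d such that I_2 \not\models nat[d].
e \in p;\quad 0 \in p;\quad
I_2 \not\models \forall x\,\mathrm{nat}(x) \Rightarrow 00 \in p\ (\text{a leaf});\quad
P(I_2, (3)) = 3.

% Run 3: input a = (0), any interpretation I.
\omega \models (x_1 = 0)[0] \Rightarrow 1 \in p\ (\text{a leaf});\quad P(I, (0)) = 0.
```

Runs 1 and 2 use the same input and the same finite tree; the output differs only through the first-order query answered by the oracle $\mathrm{Th}(I)$, which is exactly the dependence on $I$ that relative completeness (Definition in 2.1) exploits. Run 3 shows a path that reaches a leaf before any query is made, so its output is the same for every $I$.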

Let $\Sigma$ be a certain signature (possibly different from $\sigma$); let $m$ be a structure of the type $\Sigma$. Let $x = (x_1, \ldots, x_n)$ be a vector of individual variables. $\mathrm{FOL}_x(\Sigma)$ denotes the set of all first-order formulas of the type $\Sigma$ with free variables in $x$; $T_x(\Sigma)$ is the set of all terms of the type $\Sigma$ with variables in $x$.

DEFINITION. By a uniform method over $m$ with an oracle we mean a seventuple

$$M = (D, \mathrm{Nodes}, \mathrm{Leafs}, x, y, \mathrm{Test}, \mathrm{Answer})$$

where:

- $x = (x_1, \ldots, x_n)$ is a vector of input variables, $y$ is an output variable,
- $D \subseteq \{0,1\}^*$ is a binary tree (not necessarily recursive), $\mathrm{Nodes}$ is the set of internal nodes of $D$, $\mathrm{Leafs}$ is the set of leafs of $D$,
- $\mathrm{Test}$ is a function from $\mathrm{Nodes}$ into $\mathrm{FOL}_x(\Sigma) \cup \mathrm{FOL}(\sigma)$ (if $\mathrm{Test}(v) \in \mathrm{FOL}(\sigma)$ then $\mathrm{Test}(v)$ is a query to the oracle; if $\mathrm{Test}(v) \in \mathrm{FOL}_x(\Sigma)$ then $\mathrm{Test}(v)$ is a control test),
- $\mathrm{Answer}$ is a function from $\mathrm{Leafs}$ into the set of assignment statements $y := t(x)$, where $t(x) \in T_x(\Sigma)$. □

Let $m$ be a structure of signature $\Sigma$; let $M$ be a uniform method with an oracle over $m$; and let $I$ be an interpretation of the signature $\sigma$.

For a vector $a \in (\mathrm{dom}(m))^n$ ($n$ is the number of input variables of $M$), $M(I, a)$ denotes the output value defined by an appropriate path $p$. The definition of $p$ is almost the same as for effective procedures: we have $\mathrm{FOL}_x(\Sigma)$ instead of $\mathrm{Bool}_x(\omega)$ and $m$ instead of $\omega$.

By dynamic logic we mean DDL, i.e., dynamic logic for regular deterministic programs without arrays and random assignments (the simplest one), cf. [6]. For a formula $\varphi \in \mathrm{DDL}$, $\ulcorner\varphi\urcorner$ denotes its standard numeric code, $\ulcorner\varphi\urcorner \in \omega$. Now we are in a position to define the fundamental notions of this paper, i.e., uniformity and relative completeness. Let $C$ be a class of interpretations of the signature $\sigma$, and let $F$ be a set of dynamic formulas, $F \subseteq \mathrm{DDL}$.

DEFINITION. $F$ is relatively complete in the class $C$ iff there exists an effective procedure $P$ with an oracle such that for every interpretation $I$ in $C$, $P$ with oracle $\mathrm{Th}(I)$ enumerates all formulas in $F$ valid in $I$, i.e.,

$$\{\ulcorner\varphi\urcorner \mid \varphi \in F \text{ and } I \models \varphi\} = \{P(I, a) \mid a \in \omega^n\}. \quad\square$$

DEFINITION. $F$ is uniform in the class $C$ iff there exists a certain structure $m$, a uniform method $M$ over $m$ with an oracle and a function $c\colon \mathrm{DDL} \to \mathrm{dom}(m)$ (coding function) such that for every interpretation $I$ in $C$, $M$ with oracle $\mathrm{Th}(I)$ gives (as answers in leafs for $x \in (\mathrm{dom}(m))^n$) the set of codes of formulas in $F$ valid in $I$, i.e.,

$$\{c(\varphi) \mid \varphi \in F \text{ and } I \models \varphi\} = \{M(I, a) \mid a \in (\mathrm{dom}(m))^n\}. \quad\square$$

Of course, the above definitions can be directly adapted to the remaining sorts of dynamic logics.

EXAMPLE 1 ([4]). The subset of partial correctness formulas of the set DDL is relatively complete in the class of expressive interpretations. □

EXAMPLE 2 ([2]). Take the following ALGOL-like language AL:

$$S ::= x := t \mid \mathbf{if}\ b\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi} \mid S_1;\ S_2 \mid \mathbf{begin}\ D;\ S\ \mathbf{end} \mid p(x : f)$$

$$D ::= \mathbf{new}\ x \mid \mathbf{proc}\ p(v : g);\ S \mid D_1;\ D_2.$$

Here, $p(x : f)$ is a procedure call statement; individual parameters $x$ are separated by ":" from procedural parameters $f$. We accept the standard copy-rule semantics for AL (cf. [8]): individual parameters are called by name and we take the static scope copy-rule for procedure calls.

Let $\mathrm{DL}_{AL}$ be the dynamic logic for the programming language AL; let $\mathcal{C}_{fin}$ be the class of all finite interpretations of the type $\sigma$. We have:

$\mathrm{DL}_{AL}$ is uniform in the class $\mathcal{C}_{fin}$ while it is not relatively complete in $\mathcal{C}_{fin}$. □

Naturally, for every class $C$ of interpretations, if a set $F \subseteq \mathrm{DDL}$ is relatively complete in $C$ then it is uniform in $C$. The converse is an open problem for DDL. We conjecture that it is not true.

2.2 Arithmetical and pseudo-arithmetical interpretations

For an interpretation $I$ of our fixed type $\sigma$, $\omega_I$ denotes the set $\{0_I, S_I(0_I), S_I^2(0_I), \ldots\}$.

DEFINITION (Harel). An interpretation $I$ of the type $\sigma$ is arithmetical iff the following conditions hold:

(1) $\omega_I = \{0_I, S_I(0_I), \ldots\}$ is infinite,
(2) the symbols $+$, $\cdot$ are given their standard meaning (addition, multiplication) when applied to the elements of $\omega_I$,
(3) ability to encode finite sequences into one element: there exists a first-order formula $\beta(x, y, z)$ ($\beta$ can involve symbols from the whole $\sigma$, not only $S$, $+$, $\cdot$, $0$, $=$, $\mathrm{nat}$) such that for every natural number $m$,

$$I \models \forall x_0 \ldots \forall x_m\, \exists z\, \forall x\, \big((\beta(x, 0, z) \equiv x = x_0) \wedge \ldots \wedge (\beta(x, S^m(0), z) \equiv x = x_m)\big),$$

(4) for every $d \in \mathrm{dom}(I)$, $d \in \omega_I$ iff $I \models \mathrm{nat}[d]$. □

DEFINITION. An interpretation $I$ is pseudo-arithmetical iff $I$ satisfies the conditions (1), (2), (3) of the above definition and the following additional condition (4'):

(4') there exists a first-order formula $\mathcal{N}(x) \in \mathrm{FOL}(\sigma)$ such that for every $d \in \mathrm{dom}(I)$: $d \in \omega_I$ iff $I \models \mathcal{N}[d]$. □

THEOREM 1 (Harel). For every pseudo-arithmetical $I$ there exists an effective procedure $P_I$ with an oracle such that

$$\{\ulcorner\varphi\urcorner \mid \varphi \in \mathrm{DDL} \text{ and } I \models \varphi\} = \{P_I(I, a) \mid a \in \omega^n\},$$

where $n$ is the number of input variables of $P_I$.

3. The result

Uniformity seems to be a very weak property since the supporting structure m in a uniform method M (required by the definition of uniformity) may be quite arbitrary - for instance a model for set theory. Moreover, the set D and functions Test and Answer in M are not required to be recursive. Nevertheless we have the following:

THEOREM 2. The set of all dynamic formulas, DDL, is relatively complete in the class of arithmetical interpretations while it is not uniform in the class of pseudo-arithmetical interpretations.

PROOF. The first part is implied by Harel's theorem on arithmetical completeness of DDL, cf. [6]. We obtain the second part by exploiting the main idea of paper [5].

In the sequel we use interpretations which are models of certain arithmetical axioms on $0$, $S$, $+$, $\cdot$, $=$. We treat these interpretations as interpretations of the signature $\sigma$; the symbol $\mathrm{nat}$ is always interpreted as the whole domain ($\mathrm{nat}_I = \mathrm{dom}(I)$) and the remaining symbols in $\sigma$ (i.e., other than $\mathrm{nat}$, $+$, $\cdot$, $S$, $=$) are interpreted in an arbitrary way.

Let $Ar$ be a first-order arithmetical formula such that $\omega \models Ar$ and for every interpretation $I$: if $I \models Ar$ then $I$ satisfies the conditions (1), (2), (3) of the definition of arithmetical interpretations. (Such a formula exists. Cf. [9], pp. 115-117.)

Let $\psi(x)$ be the following dynamic formula:

$$\langle\, y := 0;\ \mathbf{while}\ x \neq y\ \mathbf{do}\ y := S(y)\ \mathbf{od}\,\rangle\,(x = x).$$
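Why this formula separates standard from nonstandard elements, as an added derivation that is not in the paper (it uses only the semantics of the diamond modality $\langle\alpha\rangle$ and of the while loop; $\alpha$ is a name introduced here for the program inside the diamond):

```latex
% Added derivation (not from the paper). Let alpha be the program  y := 0; while x \neq y do y := S(y) od.
% Started in a state with x = d in an interpretation I, alpha runs through
%   y = 0_I, S_I(0_I), S_I^2(0_I), ...
% and stops at the first k with S_I^k(0_I) = d; if no such k exists it never stops.

I \models \langle\alpha\rangle(x = x)\,[d]
  \iff \alpha \text{ terminates from } x = d
  \iff \exists k \in \omega\ \ S_I^k(0_I) = d
  \iff d \in \omega_I .

% Hence, for every interpretation I of type sigma,
I \models \forall x\,\psi(x) \iff \omega_I = \mathrm{dom}(I).

% Standard model: every element is some S^k(0), so the loop always stops.
\omega \models \forall x\,\psi(x).

% Nonstandard I: pick d \in dom(I) \setminus \omega_I; the loop never reaches d.
I \models \neg\psi[d], \qquad\text{hence}\qquad I \models \neg\forall x\,\psi(x).

% For an arithmetical I, condition (4) of Harel's definition gives in addition
I \models \forall x\,(\psi(x) \equiv \mathrm{nat}(x)),
% i.e. psi(x) is a dynamic-logic definition of the natural numbers, without using nat.
```

This is the only property of $\psi$ the proof uses: $\forall x\,\psi(x)$ is valid in $\omega$ but refuted in any nonstandard model, so a method that outputs the code of $\forall x\,\psi(x)$ on $\omega$ and the code of its negation on $I$ must have been told apart by the oracle, which is what the construction of $I$ below rules out.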

Assume that DDL is uniform in the class of pseudo-arithmetical interpretations, i.e., there exists a structure $m$ and a suitable uniform method $M$ over $m$ with an oracle and with $n$ input variables. Since $\omega \models \forall x\,\psi(x)$, there exists a vector $a \in (\mathrm{dom}(m))^n$ such that $M(\omega, a)$ is equal to the code of the formula $\forall x\,\psi(x)$ ($M(\omega, a) = c(\forall x\,\psi(x))$). Let $p$ be the path defining $M(\omega, a)$. Let $Q$ be the set of all queries to the oracle in the path $p$, i.e.,

$$Q = \{\mathrm{Test}(v) \mid v1 \in p \text{ and } \mathrm{Test}(v) \in \mathrm{FOL}(\sigma)\} \cup \{\neg\mathrm{Test}(v) \mid v0 \in p \text{ and } \mathrm{Test}(v) \in \mathrm{FOL}(\sigma)\}.$$

Let $\varphi$ be the conjunction of all formulas in $Q$, $\varphi = \bigwedge Q$. Notice that $\omega \models \varphi$.

Following the construction in [5] we are able to construct a pseudo-arithmetical interpretation $I$ such that $I \models Ar \,\&\, \varphi$ and $I \models \neg\forall x\,\psi(x)$.

Assume that the formula $Ar \,\&\, \varphi$ is in the quantifier normal form

$$(*)\qquad \forall x_1 \exists y_1 \ldots \forall x_n \exists y_n\ \xi(x_1, y_1, \ldots, x_n, y_n).$$

Let $I_0$ be a non-standard model of $\mathrm{Th}(\omega)$. The model $I_0$ is naturally ordered by the relation $<$ defined by the formula "$\exists z\,(x + z = y)$". Let $f_1(x_1), f_2(x_1, x_2), \ldots, f_n(x_1, x_2, \ldots, x_n)$ be Skolem functions for $(*)$ that are first-order definable in $I_0$. There exists an increasing function $g(x)$, first-order definable in $I_0$, bounding from above all Skolem functions $f_1, \ldots, f_n$:

$$g(a) = \max\{\, b \mid b = S_{I_0}(a) \text{ or there are } a_1, \ldots, a_n \text{ in } \mathrm{dom}(I_0),\ a_1, \ldots, a_n < a, \text{ such that } b = f_1(a_1) \text{ or } b = f_2(a_1, a_2) \text{ or } \ldots \text{ or } b = f_n(a_1, \ldots, a_n) \,\}.$$

Let $c$ be a nonstandard element of $I_0$. We define the interpretation $I$ as a submodel of $I_0$:

$$\mathrm{dom}(I) = \{a \in \mathrm{dom}(I_0) \mid a < g^i(c) \text{ for some } i \in \omega\}.$$

Since $I$ is closed with respect to the Skolem functions for $(*)$ we can prove by induction on $k$ ($k = n, \ldots, 1$) that for every $a_1, b_1, \ldots, a_{k-1}, b_{k-1}$ in $\mathrm{dom}(I)$

$$\text{if } I_0 \models \forall x_k \exists y_k \ldots \forall x_n \exists y_n\ \xi[a_1, b_1, \ldots, a_{k-1}, b_{k-1}] \text{ then } I \models \forall x_k \exists y_k \ldots \forall x_n \exists y_n\ \xi[a_1, b_1, \ldots, a_{k-1}, b_{k-1}].$$

Thus $I \models Ar \,\&\, \varphi$ since $I_0 \models Ar \,\&\, \varphi$. Therefore $I$ satisfies the conditions (1), (2), (3) of the definition of pseudo-arithmetical interpretations, since $I \models Ar$.

It remains to be proved that the set of standard elements of $I$, $\omega_I$, is first-order definable in $I$.

Notice that the ternary relation "$g^z(x) = y$" is definable in $I_0$ and in $I$. We define:

$$(**)\qquad a \in \omega_I \quad\text{iff}\quad I \models \forall x\, \exists y\, (g^a(x) = y).$$

Intuitively, the condition $(**)$ holds since if $a$ is nonstandard then, by definition of $I$, $g^a(c)$ "jumps" out of $I$; if $a$ is standard then for every $b \in \mathrm{dom}(I)$, $g^a(b) \in \mathrm{dom}(I)$. Thus $I$ is pseudo-arithmetical.

We have $I \models \neg\forall x\,\psi(x)$, since $I$ is nonstandard. Therefore there exists a vector $b \in (\mathrm{dom}(m))^n$ ($n$ is equal to the number of input variables of $M$) such that $M(I, b)$ is equal to the code of the formula $\neg\forall x\,\psi(x)$. Recall that $a \in (\mathrm{dom}(m))^n$ and $M(\omega, a)$ is equal to the code of the formula $\forall x\,\psi(x)$. We have $M(\omega, a) = M(I, a)$ since $\omega \models \varphi$ and $I \models \varphi$. Finally, $M(I, a)$ is equal to the code of $\forall x\,\psi(x)$ and $M(I, b)$ is equal to the code of $\neg\forall x\,\psi(x)$, contrary to the soundness of $M$. □

4. Concluding remarks

4.1. Harel suspected (cf. [6], pp. 50-53) that arithmetical completeness is only a bit less general than completeness in the sense of Cook (that the only difference is in taking (or not taking) into account finite interpretations). We have proved that these two concepts of completeness are essentially different.

We would like to stress the issue of uniformity. Harel gives a schema for constructing an axiom system $P_I$ for DDL for an expressive interpretation $I$ when we are given arithmetical notions first-order definable in $I$. This schema seems to be as general as Cook's relative completeness, since arithmetical notions are first-order definable in every non-trivial expressive interpretation (see [7], the de Millo, Lipton, Snyder theorem). However, Harel's schema is not uniform in interpretations: $P_I$ heavily depends on $I$. On the other hand, Hoare-like axiom systems are uniform in interpretations. In order to gain uniformity for DDL we must accept arithmetical notions as primitive ones (just as Harel does). Thus we come to our main conclusion: with respect to uniformity in interpretations for finitistic axiom systems, we cannot expect any system beyond Harel's axiom system to be sound and complete for arithmetical interpretations.

4.2. Of course, there are subsets of DDL that are uniform (now in the sense of our definition) in the class of expressive interpretations: for instance the set of partial correctness formulas. It can be proved (by Zorn's lemma) that there are maximal subsets of DDL uniform in expressive interpretations. Is it possible to give a concrete example of a maximal subset of DDL uniform in the set of expressive interpretations? We are of the opinion that the structure of uniform subsets of DDL is interesting and deserves further study.

Acknowledgements

I would like to thank Prof. A. Salwicki for pointing out to me problems in Clarke's and Lipton's papers on Hoare's logic. I also wish to thank Prof. Szabo for inviting me to submit a paper to the volume devoted to nonstandard methods in computer science.

References

[1] K. R. Apt, Ten years of Hoare Logics, TOPLAS 3 (4), pp. 431-482, 1981.
[2] E. M. Clarke, Programming language constructs for which it is impossible to obtain good Hoare axiom systems, J. Assoc. Comput. Mach. No. 1, 1979.
[3] E. Clarke, S. German and J. Halpern, On effective axiomatization of Hoare Logics, JACM 1983.
[4] S. Cook, Soundness and completeness of axiom system for program verification, SIAM J. Comput. 7, No. 1, pp. 70-90, 1978.
[5] M. Grabowski, On relative incompleteness of logics for total correctness, Proceedings of Logics of Programs Conference 85, New York; Lecture Notes on Comp. Sci., vol. 192, 1985.
[6] D. Harel, Logics of programs: axiomatics and descriptive power, Report MIT LCS TR-200, 1978.
[7] R. A. Lipton, Necessary and sufficient condition for existence of Hoare logics, Proceedings of the 18th IEEE Symp. Found. of Comp. Sc., 1977.
[8] E. R. Olderog, Sound and complete Hoare-like calculi based on copy-rules, Acta Informatica 16, pp. 161-197, 1981.
[9] J. Shoenfield, Mathematical Logic, 1967.

INSTITUTE OF INFORMATICS
UNIVERSITY OF WARSAW
PKiN, p. 850
00-901 WARSAW, POLAND

Received September 1, 1987

Studia Logica XLVII, 3