1 Introduction

The principle of induction is used widely in computer science for reasoning about data types such as numbers or lists. The lesser-known principle of coinduction is used for reasoning about coinductive data types, which are data structures containing non-well-founded elements, e.g. infinite streams or trees [7, 25, 27, 32, 35, 37, 44, 46, 48]. A duality between the two principles is observed when formulating them within an algebraic, or categorical, framework [49]. However, such a formulation does not account well for the way these principles are commonly used in deduction, where there is a mismatch in how they are usually applied.

Due to this tension between the abstract theory of coalgebras and its implementation in formal frameworks [41], coinductive reasoning is generally not fully and naturally incorporated into major proof assistants (e.g. Coq [7], Nuprl [20], Agda [8], Idris [9] and Dafny [36]). Even in notable exceptions such as [33, 36, 38, 44] the combination of induction and coinduction is not intuitively accounted for. The standard approach in such formalisations is to define inductive data with constructors and coinductive data with destructors, or observations [1]. In this paper we propose an alternative approach to formally integrating induction and coinduction that clearly reveals the duality between the two principles. Our approach has the advantage that the same signature is shared for both inductive and coinductive data, making certain aspects of the relationship between the two principles more apparent. To achieve this, we extend and combine two powerful frameworks: semantically we follow the approach of transitive closure logic, a generic logic for expressing inductive structures [3, 14,15,16, 31, 39, 51]; for deduction, we adopt non-well-founded proof theory [2, 5, 10,11,12, 17,18,19, 23, 24, 26, 50, 55]. This combination captures the intuitive dynamics of inductive and coinductive reasoning, reflecting how these principles are understood and applied in practice.

Transitive closure (\(\mathsf {RTC}\)) logic minimally extends first-order logic by adding a single, intuitive notion: an operator, \( RTC \), for forming the (reflexive) transitive closures of an arbitrary formula (more precisely, of the binary relation induced by the formula). This operator alone is sufficient for capturing all finitary induction schemes within a single, unified language (unlike other systems that are a priori parametrized by a set of inductive definitions [12, 40, 42, 58]). Transitive closures arise as least fixed points of certain composition operators. In this paper we extend \(\mathsf {RTC}\) logic with the semantically dual notion: an operator, \( RTC ^{\mathsf {op}}\), for forming greatest fixed points of these same composition operators. We call these transitive co-closures, and show that they are equally as intuitive. Just as transitive closure captures induction, we show that transitive co-closure facilitates coinductive definitions and reasoning.

Non-well-founded proof theory formalises the infinite-descent style of induction. It enables a separation between local steps of deductive inference and global well-foundedness arguments (i.e. induction), which are encoded in traces of formulas through possibly infinite derivations. A major benefit of these systems is that inductive invariants do not need to be explicit. On the other hand, existing approaches for combining induction and coinduction rely on making (co)invariants explicit within proofs [4, 30, 59]. In previous work, a non-well-founded proof system for \(\mathsf {RTC}\) logic was developed [17, 18]. In this paper, we show that the meaning of the transitive co-closure operator can be captured proof-theoretically using inference rules having the exact same structure, with soundness now requiring infinite ascent (i.e. showing productivity) rather than descent. What obtains is a proof system in which induction and coinduction are smoothly integrated, and which very clearly highlights their similarities. Their differences are also thrown into relief, consisting in the way formulas are traced in a proof derivation. Specifically, traces of \( RTC \) formulas show that certain infinite paths cannot exist (induction is well-founded), while traces of \( RTC ^{\mathsf {op}}\) formulas show that other infinite paths must exist (coinduction is productive).

To demonstrate that our system naturally captures patterns of mixed inductive/coinductive reasoning, we formalise one of the most well-known examples of a coinductive data type: streams. In particular, we consider two illustrative examples: transitivity of the lexicographic ordering on streams; and transitivity of the substream relation. Both are known to be hard to prove. Our system handles these without recourse to general fixpoint operators or algebraic structures.

The transitive (co-)closure framework is contained in the first-order mu-calculus [43], but offers several advantages. The concept of transitive (co-)closure is intuitively simpler than that of general fixed-point operators, and does not require any syntactic restrictions to ensure monotonicity. Our framework is also related, but complementary to logic programming with coinductive interpretations [52, 53] and its coalgebraic semantics [34]. Logic programs, built from Horn clauses, have a fixed intended domain (viz. Herbrand universes), and the semantics of mixing inductive and coinductive interpretations is subtle. Our framework, on the other hand, uses a general syntax that can freely mix closures and co-closures, and its semantics considers all first-order models. Furthermore, the notion of proof in our setting is more general than the (semantic) notion of proof in logic programming, in which, for instance, there is no analogous concept of global trace condition.

Outline. Section 2 presents the syntax and semantics of the extended logic, \(\mathsf {RTcC}\). Section 3 describes how streams and their properties can be expressed in \(\mathsf {RTcC}\). Section 4 presents non-well-founded proof systems for \(\mathsf {RTcC}\), showing soundness and completeness. Section 5 then illustrates how the examples of Sect. 3 are formalised in this system. Section 6 concludes with directions for future work.

2 \(\mathsf {RTcC}\) Logic: Syntax and Semantics

Transitive closure (\(\mathsf {RTC}\)) logic [3, 15] extends the language of first-order logic with a predicate-forming operator, \( RTC \), for denoting the (reflexive) transitive closures of (binary) relations. In this section we extend \(\mathsf {RTC}\) logic into what we call transitive (co-)closure (\(\mathsf {RTcC}\)) logic, by adding a single transitive co-closure operator, \( RTC ^{\mathsf {op}}\). Roughly speaking, whilst the \( RTC \) operator denotes the set of all pairs that are related via a finite chain (or path), the \( RTC ^{\mathsf {op}}\) operator gives the set of all pairs that are ‘related’ via a possibly infinite chain. In Sect. 3 we show that this allows capturing coinductive definitions and reasoning.

For simplicity of presentation we assume (as is standard practice) a designated equality symbol. Note also that we use the reflexive transitive closure; however the reflexive and non-reflexive forms are equivalent in the presence of equality.

Definition 1 (\(\mathsf {RTcC}\) Formulas)

Let s, t and P range over the terms and predicate symbols, respectively, of a first-order signature \(\varSigma \). The language \(\mathcal {L}_{\mathsf {RTcC}}\) (of formulas over \(\varSigma \)) is given by the following grammar:

where the variables x and y in the formulas \((\mathop { RTC _{{x},{y}}} {\varphi })(s, t)\) and \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\) must be distinct and are bound in the subformula \(\varphi \), referred to as the body.

The semantics of formulas is an extension of the standard semantics of first-order logic. We write \(M\) and \(\nu \) to denote a first-order structure over a (non-empty) domain \(D\) and a valuation of variables in \(D\), respectively. We denote by \(\nu [x_1 := d_1, \ldots , x_n := d_n]\) the valuation that maps \(x_i\) to \(d_i\) for each i and behaves as \(\nu \) otherwise. We write for the result of simultaneously substituting each \(t_{i}\) for the free occurrences of \(x_{i}\) in \(\varphi \). We use \((\mathbf {d}_{i})_{i \le n}\) to denote a non-empty sequence of elements \(d_1, \ldots , d_n\); and \((\mathbf {d}_{i})_{i > 0}\) for a (countably) infinite sequence of elements \(d_1, d_2, \ldots \). We use \(\equiv \) to denote syntactic equality.

Definition 2 (Semantics)

Let \(M\) be a structure for \(\mathcal {L}_{\mathsf {RTcC}}\), and \(\nu \) a valuation in \(M\). The satisfaction relation \(M, \nu \models \varphi \) extends the standard satisfaction relation of classical first-order logic with the following clauses:

Intuitively, the formula \((\mathop { RTC _{{x},{y}}} {\varphi })(s, t)\) asserts that there is a (possibly empty) finite \(\varphi \)-path from s to t. The formula \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\) asserts that either there is a (possibly empty) finite \(\varphi \)-path from s to t, or an infinite \(\varphi \)-path starting at s.

We can connect these closure operators to the general theory of fixed points, with \((\mathop { RTC _{{x},{y}}} {\varphi })\) and \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })\) denoting, respectively, the least and greatest fixed points of a certain operator on binary relations.

Definition 3 (Composition Operator)

Given a binary relation X, we define an operator \(\varPsi _{X}\) on binary relations, which post-composes its input with X, by: .

Notice that the set of all binary relations (over some given domain) forms a complete lattice under the subset ordering \(\subseteq \). Moreover, composition operators \(\varPsi _{X}\) are monotone w.r.t. \(\subseteq \). Thus we have the following standard results, from the Knaster–Tarski theorem. For any binary relation X, the least fixed point of \(\varPsi _{X}\) is given by , i.e. the intersection of all its prefixed points. Dually, the greatest fixed point of \(\varPsi _{X}\) is given by the union of all its postfixed points, i.e. . Via the usual notion of formula definability, \( RTC \) and \( RTC ^{\mathsf {op}}\) are easily seen to be fixed point operators. For a model \(M\) and valuation \(\nu \), denote the binary relation defined by a formula \(\varphi \) with respect to x and y by \([\![{\varphi }]\!]^{M,\nu }_{x,y} = \{ (a, b) \,\mid \, M, \nu [x\,{:}{=}\,a, y\,{:}{=}\,b] \models \varphi \}\).

Proposition 1

The following hold.

(i) \(M, \nu \models (\mathop { RTC _{{x},{y}}} {\varphi })(s, t)\) iff \(\nu (s)=\nu (t)\) or .

(ii) \(M, \nu \models (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\) iff \(\nu (s) = \nu (t)\) or .

Note that labelling the co-closure ‘transitive’ is justified since, for any model \(M\), valuation \(\nu \), and formula \(\varphi \), the relation is indeed transitive.

The \( RTC ^{\mathsf {op}}\) operator enjoys dualisations of properties governing the transitive closure operator (see, e.g., [16, Proposition 3]) that are either symmetrical, or involve the first component. This is because the semantics of the \( RTC ^{\mathsf {op}}\) has an embedded asymmetry between the arguments. Reasoning about closures is based on decomposition into one step and the remaining path. For \( RTC \), this decomposition can be done in both directions, but for \( RTC ^{\mathsf {op}}\) it can only be done in one direction.

Proposition 2

The following formulas, connecting the two operators, are valid.

(i) \((\mathop { RTC _{{x},{y}}} {\varphi })(s, t) \rightarrow (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\)

(ii) \(\lnot (\mathop { RTC _{{x},{y}}} {\lnot \varphi })(s, t) \rightarrow (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\)

(iii) \(\lnot (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\lnot \varphi })(s, t) \rightarrow (\mathop { RTC _{{x},{y}}} {\varphi })(s, t)\)

(iv)

(v) \(((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t) \wedge \lnot (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi \wedge y \ne t})(s, t)) \rightarrow (\mathop { RTC _{{x},{y}}} {\varphi })(s, t)\)

Note that the converses of these properties do not hold in general, so they do not provide characterisations of one operator in terms of the other. A counter-example for the converses of (ii) and (iii) can be obtained by taking \(\varphi \) to be \(x = y\). Then, for any domain D, the formulas \((\mathop { RTC _{{x},{y}}} {\lnot \varphi })\), \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })\), and \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\lnot \varphi })\) all denote the full binary relation \(D \times D\), while \((\mathop { RTC _{{x},{y}}} {\varphi })\) denotes the identity relation on D. Hence \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\) holds for every s and t while \(\lnot (\mathop { RTC _{{x},{y}}} {\lnot \varphi })(s, t)\) never does, refuting the converse of (ii); and \((\mathop { RTC _{{x},{y}}} {\varphi })(s, s)\) holds while \(\lnot (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\lnot \varphi })(s, s)\) does not, refuting the converse of (iii).
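The closure semantics of this section can be made concrete on a finite structure. The following Python block is an added example, not code from the paper: it computes \( RTC \) and \( RTC ^{\mathsf {op}}\) as the least and greatest fixed points of \(\varPsi _{X}\) by Kleene iteration, recomputes both by explicit path search as in Definition 2, and checks Proposition 2 (i), (ii), (iii), (v) and the counter-example above on a constructed five-element structure. Because the page's definition of \(\varPsi _{X}\) did not survive extraction, the code assumes \(\varPsi _{X}(Y) = X \cup (X ; Y)\), one \(X\)-step followed by the rest of the path, which is the reading whose greatest fixed point agrees with the stated semantics of \( RTC ^{\mathsf {op}}\); all function and variable names are the example's own.

```python
# Added example (not part of the paper): the Section 2 semantics of RTC and
# RTC^op over a finite first-order structure, computed as the least and
# greatest fixed points of the composition operator Psi_X and cross-checked
# against the path characterisation of Definition 2 / Proposition 1.
#
# Assumption: Psi_X(Y) = X ∪ (X ; Y), i.e. one X-step followed by the rest of
# the path.  This is the reading whose greatest fixed point matches the
# semantics stated for RTC^op (a finite phi-path from s to t, or an infinite
# phi-path starting at s).  All names below are the example's own.
from itertools import product


def psi(X):
    """The composition operator Psi_X on binary relations (sets of pairs)."""
    return lambda Y: X | {(a, c) for (a, b) in X for (b2, c) in Y if b == b2}


def fix(step, start):
    """Kleene iteration on a finite lattice: from the empty relation this
    reaches the least fixed point, from the full relation the greatest
    (Knaster-Tarski; finiteness of the domain guarantees termination)."""
    cur = frozenset(start)
    while (nxt := frozenset(step(cur))) != cur:
        cur = nxt
    return cur


def rtc(X, dom):
    """[[ RTC_{x,y} phi ]] with X = [[phi]]:  s = t, or (s, t) in lfp(Psi_X)."""
    return fix(psi(X), set()) | {(d, d) for d in dom}


def rtc_op(X, dom):
    """[[ RTC^op_{x,y} phi ]]:  s = t, or (s, t) in gfp(Psi_X)."""
    return fix(psi(X), product(dom, repeat=2)) | {(d, d) for d in dom}


# --- the same relations by explicit path search, for cross-checking ---------
def reach(X, a):
    """Elements reachable from a by a non-empty X-path."""
    seen, frontier = set(), {b for (a2, b) in X if a2 == a}
    while frontier:
        seen |= frontier
        frontier = {c for (b, c) in X if b in frontier} - seen
    return seen


def has_infinite_path(X, a):
    """In a finite structure an infinite path from a exists iff a reaches a cycle."""
    return any(b in reach(X, b) for b in reach(X, a) | {a})


def rtc_by_paths(X, dom):
    return {(s, t) for s, t in product(dom, repeat=2) if s == t or t in reach(X, s)}


def rtc_op_by_paths(X, dom):
    return {(s, t) for s, t in product(dom, repeat=2)
            if s == t or t in reach(X, s) or has_infinite_path(X, s)}


def agrees_with_proposition_1(X, dom):
    return (rtc(X, dom) == rtc_by_paths(X, dom)
            and rtc_op(X, dom) == rtc_op_by_paths(X, dom))


def proposition_2_holds(X, dom):
    """Items (i), (ii), (iii) and (v) of Proposition 2, checked pointwise."""
    full = frozenset(product(dom, repeat=2))
    not_x = full - X                                      # [[not phi]]
    tc, cc = rtc(X, dom), rtc_op(X, dom)
    ok = tc <= cc                                         # (i)
    ok &= (full - rtc(not_x, dom)) <= cc                  # (ii)
    ok &= (full - rtc_op(not_x, dom)) <= tc               # (iii)
    for (s, t) in cc:                                     # (v)
        avoid_t = frozenset((a, b) for (a, b) in X if b != t)   # phi ∧ y ≠ t
        if (s, t) not in rtc_op(avoid_t, dom):
            ok &= (s, t) in tc
    return ok


def counterexample_to_converses(dom):
    """phi := (x = y).  RTC phi is the identity, while RTC (not phi), RTC^op phi
    and RTC^op (not phi) are all D x D, so the converses of (ii), (iii) fail."""
    eq = frozenset((d, d) for d in dom)
    full = frozenset(product(dom, repeat=2))
    return (rtc(eq, dom) == eq and rtc(full - eq, dom) == full
            and rtc_op(eq, dom) == full and rtc_op(full - eq, dom) == full)


# Constructed structure: domain {0,..,4}; phi(x, y) holds on the edges below,
# which contain a cycle 1 -> 2 -> 1 and a dead end 3 -> 4.
DOM = frozenset(range(5))
EDGES = frozenset({(0, 1), (1, 2), (2, 1), (3, 4)})
```

On a finite domain an infinite path exists exactly when a cycle is reachable, which is what has_infinite_path tests; iterating \(\varPsi _{X}\) downwards from \(D \times D\) arrives at the same greatest fixed point without ever mentioning paths, and the pair (0, 4) is in \( RTC ^{\mathsf {op}}\) but not in \( RTC \) precisely because 0 can go round the cycle forever without reaching 4.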

3 Streams in \(\mathsf {RTcC}\) Logic

This section demonstrates the adequacy of \(\mathsf {RTcC}\) logic for formalising and reasoning about coinductive data types. As claimed by Rutten: “streams are the best known example of a final coalgebra and offer a perfect playground for the use of coinduction, both for definitions and for proofs.” [47]. Hence, in this section and Sect. 5 we illustrate that \(\mathsf {RTcC}\) logic naturally captures the stream data type (see, e.g., [29, 48]).

3.1 The Stream Datatype

We formalise streams as infinite lists, using a signature consisting of the standard list constructors: the constant \(\mathsf {nil}\) and the (infix) binary function symbol ‘\({{\,\mathrm{{:}{:}}\,}}\)’, traditionally referred to as ‘cons’. These are axiomatized by:

figure a

Note that for simplicity of presentation we have not specified that the elements of possibly infinite lists should be any particular sort (e.g. numbers). Thus, the theory of streams we formulate here is generic in this respect. To refer specifically to streams over a particular domain, we could use a multisorted signature containing a \(\mathsf {Base}\) sort, in addition to the sort \(\mathsf {List}^{\infty }\) of possibly infinite lists, with \(\mathsf {nil}\) a constant of type \(\mathsf {List}^{\infty }\) and \({{\,\mathrm{{:}{:}}\,}}\) a function of type \(\mathsf {Base} \times \mathsf {List}^{\infty }\longrightarrow \mathsf {List}^{\infty }\). Nonetheless, we do use the following conventions for formalising streams in this section and in Sect. 5. For variables and terms ranging over \(\mathsf {Base}\) we use \(a,b,c,\dots \) and \(e,e',\dots \), respectively; and for variables and terms ranging over possibly infinite lists we use \(x,y,z,\dots \) and \(\sigma ,\sigma ',\dots \), respectively.

The graphs of the standard head (\(\mathsf {hd}\)) and tail (\(\mathsf {tl}\)) functions are definable by and . Finite and possibly infinite lists can be defined by using the transitive closure and co-closure operators, respectively, as follows.

$$\begin{aligned} \mathsf {List}(\sigma )&\mathbin {\;{\mathop {:=}\limits ^{\texttt {def}}}\;}(\mathop { RTC _{{x},{y}}} {\mathsf {tl}(x) = y})(\sigma , \mathsf {nil}) \\ \mathsf {List}^{\infty }(\sigma )&\mathbin {\;{\mathop {:=}\limits ^{\texttt {def}}}\;}(\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\mathsf {tl}(x) = y})(\sigma , \mathsf {nil}) \end{aligned}$$

Roughly speaking, these formulas assert that we can perform some number of successive tail decompositions of the term \(\sigma \). For the \( RTC \) formula, this decomposition must reach the second component, \(\mathsf {nil}\), in a finite number of steps. For the \( RTC ^{\mathsf {op}}\) formula, on the other hand, the decomposition is not required to reach \(\mathsf {nil}\) but, in case it does not, must be able to continue indefinitely.

To define the notion of a necessarily infinite list (i.e. a stream), we specify in the body that, at each step, the decomposition of the stream cannot actually reach \(\mathsf {nil}\) (abbreviating \(\lnot (s = t)\) by \(s \ne t\)). Moreover, since we are using reflexive forms of the operators we must also stipulate that \(\mathsf {nil}\) itself is not a stream.

$$\begin{aligned} \mathsf {Stream}(\sigma ) \mathbin {\;{\mathop {:=}\limits ^{\texttt {def}}}\;}(\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\mathsf {tl}(x) = y \wedge y \ne \mathsf {nil}})(\sigma ,\mathsf {nil}) \wedge \sigma \ne \mathsf {nil}\end{aligned}$$

This technique—of specifying that a single step cannot reach \(\mathsf {nil}\) and then taking \(\mathsf {nil}\) to be the terminating case in the \( RTC ^{\mathsf {op}}\) formula—is a general method we will use in order to restrict attention to the infinite portion in the induced semantics of an \( RTC ^{\mathsf {op}}\) formula. To this end, we define the following notation.

$$\begin{aligned} \mathop {\overline{\varphi }^{\mathtt {inf}}_{{x},{y}}}(\sigma ) \mathbin {\;{\mathop {:=}\limits ^{\texttt {def}}}\;}(\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {(\varphi \wedge y\ne \mathsf {nil})})(\sigma , \mathsf {nil}) \wedge \sigma \ne \mathsf {nil}\end{aligned}$$

3.2 Relations and Operations on Streams

We next show that \(\mathsf {RTcC}\) also naturally captures properties of streams. Using the \( RTC \) operator we can (inductively) define the extension relation \(\mathbin {\triangleleft }\) on possibly infinite lists as follows:

$$\begin{aligned} \sigma \mathbin {\triangleleft }\sigma ' \mathbin {\;{\mathop {:=}\limits ^{\texttt {def}}}\;}( RTC _{{x},{y}}\,{\mathsf {tl}(x) = y})(\sigma , \sigma ') \end{aligned}$$

This asserts that \(\sigma \) extends \(\sigma '\), i.e. that \(\sigma \) is obtained from \(\sigma '\) by prepending some finite sequence of elements to \(\sigma '\). Equivalently, \(\sigma '\) is obtained by some finite number of tail decompositions from \(\sigma \): that is, \(\sigma '\) is a suffix of \(\sigma \).

We next formalise some standard predicates.

\(\mathsf {Contains}(e, \cdot )\) defines the possibly infinite lists that contain the element denoted by e; \(\mathsf {Const}(e, \cdot )\) defines the constant stream consisting of the element denoted by e; and \({{\,\mathrm{\mathsf {Const}_{{\mathop {\infty }\limits ^{\rightarrow }}}}\,}}\) defines streams that are eventually constant.

We next consider how (functional) relations on streams can be formalised in \(\mathsf {RTcC}\), using some illustrative examples. To capture these we need to use ordered pairs. For this, we use the notation \(\langle {u}, {v} \rangle \) for \({u}{{\,\mathrm{{:}{:}}\,}}{({v}{{\,\mathrm{{:}{:}}\,}}{\mathsf {nil}})}\), then abbreviate by \((\mathop { RTC _{{\langle {u}, {v} \rangle },{\langle {u'}, {v'} \rangle }}} {\varphi })\) (and similarly for \( RTC ^{\mathsf {op}}\) formulas), and also write \(\mathop {\overline{\varphi }^{\mathtt {inf}}_{{\langle {x_1}, {x_2} \rangle },{\langle {y_1}, {y_2} \rangle }}}(\langle {\sigma }, {\sigma '} \rangle )\) to stand for \((\mathop { RTC ^{\mathsf {op}}_{{\langle {x_1}, {x_2} \rangle },{\langle {y_1}, {y_2} \rangle }}} {(\varphi \wedge y_1\ne \mathsf {nil}\wedge y_2\ne \mathsf {nil})})(\langle {\sigma }, {\sigma '} \rangle , \langle {\mathsf {nil}}, {\mathsf {nil}} \rangle ) \wedge \sigma \ne \mathsf {nil}\wedge \sigma ' \ne \mathsf {nil}\).

Append and Periodicity. With ordered pairs, we can inductively define (the graph of) the function that appends a possibly infinite list to a finite list.

We remark that the formulas \(\sigma \mathbin {\triangleleft }\sigma '\) and are equivalent. To define this as a function also requires proofs that the defined relation is total and functional. However, this is generally straightforward when the body formula is deterministic, as is the case in all the examples we present here. Other standard operations on streams, such as element-wise operations, are also definable in \(\mathsf {RTcC}\) as (functional) relations. For example, assuming a unary function \(\oplus \), we can coinductively define its elementwise extension to streams \(\oplus _{\infty }\) as follows.

As an example of mixing induction and coinduction, we can express a predicate coinductively defining the periodic streams using the append function.

Lexicographic Ordering. The lexicographic order on streams extends pointwise an order on the underlying elements. Thus, we assume a binary relation symbol \(\le \) with the standard axiomatisation of a (non-strict) partial order.

$$\begin{aligned} {} \Rightarrow {e \le e} \qquad {e \le e', e' \le e''} \Rightarrow {e \le e''} \qquad {e \le e', e' \le e} \Rightarrow {e = e'} \end{aligned}$$

The lexicographic ordering relation \(\mathrel {\le _{\ell }}\) is captured as follows, where we use \(e < e'\) as an abbreviation for \(e \le e' \wedge e\ne e'\).

The semantics of the \( RTC ^{\mathsf {op}}\) operator requires an infinite sequence of pairs such that, until \(\langle {\mathsf {nil}}, {\mathsf {nil}} \rangle \) is reached, each two consecutive pairs are related by \(\psi _\ell \). The body \(\psi _\ell \) states that if the heads of the lists in the first pair are equal, the next pair of lists in the infinite sequence is their two tails, so the lexicographic relation must also hold of them. Otherwise, if the head of the first is less than that of the second, nothing is required of the tails, i.e. they may be any streams.

Substreams. We consider one stream to be a substream of another if the latter contains every element of the former in the same order (although it may contain other elements too). Equivalently, the latter is obtained by inserting some (possibly infinite) number of finite sequences of elements in between those of the former. This description makes it clearer that defining this relation involves mixing (or, rather, nesting) induction and coinduction. We formalise the substream relation, \(\succcurlyeq \), using the inductive extension relation \(\mathbin {\triangleleft }\) to capture the inserted finite sequences, wrapping it within a coinductive definition using the \( RTC ^{\mathsf {op}}\) operator.

On examination, one can observe that this relation is transitive. However, proving this is non-trivial and, unsurprisingly, involves applying both induction and coinduction. In Sect. 5, we give a proof of the transitivity of \(\succcurlyeq \) in \(\mathsf {RTcC}\). This relation was also considered at length in [6, §5.1.3] where it is formalised in terms of selectors, which form streams by picking out certain elements from other streams. The treatment in [6] requires some heavy (coalgebraic) metatheory. While our proof in Sect. 5 requires some (fairly obvious) lemmas, the basic structure of the (co)inductive reasoning required is made plain by the cycles in the proof. Furthermore, the \(\mathsf {RTcC}\) presentation seems to enable a more intuitive understanding of the nature of the coinductive definitions and principles involved.
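To see the definitions of this section in action, the following Python block is an added example, not part of the paper. It builds a constructed finite structure in which possibly infinite lists are cons cells whose tail may point back to an earlier cell, so that periodic streams are finite objects, and evaluates \(\mathsf {List}\), \(\mathsf {List}^{\infty }\), \(\mathsf {Stream}\), \(\mathbin {\triangleleft }\), \(\mathsf {Contains}\), \(\mathsf {Const}\), eventual constancy, \(\mathrel {\le _{\ell }}\) and the substream relation as the least or greatest fixed points their \( RTC \) / \( RTC ^{\mathsf {op}}\) formulas denote (Proposition 1), one \(\mathsf {tl}\)-step followed by the remaining path. It then checks transitivity of \(\mathrel {\le _{\ell }}\) and of the substream relation on that one model, which is a model-check rather than the proof of Sect. 5. The bodies of \(\psi _\ell \) and of the substream definition are not on the page, so they are reconstructed from the prose descriptions above; the direction of the substream relation and all identifiers are the example's own assumptions.

```python
# Added example (not part of the paper): the Section 3 definitions evaluated
# over a constructed finite structure.  Possibly infinite lists are cons cells
# whose tail may point back to an earlier cell, so a periodic stream is a
# finite object and every predicate below is a fixed point over a finite set.
# Inductive definitions are iterated up from the empty set, coinductive ones
# down from the full set.  All names are the example's own.
from itertools import product

NIL = "nil"
# Constructed model: cell -> (head, tail).  Heads are the Base elements 0, 1, 2.
CELLS = {
    "c0":   (0, "c0"),    # 0 :: c0        the constant stream 0,0,0,...
    "c1":   (1, "c1"),    # 1 :: c1        the constant stream 1,1,1,...
    "alt":  (0, "alt1"),  # 0 :: alt1      0,1,0,1,...
    "alt1": (1, "alt"),   # 1 :: alt       1,0,1,0,...
    "pre":  (2, "alt"),   # 2 :: alt       2,0,1,0,1,...
    "two0": (2, "c0"),    # 2 :: c0        2,0,0,0,...  (eventually constant)
    "fin":  (1, NIL),     # 1 :: nil       a finite list
    "fin2": (0, "fin"),   # 0 :: 1 :: nil  a finite list
}
LISTS = frozenset(CELLS) | {NIL}         # the List^inf sort of the model
PAIRS = frozenset(product(LISTS, repeat=2))


def hd(x): return CELLS[x][0]
def tl(x): return CELLS[x][1]            # tl(nil) is undefined, as in the paper


def fix(step, start):
    """Kleene iteration on a finite lattice: lfp from the bottom, gfp from the top."""
    cur = frozenset(start)
    while (nxt := frozenset(step(cur))) != cur:
        cur = nxt
    return cur


# List(s)     := (RTC_{x,y} tl(x) = y)(s, nil)     -- the tl-chain must reach nil
# List^inf(s) := (RTC^op_{x,y} tl(x) = y)(s, nil)  -- reach nil, or go on forever
unfold = lambda Y: {NIL} | {x for x in CELLS if tl(x) in Y}
LIST = fix(unfold, set())
LIST_INF = fix(unfold, LISTS)

# Stream(s) := (RTC^op_{x,y} tl(x) = y & y != nil)(s, nil) & s != nil
STREAM = fix(lambda Y: {x for x in CELLS if tl(x) != NIL and tl(x) in Y}, LISTS)

# s |> s' := (RTC_{x,y} tl(x) = y)(s, s'):  s' is a suffix of s (inductive)
EXT = fix(lambda Y: ({(x, x) for x in LISTS}
                     | {(x, z) for x in CELLS for (y, z) in Y if tl(x) == y}), set())


def contains(e):
    """Contains(e, .): some cell of the list has head e (inductive)."""
    return fix(lambda Y: {x for x in CELLS if hd(x) == e or tl(x) in Y}, set())


def const(e):
    """Const(e, .): every head along the stream is e (coinductive)."""
    return fix(lambda Y: {x for x in STREAM if hd(x) == e and tl(x) in Y}, STREAM)


# Eventually constant: some suffix (reached via |>) is a constant stream.
EVENTUALLY_CONST = {x for x in STREAM
                    if any((x, z) in EXT and z in const(hd(z)) for z in CELLS)}

# Lexicographic order, unfolding the description of psi_l: equal heads pass
# the obligation on to the two tails; a strictly smaller head discharges it.
LEX = fix(lambda Y: {(a, b) for a in STREAM for b in STREAM
                     if hd(a) < hd(b) or (hd(a) == hd(b) and (tl(a), tl(b)) in Y)},
          PAIRS)

# Substream.  Assumed direction: (a, b) in SUPER means b is a substream of a.
# Drop a finite prefix of a (the inductive |>) to reach a cell whose head is
# hd(b), then continue coinductively with the two tails.
SUPER = fix(lambda Y: {(a, b) for a in STREAM for b in STREAM
                       if any((a, z) in EXT and hd(z) == hd(b) and (tl(z), tl(b)) in Y
                              for z in CELLS)},
            PAIRS)


def is_transitive(R):
    """Finite-model check of a transitivity claim (evidence, not a proof)."""
    return all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2)
```

The difference between induction and coinduction is visible only in the starting point of the iteration: `LIST` and `LIST_INF` use the same one-step unfolding, but the former grows from the empty set and so contains only cells whose tail chain reaches \(\mathsf {nil}\), while the latter shrinks from the whole sort and so keeps every cell that can keep going. The substream relation nests the two: the inductively computed `EXT` supplies the finite skipped prefixes inside a greatest fixed point over pairs of streams.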

4 Proof Theory

We now present a non-well-founded proof system for \(\mathsf {RTcC}\), which extends (an equivalent of) the non-well-founded proof system considered in [17, 18] for transitive closure logic (i.e. the \(\mathsf {RTC}\)-fragment of \(\mathsf {RTcC}\)).

4.1 A Non-well-Founded Proof System

In non-well-founded proof systems, e.g. [2, 5, 10,11,12, 23, 24, 50], proofs are allowed to be infinite, i.e. non-well-founded trees, but they are subject to the restriction that every infinite path in the proof admits some infinite progress, witnessed by tracing terms or formulas. The infinitary proof system for \(\mathsf {RTcC}\) logic is defined as an extension of \(\mathcal {LK}_=\), the sequent calculus for classical first-order logic with equality and substitution [28, 56]. Sequents are expressions of the form \({\varGamma } \Rightarrow {\varDelta }\), for finite sets of formulas \(\varGamma \) and \(\varDelta \). We abbreviate \(\varGamma , \varDelta \) and \(\varGamma , \varphi \) by \(\varGamma \cup \varDelta \) and \(\varGamma \cup \{ \varphi \}\), respectively, and write \(\mathsf {fv}(\varGamma )\) for the set of free variables of the formulas in \(\varGamma \). A sequent \({\varGamma } \Rightarrow {\varDelta }\) is valid if and only if the formula \(\bigwedge _{\varphi \in \varGamma } \varphi \rightarrow \bigvee _{\psi \in \varDelta } \psi \) is.

Fig. 1. Proof rules of \({\mathsf {RTcC}}^{\infty }_{G}\)

Definition 4 (\({\mathsf {RTcC}}^{\infty }_{G}\))

The proof system \({\mathsf {RTcC}}^{\infty }_{G}\) is obtained by adding to \(\mathcal {LK}_=\) the proof rules given in Fig. 1.

Rules (6) and (8) are the unfolding rules for the two operators, representing the induction and coinduction principles in the system, respectively. The proof rules for both operators have exactly the same form, and so the reader may wonder what it is, then, that distinguishes the behaviour of the two operators. The difference proceeds from the way the decomposition of the corresponding formulas is traced in the non-well-founded proof system. For induction, \( RTC \) formulas on the left-hand side of sequents are traced through Rule (6); for coinduction, \( RTC ^{\mathsf {op}}\) formulas on the right-hand side of sequents are traced through Rule (8).

Definition 5

(\({\mathsf {RTcC}}^{\infty }_{G}\) Pre-proofs). An \({\mathsf {RTcC}}^{\infty }_{G}\) pre-proof is a rooted, possibly non-well-founded (i.e. infinite) derivation tree constructed using the \({\mathsf {RTcC}}^{\infty }_{G}\) proof rules. A path in a pre-proof is a possibly infinite sequence \(S_0, S_1, \ldots (, S_n)\) of sequents with \(S_0\) the root of the proof, and \(S_{i+1}\) a premise of \(S_i\) for each \(i < n\).

We adopt the usual proof-theoretic notions of formula occurrence and sub-occurrence, and of ancestry between formulas [13]. A formula occurrence is called a proper formula if it is not a sub-occurrence of any formula.

Definition 6 ((Co-)Traces)

A trace (resp. co-trace) is a possibly infinite sequence \(\tau _{1}, \tau _{2}, \ldots (, \tau _{n})\) of proper \( RTC \) (resp. \( RTC ^{\mathsf {op}}\)) formula occurrences in the left-hand (resp. right-hand) side of sequents in a pre-proof such that \(\tau _{i+1}\) is an immediate ancestor of \(\tau _{i}\) for each \(i > 0\). If the trace (resp. co-trace) contains an infinite number of formula occurrences that are principal for instances of Rule (6) (resp. Rule (8)), then we say that it is infinitely progressing.

As usual in non-well-founded proof theory, we use the notion of (co-)trace to define a global trace condition, distinguishing certain ‘valid’ pre-proofs.

Definition 7 (\({\mathsf {RTcC}}^{\infty }_{G}\) Proofs)

An \({\mathsf {RTcC}}^{\infty }_{G}\) proof is a pre-proof in which every infinite path has a tail followed by an infinitely progressing (co-)trace.

In general, one cannot reason effectively about infinite proofs, as found in \({\mathsf {RTcC}}^{\infty }_{G}\). In order to do so our attention has to be restricted to those proof trees which are finitely representable. That is, the regular infinite proof trees, containing only finitely many distinct subtrees. They can be specified as systems of recursive equations or, alternatively, as cyclic graphs [22]. One way of formalising such proof graphs is as standard proof trees containing open nodes (called buds), to each of which is assigned a syntactically equal internal node of the proof (called a companion). The restriction to cyclic proofs provides the basis for an effective system for automated inductive and coinductive reasoning. The system \({\mathsf {RTcC}}^{\infty }_{G}\) can naturally be restricted to a cyclic proof system for \(\mathsf {RTcC}\) logic as follows.

Definition 8 (Cyclic Proofs)

The cyclic proof system \({\mathsf {RTcC}}^{\omega }_{G}\) for \(\mathsf {RTcC}\) logic is the subsystem of \({\mathsf {RTcC}}^{\infty }_{G}\) comprising all and only the finite and regular infinite proofs (i.e. proofs that can be represented as finite, possibly cyclic, graphs).

It is decidable whether a cyclic pre-proof satisfies the global trace condition, using a construction involving an inclusion between Büchi automata [10, 54]. However, since this requires complementing Büchi automata (a PSPACE procedure), \({\mathsf {RTcC}}^{\omega }_{G}\) is not a proof system in the Cook-Reckhow sense [21]. Notwithstanding, checking the trace condition for cyclic proofs found in practice is not prohibitive [45, 57].

Although \({\mathsf {RTcC}}^{\infty }_{G}\) is complete (cf. Theorem 2 below), \({\mathsf {RTcC}}^{\omega }_{G}\) is not, since arithmetic can be encoded in \(\mathsf {RTcC}\) logic and the set of \({\mathsf {RTcC}}^{\omega }_{G}\) proofs is recursively enumerable. Nonetheless, \({\mathsf {RTcC}}^{\omega }_{G}\) is adequate for \(\mathsf {RTcC}\) logic in the sense that it suffices for proving the standard properties of the operators, as in, e.g., Proposition 2.

Example 1

Figure 2 demonstrates an \({\mathsf {RTcC}}^{\omega }_{G}\) proof that the transitive closure is contained within the transitive co-closure. Notice that the proof has a single cycle, and thus a single infinite path. Following this path, there is both a trace (consisting of the highlighted \( RTC \) formulas, on the left-hand side of sequents) which progresses on traversing Rule (6) (marked ), and a co-trace (consisting of the highlighted \( RTC ^{\mathsf {op}}\) formulas, on the right-hand side of sequents), which progresses on traversing Rule (8) (marked ). Thus, Fig. 2 can be seen both as a proof by induction and a proof by coinduction. It exemplifies how naturally such reasoning can be captured within \({\mathsf {RTcC}}^{\omega }_{G}\).

Fig. 2. Proof in \({\mathsf {RTcC}}^{\omega }_{G}\) of \({(\mathop { RTC _{{x},{y}}} {\varphi })(u, v)} \Rightarrow {(\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(u, v)}\)

A salient feature of non-well-founded proof systems, including this one, is that (co)induction invariants need not be mentioned explicitly, but instead are encoded in the cycles of a proof. This facilitates the automation of such reasoning, as the invariants may be interactively constructed during a proof-search process.

4.2 Soundness

To show soundness, i.e. that all derived sequents are valid, we establish that the infinitely progressing (co-)traces in proofs preclude the existence of counter-models. By local soundness of the proof rules, any given counter-model for a sequent derived by a proof identifies an infinite path in the proof consisting of invalid sequents. However, the presence of a (co-)trace along this path entails a contradiction (and so we conclude that no counter-models exist). From a trace, one may infer the existence of an infinitely descending chain of natural numbers. This relies on a notion of (well-founded) measure for \( RTC \) formulas, viz. the measure of \(\phi \equiv (\mathop { RTC _{{x},{y}}} {\varphi })(s, t)\) with respect to a given model \(M\) and valuation \(\nu \)—denoted by \(\delta _{\phi }({M}, {\nu })\)—is defined to be the minimum number of \(\varphi \)-steps needed to connect \(\nu (s)\) and \(\nu (t)\) in \(M\). Conversely, from a co-trace beginning with a formula \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\) one can construct an infinite sequence of \(\varphi \)-steps beginning at s, i.e. a witness that the counter-model does in fact satisfy \((\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\), contradicting its being a counter-model.

The key property needed for soundness of the proof system is the following strong form of local soundness for the proof rules.

Proposition 3 (Trace Local Soundness)

Let \(M\) be a model and \(\nu \) a valuation that invalidate the conclusion of an instance of an \({\mathsf {RTcC}}^{\infty }_{G}\) inference rule; then there exists a valuation \(\nu '\) that invalidates some premise of the inference rule such that the following hold.

1. If \((\tau , \tau ')\) is a trace following the path from the conclusion to the invalid premise, then \(\delta _{\tau '}({M}, {\nu '}) \le \delta _{\tau }({M}, {\nu })\); moreover \(\delta _{\tau '}({M}, {\nu '}) < \delta _{\tau }({M}, {\nu })\) if the rule is an instance of (6) and \(\tau \) is the principal formula.

2. If \((\tau , \tau ')\) is a co-trace following the path from the conclusion to the invalid premise, with \(\tau \equiv (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\) and \(\tau ' \equiv (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi '})(r, t')\), then: (a) \(M, \nu [x\,{:}{=}\,d, y\,{:}{=}\,d'] \models \varphi \) if and only if \(M, \nu '[x\,{:}{=}\,d, y\,{:}{=}\,d'] \models \varphi '\), for all elements d and \(d'\) in \(M\); and (b) if \(\tau \) is the principal formula of an instance of (8), and \(\nu (s) = \nu '(r)\) otherwise.

The global soundness of the proof system then follows.

Theorem 1

(Soundness of \({\mathsf {RTcC}}^{\infty }_{G}\)). Sequents derivable in \({\mathsf {RTcC}}^{\infty }_{G}\) are valid.


Take a proof deriving \({\varGamma } \Rightarrow {\varDelta }\). Suppose, for contradiction, that there is a model \(M\) and valuation \(\nu _{1}\) invalidating \({\varGamma } \Rightarrow {\varDelta }\). Then by Proposition 3 there exists an infinite path of sequents \(({\mathbf {S}_{i}})_{i > 0}\) in the proof and an infinite sequence of valuations \(({\mathbf {\nu }_{i}})_{i > 0}\) such that \(M\) and \(\nu _i\) invalidate \(S_i\) for each \(i > 0\). Since the proof must satisfy the global trace condition, this infinite path has a tail \(({\mathbf {S}_{i}})_{i > k}\) followed by an infinitely progressing (co-)trace \(({\mathbf {\tau }_{i}})_{i > 0}\).

  • If \(({\mathbf {\tau }_{i}})_{i > 0}\) is a trace, Proposition 3 implies an infinitely descending chain of natural numbers: \(\delta _{\tau _{1}}({M}, {\nu _{k+1}}) \ge \delta _{\tau _{2}}({M}, {\nu _{k+2}}) \ge \ldots \), where the inequality is strict each time the trace progresses, which happens infinitely often.

  • If \(({\mathbf {\tau }_{i}})_{i > 0}\) is a co-trace, with \(\tau _1 \equiv (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\) and \(M, \nu _{k+1} \not \models \tau _1\), then Proposition 3 entails that there is an infinite sequence of terms \(t_0, t_1, t_2, \ldots \) with \(s \equiv t_0\) such that \(M, \nu _{k+1}[x {:}{=} \nu _{k+1}(t_j), y {:}{=} \nu _{k+1}(t_{j+1})] \models \varphi \) for each \(j \ge 0\). That is, it follows from Definition 2 that \(M, \nu _{k+1} \models (\mathop { RTC ^{\mathsf {op}}_{{x},{y}}} {\varphi })(s, t)\).

In both cases we have a contradiction, so we conclude that \({\varGamma } \Rightarrow {\varDelta }\) is valid.   \(\square \)
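The two cases of this proof rest on the semantics of the closure operators: a trace bounds a well-founded measure \(\delta \), while a co-trace produces an infinite \(\varphi \)-path, which is enough to satisfy an \( RTC ^{\mathsf {op}}\) formula. The following Python program is an added illustration (it is not code from the paper) that computes both operators on a constructed finite model: \( RTC \) as the least relation, and \( RTC ^{\mathsf {op}}\) as the greatest relation, closed under the reflexive base case and one \(\varphi \)-step. That reading of Definition 2 is an assumption of the example, since the definition itself is not reproduced on this page; the domain and the step relation `PHI` are constructed sample data.

```python
"""Least/greatest fixed point semantics of RTC and RTC^op on a finite model.

Added illustration (not code from the paper). The domain and the step relation
PHI are constructed; the reading of Definition 2 as "RTC = least, RTC^op =
greatest relation closed under the reflexive base case and one phi-step" is an
assumption of this example.
"""
from collections import deque


def rtc(phi, domain):
    """RTC_{x,y} phi (s, t): least fixed point. Start from the reflexive base
    case and add (s, u) whenever (s, t) is already in and t steps to u."""
    rel = {(d, d) for d in domain}
    while True:
        new = rel | {(s, u) for (s, t) in rel for (t2, u) in phi if t == t2}
        if new == rel:
            return rel
        rel = new


def rtc_op(phi, domain):
    """RTC^op_{x,y} phi (s, t): greatest fixed point. Start from all pairs and
    drop (s, t) unless s == t or some phi-successor z of s still has (z, t)."""
    rel = {(s, t) for s in domain for t in domain}
    while True:
        new = {(s, t) for (s, t) in rel
               if s == t or any((s, z) in phi and (z, t) in rel for z in domain)}
        if new == rel:
            return rel
        rel = new


def delta(phi, s, t):
    """Measure from the soundness proof: minimum number of phi-steps from s to
    t (BFS distance), or None when no finite chain exists. A trace that
    progresses infinitely often would force this value to decrease forever."""
    dist = {s: 0}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        if u == t:
            return dist[u]
        for (a, b) in phi:
            if a == u and b not in dist:
                dist[b] = dist[u] + 1
                queue.append(b)
    return None


def starts_infinite_path(phi, domain, s):
    """Does an infinite phi-path start at s? Computed as the greatest set of
    elements that all have a successor inside the set; on a finite domain this
    means s reaches a cycle. This is the witness a co-trace yields above."""
    live = set(domain)
    while True:
        new = {d for d in live if any((d, e) in phi and e in live for e in domain)}
        if new == live:
            return s in live
        live = new


def coclosure_decomposes(phi, domain):
    """Check that RTC^op = RTC plus every (s, t) whose s starts an infinite
    path: those extra pairs are exactly the coinductive content."""
    expected = rtc(phi, domain) | {(s, t) for s in domain for t in domain
                                   if starts_infinite_path(phi, domain, s)}
    return rtc_op(phi, domain) == expected


# Constructed model: 0 -> 1 -> 2 -> 1 (reaches a cycle), 3 -> 4 (does not).
DOMAIN = {0, 1, 2, 3, 4}
PHI = {(0, 1), (1, 2), (2, 1), (3, 4)}

if __name__ == "__main__":
    print("(0,4) in RTC:", (0, 4) in rtc(PHI, DOMAIN))        # False
    print("(0,4) in RTC^op:", (0, 4) in rtc_op(PHI, DOMAIN))  # True: 0 starts an infinite path
    print("delta(0,2) =", delta(PHI, 0, 2), "delta(1,2) =", delta(PHI, 1, 2))
    print("decomposition holds:", coclosure_decomposes(PHI, DOMAIN))
```

Unfolding one \(\varphi \)-step from 0 towards 2 lowers `delta` from 2 to 1, which is the strict decrease Proposition 3 attaches to instances of (6); the pair (0, 4), on the other hand, is in \( RTC ^{\mathsf {op}}\) but not in \( RTC \) purely because 0 starts an infinite path, which is the situation the co-trace case of the proof exploits.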

Since every \({\mathsf {RTcC}}^{\omega }_{G}\) proof is also an \({\mathsf {RTcC}}^{\infty }_{G}\) proof, soundness of \({\mathsf {RTcC}}^{\omega }_{G}\) is an immediate corollary.

Corollary 1

A sequent \({\varGamma } \Rightarrow {\varDelta }\) is valid if there is an \({\mathsf {RTcC}}^{\omega }_{G}\) proof deriving it.

4.3 Completeness

The completeness proof for \({\mathsf {RTcC}}^{\infty }_{G}\) is obtained by extending the completeness proof of the \( RTC \)-fragment of \({\mathsf {RTcC}}^{\infty }_{G}\) found in [17, 18], which, in turn, follows a standard technique used in e.g. [12]. We next outline the core of the proof; full details can be found in the appendix.

Roughly speaking, for a given sequent \({\varGamma } \Rightarrow {\varDelta }\) one constructs a ‘search tree’ which corresponds to an exhaustive search strategy for a cut-free proof for the sequent. Search trees are, by construction, recursive and cut-free. In case the search tree is not an \({\mathsf {RTcC}}^{\infty }_{G}\) proof (and there are no open nodes) it must contain some untraceable infinite branch, i.e. one that does not satisfy the global trace condition. We then collect the formulas occurring along such an untraceable branch to construct a (possibly infinite) ‘sequent’, \({\varGamma _{\omega }} \Rightarrow {\varDelta _{\omega }}\) (called a limit sequent), and construct the Herbrand model \(M_{\omega }\) of open terms quotiented by the equalities it contains. That is, taking \(\sim \) to be the smallest congruence on terms such that \(s \sim t\) whenever \(s = t \in \varGamma _{\omega }\), the elements of \(M_{\omega }\) are \(\sim \)-equivalence classes and every k-ary relation symbol q is interpreted as \(\{ ([t_1], \ldots , [t_k]) \,\mid \, q(t_1, \ldots , t_k) \in \varGamma _{\omega } \}\) (here [t] denotes the \(\sim \)-equivalence class containing t). This model, together with the valuation \(\nu _{\omega }\) defined by \(\nu _{\omega }(x) = [x]\) for all variables x, can be shown to invalidate the sequent \({\varGamma } \Rightarrow {\varDelta }\). The completeness result therefore follows.

Theorem 2 (Completeness)

All valid sequents are derivable in \({\mathsf {RTcC}}^{\infty }_{G}\).


Given any sequent S, if some search tree for S is not an \({\mathsf {RTcC}}^{\infty }_{G}\) proof then it has an untraceable branch, and the model \(M_{\omega }\) and valuation \(\nu _{\omega }\) constructed from the corresponding limit sequent invalidate S. Thus if S is valid, then the search tree is a recursive \({\mathsf {RTcC}}^{\infty }_{G}\) proof deriving S.    \(\square \)

We obtain admissibility of cut for the full infinitary system because the search tree is, by construction, cut-free. Since the construction of the search tree does not necessarily produce \({\mathsf {RTcC}}^{\omega }_{G}\) pre-proofs, we do not obtain a regular completeness result using this technique.

Corollary 2 (Cut admissibility)

Cut is admissible in \({\mathsf {RTcC}}^{\infty }_{G}\).

5 Proving Properties of Streams

We now demonstrate how (co)inductive reasoning about streams and their properties is formalised in the cyclic fragment of the proof system presented above. For the sake of clarity, in the derivations below we elide detailed applications of the proof rules (including the axioms for list constructors), instead indicating the principal rules involved at each step. We also elide (using ‘\(\ldots \)’) formulas in sequents that are not relevant to the local reasoning at that point.

Transitivity of Lexicographic Ordering. Fig. 3 outlines the main structure of an \({\mathsf {RTcC}}^{\omega }_{G}\) proof deriving the sequent \({x \mathrel {\le _{\ell }}y, y \mathrel {\le _{\ell }}z} \Rightarrow {x \mathrel {\le _{\ell }}z}\), where x, y, and z are distinct variables. All other variables in Fig. 3 are freshly introduced. \(\mathcal {U}_{\ell }(\sigma _1, \sigma _2, \sigma '_1, \sigma '_2)\) abbreviates the set (i.e. the result of unfolding the step case of the formula \(\sigma _1 \mathrel {\le _{\ell }}\sigma _2\) using \(\sigma '_1\) and \(\sigma '_2\) as the intermediate terms).

Fig. 3. High-level structure of an \({\mathsf {RTcC}}^{\omega }_{G}\) proof of transitivity of \(\mathrel {\le _{\ell }}\).

The proof begins by unfolding the definitions of \(x \mathrel {\le _{\ell }}y\) and \(y \mathrel {\le _{\ell }}z\), shown in Fig. 3b. The interesting part is the sub-proof shown in Fig. 3a, when each of the lists is not \(\mathsf {nil}\). Here, we perform case splits on the relationship between the head elements a, b, and c. For the case \(a = c\), i.e. the heads are equal, when unfolding the formula \(x \mathrel {\le _{\ell }}z\) on the right-hand side, we instantiate the second components of the \( RTC ^{\mathsf {op}}\) formula to be the tails of the streams, \(x'\) and \(z'\). In the left-hand premise we must show , which can be done by matching with formulas already present in the sequent. The right-hand premise must derive \(x' \mathrel {\le _{\ell }}z'\), i.e. the tails are lexicographically related. This is where we apply the coinduction principle, by renaming the variables and forming a cycle in the proof back to the root. This does indeed produce a proof, since we can form a co-trace by following the formulas \(x \mathrel {\le _{\ell }}z, \ldots , x' \mathrel {\le _{\ell }}z'\) on the right-hand side of sequents along this cycle. This co-trace progresses as it traverses the instance of Rule (8) each time around the cycle (marked ).

Fig. 4. High-level structure of an \({\mathsf {RTcC}}^{\omega }_{G}\) proof of transitivity of \(\succcurlyeq \).

Transitivity of the Substream Relation. Fig. 4 outlines the structure of an \({\mathsf {RTcC}}^{\omega }_{G}\) proof of the sequent \({x \succcurlyeq y, y \succcurlyeq z} \Rightarrow {x \succcurlyeq z}\), for distinct variables x, y, and z. As above, other variables are freshly introduced, and we use \(\mathcal {U}_{\succcurlyeq }(\sigma _1, \sigma _2, \sigma '_1, \sigma '_2)\) to denote the set (i.e. the result of unfolding the step-case of the formula \(\sigma _1 \succcurlyeq \sigma _2\) using \(\sigma '_1\) and \(\sigma '_2\) as the intermediate terms).

The reflexive cases are handled similarly to the previous example. Again, the work is in proving the step cases. After unfolding both \(x \succcurlyeq y\) and \(y \succcurlyeq z\), we obtain \(x' \succcurlyeq y'\) and \(y'' \succcurlyeq z'\), as part of \(\mathcal {U}_{\succcurlyeq }(x, y, x', y')\) and \(\mathcal {U}_{\succcurlyeq }(y, z, y'', z')\), respectively. We also have (for fresh variables a and b) that: (i) \(x \mathbin {\triangleleft }{a}{{\,\mathrm{{:}{:}}\,}}{x'}\); (ii) \(y = {a}{{\,\mathrm{{:}{:}}\,}}{y'}\) (\(y'\) is the immediate tail of y); (iii) \(y \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{y''}\) (\(y''\) is some tail of y); and (iv) \(z = {b}{{\,\mathrm{{:}{:}}\,}}{z'}\) (\(z'\) is the immediate tail of z). Ultimately, we are looking to obtain \(x \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{x''}\) and \(x'' \succcurlyeq y''\) (for some tail \(x''\)), so that we can unfold the formula \(x \succcurlyeq z\) on the right-hand side to obtain \(x'' \succcurlyeq z'\) and thus be able to form a (coinductive) cycle.

The application of Rule (6) shown in Fig. 4 performs a case-split on the formula \(y \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{y''}\). The left-hand branch handles the case that \(y''\) is, in fact, the immediate tail of y; thus \(y' = y''\) and \(a = b\), and so we can substitute b and \(y''\) in place of a and \(y'\), respectively, and take \(x''\) to be \(x'\). In the right-hand branch, corresponding to the case that \(y''\) is not the immediate tail of y, we obtain \(y' \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{y''}\) from the case-split. Then we apply two lemmas; namely: (i) if \(x' \succcurlyeq y'\) and \(y' \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{y''}\), then there is some \(x''\) such that \(x' \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{x''}\) and \(x'' \succcurlyeq y''\); and (ii) if \(x \mathbin {\triangleleft }{a}{{\,\mathrm{{:}{:}}\,}}{x'}\) and \(x' \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{x''}\), then \(x \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{x''}\) (a form of transitivity for the extends relation). For space reasons we do not show the structure of the sub-proofs deriving these; however, as marked in the figure, both are carried out by induction on the \(\mathbin {\triangleleft }\) relation.

In summary, the proof contains two (inductive) sub-proofs, each validated by infinitely progressing inductive traces, and also two overlapping outer cycles. Infinite paths following these outer cycles have co-traces consisting of the highlighted formulas in Fig. 4, which progress infinitely often as they traverse the instances of Rule (8) (marked ).
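The two cyclic proofs of this section have a direct computational counterpart: a checker that unfolds the goal exactly as the proof does, and treats a goal it has already seen as discharged, which is the cycle back to the root. The Python below is an added example (not code from the paper) that implements this for \(\mathrel {\le _{\ell }}\) and \(\succcurlyeq \) and then checks the two transitivity sequents on a constructed family of streams. It makes the following assumptions, since the definitions are not reproduced on this page: streams are restricted to eventually periodic ones (a finite prefix followed by a repeated cycle), so that every stream has finitely many distinct tails and a repeated pair of tails can be detected; \(x \mathrel {\le _{\ell }}z\) unfolds to "the head of x is smaller than the head of z, or the heads are equal and the tails are again related"; and \(x \succcurlyeq y\) unfolds, as described in the text, to "some tail of x starts with the head of y (the inductive extends relation \(x \mathbin {\triangleleft }{b}{{\,\mathrm{{:}{:}}\,}}{x''}\)) and \(x''\) is related to the tail of y". The class and function names are the example's own.

```python
"""Coinductive checks for <=_lex and the substream relation on streams,
mirroring the cyclic proofs of Section 5.

Added illustration, not the paper's code. Assumptions: streams are eventually
periodic (prefix . cycle^omega), so each has finitely many distinct tails;
x <=_lex z unfolds to "head(x) < head(z), or equal heads and related tails";
x >= y (y is a substream of x) unfolds to "some tail of x starts with head(y)
(the inductive extends relation x <| b::x'') and x'' >= tail(y)".
"""


class Stream:
    """prefix . cycle^omega, e.g. Stream((1,), (2, 3)) is 1 2 3 2 3 2 3 ..."""

    def __init__(self, prefix, cycle):
        assert cycle, "a stream is infinite, so the cycle must be non-empty"
        self.prefix, self.cycle = tuple(prefix), tuple(cycle)

    def head(self, pos):
        n = len(self.prefix)
        return self.prefix[pos] if pos < n else self.cycle[(pos - n) % len(self.cycle)]

    def tail(self, pos):
        """Position of the tail, normalised into [0, len(prefix)+len(cycle)) so
        that two positions are equal exactly when the tails are equal streams."""
        n, k = len(self.prefix), len(self.cycle)
        pos += 1
        return pos if pos < n + k else n + (pos - n) % k


def lex_le(x, z):
    """x <=_lex z. Equal heads unfold the goal to the tails (the RTC^op step,
    Rule (8)); meeting a pair of tails again is the cycle back to the root in
    Fig. 3, and the coinductive hypothesis discharges the goal."""
    seen, xi, zi = set(), 0, 0
    while (xi, zi) not in seen:
        seen.add((xi, zi))
        a, c = x.head(xi), z.head(zi)
        if a != c:
            return a < c          # base case, decided by the heads alone
        xi, zi = x.tail(xi), z.tail(zi)
    return True                   # cycle closed: coinductive hypothesis applies


def extends(x, xi, b):
    """Inductive part: x <| b::x''. Search the tails of x from position xi for
    one with head b and return the position of x''. Because x has only
    len(prefix)+len(cycle) distinct tails the search is bounded, which plays the
    role of the well-founded measure behind the inductive sub-proofs of Fig. 4."""
    pos = xi
    for _ in range(len(x.prefix) + len(x.cycle)):
        if x.head(pos) == b:
            return x.tail(pos)
        pos = x.tail(pos)
    return None


def substream(x, y):
    """x >= y: every element of y occurs in x, in order. Each unfolding runs the
    inductive search for a tail of x matching head(y), then relates the tails
    coinductively; a repeated pair of positions closes the outer cycle."""
    seen, xi, yi = set(), 0, 0
    while (xi, yi) not in seen:
        seen.add((xi, yi))
        xi = extends(x, xi, y.head(yi))
        if xi is None:
            return False          # head(y) never occurs in the remaining tail of x
        yi = y.tail(yi)
    return True


def transitive(rel, streams):
    """The sequents proved in Section 5, checked on a finite family of streams:
    rel(x, y) and rel(y, z) imply rel(x, z) for all x, y, z in the family."""
    return all(rel(x, z) for x in streams for y in streams for z in streams
               if rel(x, y) and rel(y, z))


# Constructed sample streams: 000..., 0101..., 0 1010... (the same stream as the
# previous one, written with a prefix), 111..., 0 1 222..., 1 222...
SAMPLE = [Stream((), (0,)), Stream((), (0, 1)), Stream((0,), (1, 0)),
          Stream((), (1,)), Stream((0, 1), (2,)), Stream((1,), (2,))]

if __name__ == "__main__":
    print(lex_le(SAMPLE[1], SAMPLE[2]), substream(SAMPLE[1], SAMPLE[3]))
    print(transitive(lex_le, SAMPLE), transitive(substream, SAMPLE))
```

Two points are worth noticing when running it. `lex_le` on the two spellings of 0101... never finds differing heads and terminates only because a pair of tails recurs, which is precisely the situation in which the proof of Fig. 3 closes its cycle rather than hitting a base case. In `substream`, the inner call to `extends` is the inductive sub-proof and the outer loop the coinductive cycle, the same mixture of traces and co-traces the text describes for Fig. 4.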

6 Conclusion and Future Work

This paper presented a new framework that extends the well-known, powerful transitive closure logic with a dual transitive co-closure operator. An infinitary proof system for the logic was developed and shown to be sound and complete. Its cyclic subsystem was shown to be powerful enough for reasoning over streams, and in particular automating combinations of inductive and coinductive arguments.

Much remains to be done to fully develop the new logic and its proof theory, and to study its implications. Although we have shown that our framework captures many interesting properties of the canonical coinductive data type, streams, a primary task for future research is to formally characterise its ability to capture finitary coinductive definitions in general. In particular, it seems plausible that \(\mathsf {RTcC}\) is a good candidate setting in which to look for characterisations that complement and bridge existing results for coinductive data in automata theory and coalgebra. That is, it may potentially mirror (and also perhaps even replace) the role that monadic second order logic plays for (\(\omega \)-)regular languages.

Another important research task is to further develop the structural proof theory of the systems \({\mathsf {RTcC}}^{\infty }_{G}\) and \({\mathsf {RTcC}}^{\omega }_{G}\) in order to describe the natural process and dynamics of inductive and coinductive reasoning. This includes properties such as cut elimination, admissibility of rules, regular forms for proofs, focussing, and proof search strategies. For example, syntactic cut elimination for non-well-founded systems has been studied extensively in the context of linear logic [5, 26]. The basic approach would seem to work for \(\mathsf {RTcC}\), however, one expects that cut-elimination will not preserve regularity.

Through the proofs-as-programs paradigm (a.k.a. the Curry-Howard correspondence) our proof-theoretic synthesis of induction and coinduction has a number of applications that invite further investigation. Namely, our framework provides a general setting for verifying program correctness against specifications of coinductive (safety) and inductive (liveness) properties. Implementing proof-search procedures can lead to automation, as well as correct-by-construction synthesis of programs operating on (co)inductive data. Finally, grounding proof assistants in our framework will provide a robust, proof-theoretic basis for mechanistic coinductive reasoning.