Keywords

1 Introduction

Guarded Kleene Algebra with Test (\(\texttt{GKAT}\)) is the fragment of Kleene Algebra with Tests (\(\texttt{KAT}\)) comprised of the deterministic \(\textsf{while}\) programs. Those are the programs built up from sequential composition \((e \cdot f)\), conditional branching (if-b-then-e-else-f) and loops (while b do e). For an introduction to \(\texttt{KAT}\) we refer the reader to [10]. The first papers focusing on the fragment of \(\texttt{KAT}\) that is nowadays called \(\texttt{GKAT}\) are Kozen’s [11] and Kozen & Tseng’s [12], where it is used to study the relative power of several programming constructs.

As \(\texttt{GKAT}\) is a fragment of \(\texttt{KAT}\), it directly inherits a rich theory. It admits a language semantics in the form of guarded strings and for every expression there is a corresponding \(\texttt{KAT}\)-automaton. Already in [12] it was argued that \(\texttt{GKAT}\) expressions are more closely related to so-called strictly deterministic automata, where every state transition executes a primitive program. Smolka et al. significantly advanced the theory of \(\texttt{GKAT}\) in [22], by studying various additional semantics, identifying the precise class of strictly deterministic automata corresponding to \(\texttt{GKAT}\)-expressions (proving a Kleene theorem), giving a nearly linear decision procedure of the equivalence of \(\texttt{GKAT}\)-expressions, and studying its equational axiomatisation. Since then \(\texttt{GKAT}\) has received considerable further attention, e.g. in [17, 20, 21, 24].

One of the most challenging and intriguing aspects of \(\texttt{GKAT}\) is its proof theory. The standard equational axiomatisation of \(\texttt{KAT}\) from [10] does not simply restrict to \(\texttt{GKAT}\), since a derivation of an expression that lies within the \(\texttt{GKAT}\)-fragment might very well contain expressions that lie outside of it. Moreover, the axiomatisation of \(\texttt{KAT}\) contains a least fixed point rule that relies on the equational definability of inclusion, which does not seem to be available in \(\texttt{GKAT}\).

In [22], this problem is circumvented by introducing a custom equational axiomatisation for \(\texttt{GKAT}\) that uses a unique fixed point rule. While a notable result, this solution is still not entirely satisfactory. First, completeness is only proven under the inclusion of a variant of the unique fixed point rule that operates on entire systems of equations (this problem was recently addressed for the so-called skip-free fragment of \(\texttt{GKAT}\) in [21]). Moreover, even the ordinary, single-equation, unique fixed point rule contains a non-algebraic side-condition, analogous to the empty word property in Salomaa’s axiomatisation of Kleene Algebra [18]. Because of this, a proper definition of ‘a \(\texttt{GKAT}\)’ is still lacking.

In recent years the proof theory of logics with fixed point operators (such as while-b-do-e) has seen increasing interest in non-well-founded proofs. In such proofs, branches need not to be closed by axioms, but may alternatively be infinitely deep. To preserve soundness, a progress condition is often imposed on each infinite branch, facilitating a soundness proof by infinite descent. In some cases non-well-founded proofs can be represented by finite trees with back-edges, which are then called cyclic proofs. See e.g.  [2, 4, 5, 8, 13] for a variety of such approaches. Often, the non-well-founded proof theory of some logic is closely related to its corresponding automata theory. Taking the proof-theoretical perspective, however, can be advantageous because it is more fine-grained and provides a natural setting for establishing results such as interpolation [3, 14], cut elimination [1, 19], and completeness by proof transformation [6, 23].

In [7], Das & Pous study the non-well-founded proof theory of Kleene Algebra, a close relative of \(\texttt{GKAT}\) (for background on Kleene Algebra we refer the reader to [9]). They show that a natural non-well-founded sequent system for Kleene Algebra is not complete when restricting to the subset of cyclic proofs. To remedy this, they introduce a hypersequent calculus, whose cyclic proofs are complete. They give a proof-search procedure for this calculus and show that it runs in \(\textsf{PSPACE}\). Since deciding Kleene Algebra expressions is \(\textsf{PSPACE}\)-complete, their proof-search procedure induces an optimal decision procedure for this problem. In a follow-up paper together with Doumane, left-handed completeness of Kleene Algebra is proven by translating cyclic proofs in the hypersequent calculus to well-founded proofs in left-handed Kleene Algebra [6].

The goal of the present paper is to study the non-well-founded proof theory of \(\texttt{GKAT}\). This is interesting in its own right, for instance because, as we will see, it has some striking differences with Kleene Algebra. Moreover, we hope it opens up new avenues for exploring the completeness of algebraic proof systems for \(\texttt{GKAT}\), through the translation of our cyclic proofs.

Outline. Our paper is structured as follows.

  • In Sect. 2 we introduce preliminary material: the syntax of \(\texttt{GKAT}\) and its language semantics.

  • Sect. 3 introduces our non-well-founded proof system \(\textsf{SGKAT}\) for \(\texttt{GKAT}\).

  • In Sect. 4 we show that (possibly infinitary) proofs in \(\textsf{SGKAT}\) are sound. That is, the interpretation of each derivable sequent - a \(\texttt{GKAT}\)-inequality - is true in the language model (which means that a certain inclusion of languages holds).

  • In Sect. 5 we show that proofs are finite-state: each proof contains only finitely many distinct sequents. More precisely, by employing a more fine-grained analysis than in [7], we give a quadratic bound on the number of distinct sequents occurring in a proof, in terms of the size of its endsequent. It follows that the subset of cyclic proofs proves exactly the same sequents as the set of all non-well-founded proofs.

  • Sect. 6 deals with completeness and complexity. We first use a proof-search procedure to show that \(\textsf{SGKAT}\) is complete: every sequent whose interpretation is valid in the language model, can be derived. We then show that this proof-search procedure runs in \(\textsf{coNLOGSPACE}\). This gives an \(\textsf{NLOGSPACE}\) upper bound on the complexity of the language inclusion problem for \(\texttt{GKAT}\)-expressions.

Our Contributions. Our paper closely follows the treatment of Kleene Algebra in [7]. Nevertheless, we make the following original contributions:

  • Structure of sequents: we devise a form of sequents bespoke to \(\texttt{GKAT}\), by labelling the sequents by sets of atoms. This is similar to how the appropriate automata for \(\texttt{GKAT}\) are not simply \(\texttt{KAT}\)-automata. In contrast to Kleene Algebra, it turns out that we do not need to extend our sequents to hypersequents in order to obtain completeness for the fragment of cyclic proofs.

  • Soundness argument: our modest contribution here is the notion of priority of rules and the fact that our rules are all invertible when they have priority. The soundness argument for finite proofs is, of course, slightly different, because our rules are different. (The step from the soundness of finite proofs, towards the soundness of infinite proofs, is completely analogous to that of [7].)

  • Regularity: this concerns showing that every proof contains only finitely many distinct sequents. As in [7], our argument views each expression in a proof as a subexpression of an expression in the proof’s root. A modest contribution is that our argument is made more formal by considering these expressions as nodes in a syntax tree. More importantly, the bound on the number of distinct cedents we obtain is sharper: where in [7] it is exponential in the size of the syntax tree, our bound is linear (yielding a quadratic bound on the number of sequents).

  • Completeness: the structure of the argument is identical to that in [7], but the details differ due to the different rules and different type of sequents. This for instance shows in our proof of Lemma 9 (which is analogous to Lemma 20 in [7]), where we make crucial use of the set of atoms annotating a sequent.

  • Complexity: our complexity argument is necessarily different because it applies to a different system and is designed to give a different upper bound.

Due to space limitations several proofs are only sketched or omitted entirely. Full versions of these proofs can be found in the extended version of this paper [15].

2 Preliminaries

2.1 Syntax

The language of \(\texttt{GKAT}\) has two sorts, namely programs and a subset thereof consisting of tests. It is built from a finite and non-empty set T of primitive tests and a non-empty set \(\varSigma \) of primitive programs, where T and \(\varSigma \) are disjoint. For the rest of this paper we fix such sets T and \(\varSigma \). We reserve the letters t and p to refer, respectively, to arbitrary primitive tests and primitive programs. The first of the following grammars defines the tests, and the second the expressions.

$$\begin{aligned} b,c :\,\!:= 0 \mid 1 \mid t \mid \overline{b} \mid b \vee c \mid b \cdot c \qquad e,f :\,\!:= b \mid p \mid e \cdot f \mid e +_b f \mid e^{(b)}, \end{aligned}$$

where \(t \in T\) and \(p \in \varSigma \). Intuitively, the operator \(+_b\) stands for the if-then-else construct, and the operator \((-)^{(b)}\) stands for the while loop. Note that the tests are simply propositional formulas. It is convention to use \(\cdot \) instead of \(\wedge \) for conjunction. As usual, we often omit \(\cdot \) for syntactical convenience, e.g. by writing pq instead of \(p \cdot q\).

Example 1

The idea of \(\texttt{GKAT}\) is to model imperative programs. For instance, the expression \((p +_b q)^{(a)}\) represents the following imperative program:

$$\begin{aligned} \texttt {while~a~do~(if~b~then~p~else~q)} \end{aligned}$$

Remark 1

As mentioned in the introduction, \(\texttt{GKAT}\) is a fragment of Kleene Algebra with Tests, or \(\texttt{KAT}\) [10]. The syntax of \(\texttt{KAT}\) is the same as that of \(\texttt{GKAT}\), but with unrestricted union \(+\) instead of guarded union \(+_b\), and unrestricted iteration \((-)^*\) instead of the while loop operator \((-)^{(b)}\). The embedding \(\varphi \) of \(\texttt{GKAT}\) into \(\texttt{KAT}\) acts on guarded union and guarded iteration as follows, and commutes with all other operators: \(\varphi (e +_b f) = b \cdot \varphi (e) + \overline{b} \cdot \varphi (f)\), and \(\varphi (e^{(b)}) = (b \cdot \varphi (e))^* \cdot \overline{b}\).

2.2 Semantics

There are several kinds of semantics for \(\texttt{GKAT}\). In [22], a language semantics, a relational semantics, and a probabilistic semantics are given. In this paper we are only concerned with the language semantics, which we shall now describe.

We denote by \(\textsf{At}\) the set of atoms of the free Boolean algebra generated by \(T = \{t_1, \ldots t_n\}\). That is, \(\textsf{At}\) consists of all tests of the form \(c_1 \cdots c_n\), where \(c_i \in \{t_i, \overline{t_i}\}\) for each \(1 \le i \le n\). Lowercase Greek letters \((\alpha , \beta , \gamma , \ldots )\) will be used to denote elements of \(\textsf{At}\). A guarded string is an element of the regular set \(\textsf{At} \cdot (\varSigma \cdot \textsf{At})^*\). That is, a string of the form \(\alpha _1 p_1 \alpha _2 p_2 \cdots \alpha _n p_n \alpha _{n+1}\). We will interpret expressions as languages (formally just sets) of guarded strings. The sequential composition operator \(\cdot \) is interpreted by the fusion product \(\diamond \), given by \(L \diamond K := \{x \alpha y \mid x\alpha \in L \text { and } \alpha y \in K\}\). For the interpretation of \(+_b\), we define for every set of atoms \(B \subseteq \textsf{At}\) the following operation of guarded union on languages: \(L +_B K := (B \diamond L) \cup (\overline{B} \diamond K)\), where \(\overline{B}\) is \(\textsf{At} \setminus B\). For the interpretation of \((-)^{(b)}\), we stipulate:

$$\begin{aligned} L^0 := \textsf{At} \qquad L^{n+1} := L^{n} \diamond L \qquad L^B := \bigcup _{n \ge 0} (B \diamond L)^n \diamond \overline{B} \end{aligned}$$

Finally, the semantics of \(\texttt{GKAT}\) is inductively defined as follows:

$$\begin{aligned} \begin{array}{lll} \llbracket {b}\rrbracket := \{\alpha \in \textsf{At} : \alpha \le b\} &{}\llbracket {p}\rrbracket := \{\alpha p \beta : \alpha , \beta \in \textsf{At}\} &{}\llbracket {e \cdot f}\rrbracket := \llbracket {e}\rrbracket \diamond \llbracket {f}\rrbracket \\ \llbracket {e +_b f}\rrbracket := \llbracket {e}\rrbracket +_{\llbracket {b}\rrbracket } \llbracket {f}\rrbracket &{} \llbracket {e^{(b)}}\rrbracket := \llbracket {e}\rrbracket ^{\llbracket {b}\rrbracket } &{} \end{array} \end{aligned}$$

Note that the interpretation of \(\cdot \) between tests is the same whether they are regarded as tests or as programs, i.e. \(\llbracket {b}\rrbracket \cap \llbracket {c}\rrbracket = \llbracket {b}\rrbracket \diamond \llbracket {c}\rrbracket \).

Remark 2

While the semantics of expressions is explicitly defined, the semantics of tests is derived implicitly through the free Boolean algebra generated by T. It is standard in the \(\texttt{GKAT}\) literature to address the Boolean content in this manner.

Example 2

In a guarded string, atoms can be thought of as states of a machine, and programs as executions. For instance, in case of the guarded string \(\alpha p \beta \), the machine starts in state \(\alpha \), then executes program p, and ends in state \(\beta \). Let us briefly check which guarded strings of, say, the form \(\alpha p \beta q \gamma \) belong to the interpretation \(\llbracket {(p +_b q)^{(a)}}\rrbracket \) of the program of Example 1. First, we must have \(\alpha \le a\), for otherwise we would not enter the loop. Moreover, we have \(\alpha \le b\), for otherwise q rather than p would be executed. Similarly, we find that \(\beta \le a, \overline{b}\). Since the loop is exited after two iterations, we must have \(\gamma \le \overline{a}\). Hence, we find

$$ \alpha p \beta q \gamma \in \llbracket {(p +_b q)^{(a)}}\rrbracket \Leftrightarrow \alpha \le a, b \text { and } \beta \le a, \overline{b} \text { and } \gamma \le \overline{a}. $$

We state two simple facts that will be useful later on.

Lemma 1

For any two languages LK of guarded strings, and primitive program p, we have:

(i) \(L^{n + 1} = L \diamond L^n\);      (ii) \(\llbracket {p}\rrbracket \diamond L = \llbracket {p}\rrbracket \diamond K\) implies \(L = K\).

Remark 3

The fact that \(\texttt{GKAT}\) models deterministic programs is reflected in the fact that sets of guarded strings arising as interpretations of \(\texttt{GKAT}\)-expressions satisfy a certain determinacy property. Namely, for every \(x \alpha y\) and \(x \alpha z\) in L, either y and z are both empty, or both begin with the same primitive program. We refer the reader to [22] for more details.

Remark 4

The language semantics of \(\texttt{GKAT}\) is the same as that of \(\texttt{KAT}\) (see [10]), in the sense that \(\llbracket {e}\rrbracket = \llbracket {\varphi (e)}\rrbracket \), where \(\varphi \) is the embedding from Remark 1, the semantic brackets on the right-hand side denote the standard interpretation in \(\texttt{KAT}\), and e is any \(\texttt{GKAT}\)-expression.

3 The Non-well-founded Proof System \(\textsf{SGKAT}^\infty \)

In this section we commence our proof-theoretical study of \(\texttt{GKAT}\). We will present a cyclic sequent system for \(\texttt{GKAT}\), inspired by the cyclic sequent system for Kleene Algebra presented in [7]. In passing, we will compare our system to the latter.

Definition 1

(Sequent). A sequent is a triple \((\varGamma , A, \varDelta )\), written \(\varGamma \Rightarrow _A \varDelta \), where \(A \subseteq \textsf{At}\) and \(\varGamma \) and \(\varDelta \) are (possibly empty) lists of \(\texttt{GKAT}\)-expressions.

The list on the left-hand side of a sequent is called its antecedent, and the list on the right-hand side its succedent. In general we refer to lists of expressions as cedents. The symbol \(\epsilon \) refers to the empty cedent.

Remark 5

As the system in [7] only deals with Kleene Algebra, it does not include tests. We choose the deal with the tests present in \(\texttt{GKAT}\) by augmenting each sequent by a set of atoms. This tucks away the Boolean content, as is usual in the \(\texttt{GKAT}\) literature, allowing us to omit propositional rules.

Definition 2

(Validity). We say that a sequent \(e_1, \ldots , e_n \Rightarrow _A f_1, \ldots , f_m\) is valid whenever \(A \diamond \llbracket e_1 \cdots e_n \rrbracket \subseteq \llbracket f_1 \cdots f_n \rrbracket \).

We often abuse notation writing \(\llbracket {\varGamma }\rrbracket \) instead of \(\llbracket {e_1 \cdots e_n}\rrbracket \), where \(\varGamma = e_1, \ldots , e_n\).

Fig. 1.
figure 1

The rules of \(\textsf{SGKAT}\). The side condition \((\dagger )\) requires that \(A \restriction b = A\).

Full size image

Example 3

An example of a valid sequent is given by \((cp)^{(b)} \Rightarrow _\textsf{At} (p (cp +_b 1))^{(b)}\). The antecedent denotes guarded strings \(\alpha _1 p \alpha _2 p \cdots \alpha _n p \alpha _{n+1}\) where \(\alpha _i \le b, c\) for each \(1 \le i \le n\), and \(\alpha _{n+1} \le \overline{b}\). The succedent denotes such strings where \(\alpha _{i} \le c\) is only required for those \(1 \le i \le n\) where i is even.

Remark 6

Like the sequents for Kleene Algebra in [7], our sequents express language inclusion, rather than language equivalence. For Kleene Algebra this difference is insignificant, as the two notions are interdefinable using unrestricted union: \(\llbracket {e}\rrbracket \subseteq \llbracket {f}\rrbracket \Leftrightarrow \llbracket {e + f}\rrbracket = \llbracket {f}\rrbracket \). For \(\texttt{GKAT}\), however, it is not clear how to define language inclusion in terms of language equivalence. As a result, an advantage of axiomatising language inclusion rather than language equivalence, is that the while-operator can be axiomatised as a least fixed point, eliminating the need for a strict productivity requirement as is present in the axiomatisation in [22].

Given a set of atoms A and a test b, we write \(A \restriction b\) for \(A \diamond \llbracket {b}\rrbracket \), i.e. the set of atoms \(\{\alpha \in A : \alpha \le b\}\). The rules of \(\textsf{SGKAT}\) are given in Fig. 1. Importantly, the rules are always applied to the leftmost expression in a cedent. As a result, we have the following lemma, that later will be used in the completeness proof.

Lemma 2

Let \(\varGamma \Rightarrow _A \varDelta \) be a sequent, and let \(\textsf{r}\) be any rule of \(\textsf{SGKAT}\). Then there is at most one rule instance of \(\textsf{r}\) with conclusion \(\varGamma \Rightarrow _A \varDelta \).

Remark 7

Following [7], we call \(\textsf{k}\) a ‘modal’ rule. The reason is simply that it looks like the rule \(\textsf{k}\) (sometimes called \(\textsf{K}\) or \(\square \)) in the standard sequent calculus for basic modal logic. Our system also features a second modal rule, called \(\textsf{k}_0\). Like \(\textsf{k}\), this rule adds a primitive program p to the antecedent of the sequent. Since the premiss of \(\mathsf {k_0}\) entails that \(\llbracket {\varGamma }\rrbracket = \llbracket {0}\rrbracket \), the antecedent of its conclusion will denote the empty language, and is therefore included in any succedent \(\varDelta \).

Remark 8

Note that the rules of \(\textsf{SGKAT}\) are highly symmetric. Indeed, the only rules that behave differently on the left than on the right, are the b-rules and \(\textsf{k}_0\). Note that b-l changes the set of atoms, while b-r uses a side condition. The asymmetry of \(\textsf{k}_0\) is clear: the succedent of the premiss has a 0, whereas the antecedent does not. A third asymmetry will be introduced in Definition 3, with a condition on infinite branches that is sensitive to (b)-l but not to (b)-r.

Remark 9

The authors of [20] study a variant of \(\texttt{GKAT}\) that omits the so-called early termination axiom, which equates all programs that eventually fail. They give a denotational model of this variant in the form of certain kinds of trees. We conjecture that omitting the rule \(\textsf{k}_0\) from our system will make it sound and complete with respect to this denotational model.

An \(\textsf{SGKAT}^\infty \)-derivation is a (possibly infinite) tree generated by the rules of \(\textsf{SGKAT}\). Such a derivation is said to be closed if every leaf is an axiom.

Definition 3

(Proof). A closed \(\textsf{SGKAT}^\infty \)-derivation is said to be an \(\textsf{SGKAT}^\infty \)-proof if every infinite branch is fair for (b)-l, i.e. contains infinitely many applications of the rule (b)-l.

We write \(\textsf{SGKAT} \vdash ^\infty \varGamma \Rightarrow _A \varDelta \) if there is an \(\textsf{SGKAT}^\infty \)-proof of \(\varGamma \Rightarrow _A \varDelta \).

Example 4

Not every \(\textsf{SGKAT}^\infty \)-derivation is a proof. Consider for instance the following derivation, where \((\bullet )\) indicates that the derivation repeat itself (Fig. 2).

Fig. 2.
figure 2

An \(\textsf{SGKAT}^\infty \)-derivation that is not a proof.

Full size image

Example 5

Let \(\varDelta _1 := (p (cp +_b 1))^{(b)}\) and \(\varDelta _2 := cp +_b 1, \varDelta _1\). The following proof \(\varPi _1\) is an example \(\textsf{SGKAT}^\infty \)-proof of the sequent of Example 3. We again use \((\bullet )\) to indicate that the proof repeats itself at this leaf and, for the sake of readability, omit branches that can be closed immediately by an application of \(\bot \) (Fig. 3).

Fig. 3.
figure 3

The \(\textsf{SGKAT}^\infty \)-proof \(\varPi _1\).

Full size image

To illustrate the omission of branches that can be immediately closed by an application of \(\bot \), let us write out the two applications of \(+_b\)-r in \(\varPi _1\).

figure a

It can also be helpful to think of the set of atoms as selecting one of the premisses.

We close this section with a useful definition and a lemma.

Definition 4

(Exposure). A list \(\varGamma \) of expressions is said to be exposed if it is either empty or begins with a primitive program.

Recall that the sets of primitive tests and primitive programs are disjoint. Hence an exposed list \(\varGamma \) cannot start with a test. The following easy lemma will be useful later on.

Lemma 3

Let \(\varGamma \) and \(\varDelta \) be exposed lists of expressions. Then:

  1. (i)

    \(\alpha x \in \llbracket {\varGamma }\rrbracket \Leftrightarrow \beta x \in \llbracket {\varGamma }\rrbracket \) for all \(\alpha , \beta \in \textsf{At}\)

  2. (ii)

    \(\varGamma \Rightarrow _{\textsf{At}} \varDelta \) is valid if and only if \(\varGamma \Rightarrow _A \varDelta \) is valid for some \(A \not = \emptyset \).

4 Soundness

In this section we prove that \(\textsf{SGKAT}^\infty \) is sound. We will first prove that well-founded (that is, finite) \(\textsf{SGKAT}^\infty \)-proofs are sound. The following straightforward facts will be useful in the soundness proof.

Lemma 4

For any set A of atoms, test b, and cedent \(\varTheta \), we have:

  1. (i)

    \(\llbracket {e +_b f, \varTheta }\rrbracket = (\llbracket {b}\rrbracket \diamond \llbracket {e, \varTheta }\rrbracket ) \cup (\llbracket {\overline{b}}\rrbracket \diamond \llbracket {f, \varTheta }\rrbracket )\);

  2. (ii)

    \(\llbracket {e^{(b)}, \varTheta }\rrbracket = (\llbracket {b}\rrbracket \diamond \llbracket {e, e^{(b)}, \varTheta }\rrbracket ) \cup (\llbracket {\overline{b}}\rrbracket \diamond \llbracket {\varTheta }\rrbracket )\).

We prioritise the rules of \(\textsf{SGKAT}\) in order of occurrence in Fig. 1, reading left-to-right, top-to-bottom. Hence, each left logical rule is of higher priority than each right logical rule, which is of higher priority than each axiom or modal rule. Recall that a rule is sound if the validity of all its premisses implies the validity of its conclusion. Conversely, a rule is invertible if the validity of its conclusion implies the validity of all of its premisses.

We say that a rule application has priority of there is no higher-priority rule with the same conclusion. Conveniently, the following proposition entails that every rule instance which has priority is invertible. This will aid our proof search procedure in Sect. 6.

Proposition 1

Every rule of \(\textsf{SGKAT}\) is sound. Moreover, every rule is invertible except for \(\textsf{k}\) and \(\textsf{k}_0\), which are invertible whenever they have priority.

Proof

(sketch). We treat two illustrative cases. For the rule \(+_b\)-r, we find

$$\begin{aligned} &A \diamond \llbracket {\varGamma }\rrbracket \subseteq \llbracket {e +_b f}\rrbracket \diamond \llbracket {\varDelta }\rrbracket \\ &\ \ \Leftrightarrow A \diamond \llbracket {\varGamma }\rrbracket \subseteq (\llbracket {b}\rrbracket \diamond \llbracket {e, \varDelta }\rrbracket ) \cup (\llbracket {\overline{b}}\rrbracket \diamond \llbracket {f, \varDelta }\rrbracket ) \\ &\ \ \ \ \Leftrightarrow A \restriction b \diamond \llbracket {\varGamma }\rrbracket \subseteq \llbracket {e, \varDelta }\rrbracket \text { or } A \restriction \overline{b} \subseteq \llbracket {f, \varDelta }\rrbracket , \end{aligned}$$

where the first equivalence holds due to Lemma 4.(ii), and the second due to \(A \diamond \llbracket {\varGamma }\rrbracket = (\llbracket {b}\rrbracket \diamond A \diamond \llbracket {\varGamma }\rrbracket ) \cup (\llbracket {\overline{b}}\rrbracket \diamond A \diamond \llbracket {\varGamma }\rrbracket )\) and Lemma 4.(i).

The other rule we will treat is \(\textsf{k}\). Suppose first that some application of \(\textsf{k}\) does not have priority. The only rule of higher priority than \(\textsf{k}\) which can have a conclusion of the form \(p, \varGamma \Rightarrow _A p, \varDelta \) is \(\bot \). In this case \(A = \emptyset \), which means that the conclusion must be valid. Hence any application of \(\textsf{k}\) that does not have priority is vacuously sound. It need, however, not be invertible, as the following rule instance demonstrates

figure b

Next, suppose that some application of \(\textsf{k}\) does have priority. This means that the set A of atoms in the conclusion \(p, \varGamma \Rightarrow _A p, \varDelta \) is not empty. We will show that under this restriction the rule is both sound and invertible. Let \(\alpha \in A\). We have

$$\begin{aligned} A \diamond \llbracket {p, \varGamma }\rrbracket \subseteq \llbracket {p, \varDelta }\rrbracket &\Leftrightarrow A \diamond \llbracket {p}\rrbracket \diamond \llbracket {\varGamma }\rrbracket \subseteq \llbracket {p}\rrbracket \diamond \llbracket {\varDelta }\rrbracket &\text {(seq. int.)}\\ &\Leftrightarrow {\alpha } \diamond \llbracket {p}\rrbracket \diamond \llbracket {\varGamma }\rrbracket \subseteq \llbracket {p}\rrbracket \diamond \llbracket {\varDelta }\rrbracket &\text {(}\alpha \in A\text {, Lem.} 3\text {)}\\ &\Leftrightarrow \llbracket {p}\rrbracket \diamond \llbracket {\varGamma }\rrbracket \subseteq \llbracket {p}\rrbracket \diamond \llbracket {\varDelta }\rrbracket &\text {(Lem. }3\text {)} \\ &\Leftrightarrow \llbracket {\varGamma }\rrbracket \subseteq \llbracket {\varDelta }\rrbracket , &\text {(}\dagger \text {)} \end{aligned}$$

as required. The step marked by \(\dagger \) is the following property of guarded languages: \(\llbracket {p}\rrbracket \diamond L = \llbracket {p}\rrbracket \diamond K\) implies \(L = K\).

Proposition 1 entails that all finite proofs are sound. We will now extend this result to non-well-founded proofs, closely following the treatment in [7]. We first recursively define a syntactic abbreviation: \([e^{(b)}]^0 := \overline{b}\) and \([e^{(b)}]^{n + 1} := be[e^{(b)}]^n\).

Lemma 5

For every \(n \in \mathbb {N}\): if we have \(\textsf{SGKAT} \vdash ^\infty e^{(b)}, \varGamma \Rightarrow _A \varDelta \), then we also have \(\textsf{SGKAT} \vdash ^\infty [e^{(b)}]^n, \varGamma \Rightarrow _A \varDelta \).

We let the while-height \(\textsf{wh}(e)\) be the maximal nesting of while loops in a given expression e. Formally,

  • \(\textsf{wh}(b) = \textsf{wh}(p) = 0;\)              − \(\textsf{wh}(e \cdot f) = \textsf{wh}(e +_b f) = \max \{\textsf{wh}(e), \textsf{wh}(f)\};\)

  • \(\textsf{wh}(e^{(b)}) = \textsf{wh}(e) + 1.\)

Given a list \(\varGamma \), the weighted while-height \(\textsf{wwh}(\varGamma )\) of \(\varGamma \) is defined to be the multiset \([\textsf{wh}(e) : e \in \varGamma ]\). We order such multisets using the Dershowitz-Manna ordering (for linear orders): we say that \(N < M\) if and only if \(N \not = M\) and for the greatest n such that \(N(n) \not = M(n)\), it holds that \(N(n) < M(n)\).

Note that in any \(\textsf{SGKAT}\)-derivation the weighted while-height of the antecedent does not increase when reading bottom-up. Moreover, we have:

Lemma 6

\(\textsf{wwh}([e^{(b)}]^n, \varGamma ) < \textsf{wwh}(e^{(b)}, \varGamma )\) for every \(n \in \mathbb {N}\).

Finally, we can prove the soundness theorem using induction on \(\textsf{wwh}(\varGamma )\).

Theorem 1

(Soundness). If \(\textsf{SGKAT} \vdash ^\infty \varGamma \Rightarrow _A \varDelta \), then \(A \diamond \llbracket {\varGamma }\rrbracket \subseteq \llbracket {\varDelta }\rrbracket \).

Proof

We prove this by induction on \(\textsf{wwh}(\varGamma )\). Given a proof \(\pi \) of \(\varGamma \Rightarrow _A \varDelta \), let \(\mathcal {B}\) contain for each infinite branch of \(\pi \) the node of least depth to which a rule (b)-l is applied. Note that \(\mathcal {B}\) must be finite, for otherwise, by Kőnig’s Lemma, the proof \(\pi \) cut off along \(\mathcal {B}\) would have an infinite branch that does not satisfy the fairness condition.

Note that Proposition 1 entails that of every finite derivation with valid leaves the conclusion is valid. Hence, it suffices to show that each of the nodes in \(\mathcal {B}\) is valid. To that end, consider an arbitrary such node labelled \(e^{(b)}, \varGamma ' \Rightarrow _{A'} \varDelta '\) and the subproof \(\pi '\) it generates. By Lemma 5, we have that \([e^{(b)}]^{n}, \varGamma ' \Rightarrow _{A'} \varDelta '\) is provable for every n. Lemma 6 gives \(\textsf{wwh}([e^{(b)}]^{n}, \varGamma ') < \textsf{wwh}(e^{(b)}, \varGamma ') \le \textsf{wwh}(\varGamma )\), and thus we may apply the induction hypothesis to obtain

$$ A' \diamond \llbracket [e^{(b)}]^{n} \rrbracket \diamond \llbracket \varGamma \rrbracket \subseteq \llbracket \varDelta \rrbracket $$

for every \(n \in \mathbb {N}\). Then by

$$\begin{aligned} \bigcup _{n} (A' \diamond \llbracket [e^{(b)}]^{n} \rrbracket \diamond \llbracket \varGamma \rrbracket ) = A' \diamond \bigcup _{n} (\llbracket [e^{(b)}]^{n} \rrbracket ) \diamond \llbracket \varGamma \rrbracket = A' \diamond \llbracket e \rrbracket ^{\llbracket b \rrbracket } \diamond \llbracket \varGamma \rrbracket , \end{aligned}$$

we obtain that \(e^{(b)}, \varGamma ' \Rightarrow _{A'} \varDelta '\) is valid, as required.

5 Regularity

Before we show that \(\textsf{SGKAT}^\infty \) is not only sound, but also complete, we will first show that every \(\textsf{SGKAT}^\infty \)-proof is finite-state, i.e. that it contains at most finitely many distinct sequents.

The results of this section crucially depend on the fact that we are only applying rules to the leftmost expressions of cedents. Indeed, otherwise one could easily create infinitely many distinct sequents by simply unravelling the same while loop \(e^{(b)}\) infinitely often.

Our treatment differs from that in [7] in two major ways. First, we formalise the notion of (sub)occurrence using the standard notion of a syntax tree. Secondly, and more importantly, we obtain a quadratic bound on the number of distinct sequents occurring in a proof, rather than an exponential one. In fact, we will show that the number of distinct antecedents (succedents) is linear in the size of the syntax tree of the antecedent (succedent) of the root. We will do this by showing that each leftmost expression of a cedent in the proof (given as node of the syntax tree of a root cedent) can only occur in the proof as the leftmost expression of that unique cedent.

Definition 5

The syntax tree \((T_e, l_e)\) of an expression e is a well-founded, labelled and ordered tree, defined by the following induction on e.

  • If e is a test or primitive program, its syntax tree only has a root node \(\rho \), with label \(l_e(\rho ) := e\).

  • If \(e = f_1 \circ f_2\) where \(\circ = \cdot \) or \(\circ = +_b\), its syntax tree again has a root node \(\rho \) with label \(l_e(\rho ) = e\), and with two outgoing edges. The first edge connects \(\rho \) to \((T_{f_1}, l_{f_1})\), the second edge connects it to \((T_{f_2}, l_{f_2})\).

  • If \(e = f^{(b)}\), its syntax tree again has a root node \(\rho \) with label \(l_e(\rho ) = e\), but now with just one outgoing edge. This edge connects \(\rho \) to \((T_{f}, l_f)\).

Definition 6

An e-cedent is a list of nodes in the syntax tree of e. The realisation of an e-cedent \(u_1, \ldots , u_n\) is the cedent \(l_e(u_1), \ldots , l_e(u_n)\).

Given the leftmost expression of a cedent, we will now explicitly define the cedent that it must be the leftmost expression of.

Definition 7

Let u be a node in the syntax tree of e. We define the e-cedent \(\textsf{tail}(u)\) inductively as follows:

  • For the root \(\rho \) of \(T_e\), we set \(\textsf{tail}(\rho )\) to be the empty list \(\epsilon \).

  • For every node u of \(T_e\), we define \(\textsf{tail}\) on its children by a case distinction on the main connective \(\textsf{mc}\) of u:

    • if \(\textsf{mc} = \cdot \), let \(u_1\) and \(u_2\) be, respectively, the first and second child of u. We set \(\textsf{tail}(u_1) := u_2, \textsf{tail}(u)\) and \(\textsf{tail}(u_2) := \textsf{tail}(u)\).

    • if \(\textsf{mc} = +_b\), let \(u_1\) and \(u_2\) again be its first and second child. We set \(\textsf{tail}(u_1) := \textsf{tail}(u_2) := \textsf{tail}(u)\).

    • if \(\textsf{mc} = (-)^{(b)}\), let v be the single child of u. We set \(\textsf{tail}(v) := u, \textsf{tail}(u)\).

An e-cedent is called \(\textsf{tail}\)-generated if it is empty or of the form \(u, \textsf{tail}(u)\) for some node u in the syntax tree of e.

Example 6

Below is the syntax tree of \((p(p +_b 1))^{(b)}\) and a calculation of \(\textsf{tail}(u_3)\).

figure c

The following lemma embodies the key idea for the main result of this section: every leftmost expression is the leftmost expression of a unique cedent.

Lemma 7

Let \(\pi \) be an \(\mathsf {SGKAT^\infty }\)-derivation of a sequent of the form \(e \Rightarrow _A f\). Then every antecedent in \(\pi \) is the realisation of a \(\textsf{tail}\)-generated e-sequent, and every succedent is the realisation of a \(\textsf{tail}\)-generated f-sequent or 0-sequent.

Proof

We first prove the following claim.

Let e be an expression and let u be a node in its syntax tree. Then \(\textsf{tail}(u)\) is a \(\textsf{tail}\)-generated e-sequent.

We prove this by induction on the syntax tree of e. For the root \(\rho \), we have \(\textsf{tail}(\rho ) = \epsilon \), which is \(\textsf{tail}\)-generated by definition. Now suppose that the thesis holds for some arbitrary node u in the syntax tree of e. We will show that the thesis holds for the children of u by a case distinction on the main connective \(\textsf{mc}\) of u.

  • \(\textsf{mc} = \cdot \). Let \(u_1\) and \(u_2\) be the first and second child of u, respectively. We have \(\textsf{tail}(u_1) = u_2, \textsf{tail}(u) = u_2, \textsf{tail}(u_2)\), which is \(\textsf{tail}\)-generated by definition. Moreover, we have that \(\textsf{tail}(u_2) = \textsf{tail}(u)\) is \(\textsf{tail}\)-generated by the induction hypothesis.

  • \(\textsf{mc} = +_b\). Then for each child v of u, we have \(\textsf{tail}(v) = \textsf{tail}(u)\) and thus we can again invoke the induction hypothesis.

  • \(\textsf{mc} = (-)^{(b)}\). Then for the single child v of u, it holds that \(\textsf{tail}(v) = u, \textsf{tail}(u)\), which is \(\textsf{tail}\)-generated by definition.

Using this claim, the lemma follows by bottom-up induction on \(\pi \). For the base case, note that e and f are realisations of the roots of their respective syntax trees. Such a root \(\rho \) is \(\textsf{tail}\)-generated, since \(\rho = \rho , \epsilon = \rho , \textsf{tail}(\rho )\). The induction step follows by direct inspection of the rules of \(\textsf{SGKAT}\).

The number of realisations of \(\textsf{tail}\)-generated e-sequents is clearly linear in the size of the syntax tree of e, for every expression e. Hence we obtain:

Corollary 1

The number of distinct sequents in an \(\textsf{SGKAT}^\infty \)-proof of \(e \Rightarrow _A f\) is quadratic in \(|T_e| + |T_f|\).

Note that the above lemma and corollary can easily be generalised to arbitrary (rather than singleton) cedents, by rewriting each cedent \(e_1, \ldots , e_n\) as \(e_1 \cdots e_n\).

Recall that a non-well-founded tree is regular if it contains only finitely many pairwise non-isomorphic subtrees. The following corollary follows by a standard argument in the literature (see e.g [16, Corollary I.2.23]).

Corollary 2

If \(\varGamma \Rightarrow _A \varDelta \) has an \(\textsf{SGKAT}^\infty \)-proof, then it has a regular one.

We define a cyclic \(\textsf{SGKAT}\)-proof as a regular \(\textsf{SGKAT}^\infty \)-proof. Cyclic proofs can be equivalently described using finite trees with back edges, but this is not needed for the purposes of the present paper.

6 Completeness and Complexity

In this section we prove the completeness of \(\textsf{SGKAT}^\infty \). Our argument uses a proof search procedure, which we will show to induce a \(\textsf{NLOGSPACE}\) decision procedure for the language inclusion problem of \(\texttt{GKAT}\) expressions. The material in this section is again inspired by [7], but requires several modifications to treat the tests present in \(\texttt{GKAT}\).

First note the following fact.

Lemma 8

Any valid sequent is the conclusion of some rule application.

Note that in the following lemma A and B may be distinct.

Lemma 9

Let \(\pi \) be a derivation using only right logical rules and containing a branch of the form:

figure d

such that (1) \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) is valid, and (2) every succedent on the branch has \(e^{(b)}, \varDelta \) as a final segment. Then \(\varGamma \Rightarrow _B 0\) is valid.

Proof

We claim that \(e^{(b)} \Rightarrow _B 0\) is provable. We will show this by exploiting the symmetry of the left and right logical rules of \(\textsf{SGKAT}\) (cf. Remark 8). Since on the branch (*) every rule is a right logical rule, and \(e^{(b)}, \varDelta \) is preserved throughout, we can construct a derivation \(\pi '\) of \(e^{(b)} \Rightarrow _B 0\) from \(\pi \) by applying the analogous left logical rules to \(e^{(b)}\). Note that the set of atoms B precisely determines the branch (*), in the sense that for every leaf \(\varGamma \Rightarrow _C \varTheta \) of \(\pi \) it holds that \(C \cap B = \emptyset \). Hence, as the root of \(\pi '\) is \(e^{(b)} \Rightarrow _B 0\), every branch of \(\pi '\) except for the one corresponding to (*) can be closed directly by an application of \(\bot \). The branch corresponding to (*) is of the form

figure e

and can thus be closed by a back edge. The resulting finite tree with back edges clearly represents an \(\textsf{SGKAT}^\infty \)-proof.

Now by soundness, we have \(B \diamond \llbracket e^{(b)} \rrbracket = \emptyset \). Moreover, by the invertibility of the right logical rules and hypothesis (1), we get

$$ B \diamond \llbracket \varGamma \rrbracket \subseteq B \diamond \llbracket e^{(b)}\rrbracket \diamond \llbracket \varDelta \rrbracket = \emptyset , $$

as required.

Lemma 10

Let \((\varGamma _n \Rightarrow _{A_n} \varDelta _n)_{n \in \omega }\) be an infinite branch of some \(\textsf{SGKAT}^\infty \)-derivation on which the rule (b)-r is applied infinitely often. Then there are nm with \(n < m\) such that the following hold:

  1. (i)

    the sequents \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) and \(\varGamma _m \Rightarrow _{A_m} \varDelta _m\) are equal;

  2. (ii)

    the sequent \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) is the conclusion of (b)-r in \(\pi \);

  3. (iii)

    for every \(i \in [n, m)\) it holds that \(\varDelta _n\) is a final segment of \(\varDelta _i\).

Proof

First note that \(\textsf{k}_0\) is not applied on this branch, because if it were then there could not be infinitely many applications of (b)-r.

Since the proof is finite-state (cf. Corollary 1), there must be a \(k \ge 0\) be such that every \(\varDelta _i\) with \(i \ge k\) occurs infinitely often on the branch above. Denote by \(|\varDelta |\) the length of a given list \(\varDelta \) and let l be minimum of \(\{|\varDelta _i| : i \ge k\}\). In other words, l is the minimal length of the \(\varDelta _i\) with \(i \ge k\).

To prove the lemma, we first claim that there is an \(n \ge k\) such that \(|\varDelta _n| = l\) and the leftmost expression in \(\varDelta _n\) is of the form \(e^{(b)}\) for some e. Suppose, towards a contradiction, that this is not the case. Then there must be a \(u \ge k\) such that \(|\varDelta _u| = l\) and the leftmost expression in \(\varDelta _u\) is not of the form \(e^{(b)}\) for any e. Note that (b)-r is the only rule apart from \(\textsf{k}_0\) that can increase the length of the succedent (when read bottom-up). It follows that for no \(w \ge u\) the leftmost expression in \(\varDelta _w\) is of the form \(e^{(b)}\), contradicting the fact that (b)-r is applied infinitely often.

Now let \(n \ge k\) be such that \(|\varDelta _n| = l\) and the leftmost expression of \(\varDelta _n\) is \(e^{(b)}\). Since the rule (b)-r must at some point after \(\varDelta _n\) be applied to \(e^{(b)}\), we may assume without loss of generality that \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) is the conclusion of an application of (b)-r. By the pigeonhole principle, there must be an \(m > n\) such that \(\varGamma _n \Rightarrow _{A_n} \varDelta _n\) and \(\varGamma _m \Rightarrow _{A_m} \varDelta _m\) are the same sequents. We claim that these sequents satisfy the three properties above. Properties (i) and (ii) directly hold by construction. Property (iii) follows from the fact that \(\varDelta _n\) is of minimal length and has \(e^{(b)}\) as leftmost expression.

With the above lemmas in place, we are ready for the completeness proof.

Theorem 2

(Completeness). Every valid sequent is provable in \(\textsf{SGKAT}^\infty \).

Proof

Given a valid sequent, we do a bottom-up proof search with the following strategy. Throughout the procedure all leaves remain valid, in most cases by an appeal to invertibility.

  1. 1.

    Apply left logical rules as long as possible. If this stage terminates, it will be at a leaf of the form \(\varGamma \Rightarrow _A \varDelta \), where \(\varGamma \) is exposed. We then go to stage (2). If left logical rules remain applicable, we stay in this stage (1) forever and create an infinite branch.

  2. 2.

    Apply right logical rules until one of the following happens:

    1. (a)

      We reach a leaf at which no right logical rule can be applied. This means that the leaf must be a valid sequent of the form \(\varGamma \Rightarrow _A \varDelta \) such that \(\varGamma \) is exposed, and \(\varDelta \) is either exposed or begins with a test b such \(A \restriction b \not = A\). We go to stage (4).

    2. (b)

      If (a) does not happen, then at some point we must reach a valid sequent of the \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) which together with an ancestor satisfies properties (i) - (iii) of Lemma 10. In this case Lemma 9 is applicable. Hence we must be at a leaf of the form \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) such that \(e^{(b)} \Rightarrow _A 0\) is valid. We then go to stage (3).

    Since at some point either (a) or (b) must be the case, stage (2) always terminates.

  3. 3.

    We are at a valid leaf of the form \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \), where \(\varGamma \) is exposed. If \(A = \emptyset \), we apply \(\bot \). Otherwise, if \(A \not = \emptyset \), we use the validity of \(\varGamma \Rightarrow _A e^{(b)}, \varDelta \) and \(e^{(b)} \Rightarrow _A 0\) to find:

    $$ A \diamond \llbracket {\varGamma }\rrbracket \subseteq A \diamond \llbracket {e^{(b)}}\rrbracket \diamond \llbracket {\varDelta }\rrbracket = \emptyset . $$

    We claim that \(\llbracket {\varGamma }\rrbracket = \emptyset \). Indeed, suppose towards a contradiction that \(\alpha x \in \llbracket {\varGamma }\rrbracket \). By the exposedness of \(\varGamma \) and item (i) of Lemma 3, we would have \(\beta x \in \llbracket {\varGamma }\rrbracket \) for some \(\beta \in A\), contradicting the statement above. Therefore, the sequent \(\varGamma \Rightarrow _\textsf{At} 0\) is valid. We apply the rule \(\textsf{k}_0\) and loop back to stage (1).

    Stage (3) only comprises a single step and thus always terminates.

  4. 4.

    Let \(\varGamma \Rightarrow _A \varDelta \) be the current leaf. By construction \(\varGamma \Rightarrow _A \varDelta \) is valid, \(\varGamma \) is exposed, and \(\varDelta \) is either exposed or begins with a test b such that \(A \restriction b \not = A\). Note that only rules \(\textsf{id}\), \(\bot \), \(\textsf{k}\), and \(\mathsf {k_0}\) can be applicable. By Lemma 8, at least one of them must be applicable. If \(\textsf{id}\) is applicable, apply \(\textsf{id}\). If \(\bot \) is applicable, apply \(\bot \). If \(\textsf{k}\) is applicable, apply \(\textsf{k}\) and loop back to stage (1). Note that this application of \(\textsf{k}\) will have priority and is therefore invertible.

    Finally, suppose that only \(\textsf{k}_0\) is applicable. We claim that, by validity, the list \(\varGamma \) is not \(\epsilon \). Indeed, since A is non-empty, and \(\varDelta \) either begins with a primitive program p or a test b such that \(A \restriction b \not = A\), the sequent

    $$ \epsilon \Rightarrow _A \varDelta $$

    must be invalid. Hence \(\varGamma \) must be of the form \(p, \varTheta \). We apply \(\textsf{k}_0\), which has priority and thus is invertible, and loop back to stage (1).

    Similarly to stage (3), stage (4) only comprises a single step and thus always terminates.

We claim that the constructed derivation is fair for (b)-l. Indeed, every stage except stage (1) terminates. Therefore, every infinite branch must either eventually remain in stage (1), or pass through stages (3) or (4) infinitely often. Since \(\textsf{k}\) and \(\textsf{k}_0\) shorten the antecedent, and no left logical rule other than (b)-l lengthens it, such branches must be fair.

By Corollary 2 we obtain that the subset of cyclic \(\textsf{SGKAT}\)-proofs is also complete.

Corollary 3

Every valid sequent has a regular \(\textsf{SGKAT}^\infty \)-proof.

Proposition 2

The proof search procedure of Theorem 2 runs in \(\textsf{coNLOGSPACE}\). Hence proof search, and thus also the language inclusion problem for \(\texttt{GKAT}\)-expressions, is in \(\textsf{NLOGSPACE}\).

Proof

(sketch). Assume without loss of generality that the initial sequent is of the form \(e \Rightarrow _A f\). We non-deterministically search for a failing branch, at each iteration storing only the last sequent. By Lemma 7 this can be done by storing two pointers to, respectively, the syntax trees \(T_e\) and \(T_f\), together with a set of atoms. The loop check of stage (2) can be replaced by a counter. Indeed, stage (2) must always hit a repetition after \(|\textsf{At}| \cdot |T_f|\) steps, where m is the number of nodes in the syntax tree. After this repetition there must be a continuation that reaches a repetition to which Lemma 9 applies before this stage has taken \(2 \cdot |\textsf{At}| \cdot |T_f|\) steps in total. Finally, a global counter can be used to limit the depth of the search. Indeed, a failing branch needs at most one repetition (in stage (2), to which \(\textsf{k}_0\) is applied) and all other repetitions can be cut out. Hence if there is a failing branch, there must be one of size at most \(4 \cdot |T_e| \cdot |\textsf{At} | \cdot |T_f|\).

7 Conclusion and Future Work

In this paper we have presented a non-well-founded proof system \(\textsf{SGKAT}^\infty \) for \(\texttt{GKAT}\). We have shown that the system is sound and complete with respect to the language model. In fact, the fragment of regular proofs is already complete, which means one can view \(\textsf{SGKAT}\) as a cyclic proof system. Our system is similar to the system for Kleene Algebra in [7], but the deterministic nature of \(\texttt{GKAT}\) allows us to use ordinary sequents rather than hypersequents. To deal with the tests of \(\texttt{GKAT}\) every sequent is annotated by a set of atoms. Like in [7], our completeness argument makes use of a proof search procedure. Here again the relative simplicity of \(\texttt{GKAT}\) pays off: the proof search procedure induces an \(\textsf{NLOGSPACE}\) decision procedure, whereas that of Kleene Algebra is in \(\textsf{PSPACE}\).

The most natural question for future work is whether our system could be used to prove the completeness of some (ordered)-algebraic axiomatisation of \(\texttt{GKAT}\). We envision using the original \(\texttt{GKAT}\) axioms (see [22, Figure 1]), but basing it on inequational logic rather than equational logic. This would allow one to use a least fixed point rule of the form

figure f

eliminating the need for a Salomaa-style side condition. We hope to be able to prove the completeness of such an inequational system by translating cyclic \(\textsf{SGKAT}\)-proofs into well-founded proofs in the inequational system. This is inspired by the paper [6], where a similar strategy is used to give an alternative proof of the left-handed completeness of Kleene Algebra.

Another relevant question is the exact complexity of the language inclusion problem for \(\texttt{GKAT}\)-expressions. We have obtained an upper bound of \(\textsf{NLOGSPACE}\), but do not know whether it is optimal.

Finally, it would be interesting to verify the conjecture in Remark 9 above.