1 Introduction

Uniform interpolation is a strong form of interpolation, which says that propositional quantifiers can be defined inside the logic. More precisely, a left uniform interpolant of a formula \(\varphi \) with respect to a variable p is a p-free formula, denoted \(\forall p \varphi \), which entails \(\varphi \), and is a consequence of any p-free formula that entails \(\varphi \). The dual notion is that of a right uniform interpolant, denoted \(\exists p \varphi \), and a logic is said to have uniform interpolation if both left and right uniform interpolants exist for any formula. Said otherwise, uniform interpolation means that for any \(\varphi \) and p, the logic has a strongest formula without p that implies \(\varphi \), and a weakest formula without p that is implied by \(\varphi \).

The uniform interpolation property was first established for intuitionistic propositional logic \(\textsf{IL}\) by Pitts [23], and then for a number of modal logics, including basic modal logic \(\textsf{K}\) and Gödel-Löb provability logic \(\textsf{GL}\) [10, 25, 27]. Since then, uniform interpolation has been shown to hold in various modal fixpoint logics [1, 22] and substructural logics [2], and connections have been developed with description logic [11], proof theory [12, 18], model theory [10, 19], and universal algebra [16, 20].

Existing proof methods for uniform interpolation can be divided, roughly, into two strands: one is syntactic and relies on the existence of a well-behaved sequent calculus for the logic (see e.g. [18]), the other is semantic and uses Kripke models to establish definability of bisimulation quantifiers (see e.g. [10]). An advantage of the syntactic method over the semantic one is that, at least in theory, it provides better bounds on the complexity of computing uniform interpolants. In practice, however, it is not feasible to compute uniform interpolants by hand, as the calculations quickly become complex even on small examples. The algorithms for computing uniform interpolants are often intricate, and it is a non-trivial task to implement them correctly. The first- and third-named authors recently developed the first verified implementation of Pitts’ algorithm for computing uniform interpolants in the case of \(\textsf{IL}\), using The Coq Proof Assistant in order to formally prove the correctness of the implementation [9].

In this article, we provide mechanised proofs of the uniform interpolation property for the classical modal logics \(\textsf{K}\) and \(\textsf{GL}\) and for an intuitionistic version of strong Löb logic, \(\textsf{iSL}\). Of these three contributions, we discuss the first one in Sect. 3, which serves as a warm-up for what follows. The formalisation of uniform interpolation for \(\textsf{GL}\) starts from a sequent-style proof of this theorem [5]. During our work on formalising this proof in Coq, we uncovered an incompleteness in it, and our formalisation contains a corrected version of the construction of [5], as we will explain further in Sect. 4. Finally, the uniform interpolation result for \(\textsf{iSL}\) is new to this paper, and resolves an open question of [13]. (T. Litak and A. Visser have shared a draft paper with us in which they obtain a different, semantic, proof of the same result, available in preprint [28].) The proof we give extends the syntactic method of Pitts, while taking advantage both of the robustness of the earlier Coq formalisation for the case of \(\textsf{IL}\), and of a recently developed sequent calculus for \(\textsf{iSL}\) [26].

All definitions and proofs that we describe in this paper are implemented in the constructive setting of the Coq proof assistant; the code is available online at https://github.com/hferee/UIML. In particular, this means that the definitions of the uniform interpolants for the three logics at hand here are effective, which allows us to extract from the Coq implementation an OCaml program that can generate interpolants from input formulas. Throughout the paper, links to an online-readable version of the Coq proofs are given by a clickable symbol. Finally, a demonstration webpage is available at https://hferee.github.io/UIML/demo.html where the uniform interpolants for each logic can be computed.

2 Sequent Calculi and Uniform Interpolation

In this section, we recall some standard notions that we need in this paper, pertaining to the classical modal logics \(\textsf{K}\) and \(\textsf{GL}\), and intuitionistic modal logic \(\textsf{iSL}\). We mostly follow the same notations as in [12, Ch. 1], and we refer the reader to that chapter for more details.

It will be convenient to use a more economical language for the classical setting than for the intuitionistic setting, so we define the precise syntax in some detail now. Both languages contain boolean constant \(\bot \), connective \(\rightarrow \), modality \(\Box \) and a set \(\mathcal V\) of countably many (propositional) variables, denoted \(p,q, \dots \).

In the classical modal language we use the following standard classical constructors, \(\lnot \), \(\vee \), \(\wedge \), and \(\Diamond \), which should be read as abbreviations: \(\lnot \varphi := \varphi \rightarrow \bot \), \(\varphi \vee \psi := (\varphi \rightarrow \bot ) \rightarrow \psi \), \(\varphi \wedge \psi := (\varphi \rightarrow (\psi \rightarrow \bot )) \rightarrow \bot \), and \(\Diamond \varphi := \Box (\varphi \rightarrow \bot ) \rightarrow \bot \). The intuitionistic modal language, instead, contains the connectives \(\wedge \) and \(\vee \) as primitives (and no \(\Diamond \)); only \(\lnot \) and \(\top \) are abbreviations: \(\lnot \varphi := \varphi \rightarrow \bot \), \(\top := \lnot \bot \). In both the classical and intuitionistic setting, we denote modal formulas by lowercase Greek letters \(\varphi , \psi , \ldots \) and we write \(\text {Vars}\,(\varphi )\) to denote the set of all propositional variables occurring as subformulas in the formula \(\varphi \).

We briefly recall the axiomatisation of logics \(\textsf{K}\), \(\textsf{GL}\), and \(\textsf{iSL}\). The logics \(\textsf{K}\) and \(\textsf{GL}\) are defined over the considered classical modal language and \(\textsf{iSL}\) over the intuitionistic modal language. To do so, we recall three axioms:

  • the normal axiom \((\textsf{k}) \ \Box (p \rightarrow q) \rightarrow \Box p \rightarrow \Box q\),

  • the Gödel-Löb axiom \((\textsf{gl}) \ \Box (\Box p \rightarrow p) \rightarrow \Box p\), and

  • the strong Löb axiom \((\textsf{sl}) \ (\Box p \rightarrow p) \rightarrow p\).

Also recall the rules modus ponens (from \(\varphi \) and \(\varphi \rightarrow \psi \) infer \(\psi \)), necessitation (from \(\varphi \) infer \(\Box \varphi \)), and substitution (from \(\varphi \) infer \(\sigma \varphi \), for any uniform substitution \(\sigma \)). Now, logic \(\textsf{K}\) is defined by the classical propositional tautologies, axiom \(\mathsf k\), and the rules modus ponens, necessitation, and substitution. The logic \(\textsf{GL}\) is the extension of \(\textsf{K}\) by the axiom \(\textsf{gl}\). Furthermore, intuitionistic propositional logic \(\textsf{IL}\) is defined by the intuitionistic tautologies, and the rules modus ponens, necessitation, and substitution; intuitionistic modal logic \(\textsf{iSL}\) is the extension of \(\textsf{IL}\) with axioms \(\mathsf k\) and \(\textsf{sl}\).

2.1 Sequent Calculi

A sequent is a pair of finite multisets of formulas \(\varGamma \) and \(\varDelta \), which we denote by \(\varGamma \Rightarrow \varDelta \). In the intuitionistic case, \(\varDelta \) will necessarily be a singleton. A sequent \(\varGamma \Rightarrow \varDelta \) is empty if \(\varGamma \) and \(\varDelta \) are empty multisets. Given two multisets \(\varGamma \) and \(\varDelta \), we write \(\varGamma ,\varDelta \) for the multiset addition of \(\varGamma \) and \(\varDelta \), and, when \(\varphi \) is a formula, we write \(\varGamma , \varphi \) as notation for \(\varGamma , \{\varphi \}\). Analogously to formulas, we write \(\text {Vars}\,(\varGamma )\) to denote the set of all propositional variables occurring as subformulas in formulas in \(\varGamma \). For \(p \in \mathcal V\), we define \(\varGamma _p :=\varGamma \setminus \{p\}\) for any multiset \(\varGamma \).

In the intuitionistic setting we use the following notation \(\Box ^{\scriptscriptstyle {-1}}\) on formulas:

$$ \Box ^{\scriptscriptstyle {-1}}\psi :={\left\{ \begin{array}{ll} \varphi &{}\text { if } \psi = \Box \varphi \text { for some formula } \varphi , \\ \psi &{}\text { otherwise.} \end{array}\right. } $$

This notation is naturally overloaded to also apply to (multi)sets of formulas: \(\Box ^{\scriptscriptstyle {-1}}\varGamma :=\{\Box ^{\scriptscriptstyle {-1}}\varphi \ |\ \varphi \in \varGamma \}\).

Fig. 1. Classical sequent rules. Here, \(\varPhi \) does not contain boxed formulae. (The figure itself is not reproduced in the extracted text.)

Now we define the sequent calculi that we use throughout the paper. The sequent calculus \(\textsf{KS}\) consists of two initial rules \((\text {IdP})\) and \((\bot \text {L})\), left and right implication rules \((\rightarrow \textrm{R})\) and \((\rightarrow \textrm{L})\), and the modal rule \((\text {KR})\); all are displayed in Fig. 1. The sequent calculus \(\textsf{GLS}\) is the variant of the calculus \(\textsf{KS}\) in which the rule \((\text {KR})\) is replaced by the rule \((\textrm{GLR})\) in Fig. 1. The sequent calculus \(\textsf{KS}\) is well-known to be sound and complete for \(\textsf{K}\), and \(\textsf{GLS}\) is sound and complete for \(\textsf{GL}\) [24]. In the rule \((\text {GLR})\), the formula \(\Box \psi \) is called the diagonal formula. We denote by \(\text {KP}(s)\) the multiset of all possible \((\text {KR})\)-premises for a given sequent s, and by \(\text {GP}(s)\) the multiset of all \((\text {GLR})\)-premises for s.

For \(\textsf{iSL}\), we work with the calculus \(\textsf{G4iSLt}\) from [26], which was specifically designed with the aim to prove uniform interpolation for \(\textsf{iSL}\). The calculus is an extension of the calculus \(\textsf{G4iP}\) for \(\textsf{IL}\) [7]. We show the calculus \(\textsf{G4iSLt}\) in Fig. 2, using the \(\Box ^{\scriptscriptstyle {-1}}\) operator to rephrase its definition slightly compared to [26].

For every sequent calculus \(\textsf{S}\), we denote by \(\vdash _{\textsf{S}}\) the set of sequents that are derivable using the rules in \(\textsf{S}\). For a sequent \(\varGamma \Rightarrow \varDelta \), we then write \(\vdash _{\textsf{S}} \varGamma \Rightarrow \varDelta \) to mean that \(\varGamma \Rightarrow \varDelta \) is an element of the set \(\vdash _{\textsf{S}}\).

The crucial fact for proving uniform interpolation is that each of the three calculi \(\textsf{KS}\), \(\textsf{GLS}\), and \(\textsf{G4iSLt}\) has a complete and terminating backward proof search strategy, which may only depend on a local loop-check. Completeness means that the strategy finds a proof for any sequent provable in the calculus. Termination means that the strategy always ends in a finite proof search tree. By a local loop-check we mean: the criterion for deciding whether or not to stop the proof search for a given sequent only depends on the sequent itself, and does not depend on other sequents, encountered earlier by the proof search strategy. Termination for \(\textsf{KS}\), \(\textsf{GLS}\), and \(\textsf{G4iSLt}\) is discussed in detail in Sects. 3.1, 4.1 and 5.1 respectively.

Fig. 2. The sequent calculus \(\textsf{G4iSLt}\). The sequent calculus \(\textsf{G4iP}\) is the restriction of \(\textsf{G4iSLt}\) obtained by omitting the two rules involving \(\Box \). (The figure itself is not reproduced in the extracted text.)

2.2 Uniform Interpolation

Definition 1

A logic L has the uniform interpolation property if, for every L-formula \(\varphi \) and variable p, there exist L-formulas, denoted by \(\forall p \varphi \) and \(\exists p \varphi \), satisfying the following three properties:

  1. p-freeness: \( \text {Vars}\,(\exists p \varphi ) \subseteq \text {Vars}\,(\varphi ) \setminus \{ p \}\) and \( \text {Vars}\,(\forall p \varphi ) \subseteq \text {Vars}\,(\varphi ) \setminus \{ p \}\),

  2. implication: \(\vdash _L \varphi \rightarrow \exists p \varphi \text { and } \vdash _L \forall p \varphi \rightarrow \varphi ,\) and

  3. uniformity: for each formula \(\psi \) with \(p \notin \text {Vars}\,(\psi )\):

    $$\begin{aligned} \vdash _L \varphi \rightarrow \psi \ {} &\text { implies } \ \vdash _L \exists p \varphi \rightarrow \psi ,\\ \vdash _L \psi \rightarrow \varphi \ {} &\text { implies } \ \vdash _L \psi \rightarrow \forall p \varphi . \end{aligned}$$

Lemma 1

Both classically and intuitionistically, the formulas \(\forall p (\varphi \rightarrow \psi )\) and \(\exists p (\varphi ) \rightarrow \forall p (\varphi \rightarrow \psi )\) are equivalent.

Proof

The left-to-right direction is clear. For the right-to-left direction, note that the formula \({\exists p \varphi \rightarrow \forall p (\varphi \rightarrow \psi )}\) is p-free by definition. Moreover, one easily obtains that \(\exists p \varphi \rightarrow \forall p (\varphi \rightarrow \psi )\) implies \(\varphi \rightarrow \psi \), using the implication rules and the implication properties of \(\exists p\) and \(\forall p\). Now uniformity ensures that \(\exists p \varphi \rightarrow \forall p (\varphi \rightarrow \psi )\) implies \(\forall p (\varphi \rightarrow \psi )\).   \(\square \)

To show uniform interpolation of the logics in the paper, we employ a standard proof-theoretic approach via the sequent calculi. The following definition merges the well-known definitions for intuitionistic logic from [23] and classical modal logic from [3].

Definition 2

A set of provable sequents, denoted \(\vdash \), has the uniform interpolation property if, for any sequent \(\varGamma \Rightarrow \varDelta \) and variable p, there exist modal formulas \(\textsf{E}_{p}(\varGamma )\) and \(\textsf{A}_{p}(\varGamma \Rightarrow \varDelta )\) such that the following three properties hold:

  1. p-freeness: (a) \(\text {Vars}\,(\textsf{E}_{p}(\varGamma )) \subseteq \text {Vars}\,(\varGamma ) \setminus \{ p \}\) and (b) \(\text {Vars}\,(\textsf{A}_{p}(\varGamma \Rightarrow \varDelta )) \subseteq \text {Vars}\,(\varGamma , \varDelta ) \setminus \{ p \}\),

  2. implication: (a) \(\vdash \varGamma \Rightarrow \textsf{E}_{p}(\varGamma )\) and (b) \(\vdash \varGamma , \textsf{A}_{p}(\varGamma \Rightarrow \varDelta ) \Rightarrow \varDelta \), and

  3. uniformity: for any finite multisets of formulas \(\varPi \) and \(\varSigma \) such that \(p \notin \text {Vars}\,(\varPi ,\varSigma )\), if it holds that \(\vdash \varPi , \varGamma \Rightarrow \varDelta ,\varSigma \), then it also holds that:

    $$\begin{aligned} &\text {(a)}\vdash \varPi , \textsf{E}_{p}(\varGamma ) \Rightarrow \varDelta , \varSigma \text { if } p \notin \text {Vars}\,(\varDelta ), \text { and}\\ &\text {(b)} \vdash \varPi , \textsf{E}_{p}(\varGamma ) \Rightarrow \textsf{A}_{p}(\varGamma \Rightarrow \varDelta ), \varSigma . \end{aligned}$$

In the intuitionistic setting, we require \(\varDelta \) to be a singleton and \(\varSigma \) to be empty.

In this paper, we say that a sequent calculus \(\textsf{S}\) has uniform interpolation if \(\vdash _\mathsf{{S}}\) has the uniform interpolation property.

We provide some observations and facts in the following remarks.

Remark 1

When proving uniform interpolation in the classical setting, we prove a stronger statement in clause (b) of uniformity:

$$\begin{aligned} &\text {(b)} \vdash \varPi \Rightarrow \textsf{A}_{p}(\varGamma \Rightarrow \varDelta ), \varSigma \end{aligned}$$

where we omit the occurrence of \(\textsf{E}_{p}(\varGamma )\) on the left-hand side of the sequent. In fact, now we can take \(\textsf{E}_{p}(\varGamma ) := \lnot \textsf{A}_{p}(\varGamma \Rightarrow \emptyset )\) and we only have to consider clauses (b) in every property of Definition 2 as in [3]. This will be the route taken in this paper for \(\textsf{KS}\) and \(\textsf{GLS}\).

Remark 2

It is well-known that the uniform interpolation property for a sequent calculus results in the uniform interpolation property for its corresponding logic [4, 23]. Both classically and intuitionistically, we can define \(\forall p \varphi :=\textsf{A}_{p}(\emptyset \Rightarrow \varphi )\). In classical modal logic, we can define \(\exists p \varphi \) as its dual, i.e., \(\exists p \varphi :=\lnot \forall p (\lnot \varphi )\). For intuitionistic modal logic, we define \(\exists p \varphi :=\textsf{E}_{p}(\{\varphi \})\). One may then show that, for these definitions of \(\forall p\) and \(\exists p\), the three properties from Definition 1 follow from those in Definition 2, where, in the intuitionistic case, one needs to use the fact that \(\textsf{E}_{p}(\emptyset ) = \top \).

Remark 3

In the sequel of the paper we explicitly construct operators \(\textsf{A}_{p}(\cdot )\) (and also \(\textsf{E}_{p}(\cdot )\) in the intuitionistic case) using the terminating sequent calculi for the logics. These operators have the following properties which could be viewed as Remark 2 applied to sequents instead of formulas. In both the classical and intuitionistic setting, \(\textsf{E}_{p}(\varGamma )\) serves as the formula \(\exists p(\bigwedge \varGamma )\). In the classical case, the formula \(\textsf{A}_{p}(\varGamma \Rightarrow \varDelta )\) will be equivalent to \(\forall p (\bigwedge \varGamma \rightarrow \bigvee \varDelta )\). However, intuitionistically, \(\textsf{A}_{p}(\varGamma \Rightarrow \varphi )\) is not equivalent to \(\forall p (\bigwedge \varGamma \rightarrow \varphi )\), but it is computed as \(\textsf{E}_{p}(\varGamma ) \rightarrow \textsf{A}_{p}(\varGamma \Rightarrow \varphi )\). The latter does not contradict Remark 2 by Lemma 1. See also Remark 5 in [23].

3 Basic Modal Logic \(\textsf{K}\)

We start our investigations on uniform interpolation for provability logics by showcasing a simple example: the modal logic \(\textsf{K}\). We follow the strategy in [3] using calculus \(\textsf{KS}\) and provide a formalisation in Coq.

3.1 Termination of the Sequent Calculus \(\textsf{KS}\)

To compute the uniform interpolants for sequent calculus \(\textsf{KS}\), we provide a complete and terminating proof search strategy for it. For this, we define some useful notions for sequents \(\varGamma \Rightarrow \varDelta \). The size of \(\varGamma \Rightarrow \varDelta \) is the total number of symbols in the multiset \(\varGamma , \varDelta \). We call a sequent critical if there is no formula of the form \(\varphi \rightarrow \psi \) in \(\varGamma , \varDelta \), and we call a critical sequent initial if either \(\bot \in \varGamma \) or \(\varGamma \cap \varDelta \cap \mathcal V\ne \emptyset \), that is, if the sequent \(\varGamma \Rightarrow \varDelta \) can be proved with an initial rule.

A complete and terminating strategy for proof search in \(\textsf{KS}\) can easily be defined in three steps, as follows. Given a sequent, we first saturate it by maximally iterating applications of the rules \((\rightarrow \textrm{L})\) and \((\rightarrow \textrm{R})\). This step computes a finite multiset \(\text {Can}(s)\) of critical sequents, called the canopy of s. Note that, if s is not critical, then all sequents in \(\text {Can}(s)\) have strictly smaller size than s. Second, we try to apply the rules \((\text {IdP})\) and \((\bot \text {L})\), and close any branches where we have an initial sequent. Third, we try to apply the rule \((\text {KR})\) on any remaining sequents which are not initial. Since the size of sequents decreases during the execution of this strategy as long as sequents are not initial, this strategy clearly terminates.

3.2 Uniform Interpolation for \(\textsf{KS}\)

Definition 3

Let \(p\in \mathcal V\) be a variable and \(s=(\varGamma , \Box \varGamma ' \Rightarrow \varDelta )\) a sequent, where no \(\varphi \in \varGamma \) is a boxed formula. We define \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(s)\) recursively, as follows:

[figure c: the four defining cases \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}1)\) to \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}4)\) of \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}\); not reproduced in the extracted text]

Termination of this function is proved by an induction on the size of sequents. This definition mirrors the termination of the proof search strategy for \(\textsf{KS}\). The first case corresponds to a default where the sequent bears no content. The remaining cases obviously correspond to steps of the strategy: \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}2)\) postpones the computation of the interpolant to the sequents in the canopy via recursive calls; \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}3)\) checks for initiality; \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}4)\) is the case where we apply \((\text {KR})\). As this last case is the most complex, we motivate that definition in more detail now.

Because an application of the \((\text {KR})\) rule on a sequent s deletes the non-boxed formulas in s, we need to first record all these formulas in \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(s)\): this is the role of the first two disjuncts, \(\bigvee \limits _{q\in \varDelta _p} q\) and \(\bigvee \limits _{r\in \varGamma _p}\lnot r\), which notably discard all occurrences of variable p. The third disjunct, \(\bigvee \limits _{s'\in \text {KP}(s)}\Box \textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(s')\), contains recursive calls on all \((\text {KR})\)-premises of s, and prefixes them with a \(\Box \) to reflect the logical strength of the rule. The last disjunct \(\Diamond \textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(\varGamma '\Rightarrow )\) is needed to obtain the uniformity from Definition 2. It considers the possibility that our sequent \(s=(\varGamma ,\Box \varGamma '\Rightarrow \varDelta )\) becomes provable once the context is extended, i.e., that a sequent of the form \(\varPhi ,\Box \varPhi ',\varGamma ,\Box \varGamma '\Rightarrow \varDelta ,\varDelta '\) is provable. In a proof of the latter, suppose that the last rule applied was \((\text {KR})\), triggered by a formula \(\Box \varphi \) in \(\varDelta '\). In the premise \(\varPhi ',\varGamma '\Rightarrow \varphi \) of that application, what remains of our sequent \(\varGamma ,\Box \varGamma '\Rightarrow \varDelta \) is the sequent \(\varGamma '\Rightarrow \), on which we then perform the recursive call \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(\varGamma '\Rightarrow )\). So, the last disjunct uses a \(\Diamond \) to record the possibility for a “step aside” of the proof search tree, by considering a recursive call on what remains of s through a \((\text {KR})\) application in an extended context.
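To make the three-step strategy of Sect. 3.1 and the cases of Definition 3 concrete, here is a small Python model (an added example, not the paper's Coq development or its OCaml extraction). It assumes the standard form of the \(\textsf{KS}\) rules, with \((\text {KR})\) inferring \(\varPhi , \Box \varGamma ' \Rightarrow \Box \varphi , \varDelta \) from \(\varGamma ' \Rightarrow \varphi \), and reconstructs the first three cases from the prose as \(\bot \) for the empty sequent, a conjunction over the canopy, and \(\top \) for initial sequents.

```python
# Added example, not the paper's Coq code: a Python model of the KS proof search
# strategy and of A_p^K. Assumptions (Fig. 1 and figure c are not reproduced):
# (KR) reads "from Γ' ⇒ φ infer Φ, □Γ' ⇒ □φ, Δ" with Φ non-boxed, and the first
# three cases of A_p^K are ⊥ (empty sequent), ⋀ over the canopy, ⊤ (initial).
# Formulas: ('var', name) | ('bot',) | ('imp', a, b) | ('box', a).
# Sequents: a pair of tuples (Γ, Δ), read as multisets.

BOT = ('bot',)

def var(n): return ('var', n)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)
def neg(a): return imp(a, BOT)              # ¬a := a → ⊥
TOP = neg(BOT)                              # ⊤ := ¬⊥
def dia(a): return neg(box(neg(a)))         # ◇a := □(a → ⊥) → ⊥

def disj(fs):
    """⋁fs folded with a ∨ b := (a → ⊥) → b; the empty disjunction is ⊥."""
    fs = list(fs)
    out = fs[-1] if fs else BOT
    for f in reversed(fs[:-1]):
        out = imp(neg(f), out)
    return out

def conj(fs):
    """⋀fs folded with a ∧ b := (a → (b → ⊥)) → ⊥; the empty conjunction is ⊤."""
    fs = list(fs)
    out = fs[-1] if fs else TOP
    for f in reversed(fs[:-1]):
        out = neg(imp(f, neg(out)))
    return out

def variables(f):
    """Vars(f): the propositional variables occurring in f."""
    if f[0] == 'var': return {f[1]}
    if f[0] == 'bot': return set()
    if f[0] == 'box': return variables(f[1])
    return variables(f[1]) | variables(f[2])

def canopy(gamma, delta):
    """Can(s): saturate s = (Γ ⇒ Δ) with (→R) and (→L) until every leaf is critical."""
    for i, f in enumerate(delta):
        if f[0] == 'imp':                   # (→R): from Γ, a ⇒ b, Δ infer Γ ⇒ a → b, Δ
            rest = delta[:i] + delta[i + 1:]
            return canopy(gamma + (f[1],), rest + (f[2],))
    for i, f in enumerate(gamma):
        if f[0] == 'imp':                   # (→L): from Γ ⇒ a, Δ and Γ, b ⇒ Δ infer Γ, a → b ⇒ Δ
            rest = gamma[:i] + gamma[i + 1:]
            return canopy(rest, delta + (f[1],)) + canopy(rest + (f[2],), delta)
    return [(gamma, delta)]                 # already critical

def initial(gamma, delta):
    """A critical sequent is initial if (⊥L) or (IdP) closes it."""
    return BOT in gamma or any(f[0] == 'var' and f in delta for f in gamma)

def kr_premises(gamma, delta):
    """KP(s): one (KR)-premise Γ' ⇒ φ for each boxed formula □φ in Δ."""
    unboxed = tuple(f[1] for f in gamma if f[0] == 'box')
    return [(unboxed, (f[1],)) for f in delta if f[0] == 'box']

def provable(gamma, delta):
    """Backward proof search in KS: saturate, close initial leaves, then try (KR).
    Terminates because every step strictly reduces the size of the sequent."""
    for g, d in canopy(gamma, delta):
        if initial(g, d):
            continue
        if not any(provable(*s) for s in kr_premises(g, d)):
            return False
    return True

def A(p, gamma, delta):
    """A_p^K(Γ, □Γ' ⇒ Δ): the interpolant that follows the proof search tree."""
    if not gamma and not delta:             # (A_p^K 1): the empty sequent
        return BOT
    can = canopy(gamma, delta)
    if can != [(gamma, delta)]:             # (A_p^K 2): not critical, recurse on the canopy
        return conj(A(p, g, d) for g, d in can)
    if initial(gamma, delta):               # (A_p^K 3): initial sequent
        return TOP
    unboxed = tuple(f[1] for f in gamma if f[0] == 'box')
    return disj(                            # (A_p^K 4): the (KR) case, discarding p
        [q for q in delta if q[0] == 'var' and q[1] != p]
        + [neg(r) for r in gamma if r[0] == 'var' and r[1] != p]
        + [box(A(p, g, d)) for g, d in kr_premises(gamma, delta)]
        + [dia(A(p, unboxed, ()))])         # the "step aside" disjunct ◇A_p^K(Γ' ⇒)

if __name__ == "__main__":
    p, q = var('p'), var('q')
    s = ((box(p), box(imp(p, q))), (box(q),))
    a = A('p', *s)
    # p-freeness and the implication property Γ, A_p^K(s) ⇒ Δ, checked by proof search
    print(sorted(variables(a)), provable(s[0] + (a,), s[1]))   # ['q'] True
```

The interpolants are not simplified, so they grow quickly; the point of the model is that the two properties checked at the bottom hold by construction, exactly as the Coq proof establishes.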

The complexity of the function \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}\) lies in its recursive calls on multisets of sequents, and in the use of the canopy function which contains similar recursive calls. Since only computable functions can be defined in Coq, termination needs to be proved whenever Coq cannot automatically derive it. In order to formalise our two functions in Coq, we need to define them and, at the same time, convince Coq that all recursive calls are justified, by exhibiting a quantity which decreases along a well-founded order. Because of the complex recursive calls of our two functions, the traditional pen-and-paper definition of such an order is rather intricate to formalise, involving a well-founded order on multisets, cf. [9, Section 3]. To circumvent this difficulty in our formalisation of Definition 3, we use the Braga method [21] of Larchey-Wendling and Monin, which separates the definition of the function from the termination proof. More precisely, using this method we can first define a function as a relation which captures the computational graph of the function, and then prove that this relation is indeed functional and terminates. While this method was initially designed to capture partial functions in Coq, we here apply this method to the definition of \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}\) and the canopy. This allows us to separate the concerns of defining these functions and proving that the definition terminates.

Given that \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}\) is connected to the proof search tree, and its definition tailored to satisfy the three correctness properties for uniform interpolants, we can now prove the correctness of the definition, and formalise it in Coq.

Theorem 1

The sequent calculus \(\textsf{KS}\) has the uniform interpolation property.

Proof

We have formalised in the Coq proof assistant the proof from [3] with no major changes. We have to check the three properties from Definition 2, i.e., p-freeness, implication, and uniformity. It is evident that \(\textsf{A}_{p}(s)\) is p-free for every sequent s, as the computations in \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}\) all make sure to discard p whenever propositional variables are recorded. Second, as \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(\varGamma \Rightarrow \varDelta )\) follows closely the proof search tree of \(\varGamma \Rightarrow \varDelta \), we obtain rather straightforwardly that \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(\varGamma \Rightarrow \varDelta ),\varGamma \Rightarrow \varDelta \) is provable, hence proving the implication property. Finally, we make a crucial use of the disjunct \(\Diamond \textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(\varGamma \Rightarrow )\) of the case \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}4)\) in the proof of uniformity.   \(\square \)

4 Classical Provability Logic \(\textsf{GL}\)

We now shift our focus to the logic \(\textsf{GL}\). We will first provide a complete and terminating strategy for \(\textsf{GLS}\). Then, in order to construct uniform interpolants for \(\textsf{GL}\), we take inspiration from [5], but we modify the definition given there in order to fix an incompleteness in the correctness proof.

4.1 Terminating Strategy for Sequent Calculus \(\textsf{GLS}\)

In the rule \((\text {GLR})\), the multiset \(\Box \varGamma \) on the left of the premise is preserved, while the diagonal formula \(\Box \psi \) moves diagonally from the left to the right when moving from premise to conclusion. These features are known to be an obstacle to the termination of a strategy for \(\textsf{GLS}\), which can be overcome by a local loop-check. Consider the following rule, labelled \((\text {IdB})\) for ‘Identity Box’.

$$ \frac{}{\begin{array}{c} \Box \varphi ,\varGamma \Rightarrow \varDelta ,\Box \varphi \end{array}}(\text {IdB})$$

Our proof search strategy for \(\textsf{GLS}\) extends the one for \(\textsf{KS}\): first apply \((\rightarrow \textrm{L})\) and \((\rightarrow \textrm{R})\), then the initial rules \((\text {IdP})\), \((\bot \text {L})\) and \((\text {IdB})\), and finally the rule \((\text {GLR})\). When following this strategy, any application of the rule \((\text {GLR})\) is such that its conclusion is critical but not initial, where our definition of initial sequent now also includes sequents that allow for an application of \((\text {IdB})\). Note a subtlety of our strategy: while \((\text {IdB})\) is not a rule of \(\textsf{GLS}\) its presence in our strategy is justified by its admissibility [17], ensuring the completeness of this strategy.

To show termination, we define a measure on sequents which decreases, in a well-founded order, as we move upwards by applying rules according to the proof strategy. Given a sequent \(\varGamma \Rightarrow \varDelta \), its measure \(\varTheta (\varGamma \Rightarrow \varDelta )\) is a pair of natural numbers \((imp(\varGamma \Rightarrow \varDelta )\, ,\,\beta (\varGamma \Rightarrow \varDelta ))\), where the first component is the number of occurrences of the symbol \(\rightarrow \) in \(\varGamma \Rightarrow \varDelta \) and the second component is what we call the number of usable boxes, \(\beta (\varGamma \Rightarrow \varDelta )\), defined as the cardinality of the set \(\{\Box \varphi \mid \Box \varphi \in \text {Sub}(\varGamma \cup \varDelta )\}\setminus \{\Box \varphi \mid \Box \varphi \in \varGamma \}\). The idea is that \(\beta \) counts the number of boxed formulas of a sequent \(\varGamma \Rightarrow \varDelta \) which might later become the diagonal formula of an instance of \((\text {GLR})\) in a derivation of this sequent, when following the proof search strategy. To show termination of our strategy via \(\varTheta \), we use the lexicographic order \(<\!\!<\) on pairs of natural numbers, noting that, for any \(\textsf{GLS}\) rule with conclusion s and any premise \(s'\) of that rule, we have \(\varTheta (s')<\!\!<\varTheta (s)\).

4.2 Computing Uniform Interpolants for \(\textsf{GLS}\)

We now replicate the argument for \(\textsf{K}\) for \(\textsf{GL}\), using the sequent calculus \(\textsf{GLS}\) and the terminating and complete proof search strategy for it. A first try would be to use the modified notion of initiality, and to change the function \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}\) into a function \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) by exchanging the rule \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}4)\) for a similar rule that follows the rule \((\text {GLR})\) instead of \((\text {KR})\). However, this approach leads to a termination problem in the fourth case of the definition of the function, as was noticed in [3], and as we briefly explain now. In this case \(\varGamma , \Box \varGamma '\Rightarrow \varDelta \) is critical, not empty and not initial, so we would require a recursive call of the function on \(\varGamma ', \Box \varGamma '\Rightarrow \) in the last disjunct. However, this recursive call could fail to terminate, as we do not have in general that \(\varTheta (\varGamma ', \Box \varGamma '\Rightarrow )<\!\!<\varTheta (\varGamma , \Box \varGamma '\Rightarrow \varDelta )\). To address this problem, [3] used an auxiliary function \(\textsf{N}\) in the definition of \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) for \(\textsf{GL}\).

We recall the definition of the function \(\textsf{N}\) as given in [5] in Fig. 3; in Definition 4 below, we will modify this table to obtain a mutually recursive definition of the function \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\). Given the function \(\textsf{N}\), the idea is, then, to replace the rule (\(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}4\)) in Definition 3 by a rule which says that, if \(s = (\varGamma , \Box \varGamma ' \Rightarrow \varDelta )\) and s is critical, not empty, and not initial, then \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}(s)\) equals

[figure h: the displayed formula for \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}4)\); not reproduced in the extracted text]

Fig. 3. Definition of function \(\textsf{N}_{p}(\cdot ,\cdot )\) from [3], where \(t = (\varSigma \Rightarrow \varPi )\). (The figure itself is not reproduced in the extracted text.)

Here, in the last disjunct of \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}4)\), we apply the function \(\textsf{N}\) to all elements of the canopy of the sequent \(\varGamma ', \Box \varGamma '\Rightarrow \), which is exactly what remains of the sequent s after applying \((\text {GLR})\) upwards. The purpose of the function \(\textsf{N}\) is to attempt another unfolding of \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) in the canopy of \(\varGamma ',\Box \varGamma '\Rightarrow \). Indeed, the definition of \(\textsf{N}\) first checks whether any recursive call is necessary via the initiality check in \((\textsf{N}1)\), and then proceeds in \((\textsf{N}2)\) to recursively call \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) if we are ensured that \(\varTheta \) decreases via the first component, or goes to \((\textsf{N}3)\) if there is no such decrease. Notice that, in this last case, the definition of \(\textsf{N}\) is a truncation of \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}4)\), which omits the problematic last disjunct, as it cannot be guaranteed to decrease in the recursion. The termination of \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) is obviously ensured by definition. However, the correctness is no longer obvious, due to the truncation in the rule \((\textsf{N}3)\). The key insight for proving the correctness is the following fixed point equivalence [5] which is valid in \(\textsf{GL}\):

$$\Diamond \left( \bigwedge \limits _{i}\left[ \alpha _i\vee \Diamond \left( \bigwedge \limits _{i}\alpha _i\wedge \beta \right) \right] \wedge \beta \right) \leftrightarrow \Diamond \left( \bigwedge \limits _{i}\alpha _i\wedge \beta \right) \ . $$

This equivalence can be used to prove that the diamond disjunct from the rule \((\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}4)\) may be omitted in the rule \((\textsf{N}3)\). In order to make this work formally, one needs the following equivalence to be derivable in \(\textsf{GLS}\):

$$\begin{aligned} \Diamond \bigwedge \limits _{s'\in \text {Can}(\varGamma ', \Box \varGamma '\Rightarrow )} \textsf{N}_{p}(s,s') \quad \leftrightarrow \quad \Diamond \textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}(\varGamma ',\Box \varGamma '\Rightarrow )\ . \end{aligned}$$
(1)

Assuming this equivalence, one can show that the uniform interpolation property holds for \(\textsf{GLS}\). To justify (1), [5] relies on another equivalence between two formulas \(\textsf{N}_{p}(s,t_1)\) and \(\textsf{N}_{p}(s,t_2)\), where \(t_i = \varGamma _i, \Box \varGamma _i \Rightarrow \) for \(i = 1,2\), and the multisets \(\varGamma _1\) and \(\varGamma _2\) are known to be equal only when considered as sets, i.e., not counting multiplicities. This equivalence is not formally proved, but only “observe[d]” [5, p. 17]. Since the sequents \(t_1\) and \(t_2\) are identical modulo contraction, and contraction is an admissible rule in \(\textsf{GLS}\), this sounds reasonable, but we were unable to formally derive this equivalence, even after consulting with the author of [5].

The difficulty in formally proving the observation primarily lies in the fact that the function \(\textsf{N}\) includes computations of the canopy of our two sequents \(t_1\) and \(t_2\). However, the canopies of two sequents can vastly differ, even if they are identical modulo contraction. We give a minimal example of such a situation in Fig. 4, where the sequents \(q\Rightarrow p\) on the right find no counterparts on the left. This mismatch in canopies, then, makes it hard to prove that any call to \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) in one canopy has a counterpart in the other canopy.

Fig. 4. Two sequents that are equivalent up to contraction, but whose canopies are not.

In order to overcome this problem, we propose to modify the mutually recursive definition of \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) and \(\textsf{N}\) with respect to the one given in [5]: in strategic places, we fully contract sequents, notably before computing canopies. We denote by \(\overline{s}\) the fully contracted version of the sequent s; that is, when \(s = (\varGamma \Rightarrow \varDelta )\), \(\overline{s}\) denotes the sequent \((\varGamma ' \Rightarrow \varDelta ')\), where \(\varGamma '\) and \(\varDelta '\) are the multisets obtained from \(\varGamma \) and \(\varDelta \), respectively, by removing duplicates.

Definition 4

Let \(p\in \mathcal V\) be a variable. We define \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}\) and \(\textsf{N}_p\) by a mutual recursion, as follows. Let \(s=(\varGamma , \Box \varGamma ' \Rightarrow \varDelta )\) be a sequent, where no \(\varphi \in \varGamma \) is a boxed formula. If s is empty or initial, then \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}(s)\) equals \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{K}}}(s)\), and

[Table defining \(\textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}(s)\) for the remaining cases: the image is not recoverable from the page.]

Let \(t = (\varSigma \Rightarrow \varPi )\) be a sequent. We also define the formula \(\textsf{N}_{p}(s,t)\) as in Fig. 3, but replacing the formula in the last row of the table with:

$$\bigvee \limits _{q\in \varPi _p} q \vee \bigvee \limits _{r\in \varSigma _p}\lnot r \vee \bigvee \limits _{t'\in \text {GP}(\overline{t})}\Box \textsf{A}_{p}^{\scriptscriptstyle {\textsf{GL}}}(t')\ , $$

where we note that the last disjunction is indexed by \(\text {GP}(\overline{t})\) instead of \(\text {GP}(t)\).

With this new definition, we obtain a proof of correctness of the equivalence (1), as we always fully contract sequents before computing their canopies. In our formalisation of Definition 4, we again made use of the Braga method already described in Sect. 3.

4.3 Syntactic Correctness Proof

Theorem 2

The sequent calculus \(\textsf{GLS}\) has the uniform interpolation property.

Proof

We refer to the formalised proofs of the first, second and third property.   \(\square \)

5 Intuitionistic Strong Löb \(\textsf{iSL}\)

The aim of this section is to give a sequent-based proof of the uniform interpolation property for intuitionistic strong Löb logic, \(\textsf{iSL}\). We will simultaneously explain the proof method of this new result, and report on our mechanisation of the definition of the propositional quantifiers in Coq. The work in this section builds on an earlier formalisation [9] of Pitts’ theorem [23] that uniform interpolation holds for \(\textsf{IL}\). In order to make the explanation below for \(\textsf{iSL}\) understandable, we first briefly review some important points of that work. We subsequently explain how to extend that definition to deal with the modality of the logic \(\textsf{iSL}\), and how the correctness proof can be extended to work for that logic.

As for the classical modal logics considered above, the definitions of the propositional quantifiers \(\textsf{A}_{p}(\cdot )\) and \(\textsf{E}_{p}(\cdot )\) for \(\textsf{IL}\) are guided by the terminating sequent calculus, \(\textsf{G4iP}\) (see Fig. 2). In [9, 23], \(\textsf{A}_{p}(\cdot )\) and \(\textsf{E}_{p}(\cdot )\) are defined for \(\textsf{G4iP}\) as follows. Based on the rows \((\mathsf {E_p^\textsf{IL}}0)\)-\((\mathsf {E_p^\textsf{IL}}8)\) and \((\mathsf {A_p^\textsf{IL}}1)\)-\((\mathsf {A_p^\textsf{IL}}13)\) in Fig. 5, the sets \(\mathsf {\mathcal {A}_p}(\varGamma \Rightarrow \varphi )\) and \(\mathsf {\mathcal {E}_p}(\varGamma )\) are defined by pattern matching. Based on this we define,

$$\begin{aligned} \mathsf {A_p^\textsf{IL}}(\varGamma \Rightarrow \varphi ) := \bigvee \mathsf {\mathcal {A}_p}(\varGamma \Rightarrow \varphi ) \ \ \text { and } \ \ \mathsf {E_p^\textsf{IL}}(\varGamma ) := \bigwedge \mathsf {\mathcal {E}_p}(\varGamma ). \end{aligned}$$
(2)

Theorem 3

The sequent calculus for \(\textsf{IL}\) has the uniform interpolation property.

Fig. 5. The top part of each table, i.e., \((\mathsf {E_p^\textsf{IL}}0)\)-\((\mathsf {E_p^\textsf{IL}}8)\) and \((\mathsf {A_p^\textsf{IL}}1)\)-\((\mathsf {A_p^\textsf{IL}}13)\), defines \(\textsf{E}_{p}(\varGamma )\) and \(\textsf{A}_{p}(\varGamma \Rightarrow \varphi )\) for \(\textsf{IL}\) as defined in [23]. The complete table provides definitions for \(\textsf{E}_{p}(\varGamma )\) and \(\textsf{A}_{p}(\varGamma \Rightarrow \varphi )\) for \(\textsf{iSL}\). In all clauses, \(q \ne p\).

5.1 Termination of Sequent Calculus \(\textsf{G4iSLt}\)

The calculus \(\textsf{G4iSLt}\) has already been shown to be terminating [26], but we find it convenient to provide a different termination ordering here, which is closer to, and compatible with, the termination ordering used by Pitts in the context of the sequent calculus \(\textsf{G4iP}\); see also [7, 8]. In particular, this lets us re-use some earlier Coq engineering work [9, Thm. 3.3] that was needed in order to apply the theorem of Dershowitz and Manna [6] that the natural order on the set of multisets over a well-founded order is again well-founded. The weight of a formula is inductively defined by adding a given weight for each symbol: \(\bot , \Box , \rightarrow \) and variables count for 1, \(\wedge \) for 2 and \(\vee \) for 3. This naturally defines a well-founded strict preorder on the set of formulas: \(\varphi \prec _f \psi \) iff \(\texttt {weight}(\varphi ) < \texttt {weight}(\psi )\).

In [7], the preorder on sequents used to prove the termination of \(\textsf{G4iP}\) is the Dershowitz-Manna ordering on multisets induced by this ordering on formulas: \(\varGamma \Rightarrow \varphi \prec \varDelta \Rightarrow \psi \) if the multiset \(\varGamma ,\varphi \) is smaller than the multiset \(\varDelta ,\psi \). However, the \(\square _R\)-rule of \(\textsf{G4iSLt}\) is not always compatible with this ordering. Indeed, with \(\varGamma = \emptyset \) and \(\varphi = \bot \), note that \(\{\Box \bot , \bot \} \not \prec \{\Box \bot \}\). The reason is that this rule not only replaces a boxed formula on the right-hand side with its unboxed version, which is a strict subformula, but also moves the boxed formula to the left-hand side.

We fix this issue by counting twice the right-hand side of the sequent in the multiset, accounting for the fact that a formula on the right-hand side of a sequent might be duplicated using a \(\square _R\) rule.

Definition 5

(Sequent ordering). \(\varGamma \Rightarrow \varphi \prec \varDelta \Rightarrow \psi \) whenever \(\varGamma ,\varphi ,\varphi \) is smaller than \(\varDelta ,\psi ,\psi \) for the multiset ordering induced by \(\prec _f\).

The ordering is again well-founded, as follows from an application of the Dershowitz-Manna theorem to the fact that the weight ordering on formulas is well-founded. Also, any hypothesis of an \(\textsf{G4iSLt}\) rule is smaller than its conclusion. This ensures the termination of proof search for \(\textsf{G4iSLt}\), but we will also use this ordering to construct the uniform interpolants.

Note that, although this order does not, strictly speaking, contain the original order, it is the case that, if two sequents were comparable for the original order in Pitts’ proof, then they still are for this modified order. This means that changing the definition of the ordering does not break the proof structure for the existing cases with no modality involved. This allows us to adapt the existing Coq formalisation for \(\textsf{G4iP}\) at minimal cost.
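As an added illustration, not part of the paper or its Coq development, the following Python encodes the formula weights, the Dershowitz-Manna multiset ordering, and both sequent orderings (Pitts’ original and Definition 5), and checks the \(\square _R\) instance above under each, alongside a propositional \(L\wedge\) instance that is comparable under both. The tuple encoding of formulas and all function names are my own assumptions.

```python
from collections import Counter

# Formulas of iSL as nested tuples (a constructed encoding for this example):
# ("var", "p"), ("bot",), ("box", f), ("imp", f, g), ("and", f, g), ("or", f, g).
SYMBOL_WEIGHT = {"var": 1, "bot": 1, "box": 1, "imp": 1, "and": 2, "or": 3}

def weight(f):
    """Weight of a formula: the weights of all its symbol occurrences, summed."""
    head, *args = f
    return SYMBOL_WEIGHT[head] + sum(weight(a) for a in args if isinstance(a, tuple))

def multiset_less(m, n):
    """Dershowitz-Manna ordering on multisets of naturals: M < N iff M != N and
    every element M has in excess of N lies below some element N has in excess of M."""
    cm, cn = Counter(m), Counter(n)
    only_m, only_n = cm - cn, cn - cm          # multiset differences
    if not only_n:                             # nothing in N dominates M's surplus
        return False
    return all(any(x < y for y in only_n.elements()) for x in only_m.elements())

def seq_less_original(gamma, phi, delta, psi):
    """Pitts' ordering for G4iP: compare the multisets Gamma,phi and Delta,psi."""
    return multiset_less([weight(g) for g in gamma] + [weight(phi)],
                         [weight(d) for d in delta] + [weight(psi)])

def seq_less(gamma, phi, delta, psi):
    """Definition 5: the succedent is counted twice on each side."""
    return multiset_less([weight(g) for g in gamma] + 2 * [weight(phi)],
                         [weight(d) for d in delta] + 2 * [weight(psi)])

# The counterexample from the text: with Gamma empty and phi = bottom, the
# box-right premise is   Box Bot => Bot   and its conclusion is   => Box Bot.
BOX_R_PREMISE = ([("box", ("bot",))], ("bot",))
BOX_R_CONCLUSION = ([], ("box", ("bot",)))

def box_right_example():
    """(premise smaller under Pitts' ordering, premise smaller under Definition 5)."""
    return (seq_less_original(*BOX_R_PREMISE, *BOX_R_CONCLUSION),
            seq_less(*BOX_R_PREMISE, *BOX_R_CONCLUSION))

def left_and_example():
    """A modality-free instance (premise p, q => r of conclusion p /\\ q => r):
    comparable under the original ordering, hence still under Definition 5."""
    p, q, r = ("var", "p"), ("var", "q"), ("var", "r")
    premise, conclusion = ([p, q], r), ([("and", p, q)], r)
    return (seq_less_original(*premise, *conclusion), seq_less(*premise, *conclusion))

if __name__ == "__main__":
    print("box-right:", box_right_example())   # (False, True)
    print("left-and: ", left_and_example())    # (True, True)
```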

5.2 Computing Uniform Interpolants for \(\textsf{G4iSLt}\)

Following the same proof scheme as Pitts’ for \(\textsf{IL}\), we now define \(\textsf{E}_p^\textsf{iSL}(\varGamma )\) and \(\textsf{A}_p^\textsf{iSL}(\varGamma \Rightarrow \varphi )\).

Definition 6

The formulas \(\textsf{E}_p^\textsf{iSL}(\varGamma )\) and \(\textsf{A}_p^\textsf{iSL}(\varGamma \Rightarrow \varphi )\) are defined by mutual induction on the \(\prec \) ordering, respectively as a conjunction of a multiset of formulas \(\mathsf {\mathcal {E}_p}(\varGamma )\) and as a disjunction of a multiset of formulas \(\mathsf {\mathcal {A}_p}(\varGamma \Rightarrow \varphi )\), both defined by the rules from Fig. 5.

Remark 4

Our adaptation of Pitts’ construction for \(\textsf{IL}\) to \(\textsf{iSL}\) adds formulas to the sets \(\mathcal {E}_p\) and \(\mathcal {A}_p\) only in the cases where some formula in \(\varDelta ,\theta \) contains a boxed subformula. As a consequence, \(\textsf{A}_p^\textsf{iSL}(\varGamma \Rightarrow \varphi ) = \mathsf {A_p^\textsf{IL}}{(\varGamma \Rightarrow \varphi )}\) and \(\textsf{E}_p^\textsf{iSL}(\varGamma ) = \mathsf {E_p^\textsf{IL}}{(\varGamma )}\) whenever \(\varGamma \) and \(\varphi \) do not contain the \(\Box \) modality.

Remark 5

Rule \((\textsf{E}_p^{\textsf{iSL}}9)\) can be read as adding \(\Box \textsf{E}_p^\textsf{iSL}(\Box ^{\scriptscriptstyle {-1}}\varGamma )\) to the set \(\mathsf {\mathcal {E}_p}(\varGamma )\) whenever \(\varGamma \) contains at least one boxed formula (otherwise, \(\Box ^{\scriptscriptstyle {-1}}\varGamma = \varGamma \) and this definition would not be well-founded). An efficient implementation of this rule should then take care not to add multiple copies of \(\Box \textsf{E}_p^\textsf{iSL}(\Box ^{\scriptscriptstyle {-1}}\varGamma )\), i.e., one copy for each boxed formula in \(\varGamma \).

In order to prove the implication and uniformity properties of uniform interpolation (Definition 2) we will first require some admissibility lemmas for \(\textsf{G4iSLt}\), in particular weakening and contraction. Note that, as for Pitts’ proof for \(\textsf{IL}\), the admissibility of cut is not necessary here and indeed, we neither use nor prove it in our Coq mechanisation. However, since cut is in fact admissible in \(\textsf{G4iSLt}\) [26], we allow ourselves to use this fact in our ‘paper’ explanations below. In addition, \(\textsf{iSL}\) satisfies the strongness property.

Lemma 2

(Strongness). For any formula \(\varphi \), \(\vdash _{\textsf{iSL}} \varphi \Rightarrow \Box \varphi \).

However, we will actually use the following stronger, dual lemma instead, provable by induction on the derivation of \(\vdash _{\textsf{iSL}} \varDelta ,\varphi \Rightarrow \psi \).

Lemma 3

If \(\vdash _{\textsf{iSL}}\varDelta ,\varphi \Rightarrow \psi \) then \(\vdash _{\textsf{iSL}} \varDelta ,\Box ^{\scriptscriptstyle {-1}}\varphi \Rightarrow \psi \).

The following lemma highlights how the interpolant interacts with the \(\Box \) modality and its dual \(\Box ^{\scriptscriptstyle {-1}}\).

Lemma 4

For any multiset of formulas \(\varDelta \), \(\vdash _{\textsf{iSL}} \textsf{E}_p^\textsf{iSL}(\varDelta )\Rightarrow \Box \textsf{E}_p^\textsf{iSL}(\Box ^{\scriptscriptstyle {-1}}\varDelta ).\)

Proof

If \(\varDelta \) contains no boxed formulas, then \(\Box ^{\scriptscriptstyle {-1}}\varDelta = \varDelta \) and Lemma 2 lets us conclude. Otherwise, \(\varDelta \) is multiset-equivalent to \(\varDelta ' ,\Box \delta \) for some \(\varDelta '\) and \(\delta \). Then, by rule \((\textsf{E}_p^{\textsf{iSL}}9)\), \(\textsf{E}_p^\textsf{iSL}(\varDelta )\) is a conjunction containing \(\Box (\textsf{E}_p^\textsf{iSL}(\Box ^{\scriptscriptstyle {-1}}\varDelta ',\delta ))\) which is equivalent to \(\Box (\textsf{E}_p^\textsf{iSL}(\Box ^{\scriptscriptstyle {-1}}\varDelta ))\) since the definition of \(\textsf{E}_p^\textsf{iSL}(\cdot )\) is invariant under multiset-equivalence.    \(\square \)

Theorem 4

The sequent calculus \(\textsf{G4iSLt}\) has uniform interpolation.

Proof

The p-freeness property is easily proved. The implication property is proved by well-founded induction along \(\prec \) on the sequent \(\varDelta \Rightarrow \varphi \) and mostly relies on weakening. The proof of uniformity is by structural induction on the derivation of \(\vdash _{\textsf{iSL}} \varGamma , \varDelta \Rightarrow \varphi \). If the last rule is an \(\textsf{IL}\) rule, then Pitts’ proof of uniform interpolation for \(\textsf{IL}\) still applies. The cases for the modal rules are handled similarly, with a critical use of Lemmas 3 and 4. We postpone a detailed pen-and-paper version to a forthcoming journal publication.   \(\square \)

6 Conclusion and Future Work

We have provided formalised sequent-style proofs of three uniform interpolation results, one well-known (\(\textsf{K}\)), a second subtle (\(\textsf{GL}\)), and a third new (\(\textsf{iSL}\)). One recent application of the verified implementation of uniform interpolation of \(\textsf{IL}\) [9] was to prove non-definability results in intuitionistic logic [19]. We hope that the implementations given in this paper and the accompanying online demo can be similarly useful in the future.

As explained in detail in Sect. 4, our effort in formalising the argument of [5] in Coq exposed an incompleteness in the paper proof, which we were eventually able to correct. This incompleteness would not have been discovered (nor corrected) as quickly without the formalisation effort. The work in that section thus provides a further example of the usefulness of such efforts where subtle correctness proofs of algorithms in logic are concerned.

We leave to future work a more modular formal development of uniform interpolation proofs. In particular, one could formalise the theoretical results of [18] in order to obtain a general algorithm which, given as input a sufficiently well-behaved sequent calculus, produces a verified calculation of uniform interpolants for the corresponding logic. A further piece of evidence that such a general development might be possible is that the generalisation from the known result for the logic \(\textsf{IL}\) to the new result for the logic \(\textsf{iSL}\) was relatively frictionless. This shows another strength of the formalisation endeavour, allowing for an easy experimentation with the boundaries of the formalised results.

A concrete logic that we would like to capture with our work is the intuitionistic version of \(\textsf{GL}\), often referred to as \(\textsf{iGL}\), for which it is an open problem whether or not uniform interpolation holds [12].

A final problem that we leave to future work is the formalisation of the semantic approach to uniform interpolation, via the definability of bisimulation quantifiers, as e.g. in [10, 14, 15, 27]. This would allow for a comparison of the two approaches, both in terms of algorithmic complexity and ease of formalisation.