Constructive Game Logic ⋆

. Game Logic is an excellent setting to study proofs-about-programs via the interpretation of those proofs as programs, because constructive proofs for games correspond to e(cid:27)ective winning strategies to follow in response to the opponent’s actions. We thus develop Constructive Game Logic , which extends Parikh’s Game Logic (GL) with constructivity and with (cid:28)rst-order programs (cid:224) la Pratt’s (cid:28)rst-order dynamic logic (DL). Our major contributions include: 1. a novel realizability semantics capturing the adversarial dynamics of games, 2. a natural deduction calculus and operational semantics describing the computational meaning of strategies via proof-terms, and 3. theoretical results including soundness of the proof calculus w.r.t. realizability semantics, progress and preservation of the operational semantics of proofs, and Existential Properties on support of the extraction of computational artifacts from game proofs. Together, these results provide the most general account of a Curry-Howard interpretation for any program logic to date, and the (cid:28)rst at all for Game Logic.


Introduction
Two of the most essential tools in theory of programming languages are program logics, such as Hoare calculi [29] and dynamic logics [45], and the Curry-Howard correspondence [17,31], wherein propositions correspond to types, proofs to functional programs, and proof term normalization to program evaluation.Their intersection, the Curry-Howard interpretation of program logics, has received surprisingly little study.We undertake such a study in the setting of Game Logic (GL) [38], because this leads to novel insights, because the Curry-Howard correspondence can be explained particularly intuitively for games, and because our rst-order GL is a superset of common logics such as rst-order Dynamic Logic (DL).
Constructivity and program verication have met before: Higher-order constructive logics [16] obey the Curry-Howard correspondence and are used to ⋆ This research was sponsored by the AFOSR under grant number FA9550-16-1-0288.
The authors were also funded by the NDSEG Fellowship and Alexander von Humboldt Foundation, respectively.
develop veried functional programs.Program logics are also often embedded in constructive proof assistants such as Coq [48], inheriting constructivity from their metalogic.Both are excellent ways to develop veried software, but we study something else.
We study the computational content of a program logic itself.Every fundamental concept of computation is expected to manifest in all three of logic, type systems, and category theory [27].Because dynamics logics (DL's) such as GL have shown that program execution is a rst-class construct in modal logic, the theorist has an imperative to explore the underlying notion of computation by developing a constructive GL with a Curry-Howard interpretation.
The computational content of a proof is especially clear in GL, which generalizes DL to programmatic models of zero-sum, perfect-information games between two players, traditionally named Angel and Demon.Both normal-play and misère-play games can be modeled in GL.In classical GL, the diamond modality ⟨α⟩ϕ and box modality [α]ϕ say that Angel and Demon respectively have a strategy to ensure ϕ is true at the end of α, which is a model of a game.The dierence between classical GL and CGL is that classical GL allows proofs that exclude the middle, which correspond to strategies which branch on undecidable conditions.
CGL proofs can branch only on decidable properties, thus they correspond to strategies which are eective and can be executed by computer.Eective strategies are crucial because they enable the synthesis of code that implements a strategy.Strategy synthesis is itself crucial because even simple games can have complicated strategies, and synthesis provides assurance that the implementation correctly solves the game.A GL strategy resolves the choices inherent in a game: a diamond strategy species every move made by the Angel player, while a box strategy species the moves the Demon player will make.
In developing Constructive Game Logic (CGL), adding constructivity is a deep change.We provide a natural deduction calculus for CGL equipped with proof terms and an operational semantics on the proofs, demonstrating the meaning of strategies as functional programs and of winning strategies as functional programs that are guaranteed to achieve their objective no matter what counterstrategy the opponent follows.While the proof calculus of a constructive logic is often taken as ground truth, we go a step further and develop a realizability semantics for CGL as programs performing winning strategies for game proofs, then prove the calculus sound against it.We adopt realizability semantics in contrast to the winning-region semantics of classical GL because it enables us to prove that CGL satises novel properties (Section 8).The proof of our Strategy Property (Theorem 2) constitutes an (on-paper) algorithm that computes a player's (eective) strategy from a proof that they can win a game.This is the key test of constructivity for CGL, which would not be possible in classical GL.We show that CGL proofs have two computational interpretations: the operational semantics interpret an arbitrary proof (strategy) as a functional program which reduces to a normal-form proof (strategy), while realizability semantics interpret Angel strategies as programs which defeat arbitrary Demonic opponents.
While CGL has ample theoretical motivation, the practical motivations from synthesis are also strong.A notable line of work on dGL extends rst-order GL to hybrid games to verify safety-critical adversarial cyber-physical systems [42].
We have designed CGL to extend smoothly to hybrid games, where synthesis provides the correctness demanded by safety-critical systems and the synthesis of correct monitors of the external world [36].

Related Work
This work is at the intersection of game logic and constructive modal logics.
Individually, they have a rich literature, but little work has been done at their intersection.Of these, we are the rst for GL and the rst with a proofs-asprograms interpretation for a full rst-order program logic.
Constructive Modal Logics.A major contribution of CGL is our constructive semantics for games, not to be confused with game semantics [1], which are used to give programs semantics in terms of games.We draw on work in semantics for constructive modal logics, of which two main approaches are intuitionistic Kripke semantics and realizability semantics.
An overview of Intuitionistic Kripke semantics is given by Wijesekera [52].
Intuitionistic Kripke semantics are parameterized over worlds, but in contrast to classical Kripke semantics, possible worlds represent what is currently known of the state.Worlds are preordered by w 1 ≥ w 2 when w 1 contains at least the knowledge in w 2 .Kripke semantics were used in Constructive Concurrent DL [53], where both the world and knowledge of it change during execution.A key advantage of realizability semantics [37,33] is their explicit interpretation of constructivity as computability by giving a realizer, a program which witnesses a fact.Our semantics combine elements of both: Strategies are represented by realizers, while the game state is a Kripke world.Constructive set theory [2] aids in understanding which set operations are permissible in constructive semantics.
Modal semantics have also exploited mathematical structures such as: i) Neighborhood models [8], topological models for spatial logics [7], and temporal logics of dynamical systems [20].ii) Categorical [3], sheaf [28], and pre-sheaf [23] models.iii) Coalgebraic semantics for classical Propositional Dynamic Logic (PDL) [19].While games are known to exhibit algebraic structure [25], such laws are not essential to this work.Our semantics are also notable for the seamless interaction between a constructive Angel and a classical Demon.
CGL is rst-order, so we must address the constructivity of operations that inspect game state.We consider rational numbers so that equality is decidable, but our work should generalize to constructive reals [11,13].
Intuitionistic modalities also appear in dynamic-epistemic logic (DEL) [21], but that work is interested primarily in proof-theoretic semantics while we employ realizability semantics to stay rmly rooted in computation.Intutionistic Kripke semantics have also been applied to multimodal System K with iteration [14], a weak fragment of PDL.
Constructivity and Dynamic Logic.With CGL, we bring to fruition several past eorts to develop constructive dynamic logics.Prior work on PDL [18] sought an Existential Property for Propositional Dynamic Logic (PDL), but they questioned the practicality of their own implication introduction rule, whose side condition is non-syntactic.One of our results is a rst-order Existential Property, which Degen cited as an open problem beyond the methods of their day [18].
To our knowledge, only one approach [32] considers Curry-Howard or functional proof terms for a program logic.While their work is a notable precursor to ours, their logic is a weak fragment of PDL without tests, monotonicity, or unbounded iteration, while we support not only PDL but the much more powerful rst-order GL.Lastly, we are preceded by Constructive Concurrent Dynamic Logic, [53] which gives a Kripke semantics for Concurrent Dynamic Logic [41], a proper fragment of GL.Their work focuses on an epistemic interpretation of constructivity, algebraic laws, and tableaux.We dier in our use of realizability semantics and natural deduction, which were essential to developing a Curry-Howard interpretation for CGL.In summary, we are justied in claiming to have the rst Curry-Howard interpretation with proof terms and Existential Properties for an expressive program logic, the rst constructive game logic, and the only with rst-order proof terms.
While constructive natural deduction calculi map most directly to functional programs, proof terms can be generated for any proof calculus, including a wellknown interpretation of classical logic as continuation-passing style [26].Proof terms have been developed [22] for a Hilbert calculus for dL, a dynamic logic (DL) for hybrid systems.Their work focuses on a provably correct interchange format for classical dL proofs, not constructive logics.

Syntax
We dene the language of CGL, consisting of terms, games, and formulas.The simplest terms are program variables x, y ∈ V where V is the set of variable identiers.Globally-scoped mutable program variables contain the state of the game, also called the position in game-theoretic terminology.All variables and terms are rational-valued (Q); we also write B for the set of Boolean values {0, 1} for false and true respectively.Denition 1 (Terms).A term f, g is a rational-valued computable function over the game state.We give a nonexhaustive grammar of terms, specically those used in our examples: where q ∈ Q is a rational literal, x a program variable, f +g a sum, f •g a product.Division-with-remainder is intended for use with integers, but we generalize the standard notion to support rational arguments.Quotient f /g is integer even when f and g are non-integer, and thus leaves a rational remainder f mod g.Divisors g are assumed to be nonzero.
A game in CGL is played between a constructive player named Angel and a classical player named Demon.Our usage of the names Angel and Demon diers subtly from traditional GL usage for technical reasons.Our Angel and Demon are asymmetric: Angel is our player, who must play constructively, while the opponent Demon is allowed to play classically because our opponent need not be a computer.At any time some player is active, meaning their strategy resolves all decisions, and the opposite player is called dormant.Classical GL identies Angel with active and Demon with dormant; the notions are distinct in CGL.Denition 2 (Games).The set of games α, β is dened recursively as such: In the test game ?ϕ, the active player wins if they can exhibit a constructive proof that formula ϕ currently holds.If they do not exhibit a proof, the dormant player wins by default and we informally say the active player broke the rules.
In deterministic assignment games x := f, neither player makes a choice, but the program variable x takes on the value of a term f .In nondeterministic assignment games x := * , the active player picks a value for x : Q.In the choice game α ∪ β, the active player chooses whether to play game α or game β.In the sequential composition game α; β, game α is played rst, then β from the resulting state.In the repetition game α * , the active player chooses after each repetition of α whether to continue playing, but loses if they repeat α innitely.
Notably, the exact number of repetitions can depend on the dormant player's moves, so the active player need not know, let alone announce, the exact number of iterations in advance.In the dual game α d , the active player becomes dormant and vice-versa, then α is played.We parenthesize games with braces {α} when necessary.Sequential and nondeterministic composition both associate to the right, i.e., α ∪ β ∪ γ ≡ {α ∪ {β ∪ γ}}.This does not aect their semantics as both operators are associative, but aids in reading proof terms.Denition 3 (CGL Formulas).The set of CGL formulas ϕ (also ψ, ρ) is given recursively by the grammar: The dening constructs in CGL (and GL) are the modalities ⟨α⟩ϕ and [α]ϕ.
These mean that the active or dormant Angel (i.e., constructive) player has a constructive strategy to play α and achieve postcondition ϕ.This paper does not develop the modalities for active and dormant Demon (i.e., classical) players because by denition those cannot be synthesized to executable code.We assume the presence of interpreted comparison predicates ∼ ∈ {≤, <, =, ̸ =, >, ≥}.
The standard connectives of rst-order constructive logic can be derived from games and comparisons.Verum (tt) is dened 1 > 0 and falsum (ff ϕ, and existential quantication ∃x ϕ is dened ⟨x := * ⟩ϕ.As usual in logic, equivalence ϕ ↔ ψ can also be dened (ϕ → ψ) ∧ (ψ → ϕ).As usual in constructive logics, negation ¬ϕ is dened ϕ → ff, and inequality is dened by f ̸ = g ≡ ¬(f = g).We will use the derived constructs freely but present semantics and proof rules only for the core constructs to minimize duplication.Indeed, it will aid in understanding of the proof term language to keep the denitions above in mind, because the proof terms for many rst-order programs follow those from rst-order constructive logic.
For convenience, we also write derived operators where the dormant player is given control of a single choice before returning control to the active player.
The dormant choice α ∩ β, dened {α d ∪ β d } d , says the dormant player chooses which branch to take, but the active player is in control of the subgames.We write ϕ y x (likewise for α and f ) for the renaming of x for y and vice versa in formula ϕ, and write ϕ f x for the substitution of term f for program variable x in ϕ, if the substitution is admissible (Denition 9 in Section 6).

Example Games
We demonstrate the meaning and usage of the CGL constructs via examples, culminating in the two classic games of Nim and cake-cutting.Nondeterministic Programs.Every (possibly nondeterministic) program is also a one-player game.For example, the program n := 0; {n := n + 1} * can nondeterministically sets n to any natural number because Angel has a choice whether to continue after every repetition of the loop, but is not allowed to continue forever.Conversely, games are like programs where the environment (Demon) is adversarial, and the program (Angel) strategically resolves nondeterminism to overcome the environment.Demonic Counter.Angel's choices often must be reactive to Demon's choices.Coin Toss.Games are perfect-information and do not possess randomness in the probabilistic sense, only (possibilistic) nondeterminism.This standard limitation is shown by attempting to express a coin-guessing game: {coin := 0 ∩ coin := 1}; {guess := 0 ∪ guess := 1}; ?guess = coin The Demon player sets the value of a tossed coin, but does so adversarially, not randomly, since strategies in CGL are pure strategies.The Angel player has perfect knowledge of coin and can set guess equivalently, thus easily passing the test guess = coin, unlike a real coin toss.Partial information games are interesting future work that could be implemented by limiting the variables visible in a strategy.
Nim. Nim is the standard introductory example of a discrete, 2-player, zerosum, perfect-information game.We consider misère play (last player loses) for a version of Nim that is also known as the subtraction game.The constant Nim denes the game Nim.
The game state consists of a single counter c containing a natural number, which each player chooses (∪) to reduce by 1, 2, or 3 (c := c − k).The counter is nonnegative, and the game repeats as long as Angel wishes, until some player empties the counter, at which point that player is declared the loser (?c > 0).
Proposition 1 (Dormant winning region).Suppose c ≡ 1 (mod 4), Then the dormant player has a strategy to ensure c ≡ 1 (mod 4) as an invariant.That is, the following CGL formula is valid (true in every state): This implies the dormant player wins the game because the active player violates the rules once c = 1 and no move is valid.We now state the winning region for an active player.
Proposition 2 (Active winning region).Suppose c ∈ {0, 2, 3} (mod 4) initially, and the active player controls the loop duration.Then the active player can achieve c ∈ {2, 3, 4}: At that point, the active player will win in one move by setting c = 1 which forces the dormant player to set c = 0 and fail the test ?c> 0.
Cake-cutting.Another classic 2-player game, from the study of equitable division, is the cake-cutting problem [40]: The active player cuts the cake in two, then the (initially-)dormant player gets rst choice of a piece.This is an optimal protocol for splitting the cake in the sense that the active player is incentivized to split the cake evenly, else the dormant player could take the larger piece.Cake-cutting is also a simple use case for fractional numbers.The constant CC denes the cake-cutting game.Here x is the relative size (from 0 to 1) of the rst piece, y is the size of the second piece, a is the size of the active player's piece, and d is the size of dormant player's piece.
The game is played only once.The active player picks the division of the cake, which must be a fraction 0 ≤ x ≤ 1.The dormant player then picks which slice goes to whom.
The active player has a tight strategy to achieve a 0.5 cake share, as stated in Proposition 3.

Proposition 3 (Active winning region). The following formula is valid:
⟨CC⟩ a ≥ 0.5 The dormant player also has a computable strategy to achieve exactly 0.5 share of the cake (Proposition 4).Division is fair because each player has a strategy to get their fair 0.5 share.
Proposition 4 (Dormant winning region).The following formula is valid: Computability and Numeric Types.Perfect fair division is only achieved for a, d ∈ Q because rational equality is decidable.Trichotomy (a < 0.5∨a = 0.5∨a > 0.5) is a tautology, so the dormant player's strategy can inspect the active player's choice of a. Notably, we intend to support constructive reals in future work, for which exact equality is not decidable and trichotomy is not an axiom.Future work on real-valued CGL will need to employ approximate comparison techniques as is typical for constructive reals [11,13,51].The examples in this section have been proven [12] using the calculus dened in Section 5.

Semantics
We now develop the semantics of CGL.In contrast to classical GL, whose semantics are well-understood [38], the major semantic challenge for CGL is capturing the competition between a constructive Angel and classical Demon.We base our approach on realizability semantics [37,33], because this approach makes the relationship between constructive proofs and programs particularly clear, and generating programs from CGL proofs is one of our motivations.
Unlike previous applications of realizability, games feature two agents, and one could imagine a semantics with two realizers, one for each of Angel and Demon.However, we choose to use only one realizer, for Angel, which captures the fact that only Angel is restricted to a computable strategy, not Demon.
Moreover, a single realizer makes it clear that Angel cannot inspect Demon's strategy, only the game state, and also simplies notations and proofs.Because Angel is computable but Demon is classical, our semantics has the avor both of realizability semantics and of a traditional Kripke semantics for programs.
The semantic functions employ game states ω ∈ S where we write S for the set of all states.We additionally write ⊤, ⊥ ∈ S (not to be confused with formulas tt and ff) for the pseudo-states ⊤ and ⊥ indicating that Angel or Demon respectively has won the game early by forcing the other to fail a test.
Each ω ∈ S maps each x ∈ V to a value ω(x) ∈ Q.We write ω v x for the state that agrees with ω except that x is assigned value v where v ∈ Q.
Denition 4 (Arithmetic term semantics).A term f is a computable function of the state, so the interpretation

Realizers
To dene the semantics of games, we rst dene realizers, the programs which implement strategies.The language of realizers is a higher-order lambda calculus where variables can range over game states, numbers, or realizers which realize a give proposition ϕ.Gameplay proceeds in continuation-passing style: invoking a realizer returns another realizer which performs any further moves.We describe the typing constraints for realizers informally, and say a is a ⟨α⟩ϕ-realizer (a ∈ ⟨α⟩ϕ Rz) if it provides strategic decisions exactly when ⟨α⟩ϕ demands them.Denition 5 (Realizers).The syntax of realizers a, b, c ∈ Rz (where Rz is the set of all realizers) is dened coinductively: x is a ϕ-realizer for every v ∈ Q; Demon tells Angel the desired value of x, which informs Angel's continuation b.The higher-order realizer (Λx : ϕ Rz. b) realizes [?ϕ]ψ when b c x realizes ψ for every ϕ-realizer c.Demon announces the realizer for ϕ which Angel's continuation b may inspect.Tuples are inspected with projections π L (a) and π R (a).A lambda is inspected by applying arguments a ω for state-lambdas, a v for rst-order, and a b for higher-order.Realizers for sequential compositions ⟨α; β⟩ϕ (likewise [α; β]ϕ) are ⟨α⟩⟨β⟩ϕ-realizers: rst α is played, and in every case the continuation must play β before showing ϕ.Realizers for repetitions α * are streams containing α-realizers, possibly innite by virtue of coinductive syntax.Active loop realizer ind(x.a) is the least xed point of the equation b = [b/x]a, i.e., x is a recursive call which must be invoked only in accordance with some well-order.We realize dormant loops with gen(a, x.b, x.c), coinductively generated from initial value a, update b, and post-step c with variable x for current generator value.
Active loops must terminate, so ⟨α * ⟩ϕ-realizers are constructed inductively using any well-order on states.Dormant loops must be played as long as the opponent wishes, so [α * ]ϕ-realizers are constructed coinductively, with the invariant that ϕ has a realizer at every iteration.

Formula and Game Semantics
A state ω paired with a realizer a that continues the game is called a possibility.
A region (written X, Y, Z) is a set of possibilities.We write [[ϕ]] ⊆ ϕ Rz × S for the region which realizes formula ϕ.A formula ϕ is valid i some a uniformly realizes every state, i.e., {a} × S ⊆ Γ → ϕ is valid, where Γ is the conjunction of all assumptions in Γ .
The game semantics are region-oriented, i.e., they process possibilities in bulk, though Angel commits to a strategy from the start.The region X⟨⟨α⟩⟩ : ℘(Rz × S) is the union of all end regions of game α which arise when active Angel commits to an element of X, then Demon plays adversarially.In

X[[α]
] : ℘(Rz×S) Angel is the dormant player, but it is still Angel who commits to an element of X and Demon who plays adversarially.Recall that pseudo-states ⊤ and ⊥ represent early wins by each Angel and Demon, respectively.The denitions below implicitly assume ⊥, ⊤ / ∈ X, they extend to the case ⊥ ∈ X (likewise ⊤ ∈ X) using the equations Denition 6 (Formula semantics).[[ϕ]] ⊆ Rz × S is dened as: Comparisons f ∼ g defer to the term semantics, so the interesting cases are the game modalities.Both [α]ϕ and ⟨α⟩ϕ ask whether Angel wins α by following the given strategy, and dier only in whether Demon vs. Angel is the active player, thus in both cases every Demonic choice must satisfy Angel's goal, and early Demon wins are counted as Angel losses.
Denition 7 (Angel game forward semantics).We inductively dene the region X⟨⟨α⟩⟩ : ℘(Rz × S) in which α can end when active Angel plays X: Denition 8 (Demon game forward semantics).We inductively dene the region X[[α]] : ℘(Rz × S) in which α can end when dormant Angel plays X: Angelic tests ?ϕ end in the current state ω with remaining realizer π R (a) if Angel can realize ϕ with π L (a), else end in ⊥.Angelic deterministic assignments consume no realizer and simply update the state, then end.Angelic nondeterministic assignments x := * ask the realizer π L (a) to compute a new value for x from the current state.Angelic compositions α; β rst play α, then β from the resulting state using the resulting continuation.Angelic choice games α ∪ β use the Angelic projections to decide which branch is taken according to π L (a).The realizer π R (a) may be reused between α and β, since π R (a) could just invoke π L (a) if it must decide which branch has been taken.This denition of Angelic choice (corresponding to constructive disjunction) captures the reality that realizers in CGL, in contrast with most constructive logics, are entitled to observe a game state, but they must do so in computable fashion.
Repetition Semantics.In any GL, the challenge in dening the semantics of repetition games α * is that the number of iterations, while nite, can depend on both players' actions and is thus not known in advance, while the DL-like semantics of α * as the nite reexive, transitive closure of α gives an advancenotice semantics.Classical GL provides the no-advance-notice semantics as a xed point [38], and we adopt the xed point semantics as well.The Angelic choice whether to stop (Z ⟨0⟩ ) or iterate the loop (Z ⟨1⟩ ) is analogous to the case for α ∪ β.
Duality Semantics.To play the dual game α d , the active and dormant players switch roles, then play α.In classical GL, this characterization of duality is interchangeable with the denition of α d as the game that Angel wins exactly when it is impossible for Angel to lose.The characterizations are not interchangeable in CGL because the Determinacy Axiom (all games have winners) of GL is not valid in CGL: Remark 1 (Indeterminacy).Classically equivalent determinacy axiom schemata ¬⟨α⟩¬ϕ → [α]ϕ and ⟨α⟩¬ϕ ∨ [α]ϕ of classical GL are not valid in CGL, because they imply double negation elimination.
Remark 2 (Classical duality).In classical GL, Angelic dual games are characterized by the axiom schema ⟨α d ⟩ϕ ↔ ¬⟨α⟩¬ϕ, which is not valid in in CGL.It is The determinacy axiom is not valid in CGL, so we take ⟨α d ⟩ ↔ [α]ϕ as primary.

Demonic Semantics
Demon wins a Demonic test by presenting a realizer b as evidence that the precondition holds.If he cannot present a realizer (i.e., because none exists), then the game ends in ⊤ so Angel wins by default.Else Angel's higher-order realizer a consumes the evidence of the pre-condition, i.e., Angelic strategies are entitled to depend (computably) on how Demon demonstrated the precondition.Angel can check that Demon passed the test by executing b.The Demonic repetition game α * is dened as a xed-point [42] with Demonic projections.Computationally, a winning invariant for the repetition is the witness of its winnability.
The remaining cases are innocuous by comparison.Demonic deterministic assignments x := f deterministically store the value of f in x, just as Angelic assignments do.In demonic nondeterministic assignment x := * , Demon chooses to set x to any value.When Demon plays the choice game α ∪ β, Demon chooses classically between α and β.The dual game α d is played by Demon becoming dormant and Angel become active in α.
Semantics Examples.The realizability semantics of games are subtle on a rst read, so we provide examples of realizers.In these examples, the state argument ω is implicit, and we refer to ω(x) simply as x for brevity.
Recall that [?ϕ]ψ and ϕ → ψ are equivalent.For any ϕ, the identity function (Λx : ϕ Rz. x) is a ϕ → ϕ-realizer: for every ϕ-realizer x which Demon presents, Angel can present the same x as evidence of ϕ.This conrms expected behavior per propositional constructive logic: the identity function is the proof of selfimplication.
In example formula ⟨x := * d ; {x := x ∪ x := −x}⟩x ≥ 0, Demon gets to set x, then Angel decides whether to negate x in order to make it nonnegative.It is realized by Λx : Q. ((if (x < 0) 1 else 0), ()): Demon announces the value of x, then Angel's strategy is to check the sign of x, taking the right branch when x is negative.Each branch contains a deterministic assignment which consumes no realizer, then the postcondition x ≥ 0 has trivial realizer ().
Consider the formula ⟨{x := x + 1} * ⟩x > y, where Angel's winning strategy is to repeat the loop until x > y, which will occur as x increases.The realizer is ind(w.(if (x > y) (0, ()) else (1, w), ())), which says that Angel stops the loop if x > y and proves the postcondition with a trivial strategy.Else Angel continues the loop, whose body consumes no realizer, and supplies the inductive call w to continue the strategy inductively.
Consider the formula [?x > 0; {x := x + 1} * ]∃y (y ≤ x ∧ y > 0) for a subtle example.Our strategy for Angel is to record the initial value of x in y, then maintain a proof that y ≤ x as x increases.This strategy is represented by Λw :

z). That is, initially
Demon announces a proof w of x > 0. Angel species the initial element of the realizer stream by witnessing ∃y (y ≤ x∧y > 0) with c 0 = (x, ((), w)), where the rst component instantiates y = x, the trivial second component indicates that y ≤ y trivially, and the third component reuses w as a proof of y > 0. Demon can choose to repeat the loop arbitrarily.When Demon demands the k'th repetition, z is bound to c k−1 to compute c k = (π L (z), ((), π R (π R (z)))), which plays the next iteration.That is, at each iteration Angel witnesses ∃y (y ≤ x ∧ y > 0) by assigning the same value (stored in π L (z)) to y, reproving y ≤ x with (), then reusing the proof (stored in π R (π R (z))) that y > 0.

Proof Calculus
Having settled on the meaning of a game in Section 4, we proceed to develop a calculus for proving CGL formulas syntactically.The goal is twofold: the practical motivation, as always, is that when verifying a concrete example, the realizability semantics provide a notion of ground truth, but are impractical for proving large formulas.The theoretical motivation is that we wish to expose the computational interpretation of the modalities ⟨α⟩ϕ and [α]ϕ as the types of the players' respective winning strategies for game α that has ϕ as its goal condition.Since CGL is constructive, such a strategy constructs a proof of the postcondition ϕ.
To study the computational nature of proofs, we write proof terms explicitly: the main proof judgement Γ ⊢ M : ϕ says proof term M is a proof of ϕ in context Γ , or equivalently a proof of sequent (Γ ⊢ ϕ).We write M, N, O (sometimes A, B, C) for arbitrary proof terms, and p, q, ℓ, r, s, g for proof variables, that is variables that range over proof terms of a given proposition.In contrast to the assignable program variables, the proof variables are given their meaning by substitution and are scoped locally, not globally.We adapt propositional proof terms such as pairing, disjoint union, and lambda-abstraction to our context of game logic.To support rst-order games, we include rst-order proof terms and new terms for features: dual, assignment, and repetition games.
We now develop the calculus by starting with standard constructs and working toward the novel constructs of CGL.The assumptions p in Γ are named, so that they may appear as variable proof-terms p.We write Γ y x and M y x for the renaming of program variable x to y and vice versa in context Γ or proof term M, respectively.Proof rules for state-modifying constructs explicit perform renamings, which both ensures they are applicable as often as possible and also ensures that references to proof variables support an intuitive notion of lexical scope.Likewise Γ f x and M f x are the substitutions of term f for program variable x.We use distinct notation to substitution proof terms for proof variables while avoiding capture: [N/p]M substitutes proof term N for proof variable p in proof term M .Some proof terms such as pairs prove both a diamond formula and a box formula.We write ⟨M, N ⟩ and [M, N ] respectively to distinguish the terms or ⟨[M, N ]⟩ to treat them uniformly.Likewise we abbreviate ⟨[α]⟩ϕ when the same rule works for both diamond and box modalities, using [⟨α⟩]ϕ to denote its dual modality.The proof terms ⟨x := f y x in p. M ⟩ and [x := f y x in p. M ] introduce an auxiliary ghost variable y for the old value of x, which improves completeness without requiring manual ghost steps.
The propositional proof rules of CGL are in Figure 1.Formula [?ϕ]ψ is constructive implication, so rule [?]E with proof term M N eliminates M by supplying an N that proves the test condition.Lambda terms (λp : ϕ.M ) are introduced by rule [?]I by extending the context Γ .While this rule is standard, it is worth emphasizing that here p is a proof variable for which a proof term (like N in [?]E) may be substituted, and that the game state is untouched by [?]I.
Constructive disjunction (between the branches ⟨α⟩ϕ and ⟨β⟩ϕ) is the choice ⟨α ∪ β⟩ϕ.The introduction rules for injections are ⟨∪⟩I1 and ⟨∪⟩I2, and caseanalysis is performed with rule ⟨∪⟩E, with two branches that prove a common We now begin considering non-propositional rules, starting with the simplest ones.The majority of the rules in Figure 2, while thoroughly useful in proofs, analogy to the iso-recursive treatment of recursive types [50], where an explicit operation is used to expand and collapse the recursive denition of a type.
Rules ⟨ * ⟩C,⟨ * ⟩S,⟨ * ⟩G are the destructor and injectors for ⟨α * ⟩ϕ, which are similar to those for ⟨α ∪ β⟩ϕ.The duality rules (⟨[ d ]⟩I) say the dual game is proved by proving the game where roles are reversed.The sequencing rules (⟨[;]⟩I) say a sequential game is played by playing the rst game with the goal of reaching a state where the second game is winnable.Among these rules, monotonicity M is especially computationally rich.The notation Γ ⃗ y BV(α) says that in the second premiss, the assumptions in Γ have all bound variables of α (written BV(α)) renamed to fresh variables ⃗ y for completeness.In practice, Γ usually contains some assumptions on variables that are not bound, which we wish to access without writing them explicitly in ϕ.
Rule M is used to execute programs right-to-left, giving shorter, more ecient proofs.It can also be used to derive the Hoare-logical sequential composition rule, which is frequently used to reduce the number of case splits.Note that like every GL, CGL is subnormal, so the modal modus ponens axiom K and Gödel generalization (or necessitation) rule G are not sound, and M takes over much of the role they usually serve.On the surface, M simply says games are monotonic: a game's goal proposition may freely be replaced with a weaker one.From a computational perspective, Section 7 will show that rule M can be (lazily) eliminated.Moreover, M is an admissible rule, one whose instances can all be derived from existing rules.When proofs are written right-to-left with M, the normalization relation translates them to left-to-right normal proofs.Note also that in checking M • p N, the context Γ has the bound variables α renamed freshly to some ⃗ y within N, as required to maintain soundness across execution of α.
Next, we consider rst-order rules, i.e., those which deal with rst-order programs that modify program variables.The rst-order rules are given in Figure 3.In ⟨: * ⟩E, FV(ψ) are the free variables of ψ, the variables which can inuence its meaning.Nondeterministic assignment provides quantication over rational- (y fresh) While this notation is suggestive, the dierence vs. the function proof term (λp : ϕ.M ) is essential: the proof term M is checked (resp.evaluated) in a state where the program variable x has changed from its initial value.For soundness, [: * ]I renames x to fresh program variable y throughout context Γ, written Γ y x .
This means that M can freely refer to all facts of the full context, but they now refer to the state as it was before x received a new value.Elimination [: * ]E then allows instantiating x to a term f .Existential quantication is introduced by ⟨: * ⟩I whose proof term ⟨f y x : * p. M ⟩ is like a dependent pair plus bound renaming of x to y.The witness f is an arbitrary computable term, as always.We write ⟨f x : * M ⟩ for short when y is not referenced in M .It is eliminated in ⟨: * ⟩E by unpacking the pair, with side condition x / ∈ FV(ψ) for soundness.The assignment rules ⟨[:=]⟩I do not quantify, per se, but always update x to the value of the term f, and in doing so introduce an assumption that x and f (suitably renamed) are now equal.In ⟨: * ⟩I and ⟨[:=]⟩I, program variable y is fresh.

CGL proof calculus: loops
The looping rules in Figure 4, especially ⟨ * ⟩I, are arguably the most sophisticated in CGL.Rule ⟨ * ⟩I provides a strategy to repeat a game α until the postcondition ϕ holds.This is done by exhibiting a convergence predicate φ and termination metric M with terminal value 0 and well-ordering ≻.Proof term A shows φ holds initially.Proof term B guarantees M decreases with every iteration where M 0 is a fresh metric variable which is equal to M at the antecedent of B and is never modied.Proof term C allows any postcondition ϕ which follows from convergence φ ∧ M = 0. Proof term for(p : φ(M) = A; q.B; C){α} suggests the computational interpretation as a for-loop: proof A shows the convergence predicate holds in the initial state, B shows that each step reduces the termination metric while maintaining the predicate, and C shows that the postcondition follows from the convergence predicate upon termination.The game α repeats until convergence is reached (M = 0).By the assumption that metrics are well-founded, convergence is guaranteed in nitely (but arbitrarily) many iterations.
A naïve, albeit correct, reading of rule ⟨ * ⟩I says M is literally some term f .If lexicographic or otherwise non-scalar metrics should be needed, it suces to interpret φ and M 0 ≻ M as formulas over several scalar variables.
Rule FP says ⟨α * ⟩ϕ is a least pre-xed-point.That is, if we wish to show a formula ψ holds now, we show that ψ is any pre-xed-point, then it must hold as it is no lesser than ϕ.Rule [ * ]I is the well-understood induction rule for loops, which applies as well to repeated games.Premiss O ensures [ * ]I supports any provable postcondition, which is crucial for eliminating M in Lemma 7. The elimination form for [α * ]ϕ is simply [ * ]E.Like any program logic, reasoning in CGL consists of rst applying program-logic rules to decompose a program until the program has been entirely eliminated, then applying rst-order logic principles at the leaves of the proof.The constructive theory of rationals is undecidable because it can express the undecidable [47] classical theory of rationals.Thus facts about rationals require proof in practice.For the sake of space and since our focus is on program reasoning, we defer an axiomatization of rational arithmetic to future work.We provide a (non-eective!)rule FO which says valid rst-order formulas are provable.
An eective special case of FO is split (Figure 4), which says all term comparisons are decidable.Rule split can be generalized to decide termination metrics (M = 0 ∨ M ≻ 0).Rule iG says the value of term f can be remembered in fresh ghost variable x: Rule iG can be dened using arithmetic and with quantiers: What's Novel in the CGL Calculus?CGL extends rst-order reasoning with game reasoning (sequencing [32], assignments, iteration, and duality).The combination of rst-order reasoning with game reasoning is synergistic: for example, repetition games are known to be more expressive than repetition systems [42].
We give a new natural-deduction formulation of monotonicity.Monotonicity is admissible and normalization translates monotonicity proofs into monotonicityfree proofs.In doing so, normalization shows that right-to-left proofs can be (lazily) rewritten as left-to-right.Additionally, rst-order games are rife with changing state, and soundness requires careful management of the context Γ .The extended version [12] uses our calculus to prove the example formulas.
6 Theory: Soundness Full versions of proofs outlined in this paper are given in the extended version [12].We have introduced a proof calculus for CGL which can prove winning strategies for Nim and CC.For any new proof calculus, it is essential to convince ourselves of our soundness, which can be done within several prominent schools of thought.In proof-theoretic semantics, for example, the proof rules are taken as the ground truth, but are validated by showing the rules obey expected properties such as harmony or, for a sequent calculus, cut-elimination.While we will investigate proof terms separately (Section 8), we are already equipped to show soundness by direct appeal to the realizability semantics (Section 4), which we take as an independent notion of ground truth.We show soundness of CGL proof rules against the realizability semantics, i.e., that every provable naturaldeduction sequent is valid.An advantage of this approach is that it explicitly connects the notions of provability and computability!We build up to the proof of soundness by proving lemmas on structurality, renaming and substitution.
Lemma 1 (Structurality).The structural rules W, X, and C are admissible, i.e., the conclusions are provable whenever the premisses are provable.W Γ ⊢ M : ϕ Γ, p : ψ ⊢ M : ϕ X Γ, p : ϕ, q : ψ ⊢ M : ρ Γ, q : ψ, p : ϕ ⊢ M : ρ C Γ, p : ϕ, q : ϕ ⊢ M : ρ Γ, p : ϕ ⊢ [p/q]M : ρ Proof summary.Each rule is proved admissible by induction on M .Observe that the only premisses regarding Γ are of the form Γ (p) = ϕ, which are preserved under weakening.Premisses are trivially preserved under exchange because contexts are treated as sets, and preserved modulo renaming by contraction as it suces to have any assumption of a given formula, regardless its name.The context Γ is allowed to vary in applications of the inductive hypothesis, e.g., in rules that bind program variables.Some rules discard Γ in checking the subterms inductively, in which case the IH need not be applied at all.Lemma 2 (Uniform renaming).Let M y x be the renaming of program variable x to y (and vice-versa) within M , even when neither x nor y is fresh.If Γ ⊢ M : ϕ then Γ y x ⊢ M y x : ϕ y x .Proof summary.Straightforward induction on the structure of M .Renaming within proof terms (whose denition we omit as it is quite tedious) follows the usual homomorphisms, from which the inductive cases follow.In the case that M is a proof variable z, then Γ y x (z) = Γ (z) y x from which the case follows.The interesting cases are those which modify program variables, e.g., ⟨z := f w z in p. M ⟩.The bound variable z is renamed to z y x , while the auxiliary variable w is α-varied if necessary to maintain freshness.Renaming then happens recursively in M .Substitution will use proofs of coincidence and bound eect lemmas.Lemma 3 (Coincidence).Only the free variables of an expression inuence its semantics.
Lemma 4 (Bound eect).Only the bound variables of a game are modied by execution.Summary.By induction on the expression, in analogy to [43].
Denition 9 (Term substitution admissibility).For simplicity, we say ϕ f x (likewise for context Γ, term f, game α, and proof term M ) is admissible if ϕ binds neither x nor free variables of f .The latter condition can be relaxed in practice [44] to requiring ϕ does not mention x under bindings of free variables.
Lemma 5 (Arithmetic-term substitution).If Γ ⊢ M : ϕ and the substitu- and ϕ f x are admissible, then Γ f x ⊢ M f x : ϕ f x .Summary.By induction on M .Admissibility holds recursively, and so can be assumed at each step of the induction.For non-atomic M that bind no variables, the proof follows from the inductive hypotheses.For M that bind variables, we appeal to Lemma 3 and Lemma 4.
Just as arithmetic terms are substituted for program variables, proof terms are substituted for proof variables.Proof.By induction on M, appealing to renaming, coincidence, and bound effect.When substituting N for p into a term that binds program variables such as ⟨z := f y z in q.M ⟩, we avoid capture by renaming within occurrences of N in the recursive call, i.e., [N/p]⟨z := f y z in q.M ⟩ = ⟨z := f y z in q. [N z y /p]M ⟩, preserving soundness by Lemma 2.
Soundness of the proof calculus exploits renaming and substitution.
Proof summary.By induction on M .Modus ponens case A B reduces to Lemma 6.
Cases that bind program variables, such as assignment, hold by Lemma 5 and Lemma 2. Rule W is employed when substituting under a binder.
We have now shown that the CGL proof calculus is sound, the sine qua non condition of any proof system.Because soundness was w.r.t. a realizability semantics, we have shown CGL is constructive in the sense that provable formulas correspond to realizable strategies, i.e., imperative programs executed in an adversarial environment.We will revisit constructivity again in Section 8 from the perspective of proof terms as functional programs.

Operational Semantics
The Curry-Howard interpretation of games is not complete without exploring the interpretation of proof simplication as normalization of functional programs.
To this end, we now introduce a structural operational semantics for CGL proof terms.This semantics provides a view complementary to the realizability semantics: not only do provable formulas correspond to realizers, but proof terms can be directly executed as functional programs, resulting in a normal proof term.
The chief subtlety of our operational semantics is that in contrast to realizer execution, proof simplication is a static operation, and thus does not inspect game state.Thus the normal form of a proof which branches on the game state is, of necessity, also a proof which branches on the game state.This static-dynamic phase separation need not be mysterious: it is analogous to the monadic phase separation between a functional program which returns an imperative command vs. the execution of the returned command.While the primary motivation for our operational semantics is to complete the Curry-Howard interpretation, proof normalization is also helpful when implementing software tools which process proof artifacts, since code that consumes a normal proof is in general easier to implement than code that consumes an arbitrary proof.For the sake of space, this section focuses on the β-rules (Figure 5).The full calculus, given inthe extended version [12], includes structural and commuting-  [roll] is essential for normalization: when (M rep p : J. N in O) is understood as a coinductive proof, it is clear that normalization would diverge if repβ were applied indenitely.Rule forβ for for(p : φ(M) = A; q.B; C){α} checks whether the termination metric M has reached terminal value 0. If so, the loop ⟨stop⟩'s and A proves it has converged.Else, we remember M's value in a ghost term M 0 , and ⟨go⟩ forward, supplying A and ⟨r, rr⟩ to satisfy the preconditions of inductive step B, then execute the loop for(p : φ(M) = π 1 t; q.B; C){α} in the postcondition.Rule forβ reects the fact that the exact number of iterations is state dependent.
We discuss the structural, commuting conversion, and monotonicity conversion rules for left injections as an example, with the full calculus in [12].Structural rule ℓ•S evaluates term M under an injector.Commuting conversion rule ⟨[ℓ•]⟩C normalizes an injection of a case to a case with injectors on each branch.Monotonicity conversion rule ⟨[ℓ•]⟩• simplies a monotonicity proof of an injection to an injection of a monotonicity proof.

Theory: Constructivity
We now complete the study of CGL's constructivity.We validate the operational semantics on proof terms by proving that progress and preservation hold, and We gave two understandings of proofs in CGL, as imperative strategies and as functional programs.We now give a nal perspective: CGL proofs support synthesis in principle, one of our main motivations.Formally, the Existential Property (EP) and Disjunction Property (DP) justify synthesis [18] for existentials and disjunctions: whenever an existential or disjunction has a proof, then we can compute some instance or disjunct that has a proof.We state and prove an EP and DP for CGL, then introduce a Strategy Property, their counterpart for synthesizing strategies from game modalities.It is important to our EP that terms are arbitrary computable functions, because more simplistic term languages are often too weak to witness the existentials they induce.
Example 1 (Rich terms help).Formulas over polynomial terms can have nonpolynomial witnesses.

Conclusion and Future Work
In this paper, we developed a Constructive Game Logic CGL, from syntax and realizability semantics to a proof calculus and operational semantics on the proof terms.We developed two understandings of proofs as programs: semantically, every proof of game winnability corresponds to a realizer which computes the game's winning strategy, while the language of proof terms is also a functional programming language where proofs reduce to their normal forms according to the operational semantics.We completed the Curry-Howard interpretation for games by showing Existential, Disjunction, and Strategy properties: programs can be synthesized that decide which instance, disjunct, or moves are taken in existentials, disjunctions, and games.In summary, we have developed the most comprehensive Curry-Howard interpretation of any program logic to date, for a much more expressive logic than prior work [32].Because CGL contains constructive Concurrent DL and rst-order DL as strict fragments, we have provided a comprehensive Curry-Howard interpretation for them in one fell swoop.The key insights behind CGL should apply to the many dynamic and Hoare logics used in verication today.
Synthesis is the immediate application of CGL.Motivations for synthesis include security games [40], concurrent programs with demonic schedulers (Concurrent Dynamic Logic), and control software for safety-critical cyber-physical systems such as cars and planes.In general, any kind of software program which must operate correctly in an adversarial environment can benet from game logic verication.The proofs of Theorem 2 and Theorem 3 constitute an (on-paper) algorithm which perform synthesis of guaranteed-correct strategies from game proofs.The rst future work is to implement this algorithm in code, providing much-needed assurance for software which is often mission-critical or safetycritical.This paper focused on discrete CGL with one numeric type simply because any further features would distract from the core features.Real applications come from many domains which add features around this shared core.
The second future work is to extend CGL to hybrid games, which provide compelling applications from the domain of adversarial cyber-physical systems.This future work will combine the novel features of CGL with those of the classical logic dGL.The primary task is to dene a constructive semantics for dierential equations and to give constructive interpretations to the dierential equation rules of dGL.Previous work on formalizations of dierential equations [34] suggests dierential equations can be treated constructively.In principle, existing proofs in dGL might happen to be constructive, but this does not obviate the present work.On the contrary, once a game logic proof is shown to fall in the constructive fragment, our work gives a correct synthesis guarantee for it too!
Consider the game c := 10; {c := c − 1 ∩ c := c − 2} * ; ?0 ≤ c ≤ 2 where Demon repeatedly decreases c by 1 or 2, and Angel chooses when to stop.Angel only wins because she can pass the test 0 ≤ c ≤ 2, which she can do by simply repeating the loop until 0 ≤ c ≤ 2 holds.If Angel had to decide the loop duration in advance, Demon could force a rules violation by guessing the duration and changing his choices of c := c − 1 vs. c := c − 2.

Fig. 6 .
Fig. 6.Operational semantics: structural, commuting conversion, monotonicity rules The Roman a, b, c should not be confused with the Greek α, β, γ which range over games.Realizers have access to the game state ω, expressed by lambda realizers (λω : S. a(ω)) which, when applied in a state ν, compute the realizer a with ν substituted for ω.State lambdas λ are distinguished from propositional and rst-order lambdas Λ.The unit realizer () makes no choices and is understood as a unit tuple.Units () realize f ∼ g because rational comparisons, in contrast to real comparisons, are decidable.Conditional strategic decisions are realized by if (f (ω)) a else b for computable function f : S → B, and execute a if f returns truth, else b.Realizer (λω : S. f (ω)) is a ⟨α ∪ β⟩ϕ-realizer if f (ω) ∈ ({0} × ⟨α⟩ϕ Rz) ∪ ({1} × ⟨β⟩ϕ Rz) for all ω.The rst component determines which branch is taken, while the second component is a continuation which must be able to play the corresponding branch.Realizer (λω : S. f (ω)) can also be a ⟨x := * ⟩ϕ-realizer, which requires f (ω) ∈ Q × (ϕ Rz) for all ω.The rst component determines the value of x while the second component demonstrates the postcondition ϕ.The pair realizer (a, b) realizes both Angelic tests ⟨?ϕ⟩ϕ and dormant choices [α ∪ β]ϕ.It is identied with a pair of realizers: (a, b) ∈ Rz×Rz.
where x is a program (or realizer) variable and f is a term over the state ω.
[4] operational semantics consist of two main judgments: M normal says that M is a normal form, while M → M ′ says that M reduces to term M ′ in one step of evaluation.A normal proof is allowed a case operation at the top-level, either⟨case A of ℓ ⇒ B | r ⇒ C⟩ or ⟨case * A of s ⇒ B | g ⇒ C⟩.Normal proofs Mwithout state-casing are called simple, written M simp.The requirement that cases are top-level ensures that proofs which dier only in where the case was applied share a common normal form, and ensures that β-reduction is never blocked by a case interceding between introduction-elimination pairs.Top-level case analyses are analogous to case-tree normal forms in lambda calculi with coproducts[4].Reduction of proof terms is eager.Denition 10 (Normal forms).We say M is simple, written M simp, if eliminators occur only under binders.We say M is normal, written M normal, if M simp or M has shape ⟨case A of ℓ ⇒ B | r ⇒ C⟩ or ⟨case * A of s ⇒ B | g ⇒ C⟩ where A is a term such as (split [f, g] M )that inspects the state.Subterms B and C need not be normal since they occur under the binding of ℓ or r (resp.sor g).That is, a normal term has no top-level beta-redexes, and state-dependent cases are top-level.We consider rules [ * ]R, [: * ]I, [?]I, and ⟨[:=]⟩I binding.Rules such as ⟨ * ⟩I have multiple premisses but bind only one.While [ * ]R does not introduce a proof variable, it is rather considered binding to prevent divergence, which is in keeping with a coinductive understanding of formula [α * ]ϕ.If we did not care whether terms diverge, we could have made [ * ]R non-binding.
conversion rules, as well as what we call monotonicity conversion rules: a proof term M • p N is simplied by structural recursion on M .The capture-avoiding substitution of M for p in N is written [M/p]N (Lemma 6).The propositional cases λϕβ, λβ, caseβL, caseβR, π 1 β, and π 2 β are standard reductions for applications, cases, and projections.Projection terms π 1 M and π 2 M should not be confused with projection realizers π L (a) and π R (a).Rule unpackβ makes the witness of an existential available in its client as a ghost variable.Rule FPβ, repβ, and forβ reduce introductions and eliminations of loops.Rule FPβ, which reduces a proof FP(A, s.B, g.C) says that if α * has already terminated according to A, then B proves the postcondition.Else the inductive step C applies, but every reference to the IH g is transformed to a recursive application of FP.If A uses only ⟨ * ⟩S and ⟨ * ⟩G, then FP(A, s.B, g.C) reduces λϕβ (λp : ϕ