An Epistemic Separation Logic with Action Models

In this paper we present an extension of (bunched) separation logic, Boolean BI, with epistemic and dynamic epistemic modalities. This logic, called action model separation logic (AMSL), can be seen as a generalization of public announcement separation logic in which we replace public announcements with action models. Then we not only model public information change (public announcements) but also non-public forms of information change, such as private announcements. In this context the semantics for the connectives ∗ and −∗ from separation logic are epistemic versions of their usual semantics. This is because formulas are interpreted in states, not in resources, and agents may be uncertain between different states representing the same resource. We present the logic AMSL and its semantics, with a detailed case study that highlights its interest for modeling.
We also prove the elimination of the dynamic modalities and discuss some alternative epistemic semantics for the separation connectives.


Hans van Ditmarsch (hans.vanditmarsch@ou.nl), Open University of the Netherlands, Heerlen, The Netherlands; CNRS, LORIA, University of Lorraine, Nancy, France

Introduction
Epistemic Logic is the logic of knowledge and belief, which models and expresses properties of knowledge that multiple agents may have about themselves and about each other (Hintikka, 1962; van Ditmarsch et al., 2015). The models of epistemic logic are based on possible worlds, which encode the possible states/configurations of a considered system. The analysis of Moorean phenomena (Moore, 1942) played an important role, for example that you cannot know that some fact p is true and that you do not know this. On the one hand, this multi-agent logic of knowledge was extended with group epistemic notions such as common knowledge (Aumann, 1976; McCarthy, 1990) and distributed knowledge (Hilpinen, 1977). On the other hand, there was increased interest in the analysis of multiple agents informing each other of their ignorance and knowledge, often inspired by logic puzzles (McCarthy, 1990; Moses et al., 1986). This culminated in public announcement logic (PAL) (Plaza, 1989), wherein such informative actions became full members of the logical language besides the knowledge modalities; parallel developments of dynamic but not epistemic logics of information change are van Emde Boas et al. (1984) and van Benthem (1989). A further generalization was to non-public information change, such as private or secret announcements to some agents while other agents only partially observe that, in Action Model Logic (AML) (Baltag et al., 1998); parallel, now lesser known, developments are Gerbrandy and Groeneveld (1997) and van Ditmarsch (2000). Extensions of action model logic with factual change have been proposed in van Benthem et al. (2006) and .
An independent and quite successful line of research involving knowledge dynamics, which we bypass in this investigation, is the runs-and-systems approach (Fagin et al., 1995, 1997). In this context we want to enrich the models of such logics with more structure, namely by considering the possible worlds as resources that can be combined or separated. For that we consider the logic of Bunched Implications (BI) and its variants, like Boolean BI (BBI) (O'Hearn & Pym, 1999; Pym, 2002), that mainly focus on resource sharing and separation. The logics BI and BBI combine propositional classical additive (∧, →, ∨) and multiplicative (∗, −∗) connectives. The multiplicative conjunction ∗ expresses separation of resources and the multiplicative implication −∗ expresses resource update (Galmiche et al., 2005; Pym, 2002). The semantics for BI and BBI is interpreted on resources rather than states, where the main idea is that resources, unlike states, can be used up, so to speak. To satisfy a standard implication p → q in a given state it is sufficient to satisfy either ¬p or q in that state. In particular p → p is trivial, a tautology. Whereas to satisfy p −∗ p it is far from guaranteed that after having satisfied p in a resource, p is still satisfied in an updated resource. Let us remark that we use here the term "separation logics" to denote the class of logics based on BI and BBI and their modal extensions, even if originally separation logic (SL) is a bunched logic, based on BBI, with resources being memory areas (Ishtiaq & O'Hearn, 2001), and which successfully improved the verification of programs with mutable data structures (Reynolds, 2002).
Among extensions of separation logics with other modalities we can mention Dynamic Modal BI (DMBI) (Courtault & Galmiche, 2018) and Epistemic Resource Logic (ERL) . The first one is a BBI extension with the modalities □ and ♦, and a dynamic modality [a], that allows us to investigate how resource properties change when dynamic processes are taking place, with an emphasis on concurrent processes (Courtault & Galmiche, 2018). The second one is a BBI extension with epistemic modalities, which makes a modelling difference between ambient resources and local resources (assigned to each agent), and investigates their composition .
Two other extensions of separation logic are Epistemic separation logic (ESL) (Courtault et al., 2015) and the related Public announcement separation logic (PASL) (Courtault et al., 2019). These works present resource semantics including ways to model uncertainty about resources and to model information updates reducing such uncertainty. The first extends the language of separation logic with knowledge modalities K_a (where a is one out of a finite set of agents), and the second extends it as well with public announcement modalities representing reliable public observations, as in PAL. In these logics the states or worlds represent resources, and the members of the domain should represent a resource monoid. The monoidal structure entails inclusion of a neutral element (neutral, or unit resource). The PASL semantics of public announcement are therefore different from the usual model-restricting PAL semantics. A domain restriction risks eliminating the state representing the neutral resource, in which case the domain of the resulting updated model would no longer correspond to a resource monoid. However, as dynamic processes are carried out it is vital that, in any case, the structure of our updated model still contains the neutral element, so that the monoidal structure is preserved. In PASL the issue was resolved by a so-called refinement semantics for public announcement (van Benthem & Liu, 2007), which ensures that no state (and therefore no resource) is ever removed from the model.
In action model separation logic (AMSL), which we present in this paper, we generalize the dynamic aspects of PASL by replacing public announcements with action models. In AMSL we not only model public information change (public announcements) but also non-public forms of information change, such as private announcements, multicasts, etc. Also, we can model factual change. Unlike in PASL, we cannot identify states with resources, as uncertainty about the actual state may involve uncertainty between different states representing the same resource. As a consequence, our semantics for ∗ and −∗ cannot be as in BBI but are necessarily 'epistemic' versions of that, where we motivate different choices in detail. In the semantics of AMSL a state still represents a resource, as in PASL, but different states can now be mapped to the same resource. The updated epistemic model, obtained after action model execution, preserves all state-to-resource mappings. But even if in some initial model only a single state was mapped to some resource, the updated model may contain several copies of that state still mapped to that same resource. Additionally, to preserve the resource monoid part of our structure we also require that our action model is covering, a technical requirement ensuring that the updated model always contains a state assigned to the neutral resource. Just as for PASL, for this logic AMSL we show that we can eliminate the dynamic modalities. In other words: every formula in the language with dynamic modalities is equivalent to a formula in the language without these modalities. We also provide a detailed case study of the use of our logic.
Section 2 presents the logic AMSL, its syntax, semantics, and associated structures, with a focus on the motivation for the proposed semantics in comparison with the BBI semantics. The expressivity is also analyzed. Section 3 provides a modelling example in which we compare PASL and AMSL with regard to their abilities to model public and private communications. Section 4 provides a reduction of dynamic modalities for action models, thus demonstrating that AMSL and ESL have the same expressivity. Section 5 investigates alternative epistemic semantics for resource composition and separation. Finally, Sect. 6 gives some conclusions and perspectives.

Action Model Separation Logic
Throughout the contribution, given are a finite set of agents A (with members denoted a, b, c, ...) and a countable set of propositional variables (atoms) P (with members denoted p, q, p′, q′, p_1, p_2, ...).

Syntax
The language L∗_{K⊗}(A, P) of action model separation logic (AMSL) is defined as follows, where E_e is an epistemic action (for language L∗_{K⊗}(A, P)) as defined below. Members of a language are called formulas and are denoted with lower case Greek letters ϕ, ψ, η, ϕ′, ....
Other propositional connectives are defined by abbreviation, such as ϕ → ψ := ¬(ϕ ∧ ¬ψ). Dual modalities are also defined by abbreviation, such as K̂_a ϕ := ¬K_a ¬ϕ and ⟨E_e⟩ϕ := ¬[E_e]¬ϕ. Connective ∗ (resp. ∧) is the multiplicative (resp. additive) conjunction and connective −∗ (resp. →) is the multiplicative (resp. additive) implication. Expression K_a ψ stands for "agent a knows that ψ." Expression [E_e]ϕ stands for "after execution of action E_e, ϕ is true." Parentheses in formulas, and parameters A and P in L∗_{K⊗}(A, P), are omitted unless confusion results. The K_a in formula K_a ψ is an epistemic modality and the [E_e] in formula [E_e]ψ is a dynamic modality.
The following language fragments are also of interest. The fragment of the language without the [E_e] modalities is denoted L∗_K, and without K_a modalities as well it is denoted L∗ (the language of separation logic). The fragment without ∗ and −∗ is denoted L_{K⊗} (the language of action model logic) and without [E_e] as well we get L_K (the language of epistemic logic).

Structures
Definition 1 (Resource monoid) A partial resource monoid (or resource monoid) is a structure R = (R, •, n) where R is a set of resources (with members denoted r, r′, r_1, r_2, ...) containing a neutral element n, and where • : R × R → R is a resource composition operator that is associative, that may be partial, and such that for all r ∈ R, r • n = n • r = r. If r • r′ is defined we write r • r′ ↓ and if r • r′ is undefined we write r • r′ ↑. When writing r • r′ = r″ we assume that r • r′ ↓.
Definition 2 (Epistemic frame) An epistemic frame (frame) is a structure (S, ∼) such that S is a set of states (with members denoted s, t, s′, t′, ...) and ∼ : A → P(S × S) is a function that maps each agent a to an equivalence relation ∼(a), denoted ∼_a.
Definition 3 (Epistemic resource model) Given a resource monoid R = (R, •, n), an epistemic resource model (or plainly model) is a structure M = (S, ∼, r, V) such that S is a domain of states (or worlds), ∼ : A → P(S × S) is a function that maps each agent a to an equivalence relation ∼_a, the surjection r : S → R is a resource function that maps each state to a resource, where we write r_s for r(s), and V : P → P(S) is a valuation function, where V(p) denotes the set of states where variable p is true. Given s ∈ S, the pair (M, s) is a pointed epistemic resource model, denoted M_s.
Definition 4 (Action model) Given a logical language L, an action model E is a structure E = (E, ≈, pre, post), such that E is a finite domain of actions (denoted e, f, g, ...), ≈_a is an equivalence relation on E for all a ∈ A, pre : E → L is a precondition function, and post : E → P → L is a postcondition function such that every post(e) is only finitely different from the identity: we can see its domain as a finite set of variables Q ⊆ P. Given e ∈ E, a pointed action model (or epistemic action) is a pair (E, e), denoted E_e. An action model is covering if ⋁_{e∈E} pre(e) is a validity of the logic of L. We require all action models to be covering.

Motivation for the Semantics
Before we present the epistemically motivated semantics for ∗ and −∗, we first wish to motivate our deviation from the standard BBI semantics. In this subsection, for extra clarity, instead of mathematical English terminology we write ∀ for 'for all', ∃ for 'there is', & for 'and' and ⇒ for 'implies'.
The standard BBI semantics for ∗ and −∗ is as follows. Let a resource monoid R = (R, •, n) be given and let r ∈ R and let ϕ, ψ ∈ L∗ (by '∃r′ r″' we mean ∃r′ r″ ∈ R, etc.): The AMSL semantics that we will propose is for states (worlds), not for resources. This means that r |= ϕ is replaced by M_s |= ϕ. Multiple states can be mapped to a single resource. This implies that we can either require all states mapped to a resource to satisfy a given formula or that we require some state mapped to this resource to satisfy that formula. Any r |= ϕ under the scope of a declared resource r can thus be replaced by either ∀s : r_s = r ⇒ M_s |= ϕ or by ∃s : r_s = r & M_s |= ϕ. This straightforwardly gives us four versions of the ∗ semantics, denoted ∗_∀∀, ∗_∀∃, ∗_∃∀, ∗_∃∃, and four versions of the −∗ semantics, denoted −∗_∀∀, −∗_∀∃, −∗_∃∀, −∗_∃∃.
Let us make this computation for ∗_∃∃, as an example. Assume M = (S, ∼, r, V) with r : S → R, and s ∈ S. By '∃t' we mean ∃t ∈ S, etc.
There are different ways to write this. For a compositional semantics specifying what is true in a state it seems preferable that the decomposition is also by quantifying over states and not over resources. One can easily transform the above into an equivalent description in terms of states. For the final paraphrase we revert to mathematical English again.
Not all versions of ∗ and −∗ have such straightforward paraphrases in terms of states and epistemic models, and not all versions of ∗ and −∗ seem to make modelling sense. We privilege the combination of ∗_∃∃ with −∗_∃∃ in the continuation, and we therefore continue to write ∗ and −∗ for those, as usual in BBI. In a later section we also discuss the combination of ∗_∀∀ with −∗_∀∀. The ∃∃ pair models the intuition that we separate/update the resources as well as the epistemics, whereas the ∀∀ version models that we separate/update resources despite the uncertainty about resources. Section 5 will explain the difference in detail.

Definition 5 (Satisfaction relation)
The satisfaction relation |= between pointed epistemic resource models M_s, where M = (S, ∼, r, V), for resources R = (R, •, n), and where s ∈ S, and formulas in L∗_{K⊗}(A, P), is defined by induction on formula structure.
where in the clause for [E_e]ϕ, E is a covering action model, (M ⊗ E) is defined below, and (s, e) ∈ D(M ⊗ E). A formula ϕ is valid on model M, notation M |= ϕ, iff for all s ∈ S, M_s |= ϕ, and ϕ is valid, notation |= ϕ, iff ϕ is valid on all models M.

Public and Private Announcement as Action Models
Three common epistemic actions are the public announcement (Plaza, 1989), the semi-private announcement (also known as semi-public announcement) (van Ditmarsch, 2002), and a version of the semi-private announcement where the non-informed agents are uncertain whether the announcement has been made (as described in, for example, ), which we denote the suspected semi-private announcement. The last epistemic action is non-deterministic, so that multiple states in updated models may then map to the same resource. For the public announcement we use the 'refinement' semantics of van Benthem and Liu (2007), also employed in Courtault et al. (2019). The standard semantics of Plaza (1989) that restricts the domain is unsuitable, as we require the action model to be covering, whereas the refinement semantics for public announcement makes it a covering action model.
Given some domain of states S, the identity relation is the binary relation on S defined as I := {(s, s) | s ∈ S}, and the universal relation is the relation defined as We define the public announcement E_e where E = (E, ≈, pre, post) and e ∈ E, the semi-private announcement E′_e where E′ = (E′, ≈′, pre′, post′) and e ∈ E′, and the suspected semi-private announcement E″_e where E″ = (E″, ≈″, pre″, post″) and e ∈ E″. In all three cases the postconditions are trivial, i.e., for any action point e of their respective domains E, E′, E″, we have that post(e)(p) = p for any p ∈ P. Postconditions are therefore omitted from the definitions.
By notational abbreviation for their respective modalities binding formulas, we denote public announcement of ϕ binding ψ as represents that nothing happened (precondition ); and similarly for their diamond versions: has the same meaning as [¬ϕ]−_B ψ and that ⟨ϕ⟩−_B ψ has the same meaning as ⟨¬ϕ⟩−_B ψ: either way, the precondition is , the notation is merely to evoke the preconditions for the informative part of the action model.

Expressivity
The extension of the epistemic language with ∗ and −∗ enhances the expressivity. Given two logical languages L and L′ (and a logical semantics), L is at least as expressive as L′ if for every formula in L′ there is an equivalent formula in L, notation L ≥ L′. If L ≥ L′ and L′ ≥ L, then L and L′ are equally expressive (as expressive). If L ≥ L′ and L′ ≱ L, then L is more expressive than L′. As L_K is a sublanguage of L∗_K, it is trivial that L∗_K is at least as expressive as L_K. By example we now show that L_K is not at least as expressive as L∗_K. From both it then follows that L∗_K is more expressive than L_K.
Consider the following epistemic resource model M = (S, ∼, r, V) for a single agent a and a single atom p, with S = {s, t, u}, ∼_a = S^2, r_s = 0, r_t = 1, r_u = 2, and V(p) = {1}. The resource monoid R = {{0, 1, 2}, •} represents agent a (Alice) being allowed to borrow 0, 1, or 2 books from a library, where 2 is the maximum (we anticipate a more detailed subsequent example in Sect. 3). Unfortunately Alice forgot how many books she still has at home, and she is therefore uncertain between all three options. The resource composition • is defined as: r • r′ ↑ if r + r′ > 2, and otherwise r • r′ = r + r′. Note that 0 is the neutral element n. A depiction of the model is: We now have, for example, that: However, in the language without ∗ and −∗, we cannot distinguish the states s and u. It is easy to show by formula induction that for all ϕ where we note that for the inductive case 'knowledge', according to the semantics both s and u satisfy the same formulas of form K_a ϕ, because: On the other hand we can distinguish state t from states s and u, namely by the atom p that is only true in t: Therefore L_K is not at least as expressive as L∗_K.

The Library Example
In this section we illustrate the semantics with a detailed example. It recalls the 'library' example from Courtault et al. (2019), where we can now give a much greater variety of dynamics, not only for public information change (public announcements) as in Courtault et al. (2019) but for any type of epistemic action, such as private announcements. Alice and Bob want to borrow books from a library. They are allowed to borrow at most two books. Their book requests are known to the librarian. The librarian can carry at most two requested books.
Formally, there are two agents a, b (Alice and Bob) and three propositional variables p_a, p_b, c, standing for 'Alice requests one book and Bob requests no books', 'Alice requests no books and Bob requests one book', and 'the librarian can carry the requested books'. Resources are pairs (i, j) representing that Alice requests i books and Bob requests j books. The resource monoid R = (R, •, n) is such that: It encodes that the agents are aware of the previous scenario and otherwise only know how many books they requested themselves.
The model is depicted in Fig. 1. In the figure we use the following conventions. Links for Alice (a) are solid and links for Bob (b) are dashed. Grey means 'cannot carry'. States are labelled with the resources they map to. Model M_1 is the initial model; M_2 is the result of the public announcement of whether the librarian can carry the books; M_3 is the result of the semi-private announcement of that to Alice; M_4 is the result of the suspected semi-private announcement of that to Alice. The dashes between the two submodels of M_4 represent that states mapping to the same resource are indistinguishable for Bob.
We now model check some formulas in this setting, in particular involving dynamics.
• Alice and Bob both request one book.
The ordinary conjunction is not satisfied here, only the multiplicative conjunction. The ordinary conjunction is unsatisfiable on this model for the given set of resources, as a state cannot be mapped to (0, 1) and (1, 0) simultaneously.
• ...but neither Alice nor Bob knows that! For example: This is because Alice does not know that Bob has requested one book, although she knows that she has one book herself. Alice also considers it possible that Bob has requested two books, that is: Or that Bob has not requested any book.
• Even if Alice and Bob request one book, they are both uncertain whether the librarian will be able to handle (carry) their request. Let us abbreviate K_a ϕ ∨ K_a ¬ϕ (Alice knows whether ϕ) by Kw_a ϕ, and similarly for Kw_b ϕ (Bob knows whether ϕ).
Note that this is a model validity (only a single state, 11, satisfies the antecedent).
• However, after the librarian informed them whether he can carry the requested books, they know that (where the resulting model is M_2).
In our public announcement semantics, the update due to some ϕ (such as c) is the same as the update due to ¬ϕ. The [ϕ] versions of the announcement modality are conditional on the truth of the announcement. Only the dual versions of the announcement modality assume the truth of the announcement. So, for example:
• Let Alice request two books and Bob one book, as above. We will now illustrate the different ways for the librarian to inform them. The public announcement way is as above: shouting "Are you out of your mind, I cannot carry that". This has other interesting consequences as well, for example: We can decompose the resource 21 into 01 and 20, and the (state labelled with the) 01 satisfies p_b whereas 20 satisfies K_a c, formally: M_2 01 |= p_b and M_2 20 |= K_a c, because 20 is the only state Alice considers possible in M_2.
• However, the librarian might also have chosen to inform Alice privately that he cannot carry the requested books, for example because the librarian might find it more reasonable that Alice changes her order and requests fewer books than that Bob changes his order. We now get: Again, afterwards p_b ∗ K_a c is true in the state labelled 21, however this is now in model M_3. A difference between M_2 and M_3 is, of course, that Bob does not know that Alice knows that the librarian cannot carry the books: but he knows that Alice now knows whether c:
• For a further complication, Bob may be uncertain whether Alice is privately informed, what we defined as 'suspected semi-private announcement'. We now again have that: The model resulting from this action is M_4, with as designated state the right one of the two labelled with (2, 1) in Fig. 1. Similarly, we obtain in which case ¬K_a c is validated by the left state labelled with (2, 1) in the figure.
Let the 'name' of suspected semi-private announcements with modality ϕ+_B be ϕ+_B, and analogously for ϕ−_B. Then in accordance with our notational conventions the right (2, 1) is formally state (21, ¬c+_a) in the modal product and the left (2, 1) is formally state (21, ¬c−_a).
|= K_a c because Alice is uncertain between (2, 0), (2, 1) and (2, 2) in that part of the model. Also, to continue our previous example, unlike before we now have that Bob does not know that Alice knows whether c, because Bob is uncertain which of c+_a and c−_a took place. That is:
• If Alice and Bob both did not request a book, then if they both were to request a book, the librarian can carry the requested books: Consider M_1 00. The unique resource satisfying p_a ∗ p_b is (1, 1), (0, 0) • (1, 1) = (1, 1), and indeed M_1 11 |= c. However, Alice does not know this, nor does Bob: because in fact they consider it possible that the librarian is unable to carry the books: This is because Alice and Bob both consider it possible that the other agent already requested at least one book. For example, Alice considers it possible that the actual state is (0, 1), and (0, 1) • (1, 1) = (2, 1), in which case (p_a ∗ p_b) −∗ ¬c is true.
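As an added illustration (not code from the paper), the following Python model checker implements the ∃∃ semantics for ∗ and −∗, refinement-style (covering) announcements with their product update, and re-checks the library formulas discussed above. It assumes the library monoid composes pairs componentwise with each agent's count capped at 2, that c holds exactly when at most two books are requested in total, and that each agent can distinguish states only by its own request count, as the text describes.

```python
from itertools import product

AGENTS = ("a", "b")   # Alice and Bob

def compose(r1, r2):
    """Library monoid (assumed): (i, j) . (i', j') = (i+i', j+j'), undefined if anyone exceeds 2 books."""
    i, j = r1[0] + r2[0], r1[1] + r2[1]
    return (i, j) if i <= 2 and j <= 2 else None

class Model:
    """Epistemic resource model (S, ~, r, V); a state is labelled with the resource it maps to."""
    def __init__(self, states, res, val, sim):
        self.S, self.res, self.val, self.sim = list(states), res, val, sim

    def sat(self, s, f):
        op = f[0]
        if op == "p":
            return s in self.val[f[1]]
        if op == "not":
            return not self.sat(s, f[1])
        if op == "and":
            return self.sat(s, f[1]) and self.sat(s, f[2])
        if op == "K":        # K_a phi: phi holds in every state a cannot distinguish from s
            return all(self.sat(t, f[2]) for t in self.S if (s, t) in self.sim[f[1]])
        if op == "star":     # *_EE: some states t, u with r_s = r_t . r_u, phi at t and psi at u
            return any(compose(self.res[t], self.res[u]) == self.res[s]
                       and self.sat(t, f[1]) and self.sat(u, f[2])
                       for t in self.S for u in self.S)
        if op == "wand":     # -*_EE: every phi-state t composable with s has a psi-state u at r_s . r_t
            for t in self.S:
                ru = compose(self.res[s], self.res[t])
                if ru is not None and self.sat(t, f[1]):
                    if not any(self.res[u] == ru and self.sat(u, f[2]) for u in self.S):
                        return False
            return True
        if op == "box":      # [E_e]phi: if pre(e) holds at s then phi holds at (s, e) in M (x) E
            act, e = f[1], f[2]
            return (not self.sat(s, act.pre[e])) or act.update(self).sat((s, e), f[3])
        raise ValueError(op)

class ActionModel:
    """Action model (E, ~, pre) with trivial postconditions, as for the three announcements."""
    def __init__(self, pre, sim):
        self.pre, self.sim = pre, sim      # event -> precondition, agent -> set of event pairs

    def update(self, m):
        """Product update M (x) E; refuses an action model that is not covering on M."""
        states = [(s, e) for s in m.S for e in self.pre if m.sat(s, self.pre[e])]
        if {s for s, _ in states} != set(m.S):
            raise ValueError("action model is not covering: a state (and its resource) would be lost")
        res = {se: m.res[se[0]] for se in states}          # r_(s,e) = r_s
        val = {p: {se for se in states if se[0] in m.val[p]} for p in m.val}
        sim = {ag: {(x, y) for x in states for y in states
                    if (x[0], y[0]) in m.sim[ag] and (x[1], y[1]) in self.sim[ag]}
               for ag in AGENTS}
        return Model(states, res, val, sim)

def announce(phi, informed):
    """Refinement-style announcement of phi: events '+' (pre phi) and '-' (pre not phi) make it
    covering. Informed agents tell the events apart; the others see them as one action."""
    pre = {"+": phi, "-": ("not", phi)}
    sim = {ag: {("+", "+"), ("-", "-")} if ag in informed else set(product(pre, pre))
           for ag in AGENTS}
    return ActionModel(pre, sim)

def Or(x, y):
    return ("not", ("and", ("not", x), ("not", y)))

def Kw(ag, phi):   # "agent knows whether phi"
    return Or(("K", ag, phi), ("K", ag, ("not", phi)))

def library():
    """M_1: resource (i, j) = Alice requests i books, Bob j; each knows only its own count (assumed)."""
    S = [(i, j) for i in range(3) for j in range(3)]
    val = {"pa": {(1, 0)}, "pb": {(0, 1)}, "c": {s for s in S if s[0] + s[1] <= 2}}
    sim = {"a": {(s, t) for s in S for t in S if s[0] == t[0]},
           "b": {(s, t) for s in S for t in S if s[1] == t[1]}}
    return Model(S, {s: s for s in S}, val, sim)

def library_checks():
    """Re-check the formulas of the library example; every value should come out True."""
    m1 = library()
    c, pa, pb = ("p", "c"), ("p", "pa"), ("p", "pb")
    both = ("star", pa, pb)
    pub, semi = announce(c, AGENTS), announce(c, ("a",))
    m2, m3 = pub.update(m1), semi.update(m1)          # M_2 and M_3 of Fig. 1
    return {
        "11: pa * pb": m1.sat((1, 1), both),
        "11: not K_a (pa * pb)": not m1.sat((1, 1), ("K", "a", both)),
        "11: not Kw_a c": not m1.sat((1, 1), Kw("a", c)),
        "M2 11: Kw_a c and Kw_b c": m2.sat(((1, 1), "+"), ("and", Kw("a", c), Kw("b", c))),
        "M2 21: pb * K_a c": m2.sat(((2, 1), "-"), ("star", pb, ("K", "a", c))),
        "M3 21: not K_b K_a not c": not m3.sat(((2, 1), "-"), ("K", "b", ("K", "a", ("not", c)))),
        "M3 21: K_b Kw_a c": m3.sat(((2, 1), "-"), ("K", "b", Kw("a", c))),
        "00: (pa * pb) -* c": m1.sat((0, 0), ("wand", both, c)),
        "00: not K_a ((pa * pb) -* c)": not m1.sat((0, 0), ("K", "a", ("wand", both, c))),
        "11: [c+]_{ab} Kw_b c": m1.sat((1, 1), ("box", pub, "+", Kw("b", c))),
    }

if __name__ == "__main__":
    for name, ok in library_checks().items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```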

Expressivity revisited
The library example of this section is not so different from the example in the previous section demonstrating that ∗ and −∗ increase the expressivity of the logical language. Like in that example, also here we have few atoms, namely only p_a and p_b representing the request of one book by a respectively b, where all other states can be described by composition of these 'basic' resources; and additionally atom c. A fair question is whether without ∗ and −∗ we can still distinguish all the states of the models involved in the library example. It is easy to see that if we can distinguish all states in the initial model, then also in any of its subsequent updates due to announcements. Like before, we can distinguish all states in the initial model M by a formula in the language of separation logic L∗. In other words, for all states ij in the domain S of M there is a unique formula in L∗ that is only true in ij. This is elementary, as any ij has a (not necessarily unique) decomposition into other resources distinguishing it from all other resources. For example: Unlike before, all states in the initial model M can also be distinguished by a (purely) epistemic formula, that is, in the language L_K (without ∗ and −∗). This is maybe not so evident. Note the (diagonal) mirror symmetry in the formulas below.
Postconditions and factual change The reader may observe that we did not model factual change in our examples, although our logical semantics allow for that, as the action models have postconditions that can change the value of factual propositions. The presence of factual change seems slightly more suitable for different combinations of resource update and information update, wherein the resource functions r can map states to different resources before and after the update (thus reflecting a simultaneous resource update). This is deferred to future research. As a mere example of factual change, and to ponder the consequences this may have, consider a singleton action model with trivial precondition, accessible for all agents, and with postcondition (for the single event e): post(e)(p_a) = p_a ∗ p_a. This has the effect that the denotation of p_a is changed; for example, in the model M_1 above it was (1, 0) but it now becomes (2, 0). In such an updated model, it is now the case that p_a ∗ p_a −∗ ⊥, unlike above, because the truth of p_a ∗ p_a no longer means that Alice wants 1 + 1 = 2 books but that she wants 2 + 2 = 4 books, which, as we know, is definitely not permitted by the librarian: (2, 0) • (2, 0) ↑.

Eliminating Dynamic Modalities
In this section we show that every formula in L∗_{K⊗} is equivalent to a formula in L∗_K, wherein therefore no action model modality occurs. In other words, we reduce any given formula to an equivalent formula without dynamic modalities. From this it follows that the expressivity of the two languages is the same. The usual strategy for such reductions is to show that whenever a dynamic modality x binds a given formula with a main logical connective y, this is equivalent to some formula wherein the main connective is y but where the constituent or constituents bound by y may involve dynamic modality x. If we then also have some basic case where x binds a propositional variable that can be shown to be equivalent to some formula not containing x, we can formally define some recursive rewriting procedure for which we 'merely' have to show termination in the fragment without modalities x. To prove termination one defines a complexity or weight measure on formulas, which allows us to compare a formula with formulas that are not subformulas of it.
A first step towards such a proof for our current logic is to show that whenever an action model modality binds a multiplicative conjunction ∗ or multiplicative implication −∗, this is equivalent to a formula with main connective ∗ or −∗, respectively, and where the action models occur in the constituents of that. This is formalized in the following lemma, wherein we use diamond versions of the modalities to obtain a smoother proof. We recall that ∗ means ∗_∃∃ and that −∗ means −∗_∃∃. By '⋁_f' we mean '⋁_{f∈E}', etc.

Lemma 1 The following schemas are valid in AMSL:
We first show the validity for * . Let M = (S, ∼, r , V ) and s ∈ S be arbitrary.
(⇒) Assume M s | E e (ϕ * ψ). Then M s | pre(e) and (M ⊗ E) (s,e) | ϕ * ψ. Therefore, there are (t, f ), (u, g) ∈ D(M ⊗ E) such that r (s,e) = r (t, f ) • r (u,g) , (u,g) , r (s,e) = r s , r (t, f ) = r t and r (u,g) = r u we obtain that r s = r t • r u . Finally, from and together with the already obtained M s | pre(e) we get the required M s | pre(e) ∧ f ,g ( E f ϕ * E g ψ). ( We follow a fairly similar argument but now in the other direction. From the assumption we obtain that M s | pre(e) and that there are f , g ∈ E such that M s | E f ϕ * E g ψ. Therefore there are t, u ∈ S such that r s = r t • r u , M t | E f ϕ and M u | E g ψ). From that we obtain, as before, that (M ⊗ E) (t, f ) | ϕ and (M ⊗ E) (u,g) we get that (s, e) ∈ D(M ⊗ E) and from that and r s = r t • r u we now obtain r (s,e) = r (t, f ) • r (u,g) . Therefore (M ⊗ E) (s,e) | ϕ * ψ so that with M s | pre(e) we also have M s | E e (ϕ * ψ), as required.
We now show the validity for − * . Again, let M = (S, ∼, r , V ) and s ∈ S be arbitrary.
(⇒) Assume M s | E e (ϕ − * ψ). Then M s | pre(e) as well as (M ⊗ E) (s,e) | ϕ − * ψ. In order to prove the required, let f ∈ E and let t ∈ S be such that r s • r t ↓, and assume that M t | E f ϕ. We now wish to prove that there is a u ∈ S such that r u = r s • r t and M u | g E g ψ, where the latter means that there is a g ∈ E such that M u | E g ψ. We prove this as follows. From We recall that t and f were arbitrary and therefore (t, f ) as well. From (M ⊗ E) (s,e) | ϕ − * ψ and r (s,e) • r (t, f ) ↓ for arbitrary (t, f ) we obtain that there is a (u, g) ∈ D(M ⊗ E) (which implies that M u | pre(g)) such that r (u,g) In order to prove M s | E e (ϕ − * ψ), and given that M s | pre(e), it remains to prove (M ⊗ E) (s,e) | ϕ − * ψ. In order to prove that, let us assume arbitrary (s,e) • r (t, f ) ↓ we obtain that r s • r t ↓ (and that t is also arbitrary). Also, from M ⊗ E) (t, f ) Then, from that, from r s • r t ↓ and from M s | E f ϕ − * g E g ψ it follows that there is u ∈ S such that r u = r s • r t and M u | g E g ψ. Choose such g ∈ E. Then M u | E g ψ, so that (as before) (M ⊗ E) (u,g) | ψ. As we also have r (u,g) = r (s,e) • r (t, f ) , this fulfils our requirement.
Although the lemma is formulated for the diamond version of the modalities, this is (nearly, but not quite) irrelevant. There are equivalent versions using the box version primitive modalities of the logical language. Now to get these box versions we cannot simply use that $\langle E,e\rangle\varphi$ is equivalent to $\neg[E,e]\neg\varphi$, thus getting: There are no axioms in BBI for the interaction between negation and the multiplicative conjunction and implication: $\neg(\varphi * \psi)$ is not equivalent to a formula with main connective $*$, and $\neg(\varphi \mathrel{-*} \psi)$ is not equivalent to a formula with main connective $\mathrel{-*}$. Therefore, it is also unclear how, for example, $[E,e]\neg(\varphi * \psi)$ is equivalent to a formula where $[E,e]$ binds a formula with main connective $*$. And therefore, the iteratively defined reduction cannot proceed.
As pointed action models are deterministic programs, like public announcements, there is however an alternative road leading to our goal. We then use that for any $\langle E,e\rangle$ and $\varphi$, $\langle E,e\rangle\varphi$ is equivalent to $\mathrm{pre}(e) \wedge [E,e]\varphi$, and $[E,e]\varphi$ is equivalent to $\mathrm{pre}(e) \to \langle E,e\rangle\varphi$. Thus we obtain which have the required shape of reduction axioms. As the diamond formulation is more elegant, we stick to that. Later proofs by formula induction require us to show that the right equivalent of the above box version is less complex than the left equivalent, and we will then use the box formulation again.
Proposition 2 (Reduction axioms for action models) The following schemas are valid.
The validities involving $*$ and $\mathrel{-*}$ were shown in Lemma 1. All the remaining are well-known validities of action model logic, see for example. We note that the instantiations of the reductions of $*$ and $\mathrel{-*}$ for public announcement are therefore those already reported in Courtault et al. (2019). They are as follows.
Next, we define the complexity $c : \mathcal{L}^*_{K\otimes} \to \mathbb{N}$ and the translation $t : \mathcal{L}^*_{K\otimes} \to \mathcal{L}^*_K$. These extend the similarly defined $c$ and $t$ in van Ditmarsch et al. (2008, pp. 194–196).
Definition 7 (Translation) The translation $t : \mathcal{L}^*_{K\otimes} \to \mathcal{L}^*_K$ is defined by induction on the structure of formulas.
Definition 8 (Complexity) The complexity measure $c : \mathcal{L}^*_{K\otimes} \to \mathbb{N}$ is defined by induction on the structure of formulas.
It seems appropriate to explain why this seemingly haphazard weight is exactly right, that is, the minimum needed.
• The 2 is needed to show the cases atoms $p$, $I$ and negation. We note that 1 would be insufficient. The minimum weight of an action model is 5, as $|E| \geq 1$ and $\max\{c(\mathrm{pre}(e)), c(\mathrm{post}(e)(p)) \mid e \in E, p \in P\} \geq 1$.
• The $2|E|^2$ is needed to show the case $*$. We note that $2|E|^2 - 1$ would be insufficient: a big disjunction with $|E|$ disjuncts, by notational abbreviation, contributes $2|E|^2 - 1$ to the weight.
• The $\max\{c(\mathrm{pre}(e)), c(\mathrm{post}(e)(p)) \mid e \in E, p \in P\}$ is needed in any case where a precondition or postcondition occurs (all but the case conjunction), as we then need that $c(\mathrm{pre}(e)) < c(E)$, which is guaranteed by $c(\mathrm{pre}(e)) \leq \max\{c(\mathrm{pre}(e)), c(\mathrm{post}(e)(p)) \mid e \in E, p \in P\} < c(E)$; and similarly for $c(\mathrm{post}(e)(p))$. So this is also minimal.
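Read together, the three bullets fix the weight of an action model. The following summary is an editorial reconstruction from those bullets (the displayed clause of Definition 8 is not reproduced on this page), and it agrees with the stated minimum of 5:

$$c(E) = 2 + 2|E|^2 + \max\{c(\mathrm{pre}(e)),\, c(\mathrm{post}(e)(p)) \mid e \in E,\ p \in P\}$$

With $|E| = 1$ and the maximum equal to 1 this gives $c(E) = 2 + 2 + 1 = 5$, and each summand is exactly the amount that the corresponding bullet argues cannot be lowered.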
We are now fully prepared to show the following proposition.
Theorem 5 Every formula in $\mathcal{L}^*_{K\otimes}$ is equivalent to a formula in $\mathcal{L}^*_K$.
Proof Let $\varphi \in \mathcal{L}^*_{K\otimes}$. Consider an innermost dynamic modality in $\varphi$, that is, a formula of shape $[E,e]\psi$ that is a subformula of $\varphi$ and such that $\psi \in \mathcal{L}^*_K$ and also all preconditions and postconditions in $E$ are in $\mathcal{L}^*_K$. Using the reduction axioms we obtain $t([E,e]\psi) \in \mathcal{L}^*_K$. Lemmas 3 and 4 guarantee that the translation is a terminating procedure: either the translation clause uses subformula structure, which is obviously terminating as the number of subformulas is limited (also note that $c(\xi) > c(\eta)$ if some $\eta$ is a strict subformula of some $\xi$), or the translation clause involves an action model modality, in which case we have that $c(\xi) > c(\eta)$ because of Lemma 3. This race to the bottom is bounded by 0.
Repeat the procedure on the formula $\varphi$ wherein subformula $[E,e]\psi$ of $\varphi$ is replaced by $t([E,e]\psi)$. Note that this formula contains one dynamic modality less, and that it is equivalent to $\varphi$. We continue to repeat the procedure for all of the (remaining) finite number of action model modalities originally in $\varphi$.
Let the resulting formula be $\varphi'$. It is clear that $\varphi'$ is equivalent to $\varphi$, and that the construction terminates.
The above proof is a bit sneaky, as the translation is defined outside-in whereas the proof finds the dynamic modalities inside-out. So it is unclear (and even unlikely) that the $\varphi'$ we find is identical to $t(\varphi)$, although it will of course be equivalent to it. We can get away with this, because our result is in semantics and not in proof theory. We are not proving the completeness of a Hilbert-style axiomatization of a logic. In that case we would be obliged to have an outside-in proof, which requires an additional reduction axiom $[E,e][E',e']\varphi \leftrightarrow [(E,e) \bullet (E',e')]\varphi$. That would have been possible but would have resulted in a technically more complex proof. Our inside-out proof assumes 'replacement of equivalents' (from $\varphi \leftrightarrow \psi$, infer $\chi[p/\varphi] \leftrightarrow \chi[p/\psi]$), by all means validity preserving, but required as an additional derivation rule for inside-out proof theoretical arguments.
Despite the main result of Theorem 5 that every formula with action model modalities is equivalent to a formula without action model modalities, in the language of ESL, a puzzling observation remains. A sound and complete tableau system for PASL is a main result of Courtault et al. (2019). It is therefore also sound and complete for its fragment ESL. Does this mean we could contemplate a tableau system for AMSL that is a direct extension of the tableau system for ESL? Not really. Here we recall that the ESL and PASL semantics are with respect to a class of models $X$ where states exactly correspond to resources: the resource function is a bijection. But our reduction of AMSL to ESL is with respect to a class of models $Y$ where the resource function is a surjection. As an $X$ model is also a $Y$ model, it is clear that ESL-valid with respect to $Y$ implies ESL-valid with respect to $X$. But it is unclear to us if ESL-valid with respect to $X$ always implies ESL-valid with respect to $Y$.

Other Semantics for $*$ and $\mathrel{-*}$

So far our results were for $*_{\exists\exists}$ and $\mathrel{-*}_{\exists\exists}$. We recall that for each connective we could choose between no less than four different semantics. In this section we argue that there are sound modelling reasons for the above combination and for (only) one other combination, namely $*_{\forall\forall}$ and $\mathrel{-*}_{\forall\forall}$, but not for any other of the 16 different combinations. We also give a reduction for this $\forall\forall$ version of the multiplicative connectives, merely to demonstrate the complex interactions when quantifying over states as well as resources.

Semantics for $*_{\forall\forall}$ and $\mathrel{-*}_{\forall\forall}$
We first recall the semantics for the $\exists\exists$ version (Definition 5 on page 6), now using the prior semi-formal notation again.
We get the following for the $\forall\forall$ version.
Intuitively the difference between the $\exists\exists$ and the $\forall\forall$ versions is clear. The reductions for $*_{\forall\forall}$ also display the perfect duality with $\mathrel{-*}_{\exists\exists}$ one might expect:

Proposition 6
The following schemas are valid in AMSL:

Proof We first show the validity for $*_{\forall\forall}$. Let $M = (S, \sim, r, V)$ and $s \in S$ be given.
On the assumption that $M_s \models \mathrm{pre}(e)$, it is sufficient to prove: $r_{(u',g')} = r_{(u,g)}$ then $M_{(u',g')} \models \psi$.
Concerning item 1, we recall that for any $t, f, u, g$: $r_{(s,e)} = r_{(t,f)} \bullet r_{(u,g)}$ iff $r_s = r_t \bullet r_u$, where from the right to the left equivalent it is implicit that $(t,f)$ and $(u,g)$ are in the domain of $M \otimes E$ (where we note that it was a given that $(s,e)$ is in that domain). Therefore, 1 is equivalent to: there are $t, u \in S$ such that $r_s = r_t \bullet r_u$ and there are $f, g \in E$ such that $M_t \models \mathrm{pre}(f)$ and $M_u \models \mathrm{pre}(g)$.
As action models are required to be covering (the disjunction of all preconditions of actions in the domain is a validity), there always are such $f$ and $g$. As this part of the requirement is therefore always fulfilled in our semantics, it can be removed from the above formulation, and we have thus shown that item 1 is equivalent to: 1. there are $t, u \in S$ such that $r_s = r_t \bullet r_u$.

Item 2 is equivalent to
and therefore also to (where for convenience we renamed $f$ as $f'$). Similarly to item 2, item 3 can be rephrased as: for all $g \in E$, for all $u' \in S$, if $r_{u'} = r_u$ then $M_{u'} \models [E,g]\varphi$.
Combining the three items again, and moving the quantification over $f \in E$ and over $g \in E$ to the beginning of the statement, we obtain: for all $f, g \in E$: By definition of the semantics of $*_{\forall\forall}$ this is equivalent to, as required to fulfil the proof obligation.
We now show the validity for $\mathrel{-*}_{\forall\forall}$ (wherein we use somewhat more succinct notation on the meta-level). On the assumption of $M_s \models \mathrm{pre}(e)$, this time we have to show that: . By definition, the first is equivalent to: The second is equivalent to: There is $f \in E$ such that:
• $\forall t : r_s \bullet r_t{\downarrow}$ and
• $\forall t :$
and therefore, internalizing $f$ into the antecedent of the second item and replacing $f'$ for $f$, to: Similarly to the proof of the previous validity, the second and third items of these transcriptions are equivalent (on the implicit assumption that $M_t \models \mathrm{pre}(f)$), and concerning the first item we note that where the part $\forall f : M_t \models \mathrm{pre}(f)$ can just as well be an explicit assumption in the second item, so that we can replace the above by $\forall t : r_s \bullet r_t{\downarrow}$ and we again obtain equivalent descriptions, as required to close the proof.

Comparing the ∃∃ Semantics to the ∀∀ Semantics
The remainder of this section compares the modelling advantages of the $\exists\exists$ and $\forall\forall$ versions, illustrated by the library example from Sect. 3.
All versions of the multiplicative connectives $*$ and $\mathrel{-*}$ go beyond the original BI semantics, as they combine aspects of separation of resources with aspects of uncertainty about resources. It seems that the $\exists\exists$ version emphasizes the epistemic aspect of the semantics whereas the $\forall\forall$ version emphasizes the separation aspect of the semantics. For example, consider $*_{\forall\forall}$.
A formula $\varphi *_{\forall\forall} \psi$ is true in a state $s$ mapped to resource $r$ if $r$ can be decomposed into resources $r'$ and $r''$ such that all states mapped to $r'$ satisfy $\varphi$ and all states mapped to $r''$ satisfy $\psi$, disregarding their possibly different epistemic properties. As (really) different states mapped to the same resource typically differ in epistemic properties, the requirements to satisfy $\varphi *_{\forall\forall} \psi$ are stronger than the requirements to satisfy $\varphi *_{\exists\exists} \psi$. Given $s$ and $t$ both mapped to $r$, maybe $s$ satisfies that agent $a$ knows that the resource is $r$, exemplified in $K_a p$ for some $p$ interpreted as $r$, whereas in $t$ the same agent does not know that. In that case, a separation in a given state (world) $u$ such that $K_a p *_{\forall\forall} \psi$ cannot be satisfied, nor $\neg K_a p *_{\forall\forall} \psi$: the left multiplicative conjunct would have to be satisfied in $s$ and in $t$. Whereas neither $K_a p *_{\exists\exists} \psi$ nor $\neg K_a p *_{\exists\exists} \psi$ is problematic. In the first case we choose $s$ and in the second case we choose $t$, and $p$ is true because both map to $r$.
Dually, in order to satisfy some $\varphi *_{\exists\exists} \psi$ we focus on the epistemic differences between states, while satisfying the resource separation requirements. In applications focussing on 'epistemic' safety requirements the $\forall\forall$ version seems more appropriate, whereas 'epistemic' liveness appears to favour the liberty of the $\exists\exists$ version. This is illustrated in the further developed library example below.
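To make the contrast concrete, here is an added example (constructed for this page, not code from the paper): a brute-force checker over a small finite epistemic resource model. The $\exists\exists$ clauses for $*$ and $\mathrel{-*}$ follow the truth conditions used in the proof of Lemma 1 above; the $\forall\forall$ clause for $*$ follows the description just given, together with the requirement from the proof of Proposition 6 that the decomposition is witnessed by states $t, u \in S$. The $\forall\forall$ reading of $\mathrel{-*}$ is not implemented, since its clause is not spelled out on this page. The capacity-bounded vector monoid, the states, the valuation and the relation $\sim_a$ are all assumptions of the example; the constructed states s and t mirror the text, in that both carry the same resource while $a$ knows $p$ in s but not in t.

```python
# Added example (not the paper's code): a brute-force checker for the
# EE and AA readings of * and the EE reading of -* over a small
# epistemic resource model. The model, its capacity-bounded resource
# monoid and the agent relation are all constructed for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Res = Tuple[int, ...]   # a resource is a vector of counts, e.g. (2, 0)
Formula = tuple         # ('atom', p) | ('not', f) | ('and', f, g) | ('K', agent, f)
                        # | ('star', 'EE' | 'AA', f, g) | ('wand', 'EE', f, g)


def compose(r1: Res, r2: Res, cap: Res) -> Optional[Res]:
    """Partial composition r1 • r2: componentwise sum, defined only when no
    component exceeds the capacity bound (an assumption of this example)."""
    total = tuple(a + b for a, b in zip(r1, r2))
    return total if all(x <= c for x, c in zip(total, cap)) else None


@dataclass
class Model:
    states: Set[str]
    res: Dict[str, Res]                    # r : S -> resources
    val: Dict[str, Set[str]]               # atom -> states where it holds
    sim: Dict[str, Set[FrozenSet[str]]]    # agent -> equivalence classes of ~_a
    cap: Res

    def related(self, agent: str, s: str) -> FrozenSet[str]:
        for cls in self.sim.get(agent, set()):
            if s in cls:
                return cls
        return frozenset({s})              # reflexive closure for unlisted states

    def same_resource(self, s: str) -> List[str]:
        return [t for t in self.states if self.res[t] == self.res[s]]


def sat(m: Model, s: str, phi: Formula) -> bool:
    """Truth of phi at state s of m."""
    op = phi[0]
    if op == 'atom':
        return s in m.val.get(phi[1], set())
    if op == 'not':
        return not sat(m, s, phi[1])
    if op == 'and':
        return sat(m, s, phi[1]) and sat(m, s, phi[2])
    if op == 'K':                           # K_a phi: phi holds in every ~_a-related state
        return all(sat(m, t, phi[2]) for t in m.related(phi[1], s))
    if op == 'star':
        mode, a, b = phi[1], phi[2], phi[3]
        for t in m.states:
            for u in m.states:
                if compose(m.res[t], m.res[u], m.cap) != m.res[s]:
                    continue                # need r_s = r_t • r_u
                if mode == 'EE':            # some t satisfies a and some u satisfies b
                    if sat(m, t, a) and sat(m, u, b):
                        return True
                else:                       # 'AA': every state mapped to r_t satisfies a
                    if (all(sat(m, t2, a) for t2 in m.same_resource(t))
                            and all(sat(m, u2, b) for u2 in m.same_resource(u))):
                        return True         # and every state mapped to r_u satisfies b
        return False
    if op == 'wand':                        # EE reading only
        a, b = phi[2], phi[3]
        for t in m.states:
            rst = compose(m.res[s], m.res[t], m.cap)
            if rst is None or not sat(m, t, a):
                continue                    # only t with r_s • r_t defined and t |= a matter
            if not any(m.res[u] == rst and sat(m, u, b) for u in m.states):
                return False                # no u with r_u = r_s • r_t and u |= b
        return True
    raise ValueError(f"unknown connective {op!r}")


# Constructed model: s and t share resource (1,0) but differ epistemically
# (agent a cannot tell t from v, where p fails); v carries (0,1), u carries (1,1).
EXAMPLE = Model(
    states={'s', 't', 'v', 'u'},
    res={'s': (1, 0), 't': (1, 0), 'v': (0, 1), 'u': (1, 1)},
    val={'p': {'s', 't', 'u'}, 'q': {'v', 'u'}},
    sim={'a': {frozenset({'s'}), frozenset({'t', 'v'}), frozenset({'u'})}},
    cap=(1, 1),
)
P, Q = ('atom', 'p'), ('atom', 'q')
KaP = ('K', 'a', P)


def demo() -> Dict[str, bool]:
    """The situation from the text: K_a p *EE q and not K_a p *EE q both hold at u,
    while neither K_a p *AA q nor not K_a p *AA q does, although p *AA q does."""
    return {
        'KaP *EE q at u': sat(EXAMPLE, 'u', ('star', 'EE', KaP, Q)),
        'not KaP *EE q at u': sat(EXAMPLE, 'u', ('star', 'EE', ('not', KaP), Q)),
        'KaP *AA q at u': sat(EXAMPLE, 'u', ('star', 'AA', KaP, Q)),
        'not KaP *AA q at u': sat(EXAMPLE, 'u', ('star', 'AA', ('not', KaP), Q)),
        'p *AA q at u': sat(EXAMPLE, 'u', ('star', 'AA', P, Q)),
        'p -*EE q at v': sat(EXAMPLE, 'v', ('wand', 'EE', P, Q)),
        'p -*EE not q at v': sat(EXAMPLE, 'v', ('wand', 'EE', P, ('not', Q))),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `demo()` results show the point of the paragraph above: at u (resource (1,1) = (1,0) • (0,1)) both $K_a p *_{\exists\exists} q$ and $\neg K_a p *_{\exists\exists} q$ hold, because the existential reading may pick s for the first and t for the second, whereas both $\forall\forall$ variants fail, since s and t share the resource (1,0) but disagree on $K_a p$; the non-epistemic $p *_{\forall\forall} q$ is unaffected.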
For any other of the 16 semantic variations we could not think of obvious modelling advantages. However, there might be certain technical logical advantages, for example if the reductions for the different versions are most elegantly formulated in axioms combining several versions. However, this is not borne out by our experience so far.
For restricted language fragments the difference between the semantic variations vanishes. We make two observations on that count, in the form of propositions without (elementary) proof. As we need to be explicit on the syntax, let for any $\varphi \in \mathcal{L}^*_{K\otimes}$ the formula $\varphi^\exists$ be $\varphi$ wherein all $*$ and $\mathrel{-*}$ are replaced by $*_{\exists\exists}$ and $\mathrel{-*}_{\exists\exists}$, and let $\varphi^\forall$ be $\varphi$ wherein all $*$ and $\mathrel{-*}$ are replaced by $*_{\forall\forall}$ and $\mathrel{-*}_{\forall\forall}$.
The first observation is that for non-epistemic formulas, it does not matter which version we use.
The second observation concerns public announcements. In the semantics of PASL, if we restrict the language to action models that are public announcements, and if we restrict the models to those where the domain of the epistemic resource model corresponds to the domain of the resource monoid, there is no difference between $\exists\exists$ and $\forall\forall$ (or any other version). Let us call an epistemic resource model with a one-one correspondence between states and resources rigid.
Proposition 8 Let $M$ be a rigid epistemic resource model, let state $s$ be in the domain of $M$, and let $\varphi \in \mathcal{L}^*_{K\otimes}$ only contain dynamic modalities for public announcements.
This is because the PASL semantics required a one-one correspondence between states and resources. So if there is one state satisfying a given formula, all states mapped to that resource satisfy that formula, and if all states mapped to a certain resource satisfy a certain formula, there must be at least one, because the carrier set of the resource monoid is the entire domain of the model. As long as this property of 'rigidity' is preserved after update, any $\varphi^\exists$ is equivalent to $\varphi^\forall$.
This does not imply that in AMSL there is no difference between the $\exists\exists$ and $\forall\forall$ semantics for public announcements, not even in the comforting presence of public announcement, because in general its models need not be rigid.
We now continue by demonstrating these issues in the library example. We recall that $M^1_{21} \models \langle \neg c^+_a \rangle (p_a *_{\exists\exists} K_a c)$ as well as $M^1_{21} \models \langle \neg c^+_a \rangle (p_a *_{\exists\exists} \neg K_a c)$, and in both cases we have now made explicit that $*$ means $*_{\exists\exists}$. We further recall that the former is justified by $M^4_{(21, \neg c^+_a)} \models K_a c$ whereas the latter is justified by $M^4_{(21, \neg c^-_a)} \models \neg K_a c$. As a consequence, this plays out differently for $*_{\forall\forall}$. We then have, for example: The truth of that would require both states mapping to $(2,0)$ in $M^4$ to satisfy $K_a c$, or both to satisfy $\neg K_a c$.
For a different example, consider $M^4$ (the model resulting from the suspected semiprivate announcement of $c$) once more. For the convenience of the reader this example is quite dual to the previous one, but formulated in terms of resource update instead of resource separation. We now have:

Conclusion and Further Research
We proposed a dynamic epistemic separation logic with action models, AMSL, containing modalities to reason about knowledge, multiplicative conjunctions and implications as in separation logic, as well as dynamic modalities (parameterized by action models) for uncertainty about knowledge and resources. We have shown that the dynamic modalities can be eliminated from the logical language: every formula containing them is equivalent to a formula not containing them. Our proposal is the expected generalization of public announcement separation logic, PASL (Courtault et al., 2019), that indeed now is a special case in our logic.
In our proposal the separation aspects are completely orthogonal to the dynamic aspects: we only model uncertainty about resources and their composition and update. A very different approach to combining change of knowledge with change of resources is to let the resource update correspond to the information update (the action model execution). In that case, while updating states, we can simultaneously update resources, that is, map the resulting states in the modal product to different resources. We expect to pursue this in subsequent research.
Another perspective consists in designing a tableaux calculus with labels and constraints for AMSL from the semantics, in the spirit of the labelled calculi developed for Modal BI and PASL (Courtault & Galmiche, 2018; Courtault et al., 2019), with a study of its soundness and completeness from a countermodel extraction method. It could also be interesting to define a Hilbert-style axiomatization of BBI and its modal extensions, including AMSL, and to relate them to the existing proof calculi.
Finally, even if BBI has been proved undecidable (Larchey-Wendling & Galmiche, 2010, 2013), a complementary perspective is the study of some sublogics of AMSL that would be expressive enough to model systems, but that would still be decidable.