Simplifying Pointer Kleene Algebra Han-Hing Dang∗, Bernhard Möller Institut für Informatik, Universität Augsburg D-86135 Augsburg, Germany {dang,moeller}@informatik.uni-augsburg.de Abstract Pointer Kleene algebra has proved to be a useful abstraction for reasoning about reach- ability properties and correctly deriving pointer algorithms. Unfortunately it comes with a complex set of operations and defining (in)equations which exacerbates its practicability with automated theorem proving systems but also its use by theory developers. Therefore we provide an easier access to this approach by simpler axioms and laws which also are more amenable to automatic theorem proving systems. 1 Introduction Nowadays many first-order automated theorem proving systems are powerful enough and hence applicable to a large variety of verification tasks. Algebraic approaches especially have already been successfully treated by automatic reasoning in different application ranges [7, 8, 9, 16]. This work concentrates on an algebraic calculus for the derivation of abstract properties of pointer structures, namely pointer Kleene algebra [5]. This approach has proved to be an appropriate abstraction for reasoning about pointer structures and the deduction of various pointer algo- rithms [12, 13, 14]. Moreover the algebra enables by its (in)equation-based axioms the use of automated theorem provers for deriving and proving assertions about pointer structures, e.g., concerning reachability, allocation and destructive updates. When analysing reachability, pro- jections are used to constrain the links of interest. For instance, in a doubly linked list the set of links in forward and backward direction each must be cycle-free, whereas, of course, the overall link set is cyclic. Unfortunately the existing pointer algebra turns out to be difficult to handle and to hinder automation. Therefore we provide a simplified version of pointer Kleene algebra which, additionally, is more suitable for automation. The paper is organised as follows: In Section 2, we define a concrete graph-based model of pointer structures and illustrate the operations of pointer algebra in Section 3. Moreover some basics are given on which these specific operations build. Section 4 then gives more suitable axioms for automated deduction systems which are also easier to understand than the original theory. We conclude with an outlook on further applications of this approach in Section 5. 2 A Matrix Model of Pointer Kleene Algebra We start by giving a concrete model of pointer Kleene algebra that shows how to treat various typical concepts of pointer structures algebraically. This model is based on matrices and rep- resents the graph structure of storage with pointer links between records or objects. In [4] the model is also called a fuzzy model because it builds on some notions from the theory of fuzzy sets. We assume a finite set L of edge labels of a graph with the known operations ∪, ∩. Moreover, let V be a finite set of vertices. Then the carrier set P(L)V ×V of the model consists of matrices ∗ Research was partially sponsored by DFG Project ALGSEP — Algebraic Calculi for Separation Logic 20 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller with vertices in V as indices and subsets of L as entries. An entry A(x, y) = M ⊆ L in a matrix A means that in the represented graph there are |M | edges from vertex x to vertex y, labelled with the elements of M . The complete algebraic structure is (P(L)V ×V , ∪, ; , 0, 1, >) with greatest element > and operators, for arbitrary matrices A, B ∈ P(L)V ×V and x, y ∈ V , (A ∪ B)(x, y) =df A(x, y) ∪ B(x, y) , S (A; B)(x, y) =df z∈V (A(x, z) ∩ B(z, y)) , >(x, y) =df L, 0(x, y) =df ∅,  L if x = y , 1(x, y) =df ∅ otherwise . As an example consider a tree structure with L =df {left, right, val}. Clearly, the labels left and right represent links to the left and right son (if present) of a node in a tree, respectively. The destination of the label val is interpreted as the value of such a node. We will use “label” and “link” as synonyms in the following. Figure 1 depicts a sample matrix and its corresponding labelled directed graph, i.e., a tree with V =df {vi , ci : 1 ≤ i ≤ 3}. v1 v2 v3 c1 c2 c3 v1 ∅ {left} {right} {val} ∅ ∅ v2 ∅ ∅ ∅ ∅ {val} ∅ v3 ∅ ∅ ∅ ∅ ∅ {val} c1 val v1 c1 ∅ ∅ ∅ ∅ ∅ ∅ left right c2 ∅ ∅ ∅ ∅ ∅ ∅ c2 val v2 v3 val c3 c3 ∅ ∅ ∅ ∅ ∅ ∅ Figure 1: Example matrix and the corresponding labelled graph Multiplication with the > matrix turns out to be quite useful for a number of issues. Left- multiplying a matrix A with > produces a matrix where each column contains the union of the labels in the corresponding column of A. Dually, right-multiplying a matrix A with > produces a matrix where each row contains the union of the labels in the corresponding row of A. Finally, multiplying A with > from both sides gives a constant matrix where each entry consists of the union of all labels occurring in A.         L11 ··· L1n L1 · · · Ln L11 ··· L1n M1 ··· M1  .. ..  =  .. ..   .. ..  · > =  .. ..  (1) >· . ··· .   . ··· .   . ··· .   . ··· .  Ln1 · · · Lnn L1 · · · Ln Ln1 · · · Lnn Mn · · · Mn S S where Li = 1≤j≤n Lij and Mj = 1≤i≤n Lij . This entails     L11 ··· L1n M ··· M  .. ..  · > =  .. ..  >· . ··· .   . ··· .  (2) Ln1 ··· Lnn M ··· M S S where M = Lij . Such matrices can be used to represent sets of labels in the model. 1≤j≤n 1≤i≤n 21 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller 3 Basics and the Original Approach Abstracting from the matrix model of pointer Kleene algebra we now define some fundamental notions and explain special operations of the algebra. The basic algebraic structure of pointer Kleene algebra in the sense of [4] is a quantale [1, 15]. This is, first, an idempotent semiring, i.e., a structure (S, +, ·, 0, 1), where + abstracts ∪ and · abstracts ; , and the following is required: • (S, +, 0) forms an idempotent commutative monoid and (S, ·, 1) a monoid. This means, for arbitrary x, y, z ∈ S, x + (y + z) = (x + y) + z , x + y = y + x , x + 0 = 0 , x + x = x , x · (y · z) = (x · y) · z , x·1=x , 1·x=x . • Moreover, · has to distribute over + and 0 has to be a multiplicative annihilator, i.e., for arbitrary x, y, z ∈ S, x · (y + z) = (x · y) + (x · z) , (x + y) · z = (x · z) + (y · z) , x·0=0 , 0·x=0 . The natural order ≤ on an idempotent semiring is defined by x ≤ y ⇔df x + y = y. It is easily verified that the matrix model indeed forms an idempotent semiring in which the natural order coincides with pointwise inclusion of matrices. Second, to form a quantale, (S, ≤) has to be a complete lattice and multiplication · has to distribute over arbitrary joins. By this, + coincides with the binary supremum operator t. The binary infimum operator is denoted by u ; in the model it coincides with the pointwise ∩ of matrices. The greatest element of the quantale is denoted by >. This structure is now enhanced to a Kleene algebra [10] by an iteration operator ∗ , axioma- tised by the following unfold and induction laws: 1 + x · x∗ = x∗ , x · y + z ≤ y ⇒ x∗ · z ≤ y , 1 + x∗ · x = x∗ , y · x + z ≤ y ⇒ z · x∗ ≤ y . Besides this, the algebra considers special subidentities p ≤ 1, called tests. Multiplication by a test therefore means restriction. Tests can also be seen as an algebraic counterpart of predicates and thus have to form a Boolean subalgebra. The defining property is therefore that a test must have a complement relative to 1, i.e., an element ¬p that satisfies p + ¬p = 1 and p · ¬p = 0 = ¬p · p. In the matrix model tests are matrices that have non-empty entries at most on their main diagonal; multiplication of a matrix M with a test p means pointwise intersection of the rows or columns of M with the corresponding diagonal entry in p. 3.1 The Original Theory An essential ingredient of pointer Kleene algebra is an operation that projects all entries of a given matrix to links of a subset L0 ⊆ L. This is modelled by scalars 1 [4], which are tests α, β, . . . that additionally commute with >, i.e., α · > = > · α. Analogously to (1) and (2) these are diagonal matrices which are constant on the main diagonal. We will use the notation L(α) to denote the unique set of labels that a scalar α comes with. By this, a scalar α in the model corresponds to the matrix  L(α) if x = y , α(x, y) = ∅ otherwise . 1 The origin of this term lies in fuzzy relation theory and has similar behaviour as scalars in vector spaces. 22 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller It is immediate from the axioms that 0 and 1 are scalars. Describing projection needs additional concepts. First, for arbitrary element x and scalar α, α\x = x + ¬α · > . (3) In the matrix model this adds the complement of L(α) to every entry in x. More abstractly, the operation is a special instance of the left residual defined by the Galois connection x ≤ y\z ⇔df x · y ≤ z; but this is of no further importance here. The next concepts employed are the completion operator ↑ and its dual ↓ , also known from the algebraic theory of fuzzy sets [18]. For arbitrary x, y ∈ S they are axiomatised as follows. x↑ ≤ y ⇔ x ≤ y ↓ , (x · y ↓ )↑ = x↑ · y ↓ , (4) α is a scalar and α 6= 0 implies α↑ = 1 , (x↓ · y)↑ = x↓ · y ↑ . In the matrix model they can be described for a matrix M as follows   ↑ L if M (x, y) 6= ∅ , ↓ L if M (x, y) = L , M (x, y) = M (x, y) = ∅ otherwise , ∅ otherwise . In both cases each node x is either totally linked or not linked at all with another node y. Such matrices containing only the entries ∅ and L are also called crisp [4]. They behave analogous to Boolean matrices where ∅ plays the role of 0 and L the one of 1. In the abstract algebra crisp elements are characterised by the equation x↑ = x. In particular, M ↑ maps a matrix M to the least crisp matrix containing it, while M ↓ maps M to the greatest crisp matrix it contains. Based on these operations and the particular elements of the algebra, projections Pα ( ) to label sets L(α) represented by a scalar α can be abstractly defined for arbitrary x ∈ S by Pα (x) =df α · (α\x)↓ . (5) In the matrix model, projections w.r.t. scalars α are used to restrict each entry of a matrix exactly to L(α). As an example consider the resulting matrix of the following projection with L(α) = {left, right}     ∅ {right} {left} {val} ∅ ∅ ∅ ∅  ∅ ∅ ∅ {left, right} ) = ∅ ∅ ∅ {left, right}  P{left,right} ( {val} {left, right} . ∅ ∅  ∅ {left, right} ∅ ∅  ∅ {val} ∅ ∅ ∅ ∅ ∅ ∅ To see that this is achieved by Equation (5) consider first the term α\x in the matrix model. This can be rewritten using Equation (3) into the term x + ¬α · >. Hence residuals add to each entry of x all labels not in L(α). The operation ↓ is then used to keep only those entries in α\x that contain the full set of labels L while all other label sets will be mapped to ∅. Finally the multiplication with the scalar α again reduces all remaining L entries to L(α). Finally we turn to the most important operator of pointer Kleene algebra. It calculates all reachable nodes from a given set of nodes. The definition uses domain and codomain operations p and q . They are characterised by the following equations, for arbitrary element x and test p, x ≤ px · x , p(p · x) ≤ p , x ≤ x · xq , (x · p)q ≤ p . We note that a third pair of axioms, the modality laws p(x · y) = p(x · py) and (x · y)q = (xq · y)q , is omitted here, because they are implied by another special property that holds for the matrix 23 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller model and also the algebra of binary relations. For domain, it reads x · > = px · > and is called subordination of domain, since the direction x · > ≤ px · > follows from the above axioms, but the reverse one does not. This is equivalent [4] to px = x · > u 1, which we postulate as an additional axiom. This and the dual one for codomain then entail the above-mentioned modality laws. Both operations are mappings from general elements to tests, i.e., the resulting matrices in the model are diagonal matrices. More concretely, the domain operation extracts for every vertex the set of labels on its outgoing edges while the codomain operator returns the labels on the incoming edges. As a simple example for domain consider p ∅ {right} {left}   {left, right} ∅ ∅   ∅ ∅ {left, right} =  ∅ {left, right} ∅ . {val} {left, right} ∅ ∅ ∅ {left, right, val} In [4] reachability is now defined by a mapping that takes two arguments: One argument represents the set of starting nodes or addresses from which the reachable vertices are computed. The other argument represents the graph structure in which the reachability analysis takes place. Address sets are represented in this approach by crisp tests: an address belongs to the set represented by p iff the corresponding entry in the main diagonal of p is L. Now assume that m represents an address set. Then reach(m, x) is defined using the iteration operator ∗ by ∗ reach(m, x) = (m · (x↑ ) )q . (6) The mapping reach calculates a test representing the set of vertices that are reachable from m using arbitrarily labelled graph links of x. This “forgetting” of the concrete label sets is modelled by completing the graph using the completion operator ↑ . Sample properties one wants to prove about reach are reach(m + n, x) = reach(m, x) + reach(n, x) , reach(reach(m, x), x) = reach(m, x) . To restrict reachability analysis to a subset of labels, projections are combined with reach into the mapping reach(m, Pα (x)) for a scalar α. By this, non-α links are deleted from x. Finally, an important operation in connection with pointer structures is overriding one struc- ture x by another one y, denoted y|x =df y + ¬py · x. Here entries of x for which also y provides a definition are replaced by these and only the part of x not affected by y is preserved. This operator enjoys a rich set of derived algebraic properties. For instance, it is interesting to see in which way an overwriting affect reachability. One sample law for this is py ↑ u reach(m, x) = 0 ⇒ reach(m, y|x) = reach(m, x) , i.e., when the domain of the overriding structure is not reachable from the overridden one it does not affect reachability. 3.2 A Discussion on Automation One sees that it is very onerous to define the domain specific operations of pointer Kleene algebra from the basic operations. For example projections already include special subidentities of the algebra, residuals and completion and its dual, where each operator itself comes with lots of (in)equations defining behaviour. Furthermore by Equation (6) reach also uses crisp subidentities and moreover includes the ↑ , iteration ∗ and the codomain operation. The inclusion of that many axioms often irritates the proof systems and additionally increases the search space. 24 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller A naive encoding of these operations in the first-order automated theorem proving system2 Prover9 [11] already revealed that only a small set of basic properties for projections and reacha- bility calculations could be derived automatically. We used this theorem prover since it performs best for automated reasoning tasks within the presented basic algebraic structures [2]. Moreover, it comes with the useful counterexample search engine Mace4 and outputs semi-readable proofs, which often provide helpful hints. Of course, any other first-order ATP system could also be used with the abstract algebraic approach, e.g., through the TPTP problem library [17]. The resulting ineffective automation could be due to the indirect axiomatisation of ↓ through ↑ by a Galois connection (cf. Definition (4)). In particular, deriving theorems for ↓ will often require to show results for ↑ and vice versa. Furthermore, encoding subtypes as tests and scalars by predicates may be another hindrance to a simple treatment of the axioms by ATP systems. Such an encoding is also inappropriate for ATP systems like Waldmeister [6] which works completely equation-based. Moreover, using the Galois characterisation of residuals instead of the explicit characterisa- tion in Equation (3) seems to additionally exacerbate the proof search. However, including that characterisation does not seem to simplify the proof search significantly. Therefore we also got a similar result with the application of ATP system when reasoning about restricted reachability. Finally the given axiomatisations of the specific operators for this particular domain are also difficult to grasp and handle for theory developers due to their complexity. Therefore, in the next section we provide a simpler approach to pointer Kleene algebra which is easier to understand and more amenable to ATP systems. 4 A Simpler Theory for Pointer Kleene Algebra The preceding section has shown that the original pointer algebra uses quite a number of concepts and ingredients. The present section is intended to show that one can do with a smaller toolbox which also is more amenable to automation. As a first simplification we drop the assumption that address sets need to be interpreted by crisp elements. Plain test elements also suffice to represent source nodes for reach(p, x) since x is by definition already completed. 4.1 Projection We continue with the notion of projecting a graph to a subgraph that is restricted to a set of labels. For this we first want to find representatives for sets of labels in our algebra. It is clear that constant matrices and sets of labels are in one-to-one correspondence. By intersecting a constant matrix with the identity matrix one obtains a test which in the main diagonal contains the represented set M of labels, see (1). Multiplying another matrix A with this test from either side intersects all entries in A with M and hence projects A to the label set M . The considered test can also be got by taking the domain of the resulting matrix. Note that neither scalars nor residuals nor the operator ↓ are involved here. The difference of the just described way to project matrices and projections Pα (x) can be made clear in the example given after Equation (5). By our approach only the {val} entries of the original matrix will be deleted while single {left} and {right} entries remain. It is reasonable also to consider such entries in reachability calculations. 2 We abbreviate the term “automated theorem proving system” to ATP system in the following. 25 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller 4.2 Domain and Codomain As a further simplification, plain test elements can be represented in the algebra by domain or codomain elements. In particular, such elements form Boolean subalgebras, resp. We give their axiomatisation through a(x) and ac(x) which are the complements of the domain and codomain of x, resp. From these domain and codomain can be retrieved as px = a(a(x)) and xq = ac(ac(x)). The axioms read as follows: a(x) · x = 0 , x · ac(x) = 0 , a(a(x)) + a(x) = 1 , ac(ac(x)) + ac(x) = 1 , a(x · y) ≤ a(x · a(a(y))) , ac(x · y) ≤ ac(ac(ac(x)) · y) . The idea with this approach is to avoid explicit subsorting, i.e., introducing the set of tests as a sort of its own, say by using predicates that assert that certain elements are tests, and to characterise the tests implicitly as the images of the antidomain/anticodomain operators. The axioms entail that those images coincide and form a Boolean algebra with + and · as join and meet, resp. The given characterisation seems to be still difficult to handle for ATP systems in that form. Often a lot of standard Boolean algebra properties have to be derived first. Therefore we propose an equivalent but more “efficient” axiomatisation at the end of the next section. 4.3 Completion Next, we turn to the completion operator ↑ which is useful in analysing link-independent reach- ability in graphs. Rather than axiomatising it indirectly through a Galois connection we char- acterise it jointly with its complement ↑ similarly to domain and antidomain in Section 4.2. In particular, we axiomatise x↑ as a left annihilator of x w.r.t. u, paralleling the statement that a(x) is a left annihilator for x w.r.t. composition · . The axioms show some similarity to the domain/antidomain ones, but also substantial dif- ferences on which we will comment below. However, we still have, analogously to px = a(a(x)), that x↑ = (x↑ )↑ ; for better readability we use this as an abbreviation in the axioms: 1↑ ≤ 1 , x↑ u x ≤ 0 , > ≤ 0↑ , x↑ u y ↑ = (x + y)↑ , x↑ + y ↑ = (x↑ u y ↑ )↑ , (x · y ↑ )↑ = x↑ · y ↑ , (x↑ · y)↑ = x↑ · y ↑ . Notice that the inequations can be strengthened to equations. The most striking difference to antidomain are the De-Morgan-like axioms and the axioms concerning multiplication. We cannot use the axiom x · y ↑ ≤ (x · y ↑ )↑ instead because it is not valid in the matrix model. Therefore the De Morgan laws do not follow but rather have to be put as additional axioms. They clearly state that the image of ↑ is closed under u and +. We list a number of useful consequences of the axioms; they are all very quickly shown by Prover9. A sample input file can be found in the appendix. x ≤ x↑ , >↑ = > , 0↑ = 0 , ↑ ↑ ↑ (x ) = x , ↑ > =0, 0↑ = > , (x↑ + y ↑ )↑ = x↑ u y ↑ , (x↑ u y ↑ )↑ = x↑ + y ↑ , (x↑ + y ↑ )↑ = x↑ u y ↑ , (x↑ u y ↑ )↑ = x↑ + y ↑ , x ≤ y ⇒ y ↑ ≤ x↑ , x ≤ y ⇒ x↑ ≤ y ↑ , x↑ = 0 ⇔ x = 0 , x↑ = > ⇔ x = 0 , x↑ = 0 ⇔ x = 0 , ↑ ↑ ↑ (x ) = x , ↑ ↑ ↑ ↑ ↑ (x · y ) = x · y , (x + y)↑ = x↑ + y ↑ . 26 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller In particular, the image of ↑ and hence of ↑ , i.e., the set of crisp elements, forms a Boolean algebra. Moreover, ↑ is a closure operator. By general results therefore ↑ preserves all existing suprema and, in a complete lattice, has an upper adjoint, which of course is ↓ . To axiomatise ↓ we can use the Galois adjunction x↑ ≤ y ⇔ x ≤ y ↓ . This entails standard laws as e.g. (x · y ↓ )↑ = x↑ · y ↓ , (x↓ · y)↑ = x↑ · y ↓ , (x↓ )↑ ≤ x , x ≤ (x↑ )↓ . With the help of ↓ one can show that the image of ↑ is also closed under the iteration ∗ . A last speciality concerns the domain/codomain operation. By the subordination axiom for domain it can be verified that p(x↑ ) = (px)↑ . Altogether we retrieve Ehm’s result that, in a semiring with domain, the image of ↑ , forms again a Kleene algebra with domain. Extending that, our axiomatisation yields that this algebra is even Boolean. Inspired by the above axiomatisation, we now present a new axiomatisation of antidomain and anticodomain that explicitly states De-Morgan-like dualities to facilitate reasoning. a(x) · x = 0 , a(0) = 1 , x · ac(x) = 0 , ac(0) = 1 , a(x) · a(y) = a(x + y) , ac(x) · ac(y) = ac(x + y) , a(x) + a(y) = a(a(a(x)) · a(a(y))) , ac(x) + ac(y) = ac(ac(ac(x)) · ac(ac(y))) , a(x · y) ≤ a(x · a(a(y))) , ac(x · y) ≤ ac(ac(ac(x)) · y) . Using Prover9 we have shown that this axiomatisation is equivalent to the standard axiomati- sation of antidomain/anticodomain. And indeed, the automatic proofs of the Boolean algebra properties of tests as well as of the mentioned properties of reach are much faster with it. 5 Outlook This work provides a more suitable axiomatisation of special operations used in pointer Kleene algebra. These axioms are more applicable for ATP systems since less operations and less subtypes of the algebra has to be considered. Moreover the (in)equations of our approach enables a simpler encoding of the algebra for ATP systems due to explicit subsorting. This will also partially include the usage of ATP systems as Waldmeister for such particular problem domains. It can be seen that the axiomatisations of antidomain (or anticodomain) and anticompletion are very similar. This motivates to further abstract from the concrete involved operations and to define a restriction algebra that replays general derivations. Moreover, this approach will be used to characterise sharing and sharing patterns in pointer structures within an algebraic approach to separation logic [3]. This will include the ability to reason algebraically about reachability in abstractly defined data structures. References [1] J. H. Conway. Regular Algebra and Finite Machines. Chapman & Hall, 1971. [2] H.-H. Dang and P. Höfner. First-order theorem prover evaluation w.r.t. relation- and Kleene algebra. In R. Berghammer, B. Möller, and G. Struth, editors, Relations and Kleene Algebra in Computer Science — PhD Programme at RelMiCS 10/AKA 05, number 2008-04 in Technical Report, pages 48–52. Institut für Informatik, Universität Augsburg, 2008. [3] H.-H. Dang, P. Höfner, and B. Möller. Algebraic separation logic. Journal of Logic and Algebraic Programming, 80(6):221–247, 2011. 27 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller [4] T. Ehm. The Kleene Algebra of Nested Pointer Structures: Theory and Applications. PhD thesis, Fakultät für Angewandte Informatik, Universität Augsburg, 2003. [5] T. Ehm. Pointer Kleene algebra. In R. Berghammer, B. Möller, and G. Struth, editors, RelMiCS, volume 3051 of Lecture Notes in Computer Science, pages 99–111. Springer, 2004. [6] T. Hillenbrand, A. Buch, R. Vogt, and B. Löchner. WALDMEISTER - High-Performance Equational Deduction. Journal of Automated Reasoning, 18:265–270, 1997. [7] P. Höfner and G. Struth. Automated reasoning in Kleene algebra. In F. Pfenning, editor, Automated Deduction — CADE-21, volume 4603 of Lecture Notes in Artificial Intelligence, pages 279–294. Springer, 2007. [8] P. Höfner and G. Struth. On automating the calculus of relations. In A. Armando, P. Baumgartner, and G. Dowek, editors, Automated Reasoning (IJCAR 2008), volume 5159 of Lecture Notes in Computer Science, pages 50–66. Springer, 2008. [9] P. Höfner, G. Struth, and G. Sutcliffe. Automated verification of refinement laws. Annals of Math- ematics and Artificial Intelligence, 55:35–62, February 2009. [10] D. Kozen. A completeness theorem for Kleene algebras and the algebra of regular events. Information and Computation, 110(2):366–390, 1994. [11] W. McCune. Prover9 and Mace4. . (accessed July 26, 2011). [12] B. Möller. Some applications of pointer algebra. In M. Broy, editor, Programming and Mathematical Method, number 88 in NATO ASI Series, Series F: Computer and Systems Sciences, pages 123–155. Springer, 1992. [13] B. Möller. Calculating with pointer structures. In Proceedings of the IFIP TC2/WG 2.1 International Workshop on Algorithmic Languages and Calculi, pages 24–48. Chapman & Hall, 1997. [14] B. Möller. Calculating with acyclic and cyclic lists. Information Sciences, 119(3-4):135–154, 1999. [15] K. I. Rosenthal. Quantales and their Applications, volume 234 of Pitman Research Notes in Mathe- matics Series. Longman Scientific & Technical, 1990. [16] G. Struth. Reasoning automatically about termination and refinement. In S. Ranise, editor, 6th International Workshop on First-Order Theorem Proving, volume Technical Report ULCS-07-018, Department of Computer Science, pages 36–51. University of Liverpool, 2007. [17] G. Sutcliffe. The TPTP Problem Library and Associated Infrastructure: The FOF and CNF Parts, v3.5.0. Journal of Automated Reasoning, 43(4):337–362, 2009. [18] M. Winter. A new algebraic approach to L-fuzzy relations convenient to study crispness. Information Sciences, 139(3-4):233–252, 2001. A Prover9 Encoding of Pointer Kleene Algebra 1 op(450, infix, "+"). % Addition 2 op(440, infix, ";"). % Multiplication 3 op(420, infix, "^"). % Meet 4 op(400, postfix, "*"). % Iteration 5 op(410, prefix, "@"). % Antidomain 6 op(410, prefix, "!"). % Anticodomain 7 op(410, prefix, "?"). % Anticompletion 8 % --- Additive commutative and idempotent monoid 9 x+(y+z) = (x+y)+z. 10 x+y = y+x. 11 x+0 = x. 12 x+x = x. 13 % --- Order 14 x <= y <-> x+y = y. 15 % --- Definition of top 16 x <= T. 28 Simplifying Pointer Kleene Algebra H.-H. Dang, B. Möller 17 % --- Multiplicative monoid 18 x;(y;z) = (x;y);z. 19 1;x = x. 20 x;1 = x. 21 % --- Distributivity laws 22 x;(y+z) = x;y + x;z. 23 (x+y);z = x;z + y;z. 24 % ---Annihilation 25 0;x = 0. 26 x;0 = 0. 27 % --- Definition of meet 28 (x<=y & x<=z) <-> x <= y^z. 29 x^(y+z) = x^y + x^z. 30 % --- Definition of domain 31 @0 = 1. 32 @x;x = 0. 33 @x;@y = @(x+y). 34 @x+@y = @(@@x;@@y). 35 @(x;y) = @(x;@@y). 36 @@x = (x;T) ^ 1. % --- Subordination of domain 37 % --- Definition of anticodomain 38 !0 = 1. 39 x;!x = 0. 40 !x;!y = !(x+y). 41 !x+!y = !(!!x;!!y). 42 !(x;y) = !(!!x;y). 43 !!x = (T;x) ^ 1. % --- Subordination of codomain 44 % --- Definition of completion 45 ??1 = 1. 46 ?0 = T. 47 ?x^x = 0. 48 ?x ^ ?y = ?(x + y). 49 ?x + ?y = ?(??x ^ ??y). 50 ??(x ; ??y) = ??x ; ??y. 51 ??(??x ; y) = ??x ; ??y. 52 % --- Iteration - Unfold laws 53 1 + x ; x* = x*. 54 1 + x* ; x = x*. 55 % --- Iteration - Induction laws 56 x;y + z <= y -> x* ; z <= y. 57 y;x + z <= y -> z ; x* <= y. 58 % --- Reachability 59 reach(x,y) = !!(@@x;(??y)*). 60 % --- Projection 61 P(x,y) = @@((T;x);T);y. 29