A Linear Logic Approach to Consistency Preserving Updates

N. Bidoit, S. Cerrito, Ch. Froidevaux

Abstract

The aim of this paper is to propose linear logic as a proof system allowing one to perform updates of databases containing incomplete information. In our approach, a database is specified by facts, deduction rules (among which default rules) and update constraints. Updates will always preserve consistency, i.e. any update of a "consistent" database will produce a new base which is "consistent". The calculus of the "static semantics" of a database DB corresponds to the construction of a proof in a logical theory Th(DB) associated to the database. Similarly, the calculus of the "update semantics" of a database DB w.r.t. the insertion of a literal L is the construction of a proof in Th(DB).

Key words: Deductive Databases, Incomplete Information, Linear Logic, Updates.

Résumé

This paper proposes linear logic as a proof system allowing one to update databases which contain incomplete information. In our approach, a database is specified by facts, deduction rules (among which "default" rules) and transition constraints. Updates will always preserve consistency, which means that any update of a "consistent" base will produce a new base which is consistent. The calculus of the "static semantics" of a database BD corresponds to the construction of a proof with respect to a logical theory Th(BD) associated to the base. Likewise, the calculus of the "update semantics" of a database BD with respect to the insertion of a literal L is the construction of a proof with respect to Th(BD).

Key words: Deductive Databases, Incomplete Information, Linear Logic, Updates.

N. Bidoit, LIPN, URA 1507 CNRS, Université de Paris-Nord, Villetaneuse, FRANCE F-93430. email: [email protected]. S. Cerrito, Ch. Froidevaux, LRI, URA 410 CNRS, Bât. 490, Université de Paris-Sud, FRANCE F-91405. email: {serena, [email protected]}. Work supported by the French project Inter-PRC, Gestion de l'Incertain et de l'Évolutif dans une Base de Connaissances.


1 Introduction

The concern in this paper is to formalize update under transition constraints in an incomplete information setting. A wide variety of proposals for formalizing database (knowledge base) update semantics exists (e.g. [9] [11] [15] [4] [12] [13]). In this paper we investigate a substantially different proposal exploiting some features of linear logic [7]. Our aim is to provide a mechanism to perform updates such that if we start with a "consistent database" then the result of an update is a new database which is always "consistent". The database is specified by three kinds of information:

- Atomic facts: intuitively, the database stores explicitly two kinds of facts, true ones and false ones. We deal with incomplete information in a very simple and naive way, that is, for an information (proposition) A, if neither A nor the negation of A is stored then A has the status unknown.

- Deduction rules: we deal with two kinds of deduction rules. Intuitively, stating the "strong" deduction rule A ⇒ B means, as usual, that if A is derived then it is mandatory to deduce B. The second kind of deduction rules are default rules A → B, which have the usual meaning, that is, if A is derived then we can derive B unless it contradicts some other derived information.

- Update constraints or rules: the "strong" deduction rules A ⇒ B also play the role of update constraints. The update constraint A ⇒ B aims at having the following effects, depending on the context:
  - if we already know that A holds and we want to insert the negation of B, then A has to be deleted;
  - if we already know that the negation of B holds and we want to insert A, then the negation of B has to be deleted.

Let us stress here that, in our framework, deleting a piece of information A means that A should not hold anymore, but it does not mean that its negation holds. Notice also that updates are driven by giving priority to the newly inserted information.
Deduction rules will be activated to complete the (explicitly stored) information after performing an update operation (controlled by the update constraints). A database DB is specified by a pair <F, G> where the first component F contains the "facts" explicitly stored in DB and the second component G is a directed graph of deduction and update rules. Roughly, the "static" semantics of the database <F, G> is the set of facts derivable from F via the deduction rules in G. The semantics of updating the database <F, G> by inserting the information A is the set of facts derivable from F and A via the deduction rules and the update rules. Updating a database specification <F, G> by inserting A produces a new database specification <F', G> such that the "static" semantics of <F', G> coincides with the semantics of updating <F, G> by the insertion of A.

A Running Example

Below we give an example of a database, its static semantics, and the expected effects of some updates. This provides some motivation for the formal presentation. Notice that the negation of a proposition A will be expressed by the "negative atom" A^neg rather than by the logical negation of A. This technical choice is motivated by the fact that we deal with incomplete information, where A may also have the status "unknown".

Let us consider the following graph G, made of the three arcs L → B, L ⇒ A and C → L^neg. Assume that L and C are the facts in F of our database DB1 = <F, G>. From DB1 we can deduce that A and B are true, by following the arcs whose sources are the literals of F. The arc C → L^neg raises no problem, since it is a default rule: given C, this arc allows us to deduce that L is false only if this does not contradict previously derived knowledge. In this case, a contradiction arises with L, which belongs to F, our starting set of facts. The static semantics of our database DB1 says that L, A, B, C are true (and nothing else is known).

Now let us update DB1 by inserting the negation of B (i.e. B^neg). This will not force us to give up L, since the arc L → B is a default. The semantics of updating DB1 by inserting B^neg will state that L, A, C and B^neg are true (nothing else is known). The new base (specification) resulting from the insertion of B^neg in DB1 is DB2 = <F2, G> where F2 = {L, C, B^neg}. The static semantics of DB2 coincides with the semantics of updating the database DB1 by inserting B^neg.

On the other hand, if we want to update DB1 by inserting A^neg, this will force us to give up L, since L ⇒ A is an update arc. The semantics of updating DB1 by inserting A^neg will state that C, A^neg are true. Moreover, since L has disappeared, we have lost B and we can now safely deduce L^neg from C, by using the corresponding default arc. The new base (specification) resulting from the insertion of A^neg in DB1 is DB2' = <F2', G> where F2' = {A^neg, C}.

The contribution of the paper is the following:

- the database (specification) resulting from an update is defined syntactically using (a portion of) the graph G and the inserted literal;
- the static semantics and the update semantics are both defined through deduction in a linear logic theory;
- the static semantics of the updated database specification coincides (modulo a minimal change property) with the update semantics of the database (i.e. the diagram below commutes).

Figure 1:

    Old Base  --(insertion of A)-->  New Base
        \                                |
         \  (update semantics)           |  (static semantics)
          \                              v
           ----------------->  Static semantics of New Base

(The horizontal arrow means that the (specification of the) new base may be syntactically defined from the (specification of) the old one. The vertical arrow means that a static semantics for the new base does always exist. The oblique arrow means that the static semantics of the new base may be recovered by computing the update semantics of the old base w.r.t. the insertion of A.)

Linear logic, introduced by Girard in [7], can be seen as a logic allowing one to express the notion of bounded resource (see also [8] and [14]). Formally speaking, the main difference between the notion of linear proof and the notion of classical proof is the absence of contraction and weakening as structural rules in the associated sequent calculus. The elimination of these two structural rules allows one to formulate a logical calculus which takes into account the exact number of uses of hypotheses in proofs. Indeed, the validity of the following instance of the (left) contraction rule

$$\frac{A, A \vdash B}{A \vdash B}\ (\text{l-contraction})$$

can be justified as follows: if we can get B by using the hypothesis A twice, then we can also get B by using just one occurrence of A, which we can freely duplicate. On the other hand, the

validity of the following instance of (left) weakening

$$\frac{\Gamma \vdash B}{\Gamma, A \vdash B}\ (\text{l-weakening})$$

is implicitly based on the possibility of ignoring useless hypotheses: if we can get B by using a multiset of hypotheses Γ, then we can also get B from Γ and A, because we can always "ignore" the useless A. As a consequence, a linear deduction of a formula B from a multiset of formulae {A1, ..., An} may be seen as a process which consumes the resources A1, ..., An to get B; once the process is over, A1, ..., An are "burnt out" and they are no longer available to be used in another deduction. What we exploit here is the ability of linear logic to properly express the replacement of (an occurrence of) a formula A by another formula B via a deduction. This allows us to logically define update operations, which replace a given bulk of pieces of information by new ones. In particular, there is a linear formula, namely !(A ⊸ 1), able to express an instruction of erasing A (see Section 7).

A final remark: a fact will be, as usual, an expression of the form R(t1, ..., tn) where R is a predicate of arity n and, for 1 ≤ i ≤ n, ti is either a variable or a constant. However, we make the simplifying hypothesis that what we actually manipulate is the (finite) closed instantiation of the DB (this approach is quite standard). Hence, for clarity of exposition, we will use a propositional language.

The outline of the paper is the following. In Section 2 we provide some preliminary definitions. In Section 3 we properly define the notion of database. In Section 4 we define a formal system containing rewrite rules which allows us to syntactically manipulate databases; we note U-G the system associated to the graph G of a DB = <F, G>. In Section 5 we formally define the notions of static and update semantics of databases. In Section 6 we show how U-G can be used to compute static and update semantics and to define updated databases so as to preserve consistency. Section 7 shows that deductions in U-G can actually be seen as formal deductions in a logical theory whose internal logic is linear logic. We conclude by discussing several aspects of our approach, indicating some perspectives of future work and comparing our proposal to some related works. This paper is the full version of [1].

2 Preliminary Definitions

In the following, 𝓛 is a set of propositional variables p, q, r, .... Access literals (formally defined below) constitute the vertices of the graph G of rules. Intuitively, they represent "potential facts". A potential fact A is actually asserted when the vertex A is "passed through" in a graph traversal (so that the successors of A are reached). For instance, if G contains the arc A ⇒ B and A is passed through to reach B, then the fact A is asserted while B is not yet asserted (it remains a potential fact).

Definition 1 An access positive (resp. negative) literal over 𝓛 is an element of 𝓛 (resp. an expression of the form p^neg, where p is an element of 𝓛).

Updates of a database DB will be performed via insertion or deletion of literals. In order to be able to express these operations in the syntax, we also introduce a second type of literals, called the update literals.

Definition 2 An insertion (resp. deletion) literal over 𝓛 is an expression of the form L^INS (resp. L^DEL) where L is an access literal. An update literal over 𝓛 is either an insertion literal or a deletion literal.

The difference between the insertion of a negative literal p^neg, expressed by (p^neg)^INS, and the deletion of p, expressed by p^DEL, should be stressed. The component F of a database will contain three kinds of information. Given p ∈ 𝓛, if p ∈ F, then p is true; if p^neg ∈ F, then p is false (its negation is true); if neither p nor p^neg are in F then p is unknown (at least according to the knowledge provided by F alone). Given this "three-valued" approach, the expression (p^neg)^INS corresponds to inserting the information that p is false, while p^DEL just indicates that we no longer know that p is true. In order to define the static and update semantics of a DB we will need a third type of atoms: the so-called signed atoms. These atoms will also be used in order to compute semantics.

Definition 3 Let p be an element of 𝓛 and let L be an access literal over 𝓛. A signed positive (resp. negative) literal over 𝓛 is an expression of the form p^+ (resp. p^-). A signed erasing literal over 𝓛 is an expression of the form L^⊖.

Definition 4 An interpretation I for 𝓛 is a set of signed positive and negative literals over 𝓛 such that if the signed positive literal p^+ is in I, then p^- is not in I.

Intuitively speaking, an interpretation I for 𝓛 indicates which elements of 𝓛 are true and which elements are false (some elements may be unknown). Hence if p ∈ 𝓛 and p^+ ∈ I, p is true according to I, while if p^- ∈ I, then p is false. The analogy with the standard notion of partial interpretation is straightforward. Erasing literals L^⊖ do not appear in any interpretation I, but they will play a technical role in the computation of those interpretations M which constitute the intended models of a given DB.

3 Databases

As we already mentioned, the deduction and update rules of a DB are represented via a graph G whose vertices are the access literals and whose arcs are default rules and update rules.

Definition 5 A rule-graph over 𝓛 is a directed graph <V, U, D> such that:
1) The set of vertices V is the set of the access literals over 𝓛.
2) U is a binary relation on V; we use the notation L ⇒ L' to indicate an arc of type U from L to L'; L is said to be the source of the arc and L' the target.
3) D is a binary relation on V; we use the notation L → L' to indicate an arc of type D from L to L'. Once again, L is said to be the source of the arc and L' the target.
4) If L and L' are two distinct vertices of V, then if L ⇒ L' ∈ U, L → L' is not allowed in D, and vice versa.
5) No vertex is the target of an arc of type D and the source of an arc of type U.

(At the end of the paper we discuss the restrictions put on the graph.) We recall that our aim is to provide a mechanism to perform updates such that if we start with a "consistent DB" then the result of the update is a new DB which is always consistent. In order to do this, we will consider only DBs where the associated graph is safe.

Definition 6 Let G = <V, U, D> be a rule-graph. Let G' be the non-directed graph <V, A>, where A is the binary relation on V defined by: A = {{L, L'} | U(L, L') or U(L', L) or D(L, L') or D(L', L)}. The rule-graph G is said to be safe if there are no vertices of the form p, p^neg connected by a path in G'.


Example 1

The simple rule-graph q^neg ⇐ p ⇒ q (i.e. the two U-arcs p ⇒ q and p ⇒ q^neg) is not safe. Intuitively, if p is inserted then q has to be taken as both true and false.

Definition 7 A database (over 𝓛) is a pair <F, G> where F is a set of access literals and G is a safe rule-graph.

4 A Formal System to Reason about Updates

In this section we define a system of rewrite rules, System U, which allows us to compute the static semantics and the update semantics of databases in a unique framework. In what follows, we will make the simplifying hypothesis that the rule-graph G of the DB is safe and acyclic. The cyclic case is under study.

Definition 8 The formulae of U (over 𝓛) are all the literals over 𝓛 and all the expressions ERASE(L) where L is an access literal over 𝓛. An expression ERASE(L) is also called an erase instruction. The general form of a rewrite rule is E1, ..., En ⊢ E'1, ..., E'm, {E1, ..., En} and {E'1, ..., E'm} being two multisets of expressions of U. The intended reading is: the first multiset of expressions may be replaced by the second one.

Let L be a literal over 𝓛 and p be an element of 𝓛; to simplify the notation, we will often use the abbreviations L̄ and Not(L) defined below:

    L       | L̄    | Not(L)
    --------|------|-------
    p       | p^+  | p^neg
    p^neg   | p^-  | p
    p^+     |      | p^-
    p^-     |      | p^+

Definition 9 Let G = <V, U, D> be a rule-graph. The binary relation SUCC over V is defined by: SUCC = {<L, L'> | <L, L'> ∈ U}. The binary relation succ over V is defined by: succ = {<L, L'> | <L, L'> ∈ D}. The binary relation allsuc over V is the union of succ and SUCC. For each relation R defined above, R* is the reflexive and transitive closure of R.

4.1 U-rules Associated to the Rule-Graph

Let DB = <F, G> be a database. The rewrite rules given below formalize the intuitive reading of U-arcs and D-arcs already introduced. All the rules hold for any vertex L of G; their use will be illustrated by several examples in the next section.

4.1.1 Access Rules

Let {L1, ..., Ln} be the set of elements of V such that <L, Li> ∈ allsuc and let {S1, ..., Sm} be the subset of those elements such that <L, Si> ∈ SUCC.

We have the rule L ⊢ L̄, L1, ..., Ln, (Not(S1))^⊖, ..., (Not(Sm))^⊖ if Not(L) is not the target of any D-arc, and the rule L ⊢ L̄, L1, ..., Ln, (Not(S1))^⊖, ..., (Not(Sm))^⊖, ERASE(Not(L)) otherwise. Thus, once we pass through the vertex L, we can "state that L is true" (i.e. produce L̄) and reach the targets of the arcs issued from L. If <L, Si> is a U-arc, we will be forced to erase Not(Si) whenever we encounter it (the presence of (Not(Si))^⊖ will be declared incompatible with the signed literal L̄ for L = Not(Si): see later on the definition of consistent signed multiset). Since L is declared "true" it will be possible to erase its opposite (via ERASE(Not(L))) whenever it is produced by a D-arc (a default rule).

4.1.2 Insertion Rules

Let {S1, ..., Sm} be the set of elements of V such that <L, Si> ∈ SUCC. We have the rule L^INS ⊢ L, S1^INS, ..., Sm^INS, (Not(L))^DEL.

Insertion of L causes the access to the vertex L and propagates forwards. One should notice that insertion of L is propagated to all the literals which are targets of U-arcs whose source is L, but not to those which are targets of D-arcs. Insertion of L also gives the ability to delete the opposite literal Not(L) (for consistency preservation); the following rules handle deletions.

4.1.3 Deletion Rules

Let {L1, ..., Ln} be the set of elements of V such that <Li, L> ∈ SUCC. We have the rule: L^DEL ⊢ ERASE(L), L^⊖, L1^DEL, ..., Ln^DEL. The idea is that the presence of L^DEL makes it possible to delete L via the operation ERASE(L) and actually forces such a deletion whenever the literal L is actually met (since L^⊖ will be declared incompatible with the signed literal L̄). Moreover, deletion propagates backwards along U-arcs.

4.2 U-rules Independent of the Rule-Graph

While the previous rewrite rules depend on the structure of the rule-graph G, the following rules are independent of G.

4.2.1 Erase Rules

We have the rule: L, ERASE(L) ⊢ ERASE(L). This rule allows one to erase an occurrence of a literal L in a multiset of expressions, while keeping the erase instruction for possible future use.

4.2.2 Dispose Rules

We have the rule : ERASE (L) ` ;. Whenever an erase instruction is no longer useful, it will be possible to get rid of it via a dispose rule.

5 Computing in U

We can now define how to compute the semantics of databases and updates.

Definition 10 Let G be a rule-graph and let Γ, Δ be two multisets of expressions over 𝓛. A U-G deduction of Δ from Γ is a finite sequence of multisets of expressions M1, ..., Mn such that:
- M1 = Γ and Mn = Δ;
- for 1 ≤ i ≤ n−1, M_{i+1} is obtained from M_i by rewriting a (multi)subset S1 of M_i by a multiset S2 of expressions such that S1 ⊢ S2 is any U-rewrite rule.

Definition 11
- The literals L, L' over 𝓛 are said to be incompatible if either L' = Not(L), or else L is a signed erasing literal A^⊖ and L' = Ā. Otherwise, they are said to be compatible.
- A consistent signed multiset over 𝓛 is a multiset of signed literals over 𝓛 such that its elements are pairwise compatible.


Below we formally de ne the notions of static semantics and update semantics of databases. We have already said that the static semantics of an updated database will coincide with the update semantics of the old base. However, this statement is only half correct : as we will see, when several update semantics are available, it is not the case that all of them correspond to the static semantics of the new database resulting from the update; only some of these update semantics, enjoying a certain \minimality" property will do so.

5.1 Static semantics

Definition 12 An interpretation M for 𝓛 is a static model of a database <F, G> if:
1) there exists a consistent signed multiset M̂ such that there is a U-G deduction of M̂ from F ∪ F*, where F* = {(Not(L))^⊖ | L ∈ F};
2) M is obtained from M̂ by removing all signed erasing literals L^⊖.

Observe that our definition of the "semantics" of a DB via a "proof-theoretical approach" is quite analogous to what is done in the context of logic programming. The "minimal Herbrand model" of a set of Horn clauses P is usually taken to be the canonical model of the corresponding program P. Now, such a "model" may as well be characterized as the set of atoms which can be derived (via classical logic) from P. Notice also that to "compute" a static model the only relevant rewrite rules associated to the graph G are the access rules. The role of F* will be illustrated by Example 4 (see later on).

Example 2 (running example revisited)

Let us consider again the rule-graph of our running example (Section 1). The access rewrite rules associated to G are:

1) L ⊢ L^+, A, B, (A^neg)^⊖, ERASE(L^neg)
2) C ⊢ C^+, L^neg
3) A ⊢ A^+
4) B ⊢ B^+
5) A^neg ⊢ A^-
6) B^neg ⊢ B^-, ERASE(B)
7) C^neg ⊢ C^-
8) L^neg ⊢ L^-

Let F = {L, C} and F* = {(L^neg)^⊖, (C^neg)^⊖}. The only static model M of the database <F, G> is {L^+, A^+, B^+, C^+}. This model is obtained by eliminating the erasing literals from the multiset M̂ = {L^+, A^+, B^+, (A^neg)^⊖, C^+, (L^neg)^⊖, (C^neg)^⊖}, conclusion of the following deduction:

    Sequence of multisets                                                        | Justification
    -----------------------------------------------------------------------------|------------------
    L, C, (L^neg)^⊖, (C^neg)^⊖                                                   | F ∪ F*
    L^+, A, B, (A^neg)^⊖, ERASE(L^neg), C, (L^neg)^⊖, (C^neg)^⊖                  | by rule 1
    L^+, A^+, B, (A^neg)^⊖, ERASE(L^neg), C, (L^neg)^⊖, (C^neg)^⊖                | by rule 3
    L^+, A^+, B, (A^neg)^⊖, ERASE(L^neg), C^+, L^neg, (L^neg)^⊖, (C^neg)^⊖       | by rule 2
    L^+, A^+, B^+, (A^neg)^⊖, ERASE(L^neg), C^+, L^neg, (L^neg)^⊖, (C^neg)^⊖     | by rule 4
    L^+, A^+, B^+, (A^neg)^⊖, ERASE(L^neg), C^+, (L^neg)^⊖, (C^neg)^⊖            | L^neg erased
    L^+, A^+, B^+, (A^neg)^⊖, C^+, (L^neg)^⊖, (C^neg)^⊖                          | by a dispose rule

Notice that other deductions from F ∪ F* are possible, but the only derivable consistent signed multiset is {L^+, A^+, B^+, (A^neg)^⊖, C^+, (L^neg)^⊖, (C^neg)^⊖}.


Example 3

Let G be: A → B, C → B^neg. Now let F = {A, C} (hence F* = {(A^neg)^⊖, (C^neg)^⊖}). The base <F, G> has two static models: M1 = {A^+, B^+, C^+} and M2 = {A^+, B^-, C^+}, because two deductions are possible. In the first deduction, the literal B^neg is erased, since the access rule rewriting B as B^+ and ERASE(B^neg) is used. In the second deduction, B is erased, since the access rule allowing one to get both B^- and ERASE(B) from B^neg is used. The analogy with the extensions of the default theory $\left(\left\{\frac{A : B}{B},\ \frac{C : B^{neg}}{B^{neg}}\right\},\ \{A, C\}\right)$ is obvious.

Example 4

Let us consider again the graph of the previous example, but let us take F to be {A, B^neg}. Intuitively, we do want M1 = {A^+, B^-} as a semantics, but we do not want M2 = {A^+, B^+}, since this contradicts the explicit information B^neg provided by F. However, M2 would be computable from F alone, since the access rule for B, producing B^+ and ERASE(B^neg), can be used, even if F explicitly stated that the negation of B is true. This is why we introduce F* = {(Not(L))^⊖ | L ∈ F} to compute the static semantics of a DB = <F, G>: its role is to "protect" the elements L of F, by introducing a (Not(L))^⊖ which is incompatible with the signed literal of Not(L). Indeed, if we start from F ∪ F* for our example, the access rule for B^neg is the only applicable one and the only possible semantics for the given example will be M1.

De nition 13 A database DB is said consistent if it has at least one static model.

5.2 Update semantics

Definition 14 Let L^INS be an insertion literal over 𝓛. An interpretation M for 𝓛 is an update model of <F, G> with respect to the insertion of L if:
1) there exists a consistent signed multiset M̂ such that there is a U-G deduction of M̂ from F ∪ {L^INS};
2) M is obtained from M̂ by removing all signed erasing literals A^⊖.

5.2.1 Example 5 : running example continued

Let us consider again the database DB1 of our running example. We recall that F = {L, C} and that the only static semantics of DB1 is {L^+, A^+, B^+, C^+}. The update semantics of DB1 w.r.t. the insertion of B^neg is {L^+, A^+, C^+, B^-}, while the update semantics of DB1 w.r.t. the insertion of A^neg is {C^+, L^-, A^-}.

6 Databases Constructed by Updates

Definition 15 Let G = <V, U, D> be a rule-graph over 𝓛 and let A be an element of V.
CONS(A) = {B | B ∈ V and <A, B> ∈ SUCC*}
ANC(A) = {B | B ∈ V and <B, A> ∈ SUCC*}

The next definition allows us to syntactically define the new database resulting from an insertion by considering just the inserted literal L and a part of the graph G which depends on L. Intuitively, the set Reject(G, L^INS) represents the facts which the insertion of L forces to delete.

Definition 16 Let DB = <F, G> be a database and let L^INS be an insertion literal.
- Reject(G, L^INS) = {A | A ∈ V and ∃B [B ∈ CONS(L) ∧ A ∈ ANC(Not(B))]}
- The result of updating DB by inserting L is the database DB' = <Res(F, G, L^INS), G>, where Res(F, G, L^INS) = {L} ∪ (F − Reject(G, L^INS)).

Below, we introduce a notion of "minimality" for update models. Its intuitive role will be illustrated by a forthcoming example.

Definition 17 Let DB = <F, G> be a database over 𝓛, and let L^INS be an insertion literal over 𝓛. Let S be the set of the update models of DB w.r.t. the insertion of L. Let F̄ = {Ā | A ∈ F}.
- The binary relation ≤_F over S is defined by: M ≤_F N iff (N ∩ F̄) ⊆ (M ∩ F̄).
- An element M of S is said to satisfy the minimal change property w.r.t. F if it is minimal w.r.t. the order ≤_F over S.

Example 6

Let us consider a database DB1 where the rule-graph G is the one of Example 3, but the language 𝓛 also contains D; let F be {A, B^neg}. Suppose that we want to insert D. DB1 will have two update semantics w.r.t. this insertion, i.e. M1 = {D^+, A^+, B^-} and M2 = {D^+, A^+, B^+}. M1 is strictly smaller than M2 w.r.t. the order ≤_F; thus the minimal update model of DB1 w.r.t. the insertion of D is M1. Observe that the new base resulting from the update is DB2 = <{A, B^neg, D}, G> and that the only static model of DB2 is M1. In this example, only the minimal update model of DB1 coincides with the static semantics of the updated base. This phenomenon is a general one, as stated by the next theorem. The idea is that the "good" update models are those preserving as much as possible the "old facts" in F.
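As an added illustration (not the authors' code), the Python below implements the rewrite system U of Section 4 by exhaustive rewriting over multisets, together with the static and update semantics of Definitions 12 and 14, Res of Definition 16 and the minimal change property of Definition 17; it reproduces the running example (Examples 2 and 5) and Examples 3, 4 and 6 above. The encoding of expressions as tagged pairs and all function names are choices made for this example, and the rule-graph is assumed safe and acyclic, as in the text.

```python
from collections import Counter
from itertools import combinations

# Expressions of U are encoded here as tagged pairs (kind, access literal); access
# literals are strings such as "A" or "A^neg".  Kinds: ACC = access literal L,
# INS = L^INS, DEL = L^DEL, ERASE = ERASE(L), SGN = the signed literal L-bar
# (rendered A+ for A and A- for A^neg), ERA = the signed erasing literal L^⊖.

def Not(L):
    return L[:-4] if L.endswith("^neg") else L + "^neg"

def bar(L):                         # render the signed literal L-bar of an access literal
    return L[:-4] + "-" if L.endswith("^neg") else L + "+"

class RuleGraph:
    def __init__(self, U, D):       # U: update arcs L => L', D: default arcs L -> L'
        self.U, self.D = set(U), set(D)
    def SUCC(self, L): return sorted(t for s, t in self.U if s == L)
    def succ(self, L): return sorted(t for s, t in self.D if s == L)
    def PRED(self, L): return sorted(s for s, t in self.U if t == L)
    def d_target(self, L): return any(t == L for _, t in self.D)

    def rhs(self, expr):
        """Right-hand side of the one-premise U-rule whose left-hand side is expr."""
        kind, L = expr
        if kind == "ACC":           # access rule (4.1.1)
            out = [("SGN", L)] + [("ACC", t) for t in self.SUCC(L) + self.succ(L)]
            out += [("ERA", Not(t)) for t in self.SUCC(L)]
            if self.d_target(Not(L)):
                out.append(("ERASE", Not(L)))
            return out
        if kind == "INS":           # insertion rule (4.1.2): propagates forward along U-arcs
            return [("ACC", L)] + [("INS", t) for t in self.SUCC(L)] + [("DEL", Not(L))]
        if kind == "DEL":           # deletion rule (4.1.3): propagates backward along U-arcs
            return [("ERASE", L), ("ERA", L)] + [("DEL", s) for s in self.PRED(L)]
        if kind == "ERASE":         # dispose rule (4.2.2)
            return []
        return None                 # signed literals are never rewritten

def successors(G, state):
    """Every multiset obtainable from the multiset `state` by one rewrite step."""
    for expr in set(state):
        out = G.rhs(expr)
        if out is not None:
            nxt = state.copy(); nxt[expr] -= 1; nxt.update(out)
            yield +nxt
        if expr[0] == "ACC" and state[("ERASE", expr[1])] > 0:   # erase rule (4.2.1)
            nxt = state.copy(); nxt[expr] -= 1
            yield +nxt

def compatible(e1, e2):             # Definition 11
    (k1, a), (k2, b) = e1, e2
    if k1 == k2 == "SGN": return a != Not(b)      # L-bar clashes with Not(L)-bar
    if {k1, k2} == {"SGN", "ERA"}: return a != b  # L^⊖ clashes with L-bar
    return True

def consistent_signed(state):
    return all(k in ("SGN", "ERA") for k, _ in state) and \
        all(compatible(x, y) for x, y in combinations(list(state.elements()), 2))

def models(G, start):
    """Interpretations read off every consistent signed multiset deducible from `start`."""
    seen, found, todo = set(), set(), [Counter(start)]
    while todo:                     # exhaustive search; finite because G is acyclic
        st = todo.pop()
        key = frozenset(st.items())
        if key in seen: continue
        seen.add(key)
        if consistent_signed(st):   # drop the erasing literals, keep the signed ones
            found.add(frozenset(bar(L) for k, L in st if k == "SGN"))
        todo.extend(successors(G, st))
    return found

def static_models(G, F):            # Definition 12: deduce from F ∪ F*
    return models(G, [("ACC", L) for L in F] + [("ERA", Not(L)) for L in F])

def update_models(G, F, L):         # Definition 14: deduce from F ∪ {L^INS}
    return models(G, [("ACC", x) for x in F] + [("INS", L)])

def minimal_update_models(G, F, L): # Definition 17: keep as many old facts of F as possible
    S, Fbar = update_models(G, F, L), {bar(A) for A in F}
    return {M for M in S if not any((N & Fbar) > (M & Fbar) for N in S)}

def closure(G, L, forward=True):    # CONS(L) (forward) / ANC(L) (backward), Definition 15
    seen, todo = set(), [L]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo += G.SUCC(x) if forward else G.PRED(x)
    return seen

def res(G, F, L):                   # Definition 16: facts of the database produced by inserting L
    reject = {A for B in closure(G, L) for A in closure(G, Not(B), forward=False)}
    return {L} | (set(F) - reject)
```

With the running example, `RuleGraph(U=[("L", "A")], D=[("L", "B"), ("C", "L^neg")])`, `static_models` returns only {L+, A+, B+, C+}, `update_models` for the insertion of A^neg returns only {C+, L-, A-}, and `static_models` of `res(...)` for that insertion returns the same interpretation, as Theorem 1 predicts.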

Theorem 1 Let L1, ..., Lk be a sequence of insertion literals. Let <F0, G>, <F1, G>, ..., <Fk, G> be a sequence of databases such that G is safe and acyclic, F0 = ∅ and, for all i ≥ 0, F_{i+1} = Res(F_i, G, L_{i+1}). The following properties hold:
- for all i ≥ 0, <F_i, G> has at least one update model with respect to the insertion of L_{i+1};
- for all i ≥ 0, <F_{i+1}, G> is consistent; the static models of <F_{i+1}, G> are exactly the update models of <F_i, G> with respect to the insertion of L_{i+1} satisfying the minimal change property w.r.t. F_i.

In order to prove this theorem, we need some preliminary definitions and lemmas. The proofs of the lemmas can be found in the Appendix.

Definition 18 Let G be a rule-graph and D = <M1, ..., Mn> be a U-G deduction.
1. An inference step M_i, M_{i+1} of D is called an access step if the rewrite rule L ⊢ Γ used is an access rule; it is called an erase step if the inference rule used is an erase rule.
2. Any occurrence of an access literal A produced via an insertion rule is said to be a strong occurrence of A in D; any access step rewriting such an occurrence of A by a multiset of expressions Γ is said to be a strong access step provided that G contains a U-arc A ⇒ L (hence L ∈ Γ). The other cases of strong occurrences of access literals are inductively defined:
   - Let L be an access literal occurring in M1. Let M_i, M_{i+1} be an access step in D rewriting any of these occurrences of L via a rule L ⊢ Δ such that there exists at least one access literal A in Δ with <L, A> ∈ SUCC. The step M_i, M_{i+1} is said to be strong in D. Any occurrence of a literal A in Δ such that <L, A> ∈ SUCC is said to be a strong occurrence of A in D.
   - Any access step M_i, M_{i+1} of D rewriting a strong occurrence of an access literal A is a strong access step of D, provided that A is the source of a U-arc in G. If A is rewritten as the multiset Γ, A', Δ where A' is an access literal and A ⇒ A' is a U-arc in G, then the occurrence of A' produced by such a step is said to be strong in D.
3. An erase step M_i, M_{i+1} is strong in D if the rule used, L, ERASE(L) ⊢ ERASE(L), satisfies both the following conditions:
   (a) ∃j ≤ i such that L^DEL ∈ M_j;
   (b) the occurrence of L which is erased is a strong occurrence, or else it belongs to M1.
4. An access step (resp. an erase step) is called weak when it is not strong.

Intuitively, a sequence of strong access steps allows one to follow a path of U-arcs whose root is an element of M1 (or an access literal produced by an insertion rule). The last arc traversed via such a sequence of steps may be a D-arc whose source has been obtained via a U-arc.

Definition 19 Let F be a set of access literals, let M be a consistent signed multiset and let INS be either empty or equal to {L^INS} for an insertion literal L^INS. A deduction D of M from F ∪ INS is said to be canonical if D is the concatenation of 5 "segments" D1, D2, D3, D4, D5 such that:
1. If INS is not empty, then D1 = M1, ..., Mk with k > 1 and, for 2 ≤ i ≤ k, M_i is obtained from M_{i−1} by using an insertion rule. If INS = ∅, then D1 is empty.
2. If D1 is not empty, then D2 = N1, ..., Nt. For 2 ≤ i ≤ t, N_i is obtained from N_{i−1} via a deletion rewrite rule; the multiset N1 is likewise obtained from the last element of D1. If D1 is empty, D2 is empty too.
3. D3 = X1, ..., Xv. For 2 ≤ i ≤ v, X_i is obtained from X_{i−1} either by a strong access step or by a strong erase step. Similarly for X1 w.r.t. the last element of D2.
4. D4 = Z1, ..., Zp. For 2 ≤ i ≤ p, Z_i is obtained from Z_{i−1} either by a weak access step or by a weak erase step. Similarly for Z1 w.r.t. the last element of D3.
5. D5 is obtained by applying just dispose rewrite rules; its last element is the consistent signed multiset M.

We call the update hat of a canonical deduction D its initial segment D1, D2, and its strong access hat its initial segment D1, D2, D3. The update basis of a canonical deduction D is the last element of the sequence D2, i.e. its conclusion. The strong access basis of D is the conclusion of the sequence D3.

In all the lemmas below, we suppose that the underlying rule-graph G is safe and acyclic; we use the word "deduction" as synonymous with U-G deduction.

Lemma 1 Let G be a rule-graph, let F be a multiset of access literals and let INS be either empty or equal to {L^INS}. If there is a deduction D of M from F ∪ INS, then there is a canonical deduction D' of M from F ∪ INS.

Lemma 2 Let $F$ be a multiset of access literals, let $M_1, M_2$ be two consistent signed multisets, and let $INS$ be either empty or equal to $\{L_{INS}\}$.
1. Given any two canonical deductions $D$ and $D'$ of $M_1$ and $M_2$, respectively, from $F \cup INS$, $D$ and $D'$ have the same update basis and the same strong access basis.
2. If there exist two canonical deductions of $M_1$ and $M_2$ from $F \cup INS$, then there exist two canonical deductions $D_a$ and $D_b$ of, respectively, $M_1$ and $M_2$ having the same update hats and the same strong access hats.

Lemma 3 Let $F$ be a multiset of access literals and let $F^{\ast}$ be $\{(Not(L))^{-} \mid L \in F\}$. If there is a deduction $D$ of a consistent signed multiset $M$ from $F \cup F^{\ast}$, then there is also a deduction $D'$ of a consistent signed multiset $M'$ from $F$, where $M'$ is the multiset obtained by removing from $M$ one occurrence of each element of $F^{\ast}$.

Lemma 4 Let $L_{INS}$ be an insertion literal.
1. Given any deduction $D : M_1 = L_{INS}, \dots, M_n = M$ of a consistent signed multiset $M$ from $L_{INS}$, the following properties hold for all $i$, $1 \le i \le n$:
 (a) if $ERASE(A) \in M_i$, then $A \notin M_i$;
 (b) if $A$ and $A'$ are two access or signed literals in $M_i$, then $A$ and $A'$ are compatible.
2. There exists one (and only one) consistent multiset $M$ such that there is a deduction of $M$ from $L_{INS}$. No deduction of $M$ from $L_{INS}$ makes any use of erase rules.

Lemma 5 Let $G$ be a safe and acyclic rule-graph and let $\langle F_i, G \rangle$ be a database. Let $D$ be a canonical deduction of a consistent signed multiset $M$ from $F_i \cup \{L^{i+1}_{INS}\}$. The update basis $UB$ of $D$ satisfies the following property: $\{L \mid ERASE(L) \in UB\} = \{L \mid L^{-} \in UB\} = \{L \mid L \in Reject(G, L^{i+1}_{INS})\}$.

Lemma 6 Let $F$ be a multiset of literals containing no update literal and such that there is a canonical deduction of a consistent signed multiset $M_1$ from $F$. Let $L_{INS}$ be an insertion literal and let $M_2$ be a consistent signed multiset deducible from $L_{INS}$. Then there is a consistent signed multiset $M_3$ such that:
1. $M_3$ can be deduced from $F \cup \{L_{INS}\}$;
2. letting $F'$ be the multiset of literals $F - Reject(G, L_{INS})$, for each literal $A \in F'$ the signed literal $A^{\sigma}$ has an occurrence in $M_3$.

Lemma 7 Let $G$ be a safe and acyclic rule-graph and let $\langle F_i, G \rangle$ be a database. Let $\langle F_{i+1}, G \rangle$ be such that $F_{i+1} = Res(F_i, L^{i+1}_{INS})$. Let $\mathcal{M}$ be an update model of $F_i$ w.r.t. the insertion of $L^{i+1}$. Let us denote by $F_i^{\sigma}$ the multiset $\{L^{\sigma} \mid L \in F_i\}$, and similarly $F_{i+1}^{\sigma}$ w.r.t. $F_{i+1}$.
1. $\mathcal{M} \cap F_i^{\sigma} \subseteq F_{i+1}^{\sigma} - \{(L^{i+1})^{\sigma}\}$.
2. If $\mathcal{M}$ is a static model of $\langle F_{i+1}, G \rangle$, then $\mathcal{M} \cap F_i^{\sigma} = F_{i+1}^{\sigma} - \{(L^{i+1})^{\sigma}\}$.
3. If the update model $\mathcal{M}$ satisfies the minimal change property w.r.t. $F_i$ and $\langle F_i, G \rangle$ is consistent, then $\mathcal{M} \cap F_i^{\sigma} = F_{i+1}^{\sigma} - \{(L^{i+1})^{\sigma}\}$.

We can finally prove Theorem 1, by using the above lemmas. The proof is by induction on $i$. Below, we use the expression "c.s.m." as an abbreviation of "consistent signed multiset".

Proof of theorem 1

Base: $i = 0$. $F_0 = \emptyset$. The existence of at least one (and only one) update model $\mathcal{M}$ of $F_0$ with respect to the insertion of $L^1$ is assured by lemma 4, item 2. Now, consider $F_1 \cup \{(Not(L^1))^{-}\}$, where $F_1$ is $\{L^1\}$. Which are the possible static models of $\langle F_1, G \rangle$? Consider a canonical deduction $D$ of $M$ from $L^1_{INS}$ provided by lemma 4, item 2. We have the following properties:
1. no instruction of the form $ERASE(A)$ plays any role in the deduction $D$ (no erase step takes place);
2. all the possible strong access steps are performed;
3. $M$ is the only c.s.m. deducible from the strong access basis $AB$ of $D$; $M$ is produced by applying all possible weak access steps to $AB$.

If we consider the strong access basis $AB$ of $D$, we have as elements:
1. all the signed literals $B^{\sigma}$ such that $\langle L^1, B \rangle \in SUCC^{\ast}$;
2. all the signed erasing literals $(Not(B))^{-}$ where $B$ is as above;
3. all the instructions $ERASE(Not(B))$ where $B$ is as above;
4. all the access literals $A$ such that $\langle B, A \rangle \in succ$ where $B$ is as above;
5. some other erasing signed literals and erasing instructions produced by the backwards propagation of the $DEL$ label provided by the delete rules;
6. possibly more than one occurrence of a given $A^{\sigma}$, because of duplications created by insertion rules.

Now consider the process of performing all the possible strong access steps starting from $F_1 \cup \{(Not(L^1))^{-}\}$. At the end of this process, we find a multiset of expressions $C$ which contains exactly the same expressions as $AB$, with only two possible exceptions:
1. some occurrences of erasing instructions (caused in $D$ by the presence of deletion literals) can be missing;
2. some occurrences of erasing signed literals (caused in $D$ by the presence of insertion and deletion literals) can be missing.

It follows that we can develop $C$ by performing first all possible weak accesses, then all the possible dispose rules, and actually this will be the only possible way of developing $C$, exactly as in the case of $AB$ (reasoning as in the proof of lemma 4, we can exclude the possibility of applying erase rules). We will find a consistent signed multiset $M'$ which can differ from $M$ just because $M$ may contain some redundancies of signed literals w.r.t. $M'$. Hence the unique model $\mathcal{M}$ corresponds both to $M$ and to $M'$. We can conclude that $\langle F_1, G \rangle$ has exactly one static model $\mathcal{M}$, which coincides with the only update model of $F_0$ w.r.t. the insertion of $L^1$.

Inductive step : i > 0.

Part I

By inductive hypothesis, $\langle F_i, G \rangle$ has (at least) one static model $\mathcal{M}$. By lemma 1, this implies that there exists a canonical deduction of a c.s.m. $M_1$ from $F_i \cup F_i^{\ast}$ (see def. 12, section 5.1) and, by lemma 3, there is also a canonical deduction of $M'_1$ from $F_i$, where $M'_1$ is equal to $M_1 - F_i^{\ast}$. By lemma 4, item 2, there is a canonical deduction of a c.s.m. $M_2$ from $L^{i+1}_{INS}$. By lemma 6, item 1, this implies the existence of a canonical deduction of a c.s.m. $M_3$ from $F_i \cup \{L^{i+1}_{INS}\}$. Thus $F_i$ has (at least) one update model w.r.t. $L^{i+1}$.

Part II

Now, assume that $\mathcal{M}$ is a static model of $\langle F_{i+1}, G \rangle$ and let us show that $\mathcal{M}$ is an update model of $\langle F_i, G \rangle$ w.r.t. $L^{i+1}$ which satisfies the minimal change property w.r.t. $F_i$. By lemma 3 there is a deduction $D$ from $F_{i+1}$ of a c.s.m. $M$ associated to $\mathcal{M}$; by lemma 1 we can assume that $D$ is canonical. We are going to build a deduction from $F_i \cup \{L^{i+1}_{INS}\}$ of a c.s.m. $M'$ associated with $\mathcal{M}$ as follows:

- apply (as long as possible) insertion rules to $F_i \cup \{L^{i+1}_{INS}\}$;
- apply (as long as possible) deletion rules; the multiset $E_1$ obtained satisfies the property stated in lemma 5;
- apply the erase rules such that $ERASE(L)$ is in the multiset $E_1$ and $L$ is in $F_i$. Note here that erase rules are "fired" for a literal $L$ such that $L \in F_i$ and $L \in Reject(G, L^{i+1}_{INS})$. The multiset $E_2$ obtained is formed of (and only of):
  - the access literals in $F_{i+1}$ (easy to check);
  - the access literals $L$ such that $\langle L^{i+1}, L \rangle \in SUCC$ (generated by the insertion inferences); let us call this multiset $ACCESS$;
  - the signed literals $L^{-}$ and the expressions $ERASE(L)$ for all $L$ in $Reject(G, L^{i+1}_{INS})$; let us call these multisets of expressions respectively $QUEST$ and $ERASE$.
  Thus one can see the multiset $E_2$ as $F_{i+1} \cup ACCESS \cup QUEST \cup ERASE$.
- Let us now finish our deduction by making use of the inferences $r_1, \dots, r_k$ of $D$. For $i = 1, \dots, k$, we proceed as follows, thereby constructing a new deduction $D^{\ast}$:
  - apply the inference $r_i$ as done in $D$, and then
  - if $r_i$ is an access rule with $L$ in its left part, and if $L$ has $n$ occurrences in $ACCESS$, then apply $r_i$ $n$ times to $L$ and consider the access literals generated to be added to $ACCESS$ (this is just a trick to get rid of the redundant access literals, successors of $L^{i+1}$);
  - if $r_i$ is an erase rule with $ERASE(L)$ in its left part and if $L$ has $n$ occurrences in $ACCESS$, then apply $r_i$ $n$ times to $L$;
  - if $r_i$ is a dispose rule for $ERASE(L)$ and if there exist $n$ occurrences of $ERASE(L)$ in $ERASE$, then apply $r_i$ $n$ times.

The deduction $D^{\ast}$ so obtained has the following properties.

1. Each inference $r_i \in D$ is done at least once in $D^{\ast}$.
2. The access inferences performed always introduce compatible signed literals. To prove this property we reason pretty much as in the proof of lemma 7.
   - Assume that $r_i$ is a strong access inference using the rule $A \vdash A^{\sigma}, Not(S)^{-}, \Gamma$ from $D$; then we know that there exists $L$ in $F_{i+1}$ such that $\langle L, A \rangle$ is in $SUCC$. We reason by reductio ad absurdum, by considering all the possible cases where the signed literals $A^{\sigma}, Not(S)^{-}$ could be incompatible with previously introduced signed literals. Case 1: $A^{\sigma}$ is incompatible with an erasing literal $A^{-}$ which has an occurrence in $E_2$. Such an occurrence of $A^{-}$ implies that $A$ is in $Reject(G, L^{i+1}_{INS})$; thus there is a $B$ in $CONS(L^{i+1})$ such that $A$ is in $ANC(Not(B))$. Since $L \in ANC(A)$, this implies $L \in Reject(G, L^{i+1}_{INS})$, a contradiction with $L \in F_{i+1}$. Case 2: $A^{\sigma}$ is incompatible with an erasing literal $A^{-}$ which has been produced by a strong access inference $r_j$ ($j$ is in $allsucc$).
   - Assume that $r_i$ is a weak access inference. The proof is similar to the one indicated for the case where $r_i$ is a strong access inference.
3. The multiset $M'$ obtained at the end of the deduction $D^{\ast}$ is free of access literals (obvious).
4. Each signed non-erasing literal $L^{\sigma}$ occurring in $M$ occurs in $M'$ and vice versa (obvious by construction of the deduction $D^{\ast}$ from $D$).

In conclusion, $\mathcal{M}$ is an update model of $F_i$ w.r.t. the insertion of $L^{i+1}$. It remains to show that $\mathcal{M}$ satisfies the minimal change property w.r.t. $F_i$.

Note first that, since by hypothesis $\mathcal{M}$ is a static model of $F_{i+1}$, by lemma 7 the equation $\mathcal{M} \cap F_i^{\sigma} = F_{i+1}^{\sigma} - \{(L^{i+1})^{\sigma}\}$ holds. Assume that there exists an update model of $F_i$ with respect to the insertion of $L^{i+1}$, say $\mathcal{M}_0$, such that

Let $G = \langle V, U, D \rangle$ be a rule-graph. The linear axioms $Ax(G)$ associated to $G$ are all the sequents of the form $tr(A) \vdash tr(B_1) \otimes \cdots \otimes tr(B_n)$ where $A \vdash B_1, \dots, B_n$ is a rewrite rule depending on $G$ (i.e. either an insertion rule or a delete rule or an access rule).

Theorem 2 Let $G = \langle V, U, D \rangle$ be a rule-graph and let $Th(G)$ be the linear theory whose non-logical axioms are $Ax(G)$. If there is a $U$-$G$ deduction $D$ of a multiset $\{B_1, \dots, B_m\}$ from a multiset $\{A_1, \dots, A_n\}$, then the sequent $tr(A_1), \dots, tr(A_n) \vdash tr(B_1) \otimes \cdots \otimes tr(B_m)$ is a theorem of $Th(G)$.

Proof of Theorem 2 Let $D$ be $M_1, \dots, M_k$ with $M_1$ being the multiset $\{A_1, \dots, A_n\}$ and $M_k$ being the multiset $\{B_1, \dots, B_m\}$. The proof is by induction on $k$.

Base: $k = 1$. In this case $n = m$ and $A_i = B_i$. The sequent $tr(A_1), \dots, tr(A_n) \vdash tr(B_1) \otimes \cdots \otimes tr(B_m)$ is trivially provable in $Th(G)$ via a sequence of $\otimes$-r rules.

Inductive step: $k = p + 1$. The $U$-$G$ deduction $D$ has the form $M_1 = \{A_1, \dots, A_n\}, \dots, M_p = \{C_1, \dots, C_r\}, M_{p+1}$ and by inductive hypothesis there is a $Th(G)$-proof $P'$ of the sequent $tr(A_1), \dots, tr(A_n) \vdash tr(C_1) \otimes \cdots \otimes tr(C_r)$. We have the following cases.

1. $M_{p+1}$ is obtained from $M_p$ by using a rewriting rule associated to the rule-graph $G$ (i.e. insertion, deletion, access), say a rule replacing $C_j$ with $B_{i_1}, \dots, B_{i_z}$. Then $M_{p+1} = \{C_1, \dots, B_{i_1}, \dots, B_{i_z}, \dots, C_r\}$. Let $P''$ be the trivial $Th(G)$-proof deriving the sequent $tr(C_1) \otimes \cdots \otimes tr(C_j) \otimes \cdots \otimes tr(C_r) \vdash tr(C_1) \otimes \cdots \otimes tr(B_{i_1}) \otimes \cdots \otimes tr(B_{i_z}) \otimes \cdots \otimes tr(C_r)$ from the $Th(G)$ axiom $tr(C_j) \vdash tr(B_{i_1}) \otimes \cdots \otimes tr(B_{i_z})$. An application of the cut rule between the conclusions of $P'$ and $P''$ gives the required $Th(G)$-proof $P$ of the sequent $tr(A_1), \dots, tr(A_n) \vdash tr(C_1) \otimes \cdots \otimes tr(B_{i_1}) \otimes \cdots \otimes tr(B_{i_z}) \otimes \cdots \otimes tr(C_r)$.

2. $M_{p+1}$ is obtained from $M_p$ via an erase rule replacing the two expressions $C_i = A$ and $C_j = ERASE(A)$ with $C_j$ ($C_i$ being destroyed). Then $M_{p+1} = \{C_1, \dots, C_{i-1}, C_{i+1}, \dots, C_r\}$. By an appropriate application of the rules for the $!$ operator, the linear "tautology" $tr(A), !(tr(A) \multimap 1) \vdash\ !(tr(A) \multimap 1)$, i.e. the sequent $tr(C_i), tr(C_j) \vdash tr(C_j)$, is easily provable. Hence there exists a linear proof $P''$ of the sequent $tr(C_1), \dots, tr(C_{i-1}), tr(C_i), tr(C_{i+1}), \dots, tr(C_r) \vdash tr(C_1) \otimes \cdots \otimes tr(C_{i-1}) \otimes tr(C_{i+1}) \otimes \cdots \otimes tr(C_r)$. Again, an application of the cut rule between the conclusions of $P'$ and $P''$ gives the required $Th(G)$-proof.

3. $M_{p+1}$ is obtained from $M_p$ via a dispose rule, destroying an expression $C_j$ of the form $ERASE(A)$. Since $tr(ERASE(A))$ is $!(tr(A) \multimap 1)$, by using the $!$-weakening rule we can easily deduce $tr(C_1) \otimes \cdots \otimes tr(C_j) \otimes \cdots \otimes tr(C_r) \vdash tr(C_1) \otimes \cdots \otimes tr(C_{j-1}) \otimes tr(C_{j+1}) \otimes \cdots \otimes tr(C_r)$. Hence we can use a cut as in the above cases.
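The two linear-logic facts that cases 2 and 3 of the proof rely on, written out as sequent derivations. This is added here as a worked example; the paper itself only states that they are easily provable. We abbreviate $tr(A)$ as $a$ and $tr(C_l)$ as $c_l$, and use the standard intuitionistic linear sequent rules $\multimap$L, $1$L, dereliction ($!$D), contraction ($!$C) and weakening ($!$W).

Case 2, the "tautology" $tr(A), !(tr(A) \multimap 1) \vdash\ !(tr(A) \multimap 1)$: one copy of the exponential is used (via contraction and dereliction) to consume $a$, the other copy is passed through unchanged.

$$
\dfrac{
 \dfrac{
  \dfrac{a \vdash a \qquad
         \dfrac{!(a \multimap 1) \vdash\ !(a \multimap 1)}
               {1,\ !(a \multimap 1) \vdash\ !(a \multimap 1)}\ 1\text{L}}
        {a,\ a \multimap 1,\ !(a \multimap 1) \vdash\ !(a \multimap 1)}\ \multimap\text{L}}
 {a,\ !(a \multimap 1),\ !(a \multimap 1) \vdash\ !(a \multimap 1)}\ !\text{D}}
{a,\ !(a \multimap 1) \vdash\ !(a \multimap 1)}\ !\text{C}
$$

Case 3, disposing of $C_j = ERASE(A)$: the premise is obtained from axioms by $\otimes$-r, and $!$W discards $tr(C_j) = !(a \multimap 1)$ from the antecedent.

$$
\dfrac{c_1, \dots, c_{j-1}, c_{j+1}, \dots, c_r \vdash c_1 \otimes \cdots \otimes c_{j-1} \otimes c_{j+1} \otimes \cdots \otimes c_r}
      {c_1, \dots, c_{j-1},\ !(a \multimap 1),\ c_{j+1}, \dots, c_r \vdash c_1 \otimes \cdots \otimes c_{j-1} \otimes c_{j+1} \otimes \cdots \otimes c_r}\ !\text{W}
$$

In both cases $\otimes$-l applications turn the comma-separated antecedent into the single tensor $c_1 \otimes \cdots \otimes c_r$ that the cut with the conclusion of $P'$ requires.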
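The induction in the proof of Theorem 2 is effectively an algorithm: walk the deduction step by step, check that each step is a legal $U$-$G$ inference, and record which of the three cases (axiom of $Th(G)$ plus cut, the erase "tautology" plus cut, or $!$-weakening plus cut) justifies it in $Th(G)$. The following Python script, added here as an example and not code from the paper, does exactly that and prints the resulting sequent $tr(A_1), \dots, tr(A_n) \vdash tr(B_1) \otimes \cdots \otimes tr(B_m)$. It assumes an explicit table of rewrite rules standing in for $Ax(G)$ (the literals in it are constructed for the example, not taken from the paper's rule-graph), and it only fixes $tr(ERASE(A)) = !(tr(A) \multimap 1)$, leaving every other expression as an atom.

```python
"""Replay a U-G deduction and produce the Th(G) sequent of Theorem 2.

Added example for this page; it is not code from the paper.  The rule-graph
G is replaced by an explicit table of rewrite rules (the non-logical axioms
Ax(G)); the literals in that table are constructed for the example.
Expressions are plain strings: "A_INS", "DEL(L)", "ERASE(L)", "L^+", "L^-".
"""
from collections import Counter

# Constructed stand-in for Ax(G): left part -> right part (a multiset).
# Shapes follow the paper's proof of Lemma 1: an insertion rule A_INS ->
# A, (U-successors)_INS, (Not A)_DEL; a deletion rule L_DEL -> ERASE(L), L^-;
# an access rule A -> A^+.  The particular literals are an assumption.
AXIOMS = {
    "A_INS": ["A", "B_INS", "DEL(Not(A))"],
    "B_INS": ["B", "DEL(Not(B))"],
    "DEL(Not(A))": ["ERASE(Not(A))", "Not(A)^-"],
    "DEL(Not(B))": ["ERASE(Not(B))", "Not(B)^-"],
    "A": ["A^+"],
    "B": ["B^+"],
}

# How each kind of step is justified in Th(G): the three cases of the proof.
JUSTIFICATION = {
    "rule": "axiom tr(C_j) |- tr(B_1) (x) ... (x) tr(B_z), then cut",
    "erase": "tautology tr(A), !(tr(A) -o 1) |- !(tr(A) -o 1), then cut",
    "dispose": "!-weakening of !(tr(A) -o 1), then cut",
}

def tr(expr):
    """Translate one expression.  The paper fixes tr(ERASE(A)) = !(tr(A) -o 1);
    every other expression is kept as an atom here (assumption)."""
    if expr.startswith("ERASE(") and expr.endswith(")"):
        return "!(" + tr(expr[6:-1]) + " -o 1)"
    return expr

def step(ms, kind, target):
    """Apply one inference to the multiset `ms` (a Counter) and return the
    new multiset; raise ValueError if it is not a legal U-G inference."""
    if ms[target] == 0:
        raise ValueError(f"{target} has no occurrence in the multiset")
    out = ms.copy()
    if kind == "rule":                       # case 1: rewrite rule of G
        if target not in AXIOMS:
            raise ValueError(f"no rewrite rule with left part {target}")
        out[target] -= 1
        out.update(AXIOMS[target])
    elif kind == "erase":                    # case 2: A, ERASE(A) -> ERASE(A)
        if out["ERASE(" + target + ")"] == 0:
            raise ValueError(f"erase of {target} needs ERASE({target})")
        out[target] -= 1
    elif kind == "dispose":                  # case 3: ERASE(A) -> (nothing)
        if not (target.startswith("ERASE(") and target.endswith(")")):
            raise ValueError("dispose only destroys ERASE(...) instructions")
        out[target] -= 1
    else:
        raise ValueError(f"unknown inference kind {kind}")
    return +out                              # drop zero counts

def replay(start, steps):
    """Check a whole deduction M_1, ..., M_k; return the final multiset and
    one Th(G) justification per step (the induction on k)."""
    ms = Counter(start)
    justifications = []
    for kind, target in steps:
        ms = step(ms, kind, target)
        justifications.append(JUSTIFICATION[kind])
    return ms, justifications

def sequent(start, final):
    """The Theorem 2 sequent tr(A_1), ..., tr(A_n) |- tr(B_1) (x) ... (x) tr(B_m)."""
    lhs = ", ".join(tr(e) for e in sorted(Counter(start).elements()))
    rhs = " (x) ".join(tr(e) for e in sorted(final.elements()))
    return f"{lhs} |- {rhs}"

# Constructed deduction: insert A into a base whose only fact is Not(A).
START = ["Not(A)", "A_INS"]
STEPS = [
    ("rule", "A_INS"), ("rule", "DEL(Not(A))"),   # insertion, then deletion
    ("erase", "Not(A)"),                          # erase the rejected fact
    ("rule", "B_INS"), ("rule", "DEL(Not(B))"),
    ("rule", "A"), ("rule", "B"),                 # access steps
    ("dispose", "ERASE(Not(A))"), ("dispose", "ERASE(Not(B))"),
]

def demo():
    """Replay STEPS from START and return the resulting Th(G) sequent."""
    final, _ = replay(START, STEPS)
    return sequent(START, final)

if __name__ == "__main__":
    for kind_target, why in zip(STEPS, replay(START, STEPS)[1]):
        print(f"{kind_target[0]:8} {kind_target[1]:16} {why}")
    print(demo())
```

The step order in `STEPS` is the canonical one of Definition 19 (insertion, deletion, erase, access, dispose); replaying the same steps in another legal order yields the same final multiset, which is what Lemma 2 is about. The erase step is only accepted when both $A$ and $ERASE(A)$ are present, matching the side condition that makes the case 2 sequent $tr(C_i), tr(C_j) \vdash tr(C_j)$ applicable.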

8 Conclusions

As we announced in the introduction, the main results of this paper may be illustrated by the diagram of figure 1. In that diagram:
1) The horizontal arrow means that the (specification of the) new base may be syntactically defined from the (specification of the) old one. Such a definition depends only on the inserted literal $A$ and on the inspection of a small part of the rule-graph $G$ (see definition 16).
2) The vertical arrow means that a (static) semantics for the new base does always exist (see theorem 1); it is the result of a deduction from the facts $F'$ of the new base in the linear theory $Th(G)$ (see theorem 2).
3) The oblique arrow means that the static semantics of the new base may be recovered by computing the update semantics of the old base w.r.t. the insertion of $A$. More precisely, it can be recovered by selecting only those update models which satisfy the minimal change property w.r.t. the facts $F$ of the old base (see theorem 1). The computation of the update semantics is the construction of a deduction from $F \cup \{A_{INS}\}$ in the linear theory $Th(G)$ (see theorem 2).

Such a result shows the existence of a logical proof system allowing one to compute the semantics of updates while preserving consistency, no matter which new fact is inserted. It has been obtained under some hypotheses on the structure of the rules in $DB$:
1) Both the source and the target of a default arc are literals; for instance, we cannot have a default rule of the form $(L_1 \text{ and } \cdots \text{ and } L_n) \rightarrow A$.
2) Also in the case of the update arcs, both the source and the target are literals.
3) The rule-graph $G$ is acyclic.
4) A pattern $A \rightarrow B \Rightarrow C$ is not allowed in a rule-graph $G$.
5) The rule-graph $G$ is safe.

The first hypothesis is not really crucial. It would not be difficult to slightly modify our work so as to allow default arcs of the form $(L_1 \text{ and } \cdots \text{ and } L_n) \rightarrow A$. For instance, we could express the "and" operation via the linear connective $\otimes$. Things do not go so smoothly in the case of update arcs: the second hypothesis is really a restrictive one. Allowing "more expressive" update rules does cause well-known problems of non-determinism of the update process. For instance, suppose that $G$ contains an update arc of the form $(A \text{ and } B) \Rightarrow C$, that $F = \{A, B\}$ and that we want to insert $C^{neg}$. Such an insertion will cause an $ERASE$ instruction with respect to $C$, which should propagate backwards to the conjunction of $A$ and $B$, the source of the $\Rightarrow$ arc. But erasing the conjunctive information $(A \text{ and } B)$ can be done in at least two ways: either by erasing $A$ or by erasing $B$. This kind of consideration leads one to think that the problem of handling "generalized" update rules is a delicate one; it could be the subject of future work. The third hypothesis is not hard to eliminate. We are presently working on the definition of an additional group of rewrite rules (an additional set of non-logical axioms of the corresponding linear theory) which enables us to handle cycles in $G$. The fourth hypothesis reflects the separation between those deduction rules playing also the role of update constraints ($\Rightarrow$) and those which do not. Concerning the last hypothesis, it does seem necessary to impose some restriction on the structure of $G$, so as to eliminate "meaningless" graphs such as, for instance, the one given in example 1, section 3. However, our "safety" condition is perhaps too strong, and we are working on the definition of more liberal conditions. We would like to stress that although in the paper we do insist on insertion of positive and negative facts as the typical update operation, our approach also allows one to deal with deletion of facts.

In [5] and [6] the equivalence between linear logic and default logic w.r.t. taxonomic default theories is proved. Although the kind of problems addressed in those papers, namely the representation of inheritance in semantic networks containing default and exception arcs, is quite different from the updating problem, we are strongly indebted to them at the technical level. For instance, our use of signed literals to compute the semantics of a DB has been largely inspired by those works. Truth Maintenance Systems (TMS) have been introduced by Doyle [2] and developed in the context of Artificial Intelligence. The aim of such systems is similar to ours insofar as they offer an automatic procedure for restoring consistency of knowledge bases after updates. The main difference between the two approaches lies in the kind of bases handled. In TMS, pieces of information are of the same form as rules in extended logic programs [3]; default rules are missing. Moreover, in TMS the graph of rules can be modified in order to recover consistency. Finally, they do not provide a formal system to define the update semantics. There are several similarities between the "philosophy" of [10] and our approach to the update problem, although the two works are quite independent. "Passive Rules" in [10] correspond in some way to our deduction rules, while "Active Rules" recall our update rules. However, [10] does not address at all the problem of how to generate the different models of a database corresponding to the activation of "rival" default rules. For instance, a situation such as the one described in our example 3, section 5, is not explicitly treated. What constitutes perhaps a more crucial difference between the two approaches is the fact that [10] does not propose a logical proof system to compute the "semantics" of databases; the semantics is rather defined as the fixed point of a particular operator on partial interpretations.

References

[1] N. Bidoit, S. Cerrito, C. Froidevaux. Consistency Preserving Updates. Proceedings of the Post-ILPS'94 Workshop on Uncertainty in Databases and Deductive Systems (available as Technical Report of the Department of Computer Science, Concordia University).
[2] J. Doyle, 1979. A Truth Maintenance System. Artificial Intelligence, 12.
[3] C. Elkan, 1990. A Rational Construction of Nonmonotonic Truth Maintenance Systems. Artificial Intelligence, 43.
[4] R. Fagin, J.D. Ullman, M.Y. Vardi, 1983. Updating Logical Databases. Proceedings of the ACM PODS Conference.
[5] C. Fouquere, J. Vauzeilles, 1993. Taxonomic Linear Theories. ECSQARU-93, Granada, Spain, November 1993, LNCS 747, Springer-Verlag.
[6] C. Fouquere, J. Vauzeilles, 1993. Linear Logic and Exceptions. To appear in Journal of Logic and Computation.
[7] J.-Y. Girard, 1987. Linear Logic. Theoretical Computer Science, 50.
[8] J.-Y. Girard, Y. Lafont, P. Taylor, 1989. Proofs and Types. Cambridge Tracts in Theoretical Computer Science, Cambridge University Press, Cambridge.
[9] G. Grahne, 1991. Updates and Counterfactuals. In J. Allen, R. Fikes, E. Sandewall (eds.), Proceedings of the Second International Conference on Principles of Knowledge Representation and Reasoning (KR '91), Los Altos, CA.
[10] M. Halfeld-Ferrari-Alves, D. Laurent, N. Spyratos, 1994. Passive and Active Rules in Deductive Databases. Proceedings of the 19th Int. Symp. on Mathematical Foundations of Computer Science, LNCS 841, Springer-Verlag.
[11] H. Katsuno, A. O. Mendelzon, 1991. On the Difference Between Updating a Knowledge Base and Revising It. In J. Allen, R. Fikes, E. Sandewall (eds.), Proceedings of the Second International Conference on Principles of Knowledge Representation and Reasoning (KR '91), Los Altos, CA.
[12] R. Reiter, 1992. Formalizing Database Evolution in the Situation Calculus. In Proceedings of FGCS '92.
[13] R. Reiter, 1992. On Formalizing Database Updates: Preliminary Report. In Proceedings of EDBT '92.
[14] A. Troelstra, 1992. Lectures on Linear Logic. CSLI Lecture Notes No. 29.
[15] M. Winslett, 1988. Reasoning about Action Using a Possible Models Approach. In Proceedings of the National Conference on Artificial Intelligence.

Appendix

Proof of Lemma 1

We show that it is always possible to permute inferences of $D$ so as to eventually get the structure of a canonical deduction. Let $\langle M_{i-1}, M_i, M_{i+1} \rangle$ be a segment of $D$ such that $M_i$ is obtained from $M_{i-1}$ by an inference $inf$ while $M_{i+1}$ is obtained from $M_i$ by an inference $inf'$. We indicate some cases where such a segment may be replaced in $D$ by a new segment $\langle M_{i-1}, M'_i, M_{i+1} \rangle$ where $M'_i$ is obtained from $M_{i-1}$ via $inf'$ and $M_{i+1}$ is obtained from $M'_i$ via $inf$.

- Applications of insertion rules can be permuted above all the other inferences.

Here, $inf$ does not use an insertion rule while $inf'$ does use such a rule. We distinguish several cases, according to the nature of $inf$.
1. $inf$ uses a delete rule. In this case, $M_{i-1}$ has the form $\Gamma \cup \{A_{INS}, L_{DEL}\}$, because the insertion literal appearing on the left of the insertion rule corresponding to $inf'$ cannot be produced by a delete rule. Thus, $M_i$ has the form $\Gamma \cup \{A_{INS}, ERASE(L), L^{-}, L^{1}_{DEL}, \dots, L^{m}_{DEL}\}$. Hence we can first apply the insertion rule to $M_{i-1}$ so as to get $M'_i = \Gamma \cup \{A, A^{1}_{INS}, \dots, A^{n}_{INS}, (Not(A))_{DEL}, L_{DEL}\}$, then the delete rule so as to get $M_{i+1} = \Gamma \cup \{A, A^{1}_{INS}, \dots, A^{n}_{INS}, (Not(A))_{DEL}, ERASE(L), L^{-}, L^{1}_{DEL}, \dots, L^{m}_{DEL}\}$.
2. $inf$ is an access inference. Again, such an inference cannot produce an insertion literal $A_{INS}$, hence one can permute $inf$ and $inf'$ so as to get the very same $M_{i+1}$.
3. $inf$ is an application of an erase rule allowing to erase $A$ by using $ERASE(A)$. The application of the insertion rule corresponding to $inf'$ cannot destroy the access literal $A$; hence we can permute $inf'$ above $inf$.
4. $inf$ is a dispose inference. This case is trivial.

- We can permute any inference $inf'$ using a deletion rule (i.e. a rule triggered by an $L_{DEL}$ literal) above any other inference $inf$, provided that $inf$ does not use an insertion rule. We distinguish three possible cases: 1. $inf$ is an access step; 2. $inf$ is an erase step; 3. $inf$ is a dispose inference. The arguments showing that $inf'$ can be permuted above $inf$ are similar to the case where $inf'$ uses an insertion rule.

- We can permute all strong access steps and strong erase steps $inf'$ above any other inference $inf$ which does not use insertion or deletion rules.

Let us first consider the case where $inf'$ is a strong access step rewriting an occurrence of a literal $B$ as a multiset of expressions $\{B_1, \dots, B_k\}$. We consider several possibilities for $inf$.
1. $inf$ is a weak access step using a rule $A \vdash A_1, \dots, A_m$, where $A$ is an access literal. By definition of strong access step, the occurrence of $B$ rewritten via $inf'$ is strong in $D$ or else it belongs to $F$. Hence, either it belongs to $F \cup INS$, or it is produced by an insertion rule, or else it is produced via a strong access step. In all these cases, this occurrence of $B$ is not produced by the inference $inf$ and it does not belong to the multiset $\{A_1, \dots, A_m\}$. Hence, this occurrence of $B$ was already in $M_{i-1}$ and we have the following situation:
 $M_{i-1} = \Gamma \cup \{A, B\}$, $M_i = \Gamma \cup \{A_1, \dots, A_m, B\}$, $M_{i+1} = \Gamma \cup \{A_1, \dots, A_m, B_1, \dots, B_k\}$.
 We get the new deduction segment by taking $M'_i = \Gamma \cup \{B_1, \dots, B_k, A\}$.
2. $inf$ is a (weak) erase step destroying an access literal $A$ by using an $ERASE(A)$ instruction. The situation is the following:
 $M_{i-1} = \Gamma \cup \{A, ERASE(A), B\}$, $M_i = \Gamma \cup \{ERASE(A), B\}$, $M_{i+1} = \Gamma \cup \{ERASE(A), B_1, \dots, B_k\}$.
 We get the new deduction segment by taking $M'_i = \Gamma \cup \{A, ERASE(A), B_1, \dots, B_k\}$. As a matter of fact, it is always possible to permute any access step above any erase step.
3. $inf$ is a dispose rule. This case is trivial.

Now we consider the case where $inf'$ is a strong erase inference, destroying a given occurrence of an access literal $B$. We consider several possibilities for $inf$.
1. $inf$ is a weak access inference. Since we would like to erase our occurrence of $B$ before the creation of new access literals via the weak access inference $inf$, the only possible difficulty would be the case where the erased occurrence of $B$ had been produced by the very access rule used by $inf$. But this contradicts the very definition of strong erase inference, which requires such an occurrence of $B$ to be strong in $D$.
2. $inf$ is a weak erase inference. It is clear that one can always permute two consecutive erase inferences.
3. $inf$ is a dispose inference. This case is trivial.

Remark 1 As the above proof shows, one can refine lemma 1 by forcing $D'_3$ to be the concatenation of two segments $q_1, q_2$ where $q_1$ contains only strong access inferences and $q_2$ contains only strong erase inferences (it is always possible to permute any access step above any erase step).

Proof of Lemma 2

We start by proving property 1. Let $D$ be $D_1, D_2, D_3, D_4, D_5$ and let $D'$ be $D'_1, D'_2, D'_3, D'_4, D'_5$. The proof is articulated in three main steps.

1. We can show that in $D_1$ and $D'_1$ the very same insertion rules have been used; therefore the respective conclusions of $D_1$ and $D'_1$ are the very same multiset. This step is trivial.

2. We can show that in $D_2$ and $D'_2$ the very same delete rules have been used; therefore the respective conclusions of $D_2$ and $D'_2$ are the very same multiset $E$. This step is also trivial. Notice that a literal $L^{-} \in E$ iff $ERASE(L) \in E$. Moreover, if $L^{-} \in E$, then the expression $L_{DEL}$ appears in $D_2$ and $D'_2$. $E$ constitutes the common update basis of $D$ and $D'$.

3. We have already noticed that we can take $D_3 = p_1, p_2$ and $D'_3 = q_1, q_2$ where $p_1, q_1$ consist only of strong access steps and $p_2, q_2$ consist only of strong erase steps.

3a) Let $p_1$ consist of the strong access steps $s_1, \dots, s_n$ and let $q_1$ consist of the strong access steps $t_1, \dots, t_m$. We show, by induction on $i$, that if $s_i$ uses a rule $A \vdash \Gamma$ to rewrite a given occurrence of $A$, then there is a $j$, $1 \le j \le m$, such that the step $t_j$ uses the very same rule to rewrite an "analogous" occurrence of $A$. Since a symmetrical reasoning can be done when we exchange $p_1$ and $q_1$, it will follow that $n = m$ and $p_1 = q_1$ modulo the order of application of rules. The deductions $p_1$ and $q_1$ share the same conclusion $E'$.

Basis: $i = 1$. Either the rewritten occurrence of $A$ is in $S$, the common starting multiset of $D$ and $D'$, and it is the source of at least one $U$-arc, or else it is strong in $D$, which implies that it has been produced via an insertion rule in $D_1$ of $D$. Hence, either the rewritten occurrence of $A$ is in $S$ and it is the source of at least one $U$-arc, or else it is strong also in $D'$. Now, suppose (by reductio ad absurdum) that for all $j$, $1 \le j \le m$, no $t_j$ rewrites such an occurrence of $A$ by $A \vdash \Gamma$. Since $M_2$ contains only signed literals, this means that the given occurrence of $A$ has anyway been "destroyed" in the segment $q_2, D'_4$ of $D'$. This cannot be the effect of a weak access step in $D'_4$, since the considered occurrence either is strong also in $D'$ or else it belongs to $S$ and it is the source of at least a $U$-arc. Now, suppose that this occurrence has been erased via a strong erase step in $q_2$; in this case, $E$ must contain the expressions $A_{DEL}$ and $A^{-}$. But then the strong access $s_1$ in $p_1$ has produced an occurrence of $A^{\sigma}$, incompatible with $A^{-}$, which contradicts the hypothesis that $M_1$ is consistent. Finally, suppose that the considered occurrence of $A$ has been erased via a weak erase step in $D'_4$. By definition of weak erase step, either $A_{DEL}$ does not belong to $E$ or else the erased occurrence is not strong in $D'$ and it does not belong to $S$ either. The second case can be immediately ruled out. In the first case, the instruction $ERASE(A)$ must be produced in $D'$ by an access step using a rule $Not(A) \vdash \Delta$ where $A$ is the target of a $D$-arc in $G$. Now, since $s_1$ is a strong access in $D$, $A$ must be the source of a $U$-arc. The situation where $A$ is, at the same time, the target of a $D$-arc and the source of a $U$-arc is incompatible with our general hypothesis that the rule-graph $G$ is safe. Hence it is not possible that the considered occurrence of $A$ has been erased via a weak erase step in $D'_4$. Thus, we can conclude that there is a $j$, $1 \le j \le m$, such that the strong access step $t_j$ uses the access rule $A \vdash \Gamma$ to rewrite our occurrence of $A$.

Inductive step: $i = k + 1$. Assume that, for $i$, $1 \le i \le k$, if $s_i$ uses $A \vdash \Gamma$ in $p_1$ to rewrite a given occurrence of $A$, then there exists $j$, $1 \le j \le m$, such that $t_j$ rewrites a corresponding occurrence of $A$ via the rule $A \vdash \Gamma$. Now consider the step $s_{k+1}$ and let $A' \vdash \Gamma'$ be the rule used. Since $s_{k+1}$ is a strong access step, either the rewritten occurrence of $A'$ is a strong one in $D$ or else it belongs to $S$ and it is the source of a $U$-arc. Hence either it is already in $E$, or else it has been produced by an $s_i$ with $1 \le i \le k$ (and the arc whose target is $A'$ involved in this inference is a $U$-arc). Hence either the considered occurrence belongs to $S$ and it is the source of a $U$-arc, or else a corresponding strong occurrence of $A'$ appears also in $q_1$ (we use here our inductive hypothesis). Now assume that for all $j$, $1 \le j \le m$, no $t_j$ rewrites this occurrence of $A'$ via $A' \vdash \Gamma'$. We can deduce a contradiction from this hypothesis by a reasoning quite similar to the one we did in the basis of the induction. Since $M_2$ contains only signed literals, the given occurrence of $A'$ has been "destroyed" in $D'$. This cannot be the effect of a weak access step in $D'_4$, because either the considered occurrence belongs to $S$ and it is the source of a $U$-arc, or else the corresponding strong occurrence of $A'$ appears also in $q_1$ and it is the source of at least a $U$-arc (otherwise $s_{k+1}$ would not be strong in $D$). The case where the given occurrence of $A'$ in $D'$ has been "destroyed" by a weak erase step is such that either the rewritten occurrence of $A'$ is not strong in $D'$ and it does not belong to $S$, or else $A'_{DEL} \notin E$. The first case can be immediately ruled out. For the second case, if $A'_{DEL} \notin E$, then the instruction $ERASE(A')$ used by the weak erase step of $D'$ has been produced via an access rule of the form $Not(A') \vdash \Delta$ where $A'$ is the target of a $D$-arc in $G$. But $A'$ must be the source of at least one $U$-arc (otherwise $s_{k+1}$ would not be a strong access), hence, once again, we get a contradiction with our general hypothesis that the rule-graph $G$ is safe. Let us consider now the case where the considered occurrence of $A'$ has been erased via a strong erase step in $q_2$. In this case, $A'_{DEL}$ and $A'^{-}$ belong to $E$, and, since $s_{k+1}$ produces $A'^{\sigma}$, we get a contradiction with the hypothesis that $M_1$ is consistent. We can conclude to the existence of a $t_j$ ($1 \le j \le m$) which rewrites the considered occurrence of $A'$ via the rule $A' \vdash \Gamma'$.

3b) Similarly, we want to show that if $p_2$ contains a strong erase step using an erasing rule $A, ERASE(A) \vdash ERASE(A)$ to erase a given occurrence of $A$, this kind of step appears also in $q_2$ to erase a corresponding occurrence of $A$. Thus $p_2$ and $q_2$ will be equal modulo the order of strong erase steps and will have the same conclusion, constituting the common strong access basis of $D$ and $D'$. As a consequence of the definition of strong erase step:
(a) $E$ must contain an occurrence of $A_{DEL}$ and an occurrence of $A^{-}$;
(b) either the erased occurrence of $A$ is strong in $D$ or else it belongs to $S$, the multiset which is the starting point of $D$ and $D'$.
Because of the first property, the signed literal $A^{\sigma}$ cannot appear in the consistent multiset $M_2$, hence $A$ must have been "destroyed" in $q_2, D'_4$. This cannot be the effect of a weak access step (in $D'_4$), because such a step would produce the signed literal $A^{\sigma}$. Thus the "destruction" of $A$ in $D'$ must be the result of an erase step. The two above properties imply that such a step is a strong one, taking place in $q_2$.

The second part of the lemma is now quite easy to prove. If there exist two canonical deductions of $M_1$ and $M_2$ from $F \cup INS$, by the first part of the lemma they share a common strong access basis. Since one can always replace a segment of a deduction from $F \cup INS$ by another segment having the same conclusion, one can conclude to the existence of two canonical deductions sharing the very same update hat and the very same strong access hat.

Proof of Lemma 3

It is clear that the only role of literals having the form $L^{-}$ is to prevent inferences leading to $L^{\sigma}$ in proofs of consistent signed multisets ($L^{-}$ and $L^{\sigma}$ being incompatible). If we remove the occurrences of literals in $F^{\ast}$ from $D$ we get $D'$.

Proof of Lemma 4

Proof of 1(a). First, let us recall that an expression of the form $ERASE(A)$ can be produced only by a deletion rule or by an access rule. Now, given any $i$, if an expression of the form $ERASE(A)$ appearing in $M_i$ is produced by application of a deletion rule, then there is an access literal $B$ such that:
- $\langle L, Not(B) \rangle \in SUCC$ (where $L$ is the inserted literal)
- $\langle A, B \rangle \in SUCC$

Now, if $A \in M_i$, then $\langle L, A \rangle \in allsucc$, hence also $\langle L, B \rangle \in allsucc$; this last fact together with $\langle L, Not(B) \rangle \in SUCC$ contradicts our hypothesis that $G$ is safe. On the other hand, if $ERASE(A)$ is produced by application of an access rule $Not(A) \vdash \ldots$, the presence of $ERASE(A)$ in $M_i$ implies that $A$ is the target of a $D$-arc and $\langle L, Not(A) \rangle \in allsucc$. Now, if $A$ were in $M_i$, we would have both $\langle L, Not(A) \rangle \in allsucc$ and $\langle L, A \rangle \in allsucc$ which, once again, would contradict our hypothesis that $G$ is safe.

Proof of 1(b). The impossibility of having both $A$ and $Not(A)$ in $M_i$ is again a consequence of the fact that $G$ is safe. The other possible case of incompatible literals is that of $A^{\perp}$ and $A$. Now suppose that $A^{\perp} \in M_i$. Either $A^{\perp}$ has been produced by applying a deletion rule or else by applying an access rule. In the first case we can reason exactly as above (proof of 1(a)) to rule out the possibility that $A$ is also in $M_i$. In the second case, we must have $\langle L, Not(A) \rangle \in SUCC$ and, once again, the possibility that $A$ is also in $M_i$ is ruled out by the hypothesis that $G$ is safe. Hence the first item of our lemma is proved.

Proof of 2. We can deduce two facts:
- Fact 1. Consider the process of building up a deduction from $L_{INS}$ by first applying all the insertion and deletion rules as far as possible (this operation necessarily terminates, given the form of such rules), then performing access inferences as far as we can (first the strong ones, then the weak ones). The process necessarily halts, since $G$ is acyclic. The final multiset of expressions $S$ so obtained is such that its only literals are signed and, because of the first item of the lemma, they are pairwise compatible. (The remaining expressions of $S$ are of the form $ERASE(L)$ and can be disposed of.)
- Fact 2. No deduction whatsoever from $L_{INS}$ can use an erase rule (since we can never have both $A$ and $ERASE(A)$).
The first fact implies the existence of a consistent signed multiset $M$ which can be deduced from $L_{INS}$. The second shows the uniqueness of $M$, since the absence of erase rules implies that all the possible canonical deductions from $L_{INS}$ have the same conclusion.
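As an added illustration (not code from the paper), the following Python script checks the two graph properties that the proof of Lemma 4 leans on: that the rule graph is acyclic, so that the access phase terminates, and that no literal reaches both some $B$ and $Not(B)$ through the successor relation, which is the pattern the proof treats as a contradiction with safety. The arc encoding, the `Not(...)` string convention, the reading of `allsucc` as the full transitive closure over both arc kinds, and the two sample graphs are assumptions of this example, not definitions taken from the paper.

```python
"""Reachability-based safety check on a rule graph.

Added illustration, not code from the paper. It models only what the
proof of Lemma 4 relies on: a literal L must never reach both some
literal B and its complement Not(B), and the graph must be acyclic
(so the access phase terminates). The arc labels ('U' and 'D'), the
'Not(...)' encoding and the sample graphs below are assumptions.
"""
from collections import deque


def complement(lit: str) -> str:
    """Map a literal to its negation: 'p' <-> 'Not(p)'."""
    if lit.startswith("Not(") and lit.endswith(")"):
        return lit[4:-1]
    return f"Not({lit})"


def all_successors(graph: dict, start: str) -> set:
    """Transitive closure over all arcs, U and D alike (our reading of allsucc)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for target, _label in graph.get(node, ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def is_acyclic(graph: dict) -> bool:
    """True when no literal with outgoing arcs can reach itself."""
    return all(node not in all_successors(graph, node) for node in graph)


def unsafe_pairs(graph: dict) -> list:
    """(L, B) pairs such that L reaches both the atom B and Not(B)."""
    nodes = set(graph)
    for targets in graph.values():
        nodes.update(t for t, _ in targets)
    bad = []
    for lit in sorted(nodes):
        reach = all_successors(graph, lit)
        for b in sorted(reach):
            # report each clash once, keyed on the positive atom
            if not b.startswith("Not(") and complement(b) in reach:
                bad.append((lit, b))
    return bad


def is_safe(graph: dict) -> bool:
    """Safety as used in the proofs: acyclic and free of B / Not(B) clashes."""
    return is_acyclic(graph) and not unsafe_pairs(graph)


# Constructed sample graphs: each arc is (target, label), label 'U' or 'D'.
SAFE_GRAPH = {
    "a": [("b", "U"), ("Not(c)", "D")],
    "b": [("d", "U")],
}
# Same graph plus one arc: an insertion of 'a' now reaches both c and Not(c).
UNSAFE_GRAPH = {
    "a": [("b", "U"), ("Not(c)", "D")],
    "b": [("d", "U"), ("c", "U")],
}

if __name__ == "__main__":
    print("safe graph:", is_safe(SAFE_GRAPH))
    print("unsafe graph clashes:", unsafe_pairs(UNSAFE_GRAPH))
```

`unsafe_pairs` returns the offending literal together with the atom it reaches in both polarities, which is exactly the information one needs to see why an insertion of that literal could not be given a consistent update semantics under these rules.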

Proof of Lemma 5

Almost immediate.

Proof of Lemma 6

To build up the desired proof from $F \cup L_{INS}$, we start by first applying (as long as possible) insertion rules and deletion rules. The multiset of expressions $E_1$ obtained has the properties described in Lemma 5. Let us call $D$ the segment of deduction obtained so far. To extend $D$ proceed as follows.

1. Apply the erase rules such that $ERASE(A)$ is in the multiset $E_1$ and $A$ is in $F$. Note that here erase rules are "fired" for literals belonging to $Reject(G, L_{INS})$. The multiset $E_2$ obtained is made of (and only of):
- the access literals in $Res(F, G, L_{INS})$,
- the access literals $A$ such that $\langle L, A \rangle \in SUCC$ (generated by the insertion inferences),
- the signed literals $A^{\perp}$ and the expressions $ERASE(A)$ for all $A$ in $Reject(G, L_{INS})$.

Let us denote by $D^{+}$ the extended deduction.

2. By hypothesis, we know that there is a deduction of the consistent signed multiset $M_1$ from $F$. Hence, by Lemma 1, there is a canonical deduction $d_1 d_2 d_3 d_4 d_5$ of such a multiset. It is immediate to note that $d_1 d_2$ is empty. By hypothesis we also know that there is a deduction of a consistent signed multiset $M_2$ from $L_{INS}$; thus (again by Lemma 1), we can consider a canonical deduction $i_1 i_2 i_3 i_4 i_5$ of such a multiset from $L_{INS}$. Note that the update base $E'_1$ of this deduction satisfies the properties of Lemma 5. We extend $D^{+}$ as follows.

- First extend $D^{+}$ with the strong access inferences $a_1 \ldots a_n$ of $i_3$ (in the order they are applied for building $i_3$). Note that each strong access inference $a_j$ is applicable and all signed literals introduced by these inferences are compatible with existing signed literals.
- Then extend the deduction $D^{+} a_1 \ldots a_n$ with the applicable strong access inferences $a'_1 \ldots a'_{n'}$ of $d_3$ (in the order they are applied for building $d_3$). Clearly the multiset obtained after this extended deduction $D^{++}$ contains an occurrence of $A$ for each $A$ in $F'$. Let us show that the signed literals introduced by $a'_1 \ldots a'_{n'}$ are compatible with the previously generated literals. Thus assume that $a'_j$ is a strong access inference using a rule $A \vdash A, Not(B)^{\perp}, \ldots$ from $d_3$. We proceed by reductio ad absurdum, considering all possible cases of incompatibility of $A$ or $Not(B)^{\perp}$ with previously generated literals.

Case 1: $A$ is incompatible with a signed literal introduced by an inference $a'_k$ ($k$ [...] $\in SUCC$.
- If the signed literal occurring in $E_2$ were $A^{\perp}$, then $A \in Reject(G, L_{INS})$. Hence all the occurrences of $A$ would have been erased in the construction of $D^{+}$. Hence the inference $a'_j$ would not be applicable.
- If the signed literal introduced in $E_2$ were $Not(A)$, then such a signed literal would have been introduced by an insertion rule, which is impossible.

Case 4: $Not(B)^{\perp}$ is incompatible with a signed literal introduced by an inference $a'_k$ ($k$ [...] $\in SUCC$. Once again, this implies $ERASE(A) \in E_1$. Same argument as in the subcase just above.

3. Consider the multiset $E_3$ resulting from the extended deduction $D^{++}$. By construction, $E_3$ contains an occurrence of $A$ for each access literal $A$ in $F'$. It is simple to check that if any access literal $A$ whatsoever still has an occurrence in $E_3$, this occurrence is a weak one and should be fired by a weak access inference step or else erased by a weak erase step. To end the proof, it suffices to show that from $E_3$ we can build a deduction of a consistent signed multiset $M_3$ by weak access and weak erase inference steps. Each step of the deduction is defined as follows, assuming that $N_i$ is the current multiset:
- Choose an access literal $A$ in $N_i$ and then,
- if there is an occurrence of $ERASE(A)$ already present in the update base then perform an erase inference;
- else if $Not(A)$ or $A^{\perp}$ is in $N_i$ then perform an erase inference. Note that this is always possible because in the case where $Not(A) \in N_i$, an access inference has fired $Not(A)$, producing an expression $ERASE(A)$, and in the case where $A^{\perp} \in N_i$, $Not(A)$ is the target of a $U$-arc, the access rule for $Not(A)$ has been fired and it has produced an expression $ERASE(A)$;
- otherwise perform a (weak) access step and produce $A$.
Notice that depending on the choices of the access literals made along the deduction, we can obtain several distinct consistent signed multisets. (But we are only interested in the existence of at least one consistent signed multiset.) We can conclude that there exists a deduction $D$ from $F \cup \{L_{INS}\}$ of a consistent signed multiset $M_3$ such that, for each $A \in F'$, the signed non-erasing literal $A$ has an occurrence in $M_3$.

Proof of Lemma 7

Proof. The first item of the lemma is immediate by the definition of $Res(F_i, L_{i+1,INS})$. To prove the second and the third item we need to prove that, under the assumption that either the update model $\mathcal{M}$ is also a static model of $\langle F_{i+1}, G \rangle$ or it satisfies the minimal change property w.r.t. $F_i$ and $\langle F_i, G \rangle$ is consistent, the converse inclusion also holds. Let us assume that the update model $\mathcal{M}$ is also a static model of $\langle F_{i+1}, G \rangle$. Then the consistent signed multiset $M$ associated to $\mathcal{M}$ is deducible from $F_{i+1} \cup F^{\perp}_{i+1}$, where $F^{\perp}_{i+1} = \{Not(L)^{\perp} \mid L \in F_{i+1}\}$. It is easy to check that this implies that $M$ contains each $L$ such that $L \in F_{i+1}$. Thus this case of the second item of the lemma is easily established. We still need to show that if $\langle F_i, G \rangle$ is consistent and $\mathcal{M}$ is an update model of $F_i$ w.r.t. the insertion of $L_{i+1}$ which satisfies the minimal change property w.r.t. $F_i$, then $F_{i+1} - \{L_{i+1}\} \subseteq M \cap F_i$. We start by recalling that, by definition of $F_{i+1}$, $F_{i+1} = [F_i - R] \cup \{L_{i+1}\}$ where $R = \{A \mid A \in Reject(G, L_{i+1,INS})\}$. Thus, it suffices to show that $F_i - R \subseteq M \cap F_i$. Let us abbreviate $F_i - Reject(G, L_{i+1,INS})$ by $F'$. Our goal is to build a deduction of a consistent signed multiset $M'$ from $F_i \cup L_{i+1,INS}$ such that, for each $L \in F'$, the signed non-erasing literal $L$ has an occurrence in $M'$. In fact, let $\mathcal{M}_1$ be the update model of $F_i$ w.r.t. the insertion of $L_{i+1,INS}$ associated to such an $M'$. The minimality of our original update model $\mathcal{M}$ will then allow us to conclude that, for each $L \in F'$, the signed non-erasing literal $L$ also has an occurrence in the consistent signed multiset associated to $\mathcal{M}$, thereby establishing the desired inclusion.

Now, by hypothesis, we know that $\langle F_i, G \rangle$ is consistent. By definition of consistency and by Lemma 3 and Lemma 1, there is a canonical deduction of a consistent signed multiset from $F_i$. Also, from Lemma 4(2), we know that there exists a (unique) consistent signed multiset which is deducible from $L_{i+1,INS}$; again by Lemma 1, there is a canonical deduction of such a multiset from $L_{i+1,INS}$. Hence, by Lemma 6, there is a deduction of a consistent signed multiset $M'$ from $F_i \cup L_{i+1,INS}$ such that, for each $L \in F'$, the signed non-erasing literal $L$ has an occurrence in $M'$.
