modal logic - derivative

LOGICS OF TIME AND COMPUTATION

Upload: robin-cook

Post on 02-Jun-2018


8/10/2019 Modal Logic - Derivative

http://slidepdf.com/reader/full/modal-logic-derivative 1/200

LOGICS OF TIME AND COMPUTATION


CSLI Lecture Notes No. 7

LOGICS OF TIME AND COMPUTATION

Second Edition, Revised and Expanded

Robert Goldblatt

CSLI, CENTER FOR THE STUDY OF LANGUAGE AND INFORMATION


Copyright © 1992 Center for the Study of Language and Information, Leland Stanford Junior University

Printed in the United States

CIP data and other information appear at the end of the book


To my daughter Hannah


Preface to the First Edition

These notes are based on lectures, given at Stanford in the Spring Quarter of 1986, on modal logic, emphasising temporal and dynamic logics. The main aim of the course was to study some systems that have been found relevant recently to theoretical computer science.

Part One sets out the basic theory of normal modal and temporal propositional logics, covering the canonical model construction used for completeness proofs, and the filtration method of constructing finite models and proving decidability results and completeness theorems.

Part Two applies this theory to logics of discrete (integer), dense (rational), and continuous (real) time; to the temporal logic of henceforth, next, and until, as used in the study of concurrent programs; and to the propositional dynamic logic of regular programs.

Part Three is devoted to first-order dynamic logic, and focuses on the relationship between the computational process of assignment to a variable, and the syntactic process of substitution for a variable. A completeness theorem is obtained for a proof theory with an infinitary inference rule.

There is more material here than was covered in the course, partly because I have taken the opportunity to gather together a number of observations, new proofs of old theorems etc., that have occurred to me from time to time. Those familiar with the subject will observe, for instance, that in Part Two proofs of completeness for various logics of discrete and continuous time, and for the temporal logic of concurrency, as well as the discussion of Bull's theorem on normal extensions of S4.3, all differ from those that appear in the literature.

In order to make the notes effective for classroom use, I have deliberately presented much of the material in the form of exercises (especially in Part One). These exercises should therefore be treated as an integral part of the text.

Acknowledgements. My visit to Stanford took place during a period of sabbatical leave from the Victoria University of Wellington which was supported by both universities, and the Fulbright programme. I would like to thank Solomon Feferman and Jon Barwise for the facilities that were made available to me at that time. The CSLI provided generous access to its excellent computer-typesetting system, and the Center's Editor, Dikran Karagueuzian, was particularly helpful with technical advice and assistance in the preparation of the manuscript.


Preface to the Second Edition

The text for this edition has been increased by more than a third. Major additions are as follows.

• §7, originally concerned with incompleteness, now discusses a number of other metatheoretic topics, including first-order definability, (in)validity in canonical frames, failure of the finite model property, and the existence of undecidable logics with decidable axiomatisation.

• §9 now includes a study of the "branching time" system of Computational Tree Logic, due to Clarke and Emerson, which introduces connectives that formalise reasoning about behaviour along different branches of the tree of possible future states. Completeness and decidability are shown by the method of filtration in an adaptation of ideas due to Emerson and Halpern.

• In §10 dynamic logic is extended by the concurrency command $\alpha \cap \beta$, interpreted as "$\alpha$ and $\beta$ executed in parallel". This is modelled by the use of "reachability relations", in which the outcome of a single execution is a set of terminal states, rather than a single state. This leads to a semantics for $[\alpha]$ and $\langle\alpha\rangle$ which makes them independent (i.e. not interdefinable via negation). The resulting logic is shown to be finitely axiomatisable and decidable, by a new theory of canonical models and filtrations for reachability relations.

A significant conceptual change involves the definition of a "logic" (p. 16), which no longer includes the rule of Uniform Substitution. Logics satisfying this rule are called Uniform, and are discussed in detail on page 23. The change causes a number of minor adaptations throughout the text.

A notable technical improvement concerns the completeness proof for S4.3Dum in §8 (pp. 73-75). The original Dum-Lemma has been replaced by a direct proof that non-last clusters in the filtration are simple. This has resulted in some re-arrangement of the material concerning Bull's Theorem, and a simplification of the completeness theorem for the temporal logic of concurrency in §9 (pp. 95-96).

Other small changes include additional material about the Diodorean modality of spacetime (p. 45), and a rewriting of the basic filtration construction for dynamic logic (p. 114) using a uniform method of proving the first filtration condition that obviates the need to establish any standard-model conditions for the canonical model.

Reformatting the text has provided the opportunity to make numerous changes in style and expression, as well as to correct typos. I will be thankful for, if not pleased by, information about any further such errors.

rob@math.vuw.ac.nz


Contents

Preface to the First Edition
Preface to the Second Edition

Part One: Propositional Modal Logic
1. Syntax and Semantics
2. Proof Theory
3. Canonical Models and Completeness
4. Filtrations and Decidability
5. Multimodal Languages
6. Temporal Logic
7. Some Topics in Metatheory

Part Two: Some Temporal and Computational Logics
8. Logics with Linear Frames
9. Temporal Logic of Concurrency
10. Propositional Dynamic Logic

Part Three: First-Order Dynamic Logic
11. Assignments, Substitutions, and Quantifiers
12. Syntax and Semantics
13. Proof Theory
14. Canonical Model and Completeness

Bibliography

Index


Part One

Propositional Modal Logic


1 Syntax and Semantics

BNF

The notation of Backus-Naur form (BNF) will be used to define the syntax of the languages we will study. This involves specifying certain syntactic categories, and then giving recursive equations to show how the members of those categories are generated. The method can be illustrated by the syntax of standard propositional logic, which has one main category, that of the formulae. These are generated from some set of atomic formulae (or propositional variables), together with a constant $\bot$ (the falsum), by the connective $\to$ (implication). In BNF, this is expressed in one line as

$\langle\text{formula}\rangle ::= \langle\text{atomic formula}\rangle \mid \bot \mid \langle\text{formula}\rangle \to \langle\text{formula}\rangle$

The symbol ::= can be read "comprises", or "consists of", or simply "is". The vertical bar | is read "or". Thus the equation says that a formula is either an atomic formula, the falsum, or an implication between two formulae.

The definition becomes even more concise when we use individual letters for members of syntactic categories, in the usual way. Let $\Phi$ be a denumerable set of atomic formulae, with typical member denoted $p$. The set of all formulae generated from $\Phi$ will be denoted $Fma(\Phi)$, and its members denoted $A, A_1, A', B, \ldots$ etc. The presentation of syntax then becomes

Atomic formulae: $p \in \Phi$

Formulae: $A \in Fma(\Phi)$

$A ::= p \mid \bot \mid A \to A$

Technically, the recursive equation governs a non-deterministic rewriting procedure for generating formulae, in which any occurrence of the symbol to the left of the ::= sign can be replaced by any of the alternative expressions on the right side. Thus the two occurrences of $A$ in the expression $A \to A$ may themselves be replaced by different expressions, and so stand for different formulae. In some BNF presentations, this is emphasised by using subscripts to distinguish different occurrences of a symbol. Then the above equation is given as

Modal Formulae

The language of propositional modal logic requires one additional symbol, the box $\Box$. The BNF definition of the set of modal formulae generated by $\Phi$ is

Atomic formulae: $p \in \Phi$

Formulae: $A \in Fma(\Phi)$

$A ::= p \mid \bot \mid A_1 \to A_2 \mid \Box A$

Possible readings of

It is necessarily true that A.
It will always be true that A.
It ought to be that A.
It is known that A.
It is believed that A.
It is provable in Peano Arithmetic that A.
After the program terminates, A.

Other connectives

These are introduced by the usual abbreviations.

Negation: $\neg A$ is $A \to \bot$
Verum: $\top$ is $\neg\bot$
Disjunction: $A_1 \lor A_2$ is $(\neg A_1) \to A_2$
Conjunction: $A_1 \land A_2$ is $\neg(A_1 \to \neg A_2)$
Equivalence: $A_1 \leftrightarrow A_2$ is $(A_1 \to A_2) \land (A_2$
Diamond: $\Diamond$ is

Notational Convention

In the case that $n = 0$, the expression

$B_0 \land \ldots \land B_{n-1} \to B$

just denotes the formula $B$.


simultaneously uniformly substituting $B_1$ for $p_1$ in $A$, and $B_2$ for $p_2$ in $A$, and ..., and $B_n$ for $p_n$ in $A$. Let

$\Sigma_A = \{A' : A' \text{ is a substitution instance of } A\}$.

Then a schema may be defined as a set of formulae that is equal to $\Sigma_A$ for some formula $A$.

For example, if $A$ is the formula $\Box p \to p$, with $p$ atomic, then $\Sigma_A$ is what was described above as "the schema $\Box A \to A$".

Frames and Models

A frame is a pair $\mathcal{F} = (S, R)$, where $S$ is a non-empty set, and $R$ a binary relation on $S$: in symbols, $R \subseteq S \times S$.

A $\Phi$-model on a frame is a triple $\mathcal{M} = (S, R, V)$, with $V : \Phi \to 2^S$. Hence $V$ is a function assigning to each atomic formula $p \in \Phi$ a subset $V(p)$ of $S$. Informally, $V(p)$ is to be thought of as the set of points at which $p$ is "true". Generally we drop the prefix $\Phi$- in discussing models, provided the context is clear.

The relation "$A$ is true (holds) at point $s$ in model $\mathcal{M}$", denoted

$\mathcal{M} \models_s A$,

is defined inductively on the formation of $A \in Fma(\Phi)$ as follows.

$\mathcal{M} \models_s p$ iff $s \in V(p)$
$\mathcal{M} \not\models_s \bot$ (i.e. not $\mathcal{M} \models_s \bot$)
$\mathcal{M} \models_s (A_1 \to A_2)$ iff $\mathcal{M} \models_s A_1$ implies $\mathcal{M} \models_s A_2$
$\mathcal{M} \models_s \Box A$ iff for all $t \in S$, $sRt$ implies $\mathcal{M} \models_t A$

Exercises 1.2

(1) $\mathcal{M} \models_s \neg A$ iff $\mathcal{M} \not\models_s A$. Work out the corresponding truth conditions for $A \land B$, $A \lor B$, $A \leftrightarrow B$.

(2) $\mathcal{M} \models_s \Diamond A$ iff there exists $t \in S$ with $sRt$ and $\mathcal{M} \models_t A$.

Motivations

1. Necessity. Following the dictum of Leibnitz that a necessary truth is one that holds in all "possible worlds", $S$ may be thought of as a set of such worlds, with $sRt$ when $t$ is a conceivable alternative to $s$, i.e. a world in which all the necessary truths of $s$ are realised. $\Box A$ then means "A is necessarily true", while $\Diamond A$ means "A is possible", i.e. true in some conceivable world.


2. Different notions of necessity can be entertained. Thus logical necessity may be contrasted with physical necessity, the latter taking $\Box A$ to mean "A is a consequence of the laws of physics". Under this reading, $sRt$ holds when $t$ is a scientific alternative to $s$, i.e. a world in which all scientific laws of $s$ are fulfilled. Hence in our world, $\Box(x < c)$ is true under the physical reading, where $c$ is the velocity of light and $x$ the velocity of a material body. On the other hand it is logically possible that $(x < c)$ is false.

3. In deontic logic, $\Box$ means "A ought to be true". $sRt$ then means that $t$ is a morally ideal alternative to $s$, a world in which all moral laws of $s$ are obeyed. If $s$ is the actual world, few would maintain that $sRs$ under this interpretation. On the other hand, any world is a logical, and scientific, alternative to itself.

4. Temporal Logic. Here the members of $S$ are taken to be moments of time. If $sRt$ means "$t$ is after (later than) $s$", then $\Box A$ means "henceforth A", i.e. "at all future times A", while $\Diamond A$ means "eventually (at some future time) A". Dually, if $sRt$ means that $t$ is before $s$, then $\Box$ means "hitherto", and so on. Natural time frames $(S, R)$ for temporal logic are given by taking $S$ as one of the number sets $\omega$ (natural numbers), $\mathbb{Z}$ (integers), $\mathbb{Q}$ (rationals), or $\mathbb{R}$ (reals), and $R$ as one of the relations $<$, $\le$, $>$, $\ge$. Another interesting possibility is to consider various orderings on the points of four-dimensional Minkowskian spacetime (cf. page 45, and Goldblatt [1980]), or even more general non-linear "branchings" in time (Rescher and Urquhart [1971]).

5. Program states. Reading $\Box$ as "after the program terminates", $S$ is to be regarded as the set of possible states of a computation process, with $sRt$ meaning that there is an execution of the program that starts in state $s$ and terminates in state $t$. A non-deterministic program may admit more than one possible "outcome" $t$ when started in $s$. Then $\Box A$ means "every terminating execution of the program brings about A", while $\Diamond A$ means that the program enables $A$, i.e. "there is some execution that terminates with A true".

At the level of propositional logic, the notion of state is formally taken to be primitive, as in the theory of automata, Turing machines, etc. A natural concrete interpretation of the notion is possible in quantificational logic, as will be seen in Part Three.

Valuations and Tautologies

Given a $\Phi$-model $\mathcal{M}$, and a fixed $s \in S$, define

true if s
false otherwise


Exercises 1.4

(1) The following are true in all models, hence valid in all frames.

$\Box\top$
$\Box(A \to B) \to (\Box A \to \Box B)$
$\Diamond(A \to B) \to (\Box A \to \Diamond B)$
$\to \Diamond B)$
$\Diamond(A \lor B) \leftrightarrow (\Diamond A \lor \Diamond B)$

(2) Show that the following do not have the property of being valid in all frames.

$\Box A \to A$
$\Box A \to \Box\Box A$
$\Box(A \to B) \to (\Box A \to \Diamond B)$
$\Diamond\top$
$\Box(\Box A \to B) \lor \Box(\Box B \to A)$
$\Box(A \lor B) \to \Box A \lor \Box B$
$\Box(\Box A \to A) \to \Box A$

(N.B. some instances of these schemata may be valid, e.g. when $A$ is a tautology. What is required is to find a counterexample to validity of at least one instance of each schema.)

(3) Show that $\Diamond\top$ and the schema $\Box A \to \Diamond A$ have exactly the same models.

(4) Exhibit a frame in which $\Box\bot$ is valid.

(5) In any model $\mathcal{M}$,
(i) if $A$ is a tautology then $\mathcal{M} \models A$;
(ii) if $\mathcal{M} \models A$ and $\mathcal{M} \models A \to B$, then $\mathcal{M} \models B$;
(iii) if $\mathcal{M} \models A$ then $\mathcal{M} \models \Box A$.

(6) Items (i)-(iii) of the previous exercise hold if $\mathcal{M}$ is replaced by any frame $\mathcal{F}$.

Ancestral (Reflexive Transitive Closure)

Let $\mathcal{F} = (S, R)$ be a frame. Define on $S$ the relations $R^n \subseteq S \times S$, for $n \ge 0$, and $R^*$, as follows.

$sR^0t$ iff $s = t$

$sR^{n+1}t$ iff $\exists u(sR^nu \;\&\; uRt)$


Submodel Lemma 1.7. If $A \in Fma(\Phi)$, then for any $u \in S^*$,

$\mathcal{M}^* \models_u A$ iff $\mathcal{M} \models_u A$.

Proof. By induction on the formation of $A$. The case $A = p \in \Phi$ follows from the definition of $V^*$, and the case $A = \bot$ is immediate. The inductive cases $A = (B \to D)$ and $A = \Box B$ are given as exercises.

Corollary 1.8.

(1) $\mathcal{M} \models A$ implies $\mathcal{M}^* \models A$.
(2) $\mathcal{M} \models A$ iff $A$ is true in all generated submodels of $\mathcal{M}$.
(3) $\mathcal{F} \models A$ iff $A$ is valid in all generated subframes of $\mathcal{F}$.

p-Morphisms

Let $\mathcal{M}_1 = (S_1, R_1, V_1)$ and $\mathcal{M}_2 = (S_2, R_2, V_2)$ be models, and $f : S_1 \to S_2$ a function satisfying

$sR_1t$ implies $f(s)R_2f(t)$;
$f(s)R_2u$ implies $\exists t(sR_1t \;\&\; f(t) = u)$;
$s \in V_1(p)$ iff $f(s) \in V_2(p)$.

Then $f$ is called a p-morphism from $\mathcal{M}_1$ to $\mathcal{M}_2$. A function satisfying the first two conditions is a p-morphism from frame $(S_1, R_1)$ to frame $(S_2, R_2)$.

p-Morphism Lemma 1.9. If $A \in Fma(\Phi)$, then for any $s \in S_1$,

$\mathcal{M}_1 \models_s A$ iff $\mathcal{M}_2 \models_{f(s)} A$.

Proof. Exercise.

If there is a p-morphism $f : \mathcal{F}_1 \to \mathcal{F}_2$ that is surjective (onto), then frame $\mathcal{F}_2$ is called a p-morphic image of $\mathcal{F}_1$.

p-Morphism Lemma 1.10. If $\mathcal{F}_2$ is a p-morphic image of $\mathcal{F}_1$, then for any formula $A$,

$\mathcal{F}_1 \models A$ implies $\mathcal{F}_2 \models A$.

Proof. Suppose $A$ is false at some point $t$ in some model $\mathcal{M}_2 = (\mathcal{F}_2, V_2)$ based on $\mathcal{F}_2$. Take a surjective p-morphism $f : S_1 \to S_2$ and define a model $\mathcal{M}_1 = (\mathcal{F}_1, V_1)$ by declaring

$s \in V_1(p)$ iff $f(s) \in V_2(p)$.

Then $f$ is a p-morphism from $\mathcal{M}_1$ to $\mathcal{M}_2$. Choosing any $s$ with $f(s) = t$, the first p-Morphism Lemma 1.9 gives $A$ false at $s$ in the model $\mathcal{M}_1$ based


Exercise 1.11

Let $\mathcal{F}_1 = (\{0, 1\}, R)$ and $\mathcal{F}_2 = (\{0\}, R)$, where in each case $R$ is the universal relation $S \times S$. Show that

$\mathcal{F}_1 \models A$ implies $\mathcal{F}_2 \models A$,

$(\omega, <) \models A$ implies $\mathcal{F}_2 \models A$.

The curious appellation "p-morphism" derives from an early use of the name "pseudo-epimorphism" in this context, and seems to have become entrenched in the literature.

Conditions on R

The following is a list of properties of a binary relation $R$ that are defined by first-order sentences.

1. Reflexive: $\forall s(sRs)$
2. Symmetric: $\forall s\forall t(sRt \to tRs)$
3. Serial: $\forall s\exists t(sRt)$
4. Transitive: $\forall s\forall t\forall u(sRt \land tRu \to sRu)$
5. Euclidean: $\forall s\forall t\forall u(sRt \land sRu \to tRu)$
6. Partially functional: $\forall s\forall t\forall u(sRt \land sRu \to t = u)$
7. Functional: $\forall s\exists! t(sRt)$
8. Weakly dense: $\forall s\forall t(sRt \to \exists u(sRu \land uRt))$
9. Weakly connected: $\forall s\forall t\forall u(sRt \land sRu \to tRu \lor t = u \lor uRt)$
10. Weakly directed: $\forall s\forall t\forall u(sRt \land sRu \to \exists v(tRv \land uRv))$

Corresponding to this list is a list of schemata:

1. $\Box A \to A$
2. $A \to \Box\Diamond A$
3. $\Box A \to \Diamond A$
4. $\Box A \to \Box\Box A$
5.
6.
7. $\Diamond A \leftrightarrow \Box A$
8. $\Box\Box A \to \Box A$
9. $\Box(A \land \Box A \to B$
10. $\Diamond\Box A \to \Box\Diamond A$

Theorem 1.12. Let $\mathcal{F} = (S, R)$ be a frame. Then for each of the properties 1-10, if $R$ satisfies the property, then the corresponding schema is valid in $\mathcal{F}$.


Proof. We illustrate with the case of transitivity. Suppose that $R$ is transitive. Let $\mathcal{M}$ be any model on $\mathcal{F}$. To show that

$\mathcal{M} \models \Box A \to \Box\Box A$,

take any $s$ in $\mathcal{M}$ with $\mathcal{M} \models_s \Box A$. We have to prove

$\mathcal{M} \models_s \Box\Box A$,

which means

$sRt$ implies $\mathcal{M} \models_t \Box A$,

or, in other words,

$sRt$ implies ($tRu$ implies $\mathcal{M} \models_u A$).

So, suppose $sRt$. Then if $tRu$, we have $sRu$ by transitivity, so $\mathcal{M} \models_u A$, since $\mathcal{M} \models_s \Box A$ by hypothesis.

The other cases are left as exercises.

Theorem 1.13. If a frame $\mathcal{F} = (S, R)$ validates any one of the schemata 1-10, then $R$ satisfies the corresponding property.

Proof. Take the case of schema 10. To show $R$ is weakly directed, suppose $sRt$ and $sRu$. Let $\mathcal{M}$ be any model on $\mathcal{F}$ in which $V(p) = \{v : uRv\}$. Then by definition,

$uRv$ implies $\mathcal{M} \models_v p$,

so $\mathcal{M} \models_u \Box p$, and hence, as $sRu$, $\mathcal{M} \models_s \Diamond\Box p$. But then as schema 10 is valid in $\mathcal{F}$, $\mathcal{M} \models_s \Box\Diamond p$, so as $sRt$, $\mathcal{M} \models_t \Diamond p$. This implies that there exists a $v$ with $tRv$ and $\mathcal{M} \models_v p$, i.e. $v \in V(p)$, so $uRv$ as desired.

Next, the case of schema 8. Suppose $sRt$. Let $\mathcal{M}$ be a model on $\mathcal{F}$ with $V(p) = \{v : t \ne v\}$. Then $\mathcal{M} \not\models_t p$, so $\mathcal{M} \not\models_s \Box p$. Hence by validity of schema 8, $\mathcal{M} \not\models_s \Box\Box p$, so there exists a $u$ with $sRu$ and $\mathcal{M} \not\models_u \Box p$. Then for some $v$, $uRv$ and $\mathcal{M} \not\models_v p$, i.e. $v = t$, so that $uRt$, as needed to show that $R$ is weakly dense.
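
Theorems 1.12 and 1.13 can be checked mechanically on small frames. The following Python sketch is an added example, not part of the original text: it implements the truth definition of §1 for finite models (with the clause for the diamond taken from Exercise 1.2(2)) and, by enumerating every valuation on every frame with at most three points, compares properties 4, 8 and 10 with the instances of their schemata at an atomic p, as used in the proofs above. The tuple encoding of formulae and all function names are assumptions of this example.

```python
from itertools import product

# Formulae are nested tuples (an encoding chosen for this example).
BOT = ("bot",)
def atom(name): return ("atom", name)
def imp(a, b): return ("imp", a, b)
def box(a): return ("box", a)
def dia(a): return ("dia", a)

P = atom("p")
SCHEMA_4 = imp(box(P), box(box(P)))        # box p -> box box p
SCHEMA_8 = imp(box(box(P)), box(P))        # box box p -> box p
SCHEMA_10 = imp(dia(box(P)), box(dia(P)))  # dia box p -> box dia p


def holds(S, R, V, s, f):
    """Truth of formula f at point s of the model (S, R, V)."""
    tag = f[0]
    if tag == "atom":
        return s in V[f[1]]
    if tag == "bot":
        return False
    if tag == "imp":
        return (not holds(S, R, V, s, f[1])) or holds(S, R, V, s, f[2])
    if tag == "box":  # true at every R-successor of s
        return all(holds(S, R, V, t, f[1]) for t in S if (s, t) in R)
    if tag == "dia":  # true at some R-successor of s
        return any(holds(S, R, V, t, f[1]) for t in S if (s, t) in R)
    raise ValueError("unknown connective: %r" % (tag,))


def atoms_of(f):
    """Names of the atomic formulae occurring in f."""
    if f[0] == "atom":
        return {f[1]}
    return set().union(*(atoms_of(g) for g in f[1:]))


def subsets(S):
    """All subsets of S, i.e. all candidate values V(p)."""
    for bits in product([False, True], repeat=len(S)):
        yield frozenset(x for x, b in zip(S, bits) if b)


def falsifying_model(S, R, f):
    """Return (V, s) with f false at s, or None if f is valid in (S, R)."""
    names = sorted(atoms_of(f))
    for choice in product(list(subsets(S)), repeat=len(names)):
        V = dict(zip(names, choice))
        for s in S:
            if not holds(S, R, V, s, f):
                return V, s
    return None


def transitive(S, R):
    return all((s, u) in R for (s, t) in R for (t2, u) in R if t == t2)

def weakly_dense(S, R):
    return all(any((s, u) in R and (u, t) in R for u in S) for (s, t) in R)

def weakly_directed(S, R):
    return all(any((t, v) in R and (u, v) in R for v in S)
               for (s, t) in R for (s2, u) in R if s == s2)

PAIRS = [("transitive", transitive, SCHEMA_4),
         ("weakly dense", weakly_dense, SCHEMA_8),
         ("weakly directed", weakly_directed, SCHEMA_10)]


def mismatches(max_size=3):
    """Frames on which 'R has the property' and 'schema is valid' disagree."""
    bad = []
    for n in range(1, max_size + 1):
        S = list(range(n))
        cells = [(s, t) for s in S for t in S]
        for bits in product([False, True], repeat=len(cells)):
            R = frozenset(c for c, b in zip(cells, bits) if b)
            for name, prop, schema in PAIRS:
                if prop(S, R) != (falsifying_model(S, R, schema) is None):
                    bad.append((name, n, sorted(R)))
    return bad


if __name__ == "__main__":
    print("disagreements:", mismatches())
    # A non-transitive chain 0 -> 1 -> 2 refutes schema 4 at point 0.
    print(falsifying_model([0, 1, 2], {(0, 1), (1, 2)}, SCHEMA_4))
```

An empty list from `mismatches()` means that property and schema agree on every frame examined; the exhaustive search says nothing about infinite frames, which the proofs cover.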

Exercises 1.14

(1) Complete the proofs of Theorems 1.12 and 1.13.

(2) Give a property of $R$ that is necessary and sufficient for $\mathcal{F}$ to validate the schema $A \to \Box A$. Do the same for $\Box\bot$.


First-Order Definability

Theorems 1.12 and 1.13 go a long way toward explaining the great success that the relational semantics enjoyed upon its introduction by Kripke [1963]. Frames are much easier to deal with than the modelling structures (Boolean algebras with a unary operator) that had been available hitherto, and many modal schemata were shown to have their frames characterised by simple first-order properties of $R$. For a time it seemed that propositional modal logic corresponded in strength to first-order logic, but that proved not to be so. Here are a couple of illustrations.

(1) The schema

W: $\Box(\Box A \to A) \to \Box A$

is valid in frame $(S, R)$ iff

(i) $R$ is transitive, and
(ii) there are no sequences $s_0, \ldots, s_n, \ldots$ in $S$ with $s_nRs_{n+1}$ for all $n \ge 0$.

(for a proof cf. Boolos [1979], p.82). Now it can be shown by the Compactness Theorem of first-order logic that there exists a frame satisfying (i) and (ii) that is elementarily equivalent to (i.e. satisfies the same first-order sentences as) a frame in which (ii) fails. Hence there can be no set of first-order sentences that defines the class of frames of this schema.

(2) The class of frames of the so-called McKinsey schema

M: $\Box\Diamond A \to \Diamond\Box A$

is not defined by any set of first-order sentences (Goldblatt [1975], van Benthem [1975]).

(Both of the above schemata will figure in the discussion of incompleteness in §7, where there is also a further consideration of the question of first-order definability.)

Subsequent investigations demonstrated that propositional modal logic corresponds to a fragment of second-order logic (Thomason [1975]).

Undefinable conditions

There are some naturally occurring properties of a binary relation $R$ that do not correspond to the validity of any modal schema. One such is irreflexivity, i.e. $\forall s\neg(sRs)$. To see this, observe that the class of all frames validating a given schema is closed under p-morphic images (1.10), but the class of irreflexive frames is not so closed. For instance, it contains $(\omega, <)$, but not its p-morphic image $(\{0\}, \{(0, 0)\})$ (cf. Exercise 1.11).
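
The closure argument can be replayed on finite frames. The following Python sketch is an added example, not part of the original text: it checks the two frame conditions for a p-morphism by enumeration and uses a two-point irreflexive cycle as a finite stand-in for $(\omega, <)$, which is an assumption of the example, as are all function and constant names.

```python
from itertools import product


def is_p_morphism(S1, R1, S2, R2, f):
    """Check the two frame conditions for f (a dict from S1 to S2)."""
    # First condition: s R1 t implies f(s) R2 f(t).
    forth = all((f[s], f[t]) in R2 for (s, t) in R1)
    # Second condition: f(s) R2 u implies some t with s R1 t and f(t) = u.
    back = all(any((s, t) in R1 and f[t] == u for t in S1)
               for s in S1 for u in S2 if (f[s], u) in R2)
    return forth and back


def surjective_p_morphisms(S1, R1, S2, R2):
    """All surjective p-morphisms from (S1, R1) onto (S2, R2)."""
    found = []
    for image in product(S2, repeat=len(S1)):
        f = dict(zip(S1, image))
        if set(image) == set(S2) and is_p_morphism(S1, R1, S2, R2, f):
            found.append(f)
    return found


def irreflexive(S, R):
    return all((s, s) not in R for s in S)


# Constructed frames, each given as (S, R).
POINT = ([0], {(0, 0)})                                   # one reflexive point
UNIVERSAL_2 = ([0, 1], {(0, 0), (0, 1), (1, 0), (1, 1)})  # first frame of Exercise 1.11
TWO_CYCLE = ([0, 1], {(0, 1), (1, 0)})                    # irreflexive, no dead ends
DEAD_END = ([0, 1], {(0, 1)})                             # point 1 has no successor


def image_loses_irreflexivity(source, target):
    """True if source is irreflexive and target is a reflexive-somewhere
    p-morphic image of it, so irreflexivity is not preserved."""
    return (irreflexive(*source)
            and bool(surjective_p_morphisms(*source, *target))
            and not irreflexive(*target))


if __name__ == "__main__":
    print(surjective_p_morphisms(*UNIVERSAL_2, *POINT))  # the constant map
    print(image_loses_irreflexivity(TWO_CYCLE, POINT))   # True
    # The second condition fails at the dead end, so no p-morphism exists.
    print(surjective_p_morphisms(*DEAD_END, *POINT))     # []
```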


Exercise 1.15

Show that neither of the following conditions correspond to any modal schema.

Antisymmetry: $\forall s\forall t(sRt \land tRs \to s = t)$,
Asymmetry: $\forall s\forall t(sRt \to \neg tRs)$.

Historical Note

The concepts of necessity and possibility have been studied by philosophers throughout history, notably by Aristotle, and in the middle ages. The contemporary symbolic analysis of modality is generally considered to have originated in the work of C. I. Lewis early this century (cf. Lewis and Langford [1932]). Lewis was concerned with a notion of strict implication. He defined "A strictly implies B" as $I(A \land \neg B)$, where $I$ is a primitive impossibility operator (later he expressed this as $\neg\Diamond(A \land \neg B)$, where $\Diamond$ expresses possibility). He defined a series of systems, which he called S1 to S5, based directly on axioms for strict implication. The standard procedure nowadays is to adjoin axioms and rules for $\Box$, or $\Diamond$, to the usual presentation of propositional logic. This approach to modal logic was first used in a paper by Gödel [1933]. The model theory described in this section is due to Kripke [1959, 1963].

To learn about the history of modal logic, the reader should first consult the interesting Historical Introduction to Lemmon [1977], where further references may be found.


2 Proof Theory

Logics

Given a language based on a countable set $\Phi$ of atomic formulae, a logic is defined to be any set $\Lambda \subseteq Fma(\Phi)$ such that

• $\Lambda$ includes all tautologies, and
• $\Lambda$ is closed under the rule of Detachment, i.e.,

if $A, A \to B \in \Lambda$ then $B \in \Lambda$.

Examples of Logics

(1) $PL = \{A \in Fma(\Phi) : A \text{ is a tautology}\}$.

(2) For any class $C$ of models, or of frames (including the cases $C = \{\mathcal{M}\}$ and $C = \{\mathcal{F}\}$),

$\Lambda_C = \{A : C \models A\}$

is a logic.

(3) $Fma(\Phi)$ itself is a logic.

(4) If $\{\Lambda_i : i \in I\}$ is a collection of logics, then their intersection

is a logic. Thus for any $\Gamma \subseteq Fma(\Phi)$ there is a smallest logic containing $\Gamma$, namely the intersection of the collection

$\{\Lambda : \Lambda \text{ is a logic and } \Gamma \subseteq \Lambda\}$.

Note that $PL$ is the smallest logic, and $Fma(\Phi)$ the largest, in the sense that for any logic $\Lambda$,

$PL \subseteq \Lambda \subseteq Fma(\Phi)$.

Tautological Consequence

A formula $A$ is a tautological consequence of formulae $A_1, \ldots, A_n$ if $A$ is assigned true by every valuation that assigns true to all of $A_1, \ldots, A_n$. In particular, a tautological consequence of the empty set of formulae is the same thing as a tautology.


Exercise 2.1

Show that any logic $\Lambda$ is closed under tautological consequence, i.e. if $A_1, \ldots, A_n \in \Lambda$, then any tautological consequence of $A_1, \ldots, A_n$ belongs to $\Lambda$.

Instead of defining a logic $\Lambda$ to include all tautologies, it would suffice to include a set of schemata from which all tautologies can be derived by Detachment, e.g. the schemata

$\neg\neg A \to A$.

Theorems

The members of a logic are called its theorems. We write $\vdash_\Lambda A$ to mean that $A$ is a $\Lambda$-theorem, i.e.,

$\vdash_\Lambda A$ iff $A \in \Lambda$.

Soundness and Completeness

Let $C$ be a class of frames, or of models. Then logic $\Lambda$ is sound with respect to $C$ if for all formulae $A$,

$\vdash_\Lambda A$ implies $C \models A$.

$\Lambda$ is complete with respect to $C$, if, for any $A$,

$C \models A$ implies $\vdash_\Lambda A$.

$\Lambda$ is determined by $C$ if it is both sound and complete with respect to $C$.

Deducibility and Consistency

If $\Gamma \cup \{A\} \subseteq Fma(\Phi)$, then $A$ is $\Lambda$-deducible from $\Gamma$, denoted $\Gamma \vdash_\Lambda A$, if there exist $B_0, \ldots, B_{n-1} \in \Gamma$ such that

$\vdash_\Lambda B_0 \to (B_1 \to (\cdots \to (B_{n-1} \to A)\cdots))$

(in the case $n = 0$, this means that $\vdash_\Lambda A$). We write $\Gamma \nvdash_\Lambda A$ when $A$ is not $\Lambda$-deducible from $\Gamma$.

A set $\Gamma \subseteq Fma(\Phi)$ is $\Lambda$-consistent if $\Gamma \nvdash_\Lambda \bot$. A formula $A$ is $\Lambda$-consistent if the set $\{A\}$ is.


Exercises 2.2

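(1) $\vdash_\Lambda A$ iff $\emptyset \vdash_\Lambda A$.

(2) If $\vdash_\Lambda A$ then $\Gamma \vdash_\Lambda A$.

(3) If $\Lambda \subseteq \Lambda'$, then $\Gamma \vdash_\Lambda A$ implies $\Gamma \vdash_{\Lambda'} A$.

(4) If $A \in \Gamma$ then $\Gamma \vdash_\Lambda A$.

(5) If $\Gamma \subseteq \Delta$ and $\Gamma \vdash_\Lambda A$, then $\Delta \vdash_\Lambda A$.

(6) If $\Gamma \vdash_\Lambda A$ and $\{A\} \vdash_\Lambda B$, then $\Gamma \vdash_\Lambda B$.

(7) Detachment: If $\Gamma \vdash_\Lambda A$ and $\Gamma \vdash_\Lambda A \to B$, then $\Gamma \vdash_\Lambda B$.

(8) Deduction Theorem: $\Gamma \cup \{A\} \vdash_\Lambda B$ iff $\Gamma \vdash_\Lambda A \to B$.

(9) $\Gamma \vdash_\Lambda A$ iff there exists a finite sequence $A_0, \ldots, A_m = A$ such that for all $i \le m$, either $A_i \in \Gamma \cup \Lambda$, or else $A_k = (A_j \to A_i)$ for some $j, k < i$ (i.e. $A_i$ follows from $A_j$ and $A_k$ by Detachment).

(10) $\{A : \Gamma \vdash_\Lambda A\}$ is the smallest logic containing $\Gamma \cup \Lambda$.

(11) Soundness: If $\mathcal{M} \models_s \Gamma \cup \Lambda$ and $\Gamma \vdash_\Lambda A$, then $\mathcal{M} \models_s A$.

(12) If $\Gamma \subseteq \Lambda$, then $\Gamma$ is $\Lambda$-consistent if, and only if, $\Lambda \ne Fma(\Phi)$.

(13) $\Gamma$ is $\Lambda$-consistent iff there exists a formula $A$ with $\Gamma \nvdash_\Lambda A$.

(14) $\Gamma$ is $\Lambda$-consistent iff there is no formula $A$ having both $\Gamma \vdash_\Lambda A$ and $\Gamma \vdash_\Lambda \neg A$.

(15) $\Gamma \vdash_\Lambda A$ iff $\Gamma \cup \{\neg A\}$ is not $\Lambda$-consistent.

(16) $\Gamma \cup \{A\}$ is $\Lambda$-consistent iff $\Gamma \nvdash_\Lambda \neg A$.

(17) If $\Gamma$ is $\Lambda$-consistent, then for any formula $A$, at least one of $\Gamma \cup \{A\}$ and $\Gamma \cup \{\neg A\}$ is $\Lambda$-consistent.

Maximal Sets

Let $\mathcal{M} = (S, R, V)$ be a model of a logic $\Lambda$, i.e. $\mathcal{M} \models \Lambda$. Associate with each $s \in S$ the set

$\Gamma_s = \{A \in Fma(\Phi) : \mathcal{M} \models_s A\}$.

Then $\Gamma_s$ is $\Lambda$-consistent (why?), and moreover, for each formula $A$, one of $A$ and $\neg A$ is in $\Gamma_s$.

In the next section we will be building models for certain logics. Since we have only a syntactic structure, namely $\Lambda$, to begin with, we will have to use syntactic entities, such as formulae or sets of formulae, as the points of our models. It turns out that the way to proceed is to use sets of formulae that enjoy the properties possessed by those sets $\Gamma_s$ naturally associated with points of a given $\Lambda$-model.

A set $\Gamma \subseteq Fma(\Phi)$ is defined to be $\Lambda$-maximal if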


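• $\Gamma$ is $\Lambda$-consistent, and

• for any $A \in Fma(\Phi)$, either $A \in \Gamma$ or $\neg A \in \Gamma$.

We define

$S^\Lambda = \{\Gamma : \Gamma \text{ is } \Lambda\text{-maximal}\}$.

Exercises 2.3

Suppose $\Gamma$ is $\Lambda$-maximal.

(1) $\Gamma \vdash_\Lambda A$ implies $A \in \Gamma$.

(2) If $A \notin \Gamma$, then $\Gamma \cup \{A\}$ is not $\Lambda$-consistent. Hence if $\Gamma \subseteq \Delta$ and $\Delta$ is $\Lambda$-consistent, then $\Gamma = \Delta$ (this explains the use of the adjective "maximal").

(3) For any formula $A$, exactly one of $A$ and $\neg A$ belongs to $\Gamma$, i.e.,

$\neg A \in \Gamma$ iff $A \notin \Gamma$.

(4) $\Lambda \subseteq \Gamma$.

(5) $\bot \notin \Gamma$.

(6) $(A \to B) \in \Gamma$ iff ($A \in \Gamma$ implies $B \in \Gamma$).

(7) $A \land B \in \Gamma$ iff $A, B \in \Gamma$.

(8) $A \lor B \in \Gamma$ iff $A \in \Gamma$ or $B \in \Gamma$.

(9) $(A \leftrightarrow B) \in \Gamma$ iff ($A \in \Gamma$ iff $B \in \Gamma$).

Existence of Maximal Sets

We have yet to show that $S^\Lambda \ne \emptyset$, i.e. that there are any $\Lambda$-maximal sets.

To see this, let

$A_0, A_1, \ldots, A_n, \ldots$

be an enumeration of the set $Fma(\Phi)$ (such an enumeration exists, since $\Phi$ is countable). Then if $\Gamma$ is any $\Lambda$-consistent set, define

$\Delta_{n+1} = \begin{cases} \Delta_n \cup \{A_n\}, & \text{if } \Delta_n \vdash_\Lambda A_n \\ \Delta_n \cup \{\neg A_n\}, & \text{otherwise.} \end{cases}$

By construction, at least one of $A_n$ and $\neg A_n$ is in $\Delta$, for all $n$.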


Exercises 2.4

(1) $\Delta_n$ is $\Lambda$-consistent, for all $n$.

(2) Exactly one of $A$ and $\neg A$ is in $\Delta$, for all formulae $A$.

(3) If $\Delta \vdash_\Lambda B$, then $B \in \Delta$.

It follows from these exercises that $\Delta$ is $\Lambda$-consistent. For, if $\Delta \vdash_\Lambda \bot$, then $\Delta_n \vdash_\Lambda \bot$ for some $n$, contrary to the consistency of $\Delta_n$. Thus we have established

Lindenbaum's Lemma 2.5. Every $\Lambda$-consistent set of formulae is contained in a $\Lambda$-maximal set.

Corollary 2.6.

(1) $\{A : \Gamma \vdash_\Lambda A\} = \bigcap\{\Delta \in S^\Lambda : \Gamma \subseteq \Delta\}$,
i.e. $\Gamma \vdash_\Lambda A$ iff $A$ belongs to every $\Lambda$-maximal set that includes $\Gamma$.

(2) $\Lambda = \bigcap\{\Delta : \Delta \in S^\Lambda\}$,
i.e. $\vdash_\Lambda A$ iff $A$ belongs to every $\Lambda$-maximal set.

Proof. We prove only the deeper part of (1). If $\Gamma \nvdash_\Lambda A$, then $\Gamma \cup \{\neg A\}$ is $\Lambda$-consistent (2.2(15)), so for some $\Delta \in S^\Lambda$, $\Gamma \cup \{\neg A\} \subseteq \Delta$. Then $\Delta$ includes $\Gamma$ but does not contain $A$, since it contains $\neg A$ and is $\Lambda$-consistent.

Normal Logics

A logic $\Lambda$ is normal if it contains the schema

K: $\Box(A \to B) \to (\Box A \to \Box B)$,

and is closed under the rule of Necessitation, i.e.,

if $\vdash_\Lambda A$, then $\vdash_\Lambda \Box A$.

Examples of Normal Logics

(1) For any class $C$ of models, or of frames,

$\Lambda_C = \{A : C \models A\}$

is a normal logic.

(2) If $\{\Lambda_i : i \in I\}$ is a collection of normal logics, then

is normal. In particular,

$K = \bigcap\{\Lambda : \Lambda \text{ is a normal logic}\}$

is the smallest normal logic. The letter K here is in honour of Kripke.

Example 1 shows that any logic determined by relational models or frames is normal, and so this is the type of logic we will be dealing with throughout.


Some Standard Logics

It has become customary to use the notation

to refer to the smallest normal logic containing the schemata $\Sigma_1, \ldots, \Sigma_n$. Set-theoretically this logic is defined as

$\bigcap\{\Lambda : \Lambda \text{ is normal and } \Sigma_1 \cup \ldots \cup \Sigma_n \subseteq \Lambda\}$.

Historical names for some well-known schemata are

D: $\Box A \to \Diamond A$
T: $\Box A \to A$
4: $\Box A \to \Box\Box A$
B: $A \to \Box\Diamond A$
5: $\Diamond A \to \Box\Diamond A$
L: $\Box(A \land \Box A \to B) \lor \Box(B \land \Box B \to A)$
W: $\Box(\Box A \to A) \to \Box A$

Names of some well-known logics are

S4 = KT4
S5 = KT4B
G = KW
K4.3 = K4L
S4.3 = KT4L

Exercises 2.8

(1) $A$ is a theorem of $K\Sigma_1 \ldots \Sigma_n$ iff there is a sequence $A_0, \ldots, A_m = A$ such that for all $i \le m$, either $A_i$ is a tautology, an instance of schema K, or an instance of some $\Sigma_i$, or else $A_k = (A_j \to A_i)$ for some $j, k < i$, or else $A_i = \Box A_j$ for some $j < i$.

(2) KD is the smallest normal logic containing the formula $\Diamond\top$.

(3) KB4 = KB5.

(4) S5 = KDB4 = KDB5 = KT5.

(5) In the definition of S4.3, the schema L can be simplified to

(6) $K4 \subseteq G$, i.e. $\vdash_G \Box A \to \Box\Box A$ (cf. Boolos [1979], p.30).


Uniform Logics

A logic $\Lambda$ is uniform if it is closed under Uniform Substitution, i.e.,

if $A \in \Lambda$, then $A' \in \Lambda$ whenever $A'$ is a substitution instance of $A$

(cf. page 5 for the definition of "substitution instance").

Exercises 2.9

(1) $\Lambda$ is uniform iff $A \in \Lambda$ implies $\Sigma_A \subseteq \Lambda$, where $\Sigma_A$ is the schema defined by $A$ (cf. page 6).

(2) If $\Lambda$ is uniform, and $\Lambda \cap \Phi \neq \emptyset$, then $\Lambda$ is not consistent.

The logic $\Lambda_{\mathcal{M}} = \{A : \mathcal{M} \models A\}$ determined by a model $\mathcal{M}$ need not be uniform. For instance, if $V(p) = S$ in $\mathcal{M}$, then $\Lambda_{\mathcal{M}}$ will contain the atomic formula $p$, but not its substitution instance $\bot$. However, most of the logics we will encounter are uniform, including any logic determined by a frame, or a class of frames, and any of the form $K\Sigma_1 \ldots \Sigma_n$, where the $\Sigma_j$ are schemata. These results are covered as follows.

Exercises 2.10

(1) Associate with each atomic formula $p$ a formula $B_p$. Then if $\mathcal{M} = (S, R, V)$ is a model on a frame $\mathcal{F} = (S, R)$, define a new model $\mathcal{M}' = (S, R, V')$ on $\mathcal{F}$ by putting

$$V'(p) = \{s \in S : \mathcal{M} \models_s B_p\}.$$

Prove that for any formula $A$, and any $s \in S$,

$$\mathcal{M}' \models_s A \text{ iff } \mathcal{M} \models_s A',$$

where $A'$ is the result of uniformly substituting $B_p$ for each atomic formula $p$ in $A$.

(2) Deduce from Exercise (1) that for any frame $\mathcal{F}$, the normal logic $\{A : \mathcal{F} \models A\}$ is uniform.

(3) Associate with each atomic formula $p$ a formula $B_p$, and, as in Exercise (1), for each formula $A$, let $A'$ be the result of uniformly substituting $B_p$ for each atomic $p$ in $A$.

Let $\Sigma_1, \ldots, \Sigma_n$ be a list of schemata, and $A_0, \ldots, A_m$ a sequence of formulae fulfilling the description given in Exercise 2.8(1). Show that the sequence $A'_0, \ldots, A'_m$ also fulfills this description with $A'_i$ in place of $A_i$.

(4) Deduce from Exercise (3) that any logic of the form $K\Sigma_1 \ldots \Sigma_n$ is uniform.


3 Canonical Models and Completeness

The canonical model of a consistent normal logic $\Lambda$ is the structure

$$\mathcal{M}^\Lambda = (S^\Lambda, R^\Lambda, V^\Lambda),$$

where

$S^\Lambda = \{s \subseteq Fma(\Phi) : s \text{ is } \Lambda\text{-maximal}\}$,

$sR^\Lambda t$ iff $\{A \in Fma(\Phi) : \Box A \in s\} \subseteq t$,

$V^\Lambda(p) = \{s \in S^\Lambda : p \in s\}$.

With regard to the definition of $R^\Lambda$, recall the intuitive interpretation of $sRt$ as meaning that $t$ is a conceivable alternative to $s$, a world in which all necessary truths of $s$ are realised.

The canonical frame for $\Lambda$ is $\mathcal{F}^\Lambda = (S^\Lambda, R^\Lambda)$. (Note that if $\Lambda$ is not consistent (i.e. $\vdash_\Lambda \bot$, and hence $\Lambda = Fma$), then there are no $\Lambda$-maximal sets, so $\mathcal{M}^\Lambda$ and $\mathcal{F}^\Lambda$ do not exist.)

Exercise 3.1

$sR^\Lambda t$ iff $\{\neg\Box A : A \notin t\} \subseteq s$ iff $\{\Diamond A : A \in t\} \subseteq s$.

Theorem 3.2. For any $s \in S^\Lambda$, and any $B \in Fma(\Phi)$,

$\Box B \in s$ iff for all $t \in S^\Lambda$, $sR^\Lambda t$ implies $B \in t$.

Proof. We give the "if" direction only. Suppose that for all $t \in S^\Lambda$, $sR^\Lambda t$ implies $B \in t$, i.e.,

$\{A : \Box A \in s\} \subseteq t$ implies $B \in t$.

Then by Corollary 2.6(1),

$$\{A : \Box A \in s\} \vdash_\Lambda B,$$

so by Exercise 2.7(4),

$$\{\Box A : \Box A \in s\} \vdash_\Lambda \Box B,$$

and hence by Exercise 2.2(5),

$$s \vdash_\Lambda \Box B.$$

But $s$ is $\Lambda$-deductively closed (Ex. 2.3(1)), and so $\Box B \in s$ as desired.


Truth Lemma 3.3. Let $A \in Fma(\Phi)$. Then for any $s \in S^\Lambda$,

$$\mathcal{M}^\Lambda \models_s A \text{ iff } A \in s.$$

Proof. By induction on the formation of $A$. The case $A = p \in \Phi$ is given by the definition of $V^\Lambda$, while the case $A = \bot$, and the inductive case $A = (B \to C)$, follow from Exercises 2.3(5) and 2.3(6). For the case $A = \Box B$, assume inductively that the result holds for $B$, and apply Theorem 3.2.

Corollary 3.4. $\mathcal{M}^\Lambda$ determines $\Lambda$, i.e. for all formulae $A$,

$$\mathcal{M}^\Lambda \models A \text{ iff } \vdash_\Lambda A.$$

Proof. By Corollary 2.6, $\vdash_\Lambda A$ iff $A$ belongs to all members of $S^\Lambda$.

Note that Corollary 3.4 implies that $\Lambda$ is complete with respect to the frame $\mathcal{F}^\Lambda$:

$\mathcal{F}^\Lambda \models A$ implies $\vdash_\Lambda A$.

$\Lambda$ need not however be sound with respect to $\mathcal{F}^\Lambda$, i.e. it may be that $\mathcal{F}^\Lambda \not\models \Lambda$. Indeed there are some logics that are not determined by any class of frames. §7 will discuss examples.

Theorem 3.5. (Determination of K). $\vdash_K A$ if, and only if, $A$ is valid in all frames.

Proof.

Soundness: For any frame $\mathcal{F}$, $\Lambda_{\mathcal{F}} = \{B : \mathcal{F} \models B\}$ is a normal logic, so $K \subseteq \Lambda_{\mathcal{F}}$, i.e. $\vdash_K A$ implies $\mathcal{F} \models A$.

Completeness: if $\nvdash_K A$, then by Corollary 3.4, $A$ is false in $\mathcal{M}^K$, and so is not valid in the frame $\mathcal{F}^K$.

Completeness Theorems

In order to show that a logic $\Lambda$ is complete with respect to some class of models, or of frames, defined by certain conditions, it suffices to show that $\mathcal{M}^\Lambda$, or $\mathcal{F}^\Lambda$, satisfies those conditions. The great power of this approach resides in the fact that the proof-theoretic properties of $\Lambda$ have an impact on the properties of the relation $R^\Lambda$. To give some examples of this, recall the first-order properties 1-10 of $R$, and their corresponding modal schemata, listed on page 12.

Theorem 3.6. If a normal logic $\Lambda$ contains any one of the schemata 1-10, then $R^\Lambda$ satisfies the corresponding first-order condition.

Proof. Generally, the proof for a universal condition, like transitivity, is a relatively straightforward application of the definitions, while cases which involve existential assertions, such as weak density, require a deeper construction. We illustrate with these two properties.

Transitivity. Suppose $\Lambda$ contains the schema

$$\Box A \to \Box\Box A$$

Then all members of $S^\Lambda$ contain all instances of this schema. Hence if $sR^\Lambda t$ and $tR^\Lambda u$, $\Box A \in s$ implies $\Box\Box A \in s$, so $\Box A \in t$ as $sR^\Lambda t$, and then $A \in u$ as $tR^\Lambda u$. This proves

$$\{A : \Box A \in s\} \subseteq u,$$

i.e. $sR^\Lambda u$ as desired.

Weak density. Suppose $\Lambda$ contains the schema

$$\Box\Box A \to \Box A$$

Assume $sR^\Lambda t$. We want to find some $u \in S^\Lambda$ such that $sR^\Lambda u$, i.e. $\{A : \Box A \in s\} \subseteq u$, and $uR^\Lambda t$, which is equivalent to $\{\neg\Box B : B \notin t\} \subseteq u$ (cf. Exercise 3.1). Therefore it suffices to show that the set

$$u_0 = \{A : \Box A \in s\} \cup \{\neg\Box B : B \notin t\}$$

is $\Lambda$-consistent. For then by Lindenbaum's Lemma 2.5, there will be some $u \in S^\Lambda$ with $u_0 \subseteq u$ as desired.

Suppose then that $u_0$ is not $\Lambda$-consistent. Then there is a $\Lambda$-theorem

$$\vdash_\Lambda A_1 \wedge \ldots \wedge A_m \wedge \neg\Box B_1 \wedge \ldots \wedge \neg\Box B_n \to \bot, \qquad \text{(i)}$$

for some $m, n > 0$, with each $\Box A_i$ in $s$, and each $B_j$ not in $t$. Let $B = (B_1 \vee \ldots \vee B_n)$. Then since

$$\vdash_\Lambda \Box B_1 \vee \ldots \vee \Box B_n \to \Box B \qquad \text{(ii)}$$

(cf. Ex. 2.7(1)), it follows from (i) and (ii) by tautological consequence that

$$\vdash_\Lambda A_1 \wedge \ldots \wedge A_m \to \Box B$$

and so by Exercise 2.7(2),

$$\vdash_\Lambda \Box A_1 \wedge \ldots \wedge \Box A_m \to \Box\Box B.$$

As each $\Box A_i$ is in $s$, this implies $\Box\Box B \in s$. But by hypothesis,

$$(\Box\Box B \to \Box B) \in s,$$

hence $\Box B \in s$, giving $B \in t$ as $sR^\Lambda t$. But this implies that for some $j$, $B_j$ is in $t$ (2.3(8)), which is a contradiction.

Thus the hypothesis that $u_0$ is $\Lambda$-inconsistent must be false.


Exercise 3.7

Complete the proof of Theorem 3.6.

The next Theorem and Exercises exemplify the way in which canonical models are used to prove completeness and determination results. The particular logics concerned were defined on page 22.

Theorem 3.8. S4 is determined by the class of reflexive and transitive frames.

Proof.

Soundness. If the relation $R$ of frame $\mathcal{F}$ is reflexive and transitive, then the normal logic

contains the schemata T and 4, and so contains KT4 = S4, i.e. $\vdash_{S4} A$ implies $\mathcal{F} \models A$.

Completeness. By the schemata T and 4, the canonical S4-frame is reflexive and transitive (Theorem 3.6). Hence if $A$ is valid in all reflexive and transitive frames, then $\mathcal{F}^{S4} \models A$, and so $\vdash_{S4} A$.

Exercises 3.9

(1) KD is determined by the class of serial frames.

(2) S5 is determined by the class of equivalence relations (reflexive, transitive, and symmetric frames).

(3) K4.3 is determined by the class of transitive weakly-connected frames, and S4.3 by the class of reflexive, transitive, and weakly-connected frames.

(4) S4.2 is the name of the smallest normal logic containing S4 and the schema

$$\Diamond\Box A \to \Box\Diamond A.$$

Prove that $\mathcal{F}^{S4.2}$ is weakly-directed, and that S4.2 is determined by the class of reflexive, transitive, and weakly-directed frames.

(5) Axiomatise the logics determined by

(i) the class of partially-functional frames;

(ii) the class of functional frames;

(iii) the class of weakly dense frames.

(6) (Harder). For all $n > 0$, define the formulae $\Box^n A$ inductively by

$$\Box^{n+1} A = \Box\Box^n A.$$


Thus $\Box^n A = \Box \ldots \Box A$ ($n$ times). Define the formula $\Diamond^n A$ similarly.

(i) Show that in any model $\mathcal{M}$,

$\mathcal{M} \models_s \Box^n A$ iff $sR^n t$ implies $\mathcal{M} \models_t A$;

$\mathcal{M} \models_s \Diamond^n A$ iff $\exists t(sR^n t \;\&\; \mathcal{M} \models_t A)$.

(ii) If $\Lambda$ is a normal logic, show that

$$\vdash_\Lambda \Box^n A \wedge \Box^n B \leftrightarrow \Box^n(A \wedge B).$$

(iii) For any normal logic $\Lambda$, if $s, t \in S^\Lambda$, prove that

$s(R^\Lambda)^n t$ iff $\{A : \Box^n A \in s\} \subseteq t$ iff $\{\Diamond^n A : A \in \ldots$

(iv) For fixed $k, l, m, n$, let $\Lambda$ contain the schema

Show that

$s(R^\Lambda)^k t \;\&\; s(R^\Lambda)^m u$ implies $\exists v(t(R^\Lambda)^l v \;\&\; u(R^\Lambda)^n v)$.

(v) Show how (iv) encompasses all the completeness theorems we have mentioned in the above theorems and exercises, except for K4.3 and S4.3.

S5: Logical Necessity and Introspective Knowledge

S5 is amongst the most well-known of modal logics, and is often regarded as the system which characterises the notion of logical necessity. It might be argued that a possible world, representing a different way the world could have been, ought to satisfy all the logical laws of the actual world, and so a context in which one of our logical laws was violated should not count as a possible world at all. From this point of view, a logically necessary truth is one which is true in all possible worlds whatsoever, suggesting the semantic analysis

$\mathcal{M} \models_s \Box A$ iff for all $t \in S$, $\mathcal{M} \models_t A$.

But this is equivalent to confining our relational semantics to frames $\mathcal{F} = (S, R)$ in which $R$ is universal, i.e. $R = S \times S$, so that any $s$ has $sRt$ for all


Theorem 3.10. S5 is determined by the class of universal frames.

Proof. Soundness is left as an exercise. For completeness, suppose $\nvdash_{S5} A$. Then $A$ is false at some point $t$ in the canonical model $\mathcal{M}^{S5}$. But then by the Submodel Lemma 1.7, $A$ is false at $t$ in the submodel of $\mathcal{M}^{S5}$ generated by $t$. This submodel is based on the set

$$\{u \in S^{S5} : t(R^{S5})^* u\},$$

where $(R^{S5})^*$ is the reflexive transitive closure of $R^{S5}$. Since $R^{S5}$ is reflexive and transitive, this set is just

$$\{u : tR^{S5}u\},$$

the equivalence class of $t$ under the equivalence relation $R^{S5}$. But an equivalence relation is universal on each of its equivalence classes.

The system S5 has been the focus of attention in work on the theory of computation relating to the representation of knowledge and information possessed by robotic systems and other "agents". Among the theorem-schemata of S5 are

$$\Box A \to \Box\Box A$$

$$\neg\Box A \to \Box\neg\Box A$$

(the latter being a variant of the schema 5). Reading $\Box B$ as "the agent knows $B$", the first of these says that if an agent knows something, then it knows that it knows it, while the second states that if it does not know something, then it knows that it does not know it. The principles of S5 are relevant to the study of an agent that possesses full introspection as to the content of its own knowledge. For further details of this application, cf. Parikh [1984] and Rosenschein [1985]. The paper of Rosenschein and Kaelbling [1986] presents a system in this context with modal connectives for time, necessity, and knowledge.

Connectedness

A frame is connected if it satisfies

$$\forall s \forall t(sRt \vee s = t \vee tRs).$$

This property is satisfied by $(S, <)$, where $S$ is any of the number-sets $\omega$, $\mathbb{Z}$, $\mathbb{Q}$, or $\mathbb{R}$, and the notion of connectedness will be of most interest to us in frames, such as these examples, that are also transitive. Any connected frame is weakly connected, but whereas the class of weakly-connected frames is characterised by the schema

L: $\Box(A \wedge \Box A \to B) \vee \Box(B \wedge \Box B \to A)$,


4 Filtrations and Decidability

To show that a logic $\Lambda$ is complete with respect to a class $\mathcal{C}$ of structures, one may try to show that if $\nvdash_\Lambda A$ then there is a member of $\mathcal{C}$ that rejects $A$. Now we know that there will be some point in the canonical model $\mathcal{M}^\Lambda$ at which $A$ is false, but in its capacity as a falsifying model for a particular non-theorem $A$, $\mathcal{M}^\Lambda$ provides a good deal of superfluous information. To begin with, to calculate the truth-value of $A$ at points in $\mathcal{M}^\Lambda$, we need only know the truth-values in $\mathcal{M}^\Lambda$ of the members of the set $Sf(A)$ of subformulae of $A$, whereas $\mathcal{M}^\Lambda$ provides truth-values for all formulae whatsoever. Moreover, if $\Phi$ is infinite, then $S^\Lambda$ will be infinite (in fact uncountable), and so a point of $\mathcal{M}^\Lambda$ will in general be indistinguishable from many other points as to how it treats the finitely many members of $Sf(A)$. Thus we may as well identify points that assign the same truth-values to all members of $Sf(A)$. The identification process allows us to collapse $\mathcal{M}^\Lambda$, and to form a new falsifying model for $A$, one that has room for variety in its definition. This process, known as filtration, gives a way of proving certain technical results (finite model property, decidability) about certain logics $\Lambda$. But more importantly, it gives a new way of constructing models that comes into its own in cases where $\mathcal{M}^\Lambda$ is not in the desired class $\mathcal{C}$ for a completeness theorem.

Filtrations

Fix a model $\mathcal{M} = (S, R, V)$ and a set $\Gamma \subseteq Fma(\Phi)$ that is closed under subformulae, i.e.

$B \in \Gamma$ implies $Sf(B) \subseteq \Gamma$.

For each $s \in S$, define

and put

$s \sim_\Gamma t$ iff $\Gamma_s = \Gamma_t$,

so that

$s \sim_\Gamma t$ iff for all $B \in \Gamma$, $\mathcal{M} \models_s B$ iff $\mathcal{M} \models_t B$.


Then $\sim_\Gamma$ is an equivalence relation on $S$. Let

$$|s| = \{t \in S : s \sim_\Gamma t\}$$

be the $\sim_\Gamma$-equivalence class of $s$, and define

$$S_\Gamma = \{|s| : s \in S\}$$

to be the set of all such equivalence classes.

Lemma 4.1. If $\Gamma$ is finite, then $S_\Gamma$ is finite and has at most $2^n$ elements, where $n$ is the number of elements of $\Gamma$.

Proof. Since $|s| = |t|$ iff $s \sim_\Gamma t$ iff $\Gamma_s = \Gamma_t$, putting

$$f(|s|) = \Gamma_s$$

gives a well-defined and one-to-one mapping of $S_\Gamma$ into the set of subsets of $\Gamma$. Hence $S_\Gamma$ has no more elements than there are subsets of $\Gamma$. But if $\Gamma$ has $n$ elements, then it has $2^n$ subsets.

Exercise 4.2

$S_\Gamma$ can be finite even if $\Gamma$ is not. Define $\Gamma$ to be finitely based over $\mathcal{M}$ if there exists a finite set $\Delta$ of formulae such that

$$\forall B \in \Gamma \; \exists B_0 \in \Delta \; (\mathcal{M} \models B \leftrightarrow B_0).$$

Show that $S_\Gamma$ is finite if $\Gamma$ is finitely based over $\mathcal{M}$.

Now let $\Phi_\Gamma = \Phi \cap \Gamma$ be the set of atomic formulae that belong to $\Gamma$, and define

by putting

$|s| \in V_\Gamma(p)$ iff $s \in V(p)$

whenever $p \in \Phi_\Gamma$ (since then $p \in \Gamma$, $V_\Gamma$ is well-defined).

We are going to consider $\Phi_\Gamma$-models of the form $\mathcal{M}' = (S_\Gamma, R', V_\Gamma)$ with the property that the truth-values of members of $\Gamma$ in $\mathcal{M}$ and in $\mathcal{M}'$ are left invariant by the correspondence $s \mapsto |s|$. Reflection on what is required to make this work leads to the following definition.

A binary relation $R'$ on $S_\Gamma$ is called a $\Gamma$-filtration of $R$ if it satisfies

(F1) if $sRt$, then $|s|R'|t|$; and

(F2) if $|s|R'|t|$, then for all $B$, if $\Box B \in \Gamma$ and $\mathcal{M} \models_s \Box B$, then $\mathcal{M} \models_t B$.

Any $\Phi_\Gamma$-model $\mathcal{M}' = (S_\Gamma, R', V_\Gamma)$ in which $R'$ satisfies F1 and F2 is called a $\Gamma$-filtration of the model $\mathcal{M}$.


Filtration Lemma 4.3. If $B \in \Gamma$, then for any $s \in S$,

$$\mathcal{M} \models_s B \text{ iff } \mathcal{M}' \models_{|s|} B.$$

Proof. An important exercise for the reader. The case $B = p \in \Phi_\Gamma$ is given by the definition of $V_\Gamma$. The inductive case for the truth-functional connectives is straightforward, while the case for $\Box$ uses F1 and F2. Note that the closure of $\Gamma$ under subformulae is needed in order to be able to apply the induction hypothesis.

Exercise 4.4

Let $\Gamma^b$ be the Boolean closure of $\Gamma$, i.e. the closure of $\Gamma$ under the propositional connectives. Show that the Filtration Lemma holds for all $B \in \Gamma^b$.

Examples of Filtrations

1. The smallest filtration.

$|s|R^\sigma|t|$ iff $\exists s' \in |s| \; \exists t' \in |t| \, (s'Rt')$.

2. The largest filtration.

$|s|R^\lambda|t|$ iff for all $B$, $\Box B \in \Gamma$ & $\mathcal{M} \models_s \Box B$ implies $\mathcal{M} \models_t B$.

3. The transitive filtration.

$|s|R^\tau|t|$ iff for all $B$, $\Box B \in \Gamma$ & $\mathcal{M} \models_s \Box B$ implies $\mathcal{M} \models_t \Box B \wedge B$.

Exercises 4.5

(1) $R^\sigma$ and $R^\lambda$ are always $\Gamma$-filtrations of $R$.

(2) If $R'$ is any $\Gamma$-filtration of $R$, then

$$R^\sigma \subseteq R' \subseteq R^\lambda$$

(hence the names smallest and largest).

(3) $R^\tau$ is transitive and satisfies F2. If $R$ is transitive, then $R^\tau$ is a $\Gamma$-filtration of $R$.

(4) Define a symmetric relation on $S_\Gamma$ that is a $\Gamma$-filtration of $R$ whenever $R$ is symmetric.

(5) Show that the following properties are preserved in passing from $R$ to any $\Gamma$-filtration of $R$: reflexive, serial, connected, directed.


Theorem 4.6. K is determined by the class of all finite frames. Moreover, if a formula $A$ has $n$ subformulae, then $\vdash_K A$ if, and only if, $A$ is valid in all frames having at most $2^n$ elements.

Proof. Suppose $\nvdash_K A$. Then there is a point $s$ in some model $\mathcal{M}$ at which $A$ is false (e.g. $\mathcal{M} = \mathcal{M}^K$). Let $\Gamma = Sf(A)$. Then $\Gamma$ is closed under subformulae, so we can construct $\Gamma$-filtrations $\mathcal{M}' = (S_\Gamma, R', V_\Gamma)$ of $\mathcal{M}$ as above. By the Filtration Lemma 4.3, $A$ is false at $|s|$ in any such model, and hence not valid in the frame $(S_\Gamma, R')$. The desired bound on the size of $S_\Gamma$ is given by Lemma 4.1.

Decidability

A logic $\Lambda$ has the finite frame property if it is determined by its finite frames, i.e.,

if $\nvdash_\Lambda A$, then there is a finite frame $\mathcal{F}$ with $\mathcal{F} \models \Lambda$ and $\mathcal{F} \not\models A$.

Theorem 4.6 showed that the smallest normal logic K has the finite frame property, but it showed more: a computable bound was given on the size of the invalidating frame for a given non-theorem. This implies that the property of K-theoremhood is decidable, i.e. that there is an algorithm for determining, for each formula $A$, whether or not $\vdash_K A$. If $A$ has $n$ subformulae, we simply check to see whether or not $A$ is valid in all frames of size at most $2^n$. Since a finite set has finitely many binary relations ($2^{m^2}$ relations on an $m$-element set), there are only finitely many frames of size at most $2^n$. Moreover, to determine whether $A$ is valid on a finite frame $\mathcal{F}$, we need only look at models $V : \Phi_A \to 2^S$ on $\mathcal{F}$, where $\Phi_A = \Phi \cap Sf(A)$. But there are only finitely many such models on $\mathcal{F}$. Thus the whole checking procedure for validity of $A$ in frames of size at most $2^n$ can be completed in a finite amount of time.
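The following Python code is an added example, not from the book: it runs the collapse of Lemma 4.1 and the Filtration Lemma 4.3 on a constructed six-point model using the smallest filtration, and the finite-frame validity check used in the decidability argument above. The tuple encoding of formulae, the function names and the sample model are assumptions of this example, and `find_counterframe` searches frames only up to a caller-supplied size, since the number of frames within the full $2^n$ bound is far too large to enumerate in practice.

```python
from itertools import combinations, product

# Formulae as nested tuples: an atom is a string, ("bot",) is falsum,
# ("imp", A, B) is A -> B, and ("box", A) is box A.
def imp(a, b):
    return ("imp", a, b)

def box(a):
    return ("box", a)

def holds(S, R, V, s, A):
    """Truth of A at point s of the model (S, R, V); R is a set of pairs."""
    if isinstance(A, str):
        return s in V.get(A, set())
    if A[0] == "bot":
        return False
    if A[0] == "imp":
        return (not holds(S, R, V, s, A[1])) or holds(S, R, V, s, A[2])
    return all(holds(S, R, V, t, A[1]) for t in S if (s, t) in R)

def subformulas(A):
    """Sf(A), a set of formulae closed under subformulae."""
    if isinstance(A, str) or A[0] == "bot":
        return {A}
    return {A}.union(*(subformulas(B) for B in A[1:]))

def smallest_filtration(S, R, V, Gamma):
    """Identify points that agree on Gamma; cls[s] plays the role of |s|."""
    cls = {s: frozenset(B for B in Gamma if holds(S, R, V, s, B)) for s in S}
    S_f = set(cls.values())
    R_f = {(cls[s], cls[t]) for (s, t) in R}      # |s| R' |t| iff some s' R t'
    V_f = {p: {cls[s] for s in V.get(p, set())}
           for p in Gamma if isinstance(p, str)}
    return S_f, R_f, V_f, cls

def filtration_lemma_holds(S, R, V, Gamma):
    """Check M |=_s B iff M' |=_|s| B for every s in S and B in Gamma."""
    S_f, R_f, V_f, cls = smallest_filtration(S, R, V, Gamma)
    return all(holds(S, R, V, s, B) == holds(S_f, R_f, V_f, cls[s], B)
               for s in S for B in Gamma)

def valid_on_frame(S, R, A):
    """F |= A: A is true at every point under every valuation of its atoms."""
    pts = list(S)
    ps = [B for B in subformulas(A) if isinstance(B, str)]
    for rows in product(product([False, True], repeat=len(pts)), repeat=len(ps)):
        V = {p: {s for s, b in zip(pts, row) if b} for p, row in zip(ps, rows)}
        if not all(holds(S, R, V, s, A) for s in pts):
            return False
    return True

def find_counterframe(A, max_size):
    """Search all frames with at most max_size points for one invalidating A."""
    for n in range(1, max_size + 1):
        S = set(range(n))
        pairs = [(s, t) for s in S for t in S]
        for k in range(len(pairs) + 1):
            for R in combinations(pairs, k):
                if not valid_on_frame(S, set(R), A):
                    return S, set(R)
    return None

# Constructed sample model: a six-point chain ending in a reflexive point.
S = {0, 1, 2, 3, 4, 5}
R = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 5)}
V = {"p": {1, 2, 4, 5}}
T_INSTANCE = imp(box("p"), "p")                   # false at points 0 and 3
FOUR = imp(box("p"), box(box("p")))
K_INSTANCE = imp(box(imp("p", "q")), imp(box("p"), box("q")))

if __name__ == "__main__":
    Gamma = subformulas(T_INSTANCE)
    S_f, R_f, V_f, cls = smallest_filtration(S, R, V, Gamma)
    print(len(S), "points collapse to", len(S_f), "classes; bound", 2 ** len(Gamma))
    print("Filtration Lemma holds:", filtration_lemma_holds(S, R, V, Gamma))
    print("counter-frame for box p -> p:", find_counterframe(T_INSTANCE, 2))
    print("counter-frame for K instance:", find_counterframe(K_INSTANCE, 2))
```

On the sample model the six points collapse to three classes, within the bound $2^3 = 8$ given by Lemma 4.1 for the three subformulae of the tested formula.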

To consider the case of logics other than K, we will say that $\Lambda$ has the strong finite frame property if there is a computable function $g$ such that

if $\nvdash_\Lambda A$, then there is a finite $\Lambda$-frame that invalidates $A$ and has at most $g(n)$ elements, where $n$ is the number of subformulae of $A$.

Now in adapting the above decidability argument to $\Lambda$, there is an extra feature. In addition to deciding whether or not a given finite frame $\mathcal{F}$ validates $A$, we also have to decide whether or not $\mathcal{F} \models \Lambda$. If $\Lambda$ is finitely axiomatisable, meaning that

$$\Lambda = K\Sigma_1 \ldots \Sigma_n$$

for some finite number of schemata $\Sigma_j$, then the property "$\mathcal{F} \models \Lambda$" is decidable: it suffices to determine whether each $\Sigma_j$ is valid in $\mathcal{F}$. For all of the logics we have considered thus far, validity of $\Sigma_j$ is equivalent to some first-order property of $R$, which can be algorithmically decided for finite $\mathcal{F}$. But in any case, validity of a schema, and hence of a finite number of schemata, on a finite frame, is always decidable. The point is that a schema, such as

$$\Box(A \wedge \Box A \to B) \vee \Box(B \wedge \Box B \to A),$$

has only finitely many atomic components $A, B, \ldots$, and there are only finitely many choices for the truth-sets

$$\{s : \mathcal{M} \models_s A\}, \quad \{s : \mathcal{M} \models_s B\},$$

of these components in all possible models $\mathcal{M}$ on $\mathcal{F}$. To put it another way: a schema is the set $\Sigma_A$ of all substitution instances of some formula $A$, and validity of all members of $\Sigma_A$ in frame $\mathcal{F}$ is equivalent (by 2.10(2)) to validity of $A$ in $\mathcal{F}$, which, as noted on the previous page, is decidable when $\mathcal{F}$ is finite. Thus we have

Theorem 4.7. Every finitely axiomatisable logic with the strong finite frame property is decidable.

Exercises 4.8

(1) Prove that the logics KD, KT, K4, KB, S4, S5, K4.3, S4.3, S4.2 (Exercises 3.9(4), 3.11(2)), are all decidable.

(2) In fact any finitely axiomatisable logic with the finite frame property is decidable (i.e. the result holds without invoking the computable function $g$). Prove this as follows.

(i) Show that a finitely axiomatisable logic $\Lambda$ is effectively enumerable, i.e. there is an algorithm for enumerating the members of $\Lambda$ (hint: cf. Exercise 2.8(1)).

(ii) Show that if $\Lambda$ has the finite frame property and is finitely axiomatisable, then the complement $Fma(\Phi) - \Lambda$ of $\Lambda$ is effectively enumerable (hint: enumerate all the finite $\Lambda$-frames and systematically test formulae for validity in them).

(iii) Use the fact that $\Lambda$ is decidable iff both $\Lambda$ and $Fma(\Phi) - \Lambda$ are effectively enumerable.

Finite Model Property

The topic of decidability could also be approached via the notion of the finite model property, which states that

if $\nvdash_\Lambda A$, then there is a finite $\Lambda$-model $\mathcal{M}$ with $\mathcal{M} \not\models A$.

It turns out that for logics that are uniform, this is equivalent to the finite frame property. The following exercises indicate how to prove this.


Exercises 4.9

A model $\mathcal{M}$ is distinguished if for any two distinct points $s$ and $t$ in $\mathcal{M}$ there is a formula $A$ with $\mathcal{M} \models_s A$ and $\mathcal{M} \not\models_t A$.

(1) Show that any filtration is distinguished. Hence show that for any model $\mathcal{M}$, if $\Gamma = Fma(\Phi)$, then any $\Gamma$-filtration of $\mathcal{M}$ is a distinguished model that is equivalent to $\mathcal{M}$ in some suitable sense.

(2) If $\mathcal{M}$ is finite and distinguished, show that for each $s$ in $\mathcal{M}$ there is a formula $A_s$ such that for any $t$ in $\mathcal{M}$,

$\mathcal{M} \models_t A_s$ iff $t = s$.

(3) If $\mathcal{M}$ is finite and distinguished, show that for any subset $X$ of $\mathcal{M}$ there exists a formula $A_X$ such that for any $t$ in $\mathcal{M}$,

$\mathcal{M} \models_t A_X$ iff $t \in X$.

(4) Let $\mathcal{M}$ be a distinguished model on a finite frame $\mathcal{F}$. If $\mathcal{M}' = (\mathcal{F}, V')$ is any other model on $\mathcal{F}$, show that for all formulae $A$,

$\mathcal{M} \models_s A'$ iff $\mathcal{M}' \models_s A$,

where $A'$ is the result of uniformly replacing each atomic $p$ in $A$ by $A_X$, where $X = V'(p)$. Deduce that for any uniform logic $\Lambda$,

$\mathcal{M} \models \Lambda$ iff $\mathcal{F} \models \Lambda$.

(5) Complete the argument showing that for uniform logics, the finite model property implies the finite frame property.

Decidability Without the Finite Model Property

Although the finite frame property is sufficient to guarantee decidability for a finitely axiomatised logic, it is not necessary. The sharpest result in this direction would appear to be that of Cresswell [1984], which presents an example of a uniform normal logic that is finitely axiomatisable and decidable, but is incomplete, i.e. not determined by any class of frames at all. Such a logic cannot have the finite frame (or model) property.

The proof that Cresswell's logic is decidable uses a technique of translation into a decidable fragment of monadic second-order logic, and is beyond our scope.


5 Multimodal Languages

Syntax

The whole theory presented so far adapts readily to languages with more than one modal connective. Given a set $\Phi$ of atomic formulae $p$, and a new collection of symbols $\{[i] : i \in I\}$, a set $Fma_I(\Phi)$ of formulae $A$ is generated by the BNF definition

so that we now have formulae $[i]A$ for each $A \in Fma_I(\Phi)$ and each $i \in I$.

The connective $[i]$ is to be treated in the way we treated $\Box$ previously. The dual connective $\langle i \rangle$ is defined as $\neg[i]\neg$, and corresponds to $\Diamond$.

Semantics

A frame for this new language is a structure

comprising a set $S$ with a collection of binary relations $R_i \subseteq S \times S$, one for each $i \in I$. (Equivalently, we may think of $\mathcal{F}$ as a pair $(S, R)$ with $R : I \to 2^{S \times S}$.) A model $\mathcal{M} = (\mathcal{F}, V)$ on $\mathcal{F}$ is given by a function $V : \Phi \to 2^S$, just as before. The definition of the relation $\mathcal{M} \models_s A$ has the one new clause

$\mathcal{M} \models_s [i]A$ iff for all $t \in S$, $sR_i t$ implies $\mathcal{M} \models_t A$,

and the definitions of truth in a model ($\mathcal{M} \models A$), and validity in a frame ($\mathcal{F} \models A$), are unchanged.

Logics

The notion of tautology is defined as previously, taking all formulae of the form $[i]A$, along with members of $\Phi$, in the definition of "quasi-atomic" formula.


Generated Submodels

Given a model $\mathcal{M} = (S, \{R_i : i \in I\}, V)$, and an element $t \in S$, the submodel $\mathcal{M}^t = (S^t, \{R^t_i : i \in I\}, V^t)$ generated by $t$ is defined as follows.

A subset $X$ of $S$ is $I$-closed if it satisfies:

if $u \in X$, then $v \in X$ whenever there is an $i \in I$ with $uR_i v$.

An intersection of $I$-closed sets is $I$-closed, so we can define $S^t$ as the smallest $I$-closed subset of $S$ that contains $t$. $R^t_i$ and $V^t$ are the restrictions of $R_i$ and $V$ to $S^t$.

Exercises 5.1

(1) Show that $\mathcal{M}^t \models_u A$ iff $\mathcal{M} \models_u A$.

(2) Show that for languages with a single modal connective (i.e. when $I$ is a singleton), the present definition of $\mathcal{M}^t$ agrees with that given in §1.

(3) p-Morphisms. Formulate the appropriate notion of p-morphism for multimodal languages, and prove the analogues of the p-Morphism Lemmas 1.9 and 1.10.


6 Temporal Logic

Consider a propositional language with two modal connectives, $[F]$ and $[P]$, meaning, respectively, henceforth (at all future times), and hitherto (at all past times). According to §5, a frame for this language has the form $(S, R_F, R_P)$, with the modelling

$\mathcal{M} \models_s [F]A$ iff $sR_F t$ implies $\mathcal{M} \models_t A$,

$\mathcal{M} \models_s [P]A$ iff $sR_P t$ implies $\mathcal{M} \models_t A$.

We read $sR_F t$ as "$t$ is in the future of $s$" and $sR_P t$ as "$t$ is in the past of $s$". But the intended interpretation is that $[F]$ and $[P]$ express properties of the same time-ordering, so that $t$ should be in the past of $s$ precisely when $s$ is in the future of $t$. Thus we want

$sR_P t$ iff $tR_F s$

(or, equivalently, that the relations $R_P$ and $R_F$ are each the converse of the other).

Exercise 6.1

Let $\mathcal{F} = (S, R_F, R_P)$.

(1) Show that

$\mathcal{F} \models A \to [P]\langle F \rangle A$ iff $\forall s \forall t(sR_P t \text{ implies } tR_F s)$.

(2) Show that

$\mathcal{F} \models A \to [F]\langle P \rangle A$ iff $\forall s \forall t(tR_F s \text{ implies } sR_P t)$.

(3) If a normal logic $\Lambda$ contains the schema

then in $\mathcal{M}^\Lambda$, $sR^\Lambda_P t$ implies

(4) If a normal logic $\Lambda$ contains the schema

then

implies $sR^\Lambda_P t$.


Temporal Logics

The preceding exercises indicate that any temporal logic should at least contain the two schemata that they discuss. In the frames for such a logic, $R_F$ and $R_P$ are interdefinable, so we may as well take one relation as primitive, and use frames $\mathcal{F} = (S, R)$, where $R \subseteq S \times S$, with the modelling

$\mathcal{M} \models_s [F]A$ iff $sRt$ implies $\mathcal{M} \models_t A$,

$\mathcal{M} \models_s [P]A$ iff $tRs$ implies $\mathcal{M} \models_t A$.

But it is natural also to require a temporal ordering to be transitive, so we will now define a time-frame to be any structure $\mathcal{F} = (S, R)$ with $R$ a transitive relation on $S$, and with the modelling just given. A temporal logic is defined to be any normal logic in the language of $[F]$ and $[P]$ that contains the schemata

$C_P$:

$C_F$:

$4_P$:

$4_F$:

Mirror Images

Notice that these schemata come in pairs, related by interchanging past and future connectives. Members of such pairs are called mirror images of each other.

The smallest temporal logic, which is

in the present notation, is commonly known as $K_t$ in the literature.

Exercises 6.2

(1) Prove that $K_t$ is determined by the class of all time-frames.

(2) Show that only one of $4_P$ and $4_F$ is needed in the definition of $K_t$: each is derivable from the remaining axioms.

Always

One way to view temporal logic is as a more powerful language for expressing properties of frames of the form $(S, R)$. To this end it is useful to introduce the connective $\Box$ by definitional abbreviation, writing $\Box A$ for the formula

$\Box A$ may be read "always $A$", i.e. at all times, past, present, and future. The dual formula $\Diamond A = \neg\Box\neg A$ is tautologically equivalent to

$$\langle P \rangle A \vee A \vee \langle F \rangle A,$$

meaning "at some time (past, present, or future), $A$".


Exercises 6.3

Let $\mathcal{F}$ be any frame.

(1) Show that

iff $R$ is transitive. What is the mirror image of this result?

(2) Show that

$$\mathcal{F} \models \Box A \to [P][F]A$$

iff $R$ is weakly future-connected, i.e.

$$\forall s \forall t \forall u(sRt \wedge sRu \to tRu \vee t = u \vee uRt).$$

(3) If $\Lambda$ contains $C_P$, $C_F$, and the schema

show that $\mathcal{F}^\Lambda$ is weakly future-connected.

(4) Work out the mirror images of Exercises 2 and 3.

(5) Explain why $\Box$ behaves like an S5 modality in a connected frame.

Strict and Total Orderings

• A strict ordering is a time-frame whose transitive relation is irreflexive, and hence has the stronger property of asymmetry (cf. Exercise 1.15).

• A total ordering is a time-frame whose transitive relation is connected and antisymmetric, like the numerical orderings $\le$ and $<$ on $\mathbb{R}$.

• A strict total ordering is therefore an irreflexive total ordering, or, more simply, a relation that is transitive, connected, and irreflexive.

We tend to use the symbol $<$ for the relation of a strict ordering. An immediate successor of an element $x$ is an element $y$ with $x < y$ and such that there is no $z$ with $x < z < y$. A cut in a structure $(S, <)$ is a partition of $S$ into a pair $(X, Y)$ of non-empty disjoint subsets with $x < y$ whenever $x \in X$ and $y \in Y$. A strict total ordering is continuous if for any such cut there is a $z$ with $x \le z \le y$ for all $x \in X$ and $y \in Y$ (where $x \le z$ iff $x < z$ or $x = z$). Intuitively, this means that there are no "gaps" in the ordering.

Exercises 6.4

Let $\mathcal{F}$ be a strict total ordering.

(1) Show that

$$\mathcal{F} \models A \wedge [P]A \to \langle F \rangle [P]A$$

iff every element of $\mathcal{F}$ has an immediate successor.


(2) Show that

iff every element except the last one (if it exists) has an immediatesuccessor. (A n element x is last if there is no y with x < y.)

(3 ) Work out the mirror images of Exercises 1 and 2.

(4) Show that

T h 0([P]A <F> [P]A) -» ([P]A

if f f is continuous.

This last exercise demonstrates that temporal logic is "more expressive"that the language we began with in §1. The real-number frame (R, < ) iscontinuous, while the rational-number frame (Q, <) is not. But when theseare used as frames for the language of a single modal connective, the sameformulae are valid in each: consult Exercises 8.8 in the next Part to see howthis is proved. W e will also see at the end of §8 how to use the schema ofExercise (4) above in a completeness proof for the temporal logic of (R, < ).

Generated Time ModelsAccording to the definition given in §5, if M — (S, R, V) is a model on atime-frame, then the submodel M* = (S*, R* , V* ) generated by an elementt € S has 5* as the smallest subset X of S that contains t and is closedunder Rp and RF, which means that

if u e X, then v £ X whenever uRv or vRu.

Exercises 6.5

(1) Let $\bar{R} = R \cup R^{-1}$, where $R^{-1} = \{(v, u) : uRv\}$. Show that

$S^t = \{u \in S : t(\bar{R})^{*}u\}.$

(2) Suppose that $R$ is weakly future-connected and weakly past-connected (cf. Ex. 6.3(2)). Show

$S^t = \{u : tRu \text{ or } t = u \text{ or } uRt\}.$

(3) Prove that if time-frame $\mathcal{F}$ is weakly future-connected and weakly past-connected, then the generated time-frame $\mathcal{F}^t = (S^t, R^t)$ is connected.


Temporal p-Morphisms

For temporal logic, a p-morphism $f : \mathcal{M}_1 \to \mathcal{M}_2$ must satisfy the conditions

$sR_1t$ implies $f(s)R_2f(t)$,
$f(s)R_2u$ implies $\exists t(sR_1t \;\&\; f(t) = u)$,
$uR_2f(s)$ implies $\exists t(tR_1s \;\&\; f(t) = u)$,

in order for the p-Morphism Lemma

$\mathcal{M}_1 \models_s A$ iff $\mathcal{M}_2 \models_{f(s)} A$

to hold for all formulae $A$ in the language of $[P]$ and $[F]$.

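Temporal Filtrations

In defining $\Gamma$-filtrations of models $\mathcal{M} = (S, R, V)$ on time-frames, we want to preserve both the transitivity of $R$ and the fact that $R$ is $R_F$ and $R^{-1}$ is $R_P$. A suitable relation for this purpose is $R^\tau \subseteq S_\Gamma \times S_\Gamma$, where

$|s|R^\tau|t|$ iff $[F]B \in \Gamma$ and $\mathcal{M} \models_s [F]B$ implies $\mathcal{M} \models_t [F]B \wedge B$,

and $[P]B \in \Gamma$ and $\mathcal{M} \models_t [P]B$ implies $\mathcal{M} \models_s [P]B \wedge B$.

The model $\mathcal{M}^\tau = (S_\Gamma, R^\tau, V_\Gamma)$ is then transitive, and the Filtration Lemma

$\mathcal{M} \models_s B$ iff $\mathcal{M}^\tau \models_{|s|} B$

holds for all $B \in \Gamma$.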

Exercises 6.6

(1) Verify this last claim.

(2) Prove that the smallest temporal logic $K_t$ is determined by the class of finite time-frames and is decidable.

(3) Axiomatise the logic determined by the class of connected time-frames, proving that it has the strong finite frame property and is decidable.

Diodorean Modality

The most common practice in temporal logic is to regard time as an irreflexive ordering, so that "henceforth", meaning "at all future times", does not refer to the present moment. On the other hand, the Greek philosopher Diodorus proposed that the necessary be identified with that which is now and will always be the case. This suggests a temporal interpretation of $\Box$ that is naturally formalised by using reflexive orderings. The same interpretation is adopted in the logic of concurrent programs to be discussed in §9.

The Diodorean analysis leads to the study of systems containing S4, and containing S4.3 in the case of total orderings. When time is regarded as an endless discrete total ordering, the resulting logic is a system known as S4.3Dum, which will be investigated in §8.


Minkowski Spacetime

The Diodorean logic of four-dimensional special-relativistic spacetime has been shown to be the system S4.2 of Exercise 3.9(4) (Goldblatt [1980]).

To explain this further, we first describe the structure of n-dimensional spacetime. If $x = (x_1, \ldots, x_n)$ is an n-tuple of real numbers, let

Then n-dimensional spacetime, for $n \ge 2$, is the frame

$T^n = (\mathbb{R}^n, \le),$

where $\mathbb{R}^n$ is the set of all real n-tuples, and for $x$ and $y$ in $\mathbb{R}^n$ we have

$x \le y$ iff $\mu(y - x) \le 0$ & $x_n \le y_n$

iff $\sum_{i=1}^{n-1} (y_i - x_i)^2 \le (y_n - x_n)^2$ & $x_n \le y_n$.

The Minkowski spacetime of special relativity theory is $T^4$, in which a typical point represents a spatial location $(x_1, x_2, x_3)$ at time $x_4$. The intended interpretation of the relation $x \le y$ is that a signal can be sent from $x$ to $y$ at a speed at most that at which light travels, so that $y$ is in the "causal future" of $x$.

The frame $T^2$ is depicted in the following diagram, showing the "future cone" $\{z : x \le z\}$ for a typical point $x$.

Observe that the future cones of any two points must overlap, so that the frame is directed and validates the S4.2 axiom schema


The formula $A\,\mathcal{U}\,B$ is read "A until B", meaning that there is a future point at which $B$ is true, with $A$ true at all points between now and then.

Notice that

$\mathcal{M} \models_s \top\,\mathcal{U}\,B$ iff there exists $t$ such that $sRt$ and $\mathcal{M} \models_t B$,

so that the formula $\top\,\mathcal{U}\,B$ is equivalent to $\langle F\rangle B$. Hence $[F]B$ is equivalent to $\neg(\top\,\mathcal{U}\,\neg B)$.

The formula $\bot\,\mathcal{U}\,B$ expresses that $B$ will be true at a future point, with nothing in between, i.e. $B$ is true at an immediate successor. Hence this formula is read "next B", and is a natural construct to consider on discrete orderings, like $(\mathbb{Z}, <)$ and $(\omega, <)$.

Exercise 6.7

Give a semantics for the notion "A since B", and use the notion to define $\langle P\rangle B$ and a formula expressing "B was true at the previous moment".

The connectives since and until have been shown (Kamp [1968]) to form a complete set of connectives for continuous orderings. In a way that can be made precise, they suffice to define all possible propositional connectives that express temporal properties of such orderings. The connective until has been used extensively in the temporal logic of concurrent programs, and will be studied in that context in §9.


7 Some Topics In Metatheory

We now take up some advanced topics: first-order definability, canonicity, incompleteness, and undecidability. (The material of this section is not needed in later sections.)

First-Order Definability

In §1 a number of examples were given of modal schemata whose frames were characterised by first-order conditions on a binary relation $R$. All of these, and many others, can be subsumed under a general class of schemata devised by Lemmon and Scott (Lemmon [1977]).

A formula $\varphi$ is positive if it can be constructed using no connectives other than $\wedge$, $\vee$, $\Box$ and $\Diamond$. Thus a BNF definition of the class of positive formulae is

$\varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \Box\varphi \mid \Diamond\varphi.$

We write $\varphi(p_1, \ldots, p_k)$ to indicate that the atomic formulae occurring in $\varphi$ are among the list $p_1, \ldots, p_k$. $\varphi(A_1, \ldots, A_k)$ is then the formula obtained by uniformly substituting, for each $1 \le i \le k$, the formula $A_i$ for $p_i$ in $\varphi$.

Exercise 7.1

Let $\varphi(p_1, \ldots, p_k)$ be positive. If $\Lambda$ is any normal logic, and $\vdash_\Lambda A_i \to B_i$ for $1 \le i \le k$, then

Recall from Exercise 3.9(6) the notations

$\Box^n A = \Box \cdots \Box A$ ($n$ times)

$\Diamond^n A = \Diamond \cdots \Diamond A$ ($n$ times).

Then for each positive formula $\varphi(p_1, \ldots, p_k)$, and pair $m = (m_1, \ldots, m_k)$ and $n = (n_1, \ldots, n_k)$ of $k$-tuples of natural numbers, there is an associated Lemmon-Scott schema

" 1 ^ A - - - A


Corresponding to this schema is a first-order condition $R\varphi^m_n$ on binary relations $R$. First, for a given frame $\mathcal{F} = (S, R)$ and a $k$-tuple $t = (t_1, \ldots, t_k)$ of elements of $S$, a condition $R_\varphi(s,t,n)$ on $\mathcal{F}$, with "free variable" $s$, is defined by induction on the formation of the positive formula $\varphi$, as follows.

$R_{p_i}(s,t,n)$ is $t_i R^{n_i} s$ $(1 \le i \le k)$
$R_{\varphi_1 \wedge \varphi_2}(s,t,n)$ is $R_{\varphi_1}(s,t,n) \wedge R_{\varphi_2}(s,t,n)$
$R_{\varphi_1 \vee \varphi_2}(s,t,n)$ is $R_{\varphi_1}(s,t,n) \vee R_{\varphi_2}(s,t,n)$
$R_{\Box\varphi}(s,t,n)$ is $\forall u(sRu \to R_\varphi(u,t,n))$
$R_{\Diamond\varphi}(s,t,n)$ is $\exists u(sRu \wedge R_\varphi(u,t,n))$.

Then $R\varphi^m_n$ is the first-order condition

A - - - AsR mk t k

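Exercises 7.2

(1) In any model $\mathcal{M}$, if $R_\varphi(s,t,n)$ and $\mathcal{M} \models_{t_i} \Box^{n_i} A_i$ for $1 \le i \le k$, then

(2) If $\mathcal{F}$ satisfies $R\varphi^m_n$, then $\mathcal{F} \models \varphi^m_n$.

(3) In any model $\mathcal{M}$, if $\mathcal{M} \models_s \varphi(p_1, \ldots, p_k)$, and $V(p_i) = \{u : t_i R^{n_i} u\}$ for $1 \le i \le k$, then $R_\varphi(s,t,n)$.

(4) If $\mathcal{F} \models \varphi^m_n$, then $\mathcal{F}$ satisfies $R\varphi^m_n$.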

These exercises show that the frames validating $\varphi^m_n$ are precisely those satisfying $R\varphi^m_n$, and hence in particular that the logic $K\varphi^m_n$ is sound with respect to these frames. Completeness can be shown by the canonical model method, with the key result being

Lemma 7.3. If $\varphi(p_1, \ldots, p_k)$ is positive, then the canonical frame for any normal logic $\Lambda$ satisfies

Proof. By induction on the formation of $\varphi$. We give the proof for $k = 1$, and drop the subscripts. The case $\varphi = p$ amounts to the claim that

$tR^n s$ iff $\{A : \Box^n A \in t\} \subseteq s$

which was given as Exercise 3.9(6)(iii).

The most complex part of the proof concerns the inductive case of $\Diamond\varphi$, under the hypothesis that the Lemma holds for $\varphi$. Assuming that

$\{\Diamond\varphi(A) : \Box^n A \in t\} \subseteq s,$ (†)


we have to show that $R_{\Diamond\varphi}(s,t,n)$, i.e. that there exists a $u \in S^\Lambda$ with $sR^\Lambda u$ and $R_\varphi(u,t,n)$. But then it suffices to show that the set

$u_0 = \{A : \Box A \in s\} \cup \{\varphi(B) : \Box^n B \in t\}$

is $\Lambda$-consistent. For, if $u$ is a $\Lambda$-maximal extension of $u_0$, then the definition of $R^\Lambda$ and the induction hypothesis on $\varphi$ ensure that $u$ has the desired properties.

Now if $u_0$ is not $\Lambda$-consistent, then since $\{A : \Box A \in s\}$ is closed under finite conjunctions, it follows that there are formulae $A, B_1, \ldots, B_l$ such that $\Box A \in s$, $\Box^n B_i \in t$ for $1 \le i \le l$, and

\- A A -» -.(?(Bi) A • • • A

HenceA ... A

Since $\Box A \in s$, it follows that

es. t)

Now let $B = B_1 \wedge \cdots \wedge B_l$. Then it may be shown that $\Box^n B \in t$ (cf. Exercise 3.9(6)(ii)), and so by (†), $\Diamond\varphi(B) \in s$. But $\vdash_\Lambda \varphi(B) \to \varphi(B_i)$ for $1 \le i \le l$, by Exercise 7.1, so

whenceh 0(5) -» 0((f li) A •

and thus

which is impossible, given (‡) and the $\Lambda$-consistency of $s$. Therefore, $u_0$ must be $\Lambda$-consistent as desired.

The proof that $R_{\Diamond\varphi}(s,t,n)$ implies $\{\Diamond\varphi(A) : \Box^n A \in t\} \subseteq s$ is straightforward, as are the inductive cases for $\varphi_1 \wedge \varphi_2$ and $\Box\varphi$. The case of $\varphi_1 \vee \varphi_2$ makes a further use of Exercise 7.1, and is also left to the reader (cf. Goldblatt [19751]).

Exercises 7.4

(1) Complete the proof of Lemma 7.3.

(2) Let $\Lambda$ be a normal logic that contains the schema $\varphi^m_n$. Prove that $\mathcal{F}^\Lambda$ satisfies the first-order condition $R\varphi^m_n$.

(3) If $\Lambda$ is the smallest normal logic containing a collection $\{(\varphi_i)^{m_i}_{n_i} : i \in I\}$ of Lemmon-Scott schemata, show that $\Lambda$ is determined by the class of those frames that satisfy all the conditions $\{R(\varphi_i)^{m_i}_{n_i} : i \in I\}$.


Sahlqvist's Schemata

The form of the schema $\varphi^m_n$ was generalised by Sahlqvist [1975], to consider formulae of the type

where n > 0, $\psi$ is positive, and $\varphi$ is constructed from atomic formulae and/or their negations using at most $\wedge$, $\vee$, $\Box$ and $\Diamond$, in such a way that no occurrence of $\wedge$, $\vee$ or $\Diamond$ is inside the scope of a $\Box$.

Sahlqvist showed that the frames validating any such formula are characterised by a first-order condition on $R$, and that this condition is satisfied by the canonical frame of the normal logic axiomatised by the schema corresponding to the formula.

A recent discussion and proof of this result may be found in Sambin and Vaccaro [1989].

Canonicity

A normal logic $\Lambda$ is canonical if it is validated by its canonical frame, i.e. if $\mathcal{F}^\Lambda \models \Lambda$. The most accessible example of failure of canonicity is the logic KW, where W is the schema

$\Box(\Box A \to A) \to \Box A$

first mentioned in §1. Completeness for KW will be considered in §8 (cf. Exercises 8.7) where it is indicated that the logic has the finite frame property, so is determined by its (finite) frames and is decidable. The failure of canonicity is based on the following observation.

Exercise 7.5

Let $\mathcal{M} = (S, R, V)$ be a model containing a point $s$ such that $sRs$. If $V(p) = S - \{s\}$, show that $\Box(\Box p \to p) \to \Box p$ is false at $s$ in $\mathcal{M}$.

This Exercise shows that W is not valid on any frame possessing a reflexive point, and so to show that KW is not canonical it suffices to exhibit such an $s \in S^{KW}$ with $sR^{KW}s$. For this purpose, consider the set

$s_0 = \{\neg\Box A : \nvdash_{KW} A\}.$

If $s_0$ is KW-consistent, then any KW-maximal extension $s$ of $s_0$ will solve the problem. For, if $A \notin s$, then $\nvdash_{KW} A$, and so as $s_0 \subseteq s$ and $s$ is consistent, $\Box A \notin s$, showing that $sR^{KW}s$.


To prove that $s_0$ is KW-consistent, take formulae $A_1, \ldots, A_n$ such that $\nvdash_{KW} A_i$ for $1 \le i \le n$. We need to show that

$\nvdash_{KW} \neg(\neg\Box A_1 \wedge \cdots \wedge \neg\Box A_n).$ (i)

Now for each $i$ there is some $s_i \in S^{KW}$ with $A_i \notin s_i$. Hence if $\mathcal{M}^i = (S^i, R^i, V^i)$ is the submodel of $\mathcal{M}^{KW}$ generated by $s_i$ then

$\mathcal{M}^i \not\models_{s_i} A_i.$ (ii)

We now construct a new model $\mathcal{M} = (S, R, V)$ by forming the union of all the models $\mathcal{M}^i$ and adjoining an additional element $\infty$ that is not in any of the $S^i$, but is $R$-related to all members of all the $S^i$. Formally, put

$S = S^1 \cup \cdots \cup S^n \cup \{\infty\}$

$R = R^1 \cup \cdots \cup R^n \cup \{(\infty, s) : s \in S \;\&\; \infty \ne s\}$

Exercises 7.6

(1) If $s \in S^i$, then for any formula $B$,

$\mathcal{M} \models_s B$ iff $\mathcal{M}^i \models_s B$.

(2) $\mathcal{M} \models W$.

Note: in view of Exercise (1), the heart of the matter is to show that any instance of W is true in $\mathcal{M}$ at $\infty$.

In view of 7.6(2), the normal logic

$\Lambda_{\mathcal{M}} = \{B : \mathcal{M} \models B\}$

contains KW. But in view of (ii), 7.6(1) and the construction of $\mathcal{M}$,

$\mathcal{M} \models_\infty \neg\Box A_1 \wedge \cdots \wedge \neg\Box A_n,$

and so

$\neg(\neg\Box A_1 \wedge \cdots \wedge \neg\Box A_n) \notin KW.$

It follows that (i) must be true, completing the proof that $s_0$ is KW-consistent, and hence that KW is not canonical.


Failure of the Finite Frame Property

If a logic has the finite frame property, then it is complete with respect to the class of its validating frames. The converse of this is false: we now exhibit a logic that is first-order determined, but lacks the finite model property, and hence the finite frame property. The example is an adaptation by Hughes and Cresswell [1984] of a fundamental construction introduced by Makinson [1969].

Consider the Lemmon-Scott schema

Mk : $\Box A_1 \wedge A_2 \to \Diamond(\Box^2 A_1 \wedge \Diamond A_2)$.

Exercise 7.7

Verify that the first-order condition corresponding to Mk is

$\forall s\,\exists t\,(sRt \wedge tRs \wedge \forall u(tR^2u \to sRu)).$

Now let $\Lambda_*$ be the logic KTMk. Then from our analysis of Lemmon-Scott schemata we know that $\Lambda_*$ is determined by the class of all reflexive frames that satisfy the condition of 7.7. To show that $\Lambda_*$ lacks the finite model property we prove two things:

(1) If $\mathcal{M}$ is a finite $\Lambda_*$-model, then the schema 4 is true in $\mathcal{M}$, i.e. for any formula $A$, $\mathcal{M} \models \Box A \to \Box^2 A$.

(2) For some $A$, $\nvdash_{\Lambda_*} \Box A \to \Box^2 A$.

Proof of (1). Let $\mathcal{M}$ be a $\Lambda_*$-model that rejects 4. Then we show that $\mathcal{M}$ must be infinite, by showing that it contains a sequence $s_1, \ldots, s_n, \ldots$ of distinct points. To begin with, there is, by hypothesis, some formula $A$ and some point $s_1$ such that $\mathcal{M} \models_{s_1} \Box A \wedge \neg\Box^2 A$.

Now make the inductive assumption that $s_n$ has been defined and has

1)

But the formula

DM A -.D n+1 A -» 0(n n+1 A A - i

is (equivalent to) an instance of the schema Mk, so as $\mathcal{M} \models \Lambda_*$, from (†) it follows that there is some point $s_{n+1}$ with $s_n R s_{n+1}$ and

Hence, by induction, $s_n$ is defined to satisfy (†) for all positive integers $n$. But then to see that the $s_n$'s are distinct, observe that if $n < m$, then


is false at $s_n$ by (†), but true at $s_m$ since $\Box^m A$ is true at $s_m$, and $\mathcal{M} \models \Box^m A \to \Box^{n+1} A$ from the schema T.

Proof of (2). This requires the construction of a $\Lambda_*$-model that rejects schema 4. In view of (1), this model will have to be infinite. Let

where $\omega$ is the set $\{0, 1, 2, \ldots\}$ of natural numbers, and $mRn$ iff $m \le n + 1$, so that each number is $R$-related to all numbers bigger than or equal to its predecessor. $\mathcal{F}_r$, which first appeared in Makinson [1969], has become known as the recession frame.

Exercises 7.8

(1) Show that $\mathcal{F}_r$ validates the logic $\Lambda_*$.

(2) Show that $\mathcal{F}_r$ is not transitive, and so carries a model in which an instance of schema 4 is false. Hence complete the argument showing that $\Lambda_*$ lacks the finite model property.

Incompleteness

The canonical model construction shows that any consistent normal logic is determined by some model. On the other hand, there are consistent logics that are not determined by any class of frames. The first example of such an incomplete logic was a temporal one, discovered by Thomason [1972]. It can be defined as the smallest temporal logic $\Lambda_T$ containing the schemata

D F : < F > TW P : <P>AM F : [ F ] < F > A - K F > [ F ] A .

The import of $M_F$ is that it requires the truth-value of $A$ to eventually "settle down" to a fixed value. For, if the antecedent is true, then at any future time there will be a time after that at which $A$ is true. But if the consequent is false, then at any future time there will be a time after that at which $A$ is false. Thus if $M_F$ is to be true, then $A$ must eventually become either true forever or false forever.

It turns out that $\Lambda_T$ has no frames at all. To see this, observe first that any time-frame validating $W_P$ is irreflexive, for if $sRs$, then putting $V(A) = \{s\}$ for an atomic $A$ would falsify $W_P$ at $s$. Thus if $\mathcal{F} \models \Lambda_T$, then $R$ is weakly future-connected, by $L_F$, so for any point $s$ the set $X_s = \{t : sRt\}$ is a strict total ordering (connected, irreflexive) which, by $D_F$, has no last


element. But then we can choose a subset $Y$ of $X_s$ such that neither $Y$ nor $X_s - Y$ has a last element. Putting $V(A) = Y$ then gives a model in which $M_F$ is false at $s$. However this contradicts the hypothesis that $\mathcal{F} \models \Lambda_T$.

To see that $\Lambda_T$ is nonetheless consistent, it suffices to construct a model for it (by the argument just given, the frame of this model must carry other models that falsify $\Lambda_T$). Let $\mathcal{M} = (\omega, <, V)$, where $\omega = \{0, 1, 2, \ldots\}$, and $V(p) = \emptyset$ for all $p \in \Phi$. The frame $(\omega, <)$ validates all axioms of $\Lambda_T$ except $M_F$. An inductive argument shows that for any formula $A$, the set $\{n \in \omega : \mathcal{M} \models_n A\}$ is either finite, or cofinite (i.e. has a finite complement). Thus "as time passes", $A$ eventually becomes either false forever (finite case), or true forever (cofinite case). In the first case $[F]\langle F\rangle A$ is false everywhere, and in the second case $\langle F\rangle[F]A$ is true everywhere. Hence

$\mathcal{M} \models M_F$.

Exercise 7.9

Fill in all the details of the above argument.

Incomplete □-Logics

After the discovery of $\Lambda_T$, a number of incomplete logics in the language of a single modal connective $\Box$ were produced (Thomason [1974], Fine [1974], van Benthem [1978]). The latest, and seemingly simplest, example appears in a paper by Boolos and Sambin [1985], where its discovery is attributed to R. Magari. The logic is KH, where H is the schema

$\Box(\Box A \leftrightarrow A) \to \Box A$

Notice that $KH \subseteq KW$, where W, as above, is

$\Box(\Box A \to A) \to \Box A$

We noted in §1 that any frame for W is transitive (Boolos [1979], p.82), and hence validates

4 : $\Box A \to \Box\Box A$.

Boolos and Sambin show that H and W are valid on exactly the same frames, implying that any KH-frame must validate 4. They then give a model for H in which 4 is false, showing that 4 is not KH-deducible.

To spell out some details, suppose $\mathcal{F} \models H$. To prove $\mathcal{F}$ is transitive, take a point $s$ in order to show that

$sRt$ & $tRu$ implies $sRu$.

Let $\mathcal{M}$ be any model on $\mathcal{F}$ in which

$V(p) = \{t : u \in S^t \text{ implies } sRu\}$

(recall that $S^t = \{v : tR^{*}v\}$ is the subframe generated by $t$).


Exercise 7.10

Show that $\mathcal{M} \models_s \Box(\Box p \leftrightarrow p)$.

Since $\mathcal{F} \models H$, it follows from this exercise that $\mathcal{M} \models_s \Box p$. Hence if $sRt$ and $tRu$, we have $t \in V(p)$ and $u \in S^t$, so $sRu$ as desired.

The following intransitive H-model is due to M. J. Cresswell. It is an extension of the construction of Makinson's recession frame $\mathcal{F}_r$, and is just one of a number of uses to which $\mathcal{F}_r$ has been put in studies of the "pathology" of modal logics (cf. Bull and Segerberg [1984], §19; Hughes and Cresswell [1984]). Most spectacularly, $\mathcal{F}_r$ was used by Blok [1980] to prove that if $\Lambda$ is any normal extension of KT, there are uncountably many other logics having exactly the same frames as $\Lambda$! All but one of these uncountably many logics must be incomplete.

Let $\mathcal{M} = (\mathbb{Z}, R, V)$, where $V(p) = \mathbb{Z} - \{0\}$ for all $p \in \Phi$, and $R$ is a nonstandard ordering of the points of $\mathbb{Z}$ got by shifting all the negative integers "to the right",

$0, 1, 2, \ldots, n, \ldots, -n, \ldots, -2, -1$

and then allowing each non-negative integer to also have itself and its predecessor as $R$-alternatives (hence destroying transitivity). Formally, if $m, n \in \mathbb{Z}$, then $mRn$ iff one of the following hold.

$n < 0 \le m$
$0 \le m \le n + 1$
$m < n < 0$.

Exercises 7.11

(1) Show that $\Box p \to \Box\Box p$ is false at the point 2 in $\mathcal{M}$.

(2) Show that for all formulae $A$, the set $\{m : \mathcal{M} \models_m A\}$ is either finite or cofinite. Use this to prove $\mathcal{M} \models H$.

In conclusion, note that the axiom $W_P$ in Thomason's logic $\Lambda_T$ is a variant of the schema

$[P]([P]A \to A) \to [P]A,$

which is the past-tense version of the schema W. The latter has manifestly played an important role in technical studies of the metatheory of modal logics. There is another context in which it is also important: KW is the logic that results when $\Box$ is interpreted as meaning "it is provable in Peano Arithmetic that". This is explained in the book by Boolos [1979].


Undecidability

A logic with the finite frame property is decidable, provided that it is finitely axiomatisable. This last qualification is essential: there exist logics with the finite frame property that are undecidable. In fact, Urquhart [1981] showed that for any subset $X$ of $\omega$ there exists a logic $\Lambda_X$ with the finite frame property, such that $\Lambda_X$ has the same "degree of unsolvability" as $X$. We now discuss this result, using the following definitions.

• A point $s$ in a frame $(S, R)$ is dead if there is no $t \in S$ with $sRt$.

• A point is live if it is not dead.

• For $n \in \omega$, $\mathcal{F}_n$ is the frame depicted as

i.e. $\mathcal{F}_n = (\{-1, 0, 1, \ldots, n\}, R)$, with

$R = \{(0, -1)\} \cup \{(m, m+1) : 0 \le m < n\}.$

• $\mathcal{G}_n$ is the frame depicted

$0 \to 1 \to \cdots \to n,$

which results by removing the point $-1$ from $\mathcal{F}_n$.

• $\theta$ is the formula $\Diamond\Box\bot \wedge \Diamond^2\top$.

• $A_n$ is the formula $\theta \to \Box^{n+2}\Diamond\top$.

Note that if $n \ge 2$, then 0 is distinguished in $\mathcal{F}_n$ as the only point that is $R$-related both to a dead point and to a live one. This accounts for the superscript "$n + 2$" in the definition of $A_n$, and the emphasis on the frames $\mathcal{F}_{n+2}$ in what follows.

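Exercises 7.12

(1) In any model,
$\mathcal{M} \models_s \Box\bot$ iff $s$ is dead;
$\mathcal{M} \models_s \Diamond\top$ iff $s$ is live.

(2) For any $n \in \omega$, $\mathcal{F}_{n+2} \models_s \theta$ iff $s = 0$. (Note: since $\theta$ contains no atomic formulae, its truth at any point in $\mathcal{F}_{n+2}$ is independent of any particular model on that frame.)

(3) $\mathcal{F}_{n+2} \not\models A_n$.

(4) $\mathcal{F}_{n+2} \models A_j$ if $j \ne n$.

(5) $\mathcal{G}_n \models \neg\theta$, and hence $\mathcal{G}_n \models A_j$ for all $j$.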


Now let $X$ be an arbitrary set of natural numbers. Put

$C_X = \{\mathcal{G}_n : n \in \omega\} \cup \{\mathcal{F}_{n+2} : n \notin X\},$

and let $\Lambda_X = \{B : C_X \models B\}$ be the logic determined by $C_X$. Since all members of $C_X$ are finite, it is immediate that $\Lambda_X$ has the finite frame property.

Lemma 7.13. For any $j \in \omega$,

$\vdash_{\Lambda_X} A_j$ iff $j \in X$.

Proof. Suppose $j \in X$. Then if $n \notin X$, $j \ne n$, so $\mathcal{F}_{n+2} \models A_j$ by 7.12(4). Together with 7.12(5), this shows that $C_X \models A_j$, as desired.

On the other hand, if $j \notin X$, then $\mathcal{F}_{j+2} \in C_X$ and so by 7.12(3), $C_X \not\models A_j$.

Corollary 7.14. If $X$ is undecidable, then so is $\Lambda_X$.

Proof. Since formula $A_j$ is explicitly defined in terms of $j$, the Lemma shows that a decision procedure for theoremhood in $\Lambda_X$ would yield a decision procedure for membership of $X$.
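Exercises 7.12(2)-(5) and Lemma 7.13 can be checked mechanically on small frames. The following is an added example, not code from the book: it evaluates the variable-free formulae θ and A_n on F_n and G_n by brute force. The tuple encoding of formulae, the function names and the sample set X are assumptions made for the illustration.

```python
# Added illustration, not from the book: brute-force check of Exercises 7.12(2)-(5)
# and Lemma 7.13 on finite members of C_X. The formulas are variable-free, so truth
# depends only on the frame. The tuple encoding and all names are assumptions.

TOP, BOT = ("top",), ("bot",)


def box(f, times=1):
    """Prefix f with `times` boxes."""
    for _ in range(times):
        f = ("box", f)
    return f


def dia(f, times=1):
    """Prefix f with `times` diamonds."""
    for _ in range(times):
        f = ("dia", f)
    return f


THETA = ("and", dia(box(BOT)), dia(TOP, 2))   # theta: sees a dead point and a live one


def A(n):
    """A_n = theta -> box^(n+2) dia top."""
    return ("imp", THETA, box(dia(TOP), n + 2))


def frame_F(n):
    """F_n as a successor map: 0 R -1, and m R m+1 for 0 <= m < n."""
    succ = {p: set() for p in range(-1, n + 1)}
    succ[0].add(-1)
    for m in range(n):
        succ[m].add(m + 1)
    return succ


def frame_G(n):
    """G_n: the chain 0 -> 1 -> ... -> n, i.e. F_n without the point -1."""
    return {m: ({m + 1} if m < n else set()) for m in range(n + 1)}


def truth_set(succ, f):
    """Points of the frame at which the variable-free formula f is true."""
    op, everything = f[0], set(succ)
    if op == "top":
        return everything
    if op == "bot":
        return set()
    if op == "and":
        return truth_set(succ, f[1]) & truth_set(succ, f[2])
    if op == "imp":
        return (everything - truth_set(succ, f[1])) | truth_set(succ, f[2])
    inner = truth_set(succ, f[1])
    if op == "box":                      # every R-successor satisfies the body
        return {s for s in succ if succ[s] <= inner}
    if op == "dia":                      # some R-successor satisfies the body
        return {s for s in succ if succ[s] & inner}
    raise ValueError("unknown connective: %r" % (op,))


def valid(succ, f):
    """Frame validity of a variable-free formula: true at every point."""
    return truth_set(succ, f) == set(succ)


def valid_on_C_X(j, X, bound):
    """Is A_j valid on G_n (n < bound) and on F_(n+2) (n < bound, n not in X)?

    C_X is infinite, so this inspects only its members with index below `bound`;
    by 7.12(4)-(5) the only possible counterexample is F_(j+2), so the answer
    agrees with Lemma 7.13 whenever bound > j.
    """
    frames = [frame_G(n) for n in range(bound)]
    frames += [frame_F(n + 2) for n in range(bound) if n not in X]
    return all(valid(fr, A(j)) for fr in frames)


if __name__ == "__main__":
    X = {1, 3, 4}                        # constructed sample set
    for j in range(6):
        print(j, j in X, valid_on_C_X(j, X, bound=8))
```

The check makes the coding in Corollary 7.14 concrete: membership of j in X is read off from whether the single frame F_{j+2} is present to refute A_j.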

Axioms for $\Lambda_X$

We now develop an axiomatisation for $\Lambda_X$, and strengthen the analysis to prove Urquhart's result that there is an undecidable $\Lambda_X$ that has a decidable set of axioms. We need the following schemata

Pfun: $\Box(\Diamond A \to \Box A)$
De: $\Diamond(\Box\bot \wedge A) \to \Box(\Box\bot \to A)$
Li: $\Diamond(\Diamond\top \wedge A) \to \Box(\Diamond\top \to A)$

Exercises 7.15

Let $\Lambda$ be any normal logic containing Pfun, De, and Li. Work in the canonical model $\mathcal{M}^\Lambda$ for $\Lambda$.

(1) Use Pfun to show that if $sR^\Lambda t$, then $t$ itself is $R^\Lambda$-related to at most one point in $S^\Lambda$.

(2) Use De to show that each $s \in S^\Lambda$ is $R^\Lambda$-related to at most one dead point.

(3) Use Li to show that each $s \in S^\Lambda$ is $R^\Lambda$-related to at most one live point.


Part Two

Some Temporal and Computational Logics


8 Logics with Linear Frames

Part Two applies the techniques developed in the previous sections to some standard temporal logics, and to some modal logics that have been employed in the theory of computation. One of these, examined in §9, involves the use of temporal logic to express properties of linear state sequences generated by concurrent programs. To study this logic, it is helpful to first isolate its "[F]-fragment", and axiomatise the logic determined by the frame $(\omega, <)$ in the language of a single modal connective. This will be done in the present section, in the context of a general study of discrete, dense, and continuous time. §10 introduces the multi-modal language of dynamic logic, in which the modal connectives are indexed by the commands of a programming language.

Discrete Future Time

In the $\Box$-language of §1, let $\Omega$ be the logic K4DLZ, with axioms

4: $\Box A \to \Box\Box A$
D: $\Box A \to \Diamond A$
L: $\Box(A \wedge \Box A \to B) \vee \Box(B \wedge \Box B \to A)$
Z: $\Box(\Box A \to A) \to (\Diamond\Box A \to \Box A)$.

Our first goal in this section is to prove that

$\vdash_\Omega A$ iff $(\omega, <) \models A$.

Each of the axioms of $\Omega$ embodies a feature of the frame $(\omega, <)$. 4 corresponds to transitivity, D to seriality ("endless time"), and L to connectedness. Z embodies an aspect of the discreteness of $(\omega, <)$, namely that between any two points there are only finitely many other points. What this has to do with Z may be learned from

Exercises 8.1

(1) Show that $(\omega, <) \models Z$.

(2) Soundness of $\Omega$: Prove that

$\vdash_\Omega A$ implies $(\omega, <) \models A$.

(3) Let $\mathcal{F} = (\omega \cup \{\infty\}, R)$, with $mRn$ iff $m < n \in \omega$ or $n = \infty$. Show that


We distinguish two types of non-degenerate (i.e. $C \le C$) cluster. A simple cluster consists of a single reflexive point: $C = \{s\}$ with $sRs$. All clusters in the frame $(\omega, \le)$ are simple. A proper cluster is a (non-degenerate) cluster with at least two points. Observe that the relation $R$ is universal on any non-degenerate cluster.

If $R$ is connected, i.e.

$\forall s\,\forall t\,(sRt \vee s = t \vee tRs),$

then $<$ is a strict total ordering of clusters, and so takes the form of a sequence of clusters, as illustrated in the following diagram, where the bullets • depict degenerate clusters, and the circles are non-degenerate ones.

If $S$ is finite, then this sequence will have a first and a last cluster.

Balloons

A balloon is a finite transitive and connected frame whose last cluster is non-degenerate, while all other clusters are degenerate:

(there need not actually be any non-last clusters, so a finite universal frame, comprising a single non-degenerate cluster, is counted as a balloon).

Exercises 8.3

(1) If $\mathcal{F}$ is a balloon, show that $\mathcal{F} \models \Omega$.

(2) If $\mathcal{F}$ is a transitive frame that has a non-degenerate cluster $C$ that is not last (i.e. $C < C'$ for some cluster $C'$), show that $\mathcal{F} \not\models Z$.

Theorem 8.4. If $\mathcal{F}$ is a balloon, then $\mathcal{F}$ is a p-morphic image of $(\omega, <)$.

Proof. Let $S = \{s_0, \ldots, s_{n-1}, t_0, \ldots, t_{m-1}\}$, where $\{s_0\}, \ldots, \{s_{n-1}\}$ are the degenerate clusters in order (if there are any), and $\{t_0, \ldots, t_{m-1}\}$ is the non-degenerate last cluster. Define $f : \omega \to S$ by

$f(i) = s_i$ $(0 \le i < n)$

$f(n + q \cdot m + j) = t_j$ $(0 \le j < m,\ q \in \omega)$.

As a sequence, $f$ looks like

$s_0, \ldots, s_{n-1}, t_0, \ldots, t_{m-1}, t_0, \ldots, t_{m-1}, t_0, \ldots, t_{m-1}, \ldots$

with the last cluster repeated forever. Since $R$ is universal on this last cluster, the properties of a p-morphism are satisfied, as the reader should verify.
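The verification left to the reader in the proof of Theorem 8.4 can be run on concrete balloons. The following is an added example, not code from the book: it builds a balloon, applies the map f of the proof, and tests the forth and back conditions of a p-morphism; a map that passes through the last cluster only once is included to show why the cluster has to be repeated forever. The point labels and function names are assumptions made for the illustration.

```python
# Added illustration, not from the book: checks the p-morphism conditions for the map
# of Theorem 8.4 on a concrete balloon. Point labels ("s", i) / ("t", j) and all
# function names are assumptions made for this example.
from itertools import product


def balloon(n, m):
    """n degenerate clusters {s_0},...,{s_(n-1)} in order, then a last cluster
    {t_0,...,t_(m-1)} (m >= 1) on which R is universal. Returns (points, R)."""
    s_pts = [("s", i) for i in range(n)]
    t_pts = [("t", j) for j in range(m)]
    R = {(s_pts[i], s_pts[k]) for i in range(n) for k in range(i + 1, n)}
    R |= set(product(s_pts, t_pts))      # every s_i precedes the last cluster
    R |= set(product(t_pts, t_pts))      # universal (hence reflexive) last cluster
    return s_pts + t_pts, R


def theorem_8_4_map(n, m):
    """f(i) = s_i for i < n, and f(n + q*m + j) = t_j for 0 <= j < m."""
    return lambda i: ("s", i) if i < n else ("t", (i - n) % m)


def visit_once_map(n, m):
    """Contrast case: walks through the last cluster once, then stays at t_(m-1)."""
    return lambda i: ("s", i) if i < n else ("t", min(i - n, m - 1))


def check_p_morphism(g, n, m):
    """Test g : (omega, <) -> balloon(n, m) for the forth and back conditions.

    Both maps above are eventually periodic with preperiod and period at most
    n + m, so the values g(k) for k in (i, i + n + m] are all the values g takes
    after i, and indices i < n + m represent every later index.
    """
    points, R = balloon(n, m)
    span = n + m
    if {g(i) for i in range(span)} != set(points):
        return "not onto"
    for i in range(span):
        later = [g(k) for k in range(i + 1, i + span + 1)]
        if any((g(i), v) not in R for v in later):      # i < k must give g(i) R g(k)
            return "forth fails at %d" % i
        for u in points:                                 # g(i) R u needs some k > i
            if (g(i), u) in R and u not in later:        # with g(k) = u
                return "back fails at %d" % i
    return "ok"


if __name__ == "__main__":
    print(check_p_morphism(theorem_8_4_map(3, 2), 3, 2))   # the map of the proof
    print(check_p_morphism(visit_once_map(3, 2), 3, 2))    # the contrast case
```

The contrast map fails the back condition at the first index in the last cluster: t_0 is an R-alternative of itself, but no later natural number is sent to t_0.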


Completeness of K4DLZ

It follows from Theorem 8.4 that if $(\omega, <) \models A$, then $A$ is valid in all balloons. Thus to prove that the logic $\Omega$ is complete with respect to $(\omega, <)$, it suffices to show that it is complete with respect to the class of balloons, i.e. that any non-theorem of $\Omega$ is falsified by a model on some balloon. This will also show that $\Omega$ has the finite frame property, and so is decidable (cf. Theorem 4.7 and Exercise 4.8(2)).

Suppose then that $\nvdash_\Omega A$. As just explained, we want to find a balloon in which $A$ is not valid.

First Model. Since $\nvdash_\Omega A$, $A$ is false at some point $s_A$ in the canonical model $\mathcal{M}^\Omega$. In virtue of the schemata 4, D, and L, $\mathcal{M}^\Omega$ is transitive, serial, and weakly connected.

Second Model. Let $\mathcal{M} = (S, R, V)$ be the submodel of $\mathcal{M}^\Omega$ generated by $s_A$. Then by the Submodel Lemma 1.7, $A$ is false at $s_A$ in $\mathcal{M}$, and $\mathcal{M} \models \Omega$ because $\mathcal{M}^\Omega \models \Omega$.

Also, $R$ is transitive, serial, and connected (Exercise 3.11(1)).

Third Model. Let $\Gamma = Sf(A)$, and let

$\mathcal{M}^\tau = (S_\Gamma, R^\tau, V_\Gamma)$

be the transitive $\Gamma$-filtration of $\mathcal{M}$ (Exercise 4.5(3)). By the Filtration Lemma 4.3, $A$ is false at $|s_A|$ in $\mathcal{M}^\tau$. Also $S_\Gamma$ is finite (4.1), while $R^\tau$ is transitive, serial, and connected (4.5(5)).

Thus the frame of $\mathcal{M}^\tau$ consists of a finite sequence of clusters. Moreover, the last cluster, $C_x$ say, is non-degenerate. For, by seriality, there is some $y$ with $xR^\tau y$, and so $C_x \le C_y$. But then $C_x = C_y$, as $C_x$ is last, making $C_x \le C_x$.

However, at this point we cannot rule out the possibility that $\mathcal{M}^\tau$ has some non-degenerate cluster that is not last, so that the frame of $\mathcal{M}^\tau$ is not a balloon. Hence $\mathcal{M}^\tau$ may not be the model we are seeking.

Fourth Model. (Balloon Surgery)

If $\mathcal{M}^\tau$ does have a non-last cluster $C$ that is non-degenerate, then we could try to remove it by weakening the relation $R^\tau$ in $C$ to some strict total ordering, so that $C$ is replaced by a sequence of degenerate clusters. We would want to do this in such a way that the truth-values of members of $\Gamma$ were left unchanged, so that our non-$\Omega$-theorem $A$ is still false at $|s_A|$ in the new model.

The potential problem with this idea is that formulae of the form $\Box B$ that are false at certain points in $C$ in $\mathcal{M}^\tau$ may cease to be false, because the $R^\tau$-alternative at which $B$ is false may no longer be an alternative in the new model. However this turns out not to be a problem in the presence of the axiom schema Z, which is true in the second model $\mathcal{M}$.


Z-Lemma 8.5. Let $C_{|s|}$ be a non-last $R^\tau$-cluster. Then if $\Box B \in \Gamma$ and $\mathcal{M} \not\models_s \Box B$, there exists a point $t \in S$ with $\mathcal{M} \not\models_t B$ and $C_{|s|} < C_{|t|}$.

Proof. Let $\Box B$ be in $\Gamma$ and false at $s$ in $\mathcal{M}$.

Case 1. Suppose $\mathcal{M} \models_s \Diamond\Box B$. Then since $\mathcal{M} \models Z$,

$\mathcal{M} \not\models_s \Box(\Box B \to B),$

so there exists $t \in S$ with $sRt$, $\mathcal{M} \models_t \Box B$, and $\mathcal{M} \not\models_t B$. Then $|s|R^\tau|t|$, since $sRt$ and $R^\tau$ is a $\Gamma$-filtration of $R$. But since $\Box B$ is true at $t$ and false at $s$ in $\mathcal{M}$, the definition of $R^\tau$ implies that we do not have $|t|R^\tau|s|$. Hence the cluster of $|t|$ comes strictly after that of $|s|$.

Case 2. Suppose instead that $\mathcal{M} \not\models_s \Diamond\Box B$. Now since $C_{|s|}$ is not last, there exists $u \in S$ with $C_{|s|} < C_{|u|}$. Then we cannot have $uRs$ or $u = s$, or else $|u|R^\tau|s|$ or $|u| = |s|$, making $C_{|u|} \le C_{|s|}$. Hence, as $R$ is connected, $sRu$. Then in $\mathcal{M}$, since $\Diamond\Box B$ is false at $s$, $\Box B$ is false at $u$, so $B$ is false at some $t$ with $uRt$. We have $C_{|s|} < C_{|u|} \le C_{|t|}$, and so the Z-Lemma is proved.

Final Model

For each non-degenerate non-last cluster $C$ of $\mathcal{M}^\tau$, let $<_C$ be a strict total ordering of the points of $C$. Define

$$\mathcal{M}' = (S_\Gamma, R', V_\Gamma),$$

where $xR'y$ holds if and only if $xR^\tau y$ and either $x$ and $y$ do not belong to the same non-degenerate non-last cluster, or else $x <_C y$ for some such cluster $C$. Then the frame of $\mathcal{M}'$ is a balloon. For each $B \in \Gamma$ and $s \in S$ we have

$$\mathcal{M} \models_s B \text{ iff } \mathcal{M}' \models_{|s|} B. \qquad (\dagger)$$

This is proven by induction on the formation of $B$, using the fact that $R'$ is contained in $R^\tau$ and so satisfies the second filtration condition. The only problematic case in the proof is taken care of by the Z-Lemma.

It follows in particular that $\mathcal{M}' \not\models_{|s_A|} A$, so we have found our falsifying model on a balloon for the non-K4DLZ-theorem $A$. Since $S_\Gamma$ has at most $2^n$ elements, where $n$ is the number of subformulae of $A$, we also get the strong finite frame property for the logic K4DLZ.

Exercise 8.6

Work through the proof of $(\dagger)$.
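The surgery of the Final Model can be tried on a small finite frame. The Python sketch below is an added illustration, not code from the book: it computes clusters, performs the surgery, and compares the truth-values of a $\Box$-formula before and after, once where the relevant instance of $Z$ fails and once where a later falsifying point exists as in the Z-Lemma. The three-point models, the tuple encoding of formulae and all function names are constructed for this example, and "balloon" is assumed to mean that every non-last cluster is degenerate and the last cluster is non-degenerate.

```python
# Added illustration (not from the book). A frame is (points, R) with R a set
# of pairs; formulae are tuples: ('atom', p), ('imp', A, B), ('box', A), ('dia', A).

def clusters(points, R):
    """Clusters of a transitive connected frame, listed from first to last."""
    classes = []
    for x in points:
        for c in classes:
            if (x, c[0]) in R and (c[0], x) in R:
                c.append(x)
                break
        else:
            classes.append([x])
    # Position of a cluster = number of clusters strictly before it.
    return sorted(classes, key=lambda c: sum((d[0], c[0]) in R
                                             for d in classes if d is not c))

def degenerate(c, R):
    """A degenerate cluster is a single irreflexive point."""
    return len(c) == 1 and (c[0], c[0]) not in R

def is_balloon(points, R):
    cl = clusters(points, R)
    return not degenerate(cl[-1], R) and all(degenerate(c, R) for c in cl[:-1])

def surgery(points, R):
    """R': each non-degenerate non-last cluster becomes a strict total order."""
    rank = {}
    for k, c in enumerate(clusters(points, R)[:-1]):
        if not degenerate(c, R):
            for i, x in enumerate(c):
                rank[x] = (k, i)          # <_C is the listing order of C
    def keep(x, y):
        same = x in rank and y in rank and rank[x][0] == rank[y][0]
        return (not same) or rank[x][1] < rank[y][1]
    return {(x, y) for (x, y) in R if keep(x, y)}

def holds(R, V, x, A):
    op = A[0]
    if op == 'atom':
        return x in V[A[1]]
    if op == 'imp':
        return (not holds(R, V, x, A[1])) or holds(R, V, x, A[2])
    succ = [y for (w, y) in R if w == x]
    if op == 'box':
        return all(holds(R, V, y, A[1]) for y in succ)
    if op == 'dia':
        return any(holds(R, V, y, A[1]) for y in succ)
    raise ValueError(op)

def schema_z(B):
    """Z instance: box(box B -> B) -> (dia box B -> box B)."""
    box_b = ('box', B)
    return ('imp', ('box', ('imp', box_b, B)), ('imp', ('dia', box_b), box_b))

def changed(points, R, V, A):
    """Points where the truth-value of A differs before and after surgery."""
    R2 = surgery(points, R)
    return [x for x in points if holds(R, V, x, A) != holds(R2, V, x, A)]

# Constructed frame: non-degenerate cluster {a, b}, then a reflexive last point c.
POINTS = ['a', 'b', 'c']
R = {('a', 'a'), ('a', 'b'), ('b', 'a'), ('b', 'b'),
     ('a', 'c'), ('b', 'c'), ('c', 'c')}
P, BOX_P = ('atom', 'p'), ('box', ('atom', 'p'))
V_BAD = {'p': {'a', 'c'}}    # p fails only inside the cluster: Z fails at b
V_GOOD = {'p': {'a'}}        # p also fails at the later point c, as in the Z-Lemma

if __name__ == '__main__':
    print(is_balloon(POINTS, R), is_balloon(POINTS, surgery(POINTS, R)))
    print(changed(POINTS, R, V_BAD, BOX_P), holds(R, V_BAD, 'b', schema_z(P)))
    print(changed(POINTS, R, V_GOOD, BOX_P))
```

With `V_BAD` the formula $\Box p$ becomes true at `b` after surgery, which is exactly the "potential problem" the text describes; with `V_GOOD` nothing changes.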


Completeness for KW

The schema $Z$ is weaker than the ubiquitous

$$W : \Box(\Box A \to A) \to \Box A,$$

and if we had $\mathcal{M} \models W$ in the proof of the Z-Lemma, Case 2 would become redundant, therefore so too would the hypotheses that $R$ is connected and $C_{|s|}$ is not last. From this observation, a completeness proof for KW readily emerges:

Exercises 8.7

(1) Prove that KW is determined by the class of finite strict orderings,and is decidable (remember that KW = K4W).

(2) (Alternative completeness proof.) If $\Gamma$ is a finite set of formulae closed under subformulae, and $\mathcal{M}$ is the canonical model of a normal logic containing KW, define

$$\mathcal{M}' = (S_\Gamma, R', V_\Gamma),$$

where

$$xR'y \text{ iff } xR^\tau y \text{ and not } yR^\tau x.$$

Prove that $R'$ is a strict ordering, and that

$$\mathcal{M} \models_s B \text{ iff } \mathcal{M}' \models_{|s|} B$$

for all $B \in \Gamma$. Use this to obtain the results of Exercise (1).

Dense and Continuous Time

It was claimed in §6 that the real-number and rational-number frames $(\mathbb{R}, <)$ and $(\mathbb{Q}, <)$ determine the same logic. This logic is K4DLX, where $X$ is the schema

corresponding to the condition of weak density on $R$ (Theorems 1.12, 1.13, 3.6). The following exercises show how to prove these determination results, and also the corresponding results for reflexive time. The latter involve the logic S4.3.

Exercises 8.8

Let $P$ be either $\mathbb{R}$ or $\mathbb{Q}$. A right-open interval in $P$ is a subset of $P$ having one of the forms

$$[r,q) = \{p \in P : r \le p < q\}, \qquad (r,q) = \{p \in P : r < p < q\},$$


for some $r$ and $q$. In each case, $q$ is the right end-point of the interval. We allow $q = \infty$ here, with, as usual,

$$[r,\infty) = \{p \in P : r \le p\} \text{ and } (r,\infty) = \{p \in P : r < p\}.$$

Observe that by the density of $<$ in $P$, any right-open interval can be decomposed as the disjoint union of $n$ right-open intervals, for any positive integer $n$.

Next, let $\mathcal{M}$ be a generated submodel of the canonical model for K4DLX, and $\mathcal{M}^\tau$ the transitive $\Gamma$-filtration of $\mathcal{M}$ for a suitable finite $\Gamma$, as in the completeness proof for K4DLZ.

(1) Show that for any right-open interval $I$ in $P$, the frame $(I, <)$ can be mapped p-morphically onto any non-degenerate cluster in $\mathcal{M}^\tau$ (hint: choose in the interval a strictly increasing sequence that converges to the right end-point, and adapt the construction of Theorem 8.4).

(2) Show that $\mathcal{M}^\tau$ does not contain any adjacent degenerate clusters, i.e. any degenerate cluster is immediately followed by a non-degenerate one (hint: this uses connectedness as well as weak density of $R$).

(3) Let $I$ be a right-open interval in $(P, <)$ of the form $[r, q)$. Apply the previous two exercises to show that there is a p-morphism from $(I, <)$ onto the frame of $\mathcal{M}^\tau$, by mapping appropriate subintervals onto non-degenerate clusters, and the right end-points of intervals onto any degenerate clusters that may be present. Deduce that

$$(I, <) \models A \text{ iff } \vdash_{K4DLX} A.$$

(4) Use the Submodel Lemma 1.7 to show that the determination result of Exercise 3 can be extended to hold for $I = (r, q)$ for any $r$, including $r = -\infty$, and in particular for $I = \mathbb{R}$ and $I = \mathbb{Q}$.

(5) Adapt the above constructions to show that if $I$ is a right-open interval in $P$, or any of the sets listed in the previous exercise, then

$$(I, \le) \models A \text{ iff } \vdash_{S4.3} A.$$

(6) Having worked through the foregoing, it should be becoming clear just what properties of a total ordering suffice for it to determine one of the logics K4DLX and S4.3. Write down a minimal list of properties that suffice in each case.

The Discrete Diodorean Case

The logic determined by the reflexive frame $(\omega, \le)$ is S4.3Dum, that is to say KT4LDum, where the schema Dum (named for Michael Dummett), is

$$\Box(\Box(A \to \Box A) \to A) \to (\Diamond\Box A \to A).$$


$R^c$-Lemma 8.11. If $\Box B \in \Gamma$ and $\mathcal{M} \not\models_s \Box B$, then there exists $t$ with $\mathcal{M} \not\models_t B$ and $|s|R^c|t|$. Moreover, if $|s|$ is not in the head of its $R^\tau$-cluster, then not $|t|R^c|s|$, i.e. $|t|$ is in a later $R^c$-cluster than $|s|$.

Proof. Let $C$ be the $R^\tau$-cluster of $|s|$, and let $z$ be a member of the head $C^H$ of $C$. Then $|s|R^c z$.

Next, let $X$ be the union of all the $R^c$-clusters that precede the $R^c$-cluster $C^H$, i.e.

$$X = \{x \in S_\Gamma : xR^c z \text{ and not } zR^c x\}.$$

Then if $X = \{x_0, \ldots, x_m\}$, for each $j \le m$ we have not $zR^c x_j$, and so there exists $s_j \in z$ such that not $s_jRt$ for all $t \in x_j$.

Now as $R$ is connected, the $s_j$'s are $R$-ordered in some fashion, so we may assume that $s_0Rs_1 \cdots Rs_m$. Then if $s_mRt$, we cannot have $t \in x_j$ for any $j$, or else as $s_jRs_m$, we get $s_jRt$, contrary to the definition of $s_j$. Thus

$$s_mRt \text{ implies } |t| \notin X.$$

Next observe that $\mathcal{M} \not\models_{s_m} \Box B$. For, since $\mathcal{M} \not\models_s \Box B$, $\mathcal{M} \not\models_u B$ for some $u \in S$ with $sRu$. Then $|s|R^\tau|u|$. But $|s_m|R^\tau|s|$, since $|s_m|$ and $|s|$ have the same $R^\tau$-cluster $C$, so $|s_m|R^\tau|u|$, ensuring that $\mathcal{M} \not\models_{s_m} \Box B$ by filtration condition (F2).

Hence $\mathcal{M} \not\models_t B$ for some $t$ such that $s_mRt$. But then $|t| \notin X$, as above, so the $R^c$-cluster of $|t|$ does not precede that of $z$, implying that $zR^c|t|$, and hence $|s|R^c|t|$.

Finally, if $|s| \notin C^H$, then not $zR^c|s|$, and so not

Corollary 8.12. If $\mathcal{M}^c = (S_\Gamma, R^c, V_\Gamma)$, then for any $B \in \Gamma$ and $s \in S$,

$$\mathcal{M} \models_s B \text{ iff } \mathcal{M}^c \models_{|s|} B.$$

Proof. Exercise.

Completeness for S4.3Dum

The construction of $\mathcal{M}^c$ just described will give a finite falsifying model for any non-theorem of any normal logic $\Lambda$ containing S4.3. But to use this in a completeness theorem for $\Lambda$ we would need to show that $\mathcal{M}^c$ validates $\Lambda$. In the case of S4.3Dum we achieve this by using Dum to show that every non-last $R^c$-cluster is simple. For this purpose, a further general result is needed.


Definability Lemma 8.13. For any $X \subseteq S_\Gamma$, there is a formula $B_X$ (a truth-functional combination of members of $\Gamma$) such that for all $s \in S$,

$$\mathcal{M} \models_s B_X \text{ iff } |s| \in X.$$

Proof. For each $t \in S$, let $B_t$ be the conjunction of the (finitely many) formulae in the set

Then

$$\mathcal{M} \models_s B_t \text{ iff } s \sim_\Gamma t \text{ iff } |s| = |t|.$$

Now $S_\Gamma$ is finite, since $\Gamma$ is finite. So if

$$X = \{|t_1|, \ldots, |t_n|\},$$

we can take $B_X$ to be

$$B_{t_1} \lor \cdots \lor B_{t_n}.$$

Dum-Lemma 8.14. If $\mathcal{M} \models Dum$, then every non-last $R^c$-cluster is simple.

Proof. Let $C$ be a non-last $R^c$-cluster, and take $x \in C$. Then there must be some $y \in S_\Gamma$ such that $xR^c y$ but not $yR^c x$.

By 8.13, there is a formula $B$ that defines in $\mathcal{M}$ the set $X = \{s : |s| \ne x\}$. In other words, for all $s \in S$,

$$\mathcal{M} \models_s B \text{ iff } s \notin x. \qquad (i)$$

Since not $yR^c x$, there exists some $t \in y$ such that if $tRu$ then $u \notin x$ and so $\mathcal{M} \models_u B$ by (i). Thus

$$\mathcal{M} \models_t \Box B. \qquad (ii)$$

Now pick any $s \in x$. Then not $tRs$, so by $R$-connectedness $sRt$. Hence from (ii),

$$\mathcal{M} \models_s \Diamond\Box B. \qquad (iii)$$

But $\mathcal{M} \not\models_s B$ by (i), so from (iii) and $\mathcal{M} \models Dum$ it follows that

$$\mathcal{M} \not\models_s \Box(\Box(B \to \Box B) \to B).$$

Hence there exists $u \in S$ with $sRu$,

$$\mathcal{M} \models_u \Box(B \to \Box B), \qquad (iv)$$

and $\mathcal{M} \not\models_u B$. Whence $u \in x$ by (i).

Now suppose, for the sake of contradiction, that $C$ is not simple. Then there exists some $z \in C$ with $z \ne x$. Thus $xR^c z$, and so as $u \in x$, $uRv$ for some $v \in z$. It follows from (iv) that $\mathcal{M} \models_v B \to \Box B$. But $\mathcal{M} \models_v B$, since $v \in z \ne x$, so this leads to $\mathcal{M} \models_v \Box B$. However, since $z, x \in C$ we have $zR^c x$, so $vRw$ for some $w \in x$. Then $\mathcal{M} \models_w B$, which is our desired contradiction in view of (i).


Finite Frame Property for S4.3Dum

By 8.12 and 8.14, each non-theorem of S4.3Dum can be invalidated by a finite reflexive transitive and connected frame in which every non-last cluster is simple (has only one element). But every such frame is a p-morphic image of $(\omega, \le)$ (by a construction similar to that in Theorem 8.4), and hence is an S4.3Dum-frame. This establishes the finite frame property for S4.3Dum, and the fact that the logic is determined by $(\omega, \le)$. (At this point the reader could proceed directly to §9.)

Exercises 8.15

(1) Fill in all the details of the argument just given.

(2) A variant of Dum is the schema

$$Dum^* : \Box(\Box(A \to \Box A) \to A) \to (\Diamond\Box A \to \Box A).$$

Use the completeness theorem just given to show that S4.3Dum = S4.3Dum*.

(3) Show that the smallest normal logic containing S4.3 and the schema

$$\Box(\Box(A \to \Box A) \to A) \to A$$

is determined by the class of finite reflexive total orderings, and also by the frame $(\omega, \ge)$. Show further that an alternative to this schema for the logic in question is

$$\Box(\Box(A \to \Box A) \to A) \to \Box A$$

Bull's Theorem

One of the more striking results in the metatheory of propositional modal logic is that every uniform normal extension of S4.3 has the finite model property. This was shown by Bull [1966], using algebraic models (Boolean algebras with a unary operator interpreting $\Box$). A frame-theoretic argument was given by Fine [1971]. By utilising our description of the relationship between $R^c$ and $R^\tau$ clusters, it is possible to give a very clear account of how Fine's proof works.

Let $\Lambda$ be any uniform normal logic containing S4.3, i.e. containing the schemata T, 4, and L. Suppose that $\nvdash_\Lambda A$. We want then to construct a finite $\Lambda$-model that falsifies $A$. Let $\mathcal{M} = (S, R, V)$ be the submodel of the canonical $\Lambda$-model generated by some point $s_A$ with $A \notin s_A$. Put $\Gamma = Sf(\Box A)$ (the reason for including $\Box A$ in $\Gamma$ will be revealed later).

Now we saw in the completeness proof for S4.3Dum that the models $\mathcal{M}^\tau$ and $\mathcal{M}^c$ will falsify $A$, but neither can be guaranteed to be a $\Lambda$-model.


To construct a $\Lambda$-model that rejects $A$, we will remove all but the head from each $R^\tau$-cluster.

A point $z \in S_\Gamma$ is called essential if it belongs to the head of its own $R^\tau$-cluster. Let

$$E = \{x : x \text{ is essential}\}$$

be the union of all the heads of $R^\tau$-clusters. Notice that the relations $R^\tau$ and $R^c$ are identical when restricted to $E$.

Now define a map $f : S \to E$, as follows. For each $R^\tau$-cluster $C$, let $x_C$ be a fixed, but arbitrarily chosen, member of the head of $C$. Put $f(s) = |s|$ if $|s|$ is essential, and otherwise let $f(s) = x_C$, where $C$ is the $R^\tau$-cluster of $|s|$. In both cases, $|s|$ and $f(s)$ are in the same $R^\tau$-cluster, so $f(s)R^\tau|s|$ and $|s|R^\tau f(s)$. Moreover, since $f(s)$ is in the head, we invariably have $|s|R^c f(s)$.

Lemma 8.16. $f$ is a p-morphism from $(S, R)$ onto $(E, R^\tau)$.

Proof. First, if $sRt$, then $f(s)R^\tau|s|R^\tau|t|R^\tau f(t)$, and so $f(s)R^\tau f(t)$ as $R^\tau$ is transitive.

Second, suppose $f(s)R^\tau x$, with $x \in E$. Then $f(s)R^c x$. But $|s|R^c f(s)$, so $|s|R^c x$, implying that there is a $t$ with $sRt$ and $t \in x$, hence $f(t) = x$. This establishes the two p-morphism conditions for $f$.

Lemma 8.17. For any $Y \subseteq E$, there is a formula $B_Y$ such that for all $s \in S$,

$$\mathcal{M} \models_s B_Y \text{ iff } f(s) \in Y.$$

Proof. By the way $f$ was constructed, using the fixed elements $x_C$, $f$ preserves $\Gamma$-equivalence classes, i.e.

$$t \in |s| \text{ implies } f(t) = f(s).$$

Thus the set $\{s : f(s) \in Y\}$ is a union of equivalence classes, and so there is an $X \subseteq S_\Gamma$ such that

$$f(s) \in Y \text{ iff } |s| \in X.$$

But then taking $B_Y$ to be the formula $B_X$ of Definability Lemma 8.13 gives the desired result.

The Finite $\Lambda$-Model

A model $\mathcal{M}_E = (E, R^\tau, V_E)$ on $E$ is now defined by putting $V_E(p) = E$ if $p \notin \Gamma$, and otherwise

$$V_E(p) = \{|s| \in E : s \in V(p)\} = V_\Gamma(p) \cap E,$$


so that $V_E$ is defined on the whole of $Fma(\Phi)$ (the definition on $\Phi - \Gamma$ is immaterial). By Lemma 8.17, for each $p \in \Phi$ there is a formula $B_p$ such that

$$\mathcal{M} \models_s B_p \text{ iff } f(s) \in V_E(p).$$

For any formula $B$, let $B'$ be the result of uniformly replacing each atomic $p$ occurring in $B$ by $B_p$. Precisely:

$$p' = B_p, \quad \bot' = \bot, \quad (B \to D)' = B' \to D', \quad (\Box B)' = \Box(B').$$

Then for all $B \in Fma(\Phi)$, we get

B. t)

The case $B = p \in \Phi$ of this result is given by the definition of $B_p$, and the inductive cases are straightforward, as $f$ is a p-morphism.

It now follows that $\mathcal{M}_E$ is a $\Lambda$-model. For if $\vdash_\Lambda B$, then since $\Lambda$ is a uniform logic, $\vdash_\Lambda B'$. Thus $\mathcal{M} \models B'$ (because $\mathcal{M}$ is a generated submodel of $\mathcal{M}^\Lambda$), and hence $\mathcal{M}_E \models B$ by $(\dagger)$. It remains to show that $\mathcal{M}_E$ rejects the non-$\Lambda$-theorem $A$.

Lemma 8.18. If $\Box B \in \Gamma$ and $\mathcal{M} \not\models_s \Box B$, then $\mathcal{M} \not\models_t B$ for some $t$ such that $|s|R^\tau|t|$ and $|t| \in E$.

Proof. If $\mathcal{M} \not\models_s \Box B$, then $\mathcal{M} \not\models_t B$ for some $t$ with $sRt$ and so $|s|R^\tau|t|$. If $|t| \in E$, we are done. Otherwise, since $\mathcal{M} \models (\Box B \to B)$, we have $\mathcal{M} \not\models_t \Box B$, and so by the $R^c$-Lemma 8.11, $\mathcal{M} \not\models_u B$ for some $u$ with $|u|$ in a later $R^c$-cluster than $|t|$. If $|u| \notin E$, we repeat the argument to obtain $\mathcal{M} \not\models_v B$ for some $v$ with $|v|$ in a later $R^c$-cluster than $|u|$. Since the sequence of $R^c$-clusters is finite in length, this process cannot move forward ad infinitum, and must end, in the very last $R^c$-cluster if not before, with the desired conclusion.

Corollary 8.19. If $|s| \in E$, then for any $B \in \Gamma$,

$$\mathcal{M} \models_s B \text{ iff } \mathcal{M}_E \models_{|s|} B.$$

Proof. The atomic case holds by definition of $V_E$. The inductive case of $\Box$ is taken care of by the definition of $R^\tau$ and Lemma 8.18.

It is now apparent why we put the formula $\Box A$ into $\Gamma$. For, since $\mathcal{M}$ is a T-model and $\mathcal{M} \not\models_{s_A} A$ we get $\mathcal{M} \not\models_{s_A} \Box A$, so by Lemma 8.18 there exists $t$ such that $|t| \in E$ and $\mathcal{M} \not\models_t A$. Then by Corollary 8.19, $\mathcal{M}_E \not\models_{|t|} A$, showing that the finite $\Lambda$-model $\mathcal{M}_E$ falsifies the non-$\Lambda$-theorem $A$. This completes the proof of Bull's Theorem that every uniform normal logic containing S4.3 has the finite model property, and hence has the finite frame property (Exercise 4.9(5)).


Linear Temporal Logics

For the remainder of this section we return to the $[F]$-$[P]$-language of temporal logic, in which the formula $\Box A$ is introduced as short-hand for

(at this point it would be appropriate to review the material of §6).

A linear temporal logic is any normal logic in this language that contains the smallest temporal logic $K_t$, and also the schemata

and

The smallest linear temporal logic will be denoted Lin. In view of Exercises 6.3, it follows that Lin is determined by the class of transitive, weakly future-connected, and weakly past-connected frames. Indeed, the canonical model $\mathcal{M}^\Lambda$ of any linear temporal logic $\Lambda$ has these properties. Hence any generated submodel $\mathcal{M}$ of such a canonical model is transitive and connected (Exercise 6.5(3)). Consequently, a temporal filtration $\mathcal{M}^\tau$ of such a generated subframe will also be transitive and connected ($\mathcal{M}^\tau$ was defined just prior to Exercises 6.6).

We will consider the completeness problem for the three standard types of irreflexive linear time.

Discrete Time

Let LinDisc be the smallest linear temporal logic containing the schemata

$D_F$ : $\langle F \rangle \top$
$D_P$ : $\langle P \rangle \top$
$Z_F$ :

Then LinDisc is determined by the integer frame $(\mathbb{Z}, <)$. The proof of this is a straightforward adaptation of the proof that the modal logic K4DLZ is determined by the frame $(\omega, <)$. In LinDisc there is complete symmetry between the past and future operators. $D_F$ makes the last cluster in a finite filtration $\mathcal{M}^\tau$ be non-degenerate, while $D_P$ does the same to the first cluster. $Z_F$ allows all non-last clusters to be modifiable without affecting the truth-values of formulae of the type $[F]B$ from $\Gamma$. Similarly, by the $Z_P$-analogue of the Z-Lemma 8.5, $Z_P$ allows all non-first clusters to be modified without affecting $[P]B$-type formulae. So, we replace each cluster except the first and last by a strict total ordering of its elements, treat the last cluster in the same manner as in Theorem 8.4, and apply the mirror image of this treatment to the first cluster, to get a temporal p-morphism from $(\mathbb{Z}, <)$ onto the frame of $\mathcal{M}^\tau$.


Beginning Time

Let LinDisc$^\omega$ be the logic that results when the schema $Z_P$ in the definition of LinDisc is replaced by

$$W_P : [P]([P]A \to A) \to [P]A,$$

and $D_P$ is deleted.

$W_P$ allows any cluster in $\mathcal{M}^\tau$ to be modified without affecting truth of $[P]B$-type formulae from $\Gamma$. Hence the K4DLZ construction of Theorem 8.4 applies directly to show that LinDisc$^\omega$ is determined by the time-frame $(\omega, <)$. In fact, by including the formula $[P]\bot$ in $\Gamma$, we can obtain this result using only the special case $A = \bot$ of $W_P$, for then the first cluster is already in the desired form:

Exercise 8.20

Let $\mathcal{M}^\tau$ be a finite temporal $\Gamma$-filtration of a generated submodel of the canonical LinDisc$^\omega$-model. Suppose $[P]\bot \in \Gamma$. Then if $|s|$ belongs to the first cluster of $\mathcal{M}^\tau$, show that $[P]\bot \in s$. Deduce that this first cluster is degenerate. (It might be useful here to note that when $A = \bot$, $W_P$ is equivalent to $[P]\bot \lor$

Rational Time

Let LinRat be the smallest normal extension of Lin that contains the schemata $D_F$, $D_P$, and

$$X_F : [F][F]A \to [F]A.$$

Then LinRat is the temporal logic determined by the rational-number frame $(\mathbb{Q}, <)$.

The effect of axioms $D_F$ and $D_P$ has already been noted: they force the first and last clusters to be non-degenerate in any finite filtration $\mathcal{M}^\tau$ of a generated submodel of the canonical LinRat-model. The effect of $X_F$ is then to force any degenerate cluster in $\mathcal{M}^\tau$ to be immediately followed by a non-degenerate one (cf. Exercise 8.8(2)). Knowing this, the following result can be obtained, and gives the asserted completeness theorem.

Theorem 8.21. There is a temporal p-morphism from $(\mathbb{Q}, <)$ onto the frame of $\mathcal{M}^\tau$.

Proof. By a rational open interval we mean a set of the form

$$(r,q) = \{x \in \mathbb{Q} : r < x < q\},$$


Real Time

LinRe is the smallest normal extension of LinRat that contains the schema

$$Cont : \Box([P]A \to \langle F \rangle [P]A) \to ([P]A \to [F]A).$$

Exercise 6.4(4) asked the reader to show that Cont is valid in the real-number time-frame $(\mathbb{R}, <)$. To prove that LinRe is determined by this frame, we adapt the argument given in Theorem 8.21 for LinRat, this time using real open intervals

$$(r,q) = \{x \in \mathbb{R} : r < x < q\},$$

where again the end-points are either reals, or $\pm\infty$.

Working now with a finite temporal $\Gamma$-filtration $\mathcal{M}^\tau$ of a generated submodel $\mathcal{M} = (S, R, V)$ of the canonical LinRe-model, we try to map $(\mathbb{R}, <)$ onto the frame of $\mathcal{M}^\tau$ by a temporal p-morphism. A problem comes up if we strike a non-degenerate cluster $C$ in $\mathcal{M}^\tau$ that is immediately succeeded by a cluster $D$ that is also non-degenerate. Having mapped a real open interval $(r, q)$ p-morphically onto $C$, we cannot then treat $D$ similarly without leaving out the end-point $q$.

This problem would not arise if in $\mathcal{M}^\tau$ there were no adjacent non-degenerate clusters (for $D$ would then have to be degenerate, and we could map $q$ to its unique element). However it does not seem possible to prevent pairs

$$\cdots - \bigcirc - \bigcirc - \cdots$$

of adjacent non-degenerate clusters from occurring. Instead we will have to show that the model $\mathcal{M}^\tau$ has a certain property that allows it to be modified, by inserting a new degenerate cluster between any such pair, creating the configuration

$$\cdots - \bigcirc - \bullet - \bigcirc - \cdots$$

and thereby removing the problem - without altering the truth-values of members of $\Gamma$ at any of the old points of $\mathcal{M}^\tau$. The idea of this construction comes from Segerberg [1970], although the axiom Cont we use, and the argument in which it is applied (in Lemma 8.23), are different.

So, let $C$ and $D$ be non-degenerate clusters in $\mathcal{M}^\tau$ that are adjacent, with $C < D$. An element $s$ of the sub-canonical model $\mathcal{M}$ will be called $C$-greatest if

$$|s| \in C, \text{ and } \forall t \in S\ (sRt \text{ implies } |t| \notin C).$$

Dually, $s$ is $D$-least if

$$|s| \in D, \text{ and } \forall t \in S\ (tRs \text{ implies } |t| \notin D).$$

These notions may be intuitively related to the situation in the real-number frame $(\mathbb{R}, <)$, where the element $z$ that fills a cut $(X, Y)$ (i.e. has $x \le z \le y$ for $x \in X$ and $y \in Y$) must be either a greatest element of $X$, or a least element of $Y$.


Filling The Cut

Armed now with Lemma 8.23, we enlarge the model $\mathcal{M}^\tau$ to a new model $\mathcal{M}'$ as follows. Suppose that there is a $C$-greatest element $\gamma$ in $\mathcal{M}$. $\mathcal{M}'$ is then based on the frame $(S', R')$, where

$$S' = S_\Gamma \cup \{\gamma\}, \text{ and}$$

$$R' = R^\tau \cup \{(x, \gamma) : x \in S_\Gamma \ \&\ C_x \le C\} \cup \{(\gamma, x) : x \in S_\Gamma \ \&\ D \le C_x\}.$$

Let $f : S' \to S_\Gamma$ have $f(\gamma) = |\gamma|$, and otherwise $f(x) = x$. For each $x \in S'$, put

$$\mathcal{M}' \models_x p \text{ iff } \mathcal{M}^\tau \models_{f(x)} p.$$

Thus $\mathcal{M}'$ arises by inserting $\gamma$ as a new irreflexive element (degenerate cluster) between $C$ and $D$ in $\mathcal{M}^\tau$.

Lemma 8.24. For any $B \in \Gamma$, and any $x \in S'$,

$$\mathcal{M}' \models_x B \text{ iff } \mathcal{M}^\tau \models_{f(x)} B.$$

Proof. Since $C$ is non-degenerate, we have that

$$xR'y \text{ implies } f(x)R^\tau f(y), \qquad (\dagger)$$

for all $x, y \in S'$, and this suffices to prove the inductive cases of $[P]B$ and $[F]B$ from right to left. For the converses, suppose first that $\mathcal{M}^\tau \not\models_{f(x)} [F]B$. A little reflection reveals that the only problematic case is when $x = \gamma$. But then $f(x) = |\gamma|$, and so by the Filtration Lemma, $\mathcal{M} \not\models_\gamma [F]B$, hence $\mathcal{M} \not\models_t B$ for some $t$ with $\gamma Rt$. Since $\gamma$ is $C$-greatest, $|t| \notin C$, so as $|\gamma|R^\tau|t|$, $C < C_{|t|}$, and therefore $\gamma R'|t|$ in $\mathcal{M}'$. But $\mathcal{M}^\tau \not\models_{|t|} B$, so applying the induction hypothesis on $B$, we then get $\mathcal{M}' \not\models_\gamma [F]B$.

Finally the inductive case that $\mathcal{M}' \models_x [P]B$ implies $\mathcal{M}^\tau \models_{f(x)} [P]B$ is straightforward, since $(\dagger)$ holds for all $x \in S'$ when $y = \gamma$.

Exercise 8.25

Adapt the construction of $\mathcal{M}'$ to the case that there is instead a $D$-least element, and prove Lemma 8.24 for that case.

Now by iterating the $\mathcal{M}'$-construction a finite number of times, we obtain a model $\mathcal{M}''$ with no adjacent non-degenerate clusters, no adjacent degenerate ones, and non-degenerate first and last clusters. A temporal p-morphism can then be constructed from $(\mathbb{R}, <)$ onto the frame of $\mathcal{M}''$, as discussed above. But by Lemma 8.24 (iterated), any $\Gamma$-formula falsifiable in $\mathcal{M}^\tau$ is falsifiable in $\mathcal{M}''$, and hence falsifiable in a model based on $(\mathbb{R}, <)$.

Exercise 8.26Axiomatise the temporal logics determined by (Z , < ), (w, <), and (E, <)(cf. Segerberg [1970] for some answers).


9 Temporal Logic of Concurrency

Consider the following description of a "concurrent" program (adapted from Pnueli [1981]). There are $n$ different processes acting in parallel, using a shared memory environment, so that each can alter the values of variables used by the others. For illustrative purposes, the processes may be thought of as disjoint flowcharts, with labelled nodes. A typical node of the $i$-th process is denoted $m^i$. Each process has an entry node $m_0^i$. If the program variables are $v_1, \ldots, v_k$, then a state may be defined as a vector

specifying a label for each process (denoting the point that the process is currently at), and a current value $a_i$ for each variable $v_i$. Predicates $at_i$ of labels will be used, with the semantics

$$\models_s at_i(m) \text{ iff } m = m^i.$$

Each successive state is to be obtained from its predecessor by exactly one process being chosen to execute one transition in its flow chart. Thus from an initial state

$$s_0 = (m_0^1, \ldots, m_0^n, a_1, \ldots, a_k),$$

many different execution sequences $s_0, s_1, \ldots$ may be generated, depending on which process gets chosen to act at each step. Some interesting properties of such sequences can be formulated by reading the connective $\Box$ as "at all states from now on".

Deadlock Freedom

Deadlock occurs when no processor can act. The requirement that deadlock does not occur at $(m^1, \ldots, m^n)$ can be expressed by

$$\Box(at_1(m^1) \land \cdots \land at_n(m^n) \to E_1 \lor \cdots \lor E_n),$$

where $E_i$ is the exit condition for node $m^i$ consisting of the disjunction of the propositions labelling edges out of $m^i$ (the truth of such a proposition being the requirement for the process to be able to proceed along that edge).


Mutual Exclusion

$$\Box\neg(at_i(m) \land at_j(m'))$$

asserts that the program can never simultaneously access $m$ and $m'$.

Accessibility

$$\Box(at_i(m) \to \Diamond at_j(m'))$$

expresses that if the program ever reaches $m$ it will eventually proceed from there to $m'$.

Correctness

A partial correctness assertion about a program states that if the program works as was intended, then a certain condition $\psi$ must be true after termination, given that some condition $\varphi$ was true at the start. Illustrating with a program having a single entry label $m_0$, and exit $m_e$, this can be formalised as

$$\land\ \varphi \to \Box(at(m_e) \to \psi).$$

Total correctness includes the assertion that the program will halt:

$$at(m_0) \land \varphi \to \Diamond(at(m_e) \land \psi).$$

Responsiveness

An operating system may receive requests ($r_i$) from various agents, to whom it will signal ($g_i$) when it grants the request. The formula

expresses that a request is always eventually honoured.

Absence of Unsolicited Response

This example, from Gabbay et. al. [1980], uses the connective U (until) toexpress the requirement that if a response is to occur, it will not do so untila request has been received:

Further explanations of how temporal logic is used in applications to computer science may be found in Manna and Pnueli [1981], Hailpern [1982], Moszkowski [1986], and several articles in Galton [1987] and de Bakker et al. [1989].


Axioms

Let $\Theta$ be the smallest logic in the language just described that contains the schemata

$K$ : $\Box(A \to B) \to (\Box A \to \Box B)$
$K_\bigcirc$ : $\bigcirc(A \to B)$
Fun : $\bigcirc\neg A \leftrightarrow \neg\bigcirc A$
Mix : $\Box A \to A \land$
Ind : $\Box(A \to \bigcirc A) \to (A \to \Box A)$
$U1$ : $A\,\mathcal{U}\,B \to \Diamond B$

and is closed under Necessitation for $\Box$ and $\bigcirc$, i.e.,

$$A \in \Theta \text{ implies } \Box A, \bigcirc A \in \Theta.$$

The roles of $K$, $K_\bigcirc$, and the Necessitation rules are now familiar. The axiom Fun expresses the interpretation of $\bigcirc$ by a total function, while Mix and Ind together correspond to the interpretation of $\Box$ by the reflexive transitive closure of the interpretation of $\bigcirc$. The reflexivity schema $T : \Box A \to A$ is immediately implied by Mix. For the transitivity schema 4, see Theorem 9.2 below. Ind by itself expresses the induction principle that any set which contains $\sigma_j$ and is closed under the taking of successor states must contain all states from $\sigma_j$ on.

Exercises 9.1

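(1) (Soundness). Prove that $\sigma \models \Theta$ for any state sequence $\sigma$.

(2) Show that $\vdash_\Theta A \to \bigcirc A$ implies $\vdash_\Theta A \to \Box A$.

(3) $\vdash_\Theta \bigcirc\Box A \to \bigcirc A$.

(4) $\vdash_\Theta \Box A \to \bigcirc A$.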

Theorem 9.2. The following schemata are 0-derivable.

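(1) 4: $\Box A \to \Box\Box A$

(2) $\bigcirc\Box A \to \Box\bigcirc\Box A$

(3) $\bigcirc\Box A \to \bigcirc(A \land \bigcirc\Box A)$

(4) $A \land \bigcirc\Box A \to \Box A$

(5) $\bigcirc\Box A \to \Box(A \to \Box A)$

(6) Dum: $\Box(\Box(A \to \Box A) \to A) \to (\Diamond\Box A \to A)$

Proof. We indicate the main points. The rest involves tautological reasoning, and principles that hold for all normal logics.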


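(1) From $\Box A \to \bigcirc\Box A$ (by Mix) and Exercise 9.1(2).

(2) From Mix, $K_\bigcirc$-principles, and 9.1(2).

(3) Use 9.1(3), Mix, and $K_\bigcirc$-principles.

(4) Using (3) and 9.1(2) gives

$$\vdash_\Theta A \land \bigcirc\Box A \to \Box(A \land \bigcirc\Box A).$$

But $\vdash \Box(A \land \bigcirc\Box A)$

(5) From (4),

$$\vdash_\Theta \bigcirc\Box A \to (A$$

and hence $\vdash_\Theta \Box\bigcirc\Box A \to \Box(A \to \Box A)$.

Then use (2).

(6) An instance of schema $K$ is

$$\Box(\Box(A \to \Box A) \to A) \to (\Box\Box(A \to \Box A) \to$$

which by result (5) and the schema 4 yields

$$\vdash_\Theta \Box(\Box(A \to \Box A) \to A) \to (\bigcirc\Box A \to \Box A). \qquad (\dagger)$$

Now an instance of Ind is

$$\Box(\neg\Box A \to \bigcirc\neg\Box A) \to (\neg\Box A \to \Box\neg\Box A),$$

which, with the help of Fun, leads to

$$\vdash_\Theta \Box(\neg\Box A \to \neg\bigcirc\Box A) \to (\neg\Box A \to \neg\Diamond\Box A),$$

and hence

$$\vdash_\Theta \Box(\bigcirc\Box A \to \Box A) \to (\Diamond\Box A \to \Box A).$$

But this, together with $(\dagger)$ and schemata 4 and T, yields $\vdash_\Theta$ Dum.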

Deriving L t

The schema Dum will be used in the completeness theorem for $\Theta$, along with

$$L_1 : \Box(\Box A \to B) \lor \Box(\Box B \to A),$$

which is also $\Theta$-derivable. The following exercises give a guided tour of a proof of this which is due to Martin Abadi.


Exercises 9.3

Let $X$ be $(\Box A \to B)$ and $Y$ be $(\Box B \to A)$. Define the following formulae.

L I : me v nyA I : nx v v n y v .y v c o yA2 : n y v y v nx v i X v onxA3 : OX V X V DY V YA4 . o x v > x v on x v n y v .y v

(1) Show that $A_1$ and $A_2$ are deducible in any logic that is $\Box$-normal.

(2) Show that $A_3$ is deducible in any logic containing the schema T for $\Box$.

(3) Use Theorem 9.2(4) and tautological reasoning to show that

$$\vdash_\Theta A_1 \land A_2 \land A_3 \land A_4 \to L_1.$$

Conclude that

$$\vdash_\Theta A_4 \to L_1.$$

(4) Use Fun to $\Theta$-deduce $\to A_4$.

(5) With the help of the last two results, obtain

\ 14 O 1 ^)

and then use Ind to get

(6) Show that OA is deducible in any D-normal logic containing schemaT for D. Conclude that

To gain an intuitive understanding of the formulae $A_1, \ldots, A_4$ that collectively imply $L_1$, suppose that $L_1$ were false at some state. Then both conjuncts of

$$\Diamond\neg X \land \Diamond\neg Y$$

would be true. For each conjunct, the state at which $X$ (respectively, $Y$) will be false could either be the present state, or some future state, in which case the conjunct is still true at the next state. This gives four possible situations, each of which falsifies one of $A_1, \ldots, A_4$.


Exercises 9.4

(1) Show that

$$\vdash_\Theta A \to B \land \bigcirc A$$

implies

$$\vdash_\Theta A \to \Box B.$$

(2) Show that

$$\vdash_\Theta A \to \Diamond B \land (B \lor (D \land \bigcirc A)),$$

implies

(3 ) The following are 0-deducible:

OA -* OAO(AVB)-OQA +OOA*-

+ O ADA A OB^ AKB

Induction Models

An induction frame is a structure $\mathcal{F} = (S, f)$, with $f : S \to S$, i.e. $f$ is a function from $S$ to $S$. The "graph"

$$\{(s,t) : t = f(s)\}$$

of $f$ is denoted $R_f$. $R_f^*$ is the ancestral of $R_f$ (§1). Thus $sR_f^*t$ iff there is an $R_f$-list linking $s$ to $t$, i.e. a finite sequence $s = s_0, \ldots, s_n = t$, with $f(s_i) = s_{i+1}$ for all $i < n$. Models on induction frames give a semantics for $\Theta$, as follows.

$\mathcal{M} \models_s \bigcirc A$ iff $\mathcal{M} \models_{f(s)} A$

$\mathcal{M} \models_s \Box A$ iff $sR_f^*t$ implies $\mathcal{M} \models_t A$

$\mathcal{M} \models_s A\,\mathcal{U}\,B$ iff there exists an $R_f$-list $s = s_0, \ldots, s_k$, with $\mathcal{M} \models_{s_k} B$, and $\mathcal{M} \models_{s_i} A$ whenever $0 \le i < k$.

Exercise 9.5

If $\mathcal{M}$ is an induction model, show that $\mathcal{M} \models \Theta$.


Completeness of $\Theta$

Fix a formula $A$ such that $\nvdash_\Theta A$. We want to find a falsifying model for $A$ on a state sequence, and for this we adapt the canonical model construction.

The relations $R_\Box^\Theta$ and $R_\bigcirc^\Theta$ on the set $S^\Theta$ of $\Theta$-maximal subsets of $Fma(\Phi)$ are given by

$$sR_\Box^\Theta t \text{ iff } \{B : \Box B \in s\} \subseteq t, \text{ and}$$

$$sR_\bigcirc^\Theta t \text{ iff } \{B : \bigcirc B \in s\} \subseteq t.$$

Now $R_\Box^\Theta$ is reflexive (since Mix implies the schema T for $\Box$), transitive (since schema 4 is $\Theta$-derivable), and weakly-connected (since schema $L_1$, and hence $L$, is $\Theta$-derivable). By Fun, $R_\bigcirc^\Theta$ is functional.

Since $\nvdash_\Theta A$, there is some $s_A \in S^\Theta$ with $A \notin s_A$. Let

$$S = \{u \in S^\Theta : s_A (R_\Box^\Theta)^* u\}.$$

As himplies ufi^v,

so $S$ is closed under $R^{\Theta}_{\bigcirc}$, i.e.

$u \in S$ and $u R^{\Theta}_{\bigcirc} v$ implies $v \in S$.

Also, when restricted to $S$, $R^{\Theta}_{\Box}$ is reflexive, transitive, and connected (cf. Exercise 3.11(1)).

We will work with the structure

$\mathcal{F} = (S, R^{\Theta}_{\Box}, R^{\Theta}_{\bigcirc})$,

which is in essence the subframe of the canonical $\Theta$-frame generated by $s_A$. But $R^{\Theta}_{\Box}$ is not the ancestral of $R^{\Theta}_{\bigcirc}$ (cf. Exercise 9.6(2) below), and we will have to collapse $\mathcal{F}$ by filtration to achieve that property. Moreover, we cannot work with the canonical model on $\mathcal{F}$, since it is not apparent that the Truth Lemma (3.3) can be proved for formulae involving the connective $\mathcal{U}$. Instead therefore, we work directly with the relation of membership of $\Theta$-maximal sets, using such properties as

$\Box B \in s$ iff $\forall t \in S\ (s R^{\Theta}_{\Box} t$ implies $B \in t)$,
$\bigcirc B \in s$ iff $\forall t \in S\ (s R^{\Theta}_{\bigcirc} t$ implies $B \in t)$,
$\vdash_\Theta B$ implies $B \in s$, for all $s \in S$

(cf. Exercise 2.3(1), Theorem 3.2, etc.).


Exercises 9.6

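(1) Show that $(R^{\Theta}_{\bigcirc})^{*} \subseteq R^{\Theta}_{\Box}$.
(2) Show that the set

$t_0 = \{\bigcirc^{n} p : n \ge 0\} \cup \{\neg\Box p\}$

is $\Theta$-consistent, by showing that each finite subset of $t_0$ is true at some point of some $\Theta$-model. Deduce that there exist $t, u \in S^{\Theta}$ with $t R^{\Theta}_{\Box} u$ but not $t (R^{\Theta}_{\bigcirc})^{*} u$.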

Filtration

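Our filtration set $\Gamma$ will have to contain more than just the subformulae of $A$. We define

$\Gamma = Sf(A) \cup \{\bigcirc\Box B : \Box B \in Sf(A)\}$
$\quad \cup\ \{\bigcirc(B\,\mathcal{U}\,D),\ \Box\neg D,\ \bigcirc\Box\neg D,\ \neg D : B\,\mathcal{U}\,D \in Sf(A)\}$.

Then $\Gamma$ is finite: it has fewer than $6n$ elements, where $n$ is the number of elements of $Sf(A)$. The purpose of this definition is to ensure that $\Gamma$ has the following closure properties:

$A \in \Gamma$;

$\Gamma$ is closed under subformulae;

$\Box B \in \Gamma$ implies $\bigcirc\Box B \in \Gamma$;

$B\,\mathcal{U}\,D \in \Gamma$ implies $\bigcirc(B\,\mathcal{U}\,D),\ \Box\neg D \in \Gamma$.

The definition of $\Gamma$-filtration is adapted as follows.

$s \sim_\Gamma t$ iff $s \cap \Gamma = t \cap \Gamma$,
$|s| = \{t : s \sim_\Gamma t\}$,
$S_\Gamma = \{|s| : s \in S\}$.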

Definability Lemma 9.7. If $X \subseteq S_\Gamma$, there is a formula $B_X$ such that for all $s \in S$,

$B_X \in s$ iff $|s| \in X$.

Proof. For each $t \in S$, let $B_t$ be the conjunction of the members of

$\{B \in \Gamma : B \in t\} \cup \{\neg B : B \in \Gamma\ \&\ B \notin t\}$,

and then if $X = \{|t_1|, \ldots, |t_n|\}$,


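put $B_X = B_{t_1} \vee \cdots \vee B_{t_n}$

(the construction is just as for the Definability Lemma 8.13).

Now a relation $R_{\Box}$ on $S_\Gamma$ is defined to be a $\Gamma$-filtration of $R^{\Theta}_{\Box}$ if, and only if,

(F1) $s R^{\Theta}_{\Box} t$ implies $|s| R_{\Box} |t|$, and

(F2) $|s| R_{\Box} |t|$ implies $\{B : \Box B \in s \cap \Gamma\} \subseteq t$.

Replacing $\Box$ by $\bigcirc$ throughout this definition gives the notion of a $\Gamma$-filtration $R_{\bigcirc}$ of $R^{\Theta}_{\bigcirc}$.

Ancestral Lemma 9.8. If a relation $R_{\bigcirc}$ on $S_\Gamma$ is a $\Gamma$-filtration of $R^{\Theta}_{\bigcirc}$, then the ancestral $R^{*}_{\bigcirc}$ of $R_{\bigcirc}$ is a $\Gamma$-filtration of $R^{\Theta}_{\Box}$.

Proof.
(F1). Let $s \in S$. To show that $s R^{\Theta}_{\Box} t$ implies $|s| R^{*}_{\bigcirc} |t|$, let

$X_s = \{x \in S_\Gamma : |s| R^{*}_{\bigcirc} x\}$.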

First we prove€ s, (t)

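where $A_s$ is a formula, given by the Definability Lemma 9.7, having

$A_s \in u$ iff $|s| R^{*}_{\bigcirc} |u|$.

To prove this, suppose that $s R^{\Theta}_{\Box} t$ and $A_s \in t$. We want $\bigcirc A_s \in t$ to conclude (†). But $|s| R^{*}_{\bigcirc} |t|$, by the definition of $A_s$, so $|s| R^{n}_{\bigcirc} |t|$ for some $n \ge 0$. Then if $t R^{\Theta}_{\bigcirc} u$, we have $|t| R_{\bigcirc} |u|$, since $R_{\bigcirc}$ is a $\Gamma$-filtration of $R^{\Theta}_{\bigcirc}$, and so $|s| R^{n+1}_{\bigcirc} |u|$. This gives $|u| \in X_s$, and hence $A_s \in u$. We have thus shown

$t R^{\Theta}_{\bigcirc} u$ implies $A_s \in u$,

and hence $\bigcirc A_s \in t$ as required.

Since $s$ contains all instances of the induction axiom Ind, (†) then yields

$(A_s \to \Box A_s) \in s$.

But $A_s \in s$, since $|s| R^{*}_{\bigcirc} |s|$, and so

$\Box A_s \in s$.

Hence if $s R^{\Theta}_{\Box} t$, then $A_s \in t$, and so $|s| R^{*}_{\bigcirc} |t|$.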


(F2). We want to prove that

$|s| R^{*}_{\bigcirc} |t|$ implies $\{B : \Box B \in s \cap \Gamma\} \subseteq t$.

First we show, for all $n \ge 0$, that

$|s| R^{n}_{\bigcirc} |t|$ implies $\{\Box B : \Box B \in s \cap \Gamma\} \subseteq t$. (‡)

The case $n = 0$ is immediate, since $|s| = |t|$ implies $s \cap \Gamma = t \cap \Gamma$. Assuming the result for $n$, suppose $|s| R^{n+1}_{\bigcirc} |t|$. Then $|s| R^{n}_{\bigcirc} |u|$ and $|u| R_{\bigcirc} |t|$, for some $u$. Thus if $\Box B \in s \cap \Gamma$, we have $\Box B \in u$ by the hypothesis on $n$, and so $\bigcirc\Box B \in u \cap \Gamma$ by the axiom Mix and the definition of $\Gamma$. But then $\Box B \in t$, as $R_{\bigcirc}$ is a $\Gamma$-filtration of $R^{\Theta}_{\bigcirc}$. This completes the inductive proof of (‡).

Finally then, if $|s| R^{*}_{\bigcirc} |t|$, we have $|s| R^{n}_{\bigcirc} |t|$ for some $n$, so that if $\Box B \in s \cap \Gamma$, (‡) gives $\Box B \in t$, and then Mix gives $B \in t$.

This completes the proof of the Ancestral Lemma, a result which substantiates the earlier remark that the axioms Mix and Ind characterise the interpretation of $\Box$ as the ancestral of the interpretation of $\bigcirc$. This fact will feature again in the study of dynamic logic in the next section.

The Role of Fun

The axiom Fun ensures that $R^{\Theta}_{\bigcirc}$ is a functional relation, but this property may be lost in passing to $R_{\bigcirc}$. To deal with this, we will use the smallest $\Gamma$-filtration of $R^{\Theta}_{\bigcirc}$, defined by

$|s| R_{\bigcirc} |t|$ iff $\exists s' \in |s|\ \exists t' \in |t|\ (s' R^{\Theta}_{\bigcirc} t')$.

Fun-Lemma 9.9. Let $R_{\bigcirc}$ be the smallest $\Gamma$-filtration of $R^{\Theta}_{\bigcirc}$. Then if $\bigcirc B \in \Gamma$ and $s \in S$, the following are equivalent.
(1) $\bigcirc B \in s$.
(2) $\forall t\ (|s| R_{\bigcirc} |t|$ implies $B \in t)$.
(3) $\exists t\ (|s| R_{\bigcirc} |t|$ and $B \in t)$.

Proof. First, note that (1) and (2) are equivalent for any filtration of $R^{\Theta}_{\bigcirc}$.

Next, Fun guarantees that $R^{\Theta}_{\bigcirc}$ is serial, and hence $R_{\bigcirc}$ is serial. But this is enough to make (2) imply (3).

Finally, assume (3). Then there are $s' \in |s|$ and $t' \in |t|$ with $s' R^{\Theta}_{\bigcirc} t'$. Thus if $\bigcirc B \notin s$, then $\bigcirc B \notin s'$, as $s \sim_\Gamma s'$, and so $\bigcirc\neg B \in s'$ by Fun. But then $\neg B \in t'$, contradicting the fact that $B \in t$ and $t \sim_\Gamma t'$. Hence (1) must hold.


Exercise 9.10

Show that the Fun-Lemma holds for any $\Gamma$-filtration of $R^{\Theta}_{\bigcirc}$, smallest or not, provided that

if $\bigcirc B \in \Gamma$, then either $\bigcirc\neg B \in \Gamma$, or else $B = \neg C$ with $\bigcirc C \in \Gamma$.

Show that $\Gamma$ can be made to satisfy this additional condition and still be finite.

Another way to explain the main point of the Fun-Lemma is that, under its hypotheses, if $\bigcirc B \notin s$, then $B \notin t$ for any $t$ with $|s| R_{\bigcirc} |t|$. The import of this will be that although $|s|$ may have a number of $R_{\bigcirc}$-alternatives, we can remove all but one of them, in an arbitrary way, without altering the falsity of $\Gamma$-formulae of the form $\bigcirc B$ at $|s|$.

The Role of Dum

Consider the properties of the structure

where $R_{\bigcirc}$ is the smallest $\Gamma$-filtration of $R^{\Theta}_{\bigcirc}$. $R_{\bigcirc}$ is serial, since $R^{\Theta}_{\bigcirc}$ is, but may not be functional. $R^{*}_{\bigcirc}$ is reflexive and transitive (by definition), and also connected, by the Ancestral Lemma, since $R^{\Theta}_{\Box}$ is connected. Since $S_\Gamma$ is finite, it follows that the structure takes the form of a finite sequence of $R^{*}_{\bigcirc}$-clusters.

We now recall the analysis of extensions of 54.3 given in §8, and definethe relation R % on Sp by

xR°0y iff Vs € x 3t € y (sR®t).

Then R % is reflexive, transitive, and connected, with R % C .R* (this isproven just as in Lemma 8.10). Thus the fig-cluster of each point is con-tained in the fi*-cluster of that point, and so each fi£-cluster decomposesinto a sequence of fig-clusters, as in the diagram on page 72. Moreover,the following result can be proved just as for the fi c-Lemma 8.11.

fig-Lemma 9.11. If OB e T and QB £ s e S, then there exists t € St and \s\Rc

0\t\.

Now by Theorem 9.2(6), each member of S contains all instances of Dum.From this we show, just as for the Dum-Lemma 8.14:

Dum-Lemma 9.12. Every non-last R^-cluster is simple.


Unwinding the Last Cluster

An Ro-list is a finite sequence X Q , . . . , XH such that XiRoXi+i for all i < n.Now if C is the last ^-cluster in our structure, then C may not be simple,

i.e. may have more than one element. In that case, we will "unwind" C intoa finite .Ro-list. This can be done starting from any prescribed point x £ C,as follows. First pick some y £ C. Then xR^y, so xR^y, and so there isan U 0-list x = X Q , ..., x n = y, with each x» in C as C is last. If thereis an element z of C that does not appear in this list, then since x nR^zwe can extend the list to x nR 0xn+\Ro • • • RoXk = z, for some k. And soon. Eventually we build a finite .Ro-list xo,...,Xj in which every memberof C appears at least once, and possibly more often. Since repetitions areallowed, we can arrange to end the list at any prescribed z £ C. Especially,we can arrange for the list to start and finish at the same point of C.

Now to define our state-sequence a : u > —> Sp- Let CQ,. ..,C n -\ be thesequence of non-last .R£-clusters in the order induced by RC

0. Then for eachi < n, from 9.12 it follows that d has the form {&i} with a £ Sp- Thisgives an .Ro-list (ToR0 • • • Ro&n-i- Then if C is the last .R£-cluster, theremust be some x £ C with ffn-iRoX. Let a n — x, and unwind C, as above,into an .Ro-list crn, f n +1 , . . . , a r , that has a n = • a r . Finally, we repeat thislast list ad infinitum:

cr n ,..., oy — < rn, (T r+1 —

( f o r all q £ u and 0 < i < (r - n)).This completes the definition of a. The main features of the construc-

tion are that for all j £ w,

(1) (TjRoffj+i: hence ajR*(?k whenever k > j;

(2) if the ^-cluster of x comes after that of Uj, then x — a*, for somek > j; and

(3) if CTJ s in the last ^-cluster, and so is x, then x = a for some k > j.

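Theorem 9.13. Let $\mathcal{M} = (S_\Gamma, \sigma, V_\Gamma)$. If $B \in \Gamma$, then for any $j \in \omega$ and $s \in \sigma_j$,

$B \in s$ iff $\mathcal{M} \models_j B$.

Proof.
For $B = p \in \Phi \cap \Gamma$, $\mathcal{M} \models_j p$ iff $\sigma_j \in V_\Gamma(p)$ iff $p \in s$. The truth-functional cases are straightforward as usual.

For the inductive case for $\bigcirc$, suppose $\bigcirc B \in s \cap \Gamma$, with $|s| = \sigma_j$. Pick any $t \in \sigma_{j+1}$. Then as $\sigma_j R_{\bigcirc} \sigma_{j+1}$, the second filtration condition gives $B \in t$, whence the induction hypothesis on $B$ gives $\mathcal{M} \models_{j+1} B$, so that $\mathcal{M} \models_j \bigcirc B$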


Exercises 9.14

(1) Compute an upper bound on $r$ for the induction frame $\mathcal{F}_{n,r}$ invalidating a prescribed non-$\Theta$-theorem.

(2) Modify the state-sequence semantics to read

$\mathcal{M} \models_j \Box A$ iff for all $k > j$, $\mathcal{M} \models_k A$
$\mathcal{M} \models_j A\,\mathcal{U}\,B$ iff for some $k > j$, $\mathcal{M} \models_k B$ and $\mathcal{M} \models_i A$ whenever $j < i < k$.

Modify the given $\Theta$-axioms to axiomatise the resulting set of valid formulae. (Do not introduce any essentially different axioms: deduce as a theorem the appropriate analogue of Dum.) Prove that this new logic is decidable.

Branching Time

The theory discussed so far has been concerned with logical properties of a single execution sequence $s_0, s_1, \ldots$ generated by processes acting in parallel. As mentioned at the outset, each state will have several possible successor states, and so there will be many different sequences that have a given starting state $s_0$. Thus any particular sequence will be but one "branch" of the "tree" of all possible future states. If we consider this tree as a whole, there are a number of interesting new modal connectives that can be used to formalise reasoning about future behaviour:

$[\forall F]A$: along any future branch there is a state at which $A$ is true, i.e. $A$ is inevitable.

$[\exists F]A$: along some branch there is a state at which $A$ is true, i.e. $A$ is potentially true.

$[\forall G]A$: along all branches, $A$ holds at all states, i.e. $A$ is true at all possible future states.

$[\exists G]A$: along some branch, $A$ holds at all states.

$[\forall X]A$: along every branch, $A$ holds at the next state, i.e. $A$ holds at all possible successor states.

$[\exists X]A$: $A$ holds at some successor state.

$\forall(A\,\mathcal{U}\,B)$: along every branch, it will be $A$ until $B$.

$\exists(A\,\mathcal{U}\,B)$: along some branch, it will be $A$ until $B$.

A logical system embodying these notions, known as Computational Tree Logic (CTL), was introduced by Clarke and Emerson [1981,1982]. A similar system without the until operator was considered by Ben-Ari, Pnueli,


and Manna [1983]. Emerson and Halpern [1985] established decidability and completeness for CTL, using a method of elimination of states from "pseudo-Hintikka structures". We will now see how to adapt their approach to the context of filtrations of canonical models.

Syntax and Semantics

The syntax for CTL is given by

$A ::= p \mid \bot \mid A_1 \to A_2 \mid [\forall X]A \mid \forall(A_1\,\mathcal{U}\,A_2) \mid \exists(A_1\,\mathcal{U}\,A_2)$

The other connectives mentioned above are given by the following abbreviations.

[VF]A is V ( T Z M )[3F]A is[\/G]A is

isis

To define CTL-models, consider a frame $\mathcal{F} = (S, R)$ in which $R$ is serial, i.e. $\forall s\,\exists t\,(sRt)$. Here $sRt$ will be interpreted to mean that $t$ is a possible immediate successor to $s$. An $R$-branch starting at $s$ in $\mathcal{F}$ is an infinite sequence $s_0, \ldots, s_n, \ldots$ with $s = s_0$ and $s_n R s_{n+1}$ for all $n$. An $R$-path is a finite version of a branch, i.e. a sequence $s_0, \ldots, s_k$ with $s_n R s_{n+1}$ for all $n < k$. By seriality, any path extends to a branch.

Given the usual notion of a model $\mathcal{M} = (S, R, V)$ on such a frame, satisfaction of CTL-formulae is given by

$\mathcal{M} \models_s [\forall X]A$ iff for all $t \in S$, $sRt$ implies $\mathcal{M} \models_t A$.

$\mathcal{M} \models_s \forall(A\,\mathcal{U}\,B)$ iff for all $R$-branches $s = s_0 R s_1 R \cdots$ there exists $k$ with $\mathcal{M} \models_{s_k} B$ and $\mathcal{M} \models_{s_i} A$ whenever $0 \le i < k$.

$\mathcal{M} \models_s \exists(A\,\mathcal{U}\,B)$ iff for some $R$-branch $s = s_0 R s_1 R \cdots$ there exists $k$ with $\mathcal{M} \models_{s_k} B$ and $\mathcal{M} \models_{s_i} A$ whenever $0 \le i < k$.
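The satisfaction clauses above can be evaluated mechanically on a finite serial frame. The following is an added example, not code from the book: it computes the truth set of each formula, reading the two until connectives as least fixpoints (a standard technique assumed here, which agrees with the branch semantics when $S$ is finite and $R$ is serial), and returns a witnessing $R$-path for $\exists(A\,\mathcal{U}\,B)$. The tuple encoding, the `Model` class and the login-flow sample are constructed for illustration.

```python
from collections import deque

# Formulae over the CTL syntax given above, as nested tuples:
#   ("p", name) | ("bot",) | ("imp", A, B) | ("AX", A) | ("AU", A, B) | ("EU", A, B)
BOT = ("bot",)

def neg(a):
    return ("imp", a, BOT)

TOP = neg(BOT)

# Derived connectives. [∀F]A = ∀(⊤ U A) is the abbreviation stated in the text;
# the others are written with the usual dualities (an assumption of this example).
def AF(a): return ("AU", TOP, a)
def EF(a): return ("EU", TOP, a)
def AG(a): return neg(EF(neg(a)))
def EG(a): return neg(AF(neg(a)))
def EX(a): return neg(("AX", neg(a)))


class Model:
    """Finite model (S, R, V) on a serial frame."""

    def __init__(self, states, edges, valuation):
        self.S = frozenset(states)
        self.succ = {s: frozenset(t for (u, t) in edges if u == s) for s in self.S}
        dead = sorted(s for s in self.S if not self.succ[s])
        if dead:
            # Without seriality a path need not extend to a branch, and the
            # fixpoint used for ∀U would no longer match the branch semantics.
            raise ValueError(f"R is not serial at {dead}")
        self.V = {p: frozenset(ss) for p, ss in valuation.items()}

    def _until(self, a_set, b_set, pre):
        # Least Z with Z = B ∪ (A ∩ pre(Z)), reached by iterating from ∅.
        z = frozenset()
        while True:
            nxt = b_set | (a_set & pre(z))
            if nxt == z:
                return z
            z = nxt

    def sat(self, f):
        """Return the set of states at which formula f is true."""
        tag = f[0]
        if tag == "p":
            return self.V.get(f[1], frozenset())
        if tag == "bot":
            return frozenset()
        if tag == "imp":
            return (self.S - self.sat(f[1])) | self.sat(f[2])
        if tag == "AX":
            a = self.sat(f[1])
            return frozenset(s for s in self.S if self.succ[s] <= a)
        if tag == "AU":   # every branch: all successors must already be in Z
            return self._until(self.sat(f[1]), self.sat(f[2]),
                               lambda z: frozenset(s for s in self.S if self.succ[s] <= z))
        if tag == "EU":   # some branch: one successor in Z is enough
            return self._until(self.sat(f[1]), self.sat(f[2]),
                               lambda z: frozenset(s for s in self.S if self.succ[s] & z))
        raise ValueError(f"unknown connective {tag!r}")

    def eu_witness(self, a, b, start):
        """Shortest R-path start = s0, ..., sk with B at sk and A at every si, i < k."""
        a_set, b_set = self.sat(a), self.sat(b)
        parent, queue = {start: None}, deque([start])
        while queue:
            s = queue.popleft()
            if s in b_set:
                path = []
                while s is not None:
                    path.append(s)
                    s = parent[s]
                return path[::-1]
            if s in a_set:
                for t in sorted(self.succ[s]):
                    if t not in parent:
                        parent[t] = s
                        queue.append(t)
        return None


# Constructed sample: a login flow in which the lockout state can never be left.
SAMPLE = Model(
    states=["idle", "auth", "locked", "granted"],
    edges=[("idle", "auth"), ("idle", "locked"), ("locked", "locked"),
           ("auth", "granted"), ("granted", "idle")],
    valuation={"granted": ["granted"]},
)

if __name__ == "__main__":
    g = ("p", "granted")
    print("[∃F]granted :", sorted(SAMPLE.sat(EF(g))))
    print("[∀F]granted :", sorted(SAMPLE.sat(AF(g))))
    print("[∃G]¬granted:", sorted(SAMPLE.sat(EG(neg(g)))))
    print("witness from idle:", SAMPLE.eu_witness(TOP, g, "idle"))
```

In the sample, `granted` is potentially true at `idle` but not inevitable there, because the branch through `locked` never reaches it.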

Axioms

Let CTL be the smallest logic in the language just described that contains the schemata

K K:

Dx: [ 3 X ] T3U:

V W :


Proof.
Suppose first that there is an $R$-path of the type described. Then we show that $\exists(A\,\mathcal{U}\,B) \in \Gamma_{x_i}$ for $0 \le i \le k$, by reverse induction on $i$, giving the desired conclusion when $i = 0$. We use the CTL-theorem (derived from axiom $\exists U$)

» 3(AUB).

For the base case $i = k$, we have $B \in \Gamma_{x_k}$ by assumption, so this CTL-theorem gives $\exists(A\,\mathcal{U}\,B) \in \Gamma_{x_k}$ by tautological consequence.

Now make the inductive hypothesis that $\exists(A\,\mathcal{U}\,B) \in \Gamma_{x_{i+1}}$. Choose $s \in x_i$ and $t \in x_{i+1}$ with $s R_X t$ (since $R$ is the least filtration of $R_X$). But $\exists(A\,\mathcal{U}\,B) \in t$, so $[\exists X]\exists(A\,\mathcal{U}\,B) \in s$ by the second filtration condition (F2).

Hence our CTL-theorem gives $\exists(A\,\mathcal{U}\,B) \in s$, and so $\exists(A\,\mathcal{U}\,B) \in \Gamma_{x_i}$ as desired.

For the converse direction, let $X$ be the set of all points $x \in S_\Gamma$ for which there exists an $R$-path starting from $x$ of the type described in the statement of the Lemma. We will show that whenever $\exists(A\,\mathcal{U}\,B) \in \Gamma_x$ then $x \in X$.

Now by the Definability Lemma 9.7, there is a formula $C$ that is characteristic for $X$, i.e.

$C \in s$ iff $|s| \in X$.

Let $E$ be the formula

We show that $E$ is a CTL-theorem, by showing that $E \in s$ for any $s \in S^{c}$.

First, if $B \vee (A \wedge [\exists X]C) \notin s$, then it follows directly from the properties of $s$ as a maximal set that $E \in s$ (Exercises 2.3). Thus we are reduced to the case that $B \vee (A \wedge [\exists X]C) \in s$, and so either

$B \in s$, (i)

or else

$A \wedge [\exists X]C \in s$. (ii)

Now if (i) holds, then putting $k = 0$ and $x = x_0 = |s|$ gives $B \in \Gamma_{x_k}$ and provides an $R$-path that makes $|s| \in X$. Thus $C \in s$, whence $E \in s$ by maximality of $s$ (Ex. 2.3).

If, on the other hand, (ii) holds, then $[\exists X]C \in s$, so there exists $t \in S^{c}$ such that $s R_X t$ and $C \in t$. Then $|s| R |t|$ (by the first filtration condition (F1)) and $|t| \in X$, so there is an $R$-path of the desired type starting from $|t|$. But since $A \in \Gamma_{|s|}$ from (ii), appending $|s|$ to the beginning of this path gives a new $R$-path that ensures that $|s| \in X$, and so again $E \in s$.


This finishes the proof that $E$ is a CTL-theorem. It then follows by the rule $\exists$-Ind that $\exists(A\,\mathcal{U}\,B) \to C$ is a CTL-theorem, and so belongs to every CTL-maximal set. Thus for any $s \in S^{c}$, if $\exists(A\,\mathcal{U}\,B) \in \Gamma_{|s|}$ then $\exists(A\,\mathcal{U}\,B) \in s$, so $C \in s$, giving $|s| \in X$ as desired to complete the proof of Lemma 9.17.

Exercise 9.18

Let $\forall(A\,\mathcal{U}\,B) \in \Gamma$. Show that if $\forall(A\,\mathcal{U}\,B) \notin \Gamma_x$, then there exists an $R$-branch $x = x_0, \ldots, x_k, \ldots$ such that for no $k$ do we have $B \in \Gamma_{x_k}$ simultaneously with $A \in \Gamma_{x_i}$ for all $i < k$.

If the converse of Exercise 9.18 were true, then in combination with Lemma 9.17 we would obtain a Filtration Lemma for the model $(S_\Gamma, R, V_\Gamma)$ similar to Theorem 9.13, and completeness for CTL would follow. However it could be that while $\forall(A\,\mathcal{U}\,B) \in \Gamma_x$, a branch of the type described in 9.18 nonetheless exists to prevent $\forall(A\,\mathcal{U}\,B)$ being "true" at $x$. We are going to have to "unravel" $R$ to get around this, and the structure we use for this unravelling is a special type of tree.

$\Gamma$-Trees

Let $(T, \rho)$ be a frame with $\rho$ irreflexive. The members of $T$ will be called nodes. If $n \rho m$, then $m$ is a successor of $n$, while $n$ is a predecessor of $m$. The frame will be called a tree if each of its nodes has at most one predecessor.

A tree is rooted if it has a unique element $r$, the root, that generates it, i.e. has $T = \{m : r \rho^{*} m\}$. Note that for each node $m$, there will be a unique $\rho$-path from the root $r$ to $m$.

A leaf in a tree is a node that has no successors. Non-leaf nodes are said to be interior.

For finite trees, the word "branch" will be used in a modified way to mean a path (i.e. a $\rho$-path) whose last node is a leaf.

We will work with trees whose nodes are labelled by members of $S_\Gamma$, i.e. there is a function assigning to each $n \in T$ a label $\bar{n} \in S_\Gamma$. Then a formula $B$ is said to be realised at $n$ if $B \in \Gamma_{\bar{n}}$, while $B$ fails at $n$ if $B \notin \Gamma_{\bar{n}}$.

A $\Gamma$-tree is a finite rooted tree whose nodes are labelled by members of $S_\Gamma$ in such a way that

($\Gamma$1) if $m$ is a successor node to $n$, then $\bar{n} R \bar{m}$;

($\Gamma$2) if $[\forall X]A \in \Gamma$, and $[\forall X]A$ fails at an interior node $n$, then $A$ fails at some successor node of $n$.

A $\Gamma$-tree is rooted at $x \in S_\Gamma$ if $x$ is the label of its root node.


Fulfilment

Let $T$ be a $\Gamma$-tree.

• A path in $T$ realises $A\,\mathcal{U}\,B$ if there is a node on the path at which $B$ is realised, while all earlier nodes on the path realise $A$.

• The formula $\exists(A\,\mathcal{U}\,B)$ is fulfilled at node $n$ in $T$ if either it fails at $n$, i.e. $\exists(A\,\mathcal{U}\,B) \notin \Gamma_{\bar{n}}$, or else there exists a path in $T$ that starts from $n$ and realises $A\,\mathcal{U}\,B$.

• The formula $\forall(A\,\mathcal{U}\,B)$ is fulfilled at node $n$ in $T$ if either it fails at $n$, or else every branch in $T$ that starts from $n$ realises $A\,\mathcal{U}\,B$.

Formulae of the form $\exists(A\,\mathcal{U}\,B)$ and $\forall(A\,\mathcal{U}\,B)$ will be called eventuality formulae.

Fulfilment Lemma 9.21. Let $T$ be a $\Gamma$-tree, and $C$ an eventuality formula in $\Gamma$ that is not fulfilled at node $n$ in $T$.
(1) If $C = \exists(A\,\mathcal{U}\,B)$, then there is a branch in $T$ starting from $n$ with $A$ and $\exists(A\,\mathcal{U}\,B)$ realised at all nodes of the branch.
(2) If $C = \forall(A\,\mathcal{U}\,B)$, then for every branch in $T$ starting from $n$, either the branch realises $A\,\mathcal{U}\,B$, or else $A$ and $\forall(A\,\mathcal{U}\,B)$ are realised at all nodes of the branch.

Proof.
(1). Since $\exists(A\,\mathcal{U}\,B)$ is not fulfilled at $n$, $\exists(A\,\mathcal{U}\,B) \in \Gamma_{\bar{n}}$. Moreover, if $B$ were realised at $n$, then $\exists(A\,\mathcal{U}\,B)$ would be fulfilled there, contrary to hypothesis. Hence $B \notin \Gamma_{\bar{n}}$. But the formula

$\exists(A\,\mathcal{U}\,B) \to (B \vee (A \wedge [\exists X]\exists(A\,\mathcal{U}\,B)))$

is CTL-derivable from axiom $\exists U$, and $[\exists X]\exists(A\,\mathcal{U}\,B) \in \Gamma$, so it follows that both $A$ and $[\exists X]\exists(A\,\mathcal{U}\,B)$ are realised at $n$.

Now if $n$ is an interior node, then by Exercise 9.19 it has a successor node $m$ that realises $\exists(A\,\mathcal{U}\,B)$. Since $\exists(A\,\mathcal{U}\,B)$ is not fulfilled at $n$ while $A$ is realised at $n$, $B$ cannot be realised at $m$, so the above argument applies to give that both $A$ and $[\exists X]\exists(A\,\mathcal{U}\,B)$ are realised at $m$. If $m$ in turn is interior, the construction repeats, generating a path of the desired kind, and stopping only when a leaf is reached.

Exercise 9.22

Prove part (2) of Fulfilment Lemma 9.21.

Theorem 9.23. For any $x \in S_\Gamma$ there exists a $\Gamma$-tree $T_x$ with root $r$ labelled by $x$, such that
(1) if $[\forall X]A \in \Gamma$ and $[\forall X]A$ fails at $r$, then $A$ fails at some successor of $r$;


(2) every eventuality formula in $\Gamma$ is fulfilled at $r$.

Proof.
First Stage: Construct a $\Gamma$-tree by taking a root node $r$, labelled by $x$, and for each formula $[\forall X]A$ in $\Gamma$ that fails at $r$, take some $y \in S_\Gamma$ with $xRy$ and $A \notin \Gamma_y$, and add a successor node to $r$ labelled by $y$. This ensures already that (1) holds.

Next make a series of extensions to the tree to establish (2), at each stage adding new nodes or sub-trees below the leaves of the tree thus far created (the reader should be visualising trees as growing downwards). It follows that at all stages $r$ continues to be the root of the tree being constructed.

To see how this works, let $T$ be the tree that has been created at some stage, and suppose $C$ is an eventuality formula in $\Gamma$ that is not fulfilled at $r$ in $T$.

Case of $\exists U$: If $C = \exists(A\,\mathcal{U}\,B)$, then by (1) of Fulfilment Lemma 9.21 there is a branch in $T$ from $r$ to a leaf $m$ having $\exists(A\,\mathcal{U}\,B)$ and $A$ realised at every node. By Lemma 9.17 there is an $R$-path $\bar{m} = x_0, \ldots, x_k$ in $S_\Gamma$ with $B$ realised at $x_k$, and $A$ realised at $x_i$ for $0 \le i < k$. Extend $T$ by adjoining a path $m_0, \ldots, m_k$ of nodes with $m = m_0$, and put $\bar{m}_i = x_i$ for $0 \le i \le k$. Then for each $i < k$, repeat the First Stage construction to adjoin enough successor nodes to $m_i$ to ensure that whenever a $[\forall X]D$-type formula from $\Gamma$ fails at $m_i$, then $D$ fails at a successor of $m_i$. When this is done, we have a new $\Gamma$-tree with $\exists(A\,\mathcal{U}\,B)$ fulfilled at the root $r$.

Case of $\forall U$: If $C = \forall(A\,\mathcal{U}\,B)$, proceed as follows. Let $m$ be any leaf of $T$ and consider the branch from $r$ to $m$ in $T$. If this branch realises $A\,\mathcal{U}\,B$, leave $m$ alone. Otherwise, by (2) of 9.21, $A$ and $\forall(A\,\mathcal{U}\,B)$ are realised at every node of the branch. Hence $\forall(A\,\mathcal{U}\,B) \in \Gamma_{\bar{m}}$, so by Lemma 9.20 there is a $\Gamma$-tree $T_m$ rooted at $\bar{m}$ with $A$ realised at every interior node of $T_m$, and $B$ realised at every leaf. Adjoin this tree, by identifying $m$ with the root of $T_m$. The result is a structure in which every branch passing through $m$ realises $A\,\mathcal{U}\,B$.

By applying this procedure to each leaf $m$ of $T$, we end up with a $\Gamma$-tree fulfilling $\forall(A\,\mathcal{U}\,B)$ at $r$.

Notice that once a formula $\exists(A\,\mathcal{U}\,B)$ becomes fulfilled at $r$, it remains so if any new nodes are added. But the same is true for a formula $\forall(A\,\mathcal{U}\,B)$, because of the crucial fact that in each extension the new nodes are always added below an old leaf. Thus any branch from $r$ in the new tree must be an extension of a branch from $r$ in the old tree, so that if all the old branches realise $\forall(A\,\mathcal{U}\,B)$, then all the new ones will as well.

The upshot of all this is that by making finitely many repetitions of these constructions, a tree will be produced in which all eventuality formulae from $\Gamma$ are fulfilled at $r$.


Final Model

We are now at the final stage of our construction of a finite CTL-model. This is done by joining together copies of the trees described in Theorem 9.23 (the result need not itself be a tree: it may contain cycles).

Begin with the tree $T_x$ of any $x \in S_\Gamma$, as provided by 9.23. Replace each leaf $m$ of $T_x$ by the tree $T_{\bar{m}}$ (i.e. identify $m$ with the root of $T_{\bar{m}}$). Repeat this process for the leaves of the newly adjoined trees, except in the case of a leaf $n$ for which $T_{\bar{n}}$ has already been adjoined. In this case, delete $n$ and draw an edge from the predecessor of $n$ to the root of $T_{\bar{n}}$, i.e. make the root of $T_{\bar{n}}$ a successor of the predecessor of $n$ (this is the part of the construction that may introduce cycles).

Since each tree $T_x$ is finite, and there are finitely many labels $x \in S_\Gamma$, this process terminates in the construction of a finite frame $(T, \rho)$ whose points are all labelled by members of $S_\Gamma$, and whose relation is given by the successor relation on the trees $T_x$. Now make this frame into a model $\mathcal{N}$ by putting

$\mathcal{N} \models_n p$ iff $p \in \Gamma_{\bar{n}}$.

Exercise 9.24

Use the fact that $[\exists X]\top \in \Gamma$ to prove that $\rho$ is serial.

Theorem 9.25. If $A \in \Gamma$, then for any node $n \in T$,

$\mathcal{N} \models_n A$ iff $A \in \Gamma_{\bar{n}}$.

Proof. We consider only the major inductive cases.

$[\forall X]$-Case: Suppose the result holds for $A$, and $[\forall X]A \in \Gamma$. If $\mathcal{N} \not\models_n [\forall X]A$, then $\mathcal{N} \not\models_m A$ for some successor $m$ of $n$. Then by the definition of $\Gamma$-trees, $\bar{n} R \bar{m}$, while $A \notin \Gamma_{\bar{m}}$ by the induction hypothesis, so as $R$ is a $\Gamma$-filtration of $R_X$, $[\forall X]A \notin \Gamma_{\bar{n}}$.

Conversely, if $[\forall X]A \notin \Gamma_{\bar{n}}$, the definition of $\Gamma$-trees (when $n$ is interior) and 9.23(1) (when $n$ is a root) ensure that $A$ fails at some successor of $n$, making $[\forall X]A$ false in $\mathcal{N}$ at $n$ by the induction hypothesis.

$\exists U$-Case: Suppose the result holds for $A$ and $B$, and $\exists(A\,\mathcal{U}\,B) \in \Gamma$. If $\mathcal{N} \models_n \exists(A\,\mathcal{U}\,B)$, then there is a $\rho$-path $n = n_0, \ldots, n_k$ such that, by the induction hypothesis, $B$ is realised at $n_k$, and $A$ realised at $n_i$ for all $i < k$. But then $\bar{n}_0, \ldots, \bar{n}_k$ is an $R$-path in $S_\Gamma$, so Lemma 9.17 gives $\exists(A\,\mathcal{U}\,B) \in \Gamma_{\bar{n}}$.

Conversely, let $\exists(A\,\mathcal{U}\,B) \in \Gamma_{\bar{n}}$. Suppose $n \in T_x$. Now either $A\,\mathcal{U}\,B$ is realised in $T_x$ by a path starting at $n$, or else by 9.21(1) there is a branch from $n$ to a leaf $m$ of $T_x$ with $A$ and $\exists(A\,\mathcal{U}\,B)$ realised at all nodes, including $m$. But in that case, since $\exists(A\,\mathcal{U}\,B)$ is fulfilled at the root of $T_{\bar{m}}$ (9.23(2)) there must be a path from the root in $T_{\bar{m}}$ that realises $A\,\mathcal{U}\,B$.


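In either case, we get a path in $T$, starting from $n$, that realises $A\,\mathcal{U}\,B$. Hence by the induction hypothesis, this path makes $\mathcal{N} \models_n \exists(A\,\mathcal{U}\,B)$.

$\forall U$-Case: Suppose that $\forall(A\,\mathcal{U}\,B) \in \Gamma_{\bar{n}}$, where $n$ is a node in some $T_x$. Consider any $\rho$-branch from $n$ in $T$. Then there must be a leaf $m$ of $T_x$ such that this branch passes through the root of $T_{\bar{m}}$. Now either $A\,\mathcal{U}\,B$ is realised by the path from $n$ to $m$ in $T_x$, or else by 9.21(2) $A$ and $\forall(A\,\mathcal{U}\,B)$ are realised by all nodes of this path. But the $\rho$-branch must pass through $T_{\bar{m}}$, and so by (9.23(2)), $A\,\mathcal{U}\,B$ will be realised along the part of the $\rho$-branch that lies in $T_{\bar{m}}$, and hence be realised along the $\rho$-branch itself. With the induction hypothesis, this shows that $\mathcal{N} \models_n \forall(A\,\mathcal{U}\,B)$.

For the converse, suppose that $\forall(A\,\mathcal{U}\,B) \notin \Gamma_{\bar{n}}$. To prove that $\mathcal{N} \not\models_n \forall(A\,\mathcal{U}\,B)$, we use the one part of the axiomatisation of CTL that has yet to play a role: the implication

$(B \vee (A \wedge [\forall X]\forall(A\,\mathcal{U}\,B))) \to \forall(A\,\mathcal{U}\,B)$ (†)

that is part of axiom $\forall U$. Since $\forall(A\,\mathcal{U}\,B) \notin \Gamma_{\bar{n}}$, this immediately yields $B \notin \Gamma_{\bar{n}}$ and hence $\mathcal{N} \not\models_n B$ by induction hypothesis.

Now if $A \notin \Gamma_{\bar{n}}$, then $\mathcal{N} \not\models_n A$, so as $\mathcal{N} \not\models_n B$ we have $\mathcal{N} \not\models_n \forall(A\,\mathcal{U}\,B)$ immediately. If, on the other hand, $A \in \Gamma_{\bar{n}}$, (†) yields $[\forall X]\forall(A\,\mathcal{U}\,B) \notin \Gamma_{\bar{n}}$. But $[\forall X]\forall(A\,\mathcal{U}\,B) \in \Gamma$, so by the definition of $\Gamma$-trees (when $n$ is interior) and 9.23(1) (when $n$ is a root), there must be a $\rho$-successor $n_1$ of $n$ with $\forall(A\,\mathcal{U}\,B) \notin \Gamma_{\bar{n}_1}$.

The argument now repeats itself: if $A \notin \Gamma_{\bar{n}_1}$, then $\mathcal{N} \not\models_{n_1} A$, so $\mathcal{N} \not\models_{n_1} \forall(A\,\mathcal{U}\,B)$ as $B \notin \Gamma_{\bar{n}_1}$ and hence $\mathcal{N} \not\models_{n_1} B$. If $A \in \Gamma_{\bar{n}_1}$, then there is a successor $n_2$ of $n_1$ with $\forall(A\,\mathcal{U}\,B) \notin \Gamma_{\bar{n}_2}$, and so on. The argument either generates a $\rho$-path $n = n_0, \ldots, n_k$ with $\mathcal{N} \not\models_{n_k} A$ and $\mathcal{N} \not\models_{n_i} B$ for all $i \le k$, or else it generates a $\rho$-branch $n = n_0, \ldots, n_k, \ldots$ with $\mathcal{N} \not\models_{n_i} B$ for all $i$. In either case, it follows that $\mathcal{N} \not\models_n \forall(A\,\mathcal{U}\,B)$.

This completes our discussion of the proof of Theorem 9.25.

Exercise 9.26

Finish the argument showing that CTL has the finite model property and is decidable.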


10 Propositional Dynamic Logic

Dynamic logic (Pratt [1976]) is based on the idea of associating with each command $\alpha$ of a programming language a modal connective $[\alpha]$, with the formula $[\alpha]A$ being read "after $\alpha$ terminates, $A$", i.e. "after every terminating execution of $\alpha$, $A$ is true" (allowing that a non-deterministic $\alpha$ may be executed in more than one way). The dual formula $\langle\alpha\rangle A$ then means "there is an execution of $\alpha$ that terminates with $A$ true" (recall the discussion of motivations in §1).

In this way we obtain a multi-modal language, with a set of modal connectives indexed by the set of programs. An interesting theory emerges about the ways in which properties of complex programs can be expressed by the modal connectives of their constituent programs. The programs themselves are generated from some set $\Pi$ of "atomic" programs, whose nature is not examined further, so that we can concentrate on the behaviour of operations that generate new commands from given ones. Thus $\Pi$ plays the same role for programs that $\Phi$ plays for formulae of propositional logic. What happens when we replace $\Pi$ by actual commands will be the subject of Part Three.

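Syntax

Atomic formulae: $p \in \Phi$
Atomic programs: $\pi \in \Pi$
Formulae: $A \in Fma(\Phi, \Pi)$
Programs: $\alpha \in Prog(\Phi, \Pi)$

$\alpha ::= \pi \mid \alpha_1;\alpha_2 \mid \alpha_1 \cup \alpha_2 \mid \alpha^{*} \mid A?$

Intended meanings are:

$[\alpha]A$: after $\alpha$, $A$,
$\alpha_1;\alpha_2$: do $\alpha_1$ and then $\alpha_2$ (composition),
$\alpha_1 \cup \alpha_2$: do either $\alpha_1$ or $\alpha_2$ non-deterministically (alternation),
$\alpha^{*}$: repeat $\alpha$ some finite number ($\ge 0$) of times (iteration),
$A?$: test $A$: continue if $A$ is true, otherwise "fail".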


Further constructs are introduced by definitional abbreviation:

$\langle\alpha\rangle A$ is $\neg[\alpha]\neg A$,
if $A$ then $\alpha$ else $\beta$ is $(A?;\alpha) \cup (\neg A?;\beta)$
while $A$ do $\alpha$ is $(A?;\alpha)^{*};\neg A?$
repeat $\alpha$ until $A$ is $\alpha;(\neg A?;\alpha)^{*}$
skip is $\top?$
abort is $\bot?$
$\alpha^{0}$ is skip
$\alpha^{n+1}$ is $(\alpha;\alpha^{n})$

Standard Models

According to §5, a model for the language just described should be a structure of the form

$\mathcal{M} = (S, \{R_\alpha : \alpha \in Prog(\Phi,\Pi)\}, V)$,

with $R_\alpha$ a binary relation on $S$ for each program $\alpha$, and

$\mathcal{M} \models_s [\alpha]A$ iff $s R_\alpha t$ implies $\mathcal{M} \models_t A$.

We want the binary relations $R_\alpha$ to reflect the intended meanings of programs $\alpha$. Thus a model $\mathcal{M}$ will be defined to be standard if it satisfies the following conditions:

Ra;/3 = R a °R0 = {(*,*)

$R_{\alpha\cup\beta} = R_\alpha \cup R_\beta$,

$R_{\alpha^{*}} = R_\alpha^{*}$ = ancestral of $R_\alpha$;
$R_{A?} = \{(s,s) : \mathcal{M} \models_s A\}$.

There are no constraints on the $R_\pi$'s. This means that given a structure which assigns a binary relation to each atomic program, a uniquely determined standard model is obtained by using the above standard model conditions to inductively define $R_\alpha$ for non-atomic programs $\alpha$.
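How the atomic relations determine a standard model can be seen by computing it. The following is an added example, not code from the book: it builds $R_\alpha$ by recursion on $\alpha$ from the standard-model conditions (with $R_\alpha \circ R_\beta$ read as "run $\alpha$, then $\beta$") and evaluates $[\alpha]A$ against the result. The tuple encoding, the `StandardModel` class, the atomic program `dec` and the retry-counter sample are constructed for illustration.

```python
# Programs:  ("atom", name) | ("seq", a, b) | ("alt", a, b) | ("star", a) | ("test", A)
# Formulae:  ("p", name) | ("bot",) | ("imp", A, B) | ("box", a, A)
BOT = ("bot",)

def neg(a): return ("imp", a, BOT)
def conj(a, b): return neg(("imp", a, neg(b)))
def iff(a, b): return conj(("imp", a, b), ("imp", b, a))
def box(prog, a): return ("box", prog, a)
def dia(prog, a): return neg(box(prog, neg(a)))        # <α>A is ¬[α]¬A

TOP = neg(BOT)
SKIP, ABORT = ("test", TOP), ("test", BOT)             # skip is ⊤?, abort is ⊥?

def seq(a, b): return ("seq", a, b)

def if_then_else(c, a, b):                             # (A?;α) ∪ (¬A?;β)
    return ("alt", seq(("test", c), a), seq(("test", neg(c)), b))

def while_do(c, a):                                    # (A?;α)* ; ¬A?
    return seq(("star", seq(("test", c), a)), ("test", neg(c)))


def compose(r1, r2):
    """s (r1 ∘ r2) t iff s r1 u and u r2 t for some u (r1 runs first)."""
    return frozenset((s, t) for (s, u) in r1 for (v, t) in r2 if u == v)

def ancestral(states, r):
    """Reflexive transitive closure of r on the given state set."""
    closure = frozenset((s, s) for s in states) | r
    while True:
        bigger = closure | compose(closure, r)
        if bigger == closure:
            return closure
        closure = bigger


class StandardModel:
    """Standard model determined by relations for the atomic programs only."""

    def __init__(self, states, atomic, valuation):
        self.S = frozenset(states)
        self.atomic = {name: frozenset(pairs) for name, pairs in atomic.items()}
        self.V = {p: frozenset(ss) for p, ss in valuation.items()}

    def rel(self, prog):
        """R_α, defined inductively by the standard-model conditions."""
        tag = prog[0]
        if tag == "atom":
            return self.atomic[prog[1]]
        if tag == "seq":
            return compose(self.rel(prog[1]), self.rel(prog[2]))
        if tag == "alt":
            return self.rel(prog[1]) | self.rel(prog[2])
        if tag == "star":
            return ancestral(self.S, self.rel(prog[1]))
        if tag == "test":
            return frozenset((s, s) for s in self.sat(prog[1]))
        raise ValueError(f"unknown program constructor {tag!r}")

    def sat(self, f):
        """Set of states at which formula f is true."""
        tag = f[0]
        if tag == "p":
            return self.V.get(f[1], frozenset())
        if tag == "bot":
            return frozenset()
        if tag == "imp":
            return (self.S - self.sat(f[1])) | self.sat(f[2])
        if tag == "box":   # [α]A: every R_α-successor satisfies A
            r, a = self.rel(f[1]), self.sat(f[2])
            return frozenset(s for s in self.S
                             if all(t in a for (u, t) in r if u == s))
        raise ValueError(f"unknown connective {tag!r}")

    def valid(self, f):
        return self.sat(f) == self.S


# Constructed sample: state = retries left; "dec" may skip a step from state 2.
DEC = ("atom", "dec")
PENDING, LOW = ("p", "pending"), ("p", "low")
SAMPLE = StandardModel(
    states=range(4),
    atomic={"dec": [(3, 2), (2, 1), (2, 0), (1, 0)]},
    valuation={"pending": [1, 2, 3], "low": [0, 1]},
)

if __name__ == "__main__":
    loop = while_do(PENDING, DEC)
    print("R_while:", sorted(SAMPLE.rel(loop)))
    print("[while]¬pending valid:", SAMPLE.valid(box(loop, neg(PENDING))))
```

On the sample, every terminating run of the while-command ends in state 0, so the guard is false after the loop at every state.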

Exercises 10.1

(1) In a standard model $\mathcal{M}$, show:

(i) $R_{skip} = \{(s,s) : s \in S\}$;

(ii) $R_{abort} = \emptyset$;


(iii) $A?$ has the same meaning as

if $A$ then skip else abort;

(iv) $R_{\alpha^{n}} = (R_\alpha)^{n}$;

(v) $\mathcal{M} \models [\alpha^{n}]A \leftrightarrow [\alpha]^{n}A$ (recall the definition of $\Box^{n}$ from Exercise 3.9(6));

(vi) $\mathcal{M} \models_s [\alpha^{*}]A$ iff for all $n \ge 0$, $\mathcal{M} \models_s [\alpha^{n}]A$.

(2) In a standard model, determine the nature of $R_\alpha$ when $\alpha$ is a while-command (while $A$ do $\alpha_1$), or a conditional command (if $A$ then $\alpha_1$ else $\alpha_2$).

(3) Formulate precisely the observation that in a standard model, any execution of a program consists of a finite sequence of "atomic executions".

Axioms

Let PDL be the smallest normal logic in $Fma(\Phi,\Pi)$ that contains the schemata

Comp: $[\alpha;\beta]A \leftrightarrow [\alpha][\beta]A$,
Alt: $[\alpha\cup\beta]A \leftrightarrow [\alpha]A \wedge [\beta]A$,
Mix: $[\alpha^{*}]A \to A \wedge [\alpha][\alpha^{*}]A$,
Ind: $[\alpha^{*}](A \to [\alpha]A) \to (A \to [\alpha^{*}]A)$,
Test: $[A?]B \leftrightarrow (A \to B)$.

Notice the correspondence between $[\alpha^{*}]$ and $[\alpha]$ in the present language, and $\Box$ and $\bigcirc$ in temporal logic. The axioms Mix and Ind here correspond exactly to the axioms with the same names in §9. This is to be expected, since in each case, one connective is interpreted as the ancestral of the interpretation of the other.

We will show that PDL is determined by, and has the finite model property with respect to, the class of standard models.

Exercises 10.2

(1) $\vdash_{PDL} [\alpha^{n}]A \leftrightarrow [\alpha]^{n}A$.
(2)
(3) (Soundness) If $\vdash_{PDL} A$, then $A$ is true in all standard models.

Completeness of PDL

Let $\mathcal{M}^{P} = (S^{P}, \{R^{P}_{\alpha} : \alpha \in Prog(\Phi,\Pi)\}, V^{P})$ be the canonical PDL-model, with $S^{P}$ the set of PDL-maximal sets,

$s R^{P}_{\alpha} t$ iff $\{B : [\alpha]B \in s\} \subseteq t$,


andVp(p) = {s£S p :peS}.

Although M p verifies all PDL-theorems, and falsifies all non-theorems, ithas the same inadequacy that occurred with the temporal logic of §9: R p ,is not the ancestral of R p . However we do have:

Theorem 10.3. M p satisfies all standard-model conditions except

R p , C (R P Y.

Proof. W e discuss briefly only part of one condition, namely,

Suppose sR p .pt. We need to find a u € S p with sR p u and uR^t. Itsuffices, by Lindenbaum's Lemma, to show that

M O = {B : [a]B <= s} U {->[P]D :D$t}

is PDL-consistent, and for this the PDL-theorem

is used. The proof is very similar to the use of the schema

DCU -> HA

in Theorem 3.6 to derive the weak density condition.

Exercise 10.4

Complete the proof of Theorem 10.3. (The completeness theorem to follow will not depend on 10.3.)

Now let $A$ be a fixed non-theorem of PDL. To obtain a standard model that falsifies $A$ we will collapse $\mathcal{M}^P$ by a suitable $\Gamma$ that contains $A$. The closure rules for $\Gamma$ that will be needed are:

$\Gamma$ is closed under subformulae;
$[B?]D \in \Gamma$ implies $B \in \Gamma$;
$[\alpha;\beta]B \in \Gamma$ implies $[\alpha][\beta]B \in \Gamma$;
$[\alpha\cup\beta]B \in \Gamma$ implies $[\alpha]B, [\beta]B \in \Gamma$;
$[\alpha^*]B \in \Gamma$ implies $[\alpha][\alpha^*]B \in \Gamma$.

A set $\Gamma$ satisfying these conditions will be called closed.


where $S_\Gamma$ and $V_\Gamma$ are as usual, while $R_\pi$ is any $\Gamma$-filtration of $R^P_\pi$,

$R_{B?} = \{(|s|,|s|) : \mathcal{M}^P \models_s B\}$,

and otherwise $R_\alpha$ is given inductively by the standard-model condition on $\alpha$.

Exercise 10.6

Show that if $B?$ occurs in $\Gamma$, then $B \in \Gamma$, and hence that $R_{B?}$ is well defined.

Theorem 10.7. $\mathcal{M}_\Gamma$ is a $\Gamma$-filtration of $\mathcal{M}^P$.

Proof. We have to show that $R_\alpha$ is a $\Gamma$-filtration of $R^P_\alpha$ whenever $\alpha \in \mathit{Prog}_\Gamma$. The case of atomic $\alpha$ holds by definition.

Tests. Suppose $B? \in \mathit{Prog}_\Gamma$. Let $s R^P_{B?} t$. Then if $D \in s$, $(B \to D) \in s$, so $[B?]D \in s$ by axiom Test, hence $D \in t$. Thus $s \subseteq t$, and therefore $s = t$ as $s$ is maximal (2.3(2)). Moreover, as Test implies $\vdash_{PDL} [B?]B$, we get $B \in t = s$. Thus we have $s = t$ and $\mathcal{M}^P \models_s B$, implying $|s| R_{B?} |t|$ by definition of $R_{B?}$. Hence (F1) holds for $B?$.

For the second filtration condition, suppose that $|s| R_{B?} |t|$. Then $|s| = |t|$ and $\mathcal{M}^P \models_s B$. Thus if $[B?]D \in \Gamma$ and $\mathcal{M}^P \models_s [B?]D$, we have $\mathcal{M}^P \models_s (B \to D)$, as $\mathcal{M}^P \models$ Test, and so $\mathcal{M}^P \models_s D$. But then $\mathcal{M}^P \models_t D$, since $s \sim_\Gamma t$ and $D \in \Gamma$.

This completes the proof that $R_{B?}$ is a $\Gamma$-filtration of $R^P_{B?}$.

The proof of the first filtration condition (F1) in the inductive cases will use the following idea (which was used in the Ancestral Lemma 9.8). Given $s \in S^P$, let $A_s$ be a formula having

$A_s \in t$ iff $|s| R_\alpha |t|$

($A_s$ exists by Definability Lemma 9.7). Then to show that

$s R^P_\alpha t$ implies $|s| R_\alpha |t|$,

it suffices to prove that $[\alpha]A_s \in s$, for then if $s R^P_\alpha t$ we get $A_s \in t$ as desired.

Composition. Suppose that $(\alpha;\beta) \in \mathit{Prog}_\Gamma$, and, inductively, that $R_\alpha$ and $R_\beta$ are $\Gamma$-filtrations of $R^P_\alpha$ and $R^P_\beta$, respectively.

Let $A_s$ be a formula having

$A_s \in t$ iff $|s| R_{\alpha;\beta} |t|$.


Now if $s R^P_\alpha u R^P_\beta t$, then by the induction hypothesis $|s| R_\alpha |u| R_\beta |t|$, hence $|s| R_{\alpha;\beta} |t|$ as $\mathcal{M}_\Gamma$ is standard for $(\alpha;\beta)$, and so $A_s \in t$. This shows that $[\alpha][\beta]A_s \in s$, and so by axiom Comp, $[\alpha;\beta]A_s \in s$ as needed to ensure that $s R^P_{\alpha;\beta} t$ implies $|s| R_{\alpha;\beta} |t|$.

If $|s| R_{\alpha;\beta} |t|$ then for some $u$, $|s| R_\alpha |u|$ and $|u| R_\beta |t|$. Then if formula $[\alpha;\beta]B$ is in $\Gamma$ and true at $s$ in $\mathcal{M}^P$, $[\alpha][\beta]B$ is true at $s$, as $\mathcal{M}^P \models$ Comp, and also a member of $\Gamma$ by a closure condition. But then the hypotheses on $\alpha$ and $\beta$ give $[\beta]B$ true at $u$ in $\mathcal{M}^P$, and thence $B$ true at $t$.

Alternation. The inductive case for $(\alpha\cup\beta)$ is similar to that for $(\alpha;\beta)$. If $A_s$ is a formula having

$A_s \in t$ iff $|s| R_{\alpha\cup\beta} |t|$,

then using the inductive hypothesis on $\alpha$ and $\beta$, and the fact that $\mathcal{M}_\Gamma$ is standard for $(\alpha\cup\beta)$, we get $A_s \in t$ whenever $s R^P_\alpha t$ or $s R^P_\beta t$. Hence $[\alpha]A_s, [\beta]A_s \in s$, so $[\alpha\cup\beta]A_s \in s$ by axiom Alt.

The proof that $R_{\alpha\cup\beta}$ satisfies (F2) is left as an exercise.

Iteration. The proof that $R_{\alpha^*}$, i.e. $R_\alpha^*$, satisfies (F1) in relation to $R^P_{\alpha^*}$ is exactly the same as the proof of the Ancestral Lemma 9.8, using Ind. For (F2), we need to show that

if $|s| R_{\alpha^*} |t|$, then for all $B$, if $[\alpha^*]B \in \Gamma$ and $\mathcal{M}^P \models_s [\alpha^*]B$, then $\mathcal{M}^P \models_t B$.

But if $R_\alpha$ is a $\Gamma$-filtration of $R^P_\alpha$, we can show that for all $n \ge 0$,

if $|s| R_\alpha^n |t|$, then for all $B$, if $[\alpha^*]B \in \Gamma$ and $\mathcal{M}^P \models_s [\alpha^*]B$, then $\mathcal{M}^P \models_t [\alpha^*]B$,

by an argument just like that in 9.8, using $\mathcal{M}^P \models [\alpha^*]B \to [\alpha][\alpha^*]B$ (from Mix). Thus if $|s| R_{\alpha^*} |t|$, then $|s| R_\alpha^n |t|$ for some $n$, so that if $\mathcal{M}^P \models_s [\alpha^*]B$, we get $\mathcal{M}^P \models_t [\alpha^*]B$, and so $\mathcal{M}^P \models_t B$ as $\mathcal{M}^P \models [\alpha^*]B \to B$ by Mix again.

Filtration Lemma 10.8. For any $B \in \Gamma$, $\mathcal{M}^P \models_s B$ iff $\mathcal{M}_\Gamma \models_{|s|} B$.

Proof. From 10.7, in the usual way.

Corollary 10.9. $\mathcal{M}_\Gamma$ is a standard model.

Proof. The Filtration Lemma, and the definition of $R_{B?}$, give

for $B? \in \mathit{Prog}_\Gamma$, which was the only standard-model condition not already guaranteed by the definition of $\mathcal{M}_\Gamma$.

The final step in the argument that PDL has the finite model property with respect to standard models, and is decidable, should by now be familiar to the reader.


Exercises 10.10

(1) Extend the syntax to include programs of the form $\alpha^{-1}$, with the semantics

$R_{\alpha^{-1}} = \{(t,s) : s R_\alpha t\}$.

(2) Adapt the syntax to take the construction "while $A$ do $\alpha$" as primitive instead of $\alpha^*$. Define standard models appropriately, and show that the resulting logic is axiomatised by replacing Mix and Ind by the schemata

$A \to ([\text{while } A \text{ do } \alpha]B \to [\alpha][\text{while } A \text{ do } \alpha]B)$,

$\neg A \to \langle\text{while } A \text{ do } \alpha\rangle\top$,

and the well known Iteration Rule of Hoare:

from $\vdash A \wedge B \to [\alpha]B$ infer $\vdash B \to [\text{while } A \text{ do } \alpha](B \wedge \neg A)$

(cf. Goldblatt [1982i]).

Concurrent Dynamic Logic

We now consider an extension of PDL, due to Peleg [1987], which introduces the combination $\alpha \cap \beta$ of commands $\alpha$ and $\beta$, interpreted as "$\alpha$ and $\beta$ executed in parallel". Thus, whereas the theory of §9 envisaged a collection of processes taking turns to act, here we imagine processes acting independently at the same time. For example, we might contemplate a command of the form goto $l$ and $m$, which causes a program to execute the commands labelled by $l$ and $m$ simultaneously and in parallel.

In this context, the result of an execution started in state $s$ will not be a single terminal state $t$, but rather a set $T$ of states representing the terminal situations of all the parallel processes involved. Thus the relation $R_\alpha$ interpreting command $\alpha$ is no longer a set of pairs $(s,t)$, but rather a set of pairs $(s,T)$, with $s$ a member of the state-set $S$, and $T \subseteq S$. So instead of $R_\alpha \subseteq S \times S$, we have $R_\alpha \subseteq S \times 2^S$.

To keep the two types of relation distinct, we will refer to a subset of $S \times S$ simply as a binary relation on $S$, and a subset of $S \times 2^S$ as a reachability relation on $S$. When $s R_\alpha T$, this signifies that $T$ is "reachable" from $s$ by an execution of $\alpha$. There may be many ways of executing $\alpha$, and hence many different state-sets $T$ reachable from $s$ by doing $\alpha$.

To model the meaning of $\langle\alpha\rangle A$ as "there is an execution of $\alpha$ that terminates with $A$ true", we specify

$\mathcal{M} \models_s \langle\alpha\rangle A$ iff there exists $T \subseteq S$ with $s R_\alpha T$ and $T \subseteq \mathcal{M}(A)$, (i)


where $\mathcal{M}(A) = \{t \in S : \mathcal{M} \models_t A\}$.

If $[\alpha]$ is identified with $\neg\langle\alpha\rangle\neg$, as in Peleg [1987], the condition for truth of $[\alpha]A$ at $s$ becomes

$s R_\alpha T$ implies $T \cap \mathcal{M}(A) \ne \emptyset$.

Nerode and Wijesekera [1990] suggest that in this context a more appropriate modelling of "after every terminating execution of $\alpha$, $A$ is true", would be

$\mathcal{M} \models_s [\alpha]A$ iff $s R_\alpha T$ implies $T \subseteq \mathcal{M}(A)$, (ii)

making $[\alpha]$ and $\langle\alpha\rangle$ no longer interdefinable via $\neg$.

The extension of PDL with $[\alpha]$ and $\langle\alpha\rangle$ interpreted according to (i) and (ii) has not been investigated in the literature to date. Here we will demonstrate finite axiomatisability and decidability for this extension, by developing a new theory of canonical models and filtrations for reachability relations.

Notice that if a binary relation $\overline{R}_\alpha$ is defined by

$s \overline{R}_\alpha t$ iff $t \in \bigcup\{T : s R_\alpha T\}$,

then (ii) becomes

$\mathcal{M} \models_s [\alpha]A$ iff $s \overline{R}_\alpha t$ implies $\mathcal{M} \models_t A$.

This observation will allow us to relate much of the new theory of $[\alpha]$ given by (ii) to our earlier analysis of the binary relation semantics for PDL. At the same time, a whole new analysis is needed for $\langle\alpha\rangle$.

Syntax and Semantics

The formal language of Concurrent Propositional Dynamic Logic (CPDL) is as for PDL, with the addition of $\cap$ and the independent treatment of $[\alpha]$ and $\langle\alpha\rangle$:

Atomic formulae: $p \in \Phi$
Atomic programs: $\pi \in \Pi$
Formulae: $A \in \mathit{Fma}(\Phi,\Pi)$
Programs: $\alpha \in \mathit{Prog}(\Phi,\Pi)$

$A ::= p \mid \bot \mid A_1 \to A_2 \mid \langle\alpha\rangle A \mid [\alpha]A$

$\alpha ::= \pi \mid \alpha_1;\alpha_2 \mid \alpha_1 \cup \alpha_2 \mid \alpha_1 \cap \alpha_2 \mid \alpha^* \mid A?$

A CPDL-model is a structure

$\mathcal{M} = (S, \{R_\alpha : \alpha \in \mathit{Prog}(\Phi,\Pi)\}, V)$,

with $R_\alpha$ a reachability relation on $S$ for each program $\alpha$, i.e. $R_\alpha \subseteq S \times 2^S$, and the truth relation $\mathcal{M} \models_s A$ determined by (i) and (ii) above.


Operations on Reachability Relations

Let $R$ and $Q$ be reachability relations on a set $S$.

Composition. The relation $R \cdot Q \subseteq S \times 2^S$ is defined by

$s(R \cdot Q)T$ iff there exist $U \subseteq S$ with $sRU$, and a collection $\{T_u : u \in U\}$ of subsets of $T$ with $u Q T_u$ for all $u \in U$, such that $T = \bigcup\{T_u : u \in U\}$.

Combination.

$R \otimes Q = \{(s, T \cup W) : sRT \text{ and } sQW\}$.

Iteration. Let

$Id = \{(s,\{s\}) : s \in S\}$,

and define a sequence of reachability relations $R^{(n)}$ inductively by

$R^{(0)} = Id$
$R^{(n+1)} = Id \cup R \cdot R^{(n)}$.

Then put

$R^{(*)} = \bigcup\{R^{(n)} : n \in \omega\}$.

Exercises 10.11

(1) $Q \subseteq Q'$ implies $R \cdot Q \subseteq R \cdot Q'$.

(2) $(R \cup R') \cdot Q = R \cdot Q \cup R' \cdot Q$.

(3) Give a counter-example to the assertion

(4) $R^{(n)} \subseteq R^{(n+1)}$. Hence the operation $R^{(n)}$ is monotonic in $n$: $n < m$ implies $R^{(n)} \subseteq R^{(m)}$.

Standard Models

A CPDL-model is standard if it satisfies

$R_{\alpha\cup\beta} = R_\alpha \cup R_\beta$,


Thus in a standard model, $R_{\mathrm{skip}} = Id$. The standard-model condition on $\cap$ ensures that $\langle\alpha\cap\beta\rangle A$ gets the meaning "$\alpha$ and $\beta$ can be executed in parallel so that on termination (in both computations) $A$ is true".

To understand the meaning of the new iteration operation $R^{(*)}$ that interprets $\alpha^*$, consider the schema

$\langle\alpha^*\rangle A \leftrightarrow A \vee \langle\alpha\rangle\langle\alpha^*\rangle A$, (iii)

which intuitively is true under the intended meaning of $\alpha^*$ as "repeat $\alpha$ some finite number ($\ge 0$) of times". In the binary relation semantics for PDL, where $R_{\alpha^*}$ is the ancestral $R_\alpha^*$, truth of this schema in standard models is a consequence of the fact that

where $id = \{(s,s) : s \in S\}$.

(Note also that in such standard models, $id = R_{\mathrm{skip}}$, and $A \leftrightarrow \langle\mathrm{skip}\rangle A$ is true.)

Now in fact to have (iii) come out true in a PDL-model, it suffices to interpret $\alpha^*$ by any binary relation $Q$ satisfying

$Q = id \cup R_\alpha \circ Q$. (iv)

The characteristic property of the ancestral $R_\alpha^*$ is that it is the least solution of equation (iv), i.e. if (iv) holds then $R_\alpha^* \subseteq Q$ (cf. Exercise 1.5(4)). Thus in a model in which (iii) is true, we must have $R_\alpha^* \subseteq R_{\alpha^*}$. But then by requiring $R_{\alpha^*}$ itself to be the least solution of (iv) we add the converse inclusion $R_{\alpha^*} \subseteq R_\alpha^*$, which is just what is necessary to verify the PDL-axiom Ind.

Now if we put

$F(Q) = id \cup R_\alpha \circ Q$

for an arbitrary binary relation $Q$, then (iv) asserts that $Q$ is a fixed point of the operator $F$, i.e. $F(Q) = Q$. There is a general theory about fixed points of operators like $F$ that is fundamental to the study of recursive definitions: putting $F^{(0)} = F(\emptyset)$, and $F^{(n+1)} = F(F^{(n)})$, then knowing only that $F$ is monotonic, i.e. that

$Q \subseteq Q'$ implies $F(Q) \subseteq F(Q')$,

it can be shown that $F$ must have a least fixed point, namely the relation

$\bigcup\{F^{(n)} : n \in \omega\}$.


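Theorem 10.14. For any reachability relations $R_i$, $R$, $Q$:

(1) $\overline{\bigcup_{i \in I} R_i} = \bigcup_{i \in I} \overline{R_i}$.

(2) $R \subseteq Q$ implies $\overline{R} \subseteq \overline{Q}$.

(3) $\overline{R \cdot Q} \subseteq \overline{R} \circ \overline{Q}$.

(4) If $Id \subseteq Q$, then $\overline{R \cdot Q} = \overline{R} \circ \overline{Q}$.

(5) $\overline{R^{(n+1)}} = id \cup \overline{R} \circ \overline{R^{(n)}}$.

(6) $\overline{R^{(n)}} = \overline{R}^0 \cup \cdots \cup \overline{R}^n$.

(7) $\overline{R^{(*)}} = \overline{R}^*$.

Proof. (1) and (2) are straightforward, and left as exercises.

(3) Suppose that $s\,\overline{R \cdot Q}\,t$. Then $s(R \cdot Q)T$ for some $T$ with $t \in T$. From the definition of $R \cdot Q$, it follows that there exists $U$ with $sRU$, and some $u \in U$ for which there is a $T_u \subseteq T$ with $uQT_u$ and $t \in T_u$. But then $s\overline{R}u$ and $u\overline{Q}t$, showing that $s\,\overline{R} \circ \overline{Q}\,t$.

(4) If $Id \subseteq Q$, we want the converse of (3). Suppose then that $s\,\overline{R} \circ \overline{Q}\,t$, so that $s\overline{R}u$ and $u\overline{Q}t$ for some $u$. Then $sRU$ for some $U$ with $u \in U$, and $uQT_u$ for some $T_u$ with $t \in T_u$. Let

Since $Id \subseteq Q$, we have $vQ\{v\}$ in general, so it follows (with $T_v = \{v\}$ for $v \ne u$) that $s(R \cdot Q)T$, and hence as $t \in T$ that $s\,\overline{R \cdot Q}\,t$.

(5) Since $Id \subseteq R^{(n)}$, $\overline{R \cdot R^{(n)}} = \overline{R} \circ \overline{R^{(n)}}$ by (4). But as $\overline{Id} = id$, (5) then follows from the definition of $R^{(n+1)}$ and (1).

(6) By induction on $n$. The case $n = 0$ asserts that $\overline{R^{(0)}} = \overline{R}^0$, which is just the true statement that $\overline{Id} = id$. Assuming the result for $n$, from (5) and this induction hypothesis we then get

$\overline{R^{(n+1)}} = id \cup \overline{R} \circ (\overline{R}^0 \cup \cdots \cup \overline{R}^n)$

$= \overline{R}^0 \cup (\overline{R} \circ \overline{R}^0 \cup \cdots \cup \overline{R} \circ \overline{R}^n)$

which gives the result for $n + 1$.

(7) From the definition of $R^{(*)}$, applying (1) and then (5), we calculate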


Corollary 10.15. In a standard model $\mathcal{M}$,

$\mathcal{M} \models_s [\alpha^*]A$ iff $s \overline{R}_\alpha^* t$ implies $\mathcal{M} \models_t A$.

Proof. In a standard model, 10.14(7) implies $\overline{R_{\alpha^*}} = \overline{R}_\alpha^*$, so the result follows from Lemma 10.13.

This Corollary simplifies the determination of truth-values of formulae containing $[\alpha^*]$. For instance, it makes it easy to show that the PDL-axiom Ind is true in standard CPDL-models.

Exercises 10.16

Let $\mathcal{M}$ be standard.

(1) Prove by induction on $n$ that

$\mathcal{M} \models [\alpha^*](\langle\alpha\rangle A \to A) \to [\alpha^*](\langle\alpha^{(n)}\rangle A \to A)$.

(2) Use (1) and 10.12(5) to deduce that

M \=[

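Axioms for CPDL

Let CPDL be the smallest logic in $\mathit{Fma}(\Phi,\Pi)$ that contains the schemata

B-K: $[\alpha](A \to B) \to ([\alpha]A \to [\alpha]B)$,
B-Comp: $[\alpha;\beta]A \leftrightarrow [\alpha][\beta]A$,
B-Alt: $[\alpha\cup\beta]A \leftrightarrow [\alpha]A \wedge [\beta]A$,
B-Comb: $[\alpha\cap\beta]A \leftrightarrow (\langle\alpha\rangle\top \to [\beta]A) \wedge (\langle\beta\rangle\top \to [\alpha]A)$,
B-Mix: $[\alpha^*]A \to A \wedge [\alpha][\alpha^*]A$,
B-Ind: $[\alpha^*](A \to [\alpha]A) \to (A \to [\alpha^*]A)$,
B-Test: $[A?]B \leftrightarrow (A \to B)$,
D-K: $[\alpha](A \to B) \to (\langle\alpha\rangle A \to \langle\alpha\rangle B)$,
D-Comp: $\langle\alpha;\beta\rangle A \leftrightarrow \langle\alpha\rangle\langle\beta\rangle A$,
D-Alt: $\langle\alpha\cup\beta\rangle A \leftrightarrow \langle\alpha\rangle A \vee \langle\beta\rangle A$,
D-Comb: $\langle\alpha\cap\beta\rangle A \leftrightarrow \langle\alpha\rangle A \wedge \langle\beta\rangle A$,
D-Mix: $A \vee \langle\alpha\rangle\langle\alpha^*\rangle A \to \langle\alpha^*\rangle A$,
D-Ind: $[\alpha^*](\langle\alpha\rangle A \to A) \to (\langle\alpha^*\rangle A \to A)$,
D-Test: $\langle A?\rangle B \leftrightarrow (A \wedge B)$,
B-D: $[\alpha]\bot \vee \langle\alpha\rangle\top$,

and is closed under Necessitation for $[\alpha]$. Thus CPDL is a normal logic. (The B- and D- prefixes stand for "Box" and "Diamond".) For the sake of legibility we will abbreviate $\vdash_{CPDL} A$ simply to $\vdash A$.

It will be shown that this logic has the finite model property with respect to standard CPDL-models.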
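The reachability operations, the truth clauses (i) and (ii), and parts (3), (4) and (7) of Theorem 10.14 can be checked mechanically on a finite model. The following Python sketch is an added example, not code from the book; the tuple encoding of programs and formulae, all function names and the four-state model are assumptions made for illustration.

```python
from itertools import product

# A reachability relation is a set of pairs (s, T), with T a frozenset of states.
# Programs: ("atom", n) ("seq", a, b) ("alt", a, b) ("par", a, b) ("star", a) ("test", A)
# Formulae: ("p", n) ("bot",) ("imp", A, B) ("dia", a, A) ("box", a, A)

def compose(R, Q):
    """R . Q: go from s to U by R, then attach one Q-result T_u to every u in U."""
    out = set()
    for s, U in R:
        options = [[T for (v, T) in Q if v == u] for u in U]
        for pick in product(*options):   # no pick when some u in U has no Q-result
            out.add((s, frozenset().union(*pick)))
    return out

def combine(R, Q):
    """R (x) Q: union of one R-result and one Q-result from the same state."""
    return {(s, T | W) for (s, T) in R for (v, W) in Q if v == s}

def identity(S):
    return {(s, frozenset([s])) for s in S}

def fixpoint(step, start):
    """Iterate an increasing operator on a finite domain until nothing is added."""
    cur = start
    while step(cur) != cur:
        cur = step(cur)
    return cur

def star(R, S):
    """R^(*): limit of R^(0) = Id, R^(n+1) = Id u R.R^(n)."""
    return fixpoint(lambda X: identity(S) | compose(R, X), identity(S))

def flat(R):
    """Binary relation R-bar: s R-bar t iff t belongs to some T with s R T."""
    return {(s, t) for (s, T) in R for t in T}

def rel_compose(r, q):
    return {(s, t) for (s, u) in r for (v, t) in q if u == v}

def ancestral(r, S):
    """Reflexive transitive closure of a binary relation r on S."""
    return fixpoint(lambda x: x | rel_compose(x, r), {(s, s) for s in S})

class Model:
    def __init__(self, S, atoms, val):
        self.S, self.atoms, self.val = set(S), atoms, val

    def rel(self, a):
        """R_alpha for a compound program, by the standard-model conditions."""
        op = a[0]
        if op == "atom": return self.atoms[a[1]]
        if op == "seq":  return compose(self.rel(a[1]), self.rel(a[2]))
        if op == "alt":  return self.rel(a[1]) | self.rel(a[2])
        if op == "par":  return combine(self.rel(a[1]), self.rel(a[2]))
        if op == "star": return star(self.rel(a[1]), self.S)
        return {(s, frozenset([s])) for s in self.truth(a[1])}   # op == "test"

    def truth(self, A):
        """M(A): the set of states at which A is true."""
        op = A[0]
        if op == "p":   return set(self.val[A[1]])
        if op == "bot": return set()
        if op == "imp": return (self.S - self.truth(A[1])) | self.truth(A[2])
        R, MA = self.rel(A[1]), self.truth(A[2])     # op is "dia" or "box"
        if op == "dia":   # clause (i): some execution ends wholly inside M(A)
            return {s for (s, T) in R if T <= MA}
        # clause (ii): every execution ends wholly inside M(A)
        return {s for s in self.S if all(T <= MA for (v, T) in R if v == s)}

BOT = ("bot",)
def neg(A): return ("imp", A, BOT)
def conj(A, B): return neg(("imp", A, neg(B)))
def disj(A, B): return ("imp", neg(A), B)
def iff(A, B): return conj(("imp", A, B), ("imp", B, A))
TOP = neg(BOT)

def axiom_instances(x, y, A):
    """Instances of some CPDL schemata for programs x, y and formula A."""
    par, seq, st = ("par", x, y), ("seq", x, y), ("star", x)
    dia, box = (lambda a, B: ("dia", a, B)), (lambda a, B: ("box", a, B))
    return {
        "B-Comb": iff(box(par, A), conj(("imp", dia(x, TOP), box(y, A)),
                                        ("imp", dia(y, TOP), box(x, A)))),
        "D-Comb": iff(dia(par, A), conj(dia(x, A), dia(y, A))),
        "D-Comp": iff(dia(seq, A), dia(x, dia(y, A))),
        "B-D":    disj(box(x, BOT), dia(x, TOP)),
        "D-Mix":  ("imp", disj(A, dia(x, dia(st, A))), dia(st, A)),
        "D-Ind":  ("imp", box(st, ("imp", dia(x, A), A)), ("imp", dia(st, A), A)),
    }

# Constructed model: a forks state 0 into the pair {1, 2}; b cannot run at 1 or 3.
fs = frozenset
M = Model({0, 1, 2, 3}, {"a": {(0, fs({1, 2})), (1, fs({3}))},
          "b": {(0, fs({2})), (0, fs({3})), (2, fs({2}))}}, {"p": {1}, "q": {2, 3}})
a, b, p, q = ("atom", "a"), ("atom", "b"), ("p", "p"), ("p", "q")

def failing_axioms(model, x, y, A):
    return [n for n, F in axiom_instances(x, y, A).items() if model.truth(F) != model.S]
```

In this model `compose(M.rel(a), M.rel(b))` is empty although the binary composition of the flattened relations contains (0, 2), so the inclusion of 10.14(3) is strict when $Id \not\subseteq Q$; replacing `M.rel(b)` by its iteration restores equality as in 10.14(4).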


Exercises 10.17

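(1) (Soundness) If $\vdash A$, then $A$ is true in all standard CPDL-models.

(2) $\vdash A \to B$ implies $\vdash [\alpha]A \to [\alpha]B$.

(3) $\vdash A \to B$ implies $\vdash \langle\alpha\rangle A \to \langle\alpha\rangle B$.

(4) $\vdash [\alpha]A \vee \langle\alpha\rangle\top$.

(5) $\vdash [\alpha]A \to (\langle\alpha\rangle B$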

Maximal Sets

Let $S^m$ be the set of all CPDL-maximal subsets of $\mathit{Fma}(\Phi,\Pi)$. For each formula $A$, let

For each $s \in S^m$ and program $\alpha$, let

$s_\alpha = \{A : [\alpha]A \in s\}$, and

Thus $\|s_\alpha\| = \bigcap\{\|A\| : [\alpha]A \in s\}$.

Note that the condition "$s_\alpha \subseteq t$" is equivalent to "$s R^P_\alpha t$", which defines the binary relations in the canonical model for PDL.

Theorem 10.18.

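(1) $\vdash A$ iff $\|A\| = S^m$.

(2) $\vdash A \to B$ iff $\|A\| \subseteq \|B\|$.

(3) $\|A \vee B\| = \|A\| \cup \|B\|$.

(4) $\|A \wedge B\| = \|A\| \cap \|B\|$.

(5) $\|s_\alpha\| \subseteq \|A\|$ implies $[\alpha]A \in s$.

(6) If $\|s_\alpha\| \cap \|B\| \subseteq \|A\|$ and $\langle\alpha\rangle B \in s$, then $\langle\alpha\rangle A \in s$.

(7) If $s, u \in S^m$ and $s_\alpha \subseteq u$, then $\|u_\beta\| \subseteq \|s_{\alpha;\beta}\|$.

(8) $\|s_{\alpha\cup\beta}\| = \|s_\alpha\| \cup \|s_\beta\|$.

(9) If $\langle\alpha\rangle\top, \langle\beta\rangle\top \in s$, then $\|s_{\alpha\cap\beta}\| = \|s_\alpha\| \cup \|s_\beta\|$.

Proof. (1)-(4) are now familiar properties of maximal sets.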

(5) This is essentially as in Theorem 3.2. If $\|s_\alpha\| \subseteq \|A\|$, then every maximal extension of $s_\alpha$ contains $A$, and so by 2.6(1), $s_\alpha \vdash A$. Hence

for some $n$, and some formulae $B_i$ with $[\alpha]B_i \in s$. Then using Necessitation (directly if $n = 0$) and axiom B-K,

$\vdash [\alpha]B_0 \to ([\alpha]B_1 \to (\cdots \to ([\alpha]B_{n-1} \to [\alpha]A)\cdots))$,

from which $[\alpha]A \in s$ follows because $s$ contains all theorems and is closed under Detachment.

(6) Let $t \in S^m$ have $s_\alpha \subseteq t$. Then if $B \in t$, $t \in \|s_\alpha\| \cap \|B\|$, so as $\|s_\alpha\| \cap \|B\| \subseteq \|A\|$, then $A \in t$. Thus $(B \to A) \in t$. This shows that $\|s_\alpha\| \subseteq \|B \to A\|$, so by (5), $[\alpha](B \to A) \in s$. But then by axiom D-K, $(\langle\alpha\rangle B \to \langle\alpha\rangle A) \in s$, giving the desired result that if $\langle\alpha\rangle B \in s$ then $\langle\alpha\rangle A \in s$.

(7) Let $s_\alpha \subseteq u$. Then if $t \in \|u_\beta\|$, we reason as follows. If $A \in s_{\alpha;\beta}$, then $[\alpha;\beta]A \in s$, so $[\alpha][\beta]A \in s$ by axiom B-Comp, whence $[\beta]A \in s_\alpha \subseteq u$, giving $A \in u_\beta \subseteq t$. This shows $s_{\alpha;\beta} \subseteq t$, i.e. $t \in \|s_{\alpha;\beta}\|$.

(8) Here we want to show that

$s_{\alpha\cup\beta} \subseteq t$ iff $s_\alpha \subseteq t$ or $s_\beta \subseteq t$.

The implication from right to left is straightforward, with the aid of B-Alt. For the converse, suppose that $s_\alpha \not\subseteq t$ and $s_\beta \not\subseteq t$. Then there must be formulae $A$ and $B$ with $[\alpha]A, [\beta]B \in s$, but $A \notin t$ and $B \notin t$. Now $[\alpha]A \to [\alpha](A \vee B)$ is a theorem (cf. 10.17(2)), so $[\alpha](A \vee B) \in s$. Similarly, $[\beta](A \vee B) \in s$. Hence by B-Alt, $[\alpha\cup\beta](A \vee B) \in s$. Since $(A \vee B) \notin t$, this shows that $s_{\alpha\cup\beta} \not\subseteq t$.

(9) If $\langle\alpha\rangle\top, \langle\beta\rangle\top \in s$, then by axiom B-Comb,

$[\alpha\cap\beta]A \in s$ iff $[\alpha]A \in s$ and $[\beta]A \in s$.

But this allows us to prove that

$s_{\alpha\cap\beta} \subseteq t$ iff $s_\alpha \subseteq t$ or $s_\beta \subseteq t$,

in the same manner as for (8).

Reachability for Maximal Sets

Let $s \in S^m$ and $T \subseteq S^m$. For each program $\alpha$, put

$s R_\alpha T$ iff there exists $B$ with $\langle\alpha\rangle B \in s$ and $T = \|s_\alpha\| \cap \|B\|$.

Theorem 10.19.

(1) $\langle\alpha\rangle A \in s$ iff there exists $T$ with $sR_\alpha T$ and $T \subseteq \|A\|$.

(2) $\langle\alpha\rangle\top \in s$ implies $s R_\alpha \|s_\alpha\|$.

(3) $s \overline{R}_\alpha t$ iff $s_\alpha \subseteq t$.

(4) $[\alpha]A \in s$ iff $sR_\alpha T$ implies $T \subseteq \|A\|$.

Proof.

(1) If $\langle\alpha\rangle A \in s$, then defining $T = \|s_\alpha\| \cap \|A\|$ immediately gives $sR_\alpha T$ and $T \subseteq \|A\|$. Conversely, if $sR_\alpha T \subseteq \|A\|$, then there exists $B$ with $\langle\alpha\rangle B \in s$ and $T = \|s_\alpha\| \cap \|B\|$. But then $\|s_\alpha\| \cap \|B\| \subseteq \|A\|$, so Theorem 10.18(6) gives $\langle\alpha\rangle A \in s$, as desired.

(2) From the definition of $R_\alpha$, since $\|s_\alpha\| \cap \|\top\| = \|s_\alpha\|$.

(3) If $s\overline{R}_\alpha t$, then $t \in T$ for some $T$ of the form $\|s_\alpha\| \cap \|B\|$. But then $t \in \|s_\alpha\|$, i.e. $s_\alpha \subseteq t$. Conversely, if $s_\alpha \subseteq t$, then since $\bot \notin t$, we get $[\alpha]\bot \notin s$, so by axiom B-D, $\langle\alpha\rangle\top \in s$. Hence by (2), $sR_\alpha\|s_\alpha\|$. Since $t \in \|s_\alpha\|$, this gives

(4) By Theorem 10.18(5) and the definition of $s_\alpha$, it follows that to have $[\alpha]A \in s$ it is necessary and sufficient that

$s_\alpha \subseteq t$ implies $A \in t$,

which is equivalent by (3) to

$s\overline{R}_\alpha t$ implies $A \in t$,

which in turn holds if, and only if,

$sR_\alpha T$ implies $T \subseteq \|A\|$.

Corollary 10.20. If there exists some $t$ with $s\overline{R}_\alpha t$, then $\langle\alpha\rangle\top \in s$.

Proof. If $s\overline{R}_\alpha t$, there must be some $T$ with $sR_\alpha T$. Since $T \subseteq \|\top\|$, 10.19(1) then gives $\langle\alpha\rangle\top \in s$.

Canonical Model

The canonical model for CPDL is the structure

$\mathcal{M}^m = (S^m, \{R_\alpha : \alpha \in \mathit{Prog}(\Phi,\Pi)\}, V^m)$,

where $S^m$ is the set of all CPDL-maximal sets, $R_\alpha$ is as defined prior to Theorem 10.19, and $V^m(p) = \{s \in S^m : p \in s\}$ as usual.

Note that in this model the relation $\overline{R}_\alpha$ is identical to $R^P_\alpha$, by 10.19(3).


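10.18(8), $\|s_\alpha\| \subseteq \|s_{\alpha\cup\beta}\|$, so $W \subseteq T$. Similarly, if $\langle\beta\rangle A \in s$, we take $W = \|s_\beta\| \cap \|A\|$, and get $sR_\beta W \subseteq T$. In either case, $s(R_\alpha \cup R_\beta)W \subseteq T$.

(4) If $sR_{\alpha\cap\beta}T$, then $T = \|s_{\alpha\cap\beta}\| \cap \|A\|$ for some $A$ with $\langle\alpha\cap\beta\rangle A \in s$. Then by D-Comb, $\langle\alpha\rangle A, \langle\beta\rangle A \in s$, so $sR_\alpha(\|s_\alpha\| \cap \|A\|)$ and $sR_\beta(\|s_\beta\| \cap \|A\|)$. Hence $s(R_\alpha \otimes R_\beta)U$, where

$U = (\|s_\alpha\| \cap \|A\|) \cup (\|s_\beta\| \cap \|A\|) = (\|s_\alpha\| \cup \|s_\beta\|) \cap \|A\|$.

Since $\vdash \langle\alpha\rangle A \to \langle\alpha\rangle\top$ (10.17(3)) and $\langle\alpha\rangle A \in s$, it follows that $\langle\alpha\rangle\top \in s$. Similarly $\langle\beta\rangle\top \in s$. But then by 10.18(9) $U = T$.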

Execution Relations

If $s\overline{R}_\alpha t$, then intuitively there is an execution of $\alpha$ from $s$ that produces a set $T$ of terminal states including $t$. We may regard this execution as generating a tree of states, with $T$ being the set of leaves of the tree. There will be a path through this tree from $s$ to $t$, comprising a sequence of executions of atomic programs and/or tests (cf. §2.2 of Peleg [1987i] for an indication of how to formalise this idea).

If further $t\overline{R}_\beta u$, then there will be a similar computation tree containing a path from $t$ to $u$ as a result of executing $\beta$ from $t$. We then have $s\,\overline{R}_\alpha \circ \overline{R}_\beta\,u$, but we cannot conclude that $s\overline{R}_{\alpha;\beta}u$ without first showing that $\beta$-computation trees can be attached to every state in $T$, and not just $t$. Nonetheless one might suggest that $u$ has been arrived at from $s$ by an instance of "doing $\alpha$ and then $\beta$".

These observations may provide some motivation for the following technical definition of relations $R^+_\alpha$ whose chief purpose is to give a representation of program composition $\alpha;\beta$ by binary relation composition $\circ$, and which will be used in defining filtrations of CPDL-models.

Given a CPDL-model

define a family $\{R^+_\alpha : \alpha \in \mathit{Prog}(\Phi,\Pi)\}$ of binary relations on $S$ inductively by

and

$sR^+_{\alpha\cap\beta}t$ iff for some $T$, either

(i) $sR^+_\alpha t$ and $sR_\beta T$, or

(ii) $sR_\alpha T$ and $sR^+_\beta t$.

Theorem 10.23. In a model that is standard except possibly for tests, $\overline{R}_\alpha \subseteq R^+_\alpha$.

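Proof. By induction on the formation of $\alpha$. The cases $\alpha = \pi$ and $\alpha = A?$ are immediate by definition of $R^+_\alpha$. For the inductive cases, assume the result for $\alpha$ and $\beta$.

Composition:

$\overline{R}_{\alpha;\beta} = \overline{R_\alpha \cdot R_\beta}$ (standard condition for $\alpha;\beta$)

$\subseteq \overline{R}_\alpha \circ \overline{R}_\beta$ (by 10.14(3))

$\subseteq R^+_\alpha \circ R^+_\beta$ (hypothesis on $\alpha$ and $\beta$)

Alternation:

$\overline{R}_{\alpha\cup\beta} = \overline{R_\alpha \cup R_\beta}$ (standard condition for $\alpha\cup\beta$)

$= \overline{R}_\alpha \cup \overline{R}_\beta$ (10.14(1))

$\subseteq R^+_\alpha \cup R^+_\beta$ (hypothesis on $\alpha$ and $\beta$)

Iteration:

$\overline{R}_{\alpha^*} = \overline{R_\alpha^{(*)}}$ (standard condition for $\alpha^*$)

$= \overline{R}_\alpha^*$ (10.14(7))

$\subseteq (R^+_\alpha)^*$ (hypothesis on $\alpha$)

Combination: If $s\overline{R}_{\alpha\cap\beta}t$, then by the standard condition there are $T$, $W$ with $sR_\alpha T$, $sR_\beta W$, and $t \in T \cup W$. Now if $t \in T$, then $s\overline{R}_\alpha t$, so $sR^+_\alpha t$ by the hypothesis on $\alpha$, whence as $sR_\beta W$ we get $sR^+_{\alpha\cap\beta}t$. On the other hand, if $t \in W$ we similarly get $sR^+_\beta t$ and $sR_\alpha T$, leading again to the desired conclusion.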

Theorem 10.24. Let $\mathcal{M}$ be a model that is standard except possibly for tests. If $\alpha$ is any program, then for all formulae $A$ we have

$\mathcal{M} \models_s [\alpha]A$ iff $sR^+_\alpha t$ implies $\mathcal{M} \models_t A$.

Proof. Since in general

$\mathcal{M} \models_s [\alpha]A$ iff $s\overline{R}_\alpha t$ implies $\mathcal{M} \models_t A$

(Lemma 10.13), the fact that $\overline{R}_\alpha \subseteq R^+_\alpha$ implies directly that the statement of the Theorem holds from right to left. We prove the converse by induction on the formation of $\alpha$.

The cases $\alpha = \pi$ and $\alpha = A?$ are immediate, as then $R^+_\alpha = \overline{R}_\alpha$. For the inductive cases, assume the result for $\alpha$ and $\beta$.

Composition. Let $\mathcal{M} \models_s [\alpha;\beta]A$ and $sR^+_{\alpha;\beta}t$. Then there exists $u$ with $sR^+_\alpha u$ and $uR^+_\beta t$. Since $\mathcal{M}$ is standard for composition, it verifies B-Comp, and so $\mathcal{M} \models_s [\alpha][\beta]A$. The induction hypothesis on $\alpha$ then gives $\mathcal{M} \models_u [\beta]A$, from which the hypothesis on $\beta$ yields the desired conclusion $\mathcal{M} \models_t A$.

Alternation. If $\mathcal{M} \models_s [\alpha\cup\beta]A$ and $sR^+_{\alpha\cup\beta}t$, then either $sR^+_\alpha t$ or $sR^+_\beta t$, so as $\mathcal{M}$ verifies B-Alt, the hypothesis on $\alpha$ and $\beta$ leads to $\mathcal{M} \models_t A$.

Iteration. Let $\mathcal{M} \models_s [\alpha^*]A$. Then we first show that for any $n$,

$s(R^+_\alpha)^n t$ implies $\mathcal{M} \models_t [\alpha^*]A$. (†)

The base case $n = 0$ is immediate, since then $s = t$. Assuming the result for $n$, suppose that $s(R^+_\alpha)^{n+1}t$. Then for some $u$, $s(R^+_\alpha)^n u$ and $uR^+_\alpha t$. By the hypothesis on $n$, $\mathcal{M} \models_u [\alpha^*]A$. Hence $\mathcal{M} \models_u [\alpha][\alpha^*]A$, since $\mathcal{M}$ verifies B-Mix, so by the hypothesis on $\alpha$, $\mathcal{M} \models_t [\alpha^*]A$. This completes the inductive proof of (†).

Now if $sR^+_{\alpha^*}t$, then $s(R^+_\alpha)^n t$ for some $n$, and so $\mathcal{M} \models_t [\alpha^*]A$ by (†). Again since $\mathcal{M}$ verifies B-Mix, this implies $\mathcal{M} \models_t A$.

Combination. Let $\mathcal{M} \models_s [\alpha\cap\beta]A$ and $sR^+_{\alpha\cap\beta}t$. Then there exists $T$ such that either (i) $sR^+_\alpha t$ and $sR_\beta T$, or else (ii) $sR_\alpha T$ and $sR^+_\beta t$.

Now if (i) holds, then $sR_\beta T$ implies $\mathcal{M} \models_s \langle\beta\rangle\top$, so as $\mathcal{M}$ verifies B-Comb, $\mathcal{M} \models_s [\alpha]A$. But then the hypothesis on $\alpha$ gives $\mathcal{M} \models_t A$. Similarly, if (ii) holds we are led to $\mathcal{M} \models_t A$ by the other conjunct of B-Comb and the hypothesis on $\beta$.

Filtrations

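To define filtrations of CPDL-models, a set $\Gamma$ of formulae is defined to be closed if

$\Gamma$ is closed under subformulae;
$[B?]D \in \Gamma$ implies $B \in \Gamma$;
$[\alpha;\beta]B \in \Gamma$ implies $[\alpha][\beta]B \in \Gamma$;
$[\alpha\cup\beta]B \in \Gamma$ implies $[\alpha]B, [\beta]B \in \Gamma$;
$[\alpha\cap\beta]B \in \Gamma$ implies $[\alpha]B, [\beta]B, \langle\alpha\rangle\top, \langle\beta\rangle\top \in \Gamma$;
$[\alpha^*]B \in \Gamma$ implies $[\alpha][\alpha^*]B \in \Gamma$;
$\langle B?\rangle D \in \Gamma$ implies $B \in \Gamma$;
$\langle\alpha;\beta\rangle B \in \Gamma$ implies $\langle\alpha\rangle\langle\beta\rangle B \in \Gamma$;
$\langle\alpha\cup\beta\rangle B \in \Gamma$ implies $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$;
$\langle\alpha\cap\beta\rangle B \in \Gamma$ implies $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$;
$\langle\alpha^*\rangle B \in \Gamma$ implies $\langle\alpha\rangle\langle\alpha^*\rangle B \in \Gamma$.

By the same method as used in Lemma 10.5, it can be shown for the language of CPDL that

Lemma 10.25. For any $A \in \mathit{Fma}(\Phi,\Pi)$ there is a finite closed set $\Gamma$ with $A \in \Gamma$.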
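The closure rules above can be run as a worklist computation, which shows concretely why the set stays finite even with the iteration rule. This Python sketch is an added example, not part of the book; the tuple encoding, the function names, the reading of $\top$ as $\bot \to \bot$ and the sample formula are assumptions, and tests inside programs are not counted as subformulae, so they enter only through the test rules.

```python
# Programs: ("atom", n) ("seq", a, b) ("alt", a, b) ("par", a, b) ("star", a) ("test", A)
# Formulae: ("p", n) ("bot",) ("imp", A, B) ("dia", a, A) ("box", a, A)
BOT = ("bot",)
TOP = ("imp", BOT, BOT)            # assumption: T is read as "bottom implies bottom"

def successors(F):
    """Formulae that the closure rules force into any closed set containing F."""
    op = F[0]
    if op == "imp":
        return [F[1], F[2]]
    if op not in ("box", "dia"):
        return []                  # atomic formulae and bottom force nothing
    prog, B = F[1], F[2]
    out = [B]                      # immediate subformula
    kind = prog[0]
    if kind == "test":
        out.append(prog[1])
    elif kind == "seq":
        out.append((op, prog[1], (op, prog[2], B)))
    elif kind == "alt":
        out += [(op, prog[1], B), (op, prog[2], B)]
    elif kind == "par":
        out += [(op, prog[1], B), (op, prog[2], B)]
        if op == "box":            # only the box rule adds the <a>T and <b>T witnesses
            out += [("dia", prog[1], TOP), ("dia", prog[2], TOP)]
    elif kind == "star":
        out.append((op, prog[1], F))   # [a*]B forces [a][a*]B, likewise for <a*>B
    return out

def closure(A):
    """Smallest closed set containing A, computed as a worklist fixpoint."""
    seen, todo = set(), [A]
    while todo:
        F = todo.pop()
        if F not in seen:
            seen.add(F)
            todo.extend(successors(F))
    return seen

def is_closed(G):
    return all(X in G for F in G for X in successors(F))

# Constructed sample: [ (a n (q? ; b))* ] p
a, b = ("atom", "a"), ("atom", "b")
p, q = ("p", "p"), ("p", "q")
SIGMA = ("par", a, ("seq", ("test", q), b))
SAMPLE = ("box", ("star", SIGMA), p)
```

For the sample formula the closure has 14 members; the iteration rule contributes only the single unfolding $[\sigma][\sigma^*]p$, because its subformula $[\sigma^*]p$ is already present.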

Now let $\Gamma$ be a finite closed set. Put $\Phi_\Gamma = \Phi \cap \Gamma$, and let $\mathit{Prog}_\Gamma$ be the smallest set of programs that includes all atomic programs and tests occurring in members of $\Gamma$, and is closed under $;$, $\cup$, $\cap$, and $^*$. For $s, t \in S^m$, put

$s \sim_\Gamma t$ iff $s \cap \Gamma = t \cap \Gamma$,

$|s| = \{t \in S^m : s \sim_\Gamma t\}$,

$S_\Gamma = \{|s| : s \in S^m\}$,

as usual, and for $T \subseteq S^m$, and $X \subseteq S_\Gamma$, put

$|T| = \{|s| : s \in T\}$,

$S_X = \{s \in S^m : |s| \in X\}$.

Exercises 10.26

(1) $T \subseteq U$ implies $|T| \subseteq |U|$.
(2) $X \subseteq Y$ implies $S_X \subseteq S_Y$.
(3) $S_X \subseteq T$ implies $X \subseteq |T|$.
(4) $X = |S_X|$.
(5) $T \subseteq S_{|T|}$.
(6) $|s| = S_{\{|s|\}}$.

Now let

$\mathcal{M} = (S_\Gamma, \{\rho_\alpha : \alpha \in \mathit{Prog}_\Gamma\}, V_\Gamma)$,

be a model based on $S_\Gamma$, with $V_\Gamma$ the usual $\Phi_\Gamma$-valuation. Then the reachability relation $\rho_\alpha$ on $S_\Gamma$ is defined to be a $\Gamma$-filtration of the relation $R_\alpha$ from the canonical model $\mathcal{M}^m$ if, and only if, the following four conditions are satisfied.

(B1) $s\overline{R}_\alpha t$ implies $|s|\rho^+_\alpha|t|$.

(B2) $|s|\overline{\rho}_\alpha|t|$ implies $\{B : [\alpha]B \in s \cap \Gamma\} \subseteq t$.

(D1) $sR_\alpha T$ implies $|s|\rho_\alpha X$ for some $X \subseteq |T|$.

(D2) if $|s|\rho_\alpha X$ and $S_X \subseteq \|B\|$, then $\langle\alpha\rangle B \in \Gamma$ implies $\langle\alpha\rangle B \in s$.

$\rho_\alpha$ will be called strong if it satisfies

$sR_\alpha T$ implies $|s|\rho_\alpha|T|$.

Any strong relation $\rho_\alpha$ obviously satisfies (D1). But it also satisfies (B1) when $\overline{\rho}_\alpha \subseteq \rho^+_\alpha$, e.g. when $\mathcal{M}$ is standard except possibly for tests (10.23). For then if $s\overline{R}_\alpha t$, we have $sR_\alpha T$ for some $T$ with $t \in T$, hence $|s|\rho_\alpha|T|$ and $|t| \in |T|$, showing $|s|\overline{\rho}_\alpha|t|$. But then $|s|\rho^+_\alpha|t|$ since $\overline{\rho}_\alpha \subseteq \rho^+_\alpha$.

The model $\mathcal{M}$ will be called a $\Gamma$-filtration of the canonical model $\mathcal{M}^m$ if $\rho_\alpha$ is a $\Gamma$-filtration of $R_\alpha$ for all $\alpha \in \mathit{Prog}_\Gamma$.

Filtration Lemma 10.27. Let $\mathcal{M}$ be a $\Gamma$-filtration of $\mathcal{M}^m$ that is standard except possibly for tests. Then for any $B \in \Gamma$ and $s \in S^m$,

$\mathcal{M}^m \models_s B$ iff $\mathcal{M} \models_{|s|} B$.

Proof. By induction on the formation of B.

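For the inductive case for $[\alpha]$, assume the result for $B$. Then if $[\alpha]B \in \Gamma$ and $\mathcal{M} \models_{|s|} [\alpha]B$, since $\mathcal{M}$ is standard except possibly for tests we get that

$|s|\rho^+_\alpha|t|$ implies $\mathcal{M} \models_{|t|} B$,

by Theorem 10.24. From (B1) and the induction hypothesis on $B$, we then get

$s\overline{R}_\alpha t$ implies $\mathcal{M}^m \models_t B$.

This in turn gives $\mathcal{M}^m \models_s [\alpha]B$ by Lemma 10.13.

Conversely, if $\mathcal{M}^m \models_s [\alpha]B$, i.e. $[\alpha]B \in s$, then from (B2) and the induction hypothesis we get that

$|s|\overline{\rho}_\alpha|t|$ implies $\mathcal{M} \models_{|t|} B$,

which implies $\mathcal{M} \models_{|s|} [\alpha]B$ by 10.13 again.

Now for the inductive case of $\langle\alpha\rangle$. First, if $\langle\alpha\rangle B \in \Gamma$ and $\mathcal{M}^m \models_s \langle\alpha\rangle B$, then there exists $T \subseteq S^m$ with $sR_\alpha T \subseteq \|B\|$. Thus if the Lemma holds for $B$, then for $t \in T$ we have $B \in t$, whence $\mathcal{M} \models_{|t|} B$, showing that $|T| \subseteq \mathcal{M}(B)$. But by (D1), $|s|\rho_\alpha X$ for some $X \subseteq |T|$. Then $X \subseteq \mathcal{M}(B)$, giving $\mathcal{M} \models_{|s|} \langle\alpha\rangle B$.

Conversely, if $\mathcal{M} \models_{|s|} \langle\alpha\rangle B$, then $|s|\rho_\alpha X$ for some $X \subseteq \mathcal{M}(B)$. The inductive hypothesis on $B$ then yields $S_X \subseteq \|B\|$, and so (D2) gives $\mathcal{M}^m \models_s \langle\alpha\rangle B$.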


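Existence of Filtrations

For $\alpha \in \mathit{Prog}_\Gamma$, define

$|s|\rho^\lambda_\alpha X$ iff (i) $|t| \in X$ implies $\{B : [\alpha]B \in s \cap \Gamma\} \subseteq t$; and (ii) $S_X \subseteq \|B\|$ and $\langle\alpha\rangle B \in \Gamma$ implies $\langle\alpha\rangle B \in s$.

Theorem 10.28. If $\overline{\rho^\lambda_\alpha} \subseteq (\rho^\lambda_\alpha)^+$, then $\rho^\lambda_\alpha$ is a $\Gamma$-filtration of $R_\alpha$, and is in fact the largest one.

Proof. First we show that $\rho^\lambda_\alpha$ is strong, taking care of (B1) and (D1) since $\overline{\rho^\lambda_\alpha} \subseteq (\rho^\lambda_\alpha)^+$, as explained above. So, let $sR_\alpha T$, with the objective of showing that $|s|\rho^\lambda_\alpha|T|$, i.e. that (i) and (ii) above hold with $X = |T|$. We have $T = \|s_\alpha\| \cap \|C\|$, for some $C$ with $\langle\alpha\rangle C \in s$.

Now for (i), if $|t| \in |T|$, then $t \sim_\Gamma u$ for some $u \in T$, so that if $[\alpha]B \in s \cap \Gamma$ then $T \subseteq \|B\|$ as $sR_\alpha T$, hence $B \in u$, and so $B \in t$ as $B \in \Gamma$.

For (ii), suppose that $S_{|T|} \subseteq \|B\|$ and $\langle\alpha\rangle B \in \Gamma$. Then as $T \subseteq S_{|T|}$, we have $sR_\alpha T \subseteq \|B\|$, and so $\langle\alpha\rangle B \in s$ follows by Theorem 10.19(1). This completes the proof that $\rho^\lambda_\alpha$ is strong.

Next we show that (B2) holds for $\rho^\lambda_\alpha$: if $|s|\overline{\rho^\lambda_\alpha}|t|$ then $|s|\rho^\lambda_\alpha X$ and $|t| \in X$ for some $X$, so that by part (i) of the definition of $\rho^\lambda_\alpha$, $\{B : [\alpha]B \in s \cap \Gamma\} \subseteq t$.

Noting that (D2) for $\rho^\lambda_\alpha$ is immediate from (ii), we have now shown that $\rho^\lambda_\alpha$ is a filtration. The proof that it is the largest is left as an exercise.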

The Finite Model

Given a finite closed $\Gamma$, construct a model

$\mathcal{M}_\Gamma = (S_\Gamma, \{\rho_\alpha : \alpha \in \mathit{Prog}_\Gamma\}, V_\Gamma)$,

by letting $\rho_\pi$ be any $\Gamma$-filtration of $R_\pi$ (such existing by 10.28),

$\rho_{B?} = \{(|s|, \{|s|\}) : \mathcal{M}^m \models_s B\}$,

and otherwise defining $\rho_\alpha$ inductively by the standard-model condition on $\alpha$. Thus $\mathcal{M}_\Gamma$ is standard except possibly for tests.

Theorem 10.29. $\mathcal{M}_\Gamma$ is a $\Gamma$-filtration of the canonical CPDL-model $\mathcal{M}^m$.

Proof. We have to show that $\rho_\alpha$ is a $\Gamma$-filtration of $R_\alpha$ for each $\alpha \in \mathit{Prog}_\Gamma$.

Tests. Suppose $B? \in \mathit{Prog}_\Gamma$. If $sR_{B?}T$, then by 10.22(1), $T = \{s\}$ and $\mathcal{M}^m \models_s B$. Hence $|T| = \{|s|\}$, and so $|s|\rho_{B?}|T|$ by definition of $\rho_{B?}$. This shows that $\rho_{B?}$ is strong, and so fulfils (B1) and (D1).

For (B2), let $|s|\overline{\rho}_{B?}|t|$, so that $|s| = |t|$ and $B \in s$. Then if $[B?]D \in s \cap \Gamma$, we get $D \in s$ via B-Test, and so $D \in t$ as $s \sim_\Gamma t$.


For (D2), let \a\pgjX and S x C \\D\\. Then X = {\s\} and B € s, sothat s e S x , giving D e s. Hence by D-Test, <B1>D e s.

Composition. Suppose that (a;/3) € Progr, and, inductively, that p a and

p/3 are T-filtrations of # a and #0, respectively.(Bl): The argument is just as for PDL in Theorem 10.7. For s € S,

let A s be a formula having

A s et iff Mp+01* .

IfsR^ulfyt, then by (Bl) for a and /3, \s\p+ \u\p+ \t\. Hence |s|p+op+|*|, i.e.|s|/9+0|t| by definition of p+;/ 9, and so A s € f . This shows that [ a ] [ /3 ]A8 €s, and hence by axiom B-Comp, [a;/3]As e s as needed to ensure thatsR a .pt implies |a|pa;/j |<|.

( B 2 ) : Let |s|p |*|, i.e. \s\pa • pp\t\. Then \s\p^o~pj\t\ by 10.14(3), sofor some u, \s\pZ\u\ and \u \p~f j \ t \ . Then if [a;/3]B € sOT, [a][/3]S £ sf lTby Comp, so (B2) for a and /3 give [0]B £ u and thence Bet.

(Dl): Let sR a -0T. Then by Theorem 10.22(2), there exists U C S m

with sR a U, such that for each u 6 U there exists T u CT with uRpT u . By(Dl) for a there exists X C S r with |s|/9«X C |t/|. Then if x & X, wehave x = \u \ for some u € C/, so by (Dl) for /3, there exists Yx C Sr withxp/j^x C |T U | C |T|. Thus putting

Z \J{YX :x£X},

we have \s\(pa • pp)Z, hence \s\pa-tpZ C |T|.( D 2 ) : If \s\pa-tpX, i.e. |a|(p a • P0)X, then there exists K C Sr with

|a|p a r, such that X = \J{Xy : y e Y}, with j /p^X y for all y&Y.Now suppose S x C ||B|| and <a;/3>B € T. We want <a;/3>B e s.

But if < 6 5y, then |t| e Y and Sjc m C 5x C \\B\\, so as </3>5 € F and|*|p^A"|t|, (D2) fo r /9 gives <j3>B &t. This shows that SV C ||</3>B||.Since <a><j3>B € Tand |s|p a y, (D2) for a then gives <a></3>B € s,so D-Comp yields <a;f3>B 6 s as desu-ed.

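Alternation.

(B1). Let $A_s$ be a formula having

$$A_s \in t \text{ iff } |s|\rho^+_{\alpha\cup\beta}|t|.$$

Using (B1) for $\alpha$ and $\beta$ and the definition of $\rho^+_{\alpha\cup\beta}$, we get $A_s \in t$ whenever $s\overline{R}_\alpha t$ or $s\overline{R}_\beta t$. Hence $[\alpha]A_s, [\beta]A_s \in s$, so $[\alpha\cup\beta]A_s \in s$ by B-Alt.

(B2). If $|s|\overline{\rho_{\alpha\cup\beta}}|t|$, then either $|s|\overline{\rho_\alpha}|t|$ or else $|s|\overline{\rho_\beta}|t|$. Since B-Alt gives $[\alpha\cup\beta]B \in s$ only if $[\alpha]B, [\beta]B \in s$, (B2) for $\alpha$ and $\beta$ then readily yield $\{B : [\alpha\cup\beta]B \in s \cap \Gamma\} \subseteq t$.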


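(D1). If $sR_{\alpha\cup\beta}T$, then by 10.22(3) there exists $W \subseteq T$ with $sR_\alpha W$ or $sR_\beta W$. Assuming (D1) for $\alpha$ and $\beta$, it follows that there is some $X \subseteq |W|$ with $|s|\rho_\alpha X$ or $|s|\rho_\beta X$. Hence $|s|\rho_{\alpha\cup\beta}X \subseteq |T|$.

(D2). Let $|s|\rho_{\alpha\cup\beta}X$, $S_X \subseteq \|B\|$, and $\langle\alpha\cup\beta\rangle B \in \Gamma$. Then either $|s|\rho_\alpha X$ or $|s|\rho_\beta X$, and $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$. Hence by (D2) for $\alpha$ and $\beta$, one of $\langle\alpha\rangle B$ and $\langle\beta\rangle B$ is in $s$, implying $\langle\alpha\cup\beta\rangle B \in s$ by D-Alt.

Combination.

(B1). Let $A_s$ be a formula having

$$A_s \in t \text{ iff } |s|\rho^+_{\alpha\cap\beta}|t|.$$

We show that

$$(\langle\alpha\rangle\top \to [\beta]A_s),\ (\langle\beta\rangle\top \to [\alpha]A_s) \in s, \qquad (\dagger)$$

which gives $[\alpha\cap\beta]A_s \in s$ by B-Comb.

To prove ($\dagger$), let $\langle\alpha\rangle\top \in s$. Then $sR_\alpha T$ for some $T$, and so by (D1) for $\alpha$, $|s|\rho_\alpha X$ for some $X$. Then if $s\overline{R}_\beta t$ we have $|s|\rho^+_\beta|t|$ by (B1) for $\beta$, so with $|s|\rho_\alpha X$ we get $|s|\rho^+_{\alpha\cap\beta}|t|$, hence $A_s \in t$. This shows that $[\beta]A_s \in s$.

We have now shown that $(\langle\alpha\rangle\top \to [\beta]A_s) \in s$. The proof that $(\langle\beta\rangle\top \to [\alpha]A_s) \in s$ is similar.

(B2). Let $|s|\overline{\rho_{\alpha\cap\beta}}|t|$. Then there exist $X, Y$ with $|s|\rho_\alpha X$, $|s|\rho_\beta Y$, and either $|t| \in X$ or $|t| \in Y$.

Now suppose $[\alpha\cap\beta]B \in s \cap \Gamma$. Then $\langle\alpha\rangle\top, \langle\beta\rangle\top \in \Gamma$. Since $S_X, S_Y \subseteq \|\top\|$, (D2) for $\alpha$ and $\beta$ then give $\langle\alpha\rangle\top, \langle\beta\rangle\top \in s$. Hence axiom B-Comb implies $[\beta]B, [\alpha]B \in s$. But if $|t| \in X$, then $|s|\overline{\rho_\alpha}|t|$, so (B2) for $\alpha$ gives $B \in t$. If however $|t| \in Y$, we get the same conclusion from (B2) for $\beta$.

(D1). If $sR_{\alpha\cap\beta}T$, then by 10.22(4) there exist $W_1, W_2$ with $sR_\alpha W_1$, $sR_\beta W_2$, and $T = W_1 \cup W_2$. By (D1) for $\alpha$ and $\beta$, it follows that there exist $X_1, X_2$ with $|s|\rho_\alpha X_1 \subseteq |W_1|$ and $|s|\rho_\beta X_2 \subseteq |W_2|$. Hence

$$|s|\rho_{\alpha\cap\beta}(X_1 \cup X_2) \subseteq |W_1| \cup |W_2| \subseteq |T|.$$

(D2). Let $|s|\rho_{\alpha\cap\beta}X$, $S_X \subseteq \|B\|$, and $\langle\alpha\cap\beta\rangle B \in \Gamma$. Then by definition of $\rho_{\alpha\cap\beta}$, there exist $Y, Z$ with $|s|\rho_\alpha Y$, $|s|\rho_\beta Z$, and $X = Y \cup Z$. But $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$, and $S_Y, S_Z \subseteq S_X \subseteq \|B\|$, so by (D2) for $\alpha$ and $\beta$ we get $\langle\alpha\rangle B, \langle\beta\rangle B \in s$. Axiom D-Comb then implies $\langle\alpha\cap\beta\rangle B \in s$.

Iteration.

(B1). This is essentially as in the Ancestral Lemma 9.8. Let $A_s$ be a formula having

$$A_s \in t \text{ iff } |s|\rho^+_{\alpha^*}|t|.$$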


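We show that

$$\vdash A_s \to [\alpha]A_s. \qquad (\dagger)$$

For, if $t \in S^m$ and $A_s \in t$, then $|s|(\rho^+_\alpha)^*|t|$, and so $|s|(\rho^+_\alpha)^n|t|$ for some $n \geq 0$. Then if $t\overline{R}_\alpha u$, (B1) for $\alpha$ implies $|t|\rho^+_\alpha|u|$, hence $|s|(\rho^+_\alpha)^{n+1}|u|$, so $|s|\rho^+_{\alpha^*}|u|$, and therefore $A_s \in u$. This shows $[\alpha]A_s \in t$, as required for ($\dagger$).

By the rule of Necessitation for $[\alpha^*]$ and axiom B-Ind, we then have $(A_s \to [\alpha^*]A_s) \in s$. But $A_s \in s$ as $|s|(\rho^+_\alpha)^0|s|$, so $[\alpha^*]A_s \in s$, yielding (B1) for $\alpha^*$.

(B2). Since $\overline{\rho_{\alpha^*}} = \overline{\rho_\alpha^{(*)}} = (\overline{\rho_\alpha})^*$, we want to show that

$$|s|(\overline{\rho_\alpha})^*|t| \text{ implies } \{B : [\alpha^*]B \in s \cap \Gamma\} \subseteq t.$$

Using (B2) for $\alpha$ and the CPDL-theorem $[\alpha^*]B \to [\alpha][\alpha^*]B$ (by B-Mix), we show, in similar fashion to 9.8 and 10.7, that for all $n \geq 0$,

$$|s|(\overline{\rho_\alpha})^n|t| \text{ implies } \{[\alpha^*]B : [\alpha^*]B \in s \cap \Gamma\} \subseteq t.$$

Then if $|s|(\overline{\rho_\alpha})^*|t|$, we have $|s|(\overline{\rho_\alpha})^n|t|$ for some $n$, so if $[\alpha^*]B \in s \cap \Gamma$ then $[\alpha^*]B \in t$, hence $B \in t$ as $\vdash [\alpha^*]B \to B$ by B-Mix.

(D1). For any set $T \subseteq S^m$, let $A_T$ be a formula such that for all $s \in S^m$,

$$A_T \in s \text{ iff } |s|\rho_{\alpha^*}X \text{ for some } X \subseteq |T|.$$

We will prove

$$T \subseteq \|A_T\|, \qquad (\dagger)$$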

and

From these we derive (D1) for $\alpha^*$ as follows. If $sR_{\alpha^*}T$, then from ($\dagger$) we get $\langle\alpha^*\rangle A_T \in s$ (10.19(1)). But from ($\ddagger$) by Necessitation for $\alpha^*$ and axiom D-Ind,

h

so $A_T \in s$, giving $|s|\rho_{\alpha^*}X$ for some $X \subseteq |T|$ as desired.

To prove ($\dagger$), let $t \in T$. Then $|t|\rho_{\alpha^*}\{|t|\}$, since $Id \subseteq \rho_\alpha^{(*)} = \rho_{\alpha^*}$, and $\{|t|\} \subseteq |T|$, so with $X = \{|t|\}$ we fulfill $A_T \in t$, and hence $t \in \|A_T\|$.

For ($\ddagger$) it suffices to show that any maximal set containing $\langle\alpha\rangle A_T$ must also contain $A_T$. So, let $s \in S^m$ have $\langle\alpha\rangle A_T \in s$. Then $sR_\alpha U$ for some $U \subseteq \|A_T\|$. By (D1) for $\alpha$, $|s|\rho_\alpha X$ for some $X \subseteq |U|$. Thus for some $k \in \omega$ we have $X = \{|u_0|, \ldots, |u_{k-1}|\}$, for some $u_0, \ldots, u_{k-1} \in U$.

Now for each $i$ with $0 \leq i < k$ we have $A_T \in u_i$, since $U \subseteq \|A_T\|$, and so $|u_i|\rho_{\alpha^*}Y_i$ for some $Y_i \subseteq |T|$. Since $\mathcal{M}_\Gamma$ is standard for $\alpha^*$, it follows that


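$|u_i|\rho_\alpha^{(n_i)}Y_i$ for some $n_i$. Let $n$ be the maximum of $n_0, \ldots, n_{k-1}$. Then since the reachability relations $\rho_\alpha^{(m)}$ increase monotonically with $m$ (Exercise 10.11(4)), we have $|u_i|\rho_\alpha^{(n)}Y_i$ for all $i < k$. Thus if $Y = \bigcup\{Y_i : 0 \leq i < k\}$, then $|s|(\rho_\alpha\cdot\rho_\alpha^{(n)})Y$, hence $|s|\rho_\alpha^{(n+1)}Y$, and so $|s|\rho_\alpha^{(*)}Y$. Therefore we have $|s|\rho_{\alpha^*}Y \subseteq |T|$, which ensures that $A_T \in s$ as desired.

(D2). If $|s|\rho_{\alpha^*}X$, then $|s|\rho_\alpha^{(n)}X$ for some $n$. Hence it suffices to prove that for all $n \geq 0$, and all $s \in S^m$,

if $|s|\rho_\alpha^{(n)}X$ and $S_X \subseteq \|B\|$, then $\langle\alpha^*\rangle B \in \Gamma$ implies $\langle\alpha^*\rangle B \in s$. ($\dagger$)

For the case $n = 0$, if $|s|\rho_\alpha^{(0)}X$, i.e. $|s|\,Id\,X$, then $X = \{|s|\}$, so if $S_X \subseteq \|B\|$, then as $s \in S_X$ it follows that $B \in s$, and hence that $\langle\alpha^*\rangle B \in s$ by axiom D-Mix.

Now make the inductive assumption that ($\dagger$) holds for $n$, and let $|s|\rho_\alpha^{(n+1)}X$, $S_X \subseteq \|B\|$, and $\langle\alpha^*\rangle B \in \Gamma$. Then either $|s|\rho_\alpha^{(0)}X$, whence the desired result follows as above, or else $|s|(\rho_\alpha\cdot\rho_\alpha^{(n)})X$. In the latter case there must then be some $Y$ with $|s|\rho_\alpha Y$ such that $X = \bigcup\{X_y : y \in Y\}$, with $y\rho_\alpha^{(n)}X_y$ for all $y \in Y$.

Then if $t \in S_Y$, we have $|t| \in Y$, so $S_{X_{|t|}} \subseteq S_X \subseteq \|B\|$, whence as $|t|\rho_\alpha^{(n)}X_{|t|}$, the hypothesis on $n$ gives $\langle\alpha^*\rangle B \in t$. Thus $S_Y \subseteq \|\langle\alpha^*\rangle B\|$. But $\langle\alpha\rangle\langle\alpha^*\rangle B \in \Gamma$, and $|s|\rho_\alpha Y$, so by (D2) for $\alpha$, $\langle\alpha\rangle\langle\alpha^*\rangle B \in s$.

Hence by D-Mix we get our desideratum $\langle\alpha^*\rangle B \in s$.

This shows that ($\dagger$) holds for $n + 1$, completing the inductive proof that it holds for all $n$, and hence completing the proof of Theorem 10.29.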

Corollary 10.30. $\mathcal{M}_\Gamma$ is a standard CPDL-model.

Proof. By definition, $\mathcal{M}_\Gamma$ is standard except possibly for tests. Since it is a filtration of $\mathcal{M}^m$, the Filtration Lemma 10.27 then implies that

for $B? \in Prog_\Gamma$, so that $\mathcal{M}_\Gamma$ is also standard for tests.

From this Corollary it follows in the usual way that any non-theorem of CPDL is falsifiable in a finite standard CPDL-model. Hence CPDL has the finite model property with respect to standard models, and is decidable.

Normality for $\langle\alpha\rangle$

A natural condition to impose on models is that

$$sR_\alpha T \text{ implies } T \neq \emptyset,$$

i.e. not-$sR_\alpha\emptyset$,


since if $sR_\alpha T$ then $T$ is the result of a terminating execution of $\alpha$ from $s$: termination implies the existence of a terminal state.

The corresponding axiom schema is

D-N: $\neg\langle\alpha\rangle\bot$,

which is always true under the binary relation semantics. Indeed it requires only the schema

to derive D-N from $[\alpha]\top$, and the latter is a theorem of any logic that is normal for $[\alpha]$.

Exercises 10.31

(1) Let $\Lambda$ be a normal logic containing CPDL.

(i) Show that relative to $\Lambda$, the schema D-N is equivalent to each of the schemata

i.e. $\Lambda$ contains one of these three schemata if, and only if, it contains the others.

(ii) Suppose that $\vdash_\Lambda \neg\langle\pi\rangle\bot$ for all atomic programs $\pi$. Prove that $\vdash_\Lambda \neg\langle\alpha\rangle\bot$ for all programs $\alpha$.

(iii) If $\vdash_\Lambda \neg\langle\alpha\rangle\bot$, then in the canonical model for $\Lambda$, not-$sR_\alpha\emptyset$.

(2) Show that in a standard model, if not-$sR_\pi\emptyset$ for all atomic $\pi$, then not-$sR_\alpha\emptyset$ for all $\alpha$.

To prove the finite model property for the smallest normal logic obtained by adding D-N to CPDL, we modify the closure conditions on $\Gamma$ to require that $\langle\pi\rangle\bot \in \Gamma$ whenever $\pi$ occurs in $\Gamma$. Then in the finite filtration $\mathcal{M}_\Gamma$ it can be shown that not-$|s|\rho_\pi\emptyset$ for all atomic $\pi \in Prog_\Gamma$. To see this, observe that if $|s|\rho_\pi\emptyset$, then since $S_\emptyset = \emptyset = \|\bot\|$, property (D2) of $\rho_\pi$ implies $\langle\pi\rangle\bot \in s$, which is inconsistent with D-N.

By Exercise 10.31(2) above, it then follows that not-$|s|\rho_\alpha\emptyset$ for all $\alpha \in Prog_\Gamma$, and so $\mathcal{M}_\Gamma$ is a D-N-model.

Sequential Atoms

The reachability relation $R_\alpha$ will be called sequential if

$$sR_\alpha T \text{ implies } T = \{t\} \text{ for some } t.$$


The corresponding axiom schema is

$Seq_\alpha$: $[\alpha]\neg A \leftrightarrow \neg\langle\alpha\rangle A$,

from which $\neg\langle\alpha\rangle\bot$ is derivable (10.31(1)(i)).

Lemma 10.32. In the canonical model for a normal logic containing CPDL and $Seq_\alpha$,

$$\langle\alpha\rangle A \in s \text{ iff there exists } t \text{ with } s\overline{R}_\alpha t \text{ and } A \in t.$$

Proof. Recall that $s\overline{R}_\alpha t$ iff $s_\alpha \subseteq t$. Thus if $\langle\alpha\rangle A \in s$, it suffices to show $s_\alpha \cup \{A\}$ is consistent. But if it were not, then $s_\alpha \vdash \neg A$, hence $[\alpha]\neg A \in s$ (10.18(5)), so $\neg\langle\alpha\rangle A \in s$ by $Seq_\alpha$, contrary to the consistency of $s$.

Conversely, if $s_\alpha \subseteq t$ and $A \in t$, then $\neg A \notin t$, so $[\alpha]\neg A \notin s$, whence by $Seq_\alpha$ and maximality of $s$, $\langle\alpha\rangle A \in s$.

By a sequential model we will mean one in which the atomic relations $R_\pi$ are sequential, so that parallelism depends on the presence of the combination connective $\alpha\cap\beta$ on programs. The (normal) logic determined by the class of sequential models is decidable, and is generated by adding the schemata $Seq_\pi$ for all atomic $\pi$ to CPDL. To show this, we modify the definition of $\rho_\pi$ in $\mathcal{M}_\Gamma$, by defining it as the following sequential reachability relation on $S_\Gamma$:

$$x\rho_\pi\{y\} \text{ iff } \exists s \in x\ \exists t \in y\ (s\overline{R}_\pi t).$$

Thus

$$x\rho^+_\pi y \text{ iff } x\overline{\rho_\pi}y \text{ iff } \exists s \in x\ \exists t \in y\ (s_\pi \subseteq t),$$

from which it follows readily that $\rho_\pi$ meets filtration conditions (B1) and (B2) (indeed the point is that $\rho^+_\pi$ is the smallest filtration of $\overline{R}_\pi$ in the sense of binary relation semantics).

To prove (D1) for $\rho_\pi$, let $sR_\pi T$ in the canonical model. Then $T \neq \emptyset$, since $\neg\langle\pi\rangle\bot$ is derivable from $Seq_\pi$. Taking any $t \in T$, we get $s\overline{R}_\pi t$, and so $|s|\rho_\pi\{|t|\} \subseteq |T|$.

For (D2), let $|s|\rho_\pi X$, $S_X \subseteq \|B\|$, and $\langle\pi\rangle B \in \Gamma$. Then there is some $s' \in |s|$ and some $t$ such that $X = \{|t|\}$ and $s'\overline{R}_\pi t$. But then $t \in S_X$, so $B \in t$ and hence by Lemma 10.32, $\langle\pi\rangle B \in s'$. Since $\langle\pi\rangle B \in \Gamma$, we then get $\langle\pi\rangle B \in s$ as desired.

This completes the proof that $\rho_\pi$ is a $\Gamma$-filtration of $R_\pi$ whenever $\pi \in Prog_\Gamma$. Thus $\mathcal{M}_\Gamma$ in this case is a finite sequential model that is a filtration of the canonical model. The rest of the story is as usual.


Further Studies

Dynamic logic is an extensive subject, with much to be learned by varying the class Prog of programs and its properties (cf. Harel [1984] and Kozen and Tiuryn [1989] for extensive surveys). One natural variation is to require atomic programs to be deterministic, so that, in terms of binary relation semantics, $R_\pi$ becomes a partial function and the schema

$$\langle\pi\rangle A \to [\pi]A$$

is valid (the quantificational logic of Part Three will have this property).

Now a logic $\Lambda$ containing this schema will have a canonical model in which $R_\pi$ is a partial function, but that feature will generally be lost in passing to a filtration $\mathcal{M}_\Gamma$. The problem of "unwinding" the atomic relations in $\mathcal{M}_\Gamma$ into functions, while preserving the standard-model conditions and the Filtration Lemma, is not easily solved. A solution is given in Ben-Ari, Halpern, and Pnueli [1982].

For an indication of the origin of dynamic logic, cf. Goldblatt [1986].


Part Three

First-Order Dynamic Logic


11 Assignments, Substitutions, and Quantifiers

In Part Three we study the language that results when the formalism of dynamic logic is added to a first-order language. The atomic programs $\pi$ of PDL are replaced by assignment commands $(v := \sigma)$, where $v$ is an individual variable, and $\sigma$ a term. Such a command has the meaning "set $v$ equal to $\sigma$", i.e. "assign to $v$ the current value of $\sigma$", and is deterministic.

There is an intimate connection between the computational process of assignment to a variable, and the syntactic process of substitution for a variable. If $A^v_\sigma$ is the result of replacing the free occurrences of $v$ in a first-order formula $A$ by $\sigma$, then

$$[v := \sigma]A \leftrightarrow A^v_\sigma$$

is valid. Because of this connection, we are able to use modal formulae of the form $[v := \sigma]A$ in places where the standard theory of first-order logic uses $A^v_\sigma$: it turns out that this is easier than trying to develop a theory of syntactic substitution in formulae that contain modal connectives.

In this context, the notion of state can be given a concrete interpretation. The current state of a computation is determined by saying what values all the variables currently have. Thus a state can be identified with a valuation of the individual variables, the same notion of valuation on which Tarski's definition of satisfaction in a first-order model is founded. Programs can then be interpreted as binary relations between valuations, and first-order dynamic logic becomes an enriched language for defining subsets of the space of valuations of a first-order model.

Defining an equivalence relation

$$s \sim_v t$$

to mean that states $s$ and $t$ differ only in the value they assign to $v$, we see that the Tarskian semantics translates to

$\models_s \exists vA$ iff for some state $t$, $s \sim_v t$ and $\models_t A$;

$\models_s \forall vA$ iff for all states $t$ such that $s \sim_v t$, $\models_t A$.


This makes $\exists v$ and $\forall v$ look like modal connectives, and indeed it is well known that formally they obey the laws of an S5-type $\Diamond$ and $\Box$. In fact we could (but won't) pursue this, and replace $\exists v$ and $\forall v$ altogether by $\langle v := ?\rangle$ and $[v := ?]$, where the command $(v := ?)$ means "assign a random value to $v$" (Pratt [1976]).

Exercise 11.1

Explain informally why the following should be valid when $v$ does not occur in $\sigma$.

$$\langle v := \sigma\rangle A \leftrightarrow \exists v(v = \sigma \wedge A)$$

$$[v := \sigma]A \leftrightarrow \forall v(v = \sigma \to A)$$

Expressibility

The expressive power of first-order dynamic logic is greater than that of first-order logic itself. To see this, consider the following formula in the language of the arithmetic of natural numbers.

$$\forall w\langle v := 0;\ \textbf{while } v \neq w \textbf{ do } v := v + 1\rangle\top$$

This asserts that for all $w$, the displayed program has a terminating execution, i.e. that any $w$ can be obtained by starting at 0 and repeatedly applying the successor operation $\zeta(n) = n + 1$. In other words: any set of numbers that contains 0 and is closed under $\zeta$ must contain everything. But this is a version of the Peano Induction Postulate, a postulate which cannot be expressed in the first-order language of the structure $(\omega, \zeta, 0)$. There is a single formula of dynamic logic which characterises this structure up to isomorphism, and from this it follows by standard arguments that the set of valid dynamic formulae is not effectively enumerable, unlike the first-order case (cf. Goldblatt [1982], §3.6, for details). This in turn means that there can be no adequate proof theory for first-order dynamic logic based on an enumerable set of axioms and an enumerable set of decidable inference rules. To develop a proof theory then, we will have to use infinitary rules of inference. The rule-schema we need is:

if $\vdash A \to [\beta; \alpha^n]B$ for all $n \in \omega$, then $\vdash A \to [\beta; \alpha^*]B$.
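The following added example (it is not code from the book) makes the identification of states with valuations concrete: it evaluates formulae of first-order dynamic logic in the natural model over a finite structure, then checks the termination formula of the Expressibility paragraph, the validity of $[v := \sigma]A \leftrightarrow A^v_\sigma$, and the second equivalence of Exercise 11.1. The tuple encoding of terms, formulae and programs, the names `Z5`, `LOOSE`, `step`, `holds` and `demo`, and the two constructed structures are assumptions of the example; the loop test is read as $v \neq w$.

```python
from itertools import product

VARS = ("v", "w")  # individual variables of this toy language (an assumption)

# Two constructed structures for the alphabet {succ, zero}.
Z5 = {"dom": tuple(range(5)), "succ": {i: (i + 1) % 5 for i in range(5)}, "zero": 0}
LOOSE = {"dom": (0, 1, 2, "a"), "succ": {0: 1, 1: 2, 2: 0, "a": "a"}, "zero": 0}

def term_value(A, s, t):
    """V_s(t): value of term t at state s (a dict from variables to elements)."""
    if t == "zero":
        return A["zero"]
    if isinstance(t, tuple):                  # ("succ", t1)
        return A["succ"][term_value(A, s, t[1])]
    return s[t]                               # an individual variable

def step(A, prog, s):
    """All states t with s R_prog t in the natural model over A."""
    kind = prog[0]
    if kind == "assign":                      # (v := sigma): t = s(v/sigma)
        return [{**s, prog[1]: term_value(A, s, prog[2])}]
    if kind == "test":                        # B?
        return [s] if holds(A, prog[1], s) else []
    if kind == "seq":                         # a; b
        return [u for t in step(A, prog[1], s) for u in step(A, prog[2], t)]
    if kind == "star":                        # a*: reflexive-transitive closure
        seen, todo = [s], [s]
        while todo:
            for u in step(A, prog[1], todo.pop()):
                if u not in seen:
                    seen.append(u)
                    todo.append(u)
        return seen
    if kind == "while":                       # while B do a = (B?; a)*; (not B)?
        _, cond, body = prog
        loop = ("star", ("seq", ("test", cond), body))
        return step(A, ("seq", loop, ("test", ("not", cond))), s)
    raise ValueError(kind)

def holds(A, f, s):
    """Truth of formula f at state s of the natural model over A."""
    kind = f[0]
    if kind == "true":
        return True
    if kind == "eq":
        return term_value(A, s, f[1]) == term_value(A, s, f[2])
    if kind == "not":
        return not holds(A, f[1], s)
    if kind == "imp":
        return (not holds(A, f[1], s)) or holds(A, f[2], s)
    if kind == "box":                         # [a]B
        return all(holds(A, f[2], t) for t in step(A, f[1], s))
    if kind == "dia":                         # <a>B
        return any(holds(A, f[2], t) for t in step(A, f[1], s))
    if kind == "all":                         # forall v B: vary only the value of v
        return all(holds(A, f[2], {**s, f[1]: x}) for x in A["dom"])
    raise ValueError(kind)

def states(A):
    """Every valuation of VARS in A: the state set of the natural model."""
    return [dict(zip(VARS, vals)) for vals in product(A["dom"], repeat=len(VARS))]

def valid(A, f):
    return all(holds(A, f, s) for s in states(A))

def equivalent(A, f, g):
    return all(holds(A, f, s) == holds(A, g, s) for s in states(A))

def subst_term(t, v, sigma):
    if t == v:
        return sigma
    return (t[0], subst_term(t[1], v, sigma)) if isinstance(t, tuple) else t

def subst(f, v, sigma):
    """Syntactic substitution of sigma for v in a quantifier-free formula f."""
    if f[0] == "eq":
        return ("eq", subst_term(f[1], v, sigma), subst_term(f[2], v, sigma))
    if f[0] in ("not", "imp"):
        return (f[0],) + tuple(subst(g, v, sigma) for g in f[1:])
    return f                                  # ("true",)

# forall w <v := 0; while v != w do v := v + 1> true
COUNT_UP = ("seq", ("assign", "v", "zero"),
            ("while", ("not", ("eq", "v", "w")), ("assign", "v", ("succ", "v"))))
REACHABLE = ("all", "w", ("dia", COUNT_UP, ("true",)))

def demo():
    """Truth values of the checks named in the lead-in."""
    A0, sigma = ("eq", ("succ", "v"), "zero"), ("succ", "w")
    box = ("box", ("assign", "v", sigma), A0)
    guarded = ("all", "v", ("imp", ("eq", "v", sigma), A0))
    return {
        "reachable_in_Z5": valid(Z5, REACHABLE),
        "reachable_in_LOOSE": valid(LOOSE, REACHABLE),
        "box_equals_substitution": equivalent(Z5, box, subst(A0, "v", sigma)),
        "box_equals_guarded_forall": equivalent(Z5, box, guarded),
    }

if __name__ == "__main__":
    print(demo())
```

In `LOOSE` the element `"a"` is never produced from `zero` by `succ`, so the termination formula fails there, while it holds in `Z5` where every element is so generated.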

Exercises 11.2

(1) Verify that this rule preserves truth in standard PDL-models.

(2) The Archimedean Property of the real-number field $\mathbb{R}$ asserts that

$$\forall x\,\exists n \in \omega\,(x < n).$$


Express this as a sentence in the dynamic logic of an appropriate first-order structure based on $\mathbb{R}$.

(3) In the first-order dynamic logic of the language of groups, write a formula that expresses the notion of a cyclic group. Do the same for the notion of divisible group.

It would be possible to develop a theory in which $(v := \sigma)$ induces a partial function on states, allowing that evaluation of the term $\sigma$ may fail to terminate. This would require the use of atomic formulae $(\sigma\downarrow)$, expressing "$\sigma$ is defined", which would be true in precisely those states in which $\sigma$ had a value. However for expository and pedagogical purposes, the system discussed in these notes is going to be kept as simple, and as close to standard first-order model theory, as possible. A version of the theory with partially defined terms is worked out in full in Goldblatt [1982], Chapter 3.


L-structures

Let $\mathfrak{A} = (X, I)$ be an $L$-structure in the usual sense, i.e. $I$ is a function with domain $L$ such that:

for each $n$-ary $P \in Rel_L$, $I(P) \subseteq X^n$;

for each $n$-ary $f \in Fun_L$, $I(f) : X^n \to X$;

for each $c \in Con_L$, $I(c) \in X$.

An $\mathfrak{A}$-valuation is a function $V : Var_L \to X$, assigning to each variable $v$ a "value" $V(v)$ in $X$. Such a function extends in a unique way to $Term_L$, assigning a value $V(\sigma) \in X$ to each term $\sigma$. The set of all $\mathfrak{A}$-valuations will be denoted $S^{\mathfrak{A}}$.

If $V$ and $V'$ are $\mathfrak{A}$-valuations, we write

$$V \sim_v V'$$

to mean that $V$ and $V'$ are identical except (possibly) in the value they assign to $v$. The notation $V(v/x)$ denotes that $\mathfrak{A}$-valuation $V'$ such that $V \sim_v V'$ and $V'(v) = x$.

Familiarity is assumed with the definition of the relation

of satisfaction of first-order formula $A$ in $\mathfrak{A}$ by $\mathfrak{A}$-valuation $V$. In particular,

$$\mathfrak{A} \models \forall vA[V] \text{ iff for all } x \in X,\ \mathfrak{A} \models A[V(v/x)].$$

A standard procedure in first-order model-theory is to expand the alphabet $L$ relative to a given $L$-structure $\mathfrak{A} = (X, I)$ by adding a new constant $c_x$ for each $x \in X$. The resulting alphabet will be denoted $L^{\mathfrak{A}}$. The interpretation function $I$ extends to $L^{\mathfrak{A}}$ by putting $I(c_x) = x$. It will be convenient to continue to refer to the resulting $L^{\mathfrak{A}}$-structure as $\mathfrak{A}$.

Note that any $\mathfrak{A}$-valuation $V : Var_L \to X$ will assign a value $V(\sigma) \in X$ to any $L^{\mathfrak{A}}$-term, with, in particular, $V(c_x) = x$.

Models

An $L$-model for dynamic logic is a structure

where

• $\mathfrak{A}$ is an $L$-structure, as above;


• $S$ is a non-empty set (of states);

• $V : S \to S^{\mathfrak{A}}$, i.e. $V$ is a function assigning to each $s \in S$ an $\mathfrak{A}$-valuation $V_s : Var_L \to X$;

• $R$ is a function assigning to each program $\alpha \in Prog_L$ a binary relation $R_\alpha \subseteq S \times S$.

For $s, t \in S$, we write

$$s(v/x)t$$

to mean that $V_t = V_s(v/x)$, i.e. that $V_t(v) = x$ and $V_t(w) = V_s(w)$ whenever $w \neq v$. More generally, we will use the notation

$$s(v/\sigma)t$$

to mean that $s(v/V_s(\sigma))t$, i.e. that $V_s$ and $V_t$ differ only in that $V_t(v) = V_s(\sigma)$.

The definition of the truth-relation

$$\mathcal{M} \models_s A$$

can now be given as follows.

$\mathcal{M} \models_s \varphi$ iff

$\mathcal{M} \models_s A_1 \to A_2$ iff $\mathcal{M} \models_s A_1$ implies $\mathcal{M} \models_s A_2$

$\mathcal{M} \models_s [\alpha]A$ iff for all $t \in S$, $sR_\alpha t$ implies $\mathcal{M} \models_t A$

$\mathcal{M} \models_s \forall vA$ iff for all $x \in X$, if $s(v/x)t$ then $\mathcal{M} \models_t A$

As usual, we write $\mathcal{M} \models A$ if $\mathcal{M} \models_s A$ for all $s \in S$.

Having Enough States

The model $\mathcal{M}$ will be said to have enough states if

for all $v \in Var_L$, $s \in S$, and $x \in X$, there exists $t \in S$ with $s(v/x)t$.

This condition is clearly going to be required if the quantifier $\forall v$ is to get its intended meaning "for all $x \in X$" at each state.

Exercises 12.1

(1) $\mathcal{M} \models \forall v(A \to B) \to (\forall vA \to \forall vB)$.

(2) If $\mathcal{M} \models A$, then $\mathcal{M} \models \forall vA$.

(3) If $\mathcal{M}$ has enough states, and $A$ is first-order:

(i) $\mathcal{M} \models_s A$ iff $\mathfrak{A} \models A[V_s]$;

(ii) $\mathfrak{A} \models A$ implies $\mathcal{M} \models A$;

(iii) If $A$ is a sentence (no free variables), and $\mathcal{M} \models_s A$ for some $s \in S$, then $\mathcal{M} \models A$.


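We now examine the relationship between an $L$-model $\mathcal{M} = (\mathfrak{A}, S, R, V)$ and the associated natural model $\mathcal{M}^{\mathfrak{A}}$. Observe that for each state $s$ in $\mathcal{M}$, the valuation $V_s$ is a state in $\mathcal{M}^{\mathfrak{A}}$, with the value assigned by $V^{\mathfrak{A}}$ to variable $v$ in the $\mathcal{M}^{\mathfrak{A}}$-state $V_s$ being $V_s(v)$, which is the same as the value assigned to $v$ in the $\mathcal{M}$-state $s$. That is:

Exercises 12.2

(1) $s(v/x)t$ in $\mathcal{M}$ iff $V_s(v/x)V_t$ in $\mathcal{M}^{\mathfrak{A}}$.

(2) For any $L$-term $\sigma$,

$$V^{\mathfrak{A}}_{V_s}(\sigma) = V_s(\sigma),$$

so $s(v/\sigma)t$ in $\mathcal{M}$ iff $V_s(v/\sigma)V_t$ in $\mathcal{M}^{\mathfrak{A}}$.

(3) If $A$ is a Boolean $L$-formula,

$$\mathcal{M} \models_s A \text{ iff } \mathcal{M}^{\mathfrak{A}} \models_{V_s} A.$$

(4) If $\mathcal{M}$ has enough states, the result of Exercise 3 holds for all first-order $A$.

p-Morphism Lemma 12.3. If $\mathcal{M}$ is a standard model, with underlying structure $\mathfrak{A}$, then the function $V : S \to S^{\mathfrak{A}}$ is a p-morphism from $\mathcal{M}$ to $\mathcal{M}^{\mathfrak{A}}$.

Proof. What is meant by "p-morphism" here is that for each program $\alpha$:

$sR_\alpha t$ implies $V_sR^{\mathfrak{A}}_\alpha V_t$, and

$V_sR^{\mathfrak{A}}_\alpha u$ implies $\exists t(sR_\alpha t \ \&\ V_t = u)$.

For an assignment $(v := \sigma)$, the standard-model conditions and the definition of $R^{\mathfrak{A}}_{v:=\sigma}$ yield

$$sR_{v:=\sigma}t \text{ implies } V_sR^{\mathfrak{A}}_{v:=\sigma}V_t.$$

For the second condition, suppose $V_sR^{\mathfrak{A}}_{v:=\sigma}u$, with $u \in S^{\mathfrak{A}}$. Since $R_{v:=\sigma}$ is serial, there exists a $t \in S$ with $sR_{v:=\sigma}t$, so that

$$V_t = V_s(v/V_s(\sigma)) = u.$$

Thus the desired result holds when $\alpha$ is an assignment. The inductive cases for structured commands use the fact that both models are standard.

Exercise 12.4

Complete the proof of 12.3.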


Theorem 12.5. If $\mathcal{M}$ is standard, then for any $L$-formula $A$,

(1) $\mathcal{M} \models_s A$ iff $\mathcal{M}^{\mathfrak{A}} \models_{V_s} A$.

(2) $V_s = V_t$ implies ($\mathcal{M} \models_s A$ iff $\mathcal{M} \models_t A$).

(3) If $\mathcal{M}^{\mathfrak{A}} \models A$ then $\mathcal{M} \models A$.

Proof. (2) and (3) are easy consequences of (1). (1) itself is proven by induction on the formation of $A$. The case of Boolean formulae is taken care of by Exercise 12.2(3), while the inductive case $A = [\alpha]B$ is taken care of by the p-Morphism Lemma 12.3 in the same manner as in propositional modal logic.

We treat only the case $A = \forall vB$ in detail, assuming the result for $B$. If $\forall vB$ is false at $s$ in $\mathcal{M}$, then for some $x \in X$ and some $t$ with $s(v/x)t$, $\mathcal{M} \not\models_t B$. Then $V_s(v/x)V_t$ (12.2(1)), and $\mathcal{M}^{\mathfrak{A}} \not\models_{V_t} B$ by hypothesis on $B$, so $\mathcal{M}^{\mathfrak{A}} \not\models_{V_s} \forall vB$.

Conversely, if $\forall vB$ is false at $V_s$ in $\mathcal{M}^{\mathfrak{A}}$, then for some $x \in X$, and some $u \in S^{\mathfrak{A}}$ with $V_s(v/x)u$, $\mathcal{M}^{\mathfrak{A}} \not\models_u B$. But then $V_sR^{\mathfrak{A}}_{v:=c_x}u$, so by the p-Morphism Lemma, $sR_{v:=c_x}t$ for some $t$ with $V_t = u$. Then $\mathcal{M} \not\models_t B$ and $s(v/x)t$, so $\mathcal{M} \not\models_s \forall vB$.

Corollary 12.6. The classes of standard models and natural models determine the same logic.

Quantifier/Assignment Lemma 12.7. In a standard model $\mathcal{M}$,

$$\mathcal{M} \models_s \forall vA \text{ iff for all } x \in X,\ \mathcal{M} \models_s [v := c_x]A.$$

Proof. If $\mathcal{M} \models_s \forall vA$, then $sR_{v:=c_x}t$ implies $s(v/x)t$, so $\mathcal{M} \models_t A$ by the semantic clause for $\forall$. Hence $\mathcal{M} \models_s [v := c_x]A$.

On the other hand, if $\mathcal{M} \not\models_s \forall vA$, then $\mathcal{M} \not\models_t A$ for some $t$ such that $s(v/x)t$ for some $x \in X$. Then $V_t = V_s(v/x)$, so in the natural model $\mathcal{M}^{\mathfrak{A}}$, $V_sR^{\mathfrak{A}}_{v:=c_x}V_t$. By the p-Morphism Lemma, there is an $\mathcal{M}$-state $t'$ with $sR_{v:=c_x}t'$ and $V_{t'} = V_t$. Then by Theorem 12.5(2), $\mathcal{M} \not\models_{t'} A$, so

Axioms

We now list some schemata, relating quantifiers to assignments, that will be used to axiomatise the logic of natural and standard models of a countable language. For this purpose, we denote by $VarA$ the (finite) set of all variables $v$ that have an occurrence in $A$. Likewise, $Var\alpha$ is the set of variables occurring in program $\alpha$.

A1: $\forall v(A \to B) \to (\forall vA \to \forall vB)$

A2: $A \to \forall vA$, for $v \notin VarA$

A3:


Exercise 12.8

Suppose $s(v/\sigma)t$ in an $\mathfrak{A}$-based model $\mathcal{M}$.

(1) Show that $V_s(\tau^v_\sigma) = V_t(\tau)$, for any $L$-term $\tau$.

(2) If $\mathcal{M}$ has enough states, show that for all first-order $A$,

$$\mathcal{M} \models_s A^v_\sigma \text{ iff } \mathcal{M} \models_t A.$$

The intuitive meaning of the remaining axioms is left for the reader to ponder. Formal proofs of the truth of A1-A11 are tedious (although instructive) and will not be repeated here. Full details appear on pp. 130-136 of Goldblatt [1982]. These proofs depend on some technical lemmas establishing that the truth of a formula $A$ is not affected by an assignment to a variable not in $VarA$. These lemmas are given as

Exercises 12.9

(1) Suppose that $v \notin Var(\alpha)$. Then in $\mathcal{M}^{\mathfrak{A}}$, if $s(v/x)t$, then

$$tR^{\mathfrak{A}}_\alpha t' \text{ iff } \exists s'(sR^{\mathfrak{A}}_\alpha s' \ \&\ s'(v/x)t')$$

(prove this by induction on $\alpha$).

(2) Suppose that $A \in Fma_{L^{\mathfrak{A}}}$ and $v \notin VarA$. Then in $\mathcal{M}^{\mathfrak{A}}$, if $s(v/x)t$,

$$\mathcal{M}^{\mathfrak{A}} \models_s A \text{ iff } \mathcal{M}^{\mathfrak{A}} \models_t A.$$

(3) If $v \notin VarA$, then in any standard model $\mathcal{M}$, if $sR_{v:=c_x}t$, then

$$\mathcal{M} \models_s A \text{ iff } \mathcal{M} \models_t A.$$

(4) Use these results to prove that A1-A11 are true in any standard model.


13 Proof Theory

Axioms

The full set $Axm_L$ of axioms for the first-order dynamic logic over an alphabet $L$ comprises:

• all tautologies in $Fma_L$;

• the usual Identity Axioms
$v = v$,
$\sigma = \tau \to (A \to A')$, where $A$ is atomic, and $A'$ results by replacing some occurrences of $\sigma$ by $\tau$ in $A$;

• the schemata Comp, Alt, Mix, and Test as for PDL in §10;

• the schemata A1-A11 from pages 151 and 152 in §12.

Rules

In addition to Detachment, and the Necessitation rule for each modal connective $[\alpha]$, the inference rule schemata we need are

Generalisation: from $A$ deduce $\forall vA$;

Omega-Iteration: from $\{(A \to [\beta; \alpha^n]B) : n \in \omega\}$ deduce $(A \to [\beta; \alpha^*]B)$.

Note that we have left out the PDL-axiom

Ind: $[\alpha^*](A \to [\alpha]A) \to (A \to [\alpha^*]A)$.

Its place has been taken by Omega-Iteration (cf. Exercise 13.1(10) below).

Theorems

Let $\Lambda_L$ be the smallest normal modal logic in $Fma_L$ that contains $Axm_L$ and is closed under Generalisation and Omega-Iteration, i.e.

$A \in \Lambda_L$ implies $\forall vA \in \Lambda_L$;

$\{(A \to [\beta; \alpha^n]B) : n \in \omega\} \subseteq \Lambda_L$ implies $(A \to [\beta; \alpha^*]B) \in \Lambda_L$.

The members of $\Lambda_L$ are the $L$-theorems. If $A \in \Lambda_L$, we write $\vdash_L A$, or just $\vdash A$ if the context is understood. The main result of Part Three is that the theorems are precisely those formulae that are true in all natural models.


Exercises 13.1

The following are $L$-theorems.

(1) $\sigma = \sigma$.

(2) $\sigma = \tau \to \tau = \sigma$.

(3) $\sigma = \tau \to (\tau = \rho \to \sigma = \rho)$.

(4) $[v := \sigma]\neg A \leftrightarrow \neg[v := \sigma]A$.

(5) $[v := \sigma](A \to B) \leftrightarrow ([v := \sigma]A \to [v := \sigma]B)$.

(6) $[v := \sigma]\varphi \leftrightarrow \varphi^v_\sigma$, for any Boolean $\varphi$.

(7) $[\mathrm{skip}; \alpha]A \leftrightarrow [\alpha]A$.

(8) $[\alpha^n]A \leftrightarrow [\alpha]^nA$.

(9) $(A \to [\beta; \alpha^*]B) \to (A \to [\beta; \alpha^n]B)$.

(10) Ind. Hint: show that

$$\vdash B \to [\alpha]B,$$

where $B$ is $A \wedge [\alpha^*](A \to [\alpha]A)$. Use Omega-Iteration to obtain

$$\vdash B \to [\alpha^*]B.$$

Theories and Deducibility

An $L$-theory is a set $\Delta$ of $L$-formulae that contains $\Lambda_L$ and is closed under Detachment and Omega-Iteration (but not necessarily under Generalisation or Necessitation). If $\Gamma \cup \{A\} \subseteq Fma_L$, then $A$ is deducible from $\Gamma$ in $L$, $\Gamma \vdash_L A$, if $A$ belongs to every $L$-theory that contains $\Gamma$. This type of definition appears as a theorem in the finitary proof theory of propositional modal logic (cf. Corollary 2.6), but since we are using an infinitary inference rule, the finitary definition of deducibility is no longer appropriate.

A set $\Gamma$ is $L$-consistent if $\Gamma \nvdash_L \bot$.

Exercises 13.2

(1) If $A \in \Gamma$, then $\Gamma \vdash A$.

(2) If $\vdash A$ then $\Gamma \vdash A$.

(3) If $\Gamma \vdash A$ and $\Gamma \subseteq \Theta$ then $\Theta \vdash A$.

(4) If $\Gamma \vdash A$ and $\Gamma \vdash A \to B$, then $\Gamma \vdash B$.

(5) If $\Gamma \vdash A \to [\beta; \alpha^n]B$ for all $n \in \omega$, then $\Gamma \vdash A \to [\beta; \alpha^*]B$.

(6) $\Gamma$ is consistent iff there is no $A$ with $\Gamma \vdash A$ and $\Gamma \vdash \neg A$.

(7) If $\mathcal{M}$ is a standard model, then $\vdash A$ implies $\mathcal{M} \models A$.


(8) If $\mathcal{M}$ is a standard model, then for any $\mathcal{M}$-state $s$,

$$\{A : \mathcal{M} \models_s A\}$$

is a consistent theory.

(9) If $\Gamma$ is a theory, then:

(i) $\top \in \Gamma$;

(ii) (Deductive Closure) if $\Gamma \vdash A$, then $A \in \Gamma$;

(iii) if $\Gamma \vdash A \to B$ and $A \in \Gamma$, then $B \in \Gamma$;

(iv) $\Gamma$ is consistent iff $\bot \notin \Gamma$ iff $\Gamma \neq Fma$;

(v) $[\alpha^*]A \in \Gamma$ iff $\{[\alpha]^nA : n \in \omega\} \subseteq \Gamma$.

Lemma 13.3. If $\{[v := \sigma](A \to [\beta; \alpha^n]B) : n \in \omega\} \subseteq \Gamma$, and $\Gamma$ is a theory, then

$$[v := \sigma](A \to [\beta; \alpha^*]B) \in \Gamma.$$

Proof. For all $n$, by the axiom K for $[v := \sigma]$, and use of axiom Comp, we get

$$([v := \sigma]A \to [(v := \sigma; \beta); \alpha^n]B) \in \Gamma.$$

By closure of $\Gamma$ under Omega-Iteration, this gives

$$([v := \sigma]A \to [(v := \sigma; \beta); \alpha^*]B) \in \Gamma,$$

and hence by Comp,

$$([v := \sigma]A \to [v := \sigma][\beta; \alpha^*]B) \in \Gamma.$$

Exercise 13.1(5) then gives the desired result.

Deduction Theorem 13.4. $\Gamma \cup \{A\} \vdash B$ iff $\Gamma \vdash A \to B$.

Proof. (Note that for finitary proof theory this was an easy consequence of the definition of deducibility (Exercise 2.2(8)).) Suppose that $\Gamma \cup \{A\} \vdash B$. Let

$$\Delta = \{D : \Gamma \vdash A \to D\}.$$

We want $B \in \Delta$, so by our hypothesis it will suffice to show that $\Delta$ is a theory containing $\Gamma \cup \{A\}$.

Now since $D \to (A \to D)$ is a tautology, it is deducible from $\Gamma$, and this leads to $\Gamma \vdash A \to D$, hence $D \in \Delta$, in case that $D \in \Gamma$ or $\vdash D$. Similarly, using the tautology $A \to A$ we get $A \in \Delta$.

Next, to show that $\Delta$ is closed under Detachment, suppose $D$ and $D \to E$ are in $\Delta$. Then the tautology

$$(A \to D) \to ((A \to (D \to E)) \to (A \to E))$$

leads to $\Gamma \vdash A \to E$, as desired.

Finally, suppose

$$\{(D \to [\beta; \alpha^n]E) : n \in \omega\} \subseteq \Delta.$$

Then for all $n$,

$$\Gamma \vdash A \to (D \to [\beta; \alpha^n]E),$$

and so,

$$\Gamma \vdash A \wedge D \to [\beta; \alpha^n]E.$$

By Omega-Iteration (Exercise 13.2(5)), this gives

$$\Gamma \vdash A \wedge D \to [\beta; \alpha^*]E,$$

and ultimately that

$$(D \to [\beta; \alpha^*]E) \in \Delta.$$

This completes the proof that $\Delta$ is a theory, and hence the proof that $\Gamma \cup \{A\} \vdash B$ implies $\Gamma \vdash A \to B$. The converse is given as an exercise.

Corollary 13.5.

(1) $\{A_1, \ldots, A_n\} \vdash B$ iff $\vdash A_1 \wedge \ldots \wedge A_n \to B$.

(2) $\Gamma \cup \{A\}$ is consistent iff $\Gamma \nvdash \neg A$.

(3) $\Gamma \cup \{\neg A\}$ is consistent iff $\Gamma \nvdash A$.

Proof. Exercise.

Generalisation Lemma 13.6. If the constant $c$ does not occur in $A$ or $B$, and

$$\vdash A \to [v := c]B,$$

then

$$\vdash A \to \forall vB.$$

Proof. In a finitary proof-theory, we would have a finite proof sequence ending in the first formula, and so we would first replace $c$ throughout this sequence by some fresh variable. In the infinitary situation we could also have used proof sequences to define deducibility, but these would be infinite in length. Such an infinite sequence might use up all the variables, so some relettering might be necessary to "free one up" so that it could replace $c$.

As it is, we are using a more abstract inductive definition of deducibility, but here we can still apply the relettering idea in a way that is, if anything, a little simpler to describe. So, pick a variable $w \notin \{v\} \cup VarA \cup VarB$, and let $y \mapsto y'$ be an injective mapping of $Var \cup \{c\}$ into $Var$ that has $c' = w$, and $y' = y$ for $y$ in the finite set $\{v\} \cup VarA \cup VarB$.


Since $Var$ is infinite, such a function exists. For each formula $D$, let $D'$ be the result of replacing each variable $y$ in $D$ by $y'$. Then the injective correspondence $D \mapsto D'$ maps axioms to axioms, and instances of rules (Detachment, Necessitation, Generalisation, Omega-Iteration) to instances of the same rules. Thus the set

$$\{D \in Fma_L : \vdash D'\}$$

must contain $\Lambda_L$, and so in particular contain the theorem

$$A \to [v := c]B,$$

implying that

By the hypothesis on $c$ and the definition of the relettering $y \mapsto y'$, this means that

$$\vdash A \to [v := w]B.$$

Then by the Generalisation rule, axioms A1 and A2, and the fact that $w \notin VarA$, we get

h A

Axiom A4 then provides the desired conclusion.

Exercise 13.7

If $\vdash \forall v(A \to [\beta; \alpha^n]B)$, for all $n$, then $\vdash \forall v(A \to [\beta; \alpha^*]B)$.

Maximal Theories

An $L$-maximal theory is one that is $L$-consistent, and contains one of $A$ and $\neg A$, for each $L$-formula $A$.

Exercises 13.8

If $\Gamma$ is a maximal theory:

(1) ^ ^

(2) exactly one of $A$, $\neg A$ belongs to $\Gamma$;

(3) $(A \to B) \in \Gamma$ iff $A \in \Gamma$ implies $B \in \Gamma$.

Rich Theories

If $\chi \subseteq Con_L$ is a set of $L$-constants, then an $L$-theory $\Gamma$ is $\chi$-rich if it satisfies

if $\forall vB \notin \Gamma$, then for some $c \in \chi$, $[v := c]B \notin \Gamma$.

If this holds, $\chi$ may be called a set of "witnesses" for $\Gamma$ in $L$.


Exercise 13.9

If $\Gamma$ is an $X$-rich theory, then

$\forall v B \in \Gamma$ iff for all $c \in X$, $[v := c]B \in \Gamma$.

Witness Lemma 13.10. If $\Gamma$ is an $X$-rich maximal $L$-theory, then for any $L$-term $\sigma$ there is a witness $c \in X$ with $(\sigma = c) \in \Gamma$.

Proof. Since $\vdash (\sigma = \sigma)$, $\neg(\sigma = \sigma) \notin \Gamma$, and so using Exercise 13.1(6), $[v := \sigma]\neg(\sigma = v) \notin \Gamma$. Axiom A3 then yields $\forall v \neg(\sigma = v) \notin \Gamma$, so by $X$-richness, $\neg(\sigma = c) \notin \Gamma$ for some $c \in X$, with maximality then giving $(\sigma = c) \in \Gamma$.

Adjoining Constants

In order to develop a completeness theorem, we follow the "Henkin method" used in first-order logic, and extend a given alphabet by adding new constants to serve as witnesses for rich theories. So, from now we fix an alphabet $L$, and let $X$ be a denumerable set disjoint from $L$. Form a new alphabet $L^X$ by adding the members of $X$ to the set of constants. First it needs to be checked that this process does not allow any new $L$-formulae to become deducible:

Exercise 13.11

Use a relettering technique, as in the proof of the Generalisation Lemma 13.6, to show that if $A \in \mathit{Fma}_L$, then

$\vdash_L A$ iff $\vdash_{L^X} A$.

Theorem 13.12. Let $L$ be countable. Then if $\nvdash_L A$, there is an $L^X$-theory that is $X$-rich and $L^X$-maximal, and does not contain $A$.

Proof. Since $L$ and $X$ are countable, there is an enumeration

$$A_0, A_1, \ldots, A_n, \ldots$$

of the set $\mathit{Fma}_{L^X}$ of all $L^X$-formulae. Define an increasing sequence

$$\Delta_0 \subseteq \cdots \subseteq \Delta_n \subseteq \cdots$$

of finite sets as follows.

$$\Delta_0 = \{\neg A\}.$$

Assuming inductively that the finite set $\Delta_n$ has been defined, if

$$\Delta_n \vdash_{L^X} A_n,$$


14 Canonical Model and Completeness

Suppose $L$ is a countable alphabet, and $\nvdash_L A$. Adjoining a denumerable set $X$ of constants to $L$, apply Theorem 13.12 to obtain an $X$-rich maximal $L^X$-theory $s_A$, with $A \notin s_A$. We use $s_A$ to define a standard $L^X$-model

$$\mathcal{M}^A = (\mathfrak{A}^A, S^A, R^A, V^A)$$

that falsifies $A$. The definition of $\mathcal{M}^A$ will take some time to develop.

The Diagram

We define the diagram of the structure $\mathfrak{A}^A$ to be the set $\mathit{Diag}^A$ of all atomic $L^X$-sentences, and negations of atomic $L^X$-sentences, that belong to $s_A$. Thus $\mathit{Diag}^A$ consists of all $L^X$-formulae that belong to $s_A$ of the form $P(\sigma_1, \ldots, \sigma_n)$ or $\sigma = \tau$, and the negations of such formulae, where the terms involved contain no variables (only constants and function letters). The members of $\mathit{Diag}^A$ will all be true in the $L^X$-structure $\mathfrak{A}^A$, and give a complete specification of its algebraic relations.

The Structure

The definition of $\mathfrak{A}^A$ is the standard one used, as in the Henkin completeness proof for first-order logic, to build a first-order structure out of a maximal theory.

Define an equivalence relation on $X$ by putting

$c \sim d$ iff $(c = d) \in s_A$

(by Exercises 13.1, this is indeed an equivalence). Let

$$\tilde{c} = \{d : c \sim d\}$$

be the $\sim$-equivalence class of $c$ and

Then put $\mathfrak{A}^A = (X^A, I)$, where the interpretation function $I$ is defined as follows:


• if $P$ is an $n$-ary relation symbol,

$I(P)(\tilde{c}_1, \ldots, \tilde{c}_n)$ iff $P(c_1, \ldots, c_n) \in s_A$;

• if $f$ is an $n$-ary function symbol,

$I(f)(\tilde{c}_1, \ldots, \tilde{c}_n) = \tilde{c}$ iff $(f(c_1, \ldots, c_n) = c) \in s_A$;

• if $d$ is a constant,

$I(d) = \tilde{c}$ iff $(d = c) \in s_A$.

Note that in the last two cases, a suitable witness $c$ always does exist, by the Witness Lemma 13.10. In the case that the constant $d$ belongs to $X$, we have more simply that $I(d) = \tilde{d}$. Hence every member of $\mathfrak{A}^A$ is "named" by a constant from $X$.
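The quotient construction just described can be carried out mechanically on a finite fragment. The following is an added illustration, not part of the book: the sample sentences are constructed, the tuple encoding and the names `build_structure`, `holds` and `apply_fun` are assumptions of the example, and the listed equalities are closed under reflexivity, symmetry and transitivity by the code (a maximal theory already contains that closure).

```python
# Added illustration; the encoding below is an assumption of this example.
# Constructed sample: a finite fragment of the atomic sentences in s_A.
WITNESSES = ["c0", "c1", "c2", "c3"]                 # members of X
EQUALITIES = [("c0", "c1"), ("c2", "c3")]            # (c = d) in s_A
RELATIONS = [("P", ("c0", "c2"))]                    # P(c0, c2) in s_A
FUNCTIONS = [("f", ("c0",), "c2"), ("f", ("c1",), "c3"),
             ("f", ("c2",), "c2")]                   # (f(c) = d) in s_A
CONSTANTS = [("zero", "c3")]                         # (zero = c3) in s_A


def equivalence_classes(witnesses, equalities):
    """Map each witness c to its class under c ~ d iff (c = d) in s_A."""
    parent = {c: c for c in witnesses}

    def find(c):
        while parent[c] != c:
            c = parent[c]
        return c

    for c, d in equalities:
        parent[find(c)] = find(d)        # merge the two classes
    blocks = {}
    for c in witnesses:
        blocks.setdefault(find(c), set()).add(c)
    return {c: frozenset(blocks[find(c)]) for c in witnesses}


def build_structure(witnesses, equalities, relations, functions, constants):
    """Build the universe of classes and the interpretation I."""
    tilde = equivalence_classes(witnesses, equalities)
    interp = {"universe": set(tilde.values()), "rel": {}, "fun": {}, "con": {}}
    for name, args in relations:
        # I(P) holds of a tuple of classes iff P holds of some representatives.
        interp["rel"].setdefault(name, set()).add(tuple(tilde[a] for a in args))
    for name, args, value in functions:
        key = (name, tuple(tilde[a] for a in args))
        # Two sentences about equivalent arguments must agree on the class of
        # the value; otherwise the fragment cannot come from a consistent theory.
        if interp["fun"].setdefault(key, tilde[value]) != tilde[value]:
            raise ValueError(f"I({name}) is not well defined at {args}")
    for d in witnesses:
        interp["con"][d] = tilde[d]      # a witness names its own class
    for d, c in constants:
        interp["con"][d] = tilde[c]      # I(d) is the class of c when (d = c) in s_A
    return interp


def holds(interp, name, args):
    """Truth of the atomic sentence name(args) in the quotient structure."""
    values = tuple(interp["con"][a] for a in args)
    return values in interp["rel"].get(name, set())


def apply_fun(interp, name, args):
    """Value of the term name(args) as a class of witnesses."""
    return interp["fun"][(name, tuple(interp["con"][a] for a in args))]


if __name__ == "__main__":
    m = build_structure(WITNESSES, EQUALITIES, RELATIONS, FUNCTIONS, CONSTANTS)
    print(sorted(sorted(block) for block in m["universe"]))
    print(holds(m, "P", ("c1", "zero")))
```

The sentence `P(c1, zero)` is not listed in the sample, yet it is true in the structure because its arguments name the same classes as `c0` and `c2`.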

The State Set

$S^A$ is defined to be the collection of all sets $s \subseteq \mathit{Fma}_{L^X}$ such that

• $s$ is an $X$-rich maximal $L^X$-theory, and

s.

Exercises 14.1

(1) $s_A \in S^A$.

(2) If $B$ is an atomic $L^X$-sentence, or the negation of such a sentence, then for any $s \in S^A$,

$B \in s$ iff $B \in s_A$.

The Valuations

$V_s^A(v) = \tilde{c}$ iff $(v = c) \in s$.

Observe that for any $s \in S^A$ and any variable $v$, the Witness Lemma 13.10 guarantees that there is a $c \in X$ with $(v = c) \in s$.

Exercises 14.2

(1) For any $L^X$-term $\sigma$, and $s \in S^A$,

$V_s^A(\sigma) = \tilde{c}$ iff $(\sigma = c) \in s$.

(2) For any Boolean $L^X$-formula $\varphi$, and $s \in S^A$,

$\mathfrak{A}^A \models \varphi[V_s^A]$ iff $\varphi \in s$.

In order to model assignments, we need a major preliminary result:


Assignment Lemma 14.3. For any $L^X$-assignment $(v := \sigma)$, if $s \in S^A$ then $s(v := \sigma) \in S^A$, where

$$s(v := \sigma) = \{B \in \mathit{Fma}_{L^X} : [v := \sigma]B \in s\}.$$

Proof. First of all, $s(v := \sigma)$ contains all $L^X$-theorems, for if $\vdash B$ then $\vdash [v := \sigma]B$ by Necessitation, so $[v := \sigma]B \in s$, hence $B \in s(v := \sigma)$.

Closure of $s(v := \sigma)$ under Detachment follows directly from the axiom

$$\mathrm{K}: \quad [v := \sigma](B \to D) \to ([v := \sigma]B \to [v := \sigma]D),$$

and the closure of $s$ under Detachment.

Closure of $s(v := \sigma)$ under Omega-Iteration is the substance of Lemma 13.3 on page 156.

Thus $s(v := \sigma)$ is an $L^X$-theory, and so is deductively closed. Consistency now follows, for if $s(v := \sigma) \vdash \bot$ then $\bot \in s(v := \sigma)$, and so $[v := \sigma]\bot \in s$, contradicting the consistency of $s$, since $\vdash \neg[v := \sigma]\bot$ by axiom A7 (cf. Exercise 13.1(4)). A7 also implies

$$([v := \sigma]B \lor [v := \sigma]\neg B) \in s,$$

so for any formula $B$, one of $B$ and $\neg B$ is in $s(v := \sigma)$. Hence $s(v := \sigma)$ is a maximal theory.

To prove $\mathit{Diag}^A \subseteq s(v := \sigma)$, observe that if $\varphi \in \mathit{Diag}^A$, then by axiom A8 (cf. Exercise 13.1(6)),

But, by definition, $\varphi$ contains no variables, so $\varphi^v_\sigma = \varphi \in s$. Hence $[v := \sigma]\varphi \in s$, giving $\varphi \in s(v := \sigma)$.

It remains to show that $s(v := \sigma)$ is $X$-rich, i.e. that $X$ is a set of witnesses for $s(v := \sigma)$ in $L^X$. This will use all the remainder of our axioms on quantifiers and assignments.

Suppose then that $\forall w B \notin s(v := \sigma)$, i.e. $[v := \sigma]\forall w B \notin s$. We want $[w := c]B \notin s(v := \sigma)$, for some $c \in X$. There are two cases.

Case 1: $w = v$. Then by A5, $\forall w B \notin s$. Since $s$ is $X$-rich, $[w := c]B \notin s$ for some $c \in X$. But the formula

$$[w := \sigma][w := c]B \to [w := c]B$$

is an instance of axiom A9, so gives

$$[w := \sigma][w := c]B \notin s,$$


hence $[w := c]B \notin s(w := \sigma) = s(v := \sigma)$, as desired.

Case 2: $w \neq v$. By the Witness Lemma 13.10, there is a $d \in X$ with $(\sigma = d) \in s$. Applying A11 gives

$$[v := d]\forall w B \notin s.$$

Since $w$ does not occur in $(v := d)$, the "Barcan formula" A6 then yields

$$\forall w [v := d]B \notin s,$$

so for some witness $c \in X$,

$$[w := c][v := d]B \notin s.$$

But as an instance of A10 we have

$$[v := d][w := c]B \to [w := c][v := d]B,$$

so that we can conclude

$$[v := d][w := c]B \notin s.$$

Axiom A11 again then yields

$$[v := \sigma][w := c]B \notin s,$$

whence $[w := c]B \notin s(v := \sigma)$.

Corollary 14.4.

$[v := \sigma]B \in s$ iff $B \in s(v := \sigma)$.

Proof. If $[v := \sigma]B \notin s$, then by A7, $[v := \sigma]\neg B \in s$, so $\neg B \in s(v := \sigma)$.

Modelling Programs

For assignments, we put

$s\,R^A_{v:=\sigma}\,t$ iff $t = s(v := \sigma)$,

while for structured commands, $R^A_\alpha$ is defined inductively by the standard-model condition on $\alpha$. In particular, for Boolean tests,

This completes the definition of the $L^X$-model


Lemma 14.5. $\mathcal{M}^A$ is a standard model.

Proof. The only standard-model conditions not built in to the definition are the ones for assignments. For these, note first that the Assignment Lemma 14.3 ensures that $R^A_{v:=\sigma}$ is serial, i.e. that for all $s \in S^A$ there exists $t \in S^A$ with $s\,R^A_{v:=\sigma}\,t$.

Next, suppose that $s\,R^A_{v:=\sigma}\,t$. We have to show that $s(v/\sigma)t$, i.e. that $V_s^A$ and $V_t^A$ differ only in that $V_t^A(v) = V_s^A(\sigma)$. Let $V_s^A(\sigma) = \tilde{c}$, so that $(\sigma = c) \in s$. Now by A8,

$$\vdash (\sigma = c) \to [v := \sigma](v = c),$$

so $[v := \sigma](v = c) \in s$, whence

$$(v = c) \in s(v := \sigma) = t,$$

and so $V_t^A(v) = \tilde{c} = V_s^A(\sigma)$, as required. But if $w$ is any variable other than $v$, A8 gives

$$\vdash (w = c) \to [v := \sigma](w = c),$$

from which similar reasoning shows that if $V_s^A(w) = \tilde{c}$, then $V_t^A(w) = \tilde{c}$. This completes the proof.

Lemma 14.5 ensures that $\mathcal{M}^A$ has enough states, and so interprets the quantifier $\forall$ correctly. Moreover, from the Quantifier/Assignment Lemma 12.7, it gives

Corollary 14.6.

$\mathcal{M}^A \models_s \forall v B$ iff for all $c \in X$, $\mathcal{M}^A \models_s [v := c]B$.

We are heading towards a Truth Lemma for $\mathcal{M}^A$, and, as a final preliminary, we extract a part of its proof for separate consideration. To this end, a formula $B$ is defined to be correct if for every $s \in S^A$,

$\mathcal{M}^A \models_s B$ iff $B \in s$.

Program Lemma 14.7. Let $\alpha$ be an $L^X$-program. Then for any $L^X$-formula $B$, if $B$ is correct, then $[\alpha]B$ is correct.

Proof. By induction on the formation of $\alpha$. Take first the case that $\alpha$ is an assignment $(v := \sigma)$. If $B$ is correct, then in particular

$\mathcal{M}^A \models_{s(v:=\sigma)} B$ iff $B \in s(v := \sigma)$.


But by definition of $\mathcal{M}^A$,

$\mathcal{M}^A \models_s [v := \sigma]B$ iff $\mathcal{M}^A \models_{s(v:=\sigma)} B$,

while by Corollary 14.4,

$[v := \sigma]B \in s$ iff $B \in s(v := \sigma)$,

and so $[v := \sigma]B$ is correct.

Next the case of a test $\varphi?$. The Boolean formula $\varphi$ is correct (Exercise 14.2(2)), so that if $B$ is correct it follows readily that $(\varphi \to B)$ is correct also. Correctness of $[\varphi?]B$ is then obtained by use of the formula

which is true in the standard model $\mathcal{M}^A$, and a member of every $s \in S^A$, since it is an instance of the axiom schema Test.

Now for the case of a program $\alpha; \beta$, under the inductive assumption that the Lemma holds for $\alpha$ and for $\beta$. Then if $B$ is correct, the hypothesis on $\beta$ makes $[\beta]B$ correct, and so the hypothesis on $\alpha$ applied to $[\beta]B$ makes $[\alpha][\beta]B$ correct, i.e.

i f f [

Correctness of $[\alpha; \beta]B$ then follows by using the instance

$$[\alpha; \beta]B \leftrightarrow [\alpha][\beta]B$$

of axiom Comp, which is true in the standard model $\mathcal{M}^A$.

The case of a program of the form $\alpha \cup \beta$ is similar to that of $\alpha; \beta$, using the axiom Alt, and is left to the reader.

Finally the case of an iterative program $\alpha^*$, assuming the result for $\alpha$. Suppose $B$ is correct. First we show that $[\alpha]^n B$ is correct for all $n \in \omega$. If $n = 0$, this is just the assumption on $B$. Assuming that $[\alpha]^n B$ is correct, the hypothesis on $\alpha$ then gives $[\alpha][\alpha]^n B$, i.e. $[\alpha]^{n+1} B$, correct. Hence, by induction on $n$, we get

$\mathcal{M}^A \models_s [\alpha]^n B$ iff $[\alpha]^n B \in s$,

for all $n$ and $s$. But in the standard model $\mathcal{M}^A$,

$\mathcal{M}^A \models_s [\alpha^*]B$ iff for all $n \in \omega$, $\mathcal{M}^A \models_s [\alpha]^n B$

(Exercise 10.1(1)), while

$[\alpha^*]B \in s$ iff for all $n \in \omega$, $[\alpha]^n B \in s$,

by closure of $s$ under Omega-Iteration etc. (Exercise 13.2(9)(v)). Hence $[\alpha^*]B$ is correct.


Truth Lemma for $\mathcal{M}^A$. Every $L^X$-formula $B$ is correct, i.e. for every $s \in S^A$,

$\mathcal{M}^A \models_s B$ iff $B \in s$.

Proof. That Boolean formulae are correct is Exercise 14.2(2). The truth-functional cases are as usual.

If $B$ is correct, then for any program $\alpha$, correctness of $[\alpha]B$ is given by the Program Lemma 14.7 (which was treated separately because it requires an "inner" induction on $\alpha$).

Finally, consider $\forall v B$, assuming $B$ is correct. We have

$\mathcal{M}^A \models_s \forall v B$ iff for all $c \in X$, $\mathcal{M}^A \models_s [v := c]B$,

by Corollary 14.6, while for each $c \in X$, the Program Lemma gives

$\mathcal{M}^A \models_s [v := c]B$ iff $[v := c]B \in s$.

Since $X$-richness and axiom A3 yield

$\forall v B \in s$ iff for all $c \in X$, $[v := c]B \in s$,

correctness of $\forall v B$ then follows.

Completeness Theorem. If $L$ is countable, then for any $L$-formula $A$, the following are equivalent.

(1) $\vdash_L A$.
(2) $A$ is true in all natural $L$-models.
(3) $A$ is true in all standard $L$-models.

Proof.

(1) implies (2): if $\mathcal{M}$ is natural, $\{A : \mathcal{M} \models A\}$ is a normal modal logic containing all axioms and closed under Generalisation and Omega-Iteration, hence containing

$$\Lambda_L = \{A : \vdash A\}.$$

(2) implies (3): Corollary 12.6 (from Theorem 12.5(3)).

(3) implies (1): if $\nvdash A$, then in the standard model $\mathcal{M}^A$ constructed above, the Truth Lemma gives $A$ false at $s_A$.



CSLI Publications

ReportsThe following titles have been pub-

lished in the CSLI Reports series.These reports may be obtained fromCSLI Publications, Ventura Hall, Stan-ford University, Stanford, CA 94305-4115.

Coordination and How to Distin-guish Categories Ivan Sag, GeraldGazdar, Thomas W asow , and StevenWeisler CSLI-84-3 ($5.50)

Belief and Incompleteness K urtKonolige CSLI-84-4 ($4-50)

Equality, Types, Modules andGenerics for Logic ProgrammingJoseph G oguen and Jose MeseguerCSLI-84-5 ($2.50)

Lessons from Bolzano Johan van Ben-them CSLI-84-6 ($ / .50)

Self-propagating Search: A UnifiedTheory of Memory Pentti KanervaCSLI-84-7 ($9.00)

Reflection and Semantics in LISPBrian CantweU Smith CSLI-84-8($2.50)

The Implementation of Procedu-rally Reflective Languages Jimdes Rivieres and Brian Cantwell SmithCSLI-84-9 ($5.00)

Parameterized Programming JosephGoguen CSLI-84-10 ($5.50)Shifting Situations and Shaken At-

titudes Jon Barwise and John PerryCSLI-84-13 ( 4-50)

Completeness of Many-SortedEquational Logic Joseph Goguenand Jose Meseguer CSLI-84-1S ($2.50)

Moving the Semantic Fulcrum Terry

Winograd CSLI-84-17 ($/ .50)On the Mathematical Properties of

Linguistic Theories C. RaymondPerrault CSLI-84-18 ($5.00)

A Simple and Efficient Implementa-tion of Higher-order Functions inLISP Michael P. Georgeff and StephenF.Bodnar CSLI-84-19 ($^.50)

On the Axiomatization of if-then-else Irene Guessarian and JoseMeseguer CSLI-85-20 ($5.00)

The Situation in Logic-II: Condi-tionals and Conditional Informa-tion Jon Barwise CSLI-84-21 ($5.00)

Principles of OBJ2 Kokichi Futatsugi,Joseph A . Goguen, Jean-Pierre Jouan-naud, and Jose Meseguer CSLI-85-22($2.00)

Querying Logical Databases MosheVardi CSLI-85-23 ($/ .50)

Computationally Relevant Prop-erties of Natural Languages andTheir Grammar Gerald Gazdar andGeoff Pullum CSLI-85-24 ($5.50)

An Internal Semantics for ModalLogic: Preliminary Report RonaldFagin and Moshe Vardi CSLI-85-25($2.00)

The Situation in Logic-Ill: Situ-

ations, Sets and the Axiom ofFoundation Jon Barwise CSLI-85-26($2.50)

Semantic Automata Johan van Ben-them CSLI-85-27 ($2.50)

Restrictive and Non-RestrictiveModification Peter Sells CSLI-85-28($5.00)

Institutions: Abstract ModelTheory for Computer ScienceJ. A . Goguen and R. M. BurstallCSLI-85-30 ( 4.50)

A Formal Theory of Knowledge andAction Robert C. Moore CSLI-85-31($5.50)

Finite State Morphology: A Reviewof Koskenniemi (1983) Gerald Gaz-dar CSLI-85-32 ( 1.50)

The Role of Logic in Artificial Intel-

ligence Robert C. Moore CSLI-85-33($2.00)Applicability of Indexed Grammars

to Natural Languages Gerald Gaz-dar CSLI-85-34 ($2 .00)

Commonsense Summer: FinalReport Jerry R. Hobbs, et alCSLI-85-35 ( 12.00)

8/10/2019 Modal Logic - Derivative

http://slidepdf.com/reader/full/modal-logic-derivative 192/200

Limits of Correctness in Computers Brian Cantwell Smith CSLI-85-36 ($2.50)

The Coherence of Incoherent Discourse Jerry R. Hobbs and Michael H. Agar CSLI-85-38 ($2.50)

A Complete, Type-free Second-order Logic and Its Philosophical Foundations Christopher Menzel CSLI-86-40 ($4.50)

Possible-world Semantics for Autoepistemic Logic Robert C. Moore CSLI-85-41 ($2.00)

Deduction with Many-Sorted Rewrite Jose Meseguer and Joseph A. Goguen CSLI-85-42 ($1.50)

On Some Formal Properties of Metarules Hans Uszkoreit and Stanley Peters CSLI-85-43 ($1.50)

Language, Mind, and Information John Perry CSLI-85-44 ($2.00)

Constraints on Order Hans Uszkoreit CSLI-86-46 ($5.00)

Linear Precedence in Discontinuous Constituents: Complex Fronting in German Hans Uszkoreit CSLI-86-47 ($2.50)

A Compilation of Papers on Unification-Based Grammar Formalisms, Parts I and II Stuart M. Shieber, Fernando C.N. Pereira, Lauri Karttunen, and Martin Kay CSLI-86-48 ($10.00)

Noun-Phrase Interpretation Mats Rooth CSLI-86-51 ($2.00)

Noun Phrases, Generalized Quantifiers and Anaphora Jon Barwise CSLI-86-52 ($2.50)

Circumstantial Attitudes and Benevolent Cognition John Perry CSLI-86-53 ($1.50)

A Study in the Foundations of Programming Methodology: Specifications, Institutions, Charters and Parchments Joseph A. Goguen and R. M. Burstall CSLI-86-54 ($2.50)

Intentionality, Information, and Matter Ivan Blair CSLI-86-56 ($5.00)

Computer Aids for Comparative Dictionaries Mark Johnson CSLI-86-58 ($2.00)

A Sheaf-Theoretic Model of Concurrency Luis F. Monteiro and Fernando C. N. Pereira CSLI-86-62 ($5.00)

Tarski on Truth and Logical Consequence John Etchemendy CSLI-86-64 ($5.50)

Categorial Unification Grammars Hans Uszkoreit CSLI-86-66 ($2.50)

Generalized Quantifiers and Plurals Godehard Link CSLI-86-67 ($2.00)

Radical Lexicalism Lauri Karttunen CSLI-86-68 ($2.50)

What is Intention? Michael B. Bratman CSLI-86-69 ($2.00)

The Correspondence Continuum Brian Cantwell Smith CSLI-87-71 ($4.00)

The Role of Propositional Objects of Belief in Action David J. Israel CSLI-87-72 ($2.50)

Two Replies Jon Barwise CSLI-87-74 ($5.00)

Semantics of Clocks Brian Cantwell Smith CSLI-87-75 ($2.50)

The Parts of Perception Alexander Pentland CSLI-87-77 ($4.00)

The Situated Processing of Situated Language Susan Stucky CSLI-87-80 ($/.50)

Muir: A Tool for Language Design Terry Winograd CSLI-87-81 ($2.50)

Final Algebras, Cosemicomputable Algebras, and Degrees of Unsolvability Lawrence S. Moss, Jose Meseguer, and Joseph A. Goguen CSLI-87-82 ($5.00)

The Synthesis of Digital Machines with Provable Epistemic Properties Stanley J. Rosenschein and Leslie Pack Kaelbling CSLI-87-83 ($5.50)

An Architecture for Intelligent Reactive Systems Leslie Pack Kaelbling CSLI-87-85 ($2.00)

Modular Algebraic Specification of Some Basic Geometrical Constructions Joseph A. Goguen CSLI-87-87 ($2.50)

Persistence, Intention and Commitment Phil Cohen and Hector Levesque CSLI-87-88 ($5.50)

Rational Interaction as the Basis for Communication Phil Cohen and Hector Levesque CSLI-87-89 ($4.00)

Models and Equality for Logical Programming Joseph A. Goguen and Jose Meseguer CSLI-87-91 ($5.00)

Order-Sorted Algebra Solves the Constructor-Selector, Multiple Representation and Coercion Problems Joseph A. Goguen and Jose Meseguer CSLI-87-92 ($2.00)

Extensions and Foundations for Object-Oriented Programming Joseph A. Goguen and Jose Meseguer CSLI-87-93 ($5.50)

13 Reference Manual: Version 2.19 William Poser CSLI-87-94 ($2.50)

Change, Process and Events Carol E. Cleland CSLI-88-95 ($4.00)

One, None, a Hundred Thousand Specification Languages Joseph A. Goguen CSLI-87-96 ($2.00)

Constituent Coordination in HPSG Derek Proudian and David Goddeau CSLI-87-97 ($1.50)

A Language/Action Perspective on the Design of Cooperative Work Terry Winograd CSLI-87-98 ($2.50)

Implicature and Definite Reference Jerry R. Hobbs CSLI-87-99 ($/.50)

Situation Semantics and Semantic Interpretation in Constraint-based Grammars Per-Kristian Halvorsen CSLI-87-101 ($ / .50)

Category Structures Gerald Gazdar, Geoffrey K. Pullum, Robert Carpenter, Ewan Klein, Thomas E. Hukari, Robert D. Levine CSLI-87-102 ($5.00)

Cognitive Theories of Emotion Ronald Alan Nash CSLI-87-103 ($2.50)

Toward an Architecture for Resource-bounded Agents Martha E. Pollack, David J. Israel, and Michael E. Bratman CSLI-87-104 ($2.00)

On the Relation Between Default and Autoepistemic Logic Kurt Konolige CSLI-87-105 ($5.00)

Three Responses to Situation Theory Terry Winograd CSLI-87-106 ($2.50)

Subjects and Complements in HPSG Robert Borsley CSLI-87-107 ($2.50)

Tools for Morphological Analysis Mary Dalrymple, Ronald M. Kaplan, Lauri Karttunen, Kimmo Koskenniemi, Sami Shaio, Michael Wescoat CSLI-87-108 ($ /0 .00)

Fourth Year Report of the Situated Language Research Program CSLI-87-111 (free)

Events and "Logical Form" Stephen Neale CSLI-88-113 ($2.00)

Backwards Anaphora and Discourse Structure: Some Considerations Peter Sells CSLI-87-114 ($2.50)

Toward a Linking Theory of Relation Changing Rules in LFG Lori Levin CSLI-87-115 ($^.00)

Fuzzy Logic L. A. Zadeh CSLI-88-116 ($2.50)

Dispositional Logic and Commonsense Reasoning L. A. Zadeh CSLI-88-117 ($2.00)

Intention and Personal Policies Michael Bratman CSLI-88-118 ($2.00)

Unification and Agreement Michael Barlow CSLI-88-120 ($2.50)

Extended Categorial Grammar Suson Yoo and Kiyong Lee CSLI-88-121 ($ .00)

Unaccusative Verbs in Dutch and the Syntax-Semantics Interface Annie Zaenen CSLI-88-123 ($5.00)

Types and Tokens in Linguistics Sylvain Bromberger CSLI-88-125 ($5.00)

Practical Reasoning and Acceptance in a Context Michael E. Bratman CSLI-91-158 ($3.50)

Planning and the Stability of Intention Michael E. Bratman CSLI-91-159 ($£.50)

Logic and the Flow of Information Johan van Benthem CSLI-91-160 ($5.00)

Learning HCI Design: Mentoring Project Groups in a Course on Human-Computer Interaction Brad Hartfield, Terry Winograd, and John Bennett CSLI-91-161 ($5.50)

How to Read Winograd's & Flores's Understanding Computers and Cognition Hugh McGuire CSLI-92-162 ($6.00)

In Support of a Semantic Account of Resultatives Adele E. Goldberg CSLI-92-163 ($)

Augmenting Informativeness and Learnability of Items in Large Computer Networks Clarisse S. de Souza CSLI-92-164 ($)

Terry Winograd CSLI-92-165 ($)

A Semiotic Approach to User Interface Language Design Clarisse S. de Souza CSLI-92-166 ($)

Lecture Notes

The titles in this series are distributed by the University of Chicago Press and may be purchased in academic or university bookstores or ordered directly from the distributor: Order Department, 11030 S. Langely Avenue, Chicago, Illinois 60628.

A Manual of Intensional Logic. Johan van Benthem, second edition, revised and expanded. Lecture Notes No. 1. ISBN 0-937073-29-6 (paper), 0-937073-30-X (cloth)

Emotion and Focus. Helen Fay Nissenbaum. Lecture Notes No. 2. ISBN 0-937073-20-2 (paper)

Lectures on Contemporary Syntactic Theories. Peter Sells. Lecture Notes No. 3. ISBN 0-937073-14-8 (paper), 0-937073-13-X (cloth)

An Introduction to Unification-Based Approaches to Grammar. Stuart M. Shieber. Lecture Notes No. 4. ISBN 0-937073-00-8 (paper), 0-937073-01-6 (cloth)

The Semantics of Destructive Lisp. Ian A. Mason. Lecture Notes No. 5. ISBN 0-937073-06-7 (paper), 0-937073-05-9 (cloth)

An Essay on Facts. Ken Olson. Lecture Notes No. 6. ISBN 0-937073-08-3 (paper), 0-937073-05-9 (cloth)

Logics of Time and Computation. Robert Goldblatt, second edition, revised and expanded. Lecture Notes No. 7. ISBN 0-937073-94-6 (paper), 0-937073-93-8 (cloth)

Word Order and Constituent Structure in German. Hans Uszkoreit. Lecture Notes No. 8. ISBN 0-937073-10-5 (paper), 0-937073-09-1 (cloth)

Color and Color Perception: A Study in Anthropocentric Realism. David Russel Hilbert. Lecture Notes No. 9. ISBN 0-937073-16-4 (paper), 0-937073-15-6 (cloth)

Prolog and Natural-Language Analysis. Fernando C. N. Pereira and Stuart M. Shieber. Lecture Notes No. 10. ISBN 0-937073-18-0 (paper), 0-937073-17-2 (cloth)

Working Papers in Grammatical Theory and Discourse Structure: Interactions of Morphology, Syntax, and Discourse. M. Iida, S. Wechsler, and D. Zec (Eds.) with an Introduction by Joan Bresnan. Lecture Notes No. 11. ISBN 0-937073-04-0 (paper), 0-937073-25-3 (cloth)

Natural Language Processing in the 1980s: A Bibliography. Gerald Gazdar, Alex Franz, Karen Osborne, and Roger Evans. Lecture Notes No. 12. ISBN 0-937073-28-8 (paper), 0-937073-26-1 (cloth)

Information-Based Syntax and Semantics. Carl Pollard and Ivan Sag. Lecture Notes No. 13. ISBN 0-937073-24-5 (paper), 0-937073-23-7 (cloth)

Non-Well-Founded Sets. Peter Aczel. Lecture Notes No. 14. ISBN 0-937073-22-9 (paper), 0-937073-21-0 (cloth)

Partiality, Truth and Persistence. Tore Langholm. Lecture Notes No. 15. ISBN 0-937073-34-2 (paper), 0-937073-35-0 (cloth)

Attribute-Value Logic and the Theory of Grammar. Mark Johnson. Lecture Notes No. 16. ISBN 0-937073-36-9 (paper), 0-937073-37-7 (cloth)

The Situation in Logic. Jon Barwise. Lecture Notes No. 17. ISBN 0-937073-32-6 (paper), 0-937073-33-4 (cloth)

The Linguistics of Punctuation. Geoff Nunberg. Lecture Notes No. 18. ISBN 0-937073-46-6 (paper), 0-937073-47-4 (cloth)

Anaphora and Quantification in Situation Semantics. Jean Mark Gawron and Stanley Peters. Lecture Notes No. 19. ISBN 0-937073-48-4 (paper), 0-937073-49-0 (cloth)

Propositional Attitudes: The Role of Content in Logic, Language, and Mind. C. Anthony Anderson and Joseph Owens. Lecture Notes No. 20. ISBN 0-937073-50-4 (paper), 0-937073-51-2 (cloth)

Literature and Cognition. Jerry R. Hobbs. Lecture Notes No. 21. ISBN 0-937073-52-0 (paper), 0-937073-53-9 (cloth)

Situation Theory and Its Applications, Vol. I. Robin Cooper, Kuniaki Mukai, and John Perry (Eds.). Lecture Notes No. 22. ISBN 0-937073-54-7 (paper), 0-937073-55-5 (cloth)

The Language of First-Order Logic (including the Macintosh program, Tarski's World). Jon Barwise and John Etchemendy, second edition, revised and expanded. Lecture Notes No. 23. ISBN 0-937073-74-1 (paper)

Lexical Matters. Ivan A. Sag and Anna Szabolcsi, editors. Lecture Notes No. 24. ISBN 0-937073-66-0 (paper), 0-937073-65-2 (cloth)

Tarski's World. Jon Barwise and John Etchemendy. Lecture Notes No. 25. ISBN 0-937073-67-9 (paper)

Situation Theory and Its Applications, Vol. &. Jon Barwise, J. Mark Gawron, Gordon Plotkin, Syun Tutiya, editors. Lecture Notes No. 26. ISBN 0-937073-70-9 (paper), 0-937073-71-7 (cloth)

Literate Programming. Donald E. Knuth. Lecture Notes No. 27. ISBN 0-937073-80-6 (paper), 0-937073-81-4 (cloth)

Normalization, Cut-Elimination and the Theory of Proofs. A. M. Ungar. Lecture Notes No. 28. ISBN 0-937073-82-2 (paper), 0-937073-83-0 (cloth)

Lectures on Linear Logic. A. S. Troelstra. Lecture Notes No. 29. ISBN 0-937073-77-6 (paper), 0-937073-78-4 (cloth)

A Short Introduction to Modal Logic. Grigori Mints. Lecture Notes No. 30. ISBN 0-937073-75-X (paper), 0-937073-76-8 (cloth)

Other CSLI Titles Distributed by UCP

Agreement in Natural Language: Approaches, Theories, Descriptions. Michael Barlow and Charles A. Ferguson (Eds.). ISBN 0-937073-02-4 (cloth)

Papers from the Second International Workshop on Japanese Syntax. William J. Poser (Ed.). ISBN 0-937073-38-5 (paper), 0-937073-39-3 (cloth)

The Proceedings of the Seventh West Coast Conference on Formal Linguistics (WCCFL 7). ISBN 0-937073-40-7 (paper)

The Proceedings of the Eighth West Coast Conference on Formal Linguistics (WCCFL 8). ISBN 0-937073-45-8 (paper)

The Phonology-Syntax Connection. Sharon Inkelas and Draga Zec (Eds.) (co-published with The University of Chicago Press). ISBN 0-226-38100-5 (paper), 0-226-38101-3 (cloth)

The Proceedings of the Ninth West Coast Conference on Formal Linguistics (WCCFL 9). ISBN 0-937073-64-4 (paper)

Japanese/Korean Linguistics. Hajime Hoji (Ed.). ISBN 0-937073-57-1 (paper), 0-937073-56-3 (cloth)

Experiencer Subjects in South Asian Languages. Manindra K. Verma and K. P. Mohanan (Eds.). ISBN 0-937073-60-1 (paper), 0-937073-61-X (cloth)

Grammatical Relations: A Cross-Theoretical Perspective. Katarzyna Dziwirek, Patrick Farrell, Errapel Mejias Bikandi (Eds.). ISBN 0-937073-63-6 (paper), 0-937073-62-8 (cloth)

The Proceedings of the Tenth West Coast Conference on Formal Linguistics (WCCFL 10). ISBN 0-937073-79-2 (paper)

Books Distributed by CSLI

The Proceedings of the Third West Coast Conference on Formal Linguistics (WCCFL 3). ($10.95) ISBN 0-937073-45-8 (paper)

The Proceedings of the Fourth West Coast Conference on Formal Linguistics (WCCFL 4). ($11.95) ISBN 0-937073-45-8 (paper)

The Proceedings of the Fifth West Coast Conference on Formal Linguistics (WCCFL 5). ($10.95) ISBN 0-937073-45-8 (paper)

The Proceedings of the Sixth West Coast Conference on Formal Linguistics (WCCFL 6). ($1S.9S) ISBN 0-937073-45-8 (paper)

Hausar Yau Da Kullum: Intermediate and Advanced Lessons in Hausa Language and Culture. William R. Leben, Ahmadu Bello Zaria, Shekarau B. Maikafi, and Lawan Danladi Yalwa. ($19.95) ISBN 0-937073-68-7 (paper)

Hausar Yau Da Kullum Workbook. William R. Leben, Ahmadu Bello Zaria, Shekarau B. Maikafi, and Lawan Danladi Yalwa. ($7.50) ISBN 0-93703-69-5 (paper)

Ordering Titles Distributed by CSLI

Titles distributed by CSLI may be ordered directly from CSLI Publications, Ventura Hall, Stanford University, Stanford, California 94305-4115 or by phone (415)723-1712 or (415)723-1839. Orders can also be placed by e-mail ([email protected]) or FAX (415)723-0758.

All orders must be prepaid by check, VISA, or MasterCard (include card name, number, expiration date). For shipping and handling add $2.50 for first book and $0.75 for each additional book; $1.75 for the first report and $0.25 for each additional report. California residents add 7% sales tax.

For overseas shipping, add $4.50 for first book and $2.25 for each additional book; $2.25 for first report and $0.75 for each additional report. All payments must be made in US currency.
