Why Is Modal Logic So Robustly Decidable? - DocsLib

sign in sign up

<<

Home , Decidability (logic)

Why Is Mo dal Logic

So Robustly Decidable

Moshe Y Vardi

Department of Computer Science

Rice University

Houston TX

Email vardicsriceedu

URL httpwwwcsriceedu vardi

Introduction

Modal logic the logic of necessity and p ossibility of must b e and may b e was dis

cussed by several authors in ancient times notably by Aristotle in De Interpretatione

and Prior Analytics as well as by medieval logicians Like most work b efore the mo dern

p erio d it was nonsymbolic and not particularly systematic in approach The rst sym

b olic and systematic approach to the sub ject app ears to b e the work of Lewis b eginning

in and culminating in the b o ok Symbolic Logic with Langford LL Prop osi

tional mo dal logic is obtained from prop ositional logic by adding a mo dal connective

2 ie if is a formula then 2 is also a formula Intuitively 2 asserts that

is necessarily true Dually 2 abbreviated as 3 asserts that is possibly true

Mo dal logic has many applications due to the fact that the notions of necessity and

p ossibility can b e given many concrete interpretations For example necessarily can

mean according to the laws of physics or according to my knowledge or even after

the program terminates In the last years mo dal logic has b een applied to numerous

areas of computer science including articial intelligence BLMS MH program ver

ication CES Pra Pnu hardware verication Bo c RS database theory

CCF Lip and distributed computing BAN HM

The standard semantics for mo dal logic is based on the p ossibleworlds approach

originally prop osed by Carnap Car Car Possibleworlds semantics was further

developed indep endently by several researchers including Bay Hin Hin Kan

The research rep orted here was conducted while the author was visiting DIMACS and Bell Lab ora

tories as part of the DIMACS Sp ecial Year on Logic and Algorithm

Kri Mer Mon Pri reaching its current form with Kripke Kri which ex

plains why the mathematical structures that capture the p ossibleworlds approach are

called Kripke structures The intuitive idea b ehind the p ossibleworlds mo del is that

b esides the true state of aairs there are a number of other p ossible states of aairs or

worlds Necessity then means truth in all p ossible worlds For example an agent may

b e walking on the streets in San Francisco on a sunny day but may have no information

at all ab out the weather in London Thus in all the worlds that the agent considers

p ossible it is sunny in San Francisco On the other hand since the agent has no infor

mation ab out the weather in London there are worlds he considers p ossible in which it

is sunny in London and others in which it is raining in London Thus this agent knows

that it is sunny in San Francisco but he do es not know whether it is sunny in London

Intuitively if an agent considers fewer worlds p ossible then he has less uncertainty and

more knowledge If the agent acquires additional informationsuch as hearing from a

reliable source that it is currently sunny in Londonthen he would no longer consider

p ossible any of the worlds in which it is raining in London

There are two main computational problems asso ciated with mo dal logic The rst

problem is checking if a given formula is true in a given state of a given Kripke structure

This problem is known as the modelchecking problem The second problem is checking

if a given formula is true in all states of all Kripke structures This problem is known

as the validity problem Both problems are decidable The mo delchecking problem

can b e solved in linear time while the validity problem is PSPACEcomplete This is

rather surprising when one considers the fact that mo dal logic in spite of its apparent

prop ositional syntax is essentially a rstorder logic since the necessity and p ossibility

mo dalities quantify over the set of p ossible worlds and mo del checking and validity for

rstorder logic are computationally hard problems Furthermore the undecidability

of rstorder logic is very robust Only very restricted fragments of rstorder logic

are decidable and these fragments are typically dened in terms of b ounded quantier

alternation DG Lew The ability however to have arbitrary nesting of mo dalities

in mo dal logic means that it do es not corresp ond to a fragment of rstorder logic with

b ounded quantier alternation Why then is mo dal logic so robustly decidable

To answer this question we have to take a close lo ok at mo dal logic as a fragment of

rstorder logic A careful examination reveals that prop ositional mo dal logic can in fact

b e viewed as a fragment of variable rstorder logic Gab Ben This fragment

2

denoted FO is obtained by restricting the formulas to refer to only two individual

variables It turns out that this fragment is computationally much more tractable than

full rstorder logic which provides some explanation for the tractability of mo dal logic

Up on a deep examination however we discover that this explanation is not to o

satisfactory The tractability of mo dal logic is quite robust and survives for example

under various epistemic assumptions which cannot b e explained by the relationship to

2

FO To deep en the puzzle we consider an extension of mo dal logic called computation

tree logic or CTL CE This logic is also quite tractable even though it is not even

a rstorder logic We show that it can b e viewed as a fragment of variable xp oint

2

logic denoted FP but the latter do es not enjoy the nice computational prop erties of

2

FO We conclude by showing that the decidability of CTL can b e explained by the

2

socalled treemodel property which is enjoyed by CTL but not by FP We show how

the treemo del prop erty leads to automatabased decision pro cedures

Mo dal Logic

We wish to reason ab out worlds that can b e describ ed in terms of a nonempty nite set

of propositional constants typically lab eled p p q q These prop ositional constants

stand for basic facts ab out the world such as it is sunny in San Francisco or Alice

has mud on her forehead We can now describ e the set of mo dal formulas We start

with the prop ositional constants in and form more complicated formulas by closing o

under negation conjunction and the mo dal connective 2 Thus if and are formulas

then so are and 2 For the sake of readability we omit the parentheses in

formulas such as whenever it do es not lead to confusion We also use standard

abbreviations from prop ositional logic such as for and for

We take true to b e an abbreviation for some xed prop ositional tautology such

as p p and take false to b e an abbreviation for true Also we view p ossibility as the

dual of necessity and use 3 to abbreviate 2 Intuitively is p ossible if is not

necessary We can express quite complicated statements in a straightforward way using

this language For example the formula 232p says that it is necessarily the case that

p ossibly p is necessarily true

Now that we have describ ed the syntax of our language that is the set of wellformed

formulas we need semantics that is a formal mo del that we can use to determine

whether a given formula is true or false We formalize the semantics in terms of Kripke

structures A Kripke structure M is a tuple S R where S is a set of states or

S

possible worlds is an interpretation that asso ciates with each prop ositional

constant in a set of states in S and R is a binary relation on S that is a set of pairs

of elements of S

The interpretation p tells us at which state a prop ositional constant p is true the

intuition is that p is the set of states in which p holds Thus if p denotes the fact it

is raining in San Francisco then s p captures the situation in which it is raining

in San Francisco in the state s of the structure M The binary relation R is intended to

capture the p ossibility relation s t R if the state t is p ossible given the information

in the state s We think of R as a possibility relation since it denes what states are

considered p ossible in any given state

We now dene what it means for a formula to b e true at a given state in a structure

Note that truth dep ends on the state as well as the structure It is quite p ossible that

a formula is true in one state and false in another For example in one state an agent

may know it is sunny in San Francisco while in another he may not To capture this we

dene the notion M s j which can b e read as is true at M s or holds at

M s or M s satises We dene the j relation by induction on the structure

of

The interpretation gives us the information we need to deal with the base case

where is a prop ositional constant

M s j p for a prop ositional constant p if s p

For conjunctions and negations we follow the standard treatment from prop ositional

logic a conjunction is true exactly if b oth of the conjuncts and are true

while a negated formula is true exactly if is not true

M s j if M s j and M s j

M s j if M s j

Finally we have to deal with formulas of the form 2 Here we try to capture the

intuition that is necessarily true in state s of structure M exactly if is true at all

states that are p ossible in s Formally we have

M s j 2 if M t j for all t such that s t R

Note that the semantics of 3 follows from the semantics of 2 and

M s j 3 if M t j for some t such that s t R

One of the advantages of a Kripke structure is that it can b e viewed as a lab eled

graph that is a set of lab eled no des connected by directed edges The no des are the

states of S the lab el of state s S describ es which prop ositional constants are true and

false at s The edges are the pairs in R an edge from s to t says that t is p ossible at s

These denitions are p erhaps b est illustrated by a simple example

Supp ose fp q g so that our language has two prop ositional constants p and q

Further supp ose that M S R where S fu v w g p is true precisely at the states

u and w q is true precisely at the state u and b oth v and w are p ossible precisely at u

and v This situation can b e captured by the graph in Figure

Note that we have M v j q and M w j q as q holds only in the state u It

follows that M v j 2q since q holds in all states p ossible at v Also M w j 2q

since no state is p ossible at w It follows that M u j 22q since 2q holds in all

states p ossible at u

How hard it is to check if a given formula is true in a given state of a given Kripke

structure This problem is known as the modelchecking problem There is no general

pro cedure for doing mo del checking in an innite Kripke structure Indeed it is clearly

not p ossible to represent arbitrary innite structures eectively On the other hand in

nite Kripke structures mo del checking is relatively straightforward Given a formula

dene jj the length of as the number of symbols in Given a nite Kripke structure

M S R dene jjM jj the size of M to b e the sum of the number of states in S

and the number of pairs in R

p q p q

u v

w

q p

Figure The Kripke structure M

Prop osition CE There is an algorithm that given a nite Kripke structure

M a state s of M and a modal formula determines whether M s j in time

O jjM jj jj

Pro of Let b e the subformulas of listed in order of length with ties broken

1 m

arbitrarily Thus we have and if is a subformula of then i j There

m i j

are at most jj subformulas of so we must have m jj An easy induction on k

shows that we can lab el each state s in M with or for j k dep ending

j j

on whether or not is true at s in time O k jjM jj The only nontrivial case is if

j k +1

is of the form 2 where j k We lab el a state s with 2 i each state t such

j j

that s t R is lab eled with Assuming inductively that each state has already b een

j

lab eled with or this step can clearly b e carried out in time O jjM jj as desired

j j

Thus over nite structures mo del checking is quite easy algorithmically

We say that a formula is satisable in a Kripke structure M if M u j for some

state u of M We say that is satisable if it is satisable in some Kripke structure We

say that a formula is valid in a Kripke structure M denoted M j if M u j for

all states u of M We say that is valid if it is valid in all Kripke structures It is easy

to see that is valid i is unsatisable The set of valid formulas can b e viewed as a

characterization of the logical prop erties of necessity and p ossibility At this p oint we

are considering validity over al l Kripke structure b oth nite and innite We will come

back to this p oint later

We describ e two approaches to this characterization The rst approach is proof

theoretic we show that all the prop erties of necessity can b e formally derived from a

short list of basic prop erties The second approach is algorithmic we study algorithms

that recognize prop erties of necessity and we consider the computational complexity of

recognizing these prop erties

We start by listing some basic prop erties of necessity

Theorem For al l formulas and Kripke structures M

a if is an instance of a propositional tautology then M j

b if M j and M j then M j

c M j 2 2 2

d if M j then M j 2

We now show that in a precise sense the prop erties describ ed in Theorem com

pletely characterize all prop erties of necessity To do so we have to consider the notion of

provability in an axiom system AX which consists of a collection of axioms and inference

rules

Consider the following axiom system K which consists of the two axioms and two

inference rules given b elow

A All tautologies of prop ositional calculus

A 2 2 2 Distribution Axiom

R From and infer Mo dus p onens

R From infer 2 Generalization

Theorem Kri K is a sound and complete axiom system

While Theorem do es oer a characterization of the set of valid formulas it is not

constructive as it gives no indication of how to tell whether a given formula is indeed

provable in K We now present results showing that the question of whether a formula

is valid is decidable that is there is an algorithm that given as input a formula will

decide whether is valid An algorithm that recognizes valid formulas can b e viewed as

another characterization of the prop erties of necessity one that is complementary to the

characterization in terms of a sound and complete axiom system

Our rst step is to show that if a formula is satisable not only is it satisable in

some structure but in fact it is also satisable in a nite structure of b ounded size

This prop erty is called the boundedmodel property It is stronger than the nitemodel

property called nite controllability in DG which asserts that if a formula is satisable

then it is satisable in a nite structure Note that the nitemo del prop erty for implies

that is valid in al l Kripke structures if and only if it is valid in all nite Kripke

structures Thus validity and nite validity coincide This prop erty entails decidability

of validity for mo dal logic even without the b oundedmo del prop erty since it implies

that satisability is recursively enumerable and we already know from Theorem that

validity is recursively enumerable

Theorem FLa If a modal formula is satisable then is satisable in a

jj

Kripke structure with at most states

From Theorem we can get an eective although not particularly ecient pro

cedure for checking if a formula is valid ie whether is not satisable We simply

j j

construct all Kripke structures with states the number of such structures is nite

alb eit very large and then check if is true at each state of each of these structures

The latter check is done using the mo delchecking algorithm of Prop osition If is

true at each state of each of these structures then clearly is valid

Precisely how hard is the problem of determining validity We now oer an answer

to this question We characterize the inherent diculty of the problem in terms of

computational complexity

Theorem Lad The validity problem for modal logic is PSPACEcomplete

Note that the upp er b ound is much b etter than the upp er b ound that follows from

Theorem

Mo dal Logic vs FirstOrder Logic

The mo dal logic discussed in Section is prop ositional since every state is lab eled by a

truth assignment to the prop ositional constants Indeed the mo dal logic that we pre

sented is often called propositional modal logic to distinguish it from rstorder modal

logic in which every state is lab eled by a relational structure Gar HC Neverthe

less mo dal logic is more accurately viewed as a fragment of rstorder logic Intuitively

the states in a Kripke structure corresp ond to domain elements in a relational struc

tures and mo dalities are nothing but a limited form of quantiers We now describ e this

connection in more detail

Given a set of prop ositional constants let the vocabulary consist of a unary

predicate q corresp onding to each prop ositional constant q in as well as a binary

predicate R Every Kripke structure M can b e viewed as a relational structure M

over the vocabulary More formally we provide a mapping from a Kripke structure

M S R to a relational structure M over the vocabulary The domain of M

is S For each prop ositional constant q the interpretation of q in M is the set

q and the interpretation of the binary predicate R in M is the binary relation R

Essentially a Kripke structure can b e viewed as a relational structure over a vocabulary

consisting of one binary predicate and several unary predicates

We now dene a translation from mo dal formulas into rstorder formulas over the

vocabulary so that for every mo dal formula there is a corresp onding rstorder

formula with one free variable x ranging over S

q q x for a prop ositional constant q

2 y Rx y xy where y is a new variable not app earing in

and xy is the result of replacing all free o ccurrences of x in by y

The translation of formulas with 3 follows from the ab ove clauses For example 23q

is

y Rx y z Ry z q z

Note that formulas with deep nesting of mo dalities are translated into rstorder formulas

with deep quantifer alternation

Theorem Ben Ben

a M s j i M V j x for each assignment V such that V x s

b is a valid modal formula i is a valid rstorder formula

Intuitively the theorem says that is true of exactly the domain elements corresp onding

to states s for which M s j and consequently is valid i is valid

Theorem presents us with a seeming paradox If mo dal logic is essentially a rst

order logic why is it so wellbehaved computationally Consider for example Prop osi

tion which says that checking the truth of a mo dal formula in a Kripke structure

can b e done in time that is linear in the size of the formula and the size of the structure

In contrast determining whether a rstorder formula holds in a relational structure is

PSPACEcomplete CM Furthermore while according to Theorem the validity

problem for mo dal logic is PSPACEcomplete the validity problem for rstorder logic

is well known to b e robustly undecidable Lew and decidability is typically obtained

only by b ounding the alternation of quantiers DG Since as we have observed

mo dal logic is a rstorder fragment with unbounded quantier alternation why is it

then so robustly decidable

To answer this question we have to take a close lo ok at prop ositional mo dal logic as

a fragment of rstorder logic A careful examination reveals that prop ositional mo dal

logic can in fact b e viewed as a fragment of variable rstorder logic Gab Ben

2

This fragment denoted FO is obtained by restricting the formulas to refer to only

2

two individual variables say x and y Thus xy Rx y Ry x is in FO while

2

xy z Rx y Ry z Rx z is not in FO

To see that two variables suce to express mo dal logic formulas consider the ab ove

translation from mo dal logic to rstorder logic New variables are introduced there only

in the fourth clause

2 y Rx y xy where y is a new variable not app earing in

and xy is the result of replacing all free o ccurrences of x in by y

Thus each mo dal connective results in the introduction of a new individual variable For

example 22q is

y Rx y z Ry z q z

2

which is not in FO It turns out that by reusing variables we can avoid introducing

+

new variables All we have to do is replace the denition of by the denition of

+

q q x for a prop ositional constant q

+ +

+ + +

+ +

2 y Rx y xx y

+

Thus 22q is

y Rx y xx y y Rx y xx y q x

Theorem Gab

+

a M s j i M V j x for each assignment V such that V x s

+ 2

b is a valid modal formula i is a valid FO formula

2

How do es the fact that mo dal logic can b e viewed as a fragment of FO explain its

computational prop erties Consider rst the complexity of evaluating truth of formulas

By Prop osition truth mo dal formulas can b e evaluated in time that is linear in the

size of the structure and in the size of the formula How hard it is to evaluate truth of

2

FO formulas

Prop osition Imm Var There is an algorithm that given a relational structure

2

M over a domain D an FO formula x y and an assignment V fx y g D

2

determines whether M V j in time O jjM jj jj

2

Thus truth of FO formulas can b e evaluated eciently in contrast to the truth

general rstorder formulas whose evaluation as we said is PSPACEcomplete though

not as eciently as the truth of mo dal formulas It is an intriguing question whether

2

there is an interesting fragment of FO whose mo delchecking problem can b e solved in

linear time

2

Do es the embedding in FO explains the decidability of mo dal logic The rst de

2

cidability result for FO was obtained by Scott Sco who showed that the decision

2

problem for FO can b e reduced to that of the Godel class ie the class of rstorder

sentences with quantier prex of the form Since the Godelclass without equal

2

ity is decidable God Kal Sch Scotts reduction yields the decidability of FO

2

without equality This pro of do es not extend to FO with equality since the Godelclass

2

with equality is undecidable Gol The full class FO with equality was considered

by Mortimer Mor He proved that this class is decidable by showing that it has the

2

nitemo del prop erty if an FO formula with equality is satisable then it is satis

2

able by a nite mo del Thus validity and nite validity coincide for FO An analysis of

Mortimers pro of shows that he actually established a b oundedmo del prop erty prop erty

2 2

for FO if an FO formula with equality is satisable then it is satisable by a mo del

whose size is at most doubly exp onential in the length of More recently this result

was improved

2

Theorem GKV If an FO formula is satisable then is satisable in a

jj

relational structure with at most elements

2

Thus to check whether an FO formula is valid one has to check only all structures

of exp onential size By Theorem Theorem implies Theorem since the trans

2 2

lation from mo dal logic to FO is linear Note however the validity problem for FO

is hard for coNEXPTIME F ur and consequently by Theorem coNEXPTIME

complete while the validity problem for mo dal logic is PSPACEcomplete Theorem

Thus the validity problem for mo dal logic is probably easier than the validity problem

2

for FO

2

The embedding of mo dal logic in FO do es seem to oer an explanation to the

computational tractability of mo dal logic It turns out however that this explanation

is of limited scop e To see why let us recall that the versatility of mo dal logics stems

from its adaptability to many sp ecic applications Consider for example necessity as

knowledge as in epistemic logic Hin FHMV In that case we may want 2 to

have prop erties b eyond the minimal set of prop erties given by the axiom system K For

example an imp ortant prop erty of knowledge is veracity ie what is known should b e

true Formally we want the prop erty 2 to hold for necessity as knowledge

An imp ortant observation made around by mo dal logicians cf Hin Hin

Kan Kri was that the logical prop erties of necessity are intimately related to the

graphtheoretical prop erties of the p ossibility relations in Kripke structures For example

veracity is related to reexivity of the p ossibility relations Let us make this claim precise

Let M b e a class of Kripke structures We say that a mo dal formula is valid in M

if it is valid in all Kripke structures in M An axiom system AX is said to b e sound for

M if every provable formula is valid in M and it is said to b e complete for M if every

formula that is valid in M is provable

A Kripke structure M S R is said to b e reexive if the p ossibility relation R

is reexive Let M b e the class of all reexive Kripke structures Let T b e the axiom

r

system obtained from K by adding the axiom of veracity 2p p

Theorem Che T is sound and complete for M

r

Thus T characterizes all the prop erties of necessity in reexive Kripke structures Let us

now examine this characterization from the complexitytheoretic p ersp ective How hard

it is to determine validity of mo dal formulas under the assumption of veracity

Theorem Lad The validity problem for modal logic in M is PSPACEcomplete

r

2

Do es the embedding in FO explain the decidability of validity in reexive structures

2

Indeed it do es since reexivity can easily b e expressed by an FO sentence

2

Prop osition A modal formula is valid in M i the FO formula xRx x

r

+

is valid

2

So far so go o d FO still seems to explain the decidability of mo dal logic Unfor

tunately this explanation breaks down when we consider other prop erties of necessity

Consider for example the prop erties of introspection ie knowledge ab out knowledge

Positive introspection I know what I know 2p 22p

Negative introspection I know what I dont know 2p 22p

A Kripke structure M S R is said to b e reexivesymmetrictransitive if the

p ossibility relation is reexive symmetric and transitive Let M b e the class of all

r st

reexivesymmetrictransitive Kripke structures Let S b e the axiom system obtained

from T by adding the two axiom of introspection 2p 22p and 2p 22p

Theorem

Che S is sound and complete for M

r st

Lad The validity problem for modal logic in M is NPcomplete

r st

2

Note that while symmetry can b e expressed by the FO sentence xy Rx y

Ry x transitivity requires the sentence xy z Rx y Ry z Rx z which

2

is not in FO Thus validity of mo dal formulas in M cannot b e reduced to validity

r st

2

of FO formulas

In general the decidability of mo dal logic is very very robust cf HM Var

As a rule of thumb the validity problem for a mo dal logic is typically decidable one

has to make an eort to nd a mo dal logic with an undecidable validity problem cf

2

HV LR The translation of mo dal logic to FO provides a very partial explanation

for this robustness see also ABN for another partial explanation in terms of bounded

quantication but so far no general explanation for this robust decidability is known

We deep en the puzzle in the next section

Computation Tree Logic

A Kripke structure M S R can b e viewed as an op erational mo del for a program

S is the sets of states that the program can b e in where a state is a snapshot of the

relevant part of the program runtime environment ie the memory the registers the

program stack and the like describ ed which events are observable in each state and R

describ es transitions that can o ccur by executing one step of the program Such a mo del

is called a transition system Kel it abstracts away the syntax of the program and

fo cuses instead on its op erational b ehavior As such it is appropriate for mo deling b oth

software and hardware Note that transition systems are nondeterministic a no de s can

have more than one outgoing Redge This is a p owerful abstraction mechanism that

let us mo del the uncertainty ab out the environment in which the program is running

For example nondeterminism can arise from the many p ossible interleaving b etween

concurrent pro cesses For technical convenience we assume that the program never

deadlo cks by requiring that R b e total ie that every state has an outgoing Redge

This assumption do es not restrict the mo deling p ower of the formalism since we can

view a terminated execution as rep eating forever its last state by adding a selflo op

to that state In numerous applications notably integrated circuits and proto cols for

communication co ordination and synchronization the system consists of only nitely

many states Liu Rud giving rise to nitestate systems

Temporal logics which are mo dal logics geared towards the description of the temp oral

ordering of events have b een adopted as a p owerful to ol for sp ecifying and verifying

concurrent programs Pnu MP We distinguish b etween two types of temp oral

logics linear and branching Lam In linear temp oral logics each moment in time has

a unique p ossible future while in branching temp oral logics each moment in time may

split into several p ossible futures Our fo cus here is on a particular branching temp oral

logic called computation tree logic or CTL for short CE

CTL provides branching temp oral connectives that are comp osed of a path quantier

immediately followed by a single linear temp oral connective Eme The path quanti

ers are A for all paths and E for some path The lineartime connectives are

X next time and U until For example the formula E pU q says that there is a

computation along which p holds until q holds Formally given a set of prop ositional

constants a CTLformula is one of the following

p for all p

or where and are CTLformulas

E X AX E U A U where and are CTLformulas

To dene satisfaction of CTLformulas in a Kripke structures M S R we need

the notion of a path in a M A path in M is an innite sequence s s of states such

0 1

that for every i we have that s s R

i i+1

A state s in a Kripke structure M S R satises a CTLformula denoted

M s j under the following conditions

M s j p for p if s p

M s j i M s j and M s j

M s j if M s j

M s j E X if M t j for some t such that s t R

M s j AX if M t j for all t such that s t R

M s j E U if there exists a path s s with s s and some i

0 1 0

such that M s j and for all j where j i we have M s j

i j

M s j A U if for all paths s s with s s there exists some i

0 1 0

such that M s j and for all j where j i we have M s j

i j

Note that EX and AX corresp ond to the 3 and 2 of mo dal logic while EU and AU

have no such counterparts

CTL enables us to make p owerful assertions ab out the b ehavior of the program

For example E true U says that along some computation eventually holds This is

abbreviated by E F It may seem that all the temp oral connectives talk ab out nite

computations since X has to b e satised in one program step and U has to b e satised

in nitely many program steps but we can combine temp oral and Bo olean connec

tives to form assertions ab out innite computations For example consider the formula

Atrue U This formula holds in a state s if along every path starting at s eventually

holds which is abbreviated as AF Thus AF says that there is an innite

path along which always hold which is abbreviated by E G For example if cs says

i

that pro cess i is in the critical section then the formula EGcs cs says that there

1 2

is a computation along which we cannot have b oth pro cess and pro cess in the critical

section

We now consider two algorithmic asp ects of CTL First there is the mo delchecking

problem ie deciding whether a given CTLformula holds in a given state in a given

nite Kripke structure Second there is the validity problem ie deciding if a given

CTLformula holds in all states in all transition systems

We start with mo del checking

Prop osition CES cf CE QS There is an algorithm that given a

nite Kripke structure M a state s of M and a CTLformula determines in time

O jjM jj jj whether M s j

Prop osition is an extension of Prop osition since the temp oral connective AX

corresp ond to the mo dality 2 The pro of is based on the fact that one can check the

satisfaction of AU and EU formulas using graphbased algorithms that run in linear time

As simple as it seems Prop osition has an enormous implication for the verication

of nitestate programs having given rise together with the results in LP to the

p ossibility of algorithmic verication of nitestate systems cf CGL

We now consider the validity problem It turns out that Theorem applies also to

CTL

Theorem FLa If a CTLformula is satisable then is satisable in a Kripke

jj

structure with at most states

Theorem implies the decidability of the validity problem for CTL Precise lower

and upp er complexity b ounds were established in resp ectively FLa and EH

Theorem FLa EH The validity problem for CTL is EXPTIMEcomplete

Is there a rstorder explanation for the decidability of CTL As in Section Kripke

structures are essentially relational structures over a vocabulary consisting of many unary

predicates and one binary predicate CTLformulas however cannot b e viewed as rst

order formulas For example the CTLformula E F p holds at a state s if there is a path

from s leading to a state in which p hol ds It follows easy from known limitations of

the expressive p ower of rstorder logic cf Fag that this is not expressible in rst

order logic CTL however can b e viewed as a fragment of xp oint logic in fact as a

2

fragment of the variable fragment FP of xp oint logic CTL can also b e translated

into variable transitiveclosure logic see IV

We establish this corresp ondence in two steps We rst dene a modal xpoint logic

which is an extension of mo dal logic with a xp oint construct This extension was called

in Koz the propositional calculus It is known that CTL can b e viewed as a fragment

of this logic see EC We then observe that mo dal xp oint logic can b e viewed as

2

a fragment of FP

The syntax of mo dal xp oint logic is dened as follows In addition to the set

of prop ositional constants we have a set of propositional variables typically lab eled

X X Y Y The set of mo dal xp oint formulas is dened as follows

p for all p

X for all X

or where and are formulas

2 where is a formula

X where is a formula in which X o ccurs p ositively ie under an even number

of negations

All o ccurrence of a prop ositional variable X within the scop e of X are bound the

other o ccurrences are free A formula in which all prop ositional variables are b ound

is called a closed formula We denote by X X a formula all of whose free

1 k

prop ositional variables are among X X

1 k

Formulas of the mo dal xp oint calculus are interpreted with resp ect to triples M s V

S

where M S R is a Kripke structure s is a state of M and V is a variable

interpretation that asso ciates with each prop ositional variable in a set of states in S

ie V is analogous to If V is such an interpretation X is a prop ositional variable in

and S is a subset of S then V X S is a variable interpretation that agrees with

V on all prop ositional constants except for X and V X S

M s V j p for p if s p

M s V j X for X if s V X

M s V j i M s V j and M s V j

M s V j if M s V j

M s V j 2 if M t V j for all t such that s t R

T

M s V j X if s fT S j T ft j M t V X T j gg

Intuitively M s V j X if s is in the least xp oint of where the latter is viewed

as an op erator For a detailed explanation of this p ersp ective see Eme

It is easy to see that when considering the satisfaction of a formula X X

1 k

it suces to consider variable interpretations that are dened on the free prop ositional

variables X X Thus if is a closed formula then we can talk ab out holding in

1 k

a state s of a Kripke structure s denoted as usual by M s j

As mentioned earlier CTL is subsumed by the mo dal xp oint logic Clearly AX p

and E X p are simply notational variants for 2p and 3p resp ectively More signicantly

ApU q can b e written as X q p 2X and E pU q can b e written as X q p 3X

For a detailed exp osition see Eme

2

It remains to show that mo dal xp oint logic can b e viewed as a fragment of FP

Recall that FP is obtained by augmenting rstorder logic with the leastxp oint op erator

CH Let x S b e a formula with free individual variables among x x x

1 m

and in which an mary relation symbol S o ccurs p ositively ie in the scop e of an even

number of negations Over a xed relational structure the formula can b e viewed as

an op erator from mary relations to mary relations

P ft j t P holdsg

Because S o ccurs p ositively in the op erator is monotone ie if P Q then

P Q Since the p ossibly transnite sequence

is increasing it has a limit denoted which is the least xp oint of The formula

S xx S z whose free variables are those in z refers to this least xp oint For

mally we have that Sx S t holds in a given relational structure if t

2

FP is the fragment of FP obtained by restricting the formulas to refer to only two

2

individual variables say x and y For example the FP formula Qpx y Rx y

Qy describ es the set of all no des in a graph from which one can reach a no de where p

holds

2

We already saw that mo dal logic can b e translated into FO To translate mo dal

2

xp oint logic to FP we just have to add one more clause

+ +

P P

Note that we can combine the two translations from CTL to mo dal xp oint logic and

2 2

from the latter to FP to get a translation from CTL to FP For example the CTL

formula E pU q can b e written as Qq x px y Rx y xx y Qx

Theorem

+

a M s j i M V j x for each assignment V such that V x s

+ 2

b is a valid modal formula i is a valid FP formula

2

Do es the fact that CTL can b e viewed as a fragment of FP explains its computa

tional prop erties Consider rst the complexity of evaluating the truth of formulas By

Prop osition the truth of mo dal formulas can b e evaluated in time that is linear in

the size of the structure and in the size of the formula How hard it is to evaluate the

2

truth of FP formulas

2

Prop osition Var The problem of evaluating whether an FP formula x y

holds in a given relational structure M over a domain D with respect to an assignment

V fx y g D is in NPcoNP

It is an op en problem whether the b ound of Prop osition which is also the

b est known complexity b ound for the mo delchecking problem for mo dal xp oint logic

BVW EJS can b e improved Even without such an improvement we can explain

the linear b ound of Prop osition A careful analysis see EL of the translation

of CTL into mo dal xp oint logic shows that we actually need only a small fragment of

mo dal xp oint logic in which the alternation b etween xp oints and negations is limited

which is why this fragment is called alternationfree L in Eme The mo del

1

checking problem for alternationfree mo dal xp oint logic can b e solved in linear time

BVW Cle It can b e shown that the quadratic upp er b ound of Prop osition can

2 2

b e extended to alternationfree FP Thus viewing CTL as a fragment of FP do es ex

plain the tractability of mo del checking For a detailed discussion of the mo delchecking

problem for mo dal xp oint logic see Eme

2

It is not clear however that viewing CTL as a fragment of FP explains the decid

ability of the validity problem The validity problem for mo dal xp oint logic is decidable

in fact like for CTL it is EXPTIMEcomplete EJ One might have exp ected the va

2

lidity problem for FP also to b e decidable Unfortunately it was shown recently in

2 1

complete even GOR that the validity problem for FP is highly undecidable

1

under various syntactical restrictions It turns out that logics such as CTL and mo dal

xp oint logic enjoy an imp ortant prop erty called the treemodel property which do es not

2

extend to FP

The TreeModel Prop erty

Consider two Kripke structures M S R and M S R Assume u S and

1 1 1 1 2 2 2 2 1

v S A binary relation S S is a bisimilarity relation Mil Par if the

2 1 2

following hold for each pair u v of no des such that u v

fp j u pg fp j v pg

1 2

If u u R then there is some v S such that v v R and u v

1 2 2

If v v R then there is some u S such that u u R and u v

2 1 2

Two no des u v are bisimilar denoted u v if they are related by some bisimilarity

relation Intuitively two no des are bisimilar if they lo ok alike lo cally It turns out that

mo dal xp oint logic and consequently also CTL cannot distinguish b etween bisimilar

states

Prop osition HM Let M S R and M S R be Kripke structures

1 1 1 1 2 2 2 2

and assume u S and v S If u v then M u j i M v j for each

1 2 1 2

modal xpoint formula

An immediate conclusion from Prop osition is that satisfaction of mo dal xp oint

formulas is invariant under unwinding of Kripke structures For example the Kripke

structure M of Figure was obtained from the Kripke structure M of Figure by

unwinding the no de v It follows that the no des u in M and the no de u in M are

bisimilar Consequently they b oth satisfy the formula 22q

p q p q p q p q

v v v u

w w w w

p q p q q p q p

Figure The Kripke structure M

In particular Kripke structures can b e unwound into trees A tree is a set T N

here N is the set of natural numbers such that a if x T then x c T for some

c N and b if x c T where x N and c N then also x T and for all

c c also x c T The elements of T are called nodes and the empty word is

the root of T For every x T the no des x c T are the successors of x The number

of successors of x is called the degree of x and is denoted by dx A branch of the tree is

a sequence x x such that x is a successor of x for all i If all no des x of T

0 1 i i1

have the same degree n then the tree is called an nary tree Note that in this case

T f n g denoted T

n

A Kripke structure M T R where T is a tree and R is the successor relation

on T is called a tree structure It is easy to see that every Kripke structure can b e

unwound to a tree structure our assumption that the p ossibility relation is total is

imp ortant here Note that the tree structure could b e innite even when M is nite

Prop osition Let M S R be a Kripke structure and assume u S Then

there is a tree structure M T R such that u

It follows from Prop osition that if a CTLformula is satisable then it is satisable

in the ro ot of a tree structure This is called the treemodel property It should b e noted

that the treemo del prop erty is incomparable to the nitemo del prop erty there are

2

mo dal logics whether the former holds but the latter fails VW while FO has the

2

nitemo del prop erty but not the treemo del prop erty consider for example the FO

sentence xy Rx y

It turns out that one could prove an even stronger version of the treemo del prop erty

for CTL

Prop osition Eme Let be a CTLformula If CTL is satisable then it is

satisable at the root of a nary tree structure where n jj

A similar result can b e proven for mo dal xp oint logic SE but there is a subtlety

regarding the degree that wed rather not get into here

The treemo del prop erty is so imp ortant b ecause it provides us with a p owerful to ol

to prove decidability results using Rabins result ab out the logic S nS Rab S nS is a

monadic secondorder logic ab out nary tree structures In S nS we view tree structures as

relational structures that is the no des of the tree are the elements of the domain and the

prop ositional constants are viewed as unary predicates We also view the prop ositional

variables as unary predicates Instead of having however one binary predicate we

have n binary predicates R R where the interpretation of R is the relation

0 n1 i

fx x i j x T i ng Thus the atomic formulas are either of the form x y of

n

form P x where P is a unary predicate or of the form R x y In addition to Bo olean

i

connectives and rstorder quantiers we allow also monadic secondorder quantiers

such as P where P is variable predicate Intuitively P P says that there exists

a set S of no des such that the interpretation V P S satises the formula An

S nS formula is closed if all its individual variables and all its variable predicates are

quantied

Prop osition Rab The validity problem for closed S nS formulas is decidable

W

n

We now give a few examples of S nS formulas The formula R x y abbreviated

i

i=1

succx y says that y is a successor of x The formula xy P x succx y P y

abbreviated dow nP says that P is in some sense downward closed every no de that

satises P has a successor that satises P The formula xy z P x succx y

succx z P y P z y z abbreviated uniq ueP says that a no de in P has

at most one successor in P The formula dow nP uniq ueP abbreviated pathP

says that P corresp onds to a path in the tree ie the interpretation of P is a set

s s where s is the successor of s for all i The formula xP x

0 1 i i1

q x abbreviated satP q says that all elements in P satisfy q Thus the formula

P P x pathP satP q says that there is a path where q holds along the path

This corresp onds to the CTLformula E Gq

More generally every CTLformula can b e expressed as an S nS formula To express

the CTLformula ApU q we pro ceed as follows Let topQ x b e the formula Qx

y succy x Qy We can now express the CTLformula ApU q by the following

S nS formula

P QP x pathP pathQ satQ P

xQx xP x Qx px

xtopQ x q x

Since CTL can b e expressed in S nS and the validity problem for S nS is decidable

it follows by Prop osition that the validity problem for CTL is decidable It can

b e similarly shown that mo dal xp oint formulas can b e expressed in S nS yielding the

decidability of the validity problem for mo dal xp oint logic KP Thus S nS provides

us with a general framework for proving decidability results for mo dal logics Gab

Gab

Unfortunately the reduction to S nS is not to o useful since the validity problem for

S nS is nonelementary that is there is a lower b ound on the time complexity of the form

n

2

where the height of the stack is n Mey

A strategy to get around this diculty was conceived by Streett Str Streett ob

served that the crux of Rabins decidability pro of for S nS is its reduction to an automata

theoretic problem Rabin observed that a tree structure can b e viewed as a labeled tree

A lab eled tree for an alphab et is a pair T where T is a tree and T

asso ciates with every no de of T a lab el in A tree structure T R can b e viewed as

a lab eled tree T where x fp j x pg ie the lab el of a no de is the set

of prop ositional constants that hold in that no de Rabin showed that with each closed

S nS formula one can eectively asso ciate a tree automaton A such that holds in

an nary tree structure T R precisely when A accepts the lab eled nary tree

n

T

n

0

An nary tree automaton A is a tuple Q Q F where is a nite alphab et

0

Q is a nite set of states Q Q is a set of initial states F is an acceptance condition

n

Q

which will b e discussed shortly and Q is a transition function The

automaton A takes as input a lab eled nary tree T Note that u a is a set of

n

ntuples for each state u and symbol a Intuitively when the automaton is in state u and

it is reading a no de x in T it nondeterministically chooses an ntuple hu u i in

n 1 n

u x and then makes n copies of itself and moves to the no de x i in the state u for

i

i n A run r T Q of A on T is an Qlab eled nary tree such that the

n n

ro ot is lab eled by an initial state and the transitions ob ey the transition function that

0

is r Q and for each no de x we have hr x r x ni r x x The run

is accepting if r satises the acceptance condition F The language of A denoted LA

is the set of trees accepted by A

Since as mentioned ab ove holds in an nary tree structure T R precisely when

n

A accepts the lab eled nary tree T it follows that is valid i LA

n

Thus the validity problem is reduced to the emptiness problem for tree automata ie

the problem of determining whether the language accepted by a given tree automaton is

empty Streetts insight was to prop ose applying this strategy to a logic without going

through the intermediate step of reducing it to S nS rst

This strategy was carried out for CTL in VW actually it was carried out for

a closely related logic called PDL FLb who used B uchi tree automata A B uchi

0

tree automaton is a tree automaton A Q Q F where the acceptance condition

F Q is a set of accepting states A run r T Q of A on a lab eled nary tree

n

T is accepting if every branch of r visits F innitely often that is if for every branch

n

x x of T there are innitely many is such that r x F

0 1 n i

Theorem With each CTLformula and n one can eectively associate a

B uchitree automaton A such that holds in an nary tree structure T R precisely

n

when A accepts the labeled nary tree T Furthermore the number of states of

n

A is at most exponential in jj

Theorem reduces the validity problem for CTL to the emptiness problem for

B uchi tree automata Rabin describ ed a cubictime algorithm for emptiness of B uchi

tree automata Rab An improved algorithm with a quadratic running time was

describ ed in VW Combined with Theorem this provides an alternative pro of for

the exp onential upp er b ound in Theorem A similar approach though technically

quite more involved can b e used to show that the validity problem for mo dal xp oint

logic is also decidable in exp onential time EJ It is an op en question whether there is

2

a fragment of FP dened p erhaps in terms of b ounded quantication as in ABN

that is strictly more expressive than mo dal xp oint logic but whose validity problem is

still decidable If such a fragment is found it is likely that the decision pro cedure for it

will b e automatabased

In Conclusion

We describ ed the robust tractability of two computational problems asso ciated with

mo dal logic the mo delchecking problem and the validity problem We then asked why

in view of the fact that it is essentially a fragment of rstorder logic mo dal logic is

so robustly decidable In an attempt to answer this question we to ok a closer lo ok

at mo dal logic as a fragment of rstorder logic and noted that it is in fact a fragment

2

of FO which is a tractable fragment of rstorder logic Up on a deep examination

however we noted that this explanation is not satisfactory The tractability of mo dal

2

logic is quite robust and holds also for extensions that are not fragments of FO and are

not even rstorder We concluded by showing that mo dal logic and its extensions enjoy

the treemo del prop erty which leads to automatabased decision pro cedures

Acknowledgements I am grateful to Dov Gabbay Allen Emerson Neil Immerman

Phokion Kolaitis and Orna Kupferman for their comments on previous drafts of this

pap er

References

ABN H Andrika J F A K van Benthem and I Nimeti Back and forth b etween

mo dal logic and classical logic J of the IGPL

BAN M Burrows M Abadi and R Needham Authetication a practical study

in b elief and action In Proc nd Conf on Theoretical Aspects of Reasoning

about Know ledge pages

Bay A Bayart La correction de la logique mo dale du premier et second ordre S

Logique et Analyse

Ben J F A K van Benthem Some corresp ondence results in mo dal logic Rep ort

University of Amsterdam

Ben J F A K van Benthem Modal Logic and Classical Logic Bibliop olis

Naples

Ben J F A K van Benthem Temporal logic Rep ort x Institute for Logic

Language and Computation University of Amsterdam

BLMS R Brafman JC Latombe Y Moses and Y Shoham Knowledge as a

to ol in motion planning under uncertainty In R Fagin editor Theoretical

Aspects of Reasoning about Know ledge Proc Fifth Conference pages

Morgan Kaufmann San Francisco Calif

Bo c G V Bo chmann Hardware sp ecication with temp oral logic an example

IEEE Transactions on Computers C

BVW O Bernholtz MY Vardi and P Wolper An automatatheoretic approach

to branchingtime mo del checking In D L Dill editor Computer Aided Ver

ication Proc th Int Conference volume of Lecture Notes in Computer

Science pages Stanford June SpringerVerlag Berlin

Car R Carnap Mo dalities and quantication Journal of Symbolic Logic

Car R Carnap Meaning and Necessity University of Chicago Press Chicago

CCF J M V Castilho M A Casanova and A L Furtado A temp oral framework

for database sp ecication In Proc th Int Conf on Very Large Data Bases

pages

CE EM Clarke and EA Emerson Design and synthesis of synchronization

skeletons using branching time temp oral logic In Proc Workshop on Logic

of Programs volume of Lecture Notes in Computer Science pages

SpringerVerlag

CES EM Clarke EA Emerson and AP Sistla Automatic verication of nite

state concurrent systems using temp oral logic sp ecications ACM Transac

tions on Programming Languages and Systems January

CGL EM Clarke O Grumberg and D Long Verication to ols for nitestate

concurrent systems In JW de Bakker WP de Ro ever and G Rozenberg

editors Decade of Concurrency Reections and Perspectives Proceedings of

REX School Lecture Notes in Computer Science pages Springer

Verlag

CH A Chandra and D Harel Structure and complexity of relational queries

Journal of Computer and System Sciences

Che B F Chellas Modal Logic Cambridge University Press Cambridge UK

Cle R Cleaveland A lineartime mo delchecking algorithm for the alternation

free mo dal calculus Formal Methods in System Design

CM AK Chandra and PM Merlin Optimal implementation of conjunctive

queries in relational databases In Proc th ACM Symp on Theory of Com

puting pages

DG D Dreb en and W D Goldfarb The Decision Problem Solvable Classes of

Quanticational Formulas AddisonWesley

EC EA Emerson and EM Clarke Characterizing correctness prop erties of

parallel programs using xp oints In Proc th Intl Col loq on Automata

Languages and Programming pages

EH EA Emerson and JY Halp ern Decision pro cedures and expressiveness

in the temp oral logic of branching time Journal of Computer and System

Sciences

EJ EA Emerson and C Jutla The complexity of tree automata and logics of

programs In Proceedings of the th IEEE Symposium on Foundations of

Computer Science White Plains Octob er

EJS EA Emerson C Jutla and AP Sistla On mo delchecking for fragments of

calculus In Computer Aided Verication Proc th Int Workshop volume

pages Elounda Crete June Lecture Notes in Computer

Science SpringerVerlag

EL EA Emerson and CL Lei Ecient mo del checking in fragments of the

prop osoitional mucalculus In Proceedings of the First Symposium on Logic

in Computer Science pages Cambridge June

Eme EA Emerson Temporal and mo dal logic Handbook of theoretical computer

science pages

Eme E A Emerson Mo del checking and the calculus this volume

Fag R Fagin Monadic generalized sp ectra Zeitschrift f ur Mathematische Logik

und Grund lagen der Mathematik

FHMV R Fagin J Y Halp ern Y Moses and M Y Vardi Reasoning about Know l

edge MIT Press Cambridge Mass

FLa M J Fischer and R E Ladner Prop ositional dynamic logic of regular

programs Journal of Computer and System Sciences

FLb MJ Fischer and RE Ladner Prop ositional dynamic logic of regular pro

grams J of Computer and Systems Sciences

F ur M F urerThe computational complexity of the unconstrained limited domino

problem with implications for logical decision problems In Lecture Notes

in Computer Science pages SpringerVerlag

Gab D Gabbay Expressive functional completeness in tense logic In U Monnich

editor Aspects of Philosophical Logic pages Reidel

Gab D Gabbay A survey of decidability results for mo dal tense and interme

diate logics In P Supp es et al editor Proc th Intl Congress on Logic

Methodology and Philosophy of Science pages NorthHolland

Gab D Gabbay Decidability results in nonclassical logics I Annals of Mathe

matical Logic

Gar J W Garson Quantication in mo dal logic In D Gabbay and F Guenth

ner editors Handbook of Philosophical Logic Vol II pages Reidel

Dordrecht Netherlands

GKV E Gradel Ph G Kolaitis and M Y Vardi The decision problem for

variable rstorder logic Unpublished manuscript

God K Godel Ein sp ezialfall des entscheidungsproblem der theoretischen logik

Ergebn math Kol loq

Gol W D Goldfarb The Godel class with equality is unsolvable Bul l Amer

Math Soc New Series

GOR E Gradel M Otto and E Rosen Undecidability results for twovariable

logics Unpublished manuscript

HC G E Hughes and M J Cresswell An Introduction to Modal Logic Methuen

London

Hin J Hintikka Quantiers in deontic logic Societas Scientiarumi Fennica

Commentationes Humanarum Literarum

Hin J Hintikka Mo dalities and quantication Theoria

Hin J Hintikka Know ledge and Belief Cornell University Press Ithaca NY

HM M Hennessy and R Milner Algebraic laws for nondeterminism and concur

rency Journal of ACM

HM J Y Halp ern and Y Moses Knowledge and common knowledge in a dis

tributed environment Journal of the ACM

HM J Y Halp ern and Y Moses A guide to completeness and complexity for

mo dal logics of knowledge and b elief Articial Intel ligence

HV J Y Halp ern and M Y Vardi The complexity of reasoning ab out knowl

edge and time I lower b ounds Journal of Computer and System Sciences

Imm N Immerman Upp er and lower b ounds for rstorder expressibility Journal

of Computer and System Sciences

IV N Immerman and MY Vardi Mo del checking and transitive closure logic

forthcoming

Kal L Kalmar Ub er die erf ullbarkeit derjenigen zalhausdrucke welche in der

normalform zwei b enachbarte allzeichen enthalten Math Annal

Kan S Kanger Provability in Logic Sto ckholm Studies in Philosophy I

Kel RM Keller Formal verication of parallel programs Comm ACM

Koz D Kozen Results on the prop ositional calculus Theoretical Computer

Science

KP D Kozen and R Parikh A decision pro cedure for the prop ositional mu

calculus In Logics of Programs volume of Lecture Notes in Computer

Science pages SpringerVerlag

Kri S Kripke A completeness theorem in mo dal logic Journal of Symbolic Logic

Kri S Kripke A semantical analysis of mo dal logic I normal mo dal prop ositional

calculi Zeitschrift f urMathematische Logik und Grund lagen der Mathematik

Announced in Journal of Symbolic Logic

Lad R E Ladner The computational complexity of provability in systems of

mo dal prop ositional logic SIAM Journal on Computing

Lam L Lamp ort Sometimes is sometimes not never on the temp oral logic of

programs In Proc th ACM Symp on Principles of Programming Languages

pages

Lew H R Lewis Unsolvable Classes of Quanticational Formulas Addison

Wesley

Lip W Lipski On the logic of incomplete information In Proc th Interna

tional Symposium on Mathematical Foundations of Computer Science Lec

ture Notes in Computer Science Vol pages SpringerVerlag

BerlinNew York

Liu MT Liu Proto col engineering Advances in Computing

LL C I Lewis and C H Langford Symbolic Logic Dover New York nd

edition

LP O Lichtenstein and A Pnueli Checking the nitestate concurrent programs

satisfy their linear sp ecications In Proc th ACM Symp on Principles of

Programming Languages pages

LR R E Ladner and J H Reif The logic of distributed proto cols preliminary

rep ort In J Y Halp ern editor Theoretical Aspects of Reasoning about

Know ledge Proc Conference pages Morgan Kaufmann San

Francisco Calif

Mer C A Meredith Interpretations of dierent mo dal logics in the prop erty

calculus mimeographed manuscript Philosophy Department Canterbury

University College recorded and expanded by A N Prior

Mey A R Meyer Weak monadic second order theory of successor is not elemen

tary recursive In Proc Logic Col loquium volume of Lecture Notes in

Mathematics pages SpringerVerlag

MH J McCarthy and P J Hayes Some philosophical problems from the stand

p oint of articial intelligence In D Michie editor Machine Intel ligen ce

pages Edinburgh University Press Edinburgh

Mil R Milner Communication and Concurrecny PrenticeHall Englewoo d Clifs

Mon R Montague Logical necessity physical necessity ethics and quantiers

Inquiry

Mor M Mortimer On language with two variables Zeit f ur Math Logik und

Grund der Math

MP Z Manna and A Pnueli The Temporal Logic of Reactive and Concurrent

Systems Specication SpringerVerlag Berlin January

Par D Park Concurrency and automata on innite sequences In P Deussen

editor Proc th GI Conf on Theoretical Computer Science Lecture Notes

in Computer Science Vol SpringerVerlag BerlinNew York

Pnu A Pnueli The temp oral logic of programs In Proc th IEEE Symposium

on Foundation of Computer Science pages

Pra V R Pratt Semantical considerations on FloydHoare logic In Proc th

IEEE Symp on Foundations of Computer Science pages

Pri A N Prior Possible worlds idea attributed to P T Geach Philosophical

Quarterly

QS J P Queille and J Sifakis Sp ecication and verication of concurrent sys

tems in CESAR In Proc th Intl Symp on Programming Lecture Notes

in Computer Science Vol pages SpringerVerlag BerlinNew

York

Rab M O Rabin Decidability of secondorder theories and automata on innite

trees Transactions of the American Mathematical Society

Rab MO Rabin Weakly denable relations and sp ecial automata In Proc Symp

Math Logic and Foundations of Set Theory pages North Holland

RS J H Reif and A P Sistla A multiprocessor network logic with temp oral

and spatial mo dalities In Proc th International Col loq on Automata

Languages and Programming Lecture Notes in Computer Science Vol

SpringerVerlag BerlinNew York

Rud H Rudin Network proto cols and to ols to help pro duce them Annual Review

of Computer Science

Sch K Schutte Untersuchungen zum entscheidungsproblem der mathematischen

logik Math Annal

Sco D Scott A decision metho d for validity of sentences in two variables Journal

of Symbolic Logic

SE R S Street and E A Emerson An elementary decision pro cedure for the

mucalculus In Proc th Int Col loquium on Automata Languages and

Programming volume Lecture Notes in Computer Science Springer

Verlag July

Str RS Streett Prop ositional dynamic logic of lo oping and converse Informa

tion and Control

Var M Y Vardi On the complexity of epistemic reasoning In Proc th IEEE

Symp on Logic in Computer Science pages

Var MY Vardi On the complexity of b oundedvariable queries In Proceedings

of the ACM th Symposium on Principles of Database Systems June

VW M Y Vardi and P Wolper An automatatheoretic approach to automatic

program verication In Proc st IEEE Symp on Logic in Computer Science

pages

Web Analytics