Branching Time and Partial Order in Temporal Logics

Wojciech Penczek
Institute of Computer Science, Polish Academy of Sciences
Ordona 21, 01-237 Warsaw, Poland

Abstract

The aim of this paper is to present existing propositional temporal logics with branching and partially ordered time. These logics are used for specifying and proving properties of programs and systems. The branching time approach is useful e.g. for non-deterministic programs and can also be applied to concurrent programs. The partial order approach is especially useful for concurrent programs and allows one to study more subtle properties than those based on branching time. A survey of branching time logics, computation tree logics, partial order temporal logics and logics based on event structures is given. The following issues are addressed in this paper: the completeness of proof systems, the finite model property, decidability, model checking and the expressiveness of the logics.

1 Introduction

The aim of this paper is to present existing formal languages of propositional temporal logic with frames based on branching time structures or, more generally, partial orders. Branching time and partial order logics differ not only in their underlying frames, but also in the way the logics are linked to the behaviour of concurrent systems. Therefore, the formal systems studied comprise both a syntax and a semantics of a logic; our motive for their study(*) derives from the way that frames correspond to differing behavioural aspects of concurrent systems.

(*) This work has been partly supported by The Technical University of Eindhoven and a grant from The Wolfson Research Awards Scheme in The United Kingdom.

In the branching time approach, which adopts a tree-structured time, every time instant may have several immediate successors which correspond to different futures, for instance those resulting from non-determinism or from modelling concurrency by interleaving. In a partial order approach, where any partial order structure can be applied, the situation is similar except that every time instant may also have several immediate predecessors corresponding to different pasts, resulting from interleaved or non-interleaved concurrency. It has to be stressed that the difference between the approaches has very little to do with the philosophical question of the structure of physical time and problems of determinacy versus free will. Instead, it is pragmatically based on the choice of the type of systems and on the choice of properties to be formalized and proved.

There are several reasons to develop logics based on branching time or partial order structures. The branching time approach considers, for a given program and a given input, the execution tree generated by the program. Over the execution tree, universal properties involving all computations (maximal sequences of states) can be studied as well as existential properties referring to a specific computation. This approach is very useful for non-deterministic programs and can also be applied to concurrent programs. The partial order approach considers, for a given program and a given input, the set of trees or partial orders representing full runs. Over these structures universal and existential properties of computations as well as properties involving runs can be studied. The latter ability makes this approach especially useful for concurrent programs. Partial order logics can be divided into two groups with respect to the structures serving as frames: configuration structures and event structures.
Configurations represent states of an entire system, whereas events in event structure models represent local states of sequential agents.

The first ideas about branching time logics appeared in the papers of Abrahamson [1], [2]. One year later Ben-Ari, Manna, and Pnueli defined the Unified Branching Time System (UB) [3]. In the same year, Clarke and Emerson extended the expressiveness of UB by defining Computation Tree Logic (CTL) [4]; their results are fully described in [5]. In 1983, Emerson and Halpern gave the definition of CTL* [12]. The first logic based on partial orders (POTL) was defined by Pinter and Wolper in 1984 [34] and then extended by Kornatzky and Pinter [18]. Three years later Katz and Peled presented Interleaving Set Temporal Logic [21] based on configuration structures. The history of event structure logics is much shorter. The first logic dealing with n-sequential event structures was defined by Lodaya and Thiagarajan [25] in 1987. Then, Penczek [29] presented a temporal logic based on unrestricted event structures. This logic has subsequently been extended and refined in [30], [27], and [28].

In this paper the logics mentioned above are presented. The same pattern of presentation is followed for each logic. Firstly, the syntax and the semantics of the logic are given. Then, it is shown how frames of the logic are linked with the behaviour of a concurrent system, if this is not obvious. At the end, expressiveness, a proof system and a characterization of the logic are presented and discussed. The following issues are addressed: the completeness of proof systems, the finite model property, decidability, and model checking.

The first part of this chapter deals with the following branching time logics:
- UB - Unified System of Branching Time,
- CTL - Computation Tree Logic,
- CTL* - Computation Tree Logic*.

The second part contains descriptions of the following partial order logics:
- POTL - Partial Order Temporal Logic,
- POTL[U, U] - Partial Order Temporal Logic with Until and Since,
- ISTL - Interleaving Set Temporal Logic,
and temporal logics based on event structures:
- SESL - Sequential Agent Event Structure Logic,
- ESL - Event Structure Logic,
- ESL[] - Event Structure Logic with a run proposition,
- DESL - Discrete Event Structure Logic,
- ESL[C] - Event Structure Logic with a concurrency operator.


2 Branching Time Temporal Logics


This section begins with a definition of the Computation Tree Logic* (CTL*) formal language, restrictions of which constitute the formal systems UB and CTL. CTL* is a very powerful temporal logic which can be used for specifying a variety of program properties due to its modal operators. These allow for quantifying over paths of CTL* models as well as over states of the paths. Trees are canonical models of CTL*. They can be easily defined as unwindings of standard Kripke models. The semantics of CTL* formulas is given now, but its characterization is postponed until UB and CTL have been defined.

2.1 Formal Language of CTL* [12]

The language of CTL* is composed of state and path formulas. As the names indicate, state formulas are interpreted over states and path formulas over paths. In fact, path formulas contain all state formulas. There are two path quantifiers, $\exists$ and $\forall$, with the intuitive meaning "there is a path" and "for all paths", respectively. The path modalities are: $\bigcirc$ (at the next state), $U$ (until), $\Diamond$ (eventually) and $\Box$ (always).

2.1.1 Syntax of CTL*

Let $AP$ be a set of atomic propositions. Then, the set of state formulas and the set of path formulas are defined inductively. The set of state formulas is defined by:
S-1 every member of $AP$ is a state formula,
S-2 if $p$ and $q$ are state formulas, then so are $\neg p$ and $p \wedge q$,
S-3 if $p$ is a path formula, then $\exists p$ is a state formula,
and the set of path formulas by:
P-1 any state formula $p$ is also a path formula,
P-2 if $p$, $q$ are path formulas, then so are $p \wedge q$ and $\neg p$,
P-3 if $p$, $q$ are path formulas, then so are $\bigcirc p$ and $(p\,U\,q)$.
The other connectives and modalities are used as abbreviations:

- $p \vee q =_{\mathrm{def}} \neg(\neg p \wedge \neg q)$,
- $p \to q =_{\mathrm{def}} \neg p \vee q$,
- $p \leftrightarrow q =_{\mathrm{def}} (p \to q) \wedge (q \to p)$,
- $T =_{\mathrm{def}} p \vee \neg p$, for any $p$,
- $\forall p =_{\mathrm{def}} \neg\exists\neg p$,
- $\Diamond p =_{\mathrm{def}} (T\,U\,p)$,
- $\Box p =_{\mathrm{def}} \neg\Diamond\neg p$.

2.1.2 Semantics of CTL*

Let $M = (W, R, V)$ be a model, where $W$ is a non-empty set of states, $R \subseteq W \times W$ is a total binary (successor) relation on $W$ (i.e., each state has at least one $R$-successor), and $V : W \to 2^{AP}$ is a valuation function which assigns to each state the set of atomic propositions assumed to be true at this state. A (forward) fullpath starting at $w_0$ is an infinite sequence $x = (w_0, w_1, \ldots)$ of states such that $(w_i, w_{i+1}) \in R$ for each $i \geq 0$. $x^i$ denotes the suffix $(w_i, w_{i+1}, \ldots)$ of $x$. $M, w \models p$ ($M, x \models p$) denotes that the state (path) formula $p$ holds at the state $w$ (in the fullpath $x$, resp.) in the model $M$. $M$ is omitted if it is implicitly understood. $w \models p$ ($x \models p$) is defined inductively for an arbitrary state $w$ (a fullpath $x = (w_0, w_1, \ldots)$, resp.) as follows:
S-1 $w \models p$ iff $p \in V(w)$, for any atomic proposition $p \in AP$,
S-2 $w \models p \wedge q$ iff $w \models p$ and $w \models q$; $w \models \neg p$ iff not $w \models p$,
S-3 $w \models \exists p$ iff $x \models p$ for some forward fullpath $x$ starting at $w$,
P-1 $x \models p$ iff $w_0 \models p$, for any state formula $p$,
P-2 $x \models p \wedge q$ iff $x \models p$ and $x \models q$; $x \models \neg p$ iff not $x \models p$,
P-3 $x \models \bigcirc p$ iff $x^1 \models p$; $x \models (p\,U\,q)$ iff $(\exists i \geq 0)\ x^i \models q$ and $(\forall j : 0 \leq j < i)\ x^j \models p$.

A state formula $p$ is valid in the model $M$ (written $M \models p$) if for every state $w$ in $M$, $M, w \models p$. A set of state formulas $L$ is valid in the model $M$ (written $M \models L$) if for every formula $p \in L$, $M \models p$. A state formula $p$ is said to be valid (written $\models p$) if for every model $M$, $M \models p$. A state formula $p$ is satisfiable if for some model $M$ and some state $w$ in $M$, $M, w \models p$. In this case $M$ is said to be a model of $p$. A state formula $p$ is said to be a semantic consequence of a set of state formulas $L$ (written $L \models p$) if $M \models L$ implies $M \models p$, for every model $M$. The above notions are defined similarly for path formulas.


In what follows, proof systems composed of axioms and inference rules are given for restrictions of CTL*. As usual, $L \vdash p$ denotes that the formula $p$ can be derived from the set of formulas $L$ using the axioms and inference rules. A proof system is said to be sound and complete if $L \models p$ iff $L \vdash p$, for any finite set of formulas $L$ and any formula $p$. Before discussing logical features of CTL*, its restrictions UB and CTL are considered.

2.2 Unified System of Branching Time (UB) [3]

The first system discussed here, contained in CTL*, is the Unified System of Branching Time (UB). UB was introduced by Ben-Ari, Manna and Pnueli [3]. The UB basic modalities are $\exists\Diamond$, $\exists\bigcirc$, and $\exists\Box$ (and their duals $\forall\Box$, $\forall\bigcirc$, and $\forall\Diamond$). Now, the formal syntax of the UB language is given. As this language contains state formulas only, they are simply called formulas.

2.2.1 Syntax of UB

The set of UB formulas is the maximal one generated by the rules:
S-1 every member of $AP$ is a formula,
S-2 if $p$ and $q$ are formulas, then so are $\neg p$ and $p \wedge q$,
S-3 if $p$ is a formula, then so are $\exists\Box p$, $\exists\Diamond p$, and $\exists\bigcirc p$.
The derived basic modalities are:
- $\forall\Box p =_{\mathrm{def}} \neg\exists\Diamond\neg p$,
- $\forall\Diamond p =_{\mathrm{def}} \neg\exists\Box\neg p$,
- $\forall\bigcirc p =_{\mathrm{def}} \neg\exists\bigcirc\neg p$.

2.2.2 Semantics of UB

The semantics of UB is the subset of the semantics of CTL* concerning UB formulas. It follows from the semantics of CTL* that the UB formulas $\exists\Diamond p$ and $\exists\Box p$ have the following meaning:
- $M, w_0 \models \exists\Box p$ iff there is a forward fullpath $x = (w_0, w_1, \ldots)$ such that for all $i \geq 0$, $M, w_i \models p$,
- $M, w_0 \models \exists\Diamond p$ iff there is a forward fullpath $x = (w_0, w_1, \ldots)$ such that for some $i \geq 0$, $M, w_i \models p$.


2.2.3 Expressiveness of UB

The system UB (as well as CTL and CTL*) is used to specify properties of concurrent (or non-deterministic) programs. A frame of the logic represents an execution tree generated by a program. Therefore, for verifying program properties, the class of all possible models is restricted to the class of all execution trees of a given program. Now, the properties which can be expressed about these execution trees are listed. A safety property is expressible as an invariance assertion of the form $\forall\Box p$, which expresses that $p$ holds at all states of a computation tree. For example, mutual exclusion can be specified by the formula $\forall\Box(\neg(CS_1 \wedge CS_2))$, where $CS_i$ holds at a state if process $i$ has entered its critical section. A liveness property is expressible as an inevitability assertion $\forall\Diamond p$, which says that $p$ holds at some state of each path. For example, the absence of starvation can be expressed by the formula $(TRY_i \to \forall\Diamond(CS_i))$, where $TRY_i$ holds at a state if process $i$ is ready to enter the critical section. A possibility property is expressed by a formula of the form $\exists\Diamond p$. Fairness constraints are not expressible in UB.

2.2.4 A proof system for UB

The proof system for UB that can be extracted from the proof system for CTL is shown below. This proof system is equivalent to the original proof system for UB given in [3].

Axioms:
A-1 All substitution instances of propositional calculus tautologies
A-2 $\exists\bigcirc(p \vee q) \leftrightarrow \exists\bigcirc p \vee \exists\bigcirc q$
A-3 $\exists\Diamond p \leftrightarrow p \vee \exists\bigcirc\exists\Diamond p$
A-4 $\exists\Box p \leftrightarrow p \wedge \exists\bigcirc\exists\Box p$
A-5 $\exists\bigcirc T$

Inference rules:
(a) $p,\ p \to q \vdash q$
(b) $p \to q \vdash \exists\bigcirc p \to \exists\bigcirc q$
(c) $r \to (\neg q \wedge \exists\bigcirc r) \vdash r \to \exists\Box\neg q$
(d) $r \to (\neg q \wedge \forall\bigcirc(r \vee \neg\exists\Diamond q)) \vdash r \to \neg\exists\Diamond q$

Axioms A-3 and A-4 show that $\exists\Diamond p$ and $\exists\Box p$ can be defined by fixed point equalities. A-5 says that each state does have a successor.


2.2.5 A characterization of UB

A logical characterization of UB is now presented. It contains results concerning the completeness of the given proof system, the finite model property and the complexity of checking satisfiability. Firstly, it is stated formally that the proof system for UB is satisfactory.

Theorem 2.1 The proof system for UB is sound and complete.

The finite model property is an important feature of a logic, enabling one to apply standard constructions for checking satisfiability.

Theorem 2.2 UB has the finite model property.

Below, it is shown that the satisfiability problem for UB is decidable, and the complexity of the algorithm is given.

Theorem 2.3 There is a deterministic algorithm, of exponential complexity in the length of the tested formula, for deciding whether a UB formula is satisfiable.

It turns out that there is no better algorithm for testing satisfiability, since the complexity of the algorithm matches a lower bound for satisfiability.

Theorem 2.4 ([11, 17]) There is a deterministic exponential time lower bound for UB satisfiability.

The proof sketches of the above theorems are given for CTL, an extension of UB.

2.3 Computation Tree Logic (CTL)

Computation Tree Logic (CTL) was defined in [4], [5] and also in [1]. It extends UB by introducing the new path modality $U$. In the language of CTL, a single linear time operator ($\Diamond$, $\Box$, or $U$) can follow the path quantifier ($\forall$ or $\exists$). Below, the formal syntax and semantics of CTL are given.

2.3.1 Syntax of CTL

The set of CTL formulas $FORM$ is the maximal one generated by the rules:
S-1 every member of $AP$ is a formula,
S-2 if $p$ and $q$ are formulas, then so are $\neg p$ and $p \wedge q$,
S-3 if $p$, $q$ are formulas, then so are $\forall(p\,U\,q)$, $\exists(p\,U\,q)$, and $\exists\bigcirc p$.

The derived basic modalities are:  9 3 p def = 9(TU p),

 8 3 p def = 8(TU p).

2.3.2 Semantics of CTL

The semantics of CTL is the subset of the semantics of CTL* (defined in Section 2.1.2) concerning CTL formulas.

2.3.3 Expressiveness of CTL

All the properties expressible in UB are obviously expressible in CTL. Formulas expressing new properties contain the modality $U$. For example, the relative order of events can be specified: e.g., the fact that process $i$ must enter its trying region ($TRY_i$) before gaining access to its critical region ($CS_i$) along all computation paths can be expressed as $\forall((\neg CS_i)\,U\,(TRY_i))$. As in UB, fairness constraints are not expressible in CTL.

2.3.4 A proof system for CTL

The proof system is given in terms of state formulas, since CTL formulas are state formulas only.

Axioms:
A-1 All substitution instances of propositional calculus tautologies
A-2 $\exists\bigcirc(p \vee q) \leftrightarrow \exists\bigcirc p \vee \exists\bigcirc q$
A-3 $\exists(p\,U\,q) \leftrightarrow q \vee (p \wedge \exists\bigcirc\exists(p\,U\,q))$
A-4 $\forall(p\,U\,q) \leftrightarrow q \vee (p \wedge \forall\bigcirc\forall(p\,U\,q))$
A-5 $\exists\bigcirc T$

Inference rules:
(a) $p,\ p \to q \vdash q$
(b) $p \to q \vdash \exists\bigcirc p \to \exists\bigcirc q$
(c) $r \to (\neg q \wedge \exists\bigcirc r) \vdash r \to \neg\forall(p\,U\,q)$
(d) $r \to (\neg q \wedge \forall\bigcirc(r \vee \neg\exists(p\,U\,q))) \vdash r \to \neg\exists(p\,U\,q)$


2.3.5 A characterization of CTL [11]

CTL is shown to have the finite model property, to be decidable, and to possess a complete proof system. The first step consists in establishing that CTL has the finite model property, i.e., that if a formula $p$ is satisfiable, then it is satisfiable in a finite model whose size is bounded by some function $f$ of the length of the formula $p$. Having established this property, a non-deterministic algorithm to determine the satisfiability of the formula $p$ is given. This algorithm runs in time polynomial in the size of a model for $p$: it guesses a model of size no more than $f(length(p))$ and checks whether it is a model for $p$. However, it turns out that it is possible to find a faster algorithm for testing CTL satisfiability. This is shown in Theorem 2.11.

Theorem 2.5 CTL has the finite model property.

Proof: There are two stages. Stage 1 defines the quotient structure of a Hintikka structure. Then in stage 2 the quotient structure is unwound in order to get a finite model.

Stage 1

The notions of a structure and of a Hintikka structure have to be defined. A structure is a triple $M = (W, R, L)$, where $W$ is a non-empty set of states, $R \subseteq W \times W$ is a binary relation on $W$, and $L : W \to 2^{FORM}$ is a function assigning to each state a set of formulas. Notice that a structure $M$ is a model if $(\forall w \in W)(\forall p \in L(w))\ (M, w \models p \text{ iff } p \in L(w))$. Next, Hintikka structures are dealt with. Roughly speaking, a Hintikka structure is a structure where the formulas of $L(w)$ "true" at the state $w$ satisfy certain consistency conditions which seem weaker than those required of $L$ in the case of a model. However, it is shown that the notions of a model and of a Hintikka structure are in some sense equivalent.

Definition 2.6 A Hintikka structure (for $p_0$) is a structure $M = (W, R, L)$, where $R$ is a total relation (and $p_0 \in L(w)$ for some $w \in W$) and $L$ satisfies the following conditions:
H-1 if $\neg p \in L(w)$ then $p \notin L(w)$,
H-2 if $\neg\neg p \in L(w)$ then $p \in L(w)$,
H-3 if $p \wedge q \in L(w)$ then $p, q \in L(w)$,
H-4 if $\neg(p \wedge q) \in L(w)$ then $\neg p \in L(w)$ or $\neg q \in L(w)$,
H-5 if $\exists(p\,U\,q) \in L(w)$ then $q \in L(w)$ or $p, \exists\bigcirc\exists(p\,U\,q) \in L(w)$,
H-6 if $\neg\exists(p\,U\,q) \in L(w)$ then $\neg q, \neg p \in L(w)$ or $\neg q, \neg\exists\bigcirc\exists(p\,U\,q) \in L(w)$,
H-7 if $\forall(p\,U\,q) \in L(w)$ then $q \in L(w)$ or $p, \neg\exists\bigcirc\neg\forall(p\,U\,q) \in L(w)$,
H-8 if $\neg\forall(p\,U\,q) \in L(w)$ then $\neg q, \neg p \in L(w)$ or $\neg q, \exists\bigcirc\neg\forall(p\,U\,q) \in L(w)$,
H-9 if $\exists\bigcirc p \in L(w)$ then $\exists v\ ((w, v) \in R$ and $p \in L(v))$,
H-10 if $\neg\exists\bigcirc p \in L(w)$ then $\forall v\ ((w, v) \in R$ implies $\neg p \in L(v))$,
H-11 if $\exists(p\,U\,q) \in L(w)$ then there is a forward fullpath $x$ starting at $w$ and a state $v$ on $x$ such that $q \in L(v)$ and $p \in L(v')$ for all $v'$ before $v$ on $x$,
H-12 if $\forall(p\,U\,q) \in L(w)$ then for all forward fullpaths $x$ starting at $w$ there is a state $v$ on $x$ such that $q \in L(v)$ and $p \in L(v')$ for all $v'$ before $v$ on $x$.

It can easily be proved that a CTL formula $p$ is satisfiable iff there is a Hintikka structure for $p$. Now, looking for a finite model for a satisfiable formula $p_0$, the Fischer-Ladner closure (see [17]) of $p_0$ is defined. Let $C(p_0)$ be the least set of formulas containing $p_0$ and satisfying the following conditions:
C-1 if $\neg p \in C(p_0)$ then $p \in C(p_0)$,
C-2 if $p \wedge q \in C(p_0)$ then $p, q \in C(p_0)$,
C-3 if $\exists\bigcirc p \in C(p_0)$ then $p \in C(p_0)$,
C-4 if $\exists(p\,U\,q) \in C(p_0)$ then $q, p, \exists\bigcirc\exists(p\,U\,q) \in C(p_0)$,
C-5 if $\forall(p\,U\,q) \in C(p_0)$ then $q, p, \neg\exists\bigcirc\neg\forall(p\,U\,q) \in C(p_0)$.
Let $FL(p_0) = C(p_0) \cup \neg C(p_0)$, where $\neg C(p_0) = \{\neg p \mid p \in C(p_0)\}$. It can be shown by induction on the length of the formula that $card(FL(p_0)) \leq 2|p_0|$, where $card(S)$ denotes the number of elements of a set $S$.

Let $M = (W, R, V)$ be a model for $p_0$, and let $\equiv_{FL(p_0)}$ be the equivalence relation on $W$ defined as follows: $w_1 \equiv_{FL(p_0)} w_2$ iff $(\forall q \in FL(p_0))\ (w_1 \models q \text{ iff } w_2 \models q)$. $[w]$ denotes the set $\{v \in W \mid w \equiv_{FL(p_0)} v\}$. The quotient structure of $M$ by $\equiv_{FL(p_0)}$ is the structure $M' = (W', R', L')$, where $W' = \{[w] \mid w \in W\}$, $R' = \{([w], [v]) \in W' \times W' \mid \exists w' \in [w],\ \exists v' \in [v] : (w', v') \in R\}$, and $L'([w]) = \{q \in FL(p_0) \mid w \models q\}$.

Unfortunately, $M'$ need not be a Hintikka structure for $p_0$: the satisfiability of formulas of the form $\forall(p\,U\,q)$ may not be preserved. However, the quotient structure $M'$ provides some useful information. It is easy to check that $M'$ satisfies all the conditions of the definition of a Hintikka structure except possibly H-12. Instead, $M'$ satisfies another important condition which makes it possible to prove $M'$ to be modally equivalent to some Hintikka structure. The definition of modally equivalent structures is as follows. Two structures $M = (W, R, L)$ and $M' = (W', R', L')$ are said to be modally equivalent if $(\forall p \in FORM)\ ((\exists w \in W)\ p \in L(w) \text{ iff } (\exists w' \in W')\ p \in L'(w'))$. The following definitions are used in the next part of the proof.

Definition 2.7 Given a structure $M = (W, R, L)$, an interior (frontier) node of $M$ is one having (not having, resp.) an $R$-successor. The root of $M$ is the unique node (if it exists) from which all other nodes are accessible by the relation $R$.

Directed acyclic graphs are known as dags.

Definition 2.8 A fragment $N = (W, R, L)$ is a rooted structure for which all the interior nodes satisfy H-1 to H-10 and all the frontier nodes satisfy H-1 to H-8, and whose graph is a finite dag. Given $M_1 = (W_1, R_1, L_1)$ and $M_2 = (W_2, R_2, L_2)$, $M_1$ is said to be contained in $M_2$, written $M_1 \subseteq M_2$, iff $W_1 \subseteq W_2$, $R_1 \subseteq R_2$ and $L_1 = L_2|_{W_1}$.

Remember that $M = (W, R, V)$ is a model for $p_0$ and $M' = M/\!\equiv_{FL(p_0)} = (W', R', L')$.

Lemma 2.9 Suppose $\forall(p\,U\,q) \in L'([w_0])$. Then there is a fragment $N$ rooted at $[w_0]$ and contained in $M'$ such that for all the frontier nodes $v$ of $N$, $q \in L'(v)$, and for all the interior nodes $u$ of $N$, $p \in L'(u)$.

Now, a pseudo-Hintikka structure can be defined.

Definition 2.10 A pseudo-Hintikka structure (for $p_0$) is a structure $M = (W, R, L)$ with $R$ total (and such that $p_0 \in L(w)$ for some $w \in W$, resp.) which satisfies H-1 to H-11 and such that for all $w \in W$ the following condition holds:
H-12' $\forall(p\,U\,q) \in L(w)$ implies that there is a fragment $N$ rooted at $w$ and contained in $M$ such that for all the frontier nodes $v$ of $N$, $q \in L(v)$, and for all the interior nodes $u$ of $N$, $p \in L(u)$.


It can be proved that the quotient structure $M'$ is a pseudo-Hintikka structure.

Stage 2

The only thing to show in the second stage of the proof is that the pseudo-Hintikka structure $M'$ for $p_0$ is modally equivalent to some Hintikka structure for $p_0$. This is done by "unwinding" the pseudo-Hintikka structure in the way described fully in [11]. Here, the main steps of the proof are presented. Formulas of the form $\exists\bigcirc p$, $\forall(p\,U\,q)$, and $\exists(p\,U\,q)$ are said to be eventuality formulas. Firstly, notice that for each $w$ of $W'$ and each eventuality formula $p \in L'(w)$, there is a fragment, call it $DAG[w, p]$, contained in $M'$ in which $p$ is satisfied. This follows from the definition of a pseudo-Hintikka structure. Secondly, it is shown how to use these DAGs to construct for each node $w$ of $W'$ a fragment, call it $FRAG[w]$, such that every eventuality formula from $L'(w)$ is satisfied in $FRAG[w]$. Notice that if $p \in L'(w)$, then for every fragment containing $w$, either the appropriate condition H holds for $p$ in the fragment (e.g. H-11 for $\exists(p_1\,U\,q)$, or H-12 for $\forall(p_1\,U\,q)$) or the conditions required to fulfil it are propagated to the frontier nodes. For $\forall(p_1\,U\,q)$ this means that for every path in the fragment from $w$ to a frontier node $v$, either $q \in L'(w')$ for some $w'$ on the path and $p_1 \in L'(w'')$ for all $w''$ on the path between $w$ and $w'$, or $p_1, \forall(p_1\,U\,q) \in L'(v')$ for every $v'$ on the path. $FRAG[w]$ is constructed inductively. Let $p_1, \ldots, p_n$ be a list of all eventuality formulas from $L'(w)$. $FRAG_0$ consists of $w$ and enough successors to ensure H-9. $FRAG_{j+1}$ is obtained from $FRAG_j$ by extending the frontier nodes as follows. If $p_{j+1}$ is fulfilled for $w$ in $FRAG_j$, then $FRAG_{j+1} = FRAG_j$. Otherwise, every or some (depending on $p_{j+1}$) frontier node $v$ is replaced by a copy of $DAG[v, p_{j+1}]$. Moreover, new frontier nodes that are copies of the same node are identified.

Then, it is shown how to get a Hintikka structure from the FRAGs. The construction is performed inductively, in stages. Let $M_1$ be $FRAG[w_0]$ with $w_0 \in W'$ and $p_0 \in L'(w_0)$. Now, for each frontier node $w$ of $M_i$, if there is an interior node $w'$ of $M_i$ such that $L'(w) = L'(w')$, $FRAG[w']$ is contained in $M_i$, and the only arcs from nodes of $FRAG[w']$ to nodes of $M_i$ begin at frontier nodes of $FRAG[w']$, then $w$ and $w'$ are identified. Otherwise, $w$ is replaced by a copy of $FRAG[w]$ constructed before. The construction terminates at the least $m$ for which $M_m$ has an empty set of frontier nodes; $M_m$ is a Hintikka structure for $p_0$. It can be shown that if $|p_0| = n$, then the pseudo-Hintikka structure for $p_0$ is of size not larger than $2^n$ and the Hintikka structure for $p_0$ is of size not larger than $n \cdot 8^n$.


Next, it is shown that there is a better algorithm for testing the satisfiability of $p_0$ than the one which would examine all the finite pseudo-Hintikka structures of size less than $2^{|p_0|}$ in order to find one for $p_0$.

Theorem 2.11 There is a deterministic algorithm, of exponential complexity in the length of the tested formula, for deciding whether a CTL formula is satisfiable.

Proof: Let $p_0$ be a given formula which is to be tested for satisfiability. A pseudo-Hintikka structure for $p_0$ of size not larger than $2^{|p_0|}$ is constructed.

Step 1 The first step starts with building a structure $M_0 = (W_0, R_0, L_0)$, where $W_0 = \{w \mid w \subseteq FL(p_0),\ w \text{ is maximal and satisfies H-1 to H-8}\}$ (maximality means that $\forall p \in FL(p_0)\ (p \in w \text{ or } \neg p \in w)$); $L_0(w) = w$; and $R_0 \subseteq W_0 \times W_0$ is such that for every $w, v \in W_0$, $(w, v) \in R_0$ iff, for every $p$, $\neg\exists\bigcirc p \in w$ implies $\neg p \in v$.

Step 2 The next step consists in building a structure $M_1$ obtained from $M_0$ by repeatedly eliminating all nodes for which the conditions H-9 to H-11 and H-12' are not satisfied or which do not have at least one successor. If the resulting structure is not empty and contains a state $w_0$ such that $p_0 \in w_0$, then it is a pseudo-Hintikka structure for $p_0$. Thus $p_0$ is satisfiable. The complexity of such an algorithm is $DTIME(2^{cn})$ for some $c \geq 1$ and $|p_0| = n$.

Note that there is a deterministic exponential time lower bound for CTL satisfiability, as UB is contained in CTL.

Theorem 2.12 The proof system for CTL is sound and complete.

Proof: It has to be shown that any consistent formula $p$ (i.e., $\nvdash \neg p$) is satisfiable. So, $p_0$ is supposed to be a consistent CTL formula. A pseudo-Hintikka structure for $p_0$ is built as in the proof of the decidability theorem. Let $w \in W_0$ and define the formula $p_w$ as the conjunction of the formulas in $w$, i.e., $p_w = \bigwedge_{q \in w} q$. By maximality of $w$, it follows that if $q \in FL(p_0)$, then $q \in w$ iff $\vdash p_w \to q$. The proof consists in showing that if a state $w \in W_0$ is eliminated in the algorithm of the decidability theorem proof, then $p_w$ is inconsistent. Once this is shown, the continuation is as follows. It can be easily observed that:

$$\vdash p_0 \leftrightarrow \bigvee \{\, p_w \mid p_0 \in w,\ p_w \text{ is consistent} \,\}.$$


Thus, if $p_0$ is consistent, some $p_w$ is consistent as well. This $w$ is not eliminated in the construction. A pseudo-Hintikka structure for $p_0$ is obtained. Therefore $p_0$ is satisfiable.

Next, it is proved, by induction on when a state is eliminated, that if a state $w$ is eliminated then $\vdash \neg p_w$. It is easy to check that if $w$ is eliminated at step 1, then $p_w$ must be inconsistent. Then, it is shown that if the formula $p_w$ is consistent, then $w$ is not eliminated at step 2. Firstly, observe that if $(w, v) \notin R_0$, then $p_w \wedge \exists\bigcirc p_v$ is inconsistent. By definition, $\neg\exists\bigcirc p \in w$ and $p \in v$ for some $p$. Now, $\vdash (p_w \wedge \exists\bigcirc p_v) \to (\neg\exists\bigcirc p \wedge \exists\bigcirc p)$. Thus, $p_w \wedge \exists\bigcirc p_v$ is inconsistent. Secondly, it is shown that if a state $w$ is eliminated at step 2, then $\vdash \neg p_w$. Only the case when H-11 is not satisfied at $w$ is considered here; the other cases have similar proofs. Therefore, suppose $w$ is eliminated at step 2 on account of H-11 failing at $w$ with respect to $\exists(p\,U\,q)$. The formula $p_w$ is shown to be inconsistent. Let $V = \{v \mid \exists(p\,U\,q) \in v$ and $v$ is eliminated at step 2 because H-11 fails$\}$. Since H-11 fails, $\vdash p_v \to \neg q$ for each $v \in V$. Let $r = \bigvee_{v \in V} p_v$. Of course, $\vdash r \to \neg q$. Suppose it can be shown that $\vdash r \to \forall\bigcirc(r \vee \neg\exists(p\,U\,q))$. Then, by the inference rule (d), $\vdash r \to \neg\exists(p\,U\,q)$. Since $w \in V$, $\vdash p_w \to \neg\exists(p\,U\,q)$. But, by assumption, $\exists(p\,U\,q) \in w$, so $p_w$ must be inconsistent. In order to show $\vdash r \to \forall\bigcirc(r \vee \neg\exists(p\,U\,q))$, it suffices to show that for each $v \in V$, $\vdash p_v \to \forall\bigcirc(r \vee \neg\exists(p\,U\,q))$. Suppose this is not true. Then for some $v \in V$, $p_v \wedge \exists\bigcirc(\neg r \wedge \exists(p\,U\,q))$ is consistent. As $\vdash \neg r \leftrightarrow \bigvee_{v' \notin V} p_{v'}$, $p_v \wedge \exists\bigcirc(p_{v'} \wedge \exists(p\,U\,q))$ is consistent for some $v' \notin V$. Therefore, both $p_v \wedge \exists\bigcirc p_{v'}$ and $p_{v'} \wedge \exists(p\,U\,q)$ are consistent. The former implies $(v, v') \in R_0$ and the latter implies $\exists(p\,U\,q) \in v'$ (by maximality). But if $\exists(p\,U\,q) \in v'$ and $v' \notin V$, then H-11 must hold for $v'$. Since $(v, v') \in R_0$ and $p \in v$ (as $\exists(p\,U\,q) \in v$), H-11 must also hold for $v$, contradicting the fact that $v \in V$. In this way it has been shown that only states $w$ with $p_w$ inconsistent are eliminated. This ends the proof.

2.3.6 Model checking for CTL [5]

Model checking is a method of algorithmically verifying a formula against a model. Given a finite model $M$ (representing the behaviour of a concurrent system) and a CTL formula $p$ representing a property, in order to establish whether the concurrent system satisfies the property, it is checked whether the formula $p$ holds in the model $M$. It turns out that the complexity of this problem is polynomial.


Theorem 2.13 There is a deterministic algorithm, of complexity $O(|p| \cdot (card(W) + card(R)))$, for determining whether a CTL formula $p$ holds at the state $w$ in the finite model $M = (W, R, V)$.

Proof: Let $M = (W, R, V)$ be a finite model. It is checked whether $M$ is a model for a formula $p$. The algorithm shown here is designed so that when it finishes, each state $w$ of $M$ is labelled with the subformulas of $p$ which hold at $w$. The algorithm operates in stages. The $i$-th stage handles all subformulas of $p$ of length $i$, for $i \leq |p|$. Thus, at the end of the last stage each state is labelled with all subformulas of $p$ holding at it. It can easily be noticed that the following equivalence holds:

$$\forall(p_1\,U\,p_2) \leftrightarrow \neg(\exists(\neg p_2\,U\,(\neg p_1 \wedge \neg p_2)) \vee \exists\Box\neg p_2).$$

Because of that, only six cases have to be considered, depending on whether $p$ is atomic or has one of the following forms: $\neg p_1$, $p_1 \wedge p_2$, $\exists\bigcirc p_1$, $\exists(p_1\,U\,p_2)$, or $\exists\Box p_1$. The algorithm is discussed for the last two cases, as the others are straightforward. To handle a formula of the form $p = \exists(p_1\,U\,p_2)$, the algorithm first finds all states which are labelled with $p_2$ and labels them with $p$. Then, it goes backwards using the relation $R^{-1}$ and finds all states which can reach one of them by a path in which each state is labelled with $p_1$. All such states are labelled with $p$. This step requires time $O(card(W) + card(R))$. Now, the case when $p = \exists\Box p_1$ is considered. Firstly, a structure $M' = (W', R', V')$ is constructed, where $W' = \{w \in W \mid M, w \models p_1\}$, $R' = R \cap (W' \times W')$ and $V' = V|_{W'}$. Secondly, the graph $(W', R')$ is partitioned into maximal strongly connected components, i.e., maximal subgraphs in which there is a path of arrows between each two nodes. Those states which belong to components of size greater than 1 or with a self-loop are selected. Then the algorithm goes backwards using $R^{-1}$ and finds all those states which can reach a selected state by a path in which each state is labelled with $p_1$. This step also requires time $O(card(W) + card(R))$. In order to handle an arbitrary CTL formula $p$, the state-labelling algorithm is successively applied to the subformulas of $p$, starting with the shortest and most deeply nested one. Since each pass takes time $O(card(W) + card(R))$ and since $p$ has at most $|p|$ different subformulas, the algorithm requires time $O(|p| \cdot (card(W) + card(R)))$.

Next, the most powerful branching time logic CTL* is discussed. It subsumes UB as well as CTL.

Branching Time Temporal Logics

219

2.4 Computation Tree Logic* (CTL*) - again

UB and CTL cannot be used for specifying many important properties of concurrent programs since their languages are too weak. Therefore, if one wants to specify more properties, including e.g. fairness requirements, then CTL* has to be applied.

2.4.1 Expressiveness of CTL*

All the properties expressible in CTL are obviously expressible in CTL*. The following combinations of linear time operators are useful for expressing fairness constraints in CTL*:

• $\Diamond\Box p$ (abbreviated $\overset{\infty}{\Box} p$), and
• $\Box\Diamond p$ (abbreviated $\overset{\infty}{\Diamond} p$).

Consider, for example, a simple computation fullpath, and let $enabled_i$ hold at all moments of the fullpath at which process $i$ is ready for execution, and let $executed_i$ hold at each state at which it is actually scheduled for execution. Then, the fairness assumptions for a family of $m$ processes are expressed by the following formulas:

• $\bigwedge_{i=1}^{m} \overset{\infty}{\Diamond} executed_i$ - impartiality,
• $\bigwedge_{i=1}^{m} (\overset{\infty}{\Diamond} enabled_i \rightarrow \overset{\infty}{\Diamond} executed_i)$ - fairness,
• $\bigwedge_{i=1}^{m} (\overset{\infty}{\Box} enabled_i \rightarrow \overset{\infty}{\Diamond} executed_i)$ - justice.

Now, some examples of CTL* formulas that are not CTL formulas are given.

• $\exists((p U q) \vee \Box p)$, which expresses the weak until property along a path,
• $\exists \overset{\infty}{\Box} executed_i$, which describes an unfair computation path along which, after a certain point in time, only process $i$ is scheduled for execution.
• Similarly, the condition that all execution sequences of a family of $m$ processes are impartial, given by $\forall \bigwedge_{i=1}^{m} \overset{\infty}{\Diamond} executed_i$, is not a CTL formula.

The question concerning axiomatizability of CTL* is still open. Checking whether a CTL* formula is satisfiable is much more difficult than in the case of CTL. But this is still decidable.

Temporal Logics on Partial Orders

220

Theorem 2.14 [13] There is an algorithm for deciding whether a CTL* formula is satisfiable, of deterministic double exponential complexity in the length of the formula. $\square$

The proof of this theorem consists in showing that the satisfiability problem can be reduced to testing non-emptiness of tree automata. A lower bound of deterministic double exponential time has also been established [42]. In [6], a deterministic double exponential algorithm for CTL* interpreted over fair structures has been defined.

2.4.2 Model checking for CTL*

The model checking problem for CTL is solvable in deterministic linear time. The situation is different for CTL*. Unfortunately, the method of assigning the subformulas of a tested formula to the states of the model cannot be applied. One has to use more powerful automata theoretic methods.

Theorem 2.15 [36] Model checking for CTL* is PSPACE-complete. $\square$

The main reason that CTL* is not broadly applied is the high complexity of checking satisfiability and performing model checking. There are, however, many logics "between" CTL and CTL* (which were not mentioned here) like CTL+ [11], ECTL and ECTL+ [10], [7], and FCTL [14], which extend the expressiveness of CTL, but still have less complicated algorithms for testing satisfiability and for model checking than CTL*. It should also be mentioned that there are branching time logics with syntax like CTL or CTL*, the formulas of which are interpreted over fair structures [6], Abrahamson structures (suffix and fusion closed) [2] and probabilistic structures [24]. These logics have also been shown to be decidable and to have the finite model property.

3 Temporal Logics on Partial Orders

The aim of this section is to present the existing formal languages of temporal logic which are used to specify behaviours of concurrent systems represented by partial orders. These logics have either partial order frames (event structure logics and ISTL) or pre-order frames (POTL, POTL[U; Ũ]) representing partially ordered computations. Firstly, the formal systems POTL, POTL[U; Ũ], and ISTL are discussed. Their frames can be linked with behaviours of concurrent systems represented by general partial order structures. Then, the logics interpreted over event structures: SESL, ESL, ESL[], DESL, and ESL[C] are presented. There are two ways in which a frame can represent the behaviour of a concurrent system. The first possibility is the one used for branching time temporal logics, i.e., a frame represents an entire concurrent system (see SESL, ESL, DESL, ESL[C]). The second option is the one used for linear time temporal logics, i.e., a frame represents one run (full execution) of a concurrent system. In this case, a structure representing the full behaviour of a concurrent system is defined as a set of frames, one for each run (see POTL, POTL[U; Ũ], ISTL).

3.1 Partial Order Temporal Logic (POTL)

Firstly, the definitions of temporal logics for reasoning about partially ordered computations are given. These logics, called POTL and POTL[U; Ũ], were defined by Pinter and Wolper [34], and Kornatzky and Pinter [18]. POTL[U; Ũ] is the extension of POTL obtained by introducing Until and Since. POTL is intended to describe partially ordered computations directly. Thus, it is able to specify that states have several successors and several predecessors. A state with several successors can be viewed as corresponding to a fork (creating new processes) and a state with several predecessors as representing a join (merging processes). Hence POTL includes temporal operators to talk about several successors and several predecessors. POTL can also be viewed as a branching time temporal logic (UB) with "past" operators $\exists\tilde{\bigcirc}$, $\exists\tilde{\Diamond}$, and $\exists\tilde{\Box}$. The language of POTL is an extension of the language of UB obtained by allowing quantification over backward paths. Therefore, POTL also has the basic modalities $\exists\tilde{\bigcirc}$, $\exists\tilde{\Diamond}$, and $\exists\tilde{\Box}$ (and their duals $\forall\tilde{\bigcirc}$, $\forall\tilde{\Box}$, and $\forall\tilde{\Diamond}$). Now, a formal syntax of POTL formulas is given.

3.1.1 Syntax of POTL

Let $AP$ be a set of atomic propositions. The set of POTL formulas is defined inductively:

S-1 every member of $AP$ is a formula,
S-2 if $p, q$ are formulas, then so are $\neg p$ and $p \wedge q$,
S-3 if $p$ is a formula, then so are $\exists\bigcirc p$, $\exists\Diamond p$, $\exists\Box p$,
S-4 if $p$ is a formula, then so are $\exists\tilde{\bigcirc} p$, $\exists\tilde{\Diamond} p$, and $\exists\tilde{\Box} p$.

The other connectives $\vee$, $\rightarrow$ and $\leftrightarrow$ are defined in the standard way. The derived basic forward path modalities are as for UB. Those dealing with backward paths are defined below:

• $\forall\tilde{\Box} p \stackrel{def}{=} \neg\exists\tilde{\Diamond}\neg p$,
• $\forall\tilde{\Diamond} p \stackrel{def}{=} \neg\exists\tilde{\Box}\neg p$,
• $\forall\tilde{\bigcirc} p \stackrel{def}{=} \neg\exists\tilde{\bigcirc}\neg p$.

3.1.2 Semantics of POTL

Let $M = (W, R, V)$ be a model, where $W$ is a non-empty set of states, $R \subseteq W \times W$ is a binary relation on $W$ such that $R$ and $R^{-1}$ are total (i.e., each state has at least one $R$-successor and one $R$-predecessor), and $V : W \rightarrow 2^{AP}$ is a valuation function which assigns to each state a set of atomic propositions. A forward (backward) fullpath is an infinite sequence $x = (w_0, w_1, \ldots)$ of states such that $(w_i, w_{i+1}) \in R$ ($\in R^{-1}$, resp.) for each $i \ge 0$. As before, $x_i$ denotes the $i$-th state of the fullpath $x$, and $M, w \models p$ ($M, x \models p$) denotes that the state (path) formula $p$ holds at the state $w$ (in the fullpath $x$, resp.) in the model $M$. $M$ is omitted if it is implicitly understood. Let $x = (w_0, w_1, \ldots)$ be a forward or backward fullpath; $w_0 \models p$ is defined inductively for an arbitrary state $w_0$ as follows:

S-1 $w_0 \models p$ iff $p \in V(w_0)$, for any atomic proposition $p \in AP$,
S-2 $w_0 \models \neg p$ iff not $w_0 \models p$; $w_0 \models p \wedge q$ iff $w_0 \models p$ and $w_0 \models q$,
S-3 $w_0 \models \exists\bigcirc p$ iff for some forward fullpath $x$ starting at $w_0$, $w_1 \models p$;
 $w_0 \models \exists\Diamond p$ iff for some forward fullpath $x$ starting at $w_0$, $w_i \models p$ for some $i \ge 0$;
 $w_0 \models \exists\Box p$ iff for some forward fullpath $x$ starting at $w_0$, $w_i \models p$ for all $i \ge 0$,
S-4 $w_0 \models \exists\tilde{\bigcirc} p$ iff for some backward fullpath $x$ starting at $w_0$, $w_1 \models p$;
 $w_0 \models \exists\tilde{\Diamond} p$ iff for some backward fullpath $x$ starting at $w_0$, $w_i \models p$ for some $i \ge 0$;
 $w_0 \models \exists\tilde{\Box} p$ iff for some backward fullpath $x$ starting at $w_0$, $w_i \models p$ for all $i \ge 0$.

It can be noticed that the semantics of POTL is identical to the semantics of UB except for the rules incorporating the new backward path modalities. The other notions, like satisfiability, validity, and validity in the model, are defined similarly to the case of UB.
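The state-labelling algorithm from the proof of Theorem 2.13, extended to the backward modalities defined above (each backward case is the forward case evaluated over $R^{-1}$) and to $\exists(p\,U\,q)$, of which $\exists\Diamond q$ is the special case $\exists(\top\,U\,q)$; this is an added Python example, not code from the paper. The tuple encoding of formulas, the 4-state model and its state names are constructed, and $R$ and $R^{-1}$ are assumed total as in the POTL model above.

```python
# Formulas are nested tuples (a constructed encoding, not the paper's syntax): ("true",),
#   ("ap", a), ("not", f), ("and", f, g), ("EX", f, d), ("EU", f, g, d), ("EG", f, d), with
#   d = "fwd" or "bwd"; a "bwd" modality is the POTL backward operator evaluated over R^{-1}.

def _succ(R, d):
    """Successor map in direction d: along R for "fwd", along R^{-1} for "bwd"."""
    adj = {}
    for (u, v) in R:
        adj.setdefault(u if d == "fwd" else v, set()).add(v if d == "fwd" else u)
    return adj

def label_eu(R, sat_f, sat_g, d):
    """E(f U g), Theorem 2.13: label the g-states, then walk against d through f-states."""
    back = _succ(R, "bwd" if d == "fwd" else "fwd")   # R^{-1} for the forward modality
    result, stack = set(sat_g), list(sat_g)
    while stack:
        v = stack.pop()
        for u in back.get(v, ()):
            if u in sat_f and u not in result:
                result.add(u); stack.append(u)
    return result

def _sccs(nodes, adj):
    """Tarjan's algorithm: the strongly connected components of the graph (nodes, adj)."""
    index, low, on_stack, stack, comps = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in adj.get(v, ()):
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component
            comp, w = set(), None
            while w != v:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
            comps.append(comp)
    for v in nodes:
        if v not in index: visit(v)
    return comps

def label_eg(R, sat_f, d):
    """EG f, R total: restrict R to f-states, seed with the states of a nontrivial SCC (size > 1 or a self-loop), walk back through f-states."""
    R1 = {(u, v) for (u, v) in R if u in sat_f and v in sat_f}
    adj, seeds = _succ(R1, d), set()
    for comp in _sccs(sat_f, adj):
        if len(comp) > 1 or any(w in adj.get(w, ()) for w in comp):
            seeds |= comp
    return label_eu(R1, sat_f, seeds, d)

def check(model, f):
    """States of model = (W, R, V) at which f holds, by recursion on subformulas."""
    W, R, V = model
    sub, op = (lambda g: check(model, g)), f[0]
    if op == "true": return set(W)
    if op == "ap": return {w for w in W if f[1] in V[w]}
    if op == "not": return W - sub(f[1])
    if op == "and": return sub(f[1]) & sub(f[2])
    if op == "EX": adj, s = _succ(R, f[2]), sub(f[1]); return {w for w in W if adj.get(w, set()) & s}
    if op == "EU": return label_eu(R, sub(f[1]), sub(f[2]), f[3])
    if op == "EG": return label_eg(R, sub(f[1]), f[2])
    raise ValueError(op)

# Derived operators; AU uses the equivalence stated in the proof of Theorem 2.13.
TRUE = ("true",)
def NOT(f): return ("not", f)
def AND(f, g): return ("and", f, g)
def EU(f, g, d="fwd"): return ("EU", f, g, d)
def EG(f, d="fwd"): return ("EG", f, d)
def EF(f, d="fwd"): return EU(TRUE, f, d)
def AX(f, d="fwd"): return NOT(("EX", NOT(f), d))
def AG(f, d="fwd"): return NOT(EF(NOT(f), d))
def AF(f, d="fwd"): return NOT(EG(NOT(f), d))
def AU(f, g, d="fwd"):   # A(f U g) == not(E(not g U (not f and not g)) or EG not g)
    return AND(NOT(EU(NOT(g), AND(NOT(f), NOT(g)), d)), NOT(EG(NOT(g), d)))

# Constructed 4-state model; R and R^{-1} are total, as POTL models require.
MODEL = ({"a", "b", "c", "d"},
         {("a", "b"), ("b", "c"), ("c", "d"), ("d", "c"), ("d", "a"), ("d", "d")},
         {"a": {"p"}, "b": {"p"}, "c": {"q"}, "d": {"r"}})
P, Q = ("ap", "p"), ("ap", "q")
# The formula of Theorem 3.16, p and AX AG not p and AG (backward AF p): no finite model.
THEOREM_3_16 = AND(P, AND(AX(AG(NOT(P))), AG(AF(P, "bwd"))))
```

Running `check(MODEL, THEOREM_3_16)` yields the empty set on this model, as Theorem 3.16 predicts for every finite model with total $R$.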


3.1.3 Expressiveness of POTL


POTL can be used in the same framework as UB, where a structure represents an entire concurrent system. Then, it extends the expressiveness of UB by making it possible to refer to the past. For example, a formula $\exists\tilde{\Diamond} p$ expresses that there is an earlier state at which $p$ holds, a formula $\forall\tilde{\Diamond} p$ says that on each backward fullpath there is a state at which $p$ holds, whereas $\forall\tilde{\Box} p$ specifies that $p$ holds at all states in the past. However, POTL was defined to be applied in a different framework, where a structure represents one possible run of a system composed of sequential processes. A run of such a system of processes can be viewed as a directed acyclic graph. Each node represents a process state, and an edge from a node $w$ to a node $w'$ represents that $w'$ immediately follows $w$. In this framework POTL is used to specify properties involving all runs. Therefore, a concurrent system $P$ is represented by a POTL structure $A_P = \{M \mid M \text{ represents a run of the system } P\}$. Let $A$ be a POTL structure. $A$ is said to validate a formula $p$ (written $A \models p$) iff $M \models p$ for each model $M$ in $A$. Now, the meaning of POTL formulas is as follows. $A \models p$ states that for every model of $A$, for every state in it, $p$ holds. For example, $A \models q \rightarrow \forall\tilde{\Diamond} p$ expresses that for every run, for every backward fullpath ending at a state where $q$ holds, there is a state at which $p$ holds.

3.1.4 A proof system for POTL

Axioms:

A-1 All substitution rules of propositional calculus
A-2 $\exists\bigcirc(p \vee q) \leftrightarrow \exists\bigcirc p \vee \exists\bigcirc q$
A-3 $\exists\Diamond p \leftrightarrow p \vee \exists\bigcirc\exists\Diamond p$
A-4 $\exists\Box p \leftrightarrow p \wedge \exists\bigcirc\exists\Box p$
A-5 $\exists\bigcirc\top$
A-6 $\exists\tilde{\bigcirc}(p \vee q) \leftrightarrow \exists\tilde{\bigcirc} p \vee \exists\tilde{\bigcirc} q$
A-7 $\exists\tilde{\Diamond} p \leftrightarrow p \vee \exists\tilde{\bigcirc}\exists\tilde{\Diamond} p$
A-8 $\exists\tilde{\Box} p \leftrightarrow p \wedge \exists\tilde{\bigcirc}\exists\tilde{\Box} p$
A-9 $\exists\tilde{\bigcirc}\top$
A-10 $p \rightarrow \forall\bigcirc\exists\tilde{\bigcirc} p$
A-11 $p \rightarrow \forall\tilde{\bigcirc}\exists\bigcirc p$

Inference rules:

(a) $p,\ p \rightarrow q \vdash q$
(b) $p \rightarrow q \vdash \exists\bigcirc p \rightarrow \exists\bigcirc q$
(c) $r \rightarrow (\neg q \wedge \exists\bigcirc r) \vdash r \rightarrow \exists\Box\neg q$
(d) $r \rightarrow (\neg q \wedge \forall\bigcirc(r \vee \neg\exists\Diamond q)) \vdash r \rightarrow \neg\exists\Diamond q$
(e) $p \rightarrow q \vdash \exists\tilde{\bigcirc} p \rightarrow \exists\tilde{\bigcirc} q$
(f) $r \rightarrow (\neg q \wedge \exists\tilde{\bigcirc} r) \vdash r \rightarrow \exists\tilde{\Box}\neg q$
(g) $r \rightarrow (\neg q \wedge \forall\tilde{\bigcirc}(r \vee \neg\exists\tilde{\Diamond} q)) \vdash r \rightarrow \neg\exists\tilde{\Diamond} q$

The above proof system can be viewed as composed of three parts: the first part (A 1-5, (a)-(d)) contains the axioms and the inference rules for UB, the second one (A 6-9, (e)-(g)) is its mirror image. The third part consists of the axioms (A-10) and (A-11) relating past and future.

3.1.5 A characterization of POTL [34]

It turns out that adding backward operators to UB results in the loss of the finite model property.

Theorem 3.16 POTL does not have the finite model property.

Proof: The formula $q \stackrel{def}{=} p \wedge \forall\bigcirc\forall\Box\neg p \wedge \forall\Box\forall\tilde{\Diamond} p$ is shown to be satisfiable in infinite models only. A model of the formula $q$ contains a state $w_0$ where $p$ holds and for all states forward accessible from $w_0$ the formulas $\neg p$ and $\forall\tilde{\Diamond} p$ hold. As $R$ is a total relation, either there are infinitely many states accessible from $w_0$ in the model, or one state, say $v$, accessible from $w_0$ is also accessible from itself. The latter is however impossible, because then there would be an infinite backward fullpath from $v$ at which $p$ does not hold, contradicting $\forall\tilde{\Diamond} p$ holding at $v$. $\square$

The direct consequence of this theorem can be found in the proof of completeness, where the infinite model for a formula is built. Checking whether a formula is satisfiable requires an exponential time algorithm, as in the case of CTL.

Theorem 3.17 There is a deterministic algorithm for deciding whether a POTL formula is satisfiable, of exponential complexity in the length of the tested formula. $\square$


Theorem 3.18 The proof system for POTL is sound and complete. $\square$

The proof sketches of the above theorems are given for POTL[U; Ũ], an extension of POTL.

3.2 Partial Order Temporal Logic with Until and Since

POTL[U; Ũ] extends POTL in the same way as CTL extends UB. However, in the case of POTL[U; Ũ] a new path modality, Since, is also introduced.

3.2.1 Syntax of POTL[U; Ũ]

The set of POTL[U; Ũ] formulas is the maximal set generated by the following rules:

S-1 every member of $AP$ is a formula,
S-2 if $p, q$ are formulas, then so are $\neg p$ and $p \wedge q$,
S-3 if $p, q$ are formulas, then so are $\exists\bigcirc p$, $\exists(p U q)$, and $\forall(p U q)$,
S-4 if $p, q$ are formulas, then so are $\exists\tilde{\bigcirc} p$, $\exists(p \tilde{U} q)$, and $\forall(p \tilde{U} q)$.

The derived basic modalities are:

• $\exists\Diamond p \stackrel{def}{=} \exists(\top U p)$,
• $\forall\Diamond p \stackrel{def}{=} \forall(\top U p)$,
• $\exists\tilde{\Diamond} p \stackrel{def}{=} \exists(\top \tilde{U} p)$,
• $\forall\tilde{\Diamond} p \stackrel{def}{=} \forall(\top \tilde{U} p)$.

The other derived modalities are defined as for POTL. The definition of a model for POTL[U; Ũ] is as for POTL, with the difference that the relations $R$ and $R^{-1}$ are not required to be total. This is motivated by the fact that the initial or the terminal state of some process may have no predecessors or successors, respectively. Frames of this kind are required, for example, for reasoning about Petri Nets [20]. The semantics of POTL[U; Ũ] formulas (except for the new ones) is as for POTL, with the following new definition of a forward (backward) fullpath. A forward (backward) fullpath is a maximal sequence of states $x = (w_0, w_1, \ldots)$ such that $(w_i, w_{i+1}) \in R$ ($\in R^{-1}$, resp.) for each $i \ge 0$. Notice that a forward (backward) fullpath $x$ is finite if and only if its last (first) state does not have any $R$-successor ($R$-predecessor, resp.). Next, the semantics of formulas containing Until and Since is given. Let $M = (W, R, V)$ be a model and $w_0 \in W$.

S-3 $w_0 \models \exists(p U q)$ iff for some forward fullpath $x$ starting at $w_0$, $(\exists i \ge 0)\ w_i \models q$ and $(\forall j : 0 \le j < i)\ w_j \models p$;
 $w_0 \models \forall(p U q)$ iff for all forward fullpaths $x$ starting at $w_0$, $(\exists i \ge 0)\ w_i \models q$ and $(\forall j : 0 \le j < i)\ w_j \models p$,
S-4 $w_0 \models \exists(p \tilde{U} q)$ iff for some backward fullpath $x$ starting at $w_0$, $(\exists i \ge 0)\ w_i \models q$ and $(\forall j : 0 \le j < i)\ w_j \models p$;
 $w_0 \models \forall(p \tilde{U} q)$ iff for all backward fullpaths $x$ starting at $w_0$, $(\exists i \ge 0)\ w_i \models q$ and $(\forall j : 0 \le j < i)\ w_j \models p$.

3.2.2 Expressiveness of POTL[U; Ũ]

POTL[U; Ũ] extends the expressiveness of POTL similarly to the way in which CTL extends the expressiveness of UB. All properties expressible in POTL are expressible in POTL[U; Ũ]. Moreover, properties concerning the relative order of events in the future and in the past can be expressed using formulas of the form $\exists(p U q)$, $\forall(p U q)$, $\exists(p \tilde{U} q)$, and $\forall(p \tilde{U} q)$. It has been shown in [18] that POTL[U; Ũ] is a strict extension of POTL.

3.2.3 A proof system for POTL[U; Ũ]

Axioms:

A-1 All substitution rules of propositional calculus
A-2 $\exists\bigcirc(p \vee q) \leftrightarrow \exists\bigcirc p \vee \exists\bigcirc q$
A-3 $\exists(p U q) \leftrightarrow q \vee (p \wedge \exists\bigcirc\exists(p U q))$
A-4 $\forall(p U q) \leftrightarrow q \vee (p \wedge \forall\bigcirc\forall(p U q) \wedge \exists\bigcirc\top)$
A-5 $\exists\tilde{\bigcirc}(p \vee q) \leftrightarrow \exists\tilde{\bigcirc} p \vee \exists\tilde{\bigcirc} q$
A-6 $\exists(p \tilde{U} q) \leftrightarrow q \vee (p \wedge \exists\tilde{\bigcirc}\exists(p \tilde{U} q))$
A-7 $\forall(p \tilde{U} q) \leftrightarrow q \vee (p \wedge \forall\tilde{\bigcirc}\forall(p \tilde{U} q) \wedge \exists\tilde{\bigcirc}\top)$
A-8 $p \rightarrow \forall\bigcirc\exists\tilde{\bigcirc} p$
A-9 $p \rightarrow \forall\tilde{\bigcirc}\exists\bigcirc p$

Inference rules:

R-1 $p,\ p \rightarrow q \vdash q$
R-2 $p \rightarrow q \vdash \exists\bigcirc p \rightarrow \exists\bigcirc q$
R-3 $r \rightarrow (\neg q \wedge \exists\bigcirc r) \vdash r \rightarrow \neg\forall(p U q)$
R-4 $r \rightarrow (\neg q \wedge \forall\bigcirc(r \vee \neg\exists(p U q))) \vdash r \rightarrow \neg\exists(p U q)$
R-5 $p \rightarrow q \vdash \exists\tilde{\bigcirc} p \rightarrow \exists\tilde{\bigcirc} q$
R-6 $r \rightarrow (\neg q \wedge \exists\tilde{\bigcirc} r) \vdash r \rightarrow \neg\forall(p \tilde{U} q)$
R-7 $r \rightarrow (\neg q \wedge \forall\tilde{\bigcirc}(r \vee \neg\exists(p \tilde{U} q))) \vdash r \rightarrow \neg\exists(p \tilde{U} q)$

The above proof system can be viewed as composed of three parts: the first part (A 1-4, R 1-4) contains the axioms and the inference rules for CTL (except for $\forall\bigcirc\top$), the second one (A 5-7, R 5-7) is its mirror image, and the third one contains the axioms A-8 and A-9 relating past and future.

3.2.4 A characterization of POTL[U; Ũ]

Since POTL does not have the finite model property, as one could expect, POTL[U; Ũ] does not have it either.

Theorem 3.19 POTL[U; Ũ] does not have the finite model property. $\square$

The proof is the same as for POTL, using the formula $p \wedge \exists\bigcirc\top \wedge \forall\bigcirc\forall\Box(\neg p \wedge \exists\bigcirc\top) \wedge \forall\Box\forall\tilde{\Diamond} p$, which differs from the formula $q$ used in the proof for POTL in the subformulas $\exists\bigcirc\top$. These subformulas were added in order to require that the relation $R$ is total. It is shown now how to check whether a POTL[U; Ũ] formula is satisfiable.

Theorem 3.20 There is a deterministic algorithm for deciding whether a POTL[U; Ũ] formula is satisfiable, of exponential complexity in the length of the tested formula. $\square$

Proof: The proof of this theorem is similar to the proof for CTL. It consists in defining an algorithm which constructs a pseudo-Hintikka structure for a satisfiable POTL[U; Ũ] formula. This construction is not repeated, but it is shown how to define a pseudo-Hintikka structure for a POTL[U; Ũ] formula and how to "unwind" it into a Hintikka structure. As POTL[U; Ũ] does not have the finite model property, a finite pseudo-Hintikka structure for a POTL[U; Ũ] formula has to be unwound into an infinite Hintikka structure. This makes the construction slightly more complicated than it was in the case of CTL.


Firstly, the definition of a Hintikka structure for a POTL[U; Ũ] formula $p_0$ is given.

Definition 3.21 A Hintikka structure (for $p_0$) is a structure $M = (W, R, L)$, where $R \subseteq W \times W$ is a relation (and $p_0 \in L(w)$ for some $w \in W$) and $L$ satisfies the conditions H1-12 in Definition 2.6 and the following conditions:

H-13 if $\exists(p \tilde{U} q) \in L(w)$ then $q \in L(w)$ or $p, \exists\tilde{\bigcirc}\exists(p \tilde{U} q) \in L(w)$,
H-14 if $\neg\exists(p \tilde{U} q) \in L(w)$ then $\neg q, \neg p \in L(w)$ or $\neg q, \neg\exists\tilde{\bigcirc}\exists(p \tilde{U} q) \in L(w)$,
H-15 if $\forall(p \tilde{U} q) \in L(w)$ then $q \in L(w)$ or $p, \neg\exists\tilde{\bigcirc}\neg\forall(p \tilde{U} q) \in L(w)$,
H-16 if $\neg\forall(p \tilde{U} q) \in L(w)$ then $\neg q, \neg p \in L(w)$ or $\neg q, \exists\tilde{\bigcirc}\neg\forall(p \tilde{U} q) \in L(w)$,
H-17 if $\exists\tilde{\bigcirc} p \in L(w)$ then $\exists v\ ((w, v) \in R^{-1}$ and $p \in L(v))$,
H-18 if $\neg\exists\tilde{\bigcirc} p \in L(w)$ then $\forall v\ ((w, v) \in R^{-1}$ implies $\neg p \in L(v))$,
H-19 if $\exists(p \tilde{U} q) \in L(w)$ then there is a backward fullpath $x$ starting at $w$ and a state $v$ on $x$ such that $q \in L(v)$ and $p \in L(v')$ for all $v'$ before $v$ on $x$,
H-20 if $\forall(p \tilde{U} q) \in L(w)$ then for all backward fullpaths $x$ starting at $w$ there is a state $v$ on $x$ such that $q \in L(v)$ and $p \in L(v')$ for all $v'$ before $v$ on $x$. $\square$

It can be easily proved that a POTL[U; Ũ] formula $p$ is satisfiable iff there is a Hintikka structure for $p$. Now, looking for a finite pseudo-Hintikka structure for the satisfiable formula $p_0$, the Fischer-Ladner closure (see [17]) of $p_0$ and then the quotient structure of a model are defined. Let $C(p_0)$ be the least set of formulas containing $p_0$ and satisfying the conditions C1-5 for CTL and moreover:

C-6 if $\exists\tilde{\bigcirc} p \in C(p_0)$ then $p \in C(p_0)$,
C-7 if $\exists(p \tilde{U} q) \in C(p_0)$ then $q, p, \exists\tilde{\bigcirc}\exists(p \tilde{U} q) \in C(p_0)$,
C-8 if $\forall(p \tilde{U} q) \in C(p_0)$ then $q, p, \neg\exists\tilde{\bigcirc}\neg\forall(p \tilde{U} q) \in C(p_0)$.

Let $FL(p_0) = C(p_0) \cup \neg C(p_0)$, where $\neg C(p_0) = \{\neg p \mid p \in C(p_0)\}$. It can be shown by induction on the length of the formula that $\mathrm{card}(FL(p_0)) \le 2|p_0|$. Let $M = (W, R, V)$ be a model for $p_0$, and let $\equiv_{FL(p_0)}$ be the equivalence relation on $W$ defined as follows: $w_1 \equiv_{FL(p_0)} w_2$ iff $(\forall q \in FL(p_0))\ (w_1 \models q$ iff $w_2 \models q)$. The set $\{v \in W \mid w \equiv_{FL(p_0)} v\}$ is denoted by $[w]$. The quotient structure of $M$ by $\equiv_{FL(p_0)}$ is the structure $M' = (W', R', L')$, where $W' = \{[w] \mid w \in W\}$, $R' = \{([w], [v]) \in W' \times W' \mid \exists w' \in [w],\ \exists v' \in [v] : (w', v') \in R\}$, and $L'([w]) = \{q \in FL(p_0) \mid w \models q\}$. As in the case of CTL, $M'$ need not be a Hintikka structure for $p_0$. The satisfiability of formulas of the form $\forall(p U q)$ and $\forall(p \tilde{U} q)$ may not be preserved. However, analogously, the quotient structure $M'$ provides useful information. It is easy to check that $M'$ satisfies all the conditions of the definition of a Hintikka structure except possibly H12 and H20. Instead, $M'$ satisfies another important condition which makes it possible to prove $M'$ to be modally equivalent to some Hintikka structure. The following definitions are useful in the next part of the proof.

Definition 3.22 A (backward) fragment $N = (W, R, L)$ is a (backward, resp.) rooted structure for which all the interior nodes satisfy H 1-10, H 13-16, H-18 (H 1-8, H-10, H 13-18, resp.) and all the frontier nodes satisfy H 1-8, H 13-16, H-18 (H 1-8, H-10, H 13-16, resp.), and whose graph is a finite dag. Given $M_1 = (W_1, R_1, L_1)$ and $M_2 = (W_2, R_2, L_2)$, $M_1$ is said to be contained in $M_2$ (written $M_1 \subseteq M_2$) iff $W_1 \subseteq W_2$, $R_1 \subseteq R_2$ and $L_1 = L_2|_{W_1}$. $\square$

Definition 3.23 A pseudo-Hintikka structure (for $p_0$) is a structure $M = (W, R, L)$ (such that $p_0 \in L(w)$ for some $w \in W$, resp.), which satisfies H 1-11, H 13-19 and such that for all $w \in W$ the following conditions hold:

H-12' $\forall(p U q) \in L(w)$ implies that there is a fragment $N$ rooted at $w$ contained in $M$ such that for all the frontier nodes $v$ of $N$, $q \in L(v)$, and for all the interior nodes $u$ of $N$, $p \in L(u)$.
H-20' $\forall(p \tilde{U} q) \in L(w)$ implies that there is a backward fragment $N$ rooted at $w$ contained in $M$ such that for all the frontier nodes $v$ of $N$, $q \in L(v)$, and for all the interior nodes $u$ of $N$, $p \in L(u)$. $\square$

Now, it can be easily proved that $M'$ is a pseudo-Hintikka structure.
It is shown in the second stage of the proof that the pseudo-Hintikka structure $M'$ for $p_0$ is modally equivalent to some Hintikka structure for $p_0$. This is done by "unwinding" the pseudo-Hintikka structure in the way described fully in [34]. The method is based on the fact that for each state in a pseudo-Hintikka structure, a "forward tree" (ftree) and a "backward tree" (btree) can be built. These trees satisfy all formulas of the form $\forall(p U q)$ and $\exists(p U q)$, or $\forall(p \tilde{U} q)$ and $\exists(p \tilde{U} q)$, respectively. An ftree is simply a tree, whereas a btree would be a tree if the direction of its edges were reversed. The combination of an ftree and a btree is called an fbtree. The construction proceeds by alternating and combining these forward and backward trees. The definition of a backward-forward unwinding $BFU$ of the pseudo-Hintikka structure is given inductively on the $i$-step backward-forward unwinding $BFU_i$. The definition of $BFU_i$ can be found in [34]. Then, $BFU$ is defined as $\bigcup_{i=1}^{\infty} BFU_i$. $\square$

There is a deterministic exponential time lower bound for POTL[U; Ũ] satisfiability, since POTL[U; Ũ] includes UB, for which such a lower bound has been shown.

Theorem 3.24 The proof system for POTL[U; Ũ] is sound and complete. $\square$

The proof is similar to that given for CTL, using the new definition of a pseudo-Hintikka structure for a POTL[U; Ũ] formula. The main change is in adding symmetrical claims to handle the past components of POTL[U; Ũ] formulas and in not requiring $R$ and $R^{-1}$ to be total. When the POTL[U; Ũ] models are required to have the relations $R$ and $R^{-1}$ total (as in the case of POTL), then the proof system has to be extended by formulas of the form $\exists\bigcirc\top$ and $\exists\tilde{\bigcirc}\top$, and all the results remain valid with small changes in the proofs.

3.2.5 Model checking for POTL[U; Ũ] [19]

Model checking for POTL[U; Ũ] is more complicated than for CTL. There are two reasons for this. Firstly, formulas contain backward modalities. And secondly, formulas are interpreted over models corresponding to runs of concurrent systems.

Theorem 3.25 Model checking for POTL[U; Ũ] is exponential in the size of the model and doubly exponential in the length of the tested formula. $\square$

The proof of the above theorem is very complicated. The interested reader is referred to [19]. POTL and POTL[U; Ũ] constitute a bridge between branching time and partial order logics. They can be viewed as extensions of the branching time logics UB and CTL by past modalities. However, their semantic structures can be linked with partial orderings representing runs of concurrent systems.

3.3 Interleaving Set Temporal Logic (ISTL) [21],[22]

So far, temporal logics have been interpreted over pre-order structures. Now, Interleaving Set Temporal Logic, interpreted over partial order structures of global states, is introduced. The main aim for defining this logic was to express properties inherent in the partial order interpretations, more specifically to distinguish concurrency from non-determinism.


3.3.1 Syntax of ISTL

The formal language of ISTL is the same as that of CTL, i.e., it contains basic formulas of the form $p \in AP$, $p \wedge q$, $\neg p$, $\forall(p U q)$, $\exists(p U q)$, and $\exists\bigcirc p$. The derived basic modalities are:

• $\forall\Diamond q$ abbreviating $\forall(\top U q)$,
• $\exists\Diamond q$ abbreviating $\exists(\top U q)$,
• $\forall\Box q$ abbreviating $\neg\exists\Diamond\neg q$,
• $\exists\Box q$ abbreviating $\neg\forall\Diamond\neg q$, and
• $\forall\bigcirc q$ abbreviating $\neg\exists\bigcirc\neg q$.

To define the semantics of ISTL, a number of new notions have to be introduced. This is so because the frames of ISTL and CTL are connected with possible executions of distributed systems in different ways. In the case of CTL (as well as of UB and CTL*), an entire concurrent system is considered as defining one large partial order or branching structure. The branching modalities ($\exists(p U q)$ or $\exists\Diamond p$) can distinguish between different paths (interleaved runs). In the other view, which is the one taken by ISTL, whenever there is an explicit non-deterministic choice in the code of a program, a single partial order includes only one specific choice made in that execution. Note that POTL and POTL[U; Ũ] were connected with concurrent systems in the same way. Thus, a concurrent program is represented by a set of partial orders (or branching structures), each representing a separate run of the system. Next, a structure representing one possible run of a system is defined. The approach of [21] is followed here; for the more general definition (covering also non-discrete and uncountable systems) the reader is referred to [26].

Definition 3.26 Let (E;