Program Logics: theory and applications

Nikolay V. Shilov
ROPAS, KAIST, 373-1 Kusong-dong, Yusong-gu, Taejon 305-701, Korea
Institute of Informatics Systems, Lavrent'ev av., 6, Novosibirsk 630090, Russia
[email protected], [email protected]

Abstract

Program logics are modal logics used in software/hardware specification and verification for sound reasoning about programs. Program logics comprise dynamic logics, temporal logics, logics of processes, and their extensions by means of fixpoints. A more recent addition to the family of program logics are logics of knowledge and belief. The talk introduces (on an informal level) several popular program logics (including Computation Tree Logic and Mu-Calculus) and surveys fundamental results and research problems for these logics. Some links to software tools and experimental systems based on program logics are included. Several well-known computer scientists and mathematicians have contributed to this research domain, e.g., E.M. Clarke, D. Harel, J. Halpern, D. Kozen, L. Lamport, Z. Manna, R. Parikh, A. Pnueli, V.R. Pratt, J. Sifakis, M. Vardi, etc. Their research is well known around the world. In contrast, the research of scientists from the former Soviet Union is less known abroad in spite of its importance for the progress of program logics. The talk surveys some related results of several researchers: M.K. Valiev, V.M. Glushkov, V.A. Nepomniaschy, A.L. Semenov, A.P. Stolboushkin and M.A. Taitslin. The talk also presents several forthcoming international conferences related to Theoretical Computer Science, Theory of Computing, and Theory of Computations which are organized under the auspices of the Russian Academy of Science in Russia in 2001.

1 Games with Dynamic Logic

1.1 Finite games

In spite of the importance of Formal Methods for the development of reliable hardware and software, this domain is not well known to non-professionals. In particular, many hacker programmers suppose that Formal Methods are too pure for their poor mathematics, while many mathematical purists suppose that Formal Methods are too poor for their pure mathematics.

Maybe a deficit of popular papers on Formal Methods is the main reason for this ignorance. I would like to begin with a popular (but mathematically sound) presentation of Program Logics, a tributary creek of a powerful stream called Formal Methods. The basic ideas, definitions and properties are illustrated by simple game examples, in particular by the following Millennium Game Puzzle.

On the eve of the New Year 2000, Alice and Bob play the millennium game. Positions in the game are dates of the years 2000 and 2001. An initial position is a random date of the year 2000. Then Alice and Bob make moves in turn: Alice, Bob, Alice, Bob, etc. The available moves are the same for both Alice and Bob: if the current position is a date, then the next calendar date and the same day of the next month are the possible next positions. A player wins the game iff his/her counterpart is the first who launches the year 2001. Problem: find all initial positions where Alice has a winning strategy.

A mathematical model for the millennium game is quite obvious. It is an oriented labeled graph $G_{2000/2001}$. Nodes of this graph correspond to game positions, i.e. dates of the years 2000 and 2001. All dates of the year 2001 are marked by $\mathit{fail}$ while all other dates are unmarked. Edges of the graph correspond to possible moves and are marked by $\mathit{move}$. We would like to consider $\mathit{fail}$ and $\mathit{move}$ as variables for collections of nodes and sets of edges and call them propositional and action variables respectively. The model fixes the interpretation (i.e. the values) of these variables in the manner described above.

In general, a finite game of two players $A$ and $B$ is a tuple $(P, M_A, M_B, F)$ where
- $P$ is a nonempty finite set of positions,
- $M_A, M_B \subseteq P \times P$ are the (possible) moves of $A$ and $B$,
- $F \subseteq P$ is the set of final positions.

A session of the game is a finite sequence of positions $s_0, \ldots, s_n$ ($n > 0$) where all even pairs are moves of one player (e.g., all $(s_{2i}, s_{2i+1}) \in M_A$) while all odd pairs are moves of the other player (e.g., all $(s_{2i+1}, s_{2i+2}) \in M_B$). A pair of consecutive moves of the two players in a session comprises three consecutive positions (e.g., $(s_{2i}, s_{2i+1}, s_{2(i+1)})$) and is called a round. A player loses a session iff after a move of this player the session enters a final position for the first time. A player wins a session iff the other player loses the session. A strategy of a player is a subset of the player's possible moves. A winning strategy for a player is a strategy which always leads to the player's win: the player wins every session which he/she begins and in which he/she implements this strategy instead of all possible moves. The millennium game is just an example of a finite game.

Finite games of two players can easily be presented as oriented labeled graphs. Nodes correspond to game positions; all nodes which correspond to final positions are marked by $\mathit{fail}$ while all other nodes are unmarked. Edges of these graphs correspond to possible moves of the players and are marked by $\mathit{move}_A$ and $\mathit{move}_B$ respectively. Let us denote by $G_{(P, M_A, M_B, F)}$ the labeled graph corresponding to a game $(P, M_A, M_B, F)$. We would like to consider $\mathit{fail}$, $\mathit{move}_A$ and $\mathit{move}_B$ as variables for sets of nodes and sets of edges respectively.

1.2 Elementary Propositional Dynamic Logic

Let $\{\mathit{true}, \mathit{false}\}$ be the boolean constants, and let $Prp$ and $Act$ be disjoint finite alphabets of propositional and action variables respectively. (In the previous section they are $\{\mathit{fail}\}$ and $\{\mathit{move}, \mathit{move}_A, \mathit{move}_B\}$.) The syntax of classical propositional logic consists of formulae and is constructed from propositional variables and the boolean connectives $\neg$ (negation), $\wedge$ (conjunction) and $\vee$ (disjunction) in accordance with the standard rules:
1. all propositional variables and boolean constants are formulae;
2. if $\phi$ is a formula then $(\neg\phi)$ is a formula;
3. if $\phi$ and $\psi$ are formulae then $(\phi \wedge \psi)$ is a formula;
4. if $\phi$ and $\psi$ are formulae then $(\phi \vee \psi)$ is a formula.
Elementary Propositional Dynamic Logic (EPDL) [14] has additional features for constructing formulae, namely modalities which are associated with action variables:
5. if $a$ is an action variable and $\phi$ is a formula then $([a]\phi)$ is a formula (read as "box $a$ $\phi$" or "after $a$ always $\phi$");
6. if $a$ is an action variable and $\phi$ is a formula then $(\langle a \rangle\phi)$ is a formula (read as "diamond $a$ $\phi$" or "after $a$ sometimes $\phi$").
We would like to use the standard abbreviations $\to$ and $\leftrightarrow$ in the usual manner: if $\phi$ and $\psi$ are formulae then $(\phi \to \psi)$ and $(\phi \leftrightarrow \psi)$ are abbreviations for the formulae $((\neg\phi) \vee \psi)$ and $((\phi \to \psi) \wedge (\psi \to \phi))$ respectively. Then we would like to avoid extra parentheses and use the standard priorities for connectives and modalities: $\neg$, $\langle\ \rangle$, $[\ ]$, $\wedge$, $\vee$, $\to$, $\leftrightarrow$. We also would like to use the meta-symbol $\equiv$ for syntactical equality.

The semantics of EPDL is defined in models, which are called labeled transition systems by computer scientists and Kripke structures by mathematicians. A model $M$ is a pair $(D_M, I_M)$ where the domain $D_M$ is a nonempty set, while the interpretation $I_M$ is a pair of special mappings $(P_M, R_M)$. Elements of the domain $D_M$ are called states. The interpretation maps propositional variables into sets of states and action variables into binary relations on states:
$$P_M : Prp \to \mathcal{P}(D_M), \qquad R_M : Act \to \mathcal{P}(D_M \times D_M)$$
where $\mathcal{P}$ is the power-set operation. We frequently write $I_M(p)$ and $I_M(a)$ instead of $P_M(p)$ and $R_M(a)$ whenever it is implicit that $p$ and $a$ are propositional and action variables respectively.

Models can be considered as oriented labeled graphs with nodes and edges marked by sets of propositional and action variables respectively. For a model $M = (D_M, I_M)$ the nodes of the corresponding graph are the states of $D_M$. In this graph a node $s \in D_M$ is marked by a propositional variable $p \in Prp$ iff $s \in I_M(p)$. A pair of nodes $(s_1, s_2) \in D_M \times D_M$ is an edge of the graph iff $(s_1, s_2) \in I_M(a)$ for some action variable $a \in Act$; in this case the edge $(s_1, s_2)$ is marked by this action variable $a$. Vice versa, labeled graphs with nodes and edges marked by sets of propositional and action variables respectively can also be considered as models. In this setting the graph $G_{2000/2001}$ of the millennium game is really a model for EPDL, as is the graph $G_{(P, M_A, M_B, F)}$ of a game $(P, M_A, M_B, F)$.

For every model $M = (D_M, I_M)$ the validity relation $\models_M$ between states and formulae can be defined inductively with respect to the structure of formulae:
1. for every state $s$: $s \models_M \mathit{true}$ and not $s \models_M \mathit{false}$; for every state $s$ and propositional variable $p$: $s \models_M p$ iff $s \in I_M(p)$;
2. for every state $s$ and formula $\phi$: $s \models_M (\neg\phi)$ iff it is not the case that $s \models_M \phi$;
3. for every state $s$ and formulae $\phi$ and $\psi$: $s \models_M (\phi \wedge \psi)$ iff $s \models_M \phi$ and $s \models_M \psi$;
4. for every state $s$ and formulae $\phi$ and $\psi$: $s \models_M (\phi \vee \psi)$ iff $s \models_M \phi$ or $s \models_M \psi$;
5. for every state $s$, action variable $a$ and formula $\phi$: $s \models_M (\langle a \rangle\phi)$ iff $(s, s') \in I_M(a)$ and $s' \models_M \phi$ for some state $s'$;
6. for every state $s$, action variable $a$ and formula $\phi$: $s \models_M ([a]\phi)$ iff $(s, s') \in I_M(a)$ implies $s' \models_M \phi$ for every state $s'$.

1.3 Finite games in EPDL

First let us illustrate the above definition by several examples in the model $G_{2000/2001}$. The formula $\mathit{fail}$ is valid in those states where the game is lost. Then the formula $[\mathit{move}]\mathit{fail}$ is valid in those states from which all possible moves lead to the lost game. Hence the formula $\neg\mathit{fail} \wedge [\mathit{move}]\mathit{fail}$ is valid in the states where the game is not over but all possible moves lead to the lost game. Consequently, the formula $\langle\mathit{move}\rangle(\neg\mathit{fail} \wedge [\mathit{move}]\mathit{fail})$ is valid iff there is a move after which the game is not lost while then all possible moves always lead to the lost game. Finally we get: the formula
$$\neg\mathit{fail} \wedge \langle\mathit{move}\rangle(\neg\mathit{fail} \wedge [\mathit{move}]\mathit{fail})$$
is valid in those states where the game is not over and where there exists a move after which the game is not lost while then all possible moves always lead to the lost game. So the last EPDL formula is valid in those states of $G_{2000/2001}$ (i.e. dates of the years 2000 and 2001) where Alice has a 1-round winning strategy, i.e. where Bob loses the game (Alice has all odd moves while Bob has all even moves). So it is natural to denote this formula by $\mathit{win}_1$. It becomes quite clear from the above arguments that the following formula
$$\neg\mathit{fail} \wedge \langle\mathit{move}\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}](\mathit{fail} \vee \mathit{win}_1)\big)$$
is valid in those states of $G_{2000/2001}$ where Alice has a winning strategy with 2 rounds at most. So it is natural to denote this formula by $\mathit{win}_2$. Let us define formulae $\mathit{win}_i$ for all $i \geq 1$ similarly to $\mathit{win}_1$ and $\mathit{win}_2$: for every $i \geq 1$ let
$$\mathit{win}_{i+1} \equiv \neg\mathit{fail} \wedge \langle\mathit{move}\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}](\mathit{fail} \vee \mathit{win}_i)\big).$$
Let $\mathit{win}_0$ be $\mathit{false}$ in addition. After the above discussion about $\mathit{win}_1$ and $\mathit{win}_2$ it becomes quite simple to prove the following by induction.

Assertion 1. For every $i \geq 1$ the formula $\mathit{win}_i$ is valid in those states of $G_{2000/2001}$ where Alice has a winning strategy against Bob with $i$ rounds at most.

The following proposition is just a generalization of the above Assertion 1.

Proposition 1. Let $(P, M_A, M_B, F)$ be a finite game of two players, let the formula $\mathit{WIN}_0$ be $\mathit{false}$, and for every $i \geq 0$ let $\mathit{WIN}_{i+1}$ be the formula
$$\neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \mathit{WIN}_i)\big).$$
For every $i \geq 0$ the formula $\mathit{WIN}_i$ is valid in those states of $G_{(P, M_A, M_B, F)}$ where player $A$ has a winning strategy against the counterpart with $i$ rounds at most.

1.4 Model checking and abstraction

Model checking is testing a model against a formula. The global checking problem consists in calculating the set of all states of an input model where an input formula is valid. The local checking problem consists in testing the boolean value of an input formula in an input state of an input model. Thus the corresponding model checking algorithms, as well as their implementations (called model checkers), can be characterized by their inputs and outputs as in Fig. 1. We are especially interested in the model checking problem for finite models, i.e. models with finite domains. For these models both model checking problems are algorithmically equivalent:
- for global checking just check locally all states and then collect the states where the formula is valid,
- for local checking just check globally and test whether the state is in the validity set of the formula.

Figure 1: Global vs. local model checking
  global: inputs are a model and a formula; the output is the set of all states of the model where the formula is valid
  local: inputs are a model, a formula and a state; the output is the boolean value of the formula in the state of the model

Of course, the above reduction of global checking to local checking leads to changes of time complexity: the global checking complexity is less than or equal to the local checking complexity multiplied by the number of states. We would like to concentrate on global model checking only, since this complexity difference is not important for the logics discussed in the talk. A more important topic is the parameters used for measuring this complexity. If $M = (D_M, (R_M, P_M))$ is a finite model then let $d_M$, $r_M$ and $m_M$ be the number of states in $D_M$, the number of edges in $R_M$ and the overall complexity $(d_M + r_M)$ respectively. (If a model $M$ is implicit then we would like to use these parameters without subscripts.) If $\phi$ is a formula then let $f_\phi$ be the size of the formula presented as a string. (If a formula $\phi$ is implicit then we would like to use this parameter without subscript.) The following proposition is a straightforward implication of EPDL semantics.

Proposition 2. The model checking problem for EPDL formulae in finite models is decidable with time complexity $O(m \times f)$.

Thus the model checking complexity for EPDL in finite models is linear in both arguments, model size and formula size. This upper bound seems to be pretty good and the best possible. But it is not the case due to a dis-balance between model and formula sizes which occurs frequently: models of software and hardware are very big and even huge, while logical specifications presented by formulae are comparatively small. Let us consider the millennium game just as an example. If we would like to check in which initial dates of 2000 and 2001 Alice has an $n$-round winning strategy against Bob ($n$ is a parameter) then we can model-check the EPDL formula $\mathit{win}_n$ in the model $G_{2000/2001}$. This model consists of $d_{2000/2001} = 730$ positions and $r_{2000/2001} = 1415$ moves, i.e., its overall size is $m_{2000/2001} = 2145$. The size of the formula $\mathit{win}_n$ is $f_n = (14 \times n - 3)$.
Intuitively it seems very likely that Alice has a winning strategy against Bob iff there is a winning strategy with 12 rounds at most. But the size of the formula $\mathit{win}_{12}$ is more than 12 times smaller than the size of the model $G_{2000/2001}$. In real-life examples the difference and dis-balance in model and formula sizes is much more serious. There are several techniques for curbing model size, but I would like to discuss abstraction only. In general, let $\Phi$ be a set of formulae, $M_1 = (D_1, I_1)$ and $M_2 = (D_2, I_2)$ be two models, and $g : D_1 \to D_2$ be a mapping. The model $M_2$ is called an abstraction of the model $M_1$ with respect to the formulae $\Phi$ iff for every formula $\phi \in \Phi$ and state $s \in D_1$ the following holds: $s \models_1 \phi \Leftrightarrow g(s) \models_2 \phi$ ($g$ is called an abstraction mapping in this case).

In particular, let $G_{2000}$ be a model where the states are the dates of the year 2000 extended by a special state $2001$, the propositional variable $\mathit{fail}$ is interpreted as the singleton $\{2001\}$, and the action variable $\mathit{move}$ is interpreted as a move from a date of the year 2000 to
- the next calendar date, if possible within the year 2000,
- the same date of the next month, if possible within the year 2000,
- the special state $2001$, otherwise.
Let $abs_{2001} : D_{2000/2001} \to D_{2000}$ be the following mapping:
$$abs_{2001}(\mathit{date}) = \begin{cases} \mathit{date}, & \text{if } \mathit{date} \in \text{year } 2000, \\ 2001, & \text{if } \mathit{date} \in \text{year } 2001. \end{cases}$$

Assertion 2. The model $G_{2000}$ is an abstraction of the model $G_{2000/2001}$ with respect to EPDL formulae constructed with the single propositional variable $\mathit{fail}$ and the single action variable $\mathit{move}$. A corresponding abstraction mapping is $abs_{2001}$.

The abstract model $G_{2000}$ consists of $d_{2000} = 366$ states and $r_{2000} = 722$ moves, i.e., its overall size is $m_{2000} = 1088$. Thus it is twice smaller than the original model $G_{2000/2001}$. But the abstract model preserves all EPDL properties of the original one. Hence it is possible to model-check EPDL formulae in the abstract model instead of the original. This model checking is twice more efficient due to the smaller model size.

2 Propositional μ-Calculus

2.1 Toward a stronger logic

We have assumed that Alice has a winning strategy against Bob in the millennium game iff there is a winning strategy with 12 rounds at most. The only intuition behind this conjecture was: the number of months in a year is 12. But we have not proved that this hypothesis about 12 rounds holds. This is the first disadvantage of the conjecture. The size of the formulae $\mathit{win}_1$, ... $\mathit{win}_{12}$ is another disadvantage of the 12-rounds assumption. Really, the formula $\mathit{win}_3$ unfolds as
$$\neg f \wedge \langle m\rangle\Big(\neg f \wedge [m]\Big(f \vee \neg f \wedge \langle m\rangle\big(\neg f \wedge [m](f \vee \neg f \wedge \langle m\rangle(\neg f \wedge [m] f))\big)\Big)\Big)$$
where $f$ and $m$ are abbreviations for $\mathit{fail}$ and $\mathit{move}$. The formula $\mathit{win}_{12}$ is approximately 4 times larger than $\mathit{win}_3$, thus 4 lines are necessary for its presentation.

Figure 2: Model $NEG$: $\ldots \xrightarrow{\mathit{move}} (-i-1) \xrightarrow{\mathit{move}} (-i) \xrightarrow{\mathit{move}} \ldots \xrightarrow{\mathit{move}} (-1) \xrightarrow{\mathit{move}} (0)$, where $\mathit{fail}$ holds in $(0)$ only; the finite suffix from $(-i)$ to $(0)$ is the model $NEG_i$.

Finally, it is not clear whether it is possible in principle to express in EPDL the existence of winning strategies in finite games. Informally speaking, the existence of winning strategies can be expressed by the infinite disjunction
$$\mathit{WIN}_0 \vee \mathit{WIN}_1 \vee \mathit{WIN}_2 \vee \mathit{WIN}_3 \vee \mathit{WIN}_4 \vee \ldots = \bigvee_{i \geq 0} \mathit{WIN}_i$$
but this expression is not a legal formula of EPDL. The following argument proves formally that EPDL is too weak to express it. Let us consider all non-positive integers as a domain and interpret $\mathit{fail}$ to be valid on $0$ only, while $\mathit{move}$, $\mathit{move}_A$ and $\mathit{move}_B$ are interpreted as the successor function $\lambda x.(x + 1)$ on the negatives. Let us denote this model by $NEG$ (Fig. 2). Let us define the action nesting $nest$ for EPDL formulae by induction:
1. $nest(\mathit{fail}) = nest(\mathit{true}) = nest(\mathit{false}) = 0$,
2. $nest(\neg\phi) = nest(\phi)$,
3. $nest(\phi \wedge \psi) = \max\{nest(\phi), nest(\psi)\}$,
4. $nest(\phi \vee \psi) = \max\{nest(\phi), nest(\psi)\}$,
5. $nest([\mathit{move}]\phi) = nest([\mathit{move}_A]\phi) = nest([\mathit{move}_B]\phi) = 1 + nest(\phi)$,
6. $nest(\langle\mathit{move}\rangle\phi) = nest(\langle\mathit{move}_A\rangle\phi) = nest(\langle\mathit{move}_B\rangle\phi) = 1 + nest(\phi)$.
In this setting, for every EPDL formula $\phi$ and for all $k, l > nest(\phi)$ the following can be trivially proved by induction on the structure of formulae: $(-k) \models_{NEG} \phi \Leftrightarrow (-l) \models_{NEG} \phi$. Thus for every formula of EPDL there exists a non-positive number prior to which the formula is a boolean constant. But the infinite disjunction $\bigvee_{i \geq 0} \mathit{WIN}_i$ is valid in all even negative integers, and is invalid in $0$ and in all odd negative integers. Finally we can remark that no EPDL formula $\phi$ can distinguish the finite model $NEG_i$ (Fig. 2) with $i > nest(\phi)$ from the infinite model $NEG$. But every $NEG_i$ ($i \geq 0$) is a finite game. Thus we have proved

Assertion 3. No EPDL formula can express the existence of winning strategies in all finite games $NEG_i$, where $i \geq 0$.

So it seems reasonable to have another logic with stronger expressive power. For this we are going to describe below the so-called μ-Calculus (μC) [17] as an extension of EPDL. Both the syntax and the semantics of this logic are more complicated than those of EPDL.

2.2 μ-Calculus syntax

Let us extend the syntax of EPDL by two new features:
7. if $p$ is a propositional variable and $\phi$ is a formula then $(\mu p.\phi)$ is a formula (read as "mu $p$ $\phi$" or "the least fixpoint $p$ of $\phi$");
8. if $p$ is a propositional variable and $\phi$ is a formula then $(\nu p.\phi)$ is a formula (read as "nu $p$ $\phi$" or "the greatest fixpoint $p$ of $\phi$").
Informally speaking, $\mu p.\phi$ and $\nu p.\phi$ are "abbreviations" for the infinite disjunction and conjunction
$$\mathit{false} \vee \phi_p(\mathit{false}) \vee \phi_p(\phi_p(\mathit{false})) \vee \phi_p(\phi_p(\phi_p(\mathit{false}))) \vee \ldots = \bigvee_{i \geq 0} \phi^i_p(\mathit{false}),$$
$$\mathit{true} \wedge \phi_p(\mathit{true}) \wedge \phi_p(\phi_p(\mathit{true})) \wedge \phi_p(\phi_p(\phi_p(\mathit{true}))) \wedge \ldots = \bigwedge_{i \geq 0} \phi^i_p(\mathit{true}),$$
where $\phi_p(\psi)$ is the result of substituting the formula $\psi$ for $p$ in $\phi$, $\phi^0_p(\psi)$ is $\psi$, and $\phi^{i+1}_p(\psi)$ is $\phi_p(\phi^i_p(\psi))$ for every $i \geq 0$. In particular, if $\phi$ is the formula
$$\neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \mathit{win})\big)$$
where $\mathit{win}$ is a new propositional variable, then the formula $\mathit{WIN}_0$ is just $\phi^0_{\mathit{win}}(\mathit{false})$, the formula $\mathit{WIN}_1$ is equivalent to
$$\phi^1_{\mathit{win}}(\mathit{false}) \equiv \neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \mathit{false})\big),$$
and for every $i \geq 0$ the formula $\mathit{WIN}_{i+1}$ is equivalent to
$$\phi^{i+1}_{\mathit{win}}(\mathit{false}) \equiv \neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \phi^i_{\mathit{win}}(\mathit{false}))\big).$$
Finally, the infinite disjunction $\bigvee_{i \geq 0} \mathit{WIN}_i$ should be equivalent to
$$\mu\,\mathit{win}.\,\phi \equiv \mu\,\mathit{win}.\Big(\neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \mathit{win})\big)\Big).$$
Let us denote the last formula by $\mathit{WIN}$.

The above definition of formulae is too loose. We would like to impose a context-sensitive restriction. In the formulae $(\mu p.\phi)$ and $(\nu p.\phi)$ the range of $\mu p$ and $\nu p$ is the formula $\phi$, and all instances of the variable $p$ in $\phi$ are called bound in $(\mu p.\phi)$ and $(\nu p.\phi)$. An instance of a variable in a formula is called free iff it is not bound. In a formula $(\neg\phi)$ the range of the negation is the formula $\phi$. An instance of a propositional variable in a formula is called positive/negative iff it is located in an even/odd number of negation ranges. The context-sensitive restriction is the following: no bound instance of a propositional variable can be negative. Thus the definition of the syntax of μ-Calculus formulae is complete. But, as usual, we would like to avoid extra parentheses and extend the standard list of priorities: $\neg$, $\langle\ \rangle$, $[\ ]$, $\mu$, $\nu$, $\wedge$, $\vee$, $\to$, $\leftrightarrow$.

2.3 μ-Calculus semantics

The semantics of the μ-Calculus is defined in the same models as EPDL, in terms of the sets of states where formulae are valid. For every model $M = (D_M, I_M)$ let us denote by $M(\phi)$ the set of all states of the model where the formula $\phi$ is valid. The first 6 clauses of the definition deal with EPDL features:
1. for the boolean constants $M(\mathit{true}) = D_M$ and $M(\mathit{false}) = \emptyset$; for every propositional variable $p$, $M(p) = I_M(p)$;
2. for every formula $\phi$, $M(\neg\phi) = D_M \setminus M(\phi)$;
3. for all formulae $\phi$ and $\psi$, $M(\phi \wedge \psi) = M(\phi) \cap M(\psi)$;
4. for all formulae $\phi$ and $\psi$, $M(\phi \vee \psi) = M(\phi) \cup M(\psi)$;
5. for every action variable $a$ and formula $\phi$, $M(\langle a\rangle\phi) = \{s \in D_M : (s, s') \in I_M(a) \text{ and } s' \in M(\phi) \text{ for some state } s' \in D_M\}$;
6. for every action variable $a$ and formula $\phi$, $M([a]\phi) = \{s \in D_M : (s, s') \in I_M(a) \text{ implies } s' \in M(\phi) \text{ for every state } s' \in D_M\}$.
As far as the new features $\mu$ and $\nu$ are concerned, let me define their semantics for finite models only, since this is the major domain for model checking applications:
7. for every formula $\phi$, $M(\mu p.\phi) = \bigcup_{i \geq 0} M(\phi^i_p(\mathit{false}))$,
8. for every formula $\phi$, $M(\nu p.\phi) = \bigcap_{i \geq 0} M(\phi^i_p(\mathit{true}))$.
Let us define the validity relation $\models'_M$ for every formula $\phi$ and state $s$ in the natural way: $s \models'_M \phi$ iff $s \in M(\phi)$. Let us remark also that we can use in the framework of the μ-Calculus the same notation $\models_M$ as in the framework of EPDL, since the following holds.

Proposition 3. The μ-Calculus is a conservative extension of EPDL: $s \models'_M \phi$ iff $s \models_M \phi$, for every EPDL formula $\phi$, model $M$ and state $s$.

In accordance with the definition of μC semantics in finite models, $\mu p.\phi(p)$ and $\nu p.\phi(p)$ really are "abbreviations" for the infinite disjunction $\bigvee_{i \geq 0} \phi^i_p(\mathit{false})$ and conjunction $\bigwedge_{i \geq 0} \phi^i_p(\mathit{true})$. In particular the formula $\mathit{WIN}$ is really equivalent to the infinite disjunction $\bigvee_{i \geq 0} \mathit{WIN}_i$. Hence this formula of the μ-Calculus expresses the existence of winning strategies in finite games of two players. In accordance with Assertion 3, it is not equivalent to any formula of EPDL. These arguments prove the following.

Proposition 4. The μ-Calculus is more expressive than EPDL. A particular example of a μC formula which is not expressible in EPDL is the formula
$$\mathit{WIN} \equiv \mu\,\mathit{win}.\Big(\neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \mathit{win})\big)\Big),$$
which expresses the existence of winning strategies in finite games.

The above formula $\mathit{WIN}$ is not the only μC formula of interest. For example, let us consider another formula
$$\mathit{FAIR} \equiv \nu q.\big([a]q \wedge \mu r.(p \vee [a]r)\big).$$
The sub-formula $\phi \equiv \mu r.(p \vee [a]r)$ of this formula is valid in a model in the states where every infinite $a$-path eventually leads to $p$. A formula $\nu q.([a]q \wedge x)$ is valid in a model in the states where every $a$-path always leads to $x$ ($x$ is a propositional variable). Hence $\mathit{FAIR} \equiv \nu q.([a]q \wedge \phi) \equiv \nu q.\big([a]q \wedge \mu r.(p \vee [a]r)\big)$ is valid in a state of a model iff every infinite $a$-path infinitely often visits states where $p$ holds. An infinite sequence is said to be fair with respect to a property iff the property holds for an infinite number of elements of the sequence. In these terms $\mathit{FAIR}$ holds in a state of a model iff every infinite $a$-path is fair with respect to $p$. For example, a scheduler of CPU time among several permanently resident jobs $\mathit{job}_1, \ldots, \mathit{job}_n$ is fair with respect to a concrete $\mathit{job}_i$ iff it schedules this job for the CPU infinitely often. This fairness can be expressed by the following instance of the formula $\mathit{FAIR}$:
$$\nu q.\big([\mathit{scheduler}]q \wedge \mu r.(\mathit{active}(\mathit{job}_i) \vee [\mathit{scheduler}]r)\big).$$

2.4 Properties of μC semantics

The semantics of formulae as well as the semantics of propositional variables are sets of states. This gives us a new opportunity to consider the semantics of μC formulae as functions which map interpretations of propositional variables into the sets where formulae are valid under the corresponding interpretations. For example, let $\phi$ be a μC formula with a free propositional variable $x$. In every model $M$ we can consider a function
$$\lambda S.\, M_{S/x}(\phi) : \mathcal{P}(D_M) \to \mathcal{P}(D_M)$$
where $M_{S/x}$ is a model which agrees with $M$ everywhere except $x$: $x$ is interpreted as $S$ in $M_{S/x}$. It maps each $S \subseteq D_M$ to $M_{S/x}(\phi) \subseteq D_M$. Let us illustrate this new approach to μ-Calculus semantics by a game example. Let $\phi$ be the formula $\neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \mathit{win})\big)$.

Let $(P, M_A, M_B, F)$ be a finite game of two players and $M = G_{(P, M_A, M_B, F)}$ be the corresponding model. Let $S_0 = \emptyset$ and for every $i \geq 1$ let $S_i$ be the set of all positions where player $A$ has a winning strategy against $B$ with $i$ rounds at most. Since $S_i = G_{(P, M_A, M_B, F)}(\mathit{WIN}_i)$ (Proposition 1) and
$$\mathit{WIN}_{i+1} \equiv \neg\mathit{fail} \wedge \langle\mathit{move}_A\rangle\big(\neg\mathit{fail} \wedge [\mathit{move}_B](\mathit{fail} \vee \mathit{WIN}_i)\big)$$
for every $i \geq 1$, we get $M_{S_i/\mathit{win}}(\phi) = S_{i+1}$ for every $i \geq 0$. For every $i \geq 1$ the natural inclusion $S_i \subseteq S_{i+1}$ holds, since a winning strategy with $i$ rounds at most is automatically a winning strategy with $(i + 1)$ rounds at most. Let us summarize it all as follows:

  argument $S$:                                $\emptyset \subseteq S_1 \subseteq S_2 \subseteq \ldots \subseteq S_i \subseteq \ldots$
  $\lambda S.\,M_{S/\mathit{win}}(\phi)$:       $\downarrow \quad\ \ \downarrow \quad\ \ \downarrow \quad\ \ \ldots \quad\ \ \downarrow$
  result $M_{S/\mathit{win}}(\phi)$:            $S_1 \subseteq S_2 \subseteq S_3 \subseteq \ldots \subseteq S_{i+1} \subseteq \ldots$

As follows from the table, the mapping $\lambda S.\,M_{S/\mathit{win}}(\phi)$ is monotonically non-decreasing on $\{S_i : i \geq 0\}$. This mapping $\lambda S.\,M_{S/\mathit{win}}(\phi)$ has another important fixpoint property: if $S = \bigcup_{i \geq 0} S_i$ then $S$ is a fixed point of $M(\phi)$, i.e. $M_{S/\mathit{win}}(\phi) = S$. Informally speaking, the above equality is very natural: if player $A$ is in a position where he/she has a winning strategy then he/she has a move prior to and after which the game is not lost, but after which every move of the other player $B$ leads to a position where the game is lost or $A$ has a winning strategy.

Are the above monotonicity and fixpoint properties accidental properties of special formulae in special models? Not at all! Monotonicity is a basic property of the μ-Calculus:

Proposition 5. For every model $M$, sets of states $S' \subseteq S''$, propositional variable $p$ and formula $\phi$:
- if $p$ has no negative instances in $\phi$ then $M_{S'/p}(\phi) \subseteq M_{S''/p}(\phi)$,
- if $p$ has no positive instances in $\phi$ then $M_{S'/p}(\phi) \supseteq M_{S''/p}(\phi)$.

This property has very important semantic implications. In particular it leads to a fixpoint characterization of the semantics of $\mu$ and $\nu$:

Proposition 6. For every propositional variable $p$, formula $\phi$ of the μ-Calculus without negative instances of $p$, and model $M = (D_M, (R_M, P_M))$, $M(\mu p.\phi)$ and $M(\nu p.\phi)$ are the least and the greatest fixpoints with respect to subset inclusion $\subseteq$ of the function
$$\lambda S \subseteq D_M.\, M_{S/p}(\phi) : \mathcal{P}(D_M) \to \mathcal{P}(D_M)$$
which maps each $S \subseteq D_M$ to $M_{S/p}(\phi) \subseteq D_M$.

3 Algorithmic problems for the μ-Calculus

3.1 Model checking

Let us return to the Millennium Game Puzzle. In this puzzle we are interested in the set of positions where a winning strategy exists, i.e., in the states of the model $G_{2000/2001}$ where the formula $\mathit{WIN}$ holds. It is a typical model checking problem, but for the μ-Calculus this time. Let us first recall the parameters used for measuring model checking complexity and then formulate a statement about the complexity of this model checking algorithm. If $M = (D_M, (R_M, P_M))$ is a finite model then $d_M$ and $r_M$ are the numbers of states in $D_M$ and edges in $R_M$, and $m_M$ is the overall model size $(d_M + r_M)$. If $\phi$ is a formula then $f_\phi$ is the formula size. In addition, let $n_\phi$ be the $\mu$ and $\nu$ nesting depth of the formula $\phi$. We would like to skip the subscripts of $d$, $r$, $m$, $f$ and $n$ whenever a model and/or a formula are implicit. In contrast to EPDL, the semantics of the μ-Calculus defined in section 2.3 is not a model checking algorithm for the μ-Calculus in finite models, due to the non-efficient semantics of $\mu$ and $\nu$. But thanks to the monotonicity property (Proposition 5), we can revise the semantics of $\mu$ and $\nu$ in finite models as follows:
7'. for every formula $\phi$, $M(\mu p.\phi) = \bigcup_{0 \leq i \leq d_M} M(\phi^i_p(\mathit{false}))$,
8'. for every formula $\phi$, $M(\nu p.\phi) = \bigcap_{0 \leq i \leq d_M} M(\phi^i_p(\mathit{true}))$,
in every finite model $M$. These arguments imply

Proposition 7. The model checking problem for the μ-Calculus in finite models is decidable with an upper time bound $O(m \times f \times d^n)$.

In particular, a computer-aided solution of the Millennium Game Puzzle becomes just technical: implement the above model checking algorithm for the μ-Calculus, code the model $G_{2000/2001}$ and then "plug and play", i.e. model check the formula $\mathit{WIN}$. The only problem is the model size, but abstraction can help us again. In accordance with the revised semantics above, every μC formula $\phi$ in every finite model $M$ is equivalent to some EPDL formula (which just unfolds all fixpoints in $\phi$ $d_M$ times). Hence we have

Proposition 8. For all finite models $M_1$ and $M_2$, $M_1$ is an abstraction of $M_2$ with respect to μC formulae written with the propositional and action variables $Prp$ and $Act$ iff $M_1$ is an abstraction of $M_2$ with respect to EPDL formulae written with the same propositional and action variables.

Combined with Assertion 2, this leads to another, more efficient computer-aided solution of the Millennium Game Puzzle: just model-check the formula $\mathit{WIN}$ in the model $G_{2000}$.

A big or huge model size is not the only critical factor in the upper bound of model checking complexity in the above Proposition 7. This time another critical factor is the exponent, whose power depends on the formula. The problem of how to leap the complexity gap between linear model checking of EPDL (Proposition 2) and exponential model checking of the μ-Calculus (Proposition 7) in finite models is an important research topic. Unfortunately, the best known model checking algorithms for the μ-Calculus in finite models are exponential. For example, a time bound of the Faster Model Checking algorithm (FMC-algorithm) [7] is roughly
$$O(m \times f) \times \left(\frac{m \times f}{a}\right)^{a-1}$$
where the alternating depth $a_\phi$ of a formula $\phi$ is the maximal number of alternating nestings of $\mu$ and $\nu$ with respect to the syntactical dependencies, and is formally defined by induction. A formal definition is out of the scope of the talk due to space limitations. I would like to point out only that the alternating depth is always less than or equal to the nesting depth for every formula: $a_\phi \leq n_\phi$. The best known complexity class for the model checking problem of the μ-Calculus in finite models is $NP \cap co\text{-}NP$ [10], i.e., the problem is not more complicated than checking formulae of the propositional calculus to be a tautology or a satisfiable formula. Due to this reason it seems to be very hard to prove an exponential lower bound for the model checking problem for the μ-Calculus in finite models. Since it is not known whether the problem is complete in NP, it seems to be more realistic to try to find a polynomial model checking algorithm for the μ-Calculus in finite models. At least several expressive fragments of the μ-Calculus which have a polynomial model checking problem for finite models have been identified [10, 1]. As follows from the upper bound for the FMC-algorithm, formulae with a bounded alternating nesting depth form a fragment of this kind.
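As an added example (not code from the paper), the following Python program implements the set-based semantics of section 2.3 with the finite-model iteration 7'/8', and runs it on the abstraction $G_{2000}$ of section 1.4 and on the models $NEG_i$ of section 2.1; the tuple encoding of formulae, the Model class and all function names are my own, and treating a non-existent "same day of the next month" as no move is an assumption.

```python
"""Set-based model checker for the EPDL / mu-calculus fragment used above, run on
the millennium-game abstraction G2000 and on the finite models NEG_i.
Formulas are nested tuples (a hypothetical encoding, not the paper's notation):
('true',), ('false',), ('prop', p), ('not', f), ('and', f, g), ('or', f, g),
('dia', a, f), ('box', a, f), ('mu', p, f), ('nu', p, f)."""
import datetime

class Model:
    """A labelled transition system: states D_M, props P_M, actions R_M."""

    def __init__(self, states, props, acts):
        self.states = frozenset(states)
        self.props = {p: frozenset(s) for p, s in props.items()}
        self.acts = {a: frozenset(r) for a, r in acts.items()}

    def dia(self, a, target):  # <a>target: some a-successor lies in target
        return frozenset(s for s, t in self.acts[a] if t in target)

    def box(self, a, target):  # [a]target: no a-successor leaves target
        return self.states - frozenset(s for s, t in self.acts[a] if t not in target)

def sem(model, f, env=None):
    """Set of states where f holds: clauses 1-6 of section 2.3, with 7'/8' iterated."""
    env = env or {}
    op = f[0]
    if op == 'true':
        return model.states
    if op == 'false':
        return frozenset()
    if op == 'prop':  # a bound variable shadows the model's own interpretation
        return env[f[1]] if f[1] in env else model.props.get(f[1], frozenset())
    if op == 'not':
        return model.states - sem(model, f[1], env)
    if op in ('and', 'or'):
        left, right = sem(model, f[1], env), sem(model, f[2], env)
        return left & right if op == 'and' else left | right
    if op in ('dia', 'box'):
        return getattr(model, op)(f[1], sem(model, f[2], env))
    if op in ('mu', 'nu'):  # least fixpoint climbs from false, greatest descends from true
        start = frozenset() if op == 'mu' else model.states
        return fixpoint_stages(model, f[1], f[2], start, env)[-1]
    raise ValueError('unknown connective %r' % (op,))

def fixpoint_stages(model, p, body, start=frozenset(), env=None):
    """Approximants start, body[start/p], body[body[start/p]/p], ... up to the first
    repeat; by monotonicity (Proposition 5) at most |D_M| steps are needed (7', 8')."""
    env = env or {}
    stages = [start]
    while True:
        nxt = sem(model, body, {**env, p: stages[-1]})
        if nxt == stages[-1]:
            return stages
        stages.append(nxt)

def win_body(var, move_a='move', move_b='move'):
    """not fail and <move_A>(not fail and [move_B](fail or var)), var = WIN_i or win."""
    fail = ('prop', 'fail')
    return ('and', ('not', fail),
            ('dia', move_a, ('and', ('not', fail), ('box', move_b, ('or', fail, var)))))

def win_n(n):
    """EPDL formula WIN_n by unfolding: WIN_0 = false, WIN_{i+1} = body[WIN_i / win]."""
    f = ('false',)
    for _ in range(n):
        f = win_body(f)
    return f

WIN = ('mu', 'win', win_body(('prop', 'win')))  # the mu-calculus formula WIN

def neg_model(i):
    """NEG_i: states 0, -1, ..., -i; fail holds at 0 only; move is the successor."""
    return Model(range(-i, 1), {'fail': {0}}, {'move': {(x, x + 1) for x in range(-i, 0)}})

def millennium_model():
    """G2000: the 366 dates of 2000 plus the special fail state '2001' (section 1.4).
    Assumption: a non-existent 'same day of the next month' (31 February) is no move."""
    dates = [datetime.date(2000, 1, 1) + datetime.timedelta(days=i) for i in range(366)]
    move = set()
    for d in dates:
        y, m = (d.year, d.month + 1) if d.month < 12 else (d.year + 1, 1)
        targets = [d + datetime.timedelta(days=1)]
        try:
            targets.append(datetime.date(y, m, d.day))
        except ValueError:
            pass  # that day does not exist in the next month
        for t in targets:
            move.add((d, t if t.year == 2000 else '2001'))  # every 2001 date collapses
    return Model(set(dates) | {'2001'}, {'fail': {'2001'}}, {'move': move})

def rounds_to_win(stages, s):  # first approximant containing s = rounds A needs; None if never
    return next((i for i, stage in enumerate(stages) if s in stage), None)

def rounds_for_date(stages, month, day):  # same, for the date (2000, month, day) of G2000
    return rounds_to_win(stages, datetime.date(2000, month, day))
```

Running `fixpoint_stages(millennium_model(), 'win', win_body(('prop', 'win')))` yields the chain $S_0 \subseteq S_1 \subseteq \ldots$ of section 2.4, and `rounds_for_date` reports at which approximant a date enters it, i.e. how many rounds Alice needs from that date, so the 12-rounds hypothesis of section 1.4 can be tested directly.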

Problem 1. (a) Describe new fragments of the μ-Calculus with polynomial model checking in finite models. (b) Prove a polynomial upper or an exponential lower time bound for model checking the μ-Calculus in finite models.

3.2 Decidability and Axiomatizations

Decidability is another important algorithmic problem. The problem is how to check whether a given formula of the μ-Calculus is valid in all models. It is known that it is possible to check validity not in all models but in all finite models only, due to the so-called finite-model property of μ-Calculus formulae: a formula is satisfiable in a model iff it is satisfiable in a finite model [26, 11]. But this reduction does not make the problem trivial! Moreover, the reduction itself is just a corollary of the decidability of the μ-Calculus with an exponential upper bound. In principle, exponential decidability for this logic can be proved by means of an automata-theoretic technique [31, 11]. This and other impressive applications of the automata-theoretic technique led the program logic community to the opinion [32] that the automata-theoretic approach is the unique paradigm for proving decidability for complicated propositional program logics. In spite of this opinion, successful applications of another technique called the Program Scheme Technique (PST) were reported several times. This technique [26] is a powerful approach for proving decidability of program logics. It is a completely self-contained, automata-free technique yielding one-exponential upper time bounds. A revised version of the Program Scheme Technique is presented in the paper [27]. In brief, it is sketched below in the next subsections 3.3, 3.4, and 3.5.

A more complicated algorithmic problem for the μ-Calculus is axiomatization in general, and how to axiomatize the μ-Calculus based on PST in particular. In this context we would like to remark that in the paper [17] a natural sound axiomatization for the μ-Calculus was proposed, but the completeness of the axiomatization was proved for a fragment of this logic only⁷. The completeness problem for the μ-Calculus was an open problem for 10 years. Finally it was solved by I. Walukiewicz in 1993 [32, 33, 34] on the basis of the theory of infinite games and the theory of automata on infinite trees. Nevertheless the completeness proof is very complicated and any simplification suggestions are welcome!

Problem 2 A complete axiomatization of the μ-Calculus made easy.

3.3 Generalized Halting Assertions

We would like to define an auxiliary logic, which we refer to as Second-Order Propositional Dynamic Logic (SOPDL). The syntax of SOPDL is constructed from the same alphabets Prp and Act as the syntax of μC. It consists of program schemata and formulae. In brief, program schemata are nondeterministic flowcharts with a fixed single program variable (which can be omitted), with program symbols instead of monadic function symbols in assignments and boolean combinations of propositional variables instead of predicate symbols in conditions. The syntax of SOPDL formulae is very similar to the syntax of μC formulae, but it uses program schemata instead of program symbols, additional reachability modalities, and strong and weak quantifiers instead of fixpoints:

$$
\ldots \mid \underbrace{([\alpha]\phi) \mid (\langle\alpha\rangle\phi)}_{\text{schemata modalities}} \mid \underbrace{(\Box\phi) \mid (\Diamond\phi)}_{\text{reachability modalities}} \mid \underbrace{(\exists p.\,\phi) \mid (\forall p.\,\phi)}_{\text{strong quantifiers}} \mid \underbrace{(\exists_f p.\,\phi) \mid (\forall_f p.\,\phi)}_{\text{weak quantifiers}}
$$

where p, α and φ stand for a propositional variable, a scheme and a formula. The semantics of SOPDL is defined in the same models as the semantics of μC. The semantics of program schemata in models are input-output binary relations on states, which can be defined in different but equivalent manners [15, 16]. For a program scheme α the semantics of the associated modalities [α] and ⟨α⟩ is the same as for the usual EPDL modalities [a] and ⟨a⟩ (where a is an action variable), but with respect to the input-output semantics of α instead of the interpretation of a. The modalities □/◇ read "in every/some reachable state", where reachability refers to the graph representation of models. The semantics of the quantifiers is straightforward from their names: "for every/some interpretation of a propositional variable as a (finite) set of states".

We are especially interested in the class of Herbrand Models. All Herbrand Models have a fixed domain and a fixed interpretation of the action variables Act, while the interpretation of the propositional variables Prp can vary. The Herbrand Domain D_H is Act*, the set of words over Act. It can be presented as a full infinite n-fold tree. The Herbrand Interpretation R_H of every monadic function symbol f is the total function R_H(f): D_H → D_H such that R_H(f)(w) = fw for every w ∈ Act*. For example, the Herbrand Domain and Herbrand Interpretation for Act = {f, g} are depicted in Fig. 3. A scheme is said to be free iff every path in the scheme is consistent with some model. A (generalized) halting assertion is a formula (Q p)(⟨α⟩true), where (Q p) is a quantifier prefix and α is a program scheme.

Figure 3: D_H and R_H for Act = {f, g} (the tree drawing is not reproduced here)

Proposition 9 The validity problem in Herbrand Models for generalized halting assertions with free schemata is decidable with an exponential upper bound.

⁷ Some mathematicians use the term calculus for systems defined syntactically by axioms, rewriting rules, etc., not semantically like logics or algebras, i.e. by validity in models, equalities, etc. For example, the λ-Calculus is defined syntactically by means of an equational axiomatization or in terms of α- and β-reductions, while First-Order Logic is usually defined semantically in terms of validity of formulae in models. From the viewpoint of this conventional terminology, the μ-Calculus in this paper is rather a logic than a calculus.

3.4 Games with fairness constraints

The background idea of proposition 9 is:

• reduce the problem to the problem of a winning strategy in finite games with fairness constraints;
• solve this game-theoretic problem by means of model checking a special formula of μC in the corresponding model.

A fairness constraint for a finite game (P, M_A, M_B, F) is a property of positions, i.e., it holds in some positions and does not hold in others. A finite game with fairness constraints is a tuple (P, M_A, M_B, F, C) where (P, M_A, M_B, F) is a finite game, while C is a finite set of fairness constraints. Fairness constraints prohibit sessions where some constraint holds infinitely often. (In contrast, fairness conditions prohibit sessions where some condition holds finitely often only.) The following Traveling Couple Puzzle can be presented as a game with fairness constraints.

• A Country consists of major cities and small towns connected by a one-way road network. Every road has either scenic views or (exclusively) a shopping center. Some towns have either a historic site or (exclusively) a movie theater. All other towns have a police station or (exclusively) traffic jams. A family couple is traveling around the Country; Husband would like to reach the Capital, while Wife has no desired destination. Every time they are in a city, they discuss their further road preferences in turns: 1. Wife defines roads after historic sites, 2. Husband defines roads after police stations, 3. Wife defines roads after movie theaters, 4. Husband defines roads after traffic jams. Then the couple moves through the road network in accordance with their preferences until they reach a city again. Husband and Wife are free in their preferences, but they can select roads with shopping centers after visiting towns with movie theaters or police stations finitely many times at most. Problem: From which cities can the couple eventually reach the Capital while carrying out all their preferences along the trip?

This puzzle can be presented as a finite game between Husband and Wife with a single fairness constraint: the couple is in a shopping center located on a road from a town with a movie theater or a police station. Let me explain how to reduce to the Traveling Couple Puzzle the validity problem in Herbrand Models for a generalized halting assertion

$$
\forall h_c.\ \exists_f p_s.\ \forall_f m_t.\ \exists t_j.\ \langle\alpha\rangle true
$$

with a free scheme α and propositional variables h_c, p_s, m_t, and t_j. We can adopt in the free scheme α

• the exit label as the Capital,
• all assignments as major cities,
• all tests with condition h_c as towns with a historic site,
• all tests with condition p_s as towns with a police station,
• all tests with condition m_t as towns with a movie theater,
• all tests with condition t_j as towns with a traffic jam,
• all then alternatives as roads with shopping centers,
• all else alternatives as roads with scenic views.

In these settings finite interpretations for m_t and p_s correspond to finite selections of shopping centers located on roads from towns with movie theaters or police stations. We have discussed a formula WIN for winning strategies in finite games and a formula FAIR which expresses that every infinite sequence generated by an action variable is fair with respect to a property presented by a propositional variable. It is possible (similar to model checking of fair executions in [6]) to combine the formulae WIN and FAIR into a single formula FAIRWIN, which is valid in those positions of (P, M_A, M_B, F) where player A has a winning strategy against the counterpart B for sessions which meet the fairness constraints C [28]. Thus the validity in Herbrand Models of the assertion ∀h_c. ∃_f p_s. ∀_f m_t. ∃t_j. ⟨α⟩true can be checked by model checking the formula FAIRWIN in positions of the finite game which corresponds to the Traveling Couple Puzzle.

3.5 Program Schemata Technique

Proposition 10 The μ-Calculus is decidable with an exponential upper bound.

Really, the decidability problem for μC can be reduced to the validity problem for μC in Herbrand Models. This fact has been proved in [26] and is closely related to the so-called tree model property [31]. At the same time, all μC formulae are equivalent to some SOPDL formulae, since fixpoints are expressible in terms of second-order quantification as

$$
(\mu p.\,\phi) \leftrightarrow (\forall p.\,(\Box(\phi \to p) \to p)) \quad\text{and}\quad (\nu p.\,\phi) \leftrightarrow (\exists p.\,(\Box(p \to \phi) \wedge p)).
$$

But SOPDL can be decided in Herbrand Models in exponential time. Let us consider the following overall example. A formula (⟨a⟩true ∨ [a]¬false) is valid in all models iff ∀h. (⟨f*;g⟩h ∨ [f*;g]¬h) is. Validity of the last formula can be encoded by schemata halting in Herbrand Models as follows⁸ in Fig. 4. In this example p, m and t are new propositional variables, A? stands for a scheme which halts iff A holds, and structured operations for sequential composition (;), deterministic choice (if ? then ? else ?) and deterministic loop (while ? do ?) are in use. The final formula has the form ∀h_c. ∃_f p_s. ∀_f m_t. ∃t_j. ⟨α⟩true, which was discussed in subsection 3.4. Hence the validity problem in Herbrand Models for this generalized halting assertion can be interpreted as a particular instance of the Traveling Couple Puzzle and solved by model checking the formula FAIRWIN in the corresponding finite game.

$$
\begin{array}{c}
\forall h.\ (\langle f^*;g\rangle h \vee [f^*;g]\neg h) \\
\Updownarrow \\
\forall h.\ (\langle f^*;g\rangle\langle h?\rangle true \vee [f^*;g]\langle\neg h?\rangle true) \\
\Updownarrow \\
\forall h.\ (\exists_f p.\ (\langle \mathbf{while}\ p\ \mathbf{do}\ f;\ g\rangle\langle h?\rangle true) \vee \forall_f m.\ (\langle \mathbf{while}\ m\ \mathbf{do}\ f;\ g\rangle\langle\neg h?\rangle true)) \\
\Updownarrow \\
\forall h.\ (\exists_f p.\ (\langle \mathbf{while}\ p\ \mathbf{do}\ f;\ g;\ h?\rangle true) \vee \forall_f m.\ (\langle \mathbf{while}\ m\ \mathbf{do}\ f;\ g;\ \neg h?\rangle true)) \\
\Updownarrow \\
\forall h.\ \exists_f p.\ \forall_f m.\ \exists t.\ \langle \mathbf{if}\ t\ \mathbf{then}\ (\mathbf{while}\ p\ \mathbf{do}\ f;\ g;\ h?)\ \mathbf{else}\ (\mathbf{while}\ m\ \mathbf{do}\ f;\ g;\ \neg h?)\rangle true
\end{array}
$$

Figure 4: Program Schemata Technique encoding

⁸ The given name Program Schemata Technique is due to this encoding.

4 Program Logics in General

4.1 What are "Program Logics"?

All the logics which we have discussed so far are Elementary Propositional Dynamic Logic and the μ-Calculus. An experienced mathematician can remark that EPDL is just a polymodal variant of the classical and basic modal logic K [3], and that the μ-Calculus is just a polymodal variant of μK, i.e. K extended by fixpoints. Really, in terms of EPDL, K is a variant of EPDL with a unique action variable. Since in this case the name of this variable is not important, it is possible to omit the variable in formulae and write □ and ◇ instead of [...] and ⟨...⟩ respectively. These "new" modalities are read "box" or "always" and "diamond" or "sometimes". In particular, the formulae win_i (i ≥ 0) for positions in the millennium game where Alice has an at most i-round winning strategy are all formulae of K and can be rewritten in □ and ◇ notation as win_0 ≡ false and win_{i+1} ≡ ¬fail ∧ ◇(¬fail ∧ □(fail ∨ win_i)) for every i ≥ 1. In this notation the following formula μwin. ¬fail ∧ ◇(¬fail ∧ □(fail ∨ win)) of μK characterizes the set of all game positions where Alice has a winning strategy. So it is really reasonable to consider EPDL as a polymodal variant of the modal logic K and the μ-Calculus as a polymodal variant of μK. Why do people call them Program Logics? And why do we give non-mathematical names to them? The answers are quite simple. Program logics are modal logics used in software and hardware verification and specification for reasoning about programs. In the 1980s program logics comprised

• dynamic logics [15, 18, 16],
• temporal logics [29, 9],

and their extensions by means of fixpoints. EPDL is the simplest dynamic logic; μC is a very expressive extension of EPDL by the fixpoints μ and ν. Temporal logics are fragments of μC with a single action variable next for discrete next-time. A more recent addition to the family of program logics is the logic of knowledge [12]. The utility of this logic for applications is that it provides a language which formalizes notions used informally in reasoning about multi-agent systems when a pure dynamic/temporal approach is not very convenient. The "given names" of program logics are sometimes traditional and closely related to their mathematical names⁹; sometimes they are invented with respect to intuition about the verification and specification application domain¹⁰. The situation with "given names" is quite similar to the situation with the generic name of models for program logics: some researchers prefer the mathematical name Kripke structures while others prefer the application-oriented name labeled transition system. What is better? Up to you!
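As an added illustration of the model checking algorithm behind Proposition 7, the unfolding of Proposition 8 and the formula μwin. ¬fail ∧ ◇(¬fail ∧ □(fail ∨ win)) of this subsection, here is a naive Python model checker written for this page (it is not code from the paper or from any tool it cites). The game graph, its state names and the action name move are constructed assumptions, not the paper's model G_2000.

```python
from dataclasses import dataclass, field

# Finite model: states, interpretation of propositional variables (Prp) as sets of
# states, interpretation of action variables (Act) as binary relations on states.
@dataclass(frozen=True)
class Model:
    states: frozenset
    prp: dict = field(default_factory=dict)   # variable name -> frozenset of states
    act: dict = field(default_factory=dict)   # action name -> frozenset of (s, t) pairs

# Formulas are nested tuples; these constructors are the only syntax needed here.
TRUE, FALSE = ('true',), ('false',)
def P(name):   return ('p', name)
def NOT(f):    return ('not', f)
def AND(f, g): return ('and', f, g)
def OR(f, g):  return ('or', f, g)
def BOX(a, f): return ('box', a, f)   # [a]f
def DIA(a, f): return ('dia', a, f)   # <a>f
def MU(x, f):  return ('mu', x, f)    # least fixpoint mu x.f
def NU(x, f):  return ('nu', x, f)    # greatest fixpoint nu x.f

def check(m, f, env=None):
    """Set of states of the finite model m where f holds; env holds the current
    approximation of every enclosing fixpoint variable."""
    env = env or {}
    op = f[0]
    if op == 'true':  return m.states
    if op == 'false': return frozenset()
    if op == 'p':     return env[f[1]] if f[1] in env else m.prp[f[1]]
    if op == 'not':   return m.states - check(m, f[1], env)
    if op == 'and':   return check(m, f[1], env) & check(m, f[2], env)
    if op == 'or':    return check(m, f[1], env) | check(m, f[2], env)
    if op in ('box', 'dia'):
        target = check(m, f[2], env)
        succ = {s: {t for (u, t) in m.act[f[1]] if u == s} for s in m.states}
        if op == 'dia':
            return frozenset(s for s in m.states if succ[s] & target)
        return frozenset(s for s in m.states if succ[s] <= target)
    if op in ('mu', 'nu'):
        x, body = f[1], f[2]
        cur = frozenset() if op == 'mu' else m.states
        # Iterate the body from false (mu) or true (nu): the operator is monotone on a
        # lattice of height d_M = |states|, so the chain is stable after d_M rounds.
        for _ in range(len(m.states) + 1):
            nxt = check(m, body, {**env, x: cur})
            if nxt == cur:
                break
            cur = nxt
        return cur
    raise ValueError(f'unknown operator {op}')

def subst(f, x, g):
    """f with free occurrences of the variable x replaced by the formula g."""
    if f[0] == 'p':
        return g if f[1] == x else f
    if f[0] in ('mu', 'nu') and f[1] == x:   # x is rebound below, nothing to do
        return f
    return (f[0],) + tuple(subst(a, x, g) if isinstance(a, tuple) else a for a in f[1:])

def unfold(f, d):
    """Fixpoint-free (EPDL) formula equivalent to f in every model with at most d
    states: each fixpoint is unfolded d times, the reduction behind Proposition 8."""
    if f[0] in ('mu', 'nu'):
        x, body = f[1], unfold(f[2], d)
        approx = FALSE if f[0] == 'mu' else TRUE
        for _ in range(d):
            approx = subst(body, x, approx)
        return approx
    return (f[0],) + tuple(unfold(a, d) if isinstance(a, tuple) else a for a in f[1:])

# Constructed game graph (an assumption, not the paper's G_2000): positions a..g, one
# action 'move' used by both players in turn, and 'fail' marking positions that are
# lost for the player who moved into them, as the win_i formulas read it.
GAME = Model(
    states=frozenset('abcdefg'),
    prp={'fail': frozenset('f')},
    act={'move': frozenset([('a', 'b'), ('a', 'c'), ('b', 'f'), ('c', 'd'),
                            ('c', 'e'), ('d', 'f'), ('e', 'a'), ('g', 'e')])},
)
FAIL = P('fail')

def win_body(win):
    # not fail and <move>(not fail and [move](fail or win)): Alice has a move to a
    # non-failing position from which every reply of Bob fails or lands in win.
    return AND(NOT(FAIL), DIA('move', AND(NOT(FAIL), BOX('move', OR(FAIL, win)))))

WIN = MU('win', win_body(P('win')))                  # mu win. ... from Section 4.1
SAFE = NU('x', AND(NOT(FAIL), BOX('move', P('x'))))  # nu x. not fail and [move]x

def win_i(m, i):
    """Positions with an at most i-round winning strategy: win_0 = false and
    win_{i+1} = win_body(win_i), evaluated without any fixpoint."""
    f = FALSE
    for _ in range(i):
        f = win_body(f)
    return check(m, f)
```

On this graph the winning positions are a, c and g: from g Alice moves to e, Bob is forced to a, Alice moves to b and Bob's only move fails, a 2-round strategy that win_1 misses and win_2 finds; `check(GAME, unfold(WIN, 7))` returns the same set as the fixpoint formula.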

4.2 Why should we know program logics?

The role of Formal Methods in the development of computer hardware and software increases as systems become more complex and require more effort for their specification and verification. A logical approach to verification and specification comprises the following choices:

• a specification language for presenting properties,
• a formal proving technique for the specified properties.

Specification languages which are in use for presenting properties range from propositional to higher-order logics, while the proving technique is either model checking (a semantical approach) or deductive reasoning (a syntactical approach). It is possible (in principle) to construct a complete first-order axiomatization for each finite model and then try to prove a desired property (semi)automatically by means of any available logical framework [2, 21, 8]. But this purely deductive approach is sometimes not practical for complexity reasons. Let us consider a finite model of moderate size with approximately 100,000 states. If it has a "clear" structure then it is reasonable to try to "catch" the model as a whole by means of a sound axiomatization and then to try to prove a desired property in a (semi)automatic style. But if a model has a "vague" structure which can be generated automatically (e.g. all possible configurations of a "small" distributed system) then it is reasonable to apply an automatic model checker to the generated system and a desired property presented as a formula of a propositional program logic. In this case decidability and complexity issues of model checking for a particular logic arise. The choice of an efficient model checking algorithm and an implementation problem follow. Efficiency issues become more important as soon as model checking is applied to huge models with, say, 10^100 states, since the problem of representing large sets arises.

I would like to give some recommendations on further reading on program logics. Some books and special chapters of handbooks can be recommended for those who are interested in the theory of program logics¹¹: first [12], then [15, 16, 29, 18, 9] (in any order). There are also several books which discuss pragmatics and applications of program logics. A comprehensive survey (from an implementation perspective) of automatic model checking techniques and applications is given in [6]. The temporal logic approach to specification and to manual deductive verification of reactive and concurrent systems is presented in [19, 20].

⁹ E.g., temporal is a program logic, while tense is a basic one.
¹⁰ E.g., dynamic is a program logic, while K is a basic one.

4.3 People and ideas in program logics

Program logics became a legitimate part of theoretical computer science and an essential element of information processing culture in the mid 1970s [15, 29, 18, 9]. A decade later, in the mid 1980s, they were adopted by the formal methods community as a convenient framework for specifying and reasoning about properties of a broad class of systems which can be presented or simulated by computer programs [19, 20, 12, 6]. Thus it is absolutely natural to pay tribute to some people whose research were milestones in the history of program logics.

Program logics as a special research domain were launched by V.R. Pratt in 1976 when he suggested First-Order Dynamic Logic [23]. He realized that Hoare-Dijkstra weakest pre-conditions are modalities and incorporated weakest pre-conditions into first-order logic as follows: for a program α and a postcondition φ let ([α]φ) be a formula which is valid in a state iff every computation of α starting in this state either diverges or terminates in another state where φ holds. Thus we can celebrate the 25th anniversary of program logics this year. A decidable propositional variant of dynamic logic, the Propositional Dynamic Logic, was suggested by M.J. Fisher and R.E. Ladner in 1997 [13]. A couple of years later K. Segerberg developed a sound and complete axiomatization for this logic.

A. Pnueli was the first who proposed to use temporal logic for reasoning about programs [22]. His approach to the specification of concurrent and reactive systems is now well developed [19], as is a manual deductive methodology for proving special properties [20]. This approach consists in proving properties of a program from a set of axioms that describe the behavior of the individual statements and problem-oriented inductive proof principles. Since it is a deductive approach where proofs are constructed by hand, the technique is often difficult to automate and use in practice.

Part of the reason for the further success of program logics is automatic model checking of specifications expressed in propositional-level temporal logics for finite state systems [6]. Branching temporal logic CTL and polynomial model checking algorithms were developed as a new mathematical background for a new verification methodology for finite state systems by E.M. Clarke and E.A. Emerson [5], and by J.-P. Queille and J. Sifakis [24], in the early 1980s. An improved model checking algorithm for CTL was implemented in the EMC model checker, which was able to treat models with up to 100,000 states. In the late 1980s model checking researchers, encouraged by the polynomial complexity of model checking for CTL in finite models and by the success of model checking verification experiments for systems of moderate size, moved on to further research topics, such as model checking for more expressive program logics (like the μ-calculus) in huge finite (10^20 states and far beyond) and infinite models. As far as the handling of huge finite models is concerned, the advantage of Ordered Binary Decision Diagrams (OBDD) was realized in 1987-92 [4]. OBDDs provide a canonical form for boolean formulas that is often more compact than conjunctive or disjunctive normal form, and very efficient dynamic algorithms have been developed and implemented for manipulating them. The most popular modern model checker SMV was implemented by combining the CTL model checking algorithm with a symbolic representation of finite models. The most recent versions of SMV for UNIX, Linux and Windows95 are freely available for download [35].

The propositional μ-Calculus was suggested by D. Kozen in 1983 [17] as a logic which can combine and unify propositional dynamic and temporal logics due to its expressive power. As I mentioned before, several complete axiomatizations were developed by I. Walukiewicz in the 1990s [32, 33, 34] on the basis of the theory of infinite games and the theory of automata on infinite trees.

A complete survey of program logics is out of the scope of this talk. Only some propositional program logics were discussed in the talk, while first-order program logics were mentioned only in the brief historic survey above. Due to time limitations, there is no room for more details on the theory, utility, and history of program logics. Nevertheless I would like to list more people who have contributed to the theory and methodology of program logics¹²: D. Harel, J. Halpern, L. Lamport, Z. Manna, R. Parikh, J. Tiuryn, M. Vardi, etc. I would like to remark also that the most recent achievement in the theory of program logics is a sound and complete axiomatization for the full branching time temporal logic CTL* by M. Reynolds [25].

¹¹ Especially for those who do not have a special logical background.
¹² It is not a complete list and, of course, it represents a personal viewpoint.

4.4 Program Logics: Russian Chapter

In this talk I have not mentioned till now any paper or research on program logics which was done in the Soviet Union and in Russia¹³. This can mislead one to the opinion that researchers from the former Soviet Union have not contributed to this domain, that they are newcomers or strangers. That is an absolutely wrong conclusion, because it is based on incomplete information. Up to this moment I was concerned with the presentation of the main concepts, some important results and problems, and several of my related results. Due to space limitations, I did not pretend to give a comprehensive survey of the theory of program logics, of program logics applications, or of the history of program logics. Now it is high time for some comments on program logic research in the former Soviet Union. It is also my moral duty to pay tribute to my teachers, advisers, colleagues and some outstanding Russian-speaking scholars who contributed to the program logics research domain.

First I should mention Viktor M. Glushkov (Kiev). He suggested in the mid 1960s so-called Algorithmical Algebras for deterministic programs. From the program logics point of view, Algorithmical Algebras are algebraic models for the deterministic version of Propositional Dynamic Logic. Later, in the early 1970s, Alexey L. Semenov (Moscow) proved exponential decidability of identities for these algebras, i.e., in terms of program logics, decidability of the deterministic variant of PDL. Maybe part of the reason why Algorithmical Algebras had not become well-known outside the Russian-reading scientific community and stagnated in the late 1970s was as follows: it had not been realized that

• Algorithmical Algebras are models of a propositional modal logic for reasoning about deterministic programs,
• the scalar product (α · φ) in Algorithmical Algebras is the Hoare-Dijkstra weakest pre-condition [α]φ.

But the main reason for the stagnation of research on Algorithmical Algebras was the appearance of program logics in general and dynamic logics in particular in the second half of the 1970s. Problems in this new research domain attracted the attention of several researchers in the USSR. Mars K. Valiev (Novosibirsk/Moscow) suggested a deterministic version of Propositional Dynamic Logic, proved exponential decidability and axiomatized it in 1977. Mikhail A. Taisclin (Novosibirsk/Alma-Ata/Tver) and his Ph.D. student Alexey P. Stolboushkin (Alma-Ata) examined in 1980-90 the expressive power of first-order dynamic logics with non-deterministic imperative programs, deterministic imperative programs, non-deterministic recursive (call-by-name) programs, and deterministic recursive (call-by-name) programs. Valery A. Nepomniaschy (Novosibirsk) and I (his former Ph.D. student) developed in 1983-90 the Program Schemata Technique for several variants of Propositional Dynamic Logic.

Space and time limitations do not give me any chance to present details of the research of my compatriots and colleagues. Nevertheless I am very interested in promoting cooperation and collaboration between researchers from the former Soviet Union and from other countries in general, and with Korea in particular. Especially if this cooperation and collaboration does not transform into a trivial brain-drain. From my personal point of view, joint research, workshops, conferences and visit exchanges are much better and more beneficial for the international scientific community than hiring specialists from the impoverished "Commonwealth of Independent States". It is much better, because collaboration can utilize the potential of well-established research schools and traditions founded by outstanding computer scientists and logicians like Viktor M. Glushkov (Kiev), Boris A. Trakhtenbrot (Novosibirsk/Tel-Aviv), Andrey P. Ershov (Novosibirsk), Anatolij I. Mal'tsev (Novosibirsk), Andrey N. Kolmogorov (Moscow), Alexei A. Lyapunov (Moscow/Novosibirsk), etc. In contrast, a brain-drain "cooperation" will lead to stagnation and eventually perish these schools and traditions.

Maybe the simplest way to start cooperation with scientists from the former USSR is to participate in some international conference organized somewhere in the Commonwealth of Independent States. In this case you will have an opportunity to form your own opinion about the spectrum of ongoing research. In particular, I would like to draw your attention to 3 forthcoming international conferences related to Computer Science which will take place in the second half of 2001 in Novosibirsk. Participants are welcome! The first conference is the Andrei Ershov Fourth International Conference on Perspectives of System Informatics PSI'01 (2-6 July 2001, Novosibirsk, Russia) [36].

¹³ Except some of my own results on μC decidability and model checking [1, 26].
The first three conferences were held in Novosibirsk in 1991, 1996, and 1999 and proved to be significant international events. Papers presented at the Conference are expected to be published by Springer-Verlag in the Lecture Notes in Computer Science series. One can find the Proceedings of the previous two conferences in LNCS, v.1181 and 1755. A report on the previous conference can be found in the Bulletin of EATCS, n. 69 (October 1999). Another conference is the Sixth International Conference Parallel Computing Technologies PaCT-2001 (3-7 September 2001, Novosibirsk, Russia) [37]. Five previous conferences have been held in Novosibirsk (1991), Obninsk (1993), St. Petersburg (1995), Yaroslavl (1997) and St. Petersburg (1999). The Conference Proceedings are also planned to be published as a volume of Springer-Verlag Lecture Notes in Computer Science. Proceedings of the last three conferences were published in LNCS, v.964, 1277 and 1662. The third conference is the Conference devoted to the 90th anniversary of Alexei A. Lyapunov (Novosibirsk, Russia, 8-11 October 2001) [38]. Maybe few people outside the former Soviet Union know who Alexei A. Lyapunov is and what his contribution to Computer Science is. A.A. Lyapunov is among the three Soviet citizens awarded the golden medal "Computer Pioneer" of the IEEE Computer Society. The legend on the opposite side of the medal reads: "The Computer Society recognizes Alexei A. Lyapunov as the founder of the Soviet cybernetics and programming". It is also remarkable that he was in 1952-1956 the adviser of Iu.I. Ianov, the author of the first Ph.D. Thesis on Theoretical Computer Science. In contrast to PSI'01 and PaCT-2001, this conference is not a serial event, the proceedings will be published in the electronic journal Computational Technologies [39], and (most importantly) the deadline for paper submissions has not passed yet.

References

[1] Berezine S.A., Shilov N.V. An approach to effective model-checking of real-time finite-state machines in Mu-Calculus. Lecture Notes in Computer Science, v.813, 1994, p.47-55.
[2] Boyer R.S., Moore J.S. A Computational Logic. Academic Press, 1979.
[3] Bull R.A., Segerberg K. Basic Modal Logic. Handbook of Philosophical Logic, v.II, Reidel Publishing Company, 1984 (1st ed.), Kluwer Academic Publishers, 1994 (2nd ed.), p.1-88.
[4] Burch J.R., Clarke E.M., McMillan K.L., Dill D.L., Hwang L.J. Symbolic Model Checking: 10^20 states and beyond. Information and Computation, v.98, n.2, 1992, p.142-170.
[5] Clarke E.M., Emerson E.A. Design and Synthesis of synchronization skeletons using Branching Time Temporal Logic. Lecture Notes in Computer Science, v.131, 1982, p.52-71.
[6] Clarke E.M., Grumberg O., Peled D. Model Checking. MIT Press, 1999.
[7] Cleaveland R., Klein M., Steffen B. Faster Model-Checking for Mu-Calculus. Lecture Notes in Computer Science, v.663, 1993, p.410-422.
[8] Crow J., Owre S., Rushby J., Shankar N., Srivas M. A tutorial introduction to PVS. http://www.csl.sri.com/sri-csl-fm.html
[9] Emerson E.A. Temporal and Modal Logic. Handbook of Theoretical Computer Science, v.B, Elsevier and The MIT Press, 1990, p.995-1072.
[10] Emerson E.A., Jutla C.S., Sistla A.P. On model-checking for fragments of Mu-Calculus. Lecture Notes in Computer Science, v.697, 1993, p.385-396.
[11] Emerson E.A., Jutla C.S. The Complexity of Tree Automata and Logics of Programs. SIAM J. Comput., v.29, n.1, 1999, p.132-158.
[12] Fagin R., Halpern J.Y., Moses Y., Vardi M.Y. Reasoning about Knowledge. MIT Press, 1995.
[13] Fisher M.J., Ladner R.E. Propositional dynamic logic of regular programs. J. Comput. System Sci., v.18, n.2, 1979, p.194-211.
[14] Harel D. First-Order Dynamic Logic. Lecture Notes in Computer Science, v.68, 1979.
[15] Harel D. Dynamic Logic. Handbook of Philosophical Logic, v.II, Reidel Publishing Company, 1984 (1st ed.), Kluwer Academic Publishers, 1994 (2nd ed.), p.497-604.
[16] Harel D., Kozen D., Tiuryn J. Dynamic Logic. MIT Press, 2000.
[17] Kozen D. Results on the Propositional Mu-Calculus. Theoretical Computer Science, v.27, n.3, 1983, p.333-354.
[18] Kozen D., Tiuryn J. Logics of Programs. Handbook of Theoretical Computer Science, v.B, Elsevier and The MIT Press, 1990, p.789-840.
[19] Manna Z., Pnueli A. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, 1991.
[20] Manna Z., Pnueli A. Temporal Verification of Reactive Systems: Safety. Springer-Verlag, 1995.
[21] Paulson L.C. Logic and Computation: Interactive Proof with Cambridge LCF. Cambridge University Press, 1987.
[22] Pnueli A. Temporal Logic of Programs. Theoretical Computer Science, v.13, n.1, 1981, p.45-60.
[23] Pratt V.R. Semantical Considerations on Floyd-Hoare Logic. Proc. 17th IEEE Symposium on Foundations of Computer Science, 1976, p.109-121.
[24] Queille J.-P., Sifakis J. Specification and Verification of Concurrent Systems in CESAR. LNCS, v.137, 1982, p.337-351.
[25] Reynolds M. An axiomatization of full computation tree logic. To appear in Journal of Symbolic Logic, 2001 (a draft is available at URL http://www.it.murdoch.edu.au/mark/research/online).
[26] Shilov N.V. Program schemata vs. automata for decidability of program logics. Theoretical Computer Science, v.175, n.1, 1997, p.15-27.
[27] Shilov N.V. Games with Second-Order Quantifiers which Decide Propositional Program Logics. Accepted for presentation at Logic and Games, a Satellite Workshop of ESSLLI, August 20-24, 2001, Helsinki, Finland (available at URL http://ropas.kaist.ac.kr/shilov/LandG.ps).
[28] Shilov N.V., Yi K. Model Checking Puzzles in μ-Calculus. Joint Bulletin of the Novosibirsk Computing Center and A.P. Ershov Institute of Informatics Systems, n.13, 2001 (to appear).
[29] Stirling C. Modal and Temporal Logics. Handbook of Logic in Computer Science, v.2, Clarendon Press, 1992, p.477-563.
[30] Streett R.S., Emerson E.A. An Automata Theoretic Decision Procedure for the Propositional Mu-Calculus. Information and Computation, v.81, n.3, 1989, p.249-264.
[31] Vardi M.Y. Reasoning about the past with two-way automata. LNCS, v.1443, 1998, p.628-641.
[32] Walukiewicz I. A Complete Deduction System for the μ-Calculus. Doctoral Thesis, Warsaw, 1993.
[33] Walukiewicz I. On completeness of the μ-calculus. Proc. of 8th Ann. IEEE Symposium on Logic in Computer Science, IEEE Computer Society Press, 1993, p.136-146.
[34] Walukiewicz I. Completeness of Kozen's Axiomatization of the Propositional μ-Calculus. Inform. and Comp., v.157, n.3, 2000, p.142-182.
[35] http:/www-cad.eecs.berkley.edu/kenmcmil/smv/
[36] Fourth International Conference on Perspectives of System Informatics PSI'01. http://www.iis.nsk.su/PSI01/index_e.shtml
[37] Sixth International Conference Parallel Computing Technologies PaCT-2001. http://www-sbras.nsc.ru/win/anons/461.html
[38] Conference devoted to the 90th anniversary of Alexei A. Lyapunov. http://www-sbras.nsc.ru/ws/Lyap2001/index.en.html
[39] Computational Technologies. http://www.ict.nsc.ru/mathpub/comp-tech/eng/