# Bisimilar and Logically Equivalent Programs in PDLAcademic research paper on "Computer and information sciences"

CC BY-NC-ND
0
0
Share paper
OECD Field of science
Keywords
{Bisimulation / "Propositional Dynamic Logic" / "Modal Logic"}

## Abstract of research paper on Computer and information sciences, author of scientific article — Mario R.F. Benevides

Abstract In standard Propositional Dynamic Logic (PDL) literature [D. Harel and D. Kozen and J. Tiuryn. Dynamic Logics. MIT Press, 2000; R. Goldblatt. Logics of Time and Computation. CSLI Lecture Notes 7. Stanford, 1992; P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Theoretical Tracts in Computer Science. Cambridge University Press, 2001] the semantics is given by Labeled Transition Systems, where for each program π we a associate a binary relation R π . Process Algebras [J.A. Bergstra, A. Ponse and S.A. Smolka (editors), Handbook of Process Algebra, Elsevier, 2001; W. J. Fokkink. Introduction to Process Algebra. Texts in Theoretical Computer Science. Springer, 2000; R. Milner. Communication and Concurrency. Prentice Hall, 1989; R. J. van Glabbleek, The Linear Time – Branching Time Spectrum I: The Semantics of Concrete, Sequential Processes. In Handbook of Process Algebra (J.A. Bergstra, A. Ponse and S.A. Smolka, eds.), Chapter 1, pp. 3–99, Elsevier, 2001] also give semantics to process (terms) by means of Labeled Transition Systems. In both formalisms, PDL and Process Algebra, the key notion to compare processes is bisimulation. In PDL, we also have the notion of logic equivalence, that can be used to prove that two programs π 1 and π 2 are logically equivalent ⊢ 〈 π 1 〉 φ ↔ 〈 π 2 〉 φ . Unfortunately, logic equivalence and bisimulation do not match in PDL. Bisimilar programs are logic equivalent but the converse does not hold. This paper proposes a semantics and an axiomatization for PDL that makes logically equivalent programs also bisimilar. We prove soundness, completeness and the finite model property.

## Academic research paper on topic "Bisimilar and Logically Equivalent Programs in PDL"

﻿Available online at www.sciencedirect.com

ScienceDirect

Electronic Notes in Theoretical Computer Science 305 (2014) 5-18

www.elsevier.com/locate/entcs

Bisimilar and Logically Equivalent Programs

in PDL

Mario R. F. Benevides1'2

Computer Science Department and Systems and Computer Engineering Program Federal University of Rio de Janeiro Brazil

Abstract

In standard Propositional Dynamic Logic (PDL) literature [5,16,4] the semantics is given by Labeled Transition Systems, where for each program n we a associate a binary relation Rn. Process Algebras [1,8,10,2] also give semantics to process (terms) by means of Labeled Transition Systems. In both formalisms, PDL and Process Algebra, the key notion to compare processes is bisimulation. In PDL, we also have the notion of logic equivalence, that can be used to prove that two programs n1 and n2 are logically equivalent h (n1^ (n2Unfortunately, logic equivalence and bisimulation do not match in PDL. Bisimilar programs are logic equivalent but the converse does not hold.

This paper proposes a semantics and an axiomatization for PDL that makes logically equivalent programs also bisimilar. We prove soundness, completeness and the finite model property.

Keywords: Bisimulation, Propositional Dynamic Logic, Modal Logic

1 Motivation

In standard PDL literature [5,16,4] the semantics is given by Labeled Transition Systems, where for each program n we associate a binary relation Rn. The sequential composition and non-deterministic choice operators are defined as the composition and union of relations respectively.

Rn1 ;n2 = Rn1 ◦ Rn2 Rn1 Un2 = Rn1 U Rn2

Process Algebras [1,8,10,2] also give semantics to process (terms) by means of Labeled Transition Systems. In both formalisms, PDL and Process Algebra, the key notion to compare processes is bisimulation. In PDL, we also have the notion of logic equivalence, that can be used to prove that two programs n1 and n2 are logically equivalent h {n1 ^ {n2(where {nmeans that after the execution

1 This work was supported by the Brazilian research agencies CNPq and CAPES.

2 Email: mario@cos.ufrj.br

of program n formula ^ holds). Unfortunately, logic equivalence and bisimulation do not match in PDL. Bisimilar programs are logic equivalent but the converse does not hold. For instance, take programs = a; (n3 U n4) and n2 = a; n3 U a; n4

(a;(7T3 U ^ {a){(^3 U

^ {a)({n3)v V {ni)v) ^ {a){n3)y V {a){nA)^

^ {a; V {a; n^)^

^ {a; n3 U a; n4)<^

But it is not difficult to see that and n2 are non-bisimilar programs, for after first a step on n\ it arrives at n3 U n4, and this is matched by neither of the two possibilities on n2: n3 or n4.

One interesting discussion on trace semantics appears on [2]. They define and compare various semantics for concrete sequential processes and provide algebraic axiomatization and semantical modal characterization (no modal axiomatization) for them.

The main motivation of this work is to propose a new semantics for PDL, based on traces with context, which matches the notion of logic equivalence and with bisimulation, i. e., two programs and n2 are logically equivalent (h ^

{n2)'fi) if and only if they are bisimilar. We provide an axiomatization and prove completeness w.r.t this new semantics. The proof completeness yields finite model property and decidability.

It is important to notice that our contribution is on PDL and not on process theory.

2 Propositional Dynamic Logic

In this section, we present the syntax and semantics of PDL.

Definition 2.1 The PDL language consists of a set \$ of countably many proposition symbols, a set n of countably many basic programs, the boolean connectives — and A, the program constructors ;, U and * and a modality {n) for every program

n. The formulas are defined as follows:

y ::= p | T | —y | y i A y2 | {n)y, with n ::= a | ni; n2 | ni U n2 | n*,

where p £ \$ and a £ n.

In all the logics that appear in this paper, we use the standard abbreviations L = —T, y V \$ = —(—y A —\$), y ^ \$ = — (y A —\$) and [n]y = — {n)—y.

Definition 2.2 A frame for PDL is a tuple F = (W, R) where

- W is a non-empty set of states;

- R = {Ra | a £ n}, Ra are binary relations over W, for each basic program a £ n;

- We can inductively define a binary relation Rn, for each non-basic program n, as follows

• Rni;n2 — Rni O Rn2 ,

• RniUn2 Rni U Rn2 ,

• Rk* = Rn, where R* is the reflexive transitive closure of R.

Definition 2.3 A model for PDL is a pair M = (F, V), where F is a PDL frame and V is a valuation function V : \$ ^ 2w.

Definition 2.4 Let M = (F, V) be a model. The notion of satisfaction of a formula y in a model M at a state w, notation M,w lb y, can be inductively defined as follows:

- M, w lb p iff w £ V(p);

- M, w lb T always;

- M,w lb —y iff M, w l| y;

- M, w ll yi A y2 iff M, w ll yi and M, w ll y2;

- M, w ll {n)y iff there is w' £ W s.t. wRnw' and M, w' ll y.

Example 2.5 M, w ll {(n1; n2))p iff there is w' £ W s.t. wRnin2 w' and M, w'll p, iff there is w' £ W s.t. wRni o Rn2w' and M, w'll p

ni n2 O

3 Process Calculus

In this section, we propose a very small process (program) calculus for the PDL programs presented in the previous section 2. We prove that two processes are bisimilar if and only if they have the same set of finite possible runs with context. It is inspired on [2].

a / a — y/ a a.n — n a , nAn a , n;T An' ;t

a / nAn T A T ' a nAn

n+T A n' 1 ß / n+T At '

Table 1 Transition Relation

Let N = {a,b,c,...} be a set of names or actions, denoted by a, ft,.... The language can be defined as follows.

n ::= a | ni; n | ni + n | n*, where a £N

We use n and t to denote processes (programs) and a, ft and 7 to denote actions. We write n n' to express that the process n can perform the action a and after that behave as n'. We write n y/ to express that the process n successfully finishes after performing the action a. A process finishes when there is no possible action left for it to perform. For example, ft /.

The semantics of our process calculus can be given by the transition rules presented in the table below.

The concept of bisimulation is a key notion in any process algebra. It is an equivalence relation between processes which have mutaly similar behavior. The intuition is that two bisimilar processes cannot be distinguished by an external observer.

Definition 3.1 Let V be the set of all processes. A set Z C V x V is a strong bisimulation if (n, t) £ Z implies the following:

• If n n', then there is t' £V such that t t' and (n', t') £ Z;

• If t t', then there is n' £V such that n n' and (n',t') £ Z;

• n y/ if and only if t y/.

Definition 3.2 Two process n and t are strongly bisimilar (or simply bisimilar), denoted by n ~ t, if there is a strong bisimulation Z such that (n, t) £ Z.

Proposition 3.3 n1; (n2 + n3) ^ n1; n2 + n1; See figue 1.

3.1 Runs with Context

In this section, we introduce the key concept of finite possible runs with context of a process. This concept plays a central role in the semantics of our logics.

Definition 3.4 A sequence of action with context, denoted by —c, is a sequence of actions and finite sets of actions of the form

ai{fti •••fti1 }.a2{ft2 ■■■ft2k2}, ••• -an{ftn ••• ft^ }. ••• ,

where ai £ {ft\ • • • ft\ }, for 1 < i < n.

If 1c = a1C1.a2C2 ■ ■ ■ .anCn is a finite sequence of action with context, we say that the length of 1c is n.

Definition 3.5 Let 1 c = a1C1.a2C2 ■ ■ ■ .anCn and

11 c = ¡31D1.fi2D2 ■ ■ ■ .¡3nDn sequences of action with context of length n. We define a strict partial order over sequences of actions with context as follows

~ac — -3c iff for all i, 1 < i < n, ai = 3i,

Ci C Di,

for at least one i, Ci c Di.

Definition 3.6 Let 1 c = a1{3^...3k1 }a2{32..3l2} ...an{3]t ■ ■ ■ 3nn} be a sequence of action with context. We say that 1 c matches a process n0 if n0 —1 n1 n2 ■ ■■ nn-1 ^ nn and for all i, 0 < i < n, {ai, 3\ ■ ■ ■ 31-} are all the actions that ni can perform.

We write n ^ n' to express that ~clc matches n and the process n may perform

the sequence of actions ~ctc and after that behave as n'. We write n => y/ to express that c matches n and the process n may successfully finish after performing the sequence of actions 1 c (this, in particular, implies that 1 c is finite).

Definition 3.7 We define the set of finite possible runs with context of a process n, denoted by 'R'f (n), as 'R'f (n) = {~(\$c : n ^ /}.

In order to obtain the desired relation between bisimulation and logic equivalence, we introduce the concept of finite possible runs with context of processes, i.e., situations in which the processes successfully finish. Thus, we present some useful results about finite possible runs with context. It is important to notice that in our process calculus all processes, at any state in their execution, can only perform a finite set of actions, i.e., they are image finite.

Definition 3.8 Let R and S be sets of finite sequences of actions with context. We can define the following operations on these sets:

(i) R o S = {1c\$33c : ~3c e R and ~/\$c e S};

(ii) R U S = 1c : 1c e R or 1c e S};

(iii) R0 = {^}, Rn = R o Rn-1(n > 1);

(iv) R* = UneN Rn.

Lemma 3.9 If n ~ t, then, for every 1 c, n => / iff t /.

A proof of this lemma can be found in appendix A. This proof is based in similar one presented in [3].

Lemma 3.10 If for every 1 c, n / if and only if t /, then n ~ t

Proof. Suppose n / if and only if t / and n ^ t. Then there exists a1 such that n \$\$ n1 and for all T1 either t t1 (1) or n1 ^ t1 (2). But (1) cannot be true,

because it contradicts the hypothesis that n and t are able to perform the same set of actions, because if a1 is the first action in some sequence of action Rc, then its context contains all the actions that n and t can perform. The only remaining possibility is (2), n1 — ti. If we apply the same reasoning for n2 — t2 and so on for ni — Ti and ni and Ti must be able to perform the same set of actions. As all processes eventually terminate, we must eventually reach a pair nn and Tn such that nn — Tn and nn and Tn must be able to perform the same set of actions Yn, ■ ■ ■ Y^ and either nn = y/ or Tn = y/ or both nn = Tn = y/. The first two cases are not possible because nn and Tn must be able to perform the same set of action and y/ does not perform any action and any process different of y/ must be able to perform at least one action. Thus, the only possibility is nn = Tn = y/, which yields that nn — Tn, which is a contradiction. Therefore, n — t.

Theorem 3.11 n — t if and only if Rf(n) = R (t).

_k ——c

Proof. (—) Suppose that a c E Rj(n). Then, n — \/. As n — t, this implies, by

—i- c _y _y _y

lemma 3.9, that t —— y/, which means that a c E Rj(t). Thus, Rj(n) C Rj(t). The proof that R (t) C R (n) is entirely analogous.

Suppose that R(n) = R(t). By the definition of R(n) and R(t), n —— y/ if and only if t —— y/. And by lemma 3.10, n — t.

Next, we present some equalities between sets of finite possible runs that are useful to the soundness proof of our axiomatization.

Definition 3.12 Let Rc = a1C1.a2C2 ■ ■ ■ .anCn E R(n1),

{Yi, ••• , Ym] be the set of all actions that n2 can perform and C[ = c1^{y1, ■ ■ ■ , Ym] and Cf = C1 \{y1, ■ ■ ■ , Ym]. We define

• Rc |+n2 = a1C1 .a2C2 ■ ■ ■ .anCn

• Rc I—n2 = a1C1/.a2C2 ■ ■ ■ .anCn

• R(n1) |+n2 = Rc |+n2 I Rc E R (n1)}

• R (n1) I—n2 = Rc I—n2 I Rc E R (n1)] Theorem 3.13 The following set equalities are true:

(i) R(a) = {a];

(ii) R(n1;n2)= Rf (n1) oR (n2);

(iii) Rf (n + n2) = R(n1) I+n2 UR(n2) I+ni;

(iv) Rf (n*) = (Rff(n))*.

Proof. The proof is straightforward from table 1. □

M.R.F. Benevides / Electronic Notes in Theoretical Computer Science 305 (2014) 5—18 11

4 PDL+

In this section we present the language, semantics and an axiomatic system of our Propositional Dynamic Logic with a non-deterministic choice operator.

4-1 Language and Semantics

The language is similar to the one presented in definition 2.1, where we replace + for .

p ::= p | T | —p | p1 A p2 | {n)p, with n ::= a | ni; n2 | n1 + n2 | n*, where p G \$ and a G N.

Definition 4.1 A frame for PDL+ is a tuple F = (W, Ra) where

- W is a non-empty set of states;

- Ra is a binary relation over W, for each basic program a G n;

- We can inductively define a binary relation Rn, for each non-basic program n, as follows

• Rni Rni ◦ Rn2 ,

• Rni+n2 = {(s,t) | [(s,t) G Rn! and 3r(s,r) G Rn2] or

[(s,t) G Rn2 and 3r (s,r) G Rni]}

• Rk* = Rn, where R* is the reflexive transitive closure of Rn.

The semantical notion of PDL+ model and satisfaction for PDL+ is as defined for PDL in definitions 2.3 and 2.4

If M,w lb p for every state w, we say that p is globally satisfied in the model M, notation M lb p. If p is globally satisfied in all models M of a frame F, we say that p is valid in F, notation F lb p. Finally, if p is valid in all frames, we say that p is valid, notation lb p. Two formulas p and ^ are semantically equivalent if lb p ^

Proposition 4.2 l {n1; (n2 + n3))p ^ {ni; n2 + n1; n3)p

Proof. Let M be a model based on the frame bellow with V(p) to verify that

M, w 1/ (n-; (n2 + n3))p and M,w lb (n-; n2 + n-; n3)p

{v}. It is easy

Next definition and lemma relate our semantics with possible runs with context.

Definition 4.3 Let F = (W, Ra) be a frame, (vo,vi,..., vn), n > 1, be a finite path in F and Rc E Rf (n), of length n, be a sequence of action with context of a process n. We say that R matches path (vo,vi,..., vn) for process n iff for all i,1 < i < n, Rc)1 = a1{Pt1 } and (v1- 1,vi) E Rai and for all Pj, 1 < j < k1, there exists a w such that (v1 - 1,w) E Rj. We say that Rc matches exactly path

(v0,v1,..., vn), if there exists a unique w such that (v1 - 1,w) E RY, for all 7 E {Pi ■■■piki} and 1 < i < n.

A frame F matches a process n at state w iff for all Rc E Rf (n), there exists a path p, in F, such that R matches p.

Lemma 4.4 M, w lb {n)p iff F matches n at w, there is a finite path (v0,v1, vn), n > 1, such that v0 = w, M,vn lb p and there is Rc E R/(n) of length n such that Rc matches the path (v0,..., vn).

A proof of this lemma can be found in appendix B.

Bellow, we present the main theorem of this section, it establishes the equivalence between bisimilar and logically equivalent programs.

Theorem 4.5 R (n) = R(t) if and only if lb {n)p ^ {t)p.

Proof. Suppose that R (n) = R (t), but l| {n)p ^ {t)p. Then, we may assume, without loss of generality, that there is a model M and a state v0 in this model such that M, v0 lb {n)p (1), but M, v0 l| {t)p (2). By lemma 4.4, (1) implies that there is a path (v0,v1,..., vn), n > 1, in M such that M,vn ll p (3) and there is R c E Rf (n) that matches this path. But as R (n) = R (t), then R c E Rf (t). This and (3) imply, by definition 4.4, that M,v0 ll {t)p, which contradicts (2).

Suppose that ll {n)p ^ {t)p (1), but R(n) = R(t). Then, we may assume, without loss of generality, that there is R c such that R c E R (n), but R E Rf (t) and there is no RPc E Rf (t) such that RPc — R.

Let us build a frame F, that matches n, which consists of a finite tree and has a path (v0,vn), n > 1, such that Rc matches exactly the path (v0,..., vn) for process n.

Let M = (F, V) be a model, such that V(p) is a singleton which the only element is vn, vn E V(p). Then, we have a path (v0,... ,vn) such that M,vn ll p and R E Rf (n) matches this path. By lemma 4.4, M, v0 ll {n)p. As R c E Rf (t) and there is no Rc E Rf (t) such that

c — R c, so as R c matches exactly the path (v0,..., vn), then (v0,..., vn) is not matched by any other sequence for process t. Besides that, there is no other path (v0,...,vm), m > 1, in M such that M,vm ll p, because F is a tree. Thus, by lemma 4.4, M,v0 l {t)p, which contradicts (1). □

Corollary 4.6 n ~ t if and only if ll {n)p ^ {t)p.

Proof. It follows directly from theorems 3.11 and 4.5.

4-2 Axiomatization

We use the standard boolean abbreviations ±, V, ^ and ^ and the following abbreviations for the duals: [n]p := — (n)—p.

The axiomatization presented below is the standard PDL proof theory extended with a new axiom for non-deterministic choice.

Axioms

1. All tautologies,

2. [n](p ^ V) ^ ([n]p ^ MV),

3. [ni; ^ [ni][n2]p,

4. (ni + n2)p ^ ((ni)p V {n2)p) A ((ni)T A (n2)T) ,

5. [n*]p ^ p A [n][n*]p,

6. [n*](p ^ [n]p) ^ ([n]p ^ [п*]p),

Inference Rules

M.P. p,p ^ V/V U.G. p/[n]p SUB. p/ap

where a is a map uniformly substituting formulas for propositional variables. Axioms 1, 2, 3, 5 and 6 and the inference rules are standard in PDL for regular programs [5,16,4]. Axiom 4 deserves some explanation. It can be re-written as

(ni + n2)p ^ ((ni)p A (n2)T) V ((ni)T A (n2)p)

The intuitive meaning is "whenever we perform a non-deterministic choice ni + n2, we must be able to perform either ni or n2, but both must be available for execution. This is what (ni)T (i = 1,2) assures, i.e., it is possible to perform ni.

Example 4.7 M, w lb ((ni + n2))p and M, v l| ((ni + n2))p

p o o p o

4-3 Soundness and Completeness

In order to prove soundness it is necessary to show both that every axiom is valid in this class of frames and the inference rules also preserve the validity. The validity of axioms 1, 2, 3, 5 and 6 and the inference rules are well-known from the PDL literature [5,16,4]. Below, we present the proof for axioms 4.

Lemma 4.8 The following formula is valid:

lb (ni + n2)p ^ ((ni)p V (n2)p) A ((ni)T A (n2)T) A proof of this lemma can be found in appendix C.

14 M.R.F. Benevides /Electronic Notes in Theoretical Computer Science 305 (2014) 5—18

Theorem 4.9 (Soundness ): PDL+ is sound.

Theorem 4.10 (Completeness for Finite PDL+ Models): Propositional Dynamic Logic PDL+ is complete with respect to the class of finite PDL+ models.

A proof of this theorem can be found in appendix D. 4-4 Decidability and Complexity

Section 4.3 proves that PDL+ is complete with respect to the classes of finite PDL+ models. Hence, it has have the finite model property, and moreover, that every consistent formula V can be satisfied at a state of a model with at most 2^1, where \V\ is the number of symbols of V. A naive decision procedure for the satisfiability problem of our logic could be: given a formula V, construct all Kripke models with at most 2^1 states, verify if they belong to the appropriate class, and test if V is satisfied at some state of them. There are approximately 22'^' such models. Therefore, this algorithm establishes a double exponential time upper bound for the satisfiability problem of our logic.

The satisfiability problem for PDL is EXPTIME-complete [5]. This yields an exponential time lower bound for the satisfiability problem of our logic.

5 Conclusion

This paper presents a new semantics to PDL based on finite runs with context, as far as we know this is a new semantics and opens up new possibilities not only for PDL but for other modal logics as well. We propose an axiomatization and prove its soundness, completeness and finite model property. The main result is equivalence between bisimilar programs and logically equivalent programs.

We proved completeness with respect to the class of finite PDL+ and the complexity should be the same as for PDL.

PDL+ opens up possibilities to investigate new variants of PDL where programs are process terms from some process algebra. In [3], a Dynamic Logic for CCS programs was presented, the main criticism of this logic was the lack of equivalence between bisimilar processes and logically equivalent programs. This problem is completely solved with our new semantics. In [3], we also present a logic that uses recursion in the place of iteration. But, in order to keep decidability, we had to restrict the use of recursive equations. In the present work, we use iteration and finite runs, dealing only with terminating programs. We would like to extend this work with recursion and investigate more expressive semantics.

Another possibility for future work would be to establish the precise complexity of the satisfability problem for PDL+. We already have the EXPTIME-hardness due to PDL. We suspect it is EXPTIME-complete, as PDL, but we would like to provide an EXPTIME algorithm for the satisfability problem.

M.R.F. Benevides / Electronic Notes in Theoretical Computer Science 305 (2014) 5-18

References

[1] J.A. Bergstra, A. Ponse and S.A. Smolka (editors), Handbook of Process Algebra, Elsevier, 2001.

[2] R. J. van Glabbleek, The Linear Time - Branching Time Spectrum I: The Semantics of Concrete, Sequential Processes. In Handbook of Process Algebra (J.A. Bergstra, A. Ponse and S.A. Smolka, eds.), Chapter 1, pp. 3-99, Elsevier, 2001.

[3] M. R. F. Benevides and L. M. Schechter. A propositional dynamic logic for CCS programs. In Proceedings of the XV Workshop on Logic, Language, Information and Computation, volume 5110 of LNAI, pages 83-97. Springer, 2008.

[4] P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Theoretical Tracts in Computer Science. Cambridge University Press, 2001.

[5] D. Harel and D. Kozen and J. Tiuryn. Dynamic Logics. MIT Press, 2000.

[6] M. Dam. On the decidability of process equivalences for the pi-calculus. Theoretical Computer Science, 183(2):215-228, 1997.

[7] M. J. Fischer and R. E. Ladner. Propositional dynamic logic of regular programs. Journal of Computer and System Sciences, 18(2):194-211, 1979.

[8] W. J. Fokkink. Introduction to Process Algebra. Texts in Theoretical Computer Science. Springer, 2000.

[9] D. Harel and D. Raz. Deciding properties of nonregular programs. SIAM Journal on Computing, 22(4):857-874, 1993.

[10] R. Milner. Communication and Concurrency. Prentice Hall, 1989.

[11] R. Milner. Communicating and Mobile Systems: the n-Calculus. Cambridge University Press, 1999.

[12] R. Milner, J. Parrow, and D. Walker. Modal logics for mobile processes. Theoretical Computer Science, 114(1):149-171, 1993.

[13] D. Peleg. Communication in concurrent dynamic logic. Journal of Computer and System Sciences, 35(1):23-58, 1987.

[14] D. Peleg. Concurrent dynamic logic. Journal of the Association for Computing Machinery, 34(2):450— 479, 1987.

[15] C. Stirling. Modal and Temporal Properties of Processes. Texts in Computer Science. Springer, 2001.

[16] R. Goldblatt. Logics of Time and Computation. CSLI Lecture Notes 7. Stanford, 1992.

A Proof of lemmas 3.10

Proof. We prove by induction on the length n of —c.

• n =1, then —c = a{¡3^ • • • 3\i }, for some action a. Then, n => \J O n —— \J. By the hypothesis that n ^ t we have that {a, 3\ ••• } are the only actions n and t can perform, and n — \/ O t —— y7. Finally,

a , ac ,

T — V O T ^ y/.

• I. H.: suppose that the lemma holds for all n < k. Let — c be a sequence of length k. Let a{31 • • • 3^ } be the first action of the sequence and let —c be a sequence of length k — 1 such that — c = a{3 1 • • • 311 c.

Then, n =c \J if and only if there is a process n' such that n —— n' and n' -- ^. But if n —— n' and n ^ t, then there is a process t' such that t — t' and n' ^ t'. Moreover, as n ^ t, then {a, 3i ''' 3 1i } are the only actions that n and t can perform. Now, — c is a sequence of length shorter than k, so by the induction

-fc -Yc ■ -a c

hypothesis, as n' ^ t' and n' ^ ■sj, then t' ^ \/. This means that t ^J. □

16 M.R.F. Benevides /Electronic Notes in Theoretical Computer Science 305 (2014) 5—18

B Proof of lemma 4.4

Proof. We prove by induction on the structure of n.

The base case is for | n | = 1, for atomic program it is straightforward. Suppose it holds for | n n, so we have three possibilties.

• Suppose M,w lh (n*)p, iff iff there is v E W s. t. wRn*v and M,v II- p. But we know that R^* = . Then we get we have a path wR^v\Rn...Rnv. As Rn is transitive wR^v and M,v I p, but this is iff M,w I (n)p. By the induction Hypothesis there is a finite path (vo,vi,..., vn), n > 1, such that vo = w,vn = v, M,vn I p and there is ~cac E JTy (n) of length n such that ~cac matches the path (vo,. .. ,vn). But by theorem 3.13 we know that VJf (n) C (JjRf (n))* = Tr (n*)

• The cases for n = ni + and n = ni; are analogous to the previous case.

C Proof of lemma 4.8

Proof.

Suppose that, for some model M = (F, V) and some state w in this model, M,w I (ni + n2)p. Then, by lemma 4.4, F matches ni + n2 at w, there is a finite path (vo, vi ,...,vn), n > 1, such that vo = w,

M,vn I p and a sequence "" c E JTy (ni + that matches this path.

Now, by the third equality in theorem 3.13, either ~ca c E RTy (ni) |+n2 or ~ca c E RTy (^2) |+ni, It follows directly from definition 3.12 that c |-n2e tR(ni) or c |-ni E tR (^2).

Besides, "0.c ¡ — n2 and 0c —ni match path (vo,vi,...,vn)., which implies that M,w I (ni)P or M,w I (n2)p. Thus, M,w I (ni)p V (n2)p (1).

As F matches ni + n2 at w, so F matches ni and n2 at w. Then, there exist —Rc E tR(ni) that

v —c f

matches a path (wo,vi, ..., wk) and — 2c E Tf (^2) that matches a path (uo,vi, . ..,ui) and w = wo = uo. Which implies that M,w I (ni)T and M,w I (n2)T. Thus, M,w I (ni)T A (n2)T (2). From (1) and (2), we have M,w I ((ni)p V (n2)p) A ((ni)T A (n2)T)

Suppose M,w I (ni)p V (n2)p (1) and M,w I (ni)T A (n2)T (2). From (2) we have that F matches ni and n2 at w. From (1) we have that M,w I (ni)p (3) or M,w I (n2)p (4).

(3) implies that F matches ni at w and there is a finite path (vo, vi,. .. ,vn), n > 1, such that vo = w,

M,vn I p and a sequence —\c E Tr (ni) that matches this path.

As —Rc E TrR(ni), so —Rc |+n2 E TrR(ni) |+n2 C TrR(ni) |+n2 jR(n2) |+ni = Tf(ni + ^2) (Using

theorem 3.13(3.)). Hence, |+n2 e TjR(ni + ^2).

From (2), we have that —[c |+n2 matches path (vo,vi, ...,vn). Thus, M, w I (ni + n2)p.

Analogously, from (4) we also obtain M,w I (ni + n2)p.

D Completeness Proof for PDL+

The canonical model construction is the standard one used for PDL [5,4,16].

Definition D.1 (Fischer and Ladner Closure): Let r be a set of formulas. The closure of r, notation Cfl(r), is the smallest set of formulas satisfying the following conditions:

1. Cfl(r) is closed under subformulas,

2. if (n*)p E Cfl(r), then (p)(n*)p E Cfl(r),

3. if (ni;n2)p E Cfl(T), then (ni)(n2)p E CFL(r),

4. if (ni J n2)p E CFL(r), then (ni)p V (n2)p E Cfl(r),

5. if (ni J n2)p E CFL(r), then (ni)T and (n2)T E Cfl(^),

6. if p E Cfl(r) and p is not of the form then —p E Cfl(T).

The proof that if r is a finite set of formulas, then the closure Cfl (r) of r is also finite. We assume r to be finite from now on.

Definition D.2 Let r be a set of formulas. A set of formulas A is said to be an atom of r if it is a maximal consistent subset of Cfl(T). The set of all atoms of r is denoted by Ai(T).

Lemma D.3 Let Г be a set of formulas. If ф E Cfl(X) and ф is consistent then there exists an atom А E А£(Г) such that ф eA.

Proof. We can construct the atom A as follows. First, we enumerate the elements of Cfl(Г) as фl, • • • , фи. We start the construction making Ai = {ф}, then for 1 < i < n, we know that b f\Ai ^ (Д Ai Л Фi+l) V (Д Ai Л —фг+i) is a tautology and therefore either Ai Л фг+i or Ai Л —фг+i is consistent. We take Ai+i as the union of Ai with the consistent member of the previous disjunction. At the end, we make A = An-

Definition D.4 Let Г be a set of formulas. The canonical relations over Г on А£(Г) are defined as follows:

AS^B iff Д АЛ(п) Д B is consistent.

Definition D.5 Let Г be a set of formulas. The canonical model over Г is a tuple Mr =< А£(Г), Sr, Vr >, where for all propositional symbols p and for all atoms А E А£(Г) we have

- Vr(p) = {А E А£(Г) | p E А} is called canonical valuation;

- Sr and Sr+ are the canonical relations. 3

Lemma D.6 Let А E А£(Г). Then, for all basic programs a,

(о)ф eA iff there exists B E А£(Г) such that ASaB and ф eB.

Proof.

Suppose (а)ф E А. By definition D.2, we have that ДАЛ ()ф is consistent. Using the tautology b ф ^ ((ф Л ф) V (ф Л —ф)), we have that either ДА Л (а)(ф Л ф) is consistent or Д А Л (а)(ф Л —ф) is consistent. So, by the appropriate choice of ф, for all formulas ф E Cfl, we can construct an atom B such that ф eB and Д АЛ (a )(ф Л /\B) is consistent and by definition D.4 ASaB.

Suppose there is B such that ф eB and ASaB. Then Д АЛ (a) ¡\B is consistent and also Д АЛ (а)ф is consistent. But (а)ф E Cfl and by maximality (а)ф E А.

Lemma D.7 Let А, Be А4(Г). Then if ASn*B then ASl B.

Proof. Suppose ASntB. Let C = {C E А4(Г) | ASn *C}. We want to show that Be C. Let C0 =

(ЛCi V- • • V f\Cn).

It is not difficult to see that C0 Л (n)—C0 is inconsistent, otherwise for some D not reachable from А, C0 Л (n) f\D would be consistent, and for some Ci, Д Ci Л (n) f\D was also consistent, which would mean that D E C, which is not the case. From a similar reasoning we know that Д АЛ (n)—C) is also inconsistent and hence b /\А —^ [n]C0 is a theorem.

As C0 Л (n)—C0 is inconsistent, so its negation is a theorem I--'(C0 Л (n)—C0) and also b (C0 —

[n]C0) (1), applying generalization b [n*](C0 — [n]C0). Using Segerberg axiom (axiom 6), we have b ([n]C0 — [n*]C0) and by (1) we obtain b (C0 — [nl]C0). As b Д А — [n]C0 is a theorem, then b Д А — [n*]C0. By supposition, ДАЛ (nl) f\B is consistent and so is Д BЛC0. Therefore, for at least one C E C, we know that Д B^/\C is consistent. By maximality, we have that B = C. And by the definition of C0, we have ASn *B.

Definition D.8 Let Г be a set of formulas. The PDL+ model over Г is a tuple M =< АЬ(Г),Яп, V >, where for all propositional symbols p and for all atoms А E А^Г) we have

- V(p) = {Ae А£(Г) | p E А};

- Ra = Sa, for all basic programs a

- Rn is inductively defined as in definition 4.1.

Lemma D.9 Sn Q Rn.

Proof. Induction on the straucture of n.

Base case is straightforward as Ra — Sa, for basic programs a.

Suppose it holds for programs n such that | n \ < n. We only prove the case where n = ni + П2. The case for n = ni; П2 and are standard in PDL literature.

Suppose AsXi+x2B, iff д АЛ (ni + П2) д B) is consistent. By axiom 4. дАЛ (((ni^BA (П2)Т) V ((П2) f\B/\ (ni)T)) is consistent. Either

Д АЛ (((ni) Д BЛ (n2)T) is consistent (1) or ((п2) Д B Л (ni)T)) is consistent (2). From (1) Д А Л (((ni) Д B) is consistent (3) and ДАЛ ((n2)T) is consistent (4)

From (3 and (4) we get ASni B and there exists an atom C s.t. ASni C.

By the Induction Hypothesis

AR 7Г!B and there exists C s.t. ARniC (5).

3 For the sake of clarity we avoid using the r subscripts

Analogously, from (2) we can obtain

ARni B and there exists C s.t. ARniC, which together with (5) allows us to conclude AR^i+^2B.

Lemma D.10 Exixtence Lemma: Let A E At(r). Then,

(n)p eA iff there exists B E At(r) such that ARnB and p eB.

Proof.

This direction follows is analogous to the one presented for basic programs in lemma D.6 and the previous lemma that states that Sn C Rn. <=: Induction on the straucture of n.

Base case is straightforward from lemma D.6, for basic programs a.

Suppose it holds for programs n such that \n | < n. We only prove the case where n = ni + n2. The case for n = ni; n2 and n* are standard in PDL literature.

Suppose ARni+n2B (1) and p eB (2). That means that either ARni B and there exists C s.t. AR^2C (3) or AR^2B and there exists C s.t. ARniC (4)

From (2), (3 and (4) and the Induction Hypothesis we have that either

(ni)p E A and (p2)T E A (5) or (n2)p E A and (ni)T E A (6)

By (5) and (6) and axiom 4., we have that /\ A A (ni + n2)p is consistent. And by maximality

(ni + n2)p E A

Lemma D.11 Truth Lemma: Let M = (W,Sn, V) be a finite canonical model for For all atoms A and all p E Cfl(\$), M, A |= p iff p eA.

Proof. : The proof is by induction on the construction of p.

• Atomic formulas and Boolean operators: the proof is straightforward from the definition of V.

• Modality (x), for x E {a,ni;n2,ni + n2,n*}.

• Suppose M, A |= (x)p, then there exists A! such that ASxA! and

M, A! |= A. By the induction hypothesis we know that p E A!, and by lemma D.10 we have (x)p E A.

• <: Suppose M, A |= (x)p, by the definition of satisfaction we have

M, A |= —(x)p. Then for all A;, ASxA! implies M, A! = p. By the induction hypothesis we know that p E A!, and by lemma D.10 we have (x)p E A.

Theorem D.12 (Completeness for Finite PDL+ Models^: Propositional Dynamic Logic PDL+ is complete with respect to the class of finite PDL+ models.

Proof. For every consistent formula p we can build a canonical finite PDL+ model M^. By lemma D.3, there exist an atom A E At(p) such that p eA, and by the truth lemma D.11 M, A |= p. Therefore, our modal system is complete with respect to the class of finite PDL+ models.