Contents 1 Introduction A historical note : : : : : : : : : : : : : : : : : : : : : : : : : Modal logic : : : : : : : : : : : : : : : : :

Transcription

1 On Axiomatizations for Propositional Logics of Programs P.M.W. Knijnenburg RUU-CS November 1988

2 Contents 1 Introduction A historical note : : : : : : : : : : : : : : : : : : : : : : : : : Modal logic : : : : : : : : : : : : : : : : : : : : : : : : : : : : Dynamic logic : : : : : : : : : : : : : : : : : : : : : : : : : : : Outline : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 6 2 Propositional Dynamic Logic Syntax and semantics : : : : : : : : : : : : : : : : : : : : : : Axiomatization : : : : : : : : : : : : : : : : : : : : : : : : : : An innitary axiom system : : : : : : : : : : : : : : : : : : : A completeness technique : : : : : : : : : : : : : : : : Application: PDL with concurrency : : : : : : : : : : Discussion : : : : : : : : : : : : : : : : : : : : : : : : : 19 3 A Universal Model Theorem for Kripke Structures The Universal Model Theorem : : : : : : : : : : : : : : : : : Some model theory : : : : : : : : : : : : : : : : : : : : The Universal Model : : : : : : : : : : : : : : : : : : : Some consequences : : : : : : : : : : : : : : : : : : : : Some more model theory : : : : : : : : : : : : : : : : Completeness of AX : : : : : : : : : : : : : : : : : : : : : : : 30 1

3 3.3 The Small Model theorem : : : : : : : : : : : : : : : : : : : : 33 4 PDL with Repeat Computation trees : : : : : : : : : : : : : : : : : : : : : : : : Bisimulation : : : : : : : : : : : : : : : : : : : : : : : : : : : : On decidability of PDL with repeat and other philosophical topics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 43 5 Propositional Dynamic Logic of Context-Free Programs The Validity Problem : : : : : : : : : : : : : : : : : : : : : : Syntax and semantics : : : : : : : : : : : : : : : : : : : : : : Axiomatization : : : : : : : : : : : : : : : : : : : : : : : : : : Completeness : : : : : : : : : : : : : : : : : : : : : : : : : : : 50 6 Related Topics Propositional Algorithmic Logic : : : : : : : : : : : : : : : : : Syntax, semantics, axiomatization : : : : : : : : : : : Completeness : : : : : : : : : : : : : : : : : : : : : : : Temporal Logic : : : : : : : : : : : : : : : : : : : : : : : : : : Background : : : : : : : : : : : : : : : : : : : : : : : : Linear Time : : : : : : : : : : : : : : : : : : : : : : : : Branching time : : : : : : : : : : : : : : : : : : : : : : 63 Bibliography 66 2

4 Chapter 1 Introduction Logics of Programs are formal systems for reasoning about the behavior of computer programs. To this end, computer programs are viewed as a means to enable certain logical formulae. The formulae may be propositional or rst order, giving rise to propositional and rst order program logics, respectively. In this paper, we focus attention on a propositional program logic, namely Propositional Dynamic Logic or PDL in short. 1.1 A historical note Elements of the logic of programs can be traced back to the nineteen forty's where they appear in work by A.M. Turing and J. McCarthy. The subject, as we view it nowadays, originated with papers of Engeler [5] and of Floyd [7]. The ideas of Floyd were developed further by many authors and the logic of partial correctness, also called Floyd-Hoare logic, has been studied intensively. In 1969 Salwicki [31] formulated the algorithmic logic AL, following the work of Engeler. AL was developed further by a group in Warsaw. Later, Mirkowska [19] gave a propositional version of AL. In 1976, Pratt [25] introduced Modal Logic to computer science, which proved to be very fruitful. Fisher and Ladner [6] gave the denition of Propositional Dynamic Logic, following Pratt, and proved decidability of the logic by means of a ltration technique, borrowed from Modal Logic. Segerberg [33] gave a complete axiomatization for PDL and several completeness proofs have now appeared in the literature, notably a proof by Berman [3], using in fact a standard 3

5 completeness technique from Modal Logic (c.f. [8]). 1.2 Modal logic The origins of Modal Logic seem to date back to Aristotle; it was the subject of intensive research in the Middle Ages. In the rst half of the twentieth century, Modal Logic appeared in its commonly known form. Modal Logic can be viewed as an extension of classical propositional logic, by introducing the operator. This operator has several readings (which in turn dene dierent logics such as Temporal Logic or Deontic Logic) but is always of a dynamic nature. Given a formula, the readings of include: is always true; It is necessarily true that ; ought to be true; It is known that ; After the program terminates, holds. We dene the operator to be ::. Readings of follow from the interpretations of. The precise nature of is given by axioms like!. Dierent sets of such axioms dene dierent Modal Logics. In 1959, Kripke introduced the notion of the (later called) Kripke model as any structure underlying Modal Logic. Basicly, a Kripke model is a triple M = (S; R; V ) where S is a set of states; R S S is a binary relation on S; V is a valuation for the predicate symbols. We can now dene the relation j=, where M; s j= means that \ holds in M at state s" by induction on the complexity of : M; s j= p i s 2 V (p) for p a primitive predicate symbol; M; s j= _ i M; s j= or M; s j= ; 4

6 M; s j= : i M; s 2. A formula is interpreted in a Kripke model as M; s j= i for each t 2 S, if (s; t) 2 R, then M; t j=. Dierent sets of axioms for were proved to coincide with dierent rstorder denable properties of R (e.g.,! coincides with the property of R being transitive). It can be shown, however, that there are rst-order denable properties of R that are not axiomatizable in Modal Logic, irreexivity of R is a noteworthy example. On the other hand, there exist schemata for that do not dene any rst-order property of R; the schema is one example.! An immediate extension is obtained by allowing a set of relations fr i j i 2 Ig to be incorporated in the logic, with each relation R i having its own necessity operator i. This is called multimodal logic. 1.3 Dynamic logic Pratt [25] recognized the possibility of modeling program logics by means of Multimodal Logic. If we view a program to be dened by its input/output, or before/after, behavior then Modal Logic provides a natural framework in which we can develop such a program logic. Each program has associated its \own" modal operator, or []. For a propositional program logic we can take a set of primitive programs and rules that determine how more complex programs can be built. With each rule we can dene how the modal operator for the more complex program relates to the modal operators of the building blocks. For instance, program composition is dened by the rule: at a state s, [; ] holds if and only if [][] holds. The modal operators for the primitive programs are parameters in this approach. Propositional Dynamic Logic is dened to be the Multimodal Logic in which the programs are regular expressions over the set of primitive programs. Thus the program connectives are \;", \[" and \?" which are usually interpreted as composition, choice and iteration, respectively. Note, however, that we can take any program construction as long as we can express their 5

7 modality. An important restriction, however, is the requirement of the algorithmic solvability of the validity problem of the resulting logic. PDL with regular programs is known to be decidable, but PDL with linear contextfree programs is not decidable. In fact, the latter problem is known to be 1 1-complete, that is, highly undecidable. Furthermore, it can be proved that PDL with all r.e. programs equals the innitary logic of equality L!1!. Several variants have been proposed of the original denition of PDL. These variants include only allowing deterministic primitive programs (DPDL); a primitive assertion repeat for programs, which holds of a program if that program can be executed ad innitum (RPDL); a primitive assertion loop for programs, which holds of a program if that program may never terminate (LPDL); a converse operator for programs which yields a program that executes the original program \backwards" (CPDL). See [10] for precise denitions and results and for references to the original literature. 1.4 Outline This paper is organized as follows. In chapter 2, the basic denitions, syntax and semantics for PDL are given. We give the Segerberg axiomatization which we prove complete in chapter 3. We also give an innitary axiom system which we prove complete using a technique proposed by Berman [3]. We then state a slightly more general technique for proving completeness of axiomatizations for (variants) of PDL based on this innitary axiom system and give applications. In chapter 3, we prove the existence of a Universal Model using model theoretic arguments and prove completeness of the axiomatization using this Universal Model. We also use the Universal Model to give a dierent proof of the Small Model theorem of Fisher and Ladner [6]. In chapter 4 we discuss the above mentioned assertion repeat and show that this assertion is denable in the innitary logic. In chapter 5, we describe a fragment of Propositional Dynamic Logic of Context-Free Programs. We give an axiomatization and prove it complete using the technique of chapter 6

8 2. In chapter 6, some related topics are discussed. We review Propositional Algorithmic Logic as formulated by Mirkowska [19] and compare the proof of completeness from that paper with ours. Finally, we discuss two dierent approaches to the problem of introducing time in the logic, namely, the linear time and the branching time approach. Acknowledgements The author wishes to thank Jan van Leeuwen for introduction to the subject and Pim Kars for references to Modal and Temporal Logic. 7

9 Chapter 2 Propositional Dynamic Logic In this chapter we give the denitions of the syntax and semantics of a formal system for reasoning about programs. To this end, we dene a class of programs which can enable propositions by means of a possibility operator. Thus, when is a program and is a proposition, (which we will abbreviate as hi) states \program can terminate with holding upon termination". The resulting logic is interpreted over Kripke structures and we will give an axiomatization for the logic that is complete, i.e. validity and derivability coincide. 2.1 Syntax and semantics The syntax of Propositional Dynamic Logic PDL has as its basis two disjoint countable sets of primitive symbols, namely the set 0 = fp 0 ; p 1 ; : : :g of primitive predicate symbols, and the set 0 = fa 0 ; a 1 ; : : :g of primitive program symbols. From these base sets we recursively dene the sets of PDL propositions and programs : 1. 0 ; 2. if ; 2 then _ ; : 2 ; 8

10 3. if 2 and 2 then hi 2 ; 4. 0 ; 5. if ; 2 then [ ; ; ;? 2 ; 6. if 2 then? 2. In addition we abbreviate :(: _ : ) to ^ ; : _ to! ; (! ) ^ (! ) to $. We further abbreviate :hi: to []. First we give an informal semantics for the above constructions: the meaning of the propositional connectives is exactly like in ordinary, classical propositional logic CPC. Therefore, PDL can be seen as an extension of CPC, i.e. all tautologies of CPC are valid PDL formulae. Primitive programs are exactly what their name suggests: uninterpreted programs or input/output relations, which is essentially the way we view programs in general. That is, programs are black boxes and their input/output behavior completely characterizes their relevant aspects; we identify two programs if and only if they constitute the same input/output relation. The meaning of the operator ; is program concatenation; thus, ; means \rst execute program and then execute ". [ means nondeterministic choice; [ means \choose nondeterministically program or and execute it". The?-operator is a nondeterministic looping operator and? means \execute a nondeterministically chosen number of times". In the sequel we often abbreviate ; ; ; (n times) to n. Thus? can be viewed as \choose n nondeterministically and execute n ". The operator? is a testing operator and? means \test and proceed if true". The operator is the usual modal operator and the meaning of hi is \program can be executed with holding upon termination". Its dual, [], therefore means \whenever program terminates, holds". Note that these operators give rise to two important aspects of programs, namely, when hitrue is valid, then can terminate, and when []false is valid, then never terminates. We are also able to express partial correctness of programs,! []. Formally, PDL formulae are interpreted over Kripke structures. Denition 2.1 A Kripke structure is a triple A = (W A ; A ; A ) where W A is a set of states; 9

11 A : 0 7! 2 W A is an interpretation function for the primitive predicate symbols; A : 0 7! 2 W A W A is an interpretation function for the primitive program symbols. Usually we write a Kripke structure as A = (W; ; ) when no confusion can arise. We further use the terms \Kripke structure", \Kripke model", \structure" and \model" interchangeably. The interpretation functions extend to the whole sets and : ( [ ) = () [ (); (; ) = () (), where is relation composition; (? ) = S i<! (i ), the reexive transitive closure of (); (?) = f(s; s) 2 W W j s 2 ()g; ( _ ) = () [ ( ); (:) = W? (); (hi) = fs 2 W j 9t 2 W:((s; t) 2 () ^ t 2 ())g; We say that a proposition is satisable in a structure A if and only if there exists a state s in A such that s 2 () and we write A; s j=. We omit A when it is clear from the context. We say that is A-valid and write A j= if A; s j= for each s 2 W. We say that is valid and write j= if is A-valid for every structure A. Clearly, is valid if and only if : is not satisable. In the sequel of this paper we use ; ; : : : to denote propositions and ; ; : : : to denote programs. 2.2 Axiomatization In this section we present an axiomatization for PDL as proposed by Segerberg [33]. He claimed this axiomatization to be complete and several completeness theorems are established in the literature. In the next chapter we give another proof of completeness of the axiom system by a technique which resembles the proof method proposed by Berman [3], which we review below. 10

12 Denition 2.2 The set of axioms AX for PDL contains 1. axioms for propositional logic; 2. hi ^ []! hi( _ ); 3. hi( _ ) $ hi _ hi ; 4. h [ i $ hi _ hi; 5. h; i $ hihi; 6. h?i $ ^ ; 7. _ hih? i! h? i; 8. h? i! _ h? i(: ^ hi). In addition we have the following inference rules: 1. modus ponens: from,!, infer ; 2. modal generalization: from, infer [], for any 2. As usual, we dene a derivation to be a nite sequence of well-formed formulae, each of which is an instance of an axiom or the conclusion of an inference rule whose premisses occur earlier in the derivation. The last formula occurring in the derivation is called the conclusion of the derivation. If, for any formula, there exists a derivation of which is the conclusion, we say that is derivable and write `. Axioms 1{3 are not particular for PDL but hold in all modal systems. Axiom 2 is easier in its dual form [](! )! ([]! [] ): This is the axiom K of Modal Logic and any logic which satises K and has a modal generalization rule, is called normal (c.f. [8]). Axiom 8 is called the induction axiom, and is better known in its dual form ^ [? ](! [])! [? ]: Note the resemblance between this axiom and the induction axiom in arithmetic. The intuition behind axiom 8 is that if a program? enables a 11

13 proposition, then the proposition is always true or there is a point in the looping of the program where the proposition becomes true for the rst time. Note that we may not assume and then infer, with modal generalisation, `! [] for all propositions and programs. This schema is obviously unsound. This derivation is only valid when is. Inspection of the system AX immediately gives us the next proposition. Theorem 2.3 (Soundness Theorem) If ` then j=. A familiar fact of PDL is its lack of compactness. For an easy example, consider the innite set?:? = f:; :hi; :h 2 i; : : :g [ fh? ig = [ fh? ig Every nite subset? 0? has a model: suppose h? i 2? 0 and let i be the largest integer such that :h i i 2? 0. Then each model M that satises :h j i for j i and h i+1 i, satises? 0. Yet the whole set? cannot have a model, for is precisely the denition of :h? i. 2.3 An innitary axiom system Intuitively, the nature of the?-operator requires an innitary axiom system. We dene the system AX 1 as such an innitary system. The induction axiom is replaced by an inference rule with an innite set of premisses. Denition 2.4 The innitary axiom system AX 1 contains the following axioms. 1. All PDL axioms, except the Induction Axiom; 2. [? ]! [ i ], for each i <!; In addition, we have the following inference rules: 1. modus ponens: from,!, infer ; 2. modal generalization: from, infer [], for any 2 ; 12

14 3. 1-rule: from f! [ i ]g i<!, infer! [? ]. V We treat [? ] as an abbreviation for i<![ i ]. have, for each i <!, h i i! h? i: By contraposition, we We dene a derivation in AX 1 to be a countable sequence of well-formed formulae, each of which is either an instance of an axiom or the conclusion of an inference rule whose premisses occur earlier in the sequence. The last formula in the sequence is called the conclusion of the derivation and any formula for which such a derivation exists is called derivable or provable and we write `1. From the Soundness Theorem for AX, we immediately get a Soundness Theorem for AX 1. Theorem 2.5 (Soundness Theorem) If `1, then j=. Theorem 2.6 derivable. 1. In the innitary system AX1, the induction axiom is 2. In the Segerberg system AX, ` [? ](! [])! (! [ n ]) for each n <!. Proof. 1. Let = ^ [? ](! []). Then, by CPC, `1!, or `1! ^ [? ](! []): An instance of Axiom 7 in its dual form is Hence and and by Axiom 3, ([? ](! []))! ((! []) ^ [][? ](! [])): `1! ^ ((! []) ^ [][? ](! [])): `1! [] ^ [][? ](! []) `1! []( ^ [? ](! [])): 13

15 So `1! []. With induction, we can show `1! [ n ] for each n <!. We now may infer `1! [? ] from which, with propositional reasoning, follows 2. Using axiom 7, we have `1 ([? ](! []))! (! [? ]): ` [? ]! ( ^ [][? ] ) where =! []. Assume ` [? ]. Then `! [] and ` [][? ](! []). Another application of axiom 7 yields We may now infer ` [](! []) ^ [ 2 ][? ](! []): []! [ 2 ]: As we have `! [], we can deduce `! [ 2 ]: And the theorem follows by induction on n. One sound inference rule in the system AX is the so-called reexive transitive closure rule (c.f. [17]) which reads: ( _ hi )! h? i! When we substitute h? i for in the premise of this rule, the conclusion is true, for the premise is valid by axiom 7. Thus this rule says that h? i is the least (with respect to logical implication) PDL proposition to do so, which is consistent with the innitary axiomatization for the?-operator A completeness technique In the following chapter we prove the completeness of the Segerberg axiom system using a Universal Model. A model U is called universal (c.f. [21]) if, for each model M, there exists a mapping M : W M 7! W U such that for each state s 2 W M and each PDL formula : 14

16 M; s j= i U; M (s) j=. Berman [3] gave a completeness technique for PDL which we review in this section. We use this technique to prove completeness of AX1. We rst give some denitions. Let Pr(AX 1 ) = f j`1 g be the set of all provable formulas of the axiom system AX 1. Denition 2.7 Let be a set of formulas and a formula. 1. `1 if and only if there is a (nite or countable) subset 0 such that `1 V 0!. 2. We say that is inconsistent i `1 false. 3. We say that is consistent i is not inconsistent. 4. is maximally consistent i is consistent and for each 2, either or : 2. We now dene a model A by: W A = fs j Pr(AX1) s and s is maximally consistent g; A (p) = fs j p 2 sg for primitive predicate p; A (a) = f(s; t) j 8 :([a] 2 s =) 2 t)g for primitive program a. Lemma 2.8 For each proposition, Proof. A; s j= i 2 s. We proceed by induction on the complexity of. For a primitive predicate, the theorem holds by denition. ( = _ ): A; s j= _ i A; s j= or A; s j= i, by induction hypothesis, 2 s or 2 s i _ 2 s, by construction. ( = : ): A; s j= : i A; s 6j= i 62 s i : 2 s. 15

17 ( = hi ): The only nontrivial case. We prove this case by induction on the structure of. First let = a be a primitive program. A; s j= hai i there exists a state t such that (s; t) 2 (a) and A; t j=. By induction hypothesis, 2 t and by the denition of (a), hai 2 s. Conversely, suppose hai 2 s. Consider the set? = f j [a] 2 sg: Claim.? is consistent. Proof of claim. Suppose? is inconsistent. Then there exists? 0? such that `1 ^?0! false or `1 1 ^ ^ n ^! false `1 [a] 1 ^ ^ [a] n ^! [a]false As `1 false! for all, we get, by Modal Generalization and axiom 2, `1 [a]false! [a]: `1 [a] 1 ^ ^ [a] n ^! [a]: Hence [a]: 2 s or :hai 2 s. Contradiction. Extend? to the set? 0 =? [ f g. Claim.? 0 is consistent. Proof of claim. Suppose? 0 is inconsistent. The only way inconsistency can occur is by f g. So suppose there are 1 ; : : : ; m ; : : : 2? such that `1 1 ^ ^ m ^ ^! false Hence, Hence [a]: 2 s. Contradiction. `1 1 ^ ^ m ^! : `1 [a] 1 ^ ^ [a] m ^! [a]: It is easy to see that the set Pr(AX1) [? 0 is consistent. Hence this set can be extended to a maximally consistent set t. 16

18 Claim. (s; t) 2 (a). Proof of claim. t 2 W A by denition. And for all propositions : [a] 2 s =) 2?? 0 t Hence (s; t) 2 (a) by the denition of. By the last claim, since 2 t, A; s j= hai and the case is primitive, is proved. The other cases follow easily. A; s j= h?i i A; s j= ^ i, by induction hypothesis, ^ 2 s i h?i 2 s. A; s j= h[i i A; s j= hi _hi i hi _hi 2 s i h[i 2 s. A; s j= h; i i A; s j= hihi i hihi 2 s i h; i 2 s. Dually we prove [? ] 2 s i A; s j= [? ]. A; s j= [? ] i, by denition of Kripke models, A; s j= [ n ] for each n <!, i, by induction hypothesis, [ n ] 2 s for each n <!, i, by the 1-rule [? ] 2 s. Corollary 2.9 For each program and proposition, hi 2 s i there exists a t 2 W such that (s; t) 2 () and 2 t. With Lemma 2.8 we can easily prove the completeness of the system AX 1 : Theorem 2.10 (Completeness Theorem) For each PDL formula, `1 i j=. Proof. One direction is the Soundness Theorem; for the other direction: let be such that 6`1. Then Pr(AX 1 ) [ f:g is consistent and can be extended to a maximally consistent set s by Lindenbaum's Theorem. Hence, s 2 W A and A; s j= : by Lemma 2.8, which implies that is not valid or 6j=. The following theorem abstracts our technique for proving completeness. Lemma 2.11 (Completeness Lemma) Let AX 0 be any sound axiomatization for (a variant of) PDL, that is, AX 1 AX 0. Construct the model A as indicated using AX 0. Then, if 17

19 A; s j= if and only if 2 s then 1. AX 0 is complete; 2. A is a Universal Model. Proof. 1. Suppose is such that 6`. Then Pr(AX 0 ) [ f:g is consistent and can be extended to a maximally consistent set s by Lindenbaum's Theorem. Then s 2 W A and A; s j= :. So is not valid. 2. For each model M dene the mapping M : W M 7! W A by M (s) = f j M; s j= g: M (s) is maximally consistent, for if 62 M (s) then M; s 6j= ; hence M; s j= : and : 2 M(s). By Soundness, Pr(AX 0 ) M(s). Hence M (s) 2 W A. Then M; s j= i 2 M (s) i A; M (s) j= which implies that A is universal Application: PDL with concurrency In this section we give an application of our completeness technique for a variant of PDL. In this application we use the innitary system AX 1 and the variant is an addition of axioms to this system. Peleg [22] dened a variant of PDL by introducing the concurrency operator \ : 7! which has the following semantics for any Kripke model M: M; s j= h \ i i M; s j= hi and M; s j= hi. An axiomatization for the resulting logic follows easily. Denition 2.12 The set AX C of axioms for PDL with concurrency contains: 18

20 1. the system AX 1 ; 2. h \ i $ hi ^ hi. Using the technique from the previous section, we readily get a completeness result for the logic. Theorem 2.13 The system AX C is complete. Proof. By the Completeness Lemma, we only need to consider the additional case = h \ i. This can be proved by a simple extension of the proof of Lemma 2.8. Let = h \ i. Then A; s j= i, by denition, A; s j= hi and A; s j= hi i, by induction hypothesis, hi 2 s and hi 2 s i, by construction, hi ^ hi 2 s i h \ i 2 s. In chapter 4 another application of this completeness technique is given for the case of an innitary axiom system for a fragment of Propositional Dynamic Logic of Context-Free Programs Discussion We have introduced a completeness technique for PDL which rests on an innitary axiom system. One might ask whether this technique is applicable to the \normal" axiomatization as well. The answer to this question is \No". The diculty in proving a lemma such as Lemma 2.8 lies in the case = [? ]. Let us see what happens when we try to prove the case. We can prove that A; s j= [? ] implies [ n ] 2 s for each n <!, but we may not infer that then [? ] 2 s. In fact, we can prove the following theorem. Theorem 2.14 Let Then? is consistent. Proof.? = Pr(AX) [ f; [a]; [a 2 ]; : : :g [ f:[a? ]g = Pr(AX) [ [ f:[a? ] g 19

21 Suppose? inconsistent. Then for some nite subset? 0 = f 0 ; 1 ; : : : ; n g?,? 0 ` false: Or ` 0 ^ ^ n! false: Without loss of generality, we may assume that n = :[a? ] and the other j 2. By Soundness, then, for all models M and states s 2 W M, M; s j= 0 ^ ^ n?1! [? ]. But counterexamples are easily found. Hence? is consistent. Essentially, this is the same argument as we used for proving incompactness. There we saw that an innite, semantically inconsistent set could not be proved to be inconsistent, by proving inconsistency of each of its nite subsets. In fact, each of its nite subsets was consistent. For exactly the same reason, namely syntactic consistency of each of the nite subsets of?, we must conclude that? itself is syntactically consistent. Yet it surely is not semantically consistent. We therefore conclude that syntactic and semantic consequence are two dierent notions in the case of the axiom system AX. The Theorem does not hold, however, in the case of an innitary axiom system. We may infer [a? ] from and? proves inconsistent. In this case, syntactic and semantic consequence do coincide. It is interesting to compare the discussion which arose between Kozen and Pratt concerning the equational denition of an algebraic structure underlying PDL and the above remarks. Pratt dened a Dynamic Algebra which had the Segerberg axiom system as its equational denition; Kozen proposed a?-continuous Dynamic Algebra which incorporated the innitary system AX1. Kozen proved the following theorem. Theorem Standard Kripke models and?-continuous Dynamic Algebras share the same L!1! theory. 2. There exists an rst-order sentence such that for each standard Kripke model A, A j=, but there exists a Dynamic Algebra D such that D j= :. Kozen then concluded that looping is \inherently innitary", which agrees with our ndings using model theoretic arguments. The Segerberg axiom system is, however, complete for PDL [16] (see also Chapter 3 of the present paper). As a result we have, for each 2, 20

22 ` i j= i `1 since both logics are interpreted in the same class of models. Hence provability in both axiom systems coincide. 21

23 Chapter 3 A Universal Model Theorem for Kripke Structures In this chapter we prove the existence of a Universal Model for PDL in a very natural and intuitively appealing way following Parikh [21]. Using this model, we prove a Completeness Theorem for the Segerberg axiom system AX and give a dierent proof for the Small Model Theorem. 3.1 The Universal Model Theorem In this section we establish a nontrivial property of Kripke structures, namely the existence of an structure U that is universal in the sense that every other structure can be isomorphically embedded in it. We further exhibit some immediate consequences of this fact Some model theory In this section we establish some facts about models for PDL and the theory of Kripke models. Denition 3.1 For each model M, the theory of M is the set T h(m) = f j 9s 2 W M :M; s j= g: 22

24 This denition gives a notion of equivalence of models: two models M 1 and M 2 are equivalent i T h(m 1 ) = T h(m 2 ). Notice, however, that M 1 and M 2 need not be isomorphic, as the following example shows. Example. Let W M 1 = W M 2 = f0; 1; 2; : : : ;!g. Let M 1 ; n j= p i i M 2 ; n j= p i i i < n. M 1 ;! j= p j and M 2 ;! j= p j for all j. Now let M 1 (a) = f(0; n) j n <!g and M 2 (a) = f(0; n) j n!g. Then M 1 and M 2 are not isomorphic but T h(m 1 ) = T h(m 2 ) and both models even have the same formulae holding at the same states of W. Denition 3.2 For each model M the relation on the state space W M is dened by: s t i M; s j= () M; t j=. For each model M we now dene the collapse of M to be the model M c = M= : s c = ft j s tg W Mc = fs c j s 2 W M g Mc (p i ) = fs c j s 2 M (p i )g Mc (a j ) = f(s c ; t c ) j (s; t) 2 M (a j )g The following lemma is immediate. Lemma 3.3 For each proposition, M; s j= i M c ; s c j=. The lemma in eect states that we only need to consider models of cardinality at 1, that is, the cardinality of the power set of. Lemma 3.4 For every model M and program, 1. if (s; t) 2 (), then 8:(M; t j= =) M; s j= hi); 2. if (s; t) 2 (), then 8:(M; s j= [] =) M; t j= ); 3. 8:(M; t j= =) M; s j= hi) i 8:(M; s j= [] =) M; t j= ). 23

25 Proof. Clauses (1) and (2) follow immediately from the denition of j=. For clause (3): 8:(M; s j= [] =) M; t j= ) i 8:(M; t 6j= =) M; s 6j= []) i 8:(M; t j= : =) M; s j= :hi:) i 8 :(M; t j= =) M; s j= hi ). For each program we dene the mappings Dom() and Ran() by: Dom() = fs 2 W j 9t 2 W:(s; t) 2 ()g Ran() = ft 2 W j 9s 2 W:(s; t) 2 ()g In the light of Lemma 3.4 we can dene for each model M another model M ex, called the extension of M, by: W Mex = W M ; Mex = M ; Mex (a) = f(s; t) j 8(M; s j= [a] =) M; t j= )g for a primitive By Lemma 3.4, M (a) Mex (a) for each primitive program a. Note that M (a) need not equal Mex (a). Consider for example the case in which M; s j= [a] only if is valid. Then, for every t 2 W M, (s; t) 2 Mex (a). Obviously, Mex (a) can be substantially larger than M (a). We extend Mex to the whole set in the usual way. Lemma 3.5 For each proposition, Proof. M ex ; s j= i M; s j=. ((=) Since M (a) Mex (a) for each primitive program a, it is easy to see that for each 2, M () Mex (). The proof proceeds by induction on the complexity of. The only non-trivial case is = hi, which follows from the inclusion given above. (=)) Let M ex ; s j=. We dene the mapping R : 7! 2 W M W M by: R() = f(s; t) j 8 :(M; s j= [] =) M; t j= )g = f(s; t) j 8 :(M; t j= =) M; s j= hi g for 2. Note that, by Lemma 3.4(3), we may use both conditions interchangeably in the denition of R. 24

26 Claim 1. M; s j= i M; s j= R, where j= R is dened as the relation j= except that we use R() instead of (). Proof of claim. Induction on the structure of. The only nontrivial case is = hi. Let M; s j= hi. Then there exists a state t such that M; t j= and (s; t) 2 (). But then (s; t) 2 R() by the construction of R and M; s j= R hi. Conversely, let M; s j= R hi ; then there is a state t such that (s; t) 2 R() and t j=. Suppose that there exists no state t such that (s; t) 2 () and M; t j=. Then M; s j= []: and, by the denition of R, if (s; t) 2 R(), then t j= :. Contradiction. Claim 2. For each 2, Mex () R(). Proof of claim. Induction on the complexity of. For primitive, the claim holds by denition. Next we consider more complex programs. Case 1 : = [. Clearly, ( [ ) = () [ () R() [ R(). The last union equals: f(s; t) j 8:(t j= =) s j= hi) _ 8:(t j= =) s j= hi)g It is easy to see that this set is contained in: f(s; t) j 8:(t j= =) s j= hi _ s j= hi)g which is R( [ ). Case 2 : = ;. (; ) = () () R() R(). Now, R() R() = f(s; t) j 9u:((s; u) 2 R() ^ (u; t) 2 R())g Let (s; t) 2 R() R(). Then, for each, t j= =) s j= hihi hence (s; t) 2 R(; ) and R() R() R(; ). Case 3 : =?. By the former argument we get ( n ) R( n ) 25

27 for each n <!. We further have, for each n <!, R( n ) R(? ) Suppose (s; t) 2 R( n ); then t j= =) s j= h n i for all. Surely t j= =) s j= h? i for all, by the denition of (? ). Hence (s; t) 2 R(? ). [ Hence, by induction [ on n, (? ) = ( i ) R( i ) R(? ): i<! Note that this is the place where we use the innitary properties of?. Case 4 : =?. Clearly, (?) = R(?) follows immediately by the denitions of and R. The proof of the lemma now follows by induction on the structure of. Again, the only non-trivial case is = hi. If M ex ; s j= hi then, by claim 2, M; s j= R hi and hence, by claim 1, M; s j= hi. Next we dene, for each model M, the model ~M by replacing every state in W M by the set of propositions that hold at that state. We denote the state in W M ~ corresponding to s by ~s. It is easy to see that for each proposition 2. i<! M; s j= () ~M; ~s j= () 2 ~s Denition 3.6 For each model M, the canonical model for M is [M] = ~ (M c ) ex. Theorem 3.7 For each proposition and each model M, M; s j= i [M]; [s] j=. Proof. Immediate from Lemma 3.3 and Lemma

28 3.1.2 The Universal Model We can now dene a universal Kripke structure U. Consider the class K of all Kripke structures. For each M 2 K we dene the mapping M : W M 7! W U by: M (s) = f j M; s j= g: We let the set of states W U of the universal model be exactly the set of all subsets of that can be obtained this way (when M ranges over all Kripke structures). That is, for, 2 W U i = M (s) for some model M and state s 2 W M. We dene U by: U (p i ) = fs 2 W U j p i 2 sg for 0 i <!. The interpretation for the primitive programs is dened as: U (a j ) = f(s; t) 2 W U W U j 8:([a j ] 2 s =) 2 t)g for 0 j <!. Note that the states of U consist of all semantically consistent complete sets of formulae. We can also describe the Universal Model as the model which results from \pasting together" all canonical models [M] for all Kripke models M. All states in U are \copies" of states in some canonical model [M]. Lemma 3.8 For each canonical model [M] and 2, [M] () U (). Proof. It follows immediately from the denitions of [M] and U that, for primitive a, [M] (a) U (a). The lemma follows. Lemma 3.9 Consider the universal model U. 1. For each 2 and 2, 2. For each 2, Proof. hi 2 s () 9t:(s; t) 2 () ^ 2 t: U; s j= if and only if 2 s. 27

29 1. (=)) Let hi 2 s. Then there exists a canonical model [M] and a state [s] 2 W [M] such that hi 2 [s]. Then there exists a [t] 2 Ran [M] () such that 2 [t]. Hence, by Lemma 3.8, t 2 Ran U () and 2 t. ((=) Again dene the function R : 7! 2 WW as in Theorem 3.5 except that we use 2 instead of j=. By the proof of that theorem, () R(). Hence, if (s; t) 2 () and 2 t, then (s; t) 2 R() and by the denition of R, hi 2 s. 2. The proof is by induction on the structure of. For primitive, the lemma holds by denition. Case 1 : ( = _ ) s j= _ i s j= or s j= i, by the induction hypothesis, 2 s or 2 s i _ 2 s by the maximality of s. Case 2 : ( = : ) Similar. Case 3 : ( = hi ) s j= hi i there is a state t 2 W such that (s; t) 2 () and t j= i 2 t by the induction hypothesis and hi 2 s by the rst part of the lemma. The following theorem is an immediate consequence of the lemma. Theorem 3.10 There exists a universal Kripke structure U = (W U ; U ; U ) such that for each Kripke structure M = (W M ; M ; M ) there exists an embedding M : W M 7! W U such that M; s j= i U; M(s) j= for each well-formed formula. Proof. The model U constructed above and mappings M for each M are the required model and mappings. Let M be any model and s 2 W M. Then M; s j= i 2 [s] for [s] in the canonical model [M] and hence 2 s for s 2 W U by the construction of U. By Lemma 3.9, U; s j=. Conversely, let U; s j=. Then, again by Lemma 3.9, 2 s and hence, 2 [s] for some canonical model [M]. Then [M]; [s] j= and each model M such that [M] is canonical for M, satises. Note that the theorem implies that the mapping is an isomorphic embedding in the terminology of model theory. 28

30 3.1.3 Some consequences In this section we give two immediate consequences of Theorem 3.10 which will be instrumental for obtaining the results of the next two sections. Lemma 3.11 For all propositions, is satisable if and only if is U- satisable. Proof. is satisable i there exists a model M and a state s 2 W M such that M; s j= i U; M (s) j=. Lemma 3.12 For all propositions, is valid if and only if is U-valid. Proof. (=)) Immediate. ((=) Suppose not valid. Then there exists a model M and a state s 2 W M such that M; s 6j=. Hence U; M (s) 6j= and is not U-valid Some more model theory Parikh [21] dened two notions of equivalence of models. Denition 3.13 For models M and N of PDL, let 1. M N i T h(m) = T h(n ); 2. M s N i 8s 2 W M 9s 0 2 W N 8 2 :M; s j= () N ; s 0 j= and 8s 0 2 W N 9s 00 2 W M 8 2 :N ; s 0 j= () M; s 00 j=. Theorem 3.14 For all models M and N of PDL, where = denotes \is isomorphic to". M = N =) M s N =) M N : 29

31 The proof of the theorem is trivial, but note that none of the converse implications hold. However, in all equivalence classes induced by these relations we can nd canonical elements. Denition 3.15 Let C be any class of Kripke models and M 2 C. Then 1. M is canonical for C i (a) 8s; t 2 W M :(s 6= t =) 9:(s j= ^ t j= :)); (b) 8s; t 2 W M :((s; t) 2 (a) () 8:(s j= [a] =) t j= ). 2. M is canonically closed for C i (a) M is canonical for C; (b) for any M 0 2 C and s 0 2 W M0, if for all there exists a s 2 W M such that M 0 ; s 0 j= =) M; s j=, then there exists a s 0 2 W M such that for all, M 0 ; s 0 j= =) M; s 0 j=. Note that the \only if" part of condition (1b) holds in all models because of the semantics of, but in canonical models, the (a) is \packed full" so that the other direction holds as well. Condition (2b) states that if a canonically closed model M has arbitrarily close \approximations" to s 0, then M contains a \copy" s 0 of s 0, that is, a state s 0 such that f j M; s 0 j= g = f j M 0 ; s 0 j= g. In this sense the word \closed" can be given a topological meaning. Let K be the class of all Kripke models and K [M] the class of all models M such that [M] is canonical for M. Theorem [M] is canonically closed for K [M]. 2. U is canonically closed for K; Proof. Immediate from section Completeness of AX To prove completeness of AX we adapt the Lindenbaum construction [1] to PDL: We impose a Boolean algebra structure on the state space W U of U. 30

32 With each proposition we associate the set of states that satisfy : jj = fs 2 W j s j= g: Let P be the set of all such jj. We dene a partial ordering 6 on P : jj 6 j j i `! : Lemma 3.17 B = hp; 6i is a complemented distributive lattice, that is, a Boolean algebra. Proof. By propositional reasoning we have `! true ` false! for all propositions. Hence we can take jtruej = 1 and jfalsej = 0 in B. Let jj 2 P. Then its complement, jj c, is dened as: and j:j 2 P. Let jj; j j 2 P. Then: jj c = fs j s j= g c = fs j s 6j= g = fs j s j= :g = j:j jj \ j j = fs j s j= g \ fs j s j= g = fs j s j= ^ s j= g = fs j s j= ^ g = j ^ j Hence jj \ j j 2 P. By propositional reasoning, ` ( ^ )! and ` ( ^ )!. 31

33 Hence j ^ j is a lower bound for fjj; j jg. Suppose jj is a lower bound too. Then `! and `!. Hence `! ( ^ ). This shows that j ^ j is the greatest lower bound, i.e. the inmum of fjj; j jg. Similarly, j _ j is the supremum of fjj; j jg. Thus B is a lattice. Let jj; j j; jj 2 P. Then j( ^ ) _ j 2 P and because we get from the Soundness Theorem, ` (( ^ ) _ ) $ (( _ ) ^ ( _ )) j( ^ ) _ j = j( _ ) ^ ( _ )j: This shows that B is a complemented distributive lattice. Lemma 3.18 In the Boolean algebra B, 1. jj = 1 if and only if ` ; 2. j j = 0 if and only if ` :. Proof. 1. Let jj = 1. Then for each j j 2 P, j j 6 jj. Hence, for each j j, `!. Choose so that `, then, by modus ponens, `. Conversely, suppose `. Then, for each, `!. Hence, for each, j j 6 jj, so jj = 1 in B. 2. Similar. Lemma 3.19 For all proposition, if U j= then `. Proof. Suppose that is not provable in the system AX. Then, by lemma 3.18, in the Lindenbaum algebra B, jj 6= 1 and so j:j 6= 0. Hence there exists a state s 2 j:j such that U; s j= :. Hence is not U-valid. Theorem 3.20 (Completeness Theorem) j= if and only if `. Proof. One direction is the Soundness Theorem. The other direction follows from Lemmas 3.12 and Remark. Let A be the model as dened in the previous chapter from the innitary axiom system AX 1. An immediate observation leads to the next lemma. 32

34 Lemma 3.21 W A = W U. Proof. By Soundness, each s 2 W U is maximally consistent and Pr(AX 1 ) s so W U W A. Conversely, W A W U by Completeness. By the lemma and the constructions of U and A we get: Theorem 3.22 U = A. In fact we may say that U and A are only two dierent names for the same model and conclude that U = A. 3.3 The Small Model theorem We nd another application of Theorem 3.10 in a dierent proof of the Small Model theorem. This theorem is one of the basic results of the theory of PDL and was rst discovered by Fischer and Ladner [6]. It states that every proposition that is satisable, is satisable in a model with 2 jj states. This fact immediately gives rise to a nave doubly-exponential time decision procedure for the validity problem for PDL: to check whether is valid, generate all models with 2 j:j states and cycle through them in search for a model that satises :. If such a model doesn't exists, then is valid. Sherman and Harel [10, 32] proved the existence of a singlyexponential time procedure by constructing a model A that satises i is satisable. Thus we can construct a model in polynomial time and check whether this model satises : in exponential time. We rst need a notion of the \subformulae" of a PDL formula. concept is captured by the Fischer-Ladner closure of [6]. This Denition 3.23 Let 2 be a PDL formula. The Fischer-Ladner closure of, denoted by F L(), is the smallest set S of formulae containing and satisfying the following closure rules for all a 2 0, ; 2 and ; 2 : : 2 S =) 2 S _ 2 S =) ; 2 S hai 2 S =) 2 S hi 2 S =) hihi 2 S 33

35 h [ i 2 S =) hi ; hi 2 S h? i 2 S =) ; hih? i 2 S h?i 2 S =) ; 2 S The Fischer-Ladner closure of is the set of all \subformulae" that are relevant for the meaning of. The set F L() induces an equivalence relation on the state space W of any model M: s t i 8 2 F L():(s j= () t j= ) In other words, we \collapse" s and t if they are not distinguishable by any formula of F L(). We now dene the quotient model M=F L(): [s] = ft j s tg W M=F L() = f[s] j s 2 W M g M=F L() (p i ) = f[s] j s 2 M (p i )g for all p i 2 0 M=F L() (a j ) = f([s]; [t]) j (s; t) 2 M (a j )g for all a j 2 0 M=F L() and M=F L() are extended inductively to and in the usual way. The following lemma, called the Filtration Lemma, is crucial for the theorem: Lemma 3.24 (Filtration Lemma) For all 2 F L(): 1. if = hi then 8s; t 2 W M f(s; t) 2 M () =) ([s]; [t]) 2 M=F L() ()g; 2. for all states s: M; s j= () M=F L(); [s] j=. Proof. Tedious but straightforward induction on the structure of ; see [6] for details. We now consider the quotient model U=F L(). Lemma 3.25 For each 2 F L() is satisable i is U=F L()-satisable. 34

36 Proof. The lemma follows from Lemma 3.11 and the Filtration Lemma. Next we give another representation for the states of the quotient model U=F L(): for each [s] 2 W U=F L(), let ~s be the set ~s = f j [s] j= and 2 F L()g [ f: j [s] j= : and 2 F L()g That is, ~s is the set of formulae from F L() that hold at [s] together with the negations of the formulae from F L() that don't hold. We dene the model U by mapping in the ltration model U=F L() each state [s] onto ~s. The interpretation functions are adapted in the obvious way. From this construction we immediately get the following lemma. Lemma 3.26 For each formula 2 F L() and [s] 2 W U=F L(), U=F L(); [s] j= i U ; ~s j= i 2 ~s. Theorem 3.27 For each formula 2 F L(), for some state ~s 2 U. Proof. is satisable i 2 ~s Immediate from Lemmas 3.25 and The sets of formulae ~s are called atoms of F L() and play a crucial role in the denition of the model A. Denition 3.28 Let Z be the set of PDL formulae in which all formulae of F L() and their negations occur. Then an atom of F L() is dened to be a subset A Z such that for every ; 2 and ; 2 : if : 2 Z, then 2 A i : 62 A if _ 2 Z, then _ 2 A i 2 A or 2 A if hi 2 Z, then hi 2 A i hi 2 A if h [ i 2 Z, then h [ i 2 A i hi 2 A or hi 2 A if h? i 2 Z, then h? i 2 A i 2 A or hih? i 2 A if h?i 2 Z, then h?i 2 A i 2 A and 2 A. 35

37 Note that for all 2 F L(), either or : is contained in each atom. Denote the set of all atoms of F L() by At(). From the denition of atoms it follows that an A 2 At() is free of \obvious" or internal contradictions. In the construction of the model A we will eliminate the \nonobvious" or external contradictions also. This model will be constructed in phases. For the denition of the interpretation functions and we limit ourself, without loss of generality, to the primitive predicate and program symbols occurring in. A 0 = (W 0 ; 0 ; 0 ) is dened by: W 0 = At(); 0 : 0 7! 2 W 0 by A 2 0 (p) i p 2 A; 0 : 0 7! 2 W 0W 0 by (A; B) 2 0 (a) i 1. there is a hai 2 A with 2 B, and 2. for every [a] 2 A, 2 B. For i > 0, A i+1 = (W i+1 ; i+1 ; i+1 ) is dened by W i+1 = fa j A 2 W i, and for every hi 2 A, there is B 2 W i with (A; B) 2 0 i () and 2 Bg; i+1 (p) = i (p) \ W i+1 ; i+1 (a) = i (a) \ (W i+1 W i+1 ). Here 0 i is the ordinary extension of i to, except that for 2 Z we dene 0 i (?) = f(a; A) j 2 Ag. The unprimed is the usual extension. It follows from the niteness of At() and the fact that W i+1 W i that there is a j for which the construction closes up; i.e. A i = A j for each i > j. Accordingly, set A = A j. The following lemma is the main technical lemma we need for our nal result. Lemma 3.29 For every A 2 W A, 1. for each hi 2 F L(), hi 2 A i there exists a B 2 W A with (A; B) 2 () and 2 B; 36

38 2. for each 2 F L(), 2 A i A ; A j=. Proof. The proof proceeds by simultaneous induction on the structure of in (1) and the structure of in (2). See [32] for details. Theorem 3.30 (Small Model Theorem) For all 2 F L(), is satisable i 2 A for some A 2 W A. Proof. In the light of Theorem 3.27, we only need to prove that W U = W A, from which the theorem follows. W A W U : immediate from the construction of U ; suppose there exists an atom A 2 W U and A 62 W A. As we have started from the set of all atoms in W 0, there exists a phase i in which the rst such atom is removed from W i+1. Inspection of the algorithm shows that this can only happen if there exists a formula hi 2 A such that there exists no B 2 W i with (A; B) 2 0 i () and 2 B. But A 2 W U and hence there exists a state B 2 W U with (A; B) 2 () and 2 B. Because A is the rst state to be removed, B 2 W i. Contradiction. Remark. The above described ltration technique stems from Modal Logic where a somewhat stronger result has been obtained. First dene a notion of subformulae of a Modal Logic proposition. The set of all subformulae Sf() of a formula is dened by: Sf(p) = fpg Sf( _ ) = f _ g [ Sf() [ Sf() Sf(:) = f:g [ Sf() Sf() = fg [ Sf() We dene a subset? of the set of well-formed formulae to be a ltration set if? is closed under subformulae, that is, 2? implies Sf()?. 37

39 ? induces an equivalence relation? on the state space of any model M = (S; R; V ): s? t i for all 2?, M; s j= i M; t j=. We denote the equivalence class to which a state s 2 S belongs by jsj. We can dene a model M 0 = (S? ; R 0 ; V? ), called the?-ltration of M, by: S? = fjsj j s 2 Sg jsj 2 V? (p) i s 2 V (p) for primitive p and R 0 must satisfy: 1. if (s; t) 2 R, then (jsj; jtj) 2 R 0 ; and 2. if (jsj; jtj) 2 R 0, then for all, if 2? and M; s j=, then M; t j=. Note that we still have some liberty in choosing the relation R 0. We can prove the following lemma. Lemma 3.31 (Filtration Lemma) If 2?, then for any s 2 S, M; s j= i M 0 ; jsj j=. We now give some examples of ltrations. 1. The smallest ltration. 2. The largest ltration. (jsj; jtj) 2 R i 9s 0 2 jsj9t 0 2 jtj:((s 0 ; t 0 ) 2 R). (jsj; jtj) 2 R i for all, 2? and M; s j= implies M:t j=. Observe that, in the context of PDL, the Filtration Lemma is proved for a smallest ltration. Observe further, that Lemma 3.5 proves a special case of a largest ltration, namely, the case that we take? to be the whole set of well-formed formulae. 38

40 Chapter 4 PDL with Repeat In this chapter we study the eect of adding a predicate, repeat, for programs. This predicate holds of a state s 0 i there are states s i for i <! such that (s i ; s i+1 ) 2 (). That is, repeat() holds when? can diverge when executed from s 0. The main tool we employ is the notion of the computation tree of a program. We use it to show that repeat() is equivalent to an innitary formula. Thus the predicate repeat is denable in innitary PDL, that is, the variant of PDL in which we allow for innite conjunctions and disjunctions of arbitrary formulae. This logic is easily denable analogous to AX 1 : we only have to replace the 1-rule by a general innitary rule for formulae. Thus we have the following inference rule: 1-rule': from f n j n <!g, infer V n<! n. 4.1 Computation trees Denition 4.1 Let M = (W; ; ) be any Kripke structure. For each program 2 and state s 2 W, the computation tree of rooted in s is the tree T s = (V; E) where V is a set of vertices and E is a set of edges, dened by s 2 V if (t; t 0 ) 2 () and t 2 V, then (t; t 0 ) 2 E and t 0 2 V. 39

41 Note that each vertex in T s may have countably many descendants and that T s itself may be innitely deep. Note also that the same state may occur in several distinct nodes in T s and if a state lies on a cycle, then it occurs innitely often in T s. Let T be any computation tree rooted in s on any Kripke structure M. An -path departing from s is any branch in T. When s; t 1 ; : : : ; t n are the vertices on that branch, then the path is of length n. When the path is innitely long, its length is!. Intuitively, an -path is any computation sequence of?. Denition 4.2 For any program 2, repeat() holds at state s i there exists an -path of length! departing from s. Note that repeat() holds if and only if? can diverge. We can dene a partial ordering v of computation trees by setting T s v T t i there exists an embedding f : T s 7! T t such that if (t; t 0 ) 2 E, then (f(t); f(t 0 )) 2 E 0, where E (E 0 ) is the set of edges of T s (T t ). Two trees T s and T t are - equivalent, T s T t, i T s v T t and T t v T s. If, for two -trees T and T 0, T v T 0, then T 0 is at least as deep as T. This notion of equivalence between computation trees is somewhat coarse, but good enough for our purposes as we are only interested in whether the depth of a tree is nite or innite. For the rest of this section we are not interested in a particular program or structure M, so we drop sub- and superscripts. We dene a class D of computation trees over some (appropriate) Kripke structure as: by the following recursive denition: D = fd i j i!g D 1 is the -tree rooted in s 1 that contains an -path departing from s 1 of length n for each n <! but no path of length!; D i+1 is the -tree rooted in s i+1 that consists of a copy of D 1 and has a copy of D i appended to the endpoint of each nite path; D! is the -tree rooted in s! such that D i v D! for each i <!. Note that this denition is unambiguous up to -equivalence. For convenience, we set D i = (V i ; E i ). Theorem 4.3 For each i <!, 40