for Propositional Temporal Logic with Since and Until Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, G. Kutty

Transcription

1 An Automata-Theoretic Decision Procedure for Propositional Temporal Logic with Since and Until Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, G. Kutty Department of Electrical and Computer Engineering Department of Computer Science University of California, Santa Barbara Abstract We present an automata-theoretic decision procedure for Since/Until Temporal Logic (SUTL), a linear-time propositional temporal logic with strong non-strict since and until operators. The logic, which is intended for specifying and reasoning about computer systems, employs neither next nor previous operators. Such operators obstruct the use of hierarchical abstraction and renement and make reasoning about concurrency dicult. A proof of the soundness and completeness of the decision procedure is given, and its complexity is analyzed. AMS Subject Classication: 03B25, 03B35, 03B45, 68Q40, 68Q68, 68T15 1 Introduction Since/Until Temporal Logic (SUTL) is a linear-time temporal logic based on propositional calculus and the temporal operators until U and since S. The U operator is a strong non-strict until in that f U g requires g to be true either now or at some future point; furthermore, from now up to the point at which g is true f must be true. Likewise, the S operator is a strong non-strict since in that f S g requires g to be true either now or at some point in the past; furthermore, from now back to the point at which g is true f must be true. The eventually operator can be expressed in SUTL as 3f true U f and the henceforth operator as 2f :3:f. The weak until U can be expressed in terms of the strong until U as f U g f U g _ 2f. Unlike the strong until, the weak until does not require g ever to be true. There is no loss (or gain) in expressiveness in considering a logic with a strong, rather than a weak, until operator. The weak since, past henceforth and past eventually operators are similarly dened. There is neither a next nor a previous operator in SUTL, as in the logics of [7, 10, 12, 15, 16]. It is widely recognized by computer scientists [1, 2, 3, 6, 8, 9] that the next operator is not necessary and, moreover, is not conducive to good specications. Although a This work was partially supported by NSF grant CCR with cooperation from DARPA.

2 next operator is potentially useful when describing a single sequential program at the statement level, it is less useful for describing concurrent computer systems. In the design of a concurrent system, we must reason separately about the behavior of each process and its interactions with other processes. Specications containing the next operator are at risk of prescribing an order of execution on unsynchronized processes, an order that may overspecify the system by excluding other equally acceptable orders and that may be dicult or impossible to implement. Another drawback of the next operator is that it obstructs the use of hierarchical abstraction and renement in temporal reasoning. A computation may be viewed at dierent levels of abstraction with dierent granularities of time. The next for one level of abstraction may be quite dierent from the next for another level of abstraction. While it is possible to envisage a mapping between levels for the next operator, as is provided for state predicates, the problems of specifying such a mapping are substantial. In [5] Burgess provided an axiomatization for a since/until temporal logic. logic diers from SUTL in that his until operator is a strict until; its eventuality requirement cannot be satised in the current state and must be satised in a future state. In eect, his logic distinguishes the present from the future, whereas SUTL does not. The increased expressiveness of the logic of Burgess appears attractive, but for reasoning about concurrent systems that expressiveness is counterproductive. In reasoning about one process in the system, it is not possible to know whether the transition into the future is the result of an action by this process or some other. Indeed, in the view of one process, the most likely \rst state of the future" is one in which some other process has acted and in which the state of this process has remained unchanged. Consequently, we are most likely to reason correctly about concurrency in a system if the present merges seamlessly into the future without any dividing line. Burgess has provided a version of his logic that is based on a discrete time line. The combination of a discrete time line and a strict until operator yields a next operator that can be expressed as next(f) false U f. For the reasons given above, SUTL does not provide a next (or previous) operator, and uses non-strict versions of the since and until operators. Although SUTL involves the since operator S that refers to the past, the automaton for our decision procedure always proceeds forward on its input. The automaton carries forward enough information in its (local) state to decide if a given formula involving the since operator should be accepted at any point in its run. Crucial to this approach for logics involving a past operator is the careful denition of the subformula closure set and the transition conditions on the automata. This is particularly true of the local automaton. The eventuality automaton is less aected by the presence of the since operator (except through its interaction with the local automaton) because it is responsible for progress properties that involve the sux of a computation. The decision procedure presented in this paper is the rst automata-theoretic decision procedure known to us for a logic with since and until operators but without next and previous operators. The rest of this paper is organized as follows. In Section 2 we present the syntax, models and semantics for SUTL. Section 3 contains the denitions of the subformula closure set and the size of a well-formed formula. Section 4 introduces the concept of worlds and describes the decision procedure in terms of Buchi automata operating on His

3 !-sequences of worlds. In Section 5 we outline a proof of the completeness and soundness of the decision procedure, and in Section 6 we characterize its complexity. Finally, in Section 7 we use the decision procedure to show that, for the class of!-sequences, the logic is transparent to nite stuttering, thereby demonstrating that the next (or previous) operator cannot be fabricated within the logic. Section 8 contains concluding remarks. 2 Syntax, Models and Semantics 2.1 Syntax The syntax of SUTL is dened relative to a nite set P of primitive propositions in terms of its well-formed formulas (w) as follows :? true and false are w? if p 2 P then p is a w? if f is a w then so is :f? if f and g are w then so are f ^ g; f U g; f S g? nothing is a w except if obtained by nite application of these rules As is customary, we use f _ g as an abbreviation for :(:f ^ :g). 2.2 Models The structures on which w of SUTL are interpreted are the usual!-sequences of states, where a state is an element in 2 P. Such an!-sequence is a satisfying model for a SUTL formula if the formula is satised at the initial state of the sequence under the semantic interpretation outlined below. We shall represent a model for SUTL as a mapping M :!! 2 P. For technical reasons we shall extend M to a mapping from! to the power set of a larger set of w of SUTL in some parts of the sequel and, where required, this will be done as usual by means of the semantics of w. 2.3 Semantics The semantics for SUTL formul are dened at a state M(i) in an!-sequence M as follows :? hm; ii j= true and hm; ii 6j= false? hm; ii j= p for p 2 P i p 2 M(i)? hm; ii j= :f i hm; ii 6j= f? hm; ii j= f ^ g i hm; ii j= f and hm; ii j= g? hm; ii j= f U g i there exists k i such that hm; ki j= g and for all j, i j < k; hm; ji j= f? hm; ii j= f S g i there exists k i such that hm; ki j= g and for all j, k < j i; hm; ji j= f

4 A formula f is satisable i there exists a model M 2 (2 P )! such that hm; 0i j= f. We then say that M is a satisfying model for f. A formula f is valid i every model in (2 P )! is a satisfying model for f. 1 3 Preliminary Denitions 3.1 Subformula Closure As is usually done for automata-theoretic decision procedures, we now dene the subformula closure for a given SUTL formula f, whose satisability we intend to check. The subformula closure scl(f) captures the idea that in deciding the satisability of a formula f, one need only consider formul in the set scl(f). Denition 3.1 The subformula closure scl(f) of a formula f is the smallest set such that 2? f 2 scl(f)? true 2 scl(f) and false 2 scl(f)? f 1 2 scl(f) i :f 1 2 scl(f)? if f 1 ^ f 2 2 scl(f) then f 1 2 scl(f) and f 2 2 scl(f)? if f 1 U f 2 2 scl(f) then f 1 2 scl(f) and f 2 2 scl(f)? if f 1 S f 2 2 scl(f) then f 1 2 scl(f) and f 2 2 scl(f) To characterize the complexity of the decision procedure and to facilitate the inductions used in the proofs of correctness, we shall use the notion of the size of a well-formed formula in our language. The size of a formula is the number of primitive propositions and logical connectives in the formula, as dened below. Denition 3.2 The size of a formula is dened by? size(true) = 1 and size(false) = 1? size(p) = 1 for p 2 P? size(:f) = 1 + size(f)? size(f ^ g) = 1 + size(f) + size(g)? size(f U g) = 1 + size(f) + size(g)? size(f S g) = 1 + size(f) + size(g) We use card to denote the cardinality of a set. Lemma 3.3 For a formula f of size n, card(scl(f)) = O(n). Proof. The proof is by induction on the size n of the formula f and a case analysis of the subformula closure rules. 1 This is the \anchored version" [11] of the logic. In the alternative unanchored version, f is satisable i there exists a model M 2 (2 P )! and i 2! such that hm; ii j= f. This denition is, however, subsumed by the anchored version by noting that f is satisable in the unanchored version i true U f is satisable in the anchored version. 2 As usual we identify ::f1 with f1, true with :false and false with :true.

5 4 Automata on World Models The automata-theoretic approach to the satisability problem is to construct a Buchi automaton for a formula f. This automaton takes models of the logic as input. A model is accepted by the automaton if and only if it satises f. The decision procedure consists of checking if there is any model that is accepted by the automaton for f. To describe the construction of the automata, and subsequently to prove the correctness of the decision procedure, we shall use the following concepts of worlds and world models. 4.1 Worlds and World Models Denition 4.1 A world with respect to a formula f is any subset of scl(f). Denition 4.2 A world model M f respect to f. :!! 2 scl(f) is an!-sequence of worlds with Denition 4.3 A world s with respect to f is complete if for every f 1 2 scl(f) either f 1 2 s or :f 1 2 s. Denition 4.4 A C(f)-world is a world s with respect to f that satises the following conditions :? true 2 s and false 62 s? for all f 1 2 scl(f); f 1 2 s i :f 1 62 s? for all f 1 ^ f 2 2 scl(f); f 1 ^ f 2 2 s i f 1 2 s and f 2 2 s? for all f 1 U f 2 2 scl(f); if f 2 2 s then f 1 U f 2 2 s? for all f 1 U f 2 2 scl(f); if f 1 U f 2 2 s then f 1 2 s or f 2 2 s? for all f 1 S f 2 2 scl(f); if f 2 2 s then f 1 S f 2 2 s? for all f 1 S f 2 2 scl(f); if f 1 S f 2 2 s then f 1 2 s or f 2 2 s Intuitively, a C(f)-world is closed under semantic consequence up to the elements in scl(f) and contains no propositional inconsistencies. Clearly, a C(f)-world is a complete world. We shall refer to the set of all C(f)-worlds by C(f). Denition 4.5 An initial world s is a C(f)-world such that for all f 1 S f 2 2 s it is the case that f 2 2 s. Informally, a world is initial if it does not contain any \unsatised past eventualities." Denition 4.6 A C(f)-world model M f :!! C(f) is an!-sequence of C(f)-worlds such that M f (0) is initial. Denition 4.7 The label F(s) for any world s is the conjunction V f 1 2s f 1.

6 Lemma 4.8 If a complete world s with respect to f is not a C(f)-world, then F(s) is unsatisable. Proof. We use a case analysis of the condition in Denition 4.4 which was violated, and the semantics of the formul involved. Consider for instance the last condition. Assume that f 1 S f 2 2 s but that f 1 62 s and f 2 62 s. Since s is complete, :f 1 2 s and :f 2 2 s, whence the semantics yield an immediate contradiction. The remaining cases are similar and are therefore omitted. Denition 4.9 (Extension) Given a model M and a formula f, the extension of M with respect to f is the world model M f :!! 2 scl(f) satisfying M f (i) = ff 1 j f 1 2 scl(f) and hm; ii j= f 1 g: Lemma 4.10 For any model M and any formula f, the extension of M with respect to f is a C(f)-world model. Proof. For any f 1 2 scl(f) either hm; ii j= f 1 or hm; ii j= :f 1 so M f (i) is a complete world. Initiality of M f (0) follows from the semantics of the S operator. The remainder of the proof follows from the denition of extension and Lemma 4.8. Note, however, that not every C(f)-world model is the extension of a model. This is the case since the temporal formul in C(f)-worlds may impose restrictions on their sequencing. Of course, if a world model M f is the extension of a model M, then M is simply the restriction of each world in M f to P. 4.2 Automata for the Decision Procedure All the automata used in this paper are Buchi Sequential Automata, rst used by Buchi [4] to give a decision method for S1S, generalized by Rabin in the classic paper [13] for his decision procedure for S2S, and used with variations subsequently by many other researchers (see [16] for a comprehensive survey). The following denition of a Buchi Automaton is the standard one recast in our notation and terminology. Denition 4.11 (Buchi Sequential Automaton) A Buchi Automaton is a tuple h; S; ; S I ; S F i where? is a nite input alphabet? S is a nite set of states? : S! 2 S denes a transition function specifying for each state and input symbol the set of possible next states? S I S is the set of initial states? S F S is the set of accepting states. A run of the automaton on an!-string 2! is an!-string 2 S! such that (0) 2 S I and for all i 2!; (i + 1) 2 ((i); (i)). The run is accepting i the set fi 2! j (i) 2 S F g is innite. An automaton in state s 2 S consumes an input symbol t 2 i (s; t) 6= ;. We shall say that an automaton consumes a string if it has a run (not necessarily accepting) on that string.

7 We are now ready to dene the construction of the automata that will be used in our decision procedure. For any formula f, the local automaton A L (f) will be responsible for ensuring that local consistency conditions are not violated. These will essentially guarantee that, starting in a \legal" initial state, the automaton can only enter states that are consistent with its previous state. The eventuality automaton A E (f) will be responsible for ensuring that eventualities are met. For instance, if the formula f 1 U f 2 is to be satised in a run, the semantics require that there exists a state in the future that satises f 2. Where it is clear from context, we shall often omit the parameterization of the automata. 4.3 Local Automaton The local automaton checks the consistency of local transition conditions. We represent the local automaton by A L (f) = h2 scl(f) ; C(f); L ; N(f); C(f)i, where? L : C(f) 2 scl(f)! 2 C(f) is the non-deterministic transition function such that t 2 L (s; i) i the following conditions are satised? i = s? if f 1 U f 2 2 s and :f 2 2 s, then f 1 U f 2 2 t? if :(f 1 U f 2 ) 2 s and f 1 2 s, then :(f 1 U f 2 ) 2 t? if f 1 S f 2 2 s and f 1 2 t, then f 1 S f 2 2 t? if :(f 1 S f 2 ) 2 s and :f 2 2 t, then :(f 1 S f 2 ) 2 t? N(f) = fs j s 2 C(f); s is initial and f 2 sg is the set of initial states. Observation A L is non-deterministic and, in a sense, \drives" the model-generation procedure by making choices, wherever they are available, without violating local consistency conditions. 2. In any state, A L accepts a unique symbol from its alphabet corresponding to that state. In particular, no world that is not a C(f)-world is ever consumed by A L. 3. For all s 2 C(f); s 2 L (s; s); i.e. each state of A L has a self-loop. 4.4 Eventuality Automaton The eventuality automaton is required for checking whether eventuality requirements for formul containing the U operator are fullled. We represent the eventuality automaton by A E (f) = h2 scl(f) ; 2 U(f) ; E ; f;g; f;gi, where? U(f) is the subset of scl(f) that contains all formul of the form f 1 U f 2? E : 2 U(f) 2 scl(f)! 2 U(f) is the deterministic transition function such that t = E (s; i) i? if s = ; then for all f 1 U f 2 2 U(f), f 1 U f 2 2 t i f 1 U f 2 2 i and f 2 62 i? if s 6= ; then for all f 1 U f 2 2 U(f), f 1 U f 2 2 t i f 1 U f 2 2 s and f 2 62 i

8 Observation A E is fully deterministic. In particular, in any state s 2 2 U(f), there is a transition specied for any i 2 C(f). A E ensures that unsatised eventualities continue to be remembered. 2. If s 6= ; and E (s; i) = t, then t s. 3. For all s 2 2 U(f) and i 2 2 scl(f), if E (s; i) = t then either s = t or E (t; i) = t, i.e. for any state on any input, either there is a self-loop on that input or the state that is reached on that input has a self-loop for that input. In the terminology of fundamental-mode asynchronous automata, A E does not cycle. 4.5 Model-Checking Automaton The model-checking automaton A M (f) is the product A L (f) A E (f) of the local and eventuality automata : A M (f) = h2 scl(f) ; C(f) 2 U(f) ; L E ; N(f) f;g; C(f) f;gi where L E : (C(f) 2 U(f) ) 2 scl(f)! 2 C(f) 2 U(f) is dened by L E (hs L ; s E i; i) = L (s L ; i) E (s E ; i): The decision procedure now follows by checking for the existence of an innite accepting path in the product automaton's state graph. The formula f is satisable i such a path exists. A satisfying model is then simply the!-sequence of worlds corresponding to the input labels on such a path. This sequence is actually a world model, but as we show in the next section, the restriction of such a world model to P gives us the required satisfying model. Theorem 4.14 (Decision Procedure) A SUTL formula f is satisable i the language of the model-checking automaton A M (f) is non-empty. Whether the language of A M (f) is non-empty can be checked in time polynomial in the number of states of the automaton. Proof. The rst part follows from Theorem 5.3 (Completeness) and Theorem 5.5 (Soundness) which we prove in the next section. The second part is a well-known result [16] for Buchi automata.

9 5 Proof of Correctness of the Decision Procedure 5.1 Completeness Our strategy for the completeness proof is to show that the extension with respect to f of any satisfying model for f will be accepted by A M. In Lemmas 5.1 and 5.2, M f denotes the extension with respect to f of a satisfying model M for f. A L and A E represent the local and eventuality automata for f as described earlier. Lemma 5.1 A L accepts M f. Proof. We need only show that there is an innite run of A L that consumes M f, since all states of A L are accepting states. By Lemma 4.10, any world in M f is a state of A L and, by Observation , A L can consume the input symbol M f (n) i it is in the state M f (n). Thus, if there is an innite run consuming M f, then it must be unique. That there is an innite run can be demonstrated as follows: Initial Consumption : Since hm; 0i j= f, we have that f 2 M f (0) by the denition of an extension. That M f (0) is an initial C(f)-world is straightforward from the semantics. Thus, M f (0) is an initial state of A L. Continuing Consumption : We need to show that M f (n + 1) 2 L (M f (n); M f (n)). Assume not. Then M f (n + 1) violates one of the four transition conditions for A L. It is then easy, using the semantics of the logic and the denition of an extension, to exhibit a contradiction. For example, consider the last condition. Suppose that :(f 1 S f 2 ) 2 M f (n), :f 2 2 M f (n+1) but that :(f 1 S f 2 ) 62 M f (n+1). By the completeness of M f (n + 1), f 1 S f 2 2 M f (n + 1) and, by the denition of an extension, hm; n + 1i j= f 1 S f 2. Thus, by the SUTL semantics, there exists k n + 1 such that hm; ki j= f 2 and for all j, k < j n + 1, hm; ji j= f 1. But k 6= n + 1 since :f 2 2 M f (n + 1) and, thus, hm; n + 1i 6j= f 2. Therefore, there exists k n such that hm; ki j= f 2 and for all j, k < j n, hm; ji j= f 1. Consequently, by the SUTL semantics, hm; ni j= f 1 S f 2. However, :(f 1 S f 2 ) 2 M f (n) and, thus, by the denition of an extension hm; ni j= :(f 1 S f 2 ), which is a contradiction. The proofs for the other conditions are similar. Lemma 5.2 A E accepts M f. Proof. By Observation there is a unique innite run of A E that consumes M f, call it. If is not accepting, then there is a largest i such that (i) = ;. By Observation and because the states of are nite, there is some formula f 1 U f 2 2 scl(f) such that for all j > i; f 1 U f 2 2 (j). By the denition of E, f 1 U f 2 2 M f (i) and f 2 62 M f (j) for all j i. However, since M f (j) is complete, :f 2 2 M f (j) for all j i whence the denition of an extension and the semantics yield hm; ii j= :(f 1 U f 2 ). Thus f 1 U f 2 62 M f (i), which is a contradiction. Theorem 5.3 (Completeness) For any formula f, if f is satisable, then the language accepted by A M is nonempty. Proof. The statement follows immediately from Lemmas 5.1 and 5.2 and the denition of A M.

10 5.2 Soundness Lemma 5.4 Let M f be a C(f)-world model accepted by A M and let M be its restriction to P. Then, for any i 2! and f 1 2 scl(f), f 1 2 M f (i) i hm; ii j= f 1. Proof. The proof is by induction on the size of f 1 for all i. The base case is obvious since if p 2 P then p 2 M f (i) i hm; ii j= p. The inductive step makes use of the presence of certain subformul in scl(f), as well as the denitions of A L and A E. For example, if f 1 U f 2 2 M f (i) then, by the transition conditions of A L and the transition and acceptance conditions of A E, there exists j i such that f 2 2 M f (j). Consider the least such j. Then, f 2 62 M f (k) for all k, i k < j, and the transition conditions of A L and the denition of C(f)-world imply that f 1 2 M f (k). Thus, by the inductive assumption, hm; ji j= f 2 and for all k, i k < j, hm; ki j= f 1. Hence, by the semantics, hm; ii j= f 1 U f 2. The proof that hm; ii j= f 1 U f 2 implies f 1 U f 2 2 M f (i) is similar, as are the proofs for the other cases. Theorem 5.5 (Soundness) For any formula f, if the language accepted by A M is nonempty, then f is satisable. Proof. The statement follows immediately from Lemma 5.4 and the fact that f 2 M f (0). 6 Complexity Let f be a SUTL formula of size n. By Lemma 3.3, card(scl(f)) = O(n). Therefore, the number of states in each of A L and A E is at most 2 O(n) and, therefore, so is the number of states in their product A M. Thus, the construction of the state transition tables for the automata may be done in 2 O(n) time, since the construction of a transition table requires checking each state against every other and each state has O(n) formul, each of size at most n. Since checking for emptiness of the language of a Buchi automaton is polynomial in the number of states of the automaton, the complexity of the decision procedure is 2 O(n). This is also the best one can do, unless P = PSPACE, since it is known that the decision problem for UTL, which is subsumed by SUTL, is PSPACEhard [14]. It is easy to rene the given automata-based method into a tableau-based method which has a better average-case complexity. That method essentially consists of incrementally building the states of the automaton beginning with the initial states, while exploiting the \don't care" conditions on states to search all possible futures from a set of states at once. The intuitive complexity of such an algorithm is usually much lower than a direct implementation of the automata method, which has a complexity of (2 n ). 7 Small Stuttering Models The above decision procedure for SUTL can now be used to prove the properties of existence of small models and invariance under nite stuttering. Both properties are readily proved from the properties of the model-checking automaton.

11 The rst property follows trivially from the fact that the model-checking automaton for a formula f of size n is a nite automaton with 2 O(n) states and therefore has an exponential (small) representation. Thus, any satisable formula has a set of models that have a small representation (by the corresponding model-checking automaton). For the second property, we shall show that if A M accepts an!-string M, then it also accepts any string M 0 obtained by nitely stuttering any set of states in the string. This result follows directly from our earlier observations. By Observation , each state of A L has a reexive arc and is accepting. The language accepted by A L is thus closed under (nite or innite) stuttering. By Observation , A E does not cycle. Thus, in any state for a given input, A E has either a self arc or a transition to a new state with a self arc on that input. Thus, all stuttering strings are consumed, establishing that if a formula is satisable in a model it is satised in any model isomorphic to it up to nite stuttering. However, arbitrary innite stuttering is ruled out since not all states of A E are accepting. For instance, the model = (:p) k p(:p)! satises 3p, but = (:p)! obtained by innite stuttering of does not. 8 Conclusion We have presented a decision procedure for Since/Until Temporal Logic, a linear-time propositional logic with strong non-strict since and until operators. An important feature of this logic is the absence of next and previous operators or the ability to manufacture such operators from the existing machinery in the logic. This makes the logic transparent to nite stuttering and is a desirable feature of a logic that is intended for specifying and reasoning about computer systems, both because it supports the use of hierarchical abstraction and renement and because it facilitates reasoning about concurrency in such systems. References [1] H. Barringer, R. Kuiper and A. Pnueli, Now You May Compose Temporal Logic Specications, in: Proc. 16th ACM Symp. on Theory of Computing, Washington, DC (April 1984), pp [2] H. Barringer, R. Kuiper and A. Pnueli, A Really Abstract Concurrent Model and Its Temporal Logic, in: Proc. 18th ACM Symp. on Principles of Programming Languages, St. Petersburg Beach, FL (January 1986), pp [3] M. C. Browne, E. M. Clarke and O. Grumberg, Reasoning about Networks with Many Identical Finite State Processes, Information and Computation 81 (1) (1989), pp [4] J. R. Buchi, On a Decision Method in Restricted Second Order Arithmetic, in: Proc Congress on Logic, Methodology and Philosophy of Science, Stanford University Press, Stanford, pp

12 [5] J. P. Burgess, Axioms for Tense Logic I. `Since' and `Until,' Notre Dame Journal of Formal Logic 23 (4) (October 1982), pp [6] E. M. Clarke and O. Grumberg, Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, in: Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, BC (August 1987), pp [7] D. Gabbay, A. Pnueli, S. Shelah and J. Stavi, On the Temporal Analysis of Fairness, in: Conf. Record Seventh Annual ACM Symp. Principles of Programming Languages, Las Vegas, NV (January 1980), pp [8] L. Lamport, What Good is Temporal Logic, in: Proc. International Federation of Information Processing Congress, Paris, FR (1983), pp [9] L. Lamport, Specifying Concurrent Program Modules, ACM Trans. Programming Languages and Systems 5 (2) (1983), pp [10] O. Lichtenstein, A. Pnueli and L. Zuck, The Glory of the Past, in: Proc. Conf. on Logics of Programs, LNCS 193, Springer-Verlag (1985), pp [11] Z. Manna and A. Pnueli, The Anchored Version of the Temporal Framework, in: Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, eds: J. de Bakker, W. P. de Roever and G. Rozenberg, LNCS 354, Springer-Verlag (1989), pp [12] A. Pnueli, The Temporal Semantics of Concurrent Programs, Theoretical Computer Science 13 (1981), pp [13] M. O. Rabin, Decidability of Second Order Theories and Automata on Innite Trees, Trans. AMS 141 (1969), pp [14] A. P. Sistla and E. Clarke, The Complexity of Propositional Linear Temporal Logics, J. ACM 32 (3) (1985), pp [15] P. Wolper, Temporal Logic Can Be More Expressive, Information and Control 56 (1983), pp [16] P. Wolper, On the Relation of Programs and Computations to Models of Temporal Logic, in: Proc. Conf. on Temporal Logic in Specication, Altrincham, England, LNCS 398, Springer-Verlag (1987), pp