Proc. CS&P '06

Combining Propositional Dynamic Logic with Formal Concept Analysis (extended abstract)

N.V. Shilov, N.O. Garanina, and I.S. Anureev
A.P. Ershov Institute of Informatics Systems, Lavrentiev av., 6, Novosibirsk 630090, Russia, {shilov, garanina, anureev}@iis.nsk.su

Abstract. Propositional Dynamic Logic (PDL) was introduced by M.J. Fischer and R.E. Ladner as an extension of classical propositional logic and the propositional modal logic K for reasoning about partial correctness of structured nondeterministic programs. Many variants of PDL have been studied extensively, especially from the viewpoint of decidability and axiomatizability. In particular, C. Lutz and D. Walther recently proved that PDL with complement (negation) of atomic programs is decidable in exponential time (while it is well known that in the general case PDL with complement is undecidable). In this paper we introduce and study a new variant of PDL extended by modalities inspired by Formal Concept Analysis (FCA) of R. Wille and B. Ganter. The formal semantics of these two new modalities is the intent and, respectively, the extent operation (two major algebraic constructions of FCA). The informal meaning and utility of these modalities can be illustrated by the following simple example. Assume that P and G are sets of states of a computer system and A is a binary relation between states: xAy means that y is reachable from x. Then the sentence "From every state in P the system can reach some state in G" can be expressed in PDL by P → ⟨A⟩G. Another sentence, "From any state in P the system can not reach any state outside G", can also be expressed in PDL, as P → [A]G. But the sentences "From every state in P the system can reach every state in G" and "Every state in G is reachable by the system from every state in P" can not be expressed in PDL, though they can be expressed in PDL extended by new modalities for intent and extent. We call PDL extended by new modalities for intent and extent "PDL for FCA". We denote this logic by PDL/FCA.
We demonstrate in this paper that PDL/FCA is more expressive than PDL. Then we interpret the fragment of PDL/FCA without intent in PDL with complement. This implies decidability of PDL extended by extent of atomic programs, with an exponential upper bound. It remains an open problem whether PDL/FCA (without any restriction on intent and extent) is decidable and what the expressive power of this new logic is with respect to PDL with complement. This research is supported in part by joint grant RFBR 05-01-04003-a / DFG project COMO, GZ: 436 RUS 113/829/0-1, by grant RFBR 06-01-00464-a, and by Integration Grant n.14 of the Siberian Branch, Russian Academy of Science.
1 Propositional Dynamic Logic (PDL)

Propositional Dynamic Logic was introduced in [1]. It has become popular due to its utility for specification and verification of program systems, since it enjoys decidability and has a nice axiomatization [3, 4]. Below we start with the definition of PDL syntax.

Definition 1. Let Act and Var be disjoint alphabets of action symbols and propositional variables. The syntax of PDL consists of the set of programs Prg and the set of formulas Frm. Both sets are defined by mutual induction.
1. Programs:
(a) every action symbol is an (elementary) program (i.e. Act ⊆ Prg);
(b) if α and β are programs then sequential composition (α; β), non-deterministic choice (α ∪ β), and non-deterministic iteration (α*) are programs (footnote 1);
(c) if φ is a formula then φ? is a program that is called a test.
2. Formulas:
(a) the special symbols true and false are formulas;
(b) every propositional variable is an (elementary) formula (i.e. Var ⊆ Frm);
(c) if φ and ψ are formulas then negation (¬φ), conjunction (φ ∧ ψ), and disjunction (φ ∨ ψ) are formulas (footnote 2);
(d) if α is a program and φ is a formula then pre-image (⟨α⟩φ) and precondition ([α]φ) are formulas (footnote 3).

The semantics of PDL is defined in models that are called Kripke models or Labeled Transition Systems.

Definition 2. A transition system (or Kripke frame) is a pair (D, R) where D is called the universe (or domain) and its elements are called worlds (or states), and R : Act → 2^{D×D} is called the interpretation; it interprets every action symbol a ∈ Act by a binary relation R(a) ⊆ D × D. A labeled transition system (LTS) (or Kripke model) is a triple (D, R, I) where (D, R) is a transition system and I : Var → 2^D is called the valuation; it evaluates every propositional variable by a set of states.

Footnote 1: These programs are read as follows: (α; β) "α then β", (α ∪ β) "α or β", (α*) "iterate α".
Footnote 2: These formulas are read as usual. Implication (φ → ψ) and equivalence (φ ↔ ψ) are admissible as standard abbreviations.
Footnote 3: These formulas are read as follows: ([α]φ) "α-box φ" or "after α always φ", (⟨α⟩φ) "α-diamond φ" or "after α sometimes φ".
Definition 3. Let M = (D, R, I) be a model. The semantics of every program γ ∈ Prg in M is a binary relation M(γ) ⊆ D × D that is called the input-output relation of γ in M. The semantics of every formula ξ ∈ Frm is a set of states M(ξ) ⊆ D that is called the validity set of ξ in M. Input-output relations and validity sets are defined by mutual induction.
1. Programs:
(a) for every action symbol a ∈ Act, M(a) = R(a);
(b) for all programs α, β ∈ Prg, M(α; β) = M(α) ∘ M(β) where ∘ is composition of binary relations, M(α ∪ β) = M(α) ∪ M(β) where the right-hand side ∪ is set-theoretic union of binary relations, and M(α*) = (M(α))* where the right-hand side * is the reflexive and transitive closure of binary relations;
(c) for every formula φ ∈ Frm, M(φ?) = {(s, s) : s ∈ M(φ)}.
For every program α ∈ Prg and all states s, t ∈ D let us write s →^α_M t and say that α transforms (input) s to (output) t in M iff (s, t) ∈ M(α).
2. Formulas:
(a) M(true) = D and M(false) = ∅;
(b) for every propositional variable p ∈ Var, M(p) = I(p);
(c) for all formulas φ, ψ ∈ Frm, M(¬φ) = D \ M(φ) where \ is the set-theoretic set-minus, M(φ ∧ ψ) = M(φ) ∩ M(ψ) where ∩ is the set-theoretic intersection, and M(φ ∨ ψ) = M(φ) ∪ M(ψ) where ∪ is the set-theoretic union;
(d) for every program α ∈ Prg and formula φ ∈ Frm, M(⟨α⟩φ) = {s : for some t ∈ D, (s, t) ∈ M(α) and t ∈ M(φ)}, M([α]φ) = {s : for every t ∈ D, if (s, t) ∈ M(α) then t ∈ M(φ)}.
For every formula φ ∈ Frm and every state s ∈ D let us write s ⊨_M φ and say that φ holds in/at s in M iff s ∈ M(φ).

Definition 4. For every formula φ ∈ Frm and every model M = (D, R, I) let us write M ⊨ φ and say that φ is valid in M iff s ⊨_M φ for every s ∈ D. For every formula φ ∈ Frm let us write ⊨ φ and say that φ is a tautology iff M ⊨ φ for every model M.

PDL was introduced in 1978. Later many variants of PDL have been studied. Many of these variants simply extend the set of programs by some special program constructs. We are most interested in the following auxiliary program constructs.

Definition 5. A variant of PDL is a language L whose syntax consists of two parts: programs Prg_L and formulas Frm_L. The semantics of L is defined in models: in every model M = (D, R, I) the semantics of every program α ∈ Prg_L is a binary relation M(α) ⊆ D × D, and the semantics of every formula φ ∈ Frm_L is a set M(φ) ⊆ D. A variant L of PDL is said to be an extension of PDL iff Prg_L ⊇ Prg and Frm_L ⊇ Frm.

Definition 6. Let L be a variant of PDL. Then let L^- be the variant of PDL that is the closure of L with respect to a new program constructor for the inverse. The syntax of the construct follows: for every program α the inverse (α^-) is a program too. Also let L^c be the variant of PDL that is the closure of L with respect to a new program constructor for the complement (or program negation). The syntax of the construct follows: for every program α the complement (α^c) is a program too. For every model M = (D, R, I) and every program α, M(α^-) = M(α)^- where the right-hand side ^- is the set-theoretic inverse of binary relations (footnote 4), and M(α^c) = M(α)^c where the right-hand side ^c is the set-theoretic complement of binary relations (footnotes 5, 6). In particular, PDL^- is the extension of PDL where programs are constructed from action symbols and tests with the aid of sequential composition ;, non-deterministic choice ∪, non-deterministic iteration *, and inverse ^-; PDL^c is the extension of PDL where programs are constructed from action symbols and tests with the aid of sequential composition ;, non-deterministic choice ∪, non-deterministic iteration *, and complement ^c; PDL^{-c} is the extension of PDL where programs are constructed from action symbols and tests with the aid of sequential composition ;, non-deterministic choice ∪, non-deterministic iteration *, inverse ^-, and complement ^c.

Footnote 4: For every binary relation R ⊆ D × D the inverse R^- is {(s, t) : (t, s) ∈ R}.
Footnote 5: For every binary relation R ⊆ D × D the complement R^c is {(s, t) : (s, t) ∉ R}.
Footnote 6: Sometimes the prefix ¬ is used instead of the postfix superscript c, i.e. (¬α) instead of (α^c).

2 Expressive power of PDL variants

Definition 7. Let L₁ and L₂ be two variants of PDL. For programs α₁ in L₁ and α₂ in L₂ let us say that they are equivalent, and write α₁ ≡ α₂, iff for every model M both programs have the same semantics, i.e. M(α₁) = M(α₂). For formulas φ₁ in L₁ and φ₂ in L₂ let us say that they are equivalent, and write φ₁ ≡ φ₂, iff for every model M both formulas have the same semantics, i.e. M(φ₁) = M(φ₂). Observe that programs α and β are equivalent iff the formulas (⟨α⟩p) and (⟨β⟩p) are equivalent (footnote 7); formulas φ and ψ are equivalent iff the formula (φ ↔ ψ) is a tautology.

Footnote 7: Here p ∈ Var is a fresh propositional variable.

Definition 8. Let L₁ and L₂ be two variants of PDL. Let us write L₁ ≤ L₂ and say that L₁ is expressible in L₂ iff for every formula φ in L₁ there exists an equivalent formula ψ in L₂. Let us write L₂ ≥ L₁ and say that L₂ can express L₁ iff L₁ ≤ L₂. Let us write L₁ < L₂ and say that L₁ is less expressive than L₂ iff L₁ ≤ L₂ but not L₂ ≤ L₁. Let us write L₂ > L₁ and say that L₂ is more expressive than L₁ iff L₁ < L₂. Let us write L₁ =ₑ L₂ and say that L₁ and L₂ have equal expressive power iff L₁ ≤ L₂ and L₂ ≤ L₁. Let us say that L₁ and L₂ are incompatible (in expressive power) iff neither L₁ ≤ L₂ nor L₂ ≤ L₁ holds.

It implies that the expressive power of the extensions of PDL can be represented by the diagram depicted in Figure 1, where every arrow represents ≤ between logics.

[Fig. 1. Expressive power of PDL variants: a diagram of ≤-arrows between PDL, PDL^-, PDL^c and PDL^{-c}.]

Proposition 1. If the alphabets Act and Var are non-empty then for all logics L₁, L₂ in Fig. 1: if there is a non-marked arrow from L₁ to L₂ then L₁ ≤ L₂; if there is no arrow at all (footnote 8) from L₁ to L₂ then L₁ ≤ L₂ is invalid. (Arrows marked by ?, from PDL^- to PDL^c and from PDL^{-c} to PDL^c, represent the two pairs for which we do not know whether PDL^- ≤ PDL^c and PDL^{-c} ≤ PDL^c.)

Footnote 8: marked by ? or non-marked.

Proof. First we observe that all non-marked arrows in Fig. 1 are inherited from the inclusions of the corresponding classes of programs. Then let us prove that any logic L₂ with program complement can not be expressed in any logic L₁ without program complement. We observe that the least expressive logic with complement is PDL^c, while the most expressive logic without complement is PDL^-.

[Fig. 2. Models M₁ (states s and t, with p holding at t) and M₂ (state s only) that disprove PDL^c ≤ PDL^-.]
Let a ∈ Act and p ∈ Var be an action symbol and a propositional variable, respectively. Let us prove that the formula (⟨a^c⟩p) is not expressible in PDL^- or in any other logic without complement. For this let us consider the models M₁ and M₂ depicted in Fig. 2. In both models the action symbol a is interpreted by the empty binary relation. The propositional variable p is evaluated by {t} in the first model M₁. It is trivial to prove by induction on the structure of complement-free programs and complement-free formulas that s →^α_{M₁} s iff s →^α_{M₂} s, never s →^α_{M₁} t, and s ⊨_{M₁} φ iff s ⊨_{M₂} φ. At the same time s ⊨_{M₁} (⟨a^c⟩p) but not s ⊨_{M₂} (⟨a^c⟩p). Hence (⟨a^c⟩p) is not equivalent to any complement-free formula. This proves that neither PDL^c nor PDL^{-c} can be expressed in PDL or in PDL^-. Finally let us remark that the remaining proof (that PDL can not express PDL^-) is very similar to the above proof but uses a modified model M₃ instead of M₁. It differs from M₁ by the interpretation of the action symbol a: I₃(a) = {(t, s)}.

It is well-known that PDL and PDL^- are decidable with exponential upper and lower bounds, while PDL^c and PDL^{-c} are undecidable [3, 4]. It has been proved recently that the fragment of PDL^c where complement is applied only to action symbols is decidable with an exponential upper bound [6]. It is worth remarking that it has also been proved recently that an interesting fragment of PDL^{-c}, namely PDL with program inverse and program intersection, is decidable too (but with a non-elementary upper bound) [5].

3 Integrating FCA operations into PDL

The basic Formal Concept Analysis (FCA) definitions below follow the monograph [2].

Definition 9. A formal context is a triple (O, A, B) where O and A are sets of objects and attributes respectively and B ⊆ O × A is a binary relation between objects and attributes. Let us say that a formal context (O, A, B) is homogeneous (footnote 9) iff O = A, i.e. the set of objects coincides with the set of attributes.
For example, for every model M = (D, R, I) and every program α one can define a formal context C(M, α) = (D, D, M(α)), where the set of objects O and the set of attributes A are both equal to the domain D, and the binary relation B is simply the input-output relation M(α). Vice versa, there are a number of ways to define a frame for given formal contexts. For example, if we are given a family of formal contexts (O_j, A_j, B_j), with object set O_j, attribute set A_j, and binary relation B_j ⊆ O_j × A_j, indexed by the elements of some set J, then one can adopt the set of indexes J as the alphabet Act of action symbols and define a frame (D, R) where D = ∪_{j∈J} (O_j ∪ A_j) and R(j) = B_j ⊆ (O_j × A_j) ⊆ D × D for every j ∈ J. Two basic algebraic operations for formal contexts are intent and extent.

Footnote 9: Homogeneous is our own non-standard FCA term.
Definition 10. Let (O, A, B) be a formal context. For every set of objects X ⊆ O its upper derivation (or intent) X^↑ is the following set of attributes: {t ∈ A : for every s ∈ O, if s ∈ X then (s, t) ∈ B}, i.e. the collection of all attributes that all objects in X have simultaneously. For every set of attributes Y ⊆ A its lower derivation (or extent) Y^↓ is the following set of objects: {s ∈ O : for every t ∈ A, if t ∈ Y then (s, t) ∈ B}, i.e. the collection of all objects that have all attributes in Y simultaneously.

For example, let M = (D, R, I) be a labeled transition system, and let α, φ, and ψ be a program and two formulas of some variant of PDL. In accordance with the definition of the semantics of PDL variants, M(α) is a binary relation A ⊆ D × D on states, and M(φ) and M(ψ) are some sets P ⊆ D and G ⊆ D of states. In particular, D can be some community (at some moment of time), P and G can be two groups of people in this community, and A can be the acquaintance relation between people: xAy means that person x knows person y. In this particular example, M ⊨ (φ → [α]ψ) iff no person in P knows any person outside G. Unfortunately, it is impossible to express by any PDL formula the following property: all persons in G are known simultaneously to all persons in P. But this property can be expressed easily in set-theoretic terms with the aid of the intent operation, as G ⊆ P^↑ in the homogeneous formal context (D, D, M(α)). Similarly, it is impossible to express by any PDL formula another property: all persons in P know simultaneously all persons in G. Again this property can be expressed easily in set-theoretic terms with the aid of the extent operation, as P ⊆ G^↓ in the same homogeneous formal context.

Alternatively, D can be the state space of some program, P and G can be two sets of states in D, and A can be the reachability relation between states: xAy means that y is reachable from x. In this particular example, M ⊨ (φ → [α]ψ) iff from any state in P the program can not reach any state outside G.
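The following Python model checker is an added illustration, not part of the paper: it implements the semantics of Definition 3 together with inverse, complement, intent and extent on a small constructed reachability model, in which p and g play the roles of P and G and the program a* is the reachability relation, and it shows that "every state of P reaches some state of G" (the PDL formula φ → ⟨a*⟩ψ) can hold while P ⊆ G^↓ and G ⊆ P^↑ fail; it also verifies the four equalities between intent/extent and the complement/inverse modalities that Proposition 2 below establishes. The state names, the model and the tuple encoding of programs and formulas are assumptions of this example.

```python
from itertools import product

# Constructed Kripke model (an assumption of this example, not from the paper): four program
# states, action symbol "a" = one-step reachability, variables p (the set P) and g (the set G).
STATES = {"s0", "s1", "s2", "s3"}
R = {"a": {("s0", "s1"), ("s1", "s2"), ("s0", "s3"), ("s3", "s2")}}
I = {"p": {"s0", "s3"}, "g": {"s1", "s2"}}

def compose(r1, r2):  # relational composition, M(α; β) = M(α) ∘ M(β)
    return {(s, u) for (s, t) in r1 for (t2, u) in r2 if t == t2}
def star(r):  # reflexive and transitive closure, M(α*)
    res = {(s, s) for s in STATES} | set(r)
    while (nxt := res | compose(res, res)) != res:
        res = nxt
    return res
def inverse(r):  # Definition 6: M(α^-)
    return {(t, s) for (s, t) in r}
def complement(r):  # Definition 6: M(α^c)
    return set(product(STATES, STATES)) - r

# Programs as tuples: ("act", a), ("seq", α, β), ("choice", α, β), ("star", α),
# ("test", φ), ("inv", α), ("comp", α).  prog() returns the input-output relation M(α).
def prog(a):
    k = a[0]
    if k == "act":    return set(R[a[1]])
    if k == "seq":    return compose(prog(a[1]), prog(a[2]))
    if k == "choice": return prog(a[1]) | prog(a[2])
    if k == "star":   return star(prog(a[1]))
    if k == "test":   return {(s, s) for s in form(a[1])}
    if k == "inv":    return inverse(prog(a[1]))
    if k == "comp":   return complement(prog(a[1]))
    raise ValueError(k)

# Formulas as tuples: ("var", p), ("not", φ), ("and", φ, ψ), ("diamond", α, φ),
# ("box", α, φ), ("intent", φ, α), ("extent", φ, α).  form() returns the validity set M(φ).
def form(f):
    k = f[0]
    if k == "var": return set(I[f[1]])
    if k == "not": return STATES - form(f[1])
    if k == "and": return form(f[1]) & form(f[2])
    if k in ("diamond", "box"):   rel, phi = prog(f[1]), form(f[2])
    if k in ("intent", "extent"): rel, phi = prog(f[2]), form(f[1])
    if k == "diamond": return {s for (s, t) in rel if t in phi}  # some α-successor satisfies φ
    if k == "box":     return {s for s in STATES if all(t in phi for (x, t) in rel if x == s)}
    if k == "intent":  return {t for t in STATES if all((s, t) in rel for s in phi)}  # all φ-states reach t
    if k == "extent":  return {s for s in STATES if all((s, t) in rel for t in phi)}  # s reaches all φ-states
    raise ValueError(k)

A_STAR, P, G = ("star", ("act", "a")), ("var", "p"), ("var", "g")

def every_g_reachable_from_every_p():
    # "Every state in G is reachable from every state in P": P ⊆ G^↓, equivalently G ⊆ P^↑ (w.r.t. a*).
    return form(P) <= form(("extent", G, A_STAR)), form(G) <= form(("intent", P, A_STAR))

def each_p_reaches_some_g():
    # The weaker PDL statement φ → ⟨a*⟩ψ: every state of P reaches some state of G.
    return form(P) <= form(("diamond", A_STAR, G))

def proposition2_holds(phi, alpha):
    # The four equalities relating intent/extent to the complement and inverse modalities.
    comp, inv_comp = ("comp", alpha), ("inv", ("comp", alpha))
    return (form(("not", ("intent", phi, alpha))) == form(("diamond", inv_comp, phi))
            and form(("intent", phi, alpha)) == form(("box", inv_comp, ("not", phi)))
            and form(("not", ("extent", phi, alpha))) == form(("diamond", comp, phi))
            and form(("extent", phi, alpha)) == form(("box", comp, ("not", phi))))
```

In this model s3 reaches s2 but not s1, so each state of P reaches some state of G while neither set-theoretic form of the stronger property holds.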
Unfortunately, it is impossible to express by a PDL formula the following two properties: from every state in P the program can reach every state in G; every state in G is reachable by the program from every state in P. But these properties can be expressed easily in set-theoretic terms with the aid of the intent and extent operations, as G ⊆ P^↑ and P ⊆ G^↓ respectively, in the homogeneous formal context (D, D, M(α)).

The above examples, which illustrate the utility of the intent and extent operations for reasoning about systems of different kinds (people in some community, states of a program, etc.), move us to the following definition that integrates intent and extent into PDL.

Definition 11. Let L be a variant of PDL. Then let L/FCA be the variant of PDL that is the closure of L with respect to two new formula constructors for intent and extent. The syntax of these two constructors follows: for every program α and every formula φ let (φ^{↑α}) and (φ^{↓α}) be formulas too. These formulas are read as "intent of φ with respect to α" and, respectively, "extent of φ with respect to α". For every model M = (D, R, I),
M(φ^{↑α}) = {t : for every s ∈ D, if s ∈ M(φ) then (s, t) ∈ M(α)}, i.e. the intent of M(φ) in the homogeneous formal context (D, D, M(α));
M(φ^{↓α}) = {s : for every t ∈ D, if t ∈ M(φ) then (s, t) ∈ M(α)}, i.e. the extent of M(φ) in the homogeneous formal context (D, D, M(α)).
In particular, PDL/FCA is the extension of PDL where the intent and extent constructors are allowed.

Observe that the semantics of the two new formula constructs is the contraposition of the semantics of formulas that are allowed in PDL^-. Compare the above semantics of φ^{↑α} and φ^{↓α} with the semantics of ([α]φ) and ([α^-]φ):
M([α^-]φ) = {t : for every s ∈ D, if (s, t) ∈ M(α) then s ∈ M(φ)},
M([α]φ) = {s : for every t ∈ D, if (s, t) ∈ M(α) then t ∈ M(φ)}.

Proposition 2. Let L be a variant of PDL. For every program α and every formula φ within L, and for every model M = (D, R, I), the following semantic equalities hold:
1. M(¬(φ^{↑α})) = M(⟨(α^c)^-⟩φ),
2. M(φ^{↑α}) = M([(α^c)^-](¬φ)),
3. M(¬(φ^{↓α})) = M(⟨α^c⟩φ),
4. M(φ^{↓α}) = M([α^c](¬φ)).

Proof. Observe that clause 2 follows from 1, and 4 follows from 3. Thus we can concentrate on clauses 1 and 3 only.
1. M(¬(φ^{↑α})) = D \ {t : for every s ∈ D, if s ∈ M(φ) then (s, t) ∈ M(α)} = {t : for some s ∈ D, s ∈ M(φ) and (s, t) ∉ M(α)} = {t : for some s ∈ D, s ∈ M(φ) and (s, t) ∈ M(α^c)} = {t : for some s ∈ D, s ∈ M(φ) and (t, s) ∈ M((α^c)^-)} = M(⟨(α^c)^-⟩φ).
3. M(¬(φ^{↓α})) = D \ {s : for every t ∈ D, if t ∈ M(φ) then (s, t) ∈ M(α)} = {s : for some t ∈ D, t ∈ M(φ) and (s, t) ∉ M(α)} = {s : for some t ∈ D, t ∈ M(φ) and (s, t) ∈ M(α^c)} = M(⟨α^c⟩φ).

The proof of Proposition 1 and the above Proposition 2 have some immediate but important implications that we present in the following corollary.

Corollary 1.
1. Let L be a variant of PDL. For every program α and every formula φ within L the following semantic equivalences hold:
(a) ¬(φ^{↑α}) ≡ ⟨(α^c)^-⟩φ,
(b) φ^{↑α} ≡ [(α^c)^-](¬φ),
(c) ¬(φ^{↓α}) ≡ ⟨α^c⟩φ,
(d) φ^{↓α} ≡ [α^c](¬φ).
2. PDL < PDL/FCA ≤ PDL^{-c}, so that every formula φ in PDL/FCA is equivalent to some formula ψ in PDL^{-c} that can be constructed in linear time; all complement ^c and inverse ^- constructs occur in ψ only at the outmost level (footnote 10) and only in the combinations ^c and ^{c-} (footnote 11), and these combinations are applied in ψ to the programs which are used in φ with the extent and intent constructors respectively.

In turn, the above Corollary 1 and the decidability of PDL^c where complement is applied to action symbols [6] imply the next corollary.

Corollary 2. PDL/FCA without intent is expressible in PDL^c, so that every formula φ in PDL/FCA without intent is equivalent to some formula ψ in PDL^c that can be constructed in linear time, and all complement ^c constructs occur in ψ only at the outmost level and are applied to the programs which are used in φ with the extent constructor. In particular, PDL extended by extent of action symbols is decidable with an exponential upper bound and is expressible in PDL^c where the complement ^c construct is applied to action symbols only.

Topics for further research: Unfortunately, we do not know the exact expressive power of PDL/FCA in comparison with PDL^c and/or PDL^{-c}, nor whether PDL/FCA is decidable. We guess that PDL/FCA is less expressive than PDL^{-c} and is interpretable in PDL^c. We think that PDL extended by both intent and extent of action symbols is decidable with an exponential upper bound due to its interpretability in PDL^c where the complement ^c construct is applied to action symbols only. We also hope to develop and present more detailed and interesting examples (than in this section) that motivate the utility of the intent/extent constructs for program specification and verification.

Acknowledgement: We would like to thank Prof. Karl Erich Wolff for fruitful discussions of the research and the draft of this paper.

Footnote 10: i.e. not inside programs.
Footnote 11: i.e. ^c can occur without ^-, but ^- can not occur without ^c.

References
1. Fischer M.J., Ladner R.E. Propositional dynamic logic of regular programs. J. Comput. Syst. Sci., 18(2):194-211, 1979.
2. Ganter B., Wille R. Formal Concept Analysis. Mathematical Foundations. Springer Verlag, 1996.
3. Harel D. Dynamic logic. In D. Gabbay and F. Guenther, editors, Handbook of Philosophical Logic, Volume II, Reidel Publishing Company, p. 497-604, 1984.
4. Harel D., Kozen D., Tiuryn J. Dynamic Logic (Foundations of Computing). MIT Press, 2000.
5. Lutz C. PDL with intersection and converse is decidable. In Proceedings of CSL 05, Lecture Notes in Computer Science, 3634:413-427, Springer, 2005.
6. Lutz C., Walther D. PDL with Negation of Atomic Programs. Journal of Applied Non-Classical Logics, 15(2):189-214, 2005.