
## Temporal and modal logic (1995)

Venue: | HANDBOOK OF THEORETICAL COMPUTER SCIENCE |

Citations: | 1289 - 17 self |

### Citations

1623 | The temporal logic of programs - Pnueli - 1977 |

1009 | Design and synthesis of synchronization skeletons using branching-time temporal logic - Clarke, Emerson - 1981 |
Citation Context: ...corresponds to what one might naturally first think of as a branching time logic. CTL is closely related to branching time logics proposed in [La80], [EC80], [QS81], [BPM81], and was itself proposed in [CE81]. However, as we shall see, its syntactic restrictions significantly limit its expressive power. We therefore also consider the much richer language CTL*, which is sometimes referred to informally as f...

744 | A Mathematical Introduction to Logic - Enderton - 1972 |

570 | Knowledge and common knowledge in a distributed environment - Halpern, Moses - 1990 |
Citation Context: ...ted systems, it is a natural metaphor to refer to what a process knows. Logics of knowledge represent an effort to provide a formal basis for such reasoning. A number of systems have been proposed (cf. [HM84], [Le84], [LR86], [DM86]). Typical modalities include K_i p which means that "process i knows p" and Cp which means that "p is common knowledge" in the sense that "all processes know p, all processes k...

542 | Introduction to VLSI systems - Mead, Conway - 1980 |

439 | Propositional dynamic logic of regular programs.J - Fischer, Ladner - 1956 |
Citation Context: ...tates are identified to collapse a possibly infinite model to a small finite one. An example of a quotient construction is its application to yield a decision procedure for Propositional Dynamic Logic of [FL79], discussed in [KT89]. There the equivalence relation is defined so that, in essence, two states are equivalent when they agree (i.e., have the same truth value) on all subformulae of the formula p0 be...

334 | “Sometimes” and “Not Never” revisited: On branching versus linear time temporal logic - Emerson, Halpern - 1986 |
Citation Context: ...by allowing quantification over possible futures. Both approaches have been applied to program reasoning, and it is a matter of debate as to whether branching or linear time is preferable (cf. [La80], [EH86], [Pn85]) 2.4 Points versus Intervals Most temporal logic formalisms developed for program reasoning have been based on temporal operators that are evaluated as true or false of points in time. Some f...

301 | Tense Logic and the Theory of Linear Order - Kamp - 1968 |
Citation Context: ...il P U > q X(p U q) is of particular interest. Note that false U > q X(false U q) Xq. The single modality strict, strong until is enough to define all the other linear time operators (as shown by Kamp [Ka68].) Remark: One other common variation is simply notational. Some authors use □p for Gp, ◇p for Fp, and p for Xp. Another minor variation is to change the underlying structure to be any initial segment...

286 | Intensional logics - Garson - 1998 |

271 | On the temporal analysis of fairness - Gabbay, Pnueli, et al. |
Citation Context: ...0) ⊨ q]. Theorem 3.2. As measured with respect to initial equivalence, PLTLB is equivalent in expressive power to PLTLF. This can be proved using results regarding the theory of linear orderings (cf. [GPSS80]): We also note the following relationship between i and g: Proposition 3.3. p g qi Gp i Gq. By convention we shall take satisfiable to mean initially satisfiable and valid to mean initially valid, unle...

270 | Counter-free Automata - McNaughton, Papert - 1971 |
Citation Context: ...r expression (d) L + is definable by a finite state automaton The equivalence of conditions (b), (c), and (d) was established using lengthy and difficult arguments in the monograph of McNaughton & Pappert [MP62]. The equivalence of conditions (a) and (b) in Theorem 6.4 was established in Kamp [Ka68], while for Theorem 6.5 it was established in [LPZ85]. Direct translations between PLTL and star-free regular e...

259 | A.: Checking that Finite State Concurrent Programs Satisfy their Linear Specification - Lichtenstein, Pnueli - 1985 |
Citation Context: ...essible within FairCTL, although they are describable in CTL* or even PLTL. The PSPACE-completeness of these latter logics, on first hearing, would seem to be a serious drawback. Lichtenstein and Pnueli [LP85] noted, however, that model checking is a problem with two input parameters, the structure and the specification, and then proceeded to develop a model checking algorithm for PLTL of complexity exponen...

240 | P.: Automata-Theoretic Techniques for Modal Logics of Programs - Vardi, Wolper - 1986 |
Citation Context: ... by the automaton.) General automata-theoretic techniques for reasoning about a number of relatively simple logics, including CTL, using Büchi tree automata have been described by Vardi and Wolper [VW84]. For branching time logics with richer modalities such as CTL*, the tableau construction is not directly applicable. Instead, the problem reduces to constructing a tree automaton for the branching ti...

228 | Using branching time temporal logic to synthesize synchronization skeletons - Emerson, Clarke - 1982 |
Citation Context: ...en in [Pr79], [BPM81], [BHP82], [Wo82], [Wo83], [HS84]. See also the excellent survey by Wolper [Wo84]. In the sequel we describe a tableau-based decision procedure for CTL formulae, along the lines of [EC82] and [EH85]. The following definitions and terminology are needed. We assume that the candidate formula p0 is in positive normal form, obtained by pushing negations inward as far as possible using de M...

205 | A.: The temporal logic of branching time - Ben-Ari, Manna, et al. - 1981 |
Citation Context: ... X ("nexttime"), or U ("until"). It corresponds to what one might naturally first think of as a branching time logic. CTL is closely related to branching time logics proposed in [La80], [EC80], [QS81], [BPM81], and was itself proposed in [CE81]. However, as we shall see, its syntactic restrictions significantly limit its expressive power. We therefore also consider the much richer language CTL*, which is so...

198 | What good is temporal logic - Lamport - 1983 |
Citation Context: ...Approach A great deal of work has been done investigating the proof-theoretic approach to verification of concurrent programs using TL (cf. e.g. [Pn81], [MP81], [MP82], [MP83], [La 80], [Ha81], [OL82], [La83], [SMS82]). Typically, one tries to prove, by hand, that a given program meets a certain TL specification using various axioms and inference rules for the system of TL. A drawback of this approach is t...

191 | Synthesis of communicating processes from temporal logic specifications - Manna, Wolper - 1984 |
Citation Context: ...tion problems such as readers-writers and dining philosophers can also be synthesized. A closely related synthesis method for CSP programs based on the use of a decision procedure for PLTL was given in [MW84]. In the recent [PR89] a method for synthesizing an individual component of a reactive system from a specification in (essentially) CTL* is described. Earlier informal efforts toward synthesis of concur...

189 | Decision Procedures and Expressiveness in the Temporal Logic of Branching Time - Emerson, Halpern - 1985 |
Citation Context: ...], [BPM81], [BHP82], [Wo82], [Wo83], [HS84]. See also the excellent survey by Wolper [Wo84]. In the sequel we describe a tableau-based decision procedure for CTL formulae, along the lines of [EC82] and [EH85]. The following definitions and terminology are needed. We assume that the candidate formula p0 is in positive normal form, obtained by pushing negations inward as far as possible using de Morgan's law...

185 | Myths about the mutual exclusion problem - Peterson - 1981 |
Citation Context: ...n be determined by inspection, considering only the potentially falsifying transitions and ignoring those which obviously cannot make false. As an example, we now verify safety for Peterson's solution ([Pe81]) to the mutual exclusion problem shown in Figure 8. Each process has a noncritical section (l0, m0, resp.) in which it idles unless it needs access to its critical section (l3, m3, resp.), signalled ...

176 | The Temporal Semantics of Concurrent Programs - Pnueli - 1981 |
Citation Context: ... 7.2 Verification of Concurrent Programs: Proof-Theoretic Approach A great deal of work has been done investigating the proof-theoretic approach to verification of concurrent programs using TL (cf. e.g. [Pn81], [MP81], [MP82], [MP83], [La 80], [Ha81], [OL82], [La83], [SMS82]). Typically, one tries to prove, by hand, that a given program meets a certain TL specification using various axioms and inference rul...

172 | The glory of the past - Lichtenstein, Pnueli, et al. - 1985 |
Citation Context: ...xpressive power. Recently, however, it has been advanced that use of the past tense operators might be useful simply in order to make the formulation of specifications more natural and convenient (cf. [LPZ85]). Moreover, past tense operators appear to play an important role in compositional specification somewhat analogous to that of history variables. 3 The Technical Framework of Linear Temporal Logic 3.1...

162 | Proving liveness properties of concurrent programs - Owicki, Lamport - 1982 |
Citation Context: ...rrent Programs There are a large number of correctness properties that we might wish to specify for a concurrent program. These correctness properties usually fall into two broad classes (cf. [Pn77], [OL82]). One class is that of "safety" properties also known as "invariance" properties. Intuitively, a safety property asserts that "nothing bad happens." The other class consists of the "liveness" propert...

161 | The complementation problem for Büchi automata with applications to temporal logic - Sistla, Vardi, et al. - 1987 |

146 | Characterizing correctness properties of parallel programs using fixpoints - Emerson, Clarke - 1980 |
Citation Context: ... F ("sometime"), X ("nexttime"), or U ("until"). It corresponds to what one might naturally first think of as a branching time logic. CTL is closely related to branching time logics proposed in [La80], [EC80], [QS81], [BPM81], and was itself proposed in [CE81]. However, as we shall see, its syntactic restrictions significantly limit its expressive power. We therefore also consider the much richer language ...

142 | Knowledge and common knowledge in a Byzantine environment: crash failures - Dwork, Moses - 1990 |
Citation Context: ...ural metaphor to refer to what a process knows. Logics of knowledge represent an effort to provide a formal basis for such reasoning. A number of systems have been proposed (cf. [HM84], [Le84], [LR86], [DM86]). Typical modalities include K_i p which means that "process i knows p" and Cp which means that "p is common knowledge" in the sense that "all processes know p, all processes know that all processes k...

113 | O.: Reasoning about networks with many identical finite state processes - Browne, Clarke, et al. - 1989 |
Citation Context: ...al successes, a potentially serious drawback to the entire model checking approach is that the size of the global state transition graph grows exponentially with the number of processes. Recent work in [CG86], [SG87], [CG87] suggests that it may be possible to avoid this exponential blowup in some cases for concurrent systems with many "copies" of the same process, although this is not possible in general...

98 | Models of program logics - Pratt - 1979 |
Citation Context: ... "a fullpath x in M" is understood to refer to a fullpath x in X. In the most general case X can be completely arbitrary. However, it is often helpful to impose certain requirements on X (cf. [La80], [Pr79], [Ab80], [Em83]). We say that X is suffix closed provided that if computation s0s1s2... ∈ X, then the suffix s1s2... ∈ X. Similarly, X is fusion closed provided that whenever x1sy1, x2sy2 ∈ X then x1sy2 ∈ X. T...

82 | A really abstract concurrent model and its temporal logic - Barringer, Kuiper, et al. - 1986 |
Citation Context: ...nterpreted over a continuous (or dense) time structure such as the reals (or rationals) have been investigated by philosophers. Their application to reasoning about concurrent programs was proposed in [BKP86] to facilitate the formulation of fully abstract semantics. Such continuous time logics may also have applications in so-called real-time programs where strict, quantitative performance requirements ar...

78 | Deciding Full Branching Time Logic - Emerson, Sistla - 1984 |

69 | Modalities for model checking: Branching time strikes back - Emerson, Lei - 1985 |
Citation Context: ... L(s) end end end of case end end One limitation of the logic CTL is, of course, that it cannot express correctness under fair scheduling assumptions. However, the extended logic FairCTL described in [EL85] can express correctness under fairness (cf. [QS83]). An FCTL specification (p0, 0) consists of a functional assertion p0, which is a state formula, and an underlying fairness assumption 0, which is a ...

67 | Using reasoning about knowledge to analyze distributed systems - Halpern - 1987 |

62 | Reasoning about digital circuits - Moszkowski - 1983 |
Citation Context: ...sus Intervals Most temporal logic formalisms developed for program reasoning have been based on temporal operators that are evaluated as true or false of points in time. Some formalisms (cf. [SMV83], [Mo83], [HS86]), however, have temporal operators that are evaluated over intervals of time, the claim being that use of intervals greatly simplifies the formulation of certain correctness properties. The fol...

48 | Fairness and Related Properties in Transition Systems — A Temporal Logic to Deal with Fairness - Queille, Sifakis - 1983 |
Citation Context: ...e; actually, however, there are a number of technically distinct refinements of this notion. (See, for example, the book by Francez [Fr86] as well as [Ab80], [FK84], [GPSS80], [La80], [LPS81], [Pn83], [QS83], [LPZ85] and [EL85].) Some of these will be described subsequently. Thus to model the semantics of concurrency accurately we need fairness assumptions in addition to the computation sequences gene...

46 | Dynamic logic, in: Handbook of Philosophical Logic - Harel - 1984 |

44 | On the complexity of omega-automata - Safra - 1988 |
Citation Context: ... on infinite objects have also been proposed to facilitate reasoning in TL's (cf. [St81], [VS85], [MP87a]). A particularly important advance in automata theory motivated by TL is Safra's construction ([Sa88]) for determinizing an automaton on infinite strings with only a single exponential blowup, without regard to any special structure possessed by the automaton. Not only is Safra's construction an expon...

36 | Linear and Branching Structures in the Semantics and Logics of Reactive Systems - Pnueli - 1985 |
Citation Context: ...ing quantification over possible futures. Both approaches have been applied to program reasoning, and it is a matter of debate as to whether branching or linear time is preferable (cf. [La80], [EH86], [Pn85]) 2.4 Points versus Intervals Most temporal logic formalisms developed for program reasoning have been based on temporal operators that are evaluated as true or false of points in time. Some formalism...

35 | Deterministic Propositional Dynamic Logic: Finite Models - Ben-Ari, Halpern, et al. - 1982 |
Citation Context: ...nd into a genuine model. We remark that the tableau construction is a rather general one, that applies to many logics. Tableau-based decision procedures for various logics are given in [Pr79], [BPM81], [BHP82], [Wo82], [Wo83], [HS84]. See also the excellent survey by Wolper [Wo84]. In the sequel we describe a tableau-based decision procedure for CTL formulae, along the lines of [EC82] and [EH85]. The followi...

34 | Verifying Concurrent Processes Using Temporal Logic - Hailpern - 1982 |

34 | Probabilistic temporal logics for finite and bounded models - Hart, Sharir - 1984 |
Citation Context: ... remark that the tableau construction is a rather general one, that applies to many logics. Tableau-based decision procedures for various logics are given in [Pr79], [BPM81], [BHP82], [Wo82], [Wo83], [HS84]. See also the excellent survey by Wolper [Wo84]. In the sequel we describe a tableau-based decision procedure for CTL formulae, along the lines of [EC82] and [EH85]. The following definitions and termin...

34 | A temporal logic for reasoning about partially ordered computations - Pinter, Wolper - 1984 |

27 | Yet another process logic - Vardi, Wolper - 1984 |
Citation Context: ...It was proposed as a unifying framework in [EH86], subsuming both CTL and PLTL, as well as a number of other systems. Related systems of high expressiveness are considered in [Pa79], [Ab80], [ST81], and [VW83]. Syntax We now give a formal definition of the syntax of CTL*. We inductively define a class of state formulae (true or false of states) using rules S1-3 below and a class of path formulae (true or fal...

25 | The taming of converse: Reasoning about two-way computations - Vardi - 1985 |

22 | The logic of distributed protocols - Ladner, Reif - 1986 |
Citation Context: ...is a natural metaphor to refer to what a process knows. Logics of knowledge represent an effort to provide a formal basis for such reasoning. A number of systems have been proposed (cf. [HM84], [Le84], [LR86], [DM86]). Typical modalities include K_i p which means that "process i knows p" and Cp which means that "p is common knowledge" in the sense that "all processes know p, all processes know that all pro...

20 | Decidability and expressiveness of logics of processes - Abrahamson - 1980 |

20 | An elementary proof of the completeness of PDL. Theor - KOZEN, PARIKH - 1981 |

18 | Melliar-Smith. From state machines to temporal logic: specification methods for protocol standards - Schwartz, Michael - 1982 |
Citation Context: ... A great deal of work has been done investigating the proof-theoretic approach to verification of concurrent programs using TL (cf. e.g. [Pn81], [MP81], [MP82], [MP83], [La 80], [Ha81], [OL82], [La83], [SMS82]). Typically, one tries to prove, by hand, that a given program meets a certain TL specification using various axioms and inference rules for the system of TL. A drawback of this approach is that proof...

15 | Verification of Concurrent Programs: The Temporal Framework - Manna, Pnueli - 1981 |

12 | Checking the correctness of sequential circuits - Clarke, Dill - 1985 |
Citation Context: ...sulted in the detection of a previously unknown error in a circuit for a self-time queue element published in the text [MC78]. Other applications to the design of sequential circuits are discussed in [BCD85], [BCDM86a], and [DC86], as well as the overview article [CG87]. Finally, model checking is applicable to large-scale network communication protocols. Indeed, one project in France [Si87] has bought de...

12 | Reasoning about fair concurrent programs - Courcoubetis, Vardi, et al. - 1986 |

12 | Verifying network protocols using temporal logic - Hailpern, Owicki - 1980 |

11 | Recursive program schemes: semantics and proof theory - Roever - 1976 |

10 | Generalized fair termination - Francez, Kozen - 1984 |
Citation Context: ...ch process be executed infinitely often - suffice; actually, however, there are a number of technically distinct refinements of this notion. (See, for example, the book by Francez [Fr86] as well as [Ab80], [FK84], [GPSS80], [La80], [LPS81], [Pn83], [QS83], [LPZ85] and [EL85].) Some of these will be described subsequently. Thus to model the semantics of concurrency accurately we need fairness assumptions in...

10 | Testing Containment of omega-regular Languages, Bell Labs - Kurshan - 1986 |
Citation Context: ...asoning applications such as program synthesis and mechanical verification of finite state programs in a conceptually uniform fashion. Verification systems based on automata have also been developed (cf. [Ku86]). We note that not only has the field of TL benefited from automata theory, but the converse holds as well. For example, the tableau concept for the branching time logic CTL, particularly the state/pres...

10 | Reasoning about time and chance - Lehmann, Shelah - 1982 |

10 | Weak monadic second order theory of one successor is not elementary recursive - Meyer - 1975 |
Citation Context: ...e may be much more succinct than the other. For example, while FOLLO and PLTL have the same raw expressive power, it is known that FOLLO can be significantly (nonelementarily) more succinct than PLTL (cf. [Me74]). 6.1.4 Branching Time Expressiveness Analogy with the linear temporal framework suggests several formalisms for describing infinite trees that might be compared with branching temporal logic. ...

9 | Now you may compose temporal logic specifications - Barringer, Kuiper, et al. - 1984 |
Citation Context: ...m by specifying and verifying its constituent subprograms, and then combining them into a complete program together with its proof of correctness, using the proofs of the subprograms as lemmas (cf. [BKP84], [Pn84]). 2.3 Branching versus Linear Time In defining a system of temporal logic, there are two possible views regarding the underlying nature of time. One is that the course of time is linear: At ea...

9 | Applications of temporal logic to the specification and verification of reactive systems: A survey of current trends - Pnueli - 1986 |
Citation Context: ...Temporal Logic has been suggested as a formalism especially appropriate to reasoning about ongoing concurrent programs, such as operating systems, which have a reactive nature, as explained below (cf. [Pn86]). We can identify two different classes of programs (also referred to as systems). One class consists of those ordinarily described as "sequential" programs. Examples include a program to sort a list,...

7 | Automatic Verification of Sequential Circuits Using Temporal Logic - Browne, Clarke, et al. - 1984 |
Citation Context: ... the detection of a previously unknown error in a circuit for a self-time queue element published in the text [MC78]. Other applications to the design of sequential circuits are discussed in [BCD85], [BCDM86a], and [DC86], as well as the overview article [CG87]. Finally, model checking is applicable to large-scale network communication protocols. Indeed, one project in France [Si87] has bought dedicated har...

7 | Star-free regular sets of omega-sequences - Thomas - 1979 |
Citation Context: ...le in the form _i=1 ( 1 F [ i]H ^: 1 F [ i]H) where i, i are star-free regular expressions. Result 6.7 (c0) analogous to Result 6.6 (c0) was intentionally omitted - because it does not hold as noted in [Th79]. It is not the case that [ m ! i=1 i i=1 where i, i are star-free regular expressions, must itself denote a star-free regular set. For example, consider the language L = (00 [ 1) ! .Lis ! expressible...

6 | Automatic Verification of Finite State Concurrent Systems Using Temporal Logic Specifications: A Practical Approach - Clarke, Emerson, et al. - 1983 |
Citation Context: ...h fresh proposition Q and model check EFQ. 2 For example, CTL* can be reduced to PLTL since the basic modalities of CTL* are of the form A or E followed by a PLTL formula. As a consequence we get (cf. [CES83]): Corollary 6.27. The model checking problem for CTL* is PSPACE-complete. Thus the increased expressive power of the basic modalities of CTL* incurs a significant complexity penalty. However, it can b...

6 | Automatic Verification of Asynchronous Circuits Using Temporal Logic - Dill, Clarke - 1985 |

5 | editors. RealTime: Theory - Bakker, Huizing, et al. - 1992 |
Citation Context: ...e at all even moments along all futures, which is captured by Z.P ^ AXAXZ. Related systems were considered in [EC80] and [PR81]. Other proposals for formalisms based on fixpoints can be found in, e.g., [deBS69], [Pa70], [deRo76], [Di76], and [Pa80]. 8.5 Knowledge There has recently been interest in the development of modal and temporal logics for reasoning about the states of knowledge in reactive systems. ...

5 | Dynamic logic: axiomatics and expressive power - Harel - 1979 |
Citation Context: ...ted by Dynamic Logic, originally proposed by Pratt [Pr76] in the first order version, specialized to the propositional version by Fischer and Ladner [FL79], and, in general studied intensively by Harel [Ha79] and others. (Detailed treatments of Dynamic logic can be found in [KT89] and [Ha84].) The basic modalities of Propositional Dynamic Logic (PDL) are of the form < >p where is a regular expression ove...

5 | Computation tree logic CTL - Hafer, Thomas - 1987 |
Citation Context: ...L') such that M', s ⊨ f and L' differs from L at most in the truth assignments to each Qi, 1 i m. Similarly, EQCTL consists of formulae ∃Q1 ... Qm f, where f is a CTL formula. A related result is from [HT87]: Theorem 6.9. CTL* is exactly as expressive as the monadic second order theory of two successors with set quantification restricted to infinite paths, over infinite binary trees. Remark: By augmenting C...

5 | Synthesis of Synchronization Code for Data Abstractions - Laventhal - 1978 |
Citation Context: ...ng an individual component of a reactive system from a specification in (essentially) CTL* is described. Earlier informal efforts toward synthesis of concurrent programs from TL-like formalisms include [La78] and [RK80]. There are a number of advantages to this type of automatic program synthesis method. It obviates the need to compose a program as well as the need to construct a correctness proof. Moreover...

5 | Theoretical Issues in the Design of Distributed and Concurrent Systems - Sistla - 1983 |
Citation Context: ... models of G2Q. This relation with formal languages is discussed in more detail subsequently. Quantified PLTL Another way to extend PLTL is to allow quantification over atomic propositions (cf. [Wo82], [Si83]). The syntax of PLTL is augmented by the formation rule: if p is a formula and Q is an atomic proposition occurring free in p, then ∃Qp is a formula also. The semantics of ∃Qp is given by M,x ⊨ ∃Qp ...

5 | A Lattice-Theoretical Fixpoint Theorem and its Applications - Tarski - 1955 |
Citation Context: ..... implies ([iPi) =[i (Pi). is said to be \-continuous provided that P1 P2 P3... implies (\iPi) =\i (Pi). A predicate P is said to be a fixpoint of functional if P = (P). The theorem of Tarski-Knaster ([Ta55]) ensures that a monotonic functional : PRED(S) ! PRED(S) always has a least fixpoint, Z. (Z) = \f Y: (Y) = Yg, and a greatest fixpoint Z. (Z) = [f Y: (Y) = Yg. Whenever is [-continuous then Z. (Z) = [i i...

4 | A Propositional Modal Logic of Time - Halpern, Shoham - 1991 |

4 | On the semantics of fair parallelism, in Abstract Software Specifications - Park - 1980 |

4 | On Characterization of Safety and - Sistla - 1985 |

3 | How to Cook a Proof System for your Pet Language - Manna, Pnueli - 1983 |
Citation Context: ...urrent Programs: Proof-Theoretic Approach A great deal of work has been done investigating the proof-theoretic approach to verification of concurrent programs using TL (cf. e.g. [Pn81], [MP81], [MP82], [MP83], [La 80], [Ha81], [OL82], [La83], [SMS82]). Typically, one tries to prove, by hand, that a given program meets a certain TL specification using various axioms and inference rules for the system of TL....

3 | Adequate Proof Principles for Invariance and Liveness - Manna, Pnueli - 1984 |

3 | Specification and verification of concurrent programs by ∀-automata - Manna, Pnueli - 1987 |
Citation Context: ...tiness algorithm, motivated by program synthesis applications is given in [PR89]. New types of automata on infinite objects have also been proposed to facilitate reasoning in TL's (cf. [St81], [VS85], [MP87a]). A particularly important advance in automata theory motivated by TL is Safra's construction ([Sa88]) for determinizing an automaton on infinite strings with only a single exponential blowup, without...

3 | On The Extremely Fair Termination of Probabilistic Algorithms - Pnueli - 1983 |

3 | Specification and Verification of Concurrent Programs in CESAR - Queille, Sifakis - 1982 |
Citation Context: ...lynomial time) model checking algorithm for the branching time logic CTL, and first proposed that it could be used as the basis of a practical automatic verification technique. At roughly the same time, [QS82] gave a model checking algorithm for a similar branching time logic, but did not analyze its complexity. To illustrate how model checking algorithms work, we now describe a simple model checking algorith...

3 | The Complexity of Propositional Linear - Sistla, Clarke - 1985 |
Citation Context: .... Then p0 is satisfiable iff p1 is satisfiable. We can in fact do better for PLTL and various fragments of it. The following results on the complexity of deciding linear time are due to Sistla and Clarke [SC85]: Theorem 6.17. The problem of testing satisfiability for PLTL is PSPACE-complete. Proof Idea. To establish membership in PSPACE, we design a nondeterministic algorithm that, given an input formula p0,...

3 | Cellular Automata - Thomas |
Citation Context: ...+ , rather than . Languages of Finite Strings Before presenting the results we briefly review regular expression notations and certain concept concerning finite state automata. The reader is referred to [Th89] for more details. There are several types of regular expression notations: the restricted regular expressions which are those built up from the alphabet symbols , for each 2 ,and , [, and *, denoting...

3 | Verification of concurrent programs: The automata-theoretic framework - Vardi - 1987 |

2 | Program proving considered as hand simulation plus induction - BURSTALL - 1974 |
Citation Context: ...mplication, as described below. An intermittent assertion is expressed by G( (atl ^ ) ) F(atl 0 ^ 0 )) meaning that whenever is true at location l, then 0 will eventually be true at location l 0 (cf. [Bu74], [MW78]). An important special type of intermittent assertion is total correctness of a program with respect to a precondition and postcondition . It is expressed by atl0 ^ ) F(atlh ^ ) which indicat...

2 | Avoiding the State Explosion Problem - Clarke, Grumberg |
Citation Context: ...it for a self-time queue element published in the text [MC78]. Other applications to the design of sequential circuits are discussed in [BCD85], [BCDM86a], and [DC86], as well as the overview article [CG87]. Finally, model checking is applicable to large-scale network communication protocols. Indeed, one project in France [Si87] has bought dedicated hardware to use for model checking network protocols. F...

2 | Alternative Semantics for Temporal Logics, Theor - Emerson - 1983 |
Citation Context: ...n M" is understood to refer to a fullpath x in X. In the most general case X can be completely arbitrary. However, it is often helpful to impose certain requirements on X (cf. [La80], [Pr79], [Ab80], [Em83]). We say that X is suffix closed provided that if computation s0s1s2... ∈ X, then the suffix s1s2... ∈ X. Similarly, X is fusion closed provided that whenever x1sy1, x2sy2 ∈ X then x1sy2 ∈ X. The idea is that ...

2 | Sometimes is sometimes "not never"-on the temporal logic of programs - Lamport - 1980 |

2 |
Impartiality, Justice and Fairness: The Ethics
- Pnueli, A, et al.
Citation Context ...nitely often - suffice; actually, however, there are a number of technically distinct refinements of this notion. (See, for example, the book by Francez [Fr86] as well as [Ab80], [FK84], [GPSS80], [La80], [LPS81], [Pn83], [QS83], [LPZ85] and [EL85].) Some of these will be described subsequently. Thus to model the semantics of concurrency accurately we need fairness assumptions in addition to the computatio... |

2 | A Model and Temporal Proof System for - Nguyen, Demers, et al. - 1986 |

2 |
A Decidable Mu-Calculus, 22nd FOCS
- Pratt
- 1981
Citation Context ...actical terms it also allows expression of extended modalities such as P is true at all even moments along all futures, which is captured by Z.P ^ AXAXZ. Related systems were considered in [EC80] and [PR81]. Other proposals for formalisms based on fixpoints can be found in, e.g., [deBS69], [Pa70], [deRo76], [Di76], and [Pa80]. 8.5 Knowledge There has recently been interest in the development of modal and ... |

2 |
An Interval Logic for Higher-Level Temporal
- Schwartz, Melliar-Smith, et al.
Citation Context ...oints versus Intervals Most temporal logic formalisms developed for program reasoning have been based on temporal operators that are evaluated as true or false of points in time. Some formalisms (cf. [SMV83], [Mo83], [HS86]), however, have temporal operators that are evaluated over intervals of time, the claim being that use of intervals greatly simplifies the formulation of certain correctness properties.... |

1 |
Limits for Automatic Verification of Finite State
- Apt, Kozen
- 1986
Citation Context ...7], [CG87] suggests that it may be possible to avoid this exponential blowup in some cases for concurrent systems with many "copies" of the same process, although this is not possible in general (cf. [AK86]). Other work on reducing the size of the state graph based on hierarchical specification and hiding of states at lower levels of abstraction is presented in [MC85]. 8 Other Modal and Temporal Logic... |

1 |
Defining Safety and Liveness
- Alpern, Schneider
- 1985
Citation Context ...ds to the intuitive characterization of liveness, that "something good will happen," of [OL82]. Further work on syntactic and semantic characterizations of safety and liveness properties are given in [AS85] and [Si85]. One important generic liveness property has the form G(p ⇒ Fq) for past formulae p and q, and is called temporal implication (cf. [Pn77], [La80]). Many specific correctness properties are ... |

1 | Research on Automatic Verification of Finite State - Clarke, Grumberg - 1987 |

1 |
Probabilistic Temporal Logics for Finite and Bounded
- Hart, Sharir
- 1984
Citation Context ... remark that the tableau construction is a rather general one, that applies to many logics. Tableau-based decision procedures for various logics are given in [Pr79], [BPM81], [BHP82], [Wo82], [Wo83], [HS84]. See also the excellent survey by Wolper [Wo84]. In the sequel we describe a tableau-based decision procedure for CTL formulae, along the lines of [EC82] and [EH85]. The following definitions and termin... |

1 | The Emptiness Problem For Automata on - Hossley, Rackoff - 1972 |

1 |
Specifying Message Buffers Requires Extending Temporal Logic
- Koymans
Citation Context ... large sequence of messages, thereby permitting the finite automaton to become "confused." Moreover, the problem is not alleviated by extending the formalism to be pure (i.e., uninterpreted) FOLTL (cf. [Ko87]). However, as noted in [SCFM84] there exist partially interpreted FOLTL's which make it possible to capture correct behavior for a message buffer. One such logic provides history variables that acc... |

1 |
Verification of Concurrent Programs
- Manna, Pnueli
- 1981
Citation Context ...ification of Concurrent Programs: Proof-Theoretic Approach A great deal of work has been done investigating the proof-theoretic approach to verification of concurrent programs using TL (cf. e.g. [Pn81], [MP81], [MP82], [MP83], [La 80], [Ha81], [OL82], [La83], [SMS82]). Typically, one tries to prove, by hand, that a given program meets a certain TL specification using various axioms and inference rules for t... |

1 | A Hierarchy of Temporal Properties - Manna, Pnueli |

1 |
Is "sometimes" sometimes better than "always"?: Intermittent assertions in proving program correctness
- Manna, Waldinger
Citation Context ...on, as described below. An intermittent assertion is expressed by G( (atl ^ ) ) F(atl 0 ^ 0 )) meaning that whenever is true at location l, then 0 will eventually be true at location l 0 (cf. [Bu74], [MW78]). An important special type of intermittent assertion is total correctness of a program with respect to a precondition and postcondition . It is expressed by atl0 ^ ) F(atlh ^ ) which indicates that ... |

1 |
Testing and Generating Infinite Sequences by a Finite Automaton
- McNaughton
- 1966
Citation Context ...Somewhat surprisingly, the only known way to build the tree automaton involves difficult combinatorial arguments and/or appeals to powerful automata-theoretic results such as McNaughton's construction ([McN66]) for determinizing automata on infinite strings. The principal difficulty manifests itself with just the simple modality Ap. The naive approach of building the string automaton for p and then running it... |

1 | A Decidability Result for Second Order - Parikh - 1978 |

1 |
Specification and
- Ramarithram, Keller
- 1980
Citation Context ...idual component of a reactive system from a specification in (essentially) CTL* is described. Earlier informal efforts toward synthesis of concurrent programs from TL-like formalisms include [La78] and [RK80]. There are a number of advantages to this type of automatic program synthesis method. It obviates the need to compose a program as well as the need to construct a correctness proof. Moreover, since it ... |

1 |
Can Message Buffers be Axiomatized
- Sistla, Clarke, et al.
Citation Context ...viz., that the sequence of messages output on channel y equals to the sequence of messages input on channel x. An important limitation of PLTL and related formalisms was established by Sistla et al. [SCFM84] which shows that an unbounded FIFO buffer cannot be specified in PLTL. Essentially, the problem is that any particular formula p of PLTL is of a fixed size and corresponds to a bounded size finite state au... |

1 | Propositional Dynamic Logic of Looping and Converse, Information and Control 54 - Streett - 1982 |