the tableau method for temporal logic: an overview ... tableau.pdf · the tableau method 1 2 3 for...

THE TABLEAU METHOD FOR TEMPORAL LOGIC:AN OVERVIEW

Pierre WOLPER

Abstract: An overview of the tableau decision method for propositio-nal temporal logic is presented. The method is described in detail forlinear time temporal logic. It is then discussed how it can be applied toother variants of temporal logic like branching time temporal logic andextensions o f linear time temporal logic. Finally, applications o ftemporal logics to computer science are reviewed.

I. Int roduc t ion

Temporal logic (TL ) has been studied as a branch o f logic fo rseveral decades. It was developed as a logical framework to formalizereasoning about time, temporal relations such as "before— o r " a f t e r " ,and related concepts such as tenses. TL is closely related to the modallogic of necessity ([HC68]) which attempts to formalize the notions ofpossible and necessary truth. As temporal logic can in fact be viewedas a special case of modal logic, its origins can also be traced to thoseof that theory. Tableau decision procedures for temporal and modallogic have been known for some time. An account of earlier work ontemporal logic can be found in either the book of Prior ([Pr67]) or ofRescher and Urquhart ([RU711).

In [P677], it was suggested that temporal logic could be a useful toolto formalize reasoning about the execution sequence of programs andespecially of concurrent programs. In that approach, the sequence ofstates a machine goes through during a computation is viewed as thetemporal sequence o f worlds described by TL . Since then, severalresearchers have been using TL to state and prove properties o fconcurrent programs (e.g. [GPSS801, [La80], [0L80 ] , [BP80],[MP8 I], [CES831, [MP83], [MW84]), protocols (e.g. [Ha80], [H081],[SM81], [SM82], [Vo82], [SS82], [SMV83], [SPE841, and hardware(e.g. [Bo821 , [M081], [HMM83], [Mo831).

120 P . WOLPER

In this paper, we first define the propositional version of linear timetemporal logic. We then describe the tableau decision procedure forPTL. We also review other variants o f temporal logics and stateresults about their decision problems. And finally, we discuss the useof temporal logic in computer science.

The formation rules are:

2. Propositional Temporal Logic

We define here the propositional version of temporal logic (PTL).We have chosen one of the most common versions appearing in thecomputer science literature. In contrast to the temporal logics studiedin philosophical logic it contains only temporal operators dealing withthe "future" and no operators concerning the "past".Syntax: PTL formulas are built from

• A set Y of atomic propositions: pl, p2, p3,

• Boolean connectives: A,• Temporal operators: 0 ("next"), 0 ("eventually"),

U ("until'').

• An atomic proposition p e Y is a formula.• I f ft a nd 1.2 are formulas, so are

Ah, O A , 01.1, f i 1 1 . 1.2 •

We use El ("always") as an abbreviation for --10 W e also use Vand D as the usual abbreviations, and parentheses to resolve ambi-guities.Semantics: A structure fo r a PTL formula (with set 64 o f a t o m i cpropositions) is a triple .337 = ( S , N , a ) w h e r e

• S is a finite or enumerable set of states.• N : (5' —) S ) is a total successor function that for each state

gives a unique next state.• a : (S—>2) assigns truth values to the atomic propositions of

the language in each state.

For a structure vl and a state s S we have

(71, , $ )p i f f p En(s)(d ,$) A f2 i f f , $ )f f , and ç 1,$ )f.2

(cl i f n o t (cl,$)(cl, s) O f i f f (cV ,N ( s ) ).In the following definitions, we denote by N

e( s ) t h e i t ' s t a t e i n t h e

sequence

s , N (s), N(N(s)), N(N(N(s))),of successsors of a state s.

(91i,$)<>1' i f f ( 0 ) “ 2 1 , N l ( s ) )./ )(5zi, s ) u f 2 i f f ( 3 i 0 )((iz i,N (s ) ) f f2 A j (0 < i D ( , Ni (s ) )1

71))

An interpretation J = (ci „vo) f o r P T L c o n s i s t s o f a s t r u c tu r e d a nd

an initial state so e S . W e w i l l s ay t ha t an i n t er p r et a t io n J = ( 37 1, s0)

satisfies a formulaf iff 1. 5 V , s0 •f . S i n c e a n i n t e r p r et a t i o n f u n i qu e l y

determines a sequence

o = so, N( s0) , AP( so) , N3( s0) ,

we will often say "the sequence o satisfies a formula" instead of "theinterpretation . / satisfies a formula". The satisfiability problem forPTL is, given a formulai', to determine if there is some interpretationthat satisfies f (i.e., a model off). In the next section, we describe thetableau method for the satisfiability problem of PTL.

Exaniples:

I) The formula

THE TABLEAU METHOD 1 2 1

is satisfied by all sequences in which p is true in the first state.2) The formula

Lfp Oc. i)

is satisfied by all sequences where each state in which p is true isfollowed by a state in which q is true.

122 P . WOLPER

3) The formula

Dp D ( - - - q Ur))

is satisfied by all sequences where if p is true in a given state, then,from the next state on, q is always false until the first state where r istrue.4) The formula

▪ Op

is satisfied by all sequences in which p is true infinitely often.5) The formula

Dp A 0 - p

is not satisfied by any sequence.6) The formula

Op ( — p p )

is satisfied by all sequences (it is valid).

3. The Tableau fil' ethod fin- P H .

The tableau method foi- P T L i s a n e x t e n s io n o f t he t a b le a u m e th o d

for propositional logic (see [Sm681). Boolean connectives are handledexactly as fo r propositional logic and temporal connectives arehandled by decomposing them into a requirement on the "currentstate— a nd a r equ ir emen t on "the rest of the sequence—. This

decomposition of the temporal connectives makes the tableau into astate by state search for a model of the formula being considered. Thedecomposition rules fo r the temporal operators are based on thefollowing identities:

=./. V 0 O f ( I)uf2 ( 1.2 v V I A 0 VI U .f 2) )• (2)

Given that decomposing formulas using identities (1-2) does not makethem smaller, the tableau might be infinite. However, we will insurethat the tableau is f in i t e b y i d e n t i f yi n g t h e n o de s of t he t a bl e au t ha t are

labeled by the same set of formulas. Note that in the tableau method


for propositional logic this is not necessary as the tableau is always afinite tree. Another difference is that obtaining a tableau with nopropositional inconsistencies for a formulaf is not a guarantee thatf issatisfiable. Indeed, formulas of the form Oh or 1f) U1.2 1 w h i c h w e c a l leveuttlalitie,s' might not be satisfied. The problem is that, for instancefor a formula O ft, t h e t a b l e au r u le b a se d on ( I) w il l a ll ow us to

continuously postpone the point at wh ich fl i s s a t i s f i e d . T h i s c o r r e s -

ponds to always choosing the 0 O f disjunct in ( I). We will thus haveto add an extra step to the tableau method which will eliminate nodescontaining eventualities that are not satisfiable.

More precisely, to test a PTL formulaf for satisfiability, the tableaumethod constructs a directed graph. Each node tt o f the graph islabeled by a set of formulas T„. Initially, the graph contains exactlyone node, labeled by t n . To describe the construction of the graph,we distinguish between elementary and non-elementary formulas.Elementary formulas are those whose main connective is 0 (we callthese 0-formulas) or that are either atomic propositions or negationsof atomic propositions. The construction of the graph proceeds byusing the following decomposition rules which map each non-ele-mentary formulai into a set E of sets 5'1 o f f o r m u l a s fi: - O f

- 1 t f l{0

fl A .f2 , f 2 11- A 1.2) —> I t —A I, I —1 /.2 11

O f -› , (0 OM

•Of — ) 1 - - , 0./11U.f2 t f 2 0 (fl uf211

—(f1 u 1.2) —4 2 , v U f2 )1

During the construction, to avoid decomposing the same formulatwice, we will mark the formulas to which a decomposition rule hasbeen applied we don't simply discard them as we will need themwhen checking i f eventualities are satisfied). Once the graph isconstructed, we eliminate unsatisfiable nodes.

The graph construction proceeds as follows:

11 Start with a node labeled by t f l where/is the formula lobe tested.We will call f the initial fimmtla and the corresponding node the

124 P . WOLPER

initial node. Then repeatedly apply steps 2) and 3). In these steps,when we say —c r e a t e a s o n o f n o de n l a be l ed by a set of f or mu la s

we mean create a node if the graph does not already contain anode labeled by T. I f it does, we just create an edge from n to thealready existing node.

2) I f a node n labeled by T„ contains an unmarked non-elementaryformula f and the tableau rule for f is f —› IS,1, then, for each S,,create a son of n labeled by (T„ — t f l ) U S, U W I where P is fmarked.

3) I f a node n contains only elementary and marked formulas, thencreate a son o f tt labeled b y the 0-formulas ST„ with the iroutermost 0 removed.

A node containing only elementary or marked formulas will be calledastute. And, a node that is either the initial node or the immediate son

of a state will be called a pre-state.Given the form of the tableau rules, the formulas labeling the nodes

of the graph are subformulas or negations of subformulas of the initialformula o r such formulas preceded by O. The number o f theseformulas is equal to 4/, where! is the length of the initial formula. Thenumber of nodes in the graph is then at most equal to the number ofsets of such formulas, that is 24 /.

At this point, to decide satisfiability, we have to eliminate theunsatisfiable nodes of the graph. We repeatedly apply the followingthree rules.

El: I f a node contains both a proposition p and its negationeliminate that node.

E2: I f all the successors of a node have been eliminated, eliminatethat node.

E3: I f a node which is a pre-state contains a formula of the form O fo rfl U.L. that is not satisfiable (see below), eliminate that node.

To determine if a formula O f or fl U f2 i s s a t i s f i a b l e , o n e u s e s t h e

following rule:

FI: A formula O f o r fl L i f2 i s s a t i s f i a bl e i n a p r e -s t a t e, if t he re is a

path in the tableau leading from that pre-state to a node contai-ning the formulah. •The decision procedure ends after all unsatisfiable nodes have been

tp,OlEp

4O p A <> i pOp* , —ip-x•p,0111p

•

O p A - - p,k 1

Op» ,, 0 Op

--p 0 0 —p


eliminated. I f the initial node has been eliminated, then the initialformula is unsatisfiable, if not it is satisfiable.

Eximiple

Consider the formula Op A 0 —p . The tableau obtained fo r thisformula by the algorithm we have just described is the one appearingin ligure 1.

I t O p A 0----121

2 lL ip A 0.—p-xl

Op, 0 --,p

3 lOp A <> -x-

Ep-x-,p , 0 Op

Figure I

6 {Op , 0 -1 , }4

1111p*, <>-1717

p,0111p

9 1 Elp•IF. 0 —p-x-I/p, 0 Dp 10 0 --p i

126 P . WOLPER

In this tableau, the initial node is 1: the states are 4, 5.8 and 9: andthe pre-states are 1 and 6. Nodes 4 and 8, contain a proposition (p) andits negation. they are thus unsatisfiable and are eliminated by rule El.Node 6 is a pre-state and contains an eventuality formula (0 p ) thatis not satisfiable as there is no path leading from 6 to a node containing-ill (node 8 is eliminated). The other nodes are then eliminated by

rule E2 and the formula is found to be unsatisfiable.It is easy to see that the decision procedure requires time and space

exponential in the length I of the initial formula. Actually. it is possibleto test a PTL formula for satisfiability using only polynomial space.The satisfiability problem for PTL is in fact complete in PSPACE. Fora discussion of the complexity of PTL, see [SC821 and [WVS83]. Thecorrectness of the tableau method we have just described is establis-hed by the following theorem:

Theorem I : An PTL formulai i s s a t i s f i a b l e i f f t h e i n i t i a l n o de o f t he

graph generated by the tableau decision procedure for that formulais not eliminated.

Proof:a) I f the initial node is eliminated, then f is unsatisfiable.

We prove by induction that i f a node in the tableau labeled by. . . , fsl i s e li mi na ted , then VI, )• is unsatisfiable.

Case 1: The node was eliminated by rule E l . I t thus contains aproposition and its negation and is unsatisfiable.

Case 2: The node is eliminated by rule E2 and is not a state. The sonsof that node were created using a tableau rule f t Sil . I t i s e a s y t o

check that for each of these tableau rules, f is satisfiable iff at leastone of the Si i s s a t i s fi a b l e . As a ll the s uc ce ss or nodes have been

eliminated, they all contain unsatisfiable sets of formulas and theinitial node contains the unsatisfiable formulaf.

Case 3: The node is eliminated by rule E2 and is a state. Thus, the setof all the 0-formulas in the node is unsatisfiable and so is the set ofall formulas in the node.

Case 4: The node was eliminated by using rule E3. Hence, there is aneventuality in the node that is not satisfiable on any path in thetableau. As any model corresponds to some path in the tableau, theeventuality is unsatisfiable and so is the set of all formulas in thenode.


b) I f the initial node is not eliminated, then _f is satisfiable.To prove this, we have to show that i f the initial node is not

eliminated, there is a model of the initial formula. First notice thatexcept for satisfying evenualities, a path through the tableau startingwith the initial node defines a model of the initial formula. We thusonly have to show that we can construct a path through the tableau onwhich all eventualities are satisfied. It can be done as follows.

For each pre-state in the graph, unwind a path from that pre-statesuch that all the eventualities it contains are satisfied on that path.This is done by satisfying the eventualities one by one. I f one of theeventualities is selected, it is possible to find a path on which thateventuality is satisfied and whose last node is a pre-state (if not thenode would have been eliminated). Now, given the tableau rules, theeventualities that are not satisfied will appear in the last node of thatpath and hence the path can be extended t o satisfy a secondeventuality. By repeating this construction, one obtains a path onwhich all eventualities are satisfied. Once all these paths are cons-tructed, we link them together. The model obtained has the followingform:

S - ) S S 2 - - > ,

A complete axiomatization of PTL can be obtained from the tableaumethod in the usual way. The only point worthy o f interest is theaxiom corresponding t o the elmination ru le E3. That axiom isbasically an induction axiom for the 0 operator. [Wo83] contains acomplete axiomatization of PTL and a proof of completeness.

4. Other Temporal Logics

Extensions of Linear Time Temporal LogicA simple property like even (p), meaning that p is true in every even

state o f a sequence and might be true or false in odd states is notexpressible in the temporal logic we have discussed in the previoussection. This led to the def init ion of an extended temporal logic (ETL)in [Wo831. The extended temporal logic is based on the observationthat one can extend PTL with operators corresponding to arbitraryright-linear grammars. The operators 0, 0 , and U of PTL are in fact

128 P . WOLPER

special cases o f this more general class o f operators. One o f theimportant features o f E TL is that i t also has a tableau decisionprocedure similar to the one we have described for PTL (see [Wo831).In [WVS831, several alternative definitions of ETL are considered andtheir expressiveness and complexity are characterized.

Quantified Temporal LogicAnother way to extend linear time propositional temporal logic is to

allow quantification o f propositional variables. The resulting logic,quantified propositional temporal logic (QPTL) is decidable, bu tunfortunately is of non-elementary complexity. The known decisionprocedures are by reduction to S n S or by using automata theoretictechniques ([Si83], [Wo82]). Interestingly, the expressiveness o fQPTL and of ETL is the same [WVS83].

Branching Time Temporal Logics

In the interpretations of linear time temporal logic, each state hasexactly one successor. That is the reason for the name "linear time".If one deals with a situation where there are several possible futures(in computer science, this is the case if one deals with a non-determi-nistic program). the "linear time" assumption no longer holds. Thisled to the development of branching time temporal logics (BTL) thatare interpreted over structures where each state can have severalsuccessors.

Formulas of branching time temporal logic are similar to formulas oflinear time temporal logic with the addition of path quantifiers. Pathquantifiers V and 3) are used to specify to which paths the temporallogic formula applies. For example, V Op is true in a state, if on allpaths from that state there is a state satisfying p. Depending on howthe path quantifiers and temporal logic formulas are allowed t ointeract, one defines a variety of branching time temporal logics.

One of the simplest of the branching time temporal logics is the logicUB described in IBMP81]. In that logic, path quantifiers and temporaloperators are required to always appear together. In other words, UBcan be viewed as PTL where each of the temporal operators 0 , 0 ,and U is replaced by two operators, VO and 3 0 , V <> and 2 0. VUand U . The logic UB also has a tableau decision procedure similar tothe one described here for PTL, though slightly more complicated as


the logic is interpreted over branching rather than linear structures.UB also has a simple complete axiomatization. However, the com-plexity o f the decision problem fo r UB is EXPTIME rather thanPSPACE as it is for the linear time temporal logics. In [E1-182]. onecan find a thorough description of tableau-like decision procedures forbranching time temporal logic.

At the other end o f the spectrum is the logic CTL* described inIEH831. In CTL*, one allows path quantifiers to apply to arbitrarylinear t i m e t e mp o ra l l o g i c f o rmu la s . F o r in s t a n ceV (0 Op A q U (0 r)) is a CTL''' formula. CTL * is strict ly moreexpressive than UB. Also, it is possible to define several logics thatare in between CTL* and UB as fa r as expressiveness. [EH831discusses all these logics and compares their expressiveness. As far asdecision procedures, the tableau method that we presented here doesnot extend naturally to CTL*. At this point the only decision procedu-res that are known for CTL* are based on automata theoretic methodsand require time triply or quadruply exponential (see [ES84], [VW831and [VW841 for a description of these decision procedures). No simplecomplete axiomatization is known for CTL*. Also, no precise caracte-rization of its complexity is known. The best lower bound obtained isexponential, whereas the best upperbound is triply exponential.

Interval Tenzporal Logic

A variation of temporal logic that has appeared recently is intervaltemporal logic. Interval temporal logic is a variant o f linear timetemporal logic that allows explicit description o f intervals. Twovariants are currently in existence. One described in 1 SMV831 wasdeveloped as a more convenient higher level extension of PTL for thespecification and verification of protocols. Its formulas combine thedescription of an interval and a temporal logic statement concerningthat interval. For instance the formula [i] Op states that the first timethe interval I appears, it satisfies Elp (i.e., all its states satisfy p). It isnot more expressive than PT L and there is a translation from itsformulas to PTL formulas. This gives a decision procedure for thelogic though it is no more a tableau decision procedure closely linkedto the syntax of the logic [P183]. This interval temporal logic has noknown simple complete axiomatization.

A second interval temporal logic is described in [HMM83] and

130 P . WO L PER

Mo831. It was designed with the description of hardware as a goal. Inthis logic, all statements are about intervals. Its fundamental opera-

tions are 0 which here maps an interval into its tail (the same intervalwith the first state removed) and concatenation of intervals ( ;). Thesetwo simple constructs make it into a very powerful language. Unfor-tunately, it is undecidable in the general case and, the only knowndecidable subset is of non-elementary complexity (see [Mo831).

Probabilistic Temporal Logic

Yet another variant of temporal logic is probabilistic temporal logic.Its development has been motivated by the appearance of probabilis-tic algorithms. As branching time temporal logic, probabilistic tempo-ral logic is interpreted over structures in which states have more thanone successor. The difference is that a probability is associated witheach transition. The formulas of the logic then state that a given lineartime temporal logic formula holds on a set of paths that has probabilityone. Three different variants. of probabilistic temporal logic aredescribed in 1L.S821. For each of these a complete axiomatization isgiven. I n1K1-831 double exponential decision procedures are given forthese logics.

First Order Temporal Logic

Up to this point we have been talking about propsitional temporallogics. However, first order temporal logics are often used when forinstance stating properties of programs. Unfortunately, though axio-matizations for first order temporal logics have been proposed (e.g.,Ma811), they are not complete.

5. Use of Temporal Logic in Computer Science

In the last few years, temporal logic has been used in severaldifferent areas of computer science. The main ones are the following.

Slating and Proving Properties o f Concurrent Programs This was the initial motivation when temporal logic was introducedto the computer science community in [Pn771. When reasoning abouta concurrent program, it is not sufficient to deal with its input output


behavior, one has to consider the entire computation sequence. Astemporal logic is geared towards describing sequences, it appearedwell suited for this problem.

In this approach, one views the execution sequence of a program asthe sequence of states TL describes and one can state properties ofthat sequence. As TL formulas do not allow us to explicitely representthe program, it has to be encoded in a set of statements that basicallyrepresent the allowable transitions in each state. This approach hasbeen further developed in [MP811, and [MP83].

Related methods fo r specifying and proving the correctness o fconcurrent programs are described in [01,821 and [La83]. In [01,821 aproof method called proof lattices was introduced.

A method to check that finite state programs satisfy some temporallogic specifications was proposed in [CES83]. The idea is (hat a finitestate program can be viewed as a structure over which temporal logicformulas can be interpreted. The problem o f checking that theprogram satisfies a given temporal formula is then equivalent to theproblem of checking that the structure corresponding to that programis a model of the formula. In [CES831, it was pointed out that if oneuses the branching time logic UB, this problem is in polynominal time,which leads to attractive algorithms. Similar ideas were developed inIQS821.

Another application related to the one we are now describing is thestudy of fairness conditions and properties. When several processesare running concurrently, the outcome of executing the program candepend on how ressources are allocated to the various processes. Forexample, i f ressources are allocated evenly to a ll processes, theprogram might terminate whereas if one o f the processes does notreceive any ressources the program might get blocked. This had led tospecifying fairness conditions on the execution o f concurrent pro-grams. These fairness conditions require a somewhat even distribu-tion of ressources among the various processes. A large number o fdifferent conditions have been proposed. Temporal logic has appea-red to be a useful tool for stating and reasoning about these conditions(see [LPS811, [QS8213], and [Pn831).

132 P . WOLPER

Synthesis o f Concurrent Programs

A direct use of the decision procedure we described in this paperhas been the synthesis o f the synchronization part o f concurrentprograms. I f one assumes that the various parts o f a concurrentprogram only interact through a finite number of signals, then theirinteraction can be specified in propositional temporal logic. Now, ifone applies the tableau decision procedure to this specification, oneobtains a graph that can be viewed as a program satisfying thosespecifications. Indeed, all executions of the program (paths throughthe graph) satisfy the specification (if one ensures that eventualitiesare satisfied). This approach was developed in [Wo82] and [MW84]using a linear time temporal logic and in [CE81] using a branching timetemporal logic. A more informal approach to synthesis from temporallogic specifications appears in [RK80].

Specification and Correctness of Protocols

Communication protocols are another area where temporal logichas been applied. Protocols can often be hard to implement correctlyand analyse. This is due to the fact that they are often quite intricateand can exhibit unexpected behaviors. This has led to a lot of interestin formal methods to specify and reason about protocols. Amongthese methods temporal logic has played an important role. Again it isits ability to describe sequences (e.g., the sequence of communica-tions a protocol performs) that has made it attractive for this applica-tion (see [Hai801, [H0811, [SM811, [SS82], [SMV831, [SPE84]).

Hardware

The development of always larger integrated circuits has made theneed for tools to specify and reason about such circuits more andmore necessary. Several researchers have tried to apply temporallogic to th is problem ([Bo82], [M081], [HMM83[, [Mo831). Thetechnique o f model checking introduced in [CES83] fo r concurrentprograms was applied to circuits in [CM841.

A T&T Bell Laboratories P i e r r e WOLPERMurray Hill, NJ 07974


REFERENCES

IBMP8 M . Ben-Ani. Z. Manna. A . Pnueli, "The Temporal Logic o f BranchingTime". Eighth ACM Symposium on Principles o f Programming Languages,Williamsburg, VA, January 1981, pp. 164-176.

[B082] G.V. Bochmann, "Hardware Specification with Temporal Logic: An Exam-ple", IEEE Transactions on Computers, C-31(3). March 1982, pp. 223-231.

[BP80] M. Ben-Ari, A. Pnueli. "Temporal Logic Proofs of Concurrent Programs".Technical Report, Department of Mathematical Sciences, Tel-Aviv University.1980.

[CE8Il E.M. Clarke. E.A. Emerson, "Synthesis of Synchronization Skeletons fromBranching Time Temporal Logic '', in Logics of Programs. Lecture Notes inComputer Science vol. 131, Springer-Verlag, Berlin, 1982. pp. 52-71.

ICES831 E.M. Clarke, E.A. Emerson, A.P. Sistla, "Automatic Verification of Finite-state Concurrent Systems Using Temporal Logic Specifications: A PracticalApproach", Proc, o f t h e 1 0 t h A CM S y mp o s iu m on P r in c ip l es of P ro gr am mi ng

Languages. Austin, January 1984, pp. 117-126.[CM84I E. Clarke. S. Mishra, '' Automatic Verification of Asynchronous Circuits", in

Logics o f Programs. Springer-Verlag Lecture Notes in Computer Science.Vol. 164. Berlin, 1984. pp. 101-115.

[ECM] E.A. Emerson, E.M. Clarke, "Characterizing Correctness Properties of Paral-lel Programs as Eixpoints", Proc. 7th Int. Colloquiwn on Automata, Languagesand Programming, Lecture notes in Computer Science vol. 85, Springer-Verlag, Berlin. 1981. pp. 169-181.

[EH82] E.A. Emerson, J.Y. Halpern, "Decision Procedures and Expressiveness in theTemporal Logic of Branching Time'', Proceedings of the 14th Symposium onTheory of Computing, San Francisco, CA, May 1982. pp. 169-180.

[EH83] E.A. Emerson, J.Y. Halpern, "Sometimes and Not Never Revisited: OnBranching Versus Linear Time", Proceedings o f the Uniz Symposium onPrinciples of Programming Languages, Austin. January 1983, pp. 127-140.

I ES84I E.A. Emerson, A.P. Sistla, "Dec iding Branching Time Logic ", Proc. 16thACM Symposium on Theory of Computing, Washington, May 1984, pp. 14-24.

[GPSS80] D. Gabbay, A. Pnueli, S. Shelah and J. Stavi, "The Temporal Analysis ofFairness", Seventh ACM Symposium on Principles of Programming Langua-ges, Las Vegas, NV, January 1980, pp. 163-173.

tHai801 B.T. Hailpern, "Verify ing Concurrent Processes Using Temporal Logic ",Ph.D. Thesis, Stanford University, 1980.

IHC681 G.E. Hughes. M.J. Cresswell, An Introduction to Modal Logic. Methuen andCo, London, 1968.

H MM83I J. Halpern, Z . M a n n a , B . M o s z ko w s k i. "A H a rd w ar e S em an t ic s Based on

temporal Intervals". Froc', loth International Colloquium on Automata Lan-guages and Programming, Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1983.

134 P. WOLPER

[1-10811 B.T. Hailpern, S. Owicki, "Modular Verification of Computer CommunicationProtocols... R e s ea r c h R ep or t RC 8726. IBM T.I. Watson Research Center.

March 81.[KL83] S. Kraus, D. Lehman, "Decis ion Procedures for Time and Chance", !'roc.

24th IEEE Symposium on Foundations of Computer Science, Tucson, Novem-ber 1983, pp. 202-209.

1Lam801 L . Lampait, "Sometimes is Sometimes Not Never", Seventh ACM Sympo-NiUM on Principles of Programming Languages, Las Vegas, NV. January 1980,pp. 174-185.

[LPS81] D. Lehman, A. Pnueli. J. Stavi, "Impart iality , Justice and Fairness: TheEthics o f Concurrent Termination". Ploc. 81h International Colloquium outAutomata languages. a n d P r o g r a mm i n g . L e c tu r e N ot es in C om p ut e r S ci en ce ,

Springer-Verlag, Berlin 1981, pp. 264-277.1LS82j D. Lehman. S. Shelah. "Reasoning with Time and Chance". hifOrmation and

Control, Vol. 53, 1982. pp. 165-198.[Ma81] Z. Manna. "Verification of Sequential Programs: Temporal Axiomatisation",

Theoretical Fmmdations o f Programming Methodology (E L . Bauer, E.W.Dijkstra. C.A.R. Hoare, eds.), NATO Scientific Series, D. Reidel Pub. Co.,Holland, 1981.

[Mo831 B. Moszkowski, "Reasoning about Digital Circuits ", Ph.D. Thesis. Depar-tment of Computer Science. Stanford University. July 1983.

[M0811 Y. Malachi and S. Owicki "Temporal Specifications of Self-Timed Systems"in VLSI Systems and Computations., H . T . K l i n g, B o b S p r o u l , a n d G u y S t e e le

editors, Computer Science Press 1981. pp. 203-212.IMPS I] Z. Manna, A. Pnueli, "Verification o f Concurrent Programs: the Temporal

Framework'', The Correctness Problem in Computer Science (R.& Boyer andJ.S. Moore, eds.), International Lecture Series in Computer Science, AcademicPress, London, 1981. pp. 215-273.

[MP83] Z. Manna, A. Pnueli, "How to Cook a Temporal Proof System for your PetLanguage, Proc. o f the lOth ACM Symposium on Principles of PrograntmingLanguages. Austin, January 1984. pp. 141-154,

EMW841 Z. Manna, P. Wolper, "Synthesis of Communicating Processes from Tempo-ral Logic Specifications", ACM Transactions on Programming Languages andSystems. V o l . 6 , No . I. J an ua ry 1984, pp. 68-93.

10L821 S. Owick i, L. Lamport, "Prov ing Liveness Properties o f Concurrent Pro-grams", ACM Transactions on Programming Languages arid Systems, Vol. 4.No. 3, 1982. pp. 455-496.

[P183] D. Plaisted, "An Intermediate-Level Language for Obtaining Decision Procedu-res for a Class of Temporal Logics", Technical Report. Computer ScienceLaboratory, SRI. 1983.

[Pn77] A . Pnueli. "The Temporal Logic of Programs", Proceedings of the EighteenthSymposium on Foundations of Computer Science, Providence, RI. November1977. pp. 46-57.


[Pn83] A. Pnueli. "On the Extremely Fair Treatment of Probabilistic Algorithms'',Proc. 15th ACM Symposium on Theory o f Computing, Boston, April 1983.pp. 278-289.

[Pr67] A . Prior, Past, Present and Future, Oxford University Press, 1967.IQS821 .I.P. Quellle, J. Sifakis, "Specification and Verification of Concurrent Systems

in CESAR'', Lecture Notes in Computer Science, Vol. 137 Springer-Verlag,Berlin, 1982. pp. 337-351.

[QS82b] J.P. ( )mi lk . J . Sifakis. " A Temporal Logic t o Deal wit h Fairness inTransition Systems", Proc. IEEE Symposium on .f o u n d a t i o n s o f C o m p u t e rScience, Chicago, 1982, pp. 217-225.

IRK801 K . Ramamritham, R.M. Keller, "Specification and Synthesis of Synchroni-zers'•, Proceedings haernatimud Syt»posium on Parallel Processing, August1980, pp. 311-321.

[RU711 N. Rescher, A. Urquart. Temporal Logic, Springer-Verlag, 1971.ISC821 A.P. Sistla, E.M. Clarke, "The Complexity of Propositional Linear Temporal

Logic", Proceedings o f the Nth ACM Symposium on Theory of Computing,San Francisco, CA, May 1982, pp. 159-168.

15i831 A.P. Sistla, "Theoretical Issues in the Design and Verification of DistributedSystems", Ph.D. Thesis, Harvard University, 1983.

1Sm681 R.M. Smullyan, First Order Logic, Springer-Verlag. Berlin, 1968.[SM81] R.L. Schwartz. P.M. MeIliar-Smith. "Temporal Logic Specification of Distri-

buted Systems'', Proceedings o f the Second haernational Conference onDistributed Systems. Paris. France. April 1981.

ISM821 R.L. Schwartz. P.M. Me Iliar-Smith, "From State Machines to TemporalLogic: Specification Methods for Protocol Standards", IEEE Transactions onCommunications., D e c e m be r 1 9 8 2.

ISMV83I R.L. Schwartz, P.M. MeIliar-Smith, F.H. Vogt, "A n Interval Logic forHigher-Level Temporal Reasoning'', Prot-. 2 n d A C M S y m p o s i u m o n P r i n c i p l es

of Distributed Computing, Montreal, Canada, August 1983. pp. 173-186.ISPE84I D.E. Shasha. A.Pnueli, W. Ewald, "Temporal Verification of Carrier-Sense

Local Area Network Protocols". Noe. I 1th ACM Symposium on Principles ofProgramming Languages, Salt Lake City, January 1984, pp. 54-65.

ISS82I K . Sabnani, M. Schwartz, "Verification of a Multidestination Protocol UsingTemporal Logic ", in Protocol Specification Testing and Verification. C .Sunshine ed., North-Holland, 1982, pp. 21-42.

[Vo821 F.H. Vogt. "Event-Based Temporal Logic Specification o f Services andProtocols", in Protocol Specification, Testing and Verification. North-HollandPublishing. 1982.

IVW831 M.Y. Vardi, P. Wolper. "Ye t Another Process Logic-, i n L o g i c s o f P r o -

grams, Springer-Verlag Lecture Notes in Computer Science. Vol. 164. Berlin.1984, pp. 501-512.

IVW841 W Y . Vardi, P. Wolper, "Automata Theoretic Techniques for Modal Logics ofPrograms", Proc. 16th ACM Symposium on Theory of Computing. Washington.May 1984, pp. 446-456.

136 P . WOLPER

IWo82] P. Wolper. -S y n t h e s i s o f C o m m u ni c a t i n g P r o ce s s es f ro m T em po r al Logic

Specifications-. P h . D . T h e s is . S t an f o rd U n iv e rs i ty . Augus t 1982.

[Wo83] P. Wolper. "Temporal Logic Can Be More Expressive-. h d O r m a t i o n a n d

Control, Vol. 56, Nos. 1-2, 1983. pp. 72-99.I WVS83I P. Wolper. MY . Vardi, A.P. Sistla. "Reasoning about Infinite Computation

Paths-. P ru e . 24th IEEE Symposium on Foundations of Computer ,Science,

Tucson, 1983. pp. 185-194.

the tableau method for temporal logic: an overview ... tableau.pdf · the tableau method 1 2 3 for...

Documents