
M4M 2007

An On-the-fly Tableau-based Decision Procedure for PDL-Satisfiability
Pietro Abate (a,1), Rajeev Goré (a,2) and Florian Widmann (b,3,4)
(a) Computer Sciences Laboratory, The Australian National University, Canberra, Australia
(b) Computer Sciences Laboratory and Logic & Computation Programme, The Australian National University and NICTA, Canberra, Australia
Abstract
We present a tableau-based algorithm for deciding satisfiability for propositional dynamic logic (PDL) which builds a finite rooted tree with ancestor loops and passes extra information from children to parents to separate good loops from bad loops during backtracking. It is easy to implement, with potential for parallelisation, because it constructs a pseudo-model on the fly by exploring each tableau branch independently. But its worst-case behaviour is 2EXPTIME rather than EXPTIME. A prototype implementation in the TWB (http://twb.rsise.anu.edu.au) is available.
Keywords: propositional dynamic logic, automated reasoning, tableau calculus, decision procedure
1 Introduction
Propositional dynamic logic (PDL) is a logic for reasoning about programs [14,8]. Its formulae consist of traditional Boolean formulae plus action modalities built from a finite set of atomic programs using sequential composition (; ), non-deterministic choice (), repetition (), and test (?). The satisfiability problem for PDL is EXPTIME-complete [15]. Unlike EXPTIME-complete description logics with algorithms exhibiting good average-case behaviour, no decision procedures for PDL-satisfiability are satisfactory from both a theoretical (soundness and completeness) and practical (average case behaviour) viewpoint as we explain below.
The earliest decision procedures for PDL are due to Fischer and Ladner [8] and Pratt [15]. Fischer and Ladner's method is impractical because it first constructs the set of all consistent subsets of the set of all subformulae of the given formula, which always requires exponential time in all cases. On the other hand, Pratt [15] essentially builds a multi-pass (explained shortly) tableau method. Most subsequent decision procedures for other fix-point logics like propositional linear temporal logic (PLTL) [18], computation tree logic (CTL) [4,7] and the modal -calculus [13] trace back to Pratt [15], and they all share one main disadvantage as explained next.
1 Email: Pietro.Abate@pps.jussieu.fr
2 Email: Rajeev.Gore@rsise.anu.edu.au
3 Email: Florian.Widmann@rsise.anu.edu.au
4 National ICT Australia is funded by the Australian Government's Dept of Communications, Information Technology and the Arts and the Australian Research Council through Backing Australia's Ability and the ICT Centre of Excellence program.
This paper is electronically published in Electronic Notes in Theoretical Computer Science, URL: www.elsevier.nl/locate/entcs
Abate and Goré and Widmann
In these multi-pass procedures, a state is a node which contains only diamond-like formulae (eventualities), box-like formulae, atoms and negated atoms. The first pass constructs a rooted tableau of nodes containing formula-sets, but allows cross-branch arcs from a state n on one branch to a (previously constructed) state m on a different branch if applying the tableau construction to n would duplicate m. Thus the first pass constructs a pseudo-model which is a potentially exponential-sized cyclic graph (rather than a cyclic tree where m would have to be an ancestor of n). The subsequent passes check that the pseudo-model is a real model by pruning inconsistent nodes and pruning nodes containing unfulfilled eventualities. Although efficient model-checking techniques can check the pseudo-model in time which is linear in its size, these multi-pass methods can construct an exponential-sized cyclic graph needlessly. One solution is to check for fulfilled eventualities on the fly, as the graph is built, and although such methods exist for model-checking [6,5], we know of no such decision procedures for PDL. The only implementation of a multiple-pass method for PDL that we know of is in LoTRec (www.irit.fr/Lotrec) but it is not optimal as it treats disjunctions naively.
Baader [3] gave a single-pass tableau-based decision procedure for a description logic with role definitions involving union, composition and transitive closure of roles: essentially PDL without test. His method constructs a (cyclic tree) tableau using the semantics of the PDL operators. To separate good loops from bad loops, Baader must decide equality of regular languages, a PSPACE-complete problem which in practice may require exponential time. Instead of solving these problems on the fly, they can be reduced to a simple check on the identity of states in a deterministic minimal automaton created from the positive regular expressions appearing in the initial formula during a pre-processing stage [3, page 27]. But since the pre-computed automaton can be of exponential size, this alternative may require exponential time needlessly. Baader's method is double-exponential in the worst-case. The test construct is essential to express while loops but creates a mutual recursion between the Boolean language and the regular language. It is not obvious to us how to extend Baader's method to test. DLP (http://www.cs.bell-labs.com/cm/cs/who/pfps/dlp) implements this method restricted to test-free formulae where applies only to atomic programs.
De Giacomo and Massacci [9] gave an optimal PDL-satisfiability test using labelled formulae like : to capture that possible world makes formula true. They first give a NEXPTIME algorithm for deciding PDL-satisfiability and then discuss ways to obtain an EXPTIME version using various known results. But an actual EXPTIME algorithm, and its soundness and completeness proofs, are not given. A deterministic implementation of their NEXPTIME algorithm by Schmidt and Tishkovsky struck problems with nested stars, but a solution is forthcoming [16].
Other decision procedures for fix-point logics use resolution calculi, translation methods, automata-theoretic methods, and game theoretic methods: see [1] for references. We know of no implementations for PDL based on these methods.
Here, we give a sound, complete and terminating decision procedure for PDL with the following advantages and disadvantages:
One-pass nature: our method constructs a single-rooted finite tree (with loops from leaves to ancestors). As there are no cross-branch edges, we can use depth-first, left-to-right search, reclaiming the space used for each branch via backtracking.
Proofs: Full elementary proofs of soundness and completeness are available.
Ease of implementation: our rules are easy to implement since our tableau nodes contain sets of formulae and some easily defined extra information whose manipulation requires only set intersection, set membership, and min/max on integers. But these low-level details make the rules cumbersome to describe.
Potential for optimisation: there is potential to optimise our (tree) tableaux using successful techniques from (one-pass) tableaux for description logics [11].
Ease of generating counter-models: the soundness proof immediately gives an effective procedure for turning an open tableau into a PDL-model.
Ease of generating proofs: unlike existing Gentzen calculi for fix-point logics [2,12], our tableau calculus gives a cut-free Gentzen-style calculus with cyclic proofs with an optimal rather than worst-case bound for the finitised omega rule.
Potential for parallelisation: our rules build the branches independently but combine their results during backtracking, enabling a parallel implementation.
Prototype: a (sequential) prototype implementation in the Tableau Work Bench (twb.rsise.anu.edu.au) allows arbitrary PDL formulae to be tested over the web.
Complexity: our method has worst-case double-exponential time complexity.
Generality: Our method for PDL fits into a class of similar one-pass methods for other fix-point logics like PLTL [17] and CTL [1]. Further experimental work is required to determine if our methods can be optimised to exhibit good average-case behaviour using techniques like sound global caching [10].
2 Syntax, Semantics and Hintikka Structures
Definition 2.1 Let AFml and APrg be two disjoint and countably infinite sets of propositional atoms and atomic programs, respectively. The set Fml of all formulae and the set Prg of all programs are defined inductively as follows:
(i) AFml Fml and APrg Prg
(ii) if , Fml then Fml and Fml and Fml and ? Prg
(iii) if Fml and Prg then ) Fml and [] Fml
(iv) if Prg and Prg then (; ) Prg and Prg and Prg.
Let p, q range over members of AFml and a, b range over members of APrg. A )-formula is any formula ), a , a)-formula is a )-formula ) with / APrg, and a )-formula is any formula ). Fml) is the set of all )-formulae, Fml, a) is the set of all , a)-formulae, and Fml) is the set of all )-formulae.
Table 1
Smullyan's α- and β-notation to classify formulae
α: [ ] [] ?) ; ) [; ]
α_1: [] )) [][]
α_2: [] [][]
β: ) ) [?]
β_1: )
β_2: ) ))
Definition 2.2 A transition frame is a pair (W, R) where W is a non-empty set of worlds and R a function that maps each atomic program a to a binary relation R_a over W. A model (W, R, V) is a transition frame (W, R) and a valuation function V : AFml 2^W mapping each atomic proposition p to a set V(p) of worlds.
Definition 2.3 Let M = (W, R, V) be a model. The functions _M : Fml 2^W and _M : Prg 2^(WW) are defined inductively as follows:
_M(p) := V(p)
_M(a) := R_a
_M() := W _M()
_M( ) := _M() _M()
_M( ) := _M() _M()
_M([]) := { w | v W. (w, v) _M() v _M() }
_M()) := { w | v W. (w, v) _M() & v _M() }
_M( ) := _M() _M()
_M(?) := { (w, w) | w _M() }
_M(; ) := { (w, v) | u W. (w, u) _M() & (u, v) _M() }
_M() := { (w, v) | k N. w_0, . . . , w_k W. w_0 = w & w_k = v & i 0, . . . , k 1. (w_i, w_{i+1}) _M() }
For w W and Fml, we write M, w iff w _M().
Definition 2.4 Formula Fml is satisfiable iff there is a model M = (W, R, V) and a w W such that M, w . Formula Fml is valid iff is not satisfiable.
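As an added illustration (not code from the paper or the TWB prototype), the following Python computes the denotations of Definition 2.3 over a small finite model and then decides M, w |= φ by membership; the tuple encoding, the model with its valuation, and the formulae are all constructed for this example.

```python
# Added example (not the paper's code): the semantics of Definition 2.3 over a
# finite model. Formulae and programs are nested tuples, negation on atoms only:
#   ('atom','p') ('neg','p') ('and',f,g) ('or',f,g) ('box',prg,f) ('dia',prg,f)
#   ('prg','a') ('seq',a,b) ('union',a,b) ('star',a) ('test',f)

def compose(R, S):
    """Relational composition: (w,v) with (w,u) in R and (u,v) in S."""
    return frozenset((w, v) for (w, u) in R for (u2, v) in S if u == u2)

def star(R, worlds):
    """Reflexive-transitive closure of R: the chains w_0 ... w_k of Def. 2.3."""
    closure = frozenset((w, w) for w in worlds)
    while True:
        bigger = closure | compose(closure, R)
        if bigger == closure:
            return closure
        closure = bigger

def sem_fml(model, f):
    """[[f]]_M: the set of worlds where formula f holds."""
    W, R, V = model
    t = f[0]
    if t == 'atom':
        return frozenset(V.get(f[1], ()))
    if t == 'neg':
        return W - frozenset(V.get(f[1], ()))
    if t == 'and':
        return sem_fml(model, f[1]) & sem_fml(model, f[2])
    if t == 'or':
        return sem_fml(model, f[1]) | sem_fml(model, f[2])
    rel, phi = sem_prg(model, f[1]), sem_fml(model, f[2])
    succ = lambda w: [v for (x, v) in rel if x == w]
    if t == 'box':   # every program-successor satisfies phi
        return frozenset(w for w in W if all(v in phi for v in succ(w)))
    if t == 'dia':   # some program-successor satisfies phi
        return frozenset(w for w in W if any(v in phi for v in succ(w)))
    raise ValueError(f)

def sem_prg(model, p):
    """[[p]]_M: the binary relation on W denoted by program p."""
    W, R, V = model
    t = p[0]
    if t == 'prg':
        return frozenset(R.get(p[1], ()))
    if t == 'seq':
        return compose(sem_prg(model, p[1]), sem_prg(model, p[2]))
    if t == 'union':
        return sem_prg(model, p[1]) | sem_prg(model, p[2])
    if t == 'star':
        return star(sem_prg(model, p[1]), W)
    if t == 'test':  # (w,w) exactly for the worlds where the test formula holds
        return frozenset((w, w) for w in sem_fml(model, p[1]))
    raise ValueError(p)

def holds(model, w, f):
    """M, w |= f (last line of Definition 2.3)."""
    return w in sem_fml(model, f)

# Constructed model: worlds 0 -a-> 1 -a-> 2, q true at 0 and 1, p true at 2.
MODEL = (frozenset({0, 1, 2}), {'a': {(0, 1), (1, 2)}}, {'p': {2}, 'q': {0, 1}})
P, Q, A = ('atom', 'p'), ('atom', 'q'), ('prg', 'a')
# "while q do a" as the PDL program (q?;a)*;(not q)?  (test makes the loop expressible)
WHILE_Q_DO_A = ('seq', ('star', ('seq', ('test', Q), A)), ('test', ('neg', 'q')))

if __name__ == '__main__':
    print(holds(MODEL, 0, ('dia', ('star', A), P)))    # True: 0 -> 1 -> 2 reaches p
    print(holds(MODEL, 0, ('box', ('star', A), Q)))    # False: world 2 lacks q
    print(holds(MODEL, 0, ('box', WHILE_Q_DO_A, P)))   # True: the loop can only exit at 2
```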
Definition 2.5 Formula Fml is in negation normal form if appears only immediately before propositional atoms. For every Fml, we obtain a formula nnf() in negation normal form by pushing negations inward repeatedly (e.g. using de Morgan's laws) so nnf() is valid. We define := nnf().
We use Smullyan's α/β-notation to categorise formulae via Table 1 and use bolding to differentiate it from the use of and as members of Prg. So if α (respectively β) is any formula pattern in the first row then α_1 and α_2 (respectively β_1 and β_2) are its corresponding patterns in the second and third row.
Proposition 2.6 All formulae α_1 α_2 and β_1 β_2 in Table 1 are valid.
Definition 2.7 A structure (W, R, L) [for Fml] is a transition frame (W, R) and a labelling function L : W 2^Fml which associates with each world w W a set L(w) of formulae [and has L(v) for some world v W].
Definition 2.8 For a given Fml the (infinite) set pre() is defined as:
pre() := { Fml | k N. _1, . . . , _k Prg. = _1) . . . _k) }.
For all formulae and , the binary relation on formulae is defined as: iff (exactly) one of the following conditions is true:
Fml. , Prg. = ; ) & = ))
Fml. , Prg. = ) & ( = ) or = ) )
Fml. Prg. = ) & ( = or = )) )
, Fml. = ?) & = .
Intuitively, using Table 1, the relation relates a , a)-formula (respectively β) to α_1 (respectively β_1 and β_2) while pre() captures that ) can be reduced to )), which can be reduced to _1) . . . _k)). Note that pre().
Definition 2.9 Let H = (W, R, L) be a structure, Fml a formula, Prg a program, and w W a state. A fulfilling chain for (, , w) in H is a finite sequence (w_0, _0), . . . , (w_n, _n) of world-formula pairs with n 0 such that:
w_i W, _i pre(), and _i L(w_i) for all 0 i n
w_0 = w, _0 = ), _n = , and _i ≠ for all 0 i n 1
for all 0 i n 1, if _i = a) for some a APrg and Fml then _{i+1} = and w_i R_a w_{i+1}; otherwise _i _{i+1} and w_i = w_{i+1}.
Each _i is in L(w_i), the chain starts at (w_0, )), ends at (w_n, ), and no other w_i is paired with . Formulae _i, _{i+1} are -related and corresponding worlds w_i, w_{i+1} are equal unless _i = a), in which case _{i+1} = and w_i R_a w_{i+1}. Thus eventuality ) w_0 is fulfilled by w_n and w_n is -reachable from w_0.
Definition 2.10 A pre-Hintikka structure H = (W, R, L) [for Fml] is a structure [for ] that satisfies H1-H5 (below) for every w W where α and β are formulae as defined in Table 1. A Hintikka structure H = (W, R, L) [for Fml] is a pre-Hintikka structure [for ] that additionally satisfies H6 below:
H1 : p L(w) p , L(w)
H2 : α L(w) α_1 L(w) & α_2 L(w)
H3 : β L(w) β_1 L(w) or β_2 L(w)
H4 : a) L(w) v W. w R_a v & L(v)
H5 : [a] L(w) v W. w R_a v L(v)
H6 : ) L(w) there exists a fulfilling chain for (, , w) in H.
H3 locally unwinds the fix-point semantics of ), but does not guarantee a least fix-point which requires be true eventually. H6 globally ensures all )-formulae are fulfilled. H2 captures the greatest fix-point semantics of [].
Theorem 2.11 A formula Fml in negation normal form is satisfiable iff there exists a Hintikka structure for .
3 An Overview of the Algorithm
To track unfulfilled eventualities and to avoid at a world cycles, our algorithm stores additional information in each tableau node using histories and variables [17]. Histories are passed from parents to children and variables from children to parents.
Our algorithm starts at a root containing a given formula and some default history values. It builds a tree by repeatedly applying α-/β-rules to decompose formulae via the semantics of PDL. The β-rule for ) has a left child that fulfils this eventuality by reducing it to , and a right child that procrastinates fulfilment by reducing it to )). The rules modify the histories and variables as appropriate for their intended purpose.
But naive application of the α-/β-rules to formulae like a ) with nested stars can lead to at a world cycles: e.g. a ), , a)a ), , a ). A solution is to use the histories to reduce one particular )-formula until becomes atomic by forcing the rules to concentrate on this task, and to block previously reduced diamonds and boxes if they lead to at a world cycles. The application of α/β-rules stops when all non-blocked leaves contain only atoms, negated atoms, and all )-formulae and all []-formulae begin with outermost atomic programs only. For each such leaf node l, and for each a)-formula in l, the )-rule creates a successor node containing , where = { | [a] l }. These successors are then saturated to produce new leaves using the α- and β-rules, and the )-rule creates the successors of these new leaves, and so on.
If left unchecked, this procedure can produce infinite branches since the same successors can be created again and again on the same branch. To obtain termination, the )-rule creates a successor containing for l only if this successor has not already been created previously higher up on the current branch. So if the successor exists already, the current branch is blocked from re-creating it. The resulting loop may be bad since every β-node on this branch for an eventuality ) may procrastinate, so ) is never fulfilled. To track this potentially unfulfilled eventuality, we assign the height of the blocking node to the pair (, )) via a variable uev as long as is a decomposition of ).
During backtracking, our rules merge the uev entries of the children and also modify the resulting uev to reverse-track the decomposition of ). In particular, a uev entry becomes undefined at a node if the eventuality it tracks can be fulfilled in the sub-tableau rooted at this node. Conversely, if a node at height h receives a uev entry with value at least h then the eventuality tracked by this uev entry definitely cannot be fulfilled, so the parent of this (blocking) node is then unsatisfiable.
Whether or not the initial formula is satisfiable is determined by the status of the root node. Due to technicalities caused by at a world cycles, the status can be one of the values unsatisfiable, open or barred (to be explained later). The initial formula is PDL-satisfiable iff the status of the root node is open.
4 A One-pass Tableau Algorithm for PDL
Definition 4.1 A tableau node x is of the form ( :: HCr, Nx, BD, BB :: stat, uev) where: is a set of formulae; HCr is a list of pairs (, ) where is a set of formulae and ; Nx is either or a formula designated to be the principal formula of the rule applied to x; BD is the set of Blocked Diamonds; BB is the set of Blocked Boxes; stat has one of the values unsat, open, or barred; and uev is a partial function from Fml) Fml) to N_{>0} (the positive natural numbers).
Definition 4.2 A tableau for a formula set Fml and histories HCr, Nx, BD, and BB is a tree of tableau nodes with root ( :: HCr, Nx, BD, BB :: stat, uev) where the children of a node x are obtained by a single application of a rule to x (i.e. only one rule can be applied to a node) but where the parent can inherit some information from the children. A tableau is expanded if no rules can be applied to any of its leaves. On any branch of a tableau, a node t is an ancestor of a node s iff t lies above s on the unique path from the root down to s.
The list HCr is a history for detecting ancestor-loops and guarantees termination. The choice of principal formula is free if Nx = , but is pre-determined as the formula in Nx otherwise. When a diamond formula in the parent is decomposed to give a formula Fml, a) in the current node, we set the Nx-value of the child to to ensure that is decomposed next. Together with the histories BD and BB, this allows us to block )-formulae and []-formulae from creating at a world cycles. The variables stat and uev have their values determined by the children of a node. Formally, stat = unsat at node x if x is definitely unsatisfiable. Informally, stat = barred if all descendants of node x are unsatisfiable or lead to an at a world cycle. Finally, stat = open indicates that the node is potentially satisfiable, but as it may be on a loop, this is something which we can determine only later as we backtrack towards the root.
Definition 4.3 The partial function uev_⊥ : Fml) Fml) N_{>0} is the constant function that is undefined for all pairs of formulae: i.e. _1, _2. uev_⊥(_1, _2) = .
The partial functions tst : Fml Fml and bl : Fml 2^Fml 2^Fml are defined as:
tst() := if Fml, a), and otherwise;
bl(, ) := if Fml, a), and otherwise.
The function tst returns when the formula being tested is not a )-formula, or is a )-formula but its program is atomic. The function uev tracks unfulfilled eventualities, so uev_⊥ flags that all eventualities are fulfilled, and uev(_1, _2) defined flags a potentially unfulfilled eventuality. If a node has stat = unsat or stat = barred then its uev is irrelevant so it is arbitrarily set to uev_⊥.
4.1 The Rules
We use and for sets of formulae and write _1, . . . , _n, _1, . . . , _m for the partition _1 _n _1 _m of formulae in a node. To save space, we often omit histories/variables which are passed unchanged from parents/children to children/parents. Most rules are applicable only if some side-conditions hold, and most involve actions that change histories downwards or variables upwards. Each rule is written with its premise node first and its conclusion node(s) below it.
Terminal Rules.
(id)  ( :: :: stat, uev)
Side-condition for (id): p, p for some p AFml.
Action for (id): stat := unsat and uev := uev_⊥.
()_2)  (), :: Nx, BD :: stat, uev)
Side-condition for ()_2): Nx , ) & ) BD.
Action for ()_2): stat := barred and uev := uev_⊥.
An id-node is clearly unsatisfiable. The principal formula of the )_2-rule is unfulfillable because it causes an at a world cycle, so this rule terminates the current branch. Note both rules may be applicable to a node.
Linear (α) Rules.
()  ( , :: Nx :: uev)
    (, , :: Nx :: uev_1)
([])  ([ ], :: Nx :: uev)
    ([], [], :: Nx :: uev_1)
([; ])  ([; ], :: Nx :: uev)
    ([][], :: Nx :: uev_1)
([])  ([], :: Nx, BB :: uev)
    (_1 :: Nx, BB_1 :: uev_1)
Common Side Condition: Nx = .
Common Action: uev(_1, _2) := uev_1(_1, _2) if _1 , else uev(_1, _2) := .
Extra Action for ([]): _1 := if [] BB else _1 := [][] , ; BB_1 := { [] } BB.
Most rules are standard but for the histories since they just capture the transformations in Table 1. The []-rule just deletes [] if [] BB since this indicates that it has already been expanded once at this world. Otherwise it captures the fix-point nature of [] via Prop. 2.6 and then puts [] into BB_1.
The next two rules have individual side-conditions and actions as shown.
(; ))  (; ), :: Nx, BD :: uev)
    ()), :: Nx_1, BD_1 :: uev_1)
Side-condition for (; )): Nx , ; )
Actions for (; )): Nx_1 := tst( )) ); BD_1 := bl( )), BD );
uev(_1, _2) := uev_1()), _2) if _1 = ; ); uev_1(_1, _2) if _1 ; otherwise.
(?))  (?), :: Nx, BD_1 :: uev)
    (, , :: Nx_1, BD_1 :: uev_1)
Side-condition for (?)): Nx , ?)
Actions for (?)): Nx_1 := tst(); BD_1 := bl( , BD );
uev(_1, _2) := uev_1(, _2) if _1 = ?); uev_1(_1, _2) if _1 ; otherwise.
These rules just capture the transformations in Table 1 except for the histories. Their choice of principal formula is free if Nx = , but is restricted to the formula in Nx otherwise. If the decomposition of the principal )-formula is a , a)-formula, we put Nx_1 of the child to be to enforce that is the principal formula of the child. The actions for uev ensure that uev(_1, _2), where _1 is the principal )-formula, inherits its value from the corresponding )-formulae in the child: e.g. uev(; ), _2) = uev_1()), _2) reverse-tracks the decomposition of ; ) into )). Also, uev(_1, _2) is only defined if _1 is in the parent.
Universal Branching (β) Rules.
()  (_1 _2, :: Nx :: stat, uev)
    (_1, :: Nx :: stat_1, uev_1) | (_2, :: Nx :: stat_2, uev_2)
Side-condition for (): Nx =
([?])  ([?], :: Nx :: stat, uev)
    (, :: Nx :: stat_1, uev_1) | (, :: Nx :: stat_2, uev_2)
Side-condition for ([?]): Nx =
Action for () and ([?]) for i = 1, 2: uev'_i(_1, _2) := uev_i(_1, _2) if _1 ; otherwise.
())  (_1 _2), :: Nx, BD :: stat, uev)
    (_1), :: Nx_1, BD_1 :: stat_1, uev_1) | (_2), :: Nx_2, BD_2 :: stat_2, uev_2)
Side-condition for ()): Nx , _1 _2)
Action for ()) for i = 1, 2: Nx_i := tst( _i) ); BD_i := bl( _i), BD );
uev'_i(_1, _2) := uev_i(_i), _2) if _1 = _1 _2); uev_i(_1, _2) if _1 ; otherwise.
()_1)  (), :: Nx, BD :: stat, uev)
    (, :: Nx_1, BD_1 :: stat_1, uev_1) | ()), :: Nx_2, BD_2 :: stat_2, uev_2)
Side-condition for ()_1): Nx , ) & ) / BD
Action for ()_1):
Nx_1 := tst(); BD_1 := bl( , ) BD );
uev'_1(_1, _2) := if _1 = _2 = ); uev_1(, _2) if _1 = ) ≠ _2; uev_1(_1, _2) if _1 ; otherwise.
Nx_2 := tst( )) ); BD_2 := bl( )), ) BD );
uev'_2(_1, _2) := uev_2()), _2) if _1 = ); uev_2(_1, _2) if _1 ; otherwise.
The )_1-rule captures the fix-point nature of the )-formulae according to Prop. 2.6 as long as the principal formula is not blocked via BD. The choice of the principal formulae in the first child is either free if is not a , a)-formula or is if is a , a)-formula. In the latter case we also block the regeneration of ) and thus avoid an at a world cycle by putting ) into BD_1. The right child is treated similarly but uses )) instead of .
Actions for all β-rules:
stat := unsat if stat_1 = unsat & stat_2 = unsat; open if stat_1 = open or stat_2 = open; barred otherwise.
min_⊥(f, g)(_1, _2) := if f(_1, _2) = or g(_1, _2) = ; min(f(_1, _2), g(_1, _2)) otherwise.
uev := uev_⊥ if stat ≠ open; uev'_1 if stat_1 = open ≠ stat_2; uev'_2 if stat_1 ≠ open = stat_2; min_⊥(uev'_1, uev'_2) if stat_1 = open = stat_2.
The intuitions are:
uev'_i: the definitions of uev'_i ensure that the pairs (_1, _2), where _1 is the principal )-formula, get the values from their corresponding )-formulae in the children. In the )_1-rule, a special case sets the value of uev'_1(_1, _2) to if _1 and _2 are equal to the principal formula ) of this rule since the eventuality ) is no longer unfulfilled as the left child fulfils it. Note that uev'(_1, _2) is only defined if _1 is in the parent.
min_⊥: the definition of min_⊥ ensures that we take the minimum of f(_1, _2) and g(_1, _2) only when both functions are defined for (_1, _2).
uev: if stat ≠ open, the uev is irrelevant, so we arbitrarily set it as undefined. If only one child has stat = open, we take its uev'. If both children have stat = open, we take the minimum value of entries that are defined in uev'_1 and uev'_2.
All previous rules modify existing uev-entries, but never create new ones. The next rule is the only rule that creates uev-entries (by identifying loops).
Existential Branching Rule.
())  ( a_1)_1, . . . , a_n)_n, a_{n+1})_{n+1}, . . . , a_{n+m})_{n+m}, [], :: HCr, Nx, BD, BB :: stat, uev )
    ( _1, _1 :: HCr_1, Nx_1, BD_1, BB_1 :: stat_1, uev_1 ) | . . . | ( _n, _n :: HCr_n, Nx_n, BD_n, BB_n :: stat_n, uev_n )
where:
(1) n + m 0
(2) AFml { q | q AFml }
(3) [] { [a] | a APrg & Fml }
(4) _i := { | [a_i] [] } for i = 1, . . . , n
(5) p AFml. p, p ,
(6) i 1, . . . , n. j 1, . . . , len(HCr). ( _i, _i _i ) ≠ HCr[j]
(7) k n + 1, . . . , n + m. j 1, . . . , len(HCr). ( _k, _k _k ) = HCr[j]
Actions for ()): for i = 1, . . . , n : HCr_i := HCr @ ( _i, _i _i ), Nx_i := tst(_i), BD_i := , BB_i :=
stat := unsat if i 1, . . . , n. stat_i ≠ open or Fml). _i pre() & ≠ uev_i(_i, ) > len(HCr); open otherwise
uev_k(, ) := j 1, . . . , len(HCr) such that ( _k, _k _k ) = HCr[j], for k = n + 1, . . . , n + m
uev(_1, _2) := uev_i(_i, _2) if stat = open & _2 Fml) & _1 pre(_2) & _1 = a_i)_i for an i 1, . . . , n + m; otherwise
Some intuitions are in order:
(1) If n = 0, the application of the rule generates no new nodes and stat vacuously evaluates to open. If m = n = 0, we additionally have uev := uev_⊥.
(2) The set contains only propositional atoms or their negations.
(3) The set [] contains only formulae of the type [a]. Thus (2) and (3) imply that the )-rule is applicable only if the node contains no α- or β-formulae.
(4) The set _i contains all formulae that must belong to the i-th child, which fulfils a_i)_i, so that we can build a Hintikka structure later on.
(5) The node must not contain a contradiction.
(6) If n > 0, then each a_i)_i for 1 i n is not blocked by an ancestor and has a child containing the formula set _i _i thereby generating the required successor for a_i)_i. Note that len(HCr) denotes the length of HCr.
(7) If m > 0, then each a_k)_k for n+1 k n+m is blocked from creating its required child _k _k because some ancestor does the job. This ancestor must not only consist of the formulae _k _k but it must also have been created to fulfil a)_k for some a APrg. Note that the values a_k and a are ignored when looking for loops since we are interested only in the contents of the required child.
HCr_i: is the HCr of the parent extended with an extra entry to record the history of worlds created on the path from the root down to the i-th child using @ as list concatenation. Note that we store a pair (_k, _k _k), not just _k _k. That is, we remember that the node _k _k was created to fulfil a)_k for some a APrg.
stat: the parent is unsatisfiable if some child has stat ≠ open. But it is also unsatisfiable if some child, say the i-th, and some eventuality ) in it loops lower because _i pre()) and uev_i(_i, )) is defined and greater than the length of the current HCr. Intuitively, the latter tells us that the eventuality ) occurs in the sub-tableau rooted at the parent but cannot be fulfilled.
uev_k: for n+1 k n+m, the k-th child is blocked by a higher (proxy) child. For every such k we set uev_k to be the constant function which maps every formula-pair to the level j of its proxy child. This is just a temporary function used to define uev as explained next. The blocking child itself must have been created to fulfil a )-formula a')_k, as indicated by the first component of HCr[j].
uev(_1, _2): If stat = unsat then uev is undefined everywhere. Else, for each _1 = a_i)_i with i 1, . . . , n + m, and each _2 with a_i)_i pre(_2), we take uev(a_i)_i, _2) from the formulae-pair (_i, _2) of the corresponding (real) child if a_i)_i is unblocked, or set it to the level of the proxy child higher in the branch if it is blocked. For all other formulae-pairs, uev is undefined. The intuition is that a defined uev(_1, _2) flags a loop which starts at the parent and eventually loops up to some blocking proxy. The value of uev(_1, _2) tells us the level of the proxy because we cannot classify this loop as good or bad until we backtrack to that level. The uev of each a_i)_i is taken from the child created specifically to contain _i, a fact which is vital in the proofs.
BD_i, BB_i, Nx_i: each child has no blocked diamond- or box-formulae, and its principal formula is determined by the form of _i.
The )- and id-rules are mutually exclusive via their side-conditions. Our rules are designed so that at least one rule is applicable to any node. As shown in the next section, we need to build only one fully expanded tableau, hence if multiple rules are applicable to a node, the choice of rule is immaterial. Of course, in our implementation, we give priority to the id-rule since it may close a branch sooner. Other heuristics, like preferring linear rules over branching rules, are also useful.
4.2 Termination, Soundness, and Completeness
Definition 4.4 Let x = ( :: HCr, Nx, BD, BB :: stat, uev) be a tableau node, a formula, and a set of formulae. We write x [ x] to mean [ ]. The parts of x are written as HCr_x, Nx_x, BD_x, BB_x, stat_x, and uev_x. Node x is closed iff stat_x = unsat, open iff stat_x = open, and barred iff stat_x = barred.
Definition 4.5 Let x be a )-node in a tableau T (i.e. a )-rule was applied to x). Then x is also called a state and the children of x are called core-nodes. Using the notation of the )-rule, a formula a_i)_i x is blocked iff n + 1 i n + m. For every not blocked a_i)_i x, the successor of a_i)_i is the i-th child of the )-rule. For every blocked a_i)_i x there exists a unique core-node y on the path from the root of T to x such that _i _i is the set of formulae of y, and y is the successor of a formula a')_i in the parent of y. We call y the virtual successor of a_i)_i, and also call the formula _i in the (possibly virtual) successor of a_i)_i a core-formula.
A state is another term for a )-node but a core-node can be any type of node (even a state). A state arises from a core-node by α- and β-rules. Note that the core-formula in a core-node y is well-defined and unique: if x_1 and x_2 are states and y is the (possibly virtual) successor of a_1)_1 x_1 and a_2)_2 x_2, then _1 = _2.
Let be a formula in negation normal form, and T an expanded tableau with root r = ( :: [], , , :: stat, uev) with stat and uev determined by r's children.
Theorem 4.6 T is a finite tree.
Theorem 4.7 If the root r T is open, there is a Hintikka structure for .
Theorem 4.8 If the root r T is not open then is not satisfiable.
Theorem 4.9 If || = n, our procedure has worst-case time complexity in O(2^(2^n)).
The length of a branch in a tableau is bounded, essentially by the number of core-nodes on that branch. The number of core-nodes itself is bounded, essentially by the cardinality of the power set of the set cl() of all formulae that can appear in the tableau. The size of cl() is polynomial in n, hence the length of a branch is in O(2^n). Thus the overall (worst case) number of nodes in a tableau is in O(2^(2^n)).
4.3 Fully Worked Examples
The first simple example illustrates how the procedure avoids infinite loops due to at a world cycles by blocking )- and []-formulae from regenerating. The formula (q?))(p p) is obviously not satisfiable. Hence, any expanded tableau with root (q?))(p p) should not be open. Figure 1 shows such a tableau where each node is labelled with the rule that is applied to it in the tableau. The initial formula (q?))(p p) in node (1) is decomposed into a β_1-child p p and a β_2-child q?)(q?))(p p) according to the )_1-rule. The formula p p in node (2) is then decomposed according to the α-rule and node (3) is marked as closed because it contains a contradiction. Node (2) inherits the status from node (3) unchanged according to the α-rules and, thus, is closed too.
13
Abate and Goré and Widmann
Fig. 1. A first example: a closed tableau for (q?)(p p). The figure is reproduced here as a list of its nodes (formula set :: histories :: stat, uev); uev is irrelevant for closed or barred nodes.
(1) )_1-node: (q?))(p p) :: [], , , :: barred, uev. Its _1-child is (2), its _2-child is (4).
(2) -node: p p :: [], , , :: unsat, uev. Its child is (3).
(3) id-node: p , p :: [], , , :: unsat, uev.
(4) ?)-node: q?)(q?))(p p) :: [], q?)(q?))(p p), (q?))(p p), :: barred, uev. Its child is (5).
(5) )_2-node: q , (q?))(p p) :: [], (q?))(p p), (q?))(p p), :: barred, uev.
Because the _2-formula q?)(q?))(p p) is a ,a)-formula, the )_1-rule puts this formula into its Nx_2, the Nx-value of node (4), and thus forces node (4) to have q?)(q?))(p p) as its principal formula. For the same reason, the )_1-rule puts its own principal formula (q?))(p p) into its BD_2, the BD-value of node (4). Hence node (4) decomposes q?)(q?))(p p) according to the ?)-rule. Again, the resulting node (5) is forced to have (q?))(p p) as its principal formula via its Nx-value, and gets its BD-value unchanged from node (4).
Node (5) has the same principal formula as node (1), so applying the )_1-rule to node (5) would cause the procedure to enter an "at a world" (infinite) cycle. Because the history BD of node (5) contains (q?))(p p), the )_1-rule is blocked on node (5), but the )_2-rule is not. Hence the branch is terminated and the status of node (5) is set to barred (thereby avoiding the "at a world" cycle).
Node (4) inherits the status from node (5) unchanged and node (1) is marked barred also according to the definition of stat in the -rules. Therefore the tableau is not open. Note that the variable uev does not play a role in this example as it is irrelevant for nodes that are closed or barred.
The second example demonstrates the role of uev. The formula [a]p → [(a; a)]p is valid. Hence, its negation := [a]p ∧ (a; a))p, which is already in negation normal form, is unsatisfiable and the root of any expanded tableau for it should not be open. Figure 2 shows such a tableau. The unlabelled edges in Fig. 2 link states to core-nodes. We omit the histories BD and BB as they do not play an important role in this example. Each partial function UEV_i maps the formula-pair (_i, _i) in Table 2 to 1 and is undefined otherwise as explained below.

Table 2. Definitions for the example in Fig. 2

UEV_i                         i = 1             i = 2             i = 3         i = 4
first formula of the pair     a)a)(a; a))p     a; a)(a; a))p     (a; a))p      a)(a; a))p
second formula of the pair    (a; a))p          (a; a))p          (a; a))p      (a; a))p

The histories are HCR_1 := [(_1, _1)] where _1 := a)(a; a))p and _1 := {[a]p, a)(a; a))p}, and HCR_2 := HCR_1 @ [(_2, _2)] where _2 := (a; a))p and _2 := {[a]p, (a; a))p}.
The dotted frame at (7a) indicates that its child, an id-node, is not shown due to space restrictions. Thus the marking of the nodes (3a) and (7a) in Fig. 2 with unsat is straightforward. The leaf (9) is a )-node, but it is blocked from creating its successor containing := {[a]p, a)(a; a))p} because there is a j ∈ N such that HCr_9[j] = HCR_2[j] = (a)(a; a))p, ): namely j = 1. Thus the )-rule computes UEV_1(a)_1, (a; a))p) = 1 as stated above and also puts stat_9 := open. As node (7a) is closed, nodes (8), (7b), (7), (6), and (5) inherit their functions UEV_i from their open children via the corresponding - and -rules.
The crux of our method occurs at node (4), a )-node with HCr_4 = [] and hence len(HCr_4) = 0. The )-rule thus finds a child node (5) and a pair of formulae (, ) := (a)(a; a))p, (a; a))p) where the first is a core-formula, the second is in pre() of it, and 1 = UEV_4(, ) = uev_5(, ) > len(HCr_4) = 0. Thus node (4) sees a child (5) that "loops lower", meaning that node (5) is the root of an isolated subtree which fails to fulfil its eventuality (a; a))p. The )-rule marks (4) as closed via stat_4 = unsat. The propagation of unsat to the root is simple.
What if the omitted child of (7a), and hence (7a) itself, had been open? Then UEV_3 in (7) would be undefined everywhere via the )_1-rule, regardless of uev_7b. Thus (a; a))p in (7) would be fulfilled via the _1-child (7a). Hence UEV_4 would be undefined everywhere, and node (4) would not be closed.
5 Conclusion and Further Work
We have given a sound, complete and terminating procedure for checking PDL-
satisability. Unfortunately, its worst-case time-complexity is in 2EXPTIME rather
than in EXPTIME, thus our procedure is sub-optimal. We now outline some further
practical and theoretical work which may eliminate this disadvantage.
First, we believe that a small renement of our histories will allow our calculus
to classify a loop as bad or good at the looping leaf, as is done by Baaders
procedure [3], but with no pre-computation of automata. Thus it should be possible
to extend DLP to handle our method. Further experimental work is required to
determine if such an extension will remain practical.
Second, recent work has shown that global caching can indeed deliver optimality
of tableau procedures soundly [10]. The histories used in our calculus make it harder
to extend sound global caching to it since nodes are now sensitive to their context
in the tree under construction. Further theoretical work is required to extend sound
global caching to handle such context sensitivity.
Fig. 2. A second example: a closed tableau for [a]p (a; a)p. The figure is reproduced here as a list of its nodes (formula set :: histories :: stat, uev); unlabelled edges link states to core-nodes.
(1) -node: [a]p (a; a))p :: [], :: unsat, uev. Its child is (2).
(2) []-node: [a]p , (a; a))p :: [], :: unsat, uev. Its child is (3).
(3) )_1-node: p , [a][a]p , (a; a))p :: [], :: unsat, uev. Its _1-child is (3a), its _2-child is (3b).
(3a) id-node: p , [a][a]p , p :: [], :: unsat, uev.
(3b) ; )-node: p , [a][a]p , a; a)(a; a))p :: [], a; a)(a; a))p :: unsat, uev. Its child is (4).
(4) )-node (state): p , [a][a]p , a)a)(a; a))p :: [], :: unsat, uev. Its core-node child is (5).
(5) []-node: [a]p , a)(a; a))p :: HCR_1, :: open, UEV_4. Its child is (6).
(6) )-node (state): p , [a][a]p , a)(a; a))p :: HCR_1, :: open, UEV_4. Its core-node child is (7).
(7) )_1-node: [a]p , (a; a))p :: HCR_2, (a; a))p :: open, UEV_3. Its _1-child is (7a), its _2-child is (7b).
(7a) []-node: [a]p , p :: HCR_2, :: unsat, uev (dotted frame; its id-node child is omitted).
(7b) ; )-node: [a]p , a; a)(a; a))p :: HCR_2, a; a)(a; a))p :: open, UEV_2. Its child is (8).
(8) []-node: [a]p , a)a)(a; a))p :: HCR_2, :: open, UEV_1. Its child is (9).
(9) )-node (state): p , [a][a]p , a)a)(a; a))p :: HCR_2, :: open, UEV_1. Blocked by node (5).
References
[1] Abate, P., R. Goré, and F. Widmann. One-pass tableaux for computation tree logic. In N. Dershowitz and A. Voronkov, editors, Proc. LPAR 2007, LNCS 4790:32-46, Springer, 2007.
[2] Alberucci, L., and G. Jäger. About cut elimination for logics of common knowledge. Annals of Pure and Applied Logic, 133(1-3):73-99, 2005.
[3] Baader, F. Augmenting concept languages by transitive closure of roles: an alternative to terminological cycles. Technical Report RR-90-13, DFKI, Kaiserslautern, Germany, 1990.
[4] Ben-Ari, M., Z. Manna, and A. Pnueli. The temporal logic of branching time. In Proc. Eighth ACM Symposium on Principles of Programming Languages, pages 164-176, 1981.
[5] Bhat, G., and R. Cleaveland. Efficient on-the-fly model checking for CTL*. In Proc. Symposium on Logics in Computer Science, pages 388-397, 1995.
[6] Cleaveland, R. Tableau-based model checking in the propositional mu-calculus. Acta Informatica, 27:725-747, 1990.
[7] Emerson, E. A., and J. Y. Halpern. Decision procedures and expressiveness in the temporal logic of branching time. Journal of Computer and System Sciences, 30:1-24, 1985.
[8] Fischer, M. J., and R. E. Ladner. Propositional dynamic logic of regular programs. Journal of Computer and System Sciences, 18:194-211, 1979.
[9] Giacomo, G. D., and F. Massacci. Combining deduction and model checking into tableaux and algorithms for Converse-PDL. Information and Computation, 160:109-169, 2000.
[10] Goré, R., and L. A. Nguyen. EXPTIME tableaux for ALC using sound global caching. In DL'07: Proc. International Workshop on Description Logics, 2007, 8 pages.
[11] Horrocks, I., and P. F. Patel-Schneider. Optimising description logic subsumption. Journal of Logic and Computation, 9(3):267-293, OUP, 1999.
[12] Jäger, G., M. Kretz, and T. Studer. Cut-free common knowledge. Journal of Applied Logic, to appear.
[13] Kozen, D., and R. Parikh. An elementary proof of the completeness of PDL. Theoretical Computer Science, 14:113-118, 1981.
[14] Pratt, V. Semantical considerations on Floyd-Hoare logic. In Proc. 17th IEEE Symposium on Foundations of Computer Science, pages 109-121, 1976.
[15] Pratt, V. A near-optimal method for reasoning about action. Journal of Computer and System Sciences, 20:231-254, 1980.
[16] Schmidt, R., and D. Tishkovsky. Personal communication, September 2007. http://www.cs.man.ac.uk/~schmidt/pdl-tableau
[17] Schwendimann, S. A new one-pass tableau calculus for PLTL. In H. de Swart, editor, Proc. TABLEAUX'98, LNAI 1397:277-291, Springer, 1998.
[18] Wolper, P. Temporal logic can be more expressive. Information and Computation, 56:72-99, 1983.
Appendix: Termination, Soundness and Completeness
Definition 5.1 Let G = (W, R) be a directed graph (e.g. a tableau where R is just the child-of relation between nodes). A path in G is a finite or infinite sequence x_0, x_1, x_2, ... of nodes in W such that x_i R x_{i+1} for all x_i except the last node if the sequence is finite.
Termination
Theorem 4.6 T is a finite tree.
Proof Sketch It is obvious that T is a tree and that every node in T can contain only formulae from the negation normal form analogue cl() of the Fischer-Ladner closure [8]. The definition of cl() has been omitted to save space, but cl() is finite. Hence there are only a finite number of different sets that can be assigned to nodes, in particular core-nodes, and the number of pairs (, ) with ⊆ cl() is finite. As each core-node is assigned such a pair and the )-rule ensures core-nodes on a branch possess different pairs, the number of core-nodes on a branch is finite.
It is not obvious that the number of nodes between consecutive core-nodes on a branch is finite since )- and []-formulae like a ) can regenerate on a branch without passing a core-node (e.g. a ) a)a ) a )). However, it is relatively easy to see that formulae of the form ) or [] are the only potential troublemakers between two states. For formulae of the form [] regeneration between two core-nodes is clearly ruled out by the history BB and the []-rule. For formulae of the form ), the job is done by the history BD and the )_1- and )_2-rules. In the latter case, it is crucial that the procedure chooses the decomposition of a principal ,a)-formula as the principal formula of the child, provided that the decomposition is also a ,a)-formula.
As the number of nodes between two core-nodes is finite, and there are only finitely many core-nodes on any branch, all branches in T are finite. Every node has finite degree so König's lemma completes the proof. □
Soundness
Theorem 4.7 If the root r ∈ T is open, there is a Hintikka structure for the input formula.
Proof. By construction, T is a finite tree. Let T_p (p for pruned) be the subgraph that consists of all nodes x having the following property: there is a path of open nodes from r to x inclusive. The edges of T_p are exactly the edges of T that connect two nodes in T_p. Clearly, T_p is also a finite tree with root r. Intuitively, T_p is the result of pruning all subtrees of T that have a closed or barred root.
Next, we extend T_p to a finite cyclic tree T_l (l for looping) by doing the following for every state x: for every formula a) ∈ x having a virtual successor y, which must lie on the path from r to x, we add the edge (x, y) to T_l. These new edges are called backward edges. Note that as id-nodes are closed by construction of T, all leaves of T_p must be states where all )-formulae (if any) are blocked. Hence every formula a) of every leaf has a virtual successor.
Finally, following Ben-Ari et al. [4], the cyclic tree T_l is used to generate a structure H = (W, R, L) as described next. Let W be the set of all states of T_l. For every a ∈ APrg and every s, t ∈ W, let s R_a t iff s contains a formula a) and there exists a path x_0 = s, x_1, ..., x_{k+1} = t in T_l such that x_1 is the (possibly virtual) successor of a) and each x_i, 1 ≤ i ≤ k, is an - or a -node. Thus state t is a saturation of x_1 using only - and -rules. Note that s R_a t and s R_b t is possible for a ≠ b, because two formulae a) ∈ s and b) ∈ s might have the same virtual successor: see point (7) of the )-rule. It is also possible that s R_a t and s R_a u for t ≠ u.
If we consider the root r of T_l as a core-node for a moment, it is not hard to see that for every state s ∈ T_l there exists a unique core-node x ∈ T_l and a unique path of the form x_0 = x, x_1, ..., x_k = s in T_l such that either k = 0 (and thus s = x) or k > 0 and each x_i, 0 ≤ i ≤ k−1, is not a state. We set L(s) to be the union of all formulae of all nodes on this path. Intuitively, we form L(s) by adding back all the principal formulae of the - and -rules which were applied to obtain s from x.
It is almost straightforward to check that H is a pre-Hintikka structure for the input formula. There are only two things that deserve extra comments: Firstly, it is not possible that T_l contains a )_2-node as it would be barred. Secondly, assume that y ∈ T_l is a []-node with principal formula [] and s is a state such that y lies on the path that defines the set L(s), which contains [], as described above. Then either and [][] are contained in the child of y in T_l, or, as the first node x on the path is a core-node with BB_z = ∅, there exists another []-node on the path that also has [] as principal formula and its child in T_l contains and [][]. As the child of an -node that lies on the path must lie on the path too, in both cases there is a node on the path containing and [][]. Thus and [][] are also contained in L(s).
To show that H is even a Hintikka structure we use Lemma 5.2 to conclude H6 as is shown next.
Suppose ) ∈ L(s). If we also have ∈ L(s) then (s, )), (s, ) is a fulfilling chain for (, , s) and we are done. Otherwise, the finiteness of the tableau and the fact that H is a pre-Hintikka structure give us a sequence (s, _0), ..., (s, _m) such that:
- _i ∈ pre()) and _i ∈ L(s) for all 0 ≤ i ≤ m
- _0 = ) and _m = a) for some a ∈ APrg and ∈ Fml
- _i → _{i+1} for all 0 ≤ i ≤ m−1.
Applying Lemma 5.2 for the state s and the formula _m = a) gives us a sequence (y_0, _0), ..., (y_n, _n) with the properties stated in Lemma 5.2. Let y_n, ..., y_{n+m} be an arbitrary path in T_l such that y_{n+m} is a state. Next, we replace each y_i, 1 ≤ i ≤ n, in that sequence with the first state s'_i that appears on the path y_i, ..., y_n, ..., y_{n+m}.
It is easy to check that the two sequences combined form a fulfilling chain for (, , s) in H if we contract all consecutive repetitions of pairs. This concludes the proof. □
Lemma 5.2 Let y ∈ T_l be a node and ∈ y a formula such that ∈ pre()). There exists a finite sequence (y_0, _0), ..., (y_n, _n) of pairs with n ≥ 0 such that:
- y_0, ..., y_n is a path in T_l
- y_i ∈ T_l, _i ∈ pre(), and _i ∈ y_i for all 0 ≤ i ≤ n
- y_0 = y, _0 = , _n = , and _i ≠ for all 0 ≤ i ≤ n−1
- for all 0 ≤ i ≤ n−1, either _i = _{i+1} or: if _i = a) for some a ∈ APrg and ∈ Fml then y_i is a state else _i → _{i+1}.
Proof. We inductively construct the sequence starting with (y_0, _0) := (y, ). Most of the required properties of the sequence follow directly from its construction and we leave it to the reader to check that they hold.
Step 1 Let (y_i, _i) be the last pair of the sequence. We distinguish three cases: either y_i is an - or -node and _i is not the principal formula in y_i; or y_i is an - or -node and _i is the principal formula in y_i; or y_i is a state.
If y_i is an - or -node and _i is not the principal formula in y_i, we set _{i+1} := _i and we choose y_{i+1} to be a successor of y_i in T_l such that uev_{y_i}(_i, )) = uev_{y_{i+1}}(_{i+1}, )). Note that such a y_{i+1} always exists since the value of uev_{y_i}(_i, )) is determined by one of its open children during the construction of T and hence T_l. But it does not have to be unique. We then repeat Step 1.
If y_i is an - or -node and _i is the principal formula in y_i, we look at all pairs (x, ) such that x is a child of y_i in T_l and _i is decomposed into ∈ x and _i → holds. By construction of T and hence T_l there is at least one open child such that the corresponding pair (x, ) obeys uev_{y_i}(_i, )) = uev_x(, )). Let (y_{i+1}, _{i+1}) be such a pair. If _{i+1} = we stop and return the sequence; otherwise we repeat Step 1.
If y_i is a state, it is not too hard to see that _i must be of the form a) for some a ∈ APrg and ∈ Fml. We set (y_{i+1}, _{i+1}) := (x, ) where x is the (possibly virtual) successor of _i = a) and repeat Step 1. Note that if x is a non-virtual successor of _i, we have uev_{y_i}(_i, )) = uev_{y_{i+1}}(_{i+1}, )) by construction of T and hence T_l. Also note that if x is a virtual successor of _i then _{i+1} = is the core-formula of y_{i+1} by construction of T and hence T_l.
The only way for Step 1 to terminate is by finding _{i+1} = . It is not difficult to see that the resulting (finite) sequence fulfils all requirements and the proof is completed. Hence the rest of the proof shows that the sequence as constructed by Step 1 is finite. Step 1 maintains the following invariant:
(∗) For all appropriate i ∈ N we have uev_{y_i}(_i, )) = uev_{y_{i+1}}(_{i+1}, )) unless y_{i+1} is the virtual successor of _i ∈ y_i.
In other words, the values of uev_{y_i}(_i, )) and uev_{y_{i+1}}(_{i+1}, )) can differ only if (y_i, y_{i+1}) is a backward edge in T_l. We distinguish two cases: either uev_{y_0}(_0, )) is undefined or it is defined. In both cases we show that the path y_0, y_1, ... can only have a finite number of backward edges. As every infinite path in T_l must use an infinite number of backward edges since T and T_p are finite trees, this proves that Step 1 terminates.
Case 1. If uev_{y_0}(_0, )) is undefined, the path y_0, y_1, ... cannot contain a backward edge as shown next. Assume for a contradiction that y_i with i ≥ 0 is the first node such that (y_i, y_{i+1}) is a backward edge. Since the initial uev_{y_0}(_0, )) was undefined, by (∗) we know that uev_{y_i}(_i, )) is undefined. But y_i is a state and as _i ∈ y_i, which must be of the form a) for some a ∈ APrg and ∈ Fml, has a virtual successor z, uev_{y_i}(_i, )) is defined to be the height of z by the application of the )-rule to y_i during the construction of the tableau. Thus uev_{y_i}(_i, )) is both defined and undefined, which is a contradiction.
Case 2. If h := uev_{y_0}(_0, )) is defined, the path y_0, y_1, ... can only contain a finite number of backward edges as shown next. Let y_i with i ≥ 0 be the first node such that (y_i, y_{i+1}) is a backward edge. If no such node exists, we are obviously done. Otherwise, we have uev_{y_i}(_i, )) = h by (∗). This means by construction of the tableau that there exists a set ⊆ Fml such that (_{i+1}, _{i+1}) = HCr_{y_i}[h]. Thus y_{i+1} is the h-th core-node (child of a )-node) on the path from the root r to y_i in T_l and we have len(HCr_{y_{i+1}}) = h by construction of HCr.
If uev_{y_{i+1}}(_{i+1}, )) had a value equal to or greater than h then the )-rule would cause the parent of y_{i+1} in T_l to be marked as closed since _{i+1} is the core-formula of y_{i+1}; but we know this is not the case. Hence uev_{y_{i+1}}(_{i+1}, )) is either undefined or has a value h' that is strictly smaller than h.
If uev_{y_{i+1}}(_{i+1}, )) is undefined, we can prove exactly as in Case 1 that the path y_{i+1}, y_{i+2}, ... cannot contain a backward edge. On the other hand, if h' := uev_{y_{i+1}}(_{i+1}, )) is defined, we can inductively repeat the arguments in Case 2 for the sequence (y_{i+1}, _{i+1}), (y_{i+2}, _{i+2}), .... The induction is well-defined because of h' < h, meaning that eventually this inductive argument must terminate because all such h-values must be in N_{>0}. □
Completeness
Definition 5.3 Let M = (W, R, V) be a model, w ∈ W a state and ∈ Fml a formula of the form = _1)..._k) for some k > 0 and _1, ..., _k ∈ Prg and ∈ Fml. A witness chain for (, , M, w) is a finite sequence (w_0, _0), ..., (w_n, _n) of world-formula pairs with n > 0 such that:
(1) w_i ∈ W, _i ∈ pre(), and M, w_i ⊨ _i for all 0 ≤ i ≤ n
(2) w_0 = w, _0 = , _n = , and _i ≠ for all 0 ≤ i ≤ n−1
(3) for all i, j ∈ {0, ..., n}, i ≠ j implies (w_i, _i) ≠ (w_j, _j), i.e. no pair occurs twice
(4) for all 0 ≤ i ≤ n−1, if _i = a) for some a ∈ APrg and ∈ Fml then _{i+1} = and w_i R_a w_{i+1}; otherwise _i → _{i+1} and w_i = w_{i+1}.
Proposition 5.4 In the setting of Def. 5.3, we have:
(1) for every 1 ≤ i ≤ k there exists an m < n such that (w_0, _0), ..., (w_m, _m) is a witness chain for (, _i)..._k), M, w)
(2) if _k = for some ∈ Prg then _{n−1} = ).
Proposition 5.5 Let M = (W, R, V) be a model, w ∈ W a state and ∈ Fml a formula of the form = _1)..._k) for some k > 0 and _1, ..., _k ∈ Prg and ∈ Fml. If M, w ⊨ then there exists a witness chain for (, , M, w).
From now on, let _y denote the set of formulae of a node y ∈ T. We say that a finite set of formulae is satisfiable iff the conjunction of its formulae is satisfiable.
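As an added illustration (this is example code written for this page, not code from the paper or from the TWB implementation), the following Python models three ingredients that the worked examples and the appendix rely on: the one-step decomposition relation on )-formulae, the regeneration of a )-formula without an atomic-program step (the "at a world" cycle of the first example that the BD history blocks, and the "troublemakers" of the termination proof), and witness chains in the sense of Def. 5.3, found here by breadth-first search over world/formula pairs, which is one concrete way to obtain the chain that Prop. 5.5 asserts to exist. The tuple encoding, the helper names and the three-world model are assumptions made here; the sample formulae are read as <(q?)*>(p & ~p) from the first example and <(a;a)*>p as a positive variant of the second example's eventuality (the extraction has dropped the star and negation glyphs, so this reading is an assumption).

```python
"""PDL formulae in negation normal form as nested tuples (added example; the
encoding is an assumption, not the paper's notation):
  ('p', n) atom   ('np', n) negated atom   ('and', f, g)   ('or', f, g)
  ('dia', prg, f) = <prg>f   ('box', prg, f) = [prg]f
programs: ('prg', 'a') atomic, ('seq', x, y) = x;y, ('ch', x, y) = x+y,
          ('star', x) = x*, ('test', f) = f?
"""
from collections import deque


def decompose(f):
    """One-step decomposition of <prg>f for a non-atomic prg (the '->' relation
    used in witness chains): the list of formulae it may be reduced to."""
    _, prg, body = f
    kind = prg[0]
    if kind == 'seq':
        return [('dia', prg[1], ('dia', prg[2], body))]
    if kind == 'ch':
        return [('dia', prg[1], body), ('dia', prg[2], body)]
    if kind == 'star':
        return [body, ('dia', prg[1], ('dia', prg, body))]
    if kind == 'test':          # <g?>f -> f, with g asserted at the same world
        return [body]
    raise ValueError('atomic program has no decomposition')


def regenerates(f):
    """True if f reaches itself again along '->' without crossing an atomic
    <a>-step: an 'at a world' cycle, which the BD history blocks (Fig. 1)."""
    seen, todo = set(), [f]
    while todo:
        g = todo.pop()
        if g[0] != 'dia' or g[1][0] == 'prg':
            continue                          # no further '->' step possible
        for h in decompose(g):
            if h == f:
                return True
            if h not in seen:
                seen.add(h)
                todo.append(h)
    return False


def rel(model, prg):
    """Accessibility relation of a program in a finite model (W, R, V)."""
    worlds, R, V = model
    kind = prg[0]
    if kind == 'prg':
        return set(R.get(prg[1], ()))
    if kind == 'seq':
        r1, r2 = rel(model, prg[1]), rel(model, prg[2])
        return {(u, w) for (u, v) in r1 for (v2, w) in r2 if v == v2}
    if kind == 'ch':
        return rel(model, prg[1]) | rel(model, prg[2])
    if kind == 'star':                        # reflexive transitive closure
        r = {(u, u) for u in worlds} | rel(model, prg[1])
        while True:
            new = r | {(u, w) for (u, v) in r for (v2, w) in r if v == v2}
            if new == r:
                return r
            r = new
    return {(u, u) for u in worlds if sat(model, u, prg[1])}   # test


def sat(model, w, f):
    """M, w |= f under the standard PDL semantics."""
    worlds, R, V = model
    k = f[0]
    if k == 'p':
        return w in V.get(f[1], ())
    if k == 'np':
        return w not in V.get(f[1], ())
    if k == 'and':
        return sat(model, w, f[1]) and sat(model, w, f[2])
    if k == 'or':
        return sat(model, w, f[1]) or sat(model, w, f[2])
    succ = [v for (u, v) in rel(model, f[1]) if u == w]
    if k == 'dia':
        return any(sat(model, v, f[2]) for v in succ)
    return all(sat(model, v, f[2]) for v in succ)              # box


def witness_chain(model, w, phi, psi):
    """Witness chain for (phi, psi, M, w) in the sense of Def. 5.3, found by
    breadth-first search over (world, formula) pairs; None if M, w does not
    satisfy phi. Atomic <a> steps move along R_a, all other steps stay put."""
    worlds, R, V = model
    if not sat(model, w, phi):
        return None
    start = (w, phi)
    parent, queue = {start: None}, deque([start])
    while queue:
        u, g = queue.popleft()
        if g[0] != 'dia':
            continue
        if g[1][0] == 'prg':
            nexts = [(v, g[2]) for (x, v) in R.get(g[1][1], ()) if x == u]
        else:
            nexts = [(u, h) for h in decompose(g)]
        for pair in nexts:
            if pair in parent or not sat(model, *pair):
                continue                      # keep the chain simple and true
            parent[pair] = (u, g)
            if pair[1] == psi:
                chain = [pair]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            queue.append(pair)
    return None


# Constructed sample data (assumptions, not taken from the paper): a three-world
# model 0 -a-> 1 -a-> 2 with p true only at world 2 and q true everywhere.
A, P, Q = ('prg', 'a'), ('p', 'p'), ('p', 'q')
MODEL = ({0, 1, 2}, {'a': {(0, 1), (1, 2)}}, {'p': {2}, 'q': {0, 1, 2}})
EX1 = ('dia', ('star', ('test', Q)), ('and', P, ('np', 'p')))   # <(q?)*>(p & ~p)
EX2 = ('dia', ('star', ('seq', A, A)), P)                       # <(a;a)*>p
```

Calling regenerates(EX1) reports the cycle <(q?)*>(p & ~p) -> <q?><(q?)*>(p & ~p) -> <(q?)*>(p & ~p) that nodes (1), (4) and (5) of Fig. 1 go through, while regenerates(EX2) is false because every loop of <(a;a)*>p has to pass an atomic <a>-step, i.e. a state. witness_chain(MODEL, 0, EX2, P) returns the six pairs (0, <(a;a)*>p), (0, <a;a><(a;a)*>p), (0, <a><a><(a;a)*>p), (1, <a><(a;a)*>p), (2, <(a;a)*>p), (2, p); its second-to-last formula is the star formula itself, as Prop. 5.4(2) requires, and the breadth-first search guarantees condition (3) (no repeated pair) because the chain is a simple path in the search graph.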
Lemma 5.6 Let x ∈ T with BD_x = ∅ and principal formula ∈ Fml,a) of the form = _1)..._k) for some k > 0 and _1, ..., _k ∈ Prg and ∈ Fml \ Fml). Let M = (W, R, V) be a model and w ∈ W a world such that (M, w) satisfies _x. Furthermore let (w_0, _0), ..., (w_n, _n) be a witness chain for (, , M, w). Then there exists a finite path z_0, z_1, ..., z_m in T with the following properties:
(i) m ≤ n, z_0 = x, BD_{z_m} = ∅, and the only state on the path (if any) is z_m
(ii) w_i = w, _i ∈ z_i, and (M, w) satisfies _{z_i} for all 0 ≤ i ≤ m
(iii) _i ∈ Fml,a) is the principal formula of z_i for all 0 ≤ i ≤ m−1
(iv) _m = or _m = a) for some a ∈ APrg and ∈ Fml.
Proof. We inductively construct the path starting with z_0 = x, such that the following invariant holds:
(∗) m < n and for all 0 ≤ i ≤ m: w_i = w and (M, w) satisfies _{z_i} and _i ∈ Fml,a) is the principal formula of z_i.
Note that (∗) holds for the initial path z_0. Also note that if the path fulfils (∗) then no node on it can be a state and _i ∈ z_i for all 0 ≤ i ≤ m.
Step 2 Let z_m be the last node of the path. It cannot be an id-node because it is satisfiable, nor a )_2-node for the following reason: Assume that z_m were a )_2-node. Then _m ∈ BD_{z_m} due to the )_2-rule and there must be an ancestor node z of z_m in T which inserted _m into the BD of its child such that _m is contained in the BD of all nodes between z (exclusive) and z_m (inclusive). As BD_{z_0} = ∅ by assumption, the node z must lie on the path, i.e. z = z_{m'} for some m' < m. Due to the tableau rules and the fact that z inserted _m, the node z must be a )_1-node with principal formula _m; but that together with (∗) entails (w_{m'}, _{m'}) = (w, _m) = (w_m, _m), which is not possible because the chain is a witness chain (no pair occurs twice). Hence z_m is not a )_2-node.
Let z_{m+1} be the child of z_m where _m is decomposed into _{m+1}. Such a child must exist because we have m < n and _m → _{m+1} due to the definition of the witness chain and the fact that _m ∈ Fml,a). The same reasoning also gives us w = w_m = w_{m+1} and M, w ⊨ _{m+1}. Moreover, the set _{z_m} is satisfied by (M, w) by (∗) and _{z_{m+1}} = (_{z_m} \ {_m}) ∪ {_{m+1}} by construction of the tableau T. Hence the set _{z_{m+1}} is satisfied by (M, w).
Now we distinguish whether or not _{m+1} is a ,a)-formula.
If _{m+1} is a ,a)-formula, it must be the principal formula of z_{m+1} due to the tableau rules and the fact that we have _m ∈ Fml,a). Moreover, we have m+1 < n because _{m+1} ≠ = _n and ∉ Fml). Thus our invariant (∗) for the path extended by z_{m+1} still holds and we repeat Step 2.
If _{m+1} is not a ,a)-formula, we have BD_{z_{m+1}} = ∅ due to the tableau rules and the fact that _m ∈ Fml,a). Furthermore, we have _m = or _m = a) for some a ∈ APrg and ∈ Fml because the chain is a witness chain. Thus the path extended by z_{m+1} fulfils all the required properties of the lemma, which concludes the proof in this case.
As the witness chain is finite, Step 2 must terminate after a finite number of repetitions, which means that we have found a path that proves this lemma. □
Lemma 5.7 Let x ∈ T with BD_x = ∅ and M = (W, R, V) be a model and w ∈ W a world such that (M, w) satisfies _x. Then there exists a finite path z_0, z_1, ..., z_n in T with the following properties: z_0 = x, z_n is the only state on the path, and (M, w) satisfies _{z_i} for all 0 ≤ i ≤ n.
Proof. We inductively construct the path starting with z_0 = x such that the following invariant holds:
(∗) (M, w) satisfies _y for every node y on the path and the last node z_i of the path has BD_{z_i} = ∅.
Note that the initial path z_0 fulfils the invariant by assumption.
Step 3 Let z_i be the last node of the path. If z_i is a state, we stop and return the path. Otherwise, we distinguish two cases: either the principal formula of z_i is not a )-formula or it is a )-formula.
If the principal formula of z_i is not a )-formula, we choose z_{i+1} to be a successor of z_i in T such that (M, w) satisfies _{z_{i+1}}. The existence of z_{i+1} is guaranteed by Prop. 2.6, the fact that (M, w) satisfies _{z_i} by (∗), and the fact that z_i cannot be an id-node because z_i is satisfiable nor a )_2-node because z_i's principal formula is not a )-formula. As z_i's principal formula is not a )-formula and BD_{z_i} = ∅ by (∗), we also have BD_{z_{i+1}} = ∅ by a simple inspection of the tableau rules. We then repeat Step 3.
If the principal formula of z_i is a )-formula, it is also a ,a)-formula because z_i is not a state. Hence it must be of the form = _1)..._k) for some k > 0 and _1, ..., _k ∈ Prg and ∈ Fml \ Fml). As (M, w) satisfies _{z_i} by (∗) and ∈ _{z_i}, we have M, w ⊨ . Thus Prop. 5.5 gives us a witness chain (w_0, _0), ..., (w_n, _n) with the properties stated in Prop. 5.5. Next we apply Lemma 5.6 to z_i and obtain a path with the properties of Lemma 5.6. Finally, the new path is obtained from the old one by appending this path minus its first node z_i, which is already the last node of the old path. As (M, w) satisfies _y for all y on the appended path and its last node y' has BD_{y'} = ∅, the new path fulfils (∗). We then repeat Step 3.
As T is finite, it is easy to see that Step 3 terminates, meaning that the last node z_n of the finite path is the only state on it. □
Lemma 5.8 For every closed node x = ( :: :: ) in T, the set _x is not satisfiable. In particular, if r is closed then the input formula is not satisfiable.
Proof. We use well-founded induction on the (strict) descendant relation of T. As T is a finite tree, the descendant relation is clearly well-founded. Thus we can use the following induction hypothesis for every node x ∈ T:
IH: for every descendant y of x, if y is closed then the set _y is not satisfiable.
If a leaf x ∈ T is closed, it must be an id-node as a state with no children is always open. Hence, our theorem follows from the fact that p, ¬p ∈ x for some p ∈ AFml. Note that this can be seen as the base case of the induction as leaves do not have descendants.
If x is a closed -node then its child must be closed as well so we can apply the induction hypothesis and the claim follows from the fact that in the sense of Table 1 the implication from the principal formula to the conjunction of its two decompositions is valid (Prop. 2.6).
If x is a closed -node then both children are closed as well so we can apply the induction hypothesis and the claim follows from the fact that in the sense of Table 1 the implication from the principal formula to the disjunction of its two decompositions is valid (Prop. 2.6). Note that x cannot be a )_2-node as it would not be closed in this case.
If x is a closed )-node (i.e. a closed state) then it has at least one child and there are three possibilities for why it was marked as closed by the )-rule:
(1) Some child x_0 of x is closed.
(2) Some child x_0 of x is barred.
(3) Some open child x_0 of x with core-formula has uev_{x_0}(, )) > h := len(HCr_x) for some ∈ Prg and ∈ Fml with ∈ pre()).
Case 1. In the first case, it is not too hard to see that the satisfiability of _x implies the satisfiability of _{x_0} since the )-rule preserves satisfiability from parent to child. By the induction hypothesis, we know that _{x_0} is not satisfiable, therefore _x cannot be satisfiable either.
Case 2. In the second case, we assume that _{x_0} is satisfiable and derive a contradiction. We can then prove the claim as in the first case.
So, for a contradiction, let M = (W, R, V) be a model and w ∈ W a world such that (M, w) satisfies _{x_0}. As BD_{x_0} = ∅ by the )-rule, we can apply Lemma 5.7 which gives us a path in T with the properties stated in Lemma 5.7. Let y be the last node of this path, hence y is a state. It is a descendant of x_0, therefore the induction hypothesis applies to it. By Lemma 5.7, (M, w) satisfies _y, hence y cannot be closed; but this means that y must be open as states can only be closed or open by the )-rule. It is now easy to see that all nodes on the path must also be open due to the construction of the variable stat in the - and -rules. But this is a contradiction to the assumption that x_0, which is the first node on the path, is barred.
Case 3. In the third case, we assume that _{x_0} is satisfiable and derive a contradiction. We can then prove the claim as in the first case.
So, for a contradiction, let M = (W, R, V) be a model and w ∈ W a world such that (M, w) satisfies _{x_0}. In particular, we have M, w ⊨ by assumption since ∈ x_0. As ∈ pre()), it is of the form = _1)..._{k−1})) for some _1, ..., _{k−1} ∈ Prg. Furthermore, let be of the form = _{k+1})..._{k+l})' for some _{k+1}, ..., _{k+l} ∈ Prg and ' ∈ Fml \ Fml). Note that l = 0 is possible: in this case we already have ∈ Fml \ Fml).
Applying Prop. 5.5 to M and = _1)..._{k+l})' with _k := gives us a witness chain (w_0, _0), ..., (w_n, _n) for (, ', M, w). According to Prop. 5.4, there exists an n' ≤ n with _{n'} = = _{k+1})..._{k+l})' and _{n'−1} = ).
Our plan is to walk down the tableau T starting from x_0 in a way that is consistent with the witness chain, which will lead to a contradiction when we reach _{n'}.
As BD_{x_0} = ∅ by the )-rule, we can apply Lemma 5.6 which gives us a path _1 = z_0, z_1, ..., z_m in T with the properties stated in Lemma 5.6. We can then apply Lemma 5.7 to z_m which gives us a path _2 with the properties stated in Lemma 5.7. Let s be the last node of _2, hence s is a state. It is a descendant of x_0, therefore the induction hypothesis applies to it. Thus s cannot be closed because (M, w) satisfies _s by Lemma 5.7; but this means that s must be open as states can only be closed or open by the )-rule. If we join _1 and _2 to obtain a single path, it is now easy to see that all nodes on it must also be open due to the construction of the variable stat in the - and -rules.
By assumption we have uev_{x_0}(, )) > h. As all nodes on _1 are open and _i ∈ Fml,a) is the principal formula of z_i for all 0 ≤ i ≤ m−1, we also have uev_{z_i}(_i, )) > h for all 0 ≤ i ≤ m−1 by definition of the - and -rules.
We now distinguish whether or not n' ≤ m.
If n' ≤ m then we have uev_{z_{n'−1}}(), )) > h as _{n'−1} = ); but as ) is the principal formula of z_{n'−1}, this is only possible if the first child of z_{n'−1}, which is z_{n'} as _{n'} = by definition of _{n'}, is not open according to the construction of uev in the )_1-rule. This, however, is a contradiction to the fact that all nodes on _1, in particular z_{n'}, are open.
If n' > m, we must have _m = a) for some a ∈ APrg and ∈ Fml as _m = ' is clearly not possible. Furthermore, we have uev_{z_m}(a), )) > h by definition of the - and -rules. As z_m is the first node on _2 and all nodes on _2 are open, we also have uev_y(a), )) > h for all nodes y on _2 by definition of the - and -rules. In particular, we have uev_s(a), )) > h. Let x_1 be the (possibly virtual) successor of a) ∈ s, which contains _{m+1} = . Then (w_{m+1}, _{m+1}), ..., (w_n, _n) is clearly a witness chain for (_{m+1}, ', M, w_{m+1}) which is strictly shorter than the original chain and still contains _{n'} and _{n'−1}. Note that n' > m+1 as _m = a) ≠ ). Additionally, we make the following two claims:
(1) uev_{x_1}(_{m+1}, )) > h and x_1 is a descendant of x_0 (i.e. the induction hypothesis holds in the subtree rooted at x_1).
(2) (M, w_{m+1}) satisfies _{x_1}.
Before we prove the two claims, we show their consequences: Basically, the two claims and the properties of the shorter chain allow us to inductively repeat the proof for x_1, w_{m+1}, _{m+1}, and the shorter chain instead of x_0, w, , and the original chain, respectively. As the new chain is strictly shorter than the old one, this is possible only a finite number of times. Hence we must eventually end up in the case n' ≤ m of the proof that yields a contradiction. Therefore the only thing left is to show that the two claims hold.
Claim 1. We distinguish whether x_1 is a virtual successor of a) ∈ s or not.
If x_1 is not virtual, that is it is a child of s in T, it is obviously a descendant of x_0 as every node on the path, in particular s, is a descendant of x_0. Furthermore, it follows directly from uev_s(a), )) > h and _{m+1} = and the definition of the )-rule that uev_{x_1}(_{m+1}, )) > h.
If x_1 is a virtual successor, a glance at the definition of uev_s in the )-rule re

veals that x_1 must lie on the path from x_0 to s (it could be x_0) as we have uev_s(a), )) > h and h = len(HCr_x). Thus x_1 is a descendant of x and has uev_{x_1}(_{m+1}, )) > h as we have already established this for every node on our way from x_0 down to s.
Claim 2. By definition of the )-rule, _{x_1} consists of _{m+1} together with a set such that [a] ⊆ _s. We know M, w_{m+1} ⊨ _{m+1} because of the properties of the witness chain. We also know that (M, w_m) in particular satisfies [a] since we have established that _s ⊇ [a] is satisfied by (M, w) and w = w_m. As w_{m+1} is a successor world of w (i.e. w R_a w_{m+1}), this implies that (M, w_{m+1}) satisfies , and hence _{x_1}. □
Theorem 4.8 If the root r ∈ T is not open then the input formula is not satisfiable.
Proof. If r is closed, the claim follows directly from Lemma 5.8. If r is barred, we assume that _r is satisfiable and derive a contradiction.
So, for a contradiction, let M = (W, R, V) be a model and w ∈ W a world such that (M, w) satisfies _r, which consists of the input formula alone. As BD_r = ∅ by construction of T, we can apply Lemma 5.7 which gives us a path with the properties stated in Lemma 5.7. Let y be the last node of the path, hence y is a state. It cannot be closed because of Lemma 5.8 and the fact that (M, w) satisfies _y; but this means that y must be open as states can only be closed or open by construction. It is easy to see that all nodes on the path must also be open due to the construction of the variable stat in the - and -rules. But this is a contradiction to the assumption that r, which is the first node on the path, is barred. □