Propositional Dynamic Logic
Logics of programs are modal logics arising from the idea of associating with each computer program α of a programming language a modality [α]. This idea stems from the line of works by Engeler [1967], Hoare [1969], Yanov [1959], and others who formulated and studied logical languages in which the properties of program connectives can be expressed. The algorithmic logic (AL) first developed by Salwicki [1970] and the dynamic logic (DL) elaborated by Pratt [1976] are proper continuations of these works. We will here concentrate on DL. The numerous papers devoted to DL and its variants as well as its multifarious applications in program verification and data structures show that it constitutes a useful tool in studying properties of programs. Pratt chose to depict DL on what one might call the first-order level, and it was his work that triggered Fischer and Ladner [1979] to define the propositional variant of DL a couple of years later. This article presents an introduction to PDL, the propositional variant of DL.
- 1. Introduction
- 2. Definitions and fundamental results
- 3. Structured programming and correctness of programs
- 4. Some variants
- 5. Conclusion
- Bibliography
- Academic Tools
- Other Internet Resources
- Related Entries
1. Introduction
Dynamic Logics (DL) are modal logics for representing the states and the events of dynamic systems. The language of DLs is both an assertion language able to express properties of computation states, and a programming language able to express properties of system transitions between these states. DLs are logics of programs, and permit to talk and reason about states of affairs, processes, changes, and results.
Pratt’s original dynamic logic of programs was a first-order modal logic. Propositional Dynamic Logic (PDL) is the propositional counterpart of it. It was presented as a logic in its own right in Fischer and Ladner [1979]. Being propositional, the language of PDL makes no use of terms, predicates, or functions. Thus in PDL, there are two syntactic categories: propositions and programs.
To give meaning to statements in PDL, we typically work with an abstract semantics in terms of Labeled Transition Systems (LTS). LTSs can be seen as a generalization of Kripke models, where transitions between worlds, or states, are “labeled” by names of atomic programs. A valuation indicates for every state what propositions are true in it. A transition labeled π from one state x to a state y—noted xR(π)y, or (x,y) ∈ R(π)—indicates that starting in x, there is a possible execution of the program π that finishes in y. If the proposition A is true in y, then the formula <π>A is true in x: i.e., in the state x there is a possible execution of the program α that ends in a state satisfying A. One recognizes in <π> a modality reminiscent of the modality of possibility (often noted ◊) of modal logic. Unsurprisingly, there is also a corresponding notion of necessity (whose modality is often noted □). The formula [π]A will be true in the state x if A is true in every state reachable from x by a transition labeled π.
The possible executions of complex programs can be next defined compositionally. For instance, a program “first α, then β” is a complex program, more specifically a sequence. A possible execution can be represented in an LTS by composing a two-step transition —hence a transition which can be signified by R(α;β)—between the states x and x′: there is a possible execution in x of the program α that finishes in a state y and there is a possible execution in y of the program β that finishes in x′. If the proposition A is true in x′, then the formula <α;β>A will be true in the state x. The programs α and β could be complex program themselves. Yet more programs can be expressed with more constructs that we will present in due time.
A program is then seen in an extensional way: it is a binary relation between pairs of states of an LTS. Precisely, it is the set of pairs of the form (x,y) such that the program can be executed in the state x and can lead to the state y. On the other hand, a proposition is a statement about a state; it is either true or false in a state. A proposition can thus also be seen in an extensional way: the set of states of the LTS where it is true.
With the acronym PDL, here we refer precisely to the propositional dynamic logic with the following program constructs: sequence, non-deterministic choice, unbounded iteration, and test. We present it in section 2, together with some properties and fundamental results. In particular, we will address its axiomatization and its decidability.
The Hoare calculus from Hoare [1969] is a landmark for logics of programs. It concerns the truth of statements of the form {A}α{B}—meaning that with the precondition A the program α always has B as a post-condition—and is defined axiomatically. It comes from a want of rigorous methods to reason about the properties of programs, and thus giving to the activity of programming a certain place in the realm of science. Burstall [1974] saw the analogy between modal logics and reasoning about programs, but the actual work on it started with Pratt [1976] when it was suggested to him by R. Moore, a student of his at the time. PDL comes from Pratt’s interpretation of Hoare’s calculus in the formalism of modal logic. An introduction to the genesis of PDL can be found in Pratt [1980b]. The Hoare-triple {A}α{B} is captured by the PDL formula A → [α]B meaning literally that if A is true, then every successfully terminating execution of α will end with B being true. With this connection realized, it is a routine to prove the initial rules of Hoare’s calculus using exclusively the axiomatization of PDL. This is something we will do in detail in section 3 which concentrates on the reasoning about the correctness of structured programs.
Additional topics related to PDL include results concerning comparative power of expression, decidability, complexity, and completeness of a number of interesting variants obtained by extending or restricting PDL in various ways. Since its inception, many variants of PDL have received attention. These variants may consider deterministic programs, restricted tests, non-regular programs, programs as automata, complementation and intersection of programs, converse and infinite computations, etc. We will present some of them in section 4, providing some pointers regarding their relative expressivity, their axiomatizations, and their computational complexity.
We conclude in section 5.
2. Definitions and fundamental results
We present the syntax and semantics of PDL in section 2.1. The proof theory of PDL is presented in section 2.2 with axiomatizations and pointers to the literature on completeness. We address the problem of decidability and complexity in section 2.3.
2.1 Syntax and semantics
Propositional dynamic logic (PDL) is designed for representing and reasoning about propositional properties of programs. Its syntax is based upon two sets of symbols: a countable set Φ0 of atomic formulas and a countable set Π0 of atomic programs. Complex formulas and complex programs over this base are defined as follows:
- Every atomic formula is a formula
- 0 (“false”) is a formula
- If A is a formula then ¬A (“not A”) is a formula
- If A and B are formulas then (A∨B) (“A or B”) is a formula
- If α is a program and A is a formula then [α]A (“every execution of α from the present state leads to a state where A is true”) is a formula
- Every atomic program is a program
- If α and β are programs then (α;β) (“do α followed by β”) is a program
- If α and β are programs then (α∪β) (“do α or β, non-deterministically”) is a program,
- If α is a program then α* (“repeat α a finite, but non-deterministically determined, number of times”) is a program.
- If A is a formula then A? (“proceed if A is true, else fail”) is a program
The other Boolean connectives 1, ∧, →, and ↔ are used as abbreviations in the standard way. In addition, we abbreviate ¬[α]¬A to <α>A (“some execution of α from the present state leads to a state where A is true”) as in modal logic. We write αn for α;…;α with n occurrences of α. More formally:
- α0 =df 1?
- αn+1 =df α;αn
- α+ =df α;α*
is often useful to represent an iteration that is unbounded but occurs at least once. Finally, we adopt the standard rules for omission of parentheses.
Formulas can be used to describe the properties that hold after the successful execution of a program. For example, the formula [α∪β]A means that whenever program α or β is successfully executed, a state is reached where A holds, whereas the formula <(α;β)*>A means that there is a sequence of alternating executions of α and β such that a state is reached where A holds. Semantically speaking, formulas are interpreted by sets of states and programs are interpreted by binary relations over states in a transition system. More precisely, the meaning of PDL formulas and programs is interpreted over Labeled Transition Systems (LTS) M = (W, R,V) where W is a nonempty set of worlds or states, R is a mapping from the set Π0 of atomic programs into binary relations on W and V is a mapping from the set Φ0 of atomic formulas into subsets of W.
Informally, the mapping R assigns to each atomic program π ∈ Π0 some binary relation R(π) on W with intended meaning xR(π)y iff there exists an execution of π from x that leads to y, whereas the mapping V assigns to each atomic formula p ∈ Φ0 some subset V(p) of W with intended meaning x ∈ V(p) iff p is true in x. Given our readings of 0, ¬A, A∨B, [α]A, α;β, α∪β, α* and A?, it is clear that R and V must be extended inductively as follows to supply the intended meanings for the complex programs and formulas:
- xR(α;β)y iff there exists a world z such that xR(α)z and zR(β)y
- xR(α∪β)y iff xR(α)y or xR(β)y
- xR(α*)y iff there exists a non-negative integer n and there exist worlds z0, …, zn such that z0 = x, zn = y and for all k = 1..n, zk−1R(α)zk
- xR(A?)y iff x = y and y ∈ V(A)
- V(0) = ∅
- V(¬A) = W \V(A)
- V(A∨B) = V(A) ∪ V(B),
- V([α]A) = {x: for all worlds y, if xR(α)y then y ∈ V(A)}
If x ∈ V(A) then we say that A is satisfied at state x in M, or “M, x sat A”.
Call M the LTS depicted above on the left and M′ the LTS depicted on the right. Formally defined, we have M = (W, R, V) with W = {x1,x2}, R(π1) = {(x1,x1)}, R(π2) = {(x1,x2)}, V(p) = {x1}, V(q) = {x2}, and we have M′ = (W′, R′, V′) with W′ = {y1,y2,y3,y4}, R(π1) = {(y1,y2), (y2,y2)}, R′(π2) = {(y1,y3), (y2,y4)}, V′(p) = {y1, y2}, V′(q) = {y3, y4}. We have for instance:
- M, x1 sat p
- M, x2 sat q
- M, x1 sat <π1>p ∧ <π2>q
- M, x1 sat [π1]p ∧ [π1*]p
- M′, y1 sat <π1*;π2>q
- M′, y2 sat [π1*]p
- M′, y1 sat [π1∪π2](q ∨p)
- M′, y3 sat [π1∪π2]0
Now consider a formula A. We say that A is valid in M or that M is a model of A, or “M ⊨ A”, iff for all worlds x, x ∈ V(A). A is said to be valid, or “⊨ A”, iff for all models M, M ⊨ A. We say that A is satisfiable in M or that M satisfies A, or “M sat A”, iff there exists a world x such that x ∈ V(A). A is said to be satisfiable, or “sat A”, iff there exists a model M such that M sat A. Interestingly,
sat A iff not ⊨ ¬A
⊨ A iff not sat ¬A
Some remarkable formulas of PDL are valid. (The reader may try to prove them formally, or at least start convincing themselves on the few examples displayed above.)
⊨ [α;β]A ↔ [α][β]A
⊨ [α∪β]A ↔ [α]A ∧ [β]A
⊨ [α*]A ↔ A ∧ [α][α*]A
⊨ [A?]B ↔ (A → B)
Equivalently, we can write them under their dual form.
⊨ <α;β>A ↔ <α><β>A
⊨ <α∪β>A ↔ <α>A ∨ <β>A
⊨ <α*>A ↔ A ∨ <α><α*>A
⊨ <A?>B ↔ A ∧ B
One interesting notion concerns the amount of information, expressed with PDL formulas, that is contained in an LTS. The behavior of a system described as an LTS is indeed often slightly hidden in its form. For instance, on simple inspection, it is easy to convince oneself that the two LTSs depicted above have the same behavior, and satisfy the same PDL formulas. To finish this section on syntax and semantics we give the theoretical foundation of these claims.
Given two LTSs, one may ask whether they satisfy the same formulas. The notion of bisimulation has become the standard measure for equivalence of Kripke models and Labeled Transition Systems. A bisimulation between the LTSs M = (W, R,V) and M′ = (W′, R′, V′) is a binary relation Z between their states such that for all worlds x in M and for all worlds x′ in M′, if xZx′ then
- for all atomic formulas p ∈ Φ0, x∈V(p) iff x′∈ V′(p)
- for all atomic programs π ∈ Π0 and for all worlds y in M, if xR(π)y then there exists a world y′ in M′ such that yZy′ and x′R′(π)y′
- for all atomic programs π ∈ Π0 and for all worlds y′ in M′, if x′ R′(π)y′ then there exists a world y in M such that yZy′ and xR(π)y
We say that two LTSs are bisimilar when there exists a bisimulation between them. It is known since the beginning of PDL that in two bisimilar LTSs M and M′, for all worlds x in M and for all worlds x′ in M′, if xZx′ then for all PDL formulas A, x ∈ V(A) iff x′ ∈ V′(A). Thus when two LTSs are bisimilar under the definition of bisimulation above, it is the case that, if xZx′ then
- for all programs α and for all worlds y in M, if xR(α)y then there exists a world y′ in M′ such that yZy′ and x′R′(α)y′
- for all programs α and for all worlds y′ in M′, if x′R′(α) y′ then there exists a world y in M such that yZy′ and xR(α)y
Hence one can simply compare the behaviors of two LTSs by inspecting solely the atomic programs and safely extrapolate on the comparative behavior of these LTSs even for complex programs. We say that the program constructs of PDL are safe for bisimulation. See Van Benthem [1998] for precise characterizations of program constructs that are safe for bisimulation.
It is readily seen that the two instances of LTSs above are bisimilar. A bisimulation Z between M and M′ can be given as: Z = {(x1,y1), (x1,y2), (x2,y3), (x2,y4)}. The states x1 and y1 satisfy exactly the same PDL formulas. So do the states x1 and y2, etc.
2.2 Axiomatization and completeness
The purpose of the proof theory is to provide the characterization of the property ⊨ A in terms of axioms and rules of inference. In this section, we define a deducibility predicate ⊢ inductively by operations on formulas that depend only on their syntactic structure in such a way that for all formulas A,
⊢ A iff ⊨ A.
Of course, PDL is an extension of classical propositional logic. We first expect that all propositional tautologies hold, and all propositional reasoning is allowed. In particular, modus ponens is a valid rule: from A and A → B infer B. For any program α, restricting an LTS to the relation R(α) we obtain a Kripke model in which the logic of the modality [α] is the weakest propositional normal modal logic, namely, the logic K. Thus, PDL contains every instance of the familiar distribution axiom schema:
(A0) [α](A → B) → ([α]A → [α]B)
and it is closed under the following rule of inference (necessitation rule):
(N) from A infer [α]A.
A modal logic is normal if it obeys (A0) and (N). Important properties for all α, are that [α] distributes over the conjunction ∧, and the rule of monotony, which permits from A → B to infer [α]A → [α]B, can be proven. Finally, PDL is the least normal modal logic containing every instance of the following axiom schemas
(A1) [α;β]A ↔ [α][β]A
(A2) [α∪β]A ↔ [α]A ∧ [β]A
(A3) [α*]A ↔ A ∧ [α][α*]A
(A4) [A?]B ↔ (A → B)
and closed under the following rule of inference (loop invariance rule):
(I) from A → [α]A infer A → [α*]A
If X is a set of formulas and A is a formula then we say that A is ⊢-deducible from X, or “X ⊢ A”, if there exists a sequence A0, A1, …, An of formulas such that An = A and for all i≤n, Ai is an instance of an axiom schema, or a formula of X, or comes from earlier formulas of the sequence by a rule of inference. Further, ⊢ A iff ∅ ⊢ A; in this case we say that A is ⊢-deducible. X is said to be ⊢-consistent iff not X ⊢ 0. It is easy to establish that (I) can be replaced by the following axiom schema (induction axiom schema):
(A5) [α*](A → [α]A) → (A → [α*]A)
Let us first establish that (I) is a derived rule of the proof system based on (A1), (A2), (A3), (A4) and (A5):
1. A → [α]A premise 2. [α*](A → [α]A) from 1 using (N) 3. [α*](A → [α]A) → (A → [α*]A) axiom schema (A5) 4. A → [α*]A from 2 and 3 using modus ponens
Let us next establish that (A5) is ⊢-deducible:
1. [α*](A → [α]A) ↔ (A → [α]A) ∧ [α][α*](A → [α]A) axiom schema (A3) 2. A ∧ [α*](A → [α]A) → [α](A ∧ [α*](A → [α]A)) from 1 using propositional reasoning and distributivity of [α] over ∧ 3. A ∧ [α*](A → [α]A) → [α*](A ∧ [α*](A → [α]A)) from 2 using (I) 4. [α*](A → [α]A) → (A → [α*]A) from 3 using propositional reasoning and distributivity of [α*] over ∧
The axiomatization of PDL based on axiom schemas (A1), (A2), (A3), (A4) and (A5) has been proposed in Segerberg [1977]. It is immediate from the definitions above that ⊢ is sound with respect to ⊨, i.e.
For all formulas A, if ⊢A, then ⊨A
The proof proceeds by induction on the length of A’s deduction in ⊢. The question of the completeness of ⊢ with respect to ⊨, i.e.,
For all formulas A, if ⊨A, then ⊢A
was pursued by several logicians. The line of reasoning presented in Segerberg [1977] was the first attempt to prove the completeness of ⊢. Soon, Parikh came up with a proof, too. When early 1978 Segerberg found a flaw in his argument (which he repaired eventually), Parikh published what can be considered the first proof of the completeness of ⊢ in Parikh [1978]. Different proofs of completeness of ⊢ have been published since, e.g. Kozen and Parikh [1981].
Different alternative proof theories of PDL have also been sought after. Even early on, notably in Pratt [1978]. Let us then also mention the completeness of related theories by Nishimura [1979] and Vakarelov [1983].
An alternative formulation of a deducibility predicate for PDL permits the use of an infinitary rule of inference, as for instance in Goldblatt [1992a]. (An infinitary rule of inference takes an infinite number of premises.) Let ⊢′ be the deducibility predicate corresponding in the language of propositional dynamic logic to the least normal modal logic containing every instance of the axiom schemas (A1), (A2), (A3) and (A4) and closed under the following infinitary rule of inference:
(I′) from {[β][αn]A: n ≥ 0} infer [β][α*]A
It can be proved that ⊢′ is both sound and complete with respect ⊨, i.e.,
For all formulas A, ⊢′ A iff ⊨ A
In other words, as far as generating the set of all valid formulas is concerned, the proof systems ⊢ and ⊢′ are equivalent.
2.3 Decidability and complexity
The aim of the complexity theory is to establish the computability of the property sat A in terms of resources of time or space. The complexity of a logic L is often identified with the problem of deciding the satisfiability of its formulas, defined as:
(L-SAT) Given a formula A of L, is A satisfiable?
In this section, we investigate the complexity of the following decision problem:
(PDL-SAT) Given a formula A of PDL, is A satisfiable?
The complete axiomatization of PDL is a recursive definition of the set of valid PDL formulas, or in other words, of the set of formulas whose negation is not satisfiable. Hence, concerning the problem (PDL-SAT), we have a sub-procedure that would answer “no” if the PDL formula A were not satisfiable. The sub-procedure (SP1) consists in enumerating all the formulas ⊢-deducible, starting from the axioms and inferring other theorems with the help of the inference rules. Given enough time, if a formula is ⊢-deducible, the sub-procedure would find it eventually. Thus, if A is not satisfiable, (SP1) must eventually find ¬A, and answer “no” when it does.
However, if the formula A is satisfiable, then (SP1) would never find ¬A. It would run forever, and one could not be sure about it at any time. But there is a way out of this uncertainty. We can also think of a second sub-procedure that answers “yes” if a PDL formula is satisfiable. Indeed, one of the earliest results on PDL was the proof that PDL has the finite model property, i.e.,
For all formulas A, if sat A then there exists a finite model M such that M sat A.
The finite model property offers a basis for a sub-procedure (SP2) that consists in enumerating one by one the finite models of PDL and testing whether one of them satisfies the formula. (For all formulas A and for all finite models M, it is easy to test if M sat A by applying the definition of V(A).) Thus, if A is satisfiable, it must eventually find a model M such that M sat A, and answer “yes” when it does. Symmetrically to the first sub-procedure (SP1), if the formula A is not satisfiable, then (SP2) will never find a model satisfying it, it will run forever, and one could not be sure about it at any time.
Now, combining (SP1) and (SP2) together we have a way of deciding whether a PDL formula A is satisfiable. It suffices to run them in parallel: if A is satisfiable then (SP2) will eventually answer “yes”, if A is not satisfiable then (SP1) will eventually answer “no”. The procedure halts when either (SP1) or (SP2) provides an answer.
If the procedure that is obtained is sufficient to conclude that the problem (PDL-SAT) is decidable, it is very ineffective in practice. There is a result—due to Fischer and Ladner [1979] and Kozen and Parikh [1981]— stronger than the finite model property, that is small model property:
For all formulas A, if sat A then there exists a finite model M of size exponential in A such that M sat A.
This means that we would now know when to stop looking for a model satisfying a formula in the procedure (SP2). Hence, we can use (SP2) to test whether a formula is satisfiable, but once we have exhausted all small models, we can conclude that the formula is not satisfiable. This yields a procedure that runs non-deterministically in exponential time (NEXPTIME): guess a model of size at most singly exponential, and check whether it satisfies the formula. But the key results in the complexity theory of PDL come from Fischer and Ladner [1979] and Pratt [1980a]. Observing that a formula of PDL can efficiently describe the computation of a linear-space–bounded alternating Turing machine, Fischer and Ladner [1979] first established the lower bound of exponential time of (PDL-SAT). The EXPTIME upper bound of (PDL-SAT) has been obtained by Pratt [1980a], who used the equivalent for PDL of the method of tableaux. Thus, (PDL-SAT) is EXPTIME-complete. (An algorithm more efficient in practice, although still running in deterministic exponential time in the worst case, is proposed in De Giacomo and Massacci [2000].)
3. Structured programming and correctness of programs
Historically, logics of programs stem from the work in the late 1960s of computer scientists interested in assigning meaning to programming languages and finding a rigorous standard for proofs about the programs. For example such proofs may be about the correctness of a program with respect to an expected behavior, or about the termination of a program. A seminal paper is Floyd [1967] which presents an analysis of the properties of structured computer programs using flowcharts. Some early work such as Yanov [1959] or Engeler [1967] had advanced and studied formal languages in which the properties of program connectives can be expressed. The formalism of Hoare [1969] was a milestone in the advent of PDL. It was proposed as a rigorous axiomatic interpretation of Floyd’s flowcharts. We often talk about Hoare logic, or Floyd-Hoare logic, or Hoare calculus when referring to this formalism. Hoare calculus is concerned with the truth of statements (“Hoare triples”), such as {A}α{B} which establishes a connection between a precondition A, a program α, and a post-condition B. It indicates that whenever A holds as a precondition of the execution of α, then B holds as a post-condition after the successful execution of α.
It was true some decades ago, and it is still the case: validating a program is more often than not done by testing it on a reasonable variety of inputs. When an input does not yield the expected output, the “bug” is fixed. If eventually for every tested input we obtain the expected output, one has a reasonable belief that the program has no error. However, this is a time consuming method of validation, and it leaves place for untested inputs that would fail. Finding these errors after the program has been implemented and gone into use is even more costly in resources. Reasoning about program correctness with formal methods is crucial for critical systems since it offers a way of proving exhaustively that a program has no errors.
3.1 Hoare calculus
To illustrate the sort of principles of programs captured by the rules in the Hoare calculus it is enough to consult some of them. (N.B.: the rules mean that if all the statements above the rule line hold—the premises—then also the statement under the rule line—the conclusion— holds.)
{A} α1 {B} {B} α2 {C} (rule of composition) {A} α1 ; α2 {C}
The rule of composition captures the elementary sequential composition of programs. As premises, we have two assumptions about the partial correctness of two programs α1 and α2. The first assumption is that when α1 is executed in a state satisfying A, then it will finish in a state satisfying B, whenever it halts. The second assumption is that when α2 is executed in a state satisfying B, then it will finish in a state satisfying C, whenever it halts. The conclusion of the rule is about the partial correctness of the program α1;α2 (i.e., α1 sequentially composed with α2), that follows from the two assumptions. Namely, we can conclude that if α1;α2 is executed in a state satisfying A, then it finishes in a state satisfying C, whenever it halts.
The rule of iteration is an important one because it captures the essential ability of programs to execute some portion of code repeatedly until a certain condition ceases to hold.
{A ∧ B} α {A} (rule of iteration) {A} while B do α {¬B ∧ A}
Finally, the two rules of consequence are fundamental to give a formal basis to intuitively clear reasoning involving weaker post-conditions and stronger preconditions respectively.
{A} α {B} B → C (rule of consequence 1) {A} α {C}
C → A {A} α {B} (rule of consequence 2) {C} α {B}
From the formalism presented in Hoare [1969], we leave out its axiom schemas as it would require a first-order language. Finally, in subsequent work on Hoare logic, more rules are also often added. See Apt [1979] for an early overview.
3.2 Hoare calculus and PDL
Dynamic logics come from Pratt’s interpretation of Hoare triples and Hoare calculus in the formalism of modal logic. With the modality [α], we can express formally that all states reachable by executing α satisfy the formula A. This is done by writing [α]A. Thus, the Hoare triple {A}α{B} is simply captured by the PDL formula
A → [α]B
In addition, important programming constructs are easily introduced in PDL by definitional abbreviation:
- if A then α else β =df ((A?;α) ∪ (¬A?;β))
- while A do α =df ((A?;α)*;¬A?)
- repeat α until A =df (α;((¬A;α)*;A?))
- abort =df 0?
- skip =df 1?
Thus, it seems that with PDL we are well-equipped to logically prove the correctness of structured programs. Beyond this rather hand-waving connection between PDL and Hoare calculus, perhaps it is not yet clear how they relate formally. PDL is in fact a generalization of Hoare calculus in the sense that all the rules of the Hoare calculus can be proven in the axiomatic system of PDL. (Rigorously, the Hoare calculus contains axioms that would require the extended language of first-order Dynamic Logic.) This is quite remarkable, so we will show here the two above rules to serve as examples.
The proofs start by assuming the premises of the rules. Then by using these assumptions, axioms and rules of PDL, and nothing else, the objective is to establish that the conclusion of the rules logically follows. Hence, for the rule of composition, we start by assuming {A}α1{B}, that is A → [α1]B in its PDL formulation, and by assuming {B}α2{C}, that is B → [α2]C. The objective is to prove that {A}α1;α2{C}. Precisely, we want to establish that A → [α1;α2]C is ⊢-deducible from the set of formulas {A → [α1]B, B → [α2]C}.
1. A → [α1]B assumption {A}α1{B} 2. B → [α2]C assumption {B}α2{C} 3. [α1]B → [α1][α2]C From 2 using monotony of [α1] 4. A → [α1][α2]C from 1 and 3 using propositional reasoning 5. [α1;α2]C ↔ [α1][α2]C axiom schema (A1) 6. A → [α1;α2]C from 4 and 5 using propositional reasoning — {A}α1;α2{C}
The proof of the rule of iteration is slightly more involved.
1. A∧B → [α]A assumption {A ∧ B}α{A} 2. A → (B → [α]A) from 1 using propositional reasoning 3. [B?][α]A ↔ (B →[α]A) axiom schema (A4) 4. A → [B?][α]A from 2 and 3 using propositional reasoning 5. [B? ; α]A ↔ [B?][α]A axiom schema (A1) 6. A → [B?;α]A from 4 and 5 using propositional reasoning 7. A → [(B?;α)*]A from 6 using (I) 8. A → (¬B → (¬B∧A)) propositional tautology 9. A → [(B?;α)*](¬B → (¬B∧A)) from 7 and 8 using monotony of [(B?;α)*] and propositional reasoning 10. [¬B?](¬B∧A) ↔ (¬B → (¬B∧A)) Axiom schema (A4) 11. A → [(B?;α)*][¬B?](¬B∧A) from 9 and 10 using monotony of [(B?;α)*] and propositional reasoning 12. [(B?;α)* ; ¬B?](¬B∧A) ↔ [(B?;α)*][¬B?](¬B∧A) axiom schema (A1) 13. A → [(B?;α)* ; ¬B?](¬B∧A) from 12 using propositional reasoning — {A} while B do α {¬B∧A}
In the context of PDL, the two rules of consequence are in fact special cases of the rule of composition. To obtain the first rule, substitute α1 with α and α2 with skip. To obtain the second rule, substitute α1 with skip and α2 with α. It suffices to apply the axiom schema (A4), and to remark that [α;skip]A ↔ [α]A and [α;skip]A ↔ [α]A are also ⊢-deducible for all A and all α.
3.3 Total correctness
By Hoare’s own admission in Hoare [1979], his original calculus was merely a starting point and suffered quite a few limitations. Particularly, it only allows one to reason about partial correctness. That is, the truth of a statement {A}α{B} only makes sure that all executions of α starting in a state satisfying A will end in a state satisfying B, or will not halt. That is, a partially correct program may have non-terminating executions. (In fact, a program that has no terminating execution will always be partially correct. This is the case for example of the program while 1 do skip. The formula A → [while 1 do skip]B is deducible for all formulas A and B.) The calculus offers no basis for a proof that a program terminates. It can be modified so as to account for total correctness of programs: partial correctness plus termination. It is achieved by amending the rule of iteration. We do not present it here and refer the interested reader to Apt [1981].
Let us first observe that for deterministic programs, one can already capture total correctness via formulas of the kind
A → <α>B
The expression <α>B means that there is an execution of α that terminates in a state that satisfies B. Moreover, if α is deterministic, this possible terminating execution is the unique execution of α. Thus, if one first manages to prove that a program is deterministic, this trick works well enough to prove its total correctness.
A general solution to the problem of total correctness exists in the realm of PDL. But we need to extend it a little. Pratt had already alluded in Pratt [1980b] that PDL is not expressive enough to capture the infinite looping of programs. In reaction, PDL with repeating (RPDL) was introduced by Streett [1982]. It contains, for all programs α, the expression Δα standing for a new proposition with semantics
V(Δα) = {x: there exists an infinite sequence x0, x1, … of states such that x0 = x and for all n ≥ 0, xnR(α)xn+1}
Streett [1982] conjectured that RPDL can be axiomatized by adding to the proof system of PDL precisely the following axiom schemas.
(A6) Δα → <α>Δα
(A7) [α*](A → <α>A) → (A → Δα)
The proof of the conjecture was provided in Sakalauskaite and Valiev [1990]. (A version of the conjecture in the variant of combinatory PDL was also proved in Gargov and Passy [1988].)
It is easy to see that in the Hoare calculus presented above, non termination can only come from the rule of iteration. Analogously, non termination of a PDL program can only come from the use of the unbounded iteration. The expression Δα indicates that α* can diverge, and this is just the kind of notion we need. We can now inductively define a predicate ∞ such that for a program α, the formula ∞(α) will be true exactly when α can enter a non-terminating computation.
∞(π) := 0 where π ∈ Π0
∞(φ?) := 0
∞(α ∪ β) := ∞(α) ∨ ∞(β)
∞(α ; β) := ∞(α) ∨ <α> ∞(β)
∞(α*) := Δα ∨ <α*> ∞(α)
Finally, the total correctness of a program can be expressed via formulas of the kind
A → (¬∞(α) ∧ [α]B)
which means literally that if A is the case, then the program α cannot run forever and every successful execution will end in a state satisfying B.
4. Some variants
Results concerning comparative power of expression, decidability, complexity, axiomatization and completeness of a number of variants of PDL obtained by extending or restricting its syntax and its semantics constitute the subject of a wealth of literature. We can only say so much and we will address just a few of these variants leaving out big chunks of otherwise important work in dynamic logic.
4.1 PDL without tests
The axiom schema [A?]B ↔ (A → B) seems to indicate that for every formula C, there exists an equivalent test-free formula C′—i.e., there is a test-free formula C′ such that ⊨ C ↔ C′. It is interesting to observe that this assertion is untrue. Let PDL0 be the restriction of PDL to test-free regular programs, i.e. programs which do not contain tests. Berman and Paterson [1981] considered the PDL formula <(p?;π)*;¬p?;π;p?>1, which is
<while p do π><π>p
and proved that there is no PDL0 formula equivalent to it. Hence, PDL has more expressive power than PDL0. Their argument actually can be generalized as follows. For all n ≥ 0, let PDLn+1 be the subset of PDL in which programs can contain tests A? only if A is a PDLn formula. For all n ≥ 0, Berman and Paterson considered the PDLn+1 formula An+1 defined by
<while An do πn>< πn>An
where A0 = p and π0 = π and proved that for all n ≥ 0, there is no PDLn formula equivalent to An+1. Hence, for all n ≥ 0, PDLn+1 has more expressive power than PDLn.
4.2 PDL with converse
CPDL is the extension of PDL with converse. It is a construct that has been considered since the beginning of PDL. For all programs α, let α-1 stand for a new program with semantics
xR(α-1)y iff yR(α)x.
The converse construct allows us to express facts about states preceding the current one and to reason backward about programs. For instance, [α-1]A means that before executing α, A had to hold. We have
⊨ A → [α]<α-1>A,
⊨ A → [α-1]<α>A.
The addition of the converse construct does not change the properties of PDL in any significant way. By adding every instance of the following axiom schemas:
(A8) A → [α]<α-1>A
(A9) A → [α-1]<α>A
to the proof system of PDL, we obtain a sound and complete deducibility predicate in the extended language. See Parikh [1978] for details. CPDL has the small model property and (CPDL-SAT) is EXPTIME-complete.
It is easy to remark that CPDL has more expressive power than PDL. To see this, consider the CPDL formula <π-1>1 and the LTSs M = (W, R, V) and M′ = (W′, R′, V′) where W = {x,y}, R(π) = {(x,y)}, W′ = {y′}, R′(π) = ∅ and V(x) = V(y) = V′(y′) = ∅. Since M, y sat <π-1>1, not M′, y′ sat <π-1>1, and because for all PDL formulas A it is the case that M, y sat A iff M′, y′ sat A, then it is clear that no PDL formula is equivalent to <π-1>1.
4.3 PDL with repeating and looping
We have already exposed the power of repeating in section 3.3 by introducing RPDL. Here, we summarize more results about RPDL and its connection with other variations on the notion of repeating programs.
Concerning the complexity theory of RPDL, Streett [1982] had already established that RPDL had the finite model property; precisely that every RPDL satisfiable formula A is satisfiable in a model of size at most triply exponential in the length of A. An automata-theoretic argument permitted to conclude that the problem (RPDL-SAT) can be solved in deterministic triple exponential time (3-EXPTIME). The gap between this upper bound for deciding (RPDL-SAT) and the simple exponential-time lower bound for deciding (PDL-SAT) was thus open. The problem found itself greatly connected to the growing interest of computer scientists in establishing the complexity of temporal logics, and more specifically of the (propositional) modal μ-calculus (MMC) due to Kozen [1983], because RPDL has a linear blow-up translation to MMC. Moreover, Streett’s argument somewhat set a precedent in the now pervasive use of automata techniques in proving computational properties of logics of programs and of temporal logics. In Vardi and Stockmeyer [1985], an upper bound in non-deterministic exponential time was shown. In Emerson and Jutla [1988] and in its final form in Emerson and Jutla [1999], it was shown that (MMC-SAT) and (RPDL-SAT) are EXPTIME-complete. If we add the converse operator of section 4.2 one obtains CRPDL. The complexity of (CRPDL-SAT) remained open for a few years but it can be shown to be EXPTIME-complete, too. This is achieved by combining the techniques of Emerson and Jutla [1988] and Vardi [1985], as in Vardi [1998].
In section 3.3 we have defined a predicate ∞, where ∞(α) means that α can have non-terminating computation. We call LPDL the logic obtained by augmenting PDL with the predicate ∞. Clearly, RPDL is at least as expressive as LPDL; The inductive definition of ∞(α) in the language of RPDL is witness of it. RPDL is in fact strictly more expressive than LPDL. This was shown in Harel and Sherman [1982]. As it can be suspected, both RPDL and LPDL have more expressive power than PDL. It is established by proving that some formulas of RPDL and of LPDL have no equivalent expression in PDL. The proof involves the technique of filtration which is designed to collapse an LTS to a finite model while leaving invariant the truth or falsity of certain formulas. For some set of PDL formulas X, it consists in grouping into equivalence classes the states of an LTS that satisfy exactly the same formulas in X. The set of equivalence classes of states thus obtained becomes the set of states of the filtrate model, and a transition is built appropriately over them.
With a carefully chosen set FL(A) that depends on a PDL formula A (the so-called Fischer-Ladner closure of the set of sub-formulas of A), a filtration of an LTS M yields a finite filtrate M′, such that A is satisfiable at a world u in M if and only if it is satisfiable in the equivalence class containing u in the filtrate. (See Fischer and Ladner [1979].)
We can now consider the filtrations of the LTS M = (W, R,V) where
- W = {(i,j) : j and i positive integers, 0 ≤ j ≤ i} ∪ { u }
- (i,j)R(π)(i,j-1) when 1 ≤ j ≤ i
- uR(π)(i,i) for every i
- V(p) = ∅ for every p ∈ Φ0
In one sentence, what goes on in M is that from the world u, there is an infinite number of finite π-paths of growing length. We have both M, u sat ¬Δπ and M, u sat ¬∞(π*). Yet, for every PDL formula A, we will have both Δπ and ∞(π*) that are satisfied at the equivalence class of u in the model obtained by filtration of M with FL(A). Indeed, the filtration must collapse some states of M and create some loops. Thus, there exists no PDL formula that can express either Δπ or ∞(π*). and yet, we will have both Δπ and ∞(π*) that are satisfied at the equivalence class of u in any finite filtrate of M. Thus, neither Δπ nor ∞(π*) can be expressed in PDL.
There are other ways of making possible the assertion that a program can execute forever. For instance, Danecki [1984a] proposed a predicate sloop to qualify programs that can enter in strong loops, that is:
V(sloop(α)) = {x: xR(α)x}
Let us call SLPDL the logic obtained by augmenting PDL with sloop(α). RPDL and SLPDL are essentially incomparable: the predicate Δ is not definable in SLPDL, and the predicate sloop is not definable in RPDL. SLPDL does not possess the finite model property. For example, the formula
[π*](<π>1 ∧ ¬sloop(π+))
is satisfiable in infinite LTSs only. Nonetheless, Danecki [1984a] established the decidability of (SLPDL-SAT) formulas in deterministic exponential time.
4.4 PDL with intersection
Another construct has been studied: the intersection of programs. By adding intersection of programs to PDL, we obtain the logic IPDL. In IPDL, for all programs α, β, the expression α∩β stands for a new program with semantics
xR(α∩β)y iff xR(α)y and xR(β)y
For instance, the intended reading of <α∩β>A is that if we execute α and β in the present state then there exists a state reachable by both programs which satisfies A. As a result, we have
⊨ <α∩β>A → <α>A ∧ <β>A
but, in general, we have
not ⊨ <α>A ∧ <β>A → <α∩β>A
Although intersection of programs plays an important role in various applications of PDL to artificial intelligence and computer science, the proof theory and the complexity theory of PDL with intersection remained unexplored for several years. Concerning the complexity theory of IPDL, difficulties appear when one considers the finite model property. In fact the construct sloop(α) can be expressed in IPDL. In propositional dynamic logic with intersection it is equivalent to <α∩1?>1. We can thus adapt the formula of IPDL of section 4.3, and we have that
[π*](<π>1 ∧ [π+∩1?]0)
is satisfiable in infinite LTSs only. In other words, IPDL does not possess the finite model property. Danecki [1984b] investigated the complexity theory of IPDL and showed that deciding (IPDL-SAT) can be done in deterministic double exponential time. (A modern proof is presented in Göller, Lohrey and Lutz [2007].) The complexity gap between this double exponential-time upper bound for deciding (IPDL-SAT) and the simple exponential-time lower bound for deciding (PDL-SAT) obtained by Fischer and Ladner [1979] remained open for more than twenty years. In 2004, Lange [2005] established the lower bound of exponential space of (IPDL-SAT). In 2006, Lange and Lutz [2005] gave a proof of a double exponential-time lower bound of the satisfiability problem for IPDL without tests by a reduction from the word problem of exponentially space-bounded alternating Turing machines. In this reduction, the role of the iteration construct is essential since, according to Massacci [2001], the satisfiability problem for iteration-free IPDL without tests is only PSPACE-complete. Adding the converse construct to IPDL, we obtain ICPDL. The satisfiability problem of ICPDL has been proved to be 2-EXPTIME-complete by Göller, Lohrey and Lutz [2007].
Concerning the proof theory of IPDL, difficulties appear when we realize that no axiom schema, in the language of PDL with intersection, “corresponds” to the semantics xR(α∩β)y iff xR(α)y and xR(β)y of the program α∩β. That is, not in the same way for example, that the axiom schemas (A1) and (A2) respectively “correspond” to the semantics of the programs α;β and α∪β. For this reason, the axiomatization of PDL with intersection was open until the complete proof system developed in Balbiani and Vakarelov [2003].
In another variant of PDL, due to Peleg [1987] and further studied by Goldblatt [1992b], the expression α∩β is interpreted “do α and β in parallel”. In this context, the binary relations R(α) and R(β) are no longer sets of pairs of the form (x,y) with x, y worlds, but rather sets of pairs of the form (x,Y) with x a world and Y a set of worlds. It was inspired by the Game Logic of Parikh [1985], an intepretation of PDL with “programs as games”. Game Logic provides an additional program construct that dualizes programs, thus permitting to define the intersection of programs as the dual of the non-deterministic choice between programs.
5. Conclusion
This article has focused on propositional dynamic logic and some of its significant variants. There are by now a number of books—Goldblatt [1982], Goldblatt [1992a], Harel [1979] and Harel, Kozen and Tiuryn [2000]—and survey papers—Harel [1984], Kozen and Tiuryn [1990], Parikh [1983] —treating PDL and related formalisms. The body of research on PDL is certainly instrumental in developing many logical theories of system dynamics. However, these theories are arguably out of the scope of the present article. Van Eijck and Stokhof [2006] is a more recent overview of topics making use of dynamic logic, addressing various themes that are of certain interest for philosophers: e.g., dynamics of communication, or natural language semantics. Recent books are going in much details on newer topics, such as dynamic logic of knowledge (dynamic epistemic logic) in Van Ditmarsch, Van Der Hoek and Kooi [2007], and the dynamic logic of continuous and hybrid systems (differential dynamic logic) in Platzer [2010]. PDL was conceived primarily for reasoning about programs. There are many other applications of modal logic to reasoning about programs. Algorithmic logic is closer to PDL since it allows one to talk explicitly about programs. The reader is invited to consult the work studied in Mirkowska and Salwicki [1987]. Temporal logics are now the chief logics in theoretical computer science and have a close connection with logics of programs. They allow one to express the temporal behavior of transition systems with a language that abstracts away from the labels (hence the programs). See for instance Schneider [2004] for an overview of the foundations in this research area.
Bibliography
- Apt, K., 1981, “Ten years of Hoare’s logic: A survey — Part I”, ACM Transactions on Programming Languages and Systems, 3(4): 431–483.
- Balbiani, P., and D. Vakarelov, 2003, “PDL with intersection of programs: a complete axiomatization”, Journal of Applied Non-Classical Logics, 13: 231-276.
- van Benthem, J., 1998, “Program constructions that are safe for bisimulation”, Studia Logica, 60: 311–330.
- Berman, F., and M. Paterson, 1981, “Propositional dynamic logic is weaker without tests”, Theoretical Computer Science, 16: 321–328.
- Burstall, R., 1974, “Program Proving as Hand Simulation with a Little Induction”, Information Processing 74: Proceedings of IFIP Congress 74, Amsterdam: North Holland Publishing Company, 308–312.
- Danecki, R., 1984a, “Propositional dynamic logic with strong loop predicate”, in M. Chytil and V. Koubek, Mathematical Foundations of Computer Science, Berlin: Springer-Verlag, 573-581.
- –––, 1984b, “Nondeterministic propositional dynamic logic with intersection is decidable”, in A. Skowron (ed.), Computation Theory, Berlin: Springer-Verlag, 34-53.
- De Giacomo, G., and F. Massacci, 2000, “Combining deduction and model checking into tableaux and algorithms for converse-PDL”, Information and Computation, 160: 109–169.
- van Ditmarsch, H., W. van Der Hoek, and B. Kooi, 2007, Dynamic epistemic logic, Dordrecht: Springer-Verlag.
- van Eijck, J., and M. Stokhof, 2006, “The Gamut of Dynamic Logics”, in D. Gabbay and J. Woods (eds.), The Handbook of History of Logic, Volume 7—Logic and the Modalities in the Twentieth Century, Amsterdam: Elsevier, 499–600.
- Emerson, E., and Jutla, C., 1988, “The Complexity of Tree Automata and Logics of Programs (Extended Abstract)”, in Proceedings of the 29th Annual Symposium on Foundations of Computer Science, Los Alamitos, CA: IEEE Computer Society, 328–337.
- –––, 1999, “The Complexity of Tree Automata and Logics of Programs”, in SIAM Journal of Computing, 29: 132–158.
- Engeler, E., 1967, “Algorithmic properties of structures”, Mathematical Systems Theory, 1: 183–195.
- Fischer, M., and R. Ladner, 1979, “Propositional dynamic logic of regular programs”, Journal of Computer and System Sciences, 18: 194–211.
- Floyd, R., 1967, “Assigning meaning to programs”, Proceedings of the American Mathematical Society Symposia on Applied Mathematics (Volume 19), Providence, RI: American Mathematical Society, 19–31.
- Gargov, G., and S. Passy, 1988, “Determinism and looping in combinatory PDL”, Theoretical Computer Science, Amsterdam: Elsevier, 259–277.
- Goldblatt, R., 1982, Axiomatising the Logic of Computer Programming, Berlin: Springer-Verlag.
- –––, 1992a, Logics of Time and Computation, Stanford: Center for the Study of Language and Information Publications.
- –––, 1992b, “Parallel Action: Concurrent Dynamic Logic with Independent Modalities”, Studia Logica, 51: 551–578.
- Göller, S., M. Lohrey, and C. Lutz, 2007, “PDL with intersection and converse is 2EXP-complete”, Foundations of Software Science and Computational Structures, Berlin: Springer, 198–212.
- Harel, D., 1979, First-Order Dynamic Logic, Berlin: Springer-Verlag.
- –––, 1983, “Recurring dominoes: making the highly undecidable highly understandable”, in M. Karpinski (ed.), Foundations of Computation Theory, Berlin: Springer-Verlag, 177–194.
- –––, 1984, “Dynamic logic”, in D. Gabbay and F. Guenthner (eds.), Handbook of Philosophical Logic (Volume II), Dordrecht: D. Reidel, 497–604.
- Harel, D., D. Kozen, and J. Tiuryn, 2000, Dynamic Logic, Cambridge, MA: MIT Press.
- Harel, D. and Sherman, R., 1982, “Looping vs. Repeating in Dynamic Logic”, Information and Control, 55: 175–192.
- Hoare, C., 1969, “An axiomatic basis for computer programming”, Communications of the Association of Computing Machinery, 12: 576–580.
- Kozen, D., 1983, “Results on the Propositional μ-Calculus”, Theoretical Computer Science, 27: 333–354.
- Kozen, D., and R. Parikh, 1981, “An elementary proof of the completeness of PDL”, Theoretical Computer Science, 14: 113–118.
- Kozen, D., and J. Tiuryn, 1990, “Logics of programs”, in J. Van Leeuwen (ed.), Handbook of Theoretical Computer Science (Volume B), Amsterdam: Elsevier, 789–840.
- Lange, M., 2005, “A lower complexity bound for propositional dynamic logic with intersection”, in R. Schmidt, I. Pratt-Hartmann, M. Reynolds and H. Wansing (eds.), Advances in Modal Logic (Volume 5), London: King’s College Publications, 133–147.
- Lange, M., and C. Lutz, 2005, “2-EXPTIME lower bounds for propositional dynamic logics with intersection”, Journal of Symbolic Logic, 70: 1072–1086.
- Lutz, C., 2005, “PDL with intersection and converse is decidable”. In L. Ong (ed.), Computer Science Logic, Berlin: Springer-Verlag, 413-427.
- Massacci, F., 2001, “Decision procedures for expressive description logics with intersection, composition, converse of roles and role identity”, in B. Nebel (ed.), 17th International Joint Conference on Artificial Intelligence, San Francisco: Morgan Kaufmann, 193–198.
- Mirkowska, G., and A. Salwicki, 1987, Algorithmic Logic, Dordrecht: D. Reidel.
- Nishimura, H., 1979, “Sequential method in propositional dynamic logic”, Acta Informatica, 12: 377–400.
- Parikh, R., 1978, “The completeness of propositional dynamic logic”, in J. Winkowski (ed.), Mathematical Foundations of Computer Science, Berlin: Springer-Verlag, 1978, 403-415.
- –––, 1983, “Propositional logics of programs: new directions”, in M. Karpinski (ed.), Foundations of Computation Theory, Berlin: Springer-Verlag, 347-359.
- –––, 1985, “The logic of games and its applications”, Annals of Discrete Mathematics, 24: 111–140.
- Peleg, D., 1987, “Concurrent dynamic logic”, Journal of the Association of Computing Machinery, 34: 450–479.
- Platzer, A., 2010, Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics, Berlin: Springer, 2010.
- Pratt, V., 1976, “Semantical considerations on Floyd-Hoare logic”, in Proceedings of the 17th IEEE Symposium on Foundations of Computer Science, Los Alamitos, CA: IEEE Computer Society, 109–121.
- –––, 1978, “A practical decision method for propositional dynamic logic”, in Proceedings of the 10th Annual ACM Symposium on Theory of Computing, New York, NY: ACM, 326–337.
- –––, 1980a, “A near-optimal method for reasoning about action”, Journal of Computer and System Sciences, 20: 231–254.
- –––, 1980b, “Application of Modal Logic to Programming”, Studia Logica, 39: 257–274.
- Sakalauskaite, J., and M. Valiev, 1990, “Completeness of propositional dynamic logic with infinite repeating”, in P. Petkov (ed.), Mathematical Logic, New York: Plenum Press, 339–349.
- Salwicki, A., 1970, “Formalized algorithmic languages”, Bulletin de l’Academie Polonaise des Sciences, Serie des sciences mathematiques, astronomiques et physiques, 18: 227–232.
- Segerberg, K., 1977, “A completeness theorem in the modal logic of programs”, Notices of the American Mathematical Society, 24: 522.
- Schneider, K., 2004, Verification of Reactive Systems, Berlin: Springer-Verlag.
- Streett, R., 1982, “Propositional dynamic logic of looping and converse is elementary decidable”, Information and Control, 54: 121–141.
- Vakarelov, D., 1983, “Filtration theorem for dynamic algebras with tests and inverse operator”, in A. Salwicki (ed.), Logics of Programs and their Applications, Berlin: Springer-Verlag, 314–324.
- Vardi, M., 1985, “The Taming of Converse: Reasoning about Two-way Computations”, in Lecture Notes in Computer Science (Volume 193), Berlin-Heidelberg: Springer, 413–423.
- –––, 1998, “Reasoning about the past with two-way automata”, in Lecture Notes in Computer Science (Volume 1443), Berlin-Heidelberg: Springer, 628–641.
- Vardi, M., and Stockmeyer, L., 1985, “Improved Upper and Lower Bounds for Modal Logics of Programs: Preliminary Report”, in Proceedings of the 17th Annual ACM Symposium on Theory of Computing, New York, NY: ACM, 240–251.
- Yanov, J., 1959, “On equivalence of operator schemes”, Problems of Cybernetic, 1: 1–100.
Academic Tools
How to cite this entry. Preview the PDF version of this entry at the Friends of the SEP Society. Look up topics and thinkers related to this entry at the Internet Philosophy Ontology Project (InPhO). Enhanced bibliography for this entry at PhilPapers, with links to its database.
Other Internet Resources
[Please contact the author with suggestions.]