
LOGICS OF TIME

AND COMPUTATION
CSLI
Lecture Notes
No. 7

LOGICS OF TIME
AND COMPUTATION
Second Edition
Revised and Expanded

Robert Goldblatt

CSLI
Center for the Study of Language and Information
Copyright © 1992
Center for the Study of Language and Information
Leland Stanford Junior University
Printed in the United States
CIP data and other information appear at the end of the book
To my daughter Hannah
Preface to the First Edition

These notes are based on lectures, given at Stanford in the Spring Quarter of 1986, on modal logic, emphasising temporal and dynamic logics. The main aim of the course was to study some systems that have been found relevant recently to theoretical computer science.

Part One sets out the basic theory of normal modal and temporal propositional logics, covering the canonical model construction used for completeness proofs, and the filtration method of constructing finite models and proving decidability results and completeness theorems.

Part Two applies this theory to logics of discrete (integer), dense (rational), and continuous (real) time; to the temporal logic of henceforth, next, and until, as used in the study of concurrent programs; and to the propositional dynamic logic of regular programs.

Part Three is devoted to first-order dynamic logic, and focuses on the relationship between the computational process of assignment to a variable, and the syntactic process of substitution for a variable. A completeness theorem is obtained for a proof theory with an infinitary inference rule.

There is more material here than was covered in the course, partly because I have taken the opportunity to gather together a number of observations, new proofs of old theorems etc., that have occurred to me from time to time. Those familiar with the subject will observe, for instance, that in Part Two proofs of completeness for various logics of discrete and continuous time, and for the temporal logic of concurrency, as well as the discussion of Bull's theorem on normal extensions of S4.3, all differ from those that appear in the literature.

In order to make the notes effective for classroom use, I have deliberately presented much of the material in the form of exercises (especially in Part One). These exercises should therefore be treated as an integral part of the text.

Acknowledgements. My visit to Stanford took place during a period of sabbatical leave from the Victoria University of Wellington which was supported by both universities, and the Fulbright programme. I would like to thank Solomon Feferman and Jon Barwise for the facilities that were made available to me at that time. The CSLI provided generous access to its excellent computer-typesetting system, and the Center's Editor, Dikran Karagueuzian, was particularly helpful with technical advice and assistance in the preparation of the manuscript.

Preface to the Second Edition

The text for this edition has been increased by more than a third. Major additions are as follows.

• §7, originally concerned with incompleteness, now discusses a number of other metatheoretic topics, including first-order definability, (in)validity in canonical frames, failure of the finite model property, and the existence of undecidable logics with decidable axiomatisation.

• §9 now includes a study of the "branching time" system of Computational Tree Logic, due to Clarke and Emerson, which introduces connectives that formalise reasoning about behaviour along different branches of the tree of possible future states. Completeness and decidability are shown by the method of filtration in an adaptation of ideas due to Emerson and Halpern.

• In §10 dynamic logic is extended by the concurrency command α ∩ β, interpreted as "α and β executed in parallel". This is modelled by the use of "reachability relations", in which the outcome of a single execution is a set of terminal states, rather than a single state. This leads to a semantics for [α] and ⟨α⟩ which makes them independent (i.e. not interdefinable via negation). The resulting logic is shown to be finitely axiomatisable and decidable, by a new theory of canonical models and filtrations for reachability relations.

A significant conceptual change involves the definition of a "logic" (p. 16), which no longer includes the rule of Uniform Substitution. Logics satisfying this rule are called Uniform, and are discussed in detail on page 23. The change causes a number of minor adaptations throughout the text.

A notable technical improvement concerns the completeness proof for S4.3Dum in §8 (pp. 73-75). The original Dum-Lemma has been replaced by a direct proof that non-last clusters in the filtration are simple. This has resulted in some re-arrangement of the material concerning Bull's Theorem, and a simplification of the completeness theorem for the temporal logic of concurrency in §9 (pp. 95-96).

Other small changes include additional material about the Diodorean modality of spacetime (p. 45), and a rewriting of the basic filtration construction for dynamic logic (p. 114) using a uniform method of proving the first filtration condition that obviates the need to establish any standard-model conditions for the canonical model.

Reformatting the text has provided the opportunity to make numerous changes in style and expression, as well as to correct typos. I will be thankful for, if not pleased by, information about any further such errors.

rob@math.vuw.ac.nz

Contents

Preface to the First Edition vii

Preface to the Second Edition viii

Part One: Propositional Modal Logic 1


1. Syntax and Semantics 3
2. Proof Theory 16
3. Canonical Models and Completeness 24
4. Filtrations and Decidability 31
5. Multimodal Languages 37
6. Temporal Logic 40
7. Some Topics in Metatheory 48

Part Two: Some Temporal and Computational Logics 63


8. Logics with Linear Frames 65
9. Temporal Logic of Concurrency 84
10. Propositional Dynamic Logic 109

Part Three: First-Order Dynamic Logic 141


11. Assignments, Substitutions, and Quantifiers 143
12. Syntax and Semantics 146
13. Proof Theory 154
14. Canonical Model and Completeness 162

Bibliography 169

Index 175
Part One

Propositional Modal Logic


1 Syntax and Semantics

BNF
The notation of Backus-Naur form (BNF) will be used to define the syntax of the languages we will study. This involves specifying certain syntactic categories, and then giving recursive equations to show how the members of those categories are generated. The method can be illustrated by the syntax of standard propositional logic, which has one main category, that of the formulae. These are generated from some set of atomic formulae (or propositional variables), together with a constant ⊥ (the falsum), by the connective → (implication). In BNF, this is expressed in one line as

<formula> ::= <atomic formula> | ⊥ | <formula> → <formula>

The symbol ::= can be read "comprises", or "consists of", or simply "is". The vertical bar | is read "or". Thus the equation says that a formula is either an atomic formula, the falsum, or an implication between two formulae.

The definition becomes even more concise when we use individual letters for members of syntactic categories, in the usual way. Let Φ be a denumerable set of atomic formulae, with typical member denoted p. The set of all formulae generated from Φ will be denoted Fma(Φ), and its members denoted A, A₁, A', B, ... etc. The presentation of syntax then becomes

Atomic formulae: p ∈ Φ
Formulae: A ∈ Fma(Φ)

A ::= p | ⊥ | A → A

Technically, the recursive equation governs a non-deterministic rewriting procedure for generating formulae, in which any occurrence of the symbol to the left of the ::= sign can be replaced by any of the alternative expressions on the right side. Thus the two occurrences of A in the expression A → A may themselves be replaced by different expressions, and so stand for different formulae. In some BNF presentations, this is emphasised by using subscripts to distinguish different occurrences of a symbol. Then the above equation is given as

A ::= p | ⊥ | A₁ → A₂
Modal Formulae
The language of propositional modal logic requires one additional symbol, the "box" □. The BNF definition of the set of modal formulae generated by Φ is

Atomic formulae: p ∈ Φ
Formulae: A ∈ Fma(Φ)

A ::= p | ⊥ | A₁ → A₂ | □A

Possible readings of □A
It is necessarily true that A.
It will always be true that A.
It ought to be that A.
It is known that A.
It is believed that A.
It is provable in Peano Arithmetic that A.
After the program terminates, A.

Other connectives
These are introduced by the usual abbreviations.

Negation: ¬A is A → ⊥
Verum: ⊤ is ¬⊥
Disjunction: A₁ ∨ A₂ is (¬A₁) → A₂
Conjunction: A₁ ∧ A₂ is ¬(A₁ → ¬A₂)
Equivalence: A₁ ↔ A₂ is (A₁ → A₂) ∧ (A₂ → A₁)
"Diamond": ◇A is ¬□¬A

Notational Convention
In the case that n = 0, the expression

B₀ ∧ ... ∧ Bₙ₋₁ → B

just denotes the formula B.

Exercises 1.1
(1) Decide what ◇A means under each of the above readings of □.
(2) Which of the following should be regarded as true under the different readings of □?

□A → A
□A → □□A
◇⊤
□A → ◇A
□A ∨ □¬A
□(A → B) → (□A → □B)
◇A ∧ ◇B → ◇(A ∧ B)

Subformulae
The finite set Sf(A) of all subformulae of A ∈ Fma(Φ) is defined inductively by

Sf(p) = {p}
Sf(⊥) = {⊥}
Sf(A₁ → A₂) = {A₁ → A₂} ∪ Sf(A₁) ∪ Sf(A₂)
Sf(□A) = {□A} ∪ Sf(A)

Schemata
We will often have occasion to refer to a schema, meaning a collection of formulae all having a common syntactic form. Thus, for example, by the schema

□A → A

we mean the collection of formulae

{□B → B : B ∈ Fma(Φ)}.

Uniform Substitution
The notion of a schema can be made more precise by considering uniform substitutions, as follows.

Let A and B be any formulae, and p an atomic formula. By the uniform substitution of B for p in A we mean the procedure of replacing each and every occurrence of p in A by B. A formula A' is called a substitution instance of A if it arises by simultaneous uniform substitution for some of the atomic formulae of A, i.e. if there exist some finitely many atomic formulae p₁, ..., pₙ, and formulae B₁, ..., Bₙ, such that A' is the result of simultaneously uniformly substituting B₁ for p₁ in A, and B₂ for p₂ in A, and ..., and Bₙ for pₙ in A. Let

Σ_A = {A' : A' is a substitution instance of A}.

Then a schema may be defined as a set of formulae that is equal to Σ_A for some formula A.

For example, if A is the formula □p → p, with p atomic, then Σ_A is what was described above as "the schema □A → A".

Frames and Models

A frame is a pair F = (S, R), where S is a non-empty set, and R a binary relation on S: in symbols, R ⊆ S × S.

A Φ-model on a frame is a triple M = (S, R, V), with V : Φ → 2^S. Hence V is a function assigning to each atomic formula p ∈ Φ a subset V(p) of S. Informally, V(p) is to be thought of as the set of points at which p is "true". Generally we drop the prefix Φ- in discussing models, provided the context is clear.

The relation "A is true (holds) at point s in model M", denoted

M ⊨_s A,

is defined inductively on the formation of A ∈ Fma(Φ) as follows.

M ⊨_s p iff s ∈ V(p)
M ⊭_s ⊥ (i.e. not M ⊨_s ⊥)
M ⊨_s (A₁ → A₂) iff M ⊨_s A₁ implies M ⊨_s A₂
M ⊨_s □A iff for all t ∈ S, sRt implies M ⊨_t A

Exercises 1.2
(1) M ⊨_s ¬A iff M ⊭_s A.
Work out the corresponding truth conditions for A ∧ B, A ∨ B, A ↔ B.
(2) M ⊨_s ◇A iff there exists t ∈ S with sRt and M ⊨_t A.

Motivations
1. Necessity. Following the dictum of Leibnitz that a necessary truth is one that holds in all "possible worlds", S may be thought of as a set of such worlds, with sRt when t is a conceivable alternative to s, i.e. a world in which all the necessary truths of s are realised. □A then means "A is necessarily true", while ◇A means "A is possible", i.e. true in some conceivable world.

2. Different notions of necessity can be entertained. Thus logical necessity may be contrasted with physical necessity, the latter taking □A to mean "A is a consequence of the laws of physics". Under this reading, sRt holds when t is a scientific alternative to s, i.e. a world in which all scientific laws of s are fulfilled. Hence in our world, □(x < c) is true under the physical reading, where c is the velocity of light and x the velocity of a material body. On the other hand it is logically possible that (x < c) is false.

3. In deontic logic, □A means "A ought to be true". sRt then means that t is a morally ideal alternative to s, a world in which all moral laws of s are obeyed. If s is the actual world, few would maintain that sRs under this interpretation. On the other hand, any world is a logical, and scientific, alternative to itself.

4. Temporal Logic. Here the members of S are taken to be moments of time. If sRt means "t is after (later than) s", then □A means "henceforth A", i.e. "at all future times A", while ◇A means "eventually (at some future time) A". Dually, if sRt means that t is before s, then □ means "hitherto", and so on. Natural time frames (S, R) for temporal logic are given by taking S as one of the number sets ω (natural numbers), ℤ (integers), ℚ (rationals), or ℝ (reals), and R as one of the relations <, ≤, >, ≥. Another interesting possibility is to consider various orderings on the points of four-dimensional Minkowskian spacetime (cf. page 45, and Goldblatt [1980]), or even more general non-linear "branchings" in time (Rescher and Urquhart [1971]).

5. Program states. Reading □ as "after the program terminates", S is to be regarded as the set of possible states of a computation process, with sRt meaning that there is an execution of the program that starts in state s and terminates in state t. A non-deterministic program may admit more than one possible "outcome" t when started in s. Then □A means "every terminating execution of the program brings about A", while ◇A means that the program enables A, i.e. "there is some execution that terminates with A true".

At the level of propositional logic, the notion of state is formally taken to be primitive, as in the theory of automata, Turing machines, etc. A natural concrete interpretation of the notion is possible in quantificational logic, as will be seen in Part Three.

Valuations and Tautologies

Given a Φ-model M, and a fixed s ∈ S, define

V_s(p) = true if s ∈ V(p), and false otherwise.

Then the function V_s : Φ → {true, false} is a valuation of the atomic formulae, a notion familiar from propositional logic. Using the standard truth-tables for propositional connectives, V_s is extended to assign a truth-value to any formula not containing the symbol □.

Thus a model on a frame gives rise to a collection {V_s : s ∈ S} of valuations of Φ, while, conversely, such a collection defines the model in which V(p) = {s : V_s(p) = true}.

A formula A is quasi-atomic if either it is atomic (A ∈ Φ), or else it begins with a □, i.e. A = □B for some B. If Φ^q is the set of all quasi-atomic formulae, then any formula A is constructible from members of Φ^q ∪ {⊥} using the connective →. Hence by using the truth-table for →, any valuation

V : Φ^q → {true, false}

of the quasi-atomic formulae extends uniquely to a valuation

V : Fma(Φ) → {true, false}

of all formulae. A formula A is a tautology if V(A) = true for every valuation V of its quasi-atomic subformulae.

Exercise 1.3
Any tautology is a substitution instance of a tautology of propositional logic (i.e. a □-free tautology).

Truth and Validity

Formula A is true in model M, denoted M ⊨ A, if it is true at all points in M, i.e. if

M ⊨_s A for all s ∈ S.

A is valid in frame F = (S, R), denoted F ⊨ A, if

M ⊨ A for all models M = (S, R, V) based on F.

If C is a class of models (respectively, frames), then A is true (respectively, valid) in C, C ⊨ A, if A is true (respectively, valid) in all members of C.

A schema will be said to be true in a model (respectively, valid in a frame) if all instances of the schema have that property. More generally, we will use the notations M ⊨ Γ and F ⊨ Γ, where Γ ⊆ Fma(Φ), to mean that all members of Γ are true in M, or valid in F.

Exercises 1.4
(1) The following are true in all models, hence valid in all frames.

□⊤
□(A → B) → (□A → □B)
□(A → B) → (◇A → ◇B)
… → ◇B)
◇(A ∨ B) ↔ (◇A ∨ ◇B)

(2) Show that the following do not have the property of being valid in all frames.

□A → A
□A → □◇A
◇(A → B) → (◇A → ◇B)
◇⊤
□(□A → B) ∨ □(□B → A)
□(A ∨ B) → □A ∨ □B
□(□A → A) → □A

(N.B. some instances of these schemata may be valid, e.g. when A is a tautology. What is required is to find a counterexample to validity of at least one instance of each schema.)
(3) Show that ◇⊤ and the schema □A → ◇A have exactly the same models.
(4) Exhibit a frame in which □⊥ is valid.
(5) In any model M,
(i) if A is a tautology then M ⊨ A;
(ii) if M ⊨ A and M ⊨ A → B, then M ⊨ B;
(iii) if M ⊨ A then M ⊨ □A.
(6) Items (i)-(iii) of the previous exercise hold if M is replaced by any frame F.
Ancestral (Reflexive Transitive Closure)
Let F = (S, R) be a frame. Define on S the relations Rⁿ ⊆ S × S, for n ≥ 0, and R*, as follows.

sR⁰t iff s = t
sRⁿ⁺¹t iff ∃u(sRⁿu & uRt)
sR*t iff sRⁿt for some n ≥ 0

Exercises 1.5
(1) R¹ = R.
(2) sR*t iff ∃n ≥ 0 ∃s₀, ..., ∃sₙ ∈ S with s₀ = s, sₙ = t, and for all i < n, sᵢRsᵢ₊₁.
(3) R* is reflexive and transitive.
(4) If T is any reflexive and transitive relation on S with R ⊆ T, then R* ⊆ T. That is, R* is the smallest reflexive and transitive relation on S that contains R.
(5) If S ⊆ ℤ, and R = {(s, s + 1) : s ∈ S}, what is R*?

R* is often known as the ancestral of R (from the case that R is the "parent of" relation). In view of exercise (4), it is also known as the reflexive transitive closure of R. The notion will play an important role in the logic of programs in Parts Two and Three.
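The relations Rⁿ and R* above, and the generated-point sets S^t of the next subsection, are easy to compute on a finite frame. The following is an added example (it is not code from Goldblatt's text); it represents a frame as a Python set S and a set R of ordered pairs, and the function names (compose, power, ancestral, generated_points, and so on) are this example's own. The frame S = {0, ..., 4} with R the successor relation is a constructed instance of Exercise 1.5(5).

```python
# Added example (not from the text): R^n, the ancestral R* and generated
# subframes over a finite frame, with S a set and R a set of ordered pairs.
# The function names are this example's own.

def compose(R1, R2):
    """Relational composition {(s, t) : s R1 u and u R2 t for some u}."""
    return {(s, t) for (s, u) in R1 for (u2, t) in R2 if u == u2}

def power(S, R, n):
    """R^n as defined above: R^0 is the identity on S and R^(n+1) = R^n ; R."""
    Rn = {(s, s) for s in S}
    for _ in range(n):
        Rn = compose(Rn, R)
    return Rn

def ancestral(S, R):
    """R* = the union of all R^n. On a finite S the union R^0 ∪ ... ∪ R^n stops
    growing after at most |S| steps, so it can be computed as a fixpoint."""
    star = {(s, s) for s in S}            # R^0
    while True:
        bigger = star | compose(star, R)  # one more R-step
        if bigger == star:
            return star
        star = bigger

def is_reflexive_transitive(S, T):
    """Exercise 1.5(3) for a candidate relation T on S."""
    return (all((s, s) in T for s in S) and
            all((s, v) in T for (s, t) in T for (t2, v) in T if t == t2))

def ancestral_is_below(S, R, T):
    """Exercise 1.5(4): if T is reflexive, transitive and contains R, then R* ⊆ T."""
    if not (R <= T and is_reflexive_transitive(S, T)):
        return True            # hypothesis fails, nothing to check
    return ancestral(S, R) <= T

def generated_points(S, R, t):
    """S^t = {u in S : t R* u}, the points reachable from t by finitely many R-steps."""
    star = ancestral(S, R)
    return {u for u in S if (t, u) in star}

def is_closed_under(R, X, t):
    """Exercise 1.6(2): X contains t, and u in X together with uRv implies v in X."""
    return t in X and all(v in X for (u, v) in R if u in X)

# Constructed instance of Exercise 1.5(5): S = {0,..,4}, R = successor.
S = set(range(5))
R = {(s, s + 1) for s in range(4)}

def successor_ancestral_is_leq():
    """For the successor relation on S, R* is the relation <= on S."""
    return ancestral(S, R) == {(s, t) for s in S for t in S if s <= t}

if __name__ == '__main__':
    print(sorted(ancestral(S, R)))
    print(sorted(generated_points(S, R, 2)))   # {2, 3, 4}
```

The fixpoint loop in ancestral is the finite case of Exercise 1.5(2): each pass adds one more R-step to every path already found, and on a finite S no path needs more than |S| − 1 steps.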

Generated Submodels
If M = (S, R, V) and t ∈ S, then the submodel of M generated by t is

M^t = (S^t, R^t, V^t),

where

S^t = {u ∈ S : tR*u},

and R^t and V^t are the restrictions of R and V to S^t, i.e. R^t = R ∩ (S^t × S^t) and V^t(p) = V(p) ∩ S^t.

The structure F^t = (S^t, R^t) is the subframe of F = (S, R) generated by t.

Exercises 1.6
(1) If R is transitive, then S^t = {t} ∪ {u : tRu}.
(2) S^t is the smallest subset X of S that contains t and is closed under R, in the sense that u ∈ X and uRv implies v ∈ X.

To evaluate the truth of formula A at point t may require investigating the truth of certain subformulae B of A at various R-alternatives v of t. But then to determine the truth-value of B at v may require looking at alternatives of v. And so on. S^t comprises all points generated by this process. It is evident that evaluating truth at t will only involve points that are each obtainable from t by finitely many "R-alternations". This is embodied in the

Submodel Lemma 1.7. If A ∈ Fma(Φ), then for any u ∈ S^t,

M^t ⊨_u A iff M ⊨_u A.

Proof. By induction on the formation of A. The case A = p ∈ Φ follows from the definition of V^t, and the case A = ⊥ is immediate. The inductive cases A = (B → C) and A = □B are given as exercises.

Corollary 1.8.
(1) M ⊨ A implies M^t ⊨ A.
(2) M ⊨ A iff A is true in all generated submodels of M.
(3) F ⊨ A iff A is valid in all generated subframes of F.

p-Morphisms
Let M₁ = (S₁, R₁, V₁) and M₂ = (S₂, R₂, V₂) be models, and f : S₁ → S₂ a function satisfying

sR₁t implies f(s)R₂f(t);
f(s)R₂u implies ∃t(sR₁t & f(t) = u);
s ∈ V₁(p) iff f(s) ∈ V₂(p).

Then f is called a p-morphism from M₁ to M₂. A function satisfying the first two conditions is a p-morphism from frame (S₁, R₁) to frame (S₂, R₂).

p-Morphism Lemma 1.9. If A ∈ Fma(Φ), then for any s ∈ S₁,

M₁ ⊨_s A iff M₂ ⊨_{f(s)} A.

Proof. Exercise.

If there is a p-morphism f : F₁ → F₂ that is surjective (onto), then frame F₂ is called a p-morphic image of F₁.

p-Morphism Lemma 1.10. If F₂ is a p-morphic image of F₁, then for any formula A,

F₁ ⊨ A implies F₂ ⊨ A.

Proof. Suppose A is false at some point t in some model M₂ = (F₂, V₂) based on F₂. Take a surjective p-morphism f : S₁ → S₂ and define a model M₁ = (F₁, V₁) by declaring

s ∈ V₁(p) iff f(s) ∈ V₂(p).

Then f is a p-morphism from M₁ to M₂. Choosing any s with f(s) = t, the first p-Morphism Lemma 1.9 gives A false at s in the model M₁ based

Exercise 1.11
Let F₁ = ({0, 1}, R) and F₂ = ({0}, R), where in each case R is the universal relation S × S. Show that

F₁ ⊨ A implies F₂ ⊨ A,

(ω, <) ⊨ A implies F₂ ⊨ A.

The curious appellation "p-morphism" derives from an early use of the name "pseudo-epimorphism" in this context, and seems to have become entrenched in the literature.

Conditions on R
The following is a list of properties of a binary relation R that are defined by first-order sentences.

1. Reflexive: ∀s(sRs)
2. Symmetric: ∀s∀t(sRt → tRs)
3. Serial: ∀s∃t(sRt)
4. Transitive: ∀s∀t∀u(sRt ∧ tRu → sRu)
5. Euclidean: ∀s∀t∀u(sRt ∧ sRu → tRu)
6. Partially functional: ∀s∀t∀u(sRt ∧ sRu → t = u)
7. Functional: ∀s∃!t(sRt)
8. Weakly dense: ∀s∀t(sRt → ∃u(sRu ∧ uRt))
9. Weakly connected: ∀s∀t∀u(sRt ∧ sRu → tRu ∨ t = u ∨ uRt)
10. Weakly directed: ∀s∀t∀u(sRt ∧ sRu → ∃v(tRv ∧ uRv))

Corresponding to this list is a list of schemata:

1. □A → A
2. A → □◇A
3. □A → ◇A
4. □A → □□A
5.
6.
7. ◇A ↔ □A
8. □□A → □A
9. □(A ∧ □A → B) …
10. ◇□A → □◇A

Theorem 1.12. Let F = (S, R) be a frame. Then for each of the properties 1-10, if R satisfies the property, then the corresponding schema is valid in F.

Proof. We illustrate with the case of transitivity. Suppose that R is transitive. Let M be any model on F. To show that

M ⊨ □A → □□A,

take any s in M with M ⊨_s □A. We have to prove

M ⊨_s □□A,

which means

sRt implies M ⊨_t □A,

or, in other words,

sRt implies (tRu implies M ⊨_u A).

So, suppose sRt. Then if tRu, we have sRu by transitivity, so M ⊨_u A, since M ⊨_s □A by hypothesis.

The other cases are left as exercises.

Theorem 1.13. If a frame F = (S, R) validates any one of the schemata 1-10, then R satisfies the corresponding property.

Proof. Take the case of schema 10. To show R is weakly directed, suppose sRt and sRu. Let M be any model on F in which V(p) = {v : uRv}. Then by definition,

uRv implies M ⊨_v p,

so M ⊨_u □p, and hence, as sRu, M ⊨_s ◇□p. But then as schema 10 is valid in F, M ⊨_s □◇p, so as sRt, M ⊨_t ◇p. This implies that there exists a v with tRv and M ⊨_v p, i.e. v ∈ V(p), so uRv as desired.

Next, the case of schema 8. Suppose sRt. Let M be a model on F with V(p) = {v : t ≠ v}. Then M ⊭_t p, so M ⊭_s □p. Hence by validity of schema 8, M ⊭_s □□p, so there exists a u with sRu and M ⊭_u □p. Then for some v, uRv and M ⊭_v p, i.e. v = t, so that uRt, as needed to show that R is weakly dense.

Exercises 1.14
(1) Complete the proofs of Theorems 1.12 and 1.13.
(2) Give a property of R that is necessary and sufficient for F to validate the schema A → □A. Do the same for □⊥.

First-Order Definability
Theorems 1.12 and 1.13 go a long way toward explaining the great success that the relational semantics enjoyed upon its introduction by Kripke [1963]. Frames are much easier to deal with than the modelling structures (Boolean algebras with a unary operator) that had been available hitherto, and many modal schemata were shown to have their frames characterised by simple first-order properties of R. For a time it seemed that propositional modal logic corresponded in strength to first-order logic, but that proved not to be so. Here are a couple of illustrations.

(1) The schema

W : □(□A → A) → □A

is valid in frame (S, R) iff
(i) R is transitive, and
(ii) there are no sequences s₀, ..., sₙ, ... in S with sₙRsₙ₊₁ for all n ≥ 0
(for a proof cf. Boolos [1979], p.82). Now it can be shown by the Compactness Theorem of first-order logic that there exists a frame satisfying (i) and (ii) that is elementarily equivalent to (i.e. satisfies the same first-order sentences as) a frame in which (ii) fails. Hence there can be no set of first-order sentences that defines the class of frames of this schema.

(2) The class of frames of the so-called McKinsey schema

M : □◇A → ◇□A

is not defined by any set of first-order sentences (Goldblatt [1975], van Benthem [1975]).

(Both of the above schemata will figure in the discussion of incompleteness in §7, where there is also a further consideration of the question of first-order definability.)

Subsequent investigations demonstrated that propositional modal logic corresponds to a fragment of second-order logic (Thomason [1975]).

Undefinable conditions
There are some naturally occurring properties of a binary relation R that do not correspond to the validity of any modal schema. One such is irreflexivity, i.e. ∀s¬(sRs). To see this, observe that the class of all frames validating a given schema is closed under p-morphic images (1.10), but the class of irreflexive frames is not so closed. For instance, it contains (ω, <), but not its p-morphic image ({0}, {(0, 0)}) (cf. Exercise 1.11).

Exercise 1.15
Show that neither of the following conditions corresponds to any modal schema.

Antisymmetry: ∀s∀t(sRt ∧ tRs → s = t),
Asymmetry: ∀s∀t(sRt → ¬tRs).

Historical Note
The concepts of necessity and possibility have been studied by philosophers throughout history, notably by Aristotle, and in the middle ages. The contemporary symbolic analysis of modality is generally considered to have originated in the work of C. I. Lewis early this century (cf. Lewis and Langford [1932]). Lewis was concerned with a notion of strict implication. He defined "A strictly implies B" as I(A ∧ ¬B), where I is a primitive impossibility operator (later he expressed this as ¬◇(A ∧ ¬B), where ◇ expresses possibility). He defined a series of systems, which he called S1 to S5, based directly on axioms for strict implication. The standard procedure nowadays is to adjoin axioms and rules for □, or ◇, to the usual presentation of propositional logic. This approach to modal logic was first used in a paper by Gödel [1933]. The model theory described in this section is due to Kripke [1959, 1963].

To learn about the history of modal logic, the reader should first consult the interesting Historical Introduction to Lemmon [1977], where further references may be found.
2 Proof Theory

Logics
Given a language based on a countable set Φ of atomic formulae, a logic is defined to be any set Λ ⊆ Fma(Φ) such that
• Λ includes all tautologies, and
• Λ is closed under the rule of Detachment, i.e., if A, A → B ∈ Λ then B ∈ Λ.

Examples of Logics
(1) PL = {A ∈ Fma(Φ) : A is a tautology}.
(2) For any class C of models, or of frames (including the cases C = {M} and C = {F}),

Λ_C = {A : C ⊨ A}

is a logic.
(3) Fma(Φ) itself is a logic.
(4) If {Λᵢ : i ∈ I} is a collection of logics, then their intersection

⋂_{i∈I} Λᵢ

is a logic. Thus for any Γ ⊆ Fma(Φ) there is a smallest logic containing Γ, namely the intersection of the collection

{Λ : Λ is a logic and Γ ⊆ Λ}.

Note that PL is the smallest logic, and Fma(Φ) the largest, in the sense that for any logic Λ,

PL ⊆ Λ ⊆ Fma(Φ).

Tautological Consequence
A formula A is a tautological consequence of formulae A₁, ..., Aₙ if A is assigned true by every valuation that assigns true to all of A₁, ..., Aₙ. In particular, a tautological consequence of the empty set of formulae is the same thing as a tautology.


Exercise 2.1
Show that any logic Λ is closed under tautological consequence, i.e. if A₁, ..., Aₙ ∈ Λ, then any tautological consequence of A₁, ..., Aₙ belongs to Λ.

Instead of defining a logic Λ to include all tautologies, it would suffice to include a set of schemata from which all tautologies can be derived by Detachment, e.g. the schemata

¬¬A → A.

Theorems
The members of a logic are called its theorems. We write ⊢_Λ A to mean that A is a Λ-theorem, i.e.,

⊢_Λ A iff A ∈ Λ.

Soundness and Completeness

Let C be a class of frames, or of models. Then logic Λ is sound with respect to C if for all formulae A,

⊢_Λ A implies C ⊨ A.

Λ is complete with respect to C, if, for any A,

C ⊨ A implies ⊢_Λ A.

Λ is determined by C if it is both sound and complete with respect to C.

Deducibility and Consistency

If Γ ∪ {A} ⊆ Fma(Φ), then A is Λ-deducible from Γ, denoted Γ ⊢_Λ A, if there exist B₀, ..., Bₙ₋₁ ∈ Γ such that

⊢_Λ B₀ → (B₁ → (··· (Bₙ₋₁ → A) ···))

(in the case n = 0, this means that ⊢_Λ A). We write Γ ⊬_Λ A when A is not Λ-deducible from Γ.

A set Γ ⊆ Fma(Φ) is Λ-consistent if Γ ⊬_Λ ⊥. A formula A is Λ-consistent if the set {A} is.

Exercises 2.2
(1) ⊢_Λ A iff ∅ ⊢_Λ A.
(2) If ⊢_Λ A then Γ ⊢_Λ A.
(3) If Λ ⊆ Λ', then Γ ⊢_Λ A implies Γ ⊢_Λ' A.
(4) If A ∈ Γ then Γ ⊢_Λ A.
(5) If Γ ⊆ Δ and Γ ⊢_Λ A, then Δ ⊢_Λ A.
(6) If Γ ⊢_Λ A and {A} ⊢_Λ B, then Γ ⊢_Λ B.
(7) Detachment: If Γ ⊢_Λ A and Γ ⊢_Λ A → B, then Γ ⊢_Λ B.
(8) Deduction Theorem: Γ ∪ {A} ⊢_Λ B iff Γ ⊢_Λ A → B.
(9) Γ ⊢_Λ A iff there exists a finite sequence A₀, ..., Aₘ = A such that for all i ≤ m, either Aᵢ ∈ Γ ∪ Λ, or else Aₖ = (Aⱼ → Aᵢ) for some j, k < i (i.e. Aᵢ follows from Aⱼ and Aₖ by Detachment).
(10) {A : Γ ⊢_Λ A} is the smallest logic containing Γ ∪ Λ.
(11) Soundness: If M ⊨_s Γ ∪ Λ and Γ ⊢_Λ A, then M ⊨_s A.
(12) If Γ ⊆ Λ, then Γ is Λ-consistent if, and only if, Λ ≠ Fma(Φ).
(13) Γ is Λ-consistent iff there exists a formula A with Γ ⊬_Λ A.
(14) Γ is Λ-consistent iff there is no formula A having both Γ ⊢_Λ A and Γ ⊢_Λ ¬A.
(15) Γ ⊢_Λ A iff Γ ∪ {¬A} is not Λ-consistent.
(16) Γ ∪ {A} is Λ-consistent iff Γ ⊬_Λ ¬A.
(17) If Γ is Λ-consistent, then for any formula A, at least one of Γ ∪ {A} and Γ ∪ {¬A} is Λ-consistent.

Maximal Sets
Let M = (S, R, V) be a model of a logic Λ, i.e. M ⊨ Λ. Associate with each s ∈ S the set

Γ_s = {A ∈ Fma(Φ) : M ⊨_s A}.

Then Γ_s is Λ-consistent (why?), and moreover, for each formula A, one of A and ¬A is in Γ_s.

In the next section we will be building models for certain logics. Since we have only a syntactic structure, namely Λ, to begin with, we will have to use syntactic entities, such as formulae or sets of formulae, as the points of our models. It turns out that the way to proceed is to use sets of formulae that enjoy the properties possessed by those sets Γ_s naturally associated with points of a given Λ-model.

A set Γ ⊆ Fma(Φ) is defined to be Λ-maximal if

• Γ is Λ-consistent, and
• for any A ∈ Fma(Φ), either A ∈ Γ or ¬A ∈ Γ.

We define

S_Λ = {Γ : Γ is Λ-maximal}.

Exercises 2.3
Suppose Γ is Λ-maximal.
(1) Γ ⊢_Λ A implies A ∈ Γ.
(2) If A ∉ Γ, then Γ ∪ {A} is not Λ-consistent. Hence if Γ ⊆ Δ and Δ is Λ-consistent, then Γ = Δ (this explains the use of the adjective "maximal").
(3) For any formula A, exactly one of A and ¬A belongs to Γ, i.e.,

¬A ∈ Γ iff A ∉ Γ.

(4) Λ ⊆ Γ.
(5) ⊥ ∉ Γ.
(6) (A → B) ∈ Γ iff (A ∈ Γ implies B ∈ Γ).
(7) A ∧ B ∈ Γ iff A, B ∈ Γ.
(8) A ∨ B ∈ Γ iff A ∈ Γ or B ∈ Γ.
(9) (A 

↔ B) ∈ Γ iff (A ∈ Γ iff B ∈ Γ).

Existence of Maximal Sets
We have yet to show that S_Λ ≠ ∅, i.e. that there are any Λ-maximal sets. To see this, let

A₀, A₁, ..., Aₙ, ...

be an enumeration of the set Fma(Φ) (such an enumeration exists, since Φ is countable). Then if Γ is any Λ-consistent set, define

Δ₀ = Γ,
Δₙ₊₁ = Δₙ ∪ {Aₙ} if Δₙ ⊬_Λ ¬Aₙ, and Δₙ ∪ {¬Aₙ} otherwise,

and let Δ = ⋃ₙ Δₙ. By construction, at least one of Aₙ and ¬Aₙ is in Δ, for all n.


Exercises 2.4
(1) An is .A-consistent, for all n.
(2) Exactly one of A and ->A is in A, for all formulae A.
(3) If A \-A B, then B € A.
It follows from these exercises that A is yl-consistent. For, if A \- J_, then
^n H J_ for some n, contrary to the consistency of An. Thus we have
established
Lindenbaum's Lemma 2.5. Every A-consistent set of formulae is con-
tained in a A-maximal set.
Corollary 2.6.
(1) {A : r \-A A} = r\{A e SA : F C A},
i.e. F\~A A iff A belongs to every A-maximal set that includes F.
(2) A = r\{A:AeSA},
i.e. \- A A iff A belongs to every A-maximal set.
Proof. We prove only the deeper part of (1). If F \/A A, then r U {~>A}
is yl-consistent (2.2(15)), so for some A € SA, r U {-.4} C A. Then A
includes F but does not contain A, since it contains ->A and is vl-consistent.

Normal Logics
A logic $\Lambda$ is normal if it contains the schema
K: $\Box(A \to B) \to (\Box A \to \Box B)$,
and is closed under the rule of Necessitation, i.e.,
if $\vdash_\Lambda A$, then $\vdash_\Lambda \Box A$.
Examples of Normal Logics
(1) For any class $C$ of models, or of frames,
$\Lambda_C = \{A : C \models A\}$
is a normal logic.
(2) If $\{\Lambda_i : i \in I\}$ is a collection of normal logics, then
$\bigcap_{i \in I} \Lambda_i$
is normal. In particular,
$K = \bigcap\{\Lambda : \Lambda \text{ is a normal logic}\}$
is the smallest normal logic. The letter K here is in honour of Kripke.
Example 1 shows that any logic determined by relational models or frames
is normal, and so this is the type of logic we will be dealing with throughout.
Exercises 2.7
(1) If $\Lambda$ is a normal logic, show the following.
$\vdash_\Lambda A \to B$ implies $\vdash_\Lambda \Box A \to \Box B$ and $\vdash_\Lambda \Diamond A \to \Diamond B$.
$\vdash_\Lambda A \leftrightarrow B$ implies $\vdash_\Lambda \Box A \leftrightarrow \Box B$ and $\vdash_\Lambda \Diamond A \leftrightarrow \Diamond B$.
$\vdash_\Lambda \Box\neg A \leftrightarrow \neg\Diamond A$.
$\vdash_\Lambda \Box A \wedge \Box B \leftrightarrow \Box(A \wedge B)$.
$\vdash_\Lambda \Diamond(A \vee B) \leftrightarrow \Diamond A \vee \Diamond B$.
$\vdash_\Lambda \Diamond(A \wedge B) \to \Diamond A \wedge \Diamond B$.
(2) A logic $\Lambda$ is normal iff for all $n \geq 0$,
if $\vdash_\Lambda A_0 \wedge \ldots \wedge A_{n-1} \to A$,
then $\vdash_\Lambda \Box A_0 \wedge \ldots \wedge \Box A_{n-1} \to \Box A$.
(Note: when $n = 0$, this is just the rule of Necessitation.)
(3) A logic $\Lambda$ is normal iff it satisfies the following three conditions.

$\vdash_\Lambda \Box A \wedge \Box B \to \Box(A \wedge B)$,
$\vdash_\Lambda A \to B$ implies $\vdash_\Lambda \Box A \to \Box B$.
(4) If $\Lambda$ is normal, then
$\Gamma \vdash_\Lambda A$ implies $\{\Box B : B \in \Gamma\} \vdash_\Lambda \Box A$.
(5) If a normal logic contains the schema
$\Diamond A \to \Box A$,
then it contains the schemata

$(\Box A \to \Box B) \to \Box(A \to B)$.
(6) $\vdash_K A$ iff there is a sequence $A_0, \ldots, A_m = A$ such that for all $i \leq m$,
either $A_i$ is a tautology or an instance of K, or $A_k = (A_j \to A_i)$ for
some $j, k < i$, or $A_i = \Box A_j$ for some $j < i$.
Some Standard Logics

It has become customary to use the notation
$K S_1 \ldots S_n$
to refer to the smallest normal logic containing the schemata $S_1, \ldots, S_n$.
Set-theoretically this logic is defined as
$\bigcap\{\Lambda : \Lambda \text{ is normal and } S_1 \cup \ldots \cup S_n \subseteq \Lambda\}$.
Historical names for some well-known schemata are

D: $\Box A \to \Diamond A$
T: $\Box A \to A$
4: $\Box A \to \Box\Box A$
B: $A \to \Box\Diamond A$
5: $\Diamond A \to \Box\Diamond A$
L: $\Box(A \wedge \Box A \to B) \vee \Box(B \wedge \Box B \to A)$
W: $\Box(\Box A \to A) \to \Box A$

Names of some well-known logics are

S4 = KT4
S5 = KT4B
G = KW
K4.3 = K4L
S4.3 = KT4L

Exercises 2.8
(1) $A$ is a theorem of $K S_1 \ldots S_n$ iff there is a sequence $A_0, \ldots, A_m = A$
such that for all $i \leq m$, either $A_i$ is a tautology, an instance of schema
K, or an instance of some $S_l$, or else $A_k = (A_j \to A_i)$ for some $j, k < i$,
or else $A_i = \Box A_j$ for some $j < i$.
(2) KD is the smallest normal logic containing the formula $\Diamond\top$.
(3) KB4 = KB5.
(4) S5 = KDB4 = KDB5 = KT5.
(5) In the definition of S4.3, the schema L can be simplified to

(6) K4 $\subseteq$ G, i.e. $\vdash_G \Box A \to \Box\Box A$ (cf. Boolos [1979], p.30).
Uniform Logics
A logic $\Lambda$ is uniform if it is closed under Uniform Substitution, i.e.,
if $A \in \Lambda$, then $A' \in \Lambda$ whenever $A'$ is a substitution instance of $A$
(cf. page 5 for the definition of "substitution instance").

Exercises 2.9
(1) $\Lambda$ is uniform iff
$A \in \Lambda$ implies $S_A \subseteq \Lambda$,
where $S_A$ is the schema defined by $A$ (cf. page 6).
(2) If $\Lambda$ is uniform, and $\Lambda \cap \Phi \neq \emptyset$, then $\Lambda$ is not consistent.

The logic $\Lambda_{\mathcal M} = \{A : \mathcal M \models A\}$ determined by a model $\mathcal M$ need not be
uniform. For instance, if $V(p) = S$ in $\mathcal M$, then $\Lambda_{\mathcal M}$ will contain the atomic
formula $p$, but not its substitution instance $\bot$. However, most of the logics
we will encounter are uniform, including any logic determined by a frame,
or a class of frames, and any of the form $K S_1 \ldots S_n$, where the $S_i$ are
schemata. These results are covered as follows.

Exercises 2.10
(1) Associate with each atomic formula $p$ a formula $B_p$. Then if
$\mathcal M = (S, R, V)$ is a model on a frame $\mathcal F = (S, R)$, define a new model
$\mathcal M' = (S, R, V')$ on $\mathcal F$ by putting
$V'(p) = \{s \in S : \mathcal M \models_s B_p\}$.
Prove that for any formula $A$, and any $s \in S$,
$\mathcal M' \models_s A$ iff $\mathcal M \models_s A'$,
where $A'$ is the result of uniformly substituting $B_p$ for each atomic
formula $p$ in $A$.
(2) Deduce from Exercise (1) that for any frame $\mathcal F$, the normal logic
$\{A : \mathcal F \models A\}$ is uniform.
(3) Associate with each atomic formula $p$ a formula $B_p$, and, as in Exercise
(1), for each formula $A$, let $A'$ be the result of uniformly substituting
$B_p$ for each atomic $p$ in $A$.
Let $S_1, \ldots, S_n$ be a list of schemata, and $A_0, \ldots, A_m$ a sequence of
formulae fulfilling the description given in Exercise 2.8(1). Show that
the sequence $A'_0, \ldots, A'_m$ also fulfills this description with $A'_i$ in place
of $A_i$.
(4) Deduce from Exercise (3) that any logic of the form $K S_1 \ldots S_n$ is
uniform.
3 | Canonical Models and Completeness

The canonical model of a consistent normal logic $\Lambda$ is the structure
$\mathcal M_\Lambda = (S_\Lambda, R_\Lambda, V_\Lambda)$,
where
$S_\Lambda = \{s \subseteq Fma(\Phi) : s \text{ is } \Lambda\text{-maximal}\}$,
$s R_\Lambda t$ iff $\{A \in Fma(\Phi) : \Box A \in s\} \subseteq t$,
$V_\Lambda(p) = \{s \in S_\Lambda : p \in s\}$.

With regard to the definition of $R_\Lambda$, recall the intuitive interpretation of
$sRt$ as meaning that $t$ is a conceivable alternative to $s$, a world in which
all necessary truths of $s$ are realised.
The canonical frame for $\Lambda$ is $\mathcal F_\Lambda = (S_\Lambda, R_\Lambda)$. (Note that if $\Lambda$ is not
consistent (i.e. $\vdash_\Lambda \bot$, and hence $\Lambda = Fma(\Phi)$), then there are no $\Lambda$-maximal
sets, so $\mathcal M_\Lambda$ and $\mathcal F_\Lambda$ do not exist.)
Exercise 3.1
$s R_\Lambda t$ iff $\{\neg\Box A : A \notin t\} \subseteq s$ iff $\{\Diamond A : A \in t\} \subseteq s$.
Theorem 3.2. For any $s \in S_\Lambda$, and any $B \in Fma(\Phi)$,
$\Box B \in s$ iff for all $t \in S_\Lambda$, $s R_\Lambda t$ implies $B \in t$.
Proof. We give the "if" direction only. Suppose that for all $t \in S_\Lambda$,
$s R_\Lambda t$ implies $B \in t$,
i.e.,
$\{A : \Box A \in s\} \subseteq t$ implies $B \in t$.
Then by Corollary 2.6(1),
$\{A : \Box A \in s\} \vdash_\Lambda B$,
so by Exercise 2.7(4),
$\{\Box A : \Box A \in s\} \vdash_\Lambda \Box B$,
and hence by Exercise 2.2(5),
$s \vdash_\Lambda \Box B$.
But $s$ is $\Lambda$-deductively closed (Ex. 2.3(1)), and so $\Box B \in s$ as desired.

Truth Lemma 3.3. Let $A \in Fma(\Phi)$. Then for any $s \in S_\Lambda$,

$\mathcal M_\Lambda \models_s A$ iff $A \in s$.
Proof. By induction on the formation of $A$. The case $A = p \in \Phi$ is given
by the definition of $V_\Lambda$, while the case $A = \bot$, and the inductive case
$A = (B \to C)$, follow from Exercises 2.3(5) and 2.3(6). For the case $A = \Box B$,
assume inductively that the result holds for $B$, and apply Theorem 3.2.
Corollary 3.4. $\mathcal M_\Lambda$ determines $\Lambda$, i.e. for all formulae $A$,

$\mathcal M_\Lambda \models A$ iff $\vdash_\Lambda A$.

Proof. By Corollary 2.6, $\vdash_\Lambda A$ iff $A$ belongs to all members of $S_\Lambda$.

Note that Corollary 3.4 implies that $\Lambda$ is complete with respect to the
frame $\mathcal F_\Lambda$:
$\mathcal F_\Lambda \models A$ implies $\vdash_\Lambda A$.
$\Lambda$ need not however be sound with respect to $\mathcal F_\Lambda$, i.e. it may be that
$\mathcal F_\Lambda \not\models \Lambda$. Indeed there are some logics that are not determined by any
class of frames. §7 will discuss examples.
Theorem 3.5. (Determination of K). $\vdash_K A$ if, and only if, $A$ is valid in
all frames.
Proof.
Soundness: For any frame $\mathcal F$, $\Lambda_{\mathcal F} = \{B : \mathcal F \models B\}$ is a normal logic, so
$K \subseteq \Lambda_{\mathcal F}$, i.e. $\vdash_K A$ implies $\mathcal F \models A$.
Completeness: if $\nvdash_K A$, then by Corollary 3.4, $A$ is false in $\mathcal M_K$, and so is
not valid in the frame $\mathcal F_K$.

Completeness Theorems
In order to show that a logic $\Lambda$ is complete with respect to some class of
models, or of frames, defined by certain conditions, it suffices to show that
$\mathcal M_\Lambda$, or $\mathcal F_\Lambda$, satisfies those conditions. The great power of this approach
resides in the fact that the proof-theoretic properties of $\Lambda$ have an impact on
the properties of the relation $R_\Lambda$. To give some examples of this, recall the
first-order properties 1-10 of $R$, and their corresponding modal schemata,
listed on page 12.
Theorem 3.6. If a normal logic $\Lambda$ contains any one of the schemata 1-10,
then $R_\Lambda$ satisfies the corresponding first-order condition.
Proof. Generally, the proof for a universal condition, like transitivity, is a
relatively straightforward application of the definitions, while cases which
involve existential assertions, such as weak density, require a deeper
construction. We illustrate with these two properties.
Transitivity. Suppose $\Lambda$ contains the schema
$\Box A \to \Box\Box A$.
Then all members of $S_\Lambda$ contain all instances of this schema. Hence if $s R_\Lambda t$
and $t R_\Lambda u$, $\Box A \in s$ implies $\Box\Box A \in s$, so $\Box A \in t$ as $s R_\Lambda t$, and then $A \in u$
as $t R_\Lambda u$. This proves
$\{A : \Box A \in s\} \subseteq u$,
i.e. $s R_\Lambda u$ as desired.
Weak density. Suppose $\Lambda$ contains the schema
$\Box\Box A \to \Box A$.
Assume $s R_\Lambda t$. We want to find some $u \in S_\Lambda$ such that $s R_\Lambda u$, i.e.
$\{A : \Box A \in s\} \subseteq u$, and $u R_\Lambda t$, which is equivalent to $\{\neg\Box B : B \notin t\} \subseteq u$ (cf.
Exercise 3.1). Therefore it suffices to show that the set
$u_0 = \{A : \Box A \in s\} \cup \{\neg\Box B : B \notin t\}$
is $\Lambda$-consistent. For then by Lindenbaum's Lemma 2.5, there will be some
$u \in S_\Lambda$ with $u_0 \subseteq u$ as desired.
Suppose then that $u_0$ is not $\Lambda$-consistent. Then there is a $\Lambda$-theorem

$\vdash_\Lambda A_1 \wedge \ldots \wedge A_m \wedge \neg\Box B_1 \wedge \ldots \wedge \neg\Box B_n \to \bot$, (i)

for some $m, n \geq 0$, with each $\Box A_i$ in $s$, and each $B_j$ not in $t$. Let
$B = (B_1 \vee \ldots \vee B_n)$. Then since

$\vdash_\Lambda \Box B_1 \vee \ldots \vee \Box B_n \to \Box B$ (ii)

(cf. Ex. 2.7(1)), it follows from (i) and (ii) by tautological consequence that

$\vdash_\Lambda A_1 \wedge \ldots \wedge A_m \to \Box B$
and so by Exercise 2.7(2),

$\vdash_\Lambda \Box A_1 \wedge \ldots \wedge \Box A_m \to \Box\Box B$.

As each $\Box A_i$ is in $s$, this implies $\Box\Box B \in s$. But by hypothesis,

$(\Box\Box B \to \Box B) \in s$,

hence $\Box B \in s$, giving $B \in t$ as $s R_\Lambda t$. But this implies that for some $j$, $B_j$
is in $t$ (2.3(8)), which is a contradiction.
Thus the hypothesis that $u_0$ is $\Lambda$-inconsistent must be false.

Exercise 3.7
Complete the proof of Theorem 3.6.

The next Theorem and Exercises exemplify the way in which canonical
models are used to prove completeness and determination results. The
particular logics concerned were defined on page 22.
Theorem 3.8. S4 is determined by the class of reflexive and transitive
frames.
Proof.
Soundness. If the relation $R$ of frame $\mathcal F$ is reflexive and transitive, then
the normal logic
$\Lambda_{\mathcal F} = \{A : \mathcal F \models A\}$
contains the schemata T and 4, and so contains KT4 = S4, i.e. $\vdash_{S4} A$
implies $\mathcal F \models A$.
Completeness. By the schemata T and 4, the canonical S4-frame is reflexive
and transitive (Theorem 3.6). Hence if $A$ is valid in all reflexive and
transitive frames, then $\mathcal F_{S4} \models A$, and so $\vdash_{S4} A$.

Exercises 3.9
(1) KD is determined by the class of serial frames.
(2) S5 is determined by the class of equivalence relations (reflexive,
transitive, and symmetric frames).
(3) K4.3 is determined by the class of transitive weakly-connected frames,
and S4.3 by the class of reflexive, transitive, and weakly-connected
frames.
(4) S4.2 is the name of the smallest normal logic containing S4 and the
schema
$\Diamond\Box A \to \Box\Diamond A$.
Prove that $\mathcal F_{S4.2}$ is weakly-directed, and that S4.2 is determined by
the class of reflexive, transitive, and weakly-directed frames.
(5) Axiomatise the logics determined by
(i) the class of partially-functional frames;
(ii) the class of functional frames;
(iii) the class of weakly dense frames.
(6) (Harder). For all $n \geq 0$, define the formulae $\Box^n A$ inductively by
$\Box^0 A = A$,
$\Box^{n+1} A = \Box\Box^n A$.
Thus $\Box^n A = \Box \ldots \Box A$ ($n$ times). Define the formula $\Diamond^n A$ similarly.
(i) Show that in any model $\mathcal M$,
$\mathcal M \models_s \Box^n A$ iff $s R^n t$ implies $\mathcal M \models_t A$;
$\mathcal M \models_s \Diamond^n A$ iff $\exists t (s R^n t \ \&\ \mathcal M \models_t A)$.
(ii) If $\Lambda$ is a normal logic, show that
$\vdash_\Lambda \Box^n A \wedge \Box^n B \leftrightarrow \Box^n (A \wedge B)$.
(iii) For any normal logic $\Lambda$, if $s, t \in S_\Lambda$, prove that
$s (R_\Lambda)^n t$ iff $\{A : \Box^n A \in s\} \subseteq t$ iff $\{\Diamond^n A : A \in t\} \subseteq s$.
(iv) For fixed $k, l, m, n$, let $\Lambda$ contain the schema

Show that
$s (R_\Lambda)^k t \ \&\ s (R_\Lambda)^m u$ implies $\exists v (t (R_\Lambda)^l v \ \&\ u (R_\Lambda)^n v)$.
(v) Show how (iv) encompasses all the completeness theorems we have
mentioned in the above theorems and exercises, except for K4.3
and S4.3.

S5: Logical Necessity and Introspective Knowledge

S5 is amongst the most well-known of modal logics, and is often regarded as
the system which characterises the notion of logical necessity. It might be
argued that a possible world, representing a different way the world could
have been, ought to satisfy all the logical laws of the actual world, and so
a context in which one of our logical laws was violated should not count
as a possible world at all. From this point of view, a logically necessary
truth is one which is true in all possible worlds whatsoever, suggesting the
semantic analysis

$\mathcal M \models_s \Box A$ iff for all $t \in S$, $\mathcal M \models_t A$.

But this is equivalent to confining our relational semantics to frames
$\mathcal F = (S, R)$ in which $R$ is universal, i.e. $R = S \times S$, so that any $s$ has $sRt$ for all
Theorem 3.10. S5 is determined by the class of universal frames.

Proof. Soundness is left as an exercise. For completeness, suppose $\nvdash_{S5} A$.
Then $A$ is false at some point $t$ in the canonical model $\mathcal M_{S5}$. But then
by the Submodel Lemma 1.7, $A$ is false at $t$ in the submodel of $\mathcal M_{S5}$
generated by $t$. This submodel is based on the set

$\{u \in S_{S5} : t (R_{S5})^* u\}$,

where $(R_{S5})^*$ is the reflexive transitive closure of $R_{S5}$. Since $R_{S5}$ is reflexive
and transitive, this set is just

$\{u : t R_{S5} u\}$,
the equivalence class of $t$ under the equivalence relation $R_{S5}$. But an
equivalence relation is universal on each of its equivalence classes.

The system S5 has been the focus of attention in work on the theory of
computation relating to the representation of knowledge and information
possessed by robotic systems and other "agents". Among the theorem-schemata
of S5 are
$\Box A \to \Box\Box A$
$\neg\Box A \to \Box\neg\Box A$
(the latter being a variant of the schema 5). Reading $\Box B$ as "the agent
knows $B$", the first of these says that if an agent knows something, then
it knows that it knows it, while the second states that if it does not know
something, then it knows that it does not know it. The principles of S5
are relevant to the study of an agent that possesses full introspection as to
the content of its own knowledge. For further details of this application,
cf. Parikh [1984] and Rosenschein [1985]. The paper of Rosenschein and
Kaelbling [1986] presents a system in this context with modal connectives
for time, necessity, and knowledge.

Connectedness
A frame is connected if it satisfies

$\forall s \forall t (sRt \vee s = t \vee tRs)$.

This property is satisfied by $(S, <)$, where $S$ is any of the number-sets
$\omega$, $\mathbb Z$, $\mathbb Q$, or $\mathbb R$, and the notion of connectedness will be of most interest
to us in frames, such as these examples, that are also transitive. Any
connected frame is weakly connected, but whereas the class of weakly-connected
frames is characterised by the schema
L: $\Box(A \wedge \Box A \to B) \vee \Box(B \wedge \Box B \to A)$,
there is no similar schema that is valid in precisely the connected frames.
To see this, take two connected frames $\mathcal F_1$ and $\mathcal F_2$ that have no elements
in common, and form their union

$\mathcal F_1 \uplus \mathcal F_2 = (S_1 \cup S_2, R_1 \cup R_2)$.

$\mathcal F_1 \uplus \mathcal F_2$ is called a disjoint union, since $S_1$ and $S_2$ are disjoint. It can be
shown that any formula valid in both $\mathcal F_1$ and $\mathcal F_2$ will be valid in $\mathcal F_1 \uplus \mathcal F_2$ (cf.
Ex. 3.11(3) below). But the latter is only weakly connected, not connected.
Nonetheless, by using the generated-submodel construction in the way
that was done for S5 in Theorem 3.10 above, we will be able to produce
the connected frames we need.

Exercises 3.11
(1) Let $\mathcal F$ be a transitive weakly connected frame. Prove that any
generated subframe of $\mathcal F$ is connected. Then prove that K4.3 is determined
by the class of transitive connected frames, and S4.3 by the class of
reflexive, transitive, and connected frames.
(2) A frame is directed if it satisfies

$\forall s \forall t \exists u (sRu \wedge tRu)$.

Prove that the logic S4.2 of Exercise 3.9(4) is determined by the class
of reflexive, transitive, and directed frames.
(3) (Disjoint Unions in General.) Let $\{\mathcal F_i : i \in I\}$ be a collection of
frames $\mathcal F_i = (S_i, R_i)$ that are pairwise disjoint, i.e. $S_i \cap S_j = \emptyset$ for all
$i \neq j \in I$. Let
$\biguplus_I \mathcal F_i = (\bigcup_{i \in I} S_i, \bigcup_{i \in I} R_i)$.
Show that
$\biguplus_I \mathcal F_i \models A$ iff for all $i \in I$, $\mathcal F_i \models A$.
The result of this last exercise offers a deeper explanation of why S5
is determined by both the class of universal frames and the class of
equivalence relations: any equivalence relation is the disjoint union of
its equivalence classes, each of which is a universal frame.
4 | Filtrations and Decidability

To show that a logic $\Lambda$ is complete with respect to a class $C$ of structures,
one may try to show that if $\nvdash_\Lambda A$ then there is a member of $C$ that rejects
$A$. Now we know that there will be some point in the canonical model $\mathcal M_\Lambda$
at which $A$ is false, but in its capacity as a falsifying model for a particular
non-theorem $A$, $\mathcal M_\Lambda$ provides a good deal of superfluous information. To
begin with, to calculate the truth-value of $A$ at points in $\mathcal M_\Lambda$, we need only
know the truth-values in $\mathcal M_\Lambda$ of the members of the set $Sf(A)$ of subformulae
of $A$, whereas $\mathcal M_\Lambda$ provides truth-values for all formulae whatsoever.
Moreover, if $\Phi$ is infinite, then $S_\Lambda$ will be infinite (in fact uncountable),
and so a point of $\mathcal M_\Lambda$ will in general be indistinguishable from many other
points as to how it treats the finitely many members of $Sf(A)$. Thus we
may as well identify points that assign the same truth-values to all members
of $Sf(A)$. The identification process allows us to collapse $\mathcal M_\Lambda$, and
to form a new falsifying model for $A$, one that has room for variety in its
definition. This process, known as filtration, gives a way of proving certain
technical results (finite model property, decidability) about certain logics
$\Lambda$. But more importantly, it gives a new way of constructing models that
comes into its own in cases where $\mathcal M_\Lambda$ is not in the desired class $C$ for a
completeness theorem.

Filtrations
Fix a model $\mathcal M = (S, R, V)$ and a set $\Gamma \subseteq Fma(\Phi)$ that is closed under
subformulae, i.e.
$B \in \Gamma$ implies $Sf(B) \subseteq \Gamma$.
For each $s \in S$, define
$\Gamma_s = \{B \in \Gamma : \mathcal M \models_s B\}$,
and put
$s \sim_\Gamma t$ iff $\Gamma_s = \Gamma_t$,
so that
$s \sim_\Gamma t$ iff for all $B \in \Gamma$, $\mathcal M \models_s B$ iff $\mathcal M \models_t B$.

Then $\sim_\Gamma$ is an equivalence relation on $S$. Let
$|s| = \{t \in S : s \sim_\Gamma t\}$
be the $\sim_\Gamma$-equivalence class of $s$, and define
$S_\Gamma = \{|s| : s \in S\}$
to be the set of all such equivalence classes.
Lemma 4.1. If $\Gamma$ is finite, then $S_\Gamma$ is finite and has at most $2^n$ elements,
where $n$ is the number of elements of $\Gamma$.
Proof. Since $|s| = |t|$ iff $s \sim_\Gamma t$ iff $\Gamma_s = \Gamma_t$, putting
$f(|s|) = \Gamma_s$
gives a well-defined and one-to-one mapping of $S_\Gamma$ into the set of subsets
of $\Gamma$. Hence $S_\Gamma$ has no more elements than there are subsets of $\Gamma$. But if
$\Gamma$ has $n$ elements, then it has $2^n$ subsets.

Exercise 4.2
$S_\Gamma$ can be finite even if $\Gamma$ is not. Define $\Gamma$ to be finitely based over $\mathcal M$ if
there exists a finite set $\Delta$ of formulae such that
$\forall B \in \Gamma\ \exists B_0 \in \Delta\ (\mathcal M \models B \leftrightarrow B_0)$.
Show that $S_\Gamma$ is finite if $\Gamma$ is finitely based over $\mathcal M$.

Now let $\Phi_\Gamma = \Phi \cap \Gamma$ be the set of atomic formulae that belong to $\Gamma$, and
define
$V_\Gamma : \Phi_\Gamma \to 2^{S_\Gamma}$
by putting
$|s| \in V_\Gamma(p)$ iff $s \in V(p)$
whenever $p \in \Phi_\Gamma$ (since then $p \in \Gamma$, $V_\Gamma$ is well-defined).
We are going to consider $\Phi_\Gamma$-models of the form $\mathcal M' = (S_\Gamma, R', V_\Gamma)$
with the property that the truth-values of members of $\Gamma$ in $\mathcal M$ and in $\mathcal M'$
are left invariant by the correspondence $s \mapsto |s|$. Reflection on what is
required to make this work leads to the following definition.
A binary relation $R'$ on $S_\Gamma$ is called a $\Gamma$-filtration of $R$ if it satisfies
(F1) if $sRt$, then $|s| R' |t|$; and
(F2) if $|s| R' |t|$, then for all $B$,
if $\Box B \in \Gamma$ and $\mathcal M \models_s \Box B$, then $\mathcal M \models_t B$.
Any $\Phi_\Gamma$-model $\mathcal M' = (S_\Gamma, R', V_\Gamma)$ in which $R'$ satisfies F1 and F2 is called
a $\Gamma$-filtration of the model $\mathcal M$.
Filtration Lemma 4.3. If $B \in \Gamma$, then for any $s \in S$,

$\mathcal M \models_s B$ iff $\mathcal M' \models_{|s|} B$.

Proof. An important exercise for the reader. The case $B = p \in \Phi$ is
given by the definition of $V_\Gamma$. The inductive case for the truth-functional
connectives is straightforward, while the case for $\Box$ uses F1 and F2. Note
that the closure of $\Gamma$ under subformulae is needed in order to be able to
apply the induction hypothesis.

Exercise 4.4
Let $\Gamma^b$ be the Boolean closure of $\Gamma$, i.e. the closure of $\Gamma$ under the
propositional connectives. Show that the Filtration Lemma holds for all $B \in \Gamma^b$.

Examples of Filtrations
1. The smallest filtration.

$|s| R^\sigma |t|$ iff $\exists s' \in |s|\ \exists t' \in |t|\ (s' R t')$.

2. The largest filtration.

$|s| R^\lambda |t|$ iff for all $B$, $\Box B \in \Gamma\ \&\ \mathcal M \models_s \Box B$ implies $\mathcal M \models_t B$.

3. The transitive filtration.

$|s| R^\tau |t|$ iff for all $B$, $\Box B \in \Gamma\ \&\ \mathcal M \models_s \Box B$ implies $\mathcal M \models_t \Box B \wedge B$.

Exercises 4.5
(1) $R^\sigma$ and $R^\lambda$ are always $\Gamma$-filtrations of $R$.
(2) If $R'$ is any $\Gamma$-filtration of $R$, then
$R^\sigma \subseteq R' \subseteq R^\lambda$
(hence the names smallest and largest).
(3) $R^\tau$ is transitive and satisfies F2. If $R$ is transitive, then $R^\tau$ is a
$\Gamma$-filtration of $R$.
(4) Define a symmetric relation on $S_\Gamma$ that is a $\Gamma$-filtration of $R$ whenever
$R$ is symmetric.
(5) Show that the following properties are preserved in passing from $R$ to
any $\Gamma$-filtration of $R$: reflexive, serial, connected, directed.
Theorem 4.6. K is determined by the class of all finite frames. Moreover,
if a formula $A$ has $n$ subformulae, then $\vdash_K A$ if, and only if, $A$ is valid in
all frames having at most $2^n$ elements.
Proof. Suppose $\nvdash_K A$. Then there is a point $s$ in some model $\mathcal M$ at which
$A$ is false (e.g. $\mathcal M = \mathcal M_K$). Let $\Gamma = Sf(A)$. Then $\Gamma$ is closed under
subformulae, so we can construct $\Gamma$-filtrations $\mathcal M' = (S_\Gamma, R', V_\Gamma)$ of $\mathcal M$ as
above. By the Filtration Lemma 4.3, $A$ is false at $|s|$ in any such model,
and hence not valid in the frame $(S_\Gamma, R')$. The desired bound on the size
of $S_\Gamma$ is given by Lemma 4.1.

Decidability
A logic $\Lambda$ has the finite frame property if it is determined by its finite
frames, i.e.,
if $\nvdash_\Lambda A$, then there is a finite frame $\mathcal F$ with $\mathcal F \models \Lambda$ and $\mathcal F \not\models A$.
Theorem 4.6 showed that the smallest normal logic K has the finite frame
property, but it showed more: a computable bound was given on the size
of the invalidating frame for a given non-theorem. This implies that the
property of K-theoremhood is decidable, i.e. that there is an algorithm
for determining, for each formula $A$, whether or not $\vdash_K A$. If $A$ has $n$
subformulae, we simply check to see whether or not $A$ is valid in all frames
of size at most $2^n$. Since a finite set has finitely many binary relations ($2^{m^2}$
relations on an $m$-element set), there are only finitely many frames of size at
most $2^n$. Moreover, to determine whether $A$ is valid on a finite frame $\mathcal F$, we
need only look at models $V : \Phi_A \to 2^S$ on $\mathcal F$, where $\Phi_A = \Phi \cap Sf(A)$. But
there are only finitely many such models on $\mathcal F$. Thus the whole checking
procedure for validity of $A$ in frames of size at most $2^n$ can be completed
in a finite amount of time.
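The filtration construction of §4 and the checking procedure just described, carried out in Python as an added example (this code is not the book's). The tuple encoding of formulae, the helper names and the five-point sample model are all constructed here, and the frame-size bound is taken as a parameter, since the $2^n$ bound of Theorem 4.6 is far too large to enumerate by brute force for all but the smallest formulae.

```python
from itertools import product

# Formulae are nested tuples: an atom is a str, bottom is BOT, implication is
# ('->', A, B) and box is ('box', A); other connectives are abbreviations, as in
# the book.  Representation and helper names are this example's own.
BOT = ('bot',)

def subformulae(a):
    """Sf(A): the set of subformulae of A (closed under subformulae)."""
    if isinstance(a, str) or a == BOT:
        return {a}
    out = {a}
    for sub in a[1:]:
        out |= subformulae(sub)
    return out

def holds(model, s, a):
    """M |=s A on a finite model (S, R, V): R a set of pairs, V maps atoms to sets."""
    S, R, V = model
    if isinstance(a, str):
        return s in V.get(a, set())
    if a == BOT:
        return False
    if a[0] == '->':
        return (not holds(model, s, a[1])) or holds(model, s, a[2])
    return all(holds(model, t, a[1]) for t in S if (s, t) in R)

def filtration(model, gamma):
    """The Gamma-filtration construction.  Each s is labelled by
    Gamma_s = {B in Gamma : M |=s B}, and that label serves as the class |s|
    (|s| = |t| iff Gamma_s = Gamma_t).  Returns (S_Gamma, R^sigma, R^lambda, V_Gamma, cls)."""
    S, R, V = model
    gamma = frozenset(gamma)
    cls = {s: frozenset(b for b in gamma if holds(model, s, b)) for s in S}
    S_g = set(cls.values())
    V_g = {p: {cls[s] for s in S if s in V.get(p, set())}
           for p in gamma if isinstance(p, str)}
    # Example 1, the smallest filtration: |s| R |t| iff some s' ~ s and t' ~ t have s' R t'.
    R_small = {(cls[s], cls[t]) for (s, t) in R}
    # Example 2, the largest filtration.  Since classes are labelled by Gamma_s,
    # "M |=s box B" is just "box B in x" and "M |=t B" is "B in y".
    boxes = [b for b in gamma if isinstance(b, tuple) and b[0] == 'box']
    R_large = {(x, y) for x in S_g for y in S_g
               if all(b[1] in y for b in boxes if b in x)}
    return S_g, R_small, R_large, V_g, cls

def filtration_lemma_holds(model, gamma, R_prime, V_g, cls):
    """Check Lemma 4.3 exhaustively: for all B in Gamma, s in S: M |=s B iff M' |=|s| B."""
    m_prime = (set(cls.values()), R_prime, V_g)
    return all(holds(model, s, b) == holds(m_prime, cls[s], b)
               for s in model[0] for b in gamma)

def frames(max_size):
    """Every frame (S, R) with S = {0, ..., m-1} and 1 <= m <= max_size."""
    for m in range(1, max_size + 1):
        S = list(range(m))
        pairs = [(s, t) for s in S for t in S]
        for bits in product((0, 1), repeat=len(pairs)):
            yield S, {pr for pr, b in zip(pairs, bits) if b}

def theorem_4_6_bound(a):
    """2^n with n = |Sf(A)|: a frame size that suffices to refute any K-non-theorem."""
    return 2 ** len(subformulae(a))

def countermodel(a, max_size):
    """The checking procedure of the text with the size bound as a parameter: try
    every frame of size <= max_size and every valuation V : Phi_A -> 2^S for a point
    refuting A.  Returns (S, R, V, s) or None.  None proves |-K A only when
    max_size >= theorem_4_6_bound(a); a smaller bound just looks for small refutations."""
    atoms = sorted(p for p in subformulae(a) if isinstance(p, str))
    for S, R in frames(max_size):
        subsets = [{s for s, b in zip(S, bits) if b}
                   for bits in product((0, 1), repeat=len(S))]
        for choice in product(subsets, repeat=len(atoms)):
            V = dict(zip(atoms, choice))
            for s in S:
                if not holds((S, R, V), s, a):
                    return S, R, V, s
    return None

# Constructed sample model (not from the book): the chain 0->1->2->3 with a loop
# at 3, plus a point 4 that agrees with point 1 on every member of Sf(box p -> q).
SAMPLE = ({0, 1, 2, 3, 4},
          {(0, 1), (1, 2), (2, 3), (3, 3), (4, 2)},
          {'p': {1, 3, 4}, 'q': {2}})
SAMPLE_A = ('->', ('box', 'p'), 'q')        # Sf(SAMPLE_A) has 4 members
K_INSTANCE = ('->', ('box', ('->', 'p', 'q')), ('->', ('box', 'p'), ('box', 'q')))

def sample_filtration():
    return filtration(SAMPLE, subformulae(SAMPLE_A))

if __name__ == '__main__':
    S_g, R_small, R_large, V_g, cls = sample_filtration()
    print(len(SAMPLE[0]), 'points collapse to', len(S_g), 'classes')
    print('R_small subset of R_large:', R_small <= R_large)
    print('T refuted in a 1-point frame:', countermodel(('->', ('box', 'p'), 'p'), 1))
    print('K instance, no countermodel up to size 2:', countermodel(K_INSTANCE, 2))
```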
To consider the case of logics other than K, we will say that $\Lambda$ has the
strong finite frame property if there is a computable function $g$ such that
if $\nvdash_\Lambda A$, then there is a finite $\Lambda$-frame that invalidates $A$ and has at
most $g(n)$ elements, where $n$ is the number of subformulae of $A$.
Now in adapting the above decidability argument to $\Lambda$, there is an extra
feature. In addition to deciding whether or not a given finite frame $\mathcal F$
validates $A$, we also have to decide whether or not $\mathcal F \models \Lambda$. If $\Lambda$ is finitely
axiomatisable, meaning that

$\Lambda = K S_1 \ldots S_n$

for some finite number of schemata $S_i$, then the property "$\mathcal F \models \Lambda$" is
decidable: it suffices to determine whether each $S_i$ is valid in $\mathcal F$. For all of
the logics we have considered thus far, validity of $S_i$ is equivalent to some
first-order property of $R$, which can be algorithmically decided for finite
$\mathcal F$. But in any case, validity of a schema, and hence of a finite number
of schemata, on a finite frame, is always decidable. The point is that a
schema, such as
$\Box(A \wedge \Box A \to B) \vee \Box(B \wedge \Box B \to A)$,
has only finitely many "atomic components" $A, B, \ldots$, and there are only
finitely many choices for the "truth-sets"
$\{s : \mathcal M \models_s A\}$, $\{s : \mathcal M \models_s B\}$,
of these components in all possible models $\mathcal M$ on $\mathcal F$. To put it another
way: a schema is the set $S_A$ of all substitution instances of some formula
$A$, and validity of all members of $S_A$ in frame $\mathcal F$ is equivalent (by 2.10(2))
to validity of $A$ in $\mathcal F$, which, as noted on the previous page, is decidable
when $\mathcal F$ is finite. Thus we have
Theorem 4.7. Every finitely axiomatisable logic with the strong finite
frame property is decidable.

Exercises 4.8
(1) Prove that the logics KD, KT, K4, KB, S4, S5, K4.3, S4.3, S4.2
(Exercises 3.9(4), 3.11(2)), are all decidable.
(2) In fact any finitely axiomatisable logic with the finite frame property
is decidable (i.e. the result holds without invoking the computable
function $g$). Prove this as follows.
(i) Show that a finitely axiomatisable logic $\Lambda$ is effectively enumerable,
i.e. there is an algorithm for enumerating the members of $\Lambda$
(hint: cf. Exercise 2.8(1)).
(ii) Show that if $\Lambda$ has the finite frame property and is finitely
axiomatisable, then the complement $Fma(\Phi) - \Lambda$ of $\Lambda$ is effectively
enumerable (hint: enumerate all the finite $\Lambda$-frames and systematically
test formulae for validity in them).
(iii) Use the fact that $\Lambda$ is decidable iff both $\Lambda$ and $Fma(\Phi) - \Lambda$ are
effectively enumerable.

Finite Model Property

The topic of decidability could also be approached via the notion of the
finite model property, which states that
if $\nvdash_\Lambda A$, then there is a finite $\Lambda$-model $\mathcal M$ with $\mathcal M \not\models A$.
It turns out that for logics that are uniform, this is equivalent to the finite
frame property. The following exercises indicate how to prove this.

Exercises 4.9
A model $\mathcal M$ is distinguished if for any two distinct points $s$ and $t$ in $\mathcal M$
there is a formula $A$ with $\mathcal M \models_s A$ and $\mathcal M \not\models_t A$.
(1) Show that any filtration is distinguished. Hence show that for any
model $\mathcal M$, if $\Gamma = Fma(\Phi)$, then any $\Gamma$-filtration of $\mathcal M$ is a
distinguished model that is "equivalent" to $\mathcal M$ in some suitable sense.
(2) If $\mathcal M$ is finite and distinguished, show that for each $s$ in $\mathcal M$ there is a
formula $A_s$ such that for any $t$ in $\mathcal M$,

$\mathcal M \models_t A_s$ iff $t = s$.

(3) If $\mathcal M$ is finite and distinguished, show that for any subset $X$ of $\mathcal M$
there exists a formula $A_X$ such that for any $t$ in $\mathcal M$,

$\mathcal M \models_t A_X$ iff $t \in X$.

(4) Let $\mathcal M$ be a distinguished model on a finite frame $\mathcal F$. If $\mathcal M' = (\mathcal F, V')$
is any other model on $\mathcal F$, show that for all formulae $A$,

$\mathcal M \models_s A'$ iff $\mathcal M' \models_s A$,

where $A'$ is the result of uniformly replacing each atomic $p$ in $A$ by
$A_X$, where $X = V'(p)$.
Deduce that for any uniform logic $\Lambda$,

$\mathcal M \models \Lambda$ iff $\mathcal F \models \Lambda$.

(5) Complete the argument showing that for uniform logics, the finite
model property implies the finite frame property.

Decidability Without the Finite Model Property


Although the finite frame property is sufficient to guarantee decidability
for a finitely axiomatised logic, it is not necessary. The sharpest result in
this direction would appear to be that of Cresswell [1984], which presents
an example of a uniform normal logic that is finitely axiomatisable and
decidable, but is incomplete, i.e. not determined by any class of frames at
all. Such a logic cannot have the finite frame (or model) property.
The proof that Cresswell's logic is decidable uses a technique of transla-
tion into a decidable fragment of monadic second-order logic, and is beyond
our scope.
5 | Multimodal Languages

Syntax
The whole theory presented so far adapts readily to languages with more
than one modal connective. Given a set $\Phi$ of atomic formulae $p$, and a
new collection of symbols $\{[i] : i \in I\}$, a set $Fma_I(\Phi)$ of formulae $A$ is
generated by the BNF definition

so that we now have formulae $[i]A$ for each $A \in Fma_I(\Phi)$ and each $i \in I$.
The connective $[i]$ is to be treated in the way we treated $\Box$ previously.
The dual connective $\langle i \rangle$ is defined as $\neg[i]\neg$, and corresponds to $\Diamond$.

Semantics
A frame for this new language is a structure
$\mathcal F = (S, \{R_i : i \in I\})$
comprising a set $S$ with a collection of binary relations $R_i \subseteq S \times S$, one
for each $i \in I$. (Equivalently, we may think of $\mathcal F$ as a pair $(S, R)$ with
$R : I \to 2^{S \times S}$.) A model $\mathcal M = (\mathcal F, V)$ on $\mathcal F$ is given by a function
$V : \Phi \to 2^S$, just as before. The definition of the relation $\mathcal M \models_s A$ has the
one new clause

$\mathcal M \models_s [i]A$ iff for all $t \in S$, $s R_i t$ implies $\mathcal M \models_t A$,

and the definitions of truth in a model ($\mathcal M \models A$), and validity in a frame
($\mathcal F \models A$), are unchanged.

Logics
The notion of tautology is defined as previously, taking all formulae of the
form $[i]A$, along with members of $\Phi$, in the definition of "quasi-atomic"
formula.

A logic continues to be a subset $\Lambda$ of $Fma_I(\Phi)$ that includes all
tautologies and is closed under Detachment. The theory of $\Lambda$-deducibility and
$\Lambda$-maximal sets then goes through without any changes.
A logic $\Lambda$ is normal if it contains the schemata
$[i](A \to B) \to ([i]A \to [i]B)$
and satisfies the Necessitation rules

$\vdash_\Lambda A$ implies $\vdash_\Lambda [i]A$,

for every $i \in I$. The smallest normal logic will be denoted $K_I$.

Canonical Model
For a normal logic $\Lambda$, the model

$\mathcal M_\Lambda = (S_\Lambda, \{R_i^\Lambda : i \in I\}, V_\Lambda)$

has
$s R_i^\Lambda t$ iff $\{B : [i]B \in s\} \subseteq t$,
with the definitions of $S_\Lambda$ and $V_\Lambda$ remaining the same. The proof of the
Truth Lemma for $\mathcal M_\Lambda$, i.e.,

$\mathcal M_\Lambda \models_s A$ iff $A \in s$,
continues to work as previously: we simply treat each connective $[i]$ in the
way we treated $\Box$ in §3. It follows that the logic $K_I$ is determined by the
class of all frames for the present language.

Filtrations
In defining a $\Gamma$-filtration $\mathcal M' = (S_\Gamma, \{R'_i : i \in I\}, V_\Gamma)$ of a model
$\mathcal M = (S, \{R_i : i \in I\}, V)$, we stipulate, for each $i \in I$, that $R'_i$ is a
$\Gamma$-filtration of $R_i$:

(F1$_i$) if $s R_i t$, then $|s| R'_i |t|$; and
(F2$_i$) if $|s| R'_i |t|$, then for all $B$,
if $[i]B \in \Gamma$ and $\mathcal M \models_s [i]B$, then $\mathcal M \models_t B$.
Everything else, including the proof of the Filtration Lemma

$\forall B \in \Gamma$, $\mathcal M \models_s B$ iff $\mathcal M' \models_{|s|} B$,

is as before. This yields a proof that the smallest normal logic $K_I$ has the
strong finite frame property and is decidable.

Generated Submodels
Given a model $\mathcal M = (S, \{R_i : i \in I\}, V)$, and an element $t \in S$, the
submodel $\mathcal M^t = (S^t, \{R_i^t : i \in I\}, V^t)$ generated by $t$ is defined as follows.
A subset $X$ of $S$ is $I$-closed if it satisfies:
if $u \in X$, then $v \in X$ whenever there is an $i \in I$ with $u R_i v$.
An intersection of $I$-closed sets is $I$-closed, so we can define $S^t$ as the
smallest $I$-closed subset of $S$ that contains $t$. $R_i^t$ and $V^t$ are the restrictions
of $R_i$ and $V$ to $S^t$.

Exercises 5.1
(1) Show that $\mathcal M^t \models_u A$ iff $\mathcal M \models_u A$.
(2) Show that for languages with a single modal connective (i.e. when $I$
is a singleton), the present definition of $\mathcal M^t$ agrees with that given in
§1.
(3) p-Morphisms. Formulate the appropriate notion of p-morphism for
multimodal languages, and prove the analogues of the p-Morphism
Lemmas 1.9 and 1.10.
6 | Temporal Logic

Consider a propositional language with two modal connectives, $[F]$ and
$[P]$, meaning, respectively, henceforth (at all future times), and hitherto
(at all past times). According to §5, a frame for this language has the form
$(S, R_F, R_P)$, with the modelling
$\mathcal M \models_s [F]A$ iff $s R_F t$ implies $\mathcal M \models_t A$,
$\mathcal M \models_s [P]A$ iff $s R_P t$ implies $\mathcal M \models_t A$.
We read $s R_F t$ as "$t$ is in the future of $s$" and $s R_P t$ as "$t$ is in the past of
$s$". But the intended interpretation is that $[F]$ and $[P]$ express properties
of the same time-ordering, so that $t$ should be in the past of $s$ precisely
when $s$ is in the future of $t$. Thus we want
$s R_P t$ iff $t R_F s$
(or, equivalently, that the relations $R_F$ and $R_P$ are each the converse of the
other).
Exercise 6.1
Let $\mathcal F = (S, R_F, R_P)$.
(1) Show that
$\mathcal F \models A \to [P]\langle F \rangle A$ iff $\forall s \forall t (s R_P t$ implies $t R_F s)$.
(2) Show that
$\mathcal F \models A \to [F]\langle P \rangle A$ iff $\forall s \forall t (t R_F s$ implies $s R_P t)$.
(3) If a normal logic $\Lambda$ contains the schema

then in $\mathcal M_\Lambda$,
$s R_P^\Lambda t$ implies
(4) If a normal logic $\Lambda$ contains the schema

then
implies $s R_P^\Lambda t$.

Temporal Logics
The preceding exercises indicate that any temporal logic should at least
contain the two schemata that they discuss. In the frames for such a
logic, $R_F$ and $R_P$ are interdefinable, so we may as well take one relation as
primitive, and use frames $\mathcal F = (S, R)$, where $R \subseteq S \times S$, with the modelling
$\mathcal M \models_s [F]A$ iff $sRt$ implies $\mathcal M \models_t A$,
$\mathcal M \models_s [P]A$ iff $tRs$ implies $\mathcal M \models_t A$.
But it is natural also to require a temporal ordering to be transitive, so
we will now define a time-frame to be any structure $\mathcal T = (S, R)$ with $R$
a transitive relation on $S$, and with the modelling just given. A temporal
logic is defined to be any normal logic in the language of $[F]$ and $[P]$ that
contains the schemata
$C_P$:
$C_F$:
$4_P$:
$4_F$:
Mirror Images
Notice that these schemata come in pairs, related by interchanging past
and future connectives. Members of such pairs are called "mirror images"
of each other.
The smallest temporal logic, which is

in the present notation, is commonly known as $K_t$ in the literature.


Exercises 6.2
(1) Prove that Kt is determined by the class of all time-frames.
(2) Show that only one of 4p and 4p is needed in the definition of Kt:
each is derivable from the remaining axioms.
Always
One way to view temporal logic is as a more powerful language for
expressing properties of frames of the form (S, R). To this end it is useful to
introduce the connective $\Box$ by definitional abbreviation, writing $\Box A$ for
the formula

$\Box A$ may be read "always A", i.e. at all times, past, present, and future.
The dual formula $\Diamond A = \neg\Box\neg A$ is tautologically equivalent to
$\langle P\rangle A \vee A \vee \langle F\rangle A$,
meaning "at some time (past, present, or future), A".

Exercises 6.3
Let $\mathcal{T}$ be any frame.
(1) Show that

iff R is transitive. What is the mirror image of this result?

(2) Show that
$\mathcal{T} \models \Box A \to [P][F]A$
iff R is weakly future-connected, i.e.
$sRt \wedge sRu \to (tRu \vee t = u \vee uRt)$.

(3) If $\Lambda$ contains CP, CF, and the schema

show that $\mathcal{F}_\Lambda$ is weakly future-connected.

(4) Work out the mirror images of Exercises 2 and 3.
(5) Explain why $\Box$ behaves like an S5 modality in a connected frame.

Strict and Total Orderings


• A strict ordering is a time-frame whose transitive relation is irreflexive,
and hence has the stronger property of asymmetry (cf. Exercise 1.15).
• A total ordering is a time-frame whose transitive relation is connected
and antisymmetric, like the numerical orderings $<$ and $\le$ on $\mathbb{R}$.
• A strict total ordering is therefore an irreflexive total ordering, or,
more simply, a relation that is transitive, connected, and irreflexive.
We tend to use the symbol $<$ for the relation of a strict ordering. An
immediate successor of an element x is an element y with $x < y$ and such
that there is no z with $x < z < y$. A cut in a structure $(S, <)$ is a partition
of S into a pair (X, Y) of non-empty disjoint subsets with $x < y$ whenever
$x \in X$ and $y \in Y$. A strict total ordering is continuous if for any such cut
there is a z with $x \le z \le y$ for all $x \in X$ and $y \in Y$ (where $x \le z$ iff $x < z$
or $x = z$). Intuitively, this means that there are no "gaps" in the ordering.

Exercises 6.4
Let $\mathcal{F}$ be a strict total ordering.
(1) Show that
$\mathcal{F} \models A \wedge [P]A \to \langle F\rangle[P]A$
iff every element of $\mathcal{F}$ has an immediate successor.

(2) Show that

iff every element except the last one (if it exists) has an immediate
successor. (An element x is last if there is no y with $x < y$.)
(3) Work out the mirror images of Exercises 1 and 2.
(4) Show that

$\mathcal{F} \models \Box([P]A \to \langle F\rangle[P]A) \to ([P]A$

iff $\mathcal{F}$ is continuous.

This last exercise demonstrates that temporal logic is "more expressive"
than the language we began with in §1. The real-number frame $(\mathbb{R}, <)$ is
continuous, while the rational-number frame $(\mathbb{Q}, <)$ is not. But when these
are used as frames for the language of a single modal connective, the same
formulae are valid in each: consult Exercises 8.8 in the next Part to see how
this is proved. We will also see at the end of §8 how to use the schema of
Exercise (4) above in a completeness proof for the temporal logic of $(\mathbb{R}, <)$.

Generated Time Models


According to the definition given in §5, if $\mathcal{M} = (S, R, V)$ is a model on a
time-frame, then the submodel $\mathcal{M}^t = (S^t, R^t, V^t)$ generated by an element
$t \in S$ has $S^t$ as the smallest subset X of S that contains t and is closed
under $R_P$ and $R_F$, which means that
if $u \in X$, then $v \in X$ whenever $uRv$ or $vRu$.

Exercises 6.5
(1) Let $\bar{R} = R \cup R^{-1}$, where $R^{-1} = \{(v, u) : uRv\}$. Show that
$S^t = \{u \in S : t\,(\bar{R})^*\,u\}$.
(2) Suppose that R is weakly future-connected and weakly past-connected
(cf. Ex. 6.3(2)). Show
$S^t = \{u : tRu$ or $t = u$ or $uRt\}$.
(3) Prove that if time-frame $\mathcal{T}$ is weakly future-connected and weakly
past-connected, then the generated time-frame $\mathcal{T}^t = (S^t, R^t)$ is
connected.

Temporal p-Morphisms
For temporal logic, a p-morphism $f : \mathcal{M}_1 \to \mathcal{M}_2$ must satisfy the conditions
$sR_1 t$ implies $f(s)R_2 f(t)$,
$f(s)R_2 u$ implies $\exists t\,(sR_1 t$ & $f(t) = u)$,
$uR_2 f(s)$ implies $\exists t\,(tR_1 s$ & $f(t) = u)$,
in order for the p-Morphism Lemma
$\mathcal{M}_1 \models_s A$ iff $\mathcal{M}_2 \models_{f(s)} A$
to hold for all formulae A in the language of [P] and [F].
Temporal Filtrations
In defining $\Gamma$-filtrations of models $\mathcal{M} = (S, R, V)$ on time-frames, we want
to preserve both the transitivity of R and the fact that R is $R_F$ and $R^{-1}$
is $R_P$. A suitable relation for this purpose is $R_\Gamma \subseteq S_\Gamma \times S_\Gamma$, where
$|s| R_\Gamma |t|$ iff $[F]B \in \Gamma$ and $\mathcal{M} \models_s [F]B$ implies $\mathcal{M} \models_t [F]B \wedge B$,
and
$[P]B \in \Gamma$ and $\mathcal{M} \models_t [P]B$ implies $\mathcal{M} \models_s [P]B \wedge B$.
The model $\mathcal{M}_\Gamma = (S_\Gamma, R_\Gamma, V_\Gamma)$ is then transitive, and the Filtration Lemma
$\mathcal{M} \models_s B$ iff $\mathcal{M}_\Gamma \models_{|s|} B$
holds for all $B \in \Gamma$.
Exercises 6.6
(1) Verify this last claim.
(2) Prove that the smallest temporal logic Kt is determined by the class
of finite time-frames and is decidable.
(3) Axiomatise the logic determined by the class of connected time-frames,
proving that it has the strong finite frame property and is decidable.
Diodorean Modality
The most common practice in temporal logic is to regard time as an irreflexive
ordering, so that "henceforth", meaning "at all future times", does not
refer to the present moment. On the other hand, the Greek philosopher
Diodorus proposed that the necessary be identified with that which is now
and will always be the case. This suggests a temporal interpretation of $\Box$
that is naturally formalised by using reflexive orderings. The same
interpretation is adopted in the logic of concurrent programs to be discussed in
§9.
The Diodorean analysis leads to the study of systems containing S4,
and containing S4.3 in the case of total orderings. When time is regarded
as an endless discrete total ordering, the resulting logic is a system known
as S4.3Dum, which will be investigated in §8.

Minkowski Spacetime
The Diodorean logic of four-dimensional special-relativistic spacetime has
been shown to be the system S4.2 of Exercise 3.9(4) (Goldblatt [1980]).
To explain this further, we first describe the structure of n-dimensional
spacetime.
If $x = (x_1, \ldots, x_n)$ is an n-tuple of real numbers, let

Then n-dimensional spacetime, for $n \ge 2$, is the frame
$\mathcal{T}_n = (\mathbb{R}^n, \le)$,
where $\mathbb{R}^n$ is the set of all real n-tuples, and for x and y in $\mathbb{R}^n$ we have
$x \le y$ iff $\mu(y - x) \le 0$ & $x_n \le y_n$
iff $\sum_{i=1}^{n-1}(y_i - x_i)^2 \le (y_n - x_n)^2$ & $x_n \le y_n$.

The Minkowski spacetime of special relativity theory is $\mathcal{T}_4$, in which a
typical point represents a spatial location $(x_1, x_2, x_3)$ at time $x_4$. The
intended interpretation of the relation $x \le y$ is that a signal can be sent
from x to y at a speed at most that at which light travels, so that y is in
the "causal future" of x.
The frame $\mathcal{T}_2$ is depicted in the following diagram, showing the "future
cone" $\{z : x \le z\}$ for a typical point x.

Observe that the future cones of any two points must overlap, so that the
frame is directed and validates the S4.2 axiom schema

The work of Goldblatt [1980] involves showing that each of the frames $\mathcal{T}_n$
has S4.2 as its Diodorean modal logic. Noting that there is a natural
p-morphism from $\mathcal{T}_{n+1}$ onto $\mathcal{T}_n$ (viz. delete the "first coordinate"), the heart
of the proof is then a demonstration that there is a p-morphism from $\mathcal{T}_2$
onto any finite generated frame that is reflexive, transitive, and directed.
The class of such finite frames determines S4.2 (Exercises 3.11(2), 4.5(5)).
Other interesting (strict) temporal orderings can be considered on
spacetime, such as
$x \prec y$ iff $\mu(y - x) < 0$ & $x_n < y_n$,
and
$x \sqsubset y$ iff $x \ne y$ & $x \le y$.
Here $x \prec y$ holds when a signal can be sent from x to y at slower than
light-speed, while $\sqsubset$ is the irreflexive version of $\le$.
These orderings can be distinguished in terms of the validity of modal
formulae. There may be two propositions A and B that are true in the
future just at two points that can only be reached by travelling in different
directions at the speed of light. Then $\Diamond A \wedge \Diamond B$ will be true now, but never
again in the future. Thus the schema
$\Diamond A \wedge \Diamond B \to \Diamond(\Diamond A \wedge \Diamond B)$
is falsifiable under the ordering $\sqsubset$. It is however valid under $\prec$, since a
slower-than-light journey can always be speeded up, so we could wait some
time and then travel at a greater speed to A and to B. This example is
discussed further in Goldblatt [1980], where it is also shown that under $\sqsubset$ it
is possible to distinguish the dimension of spacetime, e.g. there is a modal
formula that is valid in $(\mathbb{R}^2, \sqsubset)$ but not in $(\mathbb{R}^3, \sqsubset)$.
The only known axiomatisation result for the temporal logic of spacetime
is the one we have been discussing concerning S4.2. There are several
open problems here that the reader may be interested in thinking about:
• axiomatise the full temporal logic, in the language of [F] and [P], of
the frames $(\mathbb{R}^n, \le)$;
• axiomatise the full temporal logic, and the Diodorean modal logic, of
the frames $(\mathbb{R}^n, \prec)$ and $(\mathbb{R}^n, \sqsubset)$;
• analyse the case of discrete spacetime, in which $\mathbb{R}$ is replaced by $\mathbb{Z}$.

Since and Until


Consider a binary connective $\mathcal{U}$ with the semantics
$\mathcal{M} \models_s A\,\mathcal{U}\,B$ iff there exists t with $sRt$ and $\mathcal{M} \models_t B$,
and $\mathcal{M} \models_u A$ for all u such that $sRu$ and $uRt$.

The formula $A\,\mathcal{U}\,B$ is read "A until B", meaning that there is a future point
at which B is true, with A true at all points between now and then.
Notice that
$\mathcal{M} \models_s \top\,\mathcal{U}\,B$ iff there exists t such that $sRt$ and $\mathcal{M} \models_t B$,
so that the formula $\top\,\mathcal{U}\,B$ is equivalent to $\langle F\rangle B$. Hence $[F]B$ is equivalent
to $\neg(\top\,\mathcal{U}\,\neg B)$.
The formula $\bot\,\mathcal{U}\,B$ expresses that B will be true at a future point, with
nothing in between, i.e. B is true at an immediate successor. Hence this
formula is read "next B", and is a natural construct to consider on discrete
orderings, like $(\mathbb{Z}, <)$ and $(\omega, <)$.

Exercise 6.7
Give a semantics for the notion "A since B", and use the notion to define
$\langle P\rangle B$ and a formula expressing "B was true at the previous moment".

The connectives since and until have been shown (Kamp [1968]) to form a
complete set of connectives for continuous orderings. In a way that can be
made precise, they suffice to define all possible propositional connectives
that express temporal properties of such orderings. The connective until
has been used extensively in the temporal logic of concurrent programs,
and will be studied in that context in §9.
7 Some Topics In Metatheory

We now take up some advanced topics: first-order definability, canonicity,
incompleteness, and undecidability. (The material of this section is not
needed in later sections.)

First-Order Definability
In §1 a number of examples were given of modal schemata whose frames
were characterised by first-order conditions on a binary relation R. All of
these, and many others, can be subsumed under a general class of schemata
devised by Lemmon and Scott (Lemmon [1977]).
A formula $\varphi$ is positive if it can be constructed using no connectives
other than $\wedge$, $\vee$, $\Box$ and $\Diamond$. Thus a BNF definition of the class of positive
formulae is
$\varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \Box\varphi \mid \Diamond\varphi$.
We write $\varphi(p_1, \ldots, p_k)$ to indicate that the atomic formulae occurring in $\varphi$
are among the list $p_1, \ldots, p_k$. $\varphi(A_1, \ldots, A_k)$ is then the formula obtained
by uniformly substituting, for each $1 \le i \le k$, the formula $A_i$ for $p_i$ in $\varphi$.

Exercise 7.1
Let $\varphi(p_1, \ldots, p_k)$ be positive. If $\Lambda$ is any normal logic, and $\vdash_\Lambda A_i \to B_i$ for
$1 \le i \le k$, then

Recall from Exercise 3.9(6) the notations
$\Box^n A = \Box \cdots \Box A$ (n times),
$\Diamond^n A = \Diamond \cdots \Diamond A$ (n times).
Then for each positive formula $\varphi(p_1, \ldots, p_k)$, and pair $m = (m_1, \ldots, m_k)$
and $n = (n_1, \ldots, n_k)$ of k-tuples of natural numbers, there is an associated
Lemmon-Scott schema
$\varphi^m_n$: $\Diamond^{m_1}\Box^{n_1}A_1 \wedge \cdots \wedge \Diamond^{m_k}\Box^{n_k}A_k \to \varphi(A_1, \ldots, A_k)$.


Corresponding to this schema is a first-order condition $R\varphi^m_n$ on binary
relations R. First, for a given frame $\mathcal{F} = (S, R)$ and a k-tuple $t = (t_1, \ldots, t_k)$
of elements of S, a condition $R\varphi(s, t, n)$ on $\mathcal{F}$, with "free variable" s, is
defined by induction on the formation of the positive formula $\varphi$, as follows.
$Rp_i(s, t, n)$ is $t_i R^{n_i} s$ $(1 \le i \le k)$
$R(\varphi_1 \wedge \varphi_2)(s, t, n)$ is $R\varphi_1(s, t, n) \wedge R\varphi_2(s, t, n)$
$R(\varphi_1 \vee \varphi_2)(s, t, n)$ is $R\varphi_1(s, t, n) \vee R\varphi_2(s, t, n)$
$R\Box\varphi(s, t, n)$ is $\forall u\,(sRu \to R\varphi(u, t, n))$
$R\Diamond\varphi(s, t, n)$ is $\exists u\,(sRu \wedge R\varphi(u, t, n))$.
Then $R\varphi^m_n$ is the first-order condition
$\forall s\forall t_1 \cdots \forall t_k\,(sR^{m_1}t_1 \wedge \cdots \wedge sR^{m_k}t_k \to R\varphi(s, t, n))$.
Exercises 7.2
(1) In any model $\mathcal{M}$, if $R\varphi(s, t, n)$ and $\mathcal{M} \models_{t_i} \Box^{n_i}A_i$ for $1 \le i \le k$, then

(2) If $\mathcal{F}$ satisfies $R\varphi^m_n$, then $\mathcal{F} \models \varphi^m_n$.
(3) In any model $\mathcal{M}$, if $\mathcal{M} \models_s \varphi(p_1, \ldots, p_k)$, and $V(p_i) = \{u : t_i R^{n_i} u\}$ for
$1 \le i \le k$, then $R\varphi(s, t, n)$.
(4) If $\mathcal{F} \models \varphi^m_n$, then $\mathcal{F}$ satisfies $R\varphi^m_n$.

These exercises show that the frames validating $\varphi^m_n$ are precisely those
satisfying $R\varphi^m_n$, and hence in particular that the logic $K\varphi^m_n$ is sound with
respect to these frames. Completeness can be shown by the canonical model
method, with the key result being
Lemma 7.3. If $\varphi(p_1, \ldots, p_k)$ is positive, then the canonical frame for any
normal logic $\Lambda$ satisfies

Proof.
By induction on the formation of $\varphi$. We give the proof for $k = 1$, and drop
the subscripts. The case $\varphi = p$ amounts to the claim that
$tR^n s$ iff $\{A : \Box^n A \in t\} \subseteq s$
which was given as Exercise 3.9(6)(iii).
The most complex part of the proof concerns the inductive case of $\Diamond\varphi$,
under the hypothesis that the Lemma holds for $\varphi$. Assuming that
$\{\Diamond\varphi(A) : \Box^n A \in t\} \subseteq s$, (†)

we have to show that $R\Diamond\varphi(s, t, n)$, i.e. that there exists a $u \in S_\Lambda$ with
$sR_\Lambda u$ and $R\varphi(u, t, n)$. But then it suffices to show that the set
$u_0 = \{A : \Box A \in s\} \cup \{\varphi(B) : \Box^n B \in t\}$
is $\Lambda$-consistent. For, if u is a $\Lambda$-maximal extension of $u_0$, then the definition
of $R_\Lambda$ and the induction hypothesis on $\varphi$ ensure that u has the desired
properties.
Now if $u_0$ is not $\Lambda$-consistent, then since $\{A : \Box A \in s\}$ is closed under
finite conjunctions, it follows that there are formulae $A, B_1, \ldots, B_l$ such
that $\Box A \in s$, $\Box^n B_i \in t$ for $1 \le i \le l$, and
$\vdash_\Lambda A \to \neg(\varphi(B_1) \wedge \cdots \wedge \varphi(B_l))$.
Hence
$\vdash_\Lambda \Box A \to \Box\neg(\varphi(B_1) \wedge \cdots \wedge \varphi(B_l))$.
Since $\Box A \in s$, it follows that
$\Box\neg(\varphi(B_1) \wedge \cdots \wedge \varphi(B_l)) \in s$. (‡)
Now let $B = B_1 \wedge \cdots \wedge B_l$. Then it may be shown that $\Box^n B \in t$ (cf.
Exercise 3.9(6)(ii)), and so by (†), $\Diamond\varphi(B) \in s$. But $\vdash_\Lambda \varphi(B) \to \varphi(B_i)$ for
$1 \le i \le l$, by Exercise 7.1, so

whence
$\vdash_\Lambda \Diamond\varphi(B) \to \Diamond(\varphi(B_1) \wedge \cdots \wedge \varphi(B_l))$
and thus

which is impossible, given (‡) and the $\Lambda$-consistency of s. Therefore, $u_0$
must be $\Lambda$-consistent as desired.
The proof that $R\Diamond\varphi(s, t, n)$ implies $\{\Diamond\varphi(A) : \Box^n A \in t\} \subseteq s$ is
straightforward, as are the inductive cases for $\varphi_1 \wedge \varphi_2$ and $\Box\varphi$. The case
of $\varphi_1 \vee \varphi_2$ makes a further use of Exercise 7.1, and is also left to the reader
(cf. Goldblatt [19751]).

Exercises 7.4.
(1) Complete the proof of Lemma 7.3.
(2) Let $\Lambda$ be a normal logic that contains the schema $\varphi^m_n$. Prove that $\mathcal{F}_\Lambda$
satisfies the first-order condition $R\varphi^m_n$.
(3) If $\Lambda$ is the smallest normal logic containing a collection $\{(\varphi_i)^{m^i}_{n^i} : i \in I\}$
of Lemmon-Scott schemata, show that $\Lambda$ is determined by the class of
those frames that satisfy all the conditions $\{R(\varphi_i)^{m^i}_{n^i} : i \in I\}$.

Sahlqvist's Schemata
The form of the schema $\varphi^m_n$ was generalised by Sahlqvist [1975], to consider
formulae of the type

where $n \ge 0$, $\psi$ is positive, and $\varphi$ is constructed from atomic formulae
and/or their negations using at most $\wedge$, $\vee$, $\Box$ and $\Diamond$, in such a way that
no occurrence of $\wedge$, $\vee$ or $\Diamond$ is inside the scope of a $\Box$.
Sahlqvist showed that the frames validating any such formula are char-
acterised by a first-order condition on R, and that this condition is satisfied
by the canonical frame of the normal logic axiomatised by the schema cor-
responding to the formula.
A recent discussion and proof of this result may be found in Sambin
and Vaccaro [1989].

Canonicity
A normal logic $\Lambda$ is canonical if it is validated by its canonical frame, i.e. if
$\mathcal{F}_\Lambda \models \Lambda$. The most accessible example of failure of canonicity is the logic
KW, where W is the schema
$\Box(\Box A \to A) \to \Box A$
first mentioned in §1. Completeness for KW will be considered in §8 (cf.
Exercises 8.7) where it is indicated that the logic has the finite frame
property, so is determined by its (finite) frames and is decidable. The failure of
canonicity is based on the following observation.

Exercise 7.5
Let $\mathcal{M} = (S, R, V)$ be a model containing a point s such that $sRs$. If
$V(p) = S - \{s\}$, show that $\Box(\Box p \to p) \to \Box p$ is false at s in $\mathcal{M}$.

This Exercise shows that W is not valid on any frame possessing a reflexive
point, and so to show that KW is not canonical it suffices to exhibit such
an $s \in S_{KW}$ with $sR_{KW}s$. For this purpose, consider the set
$s_0 = \{\neg\Box A : \nvdash_{KW} A\}$.
If $s_0$ is KW-consistent, then any KW-maximal extension s of $s_0$ will solve
the problem. For, if $A \notin s$, then $\nvdash_{KW} A$, and so as $s_0 \subseteq s$ and s is
consistent, $\Box A \notin s$, showing that $sR_{KW}s$.

To prove that $s_0$ is KW-consistent, take formulae $A_1, \ldots, A_n$ such that
$\nvdash_{KW} A_i$ for $1 \le i \le n$. We need to show that
$\nvdash_{KW} \neg(\neg\Box A_1 \wedge \cdots \wedge \neg\Box A_n)$. (i)
Now for each i there is some $s_i \in S_{KW}$ with $A_i \notin s_i$. Hence if $\mathcal{M}^i =
(S^i, R^i, V^i)$ is the submodel of $\mathcal{M}_{KW}$ generated by $s_i$, then
$\mathcal{M}^i \not\models_{s_i} A_i$. (ii)
We now construct a new model $\mathcal{M} = (S, R, V)$ by forming the union of all
the models $\mathcal{M}^i$ and adjoining an additional element $\infty$ that is not in any
of the $S^i$, but is R-related to all members of all the $S^i$. Formally, put
$S = S^1 \cup \cdots \cup S^n \cup \{\infty\}$
$R = R^1 \cup \cdots \cup R^n \cup \{(\infty, s) : s \in S$ & $\infty \ne s\}$

Exercises 7.6
(1) If $s \in S^i$, then for any formula B,
$\mathcal{M} \models_s B$ iff $\mathcal{M}^i \models_s B$.
(2) $\mathcal{M} \models W$.
Note: in view of Exercise (1), the heart of the matter is to show that
any instance of W is true in $\mathcal{M}$ at $\infty$.

In view of 7.6(2), the normal logic
$\Lambda_{\mathcal{M}} = \{B : \mathcal{M} \models B\}$
contains KW. But in view of (ii), 7.6(1) and the construction of $\mathcal{M}$,
$\mathcal{M} \models_\infty \neg\Box A_1 \wedge \cdots \wedge \neg\Box A_n$,
and so
$\neg(\neg\Box A_1 \wedge \cdots \wedge \neg\Box A_n) \notin \Lambda_{\mathcal{M}}$.
It follows that (i) must be true, completing the proof that $s_0$ is KW-
consistent, and hence that KW is not canonical.

Canonicity and First-Order Definability


A class C of frames is elementary if there is a set of first-order conditions
such that C comprises precisely those frames satisfying these conditions. A
logic $\Lambda$ is first-order determined if there is an elementary class C of frames
such that $\Lambda$ is the logic $\Lambda_C$ determined by C.
In many cases a logic can be shown to be first-order determined by
showing that its canonical frame satisfies the first-order conditions in
question (for instance, this applies to all the Sahlqvist schemata). In such cases
the logic is also of course shown to be canonical. The universal relevance
of this method is demonstrated by the following remarkable result of van
Benthem [1980]:
if C is an elementary class of frames, then the logic $\Lambda_C$ is canonical.
van Benthem's proof is model-theoretic, using a compactness argument,
and builds on earlier work of Fine [1975], which showed that a logic $\Lambda$ is
canonical if the class $\{\mathcal{F} : \mathcal{F} \models \Lambda\}$ of all its frames is closed under
elementary equivalence. An alternative "structural" approach to van Benthem's
result is given in Goldblatt [1990].
It seems plausible to conjecture that the converse result is true, i.e. that
if a logic $\Lambda$ is canonical, then there is an elementary class C such that
$\Lambda = \Lambda_C$.
A possible candidate for C here is the class of all frames that satisfy the
same first-order conditions as $\mathcal{F}_\Lambda$. At present the conjecture is open.

The McKinsey Axiom


This is the schema
M: $\Box\Diamond A \to \Diamond\Box A$

mentioned in §1, where it was pointed out that the class of all frames for
M is not elementary. It was shown further in Goldblatt [1976] that the
logic KM is not determined by any elementary class of frames.
It would appear that the schema M is the simplest example not (equivalent
to one) meeting the definition of Sahlqvist's schemata. Until recently
the question of the canonicity of KM was unresolved, leaving open the
possibility that it could be a counter-example to the above conjecture.
However, that possibility has now been removed: a proof is given in
Goldblatt [1991] that there is a model on $\mathcal{F}_{KM}$ that falsifies an instance of
M.
In other respects KM is better behaved. Fine [1975i] shows that it
has the finite frame property and is decidable.

Failure of the Finite Frame Property


If a logic has the finite frame property, then it is complete with respect to the
class of its validating frames. The converse of this is false: we now exhibit
a logic that is first-order determined, but lacks the finite model property,
and hence the finite frame property. The example is an adaptation by
Hughes and Cresswell [1984] of a fundamental construction introduced by
Makinson [1969].
Consider the Lemmon-Scott schema
Mk: $\Box A_1 \wedge A_2 \to \Diamond(\Box^2 A_1 \wedge \Diamond A_2)$.

Exercise 7.7
Verify that the first-order condition corresponding to Mk is
$\forall s\exists t\,(sRt \wedge tRs \wedge \forall u\,(tR^2 u \to sRu))$.
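The correspondence stated after Exercises 7.2 (frames validating $\varphi^m_n$ are exactly those satisfying $R\varphi^m_n$) and the condition of Exercise 7.7 can be checked mechanically on small finite frames. The following Python is an added example, not the book's own: it evaluates $R\varphi(s, t, n)$ by its inductive clauses, checks $R\varphi^m_n$, and compares the result with frame validity of the schema, for Mk; all function and variable names are this example's own.

```python
import itertools
# Added example, not from the book: the Lemmon-Scott machinery of this section
# run on finite frames. A frame is (points, R) with R a set of pairs; formulas
# are nested tuples ("p", i), ("not", a), ("and", a, b), ("or", a, b),
# ("imp", a, b), ("box", a), ("dia", a). All names are this example's own.

def succ(R, s):
    """The set of t with sRt."""
    return {t for (x, t) in R if x == s}

def rk(R, x, y, k):
    """x R^k y: R^0 is the identity, R^{k+1} is R followed by R^k."""
    if k == 0:
        return x == y
    return any(rk(R, z, y, k - 1) for z in succ(R, x))

def holds(model, s, phi):
    """Truth of phi at s in the model (points, R, V), where V[i] is V(p_i)."""
    points, R, V = model
    k, *args = phi
    if k == "p":   return s in V[args[0]]
    if k == "not": return not holds(model, s, args[0])
    if k == "and": return holds(model, s, args[0]) and holds(model, s, args[1])
    if k == "or":  return holds(model, s, args[0]) or holds(model, s, args[1])
    if k == "imp": return (not holds(model, s, args[0])) or holds(model, s, args[1])
    if k == "box": return all(holds(model, t, args[0]) for t in succ(R, s))
    if k == "dia": return any(holds(model, t, args[0]) for t in succ(R, s))
    raise ValueError(phi)

def r_phi(frame, phi, s, t, n):
    """R phi(s, t, n), by induction on the positive formula phi; t is a k-tuple."""
    points, R = frame
    k, *args = phi
    if k == "p":   return rk(R, t[args[0] - 1], s, n[args[0] - 1])   # t_i R^{n_i} s
    if k == "and": return r_phi(frame, args[0], s, t, n) and r_phi(frame, args[1], s, t, n)
    if k == "or":  return r_phi(frame, args[0], s, t, n) or r_phi(frame, args[1], s, t, n)
    if k == "box": return all(r_phi(frame, args[0], u, t, n) for u in succ(R, s))
    if k == "dia": return any(r_phi(frame, args[0], u, t, n) for u in succ(R, s))
    raise ValueError("not a positive formula: %r" % (phi,))

def satisfies_condition(frame, phi, m, n):
    """R phi^m_n: for all s, t_1..t_k, if s R^{m_i} t_i for every i then R phi(s,t,n)."""
    points, R = frame
    k = len(m)
    return all(r_phi(frame, phi, s, t, n)
               for s in points for t in itertools.product(points, repeat=k)
               if all(rk(R, s, t[i], m[i]) for i in range(k)))

def prefix(op, k, phi):
    """op^k phi, e.g. prefix("box", 3, phi) is box box box phi."""
    return phi if k == 0 else (op, prefix(op, k - 1, phi))

def lemmon_scott_schema(phi, m, n):
    """Atomic instance of phi^m_n: dia^{m_1} box^{n_1} p_1 & ... & dia^{m_k} box^{n_k} p_k -> phi."""
    ante = prefix("dia", m[0], prefix("box", n[0], ("p", 1)))
    for i in range(1, len(m)):
        ante = ("and", ante, prefix("dia", m[i], prefix("box", n[i], ("p", i + 1))))
    return ("imp", ante, phi)

def valid_on_frame(frame, formula, k):
    """Frame validity: true at every point under every valuation of p_1..p_k.
    Frame validity is closed under substitution, so this decides the schema."""
    points, R = frame
    cells = [(i, p) for i in range(1, k + 1) for p in points]
    for bits in itertools.product([False, True], repeat=len(cells)):
        V = {i: {p for (j, p), b in zip(cells, bits) if b and j == i} for i in range(1, k + 1)}
        if not all(holds((points, R, V), s, formula) for s in points):
            return False
    return True

# Mk of Exercise 7.7: box A1 & A2 -> dia(box box A1 & dia A2), i.e.
# phi = dia(box box p1 & dia p2) with m = (0, 0) and n = (1, 0).
MK_PHI = ("dia", ("and", ("box", ("box", ("p", 1))), ("dia", ("p", 2))))
MK_M, MK_N = (0, 0), (1, 0)

def mk_condition_by_hand(frame):
    """Exercise 7.7 as stated: forall s exists t (sRt & tRs & forall u (tR^2u -> sRu))."""
    points, R = frame
    return all(any((s, t) in R and (t, s) in R
                   and all((s, u) in R for u in points if rk(R, t, u, 2))
                   for t in points)
               for s in points)

def all_frames(points):
    """Every frame on the finite set `points`."""
    pairs = [(x, y) for x in points for y in points]
    for bits in itertools.product([False, True], repeat=len(pairs)):
        yield (points, {pr for pr, b in zip(pairs, bits) if b})

def check_mk_correspondence(points=(0, 1, 2)):
    """Exercises 7.2(2), 7.2(4) and 7.7 on every frame over `points`: computed
    condition, hand-written one and validity of Mk agree; returns (checked, validating)."""
    schema = lemmon_scott_schema(MK_PHI, MK_M, MK_N)
    checked = validating = 0
    for frame in all_frames(list(points)):
        a = satisfies_condition(frame, MK_PHI, MK_M, MK_N)
        b = mk_condition_by_hand(frame)
        c = valid_on_frame(frame, schema, 2)
        if not (a == b == c):
            raise AssertionError("disagreement on frame %r" % (frame[1],))
        checked, validating = checked + 1, validating + int(c)
    return checked, validating
```

On the 16 two-point frames exactly 5 (the four reflexive ones, plus the symmetric irreflexive one) validate Mk, and the three tests agree on all 512 three-point frames.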

Now let $\Lambda_\bullet$ be the logic KTMk. Then from our analysis of Lemmon-Scott
schemata we know that $\Lambda_\bullet$ is determined by the class of all reflexive frames
that satisfy the condition of 7.7. To show that $\Lambda_\bullet$ lacks the finite model
property we prove two things:
(1) If $\mathcal{M}$ is a finite $\Lambda_\bullet$-model, then the schema 4 is true in $\mathcal{M}$, i.e. for any
formula A, $\mathcal{M} \models \Box A \to \Box^2 A$.
(2) For some A, $\nvdash_{\Lambda_\bullet} \Box A \to \Box^2 A$.
Proof of (1). Let $\mathcal{M}$ be a $\Lambda_\bullet$-model that rejects 4. Then we show that
$\mathcal{M}$ must be infinite, by showing that it contains a sequence $s_1, \ldots, s_n, \ldots$
of distinct points. To begin with, there is, by hypothesis, some formula A
and some point $s_1$ such that $\mathcal{M} \models_{s_1} \Box A \wedge \neg\Box^2 A$.
Now make the inductive assumption that $s_n$ has been defined and has

(†)
But the formula
$\Box^n A \wedge \neg\Box^{n+1}A \to \Diamond(\Box^{n+1}A \wedge \neg\Box^{n+2}A)$
is (equivalent to) an instance of the schema Mk, so as $\mathcal{M} \models \Lambda_\bullet$, from (†)
it follows that there is some point $s_{n+1}$ with $s_n R s_{n+1}$ and

Hence, by induction, $s_n$ is defined to satisfy (†) for all positive integers
n. But then to see that the $s_n$'s are distinct, observe that if $n < m$, then

is false at $s_n$ by (†), but true at $s_m$ since $\Box^m A$ is true at $s_m$, and
$\mathcal{M} \models \Box^m A \to \Box^{n+1}A$ from the schema T.
Proof of (2). This requires the construction of a $\Lambda_\bullet$-model that rejects
schema 4. In view of (1), this model will have to be infinite. Let

where $\omega$ is the set $\{0, 1, 2, \ldots\}$ of natural numbers, and $mRn$ iff $m \le n + 1$,
so that each number is R-related to all numbers bigger than or equal to its
predecessor. $\mathcal{F}_r$, which first appeared in Makinson [1969], has become
known as the recession frame.

Exercises 7.8
(1) Show that $\mathcal{F}_r$ validates the logic $\Lambda_\bullet$.
(2) Show that $\mathcal{F}_r$ is not transitive, and so carries a model in which an
instance of schema 4 is false. Hence complete the argument showing
that $\Lambda_\bullet$ lacks the finite model property.

Incompleteness
The canonical model construction shows that any consistent normal logic is
determined by some model. On the other hand, there are consistent logics
that are not determined by any class of frames. The first example of such
an incomplete logic was a temporal one, discovered by Thomason [1972]. It
can be defined as the smallest temporal logic $\Lambda_T$ containing the schemata

DF: $\langle F\rangle\top$
WP: $\langle P\rangle A$
MF: $[F]\langle F\rangle A \to \langle F\rangle[F]A$.

The import of MF is that it requires the truth-value of A to eventually
"settle down" to a fixed value. For, if the antecedent is true, then at any
future time there will be a time after that at which A is true. But if the
consequent is false, then at any future time there will be a time after that
at which A is false. Thus if MF is to be true, then A must eventually
become either true forever or false forever.
It turns out that $\Lambda_T$ has no frames at all! To see this, observe first
that any time-frame validating WP is irreflexive, for if $sRs$ then putting
$V(A) = \{s\}$ for an atomic A would falsify WP at s. Thus if $\mathcal{F} \models \Lambda_T$, then R
is weakly future-connected, by LF, so for any point s the set $X_s = \{t : sRt\}$
is a strict total ordering (connected, irreflexive) which, by DF, has no last

element. But then we can choose a subset Y of $X_s$ such that neither Y nor
$X_s - Y$ has a last element. Putting $V(A) = Y$ then gives a model in which
MF is false at s. However this contradicts the hypothesis that $\mathcal{F} \models \Lambda_T$.
To see that $\Lambda_T$ is nonetheless consistent, it suffices to construct a model
for it (by the argument just given, the frame of this model must carry other
models that falsify $\Lambda_T$). Let $\mathcal{M} = (\omega, <, V)$, where $\omega = \{0, 1, 2, \ldots\}$, and
$V(p) = \emptyset$ for all $p \in \Phi$. The frame $(\omega, <)$ validates all axioms of $\Lambda_T$
except MF. An inductive argument shows that for any formula A, the set
$\{n \in \omega : \mathcal{M} \models_n A\}$ is either finite, or cofinite (i.e. has a finite complement).
Thus "as time passes", A eventually becomes either false forever (finite
case), or true forever (cofinite case). In the first case $[F]\langle F\rangle A$ is false
everywhere, and in the second case $\langle F\rangle[F]A$ is true everywhere. Hence
$\mathcal{M} \models$ MF.

Exercise 7.9
Fill in all the details of the above argument.

Incomplete D-Logics
After the discovery of $\Lambda_T$, a number of incomplete logics in the language of
a single modal connective $\Box$ were produced (Thomason [1974], Fine [1974],
van Benthem [1978]). The latest, and seemingly simplest, example appears
in a paper by Boolos and Sambin [1985], where its discovery is attributed
to R. Magari. The logic is KH, where H is the schema
$\Box(\Box A \leftrightarrow A) \to \Box A$.
Notice that $KH \subseteq KW$, where W, as above, is
$\Box(\Box A \to A) \to \Box A$.
We noted in §1 that any frame for W is transitive (Boolos [1979], p.82),
and hence validates
4: $\Box A \to \Box\Box A$.
Boolos and Sambin show that H and W are valid on exactly the same
frames, implying that any KH-frame must validate 4. They then give a
model for H in which 4 is false, showing that 4 is not KH-deducible.
To spell out some details, suppose $\mathcal{F} \models H$. To prove $\mathcal{F}$ is transitive,
take a point s in order to show that
$sRt$ & $tRu$ implies $sRu$.
Let $\mathcal{M}$ be any model on $\mathcal{F}$ in which
$V(p) = \{t : u \in S^t$ implies $sRu\}$
(recall that $S^t = \{v : tR^*v\}$ is the subframe generated by t).

Exercise 7.10
Show that $\mathcal{M} \models_s \Box(\Box p \leftrightarrow p)$.

Since $\mathcal{F} \models H$, it follows from this exercise that $\mathcal{M} \models_s \Box p$. Hence if $sRt$
and $tRu$, we have $t \in V(p)$ and $u \in S^t$, so $sRu$ as desired.

The following intransitive H-model is due to M. J. Cresswell. It is an
extension of the construction of Makinson's recession frame $\mathcal{F}_r$, and is
just one of a number of uses to which $\mathcal{F}_r$ has been put in studies of the
"pathology" of modal logics (cf. Bull and Segerberg [1984], §19; Hughes
and Cresswell [1984]). Most spectacularly, $\mathcal{F}_r$ was used by Blok [1980]
to prove that if $\Lambda$ is any normal extension of KT, there are uncountably
many other logics having exactly the same frames as $\Lambda$! All but one of
these uncountably many logics must be incomplete.
Let $\mathcal{M} = (\mathbb{Z}, R, V)$, where $V(p) = \mathbb{Z} - \{0\}$ for all $p \in \Phi$, and R is a
nonstandard ordering of the points of $\mathbb{Z}$ got by shifting all the negative
integers "to the right",
$0, 1, 2, \ldots, n, \ldots, -n, \ldots, -2, -1$
and then allowing each non-negative integer to also have itself and its
predecessor as R-alternatives (hence destroying transitivity). Formally, if
$m, n \in \mathbb{Z}$, then $mRn$ iff one of the following hold.
$n < 0 \le m$
$0 \le m \le n + 1$
$m < n < 0$.

Exercises 7.11
(1) Show that $\Box p \to \Box\Box p$ is false at the point 2 in $\mathcal{M}$.
(2) Show that for all formulae A, the set $\{m : \mathcal{M} \models_m A\}$ is either finite
or cofinite. Use this to prove $\mathcal{M} \models H$.

In conclusion, note that the axiom WP in Thomason's logic $\Lambda_T$ is a variant
of the schema
$[P]([P]A \to A) \to [P]A$,
which is the past-tense version of the schema W. The latter has manifestly
played an important role in technical studies of the metatheory of modal
logics. There is another context in which it is also important: KW is the
logic that results when $\Box$ is interpreted as meaning "it is provable in Peano
Arithmetic that". This is explained in the book by Boolos [1979].

Undecidability
A logic with the finite frame property is decidable, provided that it is
finitely axiomatisable. This last qualification is essential: there exist logics
with the finite frame property that are undecidable. In fact, Urquhart
[1981] showed that for any subset X of $\omega$ there exists a logic $\Lambda_X$ with the
finite frame property, such that $\Lambda_X$ has the same "degree of unsolvability"
as X. We now discuss this result, using the following definitions.

• A point s in a frame (S, R) is dead if there is no $t \in S$ with $sRt$.
• A point is live if it is not dead.
• For $n \in \omega$, $\mathcal{F}_n$ is the frame depicted as

i.e. $\mathcal{F}_n = (\{-1, 0, 1, \ldots, n\}, R)$, with
$R = \{(0, -1)\} \cup \{(m, m + 1) : 0 \le m < n\}$.
• $\mathcal{G}_n$ is the frame depicted
$0 \to 1 \to \cdots \to n$,
which results by removing the point $-1$ from $\mathcal{F}_n$.
• $\theta$ is the formula $\Diamond\Box\bot \wedge \Diamond^2\top$.
• $A_n$ is the formula $\theta \to \Box^{n+2}\Diamond\top$.
Note that if $n \ge 2$, then 0 is distinguished in $\mathcal{F}_n$ as the only point that is
R-related both to a dead point and to a live one. This accounts for the
superscript "n + 2" in the definition of $A_n$, and the emphasis on the frames
$\mathcal{F}_{n+2}$ in what follows.

Exercises 7.12
(1) In any model,
$\mathcal{M} \models_s \Box\bot$ iff s is dead;
$\mathcal{M} \models_s \Diamond\top$ iff s is live.
(2) For any $n \in \omega$, $\mathcal{F}_{n+2} \models_s \theta$ iff $s = 0$. (Note: since $\theta$ contains no
atomic formulae, its truth at any point in $\mathcal{F}_{n+2}$ is independent of any
particular model on that frame.)
(3) $\mathcal{F}_{n+2} \not\models A_n$.
(4) $\mathcal{F}_{n+2} \models A_j$ if $j \ne n$.
(5) $\mathcal{G}_n \models \neg\theta$, and hence $\mathcal{G}_n \models A_j$ for all j.

Now let X be an arbitrary set of natural numbers. Put
$\mathcal{C}_X = \{\mathcal{G}_n : n \in \omega\} \cup \{\mathcal{F}_{n+2} : n \notin X\}$,
and let $\Lambda_X = \{B : \mathcal{C}_X \models B\}$ be the logic determined by $\mathcal{C}_X$. Since all
members of $\mathcal{C}_X$ are finite, it is immediate that $\Lambda_X$ has the finite frame
property.
Lemma 7.13. For any $j \in \omega$,
$\vdash_{\Lambda_X} A_j$ iff $j \in X$.
Proof. Suppose $j \in X$. Then if $n \notin X$, $j \ne n$, so $\mathcal{F}_{n+2} \models A_j$ by 7.12(4).
Together with 7.12(5), this shows that $\mathcal{C}_X \models A_j$, as desired.
On the other hand, if $j \notin X$, then $\mathcal{F}_{j+2} \in \mathcal{C}_X$ and so by 7.12(3),
$\mathcal{C}_X \not\models A_j$.
Corollary 7.14. If X is undecidable, then so is $\Lambda_X$.
Proof. Since formula $A_j$ is explicitly defined in terms of j, the Lemma
shows that a decision procedure for theoremhood in $\Lambda_X$ would yield a
decision procedure for membership of X.
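The frames $\mathcal{F}_n$, $\mathcal{G}_n$ and the formulae $\theta$, $A_n$ are small enough to build and check by machine. The following Python is an added example, not the book's own code: it verifies Exercises 7.12(2)-(5) on concrete frames and decides Lemma 7.13 for a sample set X by the finite search the proof licenses; the function names are this example's own.

```python
# Added example, not from the book: the frames F_n and G_n and the formulae
# theta and A_n of this subsection, with theta and A_n evaluated directly from
# their definitions (they contain no atoms, so no valuation is needed).
# Frames are (points, R) with R a set of pairs; names are this example's own.

def frame_F(n):
    """F_n = ({-1, 0, 1, ..., n}, R), R = {(0,-1)} u {(m, m+1) : 0 <= m < n}."""
    return list(range(-1, n + 1)), {(0, -1)} | {(m, m + 1) for m in range(n)}

def frame_G(n):
    """G_n: F_n with the point -1 removed, i.e. the chain 0 -> 1 -> ... -> n."""
    points, R = frame_F(n)
    return [p for p in points if p != -1], {(x, y) for (x, y) in R if y != -1}

def succ(R, s):
    """The set of t with sRt."""
    return {t for (x, t) in R if x == s}

def dead(R, s):
    """s is dead iff it has no R-successor, i.e. box-bottom holds at s (7.12(1))."""
    return not succ(R, s)

def theta(R, s):
    """theta = dia box-bot & dia dia top: s sees a dead point and sees a live point."""
    ts = succ(R, s)
    return any(dead(R, t) for t in ts) and any(not dead(R, t) for t in ts)

def reach(R, s, k):
    """The set of u with s R^k u."""
    layer = {s}
    for _ in range(k):
        layer = {u for t in layer for u in succ(R, t)}
    return layer

def A(n, R, s):
    """A_n = theta -> box^{n+2} dia top at s: if theta holds, every R^{n+2}-successor is live."""
    return (not theta(R, s)) or all(not dead(R, u) for u in reach(R, s, n + 2))

def theta_points(frame):
    """Points of the frame at which theta is true (Exercises 7.12(2) and (5))."""
    points, R = frame
    return [s for s in points if theta(R, s)]

def validates_A(frame, j):
    """Whether the frame validates A_j (Exercises 7.12(3) and (4))."""
    points, R = frame
    return all(A(j, R, s) for s in points)

def class_C_X(X, bound):
    """The members G_n (all n) and F_{n+2} (n not in X) of C_X with n <= bound."""
    return ([frame_G(n) for n in range(bound + 1)] +
            [frame_F(n + 2) for n in range(bound + 1) if n not in X])

def theorem_of_Lambda_X(X, j):
    """Lemma 7.13 decided by finite search: does C_X validate A_j?
    Frames F_{n+2} with n > j validate A_j by 7.12(4), so n <= j suffices."""
    return all(validates_A(fr, j) for fr in class_C_X(X, j))
```

For X = {1, 3, 6}, `theorem_of_Lambda_X(X, j)` is true for exactly j = 1, 3, 6, as the Lemma predicts; since `frame_F(5)` is $\mathcal{F}_{3+2}$, it refutes $A_3$ and validates every other $A_j$.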

Axioms for AX
We now develop an axiomatisation for $\Lambda_X$, and strengthen the analysis
to prove Urquhart's result that there is an undecidable $\Lambda_X$ that has a
decidable set of axioms. We need the following schemata

Pfun: $\Box(\Diamond A \to \Box A)$
De: $\Diamond(\Box\bot \wedge A) \to \Box(\Box\bot \to A)$
Li: $\Diamond(\Diamond\top \wedge A) \to \Box(\Diamond\top \to A)$

Exercises 7.15
Let $\Lambda$ be any normal logic containing Pfun, De, and Li. Work in the
canonical model $\mathcal{M}_\Lambda$ for $\Lambda$.
(1) Use Pfun to show that if $sR_\Lambda t$, then t itself is $R_\Lambda$-related to at most
one point in $S_\Lambda$.
(2) Use De to show that each $s \in S_\Lambda$ is $R_\Lambda$-related to at most one dead
point.
(3) Use Li to show that each $s \in S_\Lambda$ is $R_\Lambda$-related to at most one live
point.

Theorem 7.16. If u — X is infinite, then AX is the smallest normal logic


that contains Pfun, De, Li, and {Aj : j £ X}.
Proof. Let A be the smallest normal logic that contains Pfun, De, Li, and
{Aj : j £ X}. Now Pfun, De and Li are all valid in all frames of the type
$\mathcal{Q}_n$ and $\mathcal{F}_{n+2}$, hence in $\mathcal{C}_X$, so it follows from Lemma 7.13 that $\Lambda \subseteq \Lambda_X$.

To prove the converse, suppose $\nvdash_{\Lambda} A$, with the objective of showing $\nvdash_{\Lambda_X} A$, i.e. $\mathcal{C}_X \not\models A$. Let $s_0$ be a point in $\mathcal{M}_\Lambda$ at which $A$ is false, and let $\mathcal{M} = (S, R, V)$ be the submodel of $\mathcal{M}_\Lambda$ generated by $s_0$, whence $\mathcal{M} \not\models_{s_0} A$. Since each point is either live or dead, (2) and (3) of 7.15 imply that $s_0$ is $R$-related to at most two points.

Case 1: $s_0$ has at most one $R$-related point. If there is one, say $s_1$, then by 7.15(1), this will in turn be $R$-related to at most one point, and so on. Hence $\mathcal{M}$ takes the form of an "$R$-sequence"

$s_0 R s_1 R \cdots R s_n$ $\qquad (\%)$

Now if some $s_n$ is dead, then the sequence stops at $s_n$, and the frame of $\mathcal{M}$ is isomorphic to $\mathcal{Q}_n$. Since $\mathcal{Q}_n \in \mathcal{C}_X$, this yields the desired result $\nvdash_{\Lambda_X} A$.

If however all terms of the sequence are live, there are two further possibilities. First, it may be that all terms are distinct. In that case we can truncate the sequence at some point that bounds the "degree of nesting" of $\Box$ in $A$, and get a finite falsifying model for $A$. To make this idea more precise, the modal degree of an arbitrary formula $B$ is introduced as the number $\deg(B)$ defined inductively by

$\deg(p) = \deg(\bot) = 0$,
$\deg(B_1 \to B_2) = $ maximum of $\deg(B_1)$ and $\deg(B_2)$,
$\deg(\Box B) = \deg(B) + 1$.

Then to determine the truth-value of $A$ at $s_0$ we need not "look beyond" $s_n$ in $\mathcal{M}$ provided that $n > \deg(A)$, as the reader may verify. Taking such an $n$, and restricting to $s_0 R s_1 R \cdots R s_n$ again gives a falsifying model for $A$ on a frame isomorphic to $\mathcal{Q}_n$.

Finally, if the terms are not all distinct, then there must be some $s_n$ such that $s_n R s_k$ for some (unique) $k < n$. Then we pick the least such $n$ and "unravel the loop": the sequence up to $s_n$ is taken, and extended by appending a new copy $s'_k \cdots s'_n$ of the segment from $s_k$ to $s_n$, making truth-values at $s'_{k+i}$ agree with those at $s_{k+i}$. Further new copies of this segment are appended until a sequence is built that is longer than $\deg(A)$. Again this produces a falsifying model for $A$ on a frame isomorphic to some $\mathcal{Q}_m$.
Case 2: $s_0$ is $R$-related to two points. Then one, say $s_{-1}$, is dead, and the other, $s_1$, is live, so that there is some $s_2$ with $s_1 R s_2$. Moreover, $s_2$ in turn can be $R$-related to at most one point, and so on, so that $\mathcal{M}$ consists of $s_{-1}$ and an $R$-sequence of the form $(\%)$ above.

§7 Some Topics In Metatheory 61

This $R$-sequence is then analysed as in Case 1. If some $s_{n+2}$ is dead, then the frame of $\mathcal{M}$ is isomorphic to $\mathcal{F}_{n+2}$, unless we have $s_{n+2} = s_{-1}$. But in the latter case there is an evident p-morphism from $\mathcal{F}_{n+2}$ onto the frame of $\mathcal{M}$ in which $m$ maps to $s_m$ for $-1 \le m < n+2$, and $n+2$ maps to the dead point $s_{-1}$. In either event we are led to a falsifying model for $A$ on $\mathcal{F}_{n+2}$. But since $\Diamond\top \notin s_{n+2}$ and $\theta \in s_0$, it follows that $A_n \notin s_0$, hence $\nvdash_\Lambda A_n$, and so $n \notin X$. This implies that $\mathcal{F}_{n+2} \in \mathcal{C}_X$, giving $\mathcal{C}_X \not\models A$ as desired.

If no $s_{n+2}$ is dead, then we adapt the sequence $(\%)$ by truncation and/or extension as in Case 1, to again obtain a falsifying model for $A$ on a frame isomorphic to some $\mathcal{F}_{n+2}$. Here, finally, we invoke the assumption that $\omega - X$ is infinite, for then we can choose to take $n$ large enough that $n \notin X$ as well as $n + 2 > \deg(A)$. Again this gives $\mathcal{F}_{n+2} \in \mathcal{C}_X$.

This completes the proof of Theorem 7.16.
Corollary 7.17. There exists an undecidable logic that has a decidable set of axioms.

Proof. Let $X$ be an effectively enumerable but undecidable set of natural numbers. Then $\Lambda_X$ is undecidable, and $\omega - X$ is infinite, so the axioms for $\Lambda_X$ are as described in Theorem 7.16. Since $X$ is effectively enumerable, so too are these axioms. But by a well known metalogical result due to Craig, a logic with an effectively enumerable set of axioms has a decidable such set. Indeed, if $\Delta = \{A_0, A_1, \ldots, A_n, \ldots\}$ is an effectively enumerable set of formulae, then the smallest logic containing $\Delta$ is also the smallest logic containing the decidable set

$\{A_0,\ A_0 \wedge A_1,\ \ldots,\ A_0 \wedge \cdots \wedge A_n,\ \ldots\}$.

To conclude the discussion of the logics $\Lambda_X$, we observe that if $\omega - X$ is not infinite, a simpler axiomatisation is obtained: only finitely many axioms are needed.

Theorem 7.18. If $\omega - X = \{n_1, \ldots, n_k\}$, then $\Lambda_X$ is the smallest normal logic that contains Pfun, De, Li, and the formula

$A_X$: $\theta \to \Diamond^{n_1+2}\Box\bot \vee \cdots \vee \Diamond^{n_k+2}\Box\bot$.

Proof. In this case, $\Lambda_X$ is the logic determined by

$\mathcal{C}_X = \{\mathcal{Q}_n : n \in \omega\} \cup \{\mathcal{F}_{n_1+2}, \ldots, \mathcal{F}_{n_k+2}\}$.

Following the proof of Theorem 7.16, when it comes to Case 2 the formulae $\theta$ and $A_X$ are both in $s_0$, and hence so is $\Diamond^{n_i+2}\Box\bot$ for some $1 \le i \le k$. But this is only possible if $s_{n_i+2}$ is dead, leading to a falsifying model for $A$ on $\mathcal{F}_{n_i+2}$.
Part Two

Some Temporal and Computational Logics

8 Logics with Linear Frames

Part Two applies the techniques developed in the previous sections to some standard temporal logics, and to some modal logics that have been employed in the theory of computation. One of these, examined in §9, involves the use of temporal logic to express properties of linear state sequences generated by concurrent programs. To study this logic, it is helpful to first isolate its "[F]-fragment", and axiomatise the logic determined by the frame $(\omega, <)$ in the language of a single modal connective. This will be done in the present section, in the context of a general study of discrete, dense, and continuous time. §10 introduces the multi-modal language of dynamic logic, in which the modal connectives are indexed by the commands of a programming language.
Discrete Future Time

In the $\Box$-language of §1, let $\Omega$ be the logic K4DLZ, with axioms

4: $\Box A \to \Box\Box A$
D: $\Box A \to \Diamond A$
L: $\Box(A \wedge \Box A \to B) \vee \Box(B \wedge \Box B \to A)$
Z: $\Box(\Box A \to A) \to (\Diamond\Box A \to \Box A)$.

Our first goal in this section is to prove that

$\vdash_\Omega A$ iff $(\omega, <) \models A$.

Each of the axioms of $\Omega$ embodies a feature of the frame $(\omega, <)$. 4 corresponds to transitivity, D to seriality ("endless time"), and L to connectedness. Z embodies an aspect of the discreteness of $(\omega, <)$, namely that between any two points there are only finitely many other points. What this has to do with Z may be learned from

Exercises 8.1
(1) Show that $(\omega, <) \models Z$.
(2) Soundness of $\Omega$: Prove that $\vdash_\Omega A$ implies $(\omega, <) \models A$.
(3) Let $\mathcal{F} = (\omega \cup \{\infty\}, R)$, with $mRn$ iff $m < n \in \omega$, or $n = \infty$. Show that

Clusters

In order to carry through a completeness theorem for $\Omega$, we need a fine analysis of the structure of any transitive frame $\mathcal{F} = (S, R)$. In such a frame, define an equivalence relation $\approx$ on $S$ by

$s \approx t$ iff $s = t$ or ($sRt$ and $tRs$).

The equivalence class

$C_s = \{t : s \approx t\}$

is called the $R$-cluster of $s$.

Ordering Clusters

Putting

$C_s \le C_t$ iff $sRt$

gives a well-defined relation between clusters that is transitive and antisymmetric. Hence putting

$C_s < C_t$ iff $C_s \le C_t$ and $C_s \ne C_t$
$\qquad\quad$ iff $sRt$ and not $tRs$,

defines $<$ to be a strict ordering, i.e. transitive and irreflexive, therefore asymmetric.

We tend to use evocative terminology in reference to clusters, so that if $C < C'$ we might say that cluster $C'$ is later than, or comes after, cluster $C$, while $C$ precedes, or is earlier than, or comes before, $C'$, and so on.

Exercises 8.2
(1) Verify that $\approx$ is an equivalence relation.
(2) Verify that $\le$ and $<$ are well-defined relations, and have the asserted properties.
(3) In a transitive model, if $C_s = C_t$, show that for any formula $B$,

$\mathcal{M} \models_s \Box B$ iff $\mathcal{M} \models_t \Box B$.


Types of Cluster

If a cluster $C$ contains more than one point, then the relation $R$ is reflexive in $C$. For if $C = C_s = C_t$, with $s \ne t$, then since $s \approx t$, we have $sRt$ and $tRs$, and so $sRs$ by transitivity. Hence in particular, $C \le C$.

A cluster $C$ is degenerate if $C \not\le C$. In view of the foregoing, this must mean that $C$ consists of a single irreflexive point: $C = \{s\}$, with not $sRs$. Notice that all clusters in a strict total ordering, like $(\omega, <)$, are degenerate.

We distinguish two types of non-degenerate (i.e. $C \le C$) cluster. A simple cluster consists of a single reflexive point: $C = \{s\}$ with $sRs$. All clusters in the frame $(\omega, \le)$ are simple. A proper cluster is a (non-degenerate) cluster with at least two points. Observe that the relation $R$ is universal on any non-degenerate cluster.

If $R$ is connected, i.e.

$\forall s \forall t\,(sRt \vee s = t \vee tRs)$,

then $<$ is a strict total ordering of clusters, and so $\mathcal{F}$ takes the form of a sequence of clusters, as illustrated in the following diagram, where the bullets $\bullet$ depict degenerate clusters, and the circles are non-degenerate ones.

If S is finite, then this sequence will have a first and a last cluster.

Balloons
A balloon is a finite transitive and connected frame whose last cluster is
non-degenerate, while all other clusters are degenerate:

(there need not actually be any non-last clusters, so a finite universal frame,
comprising a single non-degenerate cluster, is counted as a balloon).

Exercises 8.3
(1) If $\mathcal{F}$ is a balloon, show that $\mathcal{F} \models \Omega$.
(2) If $\mathcal{F}$ is a transitive frame that has a non-degenerate cluster $C$ that is not last (i.e. $C < C'$ for some cluster $C'$), show that $\mathcal{F} \not\models Z$.

Theorem 8.4. If $\mathcal{F}$ is a balloon, then $\mathcal{F}$ is a p-morphic image of $(\omega, <)$.

Proof. Let $S = \{s_0, \ldots, s_{n-1}, t_0, \ldots, t_{m-1}\}$, where $\{s_0\}, \ldots, \{s_{n-1}\}$ are the degenerate clusters in $<$-order (if there are any), and $\{t_0, \ldots, t_{m-1}\}$ is the non-degenerate last cluster. Define $f : \omega \to S$ by

$f(i) = s_i$ $\qquad (0 \le i < n)$
$f(n + q \cdot m + j) = t_j$ $\qquad (0 \le j < m,\ q \in \omega)$.

As a sequence, $f$ looks like

$s_0, \ldots, s_{n-1}, t_0, \ldots, t_{m-1}, t_0, \ldots, t_{m-1}, t_0, \ldots, t_{m-1}, \ldots$

with the last cluster repeated forever. Since $R$ is universal on this last cluster, the properties of a p-morphism are satisfied, as the reader should verify.
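As an added worked instance of the Theorem 8.4 construction (this example is not part of the original text), consider the smallest balloon that has both a degenerate cluster and a proper last cluster, and check the two p-morphism conditions for $f$ directly:

```latex
Let $\mathcal{F} = (S, R)$ with $S = \{s_0, t_0, t_1\}$ and
\[
  R = \{(s_0,t_0),\ (s_0,t_1),\ (t_0,t_0),\ (t_0,t_1),\ (t_1,t_0),\ (t_1,t_1)\}.
\]
$R$ is transitive and connected; $\{s_0\}$ is degenerate (not $s_0 R s_0$) and
$\{t_0, t_1\}$ is a proper last cluster on which $R$ is universal, so $\mathcal{F}$
is a balloon with $n = 1$ and $m = 2$. The map of Theorem 8.4 is
\[
  f(0) = s_0, \qquad f(1 + 2q + j) = t_j \quad (j \in \{0,1\},\ q \in \omega),
\]
i.e. $f(i) = t_{(i-1) \bmod 2}$ for $i \ge 1$, giving the sequence
$s_0, t_0, t_1, t_0, t_1, \ldots$

Forward condition: if $i < i'$ then $f(i)\,R\,f(i')$. If $i = 0$ then
$f(i') \in \{t_0, t_1\}$ and $s_0 R t_j$ for both $j$. If $i \ge 1$ then both
$f(i)$ and $f(i')$ lie in the last cluster, where $R$ is universal.

Backward condition: if $f(i)\,R\,y$ then $f(i') = y$ for some $i' > i$. Every
$R$-successor of every point of $S$ is some $t_j$, and $t_j = f(i')$ for every
$i' \ge 1$ with $i' \equiv j + 1 \pmod 2$, so such an $i' > i$ always exists.

Hence $f$ is a p-morphism of $(\omega, <)$ onto $\mathcal{F}$, so every formula
valid in $(\omega, <)$, in particular every instance of 4, D, L and Z, is valid
in $\mathcal{F}$. By contrast, adjoining a point $u$ with $s_0 R u$, $t_0 R u$,
$t_1 R u$ and $u R u$ makes $\{t_0, t_1\}$ a non-last non-degenerate cluster;
by Exercise 8.3(2) the resulting frame falsifies Z, so it cannot be a
p-morphic image of $(\omega, <)$.
```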

Completeness of K4DLZ
It follows from Theorem 8.4 that if $(\omega, <) \models A$, then $A$ is valid in all balloons. Thus to prove that the logic $\Omega$ is complete with respect to $(\omega, <)$, it suffices to show that it is complete with respect to the class of balloons, i.e. that any non-theorem of $\Omega$ is falsified by a model on some balloon. This will also show that $\Omega$ has the finite frame property, and so is decidable (cf. Theorem 4.7 and Exercise 4.8(2)).

Suppose then that $\nvdash_\Omega A$. As just explained, we want to find a balloon in which $A$ is not valid.

First Model. Since $\nvdash_\Omega A$, $A$ is false at some point $s_A$ in the canonical model $\mathcal{M}_\Omega$. In virtue of the schemata 4, D, and L, $\mathcal{M}_\Omega$ is transitive, serial, and weakly connected.

Second Model. Let $\mathcal{M} = (S, R, V)$ be the submodel of $\mathcal{M}_\Omega$ generated by $s_A$. Then by the Submodel Lemma 1.7, $A$ is false at $s_A$ in $\mathcal{M}$, and $\mathcal{M} \models \Omega$ because $\mathcal{M}_\Omega \models \Omega$. Also, $R$ is transitive, serial, and connected (Exercise 3.11(1)).

Third Model. Let $\Gamma = Sf(A)$, and let

$\mathcal{M}^\Gamma = (S_\Gamma, R^\Gamma, V^\Gamma)$

be the transitive $\Gamma$-filtration of $\mathcal{M}$ (Exercise 4.5(3)). By the Filtration Lemma 4.3, $A$ is false at $|s_A|$ in $\mathcal{M}^\Gamma$. Also $S_\Gamma$ is finite (4.1), while $R^\Gamma$ is transitive, serial, and connected (4.5(5)).

Thus the frame of $\mathcal{M}^\Gamma$ consists of a finite sequence of clusters. Moreover, the last cluster, $C_x$ say, is non-degenerate. For, by seriality, there is some $y$ with $x R^\Gamma y$, and so $C_x \le C_y$. But then $C_x = C_y$, as $C_x$ is last, making $C_x \le C_x$.

However, at this point we cannot rule out the possibility that $\mathcal{M}^\Gamma$ has some non-degenerate cluster that is not last, so that the frame of $\mathcal{M}^\Gamma$ is not a balloon. Hence $\mathcal{M}^\Gamma$ may not be the model we are seeking.
Fourth Model. (Balloon Surgery)
If $\mathcal{M}^\Gamma$ does have a non-last cluster $C$ that is non-degenerate, then we could try to remove it by weakening the relation $R^\Gamma$ in $C$ to some strict total ordering, so that $C$ is replaced by a sequence of degenerate clusters. We would want to do this in such a way that the truth-values of members of $\Gamma$ were left unchanged, so that our non-$\Omega$-theorem $A$ is still false at $|s_A|$ in the new model.

The potential problem with this idea is that formulae of the form $\Box B$ that are false at certain points in $C$ in $\mathcal{M}^\Gamma$ may cease to be false, because the $R^\Gamma$-alternative at which $B$ is false may no longer be an alternative in the new model. However this turns out not to be a problem in the presence of the axiom schema Z, which is true in the second model $\mathcal{M}$.

Z-Lemma 8.5. Let $C_{|s|}$ be a non-last $R^\Gamma$-cluster. Then if $\Box B \in \Gamma$ and $\mathcal{M} \not\models_s \Box B$, there exists a point $t \in S$ with $\mathcal{M} \not\models_t B$ and $C_{|s|} < C_{|t|}$.

Proof. Let $\Box B$ be in $\Gamma$ and false at $s$ in $\mathcal{M}$.

Case 1. Suppose $\mathcal{M} \models_s \Diamond\Box B$. Then since $\mathcal{M} \models Z$,

$\mathcal{M} \not\models_s \Box(\Box B \to B)$,

so there exists $t \in S$ with $sRt$, $\mathcal{M} \models_t \Box B$, and $\mathcal{M} \not\models_t B$. Then $|s| R^\Gamma |t|$, since $sRt$ and $R^\Gamma$ is a $\Gamma$-filtration of $R$. But since $\Box B$ is true at $t$ and false at $s$ in $\mathcal{M}$, the definition of $R^\Gamma$ implies that we do not have $|t| R^\Gamma |s|$. Hence the cluster of $|t|$ comes strictly after that of $|s|$.

Case 2. Suppose instead that $\mathcal{M} \not\models_s \Diamond\Box B$. Now since $C_{|s|}$ is not last, there exists $u \in S$ with $C_{|s|} < C_{|u|}$. Then we cannot have $uRs$ or $u = s$, or else $|u| R^\Gamma |s|$ or $|u| = |s|$, making $C_{|u|} \le C_{|s|}$. Hence, as $R$ is connected, $sRu$. Then in $\mathcal{M}$, since $\Diamond\Box B$ is false at $s$, $\Box B$ is false at $u$, so $B$ is false at some $t$ with $uRt$. We have $C_{|s|} < C_{|u|} \le C_{|t|}$, and so the Z-Lemma is proved.

Final Model
For each non-degenerate non-last cluster $C$ of $\mathcal{M}^\Gamma$, let $<_C$ be a strict total ordering of the points of $C$. Define

$\mathcal{M}' = (S_\Gamma, R', V^\Gamma)$,

where $xR'y$ holds if and only if $x R^\Gamma y$ and either $x$ and $y$ do not belong to the same non-degenerate non-last cluster, or else $x <_C y$ for some such cluster $C$. Then the frame of $\mathcal{M}'$ is a balloon. For each $B \in \Gamma$ and $s \in S$ we have

$\mathcal{M} \models_s B$ iff $\mathcal{M}' \models_{|s|} B$. $\qquad (\dagger)$

This is proven by induction on the formation of $B$, using the fact that $R'$ is contained in $R^\Gamma$ and so satisfies the second filtration condition. The only problematic case in the proof is taken care of by the Z-Lemma.

It follows in particular that $\mathcal{M}' \not\models_{|s_A|} A$, so we have found our falsifying model on a balloon for the non-$\Omega$-theorem $A$. Since $S_\Gamma$ has at most $2^n$ elements, where $n$ is the number of subformulae of $A$, we also get the strong finite frame property for the logic $\Omega$.

Exercise 8.6
Work through the proof of $(\dagger)$.

Completeness for KW

The schema Z is weaker than the ubiquitous

W: $\Box(\Box A \to A) \to \Box A$,

and if we had $\mathcal{M} \models W$ in the proof of the Z-Lemma, Case 2 would become redundant, therefore so too would the hypotheses that $R$ is connected and $C_{|s|}$ is not last. From this observation, a completeness proof for KW readily emerges:

Exercises 8.7
(1) Prove that KW is determined by the class of finite strict orderings, and is decidable (remember that KW = K4W).
(2) (Alternative completeness proof.) If $\Gamma$ is a finite set of formulae closed under subformulae, and $\mathcal{M}$ is the canonical model of a normal logic containing KW, define

$\mathcal{M}' = (S_\Gamma, R', V^\Gamma)$,

where

$xR'y$ iff $x R^\Gamma y$ and not $y R^\Gamma y$.

Prove that $R'$ is a strict ordering, and that

$\mathcal{M} \models_s B$ iff $\mathcal{M}' \models_{|s|} B$

for all $B \in \Gamma$. Use this to obtain the results of Exercise (1).

Dense and Continuous Time


It was claimed in §6 that the real-number and rational-number frames $(\mathbb{R}, <)$ and $(\mathbb{Q}, <)$ determine the same logic. This logic is K4DLX, where X is the schema

corresponding to the condition of weak density on $R$ (Theorems 1.12, 1.13, 3.6). The following exercises show how to prove these determination results, and also the corresponding results for reflexive time. The latter involve the logic S4.3.

Exercises 8.8
Let $P$ be either $\mathbb{R}$ or $\mathbb{Q}$. A right-open interval in $P$ is a subset of $P$ having one of the forms

$[r, q) = \{p \in P : r \le p < q\}$, $\qquad (r, q) = \{p \in P : r < p < q\}$,

for some $r$ and $q$. In each case, $q$ is the right end-point of the interval. We allow $q = \infty$ here, with, as usual,

$[r, \infty) = \{p \in P : r \le p\}$ and $(r, \infty) = \{p \in P : r < p\}$.

Observe that by the density of $<$ in $P$, any right-open interval can be decomposed as the disjoint union of $n$ right-open intervals, for any positive integer $n$.

Next, let $\mathcal{M}$ be a generated submodel of the canonical model for K4DLX, and $\mathcal{M}^\Gamma$ the transitive $\Gamma$-filtration of $\mathcal{M}$ for a suitable finite $\Gamma$, as in the completeness proof for K4DLZ.

(1) Show that for any right-open interval $I$ in $P$, the frame $(I, <)$ can be mapped p-morphically onto any non-degenerate cluster in $\mathcal{M}^\Gamma$ (hint: choose in the interval a strictly increasing sequence that converges to the right end-point, and adapt the construction of Theorem 8.4).
(2) Show that $\mathcal{M}^\Gamma$ does not contain any adjacent degenerate clusters, i.e. any degenerate cluster is immediately followed by a non-degenerate one (hint: this uses connectedness as well as weak density of $R$).
(3) Let $I$ be a right-open interval in $(P, <)$ of the form $[r, q)$. Apply the previous two exercises to show that there is a p-morphism from $(I, <)$ onto the frame of $\mathcal{M}^\Gamma$, by mapping appropriate subintervals onto non-degenerate clusters, and the right end-points of intervals onto any degenerate clusters that may be present. Deduce that

$(I, <) \models A$ iff $\vdash_{K4DLX} A$.

(4) Use the Submodel Lemma 1.7 to show that the determination result of Exercise 3 can be extended to hold for $I = (r, q)$ for any $r$, including $r = -\infty$, and in particular for $I = \mathbb{R}$ and $I = \mathbb{Q}$.
(5) Adapt the above constructions to show that if $I$ is a right-open interval in $P$, or any of the sets listed in the previous exercise, then

$(I, \le) \models A$ iff $\vdash_{S4.3} A$.

(6) Having worked through the foregoing, it should be becoming clear just what properties of a total ordering suffice for it to determine one of the logics K4DLX and S4.3. Write down a minimal list of properties that suffice in each case.
The Discrete Diodorean Case

The logic determined by the reflexive frame $(\omega, \le)$ is S4.3Dum, that is to say KT4LDum, where the schema Dum (named for Michael Dummett) is

$\Box(\Box(A \to \Box A) \to A) \to (\Diamond\Box A \to A)$.

Exercise 8.9
Show that Dum is valid in $(\omega, \le)$.

Cluster Analysis for Extensions of S4.3

To prove the claimed completeness result for S4.3Dum we follow the general strategy of the completeness theorem for $\Omega$, but find that we have to make a more refined analysis of the structure of clusters, using a certain connected subrelation of $R^\Gamma$. This analysis will also be used in the discussion to follow of Bull's Theorem about extensions of S4.3, and in our study of temporal program logics in §9.

So, let $\mathcal{M} = (S, R, V)$ be a generated submodel of the canonical model of a normal logic that contains S4.3. Then $R$ is reflexive, transitive, and connected. Let $\Gamma$ be a finite subformula-closed set, as usual, and define a relation $R^c$ on $S_\Gamma$ by

$x R^c y$ iff $\forall s \in x\ \exists t \in y\ (sRt)$.

Lemma 8.10.
(1) $R^c$ is reflexive, transitive, and connected.
(2) $R^c$ is contained in any $\Gamma$-filtration of $R$.

Proof.
(1). Reflexivity and transitivity of $R^c$ follow readily from the fact that $R$ has these properties. For connectivity, suppose that it is not the case that $x R^c y$. Then there exists $s \in x$ such that $sRt$ fails for all $t \in y$. But then $tRs$ holds for all $t \in y$, since $R$ is connected. This shows that $y R^c x$.
(2). Suppose $x R^c y$. Take any $s \in x$. Then $sRt$ for some $t \in y$. But if $R'$ is any $\Gamma$-filtration of $R$, $sRt$ implies $|s| R' |t|$, i.e. $xR'y$, as desired.

Clusters Within Clusters


The first part of Lemma 8.10 implies that the frame $(S_\Gamma, R^c)$ consists of a finite sequence of $R^c$-clusters (recall that for reflexive relations, there are no degenerate clusters). From the second part we see, in particular, that $R^c \subseteq R^\Gamma$, where $R^\Gamma$ is the transitive $\Gamma$-filtration of $R$, and so the $R^c$-cluster of any point is entirely contained within the $R^\Gamma$-cluster of that point. Thus each $R^\Gamma$-cluster itself decomposes into a sequence of $R^c$-clusters. Thus if $C$ is a given $R^\Gamma$-cluster, there is within $C$ an $R^c$-cluster $C_H$ that comes after all the other $R^c$-clusters that are included in $C$. $C_H$ will be called the head of $C$. The situation is depicted in the following diagram, in which the rectangles represent $R^\Gamma$-clusters, the circles are $R^c$-clusters, and a circle with a dot in the centre is the head of its $R^\Gamma$-cluster.

$R^c$-Lemma 8.11. If $\Box B \in \Gamma$ and $\mathcal{M} \not\models_s \Box B$, then there exists $t$ with $\mathcal{M} \not\models_t B$ and $|s| R^c |t|$. Moreover, if $|s|$ is not in the head of its $R^\Gamma$-cluster, then not $|t| R^c |s|$, i.e. $|t|$ is in a later $R^c$-cluster than $|s|$.

Proof. Let $C$ be the $R^\Gamma$-cluster of $|s|$, and let $z$ be a member of the head $C_H$ of $C$. Then $|s| R^c z$.

Next, let $X$ be the union of all the $R^c$-clusters that precede the $R^c$-cluster $C_H$, i.e.

$X = \{x \in S_\Gamma : x R^c z \text{ and not } z R^c x\}$.

Then if $X = \{x_0, \ldots, x_m\}$, for each $j \le m$ we have not $z R^c x_j$, and so there exists $s_j \in z$ such that not $s_j R t$ for all $t \in x_j$.

Now as $R$ is connected, the $s_j$'s are $R$-ordered in some fashion, so we may assume that $s_0 R s_1 \cdots R s_m$. Then if $s_m R t$, we cannot have $t \in x_j$ for any $j$, or else as $s_j R s_m$, we get $s_j R t$, contrary to the definition of $s_j$. Thus

$s_m R t$ implies $|t| \notin X$.

Next observe that $\mathcal{M} \not\models_{s_m} \Box B$. For, since $\mathcal{M} \not\models_s \Box B$, $\mathcal{M} \not\models_u B$ for some $u \in S$ with $sRu$. Then $|s| R^\Gamma |u|$. But $|s_m| R^\Gamma |s|$, since $|s_m|$ and $|s|$ have the same $R^\Gamma$-cluster $C$, so $|s_m| R^\Gamma |u|$, ensuring that $\mathcal{M} \not\models_{s_m} \Box B$ by filtration condition (F2).

Hence $\mathcal{M} \not\models_t B$ for some $t$ such that $s_m R t$. But then $|t| \notin X$, as above, so the $R^c$-cluster of $|t|$ does not precede that of $z$, implying that $z R^c |t|$, and hence $|s| R^c |t|$.

Finally, if $|s| \notin C_H$, then not $z R^c |s|$, and so not

Corollary 8.12. If $\mathcal{M}^c = (S_\Gamma, R^c, V^\Gamma)$, then for any $B \in \Gamma$ and $s \in S$,

$\mathcal{M} \models_s B$ iff $\mathcal{M}^c \models_{|s|} B$.

Proof. Exercise.

Completeness for S4.3Dum


The construction of $\mathcal{M}^c$ just described will give a finite falsifying model for any non-theorem of any normal logic $\Lambda$ containing S4.3. But to use this in a completeness theorem for $\Lambda$ we would need to show that $\mathcal{M}^c$ validates $\Lambda$. In the case of S4.3Dum we achieve this by using Dum to show that every non-last $R^c$-cluster is simple. For this purpose, a further general result is needed.

Definability Lemma 8.13. For any $X \subseteq S_\Gamma$, there is a formula $B_X$ (a truth-functional combination of members of $\Gamma$) such that for all $s \in S$,

$\mathcal{M} \models_s B_X$ iff $|s| \in X$.

Proof. For each $t \in S$, let $B_t$ be the conjunction of the (finitely many) formulae in the set

Then

$\mathcal{M} \models_s B_t$ iff $s \sim_\Gamma t$ iff $|s| = |t|$.

Now $S_\Gamma$ is finite, since $\Gamma$ is finite. So if

$X = \{|t_1|, \ldots, |t_n|\}$,

we can take $B_X$ to be

$B_{t_1} \vee \cdots \vee B_{t_n}$.

Dum-Lemma 8.14. If $\mathcal{M} \models$ Dum, then every non-last $R^c$-cluster is simple.

Proof. Let $C$ be a non-last $R^c$-cluster, and take $x \in C$. Then there must be some $y \in S_\Gamma$ such that $x R^c y$ but not $y R^c x$.

By 8.13, there is a formula $B$ that defines in $\mathcal{M}$ the set $X = \{s : |s| \ne x\}$. In other words, for all $s \in S$,

$\mathcal{M} \models_s B$ iff $s \notin x$. $\qquad$ (i)

Since not $y R^c x$, there exists some $t \in y$ such that if $tRu$ then $u \notin x$ and so $\mathcal{M} \models_u B$ by (i). Thus

$\mathcal{M} \models_t \Box B$. $\qquad$ (ii)

Now pick any $s \in x$. Then not $tRs$, so by $R$-connectedness $sRt$. Hence from (ii),

$\mathcal{M} \models_s \Diamond\Box B$. $\qquad$ (iii)

But $\mathcal{M} \not\models_s B$ by (i), so from (iii) and $\mathcal{M} \models$ Dum it follows that

$\mathcal{M} \not\models_s \Box(\Box(B \to \Box B) \to B)$.

Hence there exists $u \in S$ with $sRu$,

$\mathcal{M} \models_u \Box(B \to \Box B)$, $\qquad$ (iv)

and $\mathcal{M} \not\models_u B$. Whence $u \in x$ by (i).

Now suppose, for the sake of contradiction, that $C$ is not simple. Then there exists some $z \in C$ with $z \ne x$. Thus $x R^c z$, and so as $u \in x$, $uRv$ for some $v \in z$. It follows from (iv) that $\mathcal{M} \models_v B \to \Box B$. But $\mathcal{M} \models_v B$, since $v \in z \ne x$, so this leads to $\mathcal{M} \models_v \Box B$. However, since $z, x \in C$ we have $z R^c x$, so $vRw$ for some $w \in x$. Then $\mathcal{M} \models_w B$, which is our desired contradiction in view of (i).

Finite Frame Property for S4.3Dum

By 8.12 and 8.14, each non-theorem of S4.3Dum can be invalidated by a finite reflexive, transitive and connected frame in which every non-last cluster is simple (has only one element). But every such frame is a p-morphic image of $(\omega, \le)$ (by a construction similar to that in Theorem 8.4), and hence is an S4.3Dum-frame. This establishes the finite frame property for S4.3Dum, and the fact that the logic is determined by $(\omega, \le)$.
(At this point the reader could proceed directly to §9.)

Exercises 8.15
(1) Fill in all the details of the argument just given.
(2) A variant of Dum is the schema

Dum*: $\Box(\Box(A \to \Box A) \to A) \to (\Diamond\Box A \to \Box A)$.

Use the completeness theorem just given to show that S4.3Dum = S4.3Dum*.
(3) Show that the smallest normal logic containing S4.3 and the schema

$\Box(\Box(A \to \Box A) \to A) \to A$

is determined by the class of finite reflexive total orderings, and also by the frame $(\omega, \ge)$. Show further that an alternative to this schema for the logic in question is

$\Box(\Box(A \to \Box A) \to A) \to \Box A$


Bull's Theorem
One of the more striking results in the metatheory of propositional modal logic is that every uniform normal extension of S4.3 has the finite model property. This was shown by Bull [1966], using algebraic models (Boolean algebras with a unary operator interpreting $\Box$). A frame-theoretic argument was given by Fine [1971]. By utilising our description of the relationship between $R^c$ and $R^\Gamma$ clusters, it is possible to give a very clear account of how Fine's proof works.

Let $\Lambda$ be any uniform normal logic containing S4.3, i.e. containing the schemata T, 4, and L. Suppose that $\nvdash_\Lambda A$. We want then to construct a finite $\Lambda$-model that falsifies $A$. Let $\mathcal{M} = (S, R, V)$ be the submodel of the canonical $\Lambda$-model generated by some point $s_A$ with $A \notin s_A$. Put $\Gamma = Sf(\Box A)$ (the reason for including $\Box A$ in $\Gamma$ will be revealed later).

Now we saw in the completeness proof for S4.3Dum that the models $\mathcal{M}^\Gamma$ and $\mathcal{M}^c$ will falsify $A$, but neither can be guaranteed to be a $\Lambda$-model.

To construct a $\Lambda$-model that rejects $A$, we will remove all but the head from each $R^\Gamma$-cluster.

A point $x \in S_\Gamma$ is called essential if it belongs to the head of its own $R^\Gamma$-cluster. Let

$E = \{x : x \text{ is essential}\}$

be the union of all the heads of $R^\Gamma$-clusters. Notice that the relations $R^\Gamma$ and $R^c$ are identical when restricted to $E$.

Now define a map $f : S \to E$, as follows. For each $R^\Gamma$-cluster $C$, let $x_C$ be a fixed, but arbitrarily chosen, member of the head of $C$. Put $f(s) = |s|$ if $|s|$ is essential, and otherwise let $f(s) = x_C$, where $C$ is the $R^\Gamma$-cluster of $|s|$. In both cases, $|s|$ and $f(s)$ are in the same $R^\Gamma$-cluster, so $f(s) R^\Gamma |s|$ and $|s| R^\Gamma f(s)$. Moreover, since $f(s)$ is in the head, we invariably have $|s| R^c f(s)$.

Lemma 8.16. $f$ is a p-morphism from $(S, R)$ onto $(E, R^\Gamma)$.

Proof. First, if $sRt$, then $f(s) R^\Gamma |s| R^\Gamma |t| R^\Gamma f(t)$, and so $f(s) R^\Gamma f(t)$ as $R^\Gamma$ is transitive.

Second, suppose $f(s) R^\Gamma x$, with $x \in E$. Then $f(s) R^c x$. But $|s| R^c f(s)$, so $|s| R^c x$, implying that there is a $t$ with $sRt$ and $t \in x$, hence $f(t) = x$.

This establishes the two p-morphism conditions for $f$.
Lemma 8.17. For any $Y \subseteq E$, there is a formula $B_Y$ such that for all $s \in S$,

$\mathcal{M} \models_s B_Y$ iff $f(s) \in Y$.

Proof. By the way $f$ was constructed, using the fixed elements $x_C$, $f$ preserves $\Gamma$-equivalence classes, i.e.

$t \in |s|$ implies $f(t) = f(s)$.

Thus the set $\{s : f(s) \in Y\}$ is a union of equivalence classes, and so there is an $X \subseteq S_\Gamma$ such that

$f(s) \in Y$ iff $|s| \in X$.

But then taking $B_Y$ to be the formula $B_X$ of Definability Lemma 8.13 gives the desired result.

The Finite $\Lambda$-Model

A model $\mathcal{M}_E = (E, R^\Gamma, V_E)$ on $E$ is now defined by putting $V_E(p) = E$ if $p \notin \Gamma$, and otherwise

$V_E(p) = \{|s| \in E : s \in V(p)\} = V^\Gamma(p) \cap E$,

so that $V_E$ is defined on the whole of $Fma(\Phi)$ (the definition on $\Phi - \Gamma$ is immaterial). By Lemma 8.17, for each $p \in \Phi$ there is a formula $B_p$ such that

$\mathcal{M} \models_s B_p$ iff $f(s) \in V_E(p)$.

For any formula $B$, let $B'$ be the result of uniformly replacing each atomic $p$ occurring in $B$ by $B_p$. Precisely:

$p' = B_p$, $\quad \bot' = \bot$, $\quad (B \to D)' = B' \to D'$, $\quad (\Box B)' = \Box(B')$.

Then for all $B \in Fma(\Phi)$, we get

$\mathcal{M} \models_s B'$ iff $\mathcal{M}_E \models_{f(s)} B$. $\qquad (\dagger)$

The case $B = p \in \Phi$ of this result is given by the definition of $B_p$, and the inductive cases are straightforward, as $f$ is a p-morphism.

It now follows that $\mathcal{M}_E$ is a $\Lambda$-model. For if $\vdash_\Lambda B$, then since $\Lambda$ is a uniform logic, $\vdash_\Lambda B'$. Thus $\mathcal{M} \models B'$ (because $\mathcal{M}$ is a generated submodel of $\mathcal{M}_\Lambda$), and hence $\mathcal{M}_E \models B$ by $(\dagger)$. It remains to show that $\mathcal{M}_E$ rejects the non-$\Lambda$-theorem $A$.
Lemma 8.18. If $\Box B \in \Gamma$ and $\mathcal{M} \not\models_s \Box B$, then $\mathcal{M} \not\models_t B$ for some $t$ such that $|s| R^\Gamma |t|$ and $|t| \in E$.

Proof. If $\mathcal{M} \not\models_s \Box B$, then $\mathcal{M} \not\models_t B$ for some $t$ with $sRt$ and so $|s| R^\Gamma |t|$. If $|t| \in E$, we are done. Otherwise, since $\mathcal{M} \models (\Box B \to B)$, we have $\mathcal{M} \not\models_t \Box B$, and so by the $R^c$-Lemma 8.11, $\mathcal{M} \not\models_u B$ for some $u$ with $|u|$ in a later $R^c$-cluster than $|t|$. If $|u| \notin E$, we repeat the argument to obtain $\mathcal{M} \not\models_v B$ for some $v$ with $|v|$ in a later $R^c$-cluster than $|u|$. Since the sequence of $R^c$-clusters is finite in length, this process cannot move forward ad infinitum, and must end, in the very last $R^c$-cluster if not before, with the desired conclusion.

Corollary 8.19. If $|s| \in E$, then for any $B \in \Gamma$,

$\mathcal{M} \models_s B$ iff $\mathcal{M}_E \models_{|s|} B$.

Proof. The atomic case holds by definition of $V_E$. The inductive case of $\Box$ is taken care of by the definition of $R^\Gamma$ and Lemma 8.18.

It is now apparent why we put the formula $\Box A$ into $\Gamma$. For, since $\mathcal{M}$ is a T-model and $\mathcal{M} \not\models_{s_A} A$ we get $\mathcal{M} \not\models_{s_A} \Box A$, so by Lemma 8.18 there exists $t$ such that $|t| \in E$ and $\mathcal{M} \not\models_t A$. Then by Corollary 8.19, $\mathcal{M}_E \not\models_{|t|} A$, showing that the finite $\Lambda$-model $\mathcal{M}_E$ falsifies the non-$\Lambda$-theorem $A$. This completes the proof of Bull's Theorem that every uniform normal logic containing S4.3 has the finite model property, and hence has the finite frame property (Exercise 4.9(5)).

Linear Temporal Logics


For the remainder of this section we return to the [F]-[P]-language of temporal logic, in which the formula $\Box A$ is introduced as short-hand for

(at this point it would be appropriate to review the material of §6).

A linear temporal logic is any normal logic in this language that contains the smallest temporal logic $K_t$, and also the schemata

and

The smallest linear temporal logic will be denoted Lin. In view of Exercises 6.3, it follows that Lin is determined by the class of transitive, weakly future-connected, and weakly past-connected frames. Indeed, the canonical model $\mathcal{M}_\Lambda$ of any linear temporal logic $\Lambda$ has these properties. Hence any generated submodel $\mathcal{M}$ of such a canonical model is transitive and connected (Exercise 6.5(3)). Consequently, a temporal filtration $\mathcal{M}^\Gamma$ of such a generated subframe will also be transitive and connected ($\mathcal{M}^\Gamma$ was defined just prior to Exercises 6.6).

We will consider the completeness problem for the three standard types of irreflexive linear time.

Discrete Time
Let LinDisc be the smallest linear temporal logic containing the schemata

$D_F$: $\langle F \rangle \top$
$D_P$: $\langle P \rangle \top$
$Z_F$:

Then LinDisc is determined by the integer frame $(\mathbb{Z}, <)$. The proof of this is a straightforward adaptation of the proof that the modal logic K4DLZ is determined by the frame $(\omega, <)$. In LinDisc there is complete symmetry between the past and future operators. $D_F$ makes the last cluster in a finite filtration $\mathcal{M}^\Gamma$ be non-degenerate, while $D_P$ does the same to the first cluster. $Z_F$ allows all non-last clusters to be modifiable without affecting the truth-values of formulae of the type $[F]B$ from $\Gamma$. Similarly, by the $Z_P$-analogue of the Z-Lemma 8.5, $Z_P$ allows all non-first clusters to be modified without affecting $[P]B$-type formulae. So, we replace each cluster except the first and last by a strict total ordering of its elements, treat the last cluster in the same manner as in Theorem 8.4, and apply the mirror image of this treatment to the first cluster, to get a temporal p-morphism from $(\mathbb{Z}, <)$ onto the frame of $\mathcal{M}^\Gamma$.

Beginning Time
Let LinDisc$^\omega$ be the logic that results when the schema $Z_P$ in the definition of LinDisc is replaced by

$W_P$: $[P]([P]A \to A) \to [P]A$,

and $D_P$ is deleted.

$W_P$ allows any cluster in $\mathcal{M}^\Gamma$ to be modified without affecting truth of $[P]B$-type formulae from $\Gamma$. Hence the K4DLZ construction of Theorem 8.4 applies directly to show that LinDisc$^\omega$ is determined by the time-frame $(\omega, <)$. In fact, by including the formula $[P]\bot$ in $\Gamma$, we can obtain this result using only the special case $A = \bot$ of $W_P$, for then the first cluster is already in the desired form:

Exercise 8.20
Let $\mathcal{M}^\Gamma$ be a finite temporal $\Gamma$-filtration of a generated submodel of the canonical LinDisc$^\omega$-model. Suppose $[P]\bot \in \Gamma$. Then if $|s|$ belongs to the first cluster of $\mathcal{M}^\Gamma$, show that $[P]\bot \in s$. Deduce that this first cluster is degenerate. (It might be useful here to note that when $A = \bot$, $W_P$ is equivalent to

$[P]\bot \vee$

Rational Time
Let LinRat be the smallest normal extension of Lin that contains the schemata $D_F$, $D_P$, and

$X_F$: $[F][F]A \to [F]A$.

Then LinRat is the temporal logic determined by the rational-number frame $(\mathbb{Q}, <)$.

The effect of axioms $D_F$ and $D_P$ has already been noted: they force the first and last clusters to be non-degenerate in any finite filtration $\mathcal{M}^\Gamma$ of a generated submodel of the canonical LinRat-model. The effect of $X_F$ is then to force any degenerate cluster in $\mathcal{M}^\Gamma$ to be immediately followed by a non-degenerate one (cf. Exercise 8.8(2)). Knowing this, the following result can be obtained, and gives the asserted completeness theorem.

Theorem 8.21. There is a temporal p-morphism from $(\mathbb{Q}, <)$ onto the frame of $\mathcal{M}^\Gamma$.

Proof. By a rational open interval we mean a set of the form

$(r, q) = \{x \in \mathbb{Q} : r < x < q\}$,

where the end-point $r$ is either $-\infty$ or a real number, and $q$ is either $+\infty$ or a real (it is crucial to the construction that $r$ and $q$ need not be rational). Any rational open interval can be mapped by a temporal p-morphism onto any non-degenerate cluster in $\mathcal{M}^\Gamma$. For, since $(\mathbb{Q}, <)$ is dense, and serial in both directions, we can choose a subset $\{x_m : m \in \mathbb{Z}\}$ of $(r, q)$ that is order-isomorphic to $(\mathbb{Z}, <)$, i.e. has

$x_m < x_k$ iff $m < k$,

with the $x_m$'s converging to $q$ for increasingly positive $m$, and to $r$ for increasingly negative $m$. Then if a non-degenerate cluster $C$ has elements $z_1, \ldots, z_n$, a suitable temporal p-morphism $f$ from $((r, q), <)$ onto $C$ is given by putting

$f(x_m) = z_j$ iff $m \equiv j \pmod{n}$,

and otherwise letting $f(x)$ be any member of $C$.

Now let $C_1, \ldots, C_k$ be all the clusters of $\mathcal{M}^\Gamma$ in their $<$-order, as induced by $R^\Gamma$. Since, by $D_P$, the first cluster $C_1$ is non-degenerate, we can map a rational open interval of the form $(-\infty, r_1)$ p-morphically onto $C_1$. Now if $C_2$ is non-degenerate, we take $r_1$ here to be an irrational real number, and then map a rational open interval of the form $(r_1, r_2)$ onto $C_2$. If, on the other hand, $C_2$ is degenerate, we take $r_1$ to be rational, and map $r_1$ to the unique element of $C_2$. Since $C_3$ must now be non-degenerate, by axiom $X_F$, we can then map an interval of the form $(r_1, r_2)$ p-morphically onto $C_3$. In either case, the interval $(-\infty, r_2)$ gets mapped into $\mathcal{M}^\Gamma$ without "missing out" any rationals less than $r_2$.

Continuing this process, we eventually come to the last cluster $C_k$, having mapped an interval of the form $(-\infty, r']$ or $(-\infty, r')$ p-morphically onto $C_1 \cup \cdots \cup C_{k-1}$, with the real number $r'$ being irrational in the second case. But $C_k$ is non-degenerate, by $D_F$, so the construction can be completed by mapping $(r', +\infty)$ p-morphically onto $C_k$.
Exercises 8.22
(1) Show that LinRat is determined by any rational open interval frame $((r, q), <)$.
(2) Give a proof-theoretic deduction of the schema

in LinRat.
(3) Show that the time-frame $(\mathbb{Q}, <)$ determines the smallest normal extension of Lin containing the schema

Real Time
LinRe is the smallest normal extension of LinRat that contains the schema
$$\text{Cont}: \Box([P]A \to \langle F\rangle[P]A) \to ([P]A \to [F]A).$$
Exercise 6.4(4) asked the reader to show that Cont is valid in the real-number time-frame $(\mathbb{R}, <)$. To prove that LinRe is determined by this frame, we adapt the argument given in Theorem 8.21 for LinRat, this time using real open intervals
$$(r, q) = \{x \in \mathbb{R} : r < x < q\},$$
where again the end-points are either reals, or $\pm\infty$.
Working now with a finite temporal $\Gamma$-filtration $\mathcal{M}_\Gamma$ of a generated submodel $\mathcal{M} = (S, R, V)$ of the canonical LinRe-model, we try to map $(\mathbb{R}, <)$ onto the frame of $\mathcal{M}_\Gamma$ by a temporal p-morphism. A problem comes up if we strike a non-degenerate cluster $C$ in $\mathcal{M}_\Gamma$ that is immediately succeeded by a cluster $D$ that is also non-degenerate. Having mapped a real open interval $(r, q)$ p-morphically onto $C$, we cannot then treat $D$ similarly without leaving out the end-point $q$.
This problem would not arise if in $\mathcal{M}_\Gamma$ there were no adjacent non-degenerate clusters (for $D$ would then have to be degenerate, and we could map $q$ to its unique element). However it does not seem possible to prevent pairs
$$\cdots \rightarrow \bigcirc \rightarrow \bigcirc \rightarrow \cdots$$
of adjacent non-degenerate clusters from occurring. Instead we will have to show that the model $\mathcal{M}_\Gamma$ has a certain property that allows it to be modified, by inserting a new degenerate cluster between any such pair, creating the configuration
$$\cdots \rightarrow \bigcirc \rightarrow \bullet \rightarrow \bigcirc \rightarrow \cdots$$
and thereby removing the problem, without altering the truth-values of members of $\Gamma$ at any of the old points of $\mathcal{M}_\Gamma$. The idea of this construction comes from Segerberg [1970], although the axiom Cont we use, and the argument in which it is applied (in Lemma 8.23), are different.
So, let $C$ and $D$ be non-degenerate clusters in $\mathcal{M}_\Gamma$ that are adjacent, with $C < D$. An element $s$ of the sub-canonical model $\mathcal{M}$ will be called $C$-greatest if
$$|s| \in C, \text{ and } \forall t \in S\,(sRt \text{ implies } |t| \notin C).$$
Dually, $s$ is $D$-least if
$$|s| \in D, \text{ and } \forall t \in S\,(tRs \text{ implies } |t| \notin D).$$
These notions may be intuitively related to the situation in the real-number frame $(\mathbb{R}, <)$, where the element $z$ that fills a cut $(X, Y)$ (i.e. has $x < z < y$ for $x \in X$ and $y \in Y$) must be either a greatest element of $X$, or a least element of $Y$.

Lemma 8.23. There exists an element of $\mathcal{M}$ that is either $C$-greatest or $D$-least.

Proof. Suppose that there is no $C$-greatest element, and no $D$-least element. Let $A$ be a formula such that for all $s \in S$,
$$\mathcal{M} \models_s A \text{ iff } C_{|s|} \leq C,$$
where $C_{|s|}$, as usual, is the $R_\Gamma$-cluster of $|s|$. Such a formula exists by the argument of the Definability Lemma 8.13.

Sublemma A. $\mathcal{M} \models_s [P]A$ iff $C_{|s|} \leq C$.

Proof. Suppose $C_{|s|} \leq C$. Then if $tRs$, $|t| R_\Gamma |s|$, so $C_{|t|} \leq C_{|s|} \leq C$, and hence $\mathcal{M} \models_t A$ by definition of $A$. This shows $\mathcal{M} \models_s [P]A$.
For the converse, suppose $C_{|s|} \not\leq C$. Then by connectedness, $C < C_{|s|}$, and so as $D$ is adjacent to $C$, $D \leq C_{|s|}$. Take first the case that $D = C_{|s|}$, so that $|s| \in D$. Since, by assumption, $s$ is not $D$-least, there must exist a $t$ with $tRs$ and $|t| \in D$. But $D$ comes after $C$, so $\mathcal{M} \not\models_t A$, by definition of $A$. Hence $\mathcal{M} \not\models_s [P]A$. On the other hand, if $D < C_{|s|}$, then taking any $t$ with $|t| \in D$ must give $tRs$ by connectedness, and so the same argument applies to give $\mathcal{M} \not\models_s [P]A$.

Sublemma B. $\mathcal{M} \models \Box([P]A \to \langle F\rangle[P]A)$.

Proof. It suffices to prove
$$\mathcal{M} \models [P]A \to \langle F\rangle[P]A.$$
So, suppose $\mathcal{M} \models_s [P]A$. Then by Sublemma A, $C_{|s|} \leq C$. If $C_{|s|} = C$, then since, by assumption, $s$ is not $C$-greatest, there exists $t$ with $sRt$ and $|t| \in C$. But then Sublemma A again gives $\mathcal{M} \models_t [P]A$, and so $\mathcal{M} \models_s \langle F\rangle[P]A$. On the other hand, if $C_{|s|} < C$, then any $t$ with $|t| \in C$ will have $sRt$, and the same conclusion follows.

Finally, to complete the proof of Lemma 8.23, take any $s$ with $|s| \in C$. Then $\mathcal{M} \models_s [P]A$. Choose any $t$ with $|t| \in D$. As in the proofs of the Sublemmas, we then get $sRt$ and $\mathcal{M} \not\models_t A$, so $\mathcal{M} \not\models_s [F]A$. Hence
$$\mathcal{M} \not\models_s [P]A \to [F]A.$$
But in view of Sublemma B, this contradicts the fact that $\mathcal{M} \models$ Cont.

Filling The Cut

Armed now with Lemma 8.23, we enlarge the model $\mathcal{M}_\Gamma$ to a new model $\mathcal{M}'$ as follows. Suppose that there is a $C$-greatest element $\gamma$ in $\mathcal{M}$. $\mathcal{M}'$ is then based on the frame $(S', R')$, where
$$S' = S_\Gamma \cup \{\gamma\}, \text{ and}$$
$$R' = R_\Gamma \cup \{(x, \gamma) : x \in S_\Gamma \ \&\ C_x \leq C\} \cup \{(\gamma, x) : x \in S_\Gamma \ \&\ D \leq C_x\}.$$
Let $f : S' \to S_\Gamma$ have $f(\gamma) = |\gamma|$, and otherwise $f(x) = x$. For each $x \in S'$, put
$$\mathcal{M}' \models_x p \text{ iff } \mathcal{M}_\Gamma \models_{f(x)} p.$$
Thus $\mathcal{M}'$ arises by inserting $\gamma$ as a new irreflexive element (degenerate cluster) between $C$ and $D$ in $\mathcal{M}_\Gamma$.
Lemma 8.24. For any $B \in \Gamma$, and any $x \in S'$,
$$\mathcal{M}' \models_x B \text{ iff } \mathcal{M}_\Gamma \models_{f(x)} B.$$
Proof. Since $C$ is non-degenerate, we have that
$$xR'y \text{ implies } f(x) R_\Gamma f(y), \qquad (\dagger)$$
for all $x, y \in S'$, and this suffices to prove the inductive cases of $[P]B$ and $[F]B$ from right to left. For the converses, suppose first that $\mathcal{M}_\Gamma \not\models_{f(x)} [F]B$. A little reflection reveals that the only problematic case is when $x = \gamma$. But then $f(x) = |\gamma|$, and so by the Filtration Lemma, $\mathcal{M} \not\models_\gamma [F]B$, hence $\mathcal{M} \not\models_t B$ for some $t$ with $\gamma R t$. Since $\gamma$ is $C$-greatest, $|t| \notin C$, so as $|\gamma| R_\Gamma |t|$, $C < C_{|t|}$, and therefore $\gamma R' |t|$ in $\mathcal{M}'$. But $\mathcal{M}_\Gamma \not\models_{|t|} B$, so applying the induction hypothesis on $B$, we then get $\mathcal{M}' \not\models_\gamma [F]B$.
Finally the inductive case that $\mathcal{M}' \models_x [P]B$ implies $\mathcal{M}_\Gamma \models_{f(x)} [P]B$ is straightforward, since $(\dagger)$ holds for all $x \in S'$ when $y = \gamma$.
Exercise 8.25
Adapt the construction of $\mathcal{M}'$ to the case that there is instead a $D$-least element, and prove Lemma 8.24 for that case.
Now by iterating the $\mathcal{M}'$-construction a finite number of times, we obtain a model $\mathcal{M}''$ with no adjacent non-degenerate clusters, no adjacent degenerate ones, and non-degenerate first and last clusters. A temporal p-morphism can then be constructed from $(\mathbb{R}, <)$ onto the frame of $\mathcal{M}''$, as discussed above. But by Lemma 8.24 (iterated), any $\Gamma$-formula falsifiable in $\mathcal{M}_\Gamma$ is falsifiable in $\mathcal{M}''$, and hence falsifiable in a model based on $(\mathbb{R}, <)$.
Exercise 8.26
Axiomatise the temporal logics determined by $(\mathbb{Z}, <)$, $(\omega, <)$, and $(E, <)$ (cf. Segerberg [1970] for some answers).
9 Temporal Logic of Concurrency

Consider the following description of a "concurrent" program (adapted from Pnueli [1981]). There are $n$ different processes acting in parallel, using a shared memory environment, so that each can alter the values of variables used by the others. For illustrative purposes, the processes may be thought of as disjoint flowcharts, with labelled nodes. A typical node of the $i$-th process is denoted $m^i$. Each process has an entry node $m^i_0$. If the program variables are $v_1, \ldots, v_k$, then a state may be defined as a vector
$$(m^1, \ldots, m^n, a_1, \ldots, a_k)$$
specifying a label for each process (denoting the point that the process is currently at), and a current value $a_i$ for each variable $v_i$. Predicates $at_i$ of labels will be used, with the semantics
$$\models_s at_i(m) \text{ iff } m = m^i.$$
Each successive state is to be obtained from its predecessor by exactly one process being chosen to execute one transition in its flow chart. Thus from an initial state
$$s_0 = (m^1_0, \ldots, m^n_0, a_1, \ldots, a_k),$$
many different execution sequences $s_0, s_1, \ldots$ may be generated, depending on which process gets chosen to act at each step. Some interesting properties of such sequences can be formulated by reading the connective $\Box$ as "at all states from now on".

Deadlock Freedom
Deadlock occurs when no process can act. The requirement that deadlock does not occur at $(m^1, \ldots, m^n)$ can be expressed by
$$\Box(at_1(m^1) \wedge \cdots \wedge at_n(m^n) \to E_1 \vee \cdots \vee E_n),$$
where $E_i$ is the exit condition for node $m^i$, consisting of the disjunction of the propositions labelling edges out of $m^i$ (the truth of such a proposition being the requirement for the process to be able to proceed along that edge).

Mutual Exclusion
$$\Box\neg(at_i(m) \wedge at_j(m'))$$
asserts that the program can never simultaneously access $m$ and $m'$.

Accessibility
$$\Box(at_i(m) \to \Diamond at_j(m'))$$
expresses that if the program ever reaches $m$ it will eventually proceed from there to $m'$.

Correctness
A partial correctness assertion about a program states that if the program works as was intended, then a certain condition $\psi$ must be true after termination, given that some condition $\varphi$ was true at the start. Illustrating with a program having a single entry label $m_0$, and exit $m_e$, this can be formalised as
$$at(m_0) \wedge \varphi \to \Box(at(m_e) \to \psi).$$
Total correctness includes the assertion that the program will halt:
$$at(m_0) \wedge \varphi \to \Diamond(at(m_e) \wedge \psi).$$

Responsiveness
An operating system may receive requests ($r_i$) from various agents, to whom it will signal ($g_i$) when it grants the request. The formula

expresses that a request is always eventually honoured.

Absence of Unsolicited Response

This example, from Gabbay et al. [1980], uses the connective $U$ (until) to express the requirement that if a response is to occur, it will not do so until a request has been received:

Further explanations of how temporal logic is used in applications to computer science may be found in Manna and Pnueli [1981], Hailpern [1982], Moszkowski [1986], and several articles in Galton [1987] and de Bakker et al. [1989].

Syntax and Semantics

Given a set $\Phi$ of atomic formulae as usual, define a set of formulae $A \in Fma(\Phi)$ by the BNF definition
$$A ::= p \mid \bot \mid A_1 \to A_2 \mid \Box A \mid \bigcirc A \mid A_1\,U\,A_2$$
$\Box$ means "henceforth" (i.e. from now on, including the present).
$\bigcirc$ means "next" (i.e. at the next state).
$U$ means "until".
$\Diamond$, as usual, is shorthand for $\neg\Box\neg$.

By a state sequence we mean a pair $\mathcal{F} = (S, \sigma)$, where $\sigma$ is a surjective function $\omega \to S$ enumerating $S$ as a sequence
$$\sigma_0, \sigma_1, \sigma_2, \ldots$$
(possibly with repetition, for example when $S$ is finite).

A model $\mathcal{M} = (S, \sigma, V)$ on a state sequence is defined in the usual way, and the relation
$$\mathcal{M} \models_j A,$$
meaning "$A$ is true at the $j$-th state $\sigma_j$ in $\mathcal{M}$", is defined by
$$\begin{aligned}
\mathcal{M} \models_j p &\text{ iff } \sigma_j \in V(p)\\
\mathcal{M} \not\models_j \bot &\\
\mathcal{M} \models_j A \to B &\text{ iff } \mathcal{M} \models_j A \text{ implies } \mathcal{M} \models_j B\\
\mathcal{M} \models_j \bigcirc A &\text{ iff } \mathcal{M} \models_{j+1} A\\
\mathcal{M} \models_j \Box A &\text{ iff for all } k \geq j,\ \mathcal{M} \models_k A\\
\mathcal{M} \models_j A\,U\,B &\text{ iff for some } k \geq j,\ \mathcal{M} \models_k B \text{ and}\\
&\quad \text{for every } i \text{ such that } j \leq i < k,\ \mathcal{M} \models_i A
\end{aligned}$$
The definitions of the relations $\mathcal{M} \models A$ and $\mathcal{F} \models A$ are as usual.

Intuitively, this semantics amounts to interpreting $\Box$ by the relation $\leq$, and $\bigcirc$ by the relation $R$, where $jRk$ iff $k = j + 1$. $R$ is functional, and the connection between the two relations is that $\leq$ is the ancestral (reflexive transitive closure) of $R$ (cf. §1 for the definition of the ancestral). This observation is the key to the completeness theorem to follow.

Axioms
Let $\Theta$ be the smallest logic in the language just described that contains the schemata
$$\begin{aligned}
K:&\ \Box(A \to B) \to (\Box A \to \Box B)\\
K\bigcirc:&\ \bigcirc(A \to B) \to (\bigcirc A \to \bigcirc B)\\
Fun:&\ \bigcirc\neg A \leftrightarrow \neg\bigcirc A\\
Mix:&\ \Box A \to A \wedge \bigcirc\Box A\\
Ind:&\ \Box(A \to \bigcirc A) \to (A \to \Box A)\\
U1:&\ A\,U\,B \to \Diamond B
\end{aligned}$$

and is closed under Necessitation for $\Box$ and $\bigcirc$, i.e.,
$$A \in \Theta \text{ implies } \Box A, \bigcirc A \in \Theta.$$
The roles of $K$, $K\bigcirc$, and the Necessitation rules are now familiar. The axiom $Fun$ expresses the interpretation of $\bigcirc$ by a total function, while $Mix$ and $Ind$ together correspond to the interpretation of $\Box$ by the reflexive transitive closure of the interpretation of $\bigcirc$. The reflexivity schema $T: \Box A \to A$ is immediately implied by $Mix$. For the transitivity schema $4$, see Theorem 9.2 below. $Ind$ by itself expresses the induction principle that any set which contains $\sigma_j$ and is closed under the taking of successor states must contain all states from $\sigma_j$ on.

Exercises 9.1
(1) (Soundness). Prove that $\mathcal{F} \models \Theta$ for any state sequence $\mathcal{F}$.
(2) Show that $\vdash_\Theta A \to \bigcirc A$ implies $\vdash_\Theta A \to \Box A$.
(3) $\vdash_\Theta \bigcirc\Box A \to \bigcirc A$.
(4) $\vdash_\Theta \Box A \to \bigcirc A$.

Theorem 9.2. The following schemata are $\Theta$-derivable.
(1) $4: \Box A \to \Box\Box A$
(2) $\bigcirc\Box A \to \Box\bigcirc\Box A$
(3) $\bigcirc\Box A \to \bigcirc(A \wedge \bigcirc\Box A)$
(4) $A \wedge \bigcirc\Box A \to \Box A$
(5) $\bigcirc\Box A \to \Box(A \to \Box A)$
(6) $Dum: \Box(\Box(A \to \Box A) \to A) \to (\bigcirc\Box A \to A)$
Proof. We indicate the main points. The rest involves tautological reasoning, and principles that hold for all normal logics.

(1) From $\Box A \to \bigcirc\Box A$ (by $Mix$) and Exercise 9.1(2).
(2) From $Mix$, $K\bigcirc$-principles, and 9.1(2).
(3) Use 9.1(3), $Mix$, and $K\bigcirc$-principles.
(4) Using (3) and 9.1(2) gives
$$\vdash_\Theta A \wedge \bigcirc\Box A \to \Box(A \wedge \bigcirc\Box A).$$
But $\vdash_\Theta \Box(A \wedge \bigcirc\Box A) \to \Box A$.
(5) From (4),
$$\vdash_\Theta \bigcirc\Box A \to (A \to \Box A)$$
and hence
$$\vdash_\Theta \Box\bigcirc\Box A \to \Box(A \to \Box A).$$
Then use (2).
(6) An instance of schema $K$ is
$$\Box(\Box(A \to \Box A) \to A) \to (\Box\Box(A \to \Box A) \to \Box A),$$
which by result (5) and the schema $4$ yields
$$\vdash_\Theta \Box(\Box(A \to \Box A) \to A) \to (\bigcirc\Box A \to \Box A). \qquad (\dagger)$$
Now an instance of $Ind$ is
$$\Box(\neg\Box A \to \bigcirc\neg\Box A) \to (\neg\Box A \to \Box\neg\Box A),$$
which, with the help of $Fun$, leads to
$$\vdash_\Theta \Box(\neg\Box A \to \neg\bigcirc\Box A) \to (\neg\Box A \to \neg\bigcirc\Box A),$$
and hence
$$\vdash_\Theta \Box(\bigcirc\Box A \to \Box A) \to (\bigcirc\Box A \to \Box A).$$
But this, together with $(\dagger)$ and schemata $4$ and $T$, yields $\vdash_\Theta Dum$.

Deriving $L1$
The schema $Dum$ will be used in the completeness theorem for $\Theta$, along with
$$L1: \Box(\Box A \to B) \vee \Box(\Box B \to A),$$
which is also $\Theta$-derivable. The following exercises give a guided tour of a proof of this which is due to Martin Abadi.

Exercises 9.3
Let $X$ be $(\Box A \to B)$ and $Y$ be $(\Box B \to A)$. Define the following formulae.
$$\begin{aligned}
L1:&\ \Box X \vee \Box Y\\
A1:&\ \Box X \vee X \vee \Box Y \vee \neg Y \vee \bigcirc\Box Y\\
A2:&\ \Box Y \vee Y \vee \Box X \vee \neg X \vee \bigcirc\Box X\\
A3:&\ \Box X \vee X \vee \Box Y \vee Y\\
A4:&\ \Box X \vee \neg X \vee \bigcirc\Box X \vee \Box Y \vee \neg Y \vee \bigcirc\Box Y
\end{aligned}$$
(1) Show that $A1$ and $A2$ are deducible in any logic that is $\Box$-normal.
(2) Show that $A3$ is deducible in any logic containing the schema $T$ for $\Box$.
(3) Use Theorem 9.2(4) and tautological reasoning to show that
$$\vdash_\Theta A1 \wedge A2 \wedge A3 \wedge A4 \to L1.$$
Conclude that
$$\vdash_\Theta A4 \to L1.$$
(4) Use $Fun$ to $\Theta$-deduce

$$\to A4.$$
(5) With the help of the last two results, obtain
$$\vdash_\Theta \neg A4 \to \bigcirc\neg A4$$
and then use $Ind$ to get

(6) Show that $\bigcirc A4$ is deducible in any $\Box$-normal logic containing schema $T$ for $\Box$. Conclude that

To gain an intuitive understanding of the formulae $A1, \ldots, A4$ that collectively imply $L1$, suppose that $L1$ were false at some state. Then both conjuncts of
$$\Diamond\neg X \wedge \Diamond\neg Y$$
would be true. For each conjunct, the state at which $X$ (respectively, $Y$) will be false could either be the present state, or some future state, in which case the conjunct is still true at the next state. This gives four possible situations, each of which falsifies one of $A1, \ldots, A4$.

Exercises 9.4
(1) Show that
$$\vdash_\Theta A \to B \wedge \bigcirc A$$
implies
$$\vdash_\Theta A \to \Box B.$$

(2) Show that
$$\vdash_\Theta A \to \bigcirc B \wedge (B \vee (D \wedge \bigcirc A)),$$
implies

(3) The following are $\Theta$-deducible:
$\bigcirc A \to \Diamond A$
$\bigcirc(A \vee B) \leftrightarrow$
$\bigcirc\Box A \leftrightarrow$
$\bigcirc\Diamond A \leftrightarrow$
$\leftrightarrow \bigcirc A$
$\Box A \wedge \Diamond B \to A\,U\,B$

Induction Models
An induction frame is a structure $\mathcal{F} = (S, f)$, with $f : S \to S$, i.e. $f$ is a function from $S$ to $S$. The "graph"
$$\{(s, t) : t = f(s)\}$$
of $f$ is denoted $R_f$. $R_f^*$ is the ancestral of $R_f$ (§1). Thus $sR_f^*t$ iff there is an $R_f$-list linking $s$ to $t$, i.e. a finite sequence $s = s_0, \ldots, s_n = t$, with $f(s_i) = s_{i+1}$ for all $i < n$. Models on induction frames give a semantics for $\Theta$, as follows.
$$\begin{aligned}
\mathcal{M} \models_s \bigcirc A &\text{ iff } \mathcal{M} \models_{f(s)} A\\
\mathcal{M} \models_s \Box A &\text{ iff } sR_f^*t \text{ implies } \mathcal{M} \models_t A\\
\mathcal{M} \models_s A\,U\,B &\text{ iff there exists an } R_f\text{-list } s = s_0, \ldots, s_k, \text{ with}\\
&\quad \mathcal{M} \models_{s_k} B, \text{ and } \mathcal{M} \models_{s_i} A \text{ whenever } 0 \leq i < k.
\end{aligned}$$

Exercise 9.5
If $\mathcal{M}$ is an induction model, show that $\mathcal{M} \models \Theta$.

Completeness of $\Theta$.
Fix a formula $A$ such that $\nvdash_\Theta A$. We want to find a falsifying model for $A$ on a state sequence, and for this we adapt the canonical model construction. The relations $R^\Theta_\Box$ and $R^\Theta_\bigcirc$ on the set $S_\Theta$ of $\Theta$-maximal subsets of $Fma(\Phi)$ are given by
$$sR^\Theta_\Box t \text{ iff } \{B : \Box B \in s\} \subseteq t, \text{ and}$$
$$sR^\Theta_\bigcirc t \text{ iff } \{B : \bigcirc B \in s\} \subseteq t.$$
Now $R^\Theta_\Box$ is reflexive (since $Mix$ implies the schema $T$ for $\Box$), transitive (since schema $4$ is $\Theta$-derivable), and weakly-connected (since schema $L1$, and hence $L$, is $\Theta$-derivable). By $Fun$, $R^\Theta_\bigcirc$ is functional.
Since $\nvdash_\Theta A$, there is some $s_A \in S_\Theta$ with $A \notin s_A$. Let
$$S = \{u \in S_\Theta : s_A (R^\Theta_\Box)^* u\}.$$
As $\vdash$
implies $uR^\Theta_\Box v$, so $S$ is closed under $R^\Theta_\Box$, i.e.
$$u \in S \ \&\ uR^\Theta_\Box v \text{ implies } v \in S.$$
Also, when restricted to $S$, $R^\Theta_\Box$ is reflexive, transitive, and connected (cf. Exercise 3.11(1)).
We will work with the structure
$$\mathcal{F} = (S, R^\Theta_\Box, R^\Theta_\bigcirc),$$
which is in essence the subframe of the canonical $\Theta$-frame generated by $s_A$. But $R^\Theta_\Box$ is not the ancestral of $R^\Theta_\bigcirc$ (cf. Exercise 9.6(2) below), and we will have to collapse $\mathcal{F}$ by filtration to achieve that property. Moreover, we cannot work with the canonical model on $\mathcal{F}$, since it is not apparent that the Truth-Lemma (3.3) can be proved for formulae involving the connective $U$. Instead therefore, we work directly with the relation of membership of $\Theta$-maximal sets, using such properties as
$$\begin{aligned}
\Box B \in s &\text{ iff } \forall t \in S\,(sR^\Theta_\Box t \text{ implies } B \in t),\\
\bigcirc B \in s &\text{ iff } \forall t \in S\,(sR^\Theta_\bigcirc t \text{ implies } B \in t),\\
\vdash_\Theta B &\text{ implies } B \in s, \text{ for all } s \in S
\end{aligned}$$
(cf. Exercise 2.3(1), Theorem 3.2, etc.).

Exercises 9.6
(1) Show that $(R^\Theta_\bigcirc)^* \subseteq R^\Theta_\Box$.
(2) Show that the set
$$\omega = \{\bigcirc^n p : n \geq 0\} \cup \{\neg\Box p\}$$
is $\Theta$-consistent, by showing that each finite subset of $\omega$ is true at some point of some $\Theta$-model. Deduce that there exist $t, u \in S_\Theta$ with $tR^\Theta_\Box u$ but not $t(R^\Theta_\bigcirc)^* u$.

Filtration
Our filtration set $\Gamma$ will have to contain more than just the subformulae of $A$. We define
$$\Gamma = Sf(A) \cup \{\bigcirc\Box B : \Box B \in Sf(A)\} \cup \{\bigcirc(B\,U\,D),\ \Box\neg D,\ \bigcirc\Box\neg D,\ \neg D : B\,U\,D \in Sf(A)\}.$$
Then $\Gamma$ is finite: it has fewer than $6n$ elements, where $n$ is the number of elements of $Sf(A)$. The purpose of this definition is to ensure that $\Gamma$ has the following closure properties:
$A \in \Gamma$;
$\Gamma$ is closed under subformulae;
$\Box B \in \Gamma$ implies $\bigcirc\Box B \in \Gamma$;
$B\,U\,D \in \Gamma$ implies $\bigcirc(B\,U\,D), \Box\neg D \in \Gamma$.
The definition of $\Gamma$-filtration is adapted as follows.
$$\begin{aligned}
s \sim_\Gamma t &\text{ iff } s \cap \Gamma = t \cap \Gamma,\\
|s| &= \{t : s \sim_\Gamma t\},\\
S_\Gamma &= \{|s| : s \in S\}.
\end{aligned}$$

Definability Lemma 9.7. If $X \subseteq S_\Gamma$, there is a formula $B_X$ such that for all $s \in S$,
$$B_X \in s \text{ iff } |s| \in X.$$
Proof. For each $t \in S$, let $B_t$ be the conjunction of the members of
$$\{B \in \Gamma : B \in t\} \cup \{\neg B : B \in \Gamma \ \&\ B \notin t\},$$
and then if
$$X = \{|t_1|, \ldots, |t_n|\},$$

put
$$B_X = B_{t_1} \vee \cdots \vee B_{t_n}$$
(the construction is just as for the Definability Lemma 8.13).

Now a relation $R_\Box$ on $S_\Gamma$ is defined to be a $\Gamma$-filtration of $R^\Theta_\Box$ if, and only if,
(F1) $sR^\Theta_\Box t$ implies $|s|R_\Box|t|$, and
(F2) $|s|R_\Box|t|$ implies $\{B : \Box B \in s \cap \Gamma\} \subseteq t$.
Replacing $\Box$ by $\bigcirc$ throughout this definition gives the notion of a $\Gamma$-filtration $R_\bigcirc$ of $R^\Theta_\bigcirc$.
Ancestral Lemma 9.8. If a relation $R_\bigcirc$ on $S_\Gamma$ is a $\Gamma$-filtration of $R^\Theta_\bigcirc$, then the ancestral $R_\bigcirc^*$ of $R_\bigcirc$ is a $\Gamma$-filtration of $R^\Theta_\Box$.
Proof.
(F1). Let $s \in S$. To show that $sR^\Theta_\Box t$ implies $|s|R_\bigcirc^*|t|$, let
$$X_s = \{x \in S_\Gamma : |s|R_\bigcirc^* x\}.$$
First we prove
$$\Box(A_s \to \bigcirc A_s) \in s, \qquad (\dagger)$$
where $A_s$ is a formula, given by the Definability Lemma 9.7, having
$$A_s \in u \text{ iff } |s|R_\bigcirc^*|u|.$$
To prove this, suppose that $sR^\Theta_\Box t$ and $A_s \in t$. We want $\bigcirc A_s \in t$ to conclude $(\dagger)$. But $|s|R_\bigcirc^*|t|$, by the definition of $A_s$, so $|s|R_\bigcirc^n|t|$ for some $n \geq 0$. Then if $tR^\Theta_\bigcirc u$, we have $|t|R_\bigcirc|u|$, since $R_\bigcirc$ is a $\Gamma$-filtration of $R^\Theta_\bigcirc$, and so $|s|R_\bigcirc^{n+1}|u|$. This gives $|u| \in X_s$, and hence $A_s \in u$. We have thus shown
$$tR^\Theta_\bigcirc u \text{ implies } A_s \in u,$$
and hence $\bigcirc A_s \in t$ as required.
Since $s$ contains all instances of the induction axiom $Ind$, $(\dagger)$ then yields
$$(A_s \to \Box A_s) \in s.$$
But $A_s \in s$, since $|s|R_\bigcirc^*|s|$, and so
$$\Box A_s \in s.$$
Hence if $sR^\Theta_\Box t$, then $A_s \in t$, and so $|s|R_\bigcirc^*|t|$.

(F2). We want to prove that
$$|s|R_\bigcirc^*|t| \text{ implies } \{B : \Box B \in s \cap \Gamma\} \subseteq t.$$
First we show, for all $n \geq 0$, that
$$|s|R_\bigcirc^n|t| \text{ implies } \{\Box B : \Box B \in s \cap \Gamma\} \subseteq t. \qquad (\ddagger)$$
The case $n = 0$ is immediate, since $|s| = |t|$ implies $s \cap \Gamma = t \cap \Gamma$. Assuming the result for $n$, suppose $|s|R_\bigcirc^{n+1}|t|$. Then $|s|R_\bigcirc^n|u|$ and $|u|R_\bigcirc|t|$, for some $u$. Thus if $\Box B \in s \cap \Gamma$, we have $\Box B \in u$ by the hypothesis on $n$, and so $\bigcirc\Box B \in u \cap \Gamma$ by the axiom $Mix$ and the definition of $\Gamma$. But then $\Box B \in t$, as $R_\bigcirc$ is a $\Gamma$-filtration of $R^\Theta_\bigcirc$. This completes the inductive proof of $(\ddagger)$.
Finally then, if $|s|R_\bigcirc^*|t|$, we have $|s|R_\bigcirc^n|t|$ for some $n$, so that if $\Box B \in s \cap \Gamma$, $(\ddagger)$ gives $\Box B \in t$, and then $Mix$ gives $B \in t$.

This completes the proof of the Ancestral Lemma, a result which substantiates the earlier remark that the axioms $Mix$ and $Ind$ characterise the interpretation of $\Box$ as the ancestral of the interpretation of $\bigcirc$. This fact will feature again in the study of dynamic logic in the next section.

The Role of $Fun$

The axiom $Fun$ ensures that $R^\Theta_\bigcirc$ is a functional relation, but this property may be lost in passing to $R_\bigcirc$. To deal with this, we will use the smallest $\Gamma$-filtration of $R^\Theta_\bigcirc$, defined by
$$|s|R_\bigcirc|t| \text{ iff } \exists s' \in |s|\ \exists t' \in |t|\ (s'R^\Theta_\bigcirc t').$$
Fun-Lemma 9.9. Let $R_\bigcirc$ be the smallest $\Gamma$-filtration of $R^\Theta_\bigcirc$. Then if $\bigcirc B \in \Gamma$ and $s \in S$, the following are equivalent.
(1) $\bigcirc B \in s$.
(2) $\forall t\,(|s|R_\bigcirc|t| \text{ implies } B \in t)$.
(3) $\exists t\,(|s|R_\bigcirc|t| \text{ and } B \in t)$.
Proof. First, note that (1) and (2) are equivalent for any filtration of $R^\Theta_\bigcirc$.
Next, $Fun$ guarantees that $R^\Theta_\bigcirc$ is serial, and hence $R_\bigcirc$ is serial. But this is enough to make (2) imply (3).
Finally, assume (3). Then there are $s' \in |s|$ and $t' \in |t|$ with $s'R^\Theta_\bigcirc t'$. Thus if $\bigcirc B \notin s$, then $\bigcirc B \notin s'$, as $s \sim_\Gamma s'$, and so $\bigcirc\neg B \in s'$ by $Fun$. But then $\neg B \in t'$, contradicting the fact that $B \in t$ and $t \sim_\Gamma t'$. Hence (1) must hold.

Exercise 9.10
Show that the Fun-Lemma holds for any $\Gamma$-filtration of $R^\Theta_\bigcirc$, smallest or not, provided that
$$\text{if } \bigcirc B \in \Gamma, \text{ then either } \bigcirc\neg B \in \Gamma, \text{ or else } B = \neg C \text{ with } \bigcirc C \in \Gamma.$$
Show that $\Gamma$ can be made to satisfy this additional condition and still be finite.

Another way to explain the main point of the Fun-Lemma is that, under its hypotheses, if $\bigcirc B \notin s$, then $B \notin t$ for any $t$ with $|s|R_\bigcirc|t|$. The import of this will be that although $|s|$ may have a number of $R_\bigcirc$-alternatives, we can remove all but one of them, in an arbitrary way, without altering the falsity of $\Gamma$-formulae of the form $\bigcirc B$ at $|s|$.

The Role of $Dum$

Consider the properties of the structure

where $R_\bigcirc$ is the smallest $\Gamma$-filtration of $R^\Theta_\bigcirc$. $R_\bigcirc$ is serial, since $R^\Theta_\bigcirc$ is, but may not be functional. $R_\bigcirc^*$ is reflexive and transitive (by definition), and also connected, by the Ancestral Lemma, since $R^\Theta_\Box$ is connected. Since $S_\Gamma$ is finite, it follows that the structure takes the form of a finite sequence of $R_\bigcirc^*$-clusters.
We now recall the analysis of extensions of $S4.3$ given in §8, and define the relation $R^c_\Box$ on $S_\Gamma$ by
$$xR^c_\Box y \text{ iff } \forall s \in x\ \exists t \in y\ (sR^\Theta_\Box t).$$
Then $R^c_\Box$ is reflexive, transitive, and connected, with $R^c_\Box \subseteq R_\bigcirc^*$ (this is proven just as in Lemma 8.10). Thus the $R^c_\Box$-cluster of each point is contained in the $R_\bigcirc^*$-cluster of that point, and so each $R_\bigcirc^*$-cluster decomposes into a sequence of $R^c_\Box$-clusters, as in the diagram on page 72. Moreover, the following result can be proved just as for the $R^c$-Lemma 8.11.
$R^c_\Box$-Lemma 9.11. If $\Box B \in \Gamma$ and $\Box B \notin s \in S$, then there exists $t \in S$ with $B \notin t$ and $|s|R^c_\Box|t|$.

Now by Theorem 9.2(6), each member of $S$ contains all instances of $Dum$. From this we show, just as for the Dum-Lemma 8.14:
Dum-Lemma 9.12. Every non-last $R^c_\Box$-cluster is simple.

Unwinding the Last Cluster

An $R_\bigcirc$-list is a finite sequence $x_0, \ldots, x_n$ such that $x_iR_\bigcirc x_{i+1}$ for all $i < n$. Now if $C$ is the last $R^c_\Box$-cluster in our structure, then $C$ may not be simple, i.e. may have more than one element. In that case, we will "unwind" $C$ into a finite $R_\bigcirc$-list. This can be done starting from any prescribed point $x \in C$, as follows. First pick some $y \in C$. Then $xR^c_\Box y$, so $xR_\bigcirc^* y$, and so there is an $R_\bigcirc$-list $x = x_0, \ldots, x_n = y$, with each $x_i$ in $C$ as $C$ is last. If there is an element $z$ of $C$ that does not appear in this list, then since $x_nR^c_\Box z$ we can extend the list to $x_nR_\bigcirc x_{n+1}R_\bigcirc \cdots R_\bigcirc x_k = z$, for some $k$. And so on. Eventually we build a finite $R_\bigcirc$-list $x_0, \ldots, x_l$ in which every member of $C$ appears at least once, and possibly more often. Since repetitions are allowed, we can arrange to end the list at any prescribed $z \in C$. Especially, we can arrange for the list to start and finish at the same point of $C$.
Now to define our state-sequence $\sigma : \omega \to S_\Gamma$. Let $C_0, \ldots, C_{n-1}$ be the sequence of non-last $R^c_\Box$-clusters in the order induced by $R^c_\Box$. Then for each $i < n$, from 9.12 it follows that $C_i$ has the form $\{\sigma_i\}$ with $\sigma_i \in S_\Gamma$. This gives an $R_\bigcirc$-list $\sigma_0R_\bigcirc \cdots R_\bigcirc\sigma_{n-1}$. Then if $C$ is the last $R^c_\Box$-cluster, there must be some $x \in C$ with $\sigma_{n-1}R_\bigcirc x$. Let $\sigma_n = x$, and unwind $C$, as above, into an $R_\bigcirc$-list $\sigma_n, \sigma_{n+1}, \ldots, \sigma_r$, that has $\sigma_n = \sigma_r$. Finally, we repeat this last list ad infinitum:
$$\sigma_n, \ldots, \sigma_r = \sigma_n, \sigma_{r+1} = \sigma_{n+1}, \ldots$$
i.e. $\sigma_{n + q(r - n) + i} = \sigma_{n+i}$ (for all $q \in \omega$ and $0 \leq i < r - n$).

This completes the definition of $\sigma$. The main features of the construction are that for all $j \in \omega$,
(1) $\sigma_jR_\bigcirc\sigma_{j+1}$: hence $\sigma_jR_\bigcirc^*\sigma_k$ whenever $k \geq j$;
(2) if the $R^c_\Box$-cluster of $x$ comes after that of $\sigma_j$, then $x = \sigma_k$ for some $k > j$; and
(3) if $\sigma_j$ is in the last $R^c_\Box$-cluster, and so is $x$, then $x = \sigma_k$ for some $k \geq j$.

Theorem 9.13. Let $\mathcal{M} = (S_\Gamma, \sigma, V_\Gamma)$. If $B \in \Gamma$, then for any $j \in \omega$ and $s \in \sigma_j$,
$$B \in s \text{ iff } \mathcal{M} \models_j B.$$
Proof.
For $B = p \in \Phi \cap \Gamma$, $\mathcal{M} \models_j p$ iff $\sigma_j \in V_\Gamma(p)$ iff $p \in s$. The truth-functional cases are straightforward as usual.
For the inductive case for $\bigcirc$, suppose $\bigcirc B \in s \cap \Gamma$, with $|s| = \sigma_j$. Pick any $t \in \sigma_{j+1}$. Then as $\sigma_jR_\bigcirc\sigma_{j+1}$, the second filtration condition gives $B \in t$, whence the induction hypothesis on $B$ gives $\mathcal{M} \models_{j+1} B$, so that $\mathcal{M} \models_j \bigcirc B$.

Conversely, if $\mathcal{M} \models_j \bigcirc B$, then $\mathcal{M} \models_{j+1} B$. Taking $\sigma_{j+1} = |t|$, we get $B \in t$ by the induction hypothesis, and so $\bigcirc B \in s$ by the Fun-Lemma 9.9.
Next the case of $\Box$. If $\Box B \in s \cap \Gamma$, then for any $k \geq j$, we have $\sigma_jR_\bigcirc^*\sigma_k$, so that as $R_\bigcirc^*$ is a $\Gamma$-filtration of $R^\Theta_\Box$, $B \in t$ for any $t \in \sigma_k$, hence $\mathcal{M} \models_k B$ by the induction hypothesis on $B$. This shows that $\mathcal{M} \models_j \Box B$.
On the other hand, if $\Box B \notin s$, then by the $R^c_\Box$-Lemma 9.11, $B \notin t$ for some $t$ with $|s|R^c_\Box|t|$. If the $R^c_\Box$-cluster of $|s|$ is not last, then either $|t| = |s| = \sigma_j$, or else the $R^c_\Box$-cluster of $|t|$ comes after that of $|s|$, so by (2) above, $|t| = \sigma_k$ with $k > j$. If however $|s|$ is in the last $R^c_\Box$-cluster, then so too is $|t|$, so again, by (3), this gives $|t| = \sigma_k$ with $k \geq j$. In all cases then, we have $\mathcal{M} \not\models_k B$ for some $k \geq j$, and so $\mathcal{M} \not\models_j \Box B$.
Now we come to the case of the connective $U$, and invoke for the first time the axioms $U1$ and $U2$. Make the inductive hypothesis that the Theorem holds for $B$ and for $D$. Suppose that $B\,U\,D \in s \cap \Gamma$, with $|s| = \sigma_j$. Then from $U1$, $\Box\neg D \notin s$. Now the closure conditions on $\Gamma$ give $\Box\neg D \in \Gamma$, and so from the hypothesis on $D$ and the cases just treated, the Theorem holds for $\Box\neg D$. Hence $\mathcal{M} \not\models_j \Box\neg D$, implying that $\mathcal{M} \models_k D$ for some $k \geq j$. Take the least such $k$. If $k = j$, then immediately $\mathcal{M} \models_j B\,U\,D$. Otherwise, when $k > j$, we will prove that $\mathcal{M} \models_i B$ for all $i$ having $j \leq i < k$, again giving $\mathcal{M} \models_j B\,U\,D$. The proof depends on showing that
$$t \in \sigma_i \text{ implies } B\,U\,D \in t. \qquad (\dagger)$$
This is done by induction on those $i$ with $j \leq i < k$. For the case $i = j$, if $t \in \sigma_j$, then $B\,U\,D \in t$ because $t \sim_\Gamma s$ and $B\,U\,D \in s$. Now assume that $(\dagger)$ holds, with $i + 1 < k$. By the definition of $k$ as "least", we then have $\mathcal{M} \not\models_i D$, so if $u \in \sigma_i$, it follows that $D \notin u$ by the hypothesis on $D$. But $B\,U\,D \in u$, by $(\dagger)$, so applying axiom $U2$ gives $\bigcirc(B\,U\,D) \in u$. Since $\sigma_iR_\bigcirc\sigma_{i+1}$ and $\bigcirc(B\,U\,D) \in \Gamma$, any $t \in \sigma_{i+1}$ then has $B\,U\,D \in t$ by the second filtration condition on $R_\bigcirc$, establishing $(\dagger)$ for $i + 1$.
Thus $(\dagger)$ holds for all required $i$. Taking $t \in \sigma_i$ for such an $i$, the definition of $k$ and hypothesis on $D$ give $D \notin t$, so $(\dagger)$ and axiom $U2$ then yield $B \in t$. Hence $\mathcal{M} \models_i B$, as desired, by hypothesis on $B$.
Conversely, suppose that $\mathcal{M} \models_j B\,U\,D$ and $s \in \sigma_j$. Then for some $k \geq j$, $\mathcal{M} \models_k D$, with $\mathcal{M} \models_i B$ whenever $j \leq i < k$. We employ the thus-far unused implication of $U2$ to show that the above condition $(\dagger)$ now holds whenever $j \leq i \leq k$. In particular, the case $i = j$ will then give our desideratum $B\,U\,D \in s$.
The proof of $(\dagger)$ will this time go by backward induction on $i$. If $i = k$, then $D \in t$ for any $t \in \sigma_k$, by the hypothesis on $D$, and this immediately gives $B\,U\,D \in t$ by $U2$. Now assume that $(\dagger)$ holds with $j < i \leq k$. Then if $u \in \sigma_{i-1}$, $(\dagger)$ and the Fun-Lemma give $\bigcirc(B\,U\,D) \in u$, since $\bigcirc(B\,U\,D) \in \Gamma$

by definition of $\Gamma$, and $|u|R_\bigcirc\sigma_i$. But $B \in u$, by hypothesis on $B$, so the other disjunct of $U2$ applies to yield $B\,U\,D \in u$. Hence $(\dagger)$ holds for $i - 1$.
This finishes the proof of Theorem 9.13.

To finish the completeness proof for $\Theta$, recall that we began with a non-$\Theta$-theorem $A$, and a point $s_A \in S$ with $A \notin s_A$. Taking a $j$ such that $|s_A| = \sigma_j$, Theorem 9.13 gives $\mathcal{M} \not\models_j A$. Hence $\Theta$ is determined by the class of models on state sequences.

Finite Frame Property

Prima facie, our completeness proof for $\Theta$ does not yield the finite model property, since there are infinitely many sequences on any set with at least two elements, and we cannot effectively test a formula for truth at all points of a sequence. However we can rectify this by taking up the relational semantics in the form of the induction models introduced prior to the completeness proof. The idea is that instead of generating an infinite sequence, as above, we stop the $R_\bigcirc$-list at
$$\sigma_0, \ldots, \sigma_n, \ldots, \sigma_r = \sigma_n$$
as soon as the last $R^c_\Box$-cluster is unwound. Then regarding all points in the list, except $\sigma_r$ and $\sigma_n$, as distinct, we get an induction frame in which $A$ is invalid.
To formalise this, if $r$ is any positive integer put
$$[0, r) = \{j \in \omega : 0 \leq j < r\},$$
and then for $0 \leq n < r$ define
$$\mathcal{F}_{n,r} = ([0, r), f),$$
where
$$f(j) = \begin{cases} j + 1, & \text{if } j < r - 1;\\ n, & \text{if } j = r - 1.\end{cases}$$
Thus $f$ is simply the successor function on $[0, r)$, except that the "successor" of the last element $r - 1$ is $n$. We may visualise $\mathcal{F}_{n,r}$ as consisting of the initial segment $0, \ldots, n$, followed by the "simple loop" $n, n + 1, \ldots, r - 1, n$.
Now define a model $\mathcal{M}$ on $\mathcal{F}_{n,r}$ by putting
$$V(p) = \{j < r : \sigma_j \in V_\Gamma(p)\}.$$
Then by arguing as in the proof of Theorem 9.13, we can show that the statement of that theorem holds for this new model $\mathcal{M}$, provided $j < r$, where now $\mathcal{M} \models_j B$ means truth at the point $j$ in the induction model, rather than truth at the state $\sigma_j$ in a sequence model.
Hence $\Theta$ is determined by the class of finite induction frames $\mathcal{F}_{n,r}$.
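As an added worked example (not code from the book), the following Python evaluates the connectives of this section on an induction frame $\mathcal{F}_{n,r}$ built exactly as above: $\bigcirc$ via $f$, $\Box$ via the ancestral $R_f^*$, and $U$ via $R_f$-lists. It also checks, for $A = p$, $B = q$ and every valuation of $p, q$, that the schemata $Mix$, $Ind$, $Fun$, $U1$, $Dum$ and $L1$ are valid on such a lasso, which is the soundness claim of Exercise 9.5 made concrete on one finite frame. The tuple encoding of formulae and all function names are assumptions of this example.

```python
"""Evaluator for the henceforth / next / until semantics of section 9 on the finite
induction frames F_{n,r} = ([0, r), f).  Added example, not code from the book;
the tuple encoding of formulae and all function names are our own."""
from itertools import product

# Constructed encoding of formulae:
#   ('p', name)  ('bot',)  ('imp', A, B)  ('box', A)  ('next', A)  ('until', A, B)
def p(name):     return ('p', name)
BOT = ('bot',)
def imp(A, B):   return ('imp', A, B)
def box(A):      return ('box', A)
def nxt(A):      return ('next', A)
def until(A, B): return ('until', A, B)
def neg(A):      return imp(A, BOT)
def dia(A):      return neg(box(neg(A)))        # <>A is shorthand for ~[]~A
def conj(A, B):  return neg(imp(A, neg(B)))
def disj(A, B):  return imp(neg(A), B)
def iff(A, B):   return conj(imp(A, B), imp(B, A))

def lasso(n, r):
    """The frame F_{n,r}: f(j) = j + 1 for j < r - 1, and f(r - 1) = n."""
    assert 0 <= n < r
    return {j: (j + 1 if j < r - 1 else n) for j in range(r)}

def rf_list(f, s):
    """The R_f-list s = s_0, s_1, ... up to its first repetition.  Its members are
    exactly the t with s R_f^* t (the ancestral of R_f), in visiting order."""
    out, cur = [], s
    while cur not in out:
        out.append(cur)
        cur = f[cur]
    return out

def holds(f, V, s, A):
    """M |=_s A in the induction model M = (f, V); V maps atoms to sets of points."""
    tag = A[0]
    if tag == 'p':
        return s in V.get(A[1], set())
    if tag == 'bot':
        return False
    if tag == 'imp':
        return (not holds(f, V, s, A[1])) or holds(f, V, s, A[2])
    if tag == 'next':     # M |=_s oA  iff  M |=_{f(s)} A
        return holds(f, V, f[s], A[1])
    if tag == 'box':      # M |=_s []A iff  s R_f^* t implies M |=_t A
        return all(holds(f, V, t, A[1]) for t in rf_list(f, s))
    if tag == 'until':    # some R_f-list s_0..s_k with B at s_k and A at each s_i, i < k;
        for t in rf_list(f, s):   # f is a function, so there is one list to walk
            if holds(f, V, t, A[2]):
                return True
            if not holds(f, V, t, A[1]):
                return False
        return False
    raise ValueError(f"unknown connective {tag!r}")

def valid_on(f, A, atoms=('p', 'q')):
    """A is valid on the frame f: true at every point under every valuation of `atoms`."""
    points = list(f)
    for bits in product(range(2 ** len(points)), repeat=len(atoms)):
        V = {a: {j for j in points if (b >> j) & 1} for a, b in zip(atoms, bits)}
        if not all(holds(f, V, s, A) for s in points):
            return False
    return True

def schemata(A, B):
    """Instances (in A, B) of the axioms and derived schemata named in this section."""
    return {
        'Mix': imp(box(A), conj(A, nxt(box(A)))),
        'Ind': imp(box(imp(A, nxt(A))), imp(A, box(A))),
        'Fun': iff(nxt(neg(A)), neg(nxt(A))),
        'U1':  imp(until(A, B), dia(B)),
        'Dum': imp(box(imp(box(imp(A, box(A))), A)), imp(nxt(box(A)), A)),
        'L1':  disj(box(imp(box(A), B)), box(imp(box(B), A))),
    }

def check_schemata(n, r):
    """Which of the schemata (taking A = p, B = q) are valid on the lasso F_{n,r}."""
    f = lasso(n, r)
    return {name: valid_on(f, inst) for name, inst in schemata(p('p'), p('q')).items()}

if __name__ == '__main__':
    f = lasso(2, 5)                       # 0 -> 1 -> 2 -> 3 -> 4 -> 2 -> 3 -> ...
    V = {'p': {0, 1, 2, 3}, 'q': {4}}     # a constructed valuation
    print(holds(f, V, 0, until(p('p'), p('q'))))   # True: p holds until q is reached at 4
    print(holds(f, V, 0, box(p('p'))))             # False: 4 is reachable from 0 and lacks p
    print(check_schemata(2, 5))                    # every schema valid
```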

Exercises 9.14
(1) Compute an upper bound on $r$ for the induction frame $\mathcal{F}_{n,r}$ invalidating a prescribed non-$\Theta$-theorem.
(2) Modify the state-sequence semantics to read
$$\begin{aligned}
\mathcal{M} \models_j \Box A &\text{ iff for all } k > j,\ \mathcal{M} \models_k A\\
\mathcal{M} \models_j A\,U\,B &\text{ iff for some } k > j,\ \mathcal{M} \models_k B \text{ and}\\
&\quad \mathcal{M} \models_i A \text{ whenever } j < i < k.
\end{aligned}$$
Modify the given $\Theta$-axioms to axiomatise the resulting set of valid formulae. (Do not introduce any essentially different axioms: deduce as a theorem the appropriate analogue of $Dum$.) Prove that this new logic is decidable.

Branching Time
The theory discussed so far has been concerned with logical properties of
a single execution sequence SQ, «i, generated by processes acting in
parallel. As mentioned at the outset, each state will have several possible
successor states, and so there will be many different sequences that have
a given starting state SQ. Thus any particular sequence will be but one
"branch" of the "tree" of all possible future states. If we consider this tree
as a whole, there a number of interesting new modal connectives that can
be used to formalise reasoning about future behaviour:

[VFJ.A: along any future branch there is a state at which A is true,


i.e. A is inevitable.
along some branch there is a state at which A is true,
i.e. A is potentially true.
[VG]A: along all branches, A holds at all states,
i.e. A is true at all possible future states.
[3G]A: along some branch, A holds at all states.
[VX]vl: along every branch, A holds at the next state,
i.e. A holds at all possible successor states.
[ 3X }A: A holds at some successor state.
\f(AUB): along every branch, it will be A until B.
3(AUB): along some branch, it will be A until B.

100 Some Temporal and Computational Logics

A logical system embodying these notions, known as Computational Tree Logic (CTL), was introduced by Clarke and Emerson [1981, 1982]. A similar system without the until operator was considered by Ben-Ari, Pnueli, and Manna [1983]. Emerson and Halpern [1985] established decidability and completeness for CTL, using a method of elimination of states from "pseudo-Hintikka structures". We will now see how to adapt their approach to the context of filtrations of canonical models.

Syntax and Semantics

The syntax for CTL is given by
$A ::= p \mid \bot \mid A_1 \to A_2 \mid [\forall X]A \mid \forall(A_1\mathcal{U}A_2) \mid \exists(A_1\mathcal{U}A_2)$
The other connectives mentioned above are given by the following abbreviations.
$[\forall F]A$ is $\forall(\top\mathcal{U}A)$
$[\exists F]A$ is $\exists(\top\mathcal{U}A)$
$[\forall G]A$ is $\neg[\exists F]\neg A$
$[\exists G]A$ is $\neg[\forall F]\neg A$
$[\exists X]A$ is $\neg[\forall X]\neg A$
To define CTL-models, consider a frame $\mathcal{F} = (S, R)$ in which $R$ is serial, i.e. $\forall s\,\exists t\,(sRt)$. Here $sRt$ will be interpreted to mean that $t$ is a possible immediate successor to $s$. An $R$-branch starting at $s$ in $\mathcal{F}$ is an infinite sequence $s_0, \ldots, s_n, \ldots$ with $s = s_0$ and $s_nRs_{n+1}$ for all $n$. An $R$-path is a finite version of a branch, i.e. a sequence $s_0, \ldots, s_k$ with $s_nRs_{n+1}$ for all $n < k$. By seriality, any path extends to a branch.
Given the usual notion of a model $\mathcal{M} = (S, R, V)$ on such a frame, satisfaction of CTL-formulae is given by
$\mathcal{M} \models_s [\forall X]A$ iff for all $t \in S$, $sRt$ implies $\mathcal{M} \models_t A$.
$\mathcal{M} \models_s \forall(A\mathcal{U}B)$ iff for all $R$-branches $s = s_0Rs_1R\cdots$ there exists $k$ with $\mathcal{M} \models_{s_k} B$ and $\mathcal{M} \models_{s_i} A$ whenever $0 \le i < k$.
$\mathcal{M} \models_s \exists(A\mathcal{U}B)$ iff for some $R$-branch $s = s_0Rs_1R\cdots$ there exists $k$ with $\mathcal{M} \models_{s_k} B$ and $\mathcal{M} \models_{s_i} A$ whenever $0 \le i < k$.
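On a finite serial frame these clauses can be computed directly: the two until-sets are the least fixpoints of the $\exists$U and $\forall$U equivalences, obtained by iterating from the $B$-states. The following is an added example in Python, not code from the book; `Model`, `sat` and the connective constructors are this example's own names, and the three-state model is constructed here.

```python
"""Added example: evaluating the CTL satisfaction clauses on a finite serial frame.
Formulas are nested tuples; a model is (states, R, V) with R serial."""

# Primitive connectives of the CTL syntax
def P(name):   return ('p', name)
BOT = ('bot',)
def IMP(a, b): return ('imp', a, b)
def AX(a):     return ('AX', a)          # [∀X]A
def AU(a, b):  return ('AU', a, b)       # ∀(A U B)
def EU(a, b):  return ('EU', a, b)       # ∃(A U B)

# Derived connectives, following the abbreviations given for CTL
TOP = IMP(BOT, BOT)
def NOT(a):    return IMP(a, BOT)
def EX(a):     return NOT(AX(NOT(a)))    # [∃X]A
def AF(a):     return AU(TOP, a)         # [∀F]A
def EF(a):     return EU(TOP, a)         # [∃F]A
def AG(a):     return NOT(EF(NOT(a)))    # [∀G]A
def EG(a):     return NOT(AF(NOT(a)))    # [∃G]A

class Model:
    def __init__(self, states, R, V):
        self.S = frozenset(states)
        self.R = {s: frozenset(R.get(s, ())) for s in states}
        self.V = {p: frozenset(ts) for p, ts in V.items()}
        assert all(self.R[s] for s in self.S), "frame must be serial"

    def ax(self, X):
        """States all of whose successors lie in X."""
        return frozenset(s for s in self.S if self.R[s] <= X)

    def ex(self, X):
        """States with at least one successor in X."""
        return frozenset(s for s in self.S if self.R[s] & X)

    def sat(self, f):
        """The set of states s with M ⊨_s f."""
        kind = f[0]
        if kind == 'p':   return self.V.get(f[1], frozenset())
        if kind == 'bot': return frozenset()
        if kind == 'imp':
            a, b = self.sat(f[1]), self.sat(f[2])
            return (self.S - a) | b
        if kind == 'AX':  return self.ax(self.sat(f[1]))
        if kind in ('AU', 'EU'):
            # least fixpoint of Z = B ∨ (A ∧ [∀X]Z), resp. Z = B ∨ (A ∧ [∃X]Z);
            # on a finite frame the increasing iteration from B stabilises
            A, B = self.sat(f[1]), self.sat(f[2])
            step = self.ax if kind == 'AU' else self.ex
            Z = B
            while True:
                nxt = B | (A & step(Z))
                if nxt == Z:
                    return Z
                Z = nxt
        raise ValueError(kind)

def until_axioms_hold(m, A, B):
    """Check the ∃U and ∀U schemata (the fixpoint equations) at every state."""
    eu, au = m.sat(EU(A, B)), m.sat(AU(A, B))
    b, a = m.sat(B), m.sat(A)
    return eu == b | (a & m.ex(eu)) and au == b | (a & m.ax(au))

# Constructed sample: 0 -> {1,2}, 1 -> {1}, 2 -> {0}; p at 0,1 and q at 2
SAMPLE = Model([0, 1, 2], {0: {1, 2}, 1: {1}, 2: {0}}, {'p': {0, 1}, 'q': {2}})
```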
§9 Temporal Logic of Concurrency 101

Axioms
Let CTL be the smallest logic in the language just described that contains the schemata
KX: $[\forall X](A \to B) \to ([\forall X]A \to [\forall X]B)$,
DX: $[\exists X]\top$,
$\exists$U: $\exists(A\mathcal{U}B) \leftrightarrow B \lor (A \land [\exists X]\exists(A\mathcal{U}B))$,
$\forall$U: $\forall(A\mathcal{U}B) \leftrightarrow B \lor (A \land [\forall X]\forall(A\mathcal{U}B))$,

and is closed under Necessitation for $[\forall X]$, i.e.,
$\vdash A$ implies $\vdash [\forall X]A$,
and under the following two rules:
$\exists$-Ind: $\vdash B \lor (A \land [\exists X]C) \to C$ implies $\vdash \exists(A\mathcal{U}B) \to C$,
$\forall$-Ind: $\vdash B \lor (A \land [\forall X]C) \to C$ implies $\vdash \forall(A\mathcal{U}B) \to C$.
Exercise 9.15
Show that CTL is sound with respect to the above semantics.

Completeness of CTL
We use the structure $(S^c, R_X)$, where $S^c$ is the set of CTL-maximal sets of formulae, and
$sR_Xt$ iff $\{B : [\forall X]B \in s\} \subseteq t$.
If $A_0$ is a given non-theorem of CTL, there is some point $s_{A_0} \in S^c$ with $A_0 \notin s_{A_0}$. Let $\Gamma$ be a finite set of formulae that has the following closure properties:
$A_0 \in \Gamma$;
$\Gamma$ is closed under subformulae;
$\exists(A\mathcal{U}B) \in \Gamma$ implies $[\exists X]\exists(A\mathcal{U}B) \in \Gamma$;
$\forall(A\mathcal{U}B) \in \Gamma$ implies $[\forall X]\forall(A\mathcal{U}B) \in \Gamma$;

and consider the structure $(S_\Gamma, R)$, where $S_\Gamma$ is defined as before (page 92), and $R$ is the least $\Gamma$-filtration of $R_X$.
For $s \in S^c$, put $\Gamma_s = s \cap \Gamma$. For $x \in S_\Gamma$, put $\Gamma_x = \Gamma_s$ where $s$ is some element of $x$.

Exercises 9.16
(1) Show that a finite $\Gamma$ exists as described.
(2) $\Gamma_x$ is well-defined (i.e. does not depend on the choice of $s \in x$).
(3) The relation $R$ is serial on $S_\Gamma$.

Lemma 9.17. Let $\exists(A\mathcal{U}B) \in \Gamma$. Then for any $x \in S_\Gamma$, $\exists(A\mathcal{U}B) \in \Gamma_x$ if, and only if, there exists in $S_\Gamma$ an $R$-path $x = x_0, \ldots, x_k$ (i.e. $x_iRx_{i+1}$ for all $i < k$) such that $A \in \Gamma_{x_i}$ for all $i < k$, and $B \in \Gamma_{x_k}$.

Proof.
Suppose first that there is an $R$-path of the type described. Then we show that $\exists(A\mathcal{U}B) \in \Gamma_{x_i}$ for $0 \le i \le k$, by reverse induction on $i$, giving the desired conclusion when $i = 0$. We use the CTL-theorem (derived from axiom $\exists$U)
$B \lor (A \land [\exists X]\exists(A\mathcal{U}B)) \to \exists(A\mathcal{U}B)$.
For the base case $i = k$, we have $B \in \Gamma_{x_k}$ by assumption, so this CTL-theorem gives $\exists(A\mathcal{U}B) \in \Gamma_{x_k}$ by tautological consequence.
Now make the inductive hypothesis that $\exists(A\mathcal{U}B) \in \Gamma_{x_{i+1}}$. Choose $s \in x_i$ and $t \in x_{i+1}$ with $sR_Xt$ (since $R$ is the least filtration of $R_X$). But $\exists(A\mathcal{U}B) \in t$, so $[\exists X]\exists(A\mathcal{U}B) \in s$ by the second filtration condition (F2). Hence our CTL-theorem gives $\exists(A\mathcal{U}B) \in s$, and so $\exists(A\mathcal{U}B) \in \Gamma_{x_i}$ as desired.
For the converse direction, let $X$ be the set of all points $x \in S_\Gamma$ for which there exists an $R$-path starting from $x$ of the type described in the statement of the Lemma. We will show that whenever $\exists(A\mathcal{U}B) \in \Gamma_x$ then $x \in X$.
Now by the Definability Lemma 9.7, there is a formula $C$ that is characteristic for $X$, i.e.
$C \in s$ iff $|s| \in X$.
Let $E$ be the formula

$B \lor (A \land [\exists X]C) \to C$.

We show that $E$ is a CTL-theorem, by showing that $E \in s$ for any $s \in S^c$.
First, if $B \lor (A \land [\exists X]C) \notin s$, then it follows directly from the properties of $s$ as a maximal set that $E \in s$ (Exercises 2.3). Thus we are reduced to the case that $B \lor (A \land [\exists X]C) \in s$, and so either

$B \in s$, (i)
or else
$A \land [\exists X]C \in s$. (ii)
Now if (i) holds, then putting $k = 0$ and $x = x_0 = |s|$ gives $B \in \Gamma_{x_k}$ and provides an $R$-path that makes $|s| \in X$. Thus $C \in s$, whence $E \in s$ by maximality of $s$ (Ex. 2.3).
If, on the other hand, (ii) holds, then $[\exists X]C \in s$, so there exists $t \in S^c$ such that $sR_Xt$ and $C \in t$. Then $|s|R|t|$ (by the first filtration condition (F1)) and $|t| \in X$, so there is an $R$-path of the desired type starting from $|t|$. But since $A \in \Gamma_{|s|}$ from (ii), appending $|s|$ to the beginning of this path gives a new $R$-path that ensures that $|s| \in X$, and so again $E \in s$.

This finishes the proof that $E$ is a CTL-theorem. It then follows by the rule $\exists$-Ind that $\exists(A\mathcal{U}B) \to C$ is a CTL-theorem, and so belongs to every CTL-maximal set. Thus for any $s \in S^c$, if $\exists(A\mathcal{U}B) \in \Gamma_{|s|}$ then $\exists(A\mathcal{U}B) \in s$, so $C \in s$, giving $|s| \in X$ as desired to complete the proof of Lemma 9.17.

Exercise 9.18
Let $\forall(A\mathcal{U}B) \in \Gamma$. Show that if $\forall(A\mathcal{U}B) \notin \Gamma_x$, then there exists an $R$-branch $x = x_0, \ldots, x_k, \ldots$ such that for no $k$ do we have $B \in \Gamma_{x_k}$ simultaneously with $A \in \Gamma_{x_i}$ for all $i < k$.

If the converse of Exercise 9.18 were true, then in combination with Lemma 9.17 we would obtain a Filtration Lemma for the model $(S_\Gamma, R, V_\Gamma)$ similar to Theorem 9.13, and completeness for CTL would follow. However it could be that while $\forall(A\mathcal{U}B) \in \Gamma_x$, a branch of the type described in 9.18 nonetheless exists to prevent $\forall(A\mathcal{U}B)$ being "true" at $x$. We are going to have to "unravel" $R$ to get around this, and the structure we use for this unravelling is a special type of tree.

$\Gamma$-Trees
Let $(T, \rho)$ be a frame with $\rho$ irreflexive. The members of $T$ will be called nodes. If $n\rho m$, then $m$ is a successor of $n$, while $n$ is a predecessor of $m$. The frame will be called a tree if each of its nodes has at most one predecessor.
A tree is rooted if it has a unique element $r$, the root, that generates it, i.e. has $T = \{m : r\rho^*m\}$. Note that for each node $m$, there will be a unique $\rho$-path from the root $r$ to $m$.
A leaf in a tree is a node that has no successors. Non-leaf nodes are said to be interior.
For finite trees, the word "branch" will be used in a modified way to mean a path (i.e. a $\rho$-path) whose last node is a leaf.
We will work with trees whose nodes are labelled by members of $S_\Gamma$, i.e. there is a function assigning to each $n \in T$ a label $\bar{n} \in S_\Gamma$. Then a formula $B$ is said to be realised at $n$ if $B \in \Gamma_{\bar{n}}$, while $B$ fails at $n$ if $B \notin \Gamma_{\bar{n}}$.
A $\Gamma$-tree is a finite rooted tree whose nodes are labelled by members of $S_\Gamma$ in such a way that
($\Gamma$1) if $m$ is a successor node to $n$, then $\bar{n}R\bar{m}$;
($\Gamma$2) if $[\forall X]A \in \Gamma$, and $[\forall X]A$ fails at an interior node $n$, then $A$ fails at some successor node of $n$.
A $\Gamma$-tree is rooted at $x \in S_\Gamma$ if $x$ is the label of its root node.

Exercise 9.19
If $[\exists X]A$ belongs to $\Gamma$ and is realised at an interior node of a $\Gamma$-tree, then $A$ is realised at a successor of that node.
Lemma 9.20. Let $\forall(A\mathcal{U}B) \in \Gamma$. Then if $\forall(A\mathcal{U}B) \in \Gamma_x$, there is a $\Gamma$-tree $T$ rooted at $x$ such that $A$ is realised at every interior node of $T$, and $B$ is realised at every leaf.
Proof.
Let $X$ be the set of points $x \in S_\Gamma$ for which there exists a tree rooted at $x$ with the properties described in the statement of the Lemma. Let $C$ be a formula that is characteristic for $X$, i.e.
$C \in s$ iff $|s| \in X$.
Then it is enough to show that
$\forall(A\mathcal{U}B) \to C$
is a CTL theorem. Hence by rule $\forall$-Ind, it is enough to show that the formula
$B \lor (A \land [\forall X]C) \to C$ (E)
belongs to every $s \in S^c$.
The reasoning is like that for the proof of Lemma 9.17. First, if the formula $B \lor (A \land [\forall X]C)$ is not in $s$, then $E \in s$ follows directly. Thus we are reduced to the case that either
$B \in s$, (i)
or else
$A \land [\forall X]C \in s$. (ii)
Now if (i) holds, then putting $T = \{r\}$, with $\bar{r} = |s|$ and $\rho$ empty, gives a one-node $\Gamma$-tree demonstrating that $|s| \in X$, so $C \in s$, and hence $E \in s$.
Suppose, on the other hand, that (ii) holds. Let $[\forall X]D_1, \ldots, [\forall X]D_k$ be all formulae in $\Gamma$ of the form $[\forall X]D$ that do not belong to $s$. For each $i$ with $1 \le i \le k$ there is some $t_i \in S^c$ such that $sR_Xt_i$ and $D_i \notin t_i$. Then $|s|R|t_i|$ and $D_i \notin \Gamma_{|t_i|}$. Construct a $\Gamma$-tree consisting of a root $r$ labelled by $|s|$, with $k$ successors $m_1, \ldots, m_k$ having $m_i$ labelled by $|t_i|$. The only interior node is $r$, and this has $A \in \Gamma_{|s|}$, i.e. $A$ is realised at $r$, since $A \in s$ by (ii).
Now extend this tree as follows. For each $i$, since (ii) gives $[\forall X]C \in s$, we have $C \in t_i$, and so $|t_i| \in X$. Hence there is a $\Gamma$-tree $T_i$ rooted at $|t_i|$ that has $A$ realised at all its interior nodes and $B$ realised at all its leaves. Replace $m_i$ by the tree $T_i$, i.e. identify $m_i$ with the root of $T_i$.
The effect of this construction is to create a $\Gamma$-tree rooted at $|s|$ that makes $|s| \in X$, leading to $E \in s$ as desired, and completing the proof.

Fulfilment
Let $T$ be a $\Gamma$-tree.
• A path in $T$ realises $A\mathcal{U}B$ if there is a node on the path at which $B$ is realised, while all earlier nodes on the path realise $A$.
• The formula $\exists(A\mathcal{U}B)$ is fulfilled at node $n$ in $T$ if either it fails at $n$, i.e. $\exists(A\mathcal{U}B) \notin \Gamma_{\bar{n}}$, or else there exists a path in $T$ that starts from $n$ and realises $A\mathcal{U}B$.
• The formula $\forall(A\mathcal{U}B)$ is fulfilled at node $n$ in $T$ if either it fails at $n$, or else every branch in $T$ that starts from $n$ realises $A\mathcal{U}B$.

Formulae of the form $\exists(A\mathcal{U}B)$ and $\forall(A\mathcal{U}B)$ will be called eventuality formulae.
Fulfilment Lemma 9.21. Let $T$ be a $\Gamma$-tree, and $C$ an eventuality formula in $\Gamma$ that is not fulfilled at node $n$ in $T$.
(1) If $C = \exists(A\mathcal{U}B)$, then there is a branch in $T$ starting from $n$ with $A$ and $\exists(A\mathcal{U}B)$ realised at all nodes of the branch.
(2) If $C = \forall(A\mathcal{U}B)$, then for every branch in $T$ starting from $n$, either the branch realises $A\mathcal{U}B$, or else $A$ and $\forall(A\mathcal{U}B)$ are realised at all nodes of the branch.
Proof.
(1). Since $\exists(A\mathcal{U}B)$ is not fulfilled at $n$, $\exists(A\mathcal{U}B) \in \Gamma_{\bar{n}}$. Moreover, if $B$ were realised at $n$, then $\exists(A\mathcal{U}B)$ would be fulfilled there, contrary to hypothesis. Hence $B \notin \Gamma_{\bar{n}}$. But the formula

$\exists(A\mathcal{U}B) \to (B \lor (A \land [\exists X]\exists(A\mathcal{U}B)))$

is CTL-derivable from axiom $\exists$U, and $[\exists X]\exists(A\mathcal{U}B) \in \Gamma$, so it follows that both $A$ and $[\exists X]\exists(A\mathcal{U}B)$ are realised at $n$.
Now if $n$ is an interior node, then by Exercise 9.19 it has a successor node $m$ that realises $\exists(A\mathcal{U}B)$. Since $\exists(A\mathcal{U}B)$ is not fulfilled at $n$ while $A$ is realised at $n$, $B$ cannot be realised at $m$, so the above argument applies to give that both $A$ and $[\exists X]\exists(A\mathcal{U}B)$ are realised at $m$. If $m$ in turn is interior, the construction repeats, generating a path of the desired kind, and stopping only when a leaf is reached.

Exercise 9.22
Prove part (2) of Fulfilment Lemma 9.21.
Theorem 9.23. For any $x \in S_\Gamma$ there exists a $\Gamma$-tree $T_x$ with root $r$ labelled by $x$, such that
(1) if $[\forall X]A \in \Gamma$ and $[\forall X]A$ fails at $r$, then $A$ fails at some successor of $r$;
(2) every eventuality formula in $\Gamma$ is fulfilled at $r$.
Proof.
First Stage: Construct a $\Gamma$-tree by taking a root node $r$, labelled by $x$, and for each formula $[\forall X]A$ in $\Gamma$ that fails at $r$, take some $y \in S_\Gamma$ with $xRy$ and $A \notin \Gamma_y$, and add a successor node to $r$ labelled by $y$. This ensures already that (1) holds.
Next make a series of extensions to the tree to establish (2), at each stage adding new nodes or sub-trees below the leaves of the tree thus far created (the reader should be visualising trees as growing downwards). It follows that at all stages $r$ continues to be the root of the tree being constructed.
To see how this works, let $T$ be the tree that has been created at some stage, and suppose $C$ is an eventuality formula in $\Gamma$ that is not fulfilled at $r$ in $T$.
Case of $\exists$U: If $C = \exists(A\mathcal{U}B)$, then by (1) of Fulfilment Lemma 9.21 there is a branch in $T$ from $r$ to a leaf $m$ having $\exists(A\mathcal{U}B)$ and $A$ realised at every node. By Lemma 9.17 there is an $R$-path $\bar{m} = x_0, \ldots, x_k$ in $S_\Gamma$ with $B \in \Gamma_{x_k}$, and $A \in \Gamma_{x_i}$ for $0 \le i < k$. Extend $T$ by adjoining a path $m_0, \ldots, m_k$ of nodes with $m = m_0$, and put $\bar{m}_i = x_i$ for $0 \le i \le k$. Then for each $i < k$, repeat the First Stage construction to adjoin enough successor nodes to $m_i$ to ensure that whenever a $[\forall X]D$-type formula from $\Gamma$ fails at $m_i$, then $D$ fails at a successor of $m_i$. When this is done, we have a new $\Gamma$-tree with $\exists(A\mathcal{U}B)$ fulfilled at the root $r$.
Case of $\forall$U: If $C = \forall(A\mathcal{U}B)$, proceed as follows. Let $m$ be any leaf of $T$ and consider the branch from $r$ to $m$ in $T$. If this branch realises $A\mathcal{U}B$, leave $m$ alone. Otherwise, by (2) of 9.21, $A$ and $\forall(A\mathcal{U}B)$ are realised at every node of the branch. Hence $\forall(A\mathcal{U}B) \in \Gamma_{\bar{m}}$, so by Lemma 9.20 there is a $\Gamma$-tree $T_m$ rooted at $\bar{m}$ with $A$ realised at every interior node of $T_m$, and $B$ realised at every leaf. Adjoin this tree, by identifying $m$ with the root of $T_m$. The result is a structure in which every branch passing through $m$ realises $A\mathcal{U}B$.
By applying this procedure to each leaf $m$ of $T$, we end up with a $\Gamma$-tree fulfilling $\forall(A\mathcal{U}B)$ at $r$.
Notice that once a form ula $\exists(A\mathcal{U}B)$ becomes fulfilled at $r$, it remains so if any new nodes are added. But the same is true for a formula $\forall(A\mathcal{U}B)$, because of the crucial fact that in each extension the new nodes are always added below an old leaf. Thus any branch from $r$ in the new tree must be an extension of a branch from $r$ in the old tree, so that if all the old branches realise $A\mathcal{U}B$, then all the new ones will as well.
The upshot of all this is that by making finitely many repetitions of these constructions, a tree will be produced in which all eventuality formulae from $\Gamma$ are fulfilled at $r$.

Final Model
We are now at the final stage of our construction of a finite CTL-model. This is done by joining together copies of the trees described in Theorem 9.23 (the result need not itself be a tree: it may contain cycles).
Begin with the tree $T_x$ of any $x \in S_\Gamma$, as provided by 9.23. Replace each leaf $m$ of $T_x$ by the tree $T_{\bar{m}}$ (i.e. identify $m$ with the root of $T_{\bar{m}}$). Repeat this process for the leaves of the newly adjoined trees, except in the case of a leaf $n$ for which $T_{\bar{n}}$ has already been adjoined. In this case, delete $n$ and draw an edge from the predecessor of $n$ to the root of $T_{\bar{n}}$, i.e. make the root of $T_{\bar{n}}$ a successor of the predecessor of $n$ (this is the part of the construction that may introduce cycles).
Since each tree $T_x$ is finite, and there are finitely many labels $x \in S_\Gamma$, this process terminates in the construction of a finite frame $(T, \rho)$ whose points are all labelled by members of $S_\Gamma$, and whose relation is given by the successor relation on the trees $T_x$. Now make this frame into a model $\mathcal{N}$ by putting
$\mathcal{N} \models_n p$ iff $p \in \Gamma_{\bar{n}}$.
Exercise 9.24
Use the fact that $[\exists X]\top \in \Gamma$ to prove that $\rho$ is serial.
Theorem 9.25. If $A \in \Gamma$, then for any node $n \in T$,

$\mathcal{N} \models_n A$ iff $A \in \Gamma_{\bar{n}}$.

Proof. We consider only the major inductive cases.
$[\forall X]$-Case: Suppose the result holds for $A$, and $[\forall X]A \in \Gamma$. If $\mathcal{N} \not\models_n [\forall X]A$, then $\mathcal{N} \not\models_m A$ for some successor $m$ of $n$. Then by the definition of $\Gamma$-trees, $\bar{n}R\bar{m}$, while $A \notin \Gamma_{\bar{m}}$ by the induction hypothesis, so as $R$ is a $\Gamma$-filtration of $R_X$, $[\forall X]A \notin \Gamma_{\bar{n}}$.
Conversely, if $[\forall X]A \notin \Gamma_{\bar{n}}$, the definition of $\Gamma$-trees (when $n$ is interior) and 9.23(1) (when $n$ is a root) ensure that $A$ fails at some successor of $n$, making $[\forall X]A$ false in $\mathcal{N}$ at $n$ by the induction hypothesis.
$\exists$U-Case: Suppose the result holds for $A$ and $B$, and $\exists(A\mathcal{U}B) \in \Gamma$. If $\mathcal{N} \models_n \exists(A\mathcal{U}B)$, then there is a $\rho$-path $n = n_0, \ldots, n_k$ such that, by the induction hypothesis, $B$ is realised at $n_k$, and $A$ realised at $n_i$ for all $i < k$. But then $\bar{n}_0, \ldots, \bar{n}_k$ is an $R$-path in $S_\Gamma$, so Lemma 9.17 gives $\exists(A\mathcal{U}B) \in \Gamma_{\bar{n}}$.
Conversely, let $\exists(A\mathcal{U}B) \in \Gamma_{\bar{n}}$. Suppose $n \in T_x$. Now either $A\mathcal{U}B$ is realised in $T_x$ by a path starting at $n$, or else by 9.21(1) there is a branch from $n$ to a leaf $m$ of $T_x$ with $A$ and $\exists(A\mathcal{U}B)$ realised at all nodes, including $m$. But in that case, since $\exists(A\mathcal{U}B)$ is fulfilled at the root of $T_{\bar{m}}$ (9.23(2)) there must be a path from the root in $T_{\bar{m}}$ that realises $A\mathcal{U}B$.
In either case, we get a path in $T$, starting from $n$, that realises $A\mathcal{U}B$. Hence by the induction hypothesis, this path makes $\mathcal{N} \models_n \exists(A\mathcal{U}B)$.
$\forall$U-Case: Suppose that $\forall(A\mathcal{U}B) \in \Gamma_{\bar{n}}$, where $n$ is a node in some $T_x$. Consider any $\rho$-branch from $n$ in $T$. Then there must be a leaf $m$ of $T_x$ such that this branch passes through the root of $T_{\bar{m}}$. Now either $A\mathcal{U}B$ is realised by the path from $n$ to $m$ in $T_x$, or else by 9.21(2) $A$ and $\forall(A\mathcal{U}B)$ are realised by all nodes of this path. But the $\rho$-branch must pass through $T_{\bar{m}}$, and so by 9.23(2), $A\mathcal{U}B$ will be realised along the part of the $\rho$-branch that lies in $T_{\bar{m}}$, and hence be realised along the $\rho$-branch itself. With the induction hypothesis, this shows that $\mathcal{N} \models_n \forall(A\mathcal{U}B)$.
For the converse, suppose that $\forall(A\mathcal{U}B) \notin \Gamma_{\bar{n}}$. To prove that $\mathcal{N} \not\models_n \forall(A\mathcal{U}B)$, we use the one part of the axiomatisation of CTL that has yet to play a role: the implication

$(B \lor (A \land [\forall X]\forall(A\mathcal{U}B))) \to \forall(A\mathcal{U}B)$ (†)

that is part of axiom $\forall$U. Since $\forall(A\mathcal{U}B) \notin \Gamma_{\bar{n}}$, this immediately yields $B \notin \Gamma_{\bar{n}}$ and hence $\mathcal{N} \not\models_n B$ by induction hypothesis.
Now if $A \notin \Gamma_{\bar{n}}$, then $\mathcal{N} \not\models_n A$, so as $\mathcal{N} \not\models_n B$ we have $\mathcal{N} \not\models_n \forall(A\mathcal{U}B)$ immediately. If, on the other hand, $A \in \Gamma_{\bar{n}}$, (†) yields $[\forall X]\forall(A\mathcal{U}B) \notin \Gamma_{\bar{n}}$. But $[\forall X]\forall(A\mathcal{U}B) \in \Gamma$, so by the definition of $\Gamma$-trees (when $n$ is interior) and 9.23(1) (when $n$ is a root), there must be a $\rho$-successor $n_1$ of $n$ with $\forall(A\mathcal{U}B) \notin \Gamma_{\bar{n}_1}$.
The argument now repeats itself: if $A \notin \Gamma_{\bar{n}_1}$, then $\mathcal{N} \not\models_{n_1} A$, so $\mathcal{N} \not\models_{n_1} \forall(A\mathcal{U}B)$ as $B \notin \Gamma_{\bar{n}_1}$ and hence $\mathcal{N} \not\models_{n_1} B$. If $A \in \Gamma_{\bar{n}_1}$, then there is a successor $n_2$ of $n_1$ with $\forall(A\mathcal{U}B) \notin \Gamma_{\bar{n}_2}$, and so on. The argument either generates a $\rho$-path $n = n_0, \ldots, n_k$ with $\mathcal{N} \not\models_{n_k} A$ and $\mathcal{N} \not\models_{n_i} B$ for all $i \le k$, or else it generates a $\rho$-branch $n = n_0, \ldots, n_k, \ldots$ with $\mathcal{N} \not\models_{n_i} B$ for all $i$. In either case, it follows that $\mathcal{N} \not\models_n \forall(A\mathcal{U}B)$.
This completes our discussion of the proof of Theorem 9.25.

Exercise 9.26
Finish the argument showing that CTL has the finite model property and
is decidable.
10 Propositional Dynamic Logic

Dynamic logic (Pratt [1976]) is based on the idea of associating with each command $\alpha$ of a programming language a modal connective $[\alpha]$, with the formula $[\alpha]A$ being read "after $\alpha$ terminates, $A$", i.e. "after every terminating execution of $\alpha$, $A$ is true" (allowing that a non-deterministic $\alpha$ may be executed in more than one way). The dual formula $\langle\alpha\rangle A$ then means "there is an execution of $\alpha$ that terminates with $A$ true" (recall the discussion of motivations in §1).
In this way we obtain a multi-modal language, with a set of modal connectives indexed by the set of programs. An interesting theory emerges about the ways in which properties of complex programs can be expressed by the modal connectives of their constituent programs. The programs themselves are generated from some set $\Pi$ of "atomic" programs, whose nature is not examined further, so that we can concentrate on the behaviour of operations that generate new commands from given ones. Thus $\Pi$ plays the same role for programs that $\Phi$ plays for formulae of propositional logic. What happens when we replace $\Pi$ by actual commands will be the subject of Part Three.

Syntax
Atomic formulae: $p \in \Phi$
Atomic programs: $\pi \in \Pi$
Formulae: $A \in Fma(\Phi, \Pi)$
Programs: $\alpha \in Prog(\Phi, \Pi)$

$A ::= p \mid \bot \mid A_1 \to A_2 \mid [\alpha]A$
$\alpha ::= \pi \mid \alpha_1;\alpha_2 \mid \alpha_1 \cup \alpha_2 \mid \alpha^* \mid A?$

Intended meanings are:

$[\alpha]A$: after $\alpha$, $A$,
$\alpha_1;\alpha_2$: do $\alpha_1$ and then $\alpha_2$ (composition),
$\alpha_1 \cup \alpha_2$: do either $\alpha_1$ or $\alpha_2$ non-deterministically (alternation),
$\alpha^*$: repeat $\alpha$ some finite number ($\ge 0$) of times (iteration),
$A?$: test $A$: continue if $A$ is true, otherwise "fail".


Further constructs are introduced by definitional abbreviation:

$\langle\alpha\rangle A$ is $\neg[\alpha]\neg A$,
if $A$ then $\alpha$ else $\beta$ is $(A?;\alpha) \cup (\neg A?;\beta)$,
while $A$ do $\alpha$ is $(A?;\alpha)^*;\neg A?$,
repeat $\alpha$ until $A$ is $\alpha;(\neg A?;\alpha)^*$,
skip is $\top?$,
abort is $\bot?$,
$\alpha^0$ is skip,
$\alpha^{n+1}$ is $(\alpha;\alpha^n)$.

Standard Models
According to §5, a model for the language just described should be a structure of the form

$\mathcal{M} = (S, \{R_\alpha : \alpha \in Prog(\Phi, \Pi)\}, V)$,

with $R_\alpha$ a binary relation on $S$ for each program $\alpha$, and

$\mathcal{M} \models_s [\alpha]A$ iff $sR_\alpha t$ implies $\mathcal{M} \models_t A$.

We want the binary relations $R_\alpha$ to reflect the intended meanings of programs $\alpha$. Thus a model $\mathcal{M}$ will be defined to be standard if it satisfies the following conditions:

$R_{\alpha;\beta} = R_\alpha \circ R_\beta = \{(s,t) : sR_\alpha u \text{ and } uR_\beta t \text{ for some } u\}$;
$R_{\alpha\cup\beta} = R_\alpha \cup R_\beta$;
$R_{\alpha^*} = R_\alpha^* =$ ancestral of $R_\alpha$;
$R_{A?} = \{(s,s) : \mathcal{M} \models_s A\}$.

There are no constraints on the $R_\pi$'s. This means that given a structure which assigns a binary relation to each atomic program, a uniquely determined standard model is obtained by using the above standard model conditions to inductively define $R_\alpha$ for non-atomic programs $\alpha$.

Exercises 10.1
(1) In a standard model $\mathcal{M}$, show:
(i) $R_{skip} = \{(s,s) : s \in S\}$;
(ii) $R_{abort} = \emptyset$;
(iii) $A?$ has the same meaning as if $A$ then skip else abort;
(iv) $R_{\alpha^n} = (R_\alpha)^n$;
(v) $\mathcal{M} \models [\alpha^n]A \leftrightarrow [\alpha]^nA$ (recall the definition of $\Box^n$ from Exercise 3.9(6));
(vi) $\mathcal{M} \models_s [\alpha^*]A$ iff for all $n \ge 0$, $\mathcal{M} \models_s [\alpha^n]A$.
(2) In a standard model, determine the nature of $R_\alpha$ when $\alpha$ is a while-command (while $A$ do $\alpha_1$), or a conditional command (if $A$ then $\alpha_1$ else $\alpha_2$).
(3) Formulate precisely the observation that in a standard model, any execution of a program consists of a finite sequence of "atomic executions".

Axioms
Let PDL be the smallest normal logic in $Fma(\Phi, \Pi)$ that contains the schemata
Comp: $[\alpha;\beta]A \leftrightarrow [\alpha][\beta]A$,
Alt: $[\alpha \cup \beta]A \leftrightarrow [\alpha]A \land [\beta]A$,
Mix: $[\alpha^*]A \to A \land [\alpha][\alpha^*]A$,
Ind: $[\alpha^*](A \to [\alpha]A) \to (A \to [\alpha^*]A)$,
Test: $[A?]B \leftrightarrow (A \to B)$.
Notice the correspondence between $[\alpha^*]$ and $[\alpha]$ in the present language, and $\Box$ and $\bigcirc$ in temporal logic. The axioms Mix and Ind here correspond exactly to the axioms with the same names in §9. This is to be expected, since in each case, one connective is interpreted as the ancestral of the interpretation of the other.
We will show that PDL is determined by, and has the finite model property with respect to, the class of standard models.

Exercises 10.2
(1) $\vdash_{PDL} [\alpha^n]A \leftrightarrow [\alpha]^nA$.
(2)
(3) (Soundness) If $\vdash_{PDL} A$, then $A$ is true in all standard models.

Completeness of PDL
Let $\mathcal{M}^P = (S^P, \{R^P_\alpha : \alpha \in Prog(\Phi, \Pi)\}, V^P)$ be the canonical PDL-model, with $S^P$ the set of PDL-maximal sets,

$sR^P_\alpha t$ iff $\{B : [\alpha]B \in s\} \subseteq t$,

and
$V^P(p) = \{s \in S^P : p \in s\}$.
Although $\mathcal{M}^P$ verifies all PDL-theorems, and falsifies all non-theorems, it has the same inadequacy that occurred with the temporal logic of §9: $R^P_{\alpha^*}$ is not the ancestral of $R^P_\alpha$. However we do have:
Theorem 10.3. $\mathcal{M}^P$ satisfies all standard-model conditions except

$R^P_{\alpha^*} \subseteq (R^P_\alpha)^*$.

Proof. We discuss briefly only part of one condition, namely the inclusion $R^P_{\alpha;\beta} \subseteq R^P_\alpha \circ R^P_\beta$.
Suppose $sR^P_{\alpha;\beta}t$. We need to find a $u \in S^P$ with $sR^P_\alpha u$ and $uR^P_\beta t$. It suffices, by Lindenbaum's Lemma, to show that

$\Delta_0 = \{B : [\alpha]B \in s\} \cup \{\neg[\beta]D : D \notin t\}$

is PDL-consistent, and for this the PDL-theorem $[\alpha][\beta]A \to [\alpha;\beta]A$ (one half of axiom Comp) is used. The proof is very similar to the use of the schema

$\Box\Box A \to \Box A$

in Theorem 3.6 to derive the weak density condition.

Exercise 10.4
Complete the proof of Theorem 10.3.
(The completeness theorem to follow will not depend on 10.3.)

Now let $A$ be a fixed non-theorem of PDL. To obtain a standard model that falsifies $A$ we will collapse $\mathcal{M}^P$ by a suitable $\Gamma$ that contains $A$. The closure rules for $\Gamma$ that will be needed are:
$\Gamma$ is closed under subformulae;
$[B?]D \in \Gamma$ implies $B \in \Gamma$;
$[\alpha;\beta]B \in \Gamma$ implies $[\alpha][\beta]B \in \Gamma$;
$[\alpha \cup \beta]B \in \Gamma$ implies $[\alpha]B, [\beta]B \in \Gamma$;
$[\alpha^*]B \in \Gamma$ implies $[\alpha][\alpha^*]B \in \Gamma$.

A set $\Gamma$ satisfying these conditions will be called closed.


Lemma 10.5. (Fischer and Ladner [1979]). If $\Gamma$ is the smallest closed set containing a given formula $A$, then $\Gamma$ is finite.
Proof. The point is to show that closing $Sf(A)$ under the above rules produces only finitely many new formulae. Define a formula to be boxed if it is prefixed by a modal connective, i.e. is of the form $[\alpha]B$ for some $\alpha$ and $B$. Each time we apply a closure rule, new boxed formulae appear on the right side of the rule, and further rules may apply to these new formulae. But observe that the programs $\alpha$ indexing prefixes $[\alpha]$ on the right side are in all cases shorter in length than those indexing the prefix on the left of the rule in question. Hence we will eventually produce only atomic prefixes on the right, and run out of rules to apply.
To formalise this argument, define a formula $Y$ to be a derivative of formula $X$, denoted $X \succ Y$, if one of the following obtains:

$X$ is $[B?]D$, and $Y$ is a subformula of $B$;
$X$ is $[\alpha;\beta]B$, and $Y$ is $[\alpha][\beta]B$ or $[\beta]B$;
$X$ is $[\alpha \cup \beta]B$, and $Y$ is $[\alpha]B$ or $[\beta]B$;
$X$ is $[\alpha^*]B$, and $Y$ is $[\alpha][\alpha^*]B$.

Then the smallest closed set $\Gamma$ containing $A$ is obtained by closing $Sf(A)$ under $\succ$, i.e. $D \in \Gamma$ iff there is a finite sequence of the form

$X = X_0 \succ X_1 \succ \cdots \succ X_n = D$

with $X \in Sf(A)$. Notice that the definition of $\succ$ is arranged so that if a set $\Delta$ of formulae is closed under subformulae, then adding to $\Delta$ all the derivatives of some $X \in \Delta$ will result in a set still closed under subformulae. Thus to see that $\Gamma$ is finite, observe that only boxed formulae have derivatives, and if $[\alpha]B \succ [\beta]D$, then the length of $\beta$ as a string of symbols is less than that of $\alpha$, so that there can be no infinitely-long $\succ$-sequences. Since $Sf(A)$ is finite, and each formula has only finitely many derivatives, it follows that only finitely many formulae result by forming $\succ$-sequences originating in $Sf(A)$.

Having determined that $\Gamma$, the smallest closed set containing $A$, is finite, we perform a $\Gamma$-filtration of $\mathcal{M}^P$. Let $\Phi_\Gamma$ be $\Phi \cap \Gamma$, and let $Prog_\Gamma$ be the smallest set of programs that includes
all atomic programs occurring in members of $\Gamma$, and
all tests $B?$ occurring in members of $\Gamma$,
and is closed under $;$, $\cup$, and $^*$. Define a model

$\mathcal{M}_\Gamma = (S_\Gamma, \{R_\alpha : \alpha \in Prog_\Gamma\}, V_\Gamma)$,

where $S_\Gamma$ and $V_\Gamma$ are as usual, while $R_\pi$ is any $\Gamma$-filtration of $R^P_\pi$,

$R_{B?} = \{(|s|,|s|) : \mathcal{M}^P \models_s B\}$,

and otherwise $R_\alpha$ is given inductively by the standard-model condition on $\alpha$.

Exercise 10.6
Show that if $B?$ occurs in $\Gamma$, then $B \in \Gamma$, and hence that $R_{B?}$ is well defined.
Theorem 10.7. $\mathcal{M}_\Gamma$ is a $\Gamma$-filtration of $\mathcal{M}^P$.
Proof.
We have to show that $R_\alpha$ is a $\Gamma$-filtration of $R^P_\alpha$ whenever $\alpha \in Prog_\Gamma$. The case of atomic $\alpha$ holds by definition.
Tests. Suppose $B? \in Prog_\Gamma$. Let $sR^P_{B?}t$. Then if $D \in s$, $(B \to D) \in s$, so $[B?]D \in s$ by axiom Test, hence $D \in t$. Thus $s \subseteq t$, and therefore $s = t$ as $s$ is maximal (2.3(2)). Moreover, as Test implies $\vdash_{PDL} [B?]B$, we get $B \in t = s$. Thus we have $s = t$ and $\mathcal{M}^P \models_s B$, implying $|s|R_{B?}|t|$ by definition of $R_{B?}$. Hence (F1) holds for $B?$.
For the second filtration condition, suppose that $|s|R_{B?}|t|$. Then $|s| = |t|$ and $\mathcal{M}^P \models_s B$. Thus if $[B?]D \in \Gamma$ and $\mathcal{M}^P \models_s [B?]D$, we have $\mathcal{M}^P \models_s (B \to D)$, as $\mathcal{M}^P \models$ Test, and so $\mathcal{M}^P \models_s D$. But then $\mathcal{M}^P \models_t D$, since $s \sim_\Gamma t$ and $D \in \Gamma$.
This completes the proof that $R_{B?}$ is a $\Gamma$-filtration of $R^P_{B?}$.
The proof of the first filtration condition (F1) in the inductive cases will use the following idea (which was used in the Ancestral Lemma 9.8). Given $s \in S^P$, let $A_s$ be a formula having

$A_s \in t$ iff $|s|R_\alpha|t|$

($A_s$ exists by Definability Lemma 9.7). Then to show that

$sR^P_\alpha t$ implies $|s|R_\alpha|t|$,

it suffices to prove that $[\alpha]A_s \in s$, for then if $sR^P_\alpha t$ we get $A_s \in t$ as desired.
Composition. Suppose that $(\alpha;\beta) \in Prog_\Gamma$, and, inductively, that $R_\alpha$ and $R_\beta$ are $\Gamma$-filtrations of $R^P_\alpha$ and $R^P_\beta$, respectively. Let $A_s$ be a formula having

$A_s \in t$ iff $|s|R_{\alpha;\beta}|t|$.

Now if $sR^P_\alpha uR^P_\beta t$, then by the induction hypothesis $|s|R_\alpha|u|R_\beta|t|$, hence $|s|R_{\alpha;\beta}|t|$ as $\mathcal{M}_\Gamma$ is standard for $(\alpha;\beta)$, and so $A_s \in t$. This shows that $[\alpha][\beta]A_s \in s$, and so by axiom Comp, $[\alpha;\beta]A_s \in s$ as needed to ensure that $sR^P_{\alpha;\beta}t$ implies $|s|R_{\alpha;\beta}|t|$.
If $|s|R_{\alpha;\beta}|t|$ then for some $u$, $|s|R_\alpha|u|$ and $|u|R_\beta|t|$. Then if formula $[\alpha;\beta]B$ is in $\Gamma$ and true at $s$ in $\mathcal{M}^P$, $[\alpha][\beta]B$ is true at $s$, as $\mathcal{M}^P \models$ Comp, and also a member of $\Gamma$ by a closure condition. But then the hypotheses on $\alpha$ and $\beta$ give $[\beta]B$ true at $u$ in $\mathcal{M}^P$, and thence $B$ true at $t$.
Alternation. The inductive case for $(\alpha \cup \beta)$ is similar to that for $(\alpha;\beta)$. If $A_s$ is a formula having
$A_s \in t$ iff $|s|R_{\alpha\cup\beta}|t|$,
then using the inductive hypothesis on $\alpha$ and $\beta$, and the fact that $\mathcal{M}_\Gamma$ is standard for $(\alpha \cup \beta)$, we get $A_s \in t$ whenever $sR^P_\alpha t$ or $sR^P_\beta t$. Hence $[\alpha]A_s, [\beta]A_s \in s$, so $[\alpha \cup \beta]A_s \in s$ by axiom Alt.
The proof that $R_{\alpha\cup\beta}$ satisfies (F2) is left as an exercise.
Iteration. The proof that $R_{\alpha^*}$, i.e. $R_\alpha^*$, satisfies (F1) in relation to $R^P_{\alpha^*}$ is exactly the same as the proof of the Ancestral Lemma 9.8, using Ind. For (F2), we need to show that
if $|s|R_{\alpha^*}|t|$, then for all $B$, if $[\alpha^*]B \in \Gamma$ and $\mathcal{M}^P \models_s [\alpha^*]B$, then $\mathcal{M}^P \models_t B$.
But if $R_\alpha$ is a $\Gamma$-filtration of $R^P_\alpha$, we can show that for all $n \ge 0$,
if $|s|R_\alpha^n|t|$, then for all $B$, if $[\alpha^*]B \in \Gamma$ and $\mathcal{M}^P \models_s [\alpha^*]B$, then $\mathcal{M}^P \models_t [\alpha^*]B$,
by an argument just like that in 9.8, using $\mathcal{M}^P \models [\alpha^*]B \to [\alpha][\alpha^*]B$ (from Mix). Thus if $|s|R_{\alpha^*}|t|$, then $|s|R_\alpha^n|t|$ for some $n$, so that if $\mathcal{M}^P \models_s [\alpha^*]B$, we get $\mathcal{M}^P \models_t [\alpha^*]B$, and so $\mathcal{M}^P \models_t B$ as $\mathcal{M}^P \models [\alpha^*]B \to B$ by Mix again.
Filtration Lemma 10.8. For any $B \in \Gamma$,
$\mathcal{M}^P \models_s B$ iff $\mathcal{M}_\Gamma \models_{|s|} B$.
Proof. From 10.7, in the usual way.
Corollary 10.9. $\mathcal{M}_\Gamma$ is a standard model.
Proof. The Filtration Lemma, and the definition of $R_{B?}$, give

$R_{B?} = \{(x,x) : \mathcal{M}_\Gamma \models_x B\}$

for $B? \in Prog_\Gamma$, which was the only standard-model condition not already guaranteed by the definition of $\mathcal{M}_\Gamma$.
The final step in the argument that PDL has the finite model property with respect to standard models, and is decidable, should by now be familiar to the reader.

Exercises 10.10
(1) Extend the syntax to include programs of the form $\alpha^{-1}$, with the semantics
$R_{\alpha^{-1}} = \{(t,s) : sR_\alpha t\}$.

(2) Adapt the syntax to take the construction "while $A$ do $\alpha$" as primitive instead of $\alpha^*$. Define standard models appropriately, and show that the resulting logic is axiomatised by replacing Mix and Ind by the schemata

$A \to ([\text{while } A \text{ do } \alpha]B \to [\alpha][\text{while } A \text{ do } \alpha]B)$,
$\neg A \to \langle\text{while } A \text{ do } \alpha\rangle\top$,

and the well known Iteration Rule of Hoare:

from $\vdash A \land B \to [\alpha]B$
infer $\vdash B \to [\text{while } A \text{ do } \alpha](B \land \neg A)$

(cf. Goldblatt [1982i]).

Concurrent Dynamic Logic

We now consider an extension of PDL, due to Peleg [1987], which introduces the combination $\alpha \cap \beta$ of commands $\alpha$ and $\beta$, interpreted as "$\alpha$ and $\beta$ executed in parallel". Thus, whereas the theory of §9 envisaged a collection of processes taking turns to act, here we imagine processes acting independently at the same time. For example, we might contemplate a command of the form goto $l$ and $m$, which causes a program to execute the commands labelled by $l$ and $m$ simultaneously and in parallel.
In this context, the result of an execution started in state $s$ will not be a single terminal state $t$, but rather a set $T$ of states representing the terminal situations of all the parallel processes involved. Thus the relation $R_\alpha$ interpreting command $\alpha$ is no longer a set of pairs $(s,t)$, but rather a set of pairs $(s,T)$, with $s$ a member of the state-set $S$, and $T \subseteq S$. So instead of $R_\alpha \subseteq S \times S$, we have $R_\alpha \subseteq S \times 2^S$.
To keep the two types of relation distinct, we will refer to a subset of $S \times S$ simply as a binary relation on $S$, and a subset of $S \times 2^S$ as a reachability relation on $S$. When $sR_\alpha T$, this signifies that $T$ is "reachable" from $s$ by an execution of $\alpha$. There may be many ways of executing $\alpha$, and hence many different state-sets $T$ reachable from $s$ by doing $\alpha$.
To model the meaning of $\langle\alpha\rangle A$ as "there is an execution of $\alpha$ that terminates with $A$ true", we specify
$\mathcal{M} \models_s \langle\alpha\rangle A$ iff there exists $T \subseteq S$ with $sR_\alpha T$ and $T \subseteq \mathcal{M}(A)$, (i)
where
$\mathcal{M}(A) = \{t \in S : \mathcal{M} \models_t A\}$.
If $[\alpha]$ is identified with $\neg\langle\alpha\rangle\neg$, as in Peleg [1987], the condition for truth of $[\alpha]A$ at $s$ becomes
$sR_\alpha T$ implies $T \cap \mathcal{M}(A) \ne \emptyset$.
Nerode and Wijesekera [1990] suggest that in this context a more appropriate modelling of "after every terminating execution of $\alpha$, $A$ is true", would be
$\mathcal{M} \models_s [\alpha]A$ iff $sR_\alpha T$ implies $T \subseteq \mathcal{M}(A)$, (ii)
making $[\alpha]$ and $\langle\alpha\rangle$ no longer interdefinable via $\neg$.
The extension of PDL with $[\alpha]$ and $\langle\alpha\rangle$ interpreted according to (i) and (ii) has not been investigated in the literature to date. Here we will demonstrate finite axiomatisability and decidability for this extension, by developing a new theory of canonical models and filtrations for reachability relations.
Notice that if a binary relation $\hat{R}_\alpha$ is defined by
$s\hat{R}_\alpha t$ iff $t \in \bigcup\{T : sR_\alpha T\}$,
then (ii) becomes
$\mathcal{M} \models_s [\alpha]A$ iff $s\hat{R}_\alpha t$ implies $\mathcal{M} \models_t A$.
This observation will allow us to relate much of the new theory of $[\alpha]$ given by (ii) to our earlier analysis of the binary relation semantics for PDL. At the same time, a whole new analysis is needed for $\langle\alpha\rangle$.
Syntax and Semantics
The formal language of Concurrent Propositional Dynamic Logic (CPDL) is as for PDL, with the addition of $\cap$ and the independent treatment of $[\alpha]$ and $\langle\alpha\rangle$:
Atomic formulae: $p \in \Phi$
Atomic programs: $\pi \in \Pi$
Formulae: $A \in Fma(\Phi, \Pi)$
Programs: $\alpha \in Prog(\Phi, \Pi)$
$A ::= p \mid \bot \mid A_1 \to A_2 \mid \langle\alpha\rangle A \mid [\alpha]A$
$\alpha ::= \pi \mid \alpha_1;\alpha_2 \mid \alpha_1 \cup \alpha_2 \mid \alpha_1 \cap \alpha_2 \mid \alpha^* \mid A?$
A CPDL-model is a structure
$\mathcal{M} = (S, \{R_\alpha : \alpha \in Prog(\Phi, \Pi)\}, V)$,
with $R_\alpha$ a reachability relation on $S$ for each program $\alpha$, i.e. $R_\alpha \subseteq S \times 2^S$, and the truth relation $\mathcal{M} \models_s A$ determined by (i) and (ii) above.

Operations on Reachability Relations

Let $R$ and $Q$ be reachability relations on a set $S$.
Composition. The relation $R \cdot Q \subseteq S \times 2^S$ is defined by
$s(R \cdot Q)T$ iff there exist $U \subseteq S$ with $sRU$, and a collection
$\{T_u : u \in U\}$ of subsets of $T$ with $uQT_u$ for all
$u \in U$, such that $T = \bigcup\{T_u : u \in U\}$.
Combination.
$R \oplus Q = \{(s, T \cup W) : sRT \text{ and } sQW\}$.
Iteration. Let
$Id = \{(s,\{s\}) : s \in S\}$,
and define a sequence of reachability relations $R^{(n)}$ inductively by
$R^{(0)} = Id$
$R^{(n+1)} = Id \cup R \cdot R^{(n)}$.
Then put
$R^{(*)} = \bigcup\{R^{(n)} : n \in \omega\}$.

Exercises 10.11
(1) $Q \subseteq Q'$ implies $R \cdot Q \subseteq R \cdot Q'$.
(2) $(R \cup R') \cdot Q = R \cdot Q \cup R' \cdot Q$.
(3) Give a counter-example to the assertion

(4) $R^{(n)} \subseteq R^{(n+1)}$. Hence the operation $R^{(n)}$ is monotonic in $n$: $n \leq m$
implies $R^{(n)} \subseteq R^{(m)}$.

Standard Models
A CPDL-model is standard if it satisfies

$R_{\alpha;\beta} = R_\alpha \cdot R_\beta$,
$R_{\alpha\cup\beta} = R_\alpha \cup R_\beta$,
$R_{\alpha\cap\beta} = R_\alpha \oplus R_\beta$,
$R_{\alpha^*} = R_\alpha^{(*)}$,
$R_{A?} = \{(s,\{s\}) : \mathcal{M} \models_s A\}$.
Thus in a standard model, $R_{skip} = Id$. The standard-model condition on
$\cap$ ensures that $\langle\alpha\cap\beta\rangle A$ gets the meaning "$\alpha$ and $\beta$ can be executed in
parallel so that on termination (in both computations) $A$ is true".
To understand the meaning of the new iteration operation $R^{(*)}$ that
interprets $\alpha^*$, consider the schema
$\langle\alpha^*\rangle A \leftrightarrow A \vee \langle\alpha\rangle\langle\alpha^*\rangle A$, (iii)
which intuitively is true under the intended meaning of $\alpha^*$ as "repeat $\alpha$
some finite number ($\geq 0$) of times". In the binary relation semantics for
PDL, where $R_{\alpha^*}$ is the ancestral $R_\alpha^*$, truth of this schema in standard
models is a consequence of the fact that
$R_\alpha^* = id \cup R_\alpha \circ R_\alpha^*$,
where
$id = \{(s,s) : s \in S\}$.
(Note also that in such standard models, $id = R_{skip}$, and $A \leftrightarrow \langle skip\rangle A$
is true.)
Now in fact to have (iii) come out true in a PDL-model, it suffices to
interpret $\alpha^*$ by any binary relation $Q$ satisfying
$Q = id \cup R_\alpha \circ Q$. (iv)
The characteristic property of the ancestral $R_\alpha^*$ is that it is the least solution
of equation (iv), i.e. if (iv) holds then $R_\alpha^* \subseteq Q$ (cf. Exercise 1.5(4)). Thus
in a model in which (iii) is true, we must have $R_\alpha^* \subseteq R_{\alpha^*}$. But then by
requiring $R_{\alpha^*}$ itself to be the least solution of (iv) we add the converse
inclusion $R_{\alpha^*} \subseteq R_\alpha^*$, which is just what is necessary to verify the PDL-
axiom Ind.
Now if we put
$F(Q) = id \cup R_\alpha \circ Q$
for an arbitrary binary relation $Q$, then (iv) asserts that $Q$ is a fixed point
of the operator $F$, i.e. $F(Q) = Q$. There is a general theory about fixed
points of operators like $F$ that is fundamental to the study of recursive
definitions: putting $F^{(0)} = F(\emptyset)$, and $F^{(n+1)} = F(F^{(n)})$, then knowing
only that $F$ is monotonic, i.e. that
$Q \subseteq Q'$ implies $F(Q) \subseteq F(Q')$,
it can be shown that $F$ must have a least fixed point, namely the relation
$\bigcup\{F^{(n)} : n \in \omega\}$.
We applied this theory above in defining $R^{(*)}$, using the monotonic operator
$F(Q) = Id \cup R \cdot Q$
on reachability relations $Q$ (cf. Exercise 10.11(1)). Thus $R^{(*)}$ is defined as
the least solution of the equation
$Q = Id \cup R \cdot Q$,
and so $R_\alpha^{(*)}$ in turn is the least reachability relation that interprets $\alpha^*$ to
make schema (iii) come out true.
Further insight into the nature of the relation $R^{(*)}$ is given in Theorem
10.14(7) below.

Exercises 10.12
Define programs $\alpha^{(n)}$ by
$\alpha^{(0)} = skip$
$\alpha^{(n+1)} = skip \cup (\alpha;\alpha^{(n)})$.
Prove the following in any standard model.
(1) $R_{\alpha^{(n)}} = R_\alpha^{(n)}$.
(2) $\mathcal{M} \models_s [\alpha^{(n)}]A$ iff $sR_\alpha^{(n)}T$ implies $T \subseteq \mathcal{M}(A)$
iff $s\,\overline{R_\alpha^{(n)}}\,t$ implies $\mathcal{M} \models_t A$ (cf. 10.13 below).
(3) $\mathcal{M} \models_s \langle\alpha^{(n)}\rangle A$ iff there exists $T$ with $sR_\alpha^{(n)}T$ and $T \subseteq \mathcal{M}(A)$.
(4) $\mathcal{M} \models_s [\alpha^*]A$ iff for all $n \geq 0$, $\mathcal{M} \models_s [\alpha^{(n)}]A$.
(5) $\mathcal{M} \models_s \langle\alpha^*\rangle A$ iff for some $n \geq 0$, $\mathcal{M} \models_s \langle\alpha^{(n)}\rangle A$.

Reduction to Binary Relations

For an arbitrary reachability relation $R$, define the binary relation $\bar R$ by
$s\bar Rt$ iff $t \in \bigcup\{T : sRT\}$
iff for some $T \subseteq S$, $sRT$ and $t \in T$.
Lemma 10.13. For any CPDL-model $\mathcal{M}$, standard or not,
$\mathcal{M} \models_s [\alpha]A$ iff $s\bar R_\alpha t$ implies $\mathcal{M} \models_t A$.

We now investigate the properties of the relation $\bar R$, and for this purpose
we need the binary relations $\bar R^n$, defined as on page 9. These satisfy
$\bar R^0 = id$
$\bar R^{n+1} = \bar R \circ \bar R^n = \bar R^n \circ \bar R$
$\bar R^* = \bigcup\{\bar R^n : n \in \omega\}$.
Theorem 10.14. For any reachability relations $R_i$, $R$, $Q$:
(1) $\overline{\bigcup_{i \in I} R_i} = \bigcup_{i \in I} \bar R_i$.
(2) $R \subseteq Q$ implies $\bar R \subseteq \bar Q$.
(3) $\overline{R \cdot Q} \subseteq \bar R \circ \bar Q$.
(4) If $Id \subseteq Q$, then $\overline{R \cdot Q} = \bar R \circ \bar Q$.
(5) $\overline{R^{(n+1)}} = id \cup \bar R \circ \overline{R^{(n)}}$.
(6) $\overline{R^{(n)}} = \bar R^0 \cup \cdots \cup \bar R^n$.
(7) $\overline{R^{(*)}} = \bar R^*$.
Proof. (1) and (2) are straightforward, and left as exercises.
(3) Suppose that $s\,\overline{R \cdot Q}\,t$. Then $s(R \cdot Q)T$ for some $T$ with $t \in T$. From
the definition of $R \cdot Q$, it follows that there exists $U$ with $sRU$, and
some $u \in U$ for which there is a $T_u \subseteq T$ with $uQT_u$ and $t \in T_u$. But
then $s\bar Ru$ and $u\bar Qt$, showing that $s\,\bar R \circ \bar Q\,t$.
(4) If $Id \subseteq Q$, we want the converse of (3). Suppose then that $s\,\bar R \circ \bar Q\,t$,
so that $s\bar Ru$ and $u\bar Qt$ for some $u$. Then $sRU$ for some $U$ with $u \in U$,
and $uQT_u$ for some $T_u$ with $t \in T_u$. Let
$T = T_u \cup (U - \{u\})$.
Since $Id \subseteq Q$, we have $vQ\{v\}$ in general, so it follows (with $T_v = \{v\}$
for $v \neq u$) that $s(R \cdot Q)T$, and hence as $t \in T$ that $s\,\overline{R \cdot Q}\,t$.
(5) Since $Id \subseteq R^{(n)}$, $\overline{R \cdot R^{(n)}} = \bar R \circ \overline{R^{(n)}}$ by (4). But as $\overline{Id} = id$, (5) then
follows from the definition of $R^{(n+1)}$ and (1).
(6) By induction on $n$. The case $n = 0$ asserts that $\overline{R^{(0)}} = \bar R^0$, which is
just the true statement that $\overline{Id} = id$.
Assuming the result for $n$, from (5) and this induction hypothesis we
then get
$\overline{R^{(n+1)}} = id \cup \bar R \circ (\bar R^0 \cup \cdots \cup \bar R^n)$
$= \bar R^0 \cup (\bar R \circ \bar R^0 \cup \cdots \cup \bar R \circ \bar R^n)$
$= \bar R^0 \cup \bar R^1 \cup \cdots \cup \bar R^{n+1}$,
which gives the result for $n+1$.
(7) From the definition of $R^{(*)}$, applying (1) and then (6), we calculate
$\overline{R^{(*)}} = \bigcup\{\overline{R^{(n)}} : n \in \omega\} = \bigcup\{\bar R^0 \cup \cdots \cup \bar R^n : n \in \omega\} = \bar R^*$.
Corollary 10.15. In a standard model $\mathcal{M}$,
$\mathcal{M} \models_s [\alpha^*]A$ iff $s\bar R_\alpha^* t$ implies $\mathcal{M} \models_t A$.
Proof. In a standard model, 10.14(7) implies $\overline{R_{\alpha^*}} = \bar R_\alpha^*$, so the result
follows from Lemma 10.13.

This Corollary simplifies the determination of truth-values of formulae con-
taining $[\alpha^*]$. For instance, it makes it easy to show that the PDL-axiom
Ind is true in standard CPDL-models.
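The operations $R \cdot Q$, $R \oplus Q$ and $R^{(*)}$, the truth conditions (i) and (ii), and the passage from a reachability relation $R$ to the binary relation $\bar R$ (Lemma 10.13, Theorem 10.14) can all be computed mechanically once the state set is finite. The following Python program is a worked example added here by the editor; it is not code from the book, and the function names, the encoding of relations as sets of pairs, and the four-state sample model are the editor's own assumptions. On the constructed model it checks that $[\alpha]A$ and $\neg\langle\alpha\rangle\neg A$ come apart under (ii), that Lemma 10.13 holds, that $R^{(*)}$ is a fixed point of $Q = Id \cup R \cdot Q$, and that 10.14(3), (6) and (7) hold.

```python
"""Reachability-relation semantics for CPDL on a finite state set.

Editor's worked example, not code from the book. A reachability relation
R ⊆ S x 2^S is a set of pairs (s, T) with T a frozenset; a binary relation
is a set of pairs (s, t). Function names and the sample model are assumed.
"""
from itertools import product


def identity(S):
    """Id = {(s, {s}) : s in S}."""
    return {(s, frozenset([s])) for s in S}


def compose(R, Q):
    """R . Q: s(R.Q)T iff sRU and T = U{T_u : u in U} for some choice of
    sets T_u with uQT_u, one for every u in U."""
    out = set()
    for s, U in R:
        options = [[T_u for (v, T_u) in Q if v == u] for u in U]
        for pick in product(*options):   # no pick if some u has no T_u
            out.add((s, frozenset().union(*pick)))
    return out


def combine(R, Q):
    """R (+) Q = {(s, T ∪ W) : sRT and sQW}."""
    return {(s, T | W) for (s, T) in R for (v, W) in Q if v == s}


def iterate(R, S):
    """R^(*) = U_n R^(n), R^(0) = Id, R^(n+1) = Id ∪ R . R^(n). The chain
    increases (Exercise 10.11(4)) inside a finite set, so it stops at a
    fixed point of F(Q) = Id ∪ R . Q, which is then the whole union."""
    Rn = identity(S)
    while True:
        nxt = identity(S) | compose(R, Rn)
        if nxt == Rn:
            return Rn
        Rn = nxt


def diamond(R, ext):
    """(i): s |= <a>A iff some T with sRT has T ⊆ M(A); ext is M(A)."""
    return {s for (s, T) in R if T <= ext}


def box(R, ext, S):
    """(ii): s |= [a]A iff every T with sRT has T ⊆ M(A)."""
    return {s for s in S if all(T <= ext for (v, T) in R if v == s)}


def bar(R):
    """R-bar: s R-bar t iff t ∈ U{T : sRT}."""
    return {(s, t) for (s, T) in R for t in T}


def bin_compose(P, Q):
    """Binary relation composition P o Q."""
    return {(s, t) for (s, u) in P for (v, t) in Q if v == u}


def powers_union(P, n, S):
    """P^0 ∪ ... ∪ P^n for a binary relation P."""
    acc, Pk = set(), {(s, s) for s in S}
    for _ in range(n + 1):
        acc |= Pk
        Pk = bin_compose(Pk, P)
    return acc


def ancestral(P, S):
    """P^* = U_n P^n, the reflexive transitive closure."""
    star = {(s, s) for s in S}
    while True:
        nxt = star | bin_compose(star, P)
        if nxt == star:
            return star
        star = nxt


# Constructed sample model: S = {0,1,2,3}. Executing the atomic command a
# from 0 forks into the parallel terminal states {1,2}; from 1 it reaches
# {3}; states 2 and 3 cannot execute a at all.
S = frozenset(range(4))
R_a = {(0, frozenset({1, 2})), (1, frozenset({3}))}


def box_and_diamond_differ():
    """With A true only at 1: [a]A fails at 0, since terminal state 2
    falsifies A, yet ¬<a>¬A holds at 0, since no a-execution from 0 ends
    with A false throughout. So (i) and (ii) are not interdefinable."""
    ext_A = {1}
    not_diamond_not_A = S - diamond(R_a, S - ext_A)
    return 0 in not_diamond_not_A and 0 not in box(R_a, ext_A, S)


def lemma_10_13_holds(R, ext):
    """(ii) agrees with the clause 's R-bar t implies t |= A'."""
    via_bar = {s for s in S if all(t in ext for (v, t) in bar(R) if v == s)}
    return box(R, ext, S) == via_bar


def theorem_10_14_holds(R, Q, n):
    """(3) (R.Q)-bar ⊆ R-bar o Q-bar; (6) R^(n)-bar = R-bar^0 ∪..∪ R-bar^n;
    (7) R^(*)-bar = (R-bar)^*."""
    Rn = identity(S)
    for _ in range(n):
        Rn = identity(S) | compose(R, Rn)
    return (bar(compose(R, Q)) <= bin_compose(bar(R), bar(Q))
            and bar(Rn) == powers_union(bar(R), n, S)
            and bar(iterate(R, S)) == ancestral(bar(R), S))
```

The point to notice in `compose` is that a state $u \in U$ with no $Q$-successor set blocks the whole composite: `product` over an empty option list yields nothing, exactly as the definition demands a $T_u$ for every $u \in U$. The fixed-point loop in `iterate` relies on the monotonicity of Exercise 10.11(4); on an infinite state set the union would in general not be reached in finitely many steps.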

Exercises 10.16
Let $\mathcal{M}$ be standard.
(1) Prove by induction on $n$ that
$\mathcal{M} \models [\alpha^*](\langle\alpha\rangle A \to A) \to [\alpha^*](\langle\alpha^{(n)}\rangle A \to A)$.

(2) Use (1) and 10.12(5) to deduce that
$\mathcal{M} \models [$

Axioms for CPDL

Let CPDL be the smallest logic in $Fma(\Phi,\Pi)$ that contains the schemata
B-K: $[\alpha](A \to B) \to ([\alpha]A \to [\alpha]B)$,
B-Comp: $[\alpha;\beta]A \leftrightarrow [\alpha][\beta]A$,
B-Alt: $[\alpha\cup\beta]A \leftrightarrow [\alpha]A \wedge [\beta]A$,
B-Comb: $[\alpha\cap\beta]A \leftrightarrow (\langle\alpha\rangle\top \to [\beta]A) \wedge (\langle\beta\rangle\top \to [\alpha]A)$,
B-Mix: $[\alpha^*]A \to A \wedge [\alpha][\alpha^*]A$,
B-Ind: $[\alpha^*](A \to [\alpha]A) \to (A \to [\alpha^*]A)$,
B-Test: $[A?]B \leftrightarrow (A \to B)$,
D-K: $[\alpha](A \to B) \to (\langle\alpha\rangle A \to \langle\alpha\rangle B)$,
D-Comp: $\langle\alpha;\beta\rangle A \leftrightarrow \langle\alpha\rangle\langle\beta\rangle A$,
D-Alt: $\langle\alpha\cup\beta\rangle A \leftrightarrow \langle\alpha\rangle A \vee \langle\beta\rangle A$,
D-Comb: $\langle\alpha\cap\beta\rangle A \leftrightarrow \langle\alpha\rangle A \wedge \langle\beta\rangle A$,
D-Mix: $A \vee \langle\alpha\rangle\langle\alpha^*\rangle A \to \langle\alpha^*\rangle A$,
D-Ind: $[\alpha^*](\langle\alpha\rangle A \to A) \to (\langle\alpha^*\rangle A \to A)$,
D-Test: $\langle A?\rangle B \leftrightarrow (A \wedge B)$,
B-D: $[\alpha]\bot \vee \langle\alpha\rangle\top$,
and is closed under Necessitation for $[\alpha]$. Thus CPDL is a normal logic.
(The B- and D- prefixes stand for "Box" and "Diamond".) For the sake of
legibility we will abbreviate $\vdash_{CPDL} A$ simply to $\vdash A$.
It will be shown that this logic has the finite model property with
respect to standard CPDL-models.
Exercises 10.17
(1) (Soundness) If $\vdash A$, then $A$ is true in all standard CPDL-models.
(2) $\vdash A \to B$ implies $\vdash [\alpha]A \to [\alpha]B$.
(3) $\vdash A \to B$ implies $\vdash \langle\alpha\rangle A \to \langle\alpha\rangle B$.
(4) $\vdash [\alpha]A \vee \langle\alpha\rangle\top$.
(5) $\vdash [\alpha]A \to (\langle\alpha\rangle B$

Maximal Sets
Let $S_m$ be the set of all CPDL-maximal subsets of $Fma(\Phi,\Pi)$. For each
formula $A$, let
$\|A\| = \{s \in S_m : A \in s\}$.
For each $s \in S_m$ and program $\alpha$, let
$s_\alpha = \{A : [\alpha]A \in s\}$, and
$\|s_\alpha\| = \{t \in S_m : s_\alpha \subseteq t\}$.
Thus $\|s_\alpha\| = \bigcap\{\|A\| : [\alpha]A \in s\}$.

Note that the condition "$s_\alpha \subseteq t$" is equivalent to "$sR^m_\alpha t$", which defines
the binary relations in the canonical model for PDL.

Theorem 10.18.
(1) $\vdash A$ iff $\|A\| = S_m$.
(2) $\vdash A \to B$ iff $\|A\| \subseteq \|B\|$.
(3) $\|A \vee B\| = \|A\| \cup \|B\|$.
(4) $\|A \wedge B\| = \|A\| \cap \|B\|$.
(5) $\|s_\alpha\| \subseteq \|A\|$ implies $[\alpha]A \in s$.
(6) If $\|s_\alpha\| \cap \|B\| \subseteq \|A\|$ and $\langle\alpha\rangle B \in s$, then $\langle\alpha\rangle A \in s$.
(7) If $s, u \in S_m$ and $s_\alpha \subseteq u$, then $\|u_\beta\| \subseteq \|s_{\alpha;\beta}\|$.
(8) $\|s_{\alpha\cup\beta}\| = \|s_\alpha\| \cup \|s_\beta\|$.
(9) If $\langle\alpha\rangle\top, \langle\beta\rangle\top \in s$, then $\|s_{\alpha\cap\beta}\| = \|s_\alpha\| \cup \|s_\beta\|$.
Proof. (1)-(4) are now familiar properties of maximal sets.
(5) This is essentially as in Theorem 3.2. If $\|s_\alpha\| \subseteq \|A\|$, then every
maximal extension of $s_\alpha$ contains $A$, and so by 2.6(1), $s_\alpha \vdash A$. Hence
$\vdash B_0 \to (B_1 \to (\cdots \to (B_{n-1} \to A)\cdots))$
for some $n$, and some formulae $B_i$ with $[\alpha]B_i \in s$. Then using Neces-
sitation (directly if $n = 0$) and axiom B-K,
$\vdash [\alpha]B_0 \to ([\alpha]B_1 \to (\cdots \to ([\alpha]B_{n-1} \to [\alpha]A)\cdots))$,
from which $[\alpha]A \in s$ follows because $s$ contains all theorems and is
closed under Detachment.
(6) Let $t \in S_m$ have $s_\alpha \subseteq t$. Then if $B \in t$, $t \in \|s_\alpha\| \cap \|B\|$, so as $\|s_\alpha\| \cap
\|B\| \subseteq \|A\|$, then $A \in t$. Thus $(B \to A) \in t$. This shows that $\|s_\alpha\| \subseteq
\|B \to A\|$, so by (5), $[\alpha](B \to A) \in s$. But then by axiom D-K,
$(\langle\alpha\rangle B \to \langle\alpha\rangle A) \in s$, giving the desired result that if $\langle\alpha\rangle B \in s$
then $\langle\alpha\rangle A \in s$.
(7) Let $s_\alpha \subseteq u$. Then if $t \in \|u_\beta\|$, we reason as follows. If $A \in s_{\alpha;\beta}$, then
$[\alpha;\beta]A \in s$, so $[\alpha][\beta]A \in s$ by axiom B-Comp, whence $[\beta]A \in s_\alpha \subseteq
u$, giving $A \in u_\beta \subseteq t$. This shows $s_{\alpha;\beta} \subseteq t$, i.e. $t \in \|s_{\alpha;\beta}\|$.
(8) Here we want to show that
$s_{\alpha\cup\beta} \subseteq t$ iff $s_\alpha \subseteq t$ or $s_\beta \subseteq t$.
The implication from right to left is straightforward, with the aid of
B-Alt. For the converse, suppose that $s_\alpha \not\subseteq t$ and $s_\beta \not\subseteq t$. Then there
must be formulae $A$ and $B$ with $[\alpha]A, [\beta]B \in s$, but $A \notin t$ and $B \notin t$.
Now $[\alpha]A \to [\alpha](A \vee B)$ is a theorem (cf. 10.17(2)), so $[\alpha](A \vee B) \in s$.
Similarly, $[\beta](A \vee B) \in s$. Hence by B-Alt, $[\alpha\cup\beta](A \vee B) \in s$. Since
$(A \vee B) \notin t$, this shows that $s_{\alpha\cup\beta} \not\subseteq t$.
(9) If $\langle\alpha\rangle\top, \langle\beta\rangle\top \in s$, then by axiom B-Comb,
$[\alpha\cap\beta]A \in s$ iff $[\alpha]A \in s$ and $[\beta]A \in s$.
But this allows us to prove that
$s_{\alpha\cap\beta} \subseteq t$ iff $s_\alpha \subseteq t$ or $s_\beta \subseteq t$,
in the same manner as for (8).

Reachability for Maximal Sets

Let $s \in S_m$ and $T \subseteq S_m$. For each program $\alpha$, put
$sR_\alpha T$ iff there exists $B$ with $\langle\alpha\rangle B \in s$ and $T = \|s_\alpha\| \cap \|B\|$.

Theorem 10.19.
(1) $\langle\alpha\rangle A \in s$ iff there exists $T$ with $sR_\alpha T$ and $T \subseteq \|A\|$.
(2) $\langle\alpha\rangle\top \in s$ implies $sR_\alpha\|s_\alpha\|$.
(3) $s\bar R_\alpha t$ iff $s_\alpha \subseteq t$.
(4) $[\alpha]A \in s$ iff $sR_\alpha T$ implies $T \subseteq \|A\|$.
Proof.
(1) If $\langle\alpha\rangle A \in s$, then defining $T = \|s_\alpha\| \cap \|A\|$ immediately gives $sR_\alpha T$
and $T \subseteq \|A\|$. Conversely, if $sR_\alpha T \subseteq \|A\|$, then there exists $B$ with
$\langle\alpha\rangle B \in s$ and $T = \|s_\alpha\| \cap \|B\|$. But then $\|s_\alpha\| \cap \|B\| \subseteq \|A\|$, so
Theorem 10.18(6) gives $\langle\alpha\rangle A \in s$, as desired.
(2) From the definition of $R_\alpha$, since $\|s_\alpha\| \cap \|\top\| = \|s_\alpha\|$.
(3) If $s\bar R_\alpha t$, then $t \in T$ for some $T$ of the form $\|s_\alpha\| \cap \|B\|$. But then
$t \in \|s_\alpha\|$, i.e. $s_\alpha \subseteq t$.
Conversely, if $s_\alpha \subseteq t$, then since $\bot \notin t$, we get $[\alpha]\bot \notin s$, so by axiom
B-D, $\langle\alpha\rangle\top \in s$. Hence by (2), $sR_\alpha\|s_\alpha\|$. Since $t \in \|s_\alpha\|$, this gives
$s\bar R_\alpha t$.
(4) By Theorem 10.18(5) and the definition of $s_\alpha$, it follows that to have
$[\alpha]A \in s$ it is necessary and sufficient that
$s_\alpha \subseteq t$ implies $A \in t$,
which is equivalent by (3) to
$s\bar R_\alpha t$ implies $A \in t$,
which in turn holds if, and only if,
$sR_\alpha T$ implies $T \subseteq \|A\|$.

Corollary 10.20. If there exists some $t$ with $s\bar R_\alpha t$, then $\langle\alpha\rangle\top \in s$.

Proof. If $s\bar R_\alpha t$, there must be some $T$ with $sR_\alpha T$. Since $T \subseteq \|\top\|$, 10.19(1)
then gives $\langle\alpha\rangle\top \in s$.

Canonical Model
The canonical model for CPDL is the structure
$\mathcal{M}_m = (S_m, \{R_\alpha : \alpha \in Prog(\Phi,\Pi)\}, V_m)$,
where $S_m$ is the set of all CPDL-maximal sets, $R_\alpha$ is as defined prior to
Theorem 10.19, and $V_m(p) = \{s \in S_m : p \in s\}$ as usual.
Note that in this model the relation $\bar R_\alpha$ is identical to $R^m_\alpha$, by 10.19(3).
Truth Lemma 10.21. For any $A \in Fma(\Phi,\Pi)$,
$\mathcal{M}_m(A) = \|A\|$,
i.e. for all $s \in S_m$,
$\mathcal{M}_m \models_s A$ iff $A \in s$.
Proof. By induction on the formation of $A$ in the usual way, with the
key inductive cases for $\langle\alpha\rangle$ and $[\alpha]$ provided by 10.19(1) and 10.19(4),
respectively.

As with PDL, the canonical model $\mathcal{M}_m$ determines the logic CPDL,
but cannot be shown to be standard. Some properties that it does enjoy,
and that will be used in our completeness theorem, are collected in the
next result.
Theorem 10.22. The following hold in the canonical CPDL-model.
(1) Tests are standard, i.e. $sR_{A?}T$ iff $T = \{s\}$ and $\mathcal{M}_m \models_s A$.
(2) If $sR_{\alpha;\beta}T$, then $s(R_\alpha \cdot R_\beta)W$ for some $W \subseteq T$.
(3) If $sR_{\alpha\cup\beta}T$, then $s(R_\alpha \cup R_\beta)W$ for some $W \subseteq T$.
(4) $R_{\alpha\cap\beta} \subseteq R_\alpha \oplus R_\beta$.
Proof.
(1) Noting that $\mathcal{M}_m \models_s A$ iff $A \in s$, we have that if $\mathcal{M}_m \models_s A$, then $B \in s$
iff $(A \to B) \in s$ for any formula $B$, so by axiom B-Test, $[A?]B \in s$
iff $B \in s$, showing that $s_{A?} = s$. Moreover, this in turn implies that
$\|s_{A?}\| = \{s\}$, since $s$ is maximal.
Thus if $sR_{A?}T$, then $T = \|s_{A?}\| \cap \|B\|$ for some $B$ with $\langle A?\rangle B \in s$.
Hence from axiom D-Test, $A, B \in s$, whence $\|s_{A?}\| = \{s\}$ as above,
and $\{s\} \subseteq \|B\|$. Thus $T = \{s\} \cap \|B\| = \{s\}$, with $\mathcal{M}_m \models_s A$ as
desired.
Conversely, if $\mathcal{M}_m \models_s A$ and $T = \{s\}$, then $\|s_{A?}\| = \{s\}$ and
$T = \|s_{A?}\| \cap \|A\|$. Hence $sR_{A?}T$, since D-Test gives $\langle A?\rangle A \in s$.
(2) Let $sR_{\alpha;\beta}T$. Then $T = \|s_{\alpha;\beta}\| \cap \|A\|$ for some $A$ with $\langle\alpha;\beta\rangle A \in s$.
Then by D-Comp, $\langle\alpha\rangle\langle\beta\rangle A \in s$, so $sR_\alpha U$, where $U = \|s_\alpha\| \cap
\|\langle\beta\rangle A\|$.
For each $u \in U$, put $T_u = \|u_\beta\| \cap \|A\|$, so that $uR_\beta T_u$, since $\langle\beta\rangle A \in
u$. Also, as $u \in \|s_\alpha\|$, i.e. $s_\alpha \subseteq u$, Theorem 10.18(7) yields $\|u_\beta\| \subseteq
\|s_{\alpha;\beta}\|$, showing that $T_u \subseteq T$. Thus the desired result follows by
putting $W = \bigcup\{T_u : u \in U\}$.
(3) If $sR_{\alpha\cup\beta}T$, then $T = \|s_{\alpha\cup\beta}\| \cap \|A\|$ for some $A$ with $\langle\alpha\cup\beta\rangle A \in s$.
Axiom D-Alt then implies that one of $\langle\alpha\rangle A$ and $\langle\beta\rangle A$ is in $s$. If,
say, $\langle\alpha\rangle A \in s$, then $sR_\alpha W$, where $W = \|s_\alpha\| \cap \|A\|$. By Theorem
10.18(8), $\|s_\alpha\| \subseteq \|s_{\alpha\cup\beta}\|$, so $W \subseteq T$. Similarly, if $\langle\beta\rangle A \in s$, we take
$W = \|s_\beta\| \cap \|A\|$, and get $sR_\beta W \subseteq T$. In either case, $s(R_\alpha \cup R_\beta)W \subseteq
T$.
(4) If $sR_{\alpha\cap\beta}T$, then $T = \|s_{\alpha\cap\beta}\| \cap \|A\|$ for some $A$ with $\langle\alpha\cap\beta\rangle A \in
s$. Then by D-Comb, $\langle\alpha\rangle A, \langle\beta\rangle A \in s$, so $sR_\alpha(\|s_\alpha\| \cap \|A\|)$ and
$sR_\beta(\|s_\beta\| \cap \|A\|)$. Hence $s(R_\alpha \oplus R_\beta)U$, where
$U = (\|s_\alpha\| \cap \|A\|) \cup (\|s_\beta\| \cap \|A\|) = (\|s_\alpha\| \cup \|s_\beta\|) \cap \|A\|$.
Since $\vdash \langle\alpha\rangle A \to \langle\alpha\rangle\top$ (10.17(3)) and $\langle\alpha\rangle A \in s$, it follows that
$\langle\alpha\rangle\top \in s$. Similarly $\langle\beta\rangle\top \in s$. But then by 10.18(9) $U = T$.

Execution Relations
If $s\bar R_\alpha t$, then intuitively there is an execution of $\alpha$ from $s$ that produces
a set $T$ of terminal states including $t$. We may regard this execution as
generating a tree of states, with $T$ being the set of leaves of the tree. There
will be a path through this tree from $s$ to $t$, comprising a sequence of
executions of atomic programs and/or tests (cf. §2.2 of Peleg [1987] for an
indication of how to formalise this idea).
If further $t\bar R_\beta u$, then there will be a similar computation tree contain-
ing a path from $t$ to $u$ as a result of executing $\beta$ from $t$. We then have
$s\,\bar R_\alpha \circ \bar R_\beta\,u$, but we cannot conclude that $s\,\overline{R_{\alpha;\beta}}\,u$ without first showing that
$\beta$-computation trees can be attached to every state in $T$, and not just $t$.
Nonetheless one might suggest that $u$ has been arrived at from $s$ by an
instance of "doing $\alpha$ and then $\beta$".
These observations may provide some motivation for the following
technical definition of relations $R^+_\alpha$ whose chief purpose is to give a rep-
resentation of program composition $\alpha;\beta$ by binary relation composition $\circ$,
and which will be used in defining filtrations of CPDL-models.
Given a CPDL-model
$\mathcal{M} = (S, \{R_\alpha : \alpha \in Prog(\Phi,\Pi)\}, V)$,
define a family $\{R^+_\alpha : \alpha \in Prog(\Phi,\Pi)\}$ of binary relations on $S$ inductively
by
$R^+_\pi = \bar R_\pi$
$R^+_{A?} = \bar R_{A?}$
$R^+_{\alpha;\beta} = R^+_\alpha \circ R^+_\beta$
$R^+_{\alpha\cup\beta} = R^+_\alpha \cup R^+_\beta$
$R^+_{\alpha^*} = (R^+_\alpha)^*$
and
$sR^+_{\alpha\cap\beta}t$ iff for some $T$, either
(i) $sR^+_\alpha t$ and $sR_\beta T$, or
(ii) $sR_\alpha T$ and $sR^+_\beta t$.
Theorem 10.23. In a model that is standard except possibly for tests,
$\bar R_\alpha \subseteq R^+_\alpha$.
Proof. By induction on the formation of $\alpha$. The cases $\alpha = \pi$ and $\alpha = A?$
are immediate by definition of $R^+$. For the inductive cases, assume the
result for $\alpha$ and $\beta$.
Composition:
$\overline{R_{\alpha;\beta}} = \overline{R_\alpha \cdot R_\beta}$ standard condition for $\alpha;\beta$
$\subseteq \bar R_\alpha \circ \bar R_\beta$ 10.14(3)
$\subseteq R^+_\alpha \circ R^+_\beta$ hypothesis on $\alpha$ and $\beta$

Alternation:
$\overline{R_{\alpha\cup\beta}} = \overline{R_\alpha \cup R_\beta}$ standard condition for $\alpha\cup\beta$
$= \bar R_\alpha \cup \bar R_\beta$ 10.14(1)
$\subseteq R^+_\alpha \cup R^+_\beta$ hypothesis on $\alpha$ and $\beta$

Iteration:
$\overline{R_{\alpha^*}} = \overline{R_\alpha^{(*)}}$ standard condition for $\alpha^*$
$= \bar R_\alpha^*$ 10.14(7)
$\subseteq (R^+_\alpha)^*$ hypothesis on $\alpha$

Combination: If $s\,\overline{R_{\alpha\cap\beta}}\,t$, then by the standard condition there are $T$, $W$
with $sR_\alpha T$, $sR_\beta W$, and $t \in T \cup W$. Now if $t \in T$, then $s\bar R_\alpha t$, so $sR^+_\alpha t$ by
the hypothesis on $\alpha$, whence as $sR_\beta W$ we get $sR^+_{\alpha\cap\beta}t$. On the other hand,
if $t \in W$ we similarly get $sR^+_\beta t$ and $sR_\alpha T$, leading again to the desired
conclusion.

Theorem 10.24. Let $\mathcal{M}$ be a model that is standard except possibly for
tests. If $\alpha$ is any program, then for all formulae $A$ we have
$\mathcal{M} \models_s [\alpha]A$ iff $sR^+_\alpha t$ implies $\mathcal{M} \models_t A$.
Proof. Since in general
$\mathcal{M} \models_s [\alpha]A$ iff $s\bar R_\alpha t$ implies $\mathcal{M} \models_t A$
(Lemma 10.13), the fact that $\bar R_\alpha \subseteq R^+_\alpha$ implies directly that the statement
of the Theorem holds from right to left. We prove the converse by induction
on the formation of $\alpha$.
The cases $\alpha = \pi$ and $\alpha = A?$ are immediate, as then $R^+_\alpha = \bar R_\alpha$. For
the inductive cases, assume the result for $\alpha$ and $\beta$.
Composition. Let $\mathcal{M} \models_s [\alpha;\beta]A$ and $sR^+_{\alpha;\beta}t$. Then there exists $u$ with
$sR^+_\alpha u$ and $uR^+_\beta t$. Since $\mathcal{M}$ is standard for composition, it verifies B-Comp,
and so $\mathcal{M} \models_s [\alpha][\beta]A$. The induction hypothesis on $\alpha$ then gives $\mathcal{M} \models_u
[\beta]A$, from which the hypothesis on $\beta$ yields the desired conclusion $\mathcal{M} \models_t
A$.
Alternation. If $\mathcal{M} \models_s [\alpha\cup\beta]A$ and $sR^+_{\alpha\cup\beta}t$, then either $sR^+_\alpha t$ or $sR^+_\beta t$, so
as $\mathcal{M}$ verifies B-Alt, the hypothesis on $\alpha$ and $\beta$ leads to $\mathcal{M} \models_t A$.
Iteration. Let $\mathcal{M} \models_s [\alpha^*]A$. Then we first show that for any $n$,
$s(R^+_\alpha)^n t$ implies $\mathcal{M} \models_t [\alpha^*]A$. (†)
The base case $n = 0$ is immediate, since then $s = t$. Assuming the result
for $n$, suppose that $s(R^+_\alpha)^{n+1}t$. Then for some $u$, $s(R^+_\alpha)^n u$ and $uR^+_\alpha t$. By
the hypothesis on $n$, $\mathcal{M} \models_u [\alpha^*]A$. Hence $\mathcal{M} \models_u [\alpha][\alpha^*]A$, since $\mathcal{M}$
verifies B-Mix, so by the hypothesis on $\alpha$, $\mathcal{M} \models_t [\alpha^*]A$. This completes
the inductive proof of (†).
Now if $sR^+_{\alpha^*}t$, then $s(R^+_\alpha)^n t$ for some $n$, and so $\mathcal{M} \models_t [\alpha^*]A$ by (†).
Again since $\mathcal{M}$ verifies B-Mix, this implies $\mathcal{M} \models_t A$.
Combination. Let $\mathcal{M} \models_s [\alpha\cap\beta]A$ and $sR^+_{\alpha\cap\beta}t$. Then there exists $T$ such
that either (i) $sR^+_\alpha t$ and $sR_\beta T$, or else (ii) $sR_\alpha T$ and $sR^+_\beta t$.
Now if (i) holds, then $sR_\beta T$ implies $\mathcal{M} \models_s \langle\beta\rangle\top$, so as $\mathcal{M}$ verifies
B-Comb, $\mathcal{M} \models_s [\alpha]A$. But then the hypothesis on $\alpha$ gives $\mathcal{M} \models_t A$.
Similarly, if (ii) holds we are led to $\mathcal{M} \models_t A$ by the other conjunct of
B-Comb and the hypothesis on $\beta$.

Filtrations
To define filtrations of CPDL-models, a set $\Gamma$ of formulae is defined to be
closed if
$\Gamma$ is closed under subformulae;
$[B?]D \in \Gamma$ implies $B \in \Gamma$;
$[\alpha;\beta]B \in \Gamma$ implies $[\alpha][\beta]B \in \Gamma$;
$[\alpha\cup\beta]B \in \Gamma$ implies $[\alpha]B, [\beta]B \in \Gamma$;
$[\alpha\cap\beta]B \in \Gamma$ implies $[\alpha]B, [\beta]B, \langle\alpha\rangle\top, \langle\beta\rangle\top \in \Gamma$;
$[\alpha^*]B \in \Gamma$ implies $[\alpha][\alpha^*]B \in \Gamma$;
$\langle B?\rangle D \in \Gamma$ implies $B \in \Gamma$;
$\langle\alpha;\beta\rangle B \in \Gamma$ implies $\langle\alpha\rangle\langle\beta\rangle B \in \Gamma$;
$\langle\alpha\cup\beta\rangle B \in \Gamma$ implies $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$;
$\langle\alpha\cap\beta\rangle B \in \Gamma$ implies $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$;
$\langle\alpha^*\rangle B \in \Gamma$ implies $\langle\alpha\rangle\langle\alpha^*\rangle B \in \Gamma$.
By the same method as used in Lemma 10.5, it can be shown for the
language of CPDL that
Lemma 10.25. For any $A \in Fma(\Phi,\Pi)$ there is a finite closed set $\Gamma$ with
$A \in \Gamma$.
Now let $\Gamma$ be a finite closed set. Put $\Phi_\Gamma = \Phi \cap \Gamma$, and let $Prog_\Gamma$ be
the smallest set of programs that includes all atomic programs and tests
occurring in members of $\Gamma$, and is closed under $;$, $\cup$, $\cap$, and $*$. For $s, t \in S_m$,
put
$s \sim_\Gamma t$ iff $s \cap \Gamma = t \cap \Gamma$,
$|s| = \{t \in S_m : s \sim_\Gamma t\}$,
$S_\Gamma = \{|s| : s \in S_m\}$,
as usual, and for $T \subseteq S_m$, and $X \subseteq S_\Gamma$, put
$|T| = \{|s| : s \in T\}$,
$S_X = \{s \in S_m : |s| \in X\}$.

Exercises 10.26
(1) $T \subseteq U$ implies $|T| \subseteq |U|$.
(2) $X \subseteq Y$ implies $S_X \subseteq S_Y$.
(3) $S_X \subseteq T$ implies $X \subseteq |T|$.
(4) $X = |S_X|$.
(5) $T \subseteq S_{|T|}$.
(6) $|s| = S_{\{|s|\}}$.

Now let
$\mathcal{M} = (S_\Gamma, \{\rho_\alpha : \alpha \in Prog_\Gamma\}, V_\Gamma)$
be a model based on $S_\Gamma$, with $V_\Gamma$ the usual $\Phi_\Gamma$-valuation. Then the reach-
ability relation $\rho_\alpha$ on $S_\Gamma$ is defined to be a $\Gamma$-filtration of the relation $R_\alpha$
from the canonical model $\mathcal{M}_m$ if, and only if, the following four conditions
are satisfied.
(B1) $s\bar R_\alpha t$ implies $|s|\rho^+_\alpha|t|$.
(B2) $|s|\bar\rho_\alpha|t|$ implies $\{B : [\alpha]B \in s \cap \Gamma\} \subseteq t$.
(D1) $sR_\alpha T$ implies $|s|\rho_\alpha X$ for some $X \subseteq |T|$.
(D2) if $|s|\rho_\alpha X$ and $S_X \subseteq \|B\|$, then $\langle\alpha\rangle B \in \Gamma$ implies $\langle\alpha\rangle B \in s$.
$\rho_\alpha$ will be called strong if it satisfies
$sR_\alpha T$ implies $|s|\rho_\alpha|T|$.
Any strong relation $\rho_\alpha$ obviously satisfies (D1). But it also satisfies (B1)
when $\bar\rho_\alpha \subseteq \rho^+_\alpha$, e.g. when $\mathcal{M}$ is standard except possibly for tests (10.23).
For then if $s\bar R_\alpha t$, we have $sR_\alpha T$ for some $T$ with $t \in T$, hence $|s|\rho_\alpha|T|$ and
$|t| \in |T|$, showing $|s|\bar\rho_\alpha|t|$. But then $|s|\rho^+_\alpha|t|$ since $\bar\rho_\alpha \subseteq \rho^+_\alpha$.
The model $\mathcal{M}$ will be called a $\Gamma$-filtration of the canonical model $\mathcal{M}_m$ if
$\rho_\alpha$ is a $\Gamma$-filtration of $R_\alpha$ for all $\alpha \in Prog_\Gamma$.
Filtration Lemma 10.27. Let $\mathcal{M}$ be a $\Gamma$-filtration of $\mathcal{M}_m$ that is stan-
dard except possibly for tests. Then for any $B \in \Gamma$ and $s \in S_m$,
$\mathcal{M}_m \models_s B$ iff $\mathcal{M} \models_{|s|} B$.

Proof. By induction on the formation of $B$.
For the inductive case for $[\alpha]$, assume the result for $B$. Then if $[\alpha]B \in
\Gamma$ and $\mathcal{M} \models_{|s|} [\alpha]B$, since $\mathcal{M}$ is standard except possibly for tests we get
that
$|s|\rho^+_\alpha|t|$ implies $\mathcal{M} \models_{|t|} B$,
by Theorem 10.24. From (B1) and the induction hypothesis on $B$, we then
get
$s\bar R_\alpha t$ implies $\mathcal{M}_m \models_t B$.
This in turn gives $\mathcal{M}_m \models_s [\alpha]B$ by Lemma 10.13.
Conversely, if $\mathcal{M}_m \models_s [\alpha]B$, i.e. $[\alpha]B \in s$, then from (B2) and the
induction hypothesis we get that
$|s|\bar\rho_\alpha|t|$ implies $\mathcal{M} \models_{|t|} B$,
which implies $\mathcal{M} \models_{|s|} [\alpha]B$ by 10.13 again.
Now for the inductive case of $\langle\alpha\rangle$. First, if $\langle\alpha\rangle B \in \Gamma$ and $\mathcal{M}_m \models_s
\langle\alpha\rangle B$, then there exists $T \subseteq S_m$ with $sR_\alpha T \subseteq \|B\|$. Thus if the Lemma
holds for $B$, then for $t \in T$ we have $B \in t$, whence $\mathcal{M} \models_{|t|} B$, showing that
$|T| \subseteq \mathcal{M}(B)$. But by (D1), $|s|\rho_\alpha X$ for some $X \subseteq |T|$. Then $X \subseteq \mathcal{M}(B)$,
giving $\mathcal{M} \models_{|s|} \langle\alpha\rangle B$.
Conversely, if $\mathcal{M} \models_{|s|} \langle\alpha\rangle B$, then $|s|\rho_\alpha X$ for some $X \subseteq \mathcal{M}(B)$.
The inductive hypothesis on $B$ then yields $S_X \subseteq \|B\|$, and so (D2) gives
$\mathcal{M}_m \models_s \langle\alpha\rangle B$.
Existence of Filtrations
For $\alpha \in Prog_\Gamma$, define
$|s|\rho^l_\alpha X$ iff (i) $|t| \in X$ implies $\{B : [\alpha]B \in s \cap \Gamma\} \subseteq t$; and
(ii) $S_X \subseteq \|B\|$ and $\langle\alpha\rangle B \in \Gamma$ implies $\langle\alpha\rangle B \in s$.

Theorem 10.28. If $\overline{\rho^l_\alpha} \subseteq (\rho^l_\alpha)^+$, then $\rho^l_\alpha$ is a $\Gamma$-filtration of $R_\alpha$, and is in
fact the largest one.
Proof. First we show that $\rho^l_\alpha$ is strong, taking care of (B1) and (D1) since
$\overline{\rho^l_\alpha} \subseteq (\rho^l_\alpha)^+$, as explained above. So, let $sR_\alpha T$, with the objective of
showing that $|s|\rho^l_\alpha|T|$, i.e. that (i) and (ii) above hold with $X = |T|$. We
have $T = \|s_\alpha\| \cap \|C\|$, for some $C$ with $\langle\alpha\rangle C \in s$.
Now for (i), if $|t| \in |T|$, then $t \sim_\Gamma u$ for some $u \in T$, so that if
$[\alpha]B \in s \cap \Gamma$ then $T \subseteq \|B\|$ as $sR_\alpha T$, hence $B \in u$, and so $B \in t$ as $B \in \Gamma$.
For (ii), suppose that $S_{|T|} \subseteq \|B\|$ and $\langle\alpha\rangle B \in \Gamma$. Then as $T \subseteq S_{|T|}$,
we have $sR_\alpha T \subseteq \|B\|$, and so $\langle\alpha\rangle B \in s$ follows by Theorem 10.19(1).
This completes the proof that $\rho^l_\alpha$ is strong.
Next we show that (B2) holds for $\rho^l_\alpha$: if $|s|\overline{\rho^l_\alpha}|t|$ then $|s|\rho^l_\alpha X$ and $|t| \in X$
for some $X$, so that by part (i) of the definition of $\rho^l_\alpha$, $\{B : [\alpha]B \in s \cap \Gamma\} \subseteq t$.
Noting that (D2) for $\rho^l_\alpha$ is immediate from (ii), we have now shown
that $\rho^l_\alpha$ is a filtration. The proof that it is the largest is left as an exercise.

The Finite Model

Given a finite closed $\Gamma$, construct a model
$\mathcal{M}_\Gamma = (S_\Gamma, \{\rho_\alpha : \alpha \in Prog_\Gamma\}, V_\Gamma)$,
by letting $\rho_\pi$ be any $\Gamma$-filtration of $R_\pi$ (such existing by 10.28),
$\rho_{B?} = \{(|s|,\{|s|\}) : \mathcal{M}_m \models_s B\}$,
and otherwise defining $\rho_\alpha$ inductively by the standard-model condition on
$\alpha$. Thus $\mathcal{M}_\Gamma$ is standard except possibly for tests.
Theorem 10.29. $\mathcal{M}_\Gamma$ is a $\Gamma$-filtration of the canonical CPDL-model
$\mathcal{M}_m$.
Proof. We have to show that $\rho_\alpha$ is a $\Gamma$-filtration of $R_\alpha$ for each $\alpha \in Prog_\Gamma$.
Tests. Suppose $B? \in Prog_\Gamma$. If $sR_{B?}T$, then by 10.22(1), $T = \{s\}$ and
$\mathcal{M}_m \models_s B$. Hence $|T| = \{|s|\}$, and so $|s|\rho_{B?}|T|$ by definition of $\rho_{B?}$. This
shows that $\rho_{B?}$ is strong, and so fulfils (B1) and (D1).
For (B2), let $|s|\bar\rho_{B?}|t|$, so that $|s| = |t|$ and $B \in s$. Then if $[B?]D \in
s \cap \Gamma$, we get $D \in s$ via B-Test, and so $D \in t$ as $s \sim_\Gamma t$.
For (D2), let $|s|\rho_{B?}X$ and $S_X \subseteq \|D\|$. Then $X = \{|s|\}$ and $B \in s$, so
that $s \in S_X$, giving $D \in s$. Hence by D-Test, $\langle B?\rangle D \in s$.
Composition. Suppose that $(\alpha;\beta) \in Prog_\Gamma$, and, inductively, that $\rho_\alpha$ and
$\rho_\beta$ are $\Gamma$-filtrations of $R_\alpha$ and $R_\beta$, respectively.
(B1): The argument is just as for PDL in Theorem 10.7. For $s \in S_m$,
let $A_s$ be a formula having
$A_s \in t$ iff $|s|\rho^+_{\alpha;\beta}|t|$.
If $s\bar R_\alpha u\bar R_\beta t$, then by (B1) for $\alpha$ and $\beta$, $|s|\rho^+_\alpha|u|\rho^+_\beta|t|$. Hence $|s|\,\rho^+_\alpha \circ \rho^+_\beta\,|t|$, i.e.
$|s|\rho^+_{\alpha;\beta}|t|$ by definition of $\rho^+_{\alpha;\beta}$, and so $A_s \in t$. This shows that $[\alpha][\beta]A_s \in
s$, and hence by axiom B-Comp, $[\alpha;\beta]A_s \in s$ as needed to ensure that
$s\,\overline{R_{\alpha;\beta}}\,t$ implies $|s|\rho^+_{\alpha;\beta}|t|$.
(B2): Let $|s|\,\overline{\rho_{\alpha;\beta}}\,|t|$, i.e. $|s|\,\overline{\rho_\alpha \cdot \rho_\beta}\,|t|$. Then $|s|\,\bar\rho_\alpha \circ \bar\rho_\beta\,|t|$ by 10.14(3), so
for some $u$, $|s|\bar\rho_\alpha|u|$ and $|u|\bar\rho_\beta|t|$. Then if $[\alpha;\beta]B \in s \cap \Gamma$, $[\alpha][\beta]B \in s \cap \Gamma$
by B-Comp, so (B2) for $\alpha$ and $\beta$ give $[\beta]B \in u$ and thence $B \in t$.
(D1): Let $sR_{\alpha;\beta}T$. Then by Theorem 10.22(2), there exists $U \subseteq S_m$
with $sR_\alpha U$, such that for each $u \in U$ there exists $T_u \subseteq T$ with $uR_\beta T_u$. By
(D1) for $\alpha$ there exists $X \subseteq S_\Gamma$ with $|s|\rho_\alpha X \subseteq |U|$. Then if $x \in X$, we
have $x = |u|$ for some $u \in U$, so by (D1) for $\beta$, there exists $Y_x \subseteq S_\Gamma$ with
$x\rho_\beta Y_x \subseteq |T_u| \subseteq |T|$. Thus putting
$Z = \bigcup\{Y_x : x \in X\}$,
we have $|s|(\rho_\alpha \cdot \rho_\beta)Z$, hence $|s|\rho_{\alpha;\beta}Z \subseteq |T|$.
(D2): If $|s|\rho_{\alpha;\beta}X$, i.e. $|s|(\rho_\alpha \cdot \rho_\beta)X$, then there exists $Y \subseteq S_\Gamma$ with
$|s|\rho_\alpha Y$, such that $X = \bigcup\{X_y : y \in Y\}$, with $y\rho_\beta X_y$ for all $y \in Y$.
Now suppose $S_X \subseteq \|B\|$ and $\langle\alpha;\beta\rangle B \in \Gamma$. We want $\langle\alpha;\beta\rangle B \in s$.
But if $t \in S_Y$, then $|t| \in Y$ and $S_{X_{|t|}} \subseteq S_X \subseteq \|B\|$, so as $\langle\beta\rangle B \in \Gamma$ and
$|t|\rho_\beta X_{|t|}$, (D2) for $\beta$ gives $\langle\beta\rangle B \in t$. This shows that $S_Y \subseteq \|\langle\beta\rangle B\|$.
Since $\langle\alpha\rangle\langle\beta\rangle B \in \Gamma$ and $|s|\rho_\alpha Y$, (D2) for $\alpha$ then gives $\langle\alpha\rangle\langle\beta\rangle B \in s$,
so D-Comp yields $\langle\alpha;\beta\rangle B \in s$ as desired.
Alternation.
(B1). Let $A_s$ be a formula having
$A_s \in t$ iff $|s|\rho^+_{\alpha\cup\beta}|t|$.
Using (B1) for $\alpha$ and $\beta$ and the definition of $\rho^+_{\alpha\cup\beta}$, we get $A_s \in t$ whenever
$s\bar R_\alpha t$ or $s\bar R_\beta t$. Hence $[\alpha]A_s, [\beta]A_s \in s$, so $[\alpha\cup\beta]A_s \in s$ by B-Alt.
(B2). If $|s|\,\overline{\rho_{\alpha\cup\beta}}\,|t|$, then either $|s|\bar\rho_\alpha|t|$ or else $|s|\bar\rho_\beta|t|$. Since B-Alt
gives $[\alpha\cup\beta]B \in s$ only if $[\alpha]B, [\beta]B \in s$, (B2) for $\alpha$ and $\beta$ then readily
yield $\{B : [\alpha\cup\beta]B \in s \cap \Gamma\} \subseteq t$.
(D1). If $sR_{\alpha\cup\beta}T$, then by 10.22(3) there exists $W \subseteq T$ with $sR_\alpha W$ or
$sR_\beta W$. Assuming (D1) for $\alpha$ and $\beta$, it follows that there is some $X \subseteq |W|$
with $|s|\rho_\alpha X$ or $|s|\rho_\beta X$. Hence $|s|\rho_{\alpha\cup\beta}X \subseteq |T|$.
(D2). Let $|s|\rho_{\alpha\cup\beta}X$, $S_X \subseteq \|B\|$, and $\langle\alpha\cup\beta\rangle B \in \Gamma$. Then either
$|s|\rho_\alpha X$ or $|s|\rho_\beta X$, and $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$. Hence by (D2) for $\alpha$ and $\beta$,
one of $\langle\alpha\rangle B$ and $\langle\beta\rangle B$ is in $s$, implying $\langle\alpha\cup\beta\rangle B \in s$ by D-Alt.
Combination.
(B1). Let $A_s$ be a formula having
$A_s \in t$ iff $|s|\rho^+_{\alpha\cap\beta}|t|$.
We show that
$(\langle\alpha\rangle\top \to [\beta]A_s), (\langle\beta\rangle\top \to [\alpha]A_s) \in s$, (†)
which gives $[\alpha\cap\beta]A_s \in s$ by B-Comb.
To prove (†), let $\langle\alpha\rangle\top \in s$. Then $sR_\alpha T$ for some $T$, and so by (D1)
for $\alpha$, $|s|\rho_\alpha X$ for some $X$. Then if $s\bar R_\beta t$ we have $|s|\rho^+_\beta|t|$ by (B1) for $\beta$, so
with $|s|\rho_\alpha X$ we get $|s|\rho^+_{\alpha\cap\beta}|t|$, hence $A_s \in t$. This shows that $[\beta]A_s \in s$.
We have now shown that $(\langle\alpha\rangle\top \to [\beta]A_s) \in s$. The proof that
$(\langle\beta\rangle\top \to [\alpha]A_s) \in s$ is similar.
(B2). Let $|s|\,\overline{\rho_{\alpha\cap\beta}}\,|t|$. Then there exist $X, Y$ with $|s|\rho_\alpha X$, $|s|\rho_\beta Y$, and
either $|t| \in X$ or $|t| \in Y$.
Now suppose $[\alpha\cap\beta]B \in s \cap \Gamma$. Then $\langle\alpha\rangle\top, \langle\beta\rangle\top \in \Gamma$. Since
$S_X, S_Y \subseteq \|\top\|$, (D2) for $\alpha$ and $\beta$ then give $\langle\alpha\rangle\top, \langle\beta\rangle\top \in s$. Hence
axiom B-Comb implies $[\beta]B, [\alpha]B \in s$. But if $|t| \in X$, then $|s|\bar\rho_\alpha|t|$, so
(B2) for $\alpha$ gives $B \in t$. If however $|t| \in Y$, we get the same conclusion from
(B2) for $\beta$.
(D1). If $sR_{\alpha\cap\beta}T$, then by 10.22(4) there exist $W_1, W_2$ with $sR_\alpha W_1$,
$sR_\beta W_2$, and $T = W_1 \cup W_2$. By (D1) for $\alpha$ and $\beta$, it follows that there exist
$X_1, X_2$ with $|s|\rho_\alpha X_1 \subseteq |W_1|$ and $|s|\rho_\beta X_2 \subseteq |W_2|$. Hence
$|s|\rho_{\alpha\cap\beta}(X_1 \cup X_2) \subseteq |W_1| \cup |W_2| \subseteq |T|$.
(D2). Let $|s|\rho_{\alpha\cap\beta}X$, $S_X \subseteq \|B\|$, and $\langle\alpha\cap\beta\rangle B \in \Gamma$. Then by
definition of $\rho_{\alpha\cap\beta}$, there exist $Y, Z$ with $|s|\rho_\alpha Y$, $|s|\rho_\beta Z$, and $X = Y \cup Z$.
But $\langle\alpha\rangle B, \langle\beta\rangle B \in \Gamma$, and $S_Y, S_Z \subseteq S_X \subseteq \|B\|$, so by (D2) for $\alpha$ and $\beta$
we get $\langle\alpha\rangle B, \langle\beta\rangle B \in s$. Axiom D-Comb then implies $\langle\alpha\cap\beta\rangle B \in s$.
Iteration.
(B1). This is essentially as in the Ancestral Lemma 9.8. Let $A_s$ be a
formula having
$A_s \in t$ iff $|s|\rho^+_{\alpha^*}|t|$.
We show that
$\vdash A_s \to [\alpha]A_s$. (†)
For, if $t \in S_m$ and $A_s \in t$, then $|s|(\rho^+_\alpha)^*|t|$, and so $|s|(\rho^+_\alpha)^n|t|$ for some
$n \geq 0$. Then if $t\bar R_\alpha u$, (B1) for $\alpha$ implies $|t|\rho^+_\alpha|u|$, hence $|s|(\rho^+_\alpha)^{n+1}|u|$, so
$|s|\rho^+_{\alpha^*}|u|$, and therefore $A_s \in u$. This shows $[\alpha]A_s \in t$, as required for (†).
By the rule of Necessitation for $[\alpha^*]$ and axiom B-Ind, we then have
$(A_s \to [\alpha^*]A_s) \in s$. But $A_s \in s$ as $|s|(\rho^+_\alpha)^0|s|$, so $[\alpha^*]A_s \in s$, yielding
(B1) for $\alpha^*$.
(B2). Since $\overline{\rho_{\alpha^*}} = \overline{\rho_\alpha^{(*)}} = (\bar\rho_\alpha)^*$, we want to show that
$|s|(\bar\rho_\alpha)^*|t|$ implies $\{B : [\alpha^*]B \in s \cap \Gamma\} \subseteq t$.
Using (B2) for $\alpha$ and the CPDL-theorem $[\alpha^*]B \to [\alpha][\alpha^*]B$ (by B-Mix),
we show, in similar fashion to 9.8 and 10.7, that for all $n \geq 0$,
$|s|(\bar\rho_\alpha)^n|t|$ implies $\{[\alpha^*]B : [\alpha^*]B \in s \cap \Gamma\} \subseteq t$.
Then if $|s|(\bar\rho_\alpha)^*|t|$, we have $|s|(\bar\rho_\alpha)^n|t|$ for some $n$, so if $[\alpha^*]B \in s \cap \Gamma$ then
$[\alpha^*]B \in t$, hence $B \in t$ as $\vdash [\alpha^*]B \to B$ by B-Mix.
(D1). For any set $T \subseteq S_m$, let $A_T$ be a formula such that for all
$s \in S_m$,
$A_T \in s$ iff $|s|\rho_{\alpha^*}X$ for some $X \subseteq |T|$.
We will prove
$T \subseteq \|A_T\|$, (†)
and
$\vdash \langle\alpha\rangle A_T \to A_T$. (‡)
From these we derive (D1) for $\alpha^*$ as follows. If $sR_{\alpha^*}T$, then from (†) we
get $\langle\alpha^*\rangle A_T \in s$ (10.19(1)). But from (‡) by Necessitation for $\alpha^*$ and
axiom D-Ind,
$\vdash \langle\alpha^*\rangle A_T \to A_T$,
so $A_T \in s$, giving $|s|\rho_{\alpha^*}X$ for some $X \subseteq |T|$ as desired.
To prove (†), let $t \in T$. Then $|t|\rho_{\alpha^*}\{|t|\}$, since $Id \subseteq \rho_\alpha^{(*)} = \rho_{\alpha^*}$, and
$\{|t|\} \subseteq |T|$, so with $X = \{|t|\}$ we fulfill $A_T \in t$, and hence $t \in \|A_T\|$.
For (‡) it suffices to show that any maximal set containing $\langle\alpha\rangle A_T$
must also contain $A_T$. So, let $s \in S_m$ have $\langle\alpha\rangle A_T \in s$. Then $sR_\alpha U$ for
some $U \subseteq \|A_T\|$. By (D1) for $\alpha$, $|s|\rho_\alpha X$ for some $X \subseteq |U|$. Thus for some
$k \in \omega$ we have $X = \{|u_0|, \ldots, |u_{k-1}|\}$, for some $u_0, \ldots, u_{k-1} \in U$.
Now for each $i$ with $0 \leq i < k$ we have $A_T \in u_i$, since $U \subseteq \|A_T\|$, and
so $|u_i|\rho_{\alpha^*}Y_i$ for some $Y_i \subseteq |T|$. Since $\mathcal{M}_\Gamma$ is standard for $\alpha^*$, it follows that
$|u_i|\rho_\alpha^{(n_i)}Y_i$ for some $n_i$. Let $n$ be the maximum of $n_0, \ldots, n_{k-1}$. Then since
the reachability relations $\rho_\alpha^{(m)}$ increase monotonically with $m$ (Exercise
10.11(4)), we have $|u_i|\rho_\alpha^{(n)}Y_i$ for all $i < k$. Thus if $Y = \bigcup\{Y_i : 0 \leq i < k\}$,
then $|s|(\rho_\alpha \cdot \rho_\alpha^{(n)})Y$, hence $|s|\rho_\alpha^{(n+1)}Y$, and so $|s|\rho_\alpha^{(*)}Y$. Therefore we have
$|s|\rho_{\alpha^*}Y \subseteq |T|$, which ensures that $A_T \in s$ as desired.
(D2). If $|s|\rho_{\alpha^*}X$, then $|s|\rho_\alpha^{(n)}X$ for some $n$. Hence it suffices to prove
that for all $n \geq 0$, and all $s \in S_m$,
if $|s|\rho_\alpha^{(n)}X$ and $S_X \subseteq \|B\|$, then $\langle\alpha^*\rangle B \in \Gamma$ implies $\langle\alpha^*\rangle B \in s$. (†)
For the case $n = 0$, if $|s|\rho_\alpha^{(0)}X$, i.e. $|s|\,Id\,X$, then $X = \{|s|\}$, so if $S_X \subseteq \|B\|$,
then as $s \in S_X$ it follows that $B \in s$, and hence that $\langle\alpha^*\rangle B \in s$ by axiom
D-Mix.
Now make the inductive assumption that (†) holds for $n$, and let
$|s|\rho_\alpha^{(n+1)}X$, $S_X \subseteq \|B\|$, and $\langle\alpha^*\rangle B \in \Gamma$. Then either $|s|\rho_\alpha^{(0)}X$, whence
the desired result follows as above, or else $|s|(\rho_\alpha \cdot \rho_\alpha^{(n)})X$. In the latter case
there must then be some $Y$ with $|s|\rho_\alpha Y$ such that $X = \bigcup\{X_y : y \in Y\}$,
with $y\rho_\alpha^{(n)}X_y$ for all $y \in Y$.
Then if $t \in S_Y$, we have $|t| \in Y$, so $S_{X_{|t|}} \subseteq S_X \subseteq \|B\|$, whence as
$|t|\rho_\alpha^{(n)}X_{|t|}$, the hypothesis on $n$ gives $\langle\alpha^*\rangle B \in t$. Thus $S_Y \subseteq \|\langle\alpha^*\rangle B\|$.
But $\langle\alpha\rangle\langle\alpha^*\rangle B \in \Gamma$, and $|s|\rho_\alpha Y$, so by (D2) for $\alpha$, $\langle\alpha\rangle\langle\alpha^*\rangle B \in s$.
Hence by D-Mix we get our desideratum $\langle\alpha^*\rangle B \in s$.
This shows that (†) holds for $n+1$, completing the inductive proof that
it holds for all $n$, and hence completing the proof of Theorem 10.29.

Corollary 10.30. $\mathcal{M}_\Gamma$ is a standard CPDL-model.

Proof. By definition, $\mathcal{M}_\Gamma$ is standard except possibly for tests. Since it is
a filtration of $\mathcal{M}_m$, the Filtration Lemma 10.27 then implies that
$\mathcal{M}_\Gamma \models_{|s|} B$ iff $\mathcal{M}_m \models_s B$
for $B? \in Prog_\Gamma$, so that $\mathcal{M}_\Gamma$ is also standard for tests.

From this Corollary it follows in the usual way that any non-theorem of
CPDL is falsifiable in a finite standard CPDL-model. Hence CPDL has
the finite model property with respect to standard models, and is decidable.

Normality for $\langle\alpha\rangle$

A natural condition to impose on models is that
$sR_\alpha T$ implies $T \neq \emptyset$,
i.e.
not-$sR_\alpha\emptyset$,
since if sRaT then T is the result of a terminating execution of a from s:


termination implies the existence of a terminal state.
The corresponding axiom schema is

D-N : -i<a>_L,

which is always true under the binary relation semantics. Indeed it requires
only the schema

to derive D-JV from [a]T, and the latter is a theorem of any logic that is
normal for [ a ] .

Exercises 10.31
(1) Let A be a normal logic containing CPDL.
(i) Show that relative to A, the schema D-N is equivalent to each of
the schemata

i.e. A contains one of these three schemata if, and only if, it con-
tains the others.
(ii) Suppose that \~A -><7r>_L for all atomic programs TT. Prove that
\-A -i<a>± for all programs a.
(Hi) If hyi -i<a>.L, then in the canonical model for A, not-s.RQ0.
(2) Show that in a standard model, if not-sR^® for all atomic TT, then
not-s.Ra0 for all a.

To prove the finite model property for the smallest normal logic obtained by
adding D-N to CPDL, we modify the closure conditions on $\Gamma$ to require
that $\langle\pi\rangle\bot \in \Gamma$ whenever $\pi$ occurs in $\Gamma$. Then in the finite filtration
$\mathcal{M}_\Gamma$ it can be shown that not-$|s|\,\rho_\pi\,\emptyset$ for all atomic $\pi \in Prog_\Gamma$. To see
this, observe that if $|s|\,\rho_\pi\,\emptyset$, then since $S_\emptyset = \emptyset = \|\bot\|$, property (D2) of $\rho_\pi$
implies $\langle\pi\rangle\bot \in s$, which is inconsistent with D-N.
By Exercise 10.31(2) above, it then follows that not-$|s|\,\rho_\alpha\,\emptyset$ for all $\alpha \in
Prog_\Gamma$, and so $\mathcal{M}_\Gamma$ is a D-N-model.

Sequential Atoms
The reachability relation $R_\alpha$ will be called sequential if

$sR_\alpha T$ implies $T = \{t\}$ for some $t$.


The corresponding axiom schema is

Seq$_\alpha$: $[\alpha]\neg A \leftrightarrow \neg\langle\alpha\rangle A$,

from which $\neg\langle\alpha\rangle\bot$ is derivable (10.31(1)(i)).

Lemma 10.32. In the canonical model for a normal logic containing
CPDL and Seq$_\alpha$,

$\langle\alpha\rangle A \in s$ iff there exists $t$ with $sR_\alpha t$ and $A \in t$.

Proof. Recall that $sR_\alpha t$ iff $s_\alpha \subseteq t$. Thus if $\langle\alpha\rangle A \in s$, it suffices to show
$s_\alpha \cup \{A\}$ is consistent. But if it were not, then $s_\alpha \vdash \neg A$, hence $[\alpha]\neg A \in s$
(10.18(5)), so $\neg\langle\alpha\rangle A \in s$ by Seq$_\alpha$, contrary to the consistency of $s$.
Conversely, if $s_\alpha \subseteq t$ and $A \in t$, then $\neg A \notin t$, so $[\alpha]\neg A \notin s$, whence
by Seq$_\alpha$ and maximality of $s$, $\langle\alpha\rangle A \in s$.

By a sequential model we will mean one in which the atomic relations $R_\pi$
are sequential, so that parallelism depends on the presence of the
combination connective $\alpha \cap \beta$ on programs. The (normal) logic determined by
the class of sequential models is decidable, and is generated by adding the
schemata Seq$_\pi$ for all atomic $\pi$ to CPDL. To show this, we modify the
definition of $\rho_\pi$ in $\mathcal{M}_\Gamma$, by defining it as the following sequential reachability
relation on $S_\Gamma$:

$x\,\rho_\pi\,\{y\}$ iff $\exists s \in x\,\exists t \in y\,(sR_\pi t)$.

Thus, writing $x\,\rho_\pi\,y$ for $x\,\rho_\pi\,\{y\}$,

$x\,\rho_\pi\,y$ iff $x\,\rho_\pi\,\{y\}$ iff $\exists s \in x\,\exists t \in y\,(s_\pi \subseteq t)$,

from which it follows readily that $\rho_\pi$ meets filtration conditions (B1) and
(B2) (indeed the point is that $\rho_\pi$ is the smallest filtration of $R_\pi$, in the
sense of binary relation semantics).
To prove (D1) for $\rho_\pi$, let $sR_\pi T$ in the canonical model. Then $T \neq \emptyset$,
since $\neg\langle\pi\rangle\bot$ is derivable from Seq$_\pi$. Taking any $t \in T$, we get $sR_\pi t$, and
so $|s|\,\rho_\pi\,\{|t|\}$ with $\{|t|\} \subseteq |T|$.
For (D2), let $|s|\,\rho_\pi\,X$, $S_X \subseteq \|B\|$, and $\langle\pi\rangle B \in \Gamma$. Then there is some
$s' \in |s|$ and some $t$ such that $X = \{|t|\}$ and $s'R_\pi t$. But then $t \in S_X$, so
$B \in t$, and hence by Lemma 10.32, $\langle\pi\rangle B \in s'$. Since $\langle\pi\rangle B \in \Gamma$, we
then get $\langle\pi\rangle B \in s$ as desired.
This completes the proof that $\rho_\pi$ is a $\Gamma$-filtration of $R_\pi$ whenever
$\pi \in Prog_\Gamma$. Thus $\mathcal{M}_\Gamma$ in this case is a finite sequential model that is a
filtration of the canonical model. The rest of the story is as usual.

Further Studies
Dynamic logic is an extensive subject, with much to be learned by varying
the class $Prog$ of programs and its properties (cf. Harel [1984] and Kozen
and Tiuryn [1989] for extensive surveys). One natural variation is to require
atomic programs to be deterministic, so that, in terms of binary relation
semantics, $R_\pi$ becomes a partial function and the schema

$\langle\pi\rangle A \to [\pi]A$

is valid (the quantificational logic of Part Three will have this property).
Now a logic $\Lambda$ containing this schema will have a canonical model
in which $R_\pi$ is a partial function, but that feature will generally be lost
in passing to a filtration $\mathcal{M}_\Gamma$. The problem of "unwinding" the atomic
relations in $\mathcal{M}_\Gamma$ into functions, while preserving the standard-model
conditions and the Filtration Lemma, is not easily solved. A solution is given
in Ben-Ari, Halpern, and Pnueli [1982].

For an indication of the origin of dynamic logic, cf. Goldblatt [1986].


Part Three

First-Order Dynamic Logic

11 Assignments, Substitutions, and Quantifiers

In Part Three we study the language that results when the formalism of
dynamic logic is added to a first-order language. The atomic programs $\pi$
of PDL are replaced by assignment commands $(v := \sigma)$, where $v$ is an
individual variable, and $\sigma$ a term. Such a command has the meaning "set
$v$ equal to $\sigma$", i.e. "assign to $v$ the current value of $\sigma$", and is deterministic.
There is an intimate connection between the computational process
of assignment to a variable, and the syntactic process of substitution for
a variable. If $A^v_\sigma$ is the result of replacing the free occurrences of $v$ in a
first-order formula $A$ by $\sigma$, then

$[v := \sigma]A \leftrightarrow A^v_\sigma$

is valid. Because of this connection, we are able to use modal formulae of
the form $[v := \sigma]A$ in places where the standard theory of first-order logic
uses $A^v_\sigma$: it turns out that this is easier than trying to develop a theory of
syntactic substitution in formulae that contain modal connectives.
In this context, the notion of state can be given a concrete interpretation.
The current state of a computation is determined by saying what
values all the variables currently have. Thus a state can be identified with
a valuation of the individual variables, the same notion of valuation on
which Tarski's definition of satisfaction in a first-order model is founded.
Programs can then be interpreted as binary relations between valuations,
and first-order dynamic logic becomes an enriched language for defining
subsets of the space of valuations of a first-order model.
Defining an equivalence relation

$s \sim_v t$

to mean that states $s$ and $t$ differ only in the value they assign to $v$, we see
that the Tarskian semantics translates to
$\models_s \exists vA$ iff for some state $t$, $s \sim_v t$ and $\models_t A$;
$\models_s \forall vA$ iff for all states $t$ such that $s \sim_v t$, $\models_t A$.


This makes $\exists v$ and $\forall v$ look like modal connectives, and indeed it is well
known that formally they obey the laws of an S5-type $\Diamond$ and $\Box$. In fact
we could (but won't) pursue this, and replace $\exists v$ and $\forall v$ altogether by
$\langle v := ?\rangle$ and $[v := ?]$, where the command $(v := ?)$ means "assign a random
value to $v$" (Pratt [1976]).

Exercise 11.1
Explain informally why the following should be valid when $v$ does not occur
in $\sigma$.
$\langle v := \sigma\rangle A \leftrightarrow \exists v(v = \sigma \wedge A)$
$[v := \sigma]A \leftrightarrow \forall v(v = \sigma \to A)$

Expressibility
The expressive power of first-order dynamic logic is greater than that of
first-order logic itself. To see this, consider the following formula in the
language of the arithmetic of natural numbers.

$\forall w\,\langle v := 0;\ \mathbf{while}\ v \neq w\ \mathbf{do}\ v := v + 1\rangle\top$

This asserts that for all $w$, the displayed program has a terminating
execution, i.e. that any $w$ can be obtained by starting at $0$ and repeatedly
applying the successor operation $\varsigma(n) = n + 1$. In other words: any set of
numbers that contains $0$ and is closed under $\varsigma$ must contain everything. But
this is a version of the Peano Induction Postulate, a postulate which cannot
be expressed in the first-order language of the structure $(\omega, \varsigma, 0)$. There is
a single formula of dynamic logic which characterises this structure up to
isomorphism, and from this it follows by standard arguments that the set of
valid dynamic formulae is not effectively enumerable, unlike the first-order
case (cf. Goldblatt [1982], §3.6, for details). This in turn means that there
can be no adequate proof theory for first-order dynamic logic based on
an enumerable set of axioms and an enumerable set of decidable inference
rules. To develop a proof theory then, we will have to use infinitary rules
of inference. The rule-schema we need is:

if $\vdash A \to [\beta;\alpha^n]B$ for all $n \in \omega$, then $\vdash A \to [\beta;\alpha^*]B$.
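As an added worked example (this is not part of the original text), here is how
the displayed formula is evaluated in the natural model $\mathcal{M}^{\mathfrak{A}}$ of
$\mathfrak{A} = (\omega, \varsigma, 0)$. It assumes the usual PDL abbreviation of
$\mathbf{while}\ \varphi\ \mathbf{do}\ \alpha$ as $(\varphi?;\alpha)^*;(\neg\varphi)?$, the standard-model conditions on
$;$, ${}^*$ and tests, and the natural-model clause $sR_{v:=\sigma}t$ iff $t = s(v/s(\sigma))$ from
§12. Write $\alpha$ for the loop body $(v \neq w)?;\,v := v + 1$ and, for a state $s$ (a
valuation), put $s_k = s(v/k)$; note that $s_k(w) = s(w)$ since $s_k$ differs from $s$
only at $v$.

$$
\begin{aligned}
sR_{v:=0}\,t &\iff t = s(v/s(0)) = s_0,\\
s_kR_{\alpha}\,t &\iff s_k(v) \neq s_k(w)\ \text{and}\ t = s_k(v/s_k(v)+1)
  \iff k \neq s(w)\ \text{and}\ t = s_{k+1},\\
s_0R_{\alpha^*}\,t &\iff t = s_k\ \text{for some } k \text{ such that } j \neq s(w) \text{ for all } j < k,\\
s_kR_{(v=w)?}\,t &\iff t = s_k\ \text{and}\ k = s(w).
\end{aligned}
$$

Composing these relations, $\mathcal{M}^{\mathfrak{A}} \models_s \langle v := 0;\ \mathbf{while}\ v \neq w\ \mathbf{do}\ v := v + 1\rangle\top$
iff there is a $k \in \omega$ with $s(w) = k$ and $j \neq s(w)$ for all $j < k$, i.e. iff
$s(w) = \varsigma^k(0)$ for some $k \in \omega$. Prefixing $\forall w$ therefore says that every element
of the domain is $\varsigma^k(0)$ for some $k$, which is the induction postulate in the
form stated above: a set containing $0$ and closed under $\varsigma$ contains every
$\varsigma^k(0)$, hence everything.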

Exercises 11.2
(1) Verify that this rule preserves truth in standard PDL-models.
(2) The Archimedean Property of the real-number field $\mathbb{R}$ asserts that

$\forall x\,\exists n \in \omega\,(x < n).$

Express this as a sentence in the dynamic logic of an appropriate
first-order structure based on $\mathbb{R}$.
(3) In the first-order dynamic logic of the language of groups, write a
formula that expresses the notion of a cyclic group. Do the same for
the notion of divisible group.

It would be possible to develop a theory in which $(v := \sigma)$ induces a
partial function on states, allowing that evaluation of the term $\sigma$ may
fail to terminate. This would require the use of atomic formulae $(\sigma{\downarrow})$,
expressing "$\sigma$ is defined", which would be true in precisely those states in
which $\sigma$ had a value. However for expository and pedagogical purposes,
the system discussed in these notes is going to be kept as simple, and
as close to standard first-order model theory, as possible. A version of the
theory with partially defined terms is worked out in full in Goldblatt [1982],
Chapter 3.
12 Syntax and Semantics

Let $L = Rel_L \cup Fun_L \cup Con_L \cup Var_L$ be an alphabet made up of disjoint
sets of relation symbols (with specified arities); function symbols (with
specified arities); individual constants; and variables. The set $Var_L$ of
variables is assumed to be denumerable. The syntax of the first-order
dynamic language generated by $L$ is as follows.

Relation symbols: $P \in Rel_L$
Function symbols: $f \in Fun_L$
Constants: $c \in Con_L$
Variables: $v \in Var_L$
Terms: $\sigma \in Term_L$, $\sigma ::= v \mid c \mid f(\sigma_1, \ldots, \sigma_n)$
Boolean formulae: $\varphi \in Bool_L$, the truth-functional combinations of the
atomic formulae $P(\sigma_1, \ldots, \sigma_n)$ and $\sigma_1 = \sigma_2$
Formulae: $A \in Fma_L$, generated from $Bool_L$ by the truth-functional
connectives, $[\alpha]$ for $\alpha \in Prog_L$, and $\forall v$ for $v \in Var_L$
Programs: $\alpha \in Prog_L$, $\alpha ::= (v := \sigma) \mid \alpha_1;\alpha_2 \mid \alpha_1 \cup \alpha_2 \mid \alpha^* \mid \varphi?$

(where $f$ and $P$ are $n$-ary).

Formulae of the type $P(\sigma_1, \ldots, \sigma_n)$ and $\sigma_1 = \sigma_2$ are called atomic. Boolean
formulae are truth-functional combinations of atomic formulae. First-order
formulae are those that contain no modal connectives $[\alpha]$. Programs of the
form $(v := \sigma)$ are assignments and all other types of program are called
structured.
The restriction of test programs $\varphi?$ to Boolean formulae is realistic,
since in practice a computer could not test the truth-value of a formula
involving quantification of variables ranging over infinite sets, or subformulae
of the form $[\alpha]A$ (which may assert that some program has a halting
computation, for instance).


$L$-structures
Let $\mathfrak{A} = (X, I)$ be an $L$-structure in the usual sense, i.e. $I$ is a function
with domain $L$ such that:

for each $n$-ary $P \in Rel_L$, $I(P) \subseteq X^n$;
for each $n$-ary $f \in Fun_L$, $I(f) : X^n \to X$;
for each $c \in Con_L$, $I(c) \in X$.

An $\mathfrak{A}$-valuation is a function $V : Var_L \to X$, assigning to each variable $v$
a "value" $V(v)$ in $X$. Such a function extends in a unique way to $Term_L$,
assigning a value $V(\sigma) \in X$ to each term $\sigma$. The set of all $\mathfrak{A}$-valuations
will be denoted $S_{\mathfrak{A}}$.
If $V$ and $V'$ are $\mathfrak{A}$-valuations, we write

$V \sim_v V'$

to mean that $V$ and $V'$ are identical except (possibly) in the value they
assign to $v$. The notation $V(v/x)$ denotes that $\mathfrak{A}$-valuation $V'$ such that
$V \sim_v V'$ and $V'(v) = x$.
Familiarity is assumed with the definition of the relation

$\mathfrak{A} \models A[V]$

of satisfaction of first-order formula $A$ in $\mathfrak{A}$ by $\mathfrak{A}$-valuation $V$. In particular,

$\mathfrak{A} \models \forall vA[V]$ iff for all $x \in X$, $\mathfrak{A} \models A[V(v/x)]$.

A standard procedure in first-order model-theory is to expand the alphabet
$L$ relative to a given $L$-structure $\mathfrak{A} = (X, I)$ by adding a new constant $c_x$ for
each $x \in X$. The resulting alphabet will be denoted $L_{\mathfrak{A}}$. The interpretation
function $I$ extends to $L_{\mathfrak{A}}$ by putting $I(c_x) = x$. It will be convenient to
continue to refer to the resulting $L_{\mathfrak{A}}$-structure as $\mathfrak{A}$.
Note that any $\mathfrak{A}$-valuation $V : Var_L \to X$ will assign a value $V(\sigma) \in X$
to any $L_{\mathfrak{A}}$-term, with, in particular, $V(c_x) = x$.

Models
An $L$-model for dynamic logic is a structure

$\mathcal{M} = (\mathfrak{A}, S, R, V)$

where
• $\mathfrak{A}$ is an $L$-structure, as above;

• $S$ is a non-empty set (of states);
• $V : S \to S_{\mathfrak{A}}$, i.e. $V$ is a function assigning to each $s \in S$ an $\mathfrak{A}$-valuation
$V_s : Var_L \to X$;
• $R$ is a function assigning to each program $\alpha \in Prog_L$ a binary relation
$R_\alpha \subseteq S \times S$.
For $s, t \in S$, we write
$s(v/x)t$
to mean that $V_t = V_s(v/x)$, i.e. that $V_t(v) = x$ and $V_t(w) = V_s(w)$ whenever
$w \neq v$. More generally, we will use the notation
$s(v/\sigma)t$
to mean that $s(v/V_s(\sigma))t$, i.e. that $V_s$ and $V_t$ differ only in that $V_t(v) = V_s(\sigma)$.
The definition of the truth-relation
$\mathcal{M} \models_s A$
can now be given as follows.
$\mathcal{M} \models_s \varphi$ iff $\mathfrak{A} \models \varphi[V_s]$, for Boolean $\varphi$
$\mathcal{M} \models_s A_1 \to A_2$ iff $\mathcal{M} \models_s A_1$ implies $\mathcal{M} \models_s A_2$
$\mathcal{M} \models_s [\alpha]A$ iff for all $t \in S$, $sR_\alpha t$ implies $\mathcal{M} \models_t A$
$\mathcal{M} \models_s \forall vA$ iff for all $x \in X$, if $s(v/x)t$ then $\mathcal{M} \models_t A$
As usual, we write $\mathcal{M} \models A$ if $\mathcal{M} \models_s A$ for all $s \in S$.

Having Enough States

The model $\mathcal{M}$ will be said to have enough states if
for all $v \in Var_L$, $s \in S$, and $x \in X$, there exists $t \in S$ with $s(v/x)t$.
This condition is clearly going to be required if the quantifier $\forall v$ is to get
its intended meaning "for all $x \in X$" at each state.

Exercises 12.1
(1) $\mathcal{M} \models \forall v(A \to B) \to (\forall vA \to \forall vB)$.
(2) If $\mathcal{M} \models A$, then $\mathcal{M} \models \forall vA$.
(3) If $\mathcal{M}$ has enough states, and $A$ is first-order:
(i) $\mathcal{M} \models_s A$ iff $\mathfrak{A} \models A[V_s]$;
(ii) $\mathfrak{A} \models A$ implies $\mathcal{M} \models A$;
(iii) If $A$ is a sentence (no free variables), and $\mathcal{M} \models_s A$ for some $s \in S$,
then $\mathcal{M} \models A$.

Standard Models
An $L$-model $\mathcal{M}$ is standard if it satisfies the following conditions:
• $L$ includes a constant $c_x$ for each $x \in X$, with $I(c_x) = x$;
• $R_{v:=\sigma}$ is serial, i.e. for all $s \in S$ there exists $t \in S$ with $sR_{v:=\sigma}t$;
• if $sR_{v:=\sigma}t$, then $s(v/\sigma)t$, i.e. $V_t \sim_v V_s$ and $V_t(v) = V_s(\sigma)$;
• for structured programs, the standard-model conditions (as given in
§10) all hold. In particular, for Boolean tests, this requires that

$R_{\varphi?} = \{(s, s) : \mathfrak{A} \models \varphi[V_s]\}.$

By considering assignments of the form $(v := c_x)$, the first three of these
conditions collectively imply that
a standard model has enough states,
and so standard models interpret $\forall$ correctly.
A standard model is, by definition, a model for a language of the form
$L_{\mathfrak{A}}$ (or an extension of such a language), where $\mathfrak{A}$ is its first-order structure.
We may also refer to a standard $L$-model as being standard for $L$.

Natural Models
The natural model of an $L$-structure $\mathfrak{A} = (X, I)$ is the $L_{\mathfrak{A}}$-model

$\mathcal{M}^{\mathfrak{A}} = (\mathfrak{A}, S_{\mathfrak{A}}, R^{\mathfrak{A}}, V^{\mathfrak{A}})$

where
• $S_{\mathfrak{A}}$ is the set of all $\mathfrak{A}$-valuations $s : Var_L \to X$;
• for each $s \in S_{\mathfrak{A}}$, $V^{\mathfrak{A}}_s(v) = s(v)$;
• $sR^{\mathfrak{A}}_{v:=\sigma}t$ iff $t = s(v/s(\sigma))$;
• for structured programs, $R^{\mathfrak{A}}_\alpha$ is defined inductively by the standard-model
condition on $\alpha$.
Since $S_{\mathfrak{A}}$ includes all possible $\mathfrak{A}$-valuations, $\mathcal{M}^{\mathfrak{A}}$ is a standard model, and
has enough states. Also, since $R^{\mathfrak{A}}_{v:=\sigma}$ is a functional relation,

$\mathcal{M}^{\mathfrak{A}} \models \langle v := \sigma\rangle A \leftrightarrow [v := \sigma]A.$

In fact a standard model will always verify this schema, because of the
standard-model conditions on assignments, even though it need not in
general interpret $(v := \sigma)$ as a function. The reason for introducing the more
abstract notion of standard model is that it is convenient to be able to
realise states as entities (such as maximal sets of formulae) other than
valuations. This gives greater freedom in constructing models.

We now examine the relationship between an $L$-model $\mathcal{M} = (\mathfrak{A}, S, R, V)$
and the associated natural model $\mathcal{M}^{\mathfrak{A}}$. Observe that for each state $s$ in
$\mathcal{M}$, the valuation $V_s$ is a state in $\mathcal{M}^{\mathfrak{A}}$, with the value assigned by $V^{\mathfrak{A}}$ to
variable $v$ in the $\mathcal{M}^{\mathfrak{A}}$-state $V_s$ being $V_s(v)$, which is the same as the value
assigned to $v$ in the $\mathcal{M}$-state $s$. That is:

$V^{\mathfrak{A}}_{V_s} = V_s.$

Exercises 12.2
(1) $s(v/x)t$ in $\mathcal{M}$ iff $V_s(v/x)V_t$ in $\mathcal{M}^{\mathfrak{A}}$.
(2) For any $L$-term $\sigma$,
$V^{\mathfrak{A}}_{V_s}(\sigma) = V_s(\sigma),$
so $s(v/\sigma)t$ in $\mathcal{M}$ iff $V_s(v/\sigma)V_t$ in $\mathcal{M}^{\mathfrak{A}}$.
(3) If $A$ is a Boolean $L$-formula,

$\mathcal{M} \models_s A$ iff $\mathcal{M}^{\mathfrak{A}} \models_{V_s} A.$

(4) If $\mathcal{M}$ has enough states, the result of Exercise 3 holds for all first-order
$A$.

p-Morphism Lemma 12.3. If $\mathcal{M}$ is a standard model, with underlying
structure $\mathfrak{A}$, then the function $V : S \to S_{\mathfrak{A}}$ is a p-morphism from $\mathcal{M}$ to
$\mathcal{M}^{\mathfrak{A}}$.
Proof. What is meant by "p-morphism" here is that for each program $\alpha$:
$sR_\alpha t$ implies $V_s R^{\mathfrak{A}}_\alpha V_t$, and
$V_s R^{\mathfrak{A}}_\alpha u$ implies $\exists t\,(sR_\alpha t \ \&\ V_t = u)$.

For an assignment $(v := \sigma)$, the standard-model conditions and the definition
of $R^{\mathfrak{A}}_{v:=\sigma}$ yield
$sR_{v:=\sigma}t$ implies $V_s R^{\mathfrak{A}}_{v:=\sigma} V_t$.

For the second condition, suppose $V_s R^{\mathfrak{A}}_{v:=\sigma} u$, with $u \in S_{\mathfrak{A}}$. Since $R_{v:=\sigma}$ is
serial, there exists a $t \in S$ with $sR_{v:=\sigma}t$, so that

$V_t = V_s(v/V_s(\sigma)) = u.$

Thus the desired result holds when $\alpha$ is an assignment. The inductive cases
for structured commands use the fact that both models are standard.

Exercise 12.4
Complete the proof of 12.3.

Theorem 12.5. If $\mathcal{M}$ is standard, then for any $L$-formula $A$,

(1) $\mathcal{M} \models_s A$ iff $\mathcal{M}^{\mathfrak{A}} \models_{V_s} A$.
(2) $V_s = V_t$ implies ($\mathcal{M} \models_s A$ iff $\mathcal{M} \models_t A$).
(3) If $\mathcal{M}^{\mathfrak{A}} \models A$ then $\mathcal{M} \models A$.
Proof. (2) and (3) are easy consequences of (1). (1) itself is proven by
induction on the formation of $A$. The case of Boolean formulae is taken
care of by Exercise 12.2(3), while the inductive case $A = [\alpha]B$ is taken care
of by the p-Morphism Lemma 12.3 in the same manner as in propositional
modal logic.
We treat only the case $A = \forall vB$ in detail, assuming the result for $B$.
If $\forall vB$ is false at $s$ in $\mathcal{M}$, then for some $x \in X$ and some $t$ with $s(v/x)t$,
$\mathcal{M} \not\models_t B$. Then $V_s(v/x)V_t$ (12.2(1)), and $\mathcal{M}^{\mathfrak{A}} \not\models_{V_t} B$ by hypothesis on $B$,
so $\mathcal{M}^{\mathfrak{A}} \not\models_{V_s} \forall vB$.
Conversely, if $\forall vB$ is false at $V_s$ in $\mathcal{M}^{\mathfrak{A}}$, then for some $x \in X$, and
some $u \in S_{\mathfrak{A}}$ with $V_s(v/x)u$, $\mathcal{M}^{\mathfrak{A}} \not\models_u B$. But then $V_s R^{\mathfrak{A}}_{v:=c_x} u$, so by the
p-Morphism Lemma, $sR_{v:=c_x}t$ for some $t$ with $V_t = u$. Then $\mathcal{M} \not\models_t B$ and
$s(v/x)t$, so $\mathcal{M} \not\models_s \forall vB$.
Corollary 12.6. The classes of standard models and natural models
determine the same logic.
Quantifier/Assignment Lemma 12.7. In a standard model $\mathcal{M}$,

$\mathcal{M} \models_s \forall vA$ iff for all $x \in X$, $\mathcal{M} \models_s [v := c_x]A$.

Proof. If $\mathcal{M} \models_s \forall vA$, then $sR_{v:=c_x}t$ implies $s(v/x)t$, so $\mathcal{M} \models_t A$ by the
semantic clause for $\forall$. Hence $\mathcal{M} \models_s [v := c_x]A$.
On the other hand, if $\mathcal{M} \not\models_s \forall vA$, then $\mathcal{M} \not\models_t A$ for some $t$ such
that $s(v/x)t$ for some $x \in X$. Then $V_t = V_s(v/x)$, so in the natural model
$\mathcal{M}^{\mathfrak{A}}$, $V_s R^{\mathfrak{A}}_{v:=c_x} V_t$. By the p-Morphism Lemma, there is an $\mathcal{M}$-state $t'$
with $sR_{v:=c_x}t'$ and $V_{t'} = V_t$. Then by Theorem 12.5(2), $\mathcal{M} \not\models_{t'} A$, so
$\mathcal{M} \not\models_s [v := c_x]A$.

Axioms
We now list some schemata, relating quantifiers to assignments, that will be
used to axiomatise the logic of natural and standard models of a countable
language. For this purpose, we denote by $VarA$ the (finite) set of all
variables $v$ that have an occurrence in $A$. Likewise, $Var\alpha$ is the set of
variables occurring in program $\alpha$.
A1: $\forall v(A \to B) \to (\forall vA \to \forall vB)$
A2: $A \to \forall vA$, for $v \notin VarA$
A3: $\forall vA \to [v := \sigma]A$

A4: $\forall w[v := w]A \to \forall vA$, for $w \notin \{v\} \cup VarA$
A5: $\forall vA \to [v := \sigma]\forall vA$
A6: $\forall w[v := \sigma]A \to [v := \sigma]\forall wA$, for $w \notin Var(v := \sigma)$
A7: $\langle v := \sigma\rangle A \leftrightarrow [v := \sigma]A$
A8: $[v := \sigma]A \leftrightarrow A^v_\sigma$, for atomic $A$
A9: $[v := \sigma][v := \tau]A \to [v := \tau^v_\sigma]A$
A10: $[v := \sigma][w := \tau]A \to [w := \tau^v_\sigma][v := \sigma]A$, for $w \notin Var(v := \sigma)$
A11: $(\sigma = \tau) \to ([v := \sigma]A \to [v := \tau]A)$

Note that A8 asserts the equivalence of assignment and substitution for
atomic formulae only (cf. the role of this axiom and its consequences in the
Assignment Lemma 14.3 in the last section).

Soundness
All of the schemata A1-A11 are true in standard models. A1 and A2
are familiar from first-order logic, although in the present computational
context, A2 can be regarded as asserting that the truth-value of a formula
$A$ is not affected by an assignment to a variable that does not occur in $A$.
A3 and A4 together give the equivalence of "for all $v$, $A$", and "after every
assignment to $v$, $A$". A6 is an instance of the Barcan formula

$\forall w\Box A \to \Box\forall wA$

which figures prominently in studies of modal predicate logics. The Barcan
formula is true when each possible world has the same domain of individuals
associated with it, i.e. when the range of the quantifier $\forall w$ is independent
of the world (state) in which truth is being evaluated. That property is
satisfied by our present models.
The verification of A8 derives from the fact that for any $\mathfrak{A}$-valuation
$V$, and any term $\tau$,

$V(\tau^v_\sigma) = V(v/V(\sigma))(\tau),$

from which it can be shown that

$\mathfrak{A} \models A^v_\sigma[V]$ iff $\mathfrak{A} \models A[V(v/V(\sigma))],$

for any first-order $A$ (cf. e.g. the Substitution Lemma of Enderton [1972],
p. 127 for details). Hence

$\mathcal{M}^{\mathfrak{A}} \models_s A^v_\sigma$ iff $\mathcal{M}^{\mathfrak{A}} \models_{s(v/s(\sigma))} A$ iff $\mathcal{M}^{\mathfrak{A}} \models_s [v := \sigma]A,$

showing that A8 is true in natural models $\mathcal{M}^{\mathfrak{A}}$. But that is enough to make
it true in all standard models, by Theorem 12.5(3).

Exercise 12.8
Suppose $s(v/\sigma)t$ in an $\mathfrak{A}$-based model $\mathcal{M}$.
(1) Show that $V_s(\tau^v_\sigma) = V_t(\tau)$, for any $L$-term $\tau$.
(2) If $\mathcal{M}$ has enough states, show that for all first-order $A$,

$\mathcal{M} \models_s A^v_\sigma$ iff $\mathcal{M} \models_t A.$

The intuitive meaning of the remaining axioms is left for the reader to
ponder. Formal proofs of the truth of A1-A11 are tedious (although
instructive) and will not be repeated here. Full details appear on pp. 130-136
of Goldblatt [1982]. These proofs depend on some technical lemmas
establishing that the truth of a formula $A$ is not affected by an assignment to a
variable not in $VarA$. These lemmas are given as
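As an added worked example, not part of the original text, here is the
semantic check of A9 in the natural model $\mathcal{M}^{\mathfrak{A}}$. It uses only the
natural-model clause $sR^{\mathfrak{A}}_{v:=\sigma}t$ iff $t = s(v/s(\sigma))$ and the identity of Exercise
12.8(1), which in $\mathcal{M}^{\mathfrak{A}}$ reads $s(\tau^v_\sigma) = t(\tau)$ whenever $s(v/\sigma)t$; by Theorem
12.5(3) the conclusion then transfers to every standard model.

$$
\begin{aligned}
&\text{Let } sR^{\mathfrak{A}}_{v:=\sigma}\,t \text{ and } tR^{\mathfrak{A}}_{v:=\tau}\,u,
  \text{ so } t = s(v/s(\sigma)) \text{ and } u = t(v/t(\tau)).\\
&t(\tau) = s(\tau^v_\sigma)
  \qquad\text{(12.8(1), since } s(v/\sigma)t\text{)},\\
&u = t(v/t(\tau)) = s(v/s(\tau^v_\sigma))
  \qquad\text{(}t \text{ and } s \text{ agree on every variable other than } v\text{)},\\
&\text{i.e. } sR^{\mathfrak{A}}_{v:=\tau^v_\sigma}\,u.
\end{aligned}
$$

Conversely, given $sR^{\mathfrak{A}}_{v:=\tau^v_\sigma}u$, the state $t = s(v/s(\sigma))$ satisfies
$sR^{\mathfrak{A}}_{v:=\sigma}t$ and $tR^{\mathfrak{A}}_{v:=\tau}u$ by the same calculation. So in $\mathcal{M}^{\mathfrak{A}}$ the
composite of $R^{\mathfrak{A}}_{v:=\sigma}$ and $R^{\mathfrak{A}}_{v:=\tau}$ is exactly the single-valued relation
$R^{\mathfrak{A}}_{v:=\tau^v_\sigma}$, and therefore

$$
\mathcal{M}^{\mathfrak{A}} \models_s [v := \sigma][v := \tau]A
\iff \mathcal{M}^{\mathfrak{A}} \models_u A
\iff \mathcal{M}^{\mathfrak{A}} \models_s [v := \tau^v_\sigma]A,
$$

where $u$ is the unique state with $sR^{\mathfrak{A}}_{v:=\tau^v_\sigma}u$. This gives A9 (and in fact
its converse) in natural models, hence A9 in all standard models. The same
pattern, with the side condition $w \notin Var(v := \sigma)$ ensuring that the assignment
to $w$ does not disturb the value of $\sigma$, is what lies behind A10.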

Exercises 12.9
(1) Suppose that $v \notin Var(\alpha)$. Then in $\mathcal{M}^{\mathfrak{A}}$, if $s(v/x)t$, then

$tR^{\mathfrak{A}}_\alpha t'$ iff $\exists s'\,(sR^{\mathfrak{A}}_\alpha s' \ \&\ s'(v/x)t')$

(prove this by induction on $\alpha$).

(2) Suppose that $A \in Fma_{L_{\mathfrak{A}}}$ and $v \notin VarA$. Then in $\mathcal{M}^{\mathfrak{A}}$, if $s(v/x)t$,

$\mathcal{M}^{\mathfrak{A}} \models_s A$ iff $\mathcal{M}^{\mathfrak{A}} \models_t A.$

(3) If $v \notin VarA$, then in any standard model $\mathcal{M}$, if $sR_{v:=c_x}t$, then

$\mathcal{M} \models_s A$ iff $\mathcal{M} \models_t A.$

(4) Use these results to prove that A1-A11 are true in any standard model.
13 Proof Theory

Axioms
The full set $Axm_L$ of axioms for the first-order dynamic logic over an
alphabet $L$ comprises:
• all tautologies in $Fma_L$;
• the usual Identity Axioms
$v = v$,
$\sigma = \tau \to (A \to A')$, where $A$ is atomic, and $A'$ results by replacing
some occurrences of $\sigma$ by $\tau$ in $A$;
• the schemata Comp, Alt, Mix, and Test as for PDL in §10;
• the schemata A1-A11 from pages 151 and 152 in §12.

Rules
In addition to Detachment, and the Necessitation rule for each modal
connective $[\alpha]$, the inference rule schemata we need are
Generalisation: from $A$ deduce $\forall vA$;
Omega-Iteration: from $\{(A \to [\beta;\alpha^n]B) : n \in \omega\}$ deduce $(A \to [\beta;\alpha^*]B)$.
Note that we have left out the PDL-axiom
Ind: $[\alpha^*](A \to [\alpha]A) \to (A \to [\alpha^*]A)$.
Its place has been taken by Omega-Iteration (cf. Exercise 13.1(10) below).

Theorems
Let $\Lambda_L$ be the smallest normal modal logic in $Fma_L$ that contains $Axm_L$
and is closed under Generalisation and Omega-Iteration, i.e.
$A \in \Lambda_L$ implies $\forall vA \in \Lambda_L$;
$\{(A \to [\beta;\alpha^n]B) : n \in \omega\} \subseteq \Lambda_L$ implies $(A \to [\beta;\alpha^*]B) \in \Lambda_L$.
The members of $\Lambda_L$ are the $L$-theorems. If $A \in \Lambda_L$, we write $\vdash_L A$, or just
$\vdash A$ if the context is understood. The main result of Part Three is that the
theorems are precisely those formulae that are true in all natural models.


Exercises 13.1
The following are $L$-theorems.
(1) $\sigma = \sigma$.
(2) $\sigma = \tau \to \tau = \sigma$.
(3) $\sigma = \tau \to (\tau = \rho \to \sigma = \rho)$.
(4) $[v := \sigma]\neg A \leftrightarrow \neg[v := \sigma]A$.
(5) $[v := \sigma](A \to B) \leftrightarrow ([v := \sigma]A \to [v := \sigma]B)$.
(6) $[v := \sigma]\varphi \leftrightarrow \varphi^v_\sigma$, for any Boolean $\varphi$.
(7) $[skip;\alpha]A \leftrightarrow [\alpha]A$.
(8) $[\alpha^n]A \leftrightarrow [\alpha]^nA$.
(9) $(A \to [\beta;\alpha^*]B) \to (A \to [\beta;\alpha^n]B)$.
(10) Ind. Hint: show that
$\vdash B \to [\alpha]B,$
where $B$ is $A \wedge [\alpha^*](A \to [\alpha]A)$. Use Omega-Iteration to obtain

$\vdash B \to [\alpha^*]B.$
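Since the text replaces Ind by Omega-Iteration, here is the derivation behind
Exercise 13.1(10), written out as an added worked example (it is not part of
the original text). It assumes that Mix, taken over from §10, is the schema
$[\alpha^*]C \to C \wedge [\alpha][\alpha^*]C$, and uses the K-schema and Necessitation for
$[\alpha]$ and $[\alpha^*]$ together with items (7) and (8) of the exercise list. Throughout,
$B$ is $A \wedge [\alpha^*](A \to [\alpha]A)$, and $[\alpha]^0D$ is $D$.

$$
\begin{aligned}
&\text{(1)}\quad \vdash B \to A \ \text{ and }\ \vdash B \to (A \to [\alpha]A),
  \ \text{hence } \vdash B \to [\alpha]A
  && \text{(Mix: } [\alpha^*]C \to C\text{)};\\
&\text{(2)}\quad \vdash B \to [\alpha][\alpha^*](A \to [\alpha]A)
  && \text{(Mix: } [\alpha^*]C \to [\alpha][\alpha^*]C\text{)};\\
&\text{(3)}\quad \vdash B \to [\alpha]\bigl(A \wedge [\alpha^*](A \to [\alpha]A)\bigr),
  \ \text{i.e. } \vdash B \to [\alpha]B
  && \text{(from (1), (2) by K for } [\alpha]\text{)};\\
&\text{(4)}\quad \vdash B \to [\alpha]^nB \ \text{ for every } n \in \omega
  && \text{(induction on } n\text{: Necessitation and K turn the case } n
     \text{ into } \vdash [\alpha]B \to [\alpha]^{n+1}B\text{, then use (3))};\\
&\text{(5)}\quad \vdash B \to [skip;\alpha^n]B \ \text{ for every } n \in \omega
  && \text{(from (4) by 13.1(8) and 13.1(7))};\\
&\text{(6)}\quad \vdash B \to [skip;\alpha^*]B,\ \text{ hence } \vdash B \to [\alpha^*]B
  && \text{(Omega-Iteration with } \beta = skip\text{, then 13.1(7))};\\
&\text{(7)}\quad \vdash [\alpha^*]B \to [\alpha^*]A
  && \text{(Necessitation and K for } [\alpha^*] \text{ applied to } \vdash B \to A\text{)};\\
&\text{(8)}\quad \vdash B \to [\alpha^*]A,\ \text{ i.e. }
  \vdash [\alpha^*](A \to [\alpha]A) \to (A \to [\alpha^*]A)
  && \text{(from (6), (7); this is Ind)}.
\end{aligned}
$$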

Theories and Deducibility

An $L$-theory is a set $\Delta$ of $L$-formulae that contains $\Lambda_L$ and is closed under
Detachment and Omega-Iteration (but not necessarily under Generalisation
or Necessitation). If $\Gamma \cup \{A\} \subseteq Fma_L$, then $A$ is deducible from $\Gamma$ in
$L$, $\Gamma \vdash_L A$, if $A$ belongs to every $L$-theory that contains $\Gamma$. This type of
definition appears as a theorem in the finitary proof theory of propositional
modal logic (cf. Corollary 2.6), but since we are using an infinitary inference
rule, the finitary definition of deducibility is no longer appropriate.
A set $\Gamma$ is $L$-consistent if $\Gamma \nvdash_L \bot$.

Exercises 13.2
(1) If $A \in \Gamma$, then $\Gamma \vdash A$.
(2) If $\vdash A$, then $\Gamma \vdash A$.
(3) If $\Gamma \vdash A$ and $\Gamma \subseteq \Theta$, then $\Theta \vdash A$.
(4) If $\Gamma \vdash A$ and $\Gamma \vdash A \to B$, then $\Gamma \vdash B$.
(5) If $\Gamma \vdash A \to [\beta;\alpha^n]B$ for all $n \in \omega$, then $\Gamma \vdash A \to [\beta;\alpha^*]B$.
(6) $\Gamma$ is consistent iff there is no $A$ with $\Gamma \vdash A$ and $\Gamma \vdash \neg A$.
(7) If $\mathcal{M}$ is a standard model, then
$\vdash A$ implies $\mathcal{M} \models A$.

(8) If $\mathcal{M}$ is a standard model, then for any $\mathcal{M}$-state $s$,

$\{A : \mathcal{M} \models_s A\}$
is a consistent theory.
(9) If $\Gamma$ is a theory, then:
(i) $\top \in \Gamma$;
(ii) (Deductive Closure) if $\Gamma \vdash A$, then $A \in \Gamma$;
(iii) if $\Gamma \vdash A \to B$ and $A \in \Gamma$, then $B \in \Gamma$;
(iv) $\Gamma$ is consistent iff $\bot \notin \Gamma$ iff $\Gamma \neq Fma$;
(v) $[\alpha^*]A \in \Gamma$ iff $\{[\alpha^n]A : n \in \omega\} \subseteq \Gamma$.
Lemma 13.3. If $\{[v := \sigma](A \to [\beta;\alpha^n]B) : n \in \omega\} \subseteq \Gamma$, and $\Gamma$ is a
theory, then
$[v := \sigma](A \to [\beta;\alpha^*]B) \in \Gamma.$
Proof. For all $n$, by the axiom K for $[v := \sigma]$, and use of axiom Comp, we
get
$([v := \sigma]A \to [(v := \sigma;\beta);\alpha^n]B) \in \Gamma.$
By closure of $\Gamma$ under Omega-Iteration, this gives

$([v := \sigma]A \to [(v := \sigma;\beta);\alpha^*]B) \in \Gamma,$

and hence by Comp,

$([v := \sigma]A \to [v := \sigma][\beta;\alpha^*]B) \in \Gamma.$

Exercise 13.1(5) then gives the desired result.


Deduction Theorem 13.4. $\Gamma \cup \{A\} \vdash B$ iff $\Gamma \vdash A \to B$.
Proof. (Note that for finitary proof theory this was an easy consequence of
the definition of deducibility (Exercise 2.2(8)).)
Suppose that $\Gamma \cup \{A\} \vdash B$. Let

$\Delta = \{D : \Gamma \vdash A \to D\}.$
We want $B \in \Delta$, so by our hypothesis it will suffice to show that $\Delta$ is a
theory containing $\Gamma \cup \{A\}$.
Now since $D \to (A \to D)$ is a tautology, it is deducible from $\Gamma$, and
this leads to $\Gamma \vdash A \to D$, hence $D \in \Delta$, in case that $D \in \Gamma$ or $\vdash D$.
Similarly, using the tautology $A \to A$ we get $A \in \Delta$.
Next, to show that $\Delta$ is closed under Detachment, suppose $D$ and
$D \to E$ are in $\Delta$. Then the tautology

$(A \to D) \to ((A \to (D \to E)) \to (A \to E))$



leads to $\Gamma \vdash A \to E$, as desired.

Finally, suppose

$\{(D \to [\beta;\alpha^n]E) : n \in \omega\} \subseteq \Delta.$

Then for all $n$,

$\Gamma \vdash A \to (D \to [\beta;\alpha^n]E),$
and so,
$\Gamma \vdash A \wedge D \to [\beta;\alpha^n]E.$
By Omega-Iteration (Exercise 13.2(5)), this gives

$\Gamma \vdash A \wedge D \to [\beta;\alpha^*]E,$

and ultimately that

$(D \to [\beta;\alpha^*]E) \in \Delta.$
This completes the proof that $\Delta$ is a theory, and hence the proof that
$\Gamma \cup \{A\} \vdash B$ implies $\Gamma \vdash A \to B$. The converse is given as an exercise.
Corollary 13.5.
(1) $\{A_1, \ldots, A_n\} \vdash B$ iff $\vdash A_1 \wedge \ldots \wedge A_n \to B$.
(2) $\Gamma \cup \{A\}$ is consistent iff $\Gamma \nvdash \neg A$.
(3) $\Gamma \cup \{\neg A\}$ is consistent iff $\Gamma \nvdash A$.
Proof. Exercise.
Generalisation Lemma 13.6. If the constant $c$ does not occur in $A$ or
$B$, and
$\vdash A \to [v := c]B,$
then
$\vdash A \to \forall vB.$
Proof. In a finitary proof-theory, we would have a finite proof sequence
ending in the first formula, and so we would first replace $c$ throughout this
sequence by some fresh variable. In the infinitary situation we could also
have used proof sequences to define deducibility, but these would be infinite
in length. Such an infinite sequence might use up all the variables, so some
relettering might be necessary to "free one up" so that it could replace $c$.
As it is, we are using a more abstract inductive definition of deducibility,
but here we can still apply the relettering idea in a way that is, if
anything, a little simpler to describe. So, pick a variable $w \notin \{v\} \cup VarA \cup
VarB$, and let $y \mapsto y'$ be an injective mapping of $Var \cup \{c\}$ into $Var$
that has $c' = w$, and $y' = y$ for $y$ in the finite set $\{v\} \cup VarA \cup VarB$.

Since $Var$ is infinite, such a function exists. For each formula $D$, let $D'$
be the result of replacing each symbol $y \in Var \cup \{c\}$ occurring in $D$ by $y'$.
Then the injective correspondence $D \mapsto D'$ maps axioms to axioms, and
instances of rules (Detachment, Necessitation, Generalisation, Omega-Iteration)
to instances of the same rules. Thus the set

$\{D \in Fma_L : \vdash D'\}$

must contain $\Lambda_L$, and so in particular contain the theorem

$A \to [v := c]B,$

implying that

$\vdash (A \to [v := c]B)'.$

By the hypothesis on $c$ and the definition of the relettering $y \mapsto y'$, this
means that
$\vdash A \to [v := w]B.$
Then by the Generalisation rule, axioms A1 and A2, and the fact that
$w \notin VarA$, we get
$\vdash A \to \forall w[v := w]B.$
Axiom A4 then provides the desired conclusion.

Exercise 13.7
If $\vdash \forall v(A \to [\beta;\alpha^n]B)$, for all $n$, then $\vdash \forall v(A \to [\beta;\alpha^*]B)$.

Maximal Theories
An $L$-maximal theory is one that is $L$-consistent, and contains one of $A$
and $\neg A$, for each $L$-formula $A$.

Exercises 13.8
If $\Gamma$ is a maximal theory:
(1)
(2) exactly one of $A$, $\neg A$ belongs to $\Gamma$;
(3) $(A \to B) \in \Gamma$ iff $A \in \Gamma$ implies $B \in \Gamma$.

Rich Theories
If $\chi \subseteq Con_L$ is a set of $L$-constants, then an $L$-theory $\Gamma$ is $\chi$-rich if it satisfies
if $\forall vB \notin \Gamma$, then for some $c \in \chi$, $[v := c]B \notin \Gamma$.
If this holds, $\chi$ may be called a set of "witnesses" for $\Gamma$ in $L$.

Exercise 13.9
If $\Gamma$ is a $\chi$-rich theory, then

$\forall vB \in \Gamma$ iff for all $c \in \chi$, $[v := c]B \in \Gamma$.

Witness Lemma 13.10. If $\Gamma$ is a $\chi$-rich maximal $L$-theory, then for any
$L$-term $\sigma$ there is a witness $c \in \chi$ with $(\sigma = c) \in \Gamma$.
Proof. Since $\vdash (\sigma = \sigma)$, $\neg(\sigma = \sigma) \notin \Gamma$, and so, for a variable $v$ not
occurring in $\sigma$, Exercise 13.1(6) gives $[v := \sigma]\neg(\sigma = v) \notin \Gamma$. Axiom A3 then
yields $\forall v\neg(\sigma = v) \notin \Gamma$, so by $\chi$-richness, $\neg(\sigma = c) \notin \Gamma$ for some $c \in \chi$,
with maximality then giving $(\sigma = c) \in \Gamma$.
Adjoining Constants
In order to develop a completeness theorem, we follow the "Henkin method"
used in first-order logic, and extend a given alphabet by adding new
constants to serve as witnesses for rich theories. So, from now we fix an
alphabet $L$, and let $\chi$ be a denumerable set disjoint from $L$. Form a new
alphabet $L_\chi$ by adding the members of $\chi$ to the set of constants. First it
needs to be checked that this process does not allow any new $L$-formulae
to become deducible:

Exercise 13.11
Use a relettering technique, as in the proof of the Generalisation Lemma
13.6, to show that if $A \in Fma_L$, then

$\vdash_L A$ iff $\vdash_{L_\chi} A$.

Theorem 13.12. Let $L$ be countable. Then if $\nvdash_L A$, there is an $L_\chi$-theory
that is $\chi$-rich and $L_\chi$-maximal, and does not contain $A$.
Proof. Since $L$ and $\chi$ are countable, there is an enumeration

$A_0, A_1, \ldots, A_n, \ldots$

of the set $Fma_{L_\chi}$ of all $L_\chi$-formulae. Define an increasing sequence

$\Delta_0 \subseteq \ldots \subseteq \Delta_n \subseteq \ldots$

of finite sets as follows.

$\Delta_0 = \{\neg A\}.$
Assuming inductively that the finite set $\Delta_n$ has been defined, if

$\Delta_n \vdash_{L_\chi} A_n,$

we put
$\Delta_{n+1} = \Delta_n \cup \{A_n\}.$

Otherwise, when $\Delta_n \nvdash A_n$, we consider cases (working with deducibility in
$L_\chi$ throughout).
Case 1: $A_n$ is neither of the form $(B \to [\beta;\alpha^*]D)$, nor of the form $\forall vB$.
Then put
$\Delta_{n+1} = \Delta_n \cup \{\neg A_n\}.$
Case 2: $A_n$ is of the form $(B \to [\beta;\alpha^*]D)$. Then by Omega-Iteration
(Exercise 13.2(5)), for some $m \in \omega$,

$\Delta_n \nvdash (B \to [\beta;\alpha^m]D).$

Let
$\Delta_{n+1} = \Delta_n \cup \{\neg A_n, \neg(B \to [\beta;\alpha^m]D)\}$
for some (say the least) such $m$.
Case 3: $A_n$ has the form $\forall vB$. Then put

$\Delta_{n+1} = \Delta_n \cup \{\neg A_n, \neg[v := c]B\},$

where $c$ is some member of $\chi$ not appearing in $A_n$ or in any member of $\Delta_n$
(since $\Delta_n$ is finite, and $\chi$ infinite, such $c$ must exist).
This completes the definition of the $\Delta_n$'s. The desired $L_\chi$-theory is

$\Delta = \bigcup\{\Delta_n : n \in \omega\}.$
It is evident that $\Delta$ contains all $L_\chi$-theorems, for if $\vdash A_n$, then $\Delta_n \vdash A_n$,
and $A_n \in \Delta_{n+1}$. Also, the construction ensures that if $A_n \notin \Delta$, then
$\neg A_n \in \Delta$. To proceed further, it is necessary to show that each $\Delta_n$ is
consistent. This is done by induction on $n$. For $n = 0$, Corollary 13.5(3)
provides the result, since $\nvdash A$. Assuming that $\Delta_n$ is consistent, observe
that if $\Delta_n \vdash A_n$, it must follow that $\Delta_n \nvdash \neg A_n$ (Ex. 13.2(6)), and so
$\Delta_{n+1} = \Delta_n \cup \{A_n\}$ is consistent (Corollary 13.5(2)). If however $\Delta_n \nvdash A_n$,
we have the three above cases to consider.
Case 1: Here, invocation of Corollary 13.5(3) again gives the consistency
of $\Delta_{n+1}$.
Case 2: In this case, if $\Delta_{n+1}$ were not consistent, then by 13.5(3) and the
Deduction Theorem 13.4 we would have

$\Delta_n \vdash \neg(B \to [\beta;\alpha^*]D) \to (B \to [\beta;\alpha^m]D).$

But
$\vdash (B \to [\beta;\alpha^*]D) \to (B \to [\beta;\alpha^m]D)$

(cf. Exercise 13.1(9)), and so by tautological reasoning,

$\Delta_n \vdash (B \to [\beta;\alpha^m]D),$

which contradicts the definition of $m$.

Case 3: If $\Delta_{n+1}$ is inconsistent in this case, then

$\Delta_n \vdash \neg\forall vB \to [v := c]B.$

Since axiom A3 gives

$\vdash \forall vB \to [v := c]B,$

this implies

$\Delta_n \vdash [v := c]B,$

and hence

$\vdash D \to [v := c]B,$

where $D$ is the conjunction of the finitely many members of $\Delta_n$. From our
choice of $c$, the Generalisation Lemma 13.6 then gives

$\vdash D \to \forall vB,$

and so $\Delta_n \vdash \forall vB$, contradicting the definition of this case.

Now that we know that each $\Delta_n$ is consistent, it follows readily that
for each $L_\chi$-formula $B$, exactly one of $B$ and $\neg B$ is in $\Delta$: otherwise,
$B, \neg B \in \Delta_n$ for some $n$, contradicting $\Delta_n$'s consistency. From this
follows the closure of $\Delta$ under Detachment, for if $B, (B \to D) \in \Delta$ but
$D \notin \Delta$, the inconsistent set $\{B, (B \to D), \neg D\}$ would be contained in
some $\Delta_n$. Also, the construction makes $\Delta$ closed under Omega-Iteration,
for if $(B \to [\beta;\alpha^*]D) \notin \Delta$, then for some $m$ we get $\neg(B \to [\beta;\alpha^m]D) \in \Delta$,
and hence $(B \to [\beta;\alpha^m]D) \notin \Delta$.
At this point $\Delta$ has been shown to be an $L_\chi$-maximal theory, and hence
to be deductively closed (Ex. 13.2(9)). Consistency of $\Delta$ now follows, since
$\Delta \vdash \bot$ would imply $\bot \in \Delta$, and hence $\bot \in \Delta_n$ for some $n$. Finally, since
$\neg A \in \Delta_0$, we have $A \notin \Delta$.
14 Canonical Model and Completeness

Suppose $L$ is a countable alphabet, and $\nvdash_L A$. Adjoining a denumerable
set $\chi$ of constants to $L$, apply Theorem 13.12 to obtain a $\chi$-rich maximal
$L_\chi$-theory $\Sigma_A$, with $A \notin \Sigma_A$. We use $\Sigma_A$ to define a standard $L_\chi$-model

$\mathcal{M}^A = (\mathfrak{A}^A, S^A, R^A, V^A)$

that falsifies $A$. The definition of $\mathcal{M}^A$ will take some time to develop.

The Diagram
We define the diagram of the structure $\mathfrak{A}^A$ to be the set $Diag_A$ of all
atomic $L_\chi$-sentences, and negations of atomic $L_\chi$-sentences, that belong to
$\Sigma_A$. Thus $Diag_A$ consists of all $L_\chi$-formulae that belong to $\Sigma_A$ of the form
$P(\sigma_1, \ldots, \sigma_n)$ or $\sigma = \tau$, and the negations of such formulae, where the
terms involved contain no variables (only constants and function letters).
The members of $Diag_A$ will all be true in the $L_\chi$-structure $\mathfrak{A}^A$, and give a
complete specification of its algebraic relations.

The Structure
The definition of $\mathfrak{A}^A$ is the standard one used, as in the Henkin completeness
proof for first-order logic, to build a first-order structure out of a
maximal theory.
Define an equivalence relation on $\chi$ by putting

$c \sim d$ iff $(c = d) \in \Sigma_A$

(by Exercises 13.1, this is indeed an equivalence). Let

$\bar{c} = \{d : c \sim d\}$

be the $\sim$-equivalence class of $c$ and

$X^A = \{\bar{c} : c \in \chi\}.$

Then put $\mathfrak{A}^A = (X^A, I)$, where the interpretation function $I$ is defined as
follows:
162
§14 Canonical Model and Completeness 163

• if P is an n-ary relation symbol,


7(P)(cl, . . . , 50 iff P(ci, • • • , «v.) e «*;
• if / is an n-ary function symbol,
7(/)(ci, . . . , $0 = c iff (/(ci, . . . , c,,) = c) € SA;
• if d is a constant,
/(d) = ciff (d= c) € a^.
Note that in the last two cases, a suitable witness c always does exist, by
the Witness Lemma 13.10. In the case that the constant d belongs to x, we
have more simply that /(d) = d. Hence every member of 21"4 is "named"
by a constant from \.
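The quotient construction just described, as an added example in Python that is not part of Goldblatt's text: constants are identified exactly when the diagram contains the equation between them, and the relation and function symbols are read off the diagram through representatives of the classes. The diagram, the constants and the symbol names below are constructed for the example; the well-definedness checks stand in for the identity axioms that a maximal theory supplies.

```python
"""Henkin-style quotient structure built from a diagram of closed atomic sentences."""
# Added example, not from Goldblatt's text. Constants are strings; a diagram
# is a list of closed atomic sentences and negations of such, encoded as:
#   ("=", c, d)                    the sentence c = d
#   ("P", name, (c1, ..., cn))     the sentence name(c1, ..., cn)
#   ("f", name, (c1, ..., cn), c)  the sentence name(c1, ..., cn) = c
#   ("not", entry)                 the negation of one of the above

class QuotientStructure:
    """The structure (X, I): X is the set of ~-classes of constants, where
    c ~ d iff (c = d) is in the diagram, and I interprets symbols on classes
    through representatives, following the chapter's definition."""

    def __init__(self, constants, diagram):
        self.parent = {c: c for c in constants}        # union-find over constants
        for entry in diagram:
            if entry[0] == "=":
                self._union(entry[1], entry[2])
        self.rel = {}   # relation name -> set of tuples of classes
        self.fun = {}   # (function name, tuple of classes) -> class
        for entry in diagram:
            if entry[0] == "P":
                self.rel.setdefault(entry[1], set()).add(self.classes(entry[2]))
            elif entry[0] == "f":
                key, value = (entry[1], self.classes(entry[2])), self.cls(entry[3])
                # Well-definedness: two diagram sentences about the same
                # argument classes must agree on the value class.
                if self.fun.get(key, value) != value:
                    raise ValueError("function value not well defined on classes")
                self.fun[key] = value
        # Well-definedness for relations: a negated atom must not collide with
        # a positive atom about the same classes.
        for entry in diagram:
            if entry[0] == "not" and entry[1][0] == "P":
                _, name, args = entry[1]
                if self.classes(args) in self.rel.get(name, set()):
                    raise ValueError("relation not well defined on classes")

    def _union(self, c, d):
        self.parent[self.cls(c)] = self.cls(d)

    def cls(self, c):
        """Representative of the ~-class of constant c (with path compression)."""
        while self.parent[c] != c:
            self.parent[c] = self.parent[self.parent[c]]
            c = self.parent[c]
        return c

    def classes(self, cs):
        return tuple(self.cls(c) for c in cs)

    def domain(self):
        """X: one representative per class, so every element is named by a constant."""
        return {self.cls(c) for c in self.parent}

    def satisfies(self, entry):
        """Truth of a closed atomic sentence (or its negation) in the structure."""
        kind = entry[0]
        if kind == "=":
            return self.cls(entry[1]) == self.cls(entry[2])
        if kind == "P":
            return self.classes(entry[2]) in self.rel.get(entry[1], set())
        if kind == "f":
            return self.fun.get((entry[1], self.classes(entry[2]))) == self.cls(entry[3])
        if kind == "not":
            return not self.satisfies(entry[1])
        raise ValueError(kind)


# Constructed sample diagram over five constants (not from the book).
CONSTANTS = ["c0", "c1", "c2", "c3", "c4"]
DIAGRAM = [
    ("=", "c0", "c1"),
    ("=", "c2", "c3"),
    ("not", ("=", "c0", "c2")),
    ("P", "P", ("c0",)),
    ("not", ("P", "P", ("c3",))),
    ("f", "f", ("c1",), "c2"),
    ("f", "f", ("c3",), "c4"),
]

def build():
    return QuotientStructure(CONSTANTS, DIAGRAM)

def diagram_holds(structure=None):
    """Every member of the diagram is true in the structure built from it."""
    structure = structure or build()
    return all(structure.satisfies(e) for e in DIAGRAM)
```

With the sample diagram the domain has three elements, and sentences the diagram does not list but a maximal theory with identity axioms would contain, such as $P(c_1)$ or $f(c_0) = c_3$, come out true automatically because the interpretation is defined on classes.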

The State Set
$S^A$ is defined to be the collection of all sets $s \subseteq \mathrm{Fma}_{L_\chi}$ such that
• $s$ is a $\chi$-rich maximal $L_\chi$-theory, and
• $\mathrm{Diag}^A \subseteq s$.

Exercises 14.1
(1) $s_A \in S^A$.
(2) If $B$ is an atomic $L_\chi$-sentence, or the negation of such a sentence, then for any $s \in S^A$,
  $B \in s$ iff $B \in s_A$.

The Valuations
$V^A_s(v) = \bar{c}$ iff $(v = c) \in s$.
Observe that for any $s \in S^A$ and any variable $v$, the Witness Lemma 13.10 guarantees that there is a $c \in \chi$ with $(v = c) \in s$.

Exercises 14.2
(1) For any $L_\chi$-term $\sigma$, and $s \in S^A$,
  $V^A_s(\sigma) = \bar{c}$ iff $(\sigma = c) \in s$.
(2) For any Boolean $L_\chi$-formula $\varphi$, and $s \in S^A$,
  $\mathfrak{A}^A \models \varphi[V^A_s]$ iff $\varphi \in s$.
In order to model assignments, we need a major preliminary result:

Assignment Lemma 14.3. For any $L_\chi$-assignment $(v := \sigma)$, if $s \in S^A$ then $s(v := \sigma) \in S^A$, where

$$s(v := \sigma) = \{B \in \mathrm{Fma}_{L_\chi} : [v := \sigma]B \in s\}.$$

Proof. First of all, $s(v := \sigma)$ contains all $L_\chi$-theorems, for if $\vdash B$ then $\vdash [v := \sigma]B$ by Necessitation, so $[v := \sigma]B \in s$, hence $B \in s(v := \sigma)$. Closure of $s(v := \sigma)$ under Detachment follows directly from the axiom

$$K: \quad [v := \sigma](B \to D) \to ([v := \sigma]B \to [v := \sigma]D),$$

and the closure of $s$ under Detachment.
Closure of $s(v := \sigma)$ under Omega-Iteration is the substance of Lemma 13.3 on page 156.
Thus $s(v := \sigma)$ is an $L_\chi$-theory, and so is deductively closed. Consistency now follows, for if $s(v := \sigma) \vdash \bot$ then $\bot \in s(v := \sigma)$, and so $[v := \sigma]\bot \in s$, contradicting the consistency of $s$, since $\vdash \neg[v := \sigma]\bot$ by axiom A7 (cf. Exercise 13.1(4)). A7 also implies

$$([v := \sigma]B \lor [v := \sigma]\neg B) \in s,$$

so for any formula $B$, one of $B$ and $\neg B$ is in $s(v := \sigma)$. Hence $s(v := \sigma)$ is a maximal theory.
To prove $\mathrm{Diag}^A \subseteq s(v := \sigma)$, observe that if $\varphi \in \mathrm{Diag}^A$, then by axiom A8 (cf. Exercise 13.1(6)),

But, by definition, $\varphi$ contains no variables, so $\varphi^v_\sigma = \varphi \in s$. Hence $[v := \sigma]\varphi \in s$, giving $\varphi \in s(v := \sigma)$.
It remains to show that $s(v := \sigma)$ is $\chi$-rich, i.e. that $\chi$ is a set of witnesses for $s(v := \sigma)$ in $L_\chi$. This will use all the remainder of our axioms on quantifiers and assignments.
Suppose then that $\forall wB \notin s(v := \sigma)$, i.e. $[v := \sigma]\forall wB \notin s$. We want $[w := c]B \notin s(v := \sigma)$, for some $c \in \chi$. There are two cases.
Case 1: $w = v$. Then by A5, $\forall wB \notin s$. Since $s$ is $\chi$-rich, $[w := c]B \notin s$ for some $c \in \chi$. But the formula

$$[w := \sigma][w := c]B \to [w := c]B$$

is an instance of axiom A9, so gives

$$[w := \sigma][w := c]B \notin s,$$

hence $[w := c]B \notin s(w := \sigma) = s(v := \sigma)$, as desired.


Case 2: $w \neq v$. By the Witness Lemma 13.10, there is a $d \in \chi$ with $(\sigma = d) \in s$. Applying A11 gives

$$[v := d]\forall wB \notin s.$$

Since $w$ does not occur in $(v := d)$, the "Barcan formula" A6 then yields

$$\forall w[v := d]B \notin s,$$

so for some witness $c \in \chi$,

$$[w := c][v := d]B \notin s.$$

But as an instance of A10 we have

$$[v := d][w := c]B \to [w := c][v := d]B,$$

so that we can conclude

$$[v := d][w := c]B \notin s.$$

Axiom A11 again then yields

$$[v := \sigma][w := c]B \notin s,$$

whence $[w := c]B \notin s(v := \sigma)$.

Corollary 14.4.

$$[v := \sigma]B \in s \quad\text{iff}\quad B \in s(v := \sigma).$$

Proof. If $[v := \sigma]B \notin s$, then by A7, $[v := \sigma]\neg B \in s$, so $\neg B \in s(v := \sigma)$.

Modelling Programs
For assignments, we put

$$s\,R^A_{v := \sigma}\,t \quad\text{iff}\quad t = s(v := \sigma),$$

while for structured commands, $R^A_\alpha$ is defined inductively by the standard-model condition on $\alpha$. In particular, for Boolean tests,

This completes the definition of the $L_\chi$-model $\mathcal{M}^A$.

Lemma 14.5. $\mathcal{M}^A$ is a standard model.

Proof. The only standard-model conditions not built in to the definition are the ones for assignments. For these, note first that the Assignment Lemma 14.3 ensures that $R^A_{v := \sigma}$ is serial, i.e. that for all $s \in S^A$ there exists $t \in S^A$ with $s\,R^A_{v := \sigma}\,t$.
Next, suppose that $s\,R^A_{v := \sigma}\,t$. We have to show that $s(v/\sigma)t$, i.e. that $V^A_s$ and $V^A_t$ differ only in that $V^A_t(v) = V^A_s(\sigma)$. Let $V^A_s(\sigma) = \bar{c}$, so that $(\sigma = c) \in s$. Now by A8,

$$\vdash (\sigma = c) \to [v := \sigma](v = c),$$

so $[v := \sigma](v = c) \in s$, whence

$$(v = c) \in s(v := \sigma) = t,$$

and so $V^A_t(v) = \bar{c} = V^A_s(\sigma)$, as required. But if $w$ is any variable other than $v$, A8 gives

$$\vdash (w = c) \to [v := \sigma](w = c),$$

from which similar reasoning shows that if $V^A_s(w) = \bar{c}$, then $V^A_t(w) = \bar{c}$. This completes the proof.

Lemma 14.5 ensures that $\mathcal{M}^A$ has enough states, and so interprets the quantifier $\forall$ correctly. Moreover, from the Quantifier/Assignment Lemma 12.7, it gives

Corollary 14.6.

$$\mathcal{M}^A \models_s \forall vB \quad\text{iff}\quad \text{for all } c \in \chi,\ \mathcal{M}^A \models_s [v := c]B.$$

We are heading towards a Truth Lemma for $\mathcal{M}^A$, and, as a final preliminary, we extract a part of its proof for separate consideration. To this end, a formula $B$ is defined to be correct if for every $s \in S^A$,

$$\mathcal{M}^A \models_s B \quad\text{iff}\quad B \in s.$$

Program Lemma 14.7. Let $\alpha$ be an $L_\chi$-program. Then for any $L_\chi$-formula $B$, if $B$ is correct, then $[\alpha]B$ is correct.
Proof. By induction on the formation of $\alpha$. Take first the case that $\alpha$ is an assignment $(v := \sigma)$. If $B$ is correct, then in particular

$$\mathcal{M}^A \models_{s(v := \sigma)} B \quad\text{iff}\quad B \in s(v := \sigma).$$

But by definition of $\mathcal{M}^A$,

$$\mathcal{M}^A \models_s [v := \sigma]B \quad\text{iff}\quad \mathcal{M}^A \models_{s(v := \sigma)} B,$$

while by Corollary 14.4,

$$[v := \sigma]B \in s \quad\text{iff}\quad B \in s(v := \sigma),$$

and so $[v := \sigma]B$ is correct.
Next the case of a test $\varphi?$. The Boolean formula $\varphi$ is correct (Exercise 14.2(2)), so that if $B$ is correct it follows readily that $(\varphi \to B)$ is correct also. Correctness of $[\varphi?]B$ is then obtained by use of the formula

which is true in the standard model $\mathcal{M}^A$, and a member of every $s \in S^A$, since it is an instance of the axiom schema Test.
Now for the case of a program $\alpha;\beta$, under the inductive assumption that the Lemma holds for $\alpha$ and for $\beta$. Then if $B$ is correct, the hypothesis on $\beta$ makes $[\beta]B$ correct, and so the hypothesis on $\alpha$ applied to $[\beta]B$ makes $[\alpha][\beta]B$ correct, i.e.

$$\mathcal{M}^A \models_s [\alpha][\beta]B \quad\text{iff}\quad [\alpha][\beta]B \in s.$$

Correctness of $[\alpha;\beta]B$ then follows by using the instance

$$[\alpha;\beta]B \leftrightarrow [\alpha][\beta]B$$

of axiom Comp, which is true in the standard model $\mathcal{M}^A$.
The case of a program of the form $\alpha \cup \beta$ is similar to that of $\alpha;\beta$, using the axiom Alt, and is left to the reader.
Finally the case of an iterative program $\alpha^*$, assuming the result for $\alpha$. Suppose $B$ is correct. First we show that $[\alpha]^nB$ is correct for all $n \in \omega$. If $n = 0$, this is just the assumption on $B$. Assuming that $[\alpha]^nB$ is correct, the hypothesis on $\alpha$ then gives $[\alpha][\alpha]^nB$, i.e. $[\alpha]^{n+1}B$, correct. Hence, by induction on $n$, we get

$$\mathcal{M}^A \models_s [\alpha]^nB \quad\text{iff}\quad [\alpha]^nB \in s,$$

for all $n$ and $s$. But in the standard model $\mathcal{M}^A$,

$$\mathcal{M}^A \models_s [\alpha^*]B \quad\text{iff}\quad \text{for all } n \in \omega,\ \mathcal{M}^A \models_s [\alpha]^nB$$

(Exercise 10.1(1)), while

$$[\alpha^*]B \in s \quad\text{iff}\quad \text{for all } n \in \omega,\ [\alpha]^nB \in s,$$

by closure of $s$ under Omega-Iteration etc. (Exercise 13.2(9)(v)). Hence $[\alpha^*]B$ is correct.
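The standard-model conditions the Program Lemma runs through (assignment as the state transformer $s(v := \sigma)$, Test, Comp, Alt, and $[\alpha^*]B$ as $[\alpha]^nB$ for all $n$) can be executed directly on a finite model. The following is an added example in Python, not code from Goldblatt's text; the domain $\mathbb{Z}_4$, the variable list and the two programs are constructed for it, and the quantifier clause takes the shape of Corollary 14.6 because every element of the domain is named by a constant.

```python
"""Model checker for the standard-model conditions over a finite domain."""
# Added example, not from Goldblatt's text. States are valuations of the
# variables in VARS over the integers modulo MOD (constructed choices), so
# every term denotes and the state space is finite. Programs and formulas
# are nested tuples:
#   terms:     ("var", v) | ("const", k) | ("plus", t, u) | ("minus", t, u)
#   programs:  ("assign", v, term) | ("test", formula) | ("seq", a, b)
#              | ("alt", a, b) | ("star", a)
#   formulas:  ("eq", t, u) | ("not", f) | ("imp", f, g) | ("box", prog, f)
#              | ("forall", v, f)
from itertools import product

MOD = 4
VARS = ("x", "y")

def freeze(state):
    """Hashable form of a state (dict of variable -> value)."""
    return tuple(sorted(state.items()))

def eval_term(term, state):
    kind = term[0]
    if kind == "var":
        return state[term[1]]
    if kind == "const":
        return term[1] % MOD
    a, b = eval_term(term[1], state), eval_term(term[2], state)
    if kind == "plus":
        return (a + b) % MOD
    if kind == "minus":
        return (a - b) % MOD
    raise ValueError(kind)

def successors(prog, state):
    """R_prog(state): the frozen states reachable by one execution of prog."""
    kind = prog[0]
    if kind == "assign":                      # s(v := sigma): only v changes
        new = dict(state)
        new[prog[1]] = eval_term(prog[2], state)
        return {freeze(new)}
    if kind == "test":                        # phi?: stay put iff phi holds
        return {freeze(state)} if holds(prog[1], state) else set()
    if kind == "seq":                         # Comp: run a, then b
        return {u for t in successors(prog[1], state)
                  for u in successors(prog[2], dict(t))}
    if kind == "alt":                         # Alt: either branch
        return successors(prog[1], state) | successors(prog[2], state)
    if kind == "star":                        # a*: reflexive-transitive closure
        seen, frontier = {freeze(state)}, [freeze(state)]
        while frontier:                       # terminates: finite state space
            t = frontier.pop()
            for u in successors(prog[1], dict(t)):
                if u not in seen:
                    seen.add(u)
                    frontier.append(u)
        return seen
    raise ValueError(kind)

def holds(formula, state):
    """Truth at a state; [a*]B comes out as '[a]^n B for all n' via the closure."""
    kind = formula[0]
    if kind == "eq":
        return eval_term(formula[1], state) == eval_term(formula[2], state)
    if kind == "not":
        return not holds(formula[1], state)
    if kind == "imp":
        return (not holds(formula[1], state)) or holds(formula[2], state)
    if kind == "box":
        return all(holds(formula[2], dict(t)) for t in successors(formula[1], state))
    if kind == "forall":
        # Every element is named by a constant, so quantification reduces to
        # assignments of constants, as in Corollary 14.6.
        return all(holds(("box", ("assign", formula[1], ("const", c)), formula[2]), state)
                   for c in range(MOD))
    raise ValueError(kind)

def valid(formula):
    """True iff the formula holds at every state of the model."""
    return all(holds(formula, dict(zip(VARS, vals)))
               for vals in product(range(MOD), repeat=len(VARS)))

# Constructed programs and formulas used below.
X, Y, ZERO, ONE = ("var", "x"), ("var", "y"), ("const", 0), ("const", 1)
EQ = ("eq", X, Y)
STEP = ("seq", ("assign", "x", ("plus", X, ONE)), ("assign", "y", ("plus", Y, ONE)))
LOCKSTEP = ("star", STEP)
COUNTDOWN = ("seq",
             ("star", ("seq", ("test", ("not", ("eq", X, ZERO))),
                              ("assign", "x", ("minus", X, ONE)))),
             ("test", ("eq", X, ZERO)))

def demo():
    """A few judgements about the two constructed programs."""
    return {
        # x = y is an invariant of the lockstep loop ...
        "lockstep_invariant": valid(("imp", EQ, ("box", LOCKSTEP, EQ))),
        # ... but [LOCKSTEP](x = y) is not true at every state
        "lockstep_unconditional": valid(("box", LOCKSTEP, EQ)),
        # every terminating run of the countdown ends with x = 0
        "countdown_partial": valid(("box", COUNTDOWN, ("eq", X, ZERO))),
        # and from every state some run does terminate (dual of box)
        "countdown_total": valid(("not", ("box", COUNTDOWN, ("not", ("eq", X, ZERO))))),
        "forall_reflexive": valid(("forall", "x", ("eq", X, X))),
        "forall_xy": valid(("forall", "x", EQ)),
    }
```

The closure search in the `star` case is where finiteness matters: over the finite state set the set of states reachable by some number of iterations is computed outright, so the box over it is exactly the conjunction of $[\alpha]^nB$ over all $n$ that the standard-model condition (Exercise 10.1(1)) prescribes.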
Truth Lemma for $\mathcal{M}^A$. Every $L_\chi$-formula $B$ is correct, i.e. for every $s \in S^A$,

$$\mathcal{M}^A \models_s B \quad\text{iff}\quad B \in s.$$

Proof. That Boolean formulae are correct is Exercise 14.2(2). The truth-functional cases are as usual.
If $B$ is correct, then for any program $\alpha$, correctness of $[\alpha]B$ is given by the Program Lemma 14.7 (which was treated separately because it requires an "inner" induction on $\alpha$).
Finally, consider $\forall vB$, assuming $B$ is correct. We have

$$\mathcal{M}^A \models_s \forall vB \quad\text{iff}\quad \text{for all } c \in \chi,\ \mathcal{M}^A \models_s [v := c]B,$$

by Corollary 14.6, while for each $c \in \chi$, the Program Lemma gives

$$\mathcal{M}^A \models_s [v := c]B \quad\text{iff}\quad [v := c]B \in s.$$

Since $\chi$-richness and axiom A3 yield

$$\forall vB \in s \quad\text{iff}\quad \text{for all } c \in \chi,\ [v := c]B \in s,$$

correctness of $\forall vB$ then follows.

Completeness Theorem. If $L$ is countable, then for any $L$-formula $A$, the following are equivalent.
(1) $\vdash_L A$.
(2) $A$ is true in all natural $L$-models.
(3) $A$ is true in all standard $L$-models.
Proof.
(1) implies (2): if $\mathcal{M}$ is natural, $\{A : \mathcal{M} \models A\}$ is a normal modal logic containing all axioms and closed under Generalisation and Omega-Iteration, hence containing

$$\Lambda_L = \{A : \vdash A\}.$$

(2) implies (3): Corollary 12.6 (from Theorem 12.5(3)).
(3) implies (1): if $\nvdash A$, then in the standard model $\mathcal{M}^A$ constructed above, the Truth Lemma gives $A$ false at $s_A$.
Bibliography

In addition to the books and papers cited in the text, the following list
includes other items of potential interest to the student of modal and tem-
poral logic.

Ben-Ari, M., Halpern, J.Y., and Pnueli, A.
[1982] Deterministic propositional dynamic logic: finite models, com-
plexity, and completeness, J. Comp. Syst. Sci., 25, 402-417.
Ben-Ari, M., Pnueli, A., and Manna Z.
[1983] The temporal logic of branching time, Acta Informatica, 20, 207-
226.
Blok, W.J.
[1980] The lattice of modal algebras: an algebraic investigation, J. Sym-
bolic Logic, 45, 221-236.
Boolos, George
[1979] The Unprovability of Consistency, Cambridge University Press.
Boolos, George, and Sambin, Giovanni
[1985] An incomplete system of modal logic, J. Philosophical Logic 14,
351-358.
Bull, R.A.
[1966] That all normal extensions of S4.3 have the finite model property,
Zeit. Math. Logik Grund. Math., 12, 341-344.
Bull, Robert A., and Segerberg, Krister
[1984] Basic modal logic, in Gabbay and Guenthner (eds.), 1-88.
Burgess, John P.
[1984] Basic tense logic, in Gabbay and Guenthner (eds.), 89-133.
Chellas, Brian F.
[1980] Modal Logic: An Introduction, Cambridge University Press.
Clarke, E.M., and Emerson, E.A.
[1981] Design and synthesis of synchronisation skeletons using branch-
ing time temporal logic, in Logics of Programs, D. Kozen (ed.),
Lecture Notes in Computer Science 131, Springer-Verlag, 52-71.

[1982] Using branching time temporal logic to synthesize synchronisation
skeletons, Science of Computer Programming, 2, 241-266.
Cresswell, M.J.
[1984] An incomplete decidable modal logic, J. Symbolic Logic, 49, 520-
527.
de Bakker, J.W., de Roever, W.-P., and Rozenberg, G. (eds.)
[1989] Linear Time, Branching Time, and Partial Order in Logics and
Models for Concurrency, Lecture Notes in Computer Science 354,
Springer-Verlag.
Emerson, E.A., and Halpern, Joseph Y.
[1985] Decision procedures and expressiveness in the temporal logic of
branching time, J. Computer and Systems Sciences, 30, 1-24.
Fine, K.
[1971] The logics containing S4.3, Zeit. Math. Logik Grund. Math., 17,
371-376.
[1974] An incomplete logic containing S4, Theoria, 40, 23-29.
[1975] Some connections between modal and elementary logic, in Proc.
Third Scandinavian Logic Symposium, Stig Kanger (ed.), Studies
in Logic 82, North-Holland, 15-31.
[1975a] Normal forms in modal logic, Notre Dame J. of Formal Logic, 16,
229-237.
Fischer, M.J., and Ladner, R.F.
[1979] Propositional dynamic logic of regular programs, J. Comp. Syst.
Sci., 18, 194-211.
Gabbay, D., and Guenthner, F. (eds.)
[1984] Handbook of Philosophical Logic, Volume II: Extensions of Clas-
sical Logic, D. Reidel.
Gabbay, D., Pnueli, A., Shelah, S., and Stavi, J.
[1980] On the temporal analysis of fairness, Proc. 7th ACM Symp. on
Principles of Programming Languages, Las Vegas, Jan. 1980,163-
173.
Galton, Antony
[1987] Temporal Logics and their Applications, Academic Press.
Gödel, Kurt
[1933] Eine Interpretation des intuitionistischen Aussagenkalküls, Ergeb-
nisse eines mathematischen Kolloquiums, 4 (1931-32), 39-40. En-
glish translation in Kurt Gödel, Collected Works, vol. I, Solomon
Feferman et al. (eds.), Oxford University Press, 1986, 296-303.

Goldblatt, Robert
[1975] First-order definability in modal logic, J. Symbolic Logic, 40, 35-
40.
[1975a] Solution to a completeness problem of Lemmon and Scott, Notre
Dame J. of Formal Logic, 16, 405-408.
[1976] Metamathematics of modal logic, Reports on Mathematical Logic,
Polish Scientific Publishers, Warsaw-Cracow, 6, 41-78 (Part I);
and 7, 21-52 (Part II).
[1980] Diodorean modality in Minkowski spacetime, Studia Logica, 39,
219-236.
[1982] Axiomatising the Logic of Computer Programming, Lecture Notes
in Computer Science 130, Springer-Verlag.
[1982a] The semantics of Hoare's iteration rule, Studia Logica, 41, 141-
158.
[1986] Review of Fischer and Ladner [1979], Pratt [1976], Segerberg
[1982], and other papers, J. Symbolic Logic, 51, 225-227.
[1990] On closure under canonical embedding algebras, in Algebraic Log-
ic, H. Andreka, J.D. Monk, and I. Nemeti (eds.), Colloquia Math-
ematica Societatis Janos Bolyai, 54, North-Holland Publishing
Co., 217-229.
[1991] The McKinsey axiom is not canonical, J. Symbolic Logic, 56,
554-562.

Hailpern, Brent T.
[1982] Verifying Concurrent Processes Using Temporal Logic, Lecture
Notes in Computer Science 129, Springer-Verlag.

Harel, David
[1979] First-order Dynamic Logic, Lecture Notes in Computer Science
68, Springer-Verlag.
[1984] Dynamic logic, in Gabbay and Guenthner (eds.), 497-604.

Hughes, G.E., and Cresswell, M.J.
[1968] An Introduction to Modal Logic, Methuen.
[1984] A Companion to Modal Logic, Methuen.

Kamp, J.A.W.
[1968] Tense Logic and the Theory of Order, Ph.D dissertation, UCLA.

Kozen, Dexter, and Tiuryn, Jerzy
[1989] Logics of Programs, Technical Report 89-962, Department of
Computer Science, Cornell University. Published in Handbook
of Theoretical Computer Science, Vol. B, North-Holland, 1990.

Kripke, Saul A.
[1959] A completeness theorem in modal logic, J. Symbolic Logic, 24,
1-14.
[1963] Semantic analysis of modal logic I: normal propositional calculi,
Zeit. Math. Logik Grund. Math., 9, 67-96.
Lemmon, E.J.
[1977] An Introduction to Modal Logic, in collaboration with Dana Scott,
American Philosophical Quarterly Monograph Series 11, Basil
Blackwell, Oxford.
Lewis, C.I., and Langford, C.H.
[1932] Symbolic Logic, The Century Co.
Makinson, D.
[1969] A normal modal calculus between T and S4 without the finite
model property, J. Symbolic Logic, 34, 35-38.
Manna, Z., and Pnueli, A.
[1981] Verification of concurrent programs: the temporal framework, in
The Correctness Problem in Computer Science, R.S. Boyer and
J.S. Moore (eds), Academic Press, 215-273.
Moszkowski, Ben
[1986] Executing Temporal Logic Programs, Cambridge University Press.
Nerode, A., and Wijesekera, D.
[1990] Constructive concurrent dynamic logic I, Technical Report 90-43,
Mathematical Sciences Institute, Cornell University.
Parikh, R.
[1984] Logics of knowledge, games, and dynamic logic, in Foundations of
Software Technology and Theoretical Computer Science, Lecture
Notes in Computer Science 181, M.Joseph and R.Shyamasundar
(eds.), 202-222.
Peleg, David
[1987] Concurrent dynamic logic, JACM, 34, 450-479.
[1987a] Communication in concurrent dynamic logic, J. Comp. Syst. Sci.,
35, 23-58.
Pnueli, A.
[1981] The temporal semantics of concurrent programs, Theoretical Com-
puter Science, 13, 45-60.
Pratt, V.R.
[1976] Semantical considerations on Floyd-Hoare logic, Proc. 17th IEEE
Symp. on Foundations of Computer Science, 109-121.

Prior, Arthur
[1957] Time and Modality, Clarendon Press, Oxford.
[1967] Past, Present, and Future, Clarendon Press, Oxford.
Rescher N., and Urquhart, A.
[1971] Temporal Logic, Springer-Verlag.
Rosenschein, Stanley J.
[1985] Formal theories of knowledge in AI and robotics, New Genera-
tion Computing, 3, Ohmsha Ltd., Tokyo. Also as Technical Note
362, Artificial Intelligence Center, SRI International, Menlo Park,
California.
Rosenschein, Stanley J., and Kaelbling, Leslie Pack
[1986] The synthesis of digital machines with provable epistemic proper-
ties, SRI International and CSLI Stanford.
Sahlqvist, H.
[1975] Completeness and correspondence in first and second order se-
mantics for modal logic, in Proceedings of the Third Scandinavian
Logic Symposium, ed. Stig Kanger, North-Holland, 110-143.
Sambin, G., and Vaccaro, V.
[1989] A new proof of Sahlqvist's theorem on modal definability and
completeness, J. Symbolic Logic, 54, 992-999.
Segerberg, Krister
[1970] Modal logics with linear alternative relations, Theoria, 36, 301-
322.
[1971] An Essay in Classical Modal Logic, Philosophical studies pub-
lished by the Philosophical Society and the Department of Phi-
losophy, University of Uppsala, volume 13, Uppsala.
[1982] A completeness theorem in the modal logic of programs, in Uni-
versal Algebra and Applications, T. Traczyk (ed.), Banach Centre
Publications 9, PWN - Polish Scientific Publishers, Warsaw, 31-
46.
Thomason, S.K.
[1972] Semantic analysis of tense logics, J. Symbolic Logic, 37, 150-158.
[1974] An incompleteness theorem in modal logic, Theoria, 40, 30-34.
[1975] Reduction of second-order logic to modal logic, Zeit. Math. Logik
Grund. Math., 21, 107-114.
Urquhart, A.
[1981] Decidability and the finite model property, J. Philosophical Logic,
10, 367-370.
van Benthem, J.F.A.K.
[1975] A note on modal formulas and relational properties, J. Symbolic
Logic, 40, 55-58.
[1978] Two simple incomplete modal logics, Theoria, 44, 25-37.
[1980] Some kinds of modal completeness, Studia Logica, 39, 125-141.
[1983] The Logic of Time, D. Reidel.
Index

alphabet, 146
alternation, 109
always, 41
ancestral, 9-10, 86, 90, 119
Ancestral Lemma, 93
antisymmetric, 15
Archimedean property, 144
assignment command, 143, 146
  random, 144
Assignment Lemma, 164
asymmetric, 15
atomic
  formula, 3, 109, 146
  program, 109
axioms A1-A11, 151-152

B, 22
Backus-Naur form (BNF), 3
balloon, 67
Barcan formula, 152
beginning time, 79
binary relation, 116
Boolean formula, 146
branch, 99, 100, 103
branching time, 99
Bull's Theorem, 75-77

canonical
  frame, 24
  logic, 51
  model, 24, 38, 125, 162-165
characteristic formula, 102
closed set, 112
cluster, 66
  degenerate, 66
  first, 67
  last, 67
  later, 66
  non-degenerate, 67
  ordering of, 66
  proper, 67
  simple, 67
  unwinding of, 96
cofinite, 56
combination, 116
completeness, 17
completeness theorems, 25, Ex. 3.9(6)
composition, 109
concurrent program, 84, 116
connected, 29
  weakly future-, 42
consistent, 17, 155
constant, 146
Cont, Ex. 6.4(4), 81
continuous ordering, 42-43
continuous time, 70
correctness, 85
  partial, 85
  total, 85
CPDL, 122
  determination of, 123-138
CPDL-model, 117
CTL, 100
  determination of, 101-108
CTL-model, 100
cut, 42
  filling, 83

D, 22
dead point, 58
deadlock, 84
decidability, 34-36
deducible, 18, 156
Deduction Theorem, 18, 156
Definability Lemma, 74, 92
degenerate cluster, 66
degree (of a formula), 60
dense time, 70
deontic logic, 7
Detachment, 16, 18
determination of
  CPDL, 123-138
  CTL, 101-108
  K, 25, 34
  K4.3, 27
  KWLZ (= Ω), 68-69
  K4DLX, 70-71
  KD, 27
  Kt, 41
  KW (= G), 70
  Lin, 78
  LinDisc, 78
  LinDisc", 79
  LinRat, 79-80
  Lin-Re, 81-83
  PDL, 111-115
  S4, 27
  S4.2, 27, 30, 45-46
  S4.3, 27, 71
  S4.3Dum, 44, 71, 73-75
  S5, 27, 29, 30
  Θ, 91-98
deterministic program, 139
diagram, 162
Diodorean modality, 44, 71
  discrete, 71
directed, 30
discrete time, 65, 71, 78
disjoint union, 30
distinguished model, 36
Dum, 71, 87
  role of, 95
Dum-Lemma, 74, 95
dynamic logic, 109
  concurrent, 116

elementary
  class of frames, 53
  equivalence 14, 53
enough states, 148
Euclidean, 12
eventuality formula, 105
eventually, 7
execution relation, 127
expressibility, 144

4 (schema), 22
5 (schema), 22
falsum, 3
filtration, 31-33, 38, 44, 92, 101, 113, 129
  largest, 33, 132
  smallest, 33
  temporal, 44
  transitive, 33, 43
Filtration Lemma, 33, 38, 44, 96, 107, 115, 131
finite frame property, 34-35
  failure of, 54
  strong, 34
finite model property, 35-36
finitely axiomatisable, 34
finitely based, 32
first cluster, 67
first-order
  conditions on R, 12
  definability, 14, 48
  determined logic, 53
  formula, 146
Fischer-Ladner Lemma, 113, 130
fixed point, 119
formula, 3, 37, 86, 100, 109, 117, 146
  atomic, 3, 87, 146
  Boolean, 146
  characteristic, 102
  eventuality, 105
  first-order, 146
  fulfilled, 105
  modal, 4
  multi-modal, 37
  positive, 48
  quasi-atomic, 8, 37
  realised, 103, 105
  sub-, 5
frame, 6, 37
  canonical, 24
  induction, 90, 98
fulfilled formula, 105
Fulfilment Lemma, 105
Fun, 87
  role of, 94
Fun-Lemma, 94
functional, 12

G (= KW), 22
  determination of, 70
Γ-tree, 103
Generalisation, 154
Generalisation Lemma, 157
generated
  submodel, 10, 39
  time model, 43
greatest element, 81

H, 56
having enough states, 148
head, 72
henceforth, 7, 40, 86
hitherto, 7, 40

Identity axioms, 154
immediate successor, 100
incomplete logics, 55-57
Ind, 87, 94, 111, 115, 122, 135, 154, 155
induction, 87
  frame 90, 98
  model 90, 98
  postulate, 144
interior node, 103
introspective knowledge, 28
irreflexive, 14
iteration, 109
Iteration Rule, 116

K, 20, Ex. 2.7(6)
  determination of, 25, 34
K4.3, 22
  determination of 27
KWLZ, 65
  determination of, 68-69
KWLX, 70-71
KΣ1 ⋯ Σn, 22, Ex. 2.8(1)
Kt, 41
KTMk, 54
KW (= G), 22, 51, 56, 57, 70, 79
  determination of, 70

L, 22
L1, 88
labelled node, 103
last cluster, 67
later cluster, 66
leaf, 103
least element, 81
least solution, 119
Lemma
  Ancestral, 93
  Assignment, 164
  Definability, 74, 92
  Dum-, 74, 95
  Filtration, 33, 38, 44, 96, 107, 115, 131
  Fischer-Ladner, 113, 130
  Fulfilment, 105
  Fun-, 94
  Generalisation, 157
  Lindenbaum's, 20
  p-Morphism, 11, 44, 150
  Program, 166
  Quantifier-Assignment, 151
  Rc-, 73
  Truth, 25, 126, 168
  Witness, 159
  Z-, 69, 78
Lemmon-Scott schema, 48
Lin, 78
Lindenbaum's Lemma, 20
LinDisc, 78
LinDisc", 79
linear temporal logic, 78
LinRat, 79
LinRe, 81
live point, 58
logic, 16, 38
  canonical, 51
  decidable, 34-35
  dynamic, 109
  finitely axiomatisable, 34
  first-order determined, 53
  incomplete, 55-57
  linear temporal, 78
  normal, 20, 38
  temporal, 7, 41
  undecidable, 58-61
  uniform, 23

M (see McKinsey axiom), 14, 53
maximal set, 18, 123
  existence of, 19-20
maximal theory, 158
  existence of, 159
McKinsey axiom, 14, 53
Minkowskian spacetime, 7, 45-46
mirror image, 41
Mix, 87, 94, 111, 115, 122, 129, 135, 136
modal degree, 60
modal formula, 4
modal logic
  of (ω, <), 65, 68-69
  of (Q, <), 43, 70-71
  of (R, <), 43, 70-71
model, 6, 37, 40-41, 110, 147
  canonical, 24, 38, 125, 162-165
  CPDL-, 117
  CTL-, 110
  distinguished, 36
  generated sub-, 10, 39, 43
  induction, 90, 98
  natural, 149
  on a state sequence, 86
  sequential, 138
  standard, 110, 118, 149
monotonic, 119

natural model, 149
Necessitation, 20, 38, 87, 101, 122, 154
necessity, 6
  logical, 7, 28
  physical, 7
next, 47, 86
node, 103
  interior, 103
  labelled, 103
  leaf, 103
non-degenerate cluster, 67
normal logic, 20, 38
  smallest (K), 20, 38
normality, 137

Ω (= KWLZ), 65
Omega-Iteration, 154-155
ordering
  continuous, 42-43
  of clusters, 66
  strict, 42
  total, 42

parallel execution, 116
path, 100
partial correctness, 85
partially functional, 12
PDL, 111
  determination of, 111-115
Peano induction, 144
p-morphism, 11-12, 126
  temporal, 44
p-Morphism Lemma, 11, 44, 150
PL (Propositional Logic), 16
positive formula, 48
predecessor, 103
program, 109
  atomic, 109
  concurrent, 84, 116
  deterministic, 139
  structured, 146
  test, 109, 146
Program Lemma, 166
proper cluster, 67

Q, 7
Quantifier-Assignment Lemma, 151
quasi-atomic formula, 8, 37

R, 7
R-branch, 100, 103
R-path, 100
Rc-Lemma, 73
RT, 44
random assignment, 144
rational-number frame, 43, 70-71, 79-80
rational open interval, 79
reachability relation, 116
  operations on, 118
real-number frame, 43, 70-71, 81-83
real open interval, 81
realised formula, 103, 105
recession frame, 55, 57
reflexive, 12
reflexive transitive closure, 10
responsiveness, 85
rich theory, 158
right end-point, 71
right-open interval, 70
root, 103
rule of
  Detachment, 16, 18
  Generalisation, 154
  Iteration, 116
  Necessitation, 20, 38, 87, 101, 122, 154
  Omega-Iteration, 154-155
  Uniform Substitution, 5, 23

S4, 22
  determination of, 27
S4.2, 27, 45-46
  determination of, 27, 30, 45-46
S4.3, 22
  determination of, 27, 71
S4.3Dum, 44, 71
  determination of, 73-75
S5, 22, 28-29, 42
  determination of, 27, 29, 30
Sahlqvist's schemata, 51
schema, 5-6, 23
  Lemmon-Scott, 48
  Sahlqvist's, 51
sequential
  model, 138
  relation, 137
serial, 12, 100
simple cluster, 67
since, 47
soundness, 17, 18, 152-153
standard model, 110, 118, 149
state, 7, 84, 116, 143
state sequence, 86
strict implication, 15
strict ordering, 42
strict total ordering, 42
strong finite frame property, 34
structure, 147
structured program, 146
subformula, 5
submodel, 10, 39
substitution, 143
  uniform, 5, 23
substitution instance, 5
successor, 42, 103
symmetric, 12

T, 22
Θ, 87
  determination of, 91-98
tautological consequence, 17
tautology, 8
temporal filtration, 44
temporal logic, 7, 41
  linear, 79
  of (ω, <), 78
  of (Q, <), 79-80
  of (R, <), 81-83
  of (Z, <), 78
temporal p-morphism, 44
term, 146
test program, 109, 146
theorem, 17, 154
theory, 155
  maximal, 158
  rich, 158
time
  beginning, 79
  branching, 99
  continuous, 70
  dense, 70
  discrete, 65, 71, 78
  endless, 65
  rational, 79
  real, 81
time-frame, 41
total correctness, 85
total ordering, 42
  strict, 42
transitive, 12
tree, 103
truth
  at a point, 6, 37, 90, 100, 110, 116-117, 148
  at a state, 86
  in a model, 8
Truth Lemma, 25, 126, 168

undecidable logics, 58-61
undefinable conditions, 14
uniform
  logic, 23
  Substitution, 5, 23
universal relation, 28, 67
until, 47, 86, 99
unwinding clusters, 96

VΓ, 32
valid in frame, 8
valuation, 8, 143, 147
verum, 4

W, 14, 22, 51, 56, 57, 70, 79
  implies transitivity, 14, 56
weakly connected, 12, 30
weakly dense, 12, 70
weakly directed, 12
weakly future-connected, 42
witness, 158
Witness Lemma, 159

Z, 7
Z, 65
Z-Lemma, 69, 78
formation Johan van Benthem
The Prince and the Phone Booth: CSLI-90-144 ($5.50)
Reporting Puzzling Beliefs
Mark Crimmins and John Perry What Is Information? David Israel
CSLI-88-128 ($3.50) and John Perry CSLI-91-145 ($4.50)
Set Values for Unification-Based Fodor and Psychological Explana-
Grammar Formalisms and Logic tions John Perry and David Israel
Programming William Rounds CSLI-91-146 ($^.50)
CSLI~88-129($4.00) Decision Problems for Propositional
Fifth Year Report of the Situated
Linear Logic Patrick Lincoln, John
Language Research Program
Mitchell, Andre Scedrov, and Natara-
CSLI-88-130 (free)
jan Shankar CSLI-91-147 ($10.00)
Annual Report 1989-90 CSLI-91-148
Locative Inversion in Chichewa: A (free)
Case Study of Factorization in
Grammar Joan Bresnan and Jonni Overloading Intentions for Efficient
M. Kanerva CSLI-88-131 ($5.00) Practical Reasoning Martha B. Pol-
lack CSLI-91-149 ($5.50)
An Information-Based Theory of
Agreement Carl Pollard and Ivan Introduction to the Project on Peo-
A. Sag CSLI-88-132 ($4.00) ple, Computers, and Design Terry
Winograd CSLI-91-150 ($5.50)
Relating Models of Polymorphism
Jose Meseguer CSLI-88-133 ($4.50) Ecological Psychology and Dewey's
Theory of Perception Tom Burke
Psychology, Semantics, and Mental CSLI-91-151 ($3.50)
Events under Descriptions Peter
The Language/Action Approach to
Ludlow CSLI-89-135 ($5.50)
the Design of Computer-Support
Mathematical Proofs of Computer for Cooperative Work Finn Kens-
System Correctness Jon Barwise ing and Terry Winograd CSLI-91-152
CSLI-89-136 ($3.50) ($5.50)
The X-bar Theory of Phrase Struc- The Absorption Principle and E-
ture Andras Kornai and Geoffrey K. Type Anaphora Jean Mark Gawron,
Pullum CSLI-89-137 ($4-00) John Nerbonne, and Stanley Peters
Discourse Structure and Perfor- CSLI-91-153($5.00)
mance Efficiency in Interac- Ellipsis and Higher-Order Uni-
tive and Noninteractive Spoken fication Mary Dalrymple, Stu-
Modalities Sharon L. Oviatt and art M. Shieber, and Fernando
Philip R. Cohen CSLI-90-138 ($5.50) C. N. Pereira CSLI-91-154 ($5.50)
The Contributing Influence of Sheaf Semantics for Concurrent In-
Speech and Interaction on Some teracting Objects Joseph A. Goguen
Aspects of Human Discourse CSLI-91-155 ($5.00)
Sharon L. Oviatt and Philip R. Cohen Communication and Strategic In-
CSLI-90-139 ($3.50) ference Prashant Parikh CSLI-91-156
The Connectionist Construc- ($5.00)
tion of Concepts Adrian Cussins Shared Cooperative Activity Michael
CSLI-90-140 ($5.00) E. Bratman CSLI-91-157 ($3.50)
Practical Reasoning and Acceptance Lectures on Contemporary Syntactic
in a Context Michael E. Bratman Theories. Peter Sells. Lecture Notes
CSLI-91-158 ($3.50) No. 3. ISBN 0-937073-14-8 (paper),
0-937073-13-X (cloth)
Planning and the Stability of
Intention Michael E. Bratman An Introduction to Unification-Based
CSLI-91-159 ($£.50) Approaches to Grammar. Stuart M.
Logic and the Flow of Information Shieber. Lecture Notes No. 4. ISBN
Johan van Benthem CSLI-91-160 0-937073-00-8 (paper), 0-937073-01-6
($5.00) (cloth)
Learning HCI Design: Mentoring The Semantics of Destructive Lisp. Ian
Project Groups in a Course on A. Mason. Lecture Notes No. 5. ISBN
Human-Computer Interaction 0-937073-06-7 (paper), 0-937073-05-9
Brad Hartfield, Terry Winograd, and (cloth)
John Bennett CSLI-91-161 ($5.50)
An Essay on Facts. Ken Olson. Lecture Notes No. 6. ISBN 0-937073-08-3 (paper), 0-937073-05-9 (cloth)
How to Read Winograd's & Flores's Understanding Computers and Cognition Hugh McGuire CSLI-92-162 ($6.00)
In Support of a Semantic Account of Resultatives Adele E. Goldberg CSLI-92-163 ($)
Logics of Time and Computation. Robert Goldblatt, second edition, revised and expanded. Lecture Notes No. 7. ISBN 0-937073-94-6 (paper), 0-937073-93-8 (cloth)
CSLI was founded early in 1983 by researchers from Stanford University, SRI
International, and Xerox PARC to further research and development of integrated
theories of language, information, and computation. CSLI headquarters and the
publication offices are located at the Stanford site.
CSLI/SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025
CSLI/Stanford, Ventura Hall, Stanford, CA 94305
CSLI/Xerox PARC, 3333 Coyote Hill Road, Palo Alto, CA 94304

Library of Congress Cataloging-in-Publication Data
Goldblatt, Robert.
Logics of time and computation / Robert Goldblatt. — 2nd ed., rev. and expanded.
p. cm. — (CSLI lecture notes ; no. 7)
Includes bibliographical references and indexes.
ISBN 0-937073-93-8 — ISBN 0-937073-94-6 (pbk.)
1. Modality (Logic). I. Title. II. Series.
QA9.46.G65 1992
160-dc20 92-12978
CIP

CSLI Lecture Notes report new developments in the study of language, informa-
tion, and computation. In addition to lecture notes, the series includes mono-
graphs, working papers, and conference proceedings. Our aim is to make new
results, ideas, and approaches available as quickly as possible.
