combining deduction and model checking into tableaux and
TRANSCRIPT
Combining Deduction and Model Checking intoTableaux and Algorithms for Converse-PDL?Giuseppe De Giacomo and Fabio Massacci??Dip. di Informatica e Sistemistica,Universit�a di Roma \La Sapienza", ItalyAbstract. This paper presents a pre�xed tableaux calculus for Proposi-tional Dynamic Logic with Converse based on a combination of di�erenttechniques such as pre�xed tableaux for modal logics and model checkersfor �-calculus. We prove the correctness and completeness of the calcu-lus and illustrate its features. We also discuss the transformation of thetableaux method (naively NEXPTIME) into an EXPTIME algorithm.1 IntroductionPropositional Dynamic Logics (PDLs) are modal logics introduced in [10] tomodel the evolution of the computation process by describing the properties ofstates reached by programs during their execution [15, 24, 27]. Over the years,PDLs have been proved to be a valuable formal tool in Computer Science, Logic,Computational Linguistics, and Arti�cial Intelligence far beyond their originaluse for program veri�cation (e.g. [4, 12, 14, 15, 24, 23]).In this paper we focus on Converse-PDL (CPDL) [10], obtained from the basiclogic PDL by adding the converse operator to programs, which is interpreted asthe converse of the (input-output) relation interpreting the program. A possibleuse of the converse is for formalizing preconditions, e.g. [��]' can be interpretedas \before running program �, property ' must hold".There are certain applications of PDLs where the ability of denoting converseprograms is essential. For instance, recent research in Knowledge Representation[7, 5, 23] points out a tight correspondence between PDLs and a family of class-based knowledge representation formalisms, known as the Description Logics[29]. Such research shows that, by means of suitable polynomial reductions,inference in very expressive description logics can be rephrased as inference inCPDL. Thus, inference procedures for CPDL can be exploited as the reasoningcore for such knowledge representation formalisms. Indeed, this was one of themain motivation that has led us to look into inference procedures for CPDL.From the formal point of view, CPDL shares many characteristics with thebasic PDL, and many results for PDL extend to CPDL without di�culties. Forinstance the proofs of �nite model property for PDL in [10] are easily extended to? A preliminary version of this work appeared in [8].?? Communicating author: Fabio Massacci, Dipartimento di Informatica e Sistemistica,via Salaria 113, I-00198 Roma, Italy, email: [email protected].
CPDL, as well as the proof of EXPTIME-completeness in [21]. However, e�cient{ in practical cases { inference procedures have been successfully developed forPDL, but their extension to CPDL has proved to be a di�cult task and unsuc-cessful till now (to the best of our knowledge).To be precise, inference procedures based on model enumeration [10, 21] or onautomata on in�nite trees [27] have been extended to converse of programs. Yet,these procedures are more suited for proving theoretical results than for beingused in applications. Tableaux procedures for PDL [20, 22], which are typicallysimpler in practice, have never been extended. In [20] Pratt says \We do nothave a practical approach to this di�culty with converse, and our \practical"procedure therefore does not deal with converse".In this paper we propose a pre�xed tableaux calculus for PDL and extend itto deal with the converse operator, thus obtaining the �rst tableaux calculusfor CPDL. The tableaux based technique we propose here combines in a nat-ural way a number of intuitions and techniques that have been developed forvalidity/satis�ability checking [9, 17, 20, 22, 27, 28] and model checking [3, 17, 25,24] with pre�xed tableaux [11, 13, 18] for modal logics. Indeed, the work in thispaper con�rms that the combination of model-checking and theorem provingtechniques, as witnessed also by the recent CAV conference [1], may be veryfruitful also for purely deductive techniques.1.1 Plan of the paperIn the rest of the paper we present at �rst the intuitions underlying our workand emphasize the possibility of merging theorem proving and model checkingtechniques for dynamic and temporal logics (x2). We introduces some notionson CPDL(x3), present the tableaux calculus (x4), give examples (x5) and proveits soundness and completeness (x6). Finally we sketch the transformation ofNEXPTIME tableaux into EXPTIME algorithms (x7) and conclude (x8).2 Tableaux and Model Checking TechniquesThe use of tableaux for modal logics dates back to Kripke (see [13] for a recentoverview or [11] for a \classical" treatment) and e�cient procedures based ondepth �rst search are known [14, 16]. Tableaux methods for satis�ability checkinghave been developed for the basic PDL [20, 22], but not for many extensions, suchas CPDL, whereas automata theoretic techniques are available [26, 27].The problem is that PDLs, temporal logics or modal �-calculus cannot betamed only by \traditional" tableaux methods for logics of knowledge and belief:{ Some formulae impose \�xpoint" properties on paths (in the sequel we callthem iterated eventualities or necessities) so that the traditional \local" val-idation of a model is not enough.{ PDLs, like the modal �-calculus, has an added di�culty w.r.t. temporallogics (which have only one transition, next, and simpler eventualities) since
programs can be extremely complicated and deciding whether two states arereached by a program may have the same complexity of the original problem.{ The converse operator (or past for temporal logics) imposes constraints onpreviously visited states so that these must be re-processed.{ The models of a formula can be exponential in its size and therefore directdepth-�rst search with backtracking at choice points may lead to a double ex-ponential algorithm (although decidability for these logics is in EXPTIME).Tableaux approaches for PDLs (and expressive temporal logics) [20, 22, 9] or[17][Sec. 5.1-5.3] cope with these problems in two conceptual phases:1. Construct an AND-OR graph based on the Fisher-Ladner closure which sat-is�es the constraints of a \normal modal logic", where nodes with the sameformulae are identi�ed and nodes that are locally inconsistent are deleted.2. model check the \pseudo-model" thus obtained for iterated eventualities(deleting nodes with unful�lled eventualities).The separation into two phases is present also in automata techniques where theautomaton corresponding to a formula1 is the product of two automata: one forchecking local modal conditions and one for eventualities [26{28].The �rst intuition is to build the AND-OR graph of the phase 1 in an incre-mental fashion, as particles tableaux for temporal logics [17],Intuition 21 A node of the tableau is a set of formulae and new nodes aregenerated only by reducing already present formulae.In this way we generate nodes and check for local consistency \on-the- y". Incontrast with maximal model techniques [21], tableaux methods generate allsubsets of the Fisher-Ladner closure only in the worst cases.The idea of proceeding in an incremental fashion can be pushed further byexecuting the two phases, building the AND-OR graph and model checking even-tualities, at the same time2. In this way we need not to wait for the constructionof a (large) model just to discard it with the very �rst eventuality we checked.Intuition 22 Merge the pseudo-model checking stage for iterated eventualitieswith the incremental tableaux construction.Thus an algorithm may close a branch due to an unful�lled eventuality beforethe construction of the whole model, improving its average time behaviour.For temporal logics this problem has been solved [3, 17]: as soon as the samenode is repeated along the path and we �nd again the same eventuality (i.e. thesame formula) we conclude that this is a bad (unful�lling) loop.For PDL/CPDL there are more di�culties: to conclude that an eventuality ofthe form h��i' is not ful�lled, it is not enough to \�nd again" the same eventu-ality into a duplicate node. One must verify that the two nodes are connected1 One constructs an automaton that accepts the tree models of the formula and hencea formula is satis�able i� the automaton accepts some models [9, 27, 28].2 There are incremental model checking techniques for temporal logics [3, 2, 17].
by some �-steps and � can be a complex program. This problem does not arise(mutatis mutandis) in temporal logic because � can only be \next".The solution developed by Pratt in [22] has been the introduction of an oper-ator ) to link every eventuality of the form h�i' with the corresponding ful�ll-ing node where ' holds. However this may lead to a cumbersome tableau and tomany unnecessary relations between formulae. Moreover it does not completelyaddress the issue of merging the two phases, because one needs to construct thetransitive closure of ) and this can be done only after the pseudo-model con-struction is terminated. The automata theoretic approaches [27, 28], instead ofbuilding such )-links, use suitable eventuality automata, which as well requirethe construction of the pseudo-model �rst.There is another way that fully addresses this problem, based on the sameintuition of history variables i.e. \auxiliary variables whose values in the currentstates re ect all the facts we need to know about the past" [17]3. This idea hasbeen used for model checking techniques for the modal �-calculus, introducingnew propositional variables (names) for denoting �xpoints [24].If we introduce a name X to denote h��i' and use the name for subsequentreductions than we have a direct way to identify, by just looking at them, whentwo nodes are connected by some �-steps and therefore use the simple check oftemporal logics (repeated eventuality into duplicated nodes).Intuition 23 Associate iterated eventualities with new names X := h��i' andde�ne reduction rules which use the name rather than the formula.Next we focus on the converse operator. One of the intuition used for automatatheoretic techniques [27] is to use two-ways tree models where a transition can gofrom the current state to its child (direct) or vice versa (converse). We combinethis idea with the notion of pre�xed tableaux developed for modal logics ofknowledge and belief [11, 18] to get the following:Intuition 24 Associate to each a formula a pre�x formed by the sequence ofstates and direct/converse transitions starting from the initial state and endingin the current state where the formula is supposed to hold. Devise rules whichtake into account both formulae and pre�xes.In this framework we simply devise tableaux rules for the converse of an (atomic)program with the techniques for symmetric modal logics B or S5 from [18]:Intuition 25 Necessity-like formulae with direct programs such as [A]' moveformulae forward when the last pre�xed transition is direct and backward whenthe last transition is converse. [A�] does the opposite.The next step, when we look for duplicated nodes, is to take into account whathas been also noted for automata [27]: \we also have to know what programconnects this node to its predecessor." With pre�xed tableaux this check isstraightforward: it is embedded into the label of the formulae of each state.3 A related idea is used for automata [27] by introducing state formulae like cycle(�)to represent the fact that there is a �-loop which passes through that state.
We still need to \guess" a small subset of formulae that characterises pastcomputations, especially when we are trying to discard unful�lled eventualities4.The existence of a set characterising past symmetric computations was pointedout in [11] and used in [6] to provide a translation of CPDL into PDL.Intuition 26 To identify two duplicate nodes the formulae which compose themmust also completely specify the past (the arriving program), so we use analyticcut on a small subset of subformulae to complete the nodes.Last but not least we want to lower the complexity of the tableaux procedurefrom NEXPTIME to EXPTIME. The key point is that to avoid exponentialbehaviour on average it is not enough to store only the visited nodes as in [22].We must also track the nodes already proven to be inconsistent as in [3].Intuition 27 Use a global data structure to store \bad" sets, which have beenproven to lead to contradiction in previous expansion of the tableau. Before ex-panding a node always check that it is not a previously seen \bad" set.3 Syntax and Semantics of CPDLWe sketch some basic notions on CPDL (see [15, 24] for an introduction).If A is a set of direct atomic programs (a, b etc.), P a set of propositionalletters (P , Q etc.), the formulae '; and the programs �; � of CPDL are'; ::= P j :' j ' ^ j h�i' �; � ::= a j �;� j � [ � j �� j �� j '?Other connectives can be seen as abbreviations { e.g. [�]' � :h�i:'. W.l.o.g.we restrict the converse operator to atomic programs, by using equivalences suchas (�;�)� � (��; ��) or (��)� � (��)� etc. The metavariable A denotes eithera direct or converse atomic program (considering (a�)� := a) and we refer to itas an atomic program, without specifying direct or converse. In the sequel � isthe formula to be proved valid or satis�able.The semantics is based on Kripke structures [15]: a model is a pair hW; IiwhereW is a non empty set of states and I an interpretation s.t. for every directatomic program a it is aI � W �W and for every propositional letter P it isP I �W . The interpretation I is then extended as follows:( ^ ')I = 'I \ I (:')I = W � 'I(h�i')I = �w j 9v 2W s.t. hw; vi 2 �I and v 2 'I(�;�)I = �hw; vi j 9uhw; ui 2 �I and hu; vi 2 �I(� [ �)I = �I [ �I(��)I = re exive and transitive closure of �I(��)I = �hv; wi j hw; vi 2 �I('?)I = �hw;wi j s 2 'I4 Remember that in this case we are trying to prove that an eventuality has not beenful�lled and never will be (no matter how we continue the computation).
In the sequel we write w j= ' for w 2 'I .De�nition 1. A CPDL formula � is satis�able i� there is a model hW; Ii where(�)I is not empty. A formula � is valid if for every model hW; Ii it is (�)I =W .The Fisher-Ladner closure of a formula � [10, 15] is de�ned inductively as:{ � 2 CL(�);{ if ' 2 CL(�) then :' 2 CL(�), provided ' does not start with :;{ if :', ' ^ or h�i' are in CL(�) then '; 2 CL(�);{ if h�;�i' 2 CL(�) then h�ih�i' 2 CL(�);{ if h� [ �i' 2 CL(�) then both h�i' and h�i' are in CL(�);{ if h ?i' 2 CL(�) then 2 CL(�);{ if h��i' 2 CL(�) then h�ih��i' 2 CL(�).To establish the truth value of a formula � in a model it is su�cient to checkthe value of the formulae in CL(�) for every state of the model [10, 15]. Bothnumber and size of the formulae in CL(�) are linearly bounded by the size of �.4 Pre�xed Tableaux for CPDLPre�xed tableaux are based on pre�xed formulae, i.e. pairs h� : 'i where ' is aCPDL formula and � is an alternating sequence of integers and atomic programscalled pre�x de�ned as � ::= 1 j �:a:n j �:a�:n.Intuitively � denote the sequence of two-ways transitions (in the sense of [27])of states and atomic programs A that starts from the initial state 1 and reachthe state where ' holds. For instance the pre�x 1:a�:2:b:3:a:5:c�:4 correspondsto w1 a w2 b! w3 a! w5 c w4. PDL has only one-way transitions.We use the standard initial subsequence ordering v { i.e. impose � < �:A:nfor every �, A and n, and take the re exive-transitive closure.The de�nition of branch and tableau is standard [11, 13, 18]. A tableau Tis a rooted tree where nodes are labelled with formulae, a branch B is a pathfrom the root to a leaf, a segment S a path from the root to a node of the tree.If a segment terminates into a branching due to a disjunctive rule (�, [test],hchoicei, X , LB(A)) we denote the left-hand extension of S (the left \branch"par abuse de language) with Sl and the right-hand with Sr. Intuitively a branchis a (tentative) model for the initial formula.A pre�x is present in a segment, if there is a pre�xed formula with that pre�xalready in the segment, and it is new if it is not already present. In the sequelwe say that the pair h�0;S0i is shorter than h�;Si if either (i) �0 is a properinitial subsequence of � and S0 is an initial subsegment of S, or (ii) � = �0 andS0 is a proper initial subsegment of S .Figure 1 shows the rules for and, not, sequence, choice and test.The rules for CPDL formulae starting with an atomic program A are shownin Fig. 2 and are the usual �-rule for hAi'-formulae and the �-rule for [A]'-ones.The converse requires a rule which is the analogous of the B rule for symmetric
� : � : ' ^ � : '� : � : � : :(' ^ )� : :' j � : : dneg : � : ::'� : '[seq] : � : :h�; �i'� : :h�ih�i' hseqi : � : h�; �i'� : h�ih�i'[test] : � : :h ?i'� : : j � : :' htesti : � : h ?i'� : � : '[choice] : � : :h� [ �i'� : :h�i'� : :h�i' hchoicei : � : h� [ �i'� : h�i' j � : h�i'Fig. 1. Propositional and program tableau ruleshAi : � : hAi'�:A:n : ' with �:A:n new in the branch[A]F : � : :hAi'�:A:n : :' with �:A:n already present in the branch[A]B : �:A�:n : :hAi'� : :' with � already present in the branchFig. 2. Transitional rules for CPDLmodal logics [18]: we use both forward (F) and backward (B) rules for necessities.The rules for iteration combines pre�xed tableaux with the ideas of [25, 24]for model checking �xpoints in the modal �-calculus5 (Fig. 3). In practice whenan iterated eventuality h��i' is found, we introduce a new propositional variableX (possibly with indices), set a side condition X := h��i', and use the X-rule forfurther reductions. The set X of propositional variables introduced in this wayis distinct from the set P of propositional letters which are used for formulae.The use of � : :' in the right part of the X rule is motivated by the de�nitionof h��i' as a least �xpoint: �-steps are performed while :' is true, stopping assoon as ' becomes true. Indeed h��i' � h(:'?; �)�i' � hwhile :' do �i> isvalid in CPDL [10].5 A formula h��i' can be expressed in the modal mu-calculus as �X:' _ h�iX where�X:(X) denote the least �xpoint of the open formula (X).
[�] : � : :h��i'� : :'� : :h�ih��i' h�i : � : h��i'� : XX := h��i' X newX : � : X� : ' j � : :'j � : h�iX X new on the branchFig. 3. Rules for �-iteration operatorLB(A) : ...�:A:n : hA�i' j �:A:n : :hA�i'�:A:n is already present and ' is a formula of CL(�)Fig. 4. Look behind analytic cutAs mentioned in Sect. 2, these variables are introduced to detect the presenceof � loops which do not ful�ll h��i'. Using such variables, we can eliminate the) (and its transitive closure) introduced by Pratt [22].Remark 1. The combination of converse �� with iteration �� is harder than bothof them in isolation: although [A]B is enough for CPDL without iteration and Xrules are enough for PDL, their combination is not enough for full CPDL.Iteration �� constructs properties with unbounded delays, like ha�iP , while con-verse �� can be used for late discoveries, such as hai[a�]:P , which impose aproperty on the current state after the execution of a program. Their combina-tion creates bombs, like P ^ ha�i[(a�)�]:P , which after an unbounded numberof iterations, make the initial state inconsistent.So, we use a restricted analytic cut LB (\look behind"), presented in Fig. 4,where � is the formula to be proved valid or satis�able.Since the cut is analytic and its application strongly restricted, its introduc-tion does not destroy the decidability of the calculus (although its unnecessaryapplication may choke the proof search).In the sequel, if S is a segment (eventually a branch) of a tableau we indicatewith S=� the set of pre�xed formulae in S labelled with the pre�x �, i.e.:S=� = f' j h� : 'i 2 Sg:De�nition 2. A pre�x � is reduced in S if hAi-rules are the only rules not yetapplied to formulae of S=�. It is fully reduced if all rules have been applied.
Two pre�xes are \a di�erent name for the same state" in CPDL (where the pastmatters) if they (i) have the same properties (dynamic formulae) and (ii) arereachable by the same atomic program. An identical requirement is used forautomata [27]. Point (ii) is not necessary for PDL.De�nition 3. A pre�x � in the segment S is a copy of a pre�x �0 in S0 if(i) S=� = S0=�0, and (ii) both have the form �0:A:n and �00:A:m for the sameatomic program A. If distinct Xi; Xj are present in �0 and � we consider themequal if they represent the same iterated eventuality i.e. Xi := h��i' := Xj.De�nition 4. A branch B is �-completed if (i) all pre�xes are reduced, and (ii)for every � which is not fully reduced there is a pair h�0;S0i shorter than h�;Bis.t. �0 is fully reduced in the segment S0 and � is a copy of �0 in B.If � : X has been considered equal to a �0 : X0 we say that X collapses intoX0. By �-completenes, collapsed X cannot generate new �0 : X with longer �0.The intuition for �-completeness is that hAi-rules are not applied to formulaebelonging to copies.De�nition 5. An eventuality X := h��i' is ful�lled in segment S i� either thereis a � : X in S such that � : ' is also in S or X has been collapsed into an X0which is ful�lled.De�nition 6. A branch B is contradictory i� it contains both � : P and � : :P ,for some P and some �. A �-completed branch B is ignorable i� there is aneventuality X which is not ful�lled.In a �-completed branch B, an eventuality X cannot collapse (directly or transi-tively) into itself and be ful�lled at the same time, since we have either � : ' or� : :' in the X-rule. Indeed suppose we tried to collapse an X from h�;Bi intoa shorter h�0;S0i also with �0 : X . Obviously �0 cannot ful�l X otherwise thebranch would only have had �0 : ' but no other X and therefore a longer h�;Biwith X could not have been generated at all. On the contrary the right-hand\branch" S0r has another instance of X i.e. �0 : h�iX but also �0 : :'. It cangenerate the longer h�;Bi by reducing h�iX . However if � must be a copy of �0this means that also � : :' must be there and � would not ful�ll X .In a nutshell we found an unsuccessful loop [22]: we try to ful�ll an eventualityh��i' with X-rules; the left-hand \branches" with � : ' are always discarded;�nally we meet a pre�x �! with the same formulae of an already seen pre�x; sowe conclude that we could never ful�ll it and give up. We can express this factwith the following su�cient condition to close ignorable branches:Proposition 1. A branch B is ignorable if there is an X which collapses (di-rectly or transitively) into itself provided the corresponding shorter h�0;S0i isfully reduced.Fully reduced means also that cut has been applied in all possible ways and thisis the only place where we need it: we must be sure that two pre�xes are identicalalso for what regard the past, at least w.r.t. the Fisher-Ladner closure.
(1) 1 : :P ^ hai�a��hb�iQ ^ �b�; b��P initial formula(2) 1 : :P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � � rule to (1)(3) 1 : hai�a��hb�iQ(4) 1 : �b�; b��P(5) 1 : �b��[b�]P . . . . . . . . . . . . . . . . . . . . . . [seq] � rule to (4)(6) 1:a:2 : �a��hb�iQ . . . . . . . . . . . . . . . . . hai � rule to (3)(7) 1 : hb�iQ . . . . . . . . . . . . . . . . . . . . . . . . . . �a��B � rule to (6)(8) 1:b�:3 : Q . . . . . . . . . . . . . . . . . . . . . . . . . . hb�i � rule to (7)(9) 1:b�:3 : [b�]P . . . . . . . . . . . . . . . . . . . . . . �b��F � rule to (5)(10) 1:b�:3 : P . . . . . . . . . . . . . . . . . . . . . . . . . . [�]� rule to (9)(11) 1:b�:3 : [b][b�]P(12) 1 : [b�]P . . . . . . . . . . . . . . . . . . . . . . . . . . . [b]B � rule to (11)(13) 1 : P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [�]� rule to (12)(14) 1 : [b][b�]P(15) ?� contradiction in 1Fig. 5. Tableau proofCriterion 1 Apply LB(A) only if the pre�xed formulae �:A:n : X and �:A:n ::' occurs in the branch and we are trying to collapse X into an X0 (also itself).De�nition 7. A tableau is closed if all branches are either contradictory orignorable. A tableau is open if at least one branch is open (�-completed andneither contradictory nor ignorable).De�nition 8. A tableau validity proof for the formula � in the logic CPDL isthe closed tableau starting with h1 : :�i.For satis�able formulae a model can be built from an open branch, as is done inthe completeness proof.5 Examples and QuestionsWe assume that we have rules for the necessity operator which can be easilyderived from the corresponding [rule] described in Sect. 4.A simple example where converse forces us to \move" back and forth amongstates is given in Fig. 5. An example of ignorable branch is given in Fig. 6There are also interesting questions which can be better clari�ed by examples.Question 1. Why di�erent X are introduced each time the same h��i' is metwith a di�erent pre�x if later on we identify them in the loop checking?The propositional variables X := h��i' are an automatic bookkeeping system:if we introduce �0 : X at a certain stage and, later on, we �nd a longer � with� : X , then we can infer, without further checks that there are some h�i-stepsfrom �0 to �, no matter how complicated � is. Hence, if � : ' is present in the
1 : hb; a�iP ^ [b�; a�]:P1 : hb; a�iP1 : [b�; a�]:P1 : hbiha�iP1 : [b�][a�]:P1 : [a�]:P1 : [b][b�][a�]:P1:b:2 : ha�iP1:b:2 : [b�][a�]:P1:b:2 : [a�]:P1:b:2 : [b][b�][a�]:P1:b:2 : [a�]:P1:b:2 : :P1:b:2 : [a][a�]:P(+)(+)1:b:2 : X := ha�iP. &1:b:2 : P?� contrad 1:b:2 : :P1:b:2 : haiX1:b:2:a:3 : X1:b:2:a:3 : X1:b:2:a:3 : [a�]:P1:b:2:a:3 : :P1:b:2:a:3 : [a][a�]:P. &1:b:2:a:3 : P?� contrad 1:b:2:a:3 : :P1:b:2:a:3 : haiX?� ignorable for PDL1:b:2 = 1:b:2:a:3Fig. 6. Another Tableau Proofbranch, we can conclude that the initial occurrence of h��i' and all subsequentoccurrences (represented by X) are ful�lled.If we reused the same X for a di�erent pre�x �1 : h��i' in the branch, thenwe could not know anymore whether � follows from �0 or from �1. We wouldhave to wait for the completion of the (pseudo)model and then model-check it,which is exactly what we are trying to avoid.Yet Xi are just names for the corresponding h��i' and we want to ful�ll theformula and not a name. If we �nd out that Xi := h��i' := Xj this means thatthey are just di�erent names for the same property: if a state �0 ful�ls the sameformulae of � plus Xi then it clearly ful�ls the Xj occurring in � and thus wecan identify the two formulae and hence the states.For instance try the following (without LB(A), since there is no converse):�SAT := P ^ [b�](hbiP ^ ha�i:P ) �UNSAT := �SAT ^ [b�; a�]Pthe consequences of the wrong usage of X are shown in Fig. 7 for �SAT .Question 2. Is cut really necessary?Cut is eliminable if formulae do not contain both converse and iteration operatorssince the soundness proof does not require its use. The di�cult formula is [(��)�]which imposes unbounded constraints on the past. Check the following formulaewithout cut and with a (modi�ed) X without the � : :' on the right.UNSAT := P ^ ha�i[(a�)�]:P SAT := P ^ ha�i(:P ^Vni=1 �a�i�:P )where we abbreviate a�; : : : ; a� for i times with a�i. The second formula issatis�able, while the �rst is not. Without cut and without the :'-branch inthe X rule, after n applications of the X rule both formulae will have onlycontradictory or ignorable branches. After n+1 steps, the tableau for SAT hasone non-ignorable branch whereas the one for UNSAT remains ignorable.
1 : :P ^ [b�]hbi:P ^ [b�]ha�iP: : :1 : :P1 : hbi:P1 : [b][b�]hbi:P1 : ha�iPX := ha�iP . &1 : P1 : ?� contrad 1 : :P1 : haiX1:a:2 : X1:a:2 : P1:b:3 : :P: : :1:b:3 : hbi:P1:b:3 : [b][b�]hbi:P1:b:3 : ha�iP1:b:3 : X . &1:b:3 : P?� contrad 1:b:3 : :P1:b:3 : haiX?� ignorab???
1 : :P ^ [b�]hbi:P ^ [b�]ha�iP: : :1 : :P1 : hbi:P1 : [b][b�]hbi:P1 : ha�iPX1 := ha�iP1 : haiX11:a:2 : X11:a:2 : P: : :1:b:3 : :P1:b:3 : hbi:P1:b:3 : [b][b�]hbi:P1:b:3 : ha�iP1:b:3 : X2X2 := ha�iP1:b:3 : haiX2: : :1:b:3:b:4 : :P: : :The left tableaux is wrongly closed by the ignorability condition because the same X is recycled.The right one never terminates because di�erent Xi for the same eventualities are not identi�ed.Fig. 7. Erroneous Tableaux \Proofs"6 Soundness and CompletenessThe intuitions behind soundness and completeness can be explained by examin-ing the concepts of copied pre�xes and ignorable branches from a model theoreticperspective. In particular by comparing tableau rules to visiting steps of a modeland pre�xes to booking devices (names for states).Whenever we �nd two pre�xes �0 and �! which have the same propertieswe may conclude that they are essentially identical (modelM in Fig. 8). Thus,there is no need to expand the formulae of �!: we have already done it for �0(by Def. 4) and if we didn't �nd a contradiction before we will not �nd it now.We can avoid the visit of the in�nite path from �! by changing the model.If a branch is open then we introduce a loop back to �0, thus dropping thein-principle-in�nite path starting from �! (model Mgood in Fig. 8). This is thecompleteness theorem. When a branch is ignorable there is an eventuality h��i�on � that, after some h�i-steps where :� always holds, arrives to an \identical"state �! . So we change the model toMbad (Fig. 8), and conclude that we cannotful�ll the eventuality in any number of �-steps. This is the soundness theorem.In the tableaux of [20, 22] they were called successful and unsuccessful loop.The formal soundness proof follows an established path [11, 18]:1. devise a mapping between pre�xes in a tableau and states in a model;2. prove a safe extension lemma (any tableaux rule applied to a satis�ableformula preserves satis�ability with this mapping);3. prove a safe closure lemma (no satis�able branch is ignored).
- w -A � ��- r r r r r r - w -A � ��- r r r r r r�0 �!- w -A � ��- r r r r r r - w -A � ��- r r r r r r�0 �!- w -A � ��- r r r r r r - w -A � ��- r r r r r r�0 �!MbadMgoodM� �-A ??� ��A
Fig. 8. Bad and good modelsRemark 2. For modal logics safe closure is immediate (a branch must only benon contradictory) whereas it is the hardest part for PDL/CPDL: we have toverify, with a �nite computation, that an eventuality will never be ful�lled.De�nition 9. Let B be a branch and hW; Ii a model, a mapping is a func-tion {() from pre�xes to states such that for all � and �:A:n present in B it ish{(�); {(�:A:n)i 2 AI .De�nition 10. A tableaux branch B is satis�able (SAT for short) in the modelhW; Ii if there is a mapping {() such that for every h� : 'i present in B it is{(�) j= '. A tableau is SAT if one branch is SAT in some model hW; Ii.Theorem 1. If T is a SAT tableau, then the tableau T 0 obtained by an appli-cation of a tableau rule is also SAT.Proof. The proof is by induction on the applied rules as in [11, 13, 18]. utThe di�cult part is proving that ignorable branches can be discarded. Weneed a preliminary result telling that either (i) if an eventualityX is not collapsedthen terminates into a ful�lling � : ' i.e. no more X are generated, or (ii) ifwe follow the path from an eventuality that is collapsed into itself (directly orindirectly) then we always meet h� : Xi with h� : :'i.To this extent we introduce the following relation � between pre�xed formu-lae for each X := h��i' in a branch B:{ h�0 : Xi � h� : Xi i� �0 : X appears in the segment S0, � : X properly6appears in S , and h�0;S0i is shorter than h�;Si;{ h� : Xi � h�0 : X0i i� X has been collapsed in X0 and �0 is the fully reducedcopy of �.6 When � = �0 this means that �0 : X must have been introduced again in the partof S properly extending S0. Otherwise we would always have �0 : X � �0 : X.
The transitive (but not re exive) closure of � is ��. We need to use segments totake tests into accounts. In a nutshell we are reconstructing (only for the proofand only for iterated eventualities) the ) relation of Pratt [22].Then we can prove the following result whose intuition is that either aneventuality is ful�lled (and � forms a well-ordering with maximum), or after acertain stage all X fall into a �nal cluster (and � is not well-founded).Lemma 1. Let B be a �-completed branch, � : X be a pre�xed eventuality,with X := h��i', and path(� : X) be the set of h�i : Xii present in B, such thath� : Xi �� h�i : Xii. Then there is a h�! ; X!i in path(� : X) such that:{ either h�! : 'i is in B and then path(� : X) is well-ordered by � and h�! ; X!iis the maximum element.{ or h�! : X!i �� h�! : X!i and then for all h�i : Xii 2 path(� : X) the pre-�xed formula h�i : :'i is in B and h�i : Xii �� h�! : X!i.Again the proof is by induction on the applied rules using the argument forProp. 1 and the fact that collapsed eventuality are not further reduced. Noticethat the assignment of a di�erent X for each occurrence of the eventuality h��i'with a di�erent pre�x is necessary for the proof. With this provision the onlyway to obtain some �0 : X is by reducing some previously generated � : h�iX .Theorem 2. If T is a SAT tableau, then one SAT branch is not ignorable.Proof. Suppose the contrary: T is SAT with all SAT branches ignorable (clearlySAT branches cannot be contradictory). It is worth noting that each branch canbe ignorable due to a di�erent unful�lled X := h��i' (or even more than one).It is easy to prove the following proposition.Proposition 2. Let B be an ignorable branch for some � : X. For every modelhW; Ii and for every mapping {() such that B is SAT for them, if h�i; Xii is inpath(� : X) then {(�i) 6j= '.This is immediate because of the presence of :' on the right-hand branch of theX-rule: it boils down to the de�nition of SAT branches. utSince B is SAT, there is a model hW; Ii and an mapping {() on which B isSAT with a certain mapping {(). However, since B is ignorable, by Lem. 1, wecan consider the �nal cluster generated by any pre�xed formula � : X for the Xwhich is unful�lled.We can show that there are at least two �-connected pre�xes in the �nalcluster on path(� : X). Indeed the only way to make a loop, is to have someXj along the path collapsing into an Xi (maybe itself) and therefore the cor-responding pre�xes must be di�erent. Let us denote the fully reduced pre�x inthe loop by �0 � �00:A:n0 and the copy with �! � �0! :A:n!.Since B is SAT, {(�0) j= h�iX , and therefore an integer N and N+1 statesw0; : : : ; wN in hW; Ii exist such that {(�0) = w0, hwi; wi+1i 2 �I and wN j= '.Since the pre�x �0 has been fully reduced B must also contain h�0 : h�iXi andthis must be reduced. Thus the only way to generate the next h�1 : Xi � h�0 : Xi
to go to �! is to perform at least one �-step. Hence, in general, there are R �-stepfrom �0 to �1 to �2 : : : to �! for some integer R � 1Let �rst assume that N � R. Then we can remap the pre�xes �0; : : : ; �N sothat {(�i) = wi. By Prop. 2 the formula ' cannot be ful�lled by any mapping {()of the �i in path(� : X) on the states of hW; Ii. Hence we get a contradiction.Let that assume that N > R. Then there must be N �R �-steps from �! toful�ll ' in the model hW; Ii under {().Now we construct a new model hW;J i as in Fig.8, by coping the originalmodel: W 0 = fwc j w 2 Wg, PJ = fwc j w 2 P Ig and aJ = fhwc; vci jhw; vi 2 aIg. Then we add a new A-arc, where A is the atomic (direct or con-verse) program occurring last in �0 and �! , i.e.:AJ = fhwc; vci j hw; vi 2 AIg [ fh{(�0)c; {(�!)cigThe key point is to prove that this new A-arc can be safely added.Since B is �-completed, all possible instances of LB(A) have been applied andtherefore for every 2 CL(�) either h�0 : :hA�i i or h�0 : hA�i i is presenton the branch. The pre�x �! is a copy of �0 by hypothesis, so h�! : :hA�i i ispresent in the branch i� h�0 : :hA�i i is present. Since the branch is SAT onthe original model hW; Ii, it is {(�0) j= :hA�i i� {(�!) j= :hA�i for every 2 CL(�).Consider now the state {(�!)c the only di�erence with the original state {(�!)is the incoming A-arc. But, as we have seen above, the two states see exactlythe same formulae of CL(�) going back through A. By the �ltration Lemma [10,15], these are the only formulae necessary for establishing the truth value of �.Hence, by induction, we have that {(�!)c satis�es h��i' in N �R �-steps in thenew model (as in the old one).Then we construct a new mapping |() on the new model as follows: mapevery pre�x shorter or unrelated with �0 in the same way as {() does, and map|(�0) on {(�!)c. This make the branch still satis�able: the formulae are the samefor both �0 and �! and the incoming arc does not a�ect them. By Thm. 1. wecan expand the tableau and still preserve SAT.In the new model the state |(�0) ful�lls the eventuality h��i' in N �R < N�-steps. We can repeat the process until we reach an N 0 � R, getting again acontradiction. utThe correctness theorem follows with a standard argument [11]:Theorem 3. If � has a validity proof then � is valid for CPDL.For completeness, we also have an established path [11, 13, 18]: apply a system-atic and fair procedure to the tableau and if it does not close, choose an openbranch to build a model for the initial formula :� i.e. a counter-model for �.The key is the following model existence theorem.Theorem 4. If B is an open branch then there is hW; Ii where it is SAT.
Proof. Construct the model as follows:W := f� j � is present in BgaI := fh�; �:a:ni j � and �:a:n are present in Bg [�h�:a�:n; �i j � and �:a�:n are present in BP I := f� j � : P 2 BgTo take loops and repetitions into account, we modify slightly the above de�-nition: if � is a copy of some fully reduced pre�x �0 then we delete � from W ,replace � with �0 in all transitions aI , and construct the mapping {().{(�) = ��0 if � is a copy of a fully reduced �0� otherwiseNext we prove that if h� : 'i 2 B then {(�) j= ' by induction on the constructionof '. We focus on modal connectives and iteration operators.Suppose that h� : hai'i 2 B. If � is fully reduced then we apply exactly theargument of [11, 13, 18]. If � is a copy then the mapping {() maps � on �0, whichis fully reduced, and the above reasoning applies. Similarly for a�.For the necessity operator we show the case for a�. Suppose that h� : :ha�i'iis in B and that � is fully reduced (the argument for not fully reduced pre�xesis analogous to the previous case). By construction the only possible pairs suchthat h�; �0i 2 (a�)I are:1. the pairs h�; �:a�:ni for some n;2. the pair h�0:a:n; �0i if � has the form �0:a:m3. h�; �00i where �00 is fully reduced copy of a pre�x �0 which satis�es one thetwo previous conditions;For case (1) then for every �:a�:n present in B it is h�:a�:n : :'i 2 B by �-completion w.r.t. [a�]F . Hence, {(�:a�:n) j= :' by inductive hypothesis. For case(2) consider �-completion w.r.t. the rule [a�]B : the pre�xed formula h�0 : :'ioccurs in B. Case (3) is a repetition of the previous two since � is fully reducedand the relevant rule to �0 has been applied already. Since �00 is a copy then wehave �00 : :' and we are done. Thus, for all {(�0) it is {(�0) j= :' by inductivehypothesis and therefore, by de�nition of j=, it is {(�) j= :ha�i'.For h��i' we have to prove that whenever � : X appears the correspondingh��i' is satis�ed. The proof is by double induction: on the formula size andon number of � steps in path(� : X), using Lem. 1. One chooses as a base forthe latter induction the top pre�x �! such that h�! : 'i is present. By inductionhypothesis it is {(�!) j= ' and by de�nition it is {(�!) j= h��i'. For the inductionstep consider a pair h�j : Xji � h�j+1 : Xj+1i in path(� : X) so {(�j+1) j= h��i'by inductive hypothesis. If Xj collapsed into Xj+i then �j is a copy of �j+1 andthe result follows trivially: {() maps them on the same world. For the other casethis means that Xj+i � Xj � X . Hence the only way to introduce �j+1 : X isto reduce completely �j : h�iX . By induction on the construction of � (with a
technique similar to those used in [6]) it is possible to verify that h�j ; �j+1i is in�I and therefore the claim follows by de�nition of j=. For instance if � � �; � thenby �-completion �j : h�ih�iX is on the branch and therefore there must be �0such that h�j ; �0i 2 �I and �0 : h�iX is present. This also yields h�0; �j+ii 2 �Iand the claim follows by induction. utA completeness theorem follows with standard argument [11, 13, 18]Theorem 5. If � is valid then � has a validity proof for CPDL.7 From NEXPTIME Tableaux to EXPTIME AlgorithmsTableaux lead to the following \naive" algorithm:{ select a formula from the branch and reduce it;{ if the reduction requires branching, then choose one branch and add theother to the stack;{ repeat until the branch is contradictory, ignorable, or open;{ in the �rst two cases discard the branch and backtrack.This algorithm computes each time from scratch without keeping track of dis-carded branches, i.e. it does not learn from failures. This makes sense for logicsin PSPACE [14] but not for PDLs. In fact the naive algorithm works in NEXP-TIME, while CPDL is EXPTIME complete [10, 21].A worst case EXPTIME algorithm can be developed as in [22] or [17, Sec.5.1-5.4]: use a suitable data structure where all possible subsets of the formulaethat may appear in the tableau are listed. As soon as our expansion procedureintroduces a new formula with a certain pre�x, we collect the formulae with thesame pre�x and look in our database: if this set is already marked then we do notexpand it further, otherwise we mark it. We use pairs <set of formulae, arrivingprogram> as elements of the database.At the end, we start a marking algorithm which deletes bad pairs as in [22].A key di�erence is that we discard at once all pre�xes with an X making thebranch ignorable. This is more e�ective than [22] also for PDL since we do notcompute the transitive closure of ) but just look for Xs locally.Marking each set with the \arriving programs" and \using cut" implies that,for each atomic programs A, our database could contain all propositionally con-sistent subsets of f ; hAi ;:hAi j 2 CL(�)g. This gives an upper bound forthe database size exponential in O(jAct(�) j�j� j2), where Act(�) are the director converse atomic programs in �, and hence the desired EXPTIME bound.We can transform this algorithm into an on-the- y method by creating thedata structure dynamically as in [3], [17, Sec. 5.5] or in [11, 18] for modal logicsrather than starting from an already fully developed one. Each time we �nd a anew set of formulae S=� we add the pair hS=�; last(�)i to the database. Beforeexpanding new formulae we check whether the corresponding pair is not alreadyamong the visited ones.
Again, the use of the bookkeeping system anticipates the closure of branchesdue to unful�lled eventualities. By using X variables, the check for closure issubstantially identical to the methods used for temporal logics where the dupli-cation of an eventuality in a visited set is enough to close the branch.Still the avor of the algorithm is breadth �rst . Its transformation into adepth-�rst algorithm is similar to the techniques of [3]. We �rst present thealgorithm for PDL to clarify the intuitions and afterward we extend it to CPDL.For a segment S we say that S=�:A:n is a successor [17] of S=� if the pre�x�:A:n has been introduced by an application of a hAi-rule to a pre�xed formula� : hAi' in S . Next we can de�ne a \bad"-set as follows:De�nition 11. Let T be a tableau and S a segment and � a pre�x occurring inT , then the set S=� is an inconsistent set (?-set) for T i� either1. ';:' 2 S=� for some formula ' (contradiction);2. X;:' 2 S=� for some X := h��i' and S=� is a copy of a fully reduced �0for a h�0;S0i shorter than h�;Si (unful�lled eventuality);3. S � S=� for some ?-set S;4. S terminates into a disjunction and both Sl=� and Sr=� are ?-sets;5. S=� has a ?-set successor S=�:a:n.The depth-�rst algorithm is then immediate:{ select a segment S and a pre�x � which have some unreduced formulae{ if S=� is a ?-set (already seen or by using the two local conditions) thenmark all its pre�xed formulae as reduced and apply Def. 11 to generate new?-sets;{ elseif S=� is a copy (among the visited nodes) then mark all its pre�xedformulae as reduced;{ else select a formula and reduce it; if any of the resulting segment S 0 is suchthat S 0=� is fully reduced then add S 0=� among the visited nodes;{ loop until either the root has become a ?-set (UNSAT) or an open branchcan be found (SAT).Not all selection rules may work properly with this algorithm. It su�ces thatthey are copy preserving: if, at the certain stage of the computation, S=� hasbeen detected as a copy of another S0=�0 it should remain so for the rest of thecomputation. For instance applying �rst �; �-like rules (which do not introducebranching or new pre�xes) preserves copies for PDL.The correctness of the algorithm can be proved by a \cut and paste" argu-ment: whenever we closed a branch due to a bad set we just replace down thepreviously generated subtree for the bad set, and so on inductively.For its complexity observe that the number of pre�xes of an open branch isbounded by the number of visited sets (less ?-sets) and these are exponentiallybounded by the size of the Fisher-Ladner closure. Each closed branch introducesat least one new bad set and those are also bounded by the Fisher-Ladner closure.For instance suppose to close Sl=� and then Sr=�. These two may be equalor both already seen but S=� is surely added as a new ?-set (otherwise we wouldnot have applied the �-rule but directly closed the branch).
For CPDL things are more involved. The �rst modi�cation, already men-tioned, is to use pairs hS=�; last(�)i for visited nodes. The second step is tointroduce the notion of temporary copy in a similar fashion of [13, 18] for sym-metric and euclidean modal logics. When S=� is found to be a copy its unreducedformulae are simply frozen and eventually reactivated when a new pre�xed for-mula with pre�x � or �0 is introduced (note that a set may be re-activated atmost j� j-times). Moreover, in the ?-set condition (2), cut-formulae must havebeen applied in all possible ways.Finally we must also change the notion of successor and add the notion of apredecessor. For instance the formula :P ^ hai[a�]P has the tableauf1 : :P ^ hai[a�]P ] 1 : :P ] 1 : hai[a�]P ] 1:a:2 : [a�]P ] 1 : PgWith the PDL-de�nition the ?-set would only have been fP;:Pg while alsof:P; hai[a�]Pg is clearly a ?-set.In practice we cannot only rewind downward from S=�:A:n to S=� throughthe application of the hAi-rule. So, if S=� is found to be a ?-set as in theexample above then we must rewind upward from S=� to S=�:A:n through the[A�]B-rules until we have rewinded them all and then downward again with thehAi-rules. At the end of the process we arrive at the same pre�x � in a shortersegment S0 and S0=� is the new ?-set.8 ConclusionOne characterizing feature of PDLs is the presence of �xpoint operators. In com-parison with tableaux for modal logics [11, 13, 14, 18], the tableaux for modal�xpoint logics are conceptually divided in two: (1) build a (pseudo) model ex-panding the modal part; (2) check this model for the satis�ability of �xpointformulae. The notion of ignorable branches stems out from the idea of mergingthe second step into the �rst one.Such a merging requires to keeps track, during the expansions phase, ofiterated eventualities and of their ful�llment, and to this extent we adoptedthe techniques used for modal �-calculus in [24, 25]. The necessity of (successfuland unsuccessful) loop checking for eventualities has been pointed out in [20, 22]for PDL, and is even stronger for the modal mu-calculus [25].We think that the combination of model checking and deductive techniques,improves the e�ciency and readability of the calculus. In this setting our tableauxcalculus is a �rst step7 towards e�ective decision procedures for CPDL and thecorresponding description logics.7 For PDLs without the �nite model property, the direct search for a model of tableauxtechniques is infeasible. It may be possible to extend them by searching for �nitestructures representing models i.e. that contain enough information to be expandedinto full (in�nite) models. This is also well known from �rst order tableaux.
AcknowledgmentsWe would like to thank F. Donini and M. Vardi for useful discussions andsuggestions. We gratefully acknowledge the �nancial support of the AgenziaSpaziale Italiana (ASI), Consiglio Nazionale delle Ricerche (CNR) and Minis-tero dell'Universit�a e della Ricerca Scienti�ca e Tecnologica (MURST). Part ofthis work was done while F. Massacci was visiting the Computer Laboratory atthe University of Cambridge (UK).References1. R. Alur and T. Henzinger, editors. Proc. of the Int. Conf. on Comp.Aided Veri�-cation (CAV-96), vol. 1102 of Lecture Notes in Comp. Sci., Springer-Verlag, 1996.2. G. Bhat and R. Cleaveland. E�cient local model-checking for fragments of themodal �-calculus. In Proc. of the Int. Conf. on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS-96), vol. 1055 of Lecture Notes inComp. Sci., pp. 107{126. Springer-Verlag 1996.3. G. Bhat, R. Cleaveland, and O. Grumberg. E�cient on-the- y model checkingfor CTL�. In Proc. of the 10th Int. Conf. of Logic in Comp. Sci. (LICS-95), pp.388{397. IEEE Comp. Society Press, 1995.4. P. Blackburn and E. Spaan. A modal perspective on computational complexity ofattribute value grammar. J. of Logic, Language and Information, 2:129{169, 1993.5. D. Calvanese, G. De Giacomo, and M. Lenzerini. Structured objects: Modelingand reasoning. In Proc. of the 4th Int. Conf. on Deductive and Object-OrientedDatabases (DOOD-95), vol. 1013 of Lecture Notes in Comp. Sci., pp. 229{246.Springer-Verlag, 1995.6. G. De Giacomo. Eliminating \converse" from Converse PDL. J. of Logic, Languageand Information, 5:193{208, 1996.7. G. De Giacomo and M. Lenzerini. Boosting the correspondence between descriptionlogics and propositional dynamic logics. In Proc. of the 12th Nat. Conf. on Arti�cialIntelligence (AAAI-94), pp. 205{212. AAAI Press/The MIT Press, 1994.8. G. De Giacomo and F. Massacci. Tableaux and algorithms for propositional dy-namic logic with converse. In Proc. of the 13th Int. Conf. on Automated Deduc-tion (CADE-96), vol. 1104 of Lecture Notes in Arti�cial Intelligence, pp. 613{628.Springer-Verlag, 1996.9. A. Emerson. Automated temporal reasoning about reactive systems. In Mollerand Birtwistle [19], pp. 41{101.10. N. Fisher and R. Ladner. Propositional dynamic logic of regular programs. J. ofComp. and System Sci., 18:194{211, 1979.11. M. Fitting. Proof Methods for Modal and Intuitionistic Logics. Reidel, 1983.12. N. Friedman and J. Halper. On the complexity of conditional logics. In Proc. ofthe 4th Int. Conf. on the Principles of Knowledge Representation and Reasoning(KR-94), pp. 202-213. Morgan Kaufman, 1994.13. R. Gor�e. Tableaux method for modal and temporal logics. Tech. Rep. TR-ARP-15-5, Australian National University, 1995. To appear as chapter on the "Handbookof Tableau Methods".14. J. Halpern and Y. Moses. A guide to completeness and complexity for modal logicsof knowledge and belief. Arti�cial Intelligence, 54:319{379, 1992.
15. D. Kozen and J. Tiuryn. Logic of programs. In J. van Leeuwen, editor, Hand-book of Theoretical Computer Science, vol. II, chap. 14, pp. 789{840. Elsevier Sci.Publishers, 1990.16. R. Ladner. The computational complexity of provability in systems of modalpropositional logic. SIAM J. of Computing, 6(3):467{480, Sept. 1977.17. Z. Manna and A. Pnueli. Temporal Veri�cation of Reactive Systems (Safety), vol.~2.Springer-Verlag, 1995.18. F. Massacci. Strongly analytic tableaux for normal modal logics. In Proc. of the12th Int. Conf. on Automated Deduction (CADE-94), vol. 814 of Lecture Notes inArti�cial Intelligence, pp. 723{737. Springer-Verlag, 1994.19. F. Moller and G. Birtwistle, editors. Logics for Concurrency (Structure versusAutomata), vol. 1043 of Lecture Notes in Comp. Sci. Springer-Verlag, 1996.20. V. Pratt. A practical decision method for propositional dynamic logic. In Proc. ofthe 10th ACM Symp. on Theory of Computing (STOC-78), pp. 326{337, 1978.21. V. Pratt. Models of program logics. In Proc. of the 20th Annual Symp. on theFound. of Comp. Sci. (FOCS-79), pp. 115{122. IEEE Comp. Society Press, 1979.22. V. Pratt. A near-optimal method for reasoning about action. J. of Comp. andSystem Sci., 20:231{255, 1980.23. K. Schild. A correspondence theory for terminological logics: Preliminary report.In Proc. of the 12th Int. Joint Conf. on Arti�cial Intelligence (IJCAI-91), pp.466{471. Morgan Kaufmann, Los Altos, 1991.24. C. Stirling. Modal and temporal logics for processes. In Moller and Birtwistle [19],pp. 149{237.25. C. Stirling and D. Walker. Local model checking in modal mu-calculus. Theor.Comp. Sci., 89:161{177, 1991.26. R. Streett and A. Emerson. An automata theoretic decision procedure for thepropositional mu-calculus. Information and Control, 81:249{264, 1989.27. M. Vardi and P. Wolper. Automata-theoretic techniques for modal logics of pro-grams. J. of Comp. and System Sci., 32:183{221, 1986.28. M. Vardi and P. Wolper. Reasoning about in�nite computations. Information andComputation, 115(1):1{37, 1994.29. W. Woods and J. Schmolze. The KL-ONE family. In Semantic Networks inArti�cial Intelligence, pp. 133{178. Pergamon Press, 1992.